Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

NTOSKRNL-HOOK infection

Started by zacgoesrawr , Apr 08 2009 05:27 PM

Please log in to reply

#1
zacgoesrawr

Posted 08 April 2009 - 05:27 PM

New Member

Member
7 posts

I have been told i can get Ntosknrl-Hook fixed with u guys thanks for the help in advance :] (i find it in a scan and it comes back...even in safe mode....

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:17:22 PM, on 4/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\system32\dla\DLACTRLW.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TDispVol.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RAMASST.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Documents and Settings\Zachary\Desktop\HiJackThis.exe
c:\PROGRA~1\mcafee.com\agent\mcupdate.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshibadirect.com/dpdstart
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\DLACTRLW.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
O4 - HKLM\..\Run: [RTHDCPL] "RTHDCPL.EXE"
O4 - HKLM\..\Run: [Alcmtr] "ALCMTR.EXE"
O4 - HKLM\..\Run: [MSKDetectorExe] "C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" /uninstall
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [McAfee Backup] "C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe"
O4 - HKLM\..\Run: [MBkLogOnHook] "C:\Program Files\McAfee\MBK\LogOnHook.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Microsoft Windows Services] service.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [TOSCDSPD] "C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe"
O4 - HKCU\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe"
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase5483.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{50F63D93-A701-468A-ACB1-57D0E1E4C074}: NameServer = 85.255.112.198,85.255.112.70
O17 - HKLM\System\CCS\Services\Tcpip\..\{EF3D4071-3382-4D45-8A25-7463F2F21323}: NameServer = 85.255.112.198,85.255.112.70
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.198,85.255.112.70
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.198,85.255.112.70
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.112.198,85.255.112.70
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.198,85.255.112.70
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Adobe Active File Monitor V7 (AdobeActiveFileMonitor7.0) - Adobe Systems Incorporated - C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe

--
End of file - 10868 bytes

#2
kahdah

Posted 08 April 2009 - 05:29 PM

GeekU Teacher

Retired Staff
15,822 posts

Hello zacgoesrawr

Welcome to G2Go.

=====================

Please download DDS and save it to your desktop.

Disable any script blocking protection
Double click dds.scr to run the tool.
When done, DDS.txt will open.
Click Yes at the next prompt for Optional Scan.
Save both reports to your desktop.

---------------------------------------------------

Please include the contents of the following in your next reply:

DDS.txt
Attach.txt.
================
Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

Click NO
In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
Now click the Scan button.
Once the scan is complete, you may receive another notice about rootkit activity.
Click OK.
GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.

#3
zacgoesrawr

Posted 08 April 2009 - 11:37 PM

New Member

Topic Starter
Member
7 posts

hey thanks for responding

DDS:
DDS (Ver_09-03-16.01) - NTFSx86
Run by Zachary at 22:32:39.78 on Wed 04/08/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.446.60 [GMT -7:00]

AV: Webroot AntiVirus with AntiSpyware *On-access scanning disabled* (Updated)
AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\system32\dla\DLACTRLW.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\TDispVol.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RAMASST.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Zachary\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7TSHB
uWindow Title = Microsoft Internet Explorer
mDefault_Page_URL =
mDefault_Search_URL =
mSearch Page =
mStart Page = about:blank
mWindow Title = Microsoft Internet Explorer
uInternet Connection Wizard,ShellNext = hxxp://www.toshibadirect.com/dpdstart
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [TOSCDSPD] "c:\program files\toshiba\toscdspd\toscdspd.exe"
uRun: [ctfmon.exe] "c:\windows\system32\ctfmon.exe"
mRun: [THotkey] "c:\program files\toshiba\toshiba applet\thotkey.exe"
mRun: [SynTPLpr] "c:\program files\synaptics\syntp\SynTPLpr.exe"
mRun: [SynTPEnh] "c:\program files\synaptics\syntp\SynTPEnh.exe"
mRun: [AGRSMMSG] "AGRSMMSG.exe"
mRun: [NDSTray.exe] NDSTray.exe
mRun: [TPSMain] "TPSMain.exe"
mRun: [PadTouch] "c:\program files\toshiba\touch and launch\PadExe.exe"
mRun: [SmoothView] "c:\program files\toshiba\toshiba zooming utility\SmoothView.exe"
mRun: [dla] "c:\windows\system32\dla\DLACTRLW.exe"
mRun: [Tvs] "c:\program files\toshiba\tvs\TvsTray.exe"
mRun: [TFncKy] TFncKy.exe
mRun: [TDispVol] "TDispVol.exe"
mRun: [RTHDCPL] "RTHDCPL.EXE"
mRun: [Alcmtr] "ALCMTR.EXE"
mRun: [MSKDetectorExe] "c:\program files\mcafee\spamkiller\MSKDetct.exe" /uninstall
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [CFSServ.exe] CFSServ.exe -NoClient
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [McAfee Backup] "c:\program files\mcafee\mbk\McAfeeDataBackup.exe"
mRun: [MBkLogOnHook] "c:\program files\mcafee\mbk\LogOnHook.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Microsoft Windows Services] service.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [SpySweeper] "c:\program files\webroot\webrootsecurity\SpySweeperUI.exe" /startintray
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
uPolicies-explorer: NoFolderOptions = 00000000
uPolicies-explorer: RestrictRun = 0 (0x0)
uPolicies-system: NoSecCPL = 0 (0x0)
uPolicies-system: NoDispAppearancePage = 0 (0x0)
uPolicies-system: NoDispSettingsPage = 0 (0x0)
uPolicies-system: NoDevMgrPage = 0 (0x0)
uPolicies-system: NoConfigPage = 0 (0x0)
uPolicies-system: NoVirtMemPage = 0 (0x0)
uPolicies-system: NoFileSysPage = 0 (0x0)
uPolicies-system: NoNetSetup = 0 (0x0)
uPolicies-system: NoNetSetupIDPage = 0 (0x0)
uPolicies-system: NoNetSetupSecurityPage = 0 (0x0)
uPolicies-system: NoWorkgroupContents = 0 (0x0)
uPolicies-system: NoEntireNetwork = 0 (0x0)
uPolicies-system: NoFileSharingControl = 0 (0x0)
mPolicies-explorer: NoFolderOptions = 00000000
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 85.255.112.198,85.255.112.70
TCP: {50F63D93-A701-468A-ACB1-57D0E1E4C074} = 85.255.112.198,85.255.112.70
TCP: {EF3D4071-3382-4D45-8A25-7463F2F21323} = 85.255.112.198,85.255.112.70
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\zachary\applic~1\mozilla\firefox\profiles\iwxpeu3j.default\
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-4-7 130424]
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2009-2-25 29808]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-10-30 201320]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\adobe\photoshop elements 7.0\PhotoshopElementsFileAgent.exe [2008-9-16 169312]
R2 Iprip;RIP Listener;c:\windows\system32\svchost.exe -k netsvcs [2006-3-20 14336]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-10-30 359248]
R2 McShield;McAfee Real-time Scanner;c:\program files\mcafee\virusscan\Mcshield.exe [2008-10-30 144704]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [2009-4-5 603904]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\webrootsecurity\SpySweeper.exe [2009-2-25 4048240]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R2 WRConsumerService;Webroot Client Service;c:\program files\webroot\webrootsecurity\WRConsumerService.exe [2009-4-7 1178728]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-10-30 695624]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-10-30 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-10-30 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-10-30 40488]
S0 skzch;skzch;c:\windows\system32\drivers\wawdqsfy.sys --> c:\windows\system32\drivers\wawdqsfy.sys [?]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-10-30 33832]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-4-7 348752]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-4-7 1095560]

=============== Created Last 30 ================

2009-04-07 21:20 42 a------- c:\windows\system32\RegistryEasy.lie
2009-04-07 21:00 <DIR> --d----- c:\program files\Registry Easy
2009-04-07 20:25 <DIR> --d----- c:\program files\NVT Malware Remover Tool
2009-04-07 20:13 775,168 a------- c:\windows\isRS-000.tmp
2009-04-07 20:12 <DIR> --d----- c:\program files\MSSOAP
2009-04-07 20:12 1,553,784 a------- c:\windows\WRSetup.dll
2009-04-07 20:12 <DIR> --d----- c:\docume~1\zachary\applic~1\Webroot
2009-04-07 20:12 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Webroot
2009-04-07 20:12 <DIR> --d----- c:\program files\Webroot
2009-04-07 20:01 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-04-07 20:01 130,424 a------- c:\windows\system32\drivers\PCTCore.sys
2009-04-07 20:01 73,840 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-04-07 20:00 <DIR> --d----- c:\program files\common files\PC Tools
2009-04-07 20:00 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-04-07 20:00 <DIR> --d----- c:\program files\Spyware Doctor
2009-04-07 20:00 <DIR> --d----- c:\docume~1\zachary\applic~1\PC Tools
2009-04-07 20:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-04-07 16:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-07 16:52 <DIR> --d----- c:\program files\meowrawr
2009-04-06 23:57 <DIR> --d----- c:\docume~1\zachary\applic~1\GetRightToGo
2009-04-05 00:57 603,904 a------- c:\windows\system32\TUProgSt.exe
2009-04-05 00:57 27,904 a------- c:\windows\system32\uxtuneup.dll
2009-04-05 00:57 360,192 a------- c:\windows\system32\TuneUpDefragService.exe
2009-04-05 00:57 <DIR> --d----- c:\docume~1\zachary\applic~1\TuneUp Software
2009-04-05 00:56 <DIR> --d----- c:\docume~1\alluse~1\applic~1\TuneUp Software
2009-04-05 00:56 <DIR> --d----- c:\program files\TuneUp Utilities 2009
2009-04-05 00:55 <DIR> --dsh--- c:\docume~1\alluse~1\applic~1\{55A29068-F2CE-456C-9148-C869879E2357}
2009-04-05 00:42 <DIR> --d----- c:\program files\RegistryFix7
2009-04-03 23:24 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PCPitstop
2009-04-01 23:19 <DIR> --d----- c:\windows\Downloaded Installations
2009-03-31 17:06 69,372 -------- c:\windows\hpoins05.dat.temp
2009-03-31 17:06 19,696 -------- c:\windows\hpomdl05.dat.temp
2009-03-30 22:47 <DIR> --d----- c:\docume~1\zachary\applic~1\BitTorrent
2009-03-30 22:46 <DIR> --d----- c:\program files\DNA
2009-03-30 22:46 <DIR> --d----- c:\docume~1\zachary\applic~1\DNA
2009-03-30 22:14 <DIR> --d----- c:\docume~1\zachary\applic~1\.purple
2009-03-30 22:14 <DIR> --d----- c:\program files\Pidgin
2009-03-30 22:13 <DIR> --d----- c:\program files\common files\GTK
2009-03-30 21:52 <DIR> --d----- c:\windows\pss
2009-03-22 18:18 <DIR> --d----- c:\program files\iPhoneBrowser
2009-03-19 21:22 73,728 a------- c:\windows\system32\javacpl.cpl
2009-03-15 13:49 <DIR> --d----- C:\cygwin
2009-03-12 22:06 <DIR> --d----- c:\program files\iPod
2009-03-12 22:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-12 21:50 1,900,544 a------- c:\windows\system32\usbaaplrc.dll
2009-03-12 21:39 <DIR> --d----- c:\program files\Bonjour

==================== Find3M ====================

2009-04-06 16:35 2,830 a------- c:\docume~1\zachary\applic~1\wklnhst.dat
2009-03-31 17:23 68,901 a------- c:\windows\hpoins05.dat
2009-03-19 21:22 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-05 23:59 36,864 a------- c:\windows\system32\drivers\usbaapl.sys
2009-03-03 15:19 33,816 a---h--- c:\windows\system32\mlfcache.dat
2009-02-25 15:24 176,752 a------- c:\windows\system32\drivers\ssidrv.sys
2009-02-25 15:24 23,152 a------- c:\windows\system32\drivers\sshrmd.sys
2009-02-25 15:24 29,808 a------- c:\windows\system32\drivers\ssfs0bbc.sys
2009-02-15 22:29 356,352 a------- c:\windows\eSellerateEngine.dll
2009-02-09 04:13 1,846,784 a------- c:\windows\system32\win32k.sys
2008-10-30 19:04 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008103020081031\index.dat

============= FINISH: 22:33:29.53 ===============

Attach:
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-03-16.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 10/29/2008 9:57:15 PM
System Uptime: 4/8/2009 9:43:07 PM (1 hours ago)

Motherboard: ATI | | SB450
Processor: Intel® Celeron® M CPU 420 @ 1.60GHz | U23 | 1596/mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 74 GiB total, 49.008 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP71: 3/31/2009 5:51:57 PM - Installed Sudo for Windows

==== Installed Programs ======================

7200
7200_Help
7200Trb
Adobe AIR
Adobe Anchor Service CS4
Adobe Dreamweaver CS4
Adobe Extension Manager CS4
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop Elements 7.0
Adobe Photoshop.com Inspiration Browser
Adobe Reader 9
Adobe Setup
Adobe Shockwave Player 11
AiO_Scan
AiOSoftware
Apple Mobile Device Support
Apple Software Update
ArcSoft PhotoImpression 5
ArcSoft TotalMedia Extreme
Atheros Client Utility
Atheros Wireless LAN MiniPCI/PCIe card Driver
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
BitTorrent
Bonjour
BufferChm
CD/DVD Drive Acoustic Silencer
Copy
CP_AtenaShokunin1Config
cp_dwShrek2Albums1
cp_dwShrek2Cards1
CreativeProjects
CreativeProjectsTemplates
CueTour
Destinations
Director
DNA
DocProc
DocumentViewer
DVD-RAM Driver
Fax
Google Desktop
Google Toolbar for Internet Explorer
GTK+ Runtime 2.14.7 rev a (remove only)
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Windows XP (KB954550-v5)
HP Extended Capabilities 4.7
HP Image Zone 4.7
HP Image Zone Express
HP Product Assistant
HP PSC & OfficeJet 4.7
HP Software Update
HPSystemDiagnostics
InstantShare
InterVideo WinDVD for TOSHIBA
iPhoneBrowser
iTunes
J2SE Runtime Environment 5.0 Update 6
Java™ 6 Update 12
McAfee SecurityCenter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Silverlight
Microsoft SQL Server 2008 Management Objects
Microsoft SQL Server Compact 3.5 SP1 Design Tools English
Microsoft SQL Server Compact 3.5 SP1 English
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
Microsoft Works
Mozilla Firefox (3.0.8)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 and SOAP Toolkit 3.0
Notepad++
NVT Malware Remover Tool v2.0.8b1
Office 2003 Trial Assistant
PanoStandAlone
PhotoGallery
PhotoshopdotcomInspirationBrowser
Pidgin
ProductContext
QFolder
QuickTime
Readme
RealPlayer Basic
REALTEK GbE & FE Ethernet NIC Driver
Realtek High Definition Audio Driver
RegCure 1.5.0.0
Registry Easy v4.0
Scan
ScannerCopy
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
SkinsHP1
Sonic DLA
Sonic RecordNow!
Speeditup Free 4.90
Spy Sweeper Core
Spyware Doctor 6.0
SQL Server System CLR Types
Suite Shared Configuration CS4
Synaptics Pointing Device Driver
TI Connect 1.6
TOSHIBA Assist
TOSHIBA ConfigFree
TOSHIBA Controls
TOSHIBA Hotkey Utility
TOSHIBA PC Diagnostic Tool
TOSHIBA Power Saver
Toshiba Registration
TOSHIBA Software Upgrades
TOSHIBA Speech System Applications
TOSHIBA Speech System SR Engine(U.S.) Version1.0
TOSHIBA Speech System TTS Engine(U.S.) Version1.0
TOSHIBA TouchPad ON/Off Utility
TOSHIBA Utilities
TOSHIBA Virtual Sound
TOSHIBA Zooming Utility
Touch and Launch
TrayApp
TuneUp Utilities 2009
Unload
WebFldrs XP
WebReg
Webroot AntiVirus with AntiSpyware
Windows Defender
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Live OneCare safety scanner
Windows Media Format 11 runtime
Windows Media Player 11
WinRAR archiver

==== Event Viewer Messages From Past Week ========

4/5/2009 1:15:09 AM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
4/5/2009 1:11:12 AM, error: Service Control Manager [7031] - The McAfee SystemGuards service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
4/5/2009 12:57:40 AM, error: Service Control Manager [7000] - The TuneUp Theme Extension service failed to start due to the following error: The executable program that this service is configured to run in does not implement the service.
4/5/2009 12:36:39 AM, error: Service Control Manager [7000] - The npkcrypt service failed to start due to the following error: The system cannot find the path specified.
4/5/2009 12:32:15 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
4/5/2009 12:12:26 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
4/5/2009 12:12:25 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
4/4/2009 10:40:12 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm mfehidk
4/4/2009 10:39:03 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service McNASvc with arguments "" in order to run the server: {24F616A1-B755-4053-8018-C3425DC8B68A}
4/4/2009 10:38:57 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
4/3/2009 11:10:09 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service McShield with arguments "" in order to run the server: {DC7EF8E1-824F-4110-AB43-1604DA9B4F40}
4/1/2009 11:41:08 PM, error: System Error [1003] - Error code 1000008e, parameter1 c0000005, parameter2 f2a3459b, parameter3 efe9beb0, parameter4 00000000.
4/1/2009 11:16:12 PM, error: Service Control Manager [7000] - The iPod Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
4/1/2009 11:16:12 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the iPod Service service to connect.
4/1/2009 11:16:06 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service iPod Service with arguments "" in order to run the server: {063D34A4-BF84-4B8D-B699-E8CA06504DDE}
4/5/2009 10:25:46 AM, error: System Error [1003] - Error code 1000008e, parameter1 c0000005, parameter2 f22b859b, parameter3 eeb19158, parameter4 00000000.
4/5/2009 10:25:52 AM, error: Service Control Manager [7034] - The MBackMonitor service terminated unexpectedly. It has done this 1 time(s).
4/6/2009 11:52:47 PM, error: Service Control Manager [7034] - The Pml Driver HPZ12 service terminated unexpectedly. It has done this 1 time(s).
4/6/2009 11:52:57 PM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
4/6/2009 11:53:01 PM, error: Service Control Manager [7034] - The Adobe Active File Monitor V7 service terminated unexpectedly. It has done this 1 time(s).
4/7/2009 8:42:32 PM, error: Service Control Manager [7034] - The PC Tools Security Service service terminated unexpectedly. It has done this 1 time(s).
4/7/2009 8:56:15 PM, error: Dhcp [1002] - The IP address lease 192.168.1.3 for the Network Card with network address 00A0D15ED602 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
4/8/2009 4:42:19 PM, error: ssidrv [19] - Invalid memory address found.
4/6/2009 4:31:01 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file wlnotify.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.5512.

==== End Of File ===========================

thanks agains Zac

#4
zacgoesrawr

Posted 08 April 2009 - 11:38 PM

New Member

Topic Starter
Member
7 posts

oh and this is what GMER said idk if you need

GMER 1.0.15.14966 - http://www.gmer.net
Rootkit scan 2009-04-08 22:38:07
Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xF14C59AC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xF14C5AFA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xF14C5ADF]
Code 84C6E010 ZwFlushInstructionCache
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF14C59EC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xF14C5B24]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xF14C5930]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xF14C5944]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xF14C59C0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xF14C5B60]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xF14C5AC9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xF14C5AB3]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xF14C5B4C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xF14C5B38]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xF14C5B0E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF14C5A02]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xF14C59D6]
Code 84D23ABE IofCallDriver
Code 84AEB0F6 IofCompleteRequest
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs ssfs0bbc.sys (Spy Sweeper FileSystem Filter Driver/Webroot Software, Inc. (www.webroot.com))
AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \Driver\Tcpip \Device\Ip 84B67190
Device \Driver\Tcpip \Device\Ip 84D4CD98
Device \Driver\Tcpip \Device\Ip 84C04A00
Device \Driver\Tcpip \Device\Ip 84EC4A70

AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\Tcpip \Device\Tcp 84B67190
Device \Driver\Tcpip \Device\Tcp 84D4CD98
Device \Driver\Tcpip \Device\Tcp 84C04A00
Device \Driver\Tcpip \Device\Tcp 84EC4A70

AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\Tcpip \Device\Udp 84B67190
Device \Driver\Tcpip \Device\Udp 84D4CD98
Device \Driver\Tcpip \Device\Udp 84C04A00
Device \Driver\Tcpip \Device\Udp 84EC4A70

AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\Tcpip \Device\RawIp 84B67190
Device \Driver\Tcpip \Device\RawIp 84D4CD98
Device \Driver\Tcpip \Device\RawIp 84C04A00
Device \Driver\Tcpip \Device\RawIp 84EC4A70

AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\gaopdxnkecnwmcytlpsoqowkvhonaojexwrxsa.sys (*** hidden *** ) [SYSTEM] gaopdxserv.sys <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----

#5
kahdah

Posted 09 April 2009 - 06:16 AM

GeekU Teacher

Retired Staff
15,822 posts

Hi you are welcome.

Please go to Start > Control Panel > then Add\Remove programs.
Then uninstall these:

RegCure 1.5.0.0
Registry Easy v4.0
Spy Sweeper Core
Spyware Doctor 6.0
Webroot AntiVirus with AntiSpyware

Only keep Spyware Doctor if you have paid for it otherwise it is to much running protection on the system.
Same goes for Spy Sweeper.
If you want to keep it rather than McAfee then uninstall McAfee and keep Spy Sweeper.
=======================
AFter that We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

#6
zacgoesrawr

Posted 09 April 2009 - 02:09 PM

New Member

Topic Starter
Member
7 posts

hi, sorry for being so late i have been busy.

here you are: -LOG-
ComboFix 09-04-04.01 - Zachary 2009-04-09 12:40:20.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.446.131 [GMT -7:00]
Running from: c:\documents and settings\Zachary\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Favorites\svchost.exe
c:\recycler\S-1-8-15-100022447-100029573-100014223-4671.com
c:\windows\system32\drivers\gaopdxnkecnwmcytlpsoqowkvhonaojexwrxsa.sys
c:\windows\system32\gaopdxcounter
c:\windows\system32\gaopdxoyeixmaskcqgxirikwjuqvptprpuawnt.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gaopdxserv.sys
-------\Legacy_IPRIP
-------\Service_Iprip

((((((((((((((((((((((((( Files Created from 2009-03-09 to 2009-04-09 )))))))))))))))))))))))))))))))
.

2009-04-09 12:30 . 2009-04-09 12:31 <DIR> d-------- C:\32788R22FWJFW
2009-04-09 12:23 . 2006-03-03 00:42 73,728 --a------ C:\pv.exe
2009-04-07 21:20 . 2009-04-07 21:20 42 --a------ c:\windows\system32\RegistryEasy.lie
2009-04-07 21:00 . 2009-04-09 12:16 <DIR> d-------- c:\program files\Registry Easy
2009-04-07 20:16 . 2009-04-07 20:23 <DIR> d-------- c:\program files\Windows Live Safety Center
2009-04-07 20:13 . 2009-04-07 20:13 775,168 --a------ c:\windows\isRS-000.tmp
2009-04-07 20:12 . 2009-04-07 20:12 <DIR> d-------- c:\program files\MSSOAP
2009-04-07 16:53 . 2009-04-07 16:53 <DIR> d-------- c:\documents and settings\Administrator\Application Data\TuneUp Software
2009-04-07 16:52 . 2009-04-07 17:22 <DIR> d-------- c:\program files\meowrawr
2009-04-07 16:52 . 2009-04-07 16:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-06 23:57 . 2009-04-06 23:59 <DIR> d-------- c:\documents and settings\Zachary\Application Data\GetRightToGo
2009-04-06 23:27 . 2009-04-06 23:27 <DIR> d-------- c:\program files\Windows Defender
2009-04-05 00:57 . 2009-04-05 00:57 <DIR> d-------- c:\documents and settings\Zachary\Application Data\TuneUp Software
2009-04-05 00:57 . 2009-04-05 00:57 603,904 --a------ c:\windows\system32\TUProgSt.exe
2009-04-05 00:57 . 2009-04-05 00:57 360,192 --a------ c:\windows\system32\TuneUpDefragService.exe
2009-04-05 00:57 . 2008-12-11 14:31 27,904 --a------ c:\windows\system32\uxtuneup.dll
2009-04-05 00:56 . 2009-04-05 00:57 <DIR> d-------- c:\program files\TuneUp Utilities 2009
2009-04-05 00:56 . 2009-04-05 00:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\TuneUp Software
2009-04-05 00:55 . 2009-04-05 00:55 <DIR> d--hs---- c:\documents and settings\All Users\Application Data\{55A29068-F2CE-456C-9148-C869879E2357}
2009-04-05 00:42 . 2009-04-05 01:14 <DIR> d-------- c:\program files\RegistryFix7
2009-04-03 23:24 . 2009-04-03 23:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\PCPitstop
2009-04-01 23:19 . 2009-04-01 23:19 <DIR> d-------- c:\windows\Downloaded Installations
2009-03-31 17:06 . 2009-01-31 19:44 69,372 --------- c:\windows\hpoins05.dat.temp
2009-03-31 17:06 . 2004-12-14 08:39 19,696 --------- c:\windows\hpomdl05.dat.temp
2009-03-30 22:47 . 2009-04-07 21:01 <DIR> d-------- c:\documents and settings\Zachary\Application Data\BitTorrent
2009-03-30 22:46 . 2009-04-09 12:54 <DIR> d-------- c:\program files\DNA
2009-03-30 22:46 . 2009-04-09 12:54 <DIR> d-------- c:\documents and settings\Zachary\Application Data\DNA
2009-03-30 22:37 . 2009-03-30 22:38 <DIR> d-------- c:\documents and settings\Zachary\Application Data\Download Manager
2009-03-30 22:19 . 2009-04-02 22:07 <DIR> d-------- c:\documents and settings\Zachary\Application Data\gtk-2.0
2009-03-30 22:14 . 2009-03-30 22:14 <DIR> d-------- c:\program files\Pidgin
2009-03-30 22:14 . 2009-04-02 22:07 <DIR> d-------- c:\documents and settings\Zachary\Application Data\.purple
2009-03-30 22:13 . 2009-03-30 22:13 <DIR> d-------- c:\program files\Common Files\GTK
2009-03-22 18:18 . 2009-03-29 16:06 <DIR> d-------- c:\program files\iPhoneBrowser
2009-03-19 21:22 . 2009-03-19 21:22 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-17 17:20 . 2009-03-22 13:41 <DIR> d-------- c:\documents and settings\Zachary\Application Data\Notepad++
2009-03-15 13:49 . 2009-04-02 16:49 <DIR> d-------- C:\cygwin
2009-03-15 13:36 . 2009-03-15 13:36 <DIR> d-------- c:\program files\Notepad++
2009-03-15 13:36 . 2009-03-15 13:36 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Notepad++
2009-03-12 22:06 . 2009-03-12 22:06 <DIR> d-------- c:\program files\iPod
2009-03-12 22:05 . 2009-03-12 22:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-12 21:56 . 2009-03-12 21:59 <DIR> d-------- c:\program files\QuickTime
2009-03-12 21:50 . 2009-03-05 23:59 1,900,544 --a------ c:\windows\system32\usbaaplrc.dll
2009-03-12 21:39 . 2009-03-12 21:39 <DIR> d-------- c:\program files\Bonjour

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-09 19:15 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-07 05:53 --------- d-----w c:\documents and settings\Zachary\Application Data\McAfee
2009-04-07 05:28 --------- d-----w c:\documents and settings\Zachary\Application Data\LimeWire
2009-04-06 23:35 2,830 ----a-w c:\documents and settings\Zachary\Application Data\wklnhst.dat
2009-04-05 08:18 --------- d-----w c:\program files\Microsoft Visual Studio 9.0
2009-04-05 08:18 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-04-02 23:49 --------- d-----w c:\documents and settings\All Users\Application Data\WLInstaller
2009-04-02 23:49 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2009-04-01 01:50 --------- d-----w c:\program files\Common Files\Adobe
2009-04-01 00:15 --------- d-----w c:\program files\Common Files\HP
2009-03-29 20:15 --------- d-----w c:\program files\WinFlip
2009-03-29 04:57 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-29 04:55 --------- d-----w c:\documents and settings\All Users\Application Data\ArcSoft
2009-03-27 03:56 --------- d-----w c:\documents and settings\Zachary\Application Data\ArcSoft
2009-03-15 04:40 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-03-15 04:38 --------- d-----w c:\documents and settings\All Users\Application Data\VMware
2009-03-15 04:28 --------- d-----w c:\program files\McAfee
2009-03-15 04:23 --------- d-----w c:\program files\HP
2009-03-13 05:07 --------- d-----w c:\program files\iTunes
2009-03-13 05:06 --------- d-----w c:\program files\Common Files\Apple
2009-03-13 02:32 --------- d-----w c:\documents and settings\LocalService\Application Data\VMware
2009-03-09 01:31 --------- d-----w c:\documents and settings\Zachary\Application Data\VMware
2009-03-09 00:46 --------- d-----w c:\documents and settings\Zachary\Application Data\Sonic
2009-03-06 06:59 36,864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-03-06 00:39 --------- d-----w c:\documents and settings\All Users\Application Data\SpeedBit
2009-03-05 00:49 --------- d-----w c:\documents and settings\LocalService\Application Data\McAfee
2009-03-05 00:48 --------- d-----w c:\documents and settings\Zachary\Application Data\GetRight
2009-03-03 22:18 --------- d-----w c:\documents and settings\Zachary\Application Data\Apple Computer
2009-02-16 06:33 --------- d-----w c:\documents and settings\Zachary\Application Data\ImTOO Software Studio
2009-02-16 06:31 --------- d-----w c:\program files\Common Files\AVSMedia
2009-02-16 06:27 --------- d-----w c:\documents and settings\Zachary\Application Data\AVS4YOU
2009-02-16 06:26 --------- d-----w c:\documents and settings\All Users\Application Data\AVS4YOU
2009-02-16 05:29 356,352 ----a-w c:\windows\eSellerateEngine.dll
2009-02-15 01:02 --------- d-----w c:\program files\Google
2009-02-15 00:40 --------- d-----w c:\documents and settings\Zachary\Application Data\acccore
2009-02-15 00:39 --------- d-----w c:\documents and settings\All Users\Application Data\AOL OCP
2009-02-15 00:06 --------- d-----w c:\documents and settings\All Users\Application Data\acccore
2009-02-15 00:05 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2009-02-15 00:04 --------- d-----w c:\program files\Common Files\AOL
2009-02-09 18:27 --------- d-----w c:\program files\Java
2008-10-31 02:04 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008103020081031\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-30 68856]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-03-30 321344]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2006-03-06 356352]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2006-03-02 82012]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-02 761948]
"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2005-12-05 1077322]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 122880]
"dla"="c:\windows\system32\dla\DLACTRLW.exe" [2005-10-06 122940]
"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2006-02-02 73728]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
"McAfee Backup"="c:\program files\McAfee\MBK\McAfeeDataBackup.exe" [2007-01-16 4838952]
"MBkLogOnHook"="c:\program files\McAfee\MBK\LogOnHook.exe" [2007-01-08 20480]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-19 148888]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]
"AGRSMMSG"="AGRSMMSG.exe" [2006-03-03 c:\windows\agrsmmsg.exe]
"NDSTray.exe"="NDSTray.exe" [BU]
"TPSMain"="TPSMain.exe" [2005-05-31 c:\windows\system32\TPSMain.exe]
"TFncKy"="TFncKy.exe" [BU]
"TDispVol"="TDispVol.exe" [2005-03-11 c:\windows\system32\TDispVol.exe]
"RTHDCPL"="RTHDCPL.EXE" [2005-12-09 c:\windows\RTHDCPL.exe]
"CFSServ.exe"="CFSServ.exe" [BU]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoSecCPL"= 0 (0x0)
"NoDevMgrPage"= 0 (0x0)
"NoConfigPage"= 0 (0x0)
"NoVirtMemPage"= 0 (0x0)
"NoFileSysPage"= 0 (0x0)
"NoNetSetup"= 0 (0x0)
"NoNetSetupIDPage"= 0 (0x0)
"NoNetSetupSecurityPage"= 0 (0x0)
"NoWorkgroupContents"= 0 (0x0)
"NoEntireNetwork"= 0 (0x0)
"NoFileSharingControl"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"RestrictRun"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Pinger"=c:\toshiba\ivp\ism\pinger.exe /run

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\McAfee\\MBK\\McAfeeDataBackup.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Documents and Settings\\Zachary\\My Documents\\My Music\\BitTorrent\\bittorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [2008-09-16 169312]
S0 skzch;skzch;c:\windows\system32\drivers\wawdqsfy.sys --> c:\windows\system32\drivers\wawdqsfy.sys [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - SimpTcp
*Deregistered* - SNMP
*Deregistered* - Spooler
*Deregistered* - srservice
*Deregistered* - SSDPSRV
*Deregistered* - stisvc
*Deregistered* - Swupdtmr
*Deregistered* - TapiSrv
*Deregistered* - TAPPSRV
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - TuneUp.ProgramStatisticsSvc
*Deregistered* - UxTuneUp
*Deregistered* - W32Time
*Deregistered* - WebClient
*Deregistered* - WinDefend
*Deregistered* - winmgmt
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WZCSVC

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2009-04-09 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2008-12-11 22:36]

2009-04-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 13:34]

2008-10-31 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2008-10-31 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2009-04-09 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Microsoft Windows Services - service.exe

.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7TSHB
mStart Page = about:blank
mWindow Title = Microsoft Internet Explorer
uInternet Connection Wizard,ShellNext = hxxp://www.toshibadirect.com/dpdstart
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
FF - ProfilePath - c:\documents and settings\Zachary\Application Data\Mozilla\Firefox\Profiles\iwxpeu3j.default\
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-09 12:57:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(748)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\CLBCATQ.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Windows Defender\MsMpEng.exe
c:\windows\system32\acs.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\windows\system32\DVDRAMSV.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee\MBK\MBackMonitor.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\tcpsvcs.exe
c:\windows\system32\snmp.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\program files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
c:\windows\system32\TUProgSt.exe
c:\windows\system32\ati2evxx.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\program files\TOSHIBA\ConfigFree\NDSTray.exe
c:\program files\Synaptics\SynTP\Toshiba.exe
c:\windows\system32\TPSBattM.exe
c:\program files\Windows Defender\MSASCui.exe
c:\progra~1\McAfee\MSC\mcuimgr.exe
c:\windows\system32\RAMASST.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-04-09 13:06:20 - machine was rebooted [Zachary]
ComboFix-quarantined-files.txt 2009-04-09 20:06:12

Pre-Run: 52,791,705,600 bytes free
Post-Run: 53,120,630,784 bytes free

308 --- E O F --- 2009-03-15 05:03:00

#7
zacgoesrawr

Posted 09 April 2009 - 03:07 PM

New Member

Topic Starter
Member
7 posts

Hey i think its fixed idk u can tell i cant but i can conncet to download.microsoft.com now

#8
kahdah

Posted 10 April 2009 - 06:09 AM

GeekU Teacher

Retired Staff
15,822 posts

Please go to Start>Run type in Notepad.
Copy what is in the code box below into the open Notepad window.
Change the "Save As Type" to "All Files". Save it as fixthis.bat on your Desktop.

@Echo off

sc stop skzch
sc delete skzch
del fixthis.bat

Then please double click on fixthis.bat a window will open and close quickly.This is normal.
=========================
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Full Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatley.