
I may be infected?
#46
Posted 03 July 2010 - 09:51 PM
The forum is run by volunteers who donate their time and expertise.
Want to help others? Join the ClassRoom and learn how.
Logs will be closed if you haven't replied within 3 days
If you would like to for the help you received.
Proud graduate of TC/WTT Classroom
#47
Posted 03 July 2010 - 10:01 PM

#48
Posted 03 July 2010 - 10:05 PM
PS: I named it ark.log2 myself so as not to confuse it with the other one.
ark.log2
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-03 19:25:40
Windows 6.0.6002 Service Pack 2
Running: ipdoubn0.exe; Driver: C:\Users\NATHAN~1\AppData\Local\Temp\kxdcruoc.sys
---- System - GMER 1.0.15 ----
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x807C0D88]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0x807C0DB2]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x807C0D9E]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0x807C0D74]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!ZwYieldExecution 826449D2 5 Bytes JMP 807C0D78 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 82809DA3 5 Bytes JMP 807C0DB6 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 828294FA 7 Bytes JMP 807C0D8C \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 828297BD 5 Bytes JMP 807C0DA2 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
.text C:\Windows\system32\DRIVERS\tos_sps32.sys section is writeable [0x89F58480, 0x3C939, 0xE8000020]
.dsrt C:\Windows\system32\DRIVERS\tos_sps32.sys unknown last section [0x89F99900, 0x3CA, 0x48000040]
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x8D804000, 0x263970, 0xE8000020]
Edited by Nman, 03 July 2010 - 10:06 PM.
#49
Posted 03 July 2010 - 10:12 PM

Please go to http://virusscan.jotti.org, click on Browse, and upload the following file for analysis:
C:\Windows\system32\DRIVERS\tos_sps32.sys
Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.
If virscan.org is too busy you can try these.
http://virscan.org/
http://www.kaspersky...anforvirus.html
http://www.virustota.../en/indexf.html
#50
Posted 03 July 2010 - 10:20 PM
#51
Posted 03 July 2010 - 10:25 PM
1) exeHelper
Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).
#52
Posted 03 July 2010 - 10:27 PM
I'll be back in the morning.
After you run exeHelper, try ComboFix again.
Download ComboFix from one of these locations:
Link 1
Link 2 If using this link, Right Click and select Save As.
* IMPORTANT !!! Save ComboFix.exe to your Desktop
- Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs
- Double click on ComboFix.exe & follow the prompts.
Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
Note: If you have SP3, use the SP2 package.
If Vista or Windows 7, skip the Recovery Console part
- As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Give it at least 20-30 minutes to finish if needed.
Please do not attach the scan results from ComboFix. Use copy/paste.
Also please describe how your computer behaves at the moment.
#53
Posted 03 July 2010 - 10:37 PM

Edited by Nman, 03 July 2010 - 11:00 PM.
#54
Posted 03 July 2010 - 11:07 PM
#55
Posted 03 July 2010 - 11:30 PM
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2813.1814 [GMT -7:00]
Running from: c:\users\Nathaniel\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{e4878b45-e2c0-4307-b6e8-734922f92f5b}"= "c:\program files\Road_Runner\tbRoad.dll" [2009-09-08 2260504]
[HKEY_CLASSES_ROOT\clsid\{e4878b45-e2c0-4307-b6e8-734922f92f5b}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e4878b45-e2c0-4307-b6e8-734922f92f5b}]
2009-09-08 17:32 2260504 ----a-w- c:\program files\Road_Runner\tbRoad.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{e4878b45-e2c0-4307-b6e8-734922f92f5b}"= "c:\program files\Road_Runner\tbRoad.dll" [2009-09-08 2260504]
[HKEY_CLASSES_ROOT\clsid\{e4878b45-e2c0-4307-b6e8-734922f92f5b}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{E4878B45-E2C0-4307-B6E8-734922F92F5B}"= "c:\program files\Road_Runner\tbRoad.dll" [2009-09-08 2260504]
[HKEY_CLASSES_ROOT\clsid\{e4878b45-e2c0-4307-b6e8-734922f92f5b}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-07-30 39408]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-07-03 135680]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"Steam"="c:\program files\Steam\Steam.exe" [2010-06-11 1238352]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-04-22 61440]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-03-13 6965792]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-03-18 1451304]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2009-03-07 468320]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2009-03-09 55160]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2008-12-18 448376]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2009-03-23 729088]
"NDSTray.exe"="c:\program files\TOSHIBA\ConfigFree\NDSTray.exe" [2009-05-13 299008]
"cfFncEnabler.exe"="c:\program files\TOSHIBA\ConfigFree\cfFncEnabler.exe" [2009-03-24 16384]
"Teco"="c:\program files\TOSHIBA\TECO\Teco.exe" [2009-04-15 1318912]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe" [2009-03-24 1007616]
"TPCHWMsg"="c:\program files\TOSHIBA\TPHM\TPCHWMsg.exe" [2009-04-09 570736]
"ToshibaServiceStation"="c:\program files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" [2009-04-01 1283384]
"Skytel"="c:\program files\Realtek\Audio\HDA\Skytel.exe" [2009-03-13 1833504]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-04-02 1180976]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]
c:\users\Nathaniel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"VistaSp2"=hex(

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-03-03 135664]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-04-28 83496]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\DRIVERS\mfenlfk.sys [2010-04-28 64304]
S1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2010-04-28 160720]
S1 RtlProt;Realtke RtlProt WLAN Utility Protocol Driver;c:\windows\system32\DRIVERS\rtlprot.sys [2007-04-23 25896]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-04-22 176128]
S2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2009-03-11 46448]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2010-03-26 93320]
S2 McMPFSvc;McAfee Personal Firewall;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2009-12-15 271480]
S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2009-12-15 271480]
S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2010-04-28 188136]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [2010-04-28 141792]
S2 RSELSVC;TOSHIBA Modem region select service;c:\program files\TOSHIBA\RSelect\RSelSvc.exe [2009-02-19 57344]
S2 TMachInfo;TMachInfo;c:\program files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2009-04-01 62776]
S2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;c:\program files\TOSHIBA\TECO\TecoService.exe [2009-04-15 176128]
S2 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2009-03-17 73728]
S2 TPCHSrv;TPCH Service;c:\program files\TOSHIBA\TPHM\TPCHSrv.exe [2009-04-09 656752]
S2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;c:\windows\system32\DRIVERS\TVALZFL.sys [2009-03-21 12920]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-04-28 55456]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2006-11-20 7168]
S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-04-28 312616]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - MFERKDET01
*Deregistered* - mfeavfk01
*Deregistered* - mferkdet01
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
2010-07-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-03 20:51]
2010-07-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-03 20:51]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.rr.com/
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
FF - ProfilePath - c:\users\Nathaniel\AppData\Roaming\Mozilla\Firefox\Profiles\6i6mazbs.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2490311&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://discussions.godandscience.org/index.php
FF - prefs.js: keyword.URL - hxxp://search.freecause.com/search?fr=freecause&ourmark=3&type=60459&p=
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - component: c:\users\Nathaniel\AppData\Roaming\Mozilla\Firefox\Profiles\6i6mazbs.default\extensions\{336dc353-5272-420c-84e7-ba1f3c9c2aeb}\components\Engine.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-03 22:26
Windows 6.0.6002 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'Explorer.exe'(5876)
c:\progra~1\mcafee\SITEAD~1\saHook.dll
.
Completion time: 2010-07-03 22:28:22
ComboFix-quarantined-files.txt 2010-07-04 05:28
Pre-Run: 185,942,204,416 bytes free
Post-Run: 185,882,398,720 bytes free
- - End Of File - - 72CA7FDCE6C7BF47F206A7224BEC3843
And no crash this time!

#56
Posted 04 July 2010 - 06:44 AM
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2813.1814 [GMT -7:00]
Running from: c:\users\Nathaniel\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
Is this where the results log started?
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
#57
Posted 04 July 2010 - 06:45 PM
Yes, that is where the log starts.
ComboFix 10-07-03.04 - Nathaniel 07/03/2010 22:16:20.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2813.1814 [GMT -7:00]
Running from: c:\users\Nathaniel\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
Is this where the results log started?
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
#58
Posted 05 July 2010 - 07:12 AM
#59
Posted 05 July 2010 - 08:21 AM
C:\combofix-quarantine-files.txt
Also delete the combofix you have now.
Download a new copy and run a new scan.
#60
Posted 05 July 2010 - 03:57 PM