Jump to content

Build Theme!
  •  
  • Unreplied Topics
  • Downloads
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93083 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

[Resolved] Generic Fake Alert html Viris PLEASE HELP REMOVE

Started by Fredooch , Sep 30 2009 12:14 AM

  • This topic is locked This topic is locked
20 replies to this topic

#1 Fredooch

Fredooch

    New Member

  • Authentic Member
  • Pip
  • 19 posts

Posted 30 September 2009 - 12:14 AM

Dear Tech,
I got this virus last night.....McAfee keeps deleting it but everytime i get on the web I get like 5 pop ups and Mcafee removing it. Here is myHijack log.....PLEASE HELP!!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:12:45 AM, on 9/30/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\twc\medicsp2\bin\sprtcmd.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\ehome\RMSysTry.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\Program Files\twc\medicsp2\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?fr=fp-yie8
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?fr=fp-yie8
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo....?fr=mcafee&p=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: {dcaaf66a-cb7a-8398-8804-dd888210ca83} - {38ac0128-88dd-4088-8938-a7bca66faacd} - (no file)
O2 - BHO: (no name) - {486FDF0D-DF14-4532-807A-B741E908E2DA} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {674CA4EB-8D12-4B61-A032-B25E22B0C2F4} - (no file)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: (no name) - {8D27B193-E71B-4390-99CA-1B263CFB042f} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Easy Gif Animator Toolbar Helper - {96372AB6-15EB-4316-B497-71C741BC548C} - C:\Program Files\Easy Gif Animator Extension\v3.3.0.0\EasyGifAnimator_Toolbar.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: (no name) - {ca747fab-a4ae-41b1-970d-86398f85319a} - (no file)
O2 - BHO: (no name) - {d5d40b74-119f-47d2-865c-6efdf054eb16} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {F1FDD4FC-C230-4E13-A4B0-33EBF44D3FCF} - (no file)
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: Easy Gif Animator Toolbar - {35065594-9169-4A34-B167-FC4865038E53} - C:\Program Files\Easy Gif Animator Extension\v3.3.0.0\EasyGifAnimator_Toolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [medicsp2] C:\Program Files\twc\medicsp2\bin\sprtcmd.exe /P medicsp2
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [DelayShred] c:\PROGRA~1\mcafee\mshr\ShrCL.EXE /P7 /q C:\DOCUME~1\Fredooch\Cookies\FREDOO~3.SH! C:\DOCUME~1\Fredooch\Cookies\FR44B4~1.TXT C:\DOCUME~1\Fredooch\Cookies\FRC66A~1.SH! C:\DOCUME~1\Fredooch\Cookies\FRD1D8~1.SH! C:\DOCUME~1\Fredooch\Cookies\FR73AE~1.SH! C:\DOCUME~1\Fredooch\Cookies\FR6BBB~1.SH! C:\DOCUME~1\Fredooch\Cookies\FRE4E4~1.SH! C:\DOCUME~1\Fredooch\Cookies\FRB353~1.SH! C:\DOCUME~1\Fredooch\Cookies\FR90FA~1.SH! C:\DOCUME~1\Fredooch\Cookies\FR1150~1.SH!
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: Extender Resource Monitor.lnk = C:\WINDOWS\ehome\RMSysTry.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {483EB14D-AF1C-4951-81B0-4E2B41829FF6} (QOLCheck Control) - https://www.select2p...bs/QOLCheck.ocx
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1202257947406
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ent/swflash.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Filter hijack: text/html - {39d60013-e993-4ded-85eb-d2ff4589bb4e} - (no file)
O20 - AppInit_DLLs: C:\WINDOWS\System32\datime32.dll
O20 - Winlogon Notify: charNic - charNic.dll (file missing)
O20 - Winlogon Notify: e8726c1d684 - C:\WINDOWS\System32\datime32.dll
O20 - Winlogon Notify: efcbcbc - efcbcbc.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SupportSoft Sprocket Service (medicsp2) (sprtsvc_medicsp2) - SupportSoft, Inc. - C:\Program Files\twc\medicsp2\bin\sprtsvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 14132 bytes

    Advertisements

Register to Remove

#2 Noviciate

Noviciate

    Retired WTT Teacher

  • Visiting Fellow
  • PipPipPipPipPip
  • 2,907 posts

Posted 01 October 2009 - 02:19 PM

Due, in part, to the large numbers of HJT logs being posted, there are four things that you need to be aware of.

1) If you have already posted this log at another forum, you need to post here that you have done so and this topic will be closed.
Multiple posting not only ties up valuable resources, but could also result is some unpleasant side-effects for your system if you follow two sets of instructions at the same time.
If, during research, an identical log is identified at another forum, this thread will be closed.

2) If you don't post a meaningful reply to any of my posts within five days, this thread will be closed. Due to limited free time I can only have so many open threads at any one time and if yours isn't active, somebody else's will be.
If, by omission, the thread hasn't be closed after five days and you post, it will just serve as a reminder to me to close it.
Please note that "I just dropped in to say Hi!" isn't a meaningful reply!

3) Malware removal is a tricky business, and malware writers don't tend to worry about the damage their creations do, so it is advisable to back-up all important files BEFORE we start. Although most cases have a successful conclusion, on occasion things don't go according to plan and it is better to be prepared for the worst.

4) Back-ups can get lost or damaged, so make two if the files are that important to you!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pay a visit to the ESET Online Scanner - IE is preferred for this.
  • Click the ESET Online Scanner button, read the info in the new window, check the appropriate box and click Start.
  • Accept the ActiveX download, and allow it to install.
  • Once this has been completed, you will see the Computer Scan settings page - ensure that you uncheck the "Remove found threats" box and then click Start.
  • The virus signature database will now need to be downloaded, so don't forget to instruct your firewall to permit it if it asks.
  • The above will take a little time, so now is a good time to fire up the kettle and open the biccies.
  • Once the scan has completed you will be shown the results - assuming that the scanner has found anything.
  • Click List of found threats and then Export to text file... and save the log somewhere convenient.
  • You can then close out the scanner - don't bother uninstalling it as you may need to use it again.
  • Please post the contents of this file in your next reply, or let me know that nothing was identified.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Download Sec-Info2.zip from here and save it to your Desktop. You will need to extract the file.

Right click on the zipped folder and from the menu that appears, click on Extract All...
In the 'Extraction Wizard' window that opens, click on Next> and in the next window that appears, click on Next> again.
In the final window, click on Finish

You should now see a folder with a file in it - double click Sec-info2.vbs to run it.
Once you have been informed that the script has completed, a text file called Sec-Info.txt should be created in the same folder - you may need to wait a couple of seconds for it to appear..
Please copy and paste the contents of the text file into your next reply and then you can delete both of the folders and their contents.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Run HJT and click on Open the Misc Tools section.
  • Click Open Uninstall Manager...
  • Click Save list... and save it to your Desktop.
  • Copy and paste the file uninstall_list.txt into your next reply.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Download RootRepeal from one of the locations below and save it to your Desktop:
Location 1
Location 2
Location 3
  • Double click RootRepeal.exe to fire up the tool and OK any Windows confirmation if necessary.
  • Ensure that the Report Tab is selected at the bottom.
  • Click the Scan button, check ALL the boxes in the window that appears and then click OK.
  • Check the box next to your main hard drive - usually C: and click OK
  • Put the kettle on and perhaps open a packet of biscuits - the scan will take some time.
  • Once the scan has completed a Notepad window will open with the results in.
  • These results will also be saved to the root of your main drive as \RootRepeal report date time.txt
Let me have a copy of the contents in your next reply.
Death to the salad eaters!

#3 Fredooch

Fredooch

    New Member

  • Authentic Member
  • Pip
  • 19 posts

Posted 02 October 2009 - 12:49 AM

ESET results C:\WINDOWS\system32\2Rb77Pjy02ZvoLw.vbs VBS/Disabler.NAB trojan C:\WINDOWS\system32\8iU94iuF0fhuqOe.vbs VBS/Disabler.NAB trojan C:\WINDOWS\system32\datime32.dll Win32/TrojanDownloader.Agent.PDY trojan C:\WINDOWS\system32\dlqpkesd.ini Win32/Adware.Virtumonde.NEO application C:\WINDOWS\system32\euqowkpl.ini Win32/Adware.Virtumonde.NEO application C:\WINDOWS\system32\FrWPMRk.vbs VBS/Disabler.NAB trojan C:\WINDOWS\system32\hnmdhtcl.ini Win32/Adware.Virtumonde.NEO application C:\WINDOWS\system32\JaxLFZFy0Ipvbo7.vbs VBS/Disabler.NAB trojan C:\WINDOWS\system32\jbxgpdmp.ini Win32/Adware.Virtumonde.NEO application C:\WINDOWS\system32\JiQpWvut.ini Win32/Adware.Virtumonde.NEO application C:\WINDOWS\system32\JiQpWvut.ini2 Win32/Adware.Virtumonde.NEO application C:\WINDOWS\system32\klhdijuw.ini Win32/Adware.Virtumonde.NEO application C:\WINDOWS\system32\krndpgxc.ini Win32/Adware.Virtumonde.NEO application C:\WINDOWS\system32\loleueba.ini Win32/Adware.Virtumonde.NEO application C:\WINDOWS\system32\lqeumsxe.ini Win32/Adware.Virtumonde.NEO application C:\WINDOWS\system32\obmrdurx.ini Win32/Adware.Virtumonde.NEO application C:\WINDOWS\system32\oUtsDcdd.ini Win32/Adware.Virtumonde.NEO application C:\WINDOWS\system32\oUtsDcdd.ini2 Win32/Adware.Virtumonde.NEO application C:\WINDOWS\system32\pdfyjybh.ini Win32/Adware.Virtumonde.NEO application C:\WINDOWS\system32\pekprpwq.ini Win32/Adware.Virtumonde.NEO application C:\WINDOWS\system32\pirdnwlx.ini Win32/Adware.Virtumonde.NEO application C:\WINDOWS\system32\qybkeaek.ini Win32/Adware.Virtumonde.NEO application C:\WINDOWS\system32\qyiugrka.ini Win32/Adware.Virtumonde.NEO application C:\WINDOWS\system32\rodspnxc.ini Win32/Adware.Virtumonde.NEO application C:\WINDOWS\system32\rraqsqyf.ini Win32/Adware.Virtumonde.NEO application C:\WINDOWS\system32\ryjaaalf.ini Win32/Adware.Virtumonde.NEO application C:\WINDOWS\system32\sbfrqsmo.ini Win32/Adware.Virtumonde.NEO application C:\WINDOWS\system32\thtieika.ini Win32/Adware.Virtumonde.NEO application C:\WINDOWS\system32\utbmctsg.ini Win32/Adware.Virtumonde.NEO application C:\WINDOWS\system32\vyadd.ini Win32/Adware.Virtumonde.NEO application C:\WINDOWS\system32\vyadd.ini2 Win32/Adware.Virtumonde.NEO application C:\WINDOWS\system32\wbmjndpk.ini Win32/Adware.Virtumonde.NEO application C:\WINDOWS\system32\ymqcmgne.ini Win32/Adware.Virtumonde.NEO application Operating memory Win32/TrojanDownloader.Agent.PDY trojan Script run: 10/1/2009 11:38:21 PM ~~~~~~~~~~~~~~~~~~~~~~~~ Sect-Info Results Company Name: McAfee AV Name: McAfee VirusScan Version Number: On-Access Scanning Enabled: Yes Product up-to-date: Yes ~~~~~~~~~~~~~~~~~~~~~~~~ Company Name: McAfee Firewall Name: McAfee Personal Firewall Version Number: Enabled: No ~~~~~~~~~~~~~~~~~~~~~~~~ The Windows Firewall is disabled. ~~~~~~~~~~~~~~~~~~~~~~~~ The Security Center Anti-Virus Alerts are enabled. The Security Center Firewall Alerts are enabled. ~~~~~~~~~~~~~~~~~~~~~~~~ Number of Restore Points found: 0 ~~~~~~~~~~~~~~~~~~~~~~~~ Hijack This results 2007 Microsoft Office Suite Service Pack 1 (SP1) 2007 Microsoft Office Suite Service Pack 1 (SP1) 2007 Microsoft Office Suite Service Pack 1 (SP1) 2007 Microsoft Office Suite Service Pack 1 (SP1) 2007 Microsoft Office Suite Service Pack 1 (SP1) 2007 Microsoft Office Suite Service Pack 1 (SP1) 2007 Microsoft Office Suite Service Pack 1 (SP1) 2007 Microsoft Office Suite Service Pack 1 (SP1) 2007 Microsoft Office Suite Service Pack 1 (SP1) 2007 Microsoft Office Suite Service Pack 1 (SP1) 2007 Microsoft Office Suite Service Pack 1 (SP1) 2007 Microsoft Office Suite Service Pack 1 (SP1) 2007 Microsoft Office Suite Service Pack 1 (SP1) Acrobat.com Acrobat.com Adobe AIR Adobe AIR Adobe Anchor Service CS3 Adobe Asset Services CS3 Adobe Bridge CS3 Adobe Bridge Start Meeting Adobe Camera Raw 4.0 Adobe CMaps Adobe Color - Photoshop Specific Adobe Color Common Settings Adobe Color EU Extra Settings Adobe Color JA Extra Settings Adobe Color NA Recommended Settings Adobe Default Language CS3 Adobe Device Central CS3 Adobe Download Manager Adobe ExtendScript Toolkit 2 Adobe Flash Player 10 ActiveX Adobe Flash Player 10 Plugin Adobe Fonts All Adobe Help Viewer CS3 Adobe Linguistics CS3 Adobe PDF Library Files Adobe Photoshop 7.0 Adobe Photoshop CS3 Adobe Reader 9 Adobe Setup Adobe Shockwave Player Adobe Stock Photos CS3 Adobe Type Support Adobe Update Manager CS3 Adobe Version Cue CS3 Client Adobe WinSoft Linguistics Plugin Adobe XMP Panels CS3 AGEIA PhysX v7.07.24 AIM 6 AOLIcon Apple Software Update ATI Control Panel ATI Display Driver Avery Wizard 3.1 Brother MFL-Pro Suite MFC-5890CN Canon Camera Window for ZoomBrowser EX Canon EOS 10D WIA Driver Canon RAW Image Task for ZoomBrowser EX Canon RemoteCapture Task for ZoomBrowser EX Canon Utilities File Viewer Utility 1.3 Canon Utilities PhotoStitch 3.1 Canon Utilities RemoteCapture 2.7 Canon Utilities ZoomBrowser EX CCleaner (remove only) Corel Photo Album 6 Create-Ringtone 4.96 Creative WebCam Live! Driver (1.02.03.0606) Critical Update for Windows Media Player 11 (KB959772) Dell Digital Jukebox Driver Dell Driver Reset Tool Digital Content Portal Easy GIF Animator 4.3 Easy Gif Animator Extension ELIcon ESET Online Scanner v3 ESPNMotion FaceOnBody Firebird SQL Server - MAGIX Edition HijackThis 2.0.2 Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595) Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484) Hotfix for Windows XP (KB895961-v4) Hotfix for Windows XP (KB961118) Hotfix for Windows XP (KB970653-v3) Image Resizer Powertoy for Windows XP Intel® 537EP V9x DF PCI Modem Intel® PRO Network Connections Drivers Intel® PROSet for Wired Connections InterActual Player iTunes J2SE Runtime Environment 5.0 Update 10 J2SE Runtime Environment 5.0 Update 6 J2SE Runtime Environment 5.0 Update 9 Java 2 Runtime Environment, SE v1.4.2_03 Java™ 6 Update 11 LG USB Modem driver LimeWire 5.1.2 Linksys Wireless-G PCI Network Adapter with SpeedBooster Malwarebytes' Anti-Malware McAfee SecurityCenter MCU Media Center Extender Media Center Extender Microsoft .NET Framework 1.1 Microsoft .NET Framework 1.1 Microsoft .NET Framework 1.1 Hotfix (KB928366) Microsoft .NET Framework 2.0 Service Pack 2 Microsoft .NET Framework 3.0 Service Pack 2 Microsoft .NET Framework 3.5 SP1 Microsoft .NET Framework 3.5 SP1 Microsoft Choice Guard Microsoft Encarta Encyclopedia Standard 2006 Microsoft Kernel-Mode Driver Framework Feature Pack 1.7 Microsoft Office Access MUI (English) 2007 Microsoft Office Access Setup Metadata MUI (English) 2007 Microsoft Office Excel MUI (English) 2007 Microsoft Office Outlook MUI (English) 2007 Microsoft Office PowerPoint MUI (English) 2007 Microsoft Office Professional 2007 Microsoft Office Professional 2007 Microsoft Office Proof (English) 2007 Microsoft Office Proof (French) 2007 Microsoft Office Proof (Spanish) 2007 Microsoft Office Proofing (English) 2007 Microsoft Office Publisher MUI (English) 2007 Microsoft Office Shared MUI (English) 2007 Microsoft Office Shared Setup Metadata MUI (English) 2007 Microsoft Office Word MUI (English) 2007 Microsoft Plus! Digital Media Edition Installer Microsoft Plus! Photo Story 2 LE Microsoft Silverlight Microsoft Streets & Trips 2006 Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 Microsoft Visual C++ 2005 Redistributable Microsoft Word 2002 Microsoft Works Microsoft Works Suite 2006 Setup Launcher Microsoft Works Suite Add-in for Microsoft Word Morpheus Photo Animation Suite v3.01 Move Networks Player for Internet Explorer MSXML 4.0 SP2 (KB927978) MSXML 4.0 SP2 (KB936181) MSXML 4.0 SP2 (KB954430) Musicmatch® Jukebox Nero 8 neroxml OpenMG Limited Patch 4.2-05-07-27-01 OpenMG Secure Module 4.2.00 Opera 10.00 PaperPort Image Printer PDF Settings PL-2303 USB-to-Serial PowerDVD 5.5 Project64 1.6 Quickstart CD and DVD Label Studio Pro QuickTime Road Runner Install Road Runner Medic 6.1 ScanSoft PaperPort 11 Scientific Atlanta WebSTAR 2000 series Cable Modem Security Update for 2007 Microsoft Office System (KB951550) Security Update for 2007 Microsoft Office System (KB951944) Security Update for 2007 Microsoft Office System (KB969559) Security Update for 2007 Microsoft Office System (KB969679) Security Update for CAPICOM (KB931906) Security Update for CAPICOM (KB931906) Security Update for Microsoft Office Excel 2007 (KB969682) Security Update for Microsoft Office PowerPoint 2007 (KB957789) Security Update for Microsoft Office Publisher 2007 (KB969693) Security Update for Microsoft Office system 2007 (KB954326) Security Update for Microsoft Office system 2007 (KB969613) Security Update for Microsoft Office Word 2007 (KB969604) Security Update for Visio 2007 (KB947590) Security Update for Windows Internet Explorer 7 (KB950759) Security Update for Windows Internet Explorer 7 (KB953838) Security Update for Windows Internet Explorer 7 (KB956390) Security Update for Windows Internet Explorer 7 (KB958215) Security Update for Windows Internet Explorer 7 (KB960714) Security Update for Windows Internet Explorer 7 (KB961260) Security Update for Windows Internet Explorer 7 (KB963027) Security Update for Windows Internet Explorer 7 (KB969897) Security Update for Windows Internet Explorer 7 (KB972260) Security Update for Windows Internet Explorer 8 (KB971961) Security Update for Windows Internet Explorer 8 (KB972260) Security Update for Windows Media Player (KB968816) Security Update for Windows Media Player (KB973540) Security Update for Windows XP (KB923561) Security Update for Windows XP (KB938464-v2) Security Update for Windows XP (KB952004) Security Update for Windows XP (KB954459) Security Update for Windows XP (KB956572) Security Update for Windows XP (KB956744) Security Update for Windows XP (KB956844) Security Update for Windows XP (KB958690) Security Update for Windows XP (KB959426) Security Update for Windows XP (KB960225) Security Update for Windows XP (KB960715) Security Update for Windows XP (KB960803) Security Update for Windows XP (KB960859) Security Update for Windows XP (KB961371) Security Update for Windows XP (KB961373) Security Update for Windows XP (KB961501) Security Update for Windows XP (KB968537) Security Update for Windows XP (KB969898) Security Update for Windows XP (KB970238) Security Update for Windows XP (KB971557) Security Update for Windows XP (KB971633) Security Update for Windows XP (KB971657) Security Update for Windows XP (KB971961) Security Update for Windows XP (KB973346) Security Update for Windows XP (KB973354) Security Update for Windows XP (KB973507) Security Update for Windows XP (KB973869) Segoe UI Sonic Copy Module Sonic DLA Sonic Encoders Sonic Express Labeler Sonic MyDVD Plus SonicStage 3.2 Sony Image Data Suite Sony Picture Utility SpyHunter Update for 2007 Microsoft Office System (KB967642) Update for Microsoft .NET Framework 3.5 SP1 (KB963707) Update for Microsoft Office Outlook 2007 (KB969907) Update for Outlook 2007 Junk Email Filter (kb973514) Update for Windows Internet Explorer 8 (KB973874) Update for Windows XP (KB951978) Update for Windows XP (KB967715) Update for Windows XP (KB968389) Update for Windows XP (KB973815) Update Manager VCRedistSetup VideoSpirit Pro 1.40 Viewpoint Media Player WavePad Sound Editor WD Diagnostics WebCyberCoach 3.2 Dell WebIQ Client Software WildTangent Web Driver Windows Genuine Advantage v1.3.0254.0 Windows Internet Explorer 8 Windows Live Essentials Windows Live Essentials Windows Live Sign-in Assistant Windows Live Upload Tool Windows Live Writer Windows Media Encoder 9 Series Windows Media Encoder 9 Series Windows Media Format 11 runtime Windows Media Player 10 Windows Media Player 11 Windows XP Creativity Fun Packs - Windows Movie Maker 2 - Audio Windows XP Creativity Fun Packs - Windows Movie Maker 2 - Titles Windows XP Media Center Edition 2005 KB905589 Windows XP Media Center Edition 2005 KB973768 Windows XP Service Pack 3 WinRAR archiver Yahoo! Messenger Yahoo! Software Update Yahoo! Toolbar ROOTREPEAL © AD, 2007-2009 ================================================== Scan Start Time: 2009/10/01 23:42 Program Version: Version 1.3.5.0 Windows Version: Windows XP Media Center Edition SP3 ================================================== Drivers ------------------- Name: dump_atapi.sys Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys Address: 0xEE420000 Size: 98304 File Visible: No Signed: - Status: - Name: dump_WMILIB.SYS Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS Address: 0xF7BB6000 Size: 8192 File Visible: No Signed: - Status: - Name: rootrepeal.sys Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys Address: 0xEBD95000 Size: 49152 File Visible: No Signed: - Status: - Hidden/Locked Files ------------------- Path: C:\hiberfil.sys Status: Locked to the Windows API! Path: c:\windows\temp\sqlite_1czka5aey2crfgk Status: Allocation size mismatch (API: 4096, Raw: 0) Path: c:\windows\temp\sqlite_bu2zv9hhfrdwzuv Status: Allocation size mismatch (API: 4096, Raw: 0) Path: c:\windows\temp\sqlite_gtaiaafa4xziz08 Status: Allocation size mismatch (API: 4096, Raw: 0) Path: c:\windows\temp\sqlite_udhojggybwvmbzi Status: Allocation size mismatch (API: 4096, Raw: 0) Path: c:\windows\temp\sqlite_wnt03xng7udjt1e Status: Allocation size mismatch (API: 4096, Raw: 0) Path: Volume G:\ Status: MBR Rootkit Detected! Path: Volume G:\, Sector 1 Status: Sector mismatch Path: Volume G:\, Sector 61 Status: Sector mismatch Path: Volume G:\, Sector 62 Status: Sector mismatch Stealth Objects ------------------- Object: Hidden Handle [Index: 156, Type: Event] Process: RMSvc.exe (PID: 2616) Address: 0x86ca0d88 Size: - ==EOF==

#4 Noviciate

Noviciate

    Retired WTT Teacher

  • Visiting Fellow
  • PipPipPipPipPip
  • 2,907 posts

Posted 02 October 2009 - 01:29 PM

Download mbr.exe by GMER from here and save it to your Desktop.
Go to Start > Run...,enter the following into the textbox and click OK:

cmd

When the Command Window opens enter the following and then hit <ENTER>:

cd Desktop

Finally enter the following and hit <ENTER> again:

mbr > output.txt

This should create a text file on your Desktop called output.txt - i'd like a copy of the contents in your next reply.
Death to the salad eaters!

#5 Fredooch

Fredooch

    New Member

  • Authentic Member
  • Pip
  • 19 posts

Posted 02 October 2009 - 03:27 PM

I downloaded MBR and ran it but it automatically opens and then closes as fast....then it created the log file in text you see below....it doesnt let me type anything in it.




Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

#6 Fredooch

Fredooch

    New Member

  • Authentic Member
  • Pip
  • 19 posts

Posted 02 October 2009 - 03:32 PM

Ok I misuderstood intructions...I did exactley what you posted and got the same results as above shown in output.txt


Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

#7 Noviciate

Noviciate

    Retired WTT Teacher

  • Visiting Fellow
  • PipPipPipPipPip
  • 2,907 posts

Posted 02 October 2009 - 04:01 PM

Download Malwarebytes' Anti-Malware from here and save it to your Desktop - unless you already have it, in which case skip to the "updating" bit below.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • Ensure a checkmark is placed next to both Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware and then click Finish.
  • If an update is found, it will download and install the latest version - you'll need to clear it with your firewall.
  • Once the program has loaded, select Perform full scan and then Scan.
  • When the scan has finished, click OK and then Show Results to view the results - no surprise there!
  • If MBAM finds anything, check the box(es) and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Let me have the MBAM log, a fresh HJT log (run in Normal Mode) AND a description of how your PC is behaving.
Death to the salad eaters!

#8 Fredooch

Fredooch

    New Member

  • Authentic Member
  • Pip
  • 19 posts

Posted 02 October 2009 - 07:38 PM

Malwarebytes' Anti-Malware 1.41 Database version: 2897 Windows 5.1.2600 Service Pack 3 10/2/2009 8:37:29 PM mbam-log-2009-10-02 (20-37-29).txt Scan type: Full Scan (C:\|) Objects scanned: 224829 Time elapsed: 2 hour(s), 3 minute(s), 49 second(s) Memory Processes Infected: 0 Memory Modules Infected: 2 Registry Keys Infected: 1 Registry Values Infected: 0 Registry Data Items Infected: 2 Folders Infected: 0 Files Infected: 3 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: C:\WINDOWS\system32\datime32.dll (Trojan.Tracur) -> Delete on reboot. C:\WINDOWS\system32\561.tmp (Worm.P2P) -> Delete on reboot. Registry Keys Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\e8726c1d684 (Trojan.Tracur) -> Delete on reboot. Registry Values Infected: (No malicious items detected) Registry Data Items Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Tracur) -> Data: c:\windows\system32\datime32.dll -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Tracur) -> Data: system32\datime32.dll -> Quarantined and deleted successfully. Folders Infected: (No malicious items detected) Files Infected: C:\WINDOWS\system32\datime32.dll (Trojan.Tracur) -> Delete on reboot. C:\WINDOWS\system32\561.tmp (Worm.P2P) -> Delete on reboot. C:\WINDOWS\system32\GroupPolicy000.dat (Malware.Trace) -> Quarantined and deleted successfully.

#9 Fredooch

Fredooch

    New Member

  • Authentic Member
  • Pip
  • 19 posts

Posted 02 October 2009 - 07:52 PM

System seems to be behaving normally....


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:51:41 PM, on 10/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\twc\medicsp2\bin\sprtcmd.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\WINDOWS\ehome\RMSysTry.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\Program Files\twc\medicsp2\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?fr=fp-yie8
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?fr=fp-yie8
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo....?fr=mcafee&p=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: {dcaaf66a-cb7a-8398-8804-dd888210ca83} - {38ac0128-88dd-4088-8938-a7bca66faacd} - (no file)
O2 - BHO: (no name) - {486FDF0D-DF14-4532-807A-B741E908E2DA} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {674CA4EB-8D12-4B61-A032-B25E22B0C2F4} - (no file)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: (no name) - {8D27B193-E71B-4390-99CA-1B263CFB042f} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Easy Gif Animator Toolbar Helper - {96372AB6-15EB-4316-B497-71C741BC548C} - C:\Program Files\Easy Gif Animator Extension\v3.3.0.0\EasyGifAnimator_Toolbar.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: (no name) - {ca747fab-a4ae-41b1-970d-86398f85319a} - (no file)
O2 - BHO: (no name) - {d5d40b74-119f-47d2-865c-6efdf054eb16} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {F1FDD4FC-C230-4E13-A4B0-33EBF44D3FCF} - (no file)
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: Easy Gif Animator Toolbar - {35065594-9169-4A34-B167-FC4865038E53} - C:\Program Files\Easy Gif Animator Extension\v3.3.0.0\EasyGifAnimator_Toolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [medicsp2] C:\Program Files\twc\medicsp2\bin\sprtcmd.exe /P medicsp2
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [TrayServer] C:\Program Files\MAGIX\Movie_Edit_Pro_15\TrayServer.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [DelayShred] c:\PROGRA~1\mcafee\mshr\ShrCL.EXE /P7 /q C:\DOCUME~1\Fredooch\Cookies\FREDOO~3.SH! C:\DOCUME~1\Fredooch\Cookies\FR44B4~1.TXT C:\DOCUME~1\Fredooch\Cookies\FRC66A~1.SH! C:\DOCUME~1\Fredooch\Cookies\FRD1D8~1.SH! C:\DOCUME~1\Fredooch\Cookies\FR73AE~1.SH! C:\DOCUME~1\Fredooch\Cookies\FR6BBB~1.SH! C:\DOCUME~1\Fredooch\Cookies\FRE4E4~1.SH! C:\DOCUME~1\Fredooch\Cookies\FRB353~1.SH! C:\DOCUME~1\Fredooch\Cookies\FR90FA~1.SH! C:\DOCUME~1\Fredooch\Cookies\FR1150~1.SH!
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: Extender Resource Monitor.lnk = C:\WINDOWS\ehome\RMSysTry.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {483EB14D-AF1C-4951-81B0-4E2B41829FF6} (QOLCheck Control) - https://www.select2p...bs/QOLCheck.ocx
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1202257947406
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ent/swflash.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Filter hijack: text/html - {39d60013-e993-4ded-85eb-d2ff4589bb4e} - (no file)
O20 - Winlogon Notify: charNic - charNic.dll (file missing)
O20 - Winlogon Notify: efcbcbc - efcbcbc.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SupportSoft Sprocket Service (medicsp2) (sprtsvc_medicsp2) - SupportSoft, Inc. - C:\Program Files\twc\medicsp2\bin\sprtsvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: UPnPService - Magix AG - C:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 13918 bytes

#10 Noviciate

Noviciate

    Retired WTT Teacher

  • Visiting Fellow
  • PipPipPipPipPip
  • 2,907 posts

Posted 03 October 2009 - 02:48 PM

You may need to set Windows to show All Hidden Files and Folders.
Instructions can be found here.
** These files are hidden to stop you accidentally removing something important.
It is advisable to hide them again after fixing your computer. **

1) Run HijackThis as you did to generate a log, but this time click on 'Do a system scan only'.
Place a checkmark in the boxes to the left of the following entries, by clicking on them:

O2 - BHO: {dcaaf66a-cb7a-8398-8804-dd888210ca83} - {38ac0128-88dd-4088-8938-a7bca66faacd} - (no file)
O2 - BHO: (no name) - {486FDF0D-DF14-4532-807A-B741E908E2DA} - (no file)
O2 - BHO: (no name) - {674CA4EB-8D12-4B61-A032-B25E22B0C2F4} - (no file)
O2 - BHO: (no name) - {8D27B193-E71B-4390-99CA-1B263CFB042f} - (no file)
O2 - BHO: (no name) - {ca747fab-a4ae-41b1-970d-86398f85319a} - (no file)
O2 - BHO: (no name) - {d5d40b74-119f-47d2-865c-6efdf054eb16} - (no file)
O2 - BHO: (no name) - {F1FDD4FC-C230-4E13-A4B0-33EBF44D3FCF} - (no file)

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O18 - Filter hijack: text/html - {39d60013-e993-4ded-85eb-d2ff4589bb4e} - (no file)
O20 - Winlogon Notify: charNic - charNic.dll (file missing)
O20 - Winlogon Notify: efcbcbc - efcbcbc.dll (file missing)

CLOSE ALL OPEN WINDOWS AND BROWSERS - EXCEPT HJT and click on Fix checked

2) Remove any/all of the following files/folders that you can find:

Files

C:\WINDOWS\system32\2Rb77Pjy02ZvoLw.vbs
C:\WINDOWS\system32\8iU94iuF0fhuqOe.vbs
C:\WINDOWS\system32\datime32.dll
C:\WINDOWS\system32\dlqpkesd.ini
C:\WINDOWS\system32\euqowkpl.ini
C:\WINDOWS\system32\FrWPMRk.vbs
C:\WINDOWS\system32\hnmdhtcl.ini
C:\WINDOWS\system32\JaxLFZFy0Ipvbo7.vbs
C:\WINDOWS\system32\jbxgpdmp.ini
C:\WINDOWS\system32\JiQpWvut.ini
C:\WINDOWS\system32\JiQpWvut.ini2
C:\WINDOWS\system32\klhdijuw.ini
C:\WINDOWS\system32\krndpgxc.ini
C:\WINDOWS\system32\loleueba.ini
C:\WINDOWS\system32\lqeumsxe.ini
C:\WINDOWS\system32\obmrdurx.ini
C:\WINDOWS\system32\oUtsDcdd.ini
C:\WINDOWS\system32\oUtsDcdd.ini2
C:\WINDOWS\system32\pdfyjybh.ini
C:\WINDOWS\system32\pekprpwq.ini
C:\WINDOWS\system32\pirdnwlx.ini
C:\WINDOWS\system32\qybkeaek.ini
C:\WINDOWS\system32\qyiugrka.ini
C:\WINDOWS\system32\rodspnxc.ini
C:\WINDOWS\system32\rraqsqyf.ini
C:\WINDOWS\system32\ryjaaalf.ini
C:\WINDOWS\system32\sbfrqsmo.ini
C:\WINDOWS\system32\thtieika.ini
C:\WINDOWS\system32\utbmctsg.ini
C:\WINDOWS\system32\vyadd.ini
C:\WINDOWS\system32\vyadd.ini2
C:\WINDOWS\system32\wbmjndpk.ini
C:\WINDOWS\system32\ymqcmgne.ini

As an example:
To delete C:\WINDOWS\system32\filetogo.bye
Double click the My Computer icon on your Desktop.
Double click on Local Disc (C:)
Double click on the Windows folder,
Double click on the System 32 folder,
Right click on filetogo.bye and from the menu that appears, click on 'Delete'

Files

charNic.dll
efcbcbc.dll

Click on Start,
Click on Search
Click on 'All files and folders'
In the 'All or part of the file name:' textbox, enter the above file name(s) and click on Search
Right click on any entries that are found and from the menu that appears, click on Delete

Should any of these files fail to delete, reboot the PC and try again. If they still don't go, try Safe Mode and then give up and let me know.

Let me have a fresh HJT log and a brief description of the PC's behaviour, as always, and also the results of the instructions below.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Download gmer.zip from here and save it to your Desktop.
You will need to unzip it before you run it.

To do this: Right click on the zipped folder and from the menu that appears, click on Extract All...
In the 'Extraction Wizard' window that opens, click on Next> and in the next window that appears, click on Next> again.
In the final window, click on Finish

Double click gmer.exe to begin:
  • If you get a message about rootkit activity and are asked if you want to scan, click No.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for
    • Sections
    • IAT/EAT
    • Show All
    • All drives except your main one, which is usually C:\.
  • Click the Scan button on the right.
  • When the scan has completed, (you'll have time for a snack and a cuppa!), click the Save button and pick a name and handy location.
The Preview option may show the whole log being posted, but they sometimes get cut down when the actual post is made, so check the post once it is completed.
Death to the salad eaters!

    Advertisements

Register to Remove

#11 Fredooch

Fredooch

    New Member

  • Authentic Member
  • Pip
  • 19 posts

Posted 03 October 2009 - 07:15 PM

I was able to delete all the files you stated except the 2 that you wanted for me to manually search for. I searched for them and they did not show up. Computer is behaving normally.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:13:30 PM, on 10/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\ehome\RMSysTry.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\Program Files\twc\medicsp2\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\DOCUME~1\Fredooch\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?fr=fp-yie8
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?fr=fp-yie8
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo....?fr=mcafee&p=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Easy Gif Animator Toolbar Helper - {96372AB6-15EB-4316-B497-71C741BC548C} - C:\Program Files\Easy Gif Animator Extension\v3.3.0.0\EasyGifAnimator_Toolbar.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: Easy Gif Animator Toolbar - {35065594-9169-4A34-B167-FC4865038E53} - C:\Program Files\Easy Gif Animator Extension\v3.3.0.0\EasyGifAnimator_Toolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [medicsp2] C:\Program Files\twc\medicsp2\bin\sprtcmd.exe /P medicsp2
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [TrayServer] C:\PROGRA~1\MAGIX\MOVIE_~1\TrayServer.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [DelayShred] c:\PROGRA~1\mcafee\mshr\ShrCL.EXE /P7 /q C:\DOCUME~1\Fredooch\Cookies\FREDOO~3.SH! C:\DOCUME~1\Fredooch\Cookies\FR44B4~1.TXT C:\DOCUME~1\Fredooch\Cookies\FRC66A~1.SH! C:\DOCUME~1\Fredooch\Cookies\FRD1D8~1.SH! C:\DOCUME~1\Fredooch\Cookies\FR73AE~1.SH! C:\DOCUME~1\Fredooch\Cookies\FR6BBB~1.SH! C:\DOCUME~1\Fredooch\Cookies\FRE4E4~1.SH! C:\DOCUME~1\Fredooch\Cookies\FRB353~1.SH! C:\DOCUME~1\Fredooch\Cookies\FR90FA~1.SH! C:\DOCUME~1\Fredooch\Cookies\FR1150~1.SH!
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: Extender Resource Monitor.lnk = C:\WINDOWS\ehome\RMSysTry.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {483EB14D-AF1C-4951-81B0-4E2B41829FF6} (QOLCheck Control) - https://www.select2p...bs/QOLCheck.ocx
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1202257947406
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ent/swflash.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Filter hijack: text/html - {39d60013-e993-4ded-85eb-d2ff4589bb4e} - (no file)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SupportSoft Sprocket Service (medicsp2) (sprtsvc_medicsp2) - SupportSoft, Inc. - C:\Program Files\twc\medicsp2\bin\sprtsvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

#12 Fredooch

Fredooch

    New Member

  • Authentic Member
  • Pip
  • 19 posts

Posted 04 October 2009 - 12:03 AM

GMER 1.0.15.15087 - http://www.gmer.net
Rootkit scan 2009-10-03 23:13:20
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Fredooch\LOCALS~1\Temp\pwtdypob.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xEE24C4EA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xEE24C581]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xEE24C498]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xEE24C4AC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xEE24C595]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xEE24C5C1]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xEE24C62F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xEE24C619]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xEE24C52A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xEE24C65B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xEE24C56D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xEE24C470]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xEE24C484]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xEE24C4FE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xEE24C697]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xEE24C603]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xEE24C5ED]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xEE24C5AB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xEE24C683]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xEE24C66F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xEE24C4D6]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xEE24C4C2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xEE24C5D7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xEE24C559]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xEE24C645]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xEE24C540]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xEE24C514]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- EOF - GMER 1.0.15 ----

#13 Noviciate

Noviciate

    Retired WTT Teacher

  • Visiting Fellow
  • PipPipPipPipPip
  • 2,907 posts

Posted 04 October 2009 - 12:37 PM

OK, I need you to check on the status of your firewall for me - assuming that you are using the McAfee one, it should be active.
Death to the salad eaters!

#14 Fredooch

Fredooch

    New Member

  • Authentic Member
  • Pip
  • 19 posts

Posted 04 October 2009 - 12:58 PM

Yes it is active

#15 Noviciate

Noviciate

    Retired WTT Teacher

  • Visiting Fellow
  • PipPipPipPipPip
  • 2,907 posts

Posted 04 October 2009 - 02:43 PM

Good. The only problem remaining is taken from an earlier log:

Path: Volume G:\
Status: MBR Rootkit Detected!

Path: Volume G:\, Sector 1
Status: Sector mismatch

Path: Volume G:\, Sector 61
Status: Sector mismatch

Path: Volume G:\, Sector 62
Status: Sector mismatch

I'm not sure why this is showing, unless you have used Volume G as a main drive at some time - is this the case?
Death to the salad eaters!

Related Topics

Back to Virus, Spyware & Malware Removal · Next Unread Topic →

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. What the Tech
  2. Spyware / Malware / Virus Removal
  3. Virus, Spyware & Malware Removal
  4. Privacy Policy
  5. Terms of Use ·