
[Resolved] McAfee has detected an infection that cannot be repa


11 replies to this topic

#1 hyprchld88 (New Member, 13 posts)

Posted 27 October 2007 - 10:52 AM

Got this virus the other day and cannot seem to fix it. I've tried scanning with like 6 other virus scanners but nothing can get it. I keep getting a message from McAfee saying:
McAfee has detected an infected file that cannot be repaired.
Detection: Downloader.gen.a (Trojan).
File Path: C:\WINDOWS\system32\gebxuuv.dll

Someone please help me fix this problem.

Details
Detection: Downloader.gen.a (Trojan), Downloader.gen.a (Trojan), Downloader.gen.a (Trojan), Downloader.gen.a (Trojan), Downloader.gen.a (Trojan), Downloader.gen.a (Trojan), Downloader.gen.a (Trojan)
File Path: C:\WINDOWS\system32\gebxuuv.dll

More Info
Trojan horses appear to be legitimate programs but can disrupt, damage, or provide unauthorized access to your computer.


Logfile of HijackThis v1.99.1
Scan saved at 12:38:58 PM, on 10/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Creative\MediaSource5\Go\CTCMSGoU.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Azureus Installer\Azureus-Installer.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\Xfire\xfire.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.defaulthomepage.info
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.defaulthomepage.info
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - C:\WINDOWS\system32\qywlnthe.dll
O2 - BHO: (no name) - {8EDA102C-FED9-4E45-A3F5-31BD343AAD9F} - C:\WINDOWS\system32\pmnnl.dll (file missing)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\slznrlrx.dll (file missing)
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\slznrlrx.dll (file missing)
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CTXFIREG] CTxfiReg.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [28d6c1cf] rundll32.exe "C:\WINDOWS\system32\rrnaayji.dll",b
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [Creative MediaSource Go] "C:\Program Files\Creative\MediaSource5\Go\CTCMSGoU.exe" /SCB
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Azureus Installer] "C:\Program Files\Azureus Installer\Azureus-Installer.exe" hmw
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O4 - Global Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: gebxuuv - C:\WINDOWS\SYSTEM32\gebxuuv.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe



#2 Trevuren (Teacher Emeritus, Authentic Member, 8,632 posts; Interests: Woodworking)

Posted 27 October 2007 - 11:51 AM

Hello hyprchld88 and welcome to the What the Tech Forums

My name is Trevuren and I will be helping you with your problem.

A. Please download this file - combofix.exe by sUBs
  • You must download it to and run it from your Desktop
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log.
Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

Regards,

Trevuren

Microsoft MVP Consumer Security 2008 - 2009


Proud graduate of TC/WTT Classroom




#3 hyprchld88 (New Member, 13 posts)

Posted 27 October 2007 - 12:32 PM

ComboFix 07-10-27.4 - Mason 2007-10-27 14:01:27.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.164 [GMT -4:00]
Running from: C:\Documents and Settings\Mason\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Mason\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Mason\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Mason\Favorites\Online Security Guide.lnk
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\lnnmp.bak1
C:\WINDOWS\system32\lnnmp.bak2
C:\WINDOWS\system32\lnnmp.tmp
C:\WINDOWS\system32\Packet.dll
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\qywlnthe.dll
C:\WINDOWS\system32\slznrlrx.dllbox
C:\WINDOWS\system32\WanPacket.dll
C:\WINDOWS\system32\wpcap.dll
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_NPF
-------\NPF


((((((((((((((((((((((((( Files Created from 2007-09-27 to 2007-10-27 )))))))))))))))))))))))))))))))
.

2007-10-27 13:59 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-27 13:31 <DIR> d-------- C:\Program Files\Common Files\Scanner
2007-10-27 13:29 <DIR> d-------- C:\Program Files\Yahoo!
2007-10-26 14:37 <DIR> d-------- C:\Documents and Settings\Mason\Application Data\Lavasoft
2007-10-26 12:22 86,592 --a------ C:\WINDOWS\system32\rrnaayji.dll
2007-10-25 20:42 44,054 --a------ C:\WINDOWS\system32\gebxuuv.dll
2007-10-25 20:35 <DIR> d-------- C:\Documents and Settings\Mason\Application Data\Azureus
2007-10-25 20:35 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Azureus
2007-10-25 20:24 <DIR> d-------- C:\Program Files\Azureus
2007-10-25 20:19 36 --a------ C:\WINDOWS\system32\azi.dat
2007-10-25 20:18 <DIR> d-------- C:\Program Files\Azureus Installer
2007-10-25 17:05 <DIR> d-------- C:\Program Files\Funcom
2007-10-24 20:39 <DIR> d-------- C:\Documents and Settings\NetworkService.NT AUTHORITY\Application Data\Xfire
2007-10-24 20:35 <DIR> d-------- C:\Program Files\Xfire
2007-10-24 20:35 <DIR> d-------- C:\Documents and Settings\Mason\Application Data\Xfire
2007-10-24 19:04 <DIR> d-------- C:\Documents and Settings\Mason\Application Data\My Battle for Middle-earth Files
2007-10-24 18:50 <DIR> d-------- C:\Program Files\EA GAMES
2007-10-24 18:33 <DIR> d-------- C:\Documents and Settings\Mason\Application Data\My The Lord of the Rings, The Rise of the Witch-king Files
2007-10-24 17:50 <DIR> d-------- C:\Program Files\Electronic Arts
2007-10-24 17:48 <DIR> d-------- C:\Program Files\Common Files\EasyInfo
2007-10-22 16:32 <DIR> d-------- C:\Program Files\Total Video Converter
2007-10-20 14:51 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-10-20 14:49 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-10-14 12:52 <DIR> d-------- C:\users
2007-10-14 12:52 <DIR> d-------- C:\My Games
2007-10-14 12:48 <DIR> d-------- C:\Program Files\RealArcade
2007-10-03 23:45 98,304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-10-03 23:05 <DIR> d-------- C:\Program Files\GameSpy Arcade
2007-10-03 22:53 <DIR> d-------- C:\Program Files\Sierra
2007-09-29 21:53 <DIR> d-------- C:\WINDOWS\FLV Player
2007-09-29 21:53 <DIR> d-------- C:\Program Files\FLV Player
2007-09-29 19:09 <DIR> d-------- C:\Hot Chick
2007-09-29 17:44 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\LightScribe
2007-09-29 17:43 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-09-29 17:43 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-09-29 17:42 <DIR> d-------- C:\Program Files\The Weather Channel FW
2007-09-29 17:39 <DIR> d-------- C:\Documents and Settings\Mason\Application Data\Ahead
2007-09-29 17:38 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Ahead
2007-09-29 17:33 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Nero
2007-09-29 17:08 <DIR> d-------- C:\Program Files\BitLord2
2007-09-29 15:52 <DIR> d-------- C:\Documents and Settings\Mason\Application Data\Creative
2007-09-29 13:57 405,504 --a------ C:\WINDOWS\system32\wrap_oal.dll
2007-09-29 13:41 44,032 --a------ C:\WINDOWS\system32\CTSVCCDA.EXE
2007-09-29 13:41 25,088 --a------ C:\WINDOWS\system32\CTSVCCTL.EXE
2007-09-28 20:22 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Last.fm
2007-09-28 19:20 <DIR> d-------- C:\Documents and Settings\Mason\Application Data\Apple Computer
2007-09-28 19:18 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Apple Computer
2007-09-28 19:16 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Apple
2007-09-28 19:06 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2007-09-28 19:04 171,240 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2007-09-28 19:04 109,608 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2007-09-28 19:04 71,496 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2007-09-28 19:04 37,480 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2007-09-28 19:04 34,184 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2007-09-28 19:04 32,008 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2007-09-28 19:03 <DIR> d-------- C:\Program Files\McAfee.com
2007-09-28 19:03 <DIR> d-------- C:\Program Files\Common Files\McAfee
2007-09-28 18:56 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\McAfee
2007-09-28 17:24 2,012 --a------ C:\WINDOWS\mozver.dat
2007-09-28 17:14 113,128 --a------ C:\WINDOWS\system32\drivers\keyscrambler.sys
2007-09-28 16:48 <DIR> d-------- C:\Documents and Settings\Mason\dwhelper
2007-09-28 16:33 0 --a------ C:\WINDOWS\nsreg.dat
2007-09-28 16:29 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2007-09-27 11:44 23,856 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-09-27 11:17 90,112 --------- C:\WINDOWS\Updreg.EXE
2007-09-27 11:17 82,944 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys
2007-09-27 11:17 82,944 --a--c--- C:\WINDOWS\system32\dllcache\wdmaud.sys
2007-09-27 11:17 52,864 --a------ C:\WINDOWS\system32\drivers\DMusic.sys
2007-09-27 11:17 52,864 --a--c--- C:\WINDOWS\system32\dllcache\dmusic.sys
2007-09-27 11:17 41,984 --------- C:\WINDOWS\Ctregrun.exe
2007-09-27 11:17 6,400 --a------ C:\WINDOWS\system32\drivers\splitter.sys
2007-09-27 11:17 6,400 --a--c--- C:\WINDOWS\system32\dllcache\splitter.sys
2007-09-27 11:15 11,264 --a------ C:\WINDOWS\INRES.DLL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-27 16:17 --------- d-----w C:\Program Files\Java
2007-10-25 21:05 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-25 00:46 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01001_Coinstaller_Critical.Wdf
2007-10-25 00:46 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_xusb21_01001.Wdf
2007-10-09 23:03 --------- d-----w C:\Program Files\McAfee
2007-09-29 21:00 --------- d-----w C:\Program Files\Common Files\LightScribe
2007-09-29 18:06 --------- d--h--w C:\Program Files\Creative Installation Information
2007-09-29 17:59 --------- d-----w C:\Program Files\Creative
2007-09-29 17:57 86,016 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2007-09-29 00:20 --------- d-----w C:\Program Files\Last.fm
2007-09-29 00:10 --------- d-----w C:\Program Files\iTunes
2007-09-29 00:10 --------- d-----w C:\Program Files\iPod
2007-09-29 00:09 --------- d-----w C:\Program Files\Apple Software Update
2007-09-24 11:47 512 ----a-w C:\ScanSectorLog.dat
2007-09-09 00:38 --------- d-----w C:\Documents and Settings\Owner\Application Data\SampleView
2007-09-06 07:40 --------- d-----w C:\Documents and Settings\Owner\Application Data\Ahead
2007-09-06 05:11 --------- d-----w C:\Program Files\Halo 3 News Reader
2007-09-06 05:11 --------- d-----w C:\Documents and Settings\Owner\Application Data\Halo 3 News Reader
2007-08-29 06:19 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM
2007-08-29 00:47 --------- d-----w C:\Program Files\e-Sword
2007-08-28 23:37 --------- d-----w C:\Documents and Settings\Owner\Application Data\Roxio
2007-08-28 23:32 --------- d-----w C:\Program Files\Napster
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-07-30 23:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 23:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-30 23:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 23:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 23:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-30 23:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-30 23:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 23:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{837B45D6-BF85-457D-AABF-6D2E7815F791}]
2007-10-25 20:42 44054 --a------ C:\WINDOWS\system32\gebxuuv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8EDA102C-FED9-4E45-A3F5-31BD343AAD9F}]
C:\WINDOWS\system32\pmnnl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"P17Helper"="P17.dll" [2006-03-17 16:11 C:\WINDOWS\system32\P17.dll]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 09:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 14:42]
"CTXFIREG"="CTxfiReg.exe" []
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 15:57]
"28d6c1cf"="C:\WINDOWS\system32\rrnaayji.dll" [2007-10-26 12:22]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative MediaSource Go"="C:\Program Files\Creative\MediaSource5\Go\CTCMSGoU.exe" [2006-11-09 10:19]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 18:23]
"DW4"="C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe" [2007-03-16 07:51]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 22:03]
"Azureus Installer"="C:\Program Files\Azureus Installer\Azureus-Installer.exe" [2007-03-15 10:45]

C:\Documents and Settings\Mason\Start Menu\Programs\Startup\
Xfire.lnk - C:\Program Files\Xfire\xfire.exe [2007-10-02 19:55:24]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2007-09-12 00:48:38]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{837B45D6-BF85-457D-AABF-6D2E7815F791}"= C:\WINDOWS\system32\gebxuuv.dll [2007-10-25 20:42 44054]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebxuuv]
gebxuuv.dll 2007-10-25 20:42 44054 C:\WINDOWS\system32\gebxuuv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

R3 KeyScrambler;KeyScrambler;C:\WINDOWS\system32\drivers\keyscrambler.sys
R3 P17;Sound Blaster Audigy;C:\WINDOWS\system32\drivers\P17.sys
R3 p17filt;p17filt;C:\WINDOWS\system32\drivers\p17filt.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-09-29 00:09:20 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-10-15 08:17:06 C:\WINDOWS\Tasks\McDefragTask.job"
"2007-10-01 05:00:14 C:\WINDOWS\Tasks\McQcTask.job"
.
**************************************************************************

catchme 0.3.1239 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-27 14:13:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-27 14:18:03 - machine was rebooted
.
--- E O F ---



HJT LOG

Logfile of HijackThis v1.99.1
Scan saved at 2:27:54 PM, on 10/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Creative\MediaSource5\Go\CTCMSGoU.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Azureus Installer\Azureus-Installer.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?.home=ytie
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: (no name) - {837B45D6-BF85-457D-AABF-6D2E7815F791} - C:\WINDOWS\system32\gebxuuv.dll
O2 - BHO: (no name) - {8EDA102C-FED9-4E45-A3F5-31BD343AAD9F} - C:\WINDOWS\system32\pmnnl.dll (file missing)
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CTXFIREG] CTxfiReg.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [28d6c1cf] rundll32.exe "C:\WINDOWS\system32\rrnaayji.dll",b
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [Creative MediaSource Go] "C:\Program Files\Creative\MediaSource5\Go\CTCMSGoU.exe" /SCB
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Azureus Installer] "C:\Program Files\Azureus Installer\Azureus-Installer.exe" hmw
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O4 - Global Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: gebxuuv - C:\WINDOWS\SYSTEM32\gebxuuv.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

#4 Trevuren (Teacher Emeritus, Authentic Member, 8,632 posts; Interests: Woodworking)

Posted 27 October 2007 - 01:23 PM

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\rrnaayji.dll
C:\WINDOWS\system32\gebxuuv.dll
C:\WINDOWS\system32\pmnnl.dll

Dirlook::
C:\users

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{837B45D6-BF85-457D-AABF-6D2E7815F791}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8EDA102C-FED9-4E45-A3F5-31BD343AAD9F}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"28d6c1cf"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebxuuv]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: dragging CFScript.txt onto ComboFix.exe]


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

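Editor's note: the following is an added example, not code from this thread, its participants, HijackThis or ComboFix. It shows how the triage of the HijackThis log in post #1 and the CFScript in post #4 fit together: a Python script parses a few HijackThis O2/O4/O20 lines (a constructed sample whose paths and CLSIDs are taken from the log above, plus one stock crypt32chain line to exercise the whitelist), flags the loading points a helper would question, and drafts File:: and Registry:: sections in the layout Trevuren used. The list of stock XP SP2 Winlogon Notify packages and the random-name heuristic are assumptions; the output is text for review and the script changes nothing on the machine.

```python
"""Triage HijackThis loading points and draft a ComboFix CFScript from the hits.

Added example, not part of the original thread and not HijackThis/ComboFix code.
Heuristics: an unnamed BHO, an orphaned "(file missing)" registration, a Run value
with a hex-blob name, and a Winlogon Notify package outside the stock XP set
(those DLLs are loaded into winlogon.exe, which runs as SYSTEM).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in HijackThis 1.99.1 line format. Paths and CLSIDs come from
# the log above; the crypt32chain line is added to exercise the whitelist.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {837B45D6-BF85-457D-AABF-6D2E7815F791} - C:\WINDOWS\system32\gebxuuv.dll
O2 - BHO: (no name) - {8EDA102C-FED9-4E45-A3F5-31BD343AAD9F} - C:\WINDOWS\system32\pmnnl.dll (file missing)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [28d6c1cf] rundll32.exe "C:\WINDOWS\system32\rrnaayji.dll",b
O20 - Winlogon Notify: crypt32chain - C:\WINDOWS\system32\crypt32.dll
O20 - Winlogon Notify: gebxuuv - C:\WINDOWS\SYSTEM32\gebxuuv.dll
"""

# Stock Winlogon Notify packages on XP SP2 (assumption; compared case-insensitively).
STOCK_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon"}

# Registry keys written the way ComboFix prints them (the "~" is its own shorthand).
BHO_KEY = r"HKEY_LOCAL_MACHINE\~\Browser Helper Objects"
RUN_KEY = {"HKLM": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
           "HKCU": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify"

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
                   r"(?P<path>.*?)(?P<missing> \(file missing\))?$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<pkg>\S+) - (?P<path>.*)$")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"<>|]+?\.(?:dll|exe)', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    section: str    # HijackThis section the line came from: O2, O4 or O20
    path: str       # target file ("" if the line names none)
    reason: str
    registry: str   # CFScript Registry:: lines that remove the loading point


def looks_random(stem: str) -> bool:
    """Weak signal only: all-letter name that is vowel-starved or has a long consonant run."""
    s = stem.lower()
    if not (5 <= len(s) <= 10 and s.isalpha()):
        return False
    vowel_ratio = sum(c in "aeiou" for c in s) / len(s)
    longest_run = max(len(run) for run in (re.findall(r"[^aeiou]+", s) or [""]))
    return vowel_ratio < 0.2 or longest_run >= 4


def _stem(path: str) -> str:
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def triage(log_text: str) -> list[Finding]:
    """One Finding per O2/O4/O20 line that trips a heuristic; clean lines yield nothing."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O2_RE.match(line):
            reasons = []
            if m["name"] == "(no name)":
                reasons.append("BHO registered without a name")
            if m["missing"]:
                reasons.append("target file missing (orphaned registration)")
            if looks_random(_stem(m["path"])):
                reasons.append("random-looking DLL name")
            if reasons:
                findings.append(Finding("O2", m["path"], "; ".join(reasons),
                                        f"[-{BHO_KEY}\\{m['clsid']}]"))
        elif m := O4_RE.match(line):
            pm = PATH_RE.search(m["cmd"])
            path = pm.group(0) if pm else ""
            reasons = []
            if re.fullmatch(r"[0-9a-f]{6,}", m["value"], re.IGNORECASE):
                reasons.append("Run value named with a hex blob instead of a product name")
            if (m["cmd"].lower().startswith("rundll32") and "system32" in path.lower()
                    and looks_random(_stem(path))):
                reasons.append("rundll32 loading a random-named DLL from system32")
            if reasons:
                findings.append(Finding("O4", path, "; ".join(reasons),
                                        f"[{RUN_KEY[m['hive']]}]\n\"{m['value']}\"=-"))
        elif m := O20_RE.match(line):
            if m["pkg"].lower() not in STOCK_NOTIFY:
                findings.append(Finding("O20", m["path"],
                                        "Winlogon Notify package outside the stock XP set",
                                        f"[-{NOTIFY_KEY}\\{m['pkg']}]"))
    return findings


def draft_cfscript(findings: list[Finding]) -> str:
    """Render File:: and Registry:: sections in the layout used in post #4.
    Text for a helper to review; this touches nothing on disk or in the registry."""
    files: list[str] = []
    for f in findings:  # dedupe paths case-insensitively (system32 vs SYSTEM32)
        if f.path and f.path.lower() not in (p.lower() for p in files):
            files.append(f.path)
    registry = list(dict.fromkeys(f.registry for f in findings))
    return "File::\n" + "\n".join(files) + "\n\nRegistry::\n" + "\n".join(registry) + "\n"


if __name__ == "__main__":
    print(draft_cfscript(triage(SAMPLE_LOG)))
```

Run against the sample and compare with post #4: the same three DLLs land in File:: and the same four Registry:: entries come out (the Dirlook:: of C:\users was Trevuren's own judgment call and is not derived here). Note that gebxuuv and rrnaayji pass the name heuristic; the structural signals (unnamed BHO, hex-named Run value, non-stock Winlogon Notify package) are what carry the decision, which is why a triage script should never rest on name entropy alone.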

#5 hyprchld88 (New Member, 13 posts)

Posted 27 October 2007 - 02:03 PM

ComboFix 07-10-27.4 - Mason 2007-10-27 15:41:42.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.88 [GMT -4:00]
Running from: C:\Documents and Settings\Mason\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mason\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\gebxuuv.dll
C:\WINDOWS\system32\pmnnl.dll
C:\WINDOWS\system32\rrnaayji.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\gebxuuv.dll
C:\WINDOWS\system32\rrnaayji.dll

.
((((((((((((((((((((((((( Files Created from 2007-09-27 to 2007-10-27 )))))))))))))))))))))))))))))))
.

2007-10-27 13:59 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-27 13:31 <DIR> d-------- C:\Program Files\Common Files\Scanner
2007-10-27 13:29 <DIR> d-------- C:\Program Files\Yahoo!
2007-10-26 14:37 <DIR> d-------- C:\Documents and Settings\Mason\Application Data\Lavasoft
2007-10-25 20:35 <DIR> d-------- C:\Documents and Settings\Mason\Application Data\Azureus
2007-10-25 20:35 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Azureus
2007-10-25 20:24 <DIR> d-------- C:\Program Files\Azureus
2007-10-25 20:19 36 --a------ C:\WINDOWS\system32\azi.dat
2007-10-25 20:18 <DIR> d-------- C:\Program Files\Azureus Installer
2007-10-25 17:05 <DIR> d-------- C:\Program Files\Funcom
2007-10-24 20:39 <DIR> d-------- C:\Documents and Settings\NetworkService.NT AUTHORITY\Application Data\Xfire
2007-10-24 20:35 <DIR> d-------- C:\Program Files\Xfire
2007-10-24 20:35 <DIR> d-------- C:\Documents and Settings\Mason\Application Data\Xfire
2007-10-24 19:04 <DIR> d-------- C:\Documents and Settings\Mason\Application Data\My Battle for Middle-earth Files
2007-10-24 18:50 <DIR> d-------- C:\Program Files\EA GAMES
2007-10-24 18:33 <DIR> d-------- C:\Documents and Settings\Mason\Application Data\My The Lord of the Rings, The Rise of the Witch-king Files
2007-10-24 17:50 <DIR> d-------- C:\Program Files\Electronic Arts
2007-10-24 17:48 <DIR> d-------- C:\Program Files\Common Files\EasyInfo
2007-10-22 16:32 <DIR> d-------- C:\Program Files\Total Video Converter
2007-10-20 14:51 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-10-20 14:49 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-10-14 12:52 <DIR> d-------- C:\users
2007-10-14 12:52 <DIR> d-------- C:\My Games
2007-10-14 12:48 <DIR> d-------- C:\Program Files\RealArcade
2007-10-03 23:45 98,304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-10-03 23:05 <DIR> d-------- C:\Program Files\GameSpy Arcade
2007-10-03 22:53 <DIR> d-------- C:\Program Files\Sierra
2007-09-29 21:53 <DIR> d-------- C:\WINDOWS\FLV Player
2007-09-29 21:53 <DIR> d-------- C:\Program Files\FLV Player
2007-09-29 19:09 <DIR> d-------- C:\Hot Chick
2007-09-29 17:44 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\LightScribe
2007-09-29 17:43 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-09-29 17:43 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-09-29 17:42 <DIR> d-------- C:\Program Files\The Weather Channel FW
2007-09-29 17:39 <DIR> d-------- C:\Documents and Settings\Mason\Application Data\Ahead
2007-09-29 17:38 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Ahead
2007-09-29 17:33 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Nero
2007-09-29 17:08 <DIR> d-------- C:\Program Files\BitLord2
2007-09-29 15:52 <DIR> d-------- C:\Documents and Settings\Mason\Application Data\Creative
2007-09-29 13:57 405,504 --a------ C:\WINDOWS\system32\wrap_oal.dll
2007-09-29 13:41 44,032 --a------ C:\WINDOWS\system32\CTSVCCDA.EXE
2007-09-29 13:41 25,088 --a------ C:\WINDOWS\system32\CTSVCCTL.EXE
2007-09-28 20:22 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Last.fm
2007-09-28 19:20 <DIR> d-------- C:\Documents and Settings\Mason\Application Data\Apple Computer
2007-09-28 19:18 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Apple Computer
2007-09-28 19:16 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Apple
2007-09-28 19:06 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2007-09-28 19:04 171,240 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2007-09-28 19:04 109,608 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2007-09-28 19:04 71,496 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2007-09-28 19:04 37,480 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2007-09-28 19:04 34,184 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2007-09-28 19:04 32,008 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2007-09-28 19:03 <DIR> d-------- C:\Program Files\McAfee.com
2007-09-28 19:03 <DIR> d-------- C:\Program Files\Common Files\McAfee
2007-09-28 18:56 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\McAfee
2007-09-28 17:24 2,012 --a------ C:\WINDOWS\mozver.dat
2007-09-28 17:14 113,128 --a------ C:\WINDOWS\system32\drivers\keyscrambler.sys
2007-09-28 16:48 <DIR> d-------- C:\Documents and Settings\Mason\dwhelper
2007-09-28 16:33 0 --a------ C:\WINDOWS\nsreg.dat
2007-09-28 16:29 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2007-09-27 11:44 23,856 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-09-27 11:17 90,112 --------- C:\WINDOWS\Updreg.EXE
2007-09-27 11:17 82,944 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys
2007-09-27 11:17 82,944 --a--c--- C:\WINDOWS\system32\dllcache\wdmaud.sys
2007-09-27 11:17 52,864 --a------ C:\WINDOWS\system32\drivers\DMusic.sys
2007-09-27 11:17 52,864 --a--c--- C:\WINDOWS\system32\dllcache\dmusic.sys
2007-09-27 11:17 41,984 --------- C:\WINDOWS\Ctregrun.exe
2007-09-27 11:17 6,400 --a------ C:\WINDOWS\system32\drivers\splitter.sys
2007-09-27 11:17 6,400 --a--c--- C:\WINDOWS\system32\dllcache\splitter.sys
2007-09-27 11:15 11,264 --a------ C:\WINDOWS\INRES.DLL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-27 16:17 --------- d-----w C:\Program Files\Java
2007-10-25 21:05 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-25 00:46 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01001_Coinstaller_Critical.Wdf
2007-10-25 00:46 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_xusb21_01001.Wdf
2007-10-09 23:03 --------- d-----w C:\Program Files\McAfee
2007-09-29 21:00 --------- d-----w C:\Program Files\Common Files\LightScribe
2007-09-29 18:06 --------- d--h--w C:\Program Files\Creative Installation Information
2007-09-29 17:59 --------- d-----w C:\Program Files\Creative
2007-09-29 17:57 86,016 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2007-09-29 00:20 --------- d-----w C:\Program Files\Last.fm
2007-09-29 00:10 --------- d-----w C:\Program Files\iTunes
2007-09-29 00:10 --------- d-----w C:\Program Files\iPod
2007-09-29 00:09 --------- d-----w C:\Program Files\Apple Software Update
2007-09-24 11:47 512 ----a-w C:\ScanSectorLog.dat
2007-09-09 00:38 --------- d-----w C:\Documents and Settings\Owner\Application Data\SampleView
2007-09-06 07:40 --------- d-----w C:\Documents and Settings\Owner\Application Data\Ahead
2007-09-06 05:11 --------- d-----w C:\Program Files\Halo 3 News Reader
2007-09-06 05:11 --------- d-----w C:\Documents and Settings\Owner\Application Data\Halo 3 News Reader
2007-08-29 06:19 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM
2007-08-29 00:47 --------- d-----w C:\Program Files\e-Sword
2007-08-28 23:37 --------- d-----w C:\Documents and Settings\Owner\Application Data\Roxio
2007-08-28 23:32 --------- d-----w C:\Program Files\Napster
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-07-30 23:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 23:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-30 23:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 23:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 23:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-30 23:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-30 23:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 23:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\users ----

2007-10-14 13:02 32768 --a------ C:\users\public\RealArcade\userdata_m2.db
2007-10-14 13:02 107 --a------ C:\users\public\RealArcade\18736.rnlic
2007-10-14 12:53 106496 --a------ C:\users\public\RealArcade\metadata_m2.db


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"P17Helper"="P17.dll" [2006-03-17 16:11 C:\WINDOWS\system32\P17.dll]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 09:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 14:42]
"CTXFIREG"="CTxfiReg.exe" []
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 15:57]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative MediaSource Go"="C:\Program Files\Creative\MediaSource5\Go\CTCMSGoU.exe" [2006-11-09 10:19]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 18:23]
"DW4"="C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe" [2007-03-16 07:51]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 22:03]
"Azureus Installer"="C:\Program Files\Azureus Installer\Azureus-Installer.exe" [2007-03-15 10:45]

C:\Documents and Settings\Mason\Start Menu\Programs\Startup\
Xfire.lnk - C:\Program Files\Xfire\xfire.exe [2007-10-02 19:55:24]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2007-09-12 00:48:38]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

R3 KeyScrambler;KeyScrambler;C:\WINDOWS\system32\drivers\keyscrambler.sys
R3 P17;Sound Blaster Audigy;C:\WINDOWS\system32\drivers\P17.sys
R3 p17filt;p17filt;C:\WINDOWS\system32\drivers\p17filt.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-09-29 00:09:20 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-10-15 08:17:06 C:\WINDOWS\Tasks\McDefragTask.job"
"2007-10-01 05:00:14 C:\WINDOWS\Tasks\McQcTask.job"
.
**************************************************************************

catchme 0.3.1239 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-27 15:50:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-10-27 15:52:19 - machine was rebooted
C:\ComboFix2.txt ... 2007-10-27 14:18
.
--- E O F ---




HJT report


Logfile of HijackThis v1.99.1
Scan saved at 3:58:35 PM, on 10/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Creative\MediaSource5\Go\CTCMSGoU.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?.home=ytie
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CTXFIREG] CTxfiReg.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [Creative MediaSource Go] "C:\Program Files\Creative\MediaSource5\Go\CTCMSGoU.exe" /SCB
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Azureus Installer] "C:\Program Files\Azureus Installer\Azureus-Installer.exe" hmw
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O4 - Global Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

#6 hyprchld88

hyprchld88

    New Member

  • New Member
  • Pip
  • 13 posts

Posted 27 October 2007 - 03:04 PM

Hey, everything seems OK now. Thank you very much.

#7 Trevuren

Trevuren

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 8,632 posts
  • Interests:Woodworking

Posted 27 October 2007 - 03:38 PM

Your logs appear clean. However, they just represent a sampling that was taken from your system. We still need to ensure that no more "baddies" are lurking on the rest of your system ready to pounce after one reboot or two.

Please use the Internet Explorer browser, and do an online scan with Kaspersky Online Scanner.
Click Yes when prompted to install its ActiveX component.
(Note for Internet Explorer 7 users: if at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75%. Once the license has been accepted, reset it to 100%.)
The program launches and downloads the latest definition files.
  • Once the files are downloaded, click on Next.
  • Click on Scan Settings and configure as follows:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK and, under Select a target to scan, select My Computer.
When the scan is done, in the Scan is completed window (below), any infection is displayed.
There is no option to clean/disinfect; however, we need to analyze the information in the report.
Posted Image
Posted Image
To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply, along with a fresh HijackThis log.
Microsoft MVP Consumer Security 2008 - 2009


Proud graduate of TC/WTT Classroom




#8 hyprchld88

hyprchld88

    New Member

  • New Member
  • Pip
  • 13 posts

Posted 27 October 2007 - 08:24 PM

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, October 27, 2007 10:19:57 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 28/10/2007
Kaspersky Anti-Virus database records: 447236
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
H:\

Scan Statistics:
Total number of scanned objects: 91463
Number of viruses found: 3
Number of infected objects: 9
Number of suspicious objects: 0
Duration of the scan process: 02:16:02

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\14128ac72e7e735f6b9c76113d0b0c67_2c1aa317-f268-4e3a-b5c2-05c34e45c127 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\McAfee\MNA\NAData Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\McAfee\MPF\data\log.edb Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\McAfee\MSC\Logs\Events.dat Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\McAfee\MSC\Logs\{1F506E8E-40B9-4980-84F3-88DBAED88AD7}.log Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\McAfee\MSC\Logs\{2191278D-524C-4876-8662-C41B70D19754}.log Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\McAfee\VirusScan\Data\TFR1.tmp Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Mason\Application Data\Mozilla\Firefox\Profilesbbdkabg.default\cert8.db Object is locked skipped
C:\Documents and Settings\Mason\Application Data\Mozilla\Firefox\Profilesbbdkabg.default\history.dat Object is locked skipped
C:\Documents and Settings\Mason\Application Data\Mozilla\Firefox\Profilesbbdkabg.default\key3.db Object is locked skipped
C:\Documents and Settings\Mason\Application Data\Mozilla\Firefox\Profilesbbdkabg.default\parent.lock Object is locked skipped
C:\Documents and Settings\Mason\Application Data\Mozilla\Firefox\Profilesbbdkabg.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Mason\Application Data\Mozilla\Firefox\Profilesbbdkabg.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Mason\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Mason\Local Settings\Application Data\Ahead\Nero Home\bl.db Object is locked skipped
C:\Documents and Settings\Mason\Local Settings\Application Data\Ahead\Nero Home\is2.db Object is locked skipped
C:\Documents and Settings\Mason\Local Settings\Application Data\Last.fm\Client\lastfmhelper.log Object is locked skipped
C:\Documents and Settings\Mason\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Mason\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Mason\Local Settings\Application Data\Mozilla\Firefox\Profilesbbdkabg.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Mason\Local Settings\Application Data\Mozilla\Firefox\Profilesbbdkabg.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Mason\Local Settings\Application Data\Mozilla\Firefox\Profilesbbdkabg.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Mason\Local Settings\Application Data\Mozilla\Firefox\Profilesbbdkabg.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Mason\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Mason\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Mason\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Mason\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\gebxuuv.dll.vir Infected: Trojan-Downloader.Win32.Agent.dlu skipped
C:\qoobox\Quarantine\catchme2007-10-27_154956.15.zip/gebxuuv.dll Infected: Trojan-Downloader.Win32.Agent.dlu skipped
C:\qoobox\Quarantine\catchme2007-10-27_154956.15.zip/gebxuuv.dll.1 Infected: Trojan-Downloader.Win32.Agent.dlu skipped
C:\qoobox\Quarantine\catchme2007-10-27_154956.15.zip ZIP: infected - 2 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{DDF9AFD2-EE81-45E3-8FA7-F4D2D9B64BFB}\RP65\A0008486.exe Infected: Trojan.Win32.Dialer.qn skipped
C:\System Volume Information\_restore{DDF9AFD2-EE81-45E3-8FA7-F4D2D9B64BFB}\RP65\A0008489.exe Infected: Trojan-Downloader.Win32.Small.fwh skipped
C:\System Volume Information\_restore{DDF9AFD2-EE81-45E3-8FA7-F4D2D9B64BFB}\RP69\A0008655.exe Infected: Trojan.Win32.Dialer.qn skipped
C:\System Volume Information\_restore{DDF9AFD2-EE81-45E3-8FA7-F4D2D9B64BFB}\RP69\A0008659.exe Infected: Trojan-Downloader.Win32.Small.fwh skipped
C:\System Volume Information\_restore{DDF9AFD2-EE81-45E3-8FA7-F4D2D9B64BFB}\RP70\A0009200.dll Infected: Trojan-Downloader.Win32.Agent.dlu skipped
C:\System Volume Information\_restore{DDF9AFD2-EE81-45E3-8FA7-F4D2D9B64BFB}\RP70\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\LogFiles\HTTPERR\httperr1.log Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\mcafee_VhSCpV4P8BTc9NL Object is locked skipped
C:\WINDOWS\Temp\mcmsc_4sKfXWNMd84GTkB Object is locked skipped
C:\WINDOWS\Temp\mcmsc_HfIlJlNpD15BhIA Object is locked skipped
C:\WINDOWS\Temp\mcmsc_IGlh8caAWSThkCJ Object is locked skipped
C:\WINDOWS\Temp\mcmsc_o3BZ5sbBFEyN6Rf Object is locked skipped
C:\WINDOWS\Temp\mcmsc_vCzLe2eGFHwGUNf Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


HJT report


Logfile of HijackThis v1.99.1
Scan saved at 10:20:29 PM, on 10/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Creative\MediaSource5\Go\CTCMSGoU.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Azureus Installer\Azureus-Installer.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?.home=ytie
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CTXFIREG] CTxfiReg.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [Creative MediaSource Go] "C:\Program Files\Creative\MediaSource5\Go\CTCMSGoU.exe" /SCB
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Azureus Installer] "C:\Program Files\Azureus Installer\Azureus-Installer.exe" hmw
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O4 - Global Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

#9 Trevuren

Trevuren

    Teacher Emeritus

  • Authentic Member
  • 8,632 posts
  • Interests:Woodworking

Posted 27 October 2007 - 08:42 PM

All infections are either quarantined or in your System Restore Cache. Everything will be cleaned out by following these procedures:


Congratulations, your logs look CLEAN

There are a few things you must do once your system is completely clean:

Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK
  • When shown the disclaimer, Select "2"
The above procedure will:
  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.

Here are some tips to reduce the potential for spyware infection in the future:

1. Make sure you keep your Windows OS current by visiting Windows update regularly to download and install any critical updates and service packs. Without these you are leaving the backdoor open.

2. I strongly recommend installing the following applications:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
To protect yourself further:
  • Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
And also see TonyKlein's good advice
So how did I get infected in the first place?

Regards,

Trevuren

Microsoft MVP Consumer Security 2008 - 2009


Proud graduate of TC/WTT Classroom



The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.


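The MVPS Hosts file tip in the post above works by pointing known ad and malware hostnames at the local machine, so the resolver never returns their real address. As an added example (not code from this thread, from McAfee or from the MVPS project), the following Python parses a HOSTS file in the layout that file uses (comments, several hostnames per line) and reports which names it sinkholes. The sample lines and the `.invalid` domains are constructed for the demonstration; the `hosts` path under `System32\drivers\etc` is the real Windows location.

```python
"""Parse a Windows HOSTS file and report which hostnames it sinkholes."""
from __future__ import annotations

import os

# Addresses that route a name back to the local machine, i.e. a blocked lookup.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# Real location of the HOSTS file on Windows.
WINDOWS_HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"

# Constructed sample in the layout the MVPS file uses; the domains are
# hypothetical (.invalid is reserved and never resolves on the real Internet).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# [Start of entries generated by MVPS HOSTS file]
0.0.0.0  ads.example.invalid   # ad server
0.0.0.0  tracker.example.invalid stats.example.invalid
127.0.0.1  malware-dl.example.invalid
192.168.1.10  printer.lan
"""


def parse_hosts(text: str) -> dict[str, str]:
    """Map each hostname (lower-cased) to the address the file assigns it.

    Handles blank lines, '#' comments (full-line and trailing) and lines that
    list several hostnames after one address.  The first assignment seen for
    a name is kept; later duplicates are ignored.
    """
    mapping: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                           # address with no hostname: skip
        address, *names = fields
        for name in names:
            mapping.setdefault(name.lower().rstrip("."), address)
    return mapping


def is_sinkholed(mapping: dict[str, str], hostname: str) -> bool:
    """True if the HOSTS file sends this hostname to the local machine."""
    return mapping.get(hostname.lower().rstrip(".")) in SINKHOLE_ADDRESSES


def sinkholed_hosts(mapping: dict[str, str]) -> list[str]:
    """All blocked names, excluding 'localhost', which legitimately maps to loopback."""
    return sorted(
        name for name, addr in mapping.items()
        if addr in SINKHOLE_ADDRESSES and name != "localhost"
    )


def load_hosts(path: str = WINDOWS_HOSTS_PATH) -> dict[str, str]:
    """Parse the system HOSTS file if present, else fall back to the sample."""
    if os.path.exists(path):
        with open(path, encoding="utf-8", errors="replace") as fh:
            return parse_hosts(fh.read())
    return parse_hosts(SAMPLE_HOSTS)


if __name__ == "__main__":
    hosts = load_hosts()
    print(f"{len(sinkholed_hosts(hosts))} hostnames are sinkholed")
    for probe in ("ads.example.invalid", "printer.lan"):
        print(f"{probe}: {'blocked' if is_sinkholed(hosts, probe) else 'not blocked'}")
```

Two caveats worth keeping in mind when relying on a HOSTS-based blocklist: it only affects name resolution on that machine, so software that connects to an IP address directly or brings its own resolver is not stopped by it, and the list only covers sites known when the file was built, so it needs refreshing to stay useful.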

#10 hyprchld88

hyprchld88

    New Member

  • New Member
  • 13 posts

Posted 27 October 2007 - 08:58 PM

Thank you so much. Everything looks to be running great. Thanks again. -Mason :thumbup:

#11 Trevuren

Trevuren

    Teacher Emeritus

  • Authentic Member
  • 8,632 posts
  • Interests:Woodworking

Posted 27 October 2007 - 09:05 PM

My pleasure, Mason,

Trevuren


#12 Trevuren

Trevuren

    Teacher Emeritus

  • Authentic Member
  • 8,632 posts
  • Interests:Woodworking

Posted 27 October 2007 - 09:05 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.