Google redirect

Hi all, completely new to this forum, so please excuse me if I’m asking for help with an obvious or age-old problem!

My Problem:

The first click on any link generated from a Google search is redirected to another site; not always the same one, sometimes it's another search engine, other times it's just an advertisement. I normally get the correct site after the second or third click.

What I’ve done:

I’m not much use with the technical aspects of removing unwanted files and so on, but I’ve read what I can and have installed HijackThis and removed some files that appeared suspect (‘URL SearchHook’ to name one!)

Result:

My system appears a little better, but I still get the redirects, though not as frequently as before.

I’ve just run the scan again and here are the results below. Anyone able to help?

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:48:03, on 17/01/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

C:\Program Files\Dell\Media Experience\DMXLauncher.exe

C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe

C:\WINDOWS\system32\Rundll32.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\DOCUME~1\Rich\LOCALS~1\Temp\clclean.0001

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\system32\CTsvcCDA.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\McAfee\MBK\MBackMonitor.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\program files\common files\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\Program Files\McAfee\MSK\MskSrver.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\WINDOWS\System32\svchost.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

c:\PROGRA~1\mcafee\msc\mcuimgr.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DK

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)

O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll

O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL

O2 - BHO: (no name) - {64466B8E-20A7-4A4A-AFF4-AAD9CA68B52C} - C:\Program Files\WebMediaViewer\hpmun.dll (file missing)

O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe

O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r

O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon

O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup

O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [VoiceCenter] "C:\Program Files\Creative\VoiceCenter\AndreaVC.exe" /tray

O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon

O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe

O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe

O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘SYSTEM’)

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘Default user’)

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com (file missing)

O9 - Extra button: (no name) - {3B8FB116-D358-48A3-A5C7-DB84F15CBB04} - http://www.ietoolexpress.com/redirect.php (file missing)

O9 - Extra ‘Tools’ menuitem: IExplorer Security - {3B8FB116-D358-48A3-A5C7-DB84F15CBB04} - http://www.ietoolexpress.com/redirect.php (file missing)

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/…oUploader5.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab

O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader.cab

O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by121fd.bay121.hotmail.msn.co…x/HMAtchmt.ocx

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

End of file - 11411 bytes

Hi 79rich79

Welcome to linabbs.

Please do the following in the order given.

Download Malwarebytes’ Anti-Malware (MBAM) from here or here and save the file to your desktop.

Double click mbam-setup.exe to install the application. Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select ‘Perform Quick Scan’, then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note below)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Post the entire report in your next reply.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Now this.

Download DDS and save it to your desktop from here or here or here.

Disable any script blocker, and then double click dds.scr to run the tool. When done, DDS will open two (2) logs:
DDS.txt
Attach.txt
Save both reports to your desktop and post the contents of the DDS.txt log. Save the other report in case I need to look at it later.

Please post the MBAM log and the DDS.txt log.

Thanks

Geri

Thanks for your post, Geri.

I’ve done what you advised and have pasted the results below.

Thanks for your help so far, things appear to be working better already!

MALWAREBYTES LOG:

Malwarebytes’ Anti-Malware 1.33

Database version: 1665

Windows 5.1.2600 Service Pack 3

18/01/2009 18:21:33

mbam-log-2009-01-18 (18-21-33).txt

Scan type: Quick Scan

Objects scanned: 61429

Time elapsed: 9 minute(s), 23 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 26

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 4

Files Infected: 12

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\avirtrwarning.warningbho (Trojan.Zlob) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\avirtrwarning.warningbho.1 (Trojan.Zlob) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{764bc8b4-1159-4736-8af1-f124a7c8c3a8} (Trojan.Zlob) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{df3f06c6-d443-48a8-bdf2-4e31f0554ebf} (Trojan.Zlob) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{64466b8e-20a7-4a4a-aff4-aad9ca68b52c} (Trojan.Zlob) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{2eef94df-75f6-42e9-b7fb-af5a170a6e2e} (Trojan.Zlob) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\TypeLib\{4d25f920-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{4d25f923-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{4d25f921-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{4d25f921-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4d25f921-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{4d25f924-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Typelib\{3ed86073-2fa7-4cf4-810b-28b030671678} (Trojan.Zlob) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3a267370-076e-4af4-b986-77626b8e89df} (Trojan.Zlob) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{64466b8e-20a7-4a4a-aff4-aad9ca68b52c} (Trojan.Zlob) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2eef94df-75f6-42e9-b7fb-af5a170a6e2e} (Trojan.Zlob) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3b8fb116-d358-48a3-a5c7-db84f15cbb04} (Trojan.Zlob) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{64466b8e-20a7-4a4a-aff4-aad9ca68b52c} (Trojan.Zlob) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{3b8fb116-d358-48a3-a5c7-db84f15cbb04} (Trojan.Zlob) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\videosoft (Trojan.DNSChanger) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\videosoft (Trojan.DNSChanger) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\videosoft (Trojan.DNSChanger) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\webmedia.chl (Trojan.Zlob) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IExplorer add-on (Trojan.Zlob) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\System Alert Popup (Trojan.Zlob) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{2eef94df-75f6-42e9-b7fb-af5a170a6e2e} (Trojan.Zlob) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

C:\Program Files\MyWaySA (Adware.MyWebSearch) -> Quarantined and deleted successfully.

C:\Program Files\MyWaySA\SrchAsDe (Adware.MyWebSearch) -> Quarantined and deleted successfully.

C:\Program Files\videosoft (Trojan.DNSChanger) -> Quarantined and deleted successfully.

C:\Documents and Settings\Rich\Start Menu\Programs\videosoft (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:

C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\msqpdxytyfpsqu.dll (Trojan.TDSS) -> Delete on reboot.

C:\Program Files\videosoft\Uninstall.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.

C:\Documents and Settings\Rich\Start Menu\Programs\videosoft\Uninstall.lnk (Trojan.DNSChanger) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\msqpdxurwrufet.sys (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\msqpdxvkydcxjy.sys (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Rich\My Documents\My Music\My Music.url (Trojan.Zlob) -> Quarantined and deleted successfully.

C:\Documents and Settings\Rich\My Documents\My Pictures\My Pictures.url (Trojan.Zlob) -> Quarantined and deleted successfully.

C:\Documents and Settings\Rich\My Documents\My Videos\My Video.url (Trojan.Zlob) -> Quarantined and deleted successfully.

C:\Documents and Settings\Rich\My Documents\My Documents.url (Trojan.Zlob) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\tempo-7EF.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\tempo-C41.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.

DDS LOG:

DDS (Ver_09-01-18.01) - NTFSx86

Run by Rich at 18:27:59.10 on 18/01/2009

Internet Explorer: 7.0.5730.11

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.537 [GMT 0:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)

FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

C:\Program Files\Dell\Media Experience\DMXLauncher.exe

C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

C:\WINDOWS\system32\Rundll32.exe

C:\DOCUME~1\Rich\LOCALS~1\Temp\clclean.0001

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe

C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\system32\CTsvcCDA.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\McAfee\MBK\MBackMonitor.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\program files\common files\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\Program Files\McAfee\MSK\MskSrver.exe

C:\WINDOWS\system32\nvsvc32.exe

svchost.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

c:\PROGRA~1\mcafee\msc\mcuimgr.exe

C:\Documents and Settings\Rich\Local Settings\Temporary Internet Files\Content.IE5\H2ZPL8DK\dds[1].scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://mysearch.myway.com/jsp/dellsidebar.jsp?p=DK

uStart Page = hxxp://www.google.co.uk/

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: McAfee Phishing Filter: {377c180e-6f0e-4d4c-980f-f45bd3d40cf4} - c:\progra~1\mcafee\msk\mcapbho.dll

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL

BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll

BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [SetDefaultMIDI] MIDIDef.exe

uRun: [Creative Detector] "c:\program files\creative\mediasource\detector\CTDetect.exe" /R

uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background

mRun: [ehTray] c:\windows\ehome\ehtray.exe

mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [SigmatelSysTrayApp] stsystra.exe

mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe

mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"

mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe

mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe

mRun: [CTSysVol] c:\program files\creative\sbaudigy\surround mixer\CTSysVol.exe /r

mRun: [MBMon] Rundll32 CTMBHA.DLL,MBMon

mRun: [UpdReg] c:\windows\UpdReg.EXE

mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -startup

mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [VoiceCenter] "c:\program files\creative\voicecenter\AndreaVC.exe" /tray

mRun: [SpeedTouch USB Diagnostics] "c:\program files\thomson\speedtouch usb\Dragdiag.exe" /icon

mRun: [Sony Ericsson PC Suite] "c:\program files\sony ericsson\mobile2\application launcher\Application Launcher.exe" /startoptions

mRun: [nwiz] nwiz.exe /install

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [McAfee Backup] c:\program files\mcafee\mbk\McAfeeDataBackup.exe

mRun: [MBkLogOnHook] c:\program files\mcafee\mbk\LogOnHook.exe

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE

IE: {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-2-22 201320]

R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-2-22 695624]

R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-2-22 79304]

R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-2-22 35240]

R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-2-22 40488]

R4 Machnm32;Machnm32 Driver;c:\windows\system32\Machnm32.sys [2006-10-15 2304]

R4 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-2-22 359248]

R4 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]

R4 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2007-2-22 144704]

R4 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [2005-8-16 14336]

S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-2-22 33832]

S3 MicNgBas;Cinergy 2400i DT Base Driver;c:\windows\system32\drivers\MicNgBas.sys [2006-3-10 48768]

S3 MicNgCap;Cinergy 2400i DT Capture Driver;c:\windows\system32\drivers\MicNgCap.sys [2006-3-10 50560]

S3 MicNgTun;Cinergy 2400i DT Tuner Driver;c:\windows\system32\drivers\MicNgTun.sys [2006-3-10 122752]

S3 s3017bus;Sony Ericsson Device 3017 driver (WDM);c:\windows\system32\drivers\s3017bus.sys [2008-9-28 83880]

S3 s3017mdfl;Sony Ericsson Device 3017 USB WMC Modem Filter;c:\windows\system32\drivers\s3017mdfl.sys [2008-9-28 15016]

S3 s3017mdm;Sony Ericsson Device 3017 USB WMC Modem Driver;c:\windows\system32\drivers\s3017mdm.sys [2008-9-28 110632]

S3 s3017mgmt;Sony Ericsson Device 3017 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s3017mgmt.sys [2008-9-28 104616]

S3 s3017nd5;Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (NDIS);c:\windows\system32\drivers\s3017nd5.sys [2008-9-28 25512]

S3 s3017obex;Sony Ericsson Device 3017 USB WMC OBEX Interface;c:\windows\system32\drivers\s3017obex.sys [2008-9-28 100648]

S3 s3017unic;Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (WDM);c:\windows\system32\drivers\s3017unic.sys [2008-9-28 110120]

=============== Created Last 30 ================

2009-01-18 18:10 <DIR> --d----- c:\docume~1\rich\applic~1\Malwarebytes

2009-01-18 18:10 15,504 a------- c:\windows\system32\drivers\mbam.sys

2009-01-18 18:10 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys

2009-01-18 18:10 <DIR> --d----- c:\program files\Malwarebytes’ Anti-Malware

2009-01-18 18:10 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes

2009-01-16 12:46 <DIR> --d----- c:\program files\Trend Micro

2009-01-13 21:26 <DIR> --d----- C:\!KillBox

2009-01-13 19:19 782,336 a----r-- c:\windows\system32\tmp81.tmp

2009-01-02 02:31 <DIR> --d----- c:\docume~1\rich\applic~1\LegalSounds

2009-01-02 02:31 <DIR> --d----- c:\program files\LegalSounds

2009-01-01 16:48 <DIR> --d----- c:\docume~1\rich\applic~1\McAfee

2009-01-01 15:30 <DIR> --d----- c:\program files\4Media

2008-12-31 22:42 <DIR> --d----- c:\program files\Tansee iPod Transfer

2008-12-31 22:42 <DIR> --d----- c:\program files\common files\Download Manager

2008-12-31 22:24 131,856 a------- c:\windows\system32\MSADODC.ocx

2008-12-31 22:24 1,435,272 a------- c:\windows\system32\Flash.ocx

2008-12-31 21:46 <DIR> --d----- c:\program files\iPod 2 iPod

2008-12-28 13:59 107,368 a------- c:\windows\system32\GEARAspi.dll

2008-12-28 13:59 15,464 a------- c:\windows\system32\drivers\GEARAspiWDM.sys

2008-12-28 13:59 <DIR> --d----- c:\program files\iPod

2008-12-28 13:59 <DIR> --d----- c:\program files\iTunes

2008-12-28 13:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}

2008-12-28 13:57 32,000 a------- c:\windows\system32\drivers\usbaapl.sys

==================== Find3M ====================

2009-01-13 22:01 5,278 a------- c:\windows\system32\tmp.reg

2008-12-13 06:40 3,593,216 a------- c:\windows\system32\dllcache\mshtml.dll

2008-12-08 11:08 410,984 a------- c:\windows\system32\deploytk.dll

2008-10-24 11:21 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys

2008-10-23 12:36 286,720 a------- c:\windows\system32\gdi32.dll

2008-10-23 12:36 286,720 -------- c:\windows\system32\dllcache\gdi32.dll

2006-07-16 00:04 56 ---shr-- c:\windows\system32\2D39FC8E9C.sys

2006-09-01 15:43 56 ---shr-- c:\windows\system32\D85799A972.sys

2007-04-20 15:10 6,580 a--sh--- c:\windows\system32\KGyGaAvL.sys

2008-09-04 14:34 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090420080905\index.dat

============= FINISH: 18:28:59.01 ===============

Hi

OK please do this.

Download RootRepeal to your Desktop. Extract the compressed file to its own folder.
Open the folder and doubleclick on RootRepeal.exe to run it.
Click on the Report tab, and then click on: Scan
A window opens asking what to include in the scan.
Check the following boxes then click OK:
Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services

You will then be asked which drive to scan.
Check C: (or the drive your operating system is installed on, if not C)
Click OK once again.
The tool will begin scanning and may take a while to complete, so please be patient.

When the scan finishes, click on: Save Report

Name the log RootRepeal.txt and save it to your Documents folder (it should default there).

Post the contents of the report in a reply here

Thanks

Geri

Thanks Geri,

I’ve run the RootRepeal program, results below:

ROOTREPEAL (c) AD, 2007-2008

==================================================

Scan Time: 2009/01/18 18:49

Program Version: Version 1.2.3.0

Windows Version: Windows XP Media Center Edition SP3

==================================================

Drivers

——————-

Name: bhbk.sys

Image Path: bhbk.sys

Address: 0xF7592000 Size: 61440 File Visible: No

Status: -

Name: dump_iastor.sys

Image Path: C:\WINDOWS\System32\Drivers\dump_iastor.sys

Address: 0xED04B000 Size: 872448 File Visible: No

Status: -

Name: PCI_PNP1774

Image Path: \Driver\PCI_PNP1774

Address: 0x00000000 Size: 0 File Visible: No

Status: -

Name: rootrepeal.sys

Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0xB8F64000 Size: 45056 File Visible: No

Status: -

Name: spkl.sys

Image Path: spkl.sys

Address: 0xF7391000 Size: 1048576 File Visible: No

Status: -

Name: sptd

Image Path: \Driver\sptd

Address: 0x00000000 Size: 0 File Visible: No

Status: -

Hidden/Locked Files

——————-

Path: C:\hiberfil.sys

Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\mcafee_4mkSg6ThJVLutun

Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\WINDOWS\Temp\mcmsc_6b3DztkhQdfsGJx

Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl

Status: Allocation size mismatch (API: 8192, Raw: 4096)

Path: C:\Documents and Settings\Rich\Application Data\SecuROM\UserData\ЃϵϳЅЂϿϽϯІχϯπρϴϱЄϱЃϵϳЅ

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Rich\Application Data\SecuROM\UserData\ЃϵϳЅЂϿϽϯІχϯπρЂϻϵЉЃϵϳЅ

Status: Locked to the Windows API!

SSDT

——————-

#: 041 Function Name: NtCreateKey

Status: Hooked by "spkl.sys" at address 0xf73920e0

#: 071 Function Name: NtEnumerateKey

Status: Hooked by "spkl.sys" at address 0xf73b0ca2

#: 073 Function Name: NtEnumerateValueKey

Status: Hooked by "spkl.sys" at address 0xf73b1030

#: 119 Function Name: NtOpenKey

Status: Hooked by "spkl.sys" at address 0xf73920c0

#: 160 Function Name: NtQueryKey

Status: Hooked by "spkl.sys" at address 0xf73b1108

#: 177 Function Name: NtQueryValueKey

Status: Hooked by "spkl.sys" at address 0xf73b0f88

#: 247 Function Name: NtSetValueKey

Status: Hooked by "spkl.sys" at address 0xf73b119a

Stealth Objects

——————-

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]

Process: System Address: 0x871641f8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]

Process: System Address: 0x871641f8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]

Process: System Address: 0x871641f8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]

Process: System Address: 0x871641f8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]

Process: System Address: 0x871641f8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]

Process: System Address: 0x871641f8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]

Process: System Address: 0x871641f8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]

Process: System Address: 0x871641f8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]

Process: System Address: 0x871641f8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]

Process: System Address: 0x871641f8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]

Process: System Address: 0x871641f8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]

Process: System Address: 0x871641f8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]

Process: System Address: 0x871641f8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x871641f8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]

Process: System Address: 0x871641f8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]

Process: System Address: 0x871641f8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]

Process: System Address: 0x871641f8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]

Process: System Address: 0x871641f8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]

Process: System Address: 0x871641f8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]

Process: System Address: 0x871641f8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]

Process: System Address: 0x871641f8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]

Process: System Address: 0x871641f8 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]

Process: System Address: 0x865f61f8 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]

Process: System Address: 0x865f61f8 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]

Process: System Address: 0x865f61f8 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]

Process: System Address: 0x865f61f8 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]

Process: System Address: 0x865f61f8 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x865f61f8 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x865f61f8 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]

Process: System Address: 0x865f61f8 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]

Process: System Address: 0x865f61f8 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x865f61f8 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]

Process: System Address: 0x865f61f8 Size: -

Object: Hidden Code [Driver: a9bjgddtȅ䵃䥖ȁఅ䵃䥖⭘��ᣑ៩, IRP_MJ_CREATE]

Process: System Address: 0x865e51f8 Size: -

Object: Hidden Code [Driver: a9bjgddtȅ䵃䥖ȁఅ䵃䥖⭘��ᣑ៩, IRP_MJ_CLOSE]

Process: System Address: 0x865e51f8 Size: -

Object: Hidden Code [Driver: a9bjgddtȅ䵃䥖ȁఅ䵃䥖⭘��ᣑ៩, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x865e51f8 Size: -

Object: Hidden Code [Driver: a9bjgddtȅ䵃䥖ȁఅ䵃䥖⭘��ᣑ៩, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x865e51f8 Size: -

Object: Hidden Code [Driver: a9bjgddtȅ䵃䥖ȁఅ䵃䥖⭘��ᣑ៩, IRP_MJ_POWER]

Process: System Address: 0x865e51f8 Size: -

Object: Hidden Code [Driver: a9bjgddtȅ䵃䥖ȁఅ䵃䥖⭘��ᣑ៩, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x865e51f8 Size: -

Object: Hidden Code [Driver: a9bjgddtȅ䵃䥖ȁఅ䵃䥖⭘��ᣑ៩, IRP_MJ_PNP]

Process: System Address: 0x865e51f8 Size: -

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_CREATE]

Process: System Address: 0x864931f8 Size: -

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_CLOSE]

Process: System Address: 0x864931f8 Size: -

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_READ]

Process: System Address: 0x864931f8 Size: -

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_WRITE]

Process: System Address: 0x864931f8 Size: -

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x864931f8 Size: -

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x864931f8 Size: -

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_POWER]

Process: System Address: 0x864931f8 Size: -

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x864931f8 Size: -

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_PNP]

Process: System Address: 0x864931f8 Size: -

Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE]

Process: System Address: 0x871661f8 Size: -

Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE]

Process: System Address: 0x871661f8 Size: -

Object: Hidden Code [Driver: dmio, IRP_MJ_READ]

Process: System Address: 0x871661f8 Size: -

Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]

Process: System Address: 0x871661f8 Size: -

Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS]

Process: System Address: 0x871661f8 Size: -

Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x871661f8 Size: -

Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x871661f8 Size: -

Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN]

Process: System Address: 0x871661f8 Size: -

Object: Hidden Code [Driver: dmio, IRP_MJ_POWER]

Process: System Address: 0x871661f8 Size: -

Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x871661f8 Size: -

Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]

Process: System Address: 0x871661f8 Size: -

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]

Process: System Address: 0x8668d1f8 Size: -

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]

Process: System Address: 0x8668d1f8 Size: -

Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x8668d1f8 Size: -

Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x8668d1f8 Size: -

Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]

Process: System Address: 0x8668d1f8 Size: -

Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x8668d1f8 Size: -

Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]

Process: System Address: 0x8668d1f8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]

Process: System Address: 0x871d71f8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]

Process: System Address: 0x871d71f8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]

Process: System Address: 0x871d71f8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]

Process: System Address: 0x871d71f8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x871d71f8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x871d71f8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]

Process: System Address: 0x871d71f8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]

Process: System Address: 0x871d71f8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]

Process: System Address: 0x871d71f8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x871d71f8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]

Process: System Address: 0x871d71f8 Size: -

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]

Process: System Address: 0x863cd500 Size: -

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]

Process: System Address: 0x863cd500 Size: -

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x863cd500 Size: -

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x863cd500 Size: -

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]

Process: System Address: 0x863cd500 Size: -

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]

Process: System Address: 0x863cd500 Size: -

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]

Process: System Address: 0x866601f8 Size: -

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]

Process: System Address: 0x866601f8 Size: -

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x866601f8 Size: -

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x866601f8 Size: -

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]

Process: System Address: 0x866601f8 Size: -

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x866601f8 Size: -

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]

Process: System Address: 0x866601f8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]

Process: System Address: 0x85a7e1f8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]

Process: System Address: 0x85a7e1f8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]

Process: System Address: 0x85a7e1f8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]

Process: System Address: 0x85a7e1f8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]

Process: System Address: 0x85a7e1f8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]

Process: System Address: 0x85a7e1f8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]

Process: System Address: 0x85a7e1f8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]

Process: System Address: 0x85a7e1f8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]

Process: System Address: 0x85a7e1f8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]

Process: System Address: 0x85a7e1f8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]

Process: System Address: 0x85a7e1f8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]

Process: System Address: 0x85a7e1f8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]

Process: System Address: 0x85a7e1f8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]

Process: System Address: 0x85a7e1f8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x85a7e1f8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x85a7e1f8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]

Process: System Address: 0x85a7e1f8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]

Process: System Address: 0x85a7e1f8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]

Process: System Address: 0x85a7e1f8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]

Process: System Address: 0x85a7e1f8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]

Process: System Address: 0x85a7e1f8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]

Process: System Address: 0x85a7e1f8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]

Process: System Address: 0x85a7e1f8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x85a7e1f8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]

Process: System Address: 0x85a7e1f8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]

Process: System Address: 0x85a7e1f8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]

Process: System Address: 0x85a7e1f8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]

Process: System Address: 0x85a7e1f8 Size: -

Object: Hidden Code [Driver: Cdfsࠅ扏煓ะࠂఉ瑎捦܉@考, IRP_MJ_CREATE]

Process: System Address: 0x86194500 Size: -

Object: Hidden Code [Driver: Cdfsࠅ扏煓ะࠂఉ瑎捦܉@考, IRP_MJ_CLOSE]

Process: System Address: 0x86194500 Size: -

Object: Hidden Code [Driver: Cdfsࠅ扏煓ะࠂఉ瑎捦܉@考, IRP_MJ_READ]

Process: System Address: 0x86194500 Size: -

Object: Hidden Code [Driver: Cdfsࠅ扏煓ะࠂఉ瑎捦܉@考, IRP_MJ_QUERY_INFORMATION]

Process: System Address: 0x86194500 Size: -

Object: Hidden Code [Driver: Cdfsࠅ扏煓ะࠂఉ瑎捦܉@考, IRP_MJ_SET_INFORMATION]

Process: System Address: 0x86194500 Size: -

Object: Hidden Code [Driver: Cdfsࠅ扏煓ะࠂఉ瑎捦܉@考, IRP_MJ_QUERY_VOLUME_INFORMATION]

Process: System Address: 0x86194500 Size: -

Object: Hidden Code [Driver: Cdfsࠅ扏煓ะࠂఉ瑎捦܉@考, IRP_MJ_DIRECTORY_CONTROL]

Process: System Address: 0x86194500 Size: -

Object: Hidden Code [Driver: Cdfsࠅ扏煓ะࠂఉ瑎捦܉@考, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x86194500 Size: -

Object: Hidden Code [Driver: Cdfsࠅ扏煓ะࠂఉ瑎捦܉@考, IRP_MJ_SHUTDOWN]

Process: System Address: 0x86194500 Size: -

Object: Hidden Code [Driver: Cdfsࠅ扏煓ะࠂఉ瑎捦܉@考, IRP_MJ_LOCK_CONTROL]

Process: System Address: 0x86194500 Size: -

Object: Hidden Code [Driver: Cdfsࠅ扏煓ะࠂఉ瑎捦܉@考, IRP_MJ_CLEANUP]

Process: System Address: 0x86194500 Size: -

Object: Hidden Code [Driver: Cdfsࠅ扏煓ะࠂఉ瑎捦܉@考, IRP_MJ_PNP]

Process: System Address: 0x86194500 Size: -

Hidden Services

——————-

Service Name: msqpdxserv.sys

Image Path: C:\WINDOWS\system32\drivers\msqpdxurwrufet.sys

Hi

OK please do this.

Click Start > Run and type (or paste) the following lines one at a time into the Run box. Hit Enter after each line.

sc stop msqpdxserv.sys

sc delete msqpdxserv.sys

Using Windows Explorer (to get there, right-click your Start button and go to "Explore"), please delete these files (if present):

C:\WINDOWS\system32\drivers\msqpdxurwrufet.sys

After that, Reboot.

Open the RootRepeal folder and doubleclick on RootRepeal.exe to run it.
Click on the Report tab, and then click on: Scan
A window opens asking what to include in the scan.
Check the following boxes then click OK:
Hidden Services

You will then be asked which drive to scan.
Check C: (or the drive your operating system is installed on, if not C)
Click OK once again.
The tool will begin scanning and may take a while to complete, so please be patient.

When the scan finishes, click on: Save Report

Name the log RootRepeal2.txt and save it to your Documents folder (it should default there).

Post the contents of the report in a reply here

Thanks

Geri
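The report above and the fix Geri gives for it, as an added example that is not part of the thread, of RootRepeal, or of the helper's own tooling: a small Python triage script that reads a report in the layout posted here, pulls out the findings a responder acts on (hidden services, loaded drivers with no on-disk path, SSDT hooks grouped by the module that installed them, and the dispatch entries RootRepeal labels "Hidden Code"), and emits the same sc stop / sc delete / remove-the-image sequence for every hidden service it finds. SAMPLE_REPORT is a constructed excerpt modelled on the posted report; the section titles, field names and regular expressions are my reading of that layout, not RootRepeal's documented format.

```python
"""Triage a RootRepeal report in the layout posted in this thread.
Added example; not RootRepeal code. SAMPLE_REPORT is a constructed excerpt."""
import re
from collections import defaultdict
from itertools import groupby

SAMPLE_REPORT = """\
Drivers
-------------------
Name: PCI_PNP1774
Image Path: \\Driver\\PCI_PNP1774
Address: 0x00000000 Size: 0 File Visible: No
Status: -

Name: spkl.sys
Image Path: spkl.sys
Address: 0xF7391000 Size: 1048576 File Visible: No
Status: -

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "spkl.sys" at address 0xf73920e0

#: 119 Function Name: NtOpenKey
Status: Hooked by "spkl.sys" at address 0xf73920c0

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x871641f8 Size: -

Object: Hidden Code [Driver: a9bjgddt, IRP_MJ_CREATE]
Process: System Address: 0x865e51f8 Size: -

Hidden Services
-------------------
Service Name: msqpdxserv.sys
Image Path: C:\\WINDOWS\\system32\\drivers\\msqpdxurwrufet.sys
"""

HOOK_RE = re.compile(r'Hooked by "([^"]+)" at address (0x[0-9a-fA-F]+)')
OBJECT_RE = re.compile(r"Object: Hidden Code \[Driver: ([^,\]]+), (IRP_MJ_\w+)\]")

def split_sections(report):
    """Map section title -> its lines; a title is any line underlined with dashes."""
    sections, title = defaultdict(list), None
    lines = [l.strip() for l in report.splitlines()] + [""]
    for line, nxt in zip(lines, lines[1:]):
        if line and nxt and set(nxt) == {"-"}:
            title = line                       # next line is the underline
        elif title and set(line) != {"-"}:     # skip the underline itself
            sections[title].append(line)
    return sections

def records(lines):
    """Blank-line-separated blocks, each a list of non-empty lines."""
    return [list(g) for nonblank, g in groupby(lines, bool) if nonblank]

def fields(block):
    return dict(l.split(": ", 1) for l in block if ": " in l)

def hidden_services(report):
    """(service, image path) for entries visible only through raw registry reads."""
    return [(f["Service Name"], f.get("Image Path", ""))
            for f in map(fields, records(split_sections(report)["Hidden Services"]))
            if "Service Name" in f]

def pathless_drivers(report):
    """Loaded drivers whose image path has no directory: nothing on disk to inspect."""
    return [f["Name"] for f in map(fields, records(split_sections(report)["Drivers"]))
            if "Name" in f and "\\" not in f.get("Image Path", "")]

def ssdt_hooks(report):
    """{hooking module: [Nt* functions it interposes on]}."""
    hooks = defaultdict(list)
    for text in (" ".join(b) for b in records(split_sections(report)["SSDT"])):
        func, hook = re.search(r"Function Name: (\w+)", text), HOOK_RE.search(text)
        if func and hook:
            hooks[hook.group(1)].append(func.group(1))
    return dict(hooks)

def hidden_code_by_driver(report):
    """{driver: [IRP_MJ_* entries whose dispatch handler lies outside any loaded image]}."""
    hidden = defaultdict(list)
    for m in filter(None, (OBJECT_RE.match(b[0]) for b in records(split_sections(report)["Stealth Objects"]))):
        hidden[m.group(1).strip()].append(m.group(2))
    return dict(hidden)

def remediation_commands(report):
    """cmd.exe lines mirroring the helper's fix: stop and delete the service, remove its image."""
    cmds = []
    for name, path in hidden_services(report):
        cmds += [f"sc stop {name}", f"sc delete {name}"] + ([f'del /f "{path}"'] if path else [])
    return cmds

if __name__ == "__main__":
    print(ssdt_hooks(SAMPLE_REPORT), hidden_code_by_driver(SAMPLE_REPORT), pathless_drivers(SAMPLE_REPORT))
    print(*remediation_commands(SAMPLE_REPORT), sep="\n")
```

A hit in any of these lists is a lead, not a verdict: SSDT hooks and hidden dispatch code are also produced by some legitimate drivers, which is why the helper acted only on the hidden service. The generated del line can still fail while the rootkit is live; the attempt in this thread returned 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND), which is consistent with a driver filtering file-system requests, and the cleanup moved on to ComboFix.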

Hmmm, slight problem here. I can’t locate the file to delete it (?). I’ve tried deleting it using RootRepeal, but I get

‘could not force delete file, error code 0xc0000034!’

And I can’t find it using the Explore function from the Start Tab.

The RootRepeal log, though, came back like this:

ROOTREPEAL (c) AD, 2007-2008

==================================================

Scan Time: 2009/01/19 08:17

Program Version: Version 1.2.3.0

Windows Version: Windows XP Media Center Edition SP3

==================================================

Hidden Services

——————-

Service Name: msqpdxserv.sys

Image Path: C:\WINDOWS\system32\drivers\msqpdxurwrufet.sys

Hi

OK please do this.

Download ComboFix from Here to your Desktop.

It’s best to disable realtime protection applications as they sometimes interfere with the tool.

Check this link for any applicable programs you may have.
Close all open programs and windows.
Double click combofix.exe and follow the prompts.
Vista users right click Combofix.exe and select Run As Administrator.
When finished, it shall produce a log for you. Post the ComboFix log.
Note: Do not mouse-click ComboFix’s window while it’s running. That may cause it to stall.

**NOTE - Allow ComboFix to update if prompted.

Thanks

Geri

Hi

I’ve followed your last instructions. Please find the log below:

Plus, I ran RootRepeal again; Hidden Services is now blank :)

ROOTREPEAL (c) AD, 2007-2008

==================================================

Scan Time: 2009/01/20 02:09

Program Version: Version 1.2.3.0

Windows Version: Windows XP Media Center Edition SP3

==================================================

ComboFix 09-01-19.03 - Rich 2009-01-20 1:59:06.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.572 [GMT 0:00]

Running from: c:\documents and settings\Rich\My Documents\ComboFix.exe

AV: McAfee VirusScan *On-access scanning disabled* (Outdated)

FW: McAfee Personal Firewall *disabled*

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\Downloaded Program Files\setup.inf

c:\windows\system32\404Fix.exe

c:\windows\system32\dumphive.exe

c:\windows\system32\IEDFix.C.exe

c:\windows\system32\IEDFix.exe

c:\windows\system32\o4Patch.exe

c:\windows\system32\Process.exe

c:\windows\system32\SrchSTS.exe

c:\windows\system32\tmp.reg

c:\windows\system32\tmp69.tmp

c:\windows\system32\tmp81.tmp

c:\windows\system32\VACFix.exe

c:\windows\system32\VCCLSID.exe

c:\windows\system32\WS2Fix.exe

.

((((((((((((((((((((((((( Files Created from 2008-12-20 to 2009-01-20 )))))))))))))))))))))))))))))))

.

2009-01-18 18:10 . 2009-01-18 18:10 <DIR> d——– c:\program files\Malwarebytes’ Anti-Malware

2009-01-18 18:10 . 2009-01-18 18:10 <DIR> d——– c:\documents and settings\Rich\Application Data\Malwarebytes

2009-01-18 18:10 . 2009-01-18 18:10 <DIR> d——– c:\documents and settings\All Users\Application Data\Malwarebytes

2009-01-18 18:10 . 2009-01-14 16:11 38,496 –a—— c:\windows\system32\drivers\mbamswissarmy.sys

2009-01-18 18:10 . 2009-01-14 16:11 15,504 –a—— c:\windows\system32\drivers\mbam.sys

2009-01-16 12:46 . 2009-01-16 12:46 <DIR> d——– c:\program files\Trend Micro

2009-01-13 21:26 . 2009-01-13 21:26 <DIR> d——– C:\!KillBox

2009-01-05 18:30 . 2009-01-05 18:30 <DIR> d——– c:\documents and settings\LocalService\Application Data\McAfee

2009-01-02 02:31 . 2009-01-02 02:31 <DIR> d——– c:\program files\LegalSounds

2009-01-02 02:31 . 2009-01-02 02:31 <DIR> d——– c:\documents and settings\Rich\Application Data\LegalSounds

2009-01-01 16:48 . 2009-01-01 16:48 <DIR> d——– c:\documents and settings\Rich\Application Data\McAfee

2009-01-01 15:30 . 2009-01-01 15:30 <DIR> d——– c:\program files\4Media

2008-12-31 22:42 . 2008-12-31 22:54 <DIR> d——– c:\program files\Tansee iPod Transfer

2008-12-31 22:42 . 2008-12-31 22:42 <DIR> d——– c:\program files\Common Files\Download Manager

2008-12-31 22:24 . 2005-08-27 03:38 1,435,272 –a—— c:\windows\system32\Flash.ocx

2008-12-31 22:24 . 2004-03-09 00:00 131,856 –a—— c:\windows\system32\MSADODC.ocx

2008-12-31 21:46 . 2008-12-31 22:22 <DIR> d——– c:\program files\iPod 2 iPod

2008-12-28 13:59 . 2008-12-28 13:59 <DIR> d——– c:\program files\iTunes

2008-12-28 13:59 . 2008-12-28 13:59 <DIR> d——– c:\program files\iPod

2008-12-28 13:59 . 2008-12-28 17:50 <DIR> d——– c:\documents and settings\Rich\Application Data\Apple Computer

2008-12-28 13:59 . 2008-12-28 13:59 <DIR> d——– c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}

2008-12-28 13:59 . 2008-04-17 13:12 107,368 –a—— c:\windows\system32\GEARAspi.dll

2008-12-28 13:59 . 2008-04-17 13:12 15,464 –a—— c:\windows\system32\drivers\GEARAspiWDM.sys

2008-12-28 13:58 . 2008-12-28 13:58 <DIR> d——– c:\program files\QuickTime

2008-12-28 13:58 . 2008-12-28 13:58 <DIR> d——– c:\documents and settings\All Users\Application Data\Apple Computer

2008-12-28 13:57 . 2008-12-28 13:57 <DIR> d——– c:\program files\Apple Software Update

2008-12-28 13:57 . 2008-11-07 14:23 32,000 –a—— c:\windows\system32\drivers\usbaapl.sys

2008-12-28 13:56 . 2008-12-28 13:56 <DIR> d——– c:\program files\Common Files\Apple

2008-12-28 13:56 . 2008-12-28 13:56 <DIR> d——– c:\documents and settings\All Users\Application Data\Apple

Last edited by 79rich79; 17 Hours Ago at 03:11.

Hi

OK I need the rest of the Combofix log.

You can find it here.

C:\combofix.txt

Please post the whole log.

Thanks

Thanks Geri.

ComboFix 09-01-19.03 - Rich 2009-01-20 1:59:06.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.572 [GMT 0:00]

Running from: c:\documents and settings\Rich\My Documents\ComboFix.exe

AV: McAfee VirusScan *On-access scanning disabled* (Outdated)

FW: McAfee Personal Firewall *disabled*

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\Downloaded Program Files\setup.inf

c:\windows\system32\404Fix.exe

c:\windows\system32\dumphive.exe

c:\windows\system32\IEDFix.C.exe

c:\windows\system32\IEDFix.exe

c:\windows\system32\o4Patch.exe

c:\windows\system32\Process.exe

c:\windows\system32\SrchSTS.exe

c:\windows\system32\tmp.reg

c:\windows\system32\tmp69.tmp

c:\windows\system32\tmp81.tmp

c:\windows\system32\VACFix.exe

c:\windows\system32\VCCLSID.exe

c:\windows\system32\WS2Fix.exe

.

((((((((((((((((((((((((( Files Created from 2008-12-20 to 2009-01-20 )))))))))))))))))))))))))))))))

.

2009-01-18 18:10 . 2009-01-18 18:10 <DIR> d——– c:\program files\Malwarebytes’ Anti-Malware

2009-01-18 18:10 . 2009-01-18 18:10 <DIR> d——– c:\documents and settings\Rich\Application Data\Malwarebytes

2009-01-18 18:10 . 2009-01-18 18:10 <DIR> d——– c:\documents and settings\All Users\Application Data\Malwarebytes

2009-01-18 18:10 . 2009-01-14 16:11 38,496 –a—— c:\windows\system32\drivers\mbamswissarmy.sys

2009-01-18 18:10 . 2009-01-14 16:11 15,504 –a—— c:\windows\system32\drivers\mbam.sys

2009-01-16 12:46 . 2009-01-16 12:46 <DIR> d——– c:\program files\Trend Micro

2009-01-13 21:26 . 2009-01-13 21:26 <DIR> d——– C:\!KillBox

2009-01-05 18:30 . 2009-01-05 18:30 <DIR> d——– c:\documents and settings\LocalService\Application Data\McAfee

2009-01-02 02:31 . 2009-01-02 02:31 <DIR> d——– c:\program files\LegalSounds

2009-01-02 02:31 . 2009-01-02 02:31 <DIR> d——– c:\documents and settings\Rich\Application Data\LegalSounds

2009-01-01 16:48 . 2009-01-01 16:48 <DIR> d——– c:\documents and settings\Rich\Application Data\McAfee

2009-01-01 15:30 . 2009-01-01 15:30 <DIR> d——– c:\program files\4Media

2008-12-31 22:42 . 2008-12-31 22:54 <DIR> d——– c:\program files\Tansee iPod Transfer

2008-12-31 22:42 . 2008-12-31 22:42 <DIR> d——– c:\program files\Common Files\Download Manager

2008-12-31 22:24 . 2005-08-27 03:38 1,435,272 –a—— c:\windows\system32\Flash.ocx

2008-12-31 22:24 . 2004-03-09 00:00 131,856 –a—— c:\windows\system32\MSADODC.ocx

2008-12-31 21:46 . 2008-12-31 22:22 <DIR> d——– c:\program files\iPod 2 iPod

2008-12-28 13:59 . 2008-12-28 13:59 <DIR> d——– c:\program files\iTunes

2008-12-28 13:59 . 2008-12-28 13:59 <DIR> d——– c:\program files\iPod

2008-12-28 13:59 . 2008-12-28 17:50 <DIR> d——– c:\documents and settings\Rich\Application Data\Apple Computer

2008-12-28 13:59 . 2008-12-28 13:59 <DIR> d——– c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}

2008-12-28 13:59 . 2008-04-17 13:12 107,368 –a—— c:\windows\system32\GEARAspi.dll

2008-12-28 13:59 . 2008-04-17 13:12 15,464 –a—— c:\windows\system32\drivers\GEARAspiWDM.sys

2008-12-28 13:58 . 2008-12-28 13:58 <DIR> d——– c:\program files\QuickTime

2008-12-28 13:58 . 2008-12-28 13:58 <DIR> d——– c:\documents and settings\All Users\Application Data\Apple Computer

2008-12-28 13:57 . 2008-12-28 13:57 <DIR> d——– c:\program files\Apple Software Update

2008-12-28 13:57 . 2008-11-07 14:23 32,000 –a—— c:\windows\system32\drivers\usbaapl.sys

2008-12-28 13:56 . 2008-12-28 13:56 <DIR> d——– c:\program files\Common Files\Apple

2008-12-28 13:56 . 2008-12-28 13:56 <DIR> d——– c:\documents and settings\All Users\Application Data\Apple

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-01-13 21:36 ——— d—a-w c:\documents and settings\All Users\Application Data\TEMP

2009-01-13 21:08 ——— d–h–w c:\program files\InstallShield Installation Information

2009-01-13 20:54 ——— d—–w c:\program files\DNA

2009-01-13 20:54 ——— d—–w c:\program files\Dell

2009-01-13 20:50 ——— d—–w c:\program files\AVS4YOU

2009-01-08 15:17 ——— d—–w c:\documents and settings\Rich\Application Data\BitTorrent

2009-01-01 16:47 ——— d—–w c:\documents and settings\All Users\Application Data\McAfee

2008-12-28 14:01 ——— d—–w c:\program files\McAfee

2008-12-13 06:40 3,593,216 —-a-w c:\windows\system32\dllcache\mshtml.dll

2008-12-12 13:50 ——— d—–w c:\program files\Common Files\AVSMedia

2008-12-12 13:50 ——— d—–w c:\documents and settings\Rich\Application Data\AVS4YOU

2008-12-12 13:50 ——— d—–w c:\documents and settings\All Users\Application Data\AVS4YOU

2008-12-08 11:08 410,984 —-a-w c:\windows\system32\deploytk.dll

2008-12-08 11:08 ——— d—–w c:\program files\Java

2008-11-27 21:22 ——— d—–w c:\program files\MFInstall

2008-11-22 23:11 ——— d—–w c:\program files\Google

2008-10-24 11:21 455,296 ——w c:\windows\system32\dllcache\mrxsmb.sys

2008-10-23 12:36 286,720 —-a-w c:\windows\system32\gdi32.dll

2008-10-23 12:36 286,720 ——w c:\windows\system32\dllcache\gdi32.dll

2006-07-16 00:04 56 –sh–r c:\windows\system32\2D39FC8E9C.sys

2006-09-01 15:43 56 –sh–r c:\windows\system32\D85799A972.sys

2007-04-20 15:10 6,580 –sha-w c:\windows\system32\KGyGaAvL.sys

2008-09-04 14:34 32,768 –sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090420080905\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 c:\windows\MIDIDEF.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"KernelFaultCheck"="c:\windows\system32\dumprep 0 -k" [X]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-08 136600]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 139264]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]

"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2006-05-03 98304]

"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]

"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-09-15 57344]

"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]

"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-06-10 249856]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]

"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]

"VoiceCenter"="c:\program files\Creative\VoiceCenter\AndreaVC.exe" [2005-09-19 1159168]

"SpeedTouch USB Diagnostics"="c:\program files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 866816]

"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 159744]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]

"McAfee Backup"="c:\program files\McAfee\MBK\McAfeeDataBackup.exe" [2007-01-16 4838952]

"MBkLogOnHook"="c:\program files\McAfee\MBK\LogOnHook.exe" [2007-01-08 20480]

"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 c:\windows\stsystra.exe]

"MBMon"="CTMBHA.DLL" [2005-05-19 c:\windows\system32\CTMBHA.DLL]

"nwiz"="nwiz.exe" [2008-10-07 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

–a—— 2007-10-18 11:34 5724184 c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\LucasArts\\Star Wars Empire at War\\GameData\\sweaw.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Bohemia Interactive\\ArmA\\arma.exe"=

"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

"c:\\Program Files\\SDP\\SDP Downloader\\SDP.exe"=

"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\McAfee\\MBK\\McAfeeDataBackup.exe"=

R4 Machnm32;Machnm32 Driver;c:\windows\system32\Machnm32.sys [2006-10-15 2304]

R4 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [2005-08-16 14336]

S3 MicNgBas;Cinergy 2400i DT Base Driver;c:\windows\system32\drivers\MicNgBas.sys [2006-03-10 48768]

S3 MicNgCap;Cinergy 2400i DT Capture Driver;c:\windows\system32\drivers\MicNgCap.sys [2006-03-10 50560]

S3 MicNgTun;Cinergy 2400i DT Tuner Driver;c:\windows\system32\drivers\MicNgTun.sys [2006-03-10 122752]

S3 s3017bus;Sony Ericsson Device 3017 driver (WDM);c:\windows\system32\drivers\s3017bus.sys [2008-09-28 83880]

S3 s3017mdfl;Sony Ericsson Device 3017 USB WMC Modem Filter;c:\windows\system32\drivers\s3017mdfl.sys [2008-09-28 15016]

S3 s3017mdm;Sony Ericsson Device 3017 USB WMC Modem Driver;c:\windows\system32\drivers\s3017mdm.sys [2008-09-28 110632]

S3 s3017mgmt;Sony Ericsson Device 3017 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s3017mgmt.sys [2008-09-28 104616]

S3 s3017nd5;Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (NDIS);c:\windows\system32\drivers\s3017nd5.sys [2008-09-28 25512]

S3 s3017obex;Sony Ericsson Device 3017 USB WMC OBEX Interface;c:\windows\system32\drivers\s3017obex.sys [2008-09-28 100648]

S3 s3017unic;Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (WDM);c:\windows\system32\drivers\s3017unic.sys [2008-09-28 110120]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]

\Shell\AutoRun\command - E:\setup.exe

.

Contents of the 'Scheduled Tasks' folder

2009-01-07 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2008-12-15 c:\windows\Tasks\McDefragTask.job

- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]

2009-01-01 c:\windows\Tasks\McQcTask.job

- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]

.

- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-AvirTr - c:\program files\AvirTrsoftware\AvirTr.exe

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.co.uk/

IE: {{08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-20 02:00:56

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

McAfee Backup = c:\program files\McAfee\MBK\McAfeeDataBackup.exe?????????????????????????????????????? ???????????????????????????????????????????

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1932283237-4062469473-4039853353-1005\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"??"=hex:6a,9e,0c,d0,a1,24,31,aa,75,0c,ae,9c,46,65,62,a2,de,c1,a3,7b,53,5b, 05,

0a,c8,f8,46,e2,95,57,11,b9,99,7a,7e,e3,78,35,2f,6d,45,f1,5e,06,88,98,70,c7, \

"??"=hex:81,d7,06,db,64,1d,a3,ec,b3,e8,5a,c2,80,d2,e7,76

.

Completion time: 2009-01-20 2:03:29

ComboFix-quarantined-files.txt 2009-01-20 02:03:23

Pre-Run: 143,016,366,080 bytes free

Post-Run: 143,070,756,864 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

207 --- E O F --- 2008-12-19 13:00:44

written by lina