spybot has become unresponsive
Recently, I ran a scan from Spybot and it detected a trojan (maybe generic?). I don't recall at the time, but it has been a week or so and I am not able to use Spybot; I keep getting a floating-point error and it closes. About a day ago, I was locked out of Task Manager and regedit by an 'admin', but since I'm the only one on the computer, it must be something else.
Please, please help!
(I restored my use of Task Manager and regedit with run commands so that I could try to fix the problem, but to no avail. I didn't do anything else, since I don't want to destroy my computer.)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:58:15 AM, on 3/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18372)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\docume~1\glennl~1\locals~1\temp\ntdll64.dll
O10 - Unknown file in Winsock LSP: c:\docume~1\glennl~1\locals~1\temp\ntdll64.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1227070532546
O17 - HKLM\System\CCS\Services\Tcpip\..\{221BC6F8-34AA-4C1B-94BA-645F762BAFB5}: NameServer = 192.168.1.1
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O22 - SharedTaskScheduler: jgzfkj9w38rksndfi7r4 - {C5BF49A2-94F3-42BD-F434-3604812C8955} - (no file)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\
--
End of file - 4970 bytes
Hi,
There seems to be malware there.
Download DDS and save it to your desktop from here (http://www.techsupportforum.com/sectools/sUBs/dds) or here (http://download.bleepingcomputer.com/sUBs/dds.scr) or here (http://www.forospyware.com/sUBs/dds).
Disable any script blocker, and then double click dds.scr to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt
Save both reports to your desktop. Post them back to your topic.
Thank you so much!
And so quick about it!
DDS***************
DDS (Ver_09-02-01.01) - NTFSx86
Run by Glenn Levesque at 12:54:46.79 on Mon 03/02/2009
Internet Explorer: 8.0.6001.18372
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1552 [GMT -5:00]
AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated)
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\Documents and Settings\Glenn Levesque\Desktop\dds.com
============== Pseudo HJT Report ===============
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [HijackThis startup scan] c:\program files\trend micro\hijackthis\HijackThis.exe /startupscan
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
StartupFolder: c:\docume~1\glennl~1\startm~1\programs\startup\ding!.lnk - c:\program files\southwest airlines\ding\Ding.exe
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
uPolicies-explorer: NoFolderOptions = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: c:\docume~1\glennl~1\locals~1\temp\ntdll64.dll
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1227070532546
TCP: {221BC6F8-34AA-4C1B-94BA-645F762BAFB5} = 192.168.1.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: {C5BF49A2-94F3-42BD-F434-3604812C8955} - No File
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\glennl~1\applic~1\mozilla\firefox\profiles\vu24rmxe.default\
============= SERVICES / DRIVERS ===============
R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2006-11-30 31944]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2008-11-18 104000]
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\mcshield.exe [2006-11-30 144960]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2008-11-18 72264]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2008-11-18 34152]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2008-11-18 168776]
S2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\vstskmgr.exe [2006-11-30 54872]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2009-2-8 33752]
=============== Created Last 30 ================
2009-03-01 00:33 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-02-28 04:46 <DIR> --d----- c:\program files\Trend Micro
2009-02-28 04:41 <DIR> --d----- C:\!KillBox
2009-02-28 03:37 <DIR> --dsh--- c:\documents and settings\glenn levesque\IECompatCache
2009-02-28 01:48 <DIR> --dsh--- c:\documents and settings\glenn levesque\IETldCache
2009-02-28 01:43 115 a------- c:\windows\system32\win32hlp.cnf
2009-02-28 01:41 104,960 ac------ c:\windows\system32\dllcache\userinit.exe
2009-02-28 01:41 0 a------- C:\kked.exe
2009-02-28 01:41 101,608 a------- c:\windows\system32\drivers\24d213fd.sys
2009-02-28 01:41 104,960 a------- c:\windows\system32\ntdll64.exe
2009-02-28 01:40 1 a------- c:\windows\system32\uniq.tll
2009-02-28 01:40 2 a------- C:\-54793591
2009-02-28 01:40 8,704 a------- C:\mvbrac.exe
2009-02-28 01:40 20,480 a------- C:\lsass.exe
2009-02-28 01:40 20,480 a------- C:\pbepbhhg.exe
2009-02-28 01:40 30,720 a------- c:\windows\system32\frmwrk32.exe
2009-02-28 01:40 30,720 a------- C:\pdfbg.exe
2009-02-28 01:40 39,936 a------- c:\windows\Dcileyocozo.dll
2009-02-28 01:40 39,936 a------- C:\ubhgxno.exe
2009-02-28 01:26 <DIR> --d----- c:\program files\Microsoft Games for Windows - LIVE
2009-02-28 01:18 79,360 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-02-27 23:10 <DIR> --d----- c:\program files\CCleaner
==================== Find3M ====================
2009-02-28 01:41 104,960 a------- c:\windows\system32\userinit.exe
2009-01-15 02:05 911,872 a------- c:\windows\system32\wininet.dll
2009-01-15 02:05 43,008 a------- c:\windows\system32\licmgr10.dll
2009-01-15 02:04 18,944 a------- c:\windows\system32\corpol.dll
2009-01-15 02:03 420,352 a------- c:\windows\system32\vbscript.dll
2009-01-15 02:03 72,704 a------- c:\windows\system32\admparse.dll
2009-01-15 02:03 71,680 a------- c:\windows\system32\iesetup.dll
2009-01-15 02:01 34,304 a------- c:\windows\system32\imgutil.dll
2009-01-15 02:00 48,128 a------- c:\windows\system32\mshtmler.dll
2009-01-15 02:00 45,568 a------- c:\windows\system32\mshta.exe
2009-01-15 01:50 156,160 a------- c:\windows\system32\msls31.dll
2009-01-02 18:53 1,085,440 a------- c:\windows\system32\rn.tmp
2008-12-29 08:31 142,872 a------- c:\windows\pchealth\helpctr\config\cache\Personal_32_1033.dat
2008-12-29 08:30 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
============= FINISH: 12:55:22.10 ===============
ATTACH****************************************
DDS (Ver_09-02-01.01)
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 11/17/2008 7:04:23 PM
System Uptime: 3/2/2009 12:50:43 PM (0 hours ago)
Motherboard: http://www.abit.com.tw/ | | KN8 SLI(NF-CK804)
Processor: AMD Athlon(tm) 64 Processor 3500+ | Socket 939 | 2210/200mhz
==== Disk Partitions =========================
A: is Removable
C: is FIXED (NTFS) - 190 GiB total, 116.606 GiB free.
D: is CDROM ()
E: is CDROM ()
F: is CDROM (CDFS)
G: is CDROM ()
H: is CDROM ()
==== Disabled Device Manager Items =============
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Hamachi Network Interface
Device ID: ROOT\NET\0000
Manufacturer: Applied Networking Inc.
Name: Hamachi Network Interface
PNP Device ID: ROOT\NET\0000
Service: hamachi
==== System Restore Points ===================
RP79: 12/4/2008 5:53:39 PM - Installed Microsoft Office Enterprise 2007
RP80: 12/4/2008 5:56:45 PM - Installed Microsoft Office Enterprise 2007
RP81: 12/4/2008 6:00:04 PM - Installed Microsoft Office Enterprise 2007
RP82: 12/4/2008 6:08:02 PM - Printer Driver Send To Microsoft OneNote Driver Installed
RP83: 12/4/2008 6:08:24 PM - Printer Driver Microsoft Office Document Image Writer Installed
RP84: 12/4/2008 9:09:19 PM - Software Distribution Service 3.0
RP85: 12/6/2008 8:18:28 AM - System Checkpoint
RP86: 12/6/2008 1:07:49 PM - Installed DING!
RP87: 12/26/2008 3:59:06 PM - System Checkpoint
RP88: 12/26/2008 7:52:12 PM - Installed Company of Heroes.
RP89: 12/28/2008 12:53:17 PM - Software Distribution Service 3.0
RP90: 12/28/2008 1:23:47 PM - Software Distribution Service 3.0
RP91: 12/28/2008 2:14:16 PM - Software Distribution Service 3.0
RP92: 12/28/2008 7:06:46 PM - Software Distribution Service 3.0
RP93: 12/28/2008 7:57:56 PM - Software Distribution Service 3.0
RP94: 12/28/2008 8:20:47 PM - Software Distribution Service 3.0
RP95: 12/28/2008 9:00:24 PM - Software Distribution Service 3.0
RP96: 12/29/2008 12:08:19 AM - Installed Windows Media Player 11
RP97: 12/29/2008 12:10:00 AM - Installed Windows XP MSCompPackV1.
RP98: 12/29/2008 12:10:40 AM - Installed Windows XP KB926239.
RP99: 12/29/2008 8:09:39 AM - Installed DirectX
RP100: 12/29/2008 8:19:59 AM - Installed Windows XP Service Pack 3.
RP101: 12/29/2008 8:32:53 AM - Installed Windows XP KB915800-v4.
RP102: 12/29/2008 8:33:43 AM - Installed Windows XP KB938464.
RP103: 12/29/2008 8:34:39 AM - Installed Windows XP KB946648.
RP104: 12/29/2008 8:35:34 AM - Installed Windows XP KB950762.
RP105: 12/29/2008 8:36:32 AM - Installed Windows XP KB950974.
RP106: 12/29/2008 8:37:27 AM - Installed Windows XP KB951066.
RP107: 12/29/2008 8:38:25 AM - Installed Windows XP KB951376-v2.
RP108: 12/29/2008 8:39:20 AM - Installed Windows XP KB951698.
RP109: 12/29/2008 8:40:17 AM - Installed Windows XP KB951748.
RP110: 12/29/2008 8:41:14 AM - Installed Windows XP KB952287.
RP111: 12/29/2008 8:42:09 AM - Installed Windows XP KB952954.
RP112: 12/29/2008 8:43:07 AM - Installed Windows XP KB954211.
RP113: 12/29/2008 8:44:02 AM - Installed Windows XP KB954600.
RP114: 12/29/2008 8:44:58 AM - Installed Windows XP KB955069.
RP115: 12/29/2008 8:45:57 AM - Installed Windows XP KB956802.
RP116: 12/29/2008 8:46:54 AM - Installed Windows XP KB956803.
RP117: 12/29/2008 8:47:49 AM - Installed Windows XP KB956841.
RP118: 12/29/2008 8:48:46 AM - Installed Windows XP KB957095.
RP119: 12/29/2008 8:49:43 AM - Installed Windows XP KB957097.
RP120: 12/29/2008 8:50:38 AM - Installed Windows XP KB958644.
RP121: 12/29/2008 3:30:21 PM - Removed Company of Heroes.
RP122: 12/29/2008 3:52:28 PM - Removed Company of Heroes.
RP123: 12/29/2008 3:54:14 PM - Software Distribution Service 3.0
RP124: 12/29/2008 4:16:09 PM - Installed Company of Heroes.
RP125: 12/29/2008 6:49:50 PM - Installed EasyRecovery Professional
RP126: 12/30/2008 6:13:31 PM - Removed Company of Heroes.
RP127: 12/30/2008 6:14:30 PM - Removed EasyRecovery Professional
RP128: 12/31/2008 4:03:49 PM - Installed iTunes
RP129: 1/1/2009 5:18:08 PM - System Checkpoint
RP130: 1/1/2009 5:36:49 PM - Installed EasyRecovery Professional
RP131: 1/2/2009 5:41:39 PM - System Checkpoint
RP132: 1/2/2009 11:42:28 PM - Installed WD Diagnostics
RP133: 1/7/2009 4:22:52 PM - System Checkpoint
RP134: 1/10/2009 11:05:51 AM - System Checkpoint
RP135: 1/17/2009 11:23:24 AM - Software Distribution Service 3.0
RP136: 1/18/2009 4:04:04 PM - System Checkpoint
RP137: 1/25/2009 1:19:19 PM - System Checkpoint
RP138: 2/8/2009 2:47:29 PM - System Checkpoint
RP139: 2/8/2009 6:55:27 PM - Removed Adobe Reader 7.0
RP140: 2/8/2009 6:55:53 PM - Installed Adobe Reader 9.
RP141: 2/15/2009 9:02:26 AM - Software Distribution Service 3.0
RP142: 2/16/2009 3:25:06 PM - System Checkpoint
RP143: 2/17/2009 7:09:00 PM - System Checkpoint
RP144: 2/20/2009 5:21:24 PM - System Checkpoint
RP145: 2/27/2009 10:58:30 PM - Removed EasyRecovery Professional
RP146: 2/27/2009 11:02:39 PM - Removed WD Diagnostics
RP147: 2/28/2009 1:12:02 AM - Software Distribution Service 3.0
RP148: 2/28/2009 1:27:03 AM - Installed DirectX
==== Installed Programs ======================
2007 Microsoft Office Suite Service Pack 1 (SP1)
ABITEQ
Acrobat.com
Adobe AIR
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Reader 9
Apple Mobile Device Support
Apple Software Update
Athlon 64 Processor Driver
Audiosurf
Bonjour
CCleaner (remove only)
Command & Conquer Generals
Command & Conquer™ Red Alert™ 3
Command and ConquerTM Generals Zero Hour
Creative EAX Settings
Creative Speaker Settings
Creative System Information
Device Control
DING!
Dungeon Siege
EA Download Manager
EVGA Display Driver
Fallout 3
FlashMenu
getPlus(R) for Adobe
Half-Life 2
Half-Life 2: Episode One
Half-Life 2: Episode Two
Hamachi 1.0.1.1
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
iTunes
LightScribe System Software 1.10.19.1
Linksys Wireless-G PCI Network Adapter with SpeedBooster
McAfee VirusScan Enterprise
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Games for Windows - LIVE
Microsoft Games for Windows - LIVE Redistributable
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft XML Parser
Mozilla Firefox (3.0.6)
MSXML 4.0 SP2 (KB954430)
MSXML 6 Service Pack 2 (KB954459)
Nero 8 Essentials
neroxml
NVIDIA Drivers
QuickTime
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB958439)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB958437)
Security Update for Microsoft Office OneNote 2007 (KB950130)
Security Update for Microsoft Office PowerPoint 2007 (KB951338)
Security Update for Microsoft Office Publisher 2007 (KB950114)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office system 2007 (KB956828)
Security Update for Microsoft Office Word 2007 (KB956358)
Security Update for Windows Internet Explorer 8 (KB960714)
Security Update for Windows Internet Explorer 8 (KB961260)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB960715)
ShockWave V0.95
Sound Blaster Audigy
Steam
Team Fortress 2
TeamSpeak 2 RC2
Update for Microsoft Office 2007 Help for Common Features (KB957244)
Update for Microsoft Office Access 2007 Help (KB957241)
Update for Microsoft Office Excel 2007 Help (KB957242)
Update for Microsoft Office InfoPath 2007 Help (KB957243)
Update for Microsoft Office OneNote 2007 Help (KB957245)
Update for Microsoft Office Outlook 2007 (KB952142)
Update for Microsoft Office Outlook 2007 Help (KB957246)
Update for Microsoft Office PowerPoint 2007 Help (KB957247)
Update for Microsoft Office Publisher 2007 Help (KB957249)
Update for Microsoft Office Word 2007 Help (KB957252)
Update for Microsoft Script Editor Help (KB957253)
Update for Office 2007 (KB946691)
Update for Outlook 2007 Junk Email Filter (kb959634)
Update for Windows Internet Explorer 8 (KB961813)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
VCRedistSetup
Ventrilo Client
VLC media player 0.9.6
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Internet Explorer 8 Release Candidate 1
Windows Media Format 11 runtime
Windows Media Player 11
Windows Presentation Foundation
Windows XP Service Pack 3
WinRAR archiver
XML Paper Specification Shared Components Pack 1.0
==== Event Viewer Messages From Past Week ========
2/27/2009 11:02:47 PM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
2/27/2009 11:01:57 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
2/28/2009 1:47:08 AM, error: Service Control Manager [7000] - The Background Intelligent Transfer Service service failed to start due to the following error: The system cannot find the file specified.
2/28/2009 1:47:09 AM, error: Service Control Manager [7000] - The Automatic Updates service failed to start due to the following error: The system cannot find the file specified.
2/28/2009 3:26:23 AM, error: Service Control Manager [7034] - The Crypkey License service terminated unexpectedly. It has done this 1 time(s).
2/28/2009 3:29:36 AM, error: Service Control Manager [7034] - The Machine Debug Manager service terminated unexpectedly. It has done this 1 time(s).
2/28/2009 3:58:55 AM, error: Service Control Manager [7000] - The Crypkey License service failed to start due to the following error: The system cannot find the file specified.
2/28/2009 4:24:38 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
2/28/2009 4:25:26 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
2/28/2009 4:25:26 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
2/28/2009 4:25:26 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
2/28/2009 4:25:26 AM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
2/28/2009 4:25:26 AM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
2/28/2009 4:25:26 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
2/28/2009 4:25:26 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AmdK8 Fips IPSec mfetdik MRxSmb NetBIOS NetBT NetworkX RasAcd Rdbss Tcpip WS2IFSL
2/28/2009 4:26:26 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
2/28/2009 5:08:02 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
3/1/2009 12:12:53 AM, error: DCOM [10005] - DCOM got error "%2" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
3/2/2009 12:52:54 PM, error: Service Control Manager [7034] - The McAfee Task Manager service terminated unexpectedly. It has done this 1 time(s).
2/28/2009 3:26:54 AM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file cryptdlg.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.5512.
2/28/2009 3:26:54 AM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file cryptext.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 5.131.2600.5512.
==== End Of File ===========================
Hi again :)
Please visit this webpage for download links, and instructions for running ComboFix tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.
The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
Once installed, you should see a blue screen prompt that says:
The Recovery Console was successfully installed.
Please continue as follows:
Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.
Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.
Please include the following reports for further review, and so we may continue cleansing the system:
C:\ComboFix.txt
New dds.txt log.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
OK, we got the NEW DDS here:
DDS (Ver_09-02-01.01) - NTFSx86
Run by Glenn Levesque at 22:32:18.00 on Mon 03/02/2009
Internet Explorer: 8.0.6001.18372
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1607 [GMT -5:00]
AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated)
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Glenn Levesque\Desktop\dds.com
============== Pseudo HJT Report ===============
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [HijackThis startup scan] c:\program files\trend micro\hijackthis\HijackThis.exe /startupscan
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
StartupFolder: c:\docume~1\glennl~1\startm~1\programs\startup\ding!.lnk - c:\program files\southwest airlines\ding\Ding.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1227070532546
TCP: {221BC6F8-34AA-4C1B-94BA-645F762BAFB5} = 192.168.1.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\glennl~1\applic~1\mozilla\firefox\profiles\vu24rmxe.default\
============= SERVICES / DRIVERS ===============
P2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\mcshield.exe [2006-11-30 144960]
R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2006-11-30 31944]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2008-11-18 104000]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\vstskmgr.exe [2006-11-30 54872]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2008-11-18 72264]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2008-11-18 34152]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2008-11-18 168776]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2009-2-8 33752]
=============== Created Last 30 ================
2009-03-02 22:11 161,792 a------- c:\windows\SWREG.exe
2009-03-02 22:11 98,816 a------- c:\windows\sed.exe
2009-03-02 21:55 <DIR> --dshr-- C:\cmdcons
2009-03-02 21:55 <DIR> --d----- c:\windows\setup.pss
2009-03-02 21:55 <DIR> --d----- c:\windows\setupupd
2009-03-01 00:33 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-02-28 04:46 <DIR> --d----- c:\program files\Trend Micro
2009-02-28 04:41 <DIR> --d----- C:\!KillBox
2009-02-28 03:37 <DIR> --dsh--- c:\documents and settings\glenn levesque\IECompatCache
2009-02-28 01:48 <DIR> --dsh--- c:\documents and settings\glenn levesque\IETldCache
2009-02-28 01:41 0 a------- C:\kked.exe
2009-02-28 01:41 101,608 a------- c:\windows\system32\drivers\24d213fd.sys
2009-02-28 01:40 2 a------- C:\-54793591
2009-02-28 01:40 8,704 a------- C:\mvbrac.exe
2009-02-28 01:40 20,480 a------- C:\pbepbhhg.exe
2009-02-28 01:40 30,720 a------- C:\pdfbg.exe
2009-02-28 01:40 39,936 a------- C:\ubhgxno.exe
2009-02-28 01:26 <DIR> --d----- c:\program files\Microsoft Games for Windows - LIVE
2009-02-28 01:18 79,360 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-02-27 23:10 <DIR> --d----- c:\program files\CCleaner
==================== Find3M ====================
2009-01-15 02:05 911,872 a------- c:\windows\system32\wininet.dll
2009-01-15 02:05 43,008 a------- c:\windows\system32\licmgr10.dll
2009-01-15 02:04 18,944 a------- c:\windows\system32\corpol.dll
2009-01-15 02:03 420,352 a------- c:\windows\system32\vbscript.dll
2009-01-15 02:03 72,704 a------- c:\windows\system32\admparse.dll
2009-01-15 02:03 71,680 a------- c:\windows\system32\iesetup.dll
2009-01-15 02:01 34,304 a------- c:\windows\system32\imgutil.dll
2009-01-15 02:00 48,128 a------- c:\windows\system32\mshtmler.dll
2009-01-15 02:00 45,568 a------- c:\windows\system32\mshta.exe
2009-01-15 01:50 156,160 a------- c:\windows\system32\msls31.dll
2009-01-02 18:53 1,085,440 a------- c:\windows\system32\rn.tmp
2008-12-29 08:31 142,872 a------- c:\windows\pchealth\helpctr\config\cache\Personal_32_1033.dat
2008-12-29 08:30 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
============= FINISH: 22:32:31.07 ===============
and the Combofix here:
ComboFix 09-03-02.01 - Glenn Levesque 2009-03-02 22:19:48.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1582 [GMT -5:00]
Running from: c:\documents and settings\Glenn Levesque\Desktop\ComboFix1.exe
AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated)
* Resident AV is active
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\docume~1\GLENNL~1\LOCALS~1\Temp\mousehook.dll
c:\docume~1\GLENNL~1\LOCALS~1\Temp\ntdll64.dll
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\lsass.exe
c:\windows\system32\drivers\UACbejwqjkd.sys
c:\windows\system32\frmwrk32.exe
c:\windows\system32\init32.exe
c:\windows\system32\ntdll64.exe
c:\windows\system32\UACbsbvpyxu.log
c:\windows\system32\UACdxvnuqqh.log
c:\windows\system32\UACeqmqeabf.log
c:\windows\system32\UACexgbrfth.dat
c:\windows\system32\UACkjlnssiy.dll
c:\windows\system32\UACmbpjxfpn.dll
c:\windows\system32\UACtvgrrpai.dll
c:\windows\system32\UACuxtprral.dat
c:\windows\system32\uniq.tll
c:\windows\system32\win32hlp.cnf
----- BITS: Possible infected sites -----
hxxp://donyeess.110mb.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_uacd.sys
((((((((((((((((((((((((( Files Created from 2009-02-03 to 2009-03-03 )))))))))))))))))))))))))))))))
.
2009-03-01 00:33 . 2009-03-01 00:49 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-02-28 04:46 . 2009-02-28 04:46 <DIR> d-------- c:\program files\Trend Micro
2009-02-28 04:41 . 2009-02-28 04:41 <DIR> d-------- C:\!KillBox
2009-02-28 04:24 . 2009-02-28 04:24 <DIR> d-------- c:\documents and settings\Administrator
2009-02-28 03:37 . 2009-02-28 03:37 <DIR> d--hs---- c:\documents and settings\Glenn Levesque\IECompatCache
2009-02-28 01:48 . 2009-02-28 01:48 <DIR> d--hs---- c:\documents and settings\Glenn Levesque\IETldCache
2009-02-28 01:41 . 2009-03-02 22:25 101,608 --a------ c:\windows\system32\drivers\24d213fd.sys
2009-02-28 01:41 . 2009-02-28 01:41 0 --a------ C:\kked.exe
2009-02-28 01:40 . 2009-02-28 01:40 39,936 --a------ C:\ubhgxno.exe
2009-02-28 01:40 . 2009-02-28 01:40 30,720 --a------ C:\pdfbg.exe
2009-02-28 01:40 . 2009-02-28 01:40 20,480 --a------ C:\pbepbhhg.exe
2009-02-28 01:40 . 2009-02-28 01:40 8,704 --a------ C:\mvbrac.exe
2009-02-28 01:40 . 2009-02-28 01:41 2 --a------ C:\-54793591
2009-02-28 01:26 . 2009-02-28 01:27 <DIR> d-------- c:\program files\Microsoft Games for Windows - LIVE
2009-02-28 01:18 . 2009-01-11 00:00 79,360 -----c--- c:\windows\system32\dllcache\iecompat.dll
2009-02-27 23:10 . 2009-02-27 23:10 <DIR> d-------- c:\program files\CCleaner
2009-02-08 18:57 . 2009-02-08 18:57 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-02-08 18:47 . 2009-02-08 18:47 <DIR> d-------- c:\program files\NOS
2009-02-08 18:47 . 2009-02-08 18:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-02 18:40 --------- d-----w c:\program files\Steam
2009-03-01 05:49 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-01 05:28 --------- d-----w c:\program files\uTorrent
2009-02-28 06:43 --------- d-----w c:\program files\Microsoft Silverlight
2009-02-28 06:07 --------- d-----w c:\program files\Windows Desktop Search
2009-02-28 04:01 --------- d-----w c:\program files\Stellar Phoenix Windows Data Recovery
2009-02-28 04:00 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-28 04:00 --------- d-----w c:\program files\Ontrack
2009-02-15 14:06 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-02-08 23:56 --------- d-----w c:\program files\Common Files\Adobe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"HijackThis startup scan"="c:\program files\Trend Micro\HijackThis\HijackThis.exe" [2009-02-28 396288]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
c:\documents and settings\Glenn Levesque\Start Menu\Programs\Startup\
DING!.lnk - c:\program files\Southwest Airlines\Ding\Ding.exe [2006-06-22 462848]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Electronic Arts\\Red Alert 3\\Data\\ra3_1.4.game"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\EA Games\\Command and Conquer Generals\\patchget.dat"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\EA Games\\Command & Conquer Generals Zero Hour\\patchget.dat"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2009-02-08 33752]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - GTNDIS5
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder
2008-12-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
- - - - ORPHANS REMOVED - - - -
Toolbar-Locked - (no file)
SharedTaskScheduler-{C5BF49A2-94F3-42BD-F434-3604812C8955} - (no file)
.
------- Supplementary Scan -------
.
TCP: {221BC6F8-34AA-4C1B-94BA-645F762BAFB5} = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Glenn Levesque\Application Data\Mozilla\Firefox\Profiles\vu24rmxe.default\
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-02 22:25:40
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\24d213fd]
"ImagePath"="\SystemRoot\System32\drivers\24d213fd.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\s-1-5-21-343818398-1336601894-1801674531-1004\Software\SecuROM\License information*]
"datasecu"=hex:ae,fa,46,a7,fd,0b,a6,e3,60,02,04,e4,d7,fc,47,5e,26,19,77,b9,3f,
eb,a3,8c,7e,fc,7a,d7,28,6d,d1,ef,80,68,26,1a,f5,52,c4,54,27,b4,10,f1,e7,06,\
"rkeysecu"=hex:c2,69,b2,90,7a,21,2d,74,0c,e8,96,35,0f,52,46,9e
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(728)
c:\windows\system32\sxs.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\vstskmgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
c:\program files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-03-02 22:28:09 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-03 03:28:06
Pre-Run: 110,865,489,920 bytes free
Post-Run: 110,904,721,408 bytes free
Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
167 --- E O F --- 2009-02-28 06:19:08
Again, thanks so much for what you're doing!
Hi again,
Open notepad and copy/paste the text in the quotebox below into it:
http://forums.spybot.info/showthread.php?t=46272
Collect::[4]
c:\windows\system32\drivers\24d213fd.sys
C:\kked.exe
C:\ubhgxno.exe
C:\pdfbg.exe
C:\pbepbhhg.exe
C:\mvbrac.exe
C:\-54793591
c:\windows\system32\rn.tmp
Driver::
24d213fd
Folder::
c:\program files\uTorrent
Save this as
CFScript
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Referring to the picture above, drag CFScript into ComboFix.exe (let ComboFix update itself)
Then post the resultant log.
Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.
Double-click ATF Cleaner.exe to open it
Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program.
* Go here (http://www.eset.eu/online-scanner) to run an online scanner from ESET.
Note: You will need to use Internet explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Make sure that the option Remove found threats is UNchecked and the option Scan unwanted applications is checkmarked.
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic, along with a new dds.txt log & above mentioned ComboFix report.
Log from eset
C:\Documents and Settings\Glenn Levesque\My Documents\Downloads\AVG_anti-Virus8.0.164pro_ABBY-\AVG Anti-Virus\Keygen.exe probably a variant of Win32/Agent trojan
C:\Program Files\Trend Micro\HijackThis\backups\backup-20090228-050212-170.dll Win32/TrojanDownloader.Small.NTQ trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\frmwrk32.exe.vir Win32/TrojanDownloader.FakeAlert.YV trojan
C:\Qoobox\Quarantine\C\lsass.exe.vir probably a variant of Win32/Genetik trojan
COMBOFIX
ComboFix 09-03-04.01 - Glenn Levesque 2009-03-05 14:13:00.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1536 [GMT -5:00]
Running from: c:\documents and settings\Glenn Levesque\Desktop\ComboFix1.exe
Command switches used :: c:\documents and settings\Glenn Levesque\Desktop\CFScript.txt
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated)
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\-54793591
C:\kked.exe
C:\pbepbhhg.exe
C:\pdfbg.exe
c:\program files\uTorrent
c:\program files\uTorrent\Dj Tiesto - Just Be.torrent
c:\program files\uTorrent\Rosetta Stone Spanish Latin America.torrent
c:\program files\uTorrent\Rosetta Stone v3 App incl Spanish Latin America 1-3.torrent
c:\program files\uTorrent\Spanish (Spain) - Level I & II.torrent
c:\program files\uTorrent\Stalker Clear Sky.torrent
c:\program files\uTorrent\Stellar Phoenix (windows+linux).7z.torrent
c:\program files\uTorrent\Tiesto_-_Elements_of_Life_Remixed_(2008).torrent
c:\windows\system32\drivers\24d213fd.sys
c:\windows\system32\rn.tmp
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_24d213fd
((((((((((((((((((((((((( Files Created from 2009-02-05 to 2009-03-05 )))))))))))))))))))))))))))))))
.
2009-03-05 13:53 . 2009-03-05 13:53 <DIR> d--h----- c:\documents and settings\Glenn Levesque\Application Data\GTek
2009-03-05 13:53 . 2009-03-05 13:53 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Gtek
2009-03-05 13:52 . 2009-03-05 13:53 <DIR> d-------- c:\program files\Linksys EasyLink Advisor
2009-03-05 13:52 . 2009-03-05 13:53 <DIR> d-ah----- c:\documents and settings\All Users\Application Data\GTek
2009-03-05 13:52 . 2006-11-23 17:51 1,922,048 --a------ c:\windows\system32\gdql_lsa.dll
2009-03-05 13:52 . 2006-01-16 21:08 683,150 --a------ c:\windows\system32\qdiaglsa.ocx
2009-03-05 13:52 . 2005-08-30 11:23 208,896 --a------ c:\windows\system32\GTDownLS_125.ocx
2009-03-05 13:52 . 2006-11-13 12:08 135,168 --a------ c:\windows\system32\GoProto.dll
2009-03-05 13:52 . 2009-03-05 13:52 28,672 --a------ c:\windows\system32\drivers\goprot51.sys
2009-03-05 13:52 . 2004-06-09 08:29 6,977 --a------ c:\windows\system32\DDMI2.sys
2009-03-05 13:52 . 2005-03-13 15:54 6,656 --a------ c:\windows\system32\DLPT2.sys
2009-03-01 00:33 . 2009-03-01 00:49 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-02-28 04:46 . 2009-02-28 04:46 <DIR> d-------- c:\program files\Trend Micro
2009-02-28 04:41 . 2009-02-28 04:41 <DIR> d-------- C:\!KillBox
2009-02-28 04:24 . 2009-02-28 04:24 <DIR> d-------- c:\documents and settings\Administrator
2009-02-28 03:37 . 2009-02-28 03:37 <DIR> d--hs---- c:\documents and settings\Glenn Levesque\IECompatCache
2009-02-28 01:48 . 2009-02-28 01:48 <DIR> d--hs---- c:\documents and settings\Glenn Levesque\IETldCache
2009-02-28 01:41 . 2009-03-05 14:17 101,608 --a------ c:\windows\system32\drivers\24d213fd.sys
2009-02-28 01:26 . 2009-02-28 01:27 <DIR> d-------- c:\program files\Microsoft Games for Windows - LIVE
2009-02-28 01:18 . 2009-01-11 00:00 79,360 -----c--- c:\windows\system32\dllcache\iecompat.dll
2009-02-27 23:10 . 2009-02-27 23:10 <DIR> d-------- c:\program files\CCleaner
2009-02-08 18:57 . 2009-02-08 18:57 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-02-08 18:47 . 2009-02-08 18:47 <DIR> d-------- c:\program files\NOS
2009-02-08 18:47 . 2009-02-08 18:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-03 04:50 --------- d-----w c:\program files\Steam
2009-03-01 05:49 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-28 06:43 --------- d-----w c:\program files\Microsoft Silverlight
2009-02-28 06:07 --------- d-----w c:\program files\Windows Desktop Search
2009-02-28 04:01 --------- d-----w c:\program files\Stellar Phoenix Windows Data Recovery
2009-02-28 04:00 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-28 04:00 --------- d-----w c:\program files\Ontrack
2009-02-15 14:06 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-02-08 23:56 --------- d-----w c:\program files\Common Files\Adobe
.
((((((((((((((((((((((((((((( SnapShot@2009-03-02_22.27.20.85 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-21 01:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
- 2009-03-03 03:26:02 72,094 ----a-w c:\windows\system32\perfc009.dat
+ 2009-03-05 18:43:10 72,094 ----a-w c:\windows\system32\perfc009.dat
- 2009-03-03 03:26:02 444,088 ----a-w c:\windows\system32\perfh009.dat
+ 2009-03-05 18:43:10 444,088 ----a-w c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"HijackThis startup scan"="c:\program files\Trend Micro\HijackThis\HijackThis.exe" [2009-02-28 396288]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2006-10-30 392832]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
c:\documents and settings\Glenn Levesque\Start Menu\Programs\Startup\
DING!.lnk - c:\program files\Southwest Airlines\Ding\Ding.exe [2006-06-22 462848]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Electronic Arts\\Red Alert 3\\Data\\ra3_1.4.game"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\EA Games\\Command and Conquer Generals\\patchget.dat"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\EA Games\\Command & Conquer Generals Zero Hour\\patchget.dat"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2009-02-08 33752]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder
2008-12-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
TCP: {221BC6F8-34AA-4C1B-94BA-645F762BAFB5} = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Glenn Levesque\Application Data\Mozilla\Firefox\Profiles\vu24rmxe.default\
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-05 14:16:43
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\24d213fd]
"ImagePath"="\SystemRoot\System32\drivers\24d213fd.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\s-1-5-21-343818398-1336601894-1801674531-1004\Software\SecuROM\License information*]
"datasecu"=hex:ae,fa,46,a7,fd,0b,a6,e3,60,02,04,e4,d7,fc,47,5e,26,19,77,b9,3f,
eb,a3,8c,7e,fc,7a,d7,28,6d,d1,ef,80,68,26,1a,f5,52,c4,54,27,b4,10,f1,e7,06,\
"rkeysecu"=hex:c2,69,b2,90,7a,21,2d,74,0c,e8,96,35,0f,52,46,9e
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(696)
c:\windows\system32\sxs.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\vstskmgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
c:\program files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
.
**************************************************************************
.
Completion time: 2009-03-05 14:20:03 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-05 19:20:00
ComboFix2.txt 2009-03-03 03:28:10
Pre-Run: 111,674,265,600 bytes free
Post-Run: 111,505,973,248 bytes free
Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
167 --- E O F --- 2009-02-28 06:19:08
DDS REPORT
DDS (Ver_09-02-01.01) - NTFSx86
Run by Glenn Levesque at 16:12:45.43 on Thu 03/05/2009
Internet Explorer: 8.0.6001.18372
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1321 [GMT -5:00]
AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated)
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Glenn Levesque\Desktop\dds.com
============== Pseudo HJT Report ===============
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: eset.eu\www
DPF: {56762dec-6b0d-4ab4-a8ad-989993b5d08b} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1227070532546
TCP: {221BC6F8-34AA-4C1B-94BA-645F762BAFB5} = 192.168.1.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\glennl~1\applic~1\mozilla\firefox\profiles\vu24rmxe.default\
============= SERVICES / DRIVERS ===============
R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2006-11-30 31944]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2008-11-18 104000]
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\mcshield.exe [2006-11-30 144960]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\vstskmgr.exe [2006-11-30 54872]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2008-11-18 72264]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2008-11-18 34152]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2008-11-18 168776]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2009-2-8 33752]
=============== Created Last 30 ================
2009-03-05 15:17 <DIR> --d----- c:\program files\ESET
2009-03-05 15:04 <DIR> --d----- c:\program files\EsetOnlineScanner
2009-03-02 22:11 161,792 a------- c:\windows\SWREG.exe
2009-03-02 22:11 98,816 a------- c:\windows\sed.exe
2009-03-02 21:55 <DIR> --dshr-- C:\cmdcons
2009-03-02 21:55 <DIR> --d----- c:\windows\setup.pss
2009-03-02 21:55 <DIR> --d----- c:\windows\setupupd
2009-03-01 00:33 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-02-28 04:46 <DIR> --d----- c:\program files\Trend Micro
2009-02-28 04:41 <DIR> --d----- C:\!KillBox
2009-02-28 03:37 <DIR> --dsh--- c:\documents and settings\glenn levesque\IECompatCache
2009-02-28 01:48 <DIR> --dsh--- c:\documents and settings\glenn levesque\IETldCache
2009-02-28 01:26 <DIR> --d----- c:\program files\Microsoft Games for Windows - LIVE
2009-02-28 01:18 79,360 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-02-27 23:10 <DIR> --d----- c:\program files\CCleaner
==================== Find3M ====================
2009-01-15 02:05 911,872 a------- c:\windows\system32\wininet.dll
2009-01-15 02:05 43,008 a------- c:\windows\system32\licmgr10.dll
2009-01-15 02:04 18,944 a------- c:\windows\system32\corpol.dll
2009-01-15 02:03 420,352 a------- c:\windows\system32\vbscript.dll
2009-01-15 02:03 72,704 a------- c:\windows\system32\admparse.dll
2009-01-15 02:03 71,680 a------- c:\windows\system32\iesetup.dll
2009-01-15 02:01 34,304 a------- c:\windows\system32\imgutil.dll
2009-01-15 02:00 48,128 a------- c:\windows\system32\mshtmler.dll
2009-01-15 02:00 45,568 a------- c:\windows\system32\mshta.exe
2009-01-15 01:50 156,160 a------- c:\windows\system32\msls31.dll
2008-12-29 08:31 142,872 a------- c:\windows\pchealth\helpctr\config\cache\Personal_32_1033.dat
2008-12-29 08:30 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
============= FINISH: 16:13:13.84 ===============
Just got in, here ya go! (and the eset link worked, but the scanner did not. ActiveX would prompt me to install the scanner, I would say yes, then nothing would happen. maybe the scanner was down, but I found and used the beta, which was a downloadable executable. I could get past the ActiveX issue and make the log file)
Thank you!
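As an added example (my own code, not something from this thread, from ComboFix or from its author), here is a small Python triage script that reads the two ComboFix logs posted above and automates two checks a helper otherwise does by eye: files listed under "Other Deletions" that still appear under "Files Created" with a modification time at or after the run started (24d213fd.sys in the second run, which is exactly the kind of self-restoring driver that warrants the VirusTotal upload asked for next), and bursts of files dropped straight into the drive root within a couple of minutes (the 01:40 cluster in the first run). The log text is constructed from the entries quoted in this thread; the regexes, the two-minute window, the count threshold and all function names are my assumptions about ComboFix's line format, not a documented interface.

```python
import re
from datetime import datetime, timedelta

# Constructed samples: trimmed ComboFix logs rebuilt from the entries quoted in
# this thread (runs of 2009-03-02 and 2009-03-05); raw strings keep backslashes.
FIRST_RUN = r"""
ComboFix 09-03-02.01 - Glenn Levesque 2009-03-02 22:19:48.1 - NTFSx86
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\lsass.exe
c:\windows\system32\drivers\UACbejwqjkd.sys
.
((((((((((((((((((((((((( Files Created from 2009-02-03 to 2009-03-03 )))))))))))))))))))))))))))))))
.
2009-03-01 00:33 . 2009-03-01 00:49 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-02-28 01:41 . 2009-03-02 22:25 101,608 --a------ c:\windows\system32\drivers\24d213fd.sys
2009-02-28 01:41 . 2009-02-28 01:41 0 --a------ C:\kked.exe
2009-02-28 01:40 . 2009-02-28 01:40 39,936 --a------ C:\ubhgxno.exe
2009-02-28 01:40 . 2009-02-28 01:40 30,720 --a------ C:\pdfbg.exe
2009-02-28 01:40 . 2009-02-28 01:40 20,480 --a------ C:\pbepbhhg.exe
2009-02-28 01:40 . 2009-02-28 01:40 8,704 --a------ C:\mvbrac.exe
2009-02-28 01:40 . 2009-02-28 01:41 2 --a------ C:\-54793591
.
"""
SECOND_RUN = r"""
ComboFix 09-03-04.01 - Glenn Levesque 2009-03-05 14:13:00.2 - NTFSx86
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\-54793591
C:\kked.exe
c:\windows\system32\drivers\24d213fd.sys
.
((((((((((((((((((((((((( Files Created from 2009-02-05 to 2009-03-05 )))))))))))))))))))))))))))))))
.
2009-03-05 13:52 . 2009-03-05 13:52 28,672 --a------ c:\windows\system32\drivers\goprot51.sys
2009-02-28 01:41 . 2009-03-05 14:17 101,608 --a------ c:\windows\system32\drivers\24d213fd.sys
.
"""

# Line shapes are my reading of the logs above, not ComboFix's documented format.
HEADER_RE = re.compile(r"^ComboFix \S+ - .* (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")
ENTRY_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
                      r"(<DIR>|[\d,]+) \S+ (.+)$")
ROOT_FILE_RE = re.compile(r"^[a-z]:\\[^\\]+$")  # file sitting directly in a drive root


def parse_combofix(text):
    """Return (run_start, set of deleted paths, list of created file entries)."""
    run_start, deleted, created, section = None, set(), [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            run_start = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        elif "Other Deletions" in line:
            section = "deleted"
        elif "Files Created" in line:
            section = "created"
        elif line.startswith("(((("):
            section = None  # any other banner closes the section
        elif line.strip() in ("", "."):
            continue
        elif section == "deleted":
            deleted.add(line.strip().lower())
        elif section == "created":
            m = ENTRY_RE.match(line)
            if m and m.group(3) != "<DIR>":  # directories are not of interest here
                created.append({"created": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M"),
                                "modified": datetime.strptime(m.group(2), "%Y-%m-%d %H:%M"),
                                "path": m.group(4).strip().lower()})
    return run_start, deleted, created


def reappeared_files(text):
    """Paths ComboFix says it deleted that are still listed with a modification
    time at or after the run began: the file was re-created under the tool's
    feet, which is the behaviour of a self-restoring rootkit driver."""
    run_start, deleted, created = parse_combofix(text)
    return sorted(e["path"] for e in created
                  if e["path"] in deleted and e["modified"] >= run_start)


def root_file_bursts(text, window=timedelta(minutes=2), min_count=3):
    """Groups of at least `min_count` files dropped straight into a drive root
    within `window` of each other; a dropper's payloads tend to show up this way."""
    _, _, created = parse_combofix(text)
    roots = sorted((e for e in created if ROOT_FILE_RE.match(e["path"])),
                   key=lambda e: e["created"])
    bursts, group = [], []
    for e in roots:
        if group and e["created"] - group[0]["created"] > window:
            if len(group) >= min_count:
                bursts.append([g["path"] for g in group])
            group = []
        group.append(e)
    if len(group) >= min_count:
        bursts.append([g["path"] for g in group])
    return bursts
```

Run `reappeared_files(SECOND_RUN)` and `root_file_bursts(FIRST_RUN)` against the samples: the first returns only the 24d213fd.sys driver, the second returns the six files created in the root of C: between 01:40 and 01:41. Both checks are heuristics for prioritising what to look at next (a hash lookup, a hidden-file check), not a verdict on their own.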
Hi
Upload c:\windows\system32\drivers\24d213fd.sys file to http://www.virustotal.com and post back the results.
Delete C:\Documents and Settings\Glenn Levesque\My Documents\Downloads\AVG_anti-Virus8.0.164pro_ABBY- folder and C:\Program Files\Trend Micro\HijackThis\backups\backup-20090228-050212-170.dll file.
Thank you for the help, I deleted the files you asked, but there was no file with that name in the system32/drivers/ folder.
Hi
Show hidden files
-----------------
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.
If you still can't see the file after doing above, please post a fresh dds.txt log and let me know how's the system running.
Due to inactivity, this thread will now be closed.
Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.