PDA

View Full Version : ntskrnl-hook removal -- HJTlog



nkrumm
2009-05-10, 04:06
Hi,

I am having a hard time removing what seems to be a combination of rootkits, including the NTSKRNL-HOOK variant on Windows XP.

(this is a friend's computer-- i dont know what kind of things happened to it before this, and I have no idea what is installed, updated, etc. Also, I come from a mac background, my last windows system ran windows 2000-- so bear with me on anything very specific to XP)

STEPS I'VE TAKEN:

- used a linux boot drive to copy ComboFix.exe to the infected computer (usb and internet were no longer working when i received the computer)
- Ran Combofix (forgot if it was first run in Windows Safe Mode, or regular. I DID run it with all virus scanning off, as far as i could tell). This greatly freed up the computer and has allowed me to continue to use it, including downloading the Trend Micro HijackThis v2.0.2 program.
- Using whatever version of Mcafee was on the computer, I re-scanned. As I had feared, the rootkit continued to show up, despite being marked "deleted".
- Later, I re-ran the same combofix, this time dragging the MS windows recovery file (the KB310994) onto combofix.exe. THIS log file is posted along with the HJT below. I am also posting a picture of the files combofix.exe found on this computer, prior to restarting (it asked me to make note of the files). I also noted an error that showed up twice during this run, something to the effect of "nircmdc is not recognized" (sorry, i didn't write that one down)

Sadly, none of this seems to have really helped, and it's extremely difficult for me to tell what the state of the computer is now. I am happy to re-run any of the programs or re-do any of the steps. I am grateful for any help!

Also, as a final note, I hope this post was clear enough and coherent enough. If I missed anything, or egregiously violated some rule of the forum, i sincerely apologize and will try to correct it asap!

Thanks
Nik

ken545
2009-05-11, 14:19
Hello nkrumm

Welcome to Safer Networking.

Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
That said, All advice given by anyone volunteering here, is taken at your own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.

You need to read the Before You Post link as it puts us on the same page and makes the cleanup go faster.

Combofix is an extremely powerful tool and is not to be taken lightly, if running it on your own you damage your system, this forum, myself and sUbs will not be responsible.



Please do not attach any logs, just copy and paste them into this thread. <-----



Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.Your system may start up slower after running ATF Cleaner, this is expected but will be back to normal after the first or second boot up
Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized password and other personal information as removing cookies will temporarily disable the auto-login facility.





Please download Malwarebytes' Anti-Malware from Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) or Here (http://www.besttechie.net/tools/mbam-setup.exe)

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.<-- Don't forget this
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and Paste the entire report in your next reply along with a New Hijackthis log.





Download GMER's application from here:
http://www.gmer.net/gmer.zip

Unzip it and start the GMER.exe
Click the Rootkit tab and click the Scan button.

Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.


1. Run ATF Cleaner
2. Run Malwarebytes and post the log and a new HJT log
2. Reboot your computer
4. Run GMER and post the log

nkrumm
2009-05-12, 10:50
Hi ken545, thanks for your quick reply-- I really appreciate it the help this forum provides!

OK. Did steps you outlined, virus scanning OFF (again, as far as i could tell-- not sure if i need to kill processes, or if it is alright to just turn off scanning from the taskbar?)

1. Run ATF Cleaner
2. Run Malwarebytes and post the log and a new HJT log
2. Reboot your computer
4. Run GMER and post the log

(5. Then i ran Mcafee On-demand scan, which indicated that it deleted several files, then after reboot no longer finds any suspicious files, a first in this process)

I'm not sure how to interpret the HJT, GMER and MWB logs--What do you think, is the machine in the clear?

Logs are pasted below:

MWB:

Malwarebytes' Anti-Malware 1.36
Database version: 2112
Windows 5.1.2600 Service Pack 2

5/11/2009 5:41:46 PM
mbam-log-2009-05-11 (17-41-46).txt

Scan type: Quick Scan
Objects scanned: 84183
Time elapsed: 2 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 2
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\bho_myjavacore.mjcore.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d88e1558-7c2d-407a-953a-c044f5607cea} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d88e1558-7c2d-407a-953a-c044f5607cea} (Trojan.BHO) -> Quarantined and deleted successfully.
KHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prnet (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dl32 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\796525 (Trojan.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ilana Roberts\Application Data\Twain (Trojan.Matcash) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\ChkDisk.dll (Worm.Autorun) -> Quarantined and deleted successfully.
C:\WINDOWS\t55ft2692f44.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jomibeyo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\9g2234wesdf3dfgjf23 (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lmn_setup.exe (Trojan.Downloader) -> Quarantined and deleted successfully.


HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:47:13 PM, on 5/11/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ComcastUI\Universal Installer\uinstaller.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\StacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtBty.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.google.com/mail/?zx=w541nhfbafok#inbox
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4070823
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Document Manager] C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
O4 - HKLM\..\Run: [SecureUpgrade] C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [KADxMain] C:\WINDOWS\system32\KADxMain.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Universal Installer] "C:\Program Files\ComcastUI\Universal Installer\uinstaller.exe" /fromrun /starthidden
O4 - HKUS\S-1-5-18\..\Run: [Diagnostic Manager] C:\WINDOWS\TEMP\1619855920.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Diagnostic Manager] C:\WINDOWS\TEMP\1619855920.exe (User 'Default user')
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: *.antimalwareguard.com
O15 - Trusted Zone: *.antimalwareguard.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\StacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: NTRU TSS v1.2.1.12 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 11349 bytes


GMER:

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-05-11 19:16:08
Windows 5.1.2600 Service Pack 2


---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[3332] ntdll.dll!NtFlushVirtualMemory 7C90D35E 5 Bytes JMP 00326DCE C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[3332] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 003272BA C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[3332] ntdll.dll!NtReadFile 7C90D9CE 5 Bytes JMP 00325BBB C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[3332] ntdll.dll!NtUnmapViewOfSection 7C90DF0E 5 Bytes JMP 0032737D C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[3332] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 0032724D C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[3332] kernel32.dll!ReadFile 7C80180E 7 Bytes JMP 00325AF1 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[3332] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 003273E3 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[3332] kernel32.dll!CreateFileMappingW 7C8093AA 5 Bytes JMP 00326C79 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[3332] kernel32.dll!CloseHandle 7C809B57 5 Bytes JMP 0032595F C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[3332] kernel32.dll!GetDriveTypeW 7C80B2E0 5 Bytes JMP 003261DA C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[3332] kernel32.dll!GetFileAttributesW 7C80B75C 5 Bytes JMP 003265B6 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[3332] kernel32.dll!DuplicateHandle 7C80DE0E 7 Bytes JMP 00326AEA C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[3332] kernel32.dll!FindFirstFileExW 7C80EA8D 5 Bytes JMP 0032633F C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[3332] kernel32.dll!FindClose 7C80EDE7 7 Bytes JMP 00326261 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[3332] kernel32.dll!FindNextFileW 7C80EF4A 7 Bytes JMP 003262BB C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[3332] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00326035 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[3332] kernel32.dll!GetFileSizeEx 7C810A19 5 Bytes JMP 003266AD C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[3332] kernel32.dll!GetFileInformationByHandle 7C810C7D 5 Bytes JMP 00326A54 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[3332] kernel32.dll!WriteFile 7C810D97 7 Bytes JMP 003259B9 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[3332] kernel32.dll!GetFileAttributesExW 7C811105 5 Bytes JMP 003264E4 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[3332] kernel32.dll!GetLongPathNameW 7C813363 5 Bytes JMP 00326EA5 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[3332] kernel32.dll!GetShortPathNameW 7C81F27E 5 Bytes JMP 00326F53 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[3332] kernel32.dll!MoveFileWithProgressW 7C81F73E 5 Bytes JMP 00326725 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[3332] kernel32.dll!SetFilePointerEx 7C821067 5 Bytes JMP 00327202 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[3332] kernel32.dll!CopyFileExW 7C827B42 7 Bytes JMP 00325C61 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[3332] kernel32.dll!ReadFileEx 7C82BD0B 5 Bytes JMP 00325BDA C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[3332] kernel32.dll!WriteFileGather 7C82DDB5 7 Bytes JMP 0032718A C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[3332] kernel32.dll!ReadFileScatter 7C82DE61 7 Bytes JMP 00326BE5 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[3332] kernel32.dll!SetFileAttributesW 7C8314F5 5 Bytes JMP 0032644C C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[3332] kernel32.dll!GetOverlappedResult 7C8315E4 5 Bytes JMP 003269D0 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[3332] kernel32.dll!DeleteFileW 7C831F7B 5 Bytes JMP 00326135 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[3332] kernel32.dll!SetEndOfFile 7C83208E 5 Bytes JMP 00327001 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[3332] kernel32.dll!FlushViewOfFile 7C8359B9 5 Bytes JMP 00326D63 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[3332] kernel32.dll!RemoveDirectoryW 7C836FA3 5 Bytes JMP 00325E5A C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[3332] kernel32.dll!BackupRead 7C856F6F 5 Bytes JMP 00326E31 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[3332] kernel32.dll!CreateDirectoryExW 7C85A782 5 Bytes JMP 00325F4C C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[3332] kernel32.dll!WriteFileEx 7C85C891 5 Bytes JMP 00325A83 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[3332] kernel32.dll!GetCompressedFileSizeW 7C85D501 5 Bytes JMP 00327108 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[3332] kernel32.dll!CreateHardLinkW 7C86B65C 7 Bytes JMP 00327236 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[3332] USER32.dll!ExitWindowsEx 7E45A045 5 Bytes JMP 003271E7 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\internet explorer\iexplore.exe[4784] USER32.dll!DialogBoxParamW 7E42555F 5 Bytes JMP 408BF341 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[4784] USER32.dll!DialogBoxIndirectParamW 7E432032 5 Bytes JMP 40A51777 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[4784] USER32.dll!MessageBoxIndirectA 7E43A04A 5 Bytes JMP 40A516F8 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[4784] USER32.dll!DialogBoxParamA 7E43B10C 5 Bytes JMP 40A5173C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[4784] USER32.dll!MessageBoxExW 7E4505D8 5 Bytes JMP 40A51684 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[4784] USER32.dll!MessageBoxExA 7E4505FC 5 Bytes JMP 40A516BE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[4784] USER32.dll!DialogBoxIndirectParamA 7E456B50 5 Bytes JMP 40A517B2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[4784] USER32.dll!MessageBoxIndirectW 7E4662AB 5 Bytes JMP 408E16B6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \FileSystem\Fastfat \Fat B355AC8A
Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Roxio)

---- Registry - GMER 1.0.15 ----

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{67778503-1EEF-9651-8527-6B6B52F388BF}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{67778503-1EEF-9651-8527-6B6B52F388BF}@galeeeaoncahok 0x63 0x61 0x6D 0x69 ...

---- EOF - GMER 1.0.15 ----


Thanks again,
Nik

ken545
2009-05-12, 11:28
Hello Nik,

No rootkit :bigthumb:

Download: DelDomains (http://mvps.org/winhelp2002/DelDomains.inf) and save it to the desktop.

Close all open windows and your browser
Right Click DelDomains.inf and select > Install
Reboot your computer
Internet Explorer is needed to run this program properly.



Post a new HJT log, no need to quote it, let me know also how your computer is running now?

ken545
2009-05-17, 14:30
If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a new HijackThis log with a link to your previous thread. Please do not add any logs that might have been requested in the closed topic, you would be starting fresh.