
Thread: Problems With Virus

  1. #1 Junior Member (Join Date: Jun 2009, Posts: 17)

    Problems With Virus

    Hi,
    I currently have a computer that is infected by spyware or a virus (I am not sure). I can't run any of my security tools like Spybot, Malwarebytes Anti-Malware, Registry Clean Expert, etc. I was able to install Malwarebytes, Spybot, Spyware Terminator and Symantec Endpoint Protection, but it's not letting me use the programs themselves, except for Spyware Terminator.
    I've also tried to boot in safe mode, but I get the same results. So I am assuming the virus has disabled all antivirus/spyware software. Another thing that I just noticed while typing is that when I type while holding Shift (symbols, quotes or dashes, etc.), it inserts something totally different from the original symbol.


    Here's a HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:23:25 AM, on 6/17/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16850)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\system32\brsvc01a.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\brss01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Spyware Terminator\sp_rsser.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
    C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
    C:\Program Files\RFA\rfagent.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Internet Explorer\Iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\NOTEPAD.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://resultsmaster.com/SmartOffers...meLeftPane.htm
    R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
    R3 - URLSearchHook: (no name) - {98572e47-b5fe-43de-9aea-492a1d3064cd} - (no file)
    R3 - URLSearchHook: SweetIM ToolbarURLSearchHook Class - {EEE6C35D-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgHelper.dll
    O1 - Hosts: 66.199.231.174 google.com
    O1 - Hosts: 66.199.231.174 google.co.uk
    O1 - Hosts: 66.199.231.174 google.ca
    O1 - Hosts: 66.199.231.174 google.es
    O1 - Hosts: 66.199.231.174 google.de
    O1 - Hosts: 66.199.231.174 google.fr
    O1 - Hosts: 66.199.231.174 google.com.au
    O1 - Hosts: 207.68.172.246 msn.com
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: SWEETIE - {EEE6C35C-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
    O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
    O3 - Toolbar: SweetIM Toolbar for Internet Explorer - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
    O4 - HKLM\..\Run: [WUSB54Gv4] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [rfagent] "C:\Program Files\RFA\rfagent.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - S-1-5-18 Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe (User 'SYSTEM')
    O4 - .DEFAULT Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe (User 'Default user')
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O8 - Extra context menu item: &AOL Email Toolbar Search - C:\Documents and Settings\All Users\Application Data\AOL Email Toolbar\ieToolbar\resources\en-US\local\search.html
    O8 - Extra context menu item: &AOL Toolbar Search - C:\Documents and Settings\All Users\Application Data\AOL\ieToolbar\resources\en-US\local\search.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/s...OS/tgctlcm.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://lupita1garcia.spaces.live.com...d/MsnPUpld.cab
    O16 - DPF: {528C14CD-CF9E-489C-A365-5999F17B69B9} (LightSurfUploadCtl Class) - http://pictures.sprintpcs.com/active...oadControl.cab
    O16 - DPF: {588031A3-94BF-4CDD-86D0-939F6F93910F} (FixItClient Class) - https://fixit.support.microsoft.com/...ixItClient.CAB
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1156544601250
    O16 - DPF: {A30FBBDC-FA29-4606-8565-14AADCCA6708} (Rite Aid One Hour Photo Online Control) - https://photos.riteaid.com/control/R...hotoOnline.cab
    O16 - DPF: {BE71A78B-77DB-451C-A761-59B37022D544} - http://o.aolcdn.com/pictures/ap/Reso...s.10.6.0.6.cab
    O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Radialpoint Unicorn Update Service (RPSUpdaterR) - Unknown owner - C:\Program Files\Verizon\PC Security Checkup\rpsupdaterR.exe (file missing)
    O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
    O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
    O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
    O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
    O23 - Service: WUSB54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

    --
    End of file - 9410 bytes
    Last edited by tashi; 2009-06-18 at 17:42. Reason: Removed code around log

  2. #2 Security Expert: Emeritus (Join Date: Oct 2006, Location: Finland, Posts: 29,374)

    Hi Fames

    Download gmer.zip and save to your desktop.
    alternate download site
    • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
    • When you have done this, disconnect from the Internet and close all running programs.
      There is a small chance this application may crash your computer so save any work you have open.
    • Double-click on Gmer.exe to start the program.
    • Allow the gmer.sys driver to load if asked.
    • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
    • Click on the Rootkit tab.
    • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
    • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
    • Click on "Scan" and wait for the scan to finish.
      Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
    • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
    • Note: If you have any problems, try running GMER in SAFE MODE.

    Important! Please do not select the "Show all" checkbox during the scan.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  3. #3 Junior Member (Join Date: Jun 2009, Posts: 17)

    Thanks Shaba for the help. I had to boot in safe mode and rename the .exe for GMER to work. Also, I've uploaded a new HJT report.

  4. #4 Junior Member (Join Date: Jun 2009, Posts: 17)

    I ran a Symantec Endpoint Protection virus scan and it found Packed.Generic.200. I couldn't delete or quarantine it; it won't let me. I've uploaded the log.
    Another symptom of this malware thing that I've noticed is that when I'm browsing in Firefox it redirects me to different sites, etc.

  5. #5 Security Expert: Emeritus (Join Date: Oct 2006, Location: Finland, Posts: 29,374)

    Please copy/paste those logs to your next reply.

  6. #6 Junior Member (Join Date: Jun 2009, Posts: 17)

    Gmer Log
    Code:
    GMER 1.0.15.14972 - http://www.gmer.net
    Rootkit scan 2009-06-18 08:03:52
    Windows 5.1.2600 Service Pack 2
    
    
    ---- System - GMER 1.0.15 ----
    
    Code     849F45B8                                                                                                                              ZwEnumerateKey
    Code     849F4580                                                                                                                              ZwFlushInstructionCache
    Code     84A52786                                                                                                                              IofCallDriver
    Code     84A5408E                                                                                                                              IofCompleteRequest
    
    ---- Kernel code sections - GMER 1.0.15 ----
    
    .text    ntoskrnl.exe!IofCallDriver                                                                                                            804E13A7 5 Bytes  JMP 84A5278B 
    .text    ntoskrnl.exe!IofCompleteRequest                                                                                                       804E17BD 5 Bytes  JMP 84A54093 
    
    ---- User code sections - GMER 1.0.15 ----
    
    .text    C:\WINDOWS\system32\winlogon.exe[200] ntdll.dll!LdrLoadDll                                                                            7C915CBB 5 Bytes  JMP 0064000A 
    .text    C:\WINDOWS\system32\winlogon.exe[200] ntdll.dll!LdrUnloadDll                                                                          7C916C83 5 Bytes  JMP 0065000A 
    .text    C:\WINDOWS\system32\services.exe[248] ntdll.dll!LdrLoadDll                                                                            7C915CBB 5 Bytes  JMP 006F000A 
    .text    C:\WINDOWS\system32\services.exe[248] ntdll.dll!LdrUnloadDll                                                                          7C916C83 5 Bytes  JMP 0071000A 
    .text    C:\WINDOWS\system32\lsass.exe[260] ntdll.dll!LdrLoadDll                                                                               7C915CBB 5 Bytes  JMP 006F000A 
    .text    C:\WINDOWS\system32\lsass.exe[260] ntdll.dll!LdrUnloadDll                                                                             7C916C83 5 Bytes  JMP 0072000A 
    .text    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe[580] ntdll.dll!LdrLoadDll                                                  7C915CBB 5 Bytes  JMP 0061000A 
    .text    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe[580] ntdll.dll!LdrUnloadDll                                                7C916C83 5 Bytes  JMP 0062000A 
    .text    C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe[684] ntdll.dll!LdrLoadDll                                          7C915CBB 5 Bytes  JMP 00A1000A 
    .text    C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe[684] ntdll.dll!LdrUnloadDll                                        7C916C83 5 Bytes  JMP 00A2000A 
    .text    C:\Program Files\Internet Explorer\Iexplore.exe[1148] ntdll.dll!LdrLoadDll                                                            7C915CBB 5 Bytes  JMP 00A0000A 
    .text    C:\Program Files\Internet Explorer\Iexplore.exe[1148] ntdll.dll!LdrUnloadDll                                                          7C916C83 5 Bytes  JMP 00A1000A 
    .text    C:\Program Files\Internet Explorer\Iexplore.exe[1148] USER32.dll!DialogBoxParamW                                                      7E42555F 5 Bytes  JMP 408BF341 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text    C:\Program Files\Internet Explorer\Iexplore.exe[1148] USER32.dll!DialogBoxIndirectParamW                                              7E432032 5 Bytes  JMP 40A5178F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text    C:\Program Files\Internet Explorer\Iexplore.exe[1148] USER32.dll!MessageBoxIndirectA                                                  7E43A04A 5 Bytes  JMP 40A51710 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text    C:\Program Files\Internet Explorer\Iexplore.exe[1148] USER32.dll!DialogBoxParamA                                                      7E43B10C 5 Bytes  JMP 40A51754 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text    C:\Program Files\Internet Explorer\Iexplore.exe[1148] USER32.dll!MessageBoxExW                                                        7E4505D8 5 Bytes  JMP 40A5169C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text    C:\Program Files\Internet Explorer\Iexplore.exe[1148] USER32.dll!MessageBoxExA                                                        7E4505FC 5 Bytes  JMP 40A516D6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text    C:\Program Files\Internet Explorer\Iexplore.exe[1148] USER32.dll!DialogBoxIndirectParamA                                              7E456B50 5 Bytes  JMP 40A517CA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text    C:\Program Files\Internet Explorer\Iexplore.exe[1148] USER32.dll!MessageBoxIndirectW                                                  7E4662AB 5 Bytes  JMP 408E16B6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text    C:\Program Files\Internet Explorer\Iexplore.exe[1148] WININET.dll!HttpAddRequestHeadersA                                              7805FB4D 5 Bytes  JMP 00DE000A 
    .text    C:\Program Files\Internet Explorer\Iexplore.exe[1148] WININET.dll!HttpAddRequestHeadersW                                              780CD14D 5 Bytes  JMP 00EC000A 
    .text    C:\Program Files\Internet Explorer\Iexplore.exe[1148] WS2_32.dll!getaddrinfo                                                          71AB2A6F 5 Bytes  JMP 00F8F9F0 \\?\globalroot\systemroot\system32\UACehjfenoeouudtkh.dll
    .text    C:\Program Files\Internet Explorer\Iexplore.exe[1148] WS2_32.dll!connect                                                              71AB406A 5 Bytes  JMP 00F908A0 \\?\globalroot\systemroot\system32\UACehjfenoeouudtkh.dll
    .text    C:\Program Files\Internet Explorer\Iexplore.exe[1148] WS2_32.dll!send                                                                 71AB428A 5 Bytes  JMP 00F90780 \\?\globalroot\systemroot\system32\UACehjfenoeouudtkh.dll
    .text    C:\Program Files\Internet Explorer\Iexplore.exe[1148] WS2_32.dll!gethostbyname                                                        71AB4FD4 5 Bytes  JMP 00F8FDA0 \\?\globalroot\systemroot\system32\UACehjfenoeouudtkh.dll
    .text    C:\Program Files\Internet Explorer\Iexplore.exe[1148] WS2_32.dll!recv                                                                 71AB615A 5 Bytes  JMP 00F8FFD0 \\?\globalroot\systemroot\system32\UACehjfenoeouudtkh.dll
    .text    C:\Program Files\Internet Explorer\Iexplore.exe[1148] WS2_32.dll!closesocket                                                          71AB9639 5 Bytes  JMP 00F90A60 \\?\globalroot\systemroot\system32\UACehjfenoeouudtkh.dll
    .text    C:\Documents and Settings\Owner\Desktop\gmer\adkasd.exe[1272] ntdll.dll!LdrLoadDll                                                    7C915CBB 5 Bytes  JMP 009E000A 
    .text    C:\Documents and Settings\Owner\Desktop\gmer\adkasd.exe[1272] ntdll.dll!LdrUnloadDll                                                  7C916C83 5 Bytes  JMP 009F000A 
    .text    C:\WINDOWS\Explorer.EXE[1340] ntdll.dll!LdrLoadDll                                                                                    7C915CBB 5 Bytes  JMP 00C0000A 
    .text    C:\WINDOWS\Explorer.EXE[1340] ntdll.dll!LdrUnloadDll                                                                                  7C916C83 5 Bytes  JMP 00C1000A 
    .text    C:\WINDOWS\system32\ctfmon.exe[1416] ntdll.dll!LdrLoadDll                                                                             7C915CBB 5 Bytes  JMP 0098000A 
    .text    C:\WINDOWS\system32\ctfmon.exe[1416] ntdll.dll!LdrUnloadDll                                                                           7C916C83 5 Bytes  JMP 0099000A 
    ---- Processes - GMER 1.0.15 ----
    
    Library  \\?\globalroot\systemroot\system32\UACeoerrhuqspfsitu.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [500]                   0x00A00000                                                                                                
    Library  \\?\globalroot\systemroot\system32\UACehjfenoeouudtkh.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [500]                   0x00AB0000                                                                                                
    Library  \\?\globalroot\systemroot\system32\UACeoerrhuqspfsitu.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [664]                   0x00A00000                                                                                                
    Library  \\?\globalroot\systemroot\system32\UACehjfenoeouudtkh.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [664]                   0x00AB0000                                                                                                
    Library  \\?\globalroot\systemroot\system32\UACehjfenoeouudtkh.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\Iexplore.exe [1148]  0x00F80000                                                                                                
    Library  \\?\globalroot\systemroot\system32\UACeoerrhuqspfsitu.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1340]                          0x00D00000                                                                                                
    
    ---- Services - GMER 1.0.15 ----
    
    Service  C:\WINDOWS\system32\drivers\SKYNETrnfvcxxl.sys (*** hidden *** )                                                                      [SYSTEM] SKYNEToixjinix                                                                                    <-- ROOTKIT !!!
    Service  C:\WINDOWS\system32\drivers\UACvxdpmylyxmynsms.sys (*** hidden *** )                                                                  [SYSTEM] UACd.sys                                                                                          <-- ROOTKIT !!!
    
    ---- Registry - GMER 1.0.15 ----
    
    Reg      HKLM\SYSTEM\CurrentControlSet\Services\SKYNEToixjinix@start                                                                           1
    Reg      HKLM\SYSTEM\CurrentControlSet\Services\SKYNEToixjinix@type                                                                            1
    Reg      HKLM\SYSTEM\CurrentControlSet\Services\SKYNEToixjinix@group                                                                           file system
    Reg      HKLM\SYSTEM\CurrentControlSet\Services\SKYNEToixjinix@imagepath                                                                       \systemroot\system32\drivers\SKYNETrnfvcxxl.sys
    Reg      HKLM\SYSTEM\CurrentControlSet\Services\SKYNEToixjinix\main                                                                            
    Reg      HKLM\SYSTEM\CurrentControlSet\Services\SKYNEToixjinix\main\injector                                                                   
    Reg      HKLM\SYSTEM\CurrentControlSet\Services\SKYNEToixjinix\modules                                                                         
    Reg      HKLM\SYSTEM\CurrentControlSet\Services\SKYNEToixjinix\modules@SKYNETrk.sys                                                            \systemroot\system32\drivers\SKYNETrnfvcxxl.sys
    Reg      HKLM\SYSTEM\CurrentControlSet\Services\SKYNEToixjinix\modules@SKYNETcmd.dll                                                           \systemroot\system32\SKYNETnusjdriy.dll
    Reg      HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys                                                                                       
    Reg      HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@start                                                                                 1
    Reg      HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@type                                                                                  1
    Reg      HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@imagepath                                                                             \systemroot\system32\drivers\UACvxdpmylyxmynsms.sys
    Reg      HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@group                                                                                 file system
    Reg      HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules                                                                               
    Reg      HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACd                                                                          \\?\globalroot\systemroot\system32\drivers\UACvxdpmylyxmynsms.sys
    Reg      HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACc                                                                          \\?\globalroot\systemroot\system32\UACobqoikqxwnkoobr.dll
    Reg      HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacsr                                                                         \\?\globalroot\systemroot\system32\UACkrgikjlhlpqtkba.dat
    Reg      HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uaclog                                                                        \\?\globalroot\systemroot\system32\UACqcqmltensqimoyp.dll
    Reg      HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacmask                                                                       \\?\globalroot\systemroot\system32\UACjduiwsippaqwkjx.dll
    Reg      HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacserf                                                                       \\?\globalroot\systemroot\system32\UACdthjvrndakqgxvv.dll
    Reg      HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacmal                                                                        \\?\globalroot\systemroot\system32\UACvdsiqlhghkfkyxq.db
    Reg      HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacrem                                                                        \\?\globalroot\systemroot\system32\UACeoerrhuqspfsitu.dll
    Reg      HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacbbr                                                                        \\?\globalroot\systemroot\system32\UACehjfenoeouudtkh.dll
    Reg      HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACproc                                                                       \\?\globalroot\systemroot\system32\UACslkllaltgfbekwf.log
    Reg      HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacurls                                                                       \\?\globalroot\systemroot\system32\UACgvpbifpfcidjtkq.log
    Reg      HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacerrors                                                                     \\?\globalroot\systemroot\system32\UAClxutahdmdrltrdy.log
    Reg      HKLM\SYSTEM\ControlSet003\Services\SKYNEToixjinix@start                                                                               1
    Reg      HKLM\SYSTEM\ControlSet003\Services\SKYNEToixjinix@type                                                                                1
    Reg      HKLM\SYSTEM\ControlSet003\Services\SKYNEToixjinix@group                                                                               file system
    Reg      HKLM\SYSTEM\ControlSet003\Services\SKYNEToixjinix@imagepath                                                                           \systemroot\system32\drivers\SKYNETrnfvcxxl.sys
    Reg      HKLM\SYSTEM\ControlSet003\Services\SKYNEToixjinix\main                                                                                
    Reg      HKLM\SYSTEM\ControlSet003\Services\SKYNEToixjinix\main\injector                                                                       
    Reg      HKLM\SYSTEM\ControlSet003\Services\SKYNEToixjinix\modules                                                                             
    Reg      HKLM\SYSTEM\ControlSet003\Services\SKYNEToixjinix\modules@SKYNETrk.sys                                                                \systemroot\system32\drivers\SKYNETrnfvcxxl.sys
    Reg      HKLM\SYSTEM\ControlSet003\Services\SKYNEToixjinix\modules@SKYNETcmd.dll                                                               \systemroot\system32\SKYNETnusjdriy.dll
    Reg      HKLM\SYSTEM\ControlSet003\Services\UACd.sys                                                                                           
    Reg      HKLM\SYSTEM\ControlSet003\Services\UACd.sys@start                                                                                     1
    Reg      HKLM\SYSTEM\ControlSet003\Services\UACd.sys@type                                                                                      1
    Reg      HKLM\SYSTEM\ControlSet003\Services\UACd.sys@imagepath                                                                                 \systemroot\system32\drivers\UACvxdpmylyxmynsms.sys
    Reg      HKLM\SYSTEM\ControlSet003\Services\UACd.sys@group                                                                                     file system
    Reg      HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules                                                                                   
    Reg      HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@UACd                                                                              \\?\globalroot\systemroot\system32\drivers\UACvxdpmylyxmynsms.sys
    Reg      HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@UACc                                                                              \\?\globalroot\systemroot\system32\UACobqoikqxwnkoobr.dll
    Reg      HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacsr                                                                             \\?\globalroot\systemroot\system32\UACkrgikjlhlpqtkba.dat
    Reg      HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uaclog                                                                            \\?\globalroot\systemroot\system32\UACqcqmltensqimoyp.dll
    Reg      HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacmask                                                                           \\?\globalroot\systemroot\system32\UACjduiwsippaqwkjx.dll
    Reg      HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacserf                                                                           \\?\globalroot\systemroot\system32\UACdthjvrndakqgxvv.dll
    Reg      HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacmal                                                                            \\?\globalroot\systemroot\system32\UACvdsiqlhghkfkyxq.db
    Reg      HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacrem                                                                            \\?\globalroot\systemroot\system32\UACeoerrhuqspfsitu.dll
    Reg      HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacbbr                                                                            \\?\globalroot\systemroot\system32\UACehjfenoeouudtkh.dll
    Reg      HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@UACproc                                                                           \\?\globalroot\systemroot\system32\UACslkllaltgfbekwf.log
    Reg      HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacurls                                                                           \\?\globalroot\systemroot\system32\UACgvpbifpfcidjtkq.log
    Reg      HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacerrors                                                                         \\?\globalroot\systemroot\system32\UAClxutahdmdrltrdy.log
    Reg      HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs                                                                
    Reg      HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout                                                    15
    Reg      HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota                                                       10000
    Reg      HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler                                                                     yes
    Reg      HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk                                                                    
    Reg      HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout                                                    90
    Reg      HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota                                                      10000
    Reg      HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs                                                            1
    
    ---- Files - GMER 1.0.15 ----
    
    File     C:\WINDOWS\system32\drivers\UACvxdpmylyxmynsms.sys                                                                                    53760 bytes executable                                                                                     <-- ROOTKIT !!!
    File     C:\WINDOWS\system32\UACdthjvrndakqgxvv.dll                                                                                            19456 bytes executable
    File     C:\WINDOWS\system32\UACehjfenoeouudtkh.dll                                                                                            66560 bytes
    File     C:\WINDOWS\system32\UACeoerrhuqspfsitu.dll                                                                                            30208 bytes executable
    File     C:\WINDOWS\system32\uacinit.dll                                                                                                       6270 bytes
    File     C:\WINDOWS\system32\UACjduiwsippaqwkjx.dll                                                                                            17408 bytes executable
    File     C:\WINDOWS\system32\UACkrgikjlhlpqtkba.dat                                                                                            224 bytes
    File     C:\WINDOWS\system32\UACobqoikqxwnkoobr.dll                                                                                            25600 bytes executable
    File     C:\WINDOWS\system32\UACqcqmltensqimoyp.dll                                                                                            19968 bytes executable
    File     C:\WINDOWS\system32\UACslkllaltgfbekwf.log                                                                                            69362 bytes
    File     C:\WINDOWS\system32\uactmp.db                                                                                                         3976714 bytes
    File     C:\WINDOWS\system32\UACvdsiqlhghkfkyxq.db                                                                                             1110399 bytes
    
    ---- EOF - GMER 1.0.15 ----

  7. #7
    Junior Member
    Join Date
    Jun 2009
    Posts
    17

    Default

    hijackthis02 Log
    Code:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:29:03 AM, on 6/18/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16850)
    Boot mode: Normal
    
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\system32\brsvc01a.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\brss01a.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
    C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Internet Explorer\Iexplore.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
    C:\Program Files\Digital Media Reader\shwiconem.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\RFA\rfagent.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\WINDOWS\zHotkey.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\Program Files\Common Files\AOL\1154027607\ee\aolsoftware.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [WUSB54Gv4] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
    O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
    O4 - HKLM\..\Run: [rfagent] "C:\Program Files\RFA\rfagent.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommon/download/FIOS/tgctlcm.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://lupita1garcia.spaces.live.com//PhotoUpload/MsnPUpld.cab
    O16 - DPF: {528C14CD-CF9E-489C-A365-5999F17B69B9} (LightSurfUploadCtl Class) - http://pictures.sprintpcs.com/activex/LightSurfUploadControl.cab
    O16 - DPF: {588031A3-94BF-4CDD-86D0-939F6F93910F} (FixItClient Class) - https://fixit.support.microsoft.com/ActiveX/FixItClient.CAB
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1156544601250
    O16 - DPF: {A30FBBDC-FA29-4606-8565-14AADCCA6708} (Rite Aid One Hour Photo Online Control) - https://photos.riteaid.com/control/RiteAidOneHourPhotoOnline.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\2.TEMPO\SASWINLO.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
    O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
    O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
    O23 - Service: WUSB54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
    
    --
    End of file - 7650 bytes

  8. #8
    Junior Member
    Join Date
    Jun 2009
    Posts
    17

    Default

    Symantec Endpoint Protection Log

    Code:
    Packed.Generic.200
    Date and Time,Risk,Action,Filename,Risk Type,Original Location,Computer,User,Status,Current Location,Primary Action,Secondary Action,Logged By,Action Description
    6/17/2009 5:48:03 PM,Packed.Generic.200,Log only,uaceoerrhuqspfsitu.dll,Heuristics,globalroot\systemroot\system32\,EMILY,Owner,Log only,globalroot\systemroot\system32\,Clean security risk,Quarantine,Manual scan,The file was left unchanged.

  9. #9
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    We will continue with ComboFix. Please visit this webpage for download links and instructions for running the tool:

    http://www.bleepingcomputer.com/comb...o-use-combofix

    Please ensure you read this guide carefully and install the Recovery Console first.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

    Once installed, you should see a blue screen prompt that says:

    The Recovery Console was successfully installed.

    Please continue as follows:

    1. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix (link).
      Remember to re-enable them afterwards.

    2. Click Yes to allow ComboFix to continue scanning for malware.


    When the tool is finished, it will produce a report for you.

    Please include the following reports for further review, and so we may continue cleansing the system:

    C:\ComboFix.txt
    New HijackThis log.


    A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  10. #10
    Junior Member
    Join Date
    Jun 2009
    Posts
    17

    Default

    NEW HJT LOG
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:23:35 AM, on 6/18/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16850)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\brss01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
    C:\WINDOWS\zHotkey.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
    C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\AOL\1154027607\ee\aolsoftware.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [WUSB54Gv4] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
    O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/s...OS/tgctlcm.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://lupita1garcia.spaces.live.com...d/MsnPUpld.cab
    O16 - DPF: {528C14CD-CF9E-489C-A365-5999F17B69B9} (LightSurfUploadCtl Class) - http://pictures.sprintpcs.com/active...oadControl.cab
    O16 - DPF: {588031A3-94BF-4CDD-86D0-939F6F93910F} (FixItClient Class) - https://fixit.support.microsoft.com/...ixItClient.CAB
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1156544601250
    O16 - DPF: {A30FBBDC-FA29-4606-8565-14AADCCA6708} (Rite Aid One Hour Photo Online Control) - https://photos.riteaid.com/control/R...hotoOnline.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\2.TEMPO\SASWINLO.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
    O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
    O23 - Service: WUSB54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

    --
    End of file - 6503 bytes
    Last edited by tashi; 2009-06-18 at 19:52. Reason: Removed code around log, as per forum FAQ ;-)
