Page 3 of 4

Thread: Explorer & Google redirects

  1. #21
    Member
    Join Date
    Jan 2010
    Posts
    51

    Results of GMER Part 2

    Bytes JMP 00A30040
    .text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A300BA
    .text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A30F72
    .text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A300DF
    .text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A30F46
    .text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A30F2B
    .text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A30FC3
    .text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A30FEF
    .text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A3009D
    .text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A30FD4
    .text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A3002F
    .text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A30F61
    .text C:\WINDOWS\system32\svchost.exe[1176] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00A20FB9
    .text C:\WINDOWS\system32\svchost.exe[1176] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00A20F8D
    .text C:\WINDOWS\system32\svchost.exe[1176] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00A20FD4
    .text C:\WINDOWS\system32\svchost.exe[1176] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00A20FEF
    .text C:\WINDOWS\system32\svchost.exe[1176] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00A2004A
    .text C:\WINDOWS\system32\svchost.exe[1176] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00A20000
    .text C:\WINDOWS\system32\svchost.exe[1176] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00A20025
    .text C:\WINDOWS\system32\svchost.exe[1176] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00A20F9E
    .text C:\WINDOWS\system32\svchost.exe[1176] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A10064
    .text C:\WINDOWS\system32\svchost.exe[1176] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A10053
    .text C:\WINDOWS\system32\svchost.exe[1176] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A1001D
    .text C:\WINDOWS\system32\svchost.exe[1176] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A10000
    .text C:\WINDOWS\system32\svchost.exe[1176] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A10038
    .text C:\WINDOWS\system32\svchost.exe[1176] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A10FE3
    .text C:\WINDOWS\system32\svchost.exe[1176] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A00000
    .text C:\WINDOWS\System32\svchost.exe[1316] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01FF0000
    .text C:\WINDOWS\System32\svchost.exe[1316] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01FF0087
    .text C:\WINDOWS\System32\svchost.exe[1316] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01FF0F92
    .text C:\WINDOWS\System32\svchost.exe[1316] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01FF0FA3
    .text C:\WINDOWS\System32\svchost.exe[1316] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01FF0062
    .text C:\WINDOWS\System32\svchost.exe[1316] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01FF0FC0
    .text C:\WINDOWS\System32\svchost.exe[1316] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01FF00AE
    .text C:\WINDOWS\System32\svchost.exe[1316] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01FF0F66
    .text C:\WINDOWS\System32\svchost.exe[1316] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01FF00F5
    .text C:\WINDOWS\System32\svchost.exe[1316] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01FF00E4
    .text C:\WINDOWS\System32\svchost.exe[1316] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01FF0F41
    .text C:\WINDOWS\System32\svchost.exe[1316] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01FF0047
    .text C:\WINDOWS\System32\svchost.exe[1316] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01FF001B
    .text C:\WINDOWS\System32\svchost.exe[1316] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01FF0F77
    .text C:\WINDOWS\System32\svchost.exe[1316] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01FF002C
    .text C:\WINDOWS\System32\svchost.exe[1316] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01FF0FDB
    .text C:\WINDOWS\System32\svchost.exe[1316] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01FF00C9
    .text C:\WINDOWS\System32\svchost.exe[1316] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01FE0040
    .text C:\WINDOWS\System32\svchost.exe[1316] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01FE0091
    .text C:\WINDOWS\System32\svchost.exe[1316] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01FE0FEF
    .text C:\WINDOWS\System32\svchost.exe[1316] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01FE0025
    .text C:\WINDOWS\System32\svchost.exe[1316] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01FE0076
    .text C:\WINDOWS\System32\svchost.exe[1316] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01FE0000
    .text C:\WINDOWS\System32\svchost.exe[1316] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 01FE0065
    .text C:\WINDOWS\System32\svchost.exe[1316] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01FE0FD4
    .text C:\WINDOWS\System32\svchost.exe[1316] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01FD0F92
    .text C:\WINDOWS\System32\svchost.exe[1316] msvcrt.dll!system 77C293C7 5 Bytes JMP 01FD0FAD
    .text C:\WINDOWS\System32\svchost.exe[1316] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01FD0FD9
    .text C:\WINDOWS\System32\svchost.exe[1316] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01FD0000
    .text C:\WINDOWS\System32\svchost.exe[1316] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01FD0FBE
    .text C:\WINDOWS\System32\svchost.exe[1316] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01FD0011
    .text C:\WINDOWS\System32\svchost.exe[1316] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01FC0FE5
    .text C:\WINDOWS\System32\svchost.exe[1316] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00EC0FEF
    .text C:\WINDOWS\System32\svchost.exe[1316] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00EC0000
    .text C:\WINDOWS\System32\svchost.exe[1316] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00EC0FCA
    .text C:\WINDOWS\System32\svchost.exe[1316] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00EC0FAF
    .text C:\WINDOWS\System32\svchost.exe[1400] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0094000A
    .text C:\WINDOWS\System32\svchost.exe[1400] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00940087
    .text C:\WINDOWS\System32\svchost.exe[1400] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0094006C
    .text C:\WINDOWS\System32\svchost.exe[1400] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0094005B
    .text C:\WINDOWS\System32\svchost.exe[1400] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00940FA8
    .text C:\WINDOWS\System32\svchost.exe[1400] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00940FCA
    .text C:\WINDOWS\System32\svchost.exe[1400] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 009400BF
    .text C:\WINDOWS\System32\svchost.exe[1400] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 009400AE
    .text C:\WINDOWS\System32\svchost.exe[1400] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00940F55
    .text C:\WINDOWS\System32\svchost.exe[1400] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00940F66
    .text C:\WINDOWS\System32\svchost.exe[1400] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00940F3A
    .text C:\WINDOWS\System32\svchost.exe[1400] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00940FB9
    .text C:\WINDOWS\System32\svchost.exe[1400] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00940025
    .text C:\WINDOWS\System32\svchost.exe[1400] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00940F77
    .text C:\WINDOWS\System32\svchost.exe[1400] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00940FEF
    .text C:\WINDOWS\System32\svchost.exe[1400] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00940040
    .text C:\WINDOWS\System32\svchost.exe[1400] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 009400E4
    .text C:\WINDOWS\System32\svchost.exe[1400] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0093001E
    .text C:\WINDOWS\System32\svchost.exe[1400] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0093005B
    .text C:\WINDOWS\System32\svchost.exe[1400] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00930FC3
    .text C:\WINDOWS\System32\svchost.exe[1400] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00930FDE
    .text C:\WINDOWS\System32\svchost.exe[1400] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00930FA8
    .text C:\WINDOWS\System32\svchost.exe[1400] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00930FEF
    .text C:\WINDOWS\System32\svchost.exe[1400] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0093004A
    .text C:\WINDOWS\System32\svchost.exe[1400] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0093002F
    .text C:\WINDOWS\System32\svchost.exe[1400] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0092003D
    .text C:\WINDOWS\System32\svchost.exe[1400] msvcrt.dll!system 77C293C7 5 Bytes JMP 00920FA8
    .text C:\WINDOWS\System32\svchost.exe[1400] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00920011
    .text C:\WINDOWS\System32\svchost.exe[1400] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00920FE3
    .text C:\WINDOWS\System32\svchost.exe[1400] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00920022
    .text C:\WINDOWS\System32\svchost.exe[1400] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00920000
    .text C:\WINDOWS\System32\svchost.exe[1400] WS2_32.dll!socket 71AB4211 5 Bytes JMP 0091000A
    .text C:\WINDOWS\system32\svchost.exe[1572] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 009C0FEF
    .text C:\WINDOWS\system32\svchost.exe[1572] kernel32.dll!VirtualProtectEx 7C801A61 1 Byte [E9]
    .text C:\WINDOWS\system32\svchost.exe[1572] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 009C0065
    .text C:\WINDOWS\system32\svchost.exe[1572] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 009C0054
    .text C:\WINDOWS\system32\svchost.exe[1572] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 009C0F7C
    .text C:\WINDOWS\system32\svchost.exe[1572] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 009C0F8D
    .text C:\WINDOWS\system32\svchost.exe[1572] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 009C0FC3
    .text C:\WINDOWS\system32\svchost.exe[1572] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 009C0F30
    .text C:\WINDOWS\system32\svchost.exe[1572] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 009C0076
    .text C:\WINDOWS\system32\svchost.exe[1572] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 009C00BF
    .text C:\WINDOWS\system32\svchost.exe[1572] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 009C00A4
    .text C:\WINDOWS\system32\svchost.exe[1572] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 009C00E4
    .text C:\WINDOWS\system32\svchost.exe[1572] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 009C0F9E
    .text C:\WINDOWS\system32\svchost.exe[1572] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 009C0014
    .text C:\WINDOWS\system32\svchost.exe[1572] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 009C0F4B
    .text C:\WINDOWS\system32\svchost.exe[1572] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 009C0FD4
    .text C:\WINDOWS\system32\svchost.exe[1572] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 009C002F
    .text C:\WINDOWS\system32\svchost.exe[1572] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 009C0093
    .text C:\WINDOWS\system32\svchost.exe[1572] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 009B0FC3
    .text C:\WINDOWS\system32\svchost.exe[1572] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 009B0F7C
    .text C:\WINDOWS\system32\svchost.exe[1572] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 009B0014
    .text C:\WINDOWS\system32\svchost.exe[1572] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 009B0FD4
    .text C:\WINDOWS\system32\svchost.exe[1572] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 009B0039
    .text C:\WINDOWS\system32\svchost.exe[1572] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 009B0FE5
    .text C:\WINDOWS\system32\svchost.exe[1572] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 009B0F97
    .text C:\WINDOWS\system32\svchost.exe[1572] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [BB, 88]
    .text C:\WINDOWS\system32\svchost.exe[1572] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 009B0FB2
    .text C:\WINDOWS\system32\svchost.exe[1572] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 009A0F9A
    .text C:\WINDOWS\system32\svchost.exe[1572] msvcrt.dll!system 77C293C7 5 Bytes JMP 009A002F
    .text C:\WINDOWS\system32\svchost.exe[1572] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 009A0000
    .text C:\WINDOWS\system32\svchost.exe[1572] msvcrt.dll!_open 77C2F566 5 Bytes JMP 009A0FEF
    .text C:\WINDOWS\system32\svchost.exe[1572] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 009A0FB5
    .text C:\WINDOWS\system32\svchost.exe[1572] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 009A0FD2
    .text C:\WINDOWS\system32\svchost.exe[1572] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00990000
    .text C:\WINDOWS\System32\svchost.exe[1916] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B40000
    .text C:\WINDOWS\System32\svchost.exe[1916] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B40F77
    .text C:\WINDOWS\System32\svchost.exe[1916] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B40F88
    .text C:\WINDOWS\System32\svchost.exe[1916] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B40062
    .text C:\WINDOWS\System32\svchost.exe[1916] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B40047
    .text C:\WINDOWS\System32\svchost.exe[1916] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B4002C
    .text C:\WINDOWS\System32\svchost.exe[1916] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B400A4
    .text C:\WINDOWS\System32\svchost.exe[1916] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B40093
    .text C:\WINDOWS\System32\svchost.exe[1916] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B400BF
    .text C:\WINDOWS\System32\svchost.exe[1916] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B40F26
    .text C:\WINDOWS\System32\svchost.exe[1916] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B400D0
    .text C:\WINDOWS\System32\svchost.exe[1916] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B40FAF
    .text C:\WINDOWS\System32\svchost.exe[1916] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B40011
    .text C:\WINDOWS\System32\svchost.exe[1916] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B40F5C
    .text C:\WINDOWS\System32\svchost.exe[1916] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B40FC0
    .text C:\WINDOWS\System32\svchost.exe[1916] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B40FDB
    .text C:\WINDOWS\System32\svchost.exe[1916] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B40F41
    .text C:\WINDOWS\System32\svchost.exe[1916] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B30022
    .text C:\WINDOWS\System32\svchost.exe[1916] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B30FB6
    .text C:\WINDOWS\System32\svchost.exe[1916] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B30FD1
    .text C:\WINDOWS\System32\svchost.exe[1916] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B30011
    .text C:\WINDOWS\System32\svchost.exe[1916] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B30073
    .text C:\WINDOWS\System32\svchost.exe[1916] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B30000
    .text C:\WINDOWS\System32\svchost.exe[1916] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00B3004E
    .text C:\WINDOWS\System32\svchost.exe[1916] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B3003D
    .text C:\WINDOWS\System32\svchost.exe[1916] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B20FA3
    .text C:\WINDOWS\System32\svchost.exe[1916] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B20FC8
    .text C:\WINDOWS\System32\svchost.exe[1916] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B20FE3
    .text C:\WINDOWS\System32\svchost.exe[1916] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B20000
    .text C:\WINDOWS\System32\svchost.exe[1916] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B20038
    .text C:\WINDOWS\System32\svchost.exe[1916] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B20011
    .text C:\WINDOWS\System32\svchost.exe[1976] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B90FEF
    .text C:\WINDOWS\System32\svchost.exe[1976] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B90080
    .text C:\WINDOWS\System32\svchost.exe[1976] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B9006F
    .text C:\WINDOWS\System32\svchost.exe[1976] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B90054
    .text C:\WINDOWS\System32\svchost.exe[1976] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B90043
    .text C:\WINDOWS\System32\svchost.exe[1976] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B90FA1
    .text C:\WINDOWS\System32\svchost.exe[1976] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B90F5C
    .text C:\WINDOWS\System32\svchost.exe[1976] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B900AE
    .text C:\WINDOWS\System32\svchost.exe[1976] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B900DA
    .text C:\WINDOWS\System32\svchost.exe[1976] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B90F41
    .text C:\WINDOWS\System32\svchost.exe[1976] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B90F1C
    .text C:\WINDOWS\System32\svchost.exe[1976] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B90032
    .text C:\WINDOWS\System32\svchost.exe[1976] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B90FDE
    .text C:\WINDOWS\System32\svchost.exe[1976] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B90091
    .text C:\WINDOWS\System32\svchost.exe[1976] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B90FB2
    .text C:\WINDOWS\System32\svchost.exe[1976] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B90FCD
    .text C:\WINDOWS\System32\svchost.exe[1976] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B900C9
    .text C:\WINDOWS\System32\svchost.exe[1976] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00930FD4
    .text C:\WINDOWS\System32\svchost.exe[1976] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00930051
    .text C:\WINDOWS\System32\svchost.exe[1976] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00930025
    .text C:\WINDOWS\System32\svchost.exe[1976] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0093000A
    .text C:\WINDOWS\System32\svchost.exe[1976] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00930036
    .text C:\WINDOWS\System32\svchost.exe[1976] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00930FEF
    .text C:\WINDOWS\System32\svchost.exe[1976] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00930F94
    .text C:\WINDOWS\System32\svchost.exe[1976] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [B3, 88] {MOV BL, 0x88}
    .text C:\WINDOWS\System32\svchost.exe[1976] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00930FB9
    .text C:\WINDOWS\System32\svchost.exe[1976] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00920FB7
    .text C:\WINDOWS\System32\svchost.exe[1976] msvcrt.dll!system 77C293C7 5 Bytes JMP 00920038
    .text C:\WINDOWS\System32\svchost.exe[1976] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0092001D
    .text C:\WINDOWS\System32\svchost.exe[1976] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00920000
    .text C:\WINDOWS\System32\svchost.exe[1976] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00920FC8
    .text C:\WINDOWS\System32\svchost.exe[1976] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00920FE3
    .text C:\WINDOWS\System32\svchost.exe[1976] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00900FEF
    .text C:\WINDOWS\System32\svchost.exe[1976] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 0090000A
    .text C:\WINDOWS\System32\svchost.exe[1976] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00900FD4
    .text C:\WINDOWS\System32\svchost.exe[1976] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00900025
    .text C:\WINDOWS\System32\svchost.exe[1976] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00910000
    .text C:\WINDOWS\Explorer.EXE[2716] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0000
    .text C:\WINDOWS\Explorer.EXE[2716] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A006C
    .text C:\WINDOWS\Explorer.EXE[2716] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A0051
    .text C:\WINDOWS\Explorer.EXE[2716] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A0040
    .text C:\WINDOWS\Explorer.EXE[2716] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A0F83
    .text C:\WINDOWS\Explorer.EXE[2716] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A0FAF
    .text C:\WINDOWS\Explorer.EXE[2716] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A0F30
    .text C:\WINDOWS\Explorer.EXE[2716] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A0F41
    .text C:\WINDOWS\Explorer.EXE[2716] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A009D
    .text C:\WINDOWS\Explorer.EXE[2716] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A0EFA
    .text C:\WINDOWS\Explorer.EXE[2716] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001A0EE9
    .text C:\WINDOWS\Explorer.EXE[2716] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001A0F9E
    .text C:\WINDOWS\Explorer.EXE[2716] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001A001B
    .text C:\WINDOWS\Explorer.EXE[2716] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001A0F5C
    .text C:\WINDOWS\Explorer.EXE[2716] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001A0FCA
    .text C:\WINDOWS\Explorer.EXE[2716] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001A0FE5
    .text C:\WINDOWS\Explorer.EXE[2716] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001A0F0B
    .text C:\WINDOWS\Explorer.EXE[2716] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00290FDB
    .text C:\WINDOWS\Explorer.EXE[2716] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00290FAF
    .text C:\WINDOWS\Explorer.EXE[2716] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0029002C
    .text C:\WINDOWS\Explorer.EXE[2716] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0029001B
    .text C:\WINDOWS\Explorer.EXE[2716] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00290FC0
    .text C:\WINDOWS\Explorer.EXE[2716] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 0029000A
    .text C:\WINDOWS\Explorer.EXE[2716] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00290062
    .text C:\WINDOWS\Explorer.EXE[2716] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00290047
    .text C:\WINDOWS\Explorer.EXE[2716] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002A0053
    .text C:\WINDOWS\Explorer.EXE[2716] msvcrt.dll!system 77C293C7 5 Bytes JMP 002A0FC8
    .text C:\WINDOWS\Explorer.EXE[2716] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002A0FE3
    .text C:\WINDOWS\Explorer.EXE[2716] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002A000C
    .text C:\WINDOWS\Explorer.EXE[2716] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002A0038
    .text C:\WINDOWS\Explorer.EXE[2716] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002A001D
    .text C:\WINDOWS\Explorer.EXE[2716] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 002C0000
    .text C:\WINDOWS\Explorer.EXE[2716] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 002C0011
    .text C:\WINDOWS\Explorer.EXE[2716] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 002C002C
    .text C:\WINDOWS\Explorer.EXE[2716] WININET.dll!InternetOpenUrlW 3D998439 1 Byte [E9]
    .text C:\WINDOWS\Explorer.EXE[2716] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 002C003D
    .text C:\WINDOWS\Explorer.EXE[2716] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01E80FEF

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys@start 1
    Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys@type 1
    Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys@imagepath \systemroot\system32\drivers\TDSSmxjt.sys
    Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys@group file system
    Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@TDSSserv
    Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@TDSSl
    Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdssservers
    Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdssmain
    Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdsslog \systemroot\system32\TDSSvoqm.dll
    Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdssadw \systemroot\system32\TDSSnvuo.dll
    Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdssinit
    Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdssurls \systemroot\system32\TDSSnmxh.log
    Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdsspanels \systemroot\system32\TDSSsahs.dll
    Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdsserrors \systemroot\system32\TDSSxhyf.log
    Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@TDSSproc \systemroot\system32\TDSSkkai.log
    Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0xC8 0x28 0x51 0xAF ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x71 0x3B 0x04 0x66 ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0x25 0xDA 0xEC 0x7E ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x3E 0x1E 0x9E 0xE0 ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xCD 0x44 0xCD 0xB9 ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xDF 0x20 0x58 0x62 ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0x31 0x77 0xE1 0xBA ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0xAA 0x52 0xC6 0x00 ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0xF6 0x0F 0x4E 0x58 ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0x3D 0xCE 0xEA 0x26 ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0x2A 0xB7 0xCC 0xB5 ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0x05 0x73 0x21 0xDD ...

    ---- EOF - GMER 1.0.15 ----

  2. #22
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208


    Hi,

    The GMER log is still showing signs of the TDSS Rootkit. Drag Combofix to the trash, redownload and run it, but do it this way this time.


    Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

    Link 1
    Link 2
    Link 3
    * IMPORTANT !!! Save ComboFix.exe to your Desktop


    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
    • See this Link for programs that need to be disabled and instructions on how to disable them.
    • Remember to re-enable them when we're done.

    • Double click on ComboFix.exe & follow the prompts.

    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

    *If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  3. #23
    Member
    Join Date
    Jan 2010
    Posts
    51

    Default Combo-Fix log results

    Sorry, I was out of town for a few days.

    Ran Combofix:

    ComboFix 10-02-03.04 - Owner 02/03/2010 22:16:40.2.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.592 [GMT -8:00]
    Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
    AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    .

    ((((((((((((((((((((((((( Files Created from 2010-01-04 to 2010-02-04 )))))))))))))))))))))))))))))))
    .

    2010-02-01 05:15 . 2006-02-15 11:27 -------- d-----w- c:\documents and settings\Administrator\Application Data\Neoteris

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-02-04 06:36 . 2009-03-01 03:54 -------- d-----w- c:\program files\lg_fwupdate
    2010-02-04 01:12 . 2008-09-06 22:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
    2010-02-03 01:40 . 2010-02-03 01:38 -------- d-----w- c:\program files\iTunes
    2010-02-03 01:38 . 2005-06-03 19:43 -------- d-----w- c:\program files\iPod
    2010-02-03 01:38 . 2007-09-15 06:04 -------- d-----w- c:\program files\Common Files\Apple
    2010-02-03 01:21 . 2010-02-03 01:21 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
    2010-01-28 07:03 . 2008-12-20 22:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-01-27 06:27 . 2005-05-11 22:05 -------- d-----w- c:\documents and settings\Owner\Application Data\Musicmatch
    2010-01-27 06:26 . 2000-08-06 02:38 -------- d-----w- c:\program files\MUSICMATCH
    2010-01-20 23:03 . 2009-07-25 23:15 -------- d-----w- c:\program files\Microsoft Silverlight
    2010-01-19 08:01 . 2010-01-19 08:01 -------- d-----w- c:\program files\ERUNT
    2010-01-18 18:03 . 2010-01-18 18:03 -------- d-----w- c:\program files\Trend Micro
    2010-01-18 00:45 . 2005-05-07 19:16 -------- d-----w- c:\program files\Java
    2010-01-18 00:42 . 2010-01-18 00:42 152576 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
    2010-01-18 00:42 . 2010-01-18 00:42 79488 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
    2010-01-16 16:19 . 2009-01-17 15:45 5115823 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
    2010-01-14 07:34 . 2007-10-05 16:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2010-01-08 00:07 . 2008-12-20 22:31 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-01-08 00:07 . 2008-12-20 22:31 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-01-05 16:43 . 2009-03-01 03:54 16384 ----a-w- c:\windows\system32\lgfwunis.exe
    2010-01-05 10:00 . 2005-02-18 23:19 832512 ------w- c:\windows\system32\wininet.dll
    2010-01-05 10:00 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-01-05 10:00 . 2003-07-16 20:25 17408 ----a-w- c:\windows\system32\corpol.dll
    2009-12-29 05:06 . 2005-05-07 22:44 -------- d-----w- c:\program files\Yahoo!
    2009-12-21 17:07 . 2005-05-06 05:36 -------- d-----w- c:\documents and settings\Owner\Application Data\CyberLink
    2009-12-21 17:07 . 2009-12-21 17:07 -------- d-----w- c:\documents and settings\All Users\Application Data\CyberLink
    2009-12-07 22:17 . 2006-10-14 15:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
    2009-11-21 15:51 . 2003-07-16 20:23 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
    2008-04-08 03:32 . 2008-04-08 03:32 0 ----a-w- c:\program files\temp01
    2005-05-18 23:32 . 2005-05-18 23:32 774144 ----a-w- c:\program files\RngInterstitial.dll
    2002-07-27 02:02 . 2007-03-12 02:52 153088 ----a-w- c:\program files\UNWISE.EXE
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-06 39408]
    "FreeRAM XP"="c:\program files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" [2006-03-23 1591808]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
    "AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-11-06 2356088]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]
    "BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
    "dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]
    "UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
    "USB2Check"="c:\windows\system32\PCLECoInst.dll" [2004-09-21 73728]
    "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
    "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-15 71216]
    "LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-09 52256]
    "LGODDFU"="c:\program files\lg_fwupdate\fwupdate.exe" [2010-01-05 557056]
    "NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
    "SecurDisc"="c:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2007-11-26 1629480]
    "InCD"="c:\program files\Nero\Nero 7\InCD\InCD.exe" [2007-11-26 1057064]
    "NBKeyScan"="c:\program files\Nero\Nero 7\Nero BackItUp\NBKeyScan.exe" [2007-09-17 1377576]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
    "Nikon Transfer Monitor"="c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe" [2008-09-30 485208]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
    "USBToolTip"="c:\program files\Pinnacle\Shared Files\\Programs\USBTip\USBTip.exe" [2006-06-01 196608]
    "PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2003-08-27 204800]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]

    c:\documents and settings\Owner\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ SsiEfr.e\0SsiEfr.e\0sprecovr \SystemRoot\sprecovr.tx

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
    "c:\\Program Files\\McAfee\\MPF\\MpfSrv.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    R1 Neofltr;Neoteris TDI Filter - Layered Version;c:\windows\system32\drivers\NEOFLTR.sys [8/13/2004 7:19 PM 50349]
    R2 WUSB54Gv42SVC;WUSB54Gv42SVC;c:\program files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe [8/14/2009 8:20 AM 53307]
    R3 INIDVD;Initio USB DVD Filter Driver;c:\windows\system32\drivers\inidvd.sys [2/28/2009 8:00 PM 7936]
    S3 PAC207;Webcam 1200;c:\windows\system32\DRIVERS\PFC027.SYS --> c:\windows\system32\DRIVERS\PFC027.SYS [?]

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2007-12-05 20:27 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B2C3BB6B-E005-4246-B8E5-DF0A4D073CDC}]
    2008-06-18 22:04 8192 ----a-w- c:\program files\PixiePack Codec Pack\InstallerHelper.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2010-02-03 c:\windows\Tasks\20100125_231900_pezzini.job
    - c:\program files\Nero\Nero 7\Nero BackItUp\BackItUp.exe [2007-09-17 17:35]

    2010-02-01 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

    2010-02-04 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-09-06 02:31]

    2009-08-15 c:\windows\Tasks\McDefragTask.job
    - c:\windows\system32\defrag.exe [2003-07-16 00:12]

    2009-01-01 c:\windows\Tasks\McQcTask.job
    - c:\program files\mcafee\mqc\QcConsol.exe [2006-07-31 19:22]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    mStart Page = hxxp://www.yahoo.com/?fr=fp-grpj
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uCustomizeSearch =
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    DPF: RaptisoftGameLoader - hxxp://www.miniclip.com/hamsterball/raptisoftgameloader.cab
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-MimBoot - c:\progra~1\MUSICM~1\MUSICM~1\mimboot.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-02-03 22:34
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\INIDVD]
    "ImagePath"=multi:"system32\DRIVERS\inidvd.sys\00"

    [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\INIDVD]
    "ImagePath"=multi:"system32\DRIVERS\inidvd.sys\00"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(2116)
    c:\windows\system32\WININET.dll
    c:\program files\iTunes\iTunesMiniPlayer.dll
    c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
    c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
    c:\progra~1\WINDOW~2\wmpband.dll
    c:\windows\system32\ieframe.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\windows\system32\imapi.exe
    c:\program files\Nero\Nero 7\InCD\InCDsrv.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\LightScribe\LSSrvc.exe
    c:\progra~1\McAfee\MSC\mcmscsvc.exe
    c:\program files\common files\mcafee\mna\mcnasvc.exe
    c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
    c:\program files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
    c:\program files\CyberLink\Shared Files\RichVideo.exe
    c:\progra~1\mcafee.com\agent\mcagent.exe
    c:\windows\system32\wdfmgr.exe
    c:\program files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
    c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\BCMSMMSG.exe
    c:\program files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
    c:\program files\McAfee\MPF\MPFSrv.exe
    c:\program files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2010-02-03 22:48:49 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-02-04 06:48
    ComboFix2.txt 2010-01-26 21:45

    Pre-Run: 13,766,045,696 bytes free
    Post-Run: 13,842,587,648 bytes free

    - - End Of File - - A9EF340FE6E189EC07BB64E558A6394F

  4. #24
    Member
    Join Date
    Jan 2010
    Posts
    51

    Default HJT log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:03:02 PM, on 2/3/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16981)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\imapi.exe
    C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\program files\common files\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\WINDOWS\System32\svchost.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
    C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
    C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\lg_fwupdate\fwupdate.exe
    C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
    C:\Program Files\Nero\Nero 7\InCD\InCD.exe
    C:\Program Files\Nero\Nero 7\Nero BackItUp\NBKeyScan.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?fr=fp-grpj
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
    O2 - BHO: Tunebite_WebRipPlugin Class - {AA102584-3B97-47e7-B9BC-75D54C110A7D} - C:\Program Files\RapidSolution\Tunebite\plugins\IE\TB_WebRipIePlugin.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
    O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
    O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
    O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero 7\Nero BackItUp\NBKeyScan.exe"
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [Nikon Transfer Monitor] C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [USBToolTip] "C:\Program Files\Pinnacle\Shared Files\\Programs\USBTip\USBTip.exe"
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"
    O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/...gameloader.cab
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...oUploader5.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} - http://www.miniclip.com/supergerball...GameLoader.dll
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...0/mcinsctl.cab
    O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/...oUploader3.cab
    O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...Uploader55.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...23/mcgdmgr.cab
    O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai.net/f/532/6712/.../installer.exe
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    O23 - Service: WUSB54Gv42SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
    O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    O24 - Desktop Component 0: (no name) - http://www.rmtadventures.ca/causway%...ir%20009fp.jpg

    --
    End of file - 12267 bytes

  5. #25
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Good Morning,


    Backup Your Registry with ERUNT:
    • Download erunt.zip to your Desktop from here:
      http://aumha.org/downloads/erunt.zip
    • Right-click erunt.zip, select Extract All... and follow the prompts to extract ERUNT to a new folder on your Desktop
    • Inside the new folder, double-click ERUNT.exe to start the program
    • OK all the prompts to back up your registry to the default location.
    Note: to restore your registry, go to the backup folder and start ERDNT.exe


    Drag Combofix to the trash, grab a fresh copy, and then do this:

    Download ComboFix from one of these locations:

    Link 1
    Link 2


    * IMPORTANT !!! Save ComboFix.exe to your Desktop


    Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before and above Driver::


    Code:
    Driver::
    TDSSmxjt

    Rootkit::
    C:\windows\system32\drivers\TDSSmxjt.sys

    Registry::
    [-Hkey_local_machine\SYSTEM\ControlSet001\Services\TDSSserv.sys]

    Save this as CFScript to your desktop.

    Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

    This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
    Last edited by ken545; 2010-02-04 at 14:17.
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.
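The post above stresses that the CFScript must begin with Driver:: with no space or blank line before it. The following checker is an added example, not part of the thread or of ComboFix itself; it assumes the script is a plain-text file of sections introduced by a directive line ending in "::" (Driver::, Rootkit::, Registry:: as used in the post) and reports the formatting mistakes that would make such a script fail before it is ever dragged onto ComboFix.exe.

```python
"""Format checker for a ComboFix CFScript (added example, not ComboFix code)."""
import re

# Section names that appear in the post; anything else is reported as unknown.
KNOWN_SECTIONS = {"Driver", "Rootkit", "Registry"}

# The script from the post, reproduced as constructed sample input.
SAMPLE_SCRIPT = (
    "Driver::\n"
    "TDSSmxjt\n"
    "\n"
    "Rootkit::\n"
    "C:\\windows\\system32\\drivers\\TDSSmxjt.sys\n"
    "\n"
    "Registry::\n"
    "[-Hkey_local_machine\\SYSTEM\\ControlSet001\\Services\\TDSSserv.sys]\n"
)

DIRECTIVE = re.compile(r"^([A-Za-z]+)::\s*$")
# A Registry:: entry is a bracketed hive key, optionally prefixed with '-' for deletion.
REG_KEY = re.compile(r"^\[-?(HKEY_[A-Z_]+|HKLM|HKCU|HKCR|HKU)\\.+\]$", re.IGNORECASE)
ABS_PATH = re.compile(r"^[A-Za-z]:\\")


def parse_cfscript(text):
    """Return (sections, problems).

    sections maps each directive name to its entry lines, in order;
    problems is a list of findings (empty means the script looks well formed).
    """
    sections = {}
    problems = []
    current = None

    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        # Rule from the post: no space before a directive or entry.
        if raw and raw != raw.lstrip():
            problems.append(f"line {lineno}: leading whitespace")
        if not line:
            # Blank separators between sections are fine, but nothing may
            # sit above the first directive.
            if current is None:
                problems.append(f"line {lineno}: blank line before the first directive")
            continue

        m = DIRECTIVE.match(line)
        if m:
            current = m.group(1)
            if current not in KNOWN_SECTIONS:
                problems.append(f"line {lineno}: unknown section {current}::")
            if current in sections:
                problems.append(f"line {lineno}: section {current}:: repeated")
            sections.setdefault(current, [])
            continue

        if current is None:
            problems.append(f"line {lineno}: entry before any directive")
            continue
        if current == "Registry" and not REG_KEY.match(line):
            problems.append(f"line {lineno}: Registry:: entry is not a bracketed hive key")
        if current == "Rootkit" and not ABS_PATH.match(line):
            problems.append(f"line {lineno}: Rootkit:: entry is not an absolute path")
        sections[current].append(line)

    if not sections:
        problems.append("no directives found")
    for name, entries in sections.items():
        if not entries:
            problems.append(f"section {name}:: has no entries")
    return sections, problems


if __name__ == "__main__":
    secs, probs = parse_cfscript(SAMPLE_SCRIPT)
    print("sections:", {k: len(v) for k, v in secs.items()})
    print("problems:", probs or "none")
```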

  6. #26
    Member
    Join Date
    Jan 2010
    Posts
    51

    Default Comb Fix Log and HJT results from 2/4/10

    ComboFix 10-02-03.07 - Owner 02/04/2010 7:30.3.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.604 [GMT -8:00]
    Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
    AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    .

    ((((((((((((((((((((((((( Files Created from 2010-01-04 to 2010-02-04 )))))))))))))))))))))))))))))))
    .

    2010-02-03 01:38 . 2010-02-03 01:40 -------- d-----w- c:\program files\iTunes
    2010-01-19 08:01 . 2010-02-04 15:19 -------- d-----w- c:\program files\ERUNT
    2010-01-18 18:03 . 2010-01-18 18:03 -------- d-----w- c:\program files\Trend Micro
    2010-01-13 14:37 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-02-04 15:46 . 2009-03-01 03:54 -------- d-----w- c:\program files\lg_fwupdate
    2010-02-04 01:12 . 2008-09-06 22:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
    2010-02-03 01:38 . 2005-06-03 19:43 -------- d-----w- c:\program files\iPod
    2010-02-03 01:38 . 2007-09-15 06:04 -------- d-----w- c:\program files\Common Files\Apple
    2010-01-28 07:03 . 2008-12-20 22:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-01-27 06:27 . 2005-05-11 22:05 -------- d-----w- c:\documents and settings\Owner\Application Data\Musicmatch
    2010-01-20 23:03 . 2009-07-25 23:15 -------- d-----w- c:\program files\Microsoft Silverlight
    2010-01-18 00:45 . 2005-05-07 19:16 -------- d-----w- c:\program files\Java
    2010-01-14 07:34 . 2007-10-05 16:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2010-01-08 00:07 . 2008-12-20 22:31 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-01-08 00:07 . 2008-12-20 22:31 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-01-05 16:43 . 2009-03-01 03:54 16384 ----a-w- c:\windows\system32\lgfwunis.exe
    2010-01-05 10:00 . 2005-02-18 23:19 832512 ------w- c:\windows\system32\wininet.dll
    2010-01-05 10:00 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-01-05 10:00 . 2003-07-16 20:25 17408 ----a-w- c:\windows\system32\corpol.dll
    2009-12-29 05:06 . 2005-05-07 22:44 -------- d-----w- c:\program files\Yahoo!
    2009-12-21 17:07 . 2005-05-06 05:36 -------- d-----w- c:\documents and settings\Owner\Application Data\CyberLink
    2009-12-21 17:07 . 2009-12-21 17:07 -------- d-----w- c:\documents and settings\All Users\Application Data\CyberLink
    2009-12-07 22:17 . 2006-10-14 15:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
    2008-04-08 03:32 . 2008-04-08 03:32 0 ----a-w- c:\program files\temp01
    2005-05-18 23:32 . 2005-05-18 23:32 774144 ----a-w- c:\program files\RngInterstitial.dll
    2002-07-27 02:02 . 2007-03-12 02:52 153088 ----a-w- c:\program files\UNWISE.EXE
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-06 39408]
    "FreeRAM XP"="c:\program files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" [2006-03-23 1591808]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]
    "BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
    "dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]
    "UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
    "USB2Check"="c:\windows\system32\PCLECoInst.dll" [2004-09-21 73728]
    "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
    "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-15 71216]
    "LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-09 52256]
    "LGODDFU"="c:\program files\lg_fwupdate\fwupdate.exe" [2010-01-05 557056]
    "NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
    "SecurDisc"="c:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2007-11-26 1629480]
    "InCD"="c:\program files\Nero\Nero 7\InCD\InCD.exe" [2007-11-26 1057064]
    "NBKeyScan"="c:\program files\Nero\Nero 7\Nero BackItUp\NBKeyScan.exe" [2007-09-17 1377576]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
    "Nikon Transfer Monitor"="c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe" [2008-09-30 485208]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
    "USBToolTip"="c:\program files\Pinnacle\Shared Files\\Programs\USBTip\USBTip.exe" [2006-06-01 196608]
    "PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2003-08-27 204800]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]

    c:\documents and settings\Owner\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ SsiEfr.e\0SsiEfr.e\0sprecovr \SystemRoot\sprecovr.tx

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
    "c:\\Program Files\\McAfee\\MPF\\MpfSrv.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    R1 Neofltr;Neoteris TDI Filter - Layered Version;c:\windows\system32\drivers\NEOFLTR.sys [8/13/2004 7:19 PM 50349]
    R2 WUSB54Gv42SVC;WUSB54Gv42SVC;c:\program files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe [8/14/2009 8:20 AM 53307]
    R3 INIDVD;Initio USB DVD Filter Driver;c:\windows\system32\drivers\inidvd.sys [2/28/2009 8:00 PM 7936]
    S3 PAC207;Webcam 1200;c:\windows\system32\DRIVERS\PFC027.SYS --> c:\windows\system32\DRIVERS\PFC027.SYS [?]

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2007-12-05 20:27 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B2C3BB6B-E005-4246-B8E5-DF0A4D073CDC}]
    2008-06-18 22:04 8192 ----a-w- c:\program files\PixiePack Codec Pack\InstallerHelper.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2010-02-03 c:\windows\Tasks\20100125_231900_pezzini.job
    - c:\program files\Nero\Nero 7\Nero BackItUp\BackItUp.exe [2007-09-17 17:35]

    2010-02-01 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

    2010-02-04 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-09-06 02:31]

    2009-08-15 c:\windows\Tasks\McDefragTask.job
    - c:\windows\system32\defrag.exe [2003-07-16 00:12]

    2009-01-01 c:\windows\Tasks\McQcTask.job
    - c:\program files\mcafee\mqc\QcConsol.exe [2006-07-31 19:22]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    mStart Page = hxxp://www.yahoo.com/?fr=fp-grpj
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uCustomizeSearch =
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    DPF: RaptisoftGameLoader - hxxp://www.miniclip.com/hamsterball/raptisoftgameloader.cab
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-02-04 07:45
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\INIDVD]
    "ImagePath"=multi:"system32\DRIVERS\inidvd.sys\00"

    [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\INIDVD]
    "ImagePath"=multi:"system32\DRIVERS\inidvd.sys\00"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(3928)
    c:\windows\system32\WININET.dll
    c:\program files\iTunes\iTunesMiniPlayer.dll
    c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
    c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
    c:\progra~1\WINDOW~2\wmpband.dll
    c:\windows\system32\ieframe.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\windows\system32\imapi.exe
    c:\program files\Nero\Nero 7\InCD\InCDsrv.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\LightScribe\LSSrvc.exe
    c:\progra~1\McAfee\MSC\mcmscsvc.exe
    c:\program files\common files\mcafee\mna\mcnasvc.exe
    c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
    c:\program files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
    c:\program files\CyberLink\Shared Files\RichVideo.exe
    c:\windows\system32\wdfmgr.exe
    c:\program files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
    c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    c:\progra~1\mcafee.com\agent\mcagent.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\BCMSMMSG.exe
    c:\program files\McAfee\MPF\MPFSrv.exe
    c:\program files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
    c:\program files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2010-02-04 08:01:21 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-02-04 16:01
    ComboFix2.txt 2010-02-04 06:48
    ComboFix3.txt 2010-01-26 21:45

    Pre-Run: 13,714,255,872 bytes free
    Post-Run: 13,673,009,152 bytes free

    - - End Of File - - E0B6D72F559FB6CC558ADDBB05E58E46



    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:38:48 AM, on 2/4/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16981)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\imapi.exe
    C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\program files\common files\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
    C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
    C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\lg_fwupdate\fwupdate.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
    C:\Program Files\Nero\Nero 7\InCD\InCD.exe
    C:\Program Files\Nero\Nero 7\Nero BackItUp\NBKeyScan.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?fr=fp-grpj
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
    O2 - BHO: Tunebite_WebRipPlugin Class - {AA102584-3B97-47e7-B9BC-75D54C110A7D} - C:\Program Files\RapidSolution\Tunebite\plugins\IE\TB_WebRipIePlugin.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
    O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
    O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
    O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero 7\Nero BackItUp\NBKeyScan.exe"
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [Nikon Transfer Monitor] C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [USBToolTip] "C:\Program Files\Pinnacle\Shared Files\\Programs\USBTip\USBTip.exe"
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/...gameloader.cab
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...oUploader5.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} - http://www.miniclip.com/supergerball...GameLoader.dll
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...0/mcinsctl.cab
    O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/...oUploader3.cab
    O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...Uploader55.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...23/mcgdmgr.cab
    O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai.net/f/532/6712/.../installer.exe
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    O23 - Service: WUSB54Gv42SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
    O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    O24 - Desktop Component 0: (no name) - http://www.rmtadventures.ca/causway%...ir%20009fp.jpg

    --
    End of file - 12427 bytes
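
The HijackThis log above is read by eye for a handful of tells: a BHO whose DLL is gone, a Run value that is just a filename, an ActiveX control pulled from a game or upload site, a service with no publisher, an Active Desktop component fetched from the web. The script below is an added example for this thread, not part of the post and not a HijackThis feature; it encodes those same checks and runs them over lines copied from the log above. The allow-list of O16 download hosts is an assumption made for the example.

```python
r"""Offline triage of HijackThis (HJT) log lines.

Added example, not part of the forum post or of HijackThis itself.
Entry types handled: O2 (BHO), O4 (Run values), O16 (ActiveX DPF),
O23 (services) and O24 (Active Desktop components).
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "entry reason line")

# Assumed allow-list for O16 download hosts (example only, not an HJT feature).
TRUSTED_DPF_HOSTS = {"go.microsoft.com", "download.mcafee.com", "platformdl.adobe.com"}

_ENTRY_RE = re.compile(r"^(?P<type>[RO]\d+)\s+-\s+(?P<body>.*)$")
_URL_HOST_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)
_ABS_PATH_RE = re.compile(r'^"?[A-Za-z]:\\')


def parse_entry(line):
    """Split an HJT entry into (type, body); None for headers and process lists."""
    m = _ENTRY_RE.match(line.strip())
    return (m.group("type"), m.group("body")) if m else None


def check_line(line):
    """Return a Finding for a suspicious entry, else None."""
    parsed = parse_entry(line)
    if parsed is None:
        return None
    etype, body = parsed
    if etype == "O2" and body.endswith("(no file)"):
        return Finding("O2", "BHO CLSID registered but DLL missing (orphan or deleted payload)", line)
    if etype == "O4":
        target = body.split("] ", 1)[-1].strip()
        # rundll32 entries carry the DLL path after the exe name; skip them here
        if not _ABS_PATH_RE.match(target) and not target.upper().startswith("RUNDLL32"):
            return Finding("O4", "Run value is a bare filename; resolved via PATH at logon", line)
    if etype == "O16":
        m = _URL_HOST_RE.search(body)
        if m and m.group(1).lower() not in TRUSTED_DPF_HOSTS:
            return Finding("O16", "ActiveX download host not allow-listed: " + m.group(1), line)
    if etype == "O23" and "Unknown owner" in body:
        return Finding("O23", "Service binary has no publisher; check its signature", line)
    if etype == "O24" and _URL_HOST_RE.search(body):
        return Finding("O24", "Active Desktop component loaded from a remote URL", line)
    return None


def triage(log_text):
    """Run check_line over every line of a log and keep the hits, in order."""
    return [f for f in (check_line(l) for l in log_text.splitlines()) if f]


# Sample lines copied from the HijackThis log posted in this thread.
SAMPLE_HJT_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/...gameloader.cab
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O24 - Desktop Component 0: (no name) - http://www.rmtadventures.ca/causway%...ir%20009fp.jpg
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print("%s  %s\n    %s" % (f.entry, f.reason, f.line))
```

A hit is a prompt to look closer, not a verdict: the bare `BCMSMMSG.exe` Run value, for instance, is a known modem helper that lives in `C:\WINDOWS`, but a bare name in a Run value is exactly how a planted binary earlier in the PATH gets executed instead.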

  7. #27
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Hi,

Not sure if it has been removed. Be back in a bit. How are things running now?
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  8. #28
    Member
    Join Date
    Jan 2010
    Posts
    51

    Default Seems ok

    So far it seems to be fine. I will have to reboot a few times to see if the McAfee Systemguard gets turned off again.

    I still get the error message if I try to use msconfig and unclick something in the Startup tab. I don't understand why I get the message about needing to sign in as an administrator. Again, I think that might be user misunderstanding rather than a sign of an infection.

Thanks for your help. Maybe I just need to get a new machine and have this one wiped clean.

  9. #29
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

When you have a serious infection it's not a bad idea to do a clean install, but hang in a bit, I am still looking into your issues.

  10. #30
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Hi,

Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules (not active ControlSet) <-- This means it's fine and nothing to worry about.


If you would like, I can link you to a Windows forum to help you with the other non-malware-related issues; let me know.
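
The reasoning behind "not active ControlSet, nothing to worry about" is that Windows keeps several `ControlSetNNN` copies under `HKLM\SYSTEM` and boots from only one of them; which one is recorded in the `Current` DWORD of `HKLM\SYSTEM\Select`, and `CurrentControlSet` is a symbolic link to that key. A service key under any other ControlSet is never loaded. The script below is an added example, not part of the thread or of GMER/ComboFix: it resolves the live ControlSet from the `Select` values and classifies reported registry paths as live or stale. The `Select` values it uses are constructed for the example (on the machine itself `read_select_from_registry()` reads the real ones, Windows only), and the `ControlSet003` path is constructed to show the one caveat: the set named by `LastKnownGood` becomes live if someone boots with Last Known Good Configuration, so a leftover there is worth cleaning too.

```python
r"""Is a reported registry key under the live ControlSet?

Added example, not from the thread or from GMER/ComboFix. HKLM\SYSTEM\Select
holds DWORDs Current, Default, Failed and LastKnownGood; Current names the
ControlSetNNN the system booted from.
"""
import re

_CS_RE = re.compile(r"^HKLM\\SYSTEM\\(ControlSet\d{3}|CurrentControlSet)\\", re.IGNORECASE)


def control_set_name(n):
    """Select stores the number; the key name is zero-padded to three digits."""
    return "ControlSet%03d" % n


def active_control_set(select):
    """select: the DWORD values of HKLM\\SYSTEM\\Select as a dict."""
    if not select.get("Current"):
        raise ValueError("Select\\Current missing; incomplete SYSTEM hive?")
    return control_set_name(select["Current"])


def classify_registry_finding(path, select):
    """'live', 'stale', 'stale-lastknowngood' or 'n/a' for a reported key path."""
    m = _CS_RE.match(path)
    if m is None:
        return "n/a"                     # not under a control set at all
    name = m.group(1).lower()
    if name in ("currentcontrolset", active_control_set(select).lower()):
        return "live"
    lkg = select.get("LastKnownGood")
    if lkg and name == control_set_name(lkg).lower():
        return "stale-lastknowngood"     # would go live on a Last Known Good boot
    return "stale"


def read_select_from_registry():
    """Windows only: pull the real Select values with winreg."""
    import winreg
    out = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\Select") as key:
        for name in ("Current", "Default", "Failed", "LastKnownGood"):
            try:
                out[name], _ = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                pass
    return out


# Constructed Select values for the example (an assumption, not read from the machine).
SAMPLE_SELECT = {"Current": 2, "Default": 2, "Failed": 0, "LastKnownGood": 3}

# First path is the one quoted in the reply above; the others are constructed comparisons.
SAMPLE_FINDINGS = [
    r"HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules",
    r"HKLM\SYSTEM\ControlSet003\Services\ExampleSvc",
    r"HKLM\SYSTEM\CurrentControlSet\Services\INIDVD",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
]

if __name__ == "__main__":
    for p in SAMPLE_FINDINGS:
        print("%-20s %s" % (classify_registry_finding(p, SAMPLE_SELECT), p))
```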
