Jump to content

ArmedMonkey

Members
  • Posts

    5
  • Joined

  • Last visited

Everything posted by ArmedMonkey

  1. TDSKiller seems to have done the trick. It detected a rootkit (see logs) 2010/12/30 16:29:18.0859 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0) 2010/12/30 16:29:18.0862 ================================================================================ 2010/12/30 16:29:18.0862 Scan finished 2010/12/30 16:29:18.0862 ================================================================================ 2010/12/30 16:29:18.0869 Detected object count: 2 2010/12/30 16:30:12.0098 Locked file(sptd) - User select action: Skip 2010/12/30 16:30:12.0126 \HardDisk0 - will be cured after reboot 2010/12/30 16:30:12.0126 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure (I uninstalled the sptd manually and did a scan again to see that the entry was gone because I knew what it was associated with) I'm curious about this one because it's the first piece of malware I wasn't able to remove from a computer myself and manually. Are you familiar with this one at all in terms of how it works and where it hides? In any case, thanks very much for your help and I wish you and yours a happy new year! TDSSKiller.2.4.12.0_30.12.2010_16.29.01_log.txt
  2. Unfortunately, no change. Another detail I noticed (which, I admit, probably won't be very helpful) is that despite the fact that it doesn't seem to be attributed to just one browser it does seem to be able to track my recent searches through google. Some of the ad pages it goes to have querystrings for my most recent search.
  3. Sorry for the delay. Here's the log. Thanks ComboFix.txt
  4. Thank you Maniac Here are the requested logs: DDS.txt Attach.txt mbam_log_2010_12_28__09_40_45_.txt
  5. So this has been going on for a while, some months. I haven't had time to address the issue until now. I believe it started when I went on a page which loaded a java servlet. I tried to kill Java but it was too late and dumped some crap on my computer. Now, every once in a while, I'll get a 'popup' that goes to some sort of page with a referrer link... Some of them are "you won...", some are "you're infected", and some are just random. The unusual thing to note is, it happens in any browser that I have open, which makes me think that it's not just an infected browser (i've tried reinstalling FF, using a brand new browser, etc). It seems to be something running in a different process which launches this stuff through shell and just opens it in whatever browser is handling URL requests at the time. It will usually give me one right when I launch my browser (But never before), and um... that's all I can think of right now. HijackThis Startup: StartupList report, 12/27/2010, 9:38:57 AM StartupList version: 1.52.2 Started from : C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.EXE Detected: Windows 7 (WinNT 6.00.3504) Detected: Internet Explorer v8.00 (8.00.7600.16700) * Using default options * Showing rarely important sections ================================================== Running processes: C:\Program Files (x86)\Switcher\Switcher.exe - windows expose-like program C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe C:\Users\kir\Local Settings\Apps\F.lux\flux.exe - screen brightness util C:\Program Files (x86)\Ray Adams\ATI Tray Tools\atitray.exe D:\Backup\Volumouse\volumouse.exe - volume util C:\Program Files (x86)\Skype\Phone\Skype.exe C:\Program Files (x86)\MagicTune Premium\GammaTray.exe - monitor util (added after problem started) C:\Users\kir\AppData\Roaming\Dropbox\bin\Dropbox.exe C:\Program Files (x86)\stickies\stickies.exe C:\Program Files (x86)\Razer\DeathAdder\razerhid.exe - mouse driver C:\Program Files (x86)\MagicTune Premium\MagicTuneEngine.exe C:\Users\kir\AppData\Local\Microsoft\Windows Sidebar\Gadgets\GPUMonitor.gadget\GPUMonitor.exe - system monitor C:\Program Files (x86)\Razer\DeathAdder\razertra.exe - mouse C:\Program Files (x86)\Razer\DeathAdder\razerofa.exe - mouse C:\Program Files (x86)\Skype\Plugin Manager\skypePM.exe C:\Program Files (x86)\MagicTune Premium\MagicTune.exe - monitor C:\Program Files (x86)\Mozilla Firefox\firefox.exe C:\Program Files (x86)\Trillian\trillian.exe C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe C:\Users\kir\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe C:\Program Files (x86)\foobar2000\foobar2000.exe C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe C:\Users\kir\AppData\Local\Temp\mozOpenDownload\jvj2r7nx.exe - anti rootkit thing running here C:\Users\kir\AppData\Local\Temp\mozOpenDownload\Defogger.exe C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe C:\Windows\SysWOW64\NOTEPAD.EXE C:\Windows\SysWOW64\notepad.exe -------------------------------------------------- Listing of startup folders: Shell folders Startup: [C:\Users\kir\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup] Dropbox.lnk = kir\AppData\Roaming\Dropbox\bin\Dropbox.exe OneNote 2010 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE RazerExt.exe - Shortcut.lnk = kir\Documents\Visual Studio 2008\Projects\RazerExt\RazerExt\bin\Stable\RazerExt.exe - my personal util for my mouse, written by me Stickies.lnk = C:\Program Files (x86)\stickies\stickies.exe Shell folders Common Startup: [C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup] GammaTray.lnk = ? - monitor -------------------------------------------------- Checking Windows NT UserInit: [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] UserInit = C:\Windows\system32\userinit.exe, -------------------------------------------------- Autorun entries from Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DeathAdder = C:\Program Files (x86)\Razer\DeathAdder\razerhid.exe MagicTuneEngine = C:\Program Files (x86)\MagicTune Premium\MagicTuneEngine.exe Malwarebytes' Anti-Malware (reboot) = "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript -------------------------------------------------- Autorun entries from Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce Malwarebytes' Anti-Malware = C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent -------------------------------------------------- Autorun entries from Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Sidebar = C:\Program Files\Windows Sidebar\sidebar.exe /autoRun Switcher = "C:\Program Files (x86)\Switcher\Switcher.exe" /quiet MultiScreen = Volumousex64 = "D:\Backup\Volumouse\x64\volumouse.exe" /nodlg F.lux = "C:\Users\kir\Local Settings\Apps\F.lux\flux.exe" /noshow AtiTrayTools = "C:\Program Files (x86)\Ray Adams\ATI Tray Tools\atitray.exe" $Volumouse$ = "D:\Backup\Volumouse\volumouse.exe" /nodlg Skype = "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized -------------------------------------------------- Autorun entries in Registry subkeys of: HKLM\Software\Microsoft\Windows\CurrentVersion\Run [AutorunsDisabled] FileZilla Server Interface = "C:\Program Files (x86)\FileZilla Server\FileZilla Server Interface.exe" IJNetworkScanUtility = C:\Program Files (x86)\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe AdobeCS5ServiceManager = "C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin -------------------------------------------------- Autorun entries in Registry subkeys of: HKCU\Software\Microsoft\Windows\CurrentVersion\Run [AdobeUpdater] = [AutorunsDisabled] *No values found* -------------------------------------------------- File association entry for .HTA: HKEY_CLASSES_ROOT\htafile\shell\open\command (Default) = C:\Windows\SysWOW64\mshta.exe "%1" %* -------------------------------------------------- Enumerating Active Setup stub paths: HKLM\Software\Microsoft\Active Setup\Installed Components (* = disabled by HKCU twin) [>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] StubPath = %SystemRoot%\system32\unregmp2.exe /ShowWMP [>{26923b43-4d38-484f-9b9e-de460746276c}] * StubPath = C:\Windows\SysWOW64\ie4uinit.exe -UserIconConfig [>{60B49E34-C7CC-11D0-8953-00A0C90347FF}] * StubPath = "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\iedkcs32.dll",BrandIEActiveSetup SIGNUP [{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] * StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] * StubPath = "%ProgramFiles(x86)%\Windows Mail\WinMail.exe" OCInstallUserConfigOE [{6BF52A52-394A-11d3-B153-00C04F79FAA6}] * StubPath = %SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI [{89820200-ECBD-11cf-8B85-00AA005B4340}] * StubPath = regsvr32.exe /s /n /i:U shell32.dll [{89820200-ECBD-11cf-8B85-00AA005B4383}] * StubPath = C:\Windows\SysWOW64\ie4uinit.exe -BaseSettings [{89B4C1CD-B018-4511-B0A1-5476DBF70820}] * StubPath = C:\Windows\SysWOW64\Rundll32.exe C:\Windows\SysWOW64\mscories.dll,Install -------------------------------------------------- Shell & screensaver key from C:\Windows\SYSTEM.INI: Shell=*INI section not found* SCRNSAVE.EXE=*INI section not found* drivers=*INI section not found* Shell & screensaver key from Registry: Shell=explorer.exe SCRNSAVE.EXE=*Registry value not found* drivers=*Registry value not found* Policies Shell key: HKCU\..\Policies: Shell=*Registry value not found* HKLM\..\Policies: Shell=*Registry value not found* -------------------------------------------------- Checking for EXPLORER.EXE instances: C:\Windows\Explorer.exe: PRESENT! C:\Explorer.exe: not present C:\Windows\Explorer\Explorer.exe: not present C:\Windows\System\Explorer.exe: not present C:\Windows\System32\Explorer.exe: not present C:\Windows\Command\Explorer.exe: not present C:\Windows\Fonts\Explorer.exe: not present -------------------------------------------------- Checking for superhidden extensions: .lnk: HIDDEN! (arrow overlay: yes) .pif: HIDDEN! (arrow overlay: yes) .exe: not hidden .com: not hidden .bat: not hidden .hta: not hidden .scr: not hidden .shs: *Registry key not found* .shb: *Registry key not found* .vbs: not hidden .vbe: not hidden .wsh: not hidden .scf: HIDDEN! (arrow overlay: NO!) .url: HIDDEN! (arrow overlay: yes) .js: not hidden .jse: not hidden -------------------------------------------------- Verifying REGEDIT.EXE integrity: - Regedit.exe found in C:\Windows - .reg open command is normal (regedit.exe %1) - Company name OK: 'Microsoft Corporation' - Original filename NOT OK: 'REGEDIT.EXE.MUI' - File description: 'Registry Editor' Registry check failed! -------------------------------------------------- Enumerating Browser Helper Objects: (no name) - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll - {9030D464-4C02-4ABF-8ECC-5164760863C6} URLRedirectionBHO - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL - {B4F3A835-0E21-4959-BA22-42B3008E02FF} (no name) - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll - {DBC80044-A445-435b-BC74-9C25C1C588A9} (no name) - C:\Program Files (x86)\Microsoft Visual Studio 10.0\Common7\IDE\PrivateAssemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO100.dll - {DDA57003-0068-4ed2-9D32-4D1EC707D94D} -------------------------------------------------- Enumerating Task Scheduler jobs: AutoKMS.job GoogleUpdateTaskUserS-1-5-21-1267673217-2014917464-5534178-1003Core.job GoogleUpdateTaskUserS-1-5-21-1267673217-2014917464-5534178-1003UA.job -------------------------------------------------- Enumerating Download Program Files: [Shockwave Flash Object] InProcServer32 = C:\Windows\SysWOW64\Macromed\Flash\Flash10i.ocx CODEBASE = [url="http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab"]http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab[/url] [{E2883E8F-472F-4FB0-9522-AC9BF37916A7}] CODEBASE = [url="http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab"]http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab[/url] -------------------------------------------------- Enumerating Winsock LSP files: NameSpace #1: C:\Windows\system32\NLAapi.dll NameSpace #4: C:\Windows\system32\napinsp.dll NameSpace #5: C:\Windows\system32\pnrpnsp.dll NameSpace #6: C:\Windows\system32\pnrpnsp.dll NameSpace #7: C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL NameSpace #8: C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL Protocol #11: C:\Program Files (x86)\VMware\VMware Workstation\vsocklib.dll Protocol #12: C:\Program Files (x86)\VMware\VMware Workstation\vsocklib.dll -------------------------------------------------- Enumerating Windows NT/2000/XP services AMD External Events Utility: %SystemRoot%\system32\atiesrxx.exe (autostart) @%windir%\system32\inetsrv\iisres.dll,-30011: %windir%\system32\svchost.exe -k apphost (autostart) @%SystemRoot%\system32\audiosrv.dll,-204: %SystemRoot%\System32\svchost.exe -k LocalSystemNetworkRestricted (autostart) @%SystemRoot%\system32\audiosrv.dll,-200: %SystemRoot%\System32\svchost.exe -k LocalServiceNetworkRestricted (autostart) @%SystemRoot%\system32\bfe.dll,-1001: %systemroot%\system32\svchost.exe -k LocalServiceNoNetwork (autostart) Microsoft .NET Framework NGEN v4.0.30319_X86: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (autostart) Microsoft .NET Framework NGEN v4.0.30319_X64: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (autostart) @%SystemRoot%\system32\cryptsvc.dll,-1001: %SystemRoot%\system32\svchost.exe -k NetworkService (autostart) @%systemroot%\system32\cscsvc.dll,-200: %SystemRoot%\System32\svchost.exe -k LocalSystemNetworkRestricted (autostart) @oleres.dll,-5012: %SystemRoot%\system32\svchost.exe -k DcomLaunch (autostart) @%SystemRoot%\system32\dhcpcore.dll,-100: %SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted (autostart) @%SystemRoot%\System32\dnsapi.dll,-101: %SystemRoot%\system32\svchost.exe -k NetworkService (autostart) @%systemroot%\system32\dps.dll,-500: %SystemRoot%\System32\svchost.exe -k LocalServiceNoNetwork (autostart) @%SystemRoot%\system32\wevtsvc.dll,-200: %SystemRoot%\System32\svchost.exe -k LocalServiceNetworkRestricted (autostart) @comres.dll,-2450: %SystemRoot%\system32\svchost.exe -k LocalService (autostart) @%systemroot%\system32\fdrespub.dll,-100: %SystemRoot%\system32\svchost.exe -k LocalServiceAndNoImpersonation (autostart) @gpapi.dll,-112: %systemroot%\system32\svchost.exe -k netsvcs (autostart) VMware hcmon: \??\C:\Windows\system32\drivers\hcmon.sys (autostart) HID Class Driver: system32\DRIVERS\hidusb.sys (autostart) @%windir%\system32\inetsrv\iisres.dll,-30007: %windir%\system32\inetsrv\inetinfo.exe (autostart) @%SystemRoot%\system32\ikeext.dll,-501: %systemroot%\system32\svchost.exe -k netsvcs (autostart) @%SystemRoot%\system32\iphlpsvc.dll,-500: %SystemRoot%\System32\svchost.exe -k NetSvcs (autostart) KMService: C:\Windows\system32\srvany.exe (autostart) ks3MYSQL: "C:\Program Files\MySQL\MySQL Server 5.1\bin\mysqld" --defaults-file="C:\Program Files\MySQL\MySQL Server 5.1\my.ini" ks3MYSQL (autostart) @%systemroot%\system32\srvsvc.dll,-100: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart) @%systemroot%\system32\wkssvc.dll,-100: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart) Link-Layer Topology Discovery Mapper I/O Driver: system32\DRIVERS\lltdio.sys (autostart) @%SystemRoot%\system32\lmhsvc.dll,-101: %SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted (autostart) LMIGuardianSvc: "C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe" (autostart) LogMeIn Kernel Information Provider: \??\C:\Program Files (x86)\LogMeIn\x64\RaInfo.sys (autostart) LogMeIn Remote File System Driver: \??\C:\Windows\system32\drivers\LMIRfsDriver.sys (autostart) @%systemroot%\system32\drivers\luafv.sys,-100: \SystemRoot\system32\drivers\luafv.sys (autostart) @%systemroot%\system32\mmcss.dll,-100: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart) @%SystemRoot%\system32\FirewallAPI.dll,-23090: %SystemRoot%\system32\svchost.exe -k LocalServiceNoNetwork (autostart) SQL Server Integration Services 10.0: "C:\Program Files\Microsoft SQL Server\100\DTS\Binn\MsDtsSrvr.exe" (autostart) @mqutil.dll,-6102: %systemroot%\system32\mqsvc.exe (autostart) SQL Server (BWDATOOLSET): "D:\Program Files (x86)\Dragon Age\tools\toolssql\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sBWDATOOLSET (autostart) SQL Server (KS3SQL): "C:\Program Files (x86)\Microsoft SQL Server\MSSQL10.KS3SQL\MSSQL\Binn\sqlservr.exe" -sKS3SQL (autostart) SQL Server (SQLEXPRESS): "c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (autostart) SQL Server (MSSQLSERVER): "C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\Binn\sqlservr.exe" -sMSSQLSERVER (autostart) @%systemroot%\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ServiceModelInstallRC.dll,-8195: "%systemroot%\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe" -NetMsmqActivator (autostart) @%systemroot%\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ServiceModelInstallRC.dll,-8197: "%systemroot%\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe" (autostart) @%systemroot%\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ServiceModelInstallRC.dll,-8199: "%systemroot%\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe" (autostart) @%SystemRoot%\System32\nlasvc.dll,-1: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart) @%SystemRoot%\system32\nsisvc.dll,-200: %systemroot%\system32\svchost.exe -k LocalService (autostart) @%SystemRoot%\system32\pcasvc.dll,-1: %systemroot%\system32\svchost.exe -k LocalSystemNetworkRestricted (autostart) PEAUTH: system32\drivers\peauth.sys (autostart) @%SystemRoot%\system32\umpnpmgr.dll,-100: %SystemRoot%\system32\svchost.exe -k DcomLaunch (autostart) @%SystemRoot%\system32\umpo.dll,-100: %SystemRoot%\system32\svchost.exe -k DcomLaunch (autostart) @%systemroot%\system32\profsvc.dll,-300: %systemroot%\system32\svchost.exe -k netsvcs (autostart) @%windir%\system32\RpcEpMap.dll,-1001: %SystemRoot%\system32\svchost.exe -k RPCSS (autostart) @oleres.dll,-5010: %SystemRoot%\system32\svchost.exe -k rpcss (autostart) Link-Layer Topology Discovery Responder: system32\DRIVERS\rspndr.sys (autostart) @%SystemRoot%\system32\samsrv.dll,-1: %SystemRoot%\system32\lsass.exe (autostart) @%SystemRoot%\system32\schedsvc.dll,-100: %systemroot%\system32\svchost.exe -k netsvcs (autostart) @%SystemRoot%\system32\Sens.dll,-200: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart) @%SystemRoot%\System32\shsvcs.dll,-12288: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) @%systemroot%\system32\spoolsv.exe,-1: %SystemRoot%\System32\spoolsv.exe (autostart) @%SystemRoot%\system32\sppsvc.exe,-101: %SystemRoot%\system32\sppsvc.exe (autostart) SQL Server VSS Writer: "c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" (autostart) @%SystemRoot%\system32\wiaservc.dll,-9: %SystemRoot%\system32\svchost.exe -k imgsvc (autostart) @%SystemRoot%\system32\sysmain.dll,-1000: %systemroot%\system32\svchost.exe -k LocalSystemNetworkRestricted (autostart) TCP/IP Registry Compatibility: System32\drivers\tcpipreg.sys (autostart) @%SystemRoot%\System32\themeservice.dll,-8192: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) @%SystemRoot%\system32\trkwks.dll,-1: %SystemRoot%\System32\svchost.exe -k LocalSystemNetworkRestricted (autostart) Unsigned Themes: C:\Windows\UnsignedThemesSvc.exe (autostart) uxpatch: \??\C:\Windows\system32\drivers\uxpatch.sys (autostart) @%SystemRoot%\system32\dwm.exe,-2000: %SystemRoot%\System32\svchost.exe -k LocalSystemNetworkRestricted (autostart) VMware Authorization Service: "C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe" (autostart) VMware vmci: \??\C:\Windows\system32\drivers\vmci.sys (autostart) VMware Bridge Protocol: system32\DRIVERS\vmnetbridge.sys (autostart) VMware DHCP Service: C:\Windows\system32\vmnetdhcp.exe (autostart) VMware Network Application Interface: \??\C:\Windows\system32\drivers\vmnetuserif.sys (autostart) VMware USB Arbitration Service: "C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator.exe" (autostart) VMware NAT Service: C:\Windows\system32\vmnat.exe (autostart) VMware vmx86: \??\C:\Windows\system32\drivers\vmx86.sys (autostart) Vstor2 WS60 Virtual Storage Driver: \??\C:\Program Files (x86)\VMware\VMware Workstation\vstor2-ws60.sys (autostart) @%windir%\system32\inetsrv\iisres.dll,-30003: %windir%\system32\svchost.exe -k iissvcs (autostart) WebDrive Filesystem Driver: \??\C:\Program Files (x86)\WebDrive\wdfsd.sys (autostart) WebDrive Service: C:\Program Files (x86)\WebDrive\wdService.exe (autostart) @%ProgramFiles%\Windows Defender\MsMpRes.dll,-103: %SystemRoot%\System32\svchost.exe -k secsvcs (autostart) @%Systemroot%\system32\wbem\wmisvc.dll,-205: %systemroot%\system32\svchost.exe -k netsvcs (autostart) Windows Live ID Sign-in Assistant: "C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE" (autostart) @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101: "%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe" (autostart) @%SystemRoot%\System32\wscsvc.dll,-200: %SystemRoot%\System32\svchost.exe -k LocalServiceNetworkRestricted (autostart) @%systemroot%\system32\SearchIndexer.exe,-103: %systemroot%\system32\SearchIndexer.exe /Embedding (autostart) @%systemroot%\system32\wuaueng.dll,-105: %systemroot%\system32\svchost.exe -k netsvcs (autostart) @%SystemRoot%\system32\wudfsvc.dll,-1000: %SystemRoot%\system32\svchost.exe -k LocalSystemNetworkRestricted (autostart) -------------------------------------------------- Enumerating Windows NT logon/logoff scripts: *No scripts set to run* Windows NT checkdisk command: BootExecute = autocheck autochk * Windows NT 'Wininit.ini': PendingFileRenameOperations: C:\Program Files (x86)\Malwarebytes' Anti-Malware\zlib.dll -------------------------------------------------- Enumerating ShellServiceObjectDelayLoad items: WebCheck: *Registry key not found* HijackThis Logfile of Trend Micro HijackThis v2.0.4 Scan saved at 9:49:52 AM, on 12/27/2010 Platform: Windows 7 (WinNT 6.00.3504) MSIE: Internet Explorer v8.00 (8.00.7600.16700) Boot mode: Normal Running processes: C:\Program Files (x86)\Switcher\Switcher.exe C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe C:\Users\kir\Local Settings\Apps\F.lux\flux.exe C:\Program Files (x86)\Ray Adams\ATI Tray Tools\atitray.exe D:\Backup\Volumouse\volumouse.exe C:\Program Files (x86)\Skype\Phone\Skype.exe C:\Program Files (x86)\MagicTune Premium\GammaTray.exe C:\Users\kir\AppData\Roaming\Dropbox\bin\Dropbox.exe C:\Program Files (x86)\stickies\stickies.exe C:\Program Files (x86)\Razer\DeathAdder\razerhid.exe C:\Program Files (x86)\MagicTune Premium\MagicTuneEngine.exe C:\Users\kir\AppData\Local\Microsoft\Windows Sidebar\Gadgets\GPUMonitor.gadget\GPUMonitor.exe C:\Program Files (x86)\Razer\DeathAdder\razertra.exe C:\Program Files (x86)\Razer\DeathAdder\razerofa.exe C:\Program Files (x86)\Skype\Plugin Manager\skypePM.exe C:\Program Files (x86)\MagicTune Premium\MagicTune.exe C:\Program Files (x86)\Mozilla Firefox\firefox.exe C:\Program Files (x86)\Trillian\trillian.exe C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe C:\Users\kir\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe C:\Program Files (x86)\foobar2000\foobar2000.exe C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe C:\Users\kir\AppData\Local\Temp\mozOpenDownload\jvj2r7nx.exe C:\Users\kir\AppData\Local\Temp\mozOpenDownload\Defogger.exe C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe C:\Windows\SysWOW64\NOTEPAD.EXE R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [url="http://go.microsoft.com/fwlink/?LinkId=54896"]http://go.microsoft.com/fwlink/?LinkId=54896[/url] R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [url="http://go.microsoft.com/fwlink/?LinkId=69157"]http://go.microsoft.com/fwlink/?LinkId=69157[/url] R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [url="http://go.microsoft.com/fwlink/?LinkId=69157"]http://go.microsoft.com/fwlink/?LinkId=69157[/url] R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [url="http://go.microsoft.com/fwlink/?LinkId=54896"]http://go.microsoft.com/fwlink/?LinkId=54896[/url] R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [url="http://go.microsoft.com/fwlink/?LinkId=54896"]http://go.microsoft.com/fwlink/?LinkId=54896[/url] R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [url="http://go.microsoft.com/fwlink/?LinkId=69157"]http://go.microsoft.com/fwlink/?LinkId=69157[/url] R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll O2 - BHO: Microsoft Web Test Recorder 10.0 Helper - {DDA57003-0068-4ed2-9D32-4D1EC707D94D} - C:\Program Files (x86)\Microsoft Visual Studio 10.0\Common7\IDE\PrivateAssemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO100.dll O3 - Toolbar: Foxit Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files (x86)\AskBarDis\bar\bin\askBar.dll (file missing) O4 - HKLM\..\Run: [DeathAdder] C:\Program Files (x86)\Razer\DeathAdder\razerhid.exe O4 - HKLM\..\Run: [MagicTuneEngine] C:\Program Files (x86)\MagicTune Premium\MagicTuneEngine.exe O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun O4 - HKCU\..\Run: [Switcher] "C:\Program Files (x86)\Switcher\Switcher.exe" /quiet O4 - HKCU\..\Run: [MultiScreen] O4 - HKCU\..\Run: [Volumousex64] "D:\Backup\Volumouse\x64\volumouse.exe" /nodlg O4 - HKCU\..\Run: [F.lux] "C:\Users\kir\Local Settings\Apps\F.lux\flux.exe" /noshow O4 - HKCU\..\Run: [AtiTrayTools] "C:\Program Files (x86)\Ray Adams\ATI Tray Tools\atitray.exe" O4 - HKCU\..\Run: [$Volumouse$] "D:\Backup\Volumouse\volumouse.exe" /nodlg O4 - HKCU\..\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE') O4 - Startup: AutorunsDisabled O4 - Startup: Dropbox.lnk = kir\AppData\Roaming\Dropbox\bin\Dropbox.exe O4 - Startup: OneNote 2010 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE O4 - Startup: RazerExt.exe - Shortcut.lnk = kir\Documents\Visual Studio 2008\Projects\RazerExt\RazerExt\bin\Stable\RazerExt.exe O4 - Startup: Stickies.lnk = C:\Program Files (x86)\stickies\stickies.exe O4 - Global Startup: GammaTray.lnk = ? O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MIF5BA~1\Office14\EXCEL.EXE/3000 O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~2\MIF5BA~1\Office14\ONBttnIE.dll/105 O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll O9 - Extra button: Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files (x86)\Fiddler2\Fiddler.exe" (file missing) O9 - Extra 'Tools' menuitem: Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files (x86)\Fiddler2\Fiddler.exe" (file missing) O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll O10 - Unknown file in Winsock LSP: c:\program files (x86)\vmware\vmware workstation\vsocklib.dll O10 - Unknown file in Winsock LSP: c:\program files (x86)\vmware\vmware workstation\vsocklib.dll O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [url="http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab"]http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab[/url] O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - [url="http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab"]http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab[/url] O17 - HKLM\System\CCS\Services\Tcpip\..\{1ED823D6-47E7-4DE0-8A25-DFC2EE110ED0}: NameServer = 8.8.8.8,8.8.4.4 O17 - HKLM\System\CS1\Services\Tcpip\..\{1ED823D6-47E7-4DE0-8A25-DFC2EE110ED0}: NameServer = 8.8.8.8,8.8.4.4 O17 - HKLM\System\CS2\Services\Tcpip\..\{1ED823D6-47E7-4DE0-8A25-DFC2EE110ED0}: NameServer = 8.8.8.8,8.8.4.4 O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\Skype4COM.dll O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing) O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing) O23 - Service: ANTS Performance Profiler 6 Service - Red Gate Software Ltd. - C:\Program Files\Red Gate\ANTS Performance Profiler 6\RedGate.Profiler.IISService.exe O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing) O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing) O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: @%windir%\system32\inetsrv\iisres.dll,-30007 (IISADMIN) - Unknown owner - C:\Windows\system32\inetsrv\inetinfo.exe (file missing) O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing) O23 - Service: KMService - Unknown owner - C:\Windows\system32\srvany.exe O23 - Service: ks3MYSQL - Unknown owner - C:\Program.exe (file missing) O23 - Service: LMIGuardianSvc - Unknown owner - C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe (file missing) O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing) O23 - Service: @mqutil.dll,-6102 (MSMQ) - Unknown owner - C:\Windows\system32\mqsvc.exe (file missing) O23 - Service: SQL Server (BWDATOOLSET) (MSSQL$BWDATOOLSET) - Unknown owner - D:\Program Files (x86)\Dragon Age\tools\toolssql\MSSQL.1\MSSQL\Binn\sqlservr.exe (file missing) O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing) O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing) O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing) O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing) O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing) O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing) O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing) O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe O23 - Service: Adobe SwitchBoard (SwitchBoard) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files (x86)\VMware\VMware Workstation\vmware-ufad.exe O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing) O23 - Service: Unsigned Themes (UnsignedThemes) - The Within Network, LLC - C:\Windows\UnsignedThemesSvc.exe O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing) O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing) O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\Windows\system32\vmnetdhcp.exe O23 - Service: VMware USB Arbitration Service (VMUSBArbService) - VMware, Inc. - C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator.exe O23 - Service: VMware NAT Service - VMware, Inc. - C:\Windows\system32\vmnat.exe O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing) O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing) O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing) O23 - Service: WebDrive Service (WebDriveService) - South River Technologies, LLC - C:\Program Files (x86)\WebDrive\wdService.exe O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing) O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing) O23 - Service: @C:\Windows\Microsoft.NET\Framework64\v4.0.30128\WPF\WPFFontCache_v0400.exe,-100 (WPFFontCache_v0400) - Unknown owner - C:\Windows\Microsoft.NET\Framework64\v4.0.30128\WPF\WPFFontCache_v0400.exe (file missing) -- End of file - 13094 bytes
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.