Jump to content

I dont know what to donext- please analyze


Recommended Posts

I had some silly promo pop up which panicked me to do a virus scan. My son had put AVG Virus prog on here but apparently its disabled or missing [says no components now] So I immediately ran Malwarebytes and had 23 files infected!! I chose remove all then noticed the sys32 files which is bad right?

I am anxious [scared!] about rebooting to delete some of these files...but also concerned about the Trojans of course...We just had comp serviced last week and I cannot lose any more worktime! help!

here is mwb log:

Malwarebytes' Anti-Malware 1.23

Database version: 985

Windows 5.1.2600 Service Pack 3

2:27:21 PM 1/28/2009

mbam-log-1-28-2009 (14-27-21).txt

Scan type: Quick Scan

Objects scanned: 44278

Time elapsed: 17 minute(s), 31 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 4

Registry Keys Infected: 10

Registry Values Infected: 2

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 11

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\system32\vtUkighh.dll (Trojan.Vundo) -> Delete on reboot.

C:\WINDOWS\system32\xhcjofni.dll (Trojan.Vundo) -> Delete on reboot.

C:\WINDOWS\system32\jkdjhw.dll (Trojan.Vundo) -> Delete on reboot.

C:\WINDOWS\system32\geBrppqo.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1d92af15-a7c1-4cbd-9eec-bee8163a5343} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{1d92af15-a7c1-4cbd-9eec-bee8163a5343} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e31ddf3a-5e5d-476c-a9d5-47a1c85edf37} (Trojan.Vundo) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{e31ddf3a-5e5d-476c-a9d5-47a1c85edf37} (Trojan.Vundo) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.BHO) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.BHO) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\gebrppqo (Trojan.Vundo) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\28ef570b (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\vtukighh -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\vtukighh -> Delete on reboot.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\jkdjhw.dll (Trojan.Vundo) -> Delete on reboot.

C:\WINDOWS\system32\vtUkighh.dll (Trojan.Vundo) -> Delete on reboot.

C:\WINDOWS\system32\hhgikUtv.ini (Trojan.Vundo) -> Delete on reboot.

C:\WINDOWS\system32\hhgikUtv.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\xhcjofni.dll (Trojan.Vundo) -> Delete on reboot.

C:\WINDOWS\system32\infojchx.ini (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\geBrppqo.dll (Trojan.BHO) -> Delete on reboot.

C:\WINDOWS\system32\vciuswyj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Documents and Settings\ian\Local Settings\Temporary Internet Files\Content.IE5\IJIX694D\upd105320[1] (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Documents and Settings\ian\Local Settings\Temporary Internet Files\Content.IE5\WT85QZM5\index[1] (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\fccbYpQH.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

and Hijack this log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 3:37:07 PM, on 1/28/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2900.5512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\Program Files\AVG\AVG8\avgrsx.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe

c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

c:\WINDOWS\system32\ZuneBusEnum.exe

C:\WINDOWS\ehome\mcrdsvc.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Documents and Settings\janet\Application Data\Smilebox\SmileboxTray.exe

C:\Program Files\DNA\btdna.exe

C:\Program Files\Sandboxie\SbieCtrl.exe

C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe

C:\Program Files\AVG\AVG8\avgscanx.exe

C:\Program Files\AVG\AVG8\avgscanx.exe

C:\Program Files\AVG\AVG8\avgscanx.exe

C:\Program Files\AVG\AVG8\avgscanx.exe

C:\Program Files\AVG\AVG8\avgscanx.exe

C:\Program Files\AVG\AVG8\avgtray.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\WINDOWS\hh.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://next.my.msn.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O2 - BHO: (no name) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: {6efa1882-7936-73fb-c9b4-17ef3bb202d4} - {4d202bb3-fe71-4b9c-bf37-63972881afe6} - C:\WINDOWS\system32\gxgcdd.dll

O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\geBrppqo.dll

O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll (file missing)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: (no name) - {77AB5974-55A3-4737-9FD5-B93C64307F78} - C:\WINDOWS\system32\ejdbampp.dll

O2 - BHO: (no name) - {8632ABCA-B104-4FBC-9C70-419C4147061B} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

O2 - BHO: (no name) - {E31DDF3A-5E5D-476C-A9D5-47A1C85EDF37} - C:\WINDOWS\system32\vtUkighh.dll (file missing)

O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-95BA-ED6DB186BE32} - (no file)

O3 - Toolbar: &Windows Live Toolbar Beta - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (file missing)

O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [steam] "C:\Program Files\Steam\Steam.exe" -silent

O4 - HKCU\..\Run: [smileboxTray] "C:\Documents and Settings\janet\Application Data\Smilebox\SmileboxTray.exe"

O4 - HKCU\..\Run: [Azeroth Advisor Uploader] C:\Program Files\Azeroth Advisor Uploader\AzerothAdvisor.exe SILENT

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [bitTorrent DNA] "C:\Program Files\DNA\btdna.exe"

O4 - HKCU\..\Run: [sandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe"

O4 - HKCU\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler

O4 - HKUS\S-1-5-18\..\Run: [iLike] C:\Program Files\iLike\1.2.11\ilikesidebar.exe /checkforupdate (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [iLike] C:\Program Files\iLike\1.2.11\ilikesidebar.exe /checkforupdate (User 'Default user')

O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm

O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe

O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: *.amaena.com

O15 - Trusted Zone: *.antimalwareguard.com

O15 - Trusted Zone: *.antispyexpert.com

O15 - Trusted Zone: *.avsystemcare.com

O15 - Trusted Zone: *.gomyhit.com

O15 - Trusted Zone: *.imageservr.com

O15 - Trusted Zone: *.imagesrvr.com

O15 - Trusted Zone: *.onerateld.com

O15 - Trusted Zone: *.safetydownload.com

O15 - Trusted Zone: *.spyguardpro.com

O15 - Trusted Zone: *.storageguardsoft.com

O15 - Trusted Zone: *.trustedantivirus.com

O15 - Trusted Zone: *.virusremover2008.com

O15 - Trusted Zone: *.virusschlacht.com

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1189536675546

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - AppInit_DLLs: avgrsstx.dll jkdjhw.dll gxgcdd.dll

O20 - Winlogon Notify: geBrppqo - C:\WINDOWS\SYSTEM32\geBrppqo.dll

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--

End of file - 7464 bytes

I would app

Link to post
Share on other sites

  • Root Admin

Okay the good news - I just saved a bunch of money on my car insurance..... LOL

Just kidding. Okay, the issue you have is that your MBAM is WAY out of date and needs to be updated.

Your version is:

Malwarebytes' Anti-Malware 1.23

Database version: 985

My version is:

Malwarebytes' Anti-Malware 1.33

Database version: 1704

Please click on the UPDATE tab and try to update the program. If you can not then try to download a NEW copy and install that.

http://www.malwarebytes.org/mbam.php

Once you've updated your program please run the following.

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
    • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update

    [*]When the update is complete, select the Scanner tab

    [*]Select Perform quick scan, then click Scan.

    [*]When the scan is complete, click OK, then Show Results to view the results.

    [*]Be sure that everything is checked, and click Remove Selected.

    [*]When completed, a log will open in Notepad. please copy and paste the log into your next reply

    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then RESTART the computer

AFTER the reboot run HJT Do a system scan and save a logfile

The post back NEW MBAM and HJT logs in that order please.

Link to post
Share on other sites

Thank you....sorry it took me awhile to get back...we tried restarting last night [w/ old version] and added Avira too...now I did it w/ the new MWB....here are the logs...thank you!

Malwarebytes' Anti-Malware 1.33

Database version: 1707

Windows 5.1.2600 Service Pack 3

1/29/2009 8:24:28 PM

mbam-log-2009-01-29 (20-24-28).txt

Scan type: Quick Scan

Objects scanned: 60869

Time elapsed: 4 minute(s), 54 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 6

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 11

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\ian\Local Settings\Temporary Internet Files\Content.IE5\3J4FWLIH\CAC9GXSR (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Documents and Settings\ian\Local Settings\Temporary Internet Files\Content.IE5\3J4FWLIH\CAD3V1C4 (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Documents and Settings\ian\Local Settings\Temporary Internet Files\Content.IE5\3J4FWLIH\CAH42XD7 (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Documents and Settings\ian\Local Settings\Temporary Internet Files\Content.IE5\IJIX694D\CAAFMLMX (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Documents and Settings\ian\Local Settings\Temporary Internet Files\Content.IE5\IJIX694D\CAEZOXU7 (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Documents and Settings\ian\Local Settings\Temporary Internet Files\Content.IE5\IJIX694D\CAO5U51E (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Documents and Settings\ian\Local Settings\Temporary Internet Files\Content.IE5\WLCTEVWD\CA270L2Z (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Documents and Settings\ian\Local Settings\Temporary Internet Files\Content.IE5\WLCTEVWD\CA87694B (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Documents and Settings\ian\Local Settings\Temporary Internet Files\Content.IE5\WLCTEVWD\CAEBS52F (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Documents and Settings\ian\Local Settings\Temporary Internet Files\Content.IE5\WLCTEVWD\CAIV45QF (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Documents and Settings\ian\Local Settings\Temporary Internet Files\Content.IE5\WLCTEVWD\CAT46PX3 (Trojan.Vundo) -> Quarantined and deleted successfully.

and HIJACK:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:27:31 PM, on 1/29/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2900.5512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\WINDOWS\system32\svchost.exe

c:\WINDOWS\system32\ZuneBusEnum.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Documents and Settings\janet\Application Data\Smilebox\SmileboxTray.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\DNA\btdna.exe

C:\Program Files\Sandboxie\SbieCtrl.exe

C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://next.my.msn.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O2 - BHO: (no name) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)

O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll (file missing)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: (no name) - {8632ABCA-B104-4FBC-9C70-419C4147061B} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: (no name) - {E31DDF3A-5E5D-476C-A9D5-47A1C85EDF37} - C:\WINDOWS\system32\vtUkighh.dll (file missing)

O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-95BA-ED6DB186BE32} - (no file)

O3 - Toolbar: &Windows Live Toolbar Beta - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (file missing)

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [steam] "C:\Program Files\Steam\Steam.exe" -silent

O4 - HKCU\..\Run: [smileboxTray] "C:\Documents and Settings\janet\Application Data\Smilebox\SmileboxTray.exe"

O4 - HKCU\..\Run: [Azeroth Advisor Uploader] C:\Program Files\Azeroth Advisor Uploader\AzerothAdvisor.exe SILENT

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [bitTorrent DNA] "C:\Program Files\DNA\btdna.exe"

O4 - HKCU\..\Run: [sandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe"

O4 - HKCU\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler

O4 - HKUS\S-1-5-18\..\Run: [iLike] C:\Program Files\iLike\1.2.11\ilikesidebar.exe /checkforupdate (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [iLike] C:\Program Files\iLike\1.2.11\ilikesidebar.exe /checkforupdate (User 'Default user')

O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm

O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe

O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: *.amaena.com

O15 - Trusted Zone: *.antimalwareguard.com

O15 - Trusted Zone: *.antispyexpert.com

O15 - Trusted Zone: *.avsystemcare.com

O15 - Trusted Zone: *.gomyhit.com

O15 - Trusted Zone: *.imageservr.com

O15 - Trusted Zone: *.imagesrvr.com

O15 - Trusted Zone: *.onerateld.com

O15 - Trusted Zone: *.safetydownload.com

O15 - Trusted Zone: *.spyguardpro.com

O15 - Trusted Zone: *.storageguardsoft.com

O15 - Trusted Zone: *.trustedantivirus.com

O15 - Trusted Zone: *.virusremover2008.com

O15 - Trusted Zone: *.virusschlacht.com

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1189536675546

O20 - AppInit_DLLs: jkdjhw.dll,gxgcdd.dll

O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--

End of file - 6439 bytes

The comp is already faster! maybe its good now?...fingers crossed...

Link to post
Share on other sites

  • Root Admin

Sandboxie is a good program but for now let's disable it so we're sure what we're working on is the real box.

With all other applications closed (Taskbar empty), open HijackThis again

and run Do a system scan only and place a check mark on the following items.

  • O4 - HKCU\..\Run: [sandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe"
  • O4 - HKCU\..\Run: [bitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
    Then Quit All Browsers including the one you're reading this in now.
    Then click on Fix checked and then quit HJT

Then RESTART your computer

You're running Bit Torrent which is a file sharing program that can and does easily infect users such as yourself

File sharing involves using technology that allows internet users to share files that are housed on their individual computers. Peer-to-peer (P2P) applications, such as those used to share music files, are some of the most common forms of file-sharing technology. However, P2P applications introduce security risks that may put your information or your computer in jeopardy.

Risks of File-Sharing Technology

You need to uninstall or disable it at least while we're assisting you.

Please go into the Control Panel, Add/Remove and for now remove ALL versions of JAVA

When we're done you can go back and install the latest version but for now please do not install any.

Then run this tool to help cleanup any left over Java

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer (or other web browser) before continuing!***

  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location and post it back when you reply

Then look for the following Java folders and if found delete them.

C:\Program Files\Java

C:\Program Files\Common Files\Java

C:\Documents and Settings\All Users\Application Data\Java

C:\Documents and Settings\All Users\Application Data\Sun\Java

C:\Documents and Settings\username\Application Data\Java

C:\Documents and Settings\username\Application Data\Sun\Java

With all other applications closed (Taskbar empty), open HijackThis again

and run Do a system scan only and place a check mark on the following items.

  • O2 - BHO: (no name) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
  • O2 - BHO: (no name) - {E31DDF3A-5E5D-476C-A9D5-47A1C85EDF37} - C:\WINDOWS\system32\vtUkighh.dll (file missing)
  • O15 - Trusted Zone: *.amaena.com
  • O15 - Trusted Zone: *.antimalwareguard.com
  • O15 - Trusted Zone: *.antispyexpert.com
  • O15 - Trusted Zone: *.avsystemcare.com
  • O15 - Trusted Zone: *.gomyhit.com
  • O15 - Trusted Zone: *.imageservr.com
  • O15 - Trusted Zone: *.imagesrvr.com
  • O15 - Trusted Zone: *.onerateld.com
  • O15 - Trusted Zone: *.safetydownload.com
  • O15 - Trusted Zone: *.spyguardpro.com
  • O15 - Trusted Zone: *.storageguardsoft.com
  • O15 - Trusted Zone: *.trustedantivirus.com
  • O15 - Trusted Zone: *.virusremover2008.com
  • O15 - Trusted Zone: *.virusschlacht.com
  • O20 - AppInit_DLLs: jkdjhw.dll,gxgcdd.dll
    Then Quit All Browsers including the one you're reading this in now.
    Then click on Fix checked and then quit HJT

Then run another round of updates please.

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
    • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update

    [*]When the update is complete, select the Scanner tab

    [*]Select Perform quick scan, then click Scan.

    [*]When the scan is complete, click OK, then Show Results to view the results.

    [*]Be sure that everything is checked, and click Remove Selected.

    [*]When completed, a log will open in Notepad. please copy and paste the log into your next reply

    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then RESTART the computer

AFTER the reboot run HJT Do a system scan and save a logfile

The post back NEW MBAM and HJT logs in that order please.

Link to post
Share on other sites

First of all...You guys rock...i am so glad someone understands this language! And I appreciate the help...I probably could have used it many times before! I do have some ?s- My son actually put Sandbox and BitTorrent on...I do not really use them, [or understand them] but I did tell him I thought there could be problems from the sharing thing [he plays a lot of games with other players, idk...] Is this our biggest problem? How can he play w/out file-sharing? I would appreciate an expert opinion b/c he's about to get cut off the comp

Anyhoo...I did follow all steps to the best of my ability but one Java file would not delete ["cannot delete jusched.exe Access denied"] and one line I could not find at the final cleanout on HJT ["C;/Windows/Sys32/vtUkighh.dll].... but the records look good now :)

Malwarebytes' Anti-Malware 1.33

Database version: 1711

Windows 5.1.2600 Service Pack 3

1/31/2009 12:42:02 AM

mbam-log-2009-01-31 (00-42-02).txt

Scan type: Quick Scan

Objects scanned: 63708

Time elapsed: 5 minute(s), 5 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:44:10 AM, on 1/31/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2900.5512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Documents and Settings\janet\Application Data\Smilebox\SmileboxTray.exe

C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\WINDOWS\system32\svchost.exe

c:\WINDOWS\system32\ZuneBusEnum.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://next.my.msn.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll

O2 - BHO: (no name) - {8632ABCA-B104-4FBC-9C70-419C4147061B} - (no file)

O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-95BA-ED6DB186BE32} - (no file)

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [steam] "C:\Program Files\Steam\Steam.exe" -silent

O4 - HKCU\..\Run: [smileboxTray] "C:\Documents and Settings\janet\Application Data\Smilebox\SmileboxTray.exe"

O4 - HKCU\..\Run: [Azeroth Advisor Uploader] C:\Program Files\Azeroth Advisor Uploader\AzerothAdvisor.exe SILENT

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler

O4 - HKUS\S-1-5-18\..\Run: [iLike] C:\Program Files\iLike\1.2.11\ilikesidebar.exe /checkforupdate (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [iLike] C:\Program Files\iLike\1.2.11\ilikesidebar.exe /checkforupdate (User 'Default user')

O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm

O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe

O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1189536675546

O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--

End of file - 5094 bytes

One more question? How can I get Internet Explorer off? It has been messed up for a few months and I just started using Foxfire [which my son had on here already] but I cannot Add/Remove the IE program...is this advisable? I did finally get it off the default setting...sorry to be too much bother...i'm clueless

Thank you again!

Link to post
Share on other sites

  • Root Admin

You can not remove IE, it is integral to Windows. We can run some tools later to repair it.

For now please only run the following and then RESTART the computer.

With all other applications closed (Taskbar empty), open HijackThis again

and run Do a system scan only and place a check mark on the following items.

  • O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
  • O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
  • O2 - BHO: (no name) - {8632ABCA-B104-4FBC-9C70-419C4147061B} - (no file)
  • O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-95BA-ED6DB186BE32} - (no file)
  • O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe"
  • O4 - HKCU\..\Run: [steam] "C:\Program Files\Steam\Steam.exe" -silent
  • O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
  • O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
    Then Quit All Browsers including the one you're reading this in now.
    Then click on Fix checked and then quit HJT

Now RESTART the computer and go into the Control Panel, Add/Remove and look for ANY applications that has the name JAVA in it and if found uninstall it.

Then look at running this method to fully remove the AVG 8 Anti-Virus since you're now using Avira. There are pieces of AVG still running.

How to uninstall AVG (remove it permanently from PC)

Then run a new MBAM scan and HJT log as shown below and we'll go from there.

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
    • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update

    [*]When the update is complete, select the Scanner tab

    [*]Select Perform quick scan, then click Scan.

    [*]When the scan is complete, click OK, then Show Results to view the results.

    [*]Be sure that everything is checked, and click Remove Selected.

    [*]When completed, a log will open in Notepad. please copy and paste the log into your next reply

    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then RESTART the computer

AFTER the reboot run HJT Do a system scan and save a logfile

The post back NEW MBAM and HJT logs in that order please.

Link to post
Share on other sites

Thanks again... here are the most recent logs...it sounds good [?]

Malwarebytes' Anti-Malware 1.33

Database version: 1714

Windows 5.1.2600 Service Pack 3

2/1/2009 7:35:30 PM

mbam-log-2009-02-01 (19-35-30).txt

Scan type: Quick Scan

Objects scanned: 60653

Time elapsed: 5 minute(s), 11 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:37:55 PM, on 2/1/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2900.5512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\WINDOWS\Explorer.EXE

c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\WINDOWS\system32\svchost.exe

c:\WINDOWS\system32\ZuneBusEnum.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Documents and Settings\janet\Application Data\Smilebox\SmileboxTray.exe

C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://next.my.msn.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [smileboxTray] "C:\Documents and Settings\janet\Application Data\Smilebox\SmileboxTray.exe"

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler

O4 - HKUS\S-1-5-18\..\Run: [iLike] C:\Program Files\iLike\1.2.11\ilikesidebar.exe /checkforupdate (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [iLike] C:\Program Files\iLike\1.2.11\ilikesidebar.exe /checkforupdate (User 'Default user')

O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm

O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe

O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1189536675546

O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--

End of file - 4097 bytes

Link to post
Share on other sites

  • Root Admin

That just looks too clean as far as items running, ie. not normal.

Please run the following tool and let's see if we can see anything else that might be the cause of this, and your sure that your not running SandBoxie (it's not shown as running).

RootRepeal - Rootkit Detector

  • Please download the following tool:
    RootRepeal - Rootkit Detector
  • Direct download link is here:
    RootRepeal.rar

  • If you don't already have a program to open a .RAR compressed file you can download a trial version from here:
    WinRAR

  • Extract the program file to a new folder such as
    C:\RootRepeal

  • Run the program
    RootRepeal.exe
    and go to the
    REPORT
    tab and click on the
    Scan
    button

  • Select
    ALL
    of the checkboxes and then click
    OK
    and it will start scanning your system.

  • If you have multiple drives you only need to check the C: drive or the one Windows is installed on.

  • When done, click on
    Save Report

  • Save it to the same location where you ran it from, such as
    C:\RootRepeal

  • Save it as
    your_name_rootrepeal.txt
    - where your_name is your
    forum name

  • This makes it more easy to track who the log belongs to.

  • Then open that log and select all and copy/paste it back on your next reply please.

  • Quit the RootRepeal program.

Link to post
Share on other sites

OK hope this is right...pretty sure Sandboxie is off...thanks!

janflora_rootrepeal.txt

ROOTREPEAL © AD, 2007-2008

==================================================

Scan Time: 2009/02/03 00:41

Program Version: Version 1.2.3.0

Windows Version: Windows XP Media Center Edition SP3

==================================================

Drivers

-------------------

Name: dump_iastor.sys

Image Path: C:\WINDOWS\System32\Drivers\dump_iastor.sys

Address: 0xA10FA000 Size: 872448 File Visible: No

Status: -

Name: PCI_PNP6678

Image Path: \Driver\PCI_PNP6678

Address: 0x00000000 Size: 0 File Visible: No

Status: -

Name: rootrepeal.sys

Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0xF76B2000 Size: 45056 File Visible: No

Status: -

Name: spei.sys

Image Path: spei.sys

Address: 0xF7411000 Size: 1048576 File Visible: No

Status: -

Name: sptd

Image Path: \Driver\sptd

Address: 0x00000000 Size: 0 File Visible: No

Status: -

Hidden/Locked Files

-------------------

Path: C:\Documents and Settings\janet\Local Settings\Temp\etilqs_5Lie2wTJvX82xWj21Yhq

Status: Allocation size mismatch (API: 65536, Raw: 0)

Path: C:\WINDOWS\system32\wbem\Logs\wbemcore.log

Status: Size mismatch (API: 65039, Raw: 64947)

Path: C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Log\log_20.trc

Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\Documents and Settings\ian\Local Settings\Apps\2.0\2Y5PQEEZ.0RA\1OAT52G6.V7T\manifests\WindowsApplication1.exe.cdf-ms

Status: Locked to the Windows API!

Path: C:\Documents and Settings\ian\Local Settings\Apps\2.0\2Y5PQEEZ.0RA\1OAT52G6.V7T\manifests\WindowsApplication1.exe.manifest

Status: Locked to the Windows API!

SSDT

-------------------

#: 041 Function Name: NtCreateKey

Status: Hooked by "spei.sys" at address 0xf74120e0

#: 053 Function Name: NtCreateThread

Status: Hooked by "<unknown>" at address 0xf7d615d4

#: 071 Function Name: NtEnumerateKey

Status: Hooked by "spei.sys" at address 0xf7430ca2

#: 073 Function Name: NtEnumerateValueKey

Status: Hooked by "spei.sys" at address 0xf7431030

#: 119 Function Name: NtOpenKey

Status: Hooked by "spei.sys" at address 0xf74120c0

#: 122 Function Name: NtOpenProcess

Status: Hooked by "<unknown>" at address 0xf7d615c0

#: 128 Function Name: NtOpenThread

Status: Hooked by "<unknown>" at address 0xf7d615c5

#: 160 Function Name: NtQueryKey

Status: Hooked by "spei.sys" at address 0xf7431108

#: 177 Function Name: NtQueryValueKey

Status: Hooked by "spei.sys" at address 0xf7430f88

#: 247 Function Name: NtSetValueKey

Status: Hooked by "spei.sys" at address 0xf743119a

#: 257 Function Name: NtTerminateProcess

Status: Hooked by "<unknown>" at address 0xf7d615cf

#: 277 Function Name: NtWriteVirtualMemory

Status: Hooked by "<unknown>" at address 0xf7d615ca

Stealth Objects

-------------------

Object: Hidden Module [Name: UIX.dll]

Process: Zune.exe (PID: 2296) Address: 0x01060000 Size: 1683456

Object: Hidden Module [Name: UIX.renderapi.dll]

Process: Zune.exe (PID: 2296) Address: 0x00f10000 Size: 692224

Object: Hidden Module [Name: ZuneShell.dll]

Process: Zune.exe (PID: 2296) Address: 0x00e10000 Size: 987136

Object: Hidden Module [Name: ZuneDBApi.dll]

Process: Zune.exe (PID: 2296) Address: 0x00fc0000 Size: 647168

Object: Hidden Module [Name: UIXcontrols.dll]

Process: Zune.exe (PID: 2296) Address: 0x034d0000 Size: 2699264

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]

Process: System Address: 0x873d41f8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]

Process: System Address: 0x873d41f8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]

Process: System Address: 0x873d41f8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]

Process: System Address: 0x873d41f8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]

Process: System Address: 0x873d41f8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]

Process: System Address: 0x873d41f8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]

Process: System Address: 0x873d41f8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]

Process: System Address: 0x873d41f8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]

Process: System Address: 0x873d41f8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]

Process: System Address: 0x873d41f8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]

Process: System Address: 0x873d41f8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]

Process: System Address: 0x873d41f8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]

Process: System Address: 0x873d41f8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x873d41f8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]

Process: System Address: 0x873d41f8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]

Process: System Address: 0x873d41f8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]

Process: System Address: 0x873d41f8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]

Process: System Address: 0x873d41f8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]

Process: System Address: 0x873d41f8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]

Process: System Address: 0x873d41f8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]

Process: System Address: 0x873d41f8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]

Process: System Address: 0x873d41f8 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]

Process: System Address: 0x868d51f8 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]

Process: System Address: 0x868d51f8 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]

Process: System Address: 0x868d51f8 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]

Process: System Address: 0x868d51f8 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]

Process: System Address: 0x868d51f8 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x868d51f8 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x868d51f8 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]

Process: System Address: 0x868d51f8 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]

Process: System Address: 0x868d51f8 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x868d51f8 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]

Process: System Address: 0x868d51f8 Size: -

Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE]

Process: System Address: 0x873661f8 Size: -

Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE]

Process: System Address: 0x873661f8 Size: -

Object: Hidden Code [Driver: dmio, IRP_MJ_READ]

Process: System Address: 0x873661f8 Size: -

Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]

Process: System Address: 0x873661f8 Size: -

Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS]

Process: System Address: 0x873661f8 Size: -

Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x873661f8 Size: -

Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x873661f8 Size: -

Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN]

Process: System Address: 0x873661f8 Size: -

Object: Hidden Code [Driver: dmio, IRP_MJ_POWER]

Process: System Address: 0x873661f8 Size: -

Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x873661f8 Size: -

Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]

Process: System Address: 0x873661f8 Size: -

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]

Process: System Address: 0x8660a1f8 Size: -

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]

Process: System Address: 0x8660a1f8 Size: -

Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x8660a1f8 Size: -

Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x8660a1f8 Size: -

Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]

Process: System Address: 0x8660a1f8 Size: -

Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x8660a1f8 Size: -

Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]

Process: System Address: 0x8660a1f8 Size: -

Object: Hidden Code [Driver: iastor, IRP_MJ_CREATE]

Process: System Address: 0x873d61f8 Size: -

Object: Hidden Code [Driver: iastor, IRP_MJ_CLOSE]

Process: System Address: 0x873d61f8 Size: -

Object: Hidden Code [Driver: iastor, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x873d61f8 Size: -

Object: Hidden Code [Driver: iastor, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x873d61f8 Size: -

Object: Hidden Code [Driver: iastor, IRP_MJ_POWER]

Process: System Address: 0x873d61f8 Size: -

Object: Hidden Code [Driver: iastor, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x873d61f8 Size: -

Object: Hidden Code [Driver: iastor, IRP_MJ_PNP]

Process: System Address: 0x873d61f8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]

Process: System Address: 0x873d71f8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]

Process: System Address: 0x873d71f8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]

Process: System Address: 0x873d71f8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]

Process: System Address: 0x873d71f8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x873d71f8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x873d71f8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]

Process: System Address: 0x873d71f8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]

Process: System Address: 0x873d71f8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]

Process: System Address: 0x873d71f8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x873d71f8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]

Process: System Address: 0x873d71f8 Size: -

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]

Process: System Address: 0x860b21f8 Size: -

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]

Process: System Address: 0x860b21f8 Size: -

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x860b21f8 Size: -

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x860b21f8 Size: -

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]

Process: System Address: 0x860b21f8 Size: -

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]

Process: System Address: 0x860b21f8 Size: -

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]

Process: System Address: 0x8693a500 Size: -

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]

Process: System Address: 0x8693a500 Size: -

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x8693a500 Size: -

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x8693a500 Size: -

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]

Process: System Address: 0x8693a500 Size: -

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x8693a500 Size: -

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]

Process: System Address: 0x8693a500 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]

Process: System Address: 0x860a41f8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]

Process: System Address: 0x860a41f8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]

Process: System Address: 0x860a41f8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]

Process: System Address: 0x860a41f8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]

Process: System Address: 0x860a41f8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]

Process: System Address: 0x860a41f8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]

Process: System Address: 0x860a41f8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]

Process: System Address: 0x860a41f8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]

Process: System Address: 0x860a41f8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]

Process: System Address: 0x860a41f8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]

Process: System Address: 0x860a41f8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]

Process: System Address: 0x860a41f8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]

Process: System Address: 0x860a41f8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]

Process: System Address: 0x860a41f8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x860a41f8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x860a41f8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]

Process: System Address: 0x860a41f8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]

Process: System Address: 0x860a41f8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]

Process: System Address: 0x860a41f8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]

Process: System Address: 0x860a41f8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]

Process: System Address: 0x860a41f8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]

Process: System Address: 0x860a41f8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]

Process: System Address: 0x860a41f8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x860a41f8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]

Process: System Address: 0x860a41f8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]

Process: System Address: 0x860a41f8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]

Process: System Address: 0x860a41f8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]

Process: System Address: 0x860a41f8 Size: -

Object: Hidden Code [Driver: Cdfs؅ఉ瑎捦܉@考, IRP_MJ_CREATE]

Process: System Address: 0x8602a1f8 Size: -

Object: Hidden Code [Driver: Cdfs؅ఉ瑎捦܉@考, IRP_MJ_CLOSE]

Process: System Address: 0x8602a1f8 Size: -

Object: Hidden Code [Driver: Cdfs؅ఉ瑎捦܉@考, IRP_MJ_READ]

Process: System Address: 0x8602a1f8 Size: -

Object: Hidden Code [Driver: Cdfs؅ఉ瑎捦܉@考, IRP_MJ_QUERY_INFORMATION]

Process: System Address: 0x8602a1f8 Size: -

Object: Hidden Code [Driver: Cdfs؅ఉ瑎捦܉@考, IRP_MJ_SET_INFORMATION]

Process: System Address: 0x8602a1f8 Size: -

Object: Hidden Code [Driver: Cdfs؅ఉ瑎捦܉@考, IRP_MJ_QUERY_VOLUME_INFORMATION]

Process: System Address: 0x8602a1f8 Size: -

Object: Hidden Code [Driver: Cdfs؅ఉ瑎捦܉@考, IRP_MJ_DIRECTORY_CONTROL]

Process: System Address: 0x8602a1f8 Size: -

Object: Hidden Code [Driver: Cdfs؅ఉ瑎捦܉@考, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x8602a1f8 Size: -

Object: Hidden Code [Driver: Cdfs؅ఉ瑎捦܉@考, IRP_MJ_SHUTDOWN]

Process: System Address: 0x8602a1f8 Size: -

Object: Hidden Code [Driver: Cdfs؅ఉ瑎捦܉@考, IRP_MJ_LOCK_CONTROL]

Process: System Address: 0x8602a1f8 Size: -

Object: Hidden Code [Driver: Cdfs؅ఉ瑎捦܉@考, IRP_MJ_CLEANUP]

Process: System Address: 0x8602a1f8 Size: -

Object: Hidden Code [Driver: Cdfs؅ఉ瑎捦܉@考, IRP_MJ_PNP]

Process: System Address: 0x8602a1f8 Size: -

Link to post
Share on other sites

  • Root Admin

Click on
START - RUN
and type in
SIGVERIF
and click OK

This is a Microsoft File Signature Verification program that will check some file status for us.
  • Click on the
    START
    button and let it run.
  • It will popup a box when it's done to show the status, you can close that box.

  • Close the
    File Signature Verification
    application.

  • Find and attach the file C:\WINDOWS\
    SIGVERIF.TXT
    to your reply.

  • DO NOT
    post the log directly into your reply, attach the file please.

Please download this, place a blank CD in your burner and double-click on the downloaded file. It will automatically burn the CD for you.

At the bottom left should be 2 flags. If you use your mouse and click on the British flag the interface should switch to English for you.

Have it scan ALL files. There is no way that I'm aware of to save a log, so you may need to write down any special errors or infections found and their outcome.

Requires access to a working computer with a CD/DVD burner to create a bootable CD.

    Avira AntiVir Rescue System
    Avira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore. Thus it is possible to:


  • repair a damaged system,
  • rescue data,

  • scan the system for virus infections.


    Just double-click on the rescue system package to burn it to a CD/DVD. You can then use this CD/DVD to boot your computer.
    The Avira AntiVir Rescue System is updated several times a day so that the most recent security updates are always available.

Link to post
Share on other sites

  • Root Admin

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.