SteveT5195 Posted March 17, 2009 ID:65100 Share Posted March 17, 2009 I have the installation file on my machine as well as the program installed on my machine but the installed program won't run and the installation won't run. Help please!!!!Here is my Highjack This log...Logfile of Trend Micro HijackThis v2.0.2Scan saved at 4:43:00 AM, on 3/17/2009Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16608)Boot mode: NormalRunning processes:C:\WINDOWS\system32\csrss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\Explorer.EXEC:\Program Files\iTunes\iTunesHelper.exeC:\Program Files\Yahoo!\Search Protection\SearchProtection.exeC:\Program Files\Java\jre1.5.0_03\bin\jusched.exeC:\Program Files\Nova Development\Greeting Card Factory Deluxe\ReminderApp.exeC:\Program Files\Trend Micro\Internet Security 2005\pccguide.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\WINDOWS\system32\rundll32.exeC:\Program Files\Logitech\MouseWare\system\em_exec.exeC:\WINDOWS\system32\nvsvc32.exeC:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exeC:\WINDOWS\System32\HPZipm12.exeC:\Program Files\Spyware Doctor\sdhelp.exeC:\WINDOWS\System32\svchost.exeC:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exeC:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exeC:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exeC:\Program Files\iPod\bin\iPodService.exeC:\WINDOWS\System32\alg.exeC:\WINDOWS\system32\devldr32.exeC:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exeC:\Documents and Settings\Steve\Desktop\HijackThis.exeC:\WINDOWS\System32\wbem\wmiprvse.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.comcast.net/login?s=portal&am...3D1236860560388R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.netR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htmR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by ComcastR1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0R3 - URLSearchHook: (no name) - {ABE9C052-8DBA-36A6-CB42-D2DD0083434C} - NSYSCPLSTR.dll (file missing)R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dllF2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dllO2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dllO2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dllO2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dllO2 - BHO: {9636d4e2-f0ed-533b-1754-2ed9ba71116e} - {e61117ab-9de2-4571-b335-de0f2e4d6369} - (no file)O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn6\YTSingleInstance.dllO3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dllO4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /serverO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.ExeO4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"O4 - HKLM\..\Run: [nwiz] nwiz.exe /installO4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInitO4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exeO4 - HKLM\..\Run: [ReminderApp] C:\Program Files\Nova Development\Greeting Card Factory Deluxe\ReminderApp.exeO4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"O4 - HKLM\..\Run: [autochk] rundll32.exe C:\WINDOWS\system32\autochk.dll,_IWMPEvents@16O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exeO4 - HKCU\..\Run: [search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exeO4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exeO4 - HKCU\..\Run: [autochk] rundll32.exe C:\DOCUME~1\LOCALS~1.NTA\protect.dll,_IWMPEvents@16O4 - HKUS\S-1-5-18\..\Run: [spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\Run: [spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')O4 - Startup: ChkDisk.dllO4 - Startup: ChkDisk.lnk = ?O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htmO8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.htmlO8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htmO8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.htmlO8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.htmlO8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.htmlO8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.htmlO8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htmO8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htmO8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htmO9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dllO9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dllO9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dllO9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dllO15 - Trusted Zone: *.passport.comO16 - DPF: {028518E1-9FA8-44FC-92D7-5C54244B5F36} - http://activex.microsoft.com/objects/ocget.dllO16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cabO16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cabO16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cabO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1237055561203O16 - DPF: {8646A6AF-0AE4-4BF8-B716-DB1513803972} (SFImageUpload1_8.ImageUpload) - http://riteaid.storefront.com/images/globa...geUpload1_8.CABO16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cabO18 - Filter hijack: text/html - {933750af-5c45-45f5-be94-783239a5f0f6} - C:\WINDOWS\system32\mst122.dllO23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeO23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exeO23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exeO23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exeO23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exeO23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exeO23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exeO23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe--End of file - 10045 bytes Link to post Share on other sites More sharing options...
Fatdcuk Posted March 17, 2009 ID:65112 Share Posted March 17, 2009 Hi please use the following wlakthrough to see if you have CLB driver present and take appropriate action if it is.http://www.malwarebytes.org/forums/index.php?showtopic=12709 Link to post Share on other sites More sharing options...
SteveT5195 Posted March 18, 2009 Author ID:65542 Share Posted March 18, 2009 Hi please use the following wlakthrough to see if you have CLB driver present and take appropriate action if it is.http://www.malwarebytes.org/forums/index.php?showtopic=12709I am really trying to follow the instructions on the link. I can download "rootrepeal" but the program won't run. It can't find the "associated program."What is the associated program to run this? It won't automatically find the program and asks me to designate a program.I need help this is VERY frustrating. Link to post Share on other sites More sharing options...
SteveT5195 Posted March 18, 2009 Author ID:65544 Share Posted March 18, 2009 Okay I've managed to run "rootrepeal"However, after identifying the file to "wipe" and selecting the "wipe" option it's telling me "Could not find file on disk."Here is the entire list (I've bolded the one I "think" I'm supposed to wipe).ROOTREPEAL © AD, 2007-2008==================================================Scan Time: 2009/03/18 05:31Program Version: Version 1.2.3.0Windows Version: Windows XP SP2==================================================Drivers-------------------Name: 1394BUS.SYSImage Path: C:\WINDOWS\System32\DRIVERS\1394BUS.SYSAddress: 0xF754F000 Size: 53248 File Visible: -Status: -Name: ACPI.sysImage Path: ACPI.sysAddress: 0xF74E0000 Size: 187776 File Visible: -Status: -Name: ACPI_HALImage Path: \Driver\ACPI_HALAddress: 0x804D7000 Size: 2180352 File Visible: -Status: -Name: afd.sysImage Path: C:\WINDOWS\System32\drivers\afd.sysAddress: 0xF4E8B000 Size: 138496 File Visible: -Status: -Name: agp440.sysImage Path: agp440.sysAddress: 0xF759F000 Size: 42368 File Visible: -Status: -Name: ALIEHCI.sysImage Path: C:\WINDOWS\System32\Drivers\ALIEHCI.sysAddress: 0xF642E000 Size: 111680 File Visible: -Status: -Name: AliRtHub.sysImage Path: C:\WINDOWS\System32\DRIVERS\AliRtHub.sysAddress: 0xF7C6B000 Size: 2944 File Visible: -Status: -Name: AmosNt.SYSImage Path: C:\WINDOWS\System32\DRIVERS\AmosNt.SYSAddress: 0xF64FA000 Size: 155648 File Visible: -Status: -Name: arp1394.sysImage Path: C:\WINDOWS\System32\DRIVERS\arp1394.sysAddress: 0xF76EF000 Size: 60800 File Visible: -Status: -Name: atapi.sysImage Path: atapi.sysAddress: 0xF7498000 Size: 95360 File Visible: -Status: -Name: ATMFD.DLLImage Path: C:\WINDOWS\System32\ATMFD.DLLAddress: 0xBFFA0000 Size: 286720 File Visible: -Status: -Name: audstub.sysImage Path: C:\WINDOWS\System32\DRIVERS\audstub.sysAddress: 0xF7C58000 Size: 3072 File Visible: -Status: -Name: basic2.sysImage Path: C:\WINDOWS\System32\DRIVERS\basic2.sysAddress: 0xF65A7000 Size: 69408 File Visible: -Status: -Name: Beep.SYSImage Path: C:\WINDOWS\System32\Drivers\Beep.SYSAddress: 0xF7A97000 Size: 4224 File Visible: -Status: -Name: BOOTVID.dllImage Path: C:\WINDOWS\system32\BOOTVID.dllAddress: 0xF793F000 Size: 12288 File Visible: -Status: -Name: Cdfs.SYSImage Path: C:\WINDOWS\System32\Drivers\Cdfs.SYSAddress: 0xF3649000 Size: 63744 File Visible: -Status: -Name: Cdr4_xp.SYSImage Path: C:\WINDOWS\System32\Drivers\Cdr4_xp.SYSAddress: 0xF6B1E000 Size: 59168 File Visible: -Status: -Name: Cdralw2k.SYSImage Path: C:\WINDOWS\System32\Drivers\Cdralw2k.SYSAddress: 0xF792F000 Size: 22144 File Visible: -Status: -Name: cdrom.sysImage Path: C:\WINDOWS\System32\DRIVERS\cdrom.sysAddress: 0xF6B0E000 Size: 49536 File Visible: -Status: -Name: cdudf_xp.SYSImage Path: C:\WINDOWS\System32\Drivers\cdudf_xp.SYSAddress: 0xF4FAA000 Size: 236032 File Visible: -Status: -Name: CLASSPNP.SYSImage Path: C:\WINDOWS\System32\DRIVERS\CLASSPNP.SYSAddress: 0xF758F000 Size: 53248 File Visible: -Status: -Name: ctlfacem.sysImage Path: C:\WINDOWS\system32\drivers\ctlfacem.sysAddress: 0xF7A81000 Size: 6912 File Visible: -Status: -Name: ctljystk.sysImage Path: C:\WINDOWS\System32\DRIVERS\ctljystk.sysAddress: 0xF7C44000 Size: 3712 File Visible: -Status: -Name: disk.sysImage Path: disk.sysAddress: 0xF757F000 Size: 36352 File Visible: -Status: -Name: drmk.sysImage Path: C:\WINDOWS\system32\drivers\drmk.sysAddress: 0xF777F000 Size: 61440 File Visible: -Status: -Name: dump_atapi.sysImage Path: C:\WINDOWS\System32\Drivers\dump_atapi.sysAddress: 0xF3264000 Size: 98304 File Visible: NoStatus: -Name: dump_WMILIB.SYSImage Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYSAddress: 0xF7ADD000 Size: 8192 File Visible: NoStatus: -Name: Dxapi.sysImage Path: C:\WINDOWS\System32\drivers\Dxapi.sysAddress: 0xF4E67000 Size: 12288 File Visible: -Status: -Name: dxg.sysImage Path: C:\WINDOWS\System32\drivers\dxg.sysAddress: 0xBF9C3000 Size: 73728 File Visible: -Status: -Name: dxgthk.sysImage Path: C:\WINDOWS\System32\drivers\dxgthk.sysAddress: 0xF7C4F000 Size: 4096 File Visible: -Status: -Name: emu10k1m.sysImage Path: C:\WINDOWS\system32\drivers\emu10k1m.sysAddress: 0xF64B4000 Size: 283904 File Visible: -Status: -Name: fallback.sysImage Path: C:\WINDOWS\System32\DRIVERS\fallback.sysAddress: 0xB9E44000 Size: 289888 File Visible: -Status: -Name: faxnt.sysImage Path: C:\WINDOWS\System32\DRIVERS\faxnt.sysAddress: 0xB9048000 Size: 199712 File Visible: -Status: -Name: fdc.sysImage Path: C:\WINDOWS\System32\DRIVERS\fdc.sysAddress: 0xF7917000 Size: 27392 File Visible: -Status: -Name: Fips.SYSImage Path: C:\WINDOWS\System32\Drivers\Fips.SYSAddress: 0xF76DF000 Size: 34944 File Visible: -Status: -Name: flpydisk.sysImage Path: C:\WINDOWS\System32\DRIVERS\flpydisk.sysAddress: 0xF7817000 Size: 20480 File Visible: -Status: -Name: fltmgr.sysImage Path: fltmgr.sysAddress: 0xF7478000 Size: 128896 File Visible: -Status: -Name: Fs_Rec.SYSImage Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYSAddress: 0xF7A95000 Size: 7936 File Visible: -Status: -Name: fsksnt.sysImage Path: C:\WINDOWS\System32\DRIVERS\fsksnt.sysAddress: 0xB9E27000 Size: 115776 File Visible: -Status: -Name: ftdisk.sysImage Path: ftdisk.sysAddress: 0xF74B0000 Size: 125056 File Visible: -Status: -Name: gameenum.sysImage Path: C:\WINDOWS\System32\DRIVERS\gameenum.sysAddress: 0xF7253000 Size: 10624 File Visible: -Status: -Name: GEARAspiWDM.sysImage Path: C:\WINDOWS\System32\Drivers\GEARAspiWDM.sysAddress: 0xF7243000 Size: 9472 File Visible: -Status: -Name: hal.dllImage Path: C:\WINDOWS\system32\hal.dllAddress: 0x806EC000 Size: 131968 File Visible: -Status: -Name: HIDCLASS.SYSImage Path: C:\WINDOWS\System32\DRIVERS\HIDCLASS.SYSAddress: 0xF76FF000 Size: 36864 File Visible: -Status: -Name: HIDPARSE.SYSImage Path: C:\WINDOWS\System32\DRIVERS\HIDPARSE.SYSAddress: 0xF786F000 Size: 28672 File Visible: -Status: -Name: hidusb.sysImage Path: C:\WINDOWS\System32\DRIVERS\hidusb.sysAddress: 0xF7A17000 Size: 9600 File Visible: -Status: -Name: HPZid412.sysImage Path: C:\WINDOWS\System32\DRIVERS\HPZid412.sysAddress: 0xF773F000 Size: 50848 File Visible: -Status: -Name: HPZipr12.sysImage Path: C:\WINDOWS\System32\DRIVERS\HPZipr12.sysAddress: 0xF7A27000 Size: 16224 File Visible: -Status: -Name: HPZius12.sysImage Path: C:\WINDOWS\System32\DRIVERS\HPZius12.sysAddress: 0xF7897000 Size: 21472 File Visible: -Status: -Name: HSF_CNXT.sysImage Path: C:\WINDOWS\System32\DRIVERS\HSF_CNXT.sysAddress: 0xF6520000 Size: 551168 File Visible: -Status: -Name: HTTP.sysImage Path: C:\WINDOWS\System32\Drivers\HTTP.sysAddress: 0xB6395000 Size: 262784 File Visible: -Status: -Name: i8042prt.sysImage Path: C:\WINDOWS\System32\DRIVERS\i8042prt.sysAddress: 0xF779F000 Size: 52736 File Visible: -Status: -Name: ikhfile.sysImage Path: C:\WINDOWS\system32\drivers\ikhfile.sysAddress: 0xF784F000 Size: 30592 File Visible: -Status: -Name: ikhlayer.sysImage Path: C:\WINDOWS\System32\drivers\ikhlayer.sysAddress: 0xF76CF000 Size: 51072 File Visible: -Status: -Name: Imapi.SYSImage Path: C:\WINDOWS\System32\Drivers\Imapi.SYSAddress: 0xF6AEE000 Size: 41856 File Visible: -Status: -Name: intelide.sysImage Path: intelide.sysAddress: 0xF7A33000 Size: 5504 File Visible: -Status: -Name: intelppm.sysImage Path: C:\WINDOWS\System32\DRIVERS\intelppm.sysAddress: 0xF774F000 Size: 36096 File Visible: -Status: -Name: ipnat.sysImage Path: C:\WINDOWS\System32\DRIVERS\ipnat.sysAddress: 0xF4E42000 Size: 134912 File Visible: -Status: -Name: ipsec.sysImage Path: C:\WINDOWS\System32\DRIVERS\ipsec.sysAddress: 0xF4F2D000 Size: 74752 File Visible: -Status: -Name: isapnp.sysImage Path: isapnp.sysAddress: 0xF752F000 Size: 35840 File Visible: -Status: -Name: k56nt.sysImage Path: C:\WINDOWS\System32\DRIVERS\k56nt.sysAddress: 0xB9D9F000 Size: 391744 File Visible: -Status: -Name: kbdclass.sysImage Path: C:\WINDOWS\System32\DRIVERS\kbdclass.sysAddress: 0xF791F000 Size: 24576 File Visible: -Status: -Name: KDCOM.DLLImage Path: C:\WINDOWS\system32\KDCOM.DLLAddress: 0xF7A2F000 Size: 8192 File Visible: -Status: -Name: kmixer.sysImage Path: C:\WINDOWS\system32\drivers\kmixer.sysAddress: 0xACB51000 Size: 172416 File Visible: -Status: -Name: ks.sysImage Path: C:\WINDOWS\system32\drivers\ks.sysAddress: 0xF646D000 Size: 143360 File Visible: -Status: -Name: KSecDD.sysImage Path: KSecDD.sysAddress: 0xF744F000 Size: 92032 File Visible: -Status: -Name: L8042pr2.SysImage Path: C:\WINDOWS\System32\DRIVERS\L8042pr2.SysAddress: 0xF75CF000 Size: 46976 File Visible: -Status: -Name: LMouFlt2.SysImage Path: C:\WINDOWS\System32\DRIVERS\LMouFlt2.SysAddress: 0xF6B3E000 Size: 63328 File Visible: -Status: -Name: mmc_2K.SYSImage Path: C:\WINDOWS\System32\Drivers\mmc_2K.SYSAddress: 0xF77EF000 Size: 21696 File Visible: -Status: -Name: mnmdd.SYSImage Path: C:\WINDOWS\System32\Drivers\mnmdd.SYSAddress: 0xF7A99000 Size: 4224 File Visible: -Status: -Name: Modem.SYSImage Path: C:\WINDOWS\System32\Drivers\Modem.SYSAddress: 0xF7907000 Size: 30080 File Visible: -Status: -Name: MODEMCSA.sysImage Path: C:\WINDOWS\system32\drivers\MODEMCSA.sysAddress: 0xF79BF000 Size: 16128 File Visible: -Status: -Name: mouclass.sysImage Path: C:\WINDOWS\System32\DRIVERS\mouclass.sysAddress: 0xF7927000 Size: 23040 File Visible: -Status: -Name: MountMgr.sysImage Path: MountMgr.sysAddress: 0xF755F000 Size: 42240 File Visible: -Status: -Name: mrxdav.sysImage Path: C:\WINDOWS\System32\DRIVERS\mrxdav.sysAddress: 0xB9F53000 Size: 179584 File Visible: -Status: -Name: mrxsmb.sysImage Path: C:\WINDOWS\System32\DRIVERS\mrxsmb.sysAddress: 0xF4DA8000 Size: 453120 File Visible: -Status: -Name: Msfs.SYSImage Path: C:\WINDOWS\System32\Drivers\Msfs.SYSAddress: 0xF782F000 Size: 19072 File Visible: -Status: -Name: msgpc.sysImage Path: C:\WINDOWS\System32\DRIVERS\msgpc.sysAddress: 0xF6AAE000 Size: 35072 File Visible: -Status: -Name: mssmbios.sysImage Path: C:\WINDOWS\System32\DRIVERS\mssmbios.sysAddress: 0xF69B8000 Size: 15488 File Visible: -Status: -Name: Mup.sysImage Path: Mup.sysAddress: 0xF737A000 Size: 107904 File Visible: -Status: -Name: NDIS.sysImage Path: NDIS.sysAddress: 0xF7395000 Size: 182912 File Visible: -Status: -Name: ndistapi.sysImage Path: C:\WINDOWS\System32\DRIVERS\ndistapi.sysAddress: 0xF69C0000 Size: 9600 File Visible: -Status: -Name: ndisuio.sysImage Path: C:\WINDOWS\System32\DRIVERS\ndisuio.sysAddress: 0xBAC1A000 Size: 12928 File Visible: -Status: -Name: ndiswan.sysImage Path: C:\WINDOWS\System32\DRIVERS\ndiswan.sysAddress: 0xF63EA000 Size: 91776 File Visible: -Status: -Name: NDProxy.SYSImage Path: C:\WINDOWS\System32\Drivers\NDProxy.SYSAddress: 0xF75FF000 Size: 38016 File Visible: -Status: -Name: netbios.sysImage Path: C:\WINDOWS\System32\DRIVERS\netbios.sysAddress: 0xF766F000 Size: 34560 File Visible: -Status: -Name: netbt.sysImage Path: C:\WINDOWS\System32\DRIVERS\netbt.sysAddress: 0xF4EAD000 Size: 162816 File Visible: -Status: -Name: nic1394.sysImage Path: C:\WINDOWS\System32\DRIVERS\nic1394.sysAddress: 0xF75BF000 Size: 61824 File Visible: -Status: -Name: Npfs.SYSImage Path: C:\WINDOWS\System32\Drivers\Npfs.SYSAddress: 0xF7837000 Size: 30848 File Visible: -Status: -Name: Ntfs.sysImage Path: Ntfs.sysAddress: 0xF73C2000 Size: 574464 File Visible: -Status: -Name: ntoskrnl.exeImage Path: C:\WINDOWS\system32\ntoskrnl.exeAddress: 0x804D7000 Size: 2180352 File Visible: -Status: -Name: Null.SYSImage Path: C:\WINDOWS\System32\Drivers\Null.SYSAddress: 0xF7C6D000 Size: 2944 File Visible: -Status: -Name: nv4_disp.dllImage Path: C:\WINDOWS\System32\nv4_disp.dllAddress: 0xBF9D5000 Size: 4530176 File Visible: -Status: -Name: nv4_mini.sysImage Path: C:\WINDOWS\System32\DRIVERS\nv4_mini.sysAddress: 0xF65CC000 Size: 3994624 File Visible: -Status: -Name: ohci1394.sysImage Path: ohci1394.sysAddress: 0xF753F000 Size: 61056 File Visible: -Status: -Name: OMCI.SYSImage Path: C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYSAddress: 0xF7A0B000 Size: 12864 File Visible: -Status: -Name: parport.sysImage Path: C:\WINDOWS\System32\DRIVERS\parport.sysAddress: 0xF641A000 Size: 80128 File Visible: -Status: -Name: PartMgr.sysImage Path: PartMgr.sysAddress: 0xF77B7000 Size: 18688 File Visible: -Status: -Name: ParVdm.SYSImage Path: C:\WINDOWS\System32\Drivers\ParVdm.SYSAddress: 0xF7AA7000 Size: 6784 File Visible: -Status: -Name: pci.sysImage Path: pci.sysAddress: 0xF74CF000 Size: 68224 File Visible: -Status: -Name: pciide.sysImage Path: pciide.sysAddress: 0xF7AF7000 Size: 3328 File Visible: -Status: -Name: PCIIDEX.SYSImage Path: C:\WINDOWS\System32\DRIVERS\PCIIDEX.SYSAddress: 0xF77AF000 Size: 28672 File Visible: -Status: -Name: pfc.sysImage Path: C:\WINDOWS\system32\drivers\pfc.sysAddress: 0xF724B000 Size: 10368 File Visible: -Status: -Name: PnpManagerImage Path: \Driver\PnpManagerAddress: 0x804D7000 Size: 2180352 File Visible: -Status: -Name: portcls.sysImage Path: C:\WINDOWS\system32\drivers\portcls.sysAddress: 0xF6490000 Size: 147456 File Visible: -Status: -Name: psched.sysImage Path: C:\WINDOWS\System32\DRIVERS\psched.sysAddress: 0xF63D9000 Size: 69120 File Visible: -Status: -Name: ptilink.sysImage Path: C:\WINDOWS\System32\DRIVERS\ptilink.sysAddress: 0xF77DF000 Size: 17792 File Visible: -Status: -Name: pwd_2k.SYSImage Path: C:\WINDOWS\System32\Drivers\pwd_2k.SYSAddress: 0xF6401000 Size: 101024 File Visible: -Status: -Name: PxHelp20.sysImage Path: PxHelp20.sysAddress: 0xF77BF000 Size: 19936 File Visible: -Status: -Name: rasacd.sysImage Path: C:\WINDOWS\System32\DRIVERS\rasacd.sysAddress: 0xF79E7000 Size: 8832 File Visible: -Status: -Name: rasl2tp.sysImage Path: C:\WINDOWS\System32\DRIVERS\rasl2tp.sysAddress: 0xF6ADE000 Size: 51328 File Visible: -Status: -Name: raspppoe.sysImage Path: C:\WINDOWS\System32\DRIVERS\raspppoe.sysAddress: 0xF6ACE000 Size: 41472 File Visible: -Status: -Name: raspptp.sysImage Path: C:\WINDOWS\System32\DRIVERS\raspptp.sysAddress: 0xF6ABE000 Size: 48384 File Visible: -Status: -Name: raspti.sysImage Path: C:\WINDOWS\System32\DRIVERS\raspti.sysAddress: 0xF77E7000 Size: 16512 File Visible: -Status: -Name: RAWImage Path: \FileSystem\RAWAddress: 0x804D7000 Size: 2180352 File Visible: -Status: -Name: rdbss.sysImage Path: C:\WINDOWS\System32\DRIVERS\rdbss.sysAddress: 0xF4E17000 Size: 174592 File Visible: -Status: -Name: RDPCDD.sysImage Path: C:\WINDOWS\System32\DRIVERS\RDPCDD.sysAddress: 0xF7A9B000 Size: 4224 File Visible: -Status: -Name: redbook.sysImage Path: C:\WINDOWS\System32\DRIVERS\redbook.sysAddress: 0xF6AFE000 Size: 57472 File Visible: -Status: -Name: rksample.sysImage Path: C:\WINDOWS\System32\DRIVERS\rksample.sysAddress: 0xF776F000 Size: 59392 File Visible: -Status: -Name: rootrepeal.sysImage Path: C:\WINDOWS\system32\drivers\rootrepeal.sysAddress: 0xAE60F000 Size: 45056 File Visible: NoStatus: -Name: RTL8139.SYSImage Path: C:\WINDOWS\System32\DRIVERS\RTL8139.SYSAddress: 0xF78FF000 Size: 20992 File Visible: -Status: -Name: sdcplh.sysImage Path: C:\WINDOWS\System32\drivers\sdcplh.sysAddress: 0xF76AF000 Size: 40576 File Visible: -Status: -Name: secdrv.sysImage Path: C:\WINDOWS\System32\DRIVERS\secdrv.sysAddress: 0xBA00F000 Size: 40960 File Visible: -Status: -Name: serenum.sysImage Path: C:\WINDOWS\System32\DRIVERS\serenum.sysAddress: 0xF724F000 Size: 15488 File Visible: -Status: -Name: serial.sysImage Path: C:\WINDOWS\System32\DRIVERS\serial.sysAddress: 0xF6B2E000 Size: 64896 File Visible: -Status: -Name: sfmanm.sysImage Path: C:\WINDOWS\system32\drivers\sfmanm.sysAddress: 0xF778F000 Size: 36480 File Visible: -Status: -Name: SOAR.SYSImage Path: C:\WINDOWS\System32\DRIVERS\SOAR.SYSAddress: 0xF775F000 Size: 45056 File Visible: -Status: -Name: spkpnt.sysImage Path: C:\WINDOWS\System32\DRIVERS\spkpnt.sysAddress: 0xB9036000 Size: 73248 File Visible: -Status: -Name: sr.sysImage Path: sr.sysAddress: 0xF7466000 Size: 73472 File Visible: -Status: -Name: srv.sysImage Path: C:\WINDOWS\System32\DRIVERS\srv.sysAddress: 0xB9D4D000 Size: 332928 File Visible: -Status: -Name: SSHDRV65.sysImage Path: C:\WINDOWS\System32\drivers\SSHDRV65.sysAddress: 0xF5004000 Size: 139264 File Visible: -Status: -Name: swenum.sysImage Path: C:\WINDOWS\System32\DRIVERS\swenum.sysAddress: 0xF7A8B000 Size: 4352 File Visible: -Status: -Name: sysaudio.sysImage Path: C:\WINDOWS\system32\drivers\sysaudio.sysAddress: 0xF4D88000 Size: 60800 File Visible: -Status: -Name: tcpip.sysImage Path: C:\WINDOWS\System32\DRIVERS\tcpip.sysAddress: 0xF4ED5000 Size: 360064 File Visible: -Status: -Name: TDI.SYSImage Path: C:\WINDOWS\System32\DRIVERS\TDI.SYSAddress: 0xF77D7000 Size: 20480 File Visible: -Status: -Name: termdd.sysImage Path: C:\WINDOWS\System32\DRIVERS\termdd.sysAddress: 0xF75DF000 Size: 40704 File Visible: -Status: -Name: tm_cfw.sysImage Path: C:\WINDOWS\System32\Drivers\tm_cfw.sysAddress: 0xB8F1D000 Size: 821728 File Visible: -Status: -Name: Tmpreflt.sysImage Path: C:\WINDOWS\system32\drivers\Tmpreflt.sysAddress: 0xF772F000 Size: 53248 File Visible: -Status: -Name: tmtdi.sysImage Path: C:\WINDOWS\System32\Drivers\tmtdi.sysAddress: 0xF768F000 Size: 35456 File Visible: -Status: -Name: TmXPFlt.sysImage Path: C:\WINDOWS\system32\drivers\TmXPFlt.sysAddress: 0xBAC22000 Size: 274432 File Visible: -Status: -Name: tonesnt.sysImage Path: C:\WINDOWS\System32\DRIVERS\tonesnt.sysAddress: 0xB90B1000 Size: 50688 File Visible: -Status: -Name: UACcoihaiqd.sysImage Path: C:\WINDOWS\system32\drivers\UACcoihaiqd.sysAddress: 0xF4F85000 Size: 77824 File Visible: -Status: Hidden from Windows API!Name: UdfReadr_xp.SYSImage Path: C:\WINDOWS\System32\Drivers\UdfReadr_xp.SYSAddress: 0xF4F52000 Size: 206336 File Visible: -Status: -Name: update.sysImage Path: C:\WINDOWS\System32\DRIVERS\update.sysAddress: 0xF636F000 Size: 364160 File Visible: -Status: -Name: usbccgp.sysImage Path: C:\WINDOWS\System32\DRIVERS\usbccgp.sysAddress: 0xF7877000 Size: 31616 File Visible: -Status: -Name: USBD.SYSImage Path: C:\WINDOWS\System32\DRIVERS\USBD.SYSAddress: 0xF7A8D000 Size: 8192 File Visible: -Status: -Name: usbhub.sysImage Path: C:\WINDOWS\System32\DRIVERS\usbhub.sysAddress: 0xF75EF000 Size: 57600 File Visible: -Status: -Name: usbohci.sysImage Path: C:\WINDOWS\System32\DRIVERS\usbohci.sysAddress: 0xF790F000 Size: 17024 File Visible: -Status: -Name: USBPORT.SYSImage Path: C:\WINDOWS\System32\DRIVERS\USBPORT.SYSAddress: 0xF644A000 Size: 143360 File Visible: -Status: -Name: usbprint.sysImage Path: C:\WINDOWS\System32\DRIVERS\usbprint.sysAddress: 0xF788F000 Size: 25856 File Visible: -Status: -Name: usbscan.sysImage Path: C:\WINDOWS\System32\DRIVERS\usbscan.sysAddress: 0xF7A23000 Size: 15104 File Visible: -Status: -Name: USBSTOR.SYSImage Path: C:\WINDOWS\System32\DRIVERS\USBSTOR.SYSAddress: 0xF789F000 Size: 26496 File Visible: -Status: -Name: usbuhci.sysImage Path: C:\WINDOWS\System32\DRIVERS\usbuhci.sysAddress: 0xF7937000 Size: 20480 File Visible: -Status: -Name: v124nt.sysImage Path: C:\WINDOWS\System32\DRIVERS\v124nt.sysAddress: 0xB8E7D000 Size: 490336 File Visible: -Status: -Name: vga.sysImage Path: C:\WINDOWS\System32\drivers\vga.sysAddress: 0xF7827000 Size: 20992 File Visible: -Status: -Name: VIDEOPRT.SYSImage Path: C:\WINDOWS\System32\DRIVERS\VIDEOPRT.SYSAddress: 0xF65B8000 Size: 81920 File Visible: -Status: -Name: VolSnap.sysImage Path: VolSnap.sysAddress: 0xF756F000 Size: 52352 File Visible: -Status: -Name: Vsapint.sysImage Path: C:\WINDOWS\system32\drivers\Vsapint.sysAddress: 0xBAC65000 Size: 1188640 File Visible: -Status: -Name: wanarp.sysImage Path: C:\WINDOWS\System32\DRIVERS\wanarp.sysAddress: 0xF769F000 Size: 34560 File Visible: -Status: -Name: watchdog.sysImage Path: C:\WINDOWS\System32\watchdog.sysAddress: 0xF3720000 Size: 20480 File Visible: -Status: -Name: wdmaud.sysImage Path: C:\WINDOWS\system32\drivers\wdmaud.sysAddress: 0xBA255000 Size: 82944 File Visible: -Status: -Name: Win32kImage Path: \Driver\Win32kAddress: 0xBF800000 Size: 1847296 File Visible: -Status: -Name: win32k.sysImage Path: C:\WINDOWS\System32\win32k.sysAddress: 0xBF800000 Size: 1847296 File Visible: -Status: -Name: WMILIB.SYSImage Path: C:\WINDOWS\System32\DRIVERS\WMILIB.SYSAddress: 0xF7A31000 Size: 8192 File Visible: -Status: -Name: WMIxWDMImage Path: \Driver\WMIxWDMAddress: 0x804D7000 Size: 2180352 File Visible: -Status: -Name: ws2ifsl.sysImage Path: C:\WINDOWS\System32\drivers\ws2ifsl.sysAddress: 0xF79EF000 Size: 12032 File Visible: -Status: -Should I use the "Force Delete" Option? Or what? Link to post Share on other sites More sharing options...
SteveT5195 Posted March 18, 2009 Author ID:65545 Share Posted March 18, 2009 Here is my listing when I use the "file" scan option...ROOTREPEAL © AD, 2007-2008==================================================Scan Time: 2009/03/18 05:35Program Version: Version 1.2.3.0Windows Version: Windows XP SP2==================================================Hidden/Locked Files-------------------Path: C:\DELL.SDRStatus: Could not get file information (Error 0xc0000008)Path: C:\MSDOS.SYSStatus: Could not get file information (Error 0xc0000008)Path: C:\RECYCLERStatus: Could not get file information (Error 0xc0000008)Path: C:\tempStatus: Could not get file information (Error 0xc0000008)Path: C:\devicetable.logStatus: Could not get file information (Error 0xc0000008)Path: C:\DISNEYStatus: Could not get file information (Error 0xc0000008)Path: C:\Documents and SettingsStatus: Could not get file information (Error 0xc0000008)Path: C:\DRIVERSStatus: Could not get file information (Error 0xc0000008)Path: C:\DSC00018.JPGStatus: Could not get file information (Error 0xc0000008)Path: C:\EmpireStatus: Could not get file information (Error 0xc0000008)Path: C:\EPSONREGStatus: Could not get file information (Error 0xc0000008)Path: C:\Faith Builders Notes.docStatus: Could not get file information (Error 0xc0000008)Path: C:\FRIENDS.BMPStatus: Could not get file information (Error 0xc0000008)Path: C:\Gap KidsStatus: Could not get file information (Error 0xc0000008)Path: C:\Graphs for IT.docStatus: Could not get file information (Error 0xc0000008)Path: C:\hiberfil.sysStatus: Could not get file information (Error 0xc0000008)Path: C:\Highjack ThisStatus: Could not get file information (Error 0xc0000008)Path: C:\I386Status: Could not get file information (Error 0xc0000008)Path: C:\IO.SYSStatus: Could not get file information (Error 0xc0000008)Path: C:\IPH.PHStatus: Could not get file information (Error 0xc0000008)Path: C:\KAStatus: Could not get file information (Error 0xc0000008)Path: C:\KPSTUDIOStatus: Could not get file information (Error 0xc0000008)Path: C:\log.txtStatus: Could not get file information (Error 0xc0000008)Path: C:\log_fs.logStatus: Could not get file information (Error 0xc0000008)Path: C:\MAXISStatus: Could not get file information (Error 0xc0000008)Path: C:\MediaStatus: Could not get file information (Error 0xc0000008)Path: C:\!KillBoxStatus: Could not get file information (Error 0xc0000008)Path: C:\2 weeks notice.docStatus: Could not get file information (Error 0xc0000008)Path: C:\38d1ce25f386f278faStatus: Could not get file information (Error 0xc0000008)Path: C:\Alyssa's Cell Number.txtStatus: Could not get file information (Error 0xc0000008)Path: C:\AUTOEXEC.BATStatus: Could not get file information (Error 0xc0000008)Path: C:\BACKUPStatus: Could not get file information (Error 0xc0000008)Path: C:\boot.iniStatus: Could not get file information (Error 0xc0000008)Path: C:\BOOTSECT.DOSStatus: Could not get file information (Error 0xc0000008)Path: C:\CD Slide ShowStatus: Could not get file information (Error 0xc0000008)Path: C:\CD's.bmpStatus: Could not get file information (Error 0xc0000008)Path: C:\CD's2.jpgStatus: Could not get file information (Error 0xc0000008)Path: C:\Config.MsiStatus: Could not get file information (Error 0xc0000008)Path: C:\CONFIG.SYSStatus: Could not get file information (Error 0xc0000008)Path: C:\CWONDERSStatus: Could not get file information (Error 0xc0000008)Path: C:\CWShredder.zipStatus: Could not get file information (Error 0xc0000008)Path: C:\DELLStatus: Could not get file information (Error 0xc0000008)Path: C:\My DocumentsStatus: Could not get file information (Error 0xc0000008)Path: C:\My MusicStatus: Could not get file information (Error 0xc0000008)Path: C:\Nancy DrewStatus: Could not get file information (Error 0xc0000008)Path: C:\net_save.dnaStatus: Could not get file information (Error 0xc0000008)Path: C:\NeverwinterNightsStatus: Could not get file information (Error 0xc0000008)Path: C:\New Adobe PhotoDeluxe Home Edition Image.pddStatus: Could not get file information (Error 0xc0000008)Path: C:\NTDETECT.COMStatus: Could not get file information (Error 0xc0000008)Path: C:\ntldrStatus: Could not get file information (Error 0xc0000008)Path: C:\ntuser.datStatus: Could not get file information (Error 0xc0000008)Path: C:\ntuser.dat.LOGStatus: Could not get file information (Error 0xc0000008)Path: C:\NVIDIAStatus: Could not get file information (Error 0xc0000008)Path: C:\package_adp_SIAC.exeStatus: Could not get file information (Error 0xc0000008)Path: C:\Program FilesStatus: Could not get file information (Error 0xc0000008)Path: C:\pub22.tmpStatus: Could not get file information (Error 0xc0000008)Path: C:\Q3.DIRStatus: Could not get file information (Error 0xc0000008)Path: C:\QDATA1.QDFStatus: Could not get file information (Error 0xc0000008)Path: C:\QDATA1.QELStatus: Could not get file information (Error 0xc0000008)Path: C:\QDATA1.QSDStatus: Could not get file information (Error 0xc0000008)Path: C:\Quicken BackupStatus: Could not get file information (Error 0xc0000008)Path: C:\QUICKENWStatus: Could not get file information (Error 0xc0000008)Path: C:\RecycledStatus: Could not get file information (Error 0xc0000008)Path: C:\Roast Duck.docStatus: Could not get file information (Error 0xc0000008)Path: C:\sbtupd.EXEStatus: Could not get file information (Error 0xc0000008)Path: C:\SEGAStatus: Could not get file information (Error 0xc0000008)Path: C:\SierraStatus: Could not get file information (Error 0xc0000008)Path: C:\sorrySave.0Status: Could not get file information (Error 0xc0000008)Path: C:\sorrySave.1Status: Could not get file information (Error 0xc0000008)Path: C:\sorrySave.2Status: Could not get file information (Error 0xc0000008)Path: C:\StubInstaller.exeStatus: Could not get file information (Error 0xc0000008)Path: C:\System Volume InformationStatus: Could not get file information (Error 0xc0000008)Path: C:\tmp.txtStatus: Could not get file information (Error 0xc0000008)Path: C:\trig.dtlStatus: Could not get file information (Error 0xc0000008)Path: C:\tsremov.batStatus: Could not get file information (Error 0xc0000008)Path: C:\UCmore - The Search AcceleratorStatus: Could not get file information (Error 0xc0000008)Path: C:\updateStatus: Could not get file information (Error 0xc0000008)Path: C:\url.txtStatus: Could not get file information (Error 0xc0000008)Path: C:\USAMPCStatus: Could not get file information (Error 0xc0000008)Path: C:\VETlog.dmpStatus: Could not get file information (Error 0xc0000008)Path: C:\VETlog.txtStatus: Could not get file information (Error 0xc0000008)Path: C:\WESTWOODStatus: Could not get file information (Error 0xc0000008)Path: C:\WINDOWSStatus: Could not get file information (Error 0xc0000008)Path: C:\WORLDMPCStatus: Could not get file information (Error 0xc0000008)Path: C:\ws_ftple_508.exeStatus: Could not get file information (Error 0xc0000008)Path: C:\WUTempStatus: Could not get file information (Error 0xc0000008)Path: C:\~QW~LINK.QDTStatus: Could not get file information (Error 0xc0000008)I "think" I should be deleting the bolded file, but there is no "wipe" option in this file scan mode. Should I use "force delete?" Link to post Share on other sites More sharing options...
Fatdcuk Posted March 18, 2009 ID:65563 Share Posted March 18, 2009 Hi ya,Rootrepeal is not functioning 100% on your computer probaly as a result of corrupted installation.Do not attempt to delete/wipe or force-delete any files with it now.The driver's scan has detected CLB driver(UACcoihaiqd.sys) as present but since CLB fakes its driver path then that is why attempting anything against the driver from drivers scan option will fail.The hidden file scan is reporting some very unusual data but there is no CLB related entries there which leads me to believe the tool is not functioning properly.We will need to another advanced tool inorder to attack the resident CLB driver.STEP 01Please visit this webpage for instructions for downloading ComboFix to your DESKTOP : how-to-use-combofixPlease ensure you read this guide carefully and install the Recovery Console first.NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the programAdditional links to download the tool:ComboFix.exeComboFix.exeComboFix.exehttp://www.forospyware.com/sUBs/ComboFix.exe' rel="external nofollow">Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.Once installed, you should see a blue screen prompt that says:The Recovery Console was successfully installed.Please continue as follows:Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.Click Yes to allow ComboFix to continue scanning for malware.When the tool is finished, it will produce a report for you.Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system. Link to post Share on other sites More sharing options...
SteveT5195 Posted March 18, 2009 Author ID:65570 Share Posted March 18, 2009 One potential issue with running ComboFix.I've read through the instructions for running ComboFix and it clearly indicates that I need to have all programs shut down or disabled while it runs. That much is pretty straight forward, however, I am experiencing a glitch right now that I think is being created by some sort of malware.Here is what is happening. Internet Explorer is not functioning correctly on my machine so I've gone to using Firefox. Whenever the computer is up, approximately every 5 minutes I'm getting a popup window with an error message "Internet Explorer has encountered a problem and must be shut down." It gives me the option of reporting the problem, or shutting down. However, I'm not running IE at all. If I open Task Manager, I will find numerous Iexplorer.exe processes running, one for each time the popup hits.Based on what I've read in the ComboFix instructions, whatever is causing this might interfere with ComboFix running and I need to find someway to kill this first.Any suggestions? Should I just go ahead and try running ComboFix anyway? Link to post Share on other sites More sharing options...
Fatdcuk Posted March 18, 2009 ID:65571 Share Posted March 18, 2009 Yeah procede with combofix,The precaution is more aimed at folks that think its ok to carry on chatting on messenger client,downloading or gamesplaying etc on PC whilst fixing tools are running B) Link to post Share on other sites More sharing options...
SteveT5195 Posted March 18, 2009 Author ID:65581 Share Posted March 18, 2009 Okay, I'll run ComboFix first thing tomorrow morning. I'm posting from work where I have a perfectly functioning machine.I'll admit I'm more than a bit nervous about doing this since I don't know what is causing this IE popup error and that it "might" cause a problem with ComboFix.I have Restore points set on my machine but Restore won't function so there's not much help there. Link to post Share on other sites More sharing options...
SteveT5195 Posted March 19, 2009 Author ID:65799 Share Posted March 19, 2009 Well, I downloaded ComboFix, followed the instructions to the letter and just like mbam it won't run.I double click on the icon, I get the hourglass for about 10-15 seconds and then nothing. If I go into Task Manager is shows ComboFix.exe as running, but nothing is happpening.What now???? Link to post Share on other sites More sharing options...
Fatdcuk Posted March 19, 2009 ID:65848 Share Posted March 19, 2009 Ok it would appear that you have some real gnarly stuff onboard but hang on in there because i love a challenge Lets see if we can get GMER ARK to deploy on the infected system .http://www.gmer.net/files.phpDownload GMER .exe and rename to foo.exe Next run and if available post back the report log generated. Link to post Share on other sites More sharing options...
SteveT5195 Posted March 19, 2009 Author ID:65860 Share Posted March 19, 2009 I will give that a try.I did have some success this morning.I read about the "randmbam" tool in another thread and downloaded it and ran it. It was able to allow me to run Malwarebytes and I began a full scan. It was still running when it was time to leave for work (an hour and 25 minutes so far) and it had found one infected object. Once I return home I'll follow the prompts and post the log (as well as a fresh Hijack log).I'll then give GMER ARK a try and post it's log (if it will run).I appreciate your help on this. Link to post Share on other sites More sharing options...
SteveT5195 Posted March 21, 2009 Author ID:66266 Share Posted March 21, 2009 Here are the logs...First GMER.... (all the UAC entries were colored red in the output).GMER 1.0.15.14944 - http://www.gmer.netRootkit scan 2009-03-20 16:52:13Windows 5.1.2600 Service Pack 2---- System - GMER 1.0.15 ----Code 86B3DEB0 ZwEnumerateKeyCode 86B3D170 ZwFlushInstructionCacheCode 86A9329E IofCallDriverCode 86B8E266 IofCompleteRequest---- Kernel code sections - GMER 1.0.15 ----.text ntoskrnl.exe!IofCallDriver 804E37C5 5 Bytes JMP 86A932A3 .text ntoskrnl.exe!IofCompleteRequest 804E3BF6 5 Bytes JMP 86B8E26B PAGE ntoskrnl.exe!ZwEnumerateKey 8056EEB0 5 Bytes JMP 86B3DEB4 PAGE ntoskrnl.exe!ZwFlushInstructionCache 805769EA 5 Bytes JMP 86B3D174 ? pewd.sys The system cannot find the file specified. !? C:\WINDOWS\TEMP\mc21.tmp The system cannot find the file specified. !---- User code sections - GMER 1.0.15 ----.text C:\WINDOWS\System32\svchost.exe[372] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E].text C:\WINDOWS\System32\svchost.exe[372] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [0E, 5F] {PUSH CS; POP EDI}.text C:\WINDOWS\System32\svchost.exe[372] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A .text C:\WINDOWS\System32\svchost.exe[372] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A .text C:\WINDOWS\System32\svchost.exe[372] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A .text C:\Documents and Settings\Steve\Desktop\t6d6lsr5.exe[484] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 009E000A .text C:\Documents and Settings\Steve\Desktop\t6d6lsr5.exe[484] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 009F000A .text C:\Documents and Settings\Steve\Desktop\t6d6lsr5.exe[484] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes CALL 5F00003D .text C:\WINDOWS\system32\csrss.exe[544] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E].text C:\WINDOWS\system32\csrss.exe[544] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [0E, 5F] {PUSH CS; POP EDI}.text C:\WINDOWS\system32\csrss.exe[544] KERNEL32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A .text C:\WINDOWS\system32\csrss.exe[544] KERNEL32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A .text C:\WINDOWS\system32\csrss.exe[544] KERNEL32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A .text C:\WINDOWS\system32\winlogon.exe[572] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E].text C:\WINDOWS\system32\winlogon.exe[572] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [0E, 5F] {PUSH CS; POP EDI}.text C:\WINDOWS\system32\winlogon.exe[572] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 0064000A .text C:\WINDOWS\system32\winlogon.exe[572] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 0065000A .text C:\WINDOWS\system32\winlogon.exe[572] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A .text C:\WINDOWS\system32\winlogon.exe[572] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A .text C:\WINDOWS\system32\winlogon.exe[572] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A .text C:\WINDOWS\system32\services.exe[620] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E].text C:\WINDOWS\system32\services.exe[620] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [0E, 5F] {PUSH CS; POP EDI}.text C:\WINDOWS\system32\services.exe[620] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 0064000A .text C:\WINDOWS\system32\services.exe[620] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 0065000A .text C:\WINDOWS\system32\services.exe[620] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A .text C:\WINDOWS\system32\services.exe[620] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A .text C:\WINDOWS\system32\services.exe[620] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A .text C:\WINDOWS\system32\lsass.exe[632] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E].text C:\WINDOWS\system32\lsass.exe[632] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [0E, 5F] {PUSH CS; POP EDI}.text C:\WINDOWS\system32\lsass.exe[632] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 006F000A .text C:\WINDOWS\system32\lsass.exe[632] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 0072000A .text C:\WINDOWS\system32\lsass.exe[632] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A .text C:\WINDOWS\system32\lsass.exe[632] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A .text C:\WINDOWS\system32\lsass.exe[632] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A .text C:\WINDOWS\system32\svchost.exe[816] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E].text C:\WINDOWS\system32\svchost.exe[816] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [0E, 5F] {PUSH CS; POP EDI}.text C:\WINDOWS\system32\svchost.exe[816] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A .text C:\WINDOWS\system32\svchost.exe[816] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A .text C:\WINDOWS\system32\svchost.exe[816] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A .text C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe[828] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E].text C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe[828] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [0E, 5F] {PUSH CS; POP EDI}.text C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe[828] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 00BA000A .text C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe[828] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 00BB000A .text C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe[828] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A .text C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe[828] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A .text C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe[828] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A .text C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe[828] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes CALL 5F00003D .text C:\WINDOWS\Explorer.EXE[884] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E].text C:\WINDOWS\Explorer.EXE[884] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [0E, 5F] {PUSH CS; POP EDI}.text C:\WINDOWS\Explorer.EXE[884] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 00E3000A .text C:\WINDOWS\Explorer.EXE[884] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 00E4000A .text C:\WINDOWS\Explorer.EXE[884] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A .text C:\WINDOWS\Explorer.EXE[884] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A .text C:\WINDOWS\Explorer.EXE[884] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A .text C:\WINDOWS\Explorer.EXE[884] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes CALL 5F00003D .text C:\WINDOWS\system32\svchost.exe[896] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E].text C:\WINDOWS\system32\svchost.exe[896] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [0E, 5F] {PUSH CS; POP EDI}.text C:\WINDOWS\system32\svchost.exe[896] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A .text C:\WINDOWS\system32\svchost.exe[896] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A .text C:\WINDOWS\system32\svchost.exe[896] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A .text C:\WINDOWS\System32\svchost.exe[972] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E].text C:\WINDOWS\System32\svchost.exe[972] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [0E, 5F] {PUSH CS; POP EDI}.text C:\WINDOWS\System32\svchost.exe[972] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A .text C:\WINDOWS\System32\svchost.exe[972] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A .text C:\WINDOWS\System32\svchost.exe[972] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A .text C:\WINDOWS\System32\svchost.exe[1024] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E].text C:\WINDOWS\System32\svchost.exe[1024] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [0E, 5F] {PUSH CS; POP EDI}.text C:\WINDOWS\System32\svchost.exe[1024] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A .text C:\WINDOWS\System32\svchost.exe[1024] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A .text C:\WINDOWS\System32\svchost.exe[1024] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A .text C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe[1056] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 00A2000A .text C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe[1056] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 00A3000A .text C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe[1056] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes CALL 5F00003D .text C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe[1136] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E].text C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe[1136] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [0E, 5F] {PUSH CS; POP EDI}.text C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe[1136] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 00B7000A .text C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe[1136] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 00B8000A .text C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe[1136] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A .text C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe[1136] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A .text C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe[1136] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A .text C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe[1136] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes CALL 5F00003D .text C:\WINDOWS\System32\svchost.exe[1164] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E].text C:\WINDOWS\System32\svchost.exe[1164] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [0E, 5F] {PUSH CS; POP EDI}.text C:\WINDOWS\System32\svchost.exe[1164] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A .text C:\WINDOWS\System32\svchost.exe[1164] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A .text C:\WINDOWS\System32\svchost.exe[1164] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A .text C:\WINDOWS\system32\spoolsv.exe[1304] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E].text C:\WINDOWS\system32\spoolsv.exe[1304] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [0E, 5F] {PUSH CS; POP EDI}.text C:\WINDOWS\system32\spoolsv.exe[1304] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 0097000A .text C:\WINDOWS\system32\spoolsv.exe[1304] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 0098000A .text C:\WINDOWS\system32\spoolsv.exe[1304] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A .text C:\WINDOWS\system32\spoolsv.exe[1304] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A .text C:\WINDOWS\system32\spoolsv.exe[1304] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1436] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E].text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1436] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [0E, 5F] {PUSH CS; POP EDI}.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1436] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 006C000A .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1436] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 006D000A .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1436] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1436] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1436] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A .text C:\WINDOWS\system32\nvsvc32.exe[1488] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E].text C:\WINDOWS\system32\nvsvc32.exe[1488] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [0E, 5F] {PUSH CS; POP EDI}.text C:\WINDOWS\system32\nvsvc32.exe[1488] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 006C000A .text C:\WINDOWS\system32\nvsvc32.exe[1488] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 006D000A .text C:\WINDOWS\system32\nvsvc32.exe[1488] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A .text C:\WINDOWS\system32\nvsvc32.exe[1488] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A .text C:\WINDOWS\system32\nvsvc32.exe[1488] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A .text C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe[1628] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E].text C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe[1628] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [0E, 5F] {PUSH CS; POP EDI}.text C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe[1628] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 007A000A .text C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe[1628] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 007B000A .text C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe[1628] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A .text C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe[1628] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A .text C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe[1628] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A .text C:\WINDOWS\System32\HPZipm12.exe[1788] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E].text C:\WINDOWS\System32\HPZipm12.exe[1788] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [0E, 5F] {PUSH CS; POP EDI}.text C:\WINDOWS\System32\HPZipm12.exe[1788] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 006B000A .text C:\WINDOWS\System32\HPZipm12.exe[1788] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 006C000A .text C:\WINDOWS\System32\HPZipm12.exe[1788] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A .text C:\WINDOWS\System32\HPZipm12.exe[1788] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A .text C:\WINDOWS\System32\HPZipm12.exe[1788] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A .text C:\Program Files\Spyware Doctor\sdhelp.exe[1844] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 007C000A .text C:\Program Files\Spyware Doctor\sdhelp.exe[1844] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 007D000A .text C:\WINDOWS\System32\alg.exe[1880] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 0071000A .text C:\WINDOWS\System32\alg.exe[1880] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 0072000A .text C:\WINDOWS\System32\alg.exe[1880] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes CALL 5F00003D .text C:\Program Files\Mozilla Firefox\firefox.exe[1908] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 00A8000A .text C:\Program Files\Mozilla Firefox\firefox.exe[1908] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 00A9000A .text C:\Program Files\Mozilla Firefox\firefox.exe[1908] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes CALL 5F00003D .text C:\Program Files\Mozilla Firefox\firefox.exe[1908] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 00AAFA00 .text C:\Program Files\Mozilla Firefox\firefox.exe[1908] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00AB0750 .text C:\Program Files\Mozilla Firefox\firefox.exe[1908] WS2_32.dll!send 71AB428A 5 Bytes JMP 00AB0630 .text C:\Program Files\Mozilla Firefox\firefox.exe[1908] WS2_32.dll!gethostbyname 71AB4FD4 5 Bytes JMP 00AAFDB0 .text C:\Program Files\Mozilla Firefox\firefox.exe[1908] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 00AB0910 .text C:\Program Files\Internet Explorer\Iexplore.exe[2116] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 00A0000A .text C:\Program Files\Internet Explorer\Iexplore.exe[2116] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 00A1000A .text C:\Program Files\Internet Explorer\Iexplore.exe[2116] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes CALL 5F00003D .text C:\Program Files\Internet Explorer\Iexplore.exe[2116] kernel32.dll!ExitProcess 7C81CDDA 5 Bytes JMP 033610B0 C:\WINDOWS\system32\mst122.dll.text C:\Program Files\Internet Explorer\Iexplore.exe[2116] USER32.dll!DialogBoxParamW 7E42555F 5 Bytes JMP 42F0F301 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation).text C:\Program Files\Internet Explorer\Iexplore.exe[2116] USER32.dll!DialogBoxIndirectParamW 7E432032 5 Bytes JMP 430A17EF C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation).text C:\Program Files\Internet Explorer\Iexplore.exe[2116] USER32.dll!MessageBoxIndirectA 7E43A04A 5 Bytes JMP 430A1770 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation).text C:\Program Files\Internet Explorer\Iexplore.exe[2116] USER32.dll!DialogBoxParamA 7E43B10C 5 Bytes JMP 430A17B4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation).text C:\Program Files\Internet Explorer\Iexplore.exe[2116] USER32.dll!MessageBoxExW 7E4505D8 5 Bytes JMP 430A16FC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation).text C:\Program Files\Internet Explorer\Iexplore.exe[2116] USER32.dll!MessageBoxExA 7E4505FC 5 Bytes JMP 430A1736 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation).text C:\Program Files\Internet Explorer\Iexplore.exe[2116] USER32.dll!DialogBoxIndirectParamA 7E456B50 5 Bytes JMP 430A182A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation).text C:\Program Files\Internet Explorer\Iexplore.exe[2116] USER32.dll!MessageBoxIndirectW 7E4662AB 5 Bytes JMP 42F316B6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation).text C:\Program Files\Internet Explorer\Iexplore.exe[2116] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 00A2FA00 .text C:\Program Files\Internet Explorer\Iexplore.exe[2116] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00A30750 .text C:\Program Files\Internet Explorer\Iexplore.exe[2116] WS2_32.dll!send 71AB428A 5 Bytes JMP 00A30630 .text C:\Program Files\Internet Explorer\Iexplore.exe[2116] WS2_32.dll!gethostbyname 71AB4FD4 5 Bytes JMP 00A2FDB0 .text C:\Program Files\Internet Explorer\Iexplore.exe[2116] WS2_32.dll!recv 71AB615A 5 Bytes JMP 00A2FFE0 .text C:\Program Files\Internet Explorer\Iexplore.exe[2116] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 00A30910 .text C:\Program Files\Internet Explorer\Iexplore.exe[2116] WININET.dll!HttpAddRequestHeadersA 42C1FBBD 5 Bytes JMP 00F0000A .text C:\Program Files\Internet Explorer\Iexplore.exe[2116] WININET.dll!HttpAddRequestHeadersW 42C8CC65 5 Bytes JMP 00F8000A .text C:\Program Files\iTunes\iTunesHelper.exe[2272] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 00BA000A .text C:\Program Files\iTunes\iTunesHelper.exe[2272] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 00BB000A .text C:\Program Files\iTunes\iTunesHelper.exe[2272] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes CALL 5F00003D .text C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe[2288] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 0094000A .text C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe[2288] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 0095000A .text C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe[2288] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes CALL 5F00003D .text C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe[2328] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 00B5000A .text C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe[2328] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 00B6000A .text C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe[2328] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes CALL 5F00003D .text C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe[2336] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 00A2000A .text C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe[2336] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 00A3000A .text C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe[2336] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes CALL 5F00003D .text C:\WINDOWS\system32\ctfmon.exe[2344] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 0098000A .text C:\WINDOWS\system32\ctfmon.exe[2344] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 0099000A .text C:\WINDOWS\system32\ctfmon.exe[2344] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes CALL 5F00003D .text C:\Program Files\WinZip\WZQKPICK.EXE[2432] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 009D000A .text C:\Program Files\WinZip\WZQKPICK.EXE[2432] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 009E000A .text C:\Program Files\WinZip\WZQKPICK.EXE[2432] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes CALL 5F00003D .text C:\Program Files\Logitech\MouseWare\system\em_exec.exe[2776] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 00A1000A .text C:\Program Files\Logitech\MouseWare\system\em_exec.exe[2776] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 00A2000A .text C:\Program Files\Logitech\MouseWare\system\em_exec.exe[2776] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes CALL 5F00003D .text C:\Program Files\iPod\bin\iPodService.exe[2888] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 0074000A .text C:\Program Files\iPod\bin\iPodService.exe[2888] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 0075000A .text C:\Program Files\iPod\bin\iPodService.exe[2888] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes CALL 5F00003D .text C:\WINDOWS\system32\devldr32.exe[3968] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 0088000A .text C:\WINDOWS\system32\devldr32.exe[3968] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 0089000A .text C:\WINDOWS\system32\devldr32.exe[3968] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes CALL 5F00003D ---- User IAT/EAT - GMER 1.0.15 ----IAT C:\WINDOWS\system32\services.exe[620] @ C:\WINDOWS\system32\services.exe [ntdll.dll!NtQueryDirectoryFile] 00EC5140IAT C:\WINDOWS\system32\services.exe[620] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 00EC5140IAT C:\WINDOWS\system32\services.exe[620] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 00EC508CIAT C:\WINDOWS\system32\services.exe[620] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 00EC5027IAT C:\WINDOWS\system32\services.exe[620] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00EC4FF5IAT C:\WINDOWS\system32\services.exe[620] @ C:\WINDOWS\system32\SHLWAPI.dll [uSER32.dll!TranslateMessage] 00EC56ABIAT C:\WINDOWS\system32\services.exe[620] @ C:\WINDOWS\system32\ole32.dll [uSER32.dll!GetClipboardData] 00EC53F9IAT C:\WINDOWS\system32\services.exe[620] @ C:\WINDOWS\system32\ole32.dll [uSER32.dll!TranslateMessage] 00EC56ABIAT C:\WINDOWS\system32\services.exe[620] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 00EC5140IAT C:\WINDOWS\system32\services.exe[620] @ C:\WINDOWS\system32\shell32.dll [uSER32.dll!TranslateMessage] 00EC56ABIAT C:\WINDOWS\system32\services.exe[620] @ C:\WINDOWS\system32\shell32.dll [uSER32.dll!GetClipboardData] 00EC53F9IAT C:\WINDOWS\system32\lsass.exe[632] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 00FE5140IAT C:\WINDOWS\system32\lsass.exe[632] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 00FE508CIAT C:\WINDOWS\system32\lsass.exe[632] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 00FE5027IAT C:\WINDOWS\system32\lsass.exe[632] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00FE4FF5IAT C:\WINDOWS\system32\lsass.exe[632] @ C:\WINDOWS\system32\LSASRV.dll [ntdll.dll!LdrLoadDll] 00FE508CIAT C:\WINDOWS\system32\lsass.exe[632] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 00FE5140IAT C:\WINDOWS\system32\lsass.exe[632] @ C:\WINDOWS\system32\SAMSRV.dll [ntdll.dll!LdrLoadDll] 00FE508CIAT C:\WINDOWS\system32\lsass.exe[632] @ C:\WINDOWS\system32\SAMSRV.dll [ntdll.dll!LdrGetProcedureAddress] 00FE5027IAT C:\WINDOWS\system32\lsass.exe[632] @ C:\WINDOWS\system32\ole32.dll [uSER32.dll!GetClipboardData] 00FE53F9IAT C:\WINDOWS\system32\lsass.exe[632] @ C:\WINDOWS\system32\ole32.dll [uSER32.dll!TranslateMessage] 00FE56ABIAT C:\WINDOWS\system32\lsass.exe[632] @ C:\WINDOWS\system32\SHELL32.dll [uSER32.dll!TranslateMessage] 00FE56ABIAT C:\WINDOWS\system32\lsass.exe[632] @ C:\WINDOWS\system32\SHELL32.dll [uSER32.dll!GetClipboardData] 00FE53F9IAT C:\WINDOWS\system32\lsass.exe[632] @ C:\WINDOWS\system32\SHLWAPI.dll [uSER32.dll!TranslateMessage] 00FE56ABIAT C:\WINDOWS\system32\svchost.exe[816] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00DB4FF5IAT C:\WINDOWS\system32\svchost.exe[896] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 00DD5140IAT C:\WINDOWS\system32\svchost.exe[896] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 00DD508CIAT C:\WINDOWS\system32\svchost.exe[896] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 00DD5027IAT C:\WINDOWS\system32\svchost.exe[896] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00DD4FF5IAT C:\WINDOWS\system32\svchost.exe[896] @ C:\WINDOWS\system32\ole32.dll [uSER32.dll!GetClipboardData] 00DD53F9IAT C:\WINDOWS\system32\svchost.exe[896] @ C:\WINDOWS\system32\ole32.dll [uSER32.dll!TranslateMessage] 00DD56ABIAT C:\WINDOWS\system32\svchost.exe[896] @ C:\WINDOWS\system32\SHELL32.dll [uSER32.dll!TranslateMessage] 00DD56ABIAT C:\WINDOWS\system32\svchost.exe[896] @ C:\WINDOWS\system32\SHELL32.dll [uSER32.dll!GetClipboardData] 00DD53F9IAT C:\WINDOWS\system32\svchost.exe[896] @ C:\WINDOWS\system32\SHLWAPI.dll [uSER32.dll!TranslateMessage] 00DD56ABIAT C:\WINDOWS\system32\svchost.exe[896] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 00DD5140IAT C:\WINDOWS\System32\svchost.exe[972] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 019F5140IAT C:\WINDOWS\System32\svchost.exe[972] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 019F508CIAT C:\WINDOWS\System32\svchost.exe[972] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 019F5027IAT C:\WINDOWS\System32\svchost.exe[972] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 019F4FF5IAT C:\WINDOWS\System32\svchost.exe[972] @ C:\WINDOWS\system32\ole32.dll [uSER32.dll!GetClipboardData] 019F53F9IAT C:\WINDOWS\System32\svchost.exe[972] @ C:\WINDOWS\system32\ole32.dll [uSER32.dll!TranslateMessage] 019F56ABIAT C:\WINDOWS\System32\svchost.exe[972] @ C:\WINDOWS\system32\SHELL32.dll [uSER32.dll!TranslateMessage] 019F56ABIAT C:\WINDOWS\System32\svchost.exe[972] @ C:\WINDOWS\system32\SHELL32.dll [uSER32.dll!GetClipboardData] 019F53F9IAT C:\WINDOWS\System32\svchost.exe[972] @ C:\WINDOWS\system32\SHLWAPI.dll [uSER32.dll!TranslateMessage] 019F56ABIAT C:\WINDOWS\System32\svchost.exe[972] @ C:\WINDOWS\System32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 019F5140IAT C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe[1056] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 00135140IAT C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe[1056] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 0013508CIAT C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe[1056] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 00135027IAT C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe[1056] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00134FF5IAT C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe[1056] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 00135140IAT C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe[1056] @ C:\WINDOWS\system32\SHLWAPI.dll [uSER32.dll!TranslateMessage] 001356ABIAT C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe[1056] @ C:\WINDOWS\system32\SHELL32.dll [uSER32.dll!TranslateMessage] 001356ABIAT C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe[1056] @ C:\WINDOWS\system32\SHELL32.dll [uSER32.dll!GetClipboardData] 001353F9IAT C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe[1056] @ C:\WINDOWS\system32\ole32.dll [uSER32.dll!GetClipboardData] 001353F9IAT C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe[1056] @ C:\WINDOWS\system32\ole32.dll [uSER32.dll!TranslateMessage] 001356ABIAT C:\Program Files\Spyware Doctor\sdhelp.exe[1844] @ C:\WINDOWS\system32\user32.dll [KERNEL32.dll!CreateThread] [0042B398] C:\Program Files\Spyware Doctor\sdhelp.exe (PC Tools Research Pty Ltd)IAT C:\Program Files\Spyware Doctor\sdhelp.exe[1844] @ C:\WINDOWS\system32\advapi32.dll [KERNEL32.dll!CreateThread] [0042B398] C:\Program Files\Spyware Doctor\sdhelp.exe (PC Tools Research Pty Ltd)IAT C:\Program Files\Spyware Doctor\sdhelp.exe[1844] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateThread] [0042B398] C:\Program Files\Spyware Doctor\sdhelp.exe (PC Tools Research Pty Ltd)IAT C:\Program Files\Spyware Doctor\sdhelp.exe[1844] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!CreateThread] [0042B398] C:\Program Files\Spyware Doctor\sdhelp.exe (PC Tools Research Pty Ltd)IAT C:\Program Files\Spyware Doctor\sdhelp.exe[1844] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateThread] [0042B398] C:\Program Files\Spyware Doctor\sdhelp.exe (PC Tools Research Pty Ltd)IAT C:\Program Files\Spyware Doctor\sdhelp.exe[1844] @ C:\WINDOWS\system32\shell32.dll [KERNEL32.dll!CreateThread] [0042B398] C:\Program Files\Spyware Doctor\sdhelp.exe (PC Tools Research Pty Ltd)IAT C:\Program Files\Spyware Doctor\sdhelp.exe[1844] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!CreateThread] [0042B398] C:\Program Files\Spyware Doctor\sdhelp.exe (PC Tools Research Pty Ltd)IAT C:\Program Files\Spyware Doctor\sdhelp.exe[1844] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!CreateThread] [0042B398] C:\Program Files\Spyware Doctor\sdhelp.exe (PC Tools Research Pty Ltd)IAT C:\Program Files\Spyware Doctor\sdhelp.exe[1844] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!CreateThread] [0042B398] C:\Program Files\Spyware Doctor\sdhelp.exe (PC Tools Research Pty Ltd)IAT C:\Program Files\Spyware Doctor\sdhelp.exe[1844] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!CreateThread] [0042B398] C:\Program Files\Spyware Doctor\sdhelp.exe (PC Tools Research Pty Ltd)IAT C:\WINDOWS\System32\alg.exe[1880] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 00405140IAT C:\WINDOWS\System32\alg.exe[1880] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 0040508CIAT C:\WINDOWS\System32\alg.exe[1880] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 00405027IAT C:\WINDOWS\System32\alg.exe[1880] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00404FF5IAT C:\WINDOWS\System32\alg.exe[1880] @ C:\WINDOWS\system32\ole32.dll [uSER32.dll!GetClipboardData] 004053F9IAT C:\WINDOWS\System32\alg.exe[1880] @ C:\WINDOWS\system32\ole32.dll [uSER32.dll!TranslateMessage] 004056ABIAT C:\WINDOWS\System32\alg.exe[1880] @ C:\WINDOWS\System32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 00405140IAT C:\WINDOWS\System32\alg.exe[1880] @ C:\WINDOWS\system32\SHELL32.dll [uSER32.dll!TranslateMessage] 004056ABIAT C:\WINDOWS\System32\alg.exe[1880] @ C:\WINDOWS\system32\SHELL32.dll [uSER32.dll!GetClipboardData] 004053F9IAT C:\WINDOWS\System32\alg.exe[1880] @ C:\WINDOWS\system32\SHLWAPI.dll [uSER32.dll!TranslateMessage] 004056ABIAT C:\Program Files\iPod\bin\iPodService.exe[2888] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 00135140IAT C:\Program Files\iPod\bin\iPodService.exe[2888] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 0013508CIAT C:\Program Files\iPod\bin\iPodService.exe[2888] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 00135027IAT C:\Program Files\iPod\bin\iPodService.exe[2888] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00134FF5IAT C:\Program Files\iPod\bin\iPodService.exe[2888] @ C:\WINDOWS\system32\ole32.dll [uSER32.dll!GetClipboardData] 001353F9IAT C:\Program Files\iPod\bin\iPodService.exe[2888] @ C:\WINDOWS\system32\ole32.dll [uSER32.dll!TranslateMessage] 001356ABIAT C:\Program Files\iPod\bin\iPodService.exe[2888] @ C:\WINDOWS\system32\SHLWAPI.dll [uSER32.dll!TranslateMessage] 001356ABIAT C:\Program Files\iPod\bin\iPodService.exe[2888] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 00135140IAT C:\Program Files\iPod\bin\iPodService.exe[2888] @ C:\WINDOWS\system32\shell32.dll [uSER32.dll!TranslateMessage] 001356ABIAT C:\Program Files\iPod\bin\iPodService.exe[2888] @ C:\WINDOWS\system32\shell32.dll [uSER32.dll!GetClipboardData] 001353F9---- Devices - GMER 1.0.15 ----AttachedDevice \FileSystem\Ntfs \Ntfs ikhfile.sys (PCTools Research Pty Ltd.)AttachedDevice \FileSystem\Ntfs \Ntfs Tmpreflt.sys (Pre-Filter For XP/Trend Micro Inc.)AttachedDevice \Driver\Tcpip \Device\Ip tmtdi.sys (Trend Micro TDI Driver/Trend Micro Inc.)AttachedDevice \Driver\Tcpip \Device\Tcp tmtdi.sys (Trend Micro TDI Driver/Trend Micro Inc.)Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 sdcplh.sysDevice \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 sdcplh.sysDevice \Driver\atapi \Device\Ide\IdePort0 sdcplh.sysDevice \Driver\atapi \Device\Ide\IdePort1 sdcplh.sysDevice \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f sdcplh.sysAttachedDevice \Driver\Tcpip \Device\Udp tmtdi.sys (Trend Micro TDI Driver/Trend Micro Inc.)AttachedDevice \Driver\Tcpip \Device\RawIp tmtdi.sys (Trend Micro TDI Driver/Trend Micro Inc.)Device \FileSystem\Fastfat \Fat B7F6BC8AAttachedDevice \FileSystem\Fastfat \Fat Tmpreflt.sys (Pre-Filter For XP/Trend Micro Inc.)AttachedDevice \FileSystem\Fastfat \Fat ikhfile.sys (PCTools Research Pty Ltd.)---- Modules - GMER 1.0.15 ----Module \systemroot\system32\drivers\UACcoihaiqd.sys (*** hidden *** ) F51DF000-F51F2000 (77824 bytes) ---- Processes - GMER 1.0.15 ----Library \\?\globalroot\systemroot\system32\UACbnringes.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [372] 0x007F0000 Library \\?\globalroot\systemroot\system32\UACbnringes.dll (*** hidden *** ) @ C:\Documents and Settings\Steve\Desktop\t6d6lsr5.exe [484] 0x00AF0000 Library \\?\globalroot\systemroot\system32\UACbnringes.dll (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [572] 0x00750000 Library \\?\globalroot\systemroot\system32\UACbnringes.dll (*** hidden *** ) @ C:\WINDOWS\system32\services.exe [620] 0x00750000 Library \\?\globalroot\systemroot\system32\UACbnringes.dll (*** hidden *** ) @ C:\WINDOWS\system32\lsass.exe [632] 0x00820000 Library \\?\globalroot\systemroot\system32\UACbnringes.dll (*** hidden *** ) @ C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe [828] 0x00540000 Library \\?\globalroot\systemroot\system32\UACbnringes.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [884] 0x001E0000 Library \\?\globalroot\systemroot\system32\UACbnringes.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [896] 0x007F0000 Library \\?\globalroot\systemroot\system32\UACbnringes.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [972] 0x007F0000 Library \\?\globalroot\systemroot\system32\UACbnringes.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1024] 0x007F0000 Library \\?\globalroot\systemroot\system32\UACbnringes.dll (*** hidden *** ) @ C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe [1056] 0x00B30000 Library \\?\globalroot\systemroot\system32\UACbnringes.dll (*** hidden *** ) @ C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe [1136] 0x00390000 Library \\?\globalroot\systemroot\system32\UACbnringes.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1164] 0x007F0000 Library \\?\globalroot\systemroot\system32\UACbnringes.dll (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [1304] 0x00A80000 Library \\?\globalroot\systemroot\system32\UACbnringes.dll (*** hidden *** ) @ C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [1436] 0x007D0000 Library \\?\globalroot\systemroot\system32\UACbnringes.dll (*** hidden *** ) @ C:\WINDOWS\system32\nvsvc32.exe [1488] 0x007D0000 Library \\?\globalroot\systemroot\system32\UACbnringes.dll (*** hidden *** ) @ C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe [1628] 0x008B0000 Library \\?\globalroot\systemroot\system32\UACbnringes.dll (*** hidden *** ) @ C:\WINDOWS\System32\HPZipm12.exe [1788] 0x007C0000 Library \\?\globalroot\systemroot\system32\UACbnringes.dll (*** hidden *** ) @ C:\Program Files\Spyware Doctor\sdhelp.exe [1844] 0x008D0000 Library \\?\globalroot\systemroot\system32\UACbnringes.dll (*** hidden *** ) @ C:\WINDOWS\System32\alg.exe [1880] 0x00820000 Library \\?\globalroot\systemroot\system32\UACbnringes.dll (*** hidden *** ) @ C:\Program Files\Mozilla Firefox\firefox.exe [1908] 0x00BC0000 Library \\?\globalroot\systemroot\system32\UACbnringes.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\Iexplore.exe [2116] 0x00B40000 Library \\?\globalroot\systemroot\system32\UACbnringes.dll (*** hidden *** ) @ C:\Program Files\iTunes\iTunesHelper.exe [2272] 0x00CB0000 Library \\?\globalroot\systemroot\system32\UACbnringes.dll (*** hidden *** ) @ C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe [2288] 0x00A50000 Library \\?\globalroot\systemroot\system32\UACbnringes.dll (*** hidden *** ) @ C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe [2328] 0x00C60000 Library \\?\globalroot\systemroot\system32\UACbnringes.dll (*** hidden *** ) @ C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe [2336] 0x00B30000 Library \\?\globalroot\systemroot\system32\UACbnringes.dll (*** hidden *** ) @ C:\WINDOWS\system32\ctfmon.exe [2344] 0x00A90000 Library \\?\globalroot\systemroot\system32\UACbnringes.dll (*** hidden *** ) @ C:\Program Files\WinZip\WZQKPICK.EXE [2432] 0x00AE0000 Library \\?\globalroot\systemroot\system32\UACbnringes.dll (*** hidden *** ) @ C:\Program Files\Logitech\MouseWare\system\em_exec.exe [2776] 0x00B20000 Library \\?\globalroot\systemroot\system32\UACbnringes.dll (*** hidden *** ) @ C:\Program Files\iPod\bin\iPodService.exe [2888] 0x00850000 Library \\?\globalroot\systemroot\system32\UACbnringes.dll (*** hidden *** ) @ C:\WINDOWS\system32\devldr32.exe [3968] 0x00990000 ---- Services - GMER 1.0.15 ----Service C:\WINDOWS\system32\drivers\UACcoihaiqd.sys (*** hidden *** ) [sYSTEM] UACd.sys <-- ROOTKIT !!!---- Registry - GMER 1.0.15 ----Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@start 1Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@type 1Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACcoihaiqd.sysReg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@group file systemReg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACcoihaiqd.sysReg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACfdrxfvne.dllReg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACobykotvy.datReg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uaclog \\?\globalroot\systemroot\system32\UACwujfbgke.dllReg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacmask \\?\globalroot\systemroot\system32\UACekolxjeo.dllReg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACxaqxfpkk.dllReg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACproc \\?\globalroot\systemroot\system32\UACkjwukfyl.logReg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacurls \\?\globalroot\systemroot\system32\UACpvydpebp.logReg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacerrors \\?\globalroot\systemroot\system32\UACvbkdfwrm.logReg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACbnringes.dllReg HKLM\SYSTEM\ControlSet004\Services\UACd.sys Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys@start 1Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys@type 1Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACcoihaiqd.sysReg HKLM\SYSTEM\ControlSet004\Services\UACd.sys@group file systemReg HKLM\SYSTEM\ControlSet004\Services\UACd.sys\modules Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACcoihaiqd.sysReg HKLM\SYSTEM\ControlSet004\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACfdrxfvne.dllReg HKLM\SYSTEM\ControlSet004\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACobykotvy.datReg HKLM\SYSTEM\ControlSet004\Services\UACd.sys\modules@uaclog \\?\globalroot\systemroot\system32\UACwujfbgke.dllReg HKLM\SYSTEM\ControlSet004\Services\UACd.sys\modules@uacmask \\?\globalroot\systemroot\system32\UACekolxjeo.dllReg HKLM\SYSTEM\ControlSet004\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACxaqxfpkk.dllReg HKLM\SYSTEM\ControlSet004\Services\UACd.sys\modules@UACproc \\?\globalroot\systemroot\system32\UACkjwukfyl.logReg HKLM\SYSTEM\ControlSet004\Services\UACd.sys\modules@uacurls \\?\globalroot\systemroot\system32\UACpvydpebp.logReg HKLM\SYSTEM\ControlSet004\Services\UACd.sys\modules@uacerrors \\?\globalroot\systemroot\system32\UACvbkdfwrm.logReg HKLM\SYSTEM\ControlSet004\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACbnringes.dll---- Files - GMER 1.0.15 ----File C:\Documents and Settings\Steve\Local Settings\Temp\UACc01c.tmp 343040 bytes executableFile C:\Avenger\uacinit.dll 5531 bytesFile C:\WINDOWS\system32\drivers\UACcoihaiqd.sys 65536 bytes executable <-- ROOTKIT !!!File C:\WINDOWS\system32\UACbnringes.dll 18944 bytes executableFile C:\WINDOWS\system32\UACekolxjeo.dll 24576 bytes executableFile C:\WINDOWS\system32\UACfdrxfvne.dll 31232 bytes executableFile C:\WINDOWS\system32\uacinit.dll 5531 bytesFile C:\WINDOWS\system32\UACkjwukfyl.log 55739 bytesFile C:\WINDOWS\system32\UACobykotvy.dat 127 bytesFile C:\WINDOWS\system32\UACwujfbgke.dll 27136 bytes executableFile C:\WINDOWS\system32\UACxaqxfpkk.dll 65536 bytesFile C:\WINDOWS\Temp\UACf0e9.tmp 65536 bytes---- EOF - GMER 1.0.15 ----Here is my Malybytes Log.... (it found 12 infections all of which it removed)Malwarebytes' Anti-Malware 1.34Database version: 1749Windows 5.1.2600 Service Pack 23/19/2009 5:10:51 PMMalwarebytes Log FileScan type: Full Scan (C:\|)Objects scanned: 331677Time elapsed: 3 hour(s), 2 minute(s), 30 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 1Registry Values Infected: 3Registry Data Items Infected: 0Folders Infected: 0Files Infected: 8Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c9c42510-9b21-41c1-9dcd-8382a2d07c61} (Trojan.FakeAlert) -> No action taken.Registry Values Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Trojan.Agent) -> No action taken.HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Trojan.Agent) -> No action taken.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> No action taken.Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:C:\Program Files\Common\helper.dll (Trojan.BHO) -> No action taken.C:\WINDOWS\system32\autochk.dll (Trojan.Agent) -> No action taken.C:\Documents and Settings\LocalService.NT AUTHORITY\protect.dll (Trojan.Agent) -> No action taken.C:\Documents and Settings\Steve\protect.dll (Trojan.Agent) -> No action taken.C:\Documents and Settings\Steve\Start Menu\Programs\Startup\ChkDisk.dll (Trojan.Agent) -> No action taken.C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> No action taken.C:\Documents and Settings\Steve\Start Menu\Programs\Startup\ChkDisk.lnk (Trojan.FakeAlert) -> No action taken.C:\WINDOWS\system32\iehelper.dll (Trojan.FakeAlert) -> No action taken.And here is my latest Hijack This log....Logfile of Trend Micro HijackThis v2.0.2Scan saved at 4:25:13 AM, on 3/20/2009Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16608)Boot mode: NormalRunning processes:C:\WINDOWS\system32\csrss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\WINDOWS\system32\nvsvc32.exeC:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exeC:\WINDOWS\System32\HPZipm12.exeC:\Program Files\Spyware Doctor\sdhelp.exeC:\WINDOWS\System32\svchost.exeC:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exeC:\WINDOWS\Explorer.EXEC:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exeC:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exeC:\WINDOWS\System32\alg.exeC:\Program Files\iTunes\iTunesHelper.exeC:\Program Files\Yahoo!\Search Protection\SearchProtection.exeC:\Program Files\Java\jre1.5.0_03\bin\jusched.exeC:\Program Files\Trend Micro\Internet Security 2005\pccguide.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\WinZip\WZQKPICK.EXEC:\Program Files\Logitech\MouseWare\system\em_exec.exeC:\Program Files\iPod\bin\iPodService.exeC:\Documents and Settings\Steve\Desktop\HijackThis.exeC:\WINDOWS\System32\wbem\wmiprvse.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.comcast.net/login?s=portal&am...3D1236860560388R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.netR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htmR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by ComcastR1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0R3 - URLSearchHook: (no name) - {ABE9C052-8DBA-36A6-CB42-D2DD0083434C} - NSYSCPLSTR.dll (file missing)R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dllF2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dllO2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dllO2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dllO2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dllO2 - BHO: {9636d4e2-f0ed-533b-1754-2ed9ba71116e} - {e61117ab-9de2-4571-b335-de0f2e4d6369} - (no file)O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn6\YTSingleInstance.dllO3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dllO4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /serverO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.ExeO4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"O4 - HKLM\..\Run: [nwiz] nwiz.exe /installO4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInitO4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exeO4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exeO4 - HKCU\..\Run: [search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exeO4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exeO4 - HKUS\S-1-5-18\..\Run: [spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\Run: [spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXEO8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htmO8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.htmlO8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htmO8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.htmlO8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.htmlO8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.htmlO8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.htmlO8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htmO8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htmO8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htmO9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dllO9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dllO9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dllO9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dllO15 - Trusted Zone: *.passport.comO16 - DPF: {028518E1-9FA8-44FC-92D7-5C54244B5F36} - http://activex.microsoft.com/objects/ocget.dllO16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cabO16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cabO16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cabO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1237055561203O16 - DPF: {8646A6AF-0AE4-4BF8-B716-DB1513803972} (SFImageUpload1_8.ImageUpload) - http://riteaid.storefront.com/images/globa...geUpload1_8.CABO16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cabO18 - Filter hijack: text/html - {933750af-5c45-45f5-be94-783239a5f0f6} - C:\WINDOWS\system32\mst122.dllO23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeO23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exeO23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exeO23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exeO23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exeO23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exeO23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exeO23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe--End of file - 9475 bytesI am still having an issue with search engine redirects. Link to post Share on other sites More sharing options...
Fatdcuk Posted March 21, 2009 ID:66393 Share Posted March 21, 2009 Hi Steve,Your computer is still infected hence why there is still issue's Ok CLB is still present but at least GMER was able to run for this particular variant.We need to attack 1 file only listed in the GMER report so you will need to follow these instructions to the letter.Open GMER again and allow it to perform full scan.When completed you need to locate the following entry onlyFile C:\WINDOWS\system32\drivers\UACcoihaiqd.sys 65536 bytes executable <-- ROOTKIT !!!** Module/service etc leave well alone as this is the only file and path to attack it from.Highlight the line in GMER and then right click on mouse and select *Kill file*Reboot immediately!Next open MBAM and see if it will update to curent DB= 1880, If it dose then run full scan and post back the log generated.Last steps please repeat the instructions in this post>>>http://www.malwarebytes.org/forums/index.p...ost&p=65563 Link to post Share on other sites More sharing options...
SteveT5195 Posted March 24, 2009 Author ID:66931 Share Posted March 24, 2009 I ran the GMER scan (took 6+ hours - yikes!) and deleted the file.Ran Malwarebytes (updated). Here's the log.Malwarebytes' Anti-Malware 1.34Database version: 1883Windows 5.1.2600 Service Pack 23/23/2009 6:17:46 AMMalwarebytes Log FileScan type: Full Scan (C:\|)Objects scanned: 342307Time elapsed: 2 hour(s), 6 minute(s), 55 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 1Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 5Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> No action taken.Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:C:\Documents and Settings\Steve\Local Settings\Temp\UACc01c.tmp (Rootkit.Agent) -> No action taken.C:\WINDOWS\system32\UACbnringes.dll (Trojan.TDSS) -> No action taken.C:\WINDOWS\system32\UACkjwukfyl.log (Trojan.Agent) -> No action taken.C:\WINDOWS\system32\UACobykotvy.dat (Trojan.Agent) -> No action taken.C:\WINDOWS\system32\UACxaqxfpkk.dll (Trojan.Agent) -> No action taken. Link to post Share on other sites More sharing options...
Fatdcuk Posted March 24, 2009 ID:66936 Share Posted March 24, 2009 Ok i think were getiing somewhere now Hopefully this time Combofix will run so please can you follow the earliar instructions here>>>http://www.malwarebytes.org/forums/index.p...ost&p=65563 Link to post Share on other sites More sharing options...
SteveT5195 Posted March 24, 2009 Author ID:67040 Share Posted March 24, 2009 ComboFix ran BUT it didn't create a log file. The last thing it did was give me a message that it was rebooting windows. However it did indicate that it was deleting files while running.I did run a Malwarebytes scan (quick) and the log file is below. It detected no malware.Malwarebytes' Anti-Malware 1.34Database version: 1883Windows 5.1.2600 Service Pack 22009-03-24 05:14:39mbam-log-2009-03-24 (05-14-39).txtScan type: Quick ScanObjects scanned: 129748Time elapsed: 25 minute(s), 55 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected) Link to post Share on other sites More sharing options...
Fatdcuk Posted March 24, 2009 ID:67052 Share Posted March 24, 2009 Can you please post a new HJT log as i need to see whether Combofix has deleted the following bot ?F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe, Link to post Share on other sites More sharing options...
SteveT5195 Posted March 25, 2009 Author ID:67176 Share Posted March 25, 2009 I ran it and I do not appear to have that file...Here's the log.Logfile of Trend Micro HijackThis v2.0.2Scan saved at 17:03, on 2009-03-24Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16608)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\csrss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Tall Emu\Online Armor\oasrv.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\nvsvc32.exeC:\Program Files\Tall Emu\Online Armor\oacat.exeC:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exeC:\WINDOWS\System32\HPZipm12.exeC:\Program Files\Spyware Doctor\sdhelp.exeC:\WINDOWS\System32\svchost.exeC:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exeC:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exeC:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exeC:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exeC:\WINDOWS\System32\alg.exeC:\Program Files\Yahoo!\Search Protection\SearchProtection.exeC:\WINDOWS\system32\devldr32.exeC:\Program Files\Java\jre1.5.0_03\bin\jusched.exeC:\Program Files\Logitech\MouseWare\system\em_exec.exeC:\Program Files\Tall Emu\Online Armor\oaui.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\WinZip\WZQKPICK.EXEC:\Program Files\Tall Emu\Online Armor\oahlp.exeC:\Documents and Settings\Steve\Desktop\HijackThis.exeC:\WINDOWS\System32\wbem\wmiprvse.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.comcast.net/login?s=portal&am...3D1236860560388R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.netR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htmR1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0R3 - URLSearchHook: (no name) - {ABE9C052-8DBA-36A6-CB42-D2DD0083434C} - NSYSCPLSTR.dll (file missing)R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dllO2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dllO2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dllO2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dllO2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dllO2 - BHO: {9636d4e2-f0ed-533b-1754-2ed9ba71116e} - {e61117ab-9de2-4571-b335-de0f2e4d6369} - (no file)O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn6\YTSingleInstance.dllO3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dllO4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /serverO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.ExeO4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"O4 - HKLM\..\Run: [nwiz] nwiz.exe /installO4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInitO4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exeO4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\CF14418.exe /c C:\ComboFix\Combobatch.batO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exeO4 - HKCU\..\Run: [search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exeO4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exeO4 - HKUS\S-1-5-18\..\Run: [spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\Run: [spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXEO8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htmO8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.htmlO8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htmO8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.htmlO8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.htmlO8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.htmlO8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.htmlO8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htmO8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htmO8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htmO9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dllO9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dllO9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dllO9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dllO15 - Trusted Zone: *.passport.comO16 - DPF: {028518E1-9FA8-44FC-92D7-5C54244B5F36} - http://activex.microsoft.com/objects/ocget.dllO16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cabO16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cabO16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cabO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1237055561203O16 - DPF: {8646A6AF-0AE4-4BF8-B716-DB1513803972} (SFImageUpload1_8.ImageUpload) - http://riteaid.storefront.com/images/globa...geUpload1_8.CABO16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cabO23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeO23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exeO23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oacat.exeO23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exeO23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exeO23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exeO23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exeO23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exeO23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exeO23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe--End of file - 10054 bytes Link to post Share on other sites More sharing options...
Fatdcuk Posted March 25, 2009 ID:67184 Share Posted March 25, 2009 Ok well your log is looking fairly clear now are your search's still being hijacked ?Have HJT fixcheck the following entries only by placing a check in the box next to the relevent lines.R3 - URLSearchHook: (no name) - {ABE9C052-8DBA-36A6-CB42-D2DD0083434C} - NSYSCPLSTR.dll (file missing)O2 - BHO: {9636d4e2-f0ed-533b-1754-2ed9ba71116e} - {e61117ab-9de2-4571-b335-de0f2e4d6369} - (no file)Also i can see from your HJT log that you have older vulnerable version of Java software installed.You will need to uninstall all versions via add/remove control panel and make sure you have only the most recent version installed version 6- Update 13http://java.com/en/download/index.jsp Link to post Share on other sites More sharing options...
SteveT5195 Posted March 25, 2009 Author ID:67340 Share Posted March 25, 2009 Done and done.No, searches appear to be working correctly now.Does this mean I'm clean? Link to post Share on other sites More sharing options...
Fatdcuk Posted March 25, 2009 ID:67504 Share Posted March 25, 2009 Can i see one more log from Updated MBAM quick scan + fresh HJT log before i can sound the all clear Link to post Share on other sites More sharing options...
SteveT5195 Posted March 26, 2009 Author ID:67678 Share Posted March 26, 2009 Will do.I haven't had a chance to update Java yet. Link to post Share on other sites More sharing options...
SteveT5195 Posted March 27, 2009 Author ID:67924 Share Posted March 27, 2009 Here are the logs (I have not installed the Java update yet - it's on my "to do" list)MalwarebytesMalwarebytes' Anti-Malware 1.34Database version: 1883Windows 5.1.2600 Service Pack 22009-03-26 15:46:27mbam-log-2009-03-26 (15-46-27).txtScan type: Quick ScanObjects scanned: 132012Time elapsed: 7 minute(s), 9 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected)HiJack ThisLogfile of Trend Micro HijackThis v2.0.2Scan saved at 16:10, on 2009-03-26Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16608)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\csrss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Tall Emu\Online Armor\oasrv.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\nvsvc32.exeC:\Program Files\Tall Emu\Online Armor\oacat.exeC:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exeC:\WINDOWS\System32\HPZipm12.exeC:\Program Files\Spyware Doctor\sdhelp.exeC:\WINDOWS\System32\svchost.exeC:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exeC:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exeC:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exeC:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exeC:\WINDOWS\System32\alg.exeC:\Program Files\Yahoo!\Search Protection\SearchProtection.exeC:\WINDOWS\system32\devldr32.exeC:\Program Files\Java\jre1.5.0_03\bin\jusched.exeC:\Program Files\Logitech\MouseWare\system\em_exec.exeC:\Program Files\Tall Emu\Online Armor\oaui.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\WinZip\WZQKPICK.EXEC:\Program Files\Tall Emu\Online Armor\oahlp.exeC:\Program Files\iPod\bin\iPodService.exeC:\Program Files\AIM6\aim6.exeC:\Program Files\AIM6\aolsoftware.exeC:\Program Files\Malwarebytes' Anti-Malware\148045142148.exeC:\WINDOWS\system32\NOTEPAD.EXEC:\Documents and Settings\Steve\Desktop\HijackThis.exeC:\WINDOWS\System32\wbem\wmiprvse.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.comcast.net/login?s=portal&am...3D1236860560388R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.netR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htmR1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dllO2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dllO2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dllO2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dllO2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dllO2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn6\YTSingleInstance.dllO3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dllO4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /serverO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.ExeO4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"O4 - HKLM\..\Run: [nwiz] nwiz.exe /installO4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInitO4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exeO4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\CF14418.exe /c C:\ComboFix\Combobatch.batO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exeO4 - HKCU\..\Run: [search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exeO4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exeO4 - HKUS\S-1-5-18\..\Run: [spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\Run: [spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXEO8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htmO8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.htmlO8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htmO8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.htmlO8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.htmlO8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.htmlO8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.htmlO8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htmO8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htmO8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htmO9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dllO9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dllO9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dllO9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dllO15 - Trusted Zone: *.passport.comO16 - DPF: {028518E1-9FA8-44FC-92D7-5C54244B5F36} - http://activex.microsoft.com/objects/ocget.dllO16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cabO16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cabO16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cabO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1237055561203O16 - DPF: {8646A6AF-0AE4-4BF8-B716-DB1513803972} (SFImageUpload1_8.ImageUpload) - http://riteaid.storefront.com/images/globa...geUpload1_8.CABO16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cabO23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeO23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exeO23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oacat.exeO23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exeO23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exeO23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exeO23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exeO23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exeO23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exeO23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe--End of file - 10056 bytes Link to post Share on other sites More sharing options...
Fatdcuk Posted March 27, 2009 ID:68010 Share Posted March 27, 2009 Hi ya Steve,HJT log is looking clear but i'm still concerened that the MBAM log is showing an old DB used.Malwarebytes' Anti-Malware 1.34Database version: 1883In the last 36hrs Version 1.35 was rolled out via check for updates options and we have had a lot of DB updates since 1883.Open MBAM,Goto Updates tab and select "check for updates"Please post back with scan log from quick scan after checking for updates.Thanks in advance Link to post Share on other sites More sharing options...
Recommended Posts