
MalwareBytes Unable to Delete Infected Keys/Files



I've become infected with a rootkit that MalwareBytes seems to only have partially taken care of. I've run several scans now both normally and under WinXP Home's SafeMode. After the scan, MalwareBytes reports on the infected files/keys and says it has marked them for deletion after reboot. After reboot the files/keys remain. I've even tried FileAssassin on the files without success. FileAssassin errors out saying, "FindRemoteFileHandles returned NULL value. This may affect deletion of file. Please report this error to the FileAssassin support team." or simply, "This file could not be deleted!"

Any help/advice would be greatly appreciated!!!

Here are the logs from MalwareBytes and HijackThis:

Malwarebytes' Anti-Malware 1.34

Database version: 1893

Windows 5.1.2600 Service Pack 2

3/24/2009 7:49:49 PM

mbam-log-2009-03-24 (19-49-45).txt

Scan type: Quick Scan

Objects scanned: 102645

Time elapsed: 6 minute(s), 5 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 3

Registry Values Infected: 4

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b09f6159-ea4b-49e7-a8e7-3b9995a6696b} (Trojan.BHO.H) -> No action taken.

HKEY_CLASSES_ROOT\CLSID\{b09f6159-ea4b-49e7-a8e7-3b9995a6696b} (Trojan.BHO.H) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b09f6159-ea4b-49e7-a8e7-3b9995a6696b} (Trojan.Agent) -> No action taken.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> No action taken.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\certcl.dll (Trojan.BHO.H) -> No action taken.

C:\Documents and Settings\John\Local Settings\Temp\smjgpqep.dat (Rootkit.Agent) -> No action taken.

------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:56:44 PM, on 3/24/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\brsvc01a.exe

C:\WINDOWS\system32\brss01a.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

C:\WINDOWS\system32\Brmfrmps.exe

C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

C:\WINDOWS\Explorer.EXE

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\Program Files\nHancer\nHancerService.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\WINDOWS\RTHDCPL.EXE

C:\PROGRA~1\SAFEBO~1\SBEVMON.EXE

C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

C:\Program Files\Common Files\AOL\1206148340\ee\AOLSoftware.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\Program Files\Brother\ControlCenter2\brctrcen.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Winamp\winampa.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\nHancer\nHancer.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe

C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe

C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbbam.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe

c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\NOTEPAD.EXE

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\FileASSASSIN\FileASSASSIN.exe

C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.cnn.com/

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll

O2 - BHO: (no name) - {B09F6159-EA4B-49E7-A8E7-3B9995A6696B} - C:\WINDOWS\system32\certcl.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [sBEVMON.EXE] C:\PROGRA~1\SAFEBO~1\SBEVMON.EXE -WinLogon

O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"

O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1206148340\ee\AOLSoftware.exe

O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [setDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe

O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"

O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [nHancer] "C:\Program Files\nHancer\nHancer.exe" /tray

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe

O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE

O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: http://*.mcafee.com

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab

O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} (Image Uploader Control) - http://preview.evite.com/js/ImageUploader5.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1205988890984

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1205989320312

O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100

O17 - HKLM\System\CCS\Services\Tcpip\..\{3A21731A-5BC9-427F-A29F-97AF9DD2C4B3}: NameServer = 68.87.66.196,68.87.64.196

O23 - Service: McAfee Application Installer Cleanup (0071911237840933) (0071911237840933mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\007191~1.EXE (file missing)

O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe

O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: nHancer Support (nHancer) - KSE - Kornd


Hi and welcome to the MBAM forums :(

Yes, you do have Rootkit.Sentinel on board, and it has a second driver which is not being hit, reinstalling the whole infection every time you reboot.

We will need to locate and identify this driver in order to effect a killshot on this infection!

So, without further ado, please do the following.

Download and install Autoruns.

http://technet.microsoft.com/en-us/sysinte...s/bb963902.aspx

When you first run it, it will generate an extensive listing, and the word "Ready" will appear in the bottom left of the software GUI.

At this point go to Options and place a check (tick) against Verify Code Signatures and Hide Microsoft & Windows Entries. Next, press the F5 button to refresh.

Once the Ready status is shown, go to the File menu, select "Export as", and save the output file as Autoruns.txt.

Can you please then copy and paste the contents of that text file into your next reply for analysis.

Thanks in advance


Yes, you do have Rootkit.Sentinel on board, and it has a second driver which is not being hit, reinstalling the whole infection every time you reboot.

We will need to locate and identify this driver in order to effect a killshot on this infection!

So, without further ado, please do the following.

Download and install Autoruns.

Hi Gill,

Wow! Thanks for the quick response.

Here is the requested log from Autoruns:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

+ Acrobat Assistant 8.0 AcroTray (Verified) Adobe Systems, Incorporated c:\program files\adobe\acrobat 8.0\acrobat\acrotray.exe

+ ControlCenter2.0 ControlCenter2.0 Main Program (Not verified) Brother Industries, Ltd. c:\program files\brother\controlcenter2\brctrcen.exe

+ HostManager AOL (Verified) AOL LLC c:\program files\common files\aol\1206148340\ee\aolsoftware.exe

+ ISUSPM Startup InstallShield Update Service Update Manager (Not verified) InstallShield Software Corporation c:\program files\common files\installshield\updateservice\isuspm.exe

+ ISUSScheduler InstallShield Update Service Scheduler (Not verified) InstallShield Software Corporation c:\program files\common files\installshield\updateservice\issch.exe

+ mcagent_exe McAfee Integrated Security Platform (Verified) McAfee, Inc. c:\program files\mcafee.com\agent\mcagent.exe

+ NeroFilterCheck NeroCheck (Not verified) Nero AG c:\windows\system32\nerocheck.exe

+ nwiz NVIDIA nView Wizard, Version 111.32 (Not verified) NVIDIA Corporation c:\windows\system32\nwiz.exe

+ PDVDDXSrv CyberLink PowerCinema Resident Program (Not verified) CyberLink Corp. c:\program files\cyberlink\powerdvd dx\pdvddxsrv.exe

+ SBEVMON.EXE SafeBoot VDisk Monitor (Not verified) Control Break International c:\program files\safeboot vdisk\sbevmon.exe

+ SetDefPrt BrStDvPt (Not verified) Brother Industories, Ltd. c:\program files\brother\brmfl04a\brstdvpt.exe

+ SunJavaUpdateSched Java Platform SE binary (Verified) Sun Microsystems, Inc. c:\program files\java\jre1.6.0_07\bin\jusched.exe

+ WinampAgent c:\program files\winamp\winampa.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

+ Malwarebytes Anti-Malware (reboot) Malwarebytes' Anti-Malware (Verified) Malwarebytes c:\program files\malwarebytes' anti-malware\mbbam.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup

+ Adobe Gamma Loader.lnk Adobe Gamma Loader (Not verified) Adobe Systems, Inc. c:\program files\common files\adobe\calibration\adobe gamma loader.exe

+ Logitech SetPoint.lnk Logitech SetPoint Event Manager (UNICODE) (Verified) Logitech c:\program files\logitech\setpoint\setpoint.exe

+ Microsoft Office.lnk Microsoft Office 2000 component (Not verified) Microsoft Corporation c:\program files\microsoft office\office\osa9.exe

+ Status Monitor.lnk Status Monitor (Main) (Not verified) Brother Industries, Ltd. c:\program files\brother\brmfcmon\brmfcwnd.exe

+ Symantec Fax Starter Edition Port.lnk Symantec Fax Starter Edition Port Launcher (Not verified) Microsoft Corporation c:\program files\microsoft office\office\1033\olfsnt40.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

+ nHancer nHancer (Not verified) KSE - Kornd


Ok we have a contender :(

The following entry is almost certainly the restoring Sentinel driver:

+ pznnpjkb Microsoft Kernel DRM Audio Descrambler Filter (Not verified) Microsoft Corporation c:\windows\system32\drivers\pznnpjkb.sys

If possible, I will need to inspect the file to confirm 100%, at which point I can give new instructions to MBAM to attack that driver.

Please can you retrieve a copy of pznnpjkb.sys, then zip it up and upload it to a new topic in the following forum so I can take a peek inside of it :D

http://www.malwarebytes.org/forums/index.php?showforum=55

Thanks in advance.

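The triage Ade applies above (an entry whose publisher claims Microsoft but whose signature does not verify, sitting in the drivers directory under a generated-looking name) can be automated over the Autoruns.txt export. The block below is added example code, not from the thread or from Malwarebytes or Sysinternals; it parses lines in the layout of the pasted export and scores each entry on those signals. The sample export is constructed: the "+" lines are copied from the thread, while the Services section header and the mbamswissarmy line are assumed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the layout of the Autoruns.txt export pasted in the thread.
# The "+" lines come from the thread; the Services header and the mbamswissarmy
# line are assumed for illustration.
SAMPLE_EXPORT = r"""HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+ Acrobat Assistant 8.0 AcroTray (Verified) Adobe Systems, Incorporated c:\program files\adobe\acrobat 8.0\acrobat\acrotray.exe
+ ControlCenter2.0 ControlCenter2.0 Main Program (Not verified) Brother Industries, Ltd. c:\program files\brother\controlcenter2\brctrcen.exe
+ nwiz NVIDIA nView Wizard, Version 111.32 (Not verified) NVIDIA Corporation c:\windows\system32\nwiz.exe
+ WinampAgent c:\program files\winamp\winampa.exe
HKLM\System\CurrentControlSet\Services
+ pznnpjkb Microsoft Kernel DRM Audio Descrambler Filter (Not verified) Microsoft Corporation c:\windows\system32\drivers\pznnpjkb.sys
+ mbamswissarmy MBAMSwissArmy (Verified) Malwarebytes c:\windows\system32\drivers\mbamswissarmy.sys
"""

# "+ <entry> <description> (Verified|Not verified) <publisher> <image path>"
SIGNED_RE = re.compile(
    r"^\+ (?P<head>.*?) \((?P<verified>Verified|Not verified)\) "
    r"(?P<publisher>.*?) (?P<path>[A-Za-z]:\\.*)$"
)
# Entries Autoruns exports with no version/signature columns: "+ <entry> <image path>"
UNSIGNED_RE = re.compile(r"^\+ (?P<head>.*?) (?P<path>[A-Za-z]:\\.*)$")


@dataclass
class Entry:
    section: str               # registry key or folder heading the entry sits under
    head: str                  # entry name plus description, as exported
    verified: Optional[bool]   # None when no signature column was printed
    publisher: str
    path: str

    @property
    def stem(self) -> str:
        """File name without directory or extension, e.g. 'pznnpjkb'."""
        return self.path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def parse_export(text: str) -> List[Entry]:
    entries: List[Entry] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not line.startswith("+ "):
            section = line         # a heading line names the autostart location
            continue
        m = SIGNED_RE.match(line)
        if m:
            entries.append(Entry(section, m["head"], m["verified"] == "Verified",
                                 m["publisher"], m["path"]))
            continue
        m = UNSIGNED_RE.match(line)
        if m:
            entries.append(Entry(section, m["head"], None, "", m["path"]))
    return entries


def looks_random(stem: str) -> bool:
    """Crude check for generated names such as pznnpjkb: letters only,
    all lower case, and almost no vowels."""
    if len(stem) < 6 or not stem.isalpha() or not stem.islower():
        return False
    vowels = sum(c in "aeiouy" for c in stem)
    return vowels / len(stem) < 0.2


def score_entry(e: Entry) -> Tuple[int, List[str]]:
    """Score an entry on the signals used in the thread; higher is more suspect."""
    score, reasons = 0, []
    unverified = e.verified is not True
    # With "Hide Microsoft entries" on, a Microsoft-labelled entry is only shown
    # because its signature failed to verify: the strongest signal here.
    if unverified and "microsoft" in e.publisher.lower():
        score += 3
        reasons.append("claims Microsoft but signature does not verify")
    if unverified and "\\drivers\\" in e.path.lower():
        score += 1
        reasons.append("unverified kernel driver")
    if looks_random(e.stem):
        score += 1
        reasons.append("random-looking file name")
    if e.verified is None:
        score += 1
        reasons.append("no publisher/signature information")
    return score, reasons


def triage(text: str, threshold: int = 3) -> List[Tuple[Entry, int, List[str]]]:
    """Return entries scoring at or above the threshold, most suspect first."""
    hits = []
    for e in parse_export(text):
        score, reasons = score_entry(e)
        if score >= threshold:
            hits.append((e, score, reasons))
    return sorted(hits, key=lambda h: -h[1])


if __name__ == "__main__":
    for e, score, reasons in triage(SAMPLE_EXPORT):
        print(f"[{score}] {e.path}\n     under: {e.section}\n     {'; '.join(reasons)}")
```

Run it against a real Autoruns.txt by passing the file contents to triage(); on the constructed sample only the pznnpjkb.sys driver clears the threshold, while the unverified Brother and Winamp entries stay below it.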

Ok we have a contender :(

Please can you retrieve a copy of pznnpjkb.sys, then zip it up and upload it to a new topic in the following forum so I can take a peek inside of it :D

Will do Ade. I'll be back home in a couple hours and get it off to you ASAP.

Thanks again!


I can confirm that is our culprit, and that MBAM will be updated shortly (1898 or 1899) with an attack for this particular driver.

Can you please post back the MBAM quick scan log from a scan after those updates :)

Hi Ade,

I downloaded 1899 and the scan found 5 more infected files, values and keys than it did before. After reboot, I scanned again and it's coming up clean :( You did it!!! (I'll do a full scan just to make sure)

Now, of course, the paranoia comes into play... am I *really* clean??? :( Now I have to ask myself if I should backup important files, reformat, lay down the OS again and try to reinstall/reconfigure everything all over again (ugh!).

At any rate, I owe you a brew, mate. Great job! I can't believe you guys. I'll be purchasing the full version if for no other reason than to show my support for the good work you all do.

Here is the scan log after downloading 1899:

Malwarebytes' Anti-Malware 1.34

Database version: 1899

Windows 5.1.2600 Service Pack 2

3/25/2009 9:21:01 PM

mbam-log-2009-03-25 (21-21-01).txt

Scan type: Quick Scan

Objects scanned: 102207

Time elapsed: 2 minute(s), 13 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 5

Registry Values Infected: 4

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 5

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b09f6159-ea4b-49e7-a8e7-3b9995a6696b} (Trojan.BHO.H) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{b09f6159-ea4b-49e7-a8e7-3b9995a6696b} (Trojan.BHO.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\pznnpjkb (Rootkit.Sentinel) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\pznnpjkb (Rootkit.Sentinel) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pznnpjkb (Rootkit.Sentinel) -> Delete on reboot.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\certcl.dll (Trojan.BHO.H) -> Delete on reboot.

C:\WINDOWS\system32\drivers\orbbtmlf.sys (Rootkit.Sentinel) -> Delete on reboot.

C:\WINDOWS\system32\drivers\pznnpjkb.sys (Rootkit.Sentinel) -> Delete on reboot.

C:\RECYCLER\S-1-5-21-1644491937-1123561945-839522115-1004\Dc165.sys (Rootkit.Sentinel) -> Quarantined and deleted successfully.

C:\Documents and Settings\John\Local Settings\Temp\smjgpqep.dat (Rootkit.Agent) -> Delete on reboot.


Great :(

I love nothing more than ripping this stuff off PCs.

I can't help too much with the paranoia, but a little is healthy when it comes to PC security!

That said, if you want to run a few more diagnostic tools and grab the logs, I will happily review them :(

STEP 01

Please visit this webpage for instructions for downloading ComboFix to your DESKTOP:

Please ensure you read this guide carefully and install the Recovery Console first.

NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder. Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.

Additional links to download the tool:

http://www.forospyware.com/sUBs/ComboFix.exe

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.


That said, if you want to run a few more diagnostic tools and grab the logs, I will happily review them :(

Hi Ade,

I've run ComboFix and am posting its log and the HijackThis log for your review.

Thanks again.

COMBOFIX:

ComboFix 09-03-26.02 - John 2009-03-26 19:13:19.3 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.3326.2796 [GMT -7:00]

Running from: c:\documents and settings\John\Desktop\ComboFix.exe

AV: McAfee VirusScan *On-access scanning disabled* (Updated)

FW: McAfee Personal Firewall *disabled*

.

((((((((((((((((((((((((( Files Created from 2009-02-27 to 2009-03-27 )))))))))))))))))))))))))))))))

.

2009-03-24 23:19 . 2009-03-24 23:25 <DIR> d-------- C:\autorun

2009-03-24 19:21 . 2009-03-24 19:21 552 --a------ c:\windows\system32\d3d8caps.dat

2009-03-24 19:09 . 2009-03-24 19:09 <DIR> d-------- c:\documents and settings\Administrator

2009-03-24 19:04 . 2009-03-24 19:04 <DIR> d-------- c:\program files\FileASSASSIN

2009-03-24 12:22 . 2009-03-24 12:22 <DIR> d-------- c:\documents and settings\John\Application Data\Malwarebytes

2009-03-23 14:44 . 2009-03-25 11:45 <DIR> d-------- c:\temp\temp virus files

2009-03-23 13:53 . 2009-03-26 18:21 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-03-23 13:53 . 2009-03-23 13:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-03-23 13:53 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-03-23 13:53 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-03-23 13:49 . 2009-03-23 13:49 <DIR> d-------- c:\program files\Enigma Software Group

2009-03-23 13:42 . 2009-03-23 13:42 <DIR> d-------- c:\program files\Trend Micro

2009-03-23 05:18 . 2009-03-23 05:18 127 --a------ c:\windows\system32\MRT.INI

2009-03-21 23:06 . 2009-03-21 23:12 <DIR> d-------- C:\downloads

2009-03-21 23:06 . 2009-03-23 00:17 <DIR> d-------- c:\documents and settings\John\Application Data\Orbit

2009-03-21 23:06 . 2009-03-21 23:06 <DIR> d-------- c:\documents and settings\John\Application Data\GrabPro

2009-03-18 22:08 . 2009-03-18 22:08 <DIR> d-------- c:\program files\SmartFTP Client

2009-03-18 22:08 . 2009-03-18 22:08 <DIR> d-------- c:\documents and settings\John\Application Data\SmartFTP

2009-03-18 22:07 . 2009-03-18 22:07 <DIR> d-------- c:\program files\SmartFTP Client 3.0 Setup Files

2009-03-12 17:18 . 2009-03-12 17:19 <DIR> d-------- c:\program files\Broadcast Analyzer

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-03-27 01:43 --------- d-----w c:\program files\Common Files\Akamai

2009-03-26 10:30 --------- d-----w c:\program files\SyncBack

2009-03-26 06:23 --------- d-----w c:\program files\nbpro

2009-03-25 01:05 --------- d-----w c:\program files\Spybot - Search & Destroy

2009-03-24 20:16 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater

2009-03-23 21:12 --------- d-----w c:\program files\McAfee

2009-03-23 20:38 --------- d-----w c:\program files\BOINC

2009-03-23 20:35 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-03-22 20:29 --------- d-----w c:\program files\GameSpy Arcade

2009-03-09 16:38 --------- d-----w c:\program files\WinMX

2009-03-05 17:44 --------- d-----w c:\program files\Microsoft Silverlight

2009-02-15 19:21 --------- d-----w c:\documents and settings\Guest\Application Data\Viewpoint

2009-02-15 19:20 --------- d-----w c:\documents and settings\Guest\Application Data\AOL

2009-02-15 00:51 --------- d-----w c:\documents and settings\All Users\Application Data\AOL

2009-02-09 10:19 1,846,272 ----a-w c:\windows\system32\win32k.sys

1998-12-09 02:53 99,840 ----a-w c:\program files\Common Files\IRAABOUT.DLL

1998-12-09 02:53 70,144 ----a-w c:\program files\Common Files\IRAMDMTR.DLL

1998-12-09 02:53 48,640 ----a-w c:\program files\Common Files\IRALPTTR.DLL

1998-12-09 02:53 31,744 ----a-w c:\program files\Common Files\IRAWEBTR.DLL

1998-12-09 02:53 186,368 ----a-w c:\program files\Common Files\IRAREG.DLL

1998-12-09 02:53 17,920 ----a-w c:\program files\Common Files\IRASRIAL.DLL

2006-12-08 02:34 8 --sha-r c:\windows\neoqaz2.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-03-19 68856]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

"nHancer"="c:\program files\nHancer\nHancer.exe" [2007-10-31 1519616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]

"SBEVMON.EXE"="c:\progra~1\SAFEBO~1\SBEVMON.EXE" [2003-06-03 176128]

"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 624248]

"HostManager"="c:\program files\Common Files\AOL\1206148340\ee\AOLSoftware.exe" [2007-05-25 42032]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2008-07-11 641208]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]

"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

"SetDefPrt"="c:\program files\Brother\Brmfl04a\BrStDvPt.exe" [2004-05-25 49152]

"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2004-07-20 851968]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]

"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-03 36352]

"RTHDCPL"="RTHDCPL.EXE" [2007-05-28 c:\windows\RTHDCPL.exe]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-11-29 c:\windows\KHALMNPR.Exe]

"nwiz"="nwiz.exe" [2007-12-05 c:\windows\system32\nwiz.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-03-21 113664]

Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-03-25 789008]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]

Status Monitor.lnk - c:\program files\Brother\Brmfcmon\BrMfcWnd.exe [2008-03-28 815104]

Symantec Fax Starter Edition Port.lnk - c:\program files\Microsoft Office\Office\1033\OLFSNT40.EXE [1998-12-23 45568]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]

2008-01-09 12:30 72208 c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe"=

"c:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe"=

"c:\\Program Files\\Common Files\\aol\\1206148340\\ee\\aolsoftware.exe"=

"c:\\Program Files\\AOL 9.1\\waol.exe"=

"c:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe"=

"c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=

"c:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"9420:TCP"= 9420:TCP:Akamai NetSession Interface

"5000:UDP"= 5000:UDP:Akamai NetSession Interface

"4151:TCP"= 4151:TCP:Akamai NetSession Interface

"4158:TCP"= 4158:TCP:Akamai NetSession Interface

"1279:TCP"= 1279:TCP:Akamai NetSession Interface

"1464:TCP"= 1464:TCP:Akamai NetSession Interface

"1472:TCP"= 1472:TCP:Akamai NetSession Interface

"3257:TCP"= 3257:TCP:Akamai NetSession Interface

"3162:TCP"= 3162:TCP:Akamai NetSession Interface

"3176:TCP"= 3176:TCP:Akamai NetSession Interface

"4273:TCP"= 4273:TCP:Akamai NetSession Interface

"4316:TCP"= 4316:TCP:Akamai NetSession Interface

"2656:TCP"= 2656:TCP:Akamai NetSession Interface

"2678:TCP"= 2678:TCP:Akamai NetSession Interface

"2691:TCP"= 2691:TCP:Akamai NetSession Interface

"2934:TCP"= 2934:TCP:Akamai NetSession Interface

"1426:TCP"= 1426:TCP:Akamai NetSession Interface

"3182:TCP"= 3182:TCP:Akamai NetSession Interface

"1294:TCP"= 1294:TCP:Akamai NetSession Interface

"1628:TCP"= 1628:TCP:Akamai NetSession Interface

"1109:TCP"= 1109:TCP:Akamai NetSession Interface

"1150:TCP"= 1150:TCP:Akamai NetSession Interface

"1554:TCP"= 1554:TCP:Akamai NetSession Interface

"1782:TCP"= 1782:TCP:Akamai NetSession Interface

"1791:TCP"= 1791:TCP:Akamai NetSession Interface

"1989:TCP"= 1989:TCP:Akamai NetSession Interface

"2248:TCP"= 2248:TCP:Akamai NetSession Interface

"1110:TCP"= 1110:TCP:Akamai NetSession Interface

"2260:TCP"= 2260:TCP:Akamai NetSession Interface

"2981:TCP"= 2981:TCP:Akamai NetSession Interface

"3169:TCP"= 3169:TCP:Akamai NetSession Interface

R0 SBAlg01;SBAlg01;c:\windows\system32\drivers\sbalg01.sys [2002-02-08 7504]

R0 SBAlg12;SBAlg12;c:\windows\system32\drivers\sbalg12.sys [2002-02-08 44688]

R0 SbEncVol;SbEncVol;c:\windows\system32\drivers\sbencvol.sys [2003-06-03 35988]

R2 Akamai;Akamai;c:\windows\System32\svchost.exe -k Akamai [2004-08-04 14336]

S2 0071911237840933mcinstcleanup;McAfee Application Installer Cleanup (0071911237840933);c:\windows\TEMP\007191~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\007191~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

Akamai REG_MULTI_SZ Akamai

.

Contents of the 'Scheduled Tasks' folder

2009-03-27 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-25 14:17]

2009-03-15 c:\windows\Tasks\McDefragTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-07-09 18:10]

2009-03-26 c:\windows\Tasks\SyncBack Broadcast music archive.job

- c:\program files\SyncBack\SyncBack.exe [2006-02-24 12:07]

2009-03-23 c:\windows\Tasks\SyncBack Critical Data Backup.job

- c:\program files\SyncBack\SyncBack.exe [2006-02-24 12:07]

.

- - - - ORPHANS REMOVED - - - -

WebBrowser-{71FE276A-28E3-442B-A524-B3D6530FBD78} - (no file)

.

------- Supplementary Scan -------

.

uStart Page = www.cnn.com/

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

Trusted Zone: internet

Trusted Zone: mcafee.com

Trusted Zone: turbotax.com

TCP: {3A21731A-5BC9-427F-A29F-97AF9DD2C4B3} = 68.87.66.196,68.87.64.196

FF - ProfilePath - c:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\1tq31uhb.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.slate.com

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://*.mcafee.com

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab

O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} (Image Uploader Control) - http://preview.evite.com/js/ImageUploader5.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1205988890984

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1205989320312

O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100

O17 - HKLM\System\CCS\Services\Tcpip\..\{3A21731A-5BC9-427F-A29F-97AF9DD2C4B3}: NameServer = 68.87.66.196,68.87.64.196

O23 - Service: McAfee Application Installer Cleanup (0071911237840933) (0071911237840933mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\007191~1.EXE (file missing)

O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe

O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: nHancer Support (nHancer) - KSE - Kornd
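The log excerpt above is the kind of thing a forum helper reads by eye: the Windows Firewall standard-profile policy (EnableFirewall, the AuthorizedApplications list, the GloballyOpenPorts list), the O17 NameServer override and the O23 service entries. The following Python script is an added example, not code from the thread or from ComboFix, HijackThis or Malwarebytes. It reads lines in exactly the shape posted above (the SAMPLE_LOG inside it is constructed for the example, patterned on the posted lines) and raises the findings a helper checks first: the firewall switched off for a profile, every globally open port (each one is an inbound allow rule, here the Akamai NetSession entries), a service whose binary is missing or runs from a TEMP directory, and an O17 DNS override that does not match the resolvers the caller says the machine should use. The rule names, severities and the `expected_dns` parameter are this example's own assumptions; whether 68.87.66.196 and 68.87.64.196 are the right resolvers for this machine is something the caller has to know.

```python
"""Triage of ComboFix / HijackThis style log lines.

Added example for this thread, not part of any of the tools whose output is
quoted above. Rule names, severities and the expected_dns argument are
assumptions made for the example.
"""
import re
from collections import Counter, namedtuple

Finding = namedtuple("Finding", "severity rule detail")

# Constructed sample, shaped like the lines in the post above (not the real log).
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9420:TCP"= 9420:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
O17 - HKLM\System\CCS\Services\Tcpip\..\{3A21731A-5BC9-427F-A29F-97AF9DD2C4B3}: NameServer = 68.87.66.196,68.87.64.196
O23 - Service: McAfee Application Installer Cleanup (0071911237840933) (0071911237840933mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\007191~1.EXE (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
"""

SECTION = re.compile(r"^\[(.+)\]$")                      # [HKLM\...] registry header
FIREWALL_OFF = re.compile(r'^"EnableFirewall"=\s*0\b')   # value 0 = profile firewall off
OPEN_PORT = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(.*)$')
O17_DNS = re.compile(r"^O17 - .*NameServer = (.+)$")
O23_SVC = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")  # name - owner - binary


def triage(log_text, expected_dns=()):
    """Return the Findings a helper would raise first from a log excerpt.

    expected_dns: resolvers the machine is supposed to use (supplied by the
    caller, e.g. the ISP's). An O17 entry pointing elsewhere is flagged; with
    no list given the override is only reported for manual checking.
    """
    findings = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION.match(line)
        if m:
            section = m.group(1).lower()      # track which registry key we are under
            continue
        if "firewallpolicy" in section and FIREWALL_OFF.match(line):
            profile = section.split("firewallpolicy\\", 1)[1].split("\\", 1)[0]
            findings.append(Finding("high", "firewall_disabled",
                                    "Windows Firewall off for %s" % profile))
            continue
        m = OPEN_PORT.match(line) if section.endswith("globallyopenports\\list") else None
        if m:
            findings.append(Finding("medium", "open_port", "inbound %s/%s allowed: %s"
                                    % (m.group(1), m.group(2), m.group(3).strip())))
            continue
        m = O17_DNS.match(line)
        if m:
            servers = {s.strip() for s in m.group(1).split(",")}
            unexpected = servers - set(expected_dns)
            if expected_dns and unexpected:
                findings.append(Finding("high", "dns_unexpected", "NameServer override to %s"
                                        % ", ".join(sorted(unexpected))))
            elif not expected_dns:
                findings.append(Finding("info", "dns_override",
                                        "NameServer set to %s; confirm these are the ISP's"
                                        % ", ".join(sorted(servers))))
            continue
        m = O23_SVC.match(line)
        if m:
            name, owner, binary = m.groups()
            if "(file missing)" in binary:
                findings.append(Finding("medium", "service_missing",
                                        "%s: binary missing (%s)" % (name, binary)))
            if "\\temp\\" in binary.lower():    # a service started from %TEMP% is never normal
                findings.append(Finding("high", "service_in_temp",
                                        "%s runs from a TEMP directory: %s" % (name, binary)))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 2, 'medium': 3}."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, expected_dns={"68.87.66.196", "68.87.64.196"}):
        print("%-6s %-17s %s" % (f.severity, f.rule, f.detail))
```

On the sample this reports the firewall off for standardprofile, the two open ports, and two findings for the McAfee cleanup service (missing binary, and a binary under C:\WINDOWS\TEMP); the O17 entry is silent because the resolvers passed in match. Run it over a full saved log with no `expected_dns` to get the DNS override listed for a manual check instead.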


Hi ya,

Well both the logs are looking good to go :(

Here's some handy reading: the Prevention page, with lots of info and tips on how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Safe surfing :(
