
Malwarebytes won't install at all!!



I am near to tears. My computer is my work and my life. I couldn't get Malwarebytes to run. And now I can't even get it to install. Please help. My anti-virus shows nothing. But suddenly I have 60 processes running. I don't know much about computers. But I do know that something is very very wrong. Please help!


Download and Run HijackThis

Download HJTInstall.exe to your Desktop.

* Double-click HJTInstall.exe to install it.

* By default it will install to C:\Program Files\Trend Micro\HijackThis .

* Click on Install.

* It will create a HijackThis icon on the desktop.

* Once installed, it will launch Hijackthis.

* Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.

* Copy/Paste the log to your next reply please.

Don't use the Analyse This button; its findings are dangerous if misinterpreted.

Don't have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

Please post a new HJT log.


Thank you. Here is the HijackThis file:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:45:23 PM, on 4/1/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\Program Files\CyberLink\Shared files\RichVideo.exe

C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\providerComcast\bin\tgsrvc.exe

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Dell\Media Experience\DMXLauncher.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe

C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Internet Explorer\Iexplore.exe

C:\Documents and Settings\Raven\Desktop\HJTInstall.exe

C:\Documents and Settings\Raven\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://*.mcafee.com

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe (file missing)

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)

O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe

O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe

O23 - Service: SupportSoft Repair Service (providercomcast) (tgsrvc_providercomcast) - SupportSoft, Inc. - C:\Program Files\providerComcast\bin\tgsrvc.exe

O23 - Service: WLANKEEPER - Intel


Welcome to the Malwarebytes forums.

My name is Dan, and I will be helping you to remove any infection(s) that you may have.

Please note that all instructions given are customised for this computer only; the tools used may cause damage if used on a computer with different infections.

Please observe these rules while we work:

  • Perform all actions in the order given.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Stick with it till you're given the all clear.
  • REMEMBER, ABSENCE OF SYMPTOMS DOES NOT MEAN THE INFECTION IS ALL GONE.

If you can do these things, everything should go smoothly.

  • Please note you'll need to have Administrator privileges to perform the fixes. (XP accounts are Administrator by default.)
  • Please let me know if you are using a computer with multiple accounts, as this can affect the instructions given.

Unless informed in advance, failure to post replies within 5 days will result in this thread being closed.

It may be helpful to you to print out or take a copy of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Installed Programs

Please could you give me a list of the programs that are installed?

  • Start HijackThis
  • Click on the Misc Tools button
  • Click on the Open Uninstall Manager button.

You will see a list of the programs installed on your computer.

Click on the Save List button and specify where you would like to save this file.

When you press the Save button, Notepad will open with the contents of that file.

Simply copy and paste the contents of that notepad into your next post.

I'm seeing traces of Norton. Was this a previous anti-virus program you were running, as I see you run McAfee?

Are you still with AOL?

I'm presently looking over your log and hope not to be too long.

Will be back with you as soon as I can.

Thanks, Dan

Hi Dan,

My name is Raven. Here is the list you asked for. I am still with AOL. I don't use it frequently, but our family still has an account. So I guess I can delete whatever. It won't bother me. I usually only use it when I am down at my parents. I did have Norton before I had McAfee. I prefer McAfee. Did I not uninstall Norton all of the way? Thank you for all of your help.

Adobe Bridge 1.0

Adobe Common File Installer

Adobe Flash Player 10 ActiveX

Adobe Flash Player 10 Plugin

Adobe Help Center 1.0

Adobe Photoshop CS2

Adobe Reader 7.0.9

Adobe Shockwave Player

Adobe Stock Photos 1.0

AOL Deskbar

AOLIcon

Apple Software Update

Banctec Service Agreement

Blackhawk Striker 2

Bonjour

Broadcom Management Programs

Canon Camera Support Core Library

Canon Camera Window DS for ZoomBrowser EX

Canon Camera Window DVC for ZoomBrowser EX

Canon Camera Window for ZoomBrowser EX

Canon MovieEdit Task for ZoomBrowser EX

Canon PhotoRecord

Canon RAW Image Task for ZoomBrowser EX

Canon RemoteCapture Task for ZoomBrowser EX

Canon Utilities PhotoStitch 3.1

Canon ZoomBrowser EX

Chuzzle Deluxe 1.0

Comcast High-Speed Internet Install Wizard

Comcast Toolbar

Comcast User Setup

Compatibility Pack for the 2007 Office system

Conexant HDA D110 MDC V.92 Modem

ContextTool

dBpowerAMP Mp4 Codec

dBpowerAMP WMA V9.1 Codec

Dell CinePlayer

Dell Driver Reset Tool

Dell Game Console

Dell Support 3.1

Desktop Doctor

Digital Line Detect

EarthLink setup files

ELIcon

GemMaster Mystic

Get High Speed Internet!

Google Desktop

Google Toolbar for Internet Explorer

GTOneCare

HijackThis 2.0.2

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB961118)

Intel® Graphics Media Accelerator Driver for Mobile

Intel® PROSet/Wireless Software

Internal Network Card Power Management

iTunes

J2SE Runtime Environment 5.0 Update 7

Java 2 Runtime Environment, SE v1.4.2_03

Java 6 Update 12

Learn2 Player (Uninstall Only)

LimeWire 5.0.11

McAfee SecurityCenter

mCore

mDriver

mDrWiFi

mGina

mHlpDell

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Hotfix (KB928366)

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft .NET Framework 3.5 SP1

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft National Language Support Downlevel APIs

Microsoft Office Standard Edition 2003

Microsoft Plus! Digital Media Edition Installer

Microsoft Plus! Photo Story 2 LE

Microsoft Silverlight

Microsoft Visual C++ 2005 Redistributable

mIWA

mIWCA

mLogView

mMHouse

Modem Helper

Mozilla Firefox (3.0.8)

mPfMgr

mPfWiz

mProSafe

mSSO

MSXML 4.0 SP2 (KB925672)

MSXML 4.0 SP2 (KB927978)

MSXML 4.0 SP2 (KB936181)

MSXML 4.0 SP2 (KB954430)

MSXML 6.0 Parser (KB933579)

mToolkit

Musicmatch for Windows Media Player

mWlsSafe

mXML

mZConfig

NetWaiting

NetZeroInstallers

PowerDVD

PX Engine

QuickSet

QuickTime

RealPlayer

Roxio DLA

Roxio MyDVD LE

Roxio RecordNow Audio

Roxio RecordNow Copy

Roxio RecordNow Data

Roxio Update Manager

Search Assist

Secure Game Player

Security Update for CAPICOM (KB931906)

Security Update for CAPICOM (KB931906)

Security Update for Microsoft .NET Framework 2.0 (KB928365)

Security Update for Windows Internet Explorer 7 (KB938127-v2)

Security Update for Windows Internet Explorer 7 (KB961260)

Security Update for Windows Media Player 10 (KB936782)

Security Update for Windows XP (KB923689)

Security Update for Windows XP (KB938464)

Security Update for Windows XP (KB938464-v2)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951698)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB954211)

Security Update for Windows XP (KB954600)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956841)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958687)

Security Update for Windows XP (KB958690)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960715)

Sonic Activation Module

Sonic Encoders

Synaptics Pointing Device Driver

Tradewinds

Update for Windows XP (KB951978)

Update for Windows XP (KB955839)

Update for Windows XP (KB967715)

Update Rollup 2 for Windows XP Media Center Edition 2005

URL Assistant

Viewpoint Media Player

WebCyberCoach 3.2 Dell

Windows Media Format 11 runtime

Windows Media Format Runtime

Windows Media Player 10

Windows Media Player 11

Windows Media Player 11

Windows Media Player Firefox Plugin

Windows Presentation Foundation

Windows XP Media Center Edition 2005 KB908246

Windows XP Service Pack 3

WinPatrol

WinRAR archiver


We can leave AOL if you use it at your parents'. I was just tying up loose ends, as I see you use Comcast.

Please note, these tools will remove all applications belonging to the relevant company.

Remove Norton

Please click HERE and follow the instructions to download and run the Norton Removal Tool.

Optional Fix

I see that Viewpoint is installed. Viewpoint, Viewpoint Manager and Viewpoint Media Player are Viewpoint components which are installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). Viewpoint Manager is responsible for managing and updating Viewpoint Media Player.

I took the first steps to uninstall Norton, however it said this and I didn't know how to answer:

You may need your Product Key when you reinstall your Norton product. To be safe, follow the steps for your product to be sure that you have your Product Key if it is needed.

The steps differ depending on what product you have.

Choose your product:

* I have a Norton product that was purchased from my service provider

* I have Norton 360 Version 3.0

* I have Norton 360

* I have a Norton 2009 product

* I have Norton SystemWorks 12.0

* I have a Norton 2008 product

* I have a Norton 2007 product

* I have a Norton 2006 product

* I have a Norton 2005 or 2004 product

* I have a Norton 2003 product

* I have Norton Ghost or Norton Save & Restore

* I have pcAnywhere or WinFax

I don't know which product I have. What next?


I finished the other steps. No. I had Trend Micro PC-cillin when I bought the puter. Then McAfee, then AVG, then Norton, now back to McAfee. Here is your new scan. The last tool, the one that runs a working link to Malwarebytes, says it is not installed on my computer. The Malwarebytes program won't open, nor will the installer.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 5:51:31 PM, on 4/1/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\Program Files\CyberLink\Shared files\RichVideo.exe

C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\providerComcast\bin\tgsrvc.exe

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Dell\Media Experience\DMXLauncher.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe

C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Documents and Settings\Raven\Desktop\mbam-setup.exe

C:\Program Files\Internet Explorer\Iexplore.exe

C:\Documents and Settings\Raven\Desktop\mbam-setup.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Raven\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0

O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll

O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [showLOMControl]

O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE

O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe

O4 - HKLM\..\Run: [intelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless

O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe

O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe (file missing)

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)

O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe

O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe

O23 - Service: SupportSoft Repair Service (providercomcast) (tgsrvc_providercomcast) - SupportSoft, Inc. - C:\Program Files\providerComcast\bin\tgsrvc.exe

O23 - Service: WLANKEEPER - Intel
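As an added example (not part of this thread, and not HijackThis's own code), here is a small Python parser for the log format posted above, the first log and this second one alike. It splits a log into the running-process list and the coded entries (R0/R1, O2, O4, O23 and so on) and pulls out the items a helper reads first: O23 services whose file is reported missing, O4 autostart values with no command behind them, and the O20 AppInit_DLLs list. The sample log embedded in the block is constructed from a handful of lines in the shape of the logs above; it is not the full log, and the parser makes no judgement about which entries are good or bad.

```python
import re
from collections import Counter

# Constructed sample: a few lines in the HijackThis v2.0.2 log format, taken from
# the shape of the logs posted in this thread (not the whole log).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:51:31 PM, on 4/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [showLOMControl]
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
"""

# One HijackThis entry: a section code (R0, R1, O2, O4, O23, ...), " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.*)$")
# O23 body: "Service: <display name> - <owner> - <path>[ (file missing)]"
SERVICE_RE = re.compile(
    r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")
# O4 body: "HKLM\..\Run: [<value name>] <command>" (the command may be empty)
RUN_RE = re.compile(
    r"^(?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<value>[^\]]*)\]\s*(?P<command>.*)$")


def _parse_entry(code, body):
    """Build a dict for one entry, adding parsed fields for the codes we care about."""
    entry = {"code": code, "body": body}
    if code == "O23":
        m = SERVICE_RE.match(body)
        if m:
            entry.update(name=m.group("name"), owner=m.group("owner"),
                         path=m.group("path"), file_missing=m.group("missing") is not None)
    elif code == "O4":
        m = RUN_RE.match(body)
        if m:
            entry.update(hive=m.group("hive"), key=m.group("key"),
                         value=m.group("value"), command=m.group("command"))
    elif code == "O20" and body.startswith("AppInit_DLLs:"):
        dlls = body[len("AppInit_DLLs:"):]
        entry["dlls"] = [d.strip() for d in dlls.split(",") if d.strip()]
    return entry


def parse_hjt(text):
    """Split a HijackThis log into (running_processes, entries).

    Lines after "Running processes:" are taken as process paths until the first
    section entry; blank lines are ignored, so a log pasted with extra spacing
    (as in the thread above) still parses.
    """
    processes, entries, in_processes = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False
            entries.append(_parse_entry(m.group("code"), m.group("body")))
        elif in_processes:
            processes.append(line)
    return processes, entries


def section_counts(entries):
    """How many entries each section code has: a quick shape of the log."""
    return Counter(e["code"] for e in entries)


def missing_services(entries):
    """Registered services whose executable HijackThis could not find (leftover registrations)."""
    return [e["name"] for e in entries if e["code"] == "O23" and e.get("file_missing")]


def empty_run_values(entries):
    """Autostart (O4) values with no command; typically uninstall leftovers, worth checking."""
    return [e["value"] for e in entries if e["code"] == "O4" and e.get("command") == ""]


def appinit_dlls(entries):
    """DLLs listed under AppInit_DLLs (O20); these load into every process that loads user32.dll."""
    return [d for e in entries if e["code"] == "O20" for d in e.get("dlls", [])]
```

Run against the sample, `missing_services` returns the two "(file missing)" services (the AOL and Symantec leftovers also present in the real log above), `empty_run_values` returns `showLOMControl`, and `section_counts` gives the per-section tally. The `(file missing)` flag is HijackThis's own wording, so the regex keys on it exactly.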


What year did you get the PC?

  • Please create a BOOTLOG
  • Restart the computer and press F8 when Windows start booting. This will bring up the startup options.
  • Select "Enable Boot Logging" option and press enter.
  • Windows prompts you to select a Windows Installation (even if there is only one windows installation)
  • This boots windows normally and creates a boot log named ntbtlog.txt and saves it to C:\Windows
    If you're already running inside Windows you can enable it the following way.
  • Click on START - RUN and type in MSCONFIG, go to the BOOT.INI tab and place a check mark by /BOOTLOG
  • Click on OK and you will be prompted to RESTART Windows. Please do restart now.
  • After Windows restarts open the file C:\Windows\ntbtlog.txt with Notepad
  • From the Edit menu choose Select All then Edit, COPY and post that back on your next reply.
  • If the file is over about 150 lines or so then DELETE the C:\Windows\ntbtlog.txt file and restart the computer and post the NEW one it creates.
  • Note: Vista users can type in the Search and it will show on the menu, then right-click and choose Run as Administrator
  • The tab is called BOOT on Vista. Then choose Boot log

RootRepeal - Rootkit Detector

  • Please download the following tool: RootRepeal - Rootkit Detector
  • Direct download link is here: RootRepeal.rar
  • If you don't already have a program to open a .RAR compressed file you can download a trial version from here: WinRAR
  • Extract the program file to a new folder such as C:\RootRepeal
  • Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button
  • Select ALL of the checkboxes and then click OK and it will start scanning your system.
  • If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
  • When done, click on Save Report
  • Save it to the same location where you ran it from, such as C:\RootRepeal
  • Save it as your_name_rootrepeal.txt - where your_name is your forum name
  • This makes it easier to track who the log belongs to.
  • Then open that log and select all and copy/paste it back on your next reply please.
  • Quit the RootRepeal program.

Post the logs


OK, I hope I did this right. First off, here is the ntbtlog:

Service Pack 3 4 1 2009 19:55:49.500

Loaded driver \WINDOWS\system32\ntkrnlpa.exe

Loaded driver \WINDOWS\system32\hal.dll

Loaded driver \WINDOWS\system32\KDCOM.DLL

Loaded driver \WINDOWS\system32\BOOTVID.dll

Loaded driver ACPI.sys

Loaded driver \WINDOWS\system32\DRIVERS\WMILIB.SYS

Loaded driver pci.sys

Loaded driver isapnp.sys

Loaded driver ohci1394.sys

Loaded driver \WINDOWS\system32\DRIVERS\1394BUS.SYS

Loaded driver compbatt.sys

Loaded driver \WINDOWS\system32\DRIVERS\BATTC.SYS

Loaded driver pciide.sys

Loaded driver \WINDOWS\system32\DRIVERS\PCIIDEX.SYS

Loaded driver intelide.sys

Loaded driver MountMgr.sys

Loaded driver ftdisk.sys

Loaded driver dmload.sys

Loaded driver dmio.sys

Loaded driver PartMgr.sys

Loaded driver VolSnap.sys

Loaded driver atapi.sys

Loaded driver cercsr6.sys

Loaded driver \WINDOWS\System32\Drivers\SCSIPORT.SYS

Loaded driver disk.sys

Loaded driver \WINDOWS\system32\DRIVERS\CLASSPNP.SYS

Loaded driver fltmgr.sys

Loaded driver sr.sys

Loaded driver DRVMCDB.SYS

Loaded driver PxHelp20.sys

Loaded driver KSecDD.sys

Loaded driver WudfPf.sys

Loaded driver Ntfs.sys

Loaded driver NDIS.sys

Loaded driver sbp2port.sys

Loaded driver Mup.sys

Loaded driver \SystemRoot\system32\DRIVERS\intelppm.sys

Loaded driver \SystemRoot\system32\DRIVERS\CmBatt.sys

Loaded driver \SystemRoot\system32\DRIVERS\ialmnt5.sys

Loaded driver \SystemRoot\system32\DRIVERS\HDAudBus.sys

Loaded driver \SystemRoot\system32\DRIVERS\usbuhci.sys

Loaded driver \SystemRoot\system32\DRIVERS\usbehci.sys

Loaded driver \SystemRoot\system32\DRIVERS\bcm4sbxp.sys

Loaded driver \SystemRoot\system32\DRIVERS\sdbus.sys

Loaded driver \SystemRoot\system32\DRIVERS\rimmptsk.sys

Loaded driver \SystemRoot\system32\DRIVERS\rimsptsk.sys

Loaded driver \SystemRoot\system32\DRIVERS\rixdptsk.sys

Loaded driver \SystemRoot\system32\DRIVERS\i8042prt.sys

Loaded driver \SystemRoot\system32\DRIVERS\SynTP.sys

Loaded driver \SystemRoot\system32\DRIVERS\mouclass.sys

Loaded driver \SystemRoot\system32\DRIVERS\kbdclass.sys

Loaded driver \SystemRoot\system32\DRIVERS\imapi.sys

Loaded driver \SystemRoot\System32\Drivers\DLACDBHM.SYS

Loaded driver \SystemRoot\system32\DRIVERS\cdrom.sys

Loaded driver \SystemRoot\system32\DRIVERS\redbook.sys

Loaded driver \SystemRoot\System32\Drivers\GEARAspiWDM.sys

Loaded driver \SystemRoot\system32\DRIVERS\iwca.sys

Loaded driver \SystemRoot\system32\DRIVERS\audstub.sys

Loaded driver \SystemRoot\system32\DRIVERS\rasl2tp.sys

Loaded driver \SystemRoot\system32\DRIVERS\ndistapi.sys

Loaded driver \SystemRoot\system32\DRIVERS\ndiswan.sys

Loaded driver \SystemRoot\system32\DRIVERS\raspppoe.sys

Loaded driver \SystemRoot\system32\DRIVERS\raspptp.sys

Loaded driver \SystemRoot\system32\DRIVERS\msgpc.sys

Loaded driver \SystemRoot\system32\DRIVERS\psched.sys

Loaded driver \SystemRoot\system32\DRIVERS\ptilink.sys

Loaded driver \SystemRoot\system32\DRIVERS\raspti.sys

Loaded driver \SystemRoot\system32\DRIVERS\rdpdr.sys

Loaded driver \SystemRoot\system32\DRIVERS\termdd.sys

Loaded driver \SystemRoot\system32\DRIVERS\swenum.sys

Loaded driver \SystemRoot\system32\DRIVERS\update.sys

Loaded driver \SystemRoot\system32\DRIVERS\mssmbios.sys

Loaded driver \SystemRoot\System32\Drivers\NDProxy.SYS

Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS

Loaded driver \SystemRoot\system32\drivers\sthda.sys

Loaded driver \SystemRoot\system32\DRIVERS\HSFHWAZL.sys

Loaded driver \SystemRoot\system32\DRIVERS\HSF_DPV.sys

Loaded driver \SystemRoot\system32\DRIVERS\HSF_CNXT.sys

Loaded driver \SystemRoot\System32\Drivers\Modem.SYS

Loaded driver \SystemRoot\system32\DRIVERS\usbhub.sys

Did not load driver \SystemRoot\System32\Drivers\lbrtfdc.SYS

Did not load driver \SystemRoot\System32\Drivers\Sfloppy.SYS

Loaded driver \SystemRoot\System32\Drivers\i2omgmt.SYS

Did not load driver \SystemRoot\System32\Drivers\Changer.SYS

Did not load driver \SystemRoot\System32\Drivers\Cdaudio.SYS

Loaded driver \SystemRoot\System32\Drivers\Fs_Rec.SYS

Loaded driver \SystemRoot\System32\Drivers\Null.SYS

Loaded driver \SystemRoot\System32\Drivers\Beep.SYS

Loaded driver \SystemRoot\System32\Drivers\DLARTL_N.SYS

Loaded driver \SystemRoot\System32\drivers\vga.sys

Loaded driver \SystemRoot\System32\Drivers\mnmdd.SYS

Loaded driver \SystemRoot\System32\DRIVERS\RDPCDD.sys

Loaded driver \SystemRoot\System32\Drivers\Msfs.SYS

Loaded driver \SystemRoot\System32\Drivers\Npfs.SYS

Loaded driver \systemroot\system32\drivers\UACpwvyeppf.sys

Loaded driver \SystemRoot\system32\DRIVERS\rasacd.sys

Loaded driver \SystemRoot\system32\DRIVERS\ipsec.sys

Loaded driver \SystemRoot\system32\DRIVERS\tcpip.sys

Loaded driver \SystemRoot\system32\DRIVERS\ipfltdrv.sys

Loaded driver \SystemRoot\System32\Drivers\Mpfp.sys

Loaded driver \SystemRoot\system32\DRIVERS\netbt.sys

Loaded driver \SystemRoot\System32\drivers\afd.sys

Loaded driver \SystemRoot\system32\DRIVERS\netbios.sys

Did not load driver \SystemRoot\system32\DRIVERS\serial.sys

Did not load driver \SystemRoot\System32\Drivers\PCIDump.SYS

Loaded driver \SystemRoot\system32\DRIVERS\rdbss.sys

Loaded driver \SystemRoot\SYSTEM32\DRIVERS\OMCI.SYS

Loaded driver \SystemRoot\system32\DRIVERS\mrxsmb.sys

Loaded driver \SystemRoot\system32\DRIVERS\ipnat.sys

Loaded driver \SystemRoot\system32\drivers\mfehidk.sys

Loaded driver \SystemRoot\System32\Drivers\Fips.SYS

Loaded driver \SystemRoot\SYSTEM32\DRIVERS\APPDRV.SYS

Loaded driver \SystemRoot\system32\DRIVERS\wanarp.sys

Loaded driver \SystemRoot\System32\Drivers\Cdfs.SYS

Loaded driver \SystemRoot\System32\Drivers\DRVNDDM.SYS

Loaded driver \SystemRoot\System32\DLA\DLADResN.SYS

Loaded driver \SystemRoot\System32\DLA\DLAIFS_M.SYS

Loaded driver \SystemRoot\System32\DLA\DLAOPIOM.SYS

Loaded driver \SystemRoot\System32\DLA\DLAPoolM.SYS

Loaded driver \SystemRoot\System32\DLA\DLABOIOM.SYS

Loaded driver \SystemRoot\System32\DLA\DLAUDFAM.SYS

Loaded driver \SystemRoot\System32\DLA\DLAUDF_M.SYS

Loaded driver \SystemRoot\system32\DRIVERS\AegisP.sys

Loaded driver \SystemRoot\system32\DRIVERS\s24trans.sys

Loaded driver \SystemRoot\system32\DRIVERS\ndisuio.sys

Did not load driver \SystemRoot\system32\DRIVERS\rdbss.sys

Did not load driver \SystemRoot\system32\DRIVERS\mrxsmb.sys

Loaded driver \SystemRoot\system32\DRIVERS\mrxdav.sys

Loaded driver \??\C:\WINDOWS\system32\drivers\CdaD10BA.SYS

Loaded driver \SystemRoot\system32\drivers\wdmaud.sys

Loaded driver \SystemRoot\system32\drivers\sysaudio.sys

Loaded driver \SystemRoot\system32\drivers\splitter.sys

Loaded driver \SystemRoot\system32\drivers\aec.sys

Loaded driver \SystemRoot\system32\drivers\swmidi.sys

Loaded driver \SystemRoot\system32\drivers\DMusic.sys

Loaded driver \SystemRoot\system32\drivers\kmixer.sys

Loaded driver \SystemRoot\System32\Drivers\HTTP.sys

Loaded driver \SystemRoot\system32\drivers\drmkaud.sys

Loaded driver \SystemRoot\system32\DRIVERS\srv.sys

Loaded driver \SystemRoot\system32\DRIVERS\mdmxsdk.sys

Did not load driver \SystemRoot\system32\DRIVERS\ipnat.sys

Loaded driver \SystemRoot\system32\drivers\mfebopk.sys

Loaded driver \SystemRoot\system32\drivers\mfeavfk.sys

Service Pack 3 4 1 2009 20:17:19.500

Loaded driver \WINDOWS\system32\ntkrnlpa.exe

Loaded driver \WINDOWS\system32\hal.dll

Loaded driver \WINDOWS\system32\KDCOM.DLL

Loaded driver \WINDOWS\system32\BOOTVID.dll

Loaded driver ACPI.sys

Loaded driver \WINDOWS\system32\DRIVERS\WMILIB.SYS

Loaded driver pci.sys

Loaded driver isapnp.sys

Loaded driver ohci1394.sys

Loaded driver \WINDOWS\system32\DRIVERS\1394BUS.SYS

Loaded driver compbatt.sys

Loaded driver \WINDOWS\system32\DRIVERS\BATTC.SYS

Loaded driver pciide.sys

Loaded driver \WINDOWS\system32\DRIVERS\PCIIDEX.SYS

Loaded driver intelide.sys

Loaded driver MountMgr.sys

Loaded driver ftdisk.sys

Loaded driver dmload.sys

Loaded driver dmio.sys

Loaded driver PartMgr.sys

Loaded driver VolSnap.sys

Loaded driver atapi.sys

Loaded driver cercsr6.sys

Loaded driver \WINDOWS\System32\Drivers\SCSIPORT.SYS

Loaded driver disk.sys

Loaded driver \WINDOWS\system32\DRIVERS\CLASSPNP.SYS

Loaded driver fltmgr.sys

Loaded driver sr.sys

Loaded driver DRVMCDB.SYS

Loaded driver PxHelp20.sys

Loaded driver KSecDD.sys

Loaded driver WudfPf.sys

Loaded driver Ntfs.sys

Loaded driver NDIS.sys

Loaded driver sbp2port.sys

Loaded driver Mup.sys

Loaded driver \SystemRoot\system32\DRIVERS\intelppm.sys

Loaded driver \SystemRoot\system32\DRIVERS\CmBatt.sys

Loaded driver \SystemRoot\system32\DRIVERS\ialmnt5.sys

Loaded driver \SystemRoot\system32\DRIVERS\HDAudBus.sys

Loaded driver \SystemRoot\system32\DRIVERS\usbuhci.sys

Loaded driver \SystemRoot\system32\DRIVERS\usbehci.sys

Loaded driver \SystemRoot\system32\DRIVERS\bcm4sbxp.sys

Loaded driver \SystemRoot\system32\DRIVERS\sdbus.sys

Loaded driver \SystemRoot\system32\DRIVERS\rimmptsk.sys

Loaded driver \SystemRoot\system32\DRIVERS\rimsptsk.sys

Loaded driver \SystemRoot\system32\DRIVERS\rixdptsk.sys

Loaded driver \SystemRoot\system32\DRIVERS\i8042prt.sys

Loaded driver \SystemRoot\system32\DRIVERS\SynTP.sys

Loaded driver \SystemRoot\system32\DRIVERS\mouclass.sys

Loaded driver \SystemRoot\system32\DRIVERS\kbdclass.sys

Loaded driver \SystemRoot\system32\DRIVERS\imapi.sys

Loaded driver \SystemRoot\System32\Drivers\DLACDBHM.SYS

Loaded driver \SystemRoot\system32\DRIVERS\cdrom.sys

Loaded driver \SystemRoot\system32\DRIVERS\redbook.sys

Loaded driver \SystemRoot\System32\Drivers\GEARAspiWDM.sys

Loaded driver \SystemRoot\system32\DRIVERS\iwca.sys

Loaded driver \SystemRoot\system32\DRIVERS\audstub.sys

Loaded driver \SystemRoot\system32\DRIVERS\rasl2tp.sys

Loaded driver \SystemRoot\system32\DRIVERS\ndistapi.sys

Loaded driver \SystemRoot\system32\DRIVERS\ndiswan.sys

Loaded driver \SystemRoot\system32\DRIVERS\raspppoe.sys

Loaded driver \SystemRoot\system32\DRIVERS\raspptp.sys

Loaded driver \SystemRoot\system32\DRIVERS\msgpc.sys

Loaded driver \SystemRoot\system32\DRIVERS\psched.sys

Loaded driver \SystemRoot\system32\DRIVERS\ptilink.sys

Loaded driver \SystemRoot\system32\DRIVERS\raspti.sys

Loaded driver \SystemRoot\system32\DRIVERS\rdpdr.sys

Loaded driver \SystemRoot\system32\DRIVERS\termdd.sys

Loaded driver \SystemRoot\system32\DRIVERS\swenum.sys

Loaded driver \SystemRoot\system32\DRIVERS\update.sys

Loaded driver \SystemRoot\system32\DRIVERS\mssmbios.sys

Loaded driver \SystemRoot\System32\Drivers\NDProxy.SYS

Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS

Loaded driver \SystemRoot\system32\drivers\sthda.sys

Loaded driver \SystemRoot\system32\DRIVERS\HSFHWAZL.sys

Loaded driver \SystemRoot\system32\DRIVERS\HSF_DPV.sys

Loaded driver \SystemRoot\system32\DRIVERS\HSF_CNXT.sys

Loaded driver \SystemRoot\System32\Drivers\Modem.SYS

Loaded driver \SystemRoot\system32\DRIVERS\usbhub.sys

Did not load driver \SystemRoot\System32\Drivers\lbrtfdc.SYS

Did not load driver \SystemRoot\System32\Drivers\Sfloppy.SYS

Loaded driver \SystemRoot\System32\Drivers\i2omgmt.SYS

Did not load driver \SystemRoot\System32\Drivers\Changer.SYS

Did not load driver \SystemRoot\System32\Drivers\Cdaudio.SYS

Loaded driver \SystemRoot\System32\Drivers\Fs_Rec.SYS

Loaded driver \SystemRoot\System32\Drivers\Null.SYS

Loaded driver \SystemRoot\System32\Drivers\Beep.SYS

Loaded driver \SystemRoot\System32\Drivers\DLARTL_N.SYS

Loaded driver \SystemRoot\System32\drivers\vga.sys

Loaded driver \SystemRoot\System32\Drivers\mnmdd.SYS

Loaded driver \SystemRoot\System32\DRIVERS\RDPCDD.sys

Loaded driver \SystemRoot\System32\Drivers\Msfs.SYS

Loaded driver \SystemRoot\System32\Drivers\Npfs.SYS

Loaded driver \systemroot\system32\drivers\UACpwvyeppf.sys

Loaded driver \SystemRoot\system32\DRIVERS\rasacd.sys

Loaded driver \SystemRoot\system32\DRIVERS\ipsec.sys

Loaded driver \SystemRoot\system32\DRIVERS\tcpip.sys

Loaded driver \SystemRoot\system32\DRIVERS\ipfltdrv.sys

Loaded driver \SystemRoot\system32\DRIVERS\ipnat.sys

Loaded driver \SystemRoot\System32\Drivers\Mpfp.sys

Loaded driver \SystemRoot\system32\DRIVERS\netbt.sys

Loaded driver \SystemRoot\System32\drivers\afd.sys

Loaded driver \SystemRoot\system32\DRIVERS\netbios.sys

Did not load driver \SystemRoot\system32\DRIVERS\serial.sys

Did not load driver \SystemRoot\System32\Drivers\PCIDump.SYS

Loaded driver \SystemRoot\system32\DRIVERS\rdbss.sys

Loaded driver \SystemRoot\SYSTEM32\DRIVERS\OMCI.SYS

Loaded driver \SystemRoot\system32\DRIVERS\mrxsmb.sys

Loaded driver \SystemRoot\system32\drivers\mfehidk.sys

Loaded driver \SystemRoot\System32\Drivers\Fips.SYS

Loaded driver \SystemRoot\SYSTEM32\DRIVERS\APPDRV.SYS

Loaded driver \SystemRoot\system32\DRIVERS\wanarp.sys

Loaded driver \SystemRoot\System32\Drivers\Cdfs.SYS

Loaded driver \SystemRoot\System32\Drivers\DRVNDDM.SYS

Loaded driver \SystemRoot\System32\DLA\DLADResN.SYS

Loaded driver \SystemRoot\System32\DLA\DLAIFS_M.SYS

Loaded driver \SystemRoot\System32\DLA\DLAOPIOM.SYS

Loaded driver \SystemRoot\System32\DLA\DLAPoolM.SYS

Loaded driver \SystemRoot\System32\DLA\DLABOIOM.SYS

Loaded driver \SystemRoot\System32\DLA\DLAUDFAM.SYS

Loaded driver \SystemRoot\System32\DLA\DLAUDF_M.SYS

Loaded driver \SystemRoot\system32\DRIVERS\AegisP.sys

Loaded driver \SystemRoot\system32\DRIVERS\s24trans.sys

Loaded driver \SystemRoot\system32\DRIVERS\ndisuio.sys

Did not load driver \SystemRoot\system32\DRIVERS\rdbss.sys

Did not load driver \SystemRoot\system32\DRIVERS\mrxsmb.sys

Loaded driver \SystemRoot\system32\DRIVERS\mrxdav.sys

Loaded driver \??\C:\WINDOWS\system32\drivers\CdaD10BA.SYS

Loaded driver \SystemRoot\System32\Drivers\HTTP.sys

Loaded driver \SystemRoot\system32\DRIVERS\srv.sys

Loaded driver \SystemRoot\system32\drivers\wdmaud.sys

Loaded driver \SystemRoot\system32\drivers\sysaudio.sys

Loaded driver \SystemRoot\system32\drivers\splitter.sys

Loaded driver \SystemRoot\system32\drivers\aec.sys

Loaded driver \SystemRoot\system32\drivers\swmidi.sys

Loaded driver \SystemRoot\system32\drivers\DMusic.sys

Loaded driver \SystemRoot\system32\drivers\kmixer.sys

Loaded driver \SystemRoot\system32\drivers\drmkaud.sys

Loaded driver \SystemRoot\system32\DRIVERS\mdmxsdk.sys

Did not load driver \SystemRoot\system32\DRIVERS\ipnat.sys

Loaded driver \SystemRoot\system32\drivers\mfebopk.sys

Loaded driver \SystemRoot\system32\drivers\mfeavfk.sys

Loaded driver \SystemRoot\system32\drivers\kmixer.sys

Loaded driver \SystemRoot\system32\drivers\mfesmfk.sys

RootRepeal log

ROOTREPEAL © AD, 2007-2008

==================================================

Scan Time: 2009/04/01 20:24

Program Version: Version 1.2.3.0

Windows Version: Windows XP Media Center Edition SP3

==================================================

Drivers

-------------------

Name: dump_atapi.sys

Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys

Address: 0xA9E71000 Size: 98304 File Visible: No

Status: -

Name: dump_WMILIB.SYS

Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS

Address: 0xF7B01000 Size: 8192 File Visible: No

Status: -

Name: rootrepeal.sys

Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0xA8D98000 Size: 45056 File Visible: No

Status: -

Name: UACpwvyeppf.sys

Image Path: C:\WINDOWS\system32\drivers\UACpwvyeppf.sys

Address: 0xAA443000 Size: 77824 File Visible: -

Status: Hidden from Windows API!

SSDT

-------------------

SYSENTER/INT2E Hooked [0x00466550]!

Stealth Objects

-------------------

Object: Hidden Module [Name: UACvhsaosef.dll]

Process: winlogon.exe (PID: 684) Address: 0x00680000 Size: 49152

Object: Hidden Module [Name: UACwrxfruun.dll]

Process: winlogon.exe (PID: 684) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACvhsaosef.dll]

Process: services.exe (PID: 732) Address: 0x00680000 Size: 49152

Object: Hidden Module [Name: UACwrxfruun.dll]

Process: services.exe (PID: 732) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACvhsaosef.dll]

Process: lsass.exe (PID: 744) Address: 0x00750000 Size: 49152

Object: Hidden Module [Name: UACwrxfruun.dll]

Process: lsass.exe (PID: 744) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UAChlcknsim.dll]

Process: svchost.exe (PID: 924) Address: 0x02e50000 Size: 200704

Object: Hidden Module [Name: UAC7bb3.tmpnsim.dll]

Process: svchost.exe (PID: 924) Address: 0x00be0000 Size: 200704

Object: Hidden Module [Name: UACvhsaosef.dll]

Process: svchost.exe (PID: 924) Address: 0x00820000 Size: 49152

Object: Hidden Module [Name: UACwnuqatao.dll]

Process: svchost.exe (PID: 924) Address: 0x00b20000 Size: 81920

Object: Hidden Module [Name: UACjtculqrs.dll]

Process: svchost.exe (PID: 924) Address: 0x00cd0000 Size: 73728

Object: Hidden Module [Name: UACwrxfruun.dll]

Process: svchost.exe (PID: 924) Address: 0x00e80000 Size: 49152

Object: Hidden Module [Name: UACvhsaosef.dll]

Process: svchost.exe (PID: 924) Address: 0x02fe0000 Size: 49152

Object: Hidden Module [Name: UACpveywdvn.dll]

Process: svchost.exe (PID: 924) Address: 0x03080000 Size: 57344

Object: Hidden Module [Name: UACwrxfruun.dll]

Process: svchost.exe (PID: 924) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACvhsaosef.dll]

Process: svchost.exe (PID: 1028) Address: 0x00820000 Size: 49152

Object: Hidden Module [Name: UACwrxfruun.dll]

Process: svchost.exe (PID: 1028) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACvhsaosef.dll]

Process: svchost.exe (PID: 1128) Address: 0x00820000 Size: 49152

Object: Hidden Module [Name: UACwrxfruun.dll]

Process: svchost.exe (PID: 1128) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACvhsaosef.dll]

Process: svchost.exe (PID: 1172) Address: 0x00820000 Size: 49152

Object: Hidden Module [Name: UACwrxfruun.dll]

Process: svchost.exe (PID: 1172) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACwrxfruun.dll]

Process: EvtEng.exe (PID: 1320) Address: 0x00830000 Size: 49152

Object: Hidden Module [Name: UACvhsaosef.dll]

Process: EvtEng.exe (PID: 1320) Address: 0x00900000 Size: 49152

Object: Hidden Module [Name: UACwrxfruun.dll]

Process: ZcfgSvc.exe (PID: 1356) Address: 0x00ca0000 Size: 49152

Object: Hidden Module [Name: UACvhsaosef.dll]

Process: ZcfgSvc.exe (PID: 1356) Address: 0x00d70000 Size: 49152

Object: Hidden Module [Name: UACvhsaosef.dll]

Process: Explorer.EXE (PID: 1496) Address: 0x00d40000 Size: 49152

Object: Hidden Module [Name: UACwrxfruun.dll]

Process: Explorer.EXE (PID: 1496) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACwrxfruun.dll]

Process: S24EvMon.exe (PID: 1504) Address: 0x00a10000 Size: 49152

Object: Hidden Module [Name: UACvhsaosef.dll]

Process: S24EvMon.exe (PID: 1504) Address: 0x00af0000 Size: 49152

Object: Hidden Module [Name: UACwrxfruun.dll]

Process: Iexplore.exe (PID: 1540) Address: 0x00a80000 Size: 49152

Object: Hidden Module [Name: UACvhsaosef.dll]

Process: Iexplore.exe (PID: 1540) Address: 0x00b50000 Size: 49152

Object: Hidden Module [Name: UACvhsaosef.dll]

Process: WLKeeper.exe (PID: 1572) Address: 0x00bf0000 Size: 49152

Object: Hidden Module [Name: UACwrxfruun.dll]

Process: WLKeeper.exe (PID: 1572) Address: 0x00b20000 Size: 49152

Object: Hidden Module [Name: UACvhsaosef.dll]

Process: svchost.exe (PID: 1740) Address: 0x00820000 Size: 49152

Object: Hidden Module [Name: UACwrxfruun.dll]

Process: svchost.exe (PID: 1740) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACvhsaosef.dll]

Process: svchost.exe (PID: 1848) Address: 0x00820000 Size: 49152

Object: Hidden Module [Name: UACwrxfruun.dll]

Process: svchost.exe (PID: 1848) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACvhsaosef.dll]

Process: ctfmon.exe (PID: 1892) Address: 0x009c0000 Size: 49152

Object: Hidden Module [Name: UACwrxfruun.dll]

Process: ctfmon.exe (PID: 1892) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACvhsaosef.dll]

Process: mDNSResponder.exe (PID: 280) Address: 0x00750000 Size: 49152

Object: Hidden Module [Name: UACwrxfruun.dll]

Process: mDNSResponder.exe (PID: 280) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACvhsaosef.dll]

Process: jqs.exe (PID: 444) Address: 0x00720000 Size: 49152

Object: Hidden Module [Name: UACwrxfruun.dll]

Process: jqs.exe (PID: 444) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACvhsaosef.dll]

Process: McSACore.exe (PID: 512) Address: 0x00af0000 Size: 49152

Object: Hidden Module [Name: UACwrxfruun.dll]

Process: McSACore.exe (PID: 512) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACvhsaosef.dll]

Process: mcmscsvc.exe (PID: 588) Address: 0x008f0000 Size: 49152

Object: Hidden Module [Name: UACwrxfruun.dll]

Process: mcmscsvc.exe (PID: 588) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACvhsaosef.dll]

Process: mcnasvc.exe (PID: 132) Address: 0x00a90000 Size: 49152

Object: Hidden Module [Name: UACwrxfruun.dll]

Process: mcnasvc.exe (PID: 132) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACvhsaosef.dll]

Process: mcproxy.exe (PID: 1104) Address: 0x00840000 Size: 49152

Object: Hidden Module [Name: UACwrxfruun.dll]

Process: mcproxy.exe (PID: 1104) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACvhsaosef.dll]

Process: mcshield.exe (PID: 1136) Address: 0x00710000 Size: 49152

Object: Hidden Module [Name: UACwrxfruun.dll]

Process: mcshield.exe (PID: 1136) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACvhsaosef.dll]

Process: MDM.EXE (PID: 1344) Address: 0x00ae0000 Size: 49152

Object: Hidden Module [Name: UACwrxfruun.dll]

Process: MDM.EXE (PID: 1344) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACvhsaosef.dll]

Process: MPFSrv.exe (PID: 1604) Address: 0x008d0000 Size: 49152

Object: Hidden Module [Name: UACwrxfruun.dll]

Process: MPFSrv.exe (PID: 1604) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACvhsaosef.dll]

Process: NICCONFIGSVC.exe (PID: 1732) Address: 0x00b00000 Size: 49152

Object: Hidden Module [Name: UACwrxfruun.dll]

Process: NICCONFIGSVC.exe (PID: 1732) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACvhsaosef.dll]

Process: HPZipm12.exe (PID: 1984) Address: 0x006f0000 Size: 49152

Object: Hidden Module [Name: UACwrxfruun.dll]

Process: HPZipm12.exe (PID: 1984) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACvhsaosef.dll]

Process: RegSrvc.exe (PID: 2060) Address: 0x00830000 Size: 49152

Object: Hidden Module [Name: UACwrxfruun.dll]

Process: RegSrvc.exe (PID: 2060) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACvhsaosef.dll]

Process: RichVideo.exe (PID: 2160) Address: 0x00b40000 Size: 49152

Object: Hidden Module [Name: UACwrxfruun.dll]

Process: RichVideo.exe (PID: 2160) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACvhsaosef.dll]

Process: sprtsvc.exe (PID: 2264) Address: 0x00ae0000 Size: 49152

Object: Hidden Module [Name: UACwrxfruun.dll]

Process: sprtsvc.exe (PID: 2264) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACvhsaosef.dll]

Process: svchost.exe (PID: 2312) Address: 0x00820000 Size: 49152

Object: Hidden Module [Name: UACwrxfruun.dll]

Process: svchost.exe (PID: 2312) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACvhsaosef.dll]

Process: svchost.exe (PID: 2348) Address: 0x00820000 Size: 49152

Object: Hidden Module [Name: UACwrxfruun.dll]

Process: svchost.exe (PID: 2348) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACvhsaosef.dll]

Process: tgsrvc.exe (PID: 2460) Address: 0x00990000 Size: 49152

Object: Hidden Module [Name: UACwrxfruun.dll]

Process: tgsrvc.exe (PID: 2460) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACvhsaosef.dll]

Process: wdfmgr.exe (PID: 2560) Address: 0x00610000 Size: 49152

Object: Hidden Module [Name: UACwrxfruun.dll]

Process: wdfmgr.exe (PID: 2560) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACvhsaosef.dll]

Process: mcrdsvc.exe (PID: 2616) Address: 0x00640000 Size: 49152

Object: Hidden Module [Name: UACwrxfruun.dll]

Process: mcrdsvc.exe (PID: 2616) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACvhsaosef.dll]

Process: mcagent.exe (PID: 2648) Address: 0x00d60000 Size: 49152

Object: Hidden Module [Name: UACwrxfruun.dll]

Process: mcagent.exe (PID: 2648) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACvhsaosef.dll]

Process: wmiprvse.exe (PID: 3228) Address: 0x00850000 Size: 49152

Object: Hidden Module [Name: UACwrxfruun.dll]

Process: wmiprvse.exe (PID: 3228) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACvhsaosef.dll]

Process: alg.exe (PID: 3928) Address: 0x00730000 Size: 49152

Object: Hidden Module [Name: UACwrxfruun.dll]

Process: alg.exe (PID: 3928) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACvhsaosef.dll]

Process: ehtray.exe (PID: 216) Address: 0x00960000 Size: 49152

Object: Hidden Module [Name: UACwrxfruun.dll]

Process: ehtray.exe (PID: 216) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACwrxfruun.dll]

Process: DLACTRLW.EXE (PID: 292) Address: 0x00a40000 Size: 49152

Object: Hidden Module [Name: UACvhsaosef.dll]

Process: DLACTRLW.EXE (PID: 292) Address: 0x00b20000 Size: 49152

Object: Hidden Module [Name: UACwrxfruun.dll]

Process: iTunesHelper.exe (PID: 1420) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACvhsaosef.dll]

Process: iTunesHelper.exe (PID: 1420) Address: 0x00be0000 Size: 49152

Object: Hidden Module [Name: UACwrxfruun.dll]

Process: hkcmd.exe (PID: 1528) Address: 0x003c0000 Size: 49152

Object: Hidden Module [Name: UACvhsaosef.dll]

Process: hkcmd.exe (PID: 1528) Address: 0x00a90000 Size: 49152

Object: Hidden Module [Name: UACvhsaosef.dll]

Process: igfxpers.exe (PID: 1400) Address: 0x00a70000 Size: 49152

Object: Hidden Module [Name: UACwrxfruun.dll]

Process: igfxpers.exe (PID: 1400) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACvhsaosef.dll]

Process: SynTPEnh.exe (PID: 1972) Address: 0x00bd0000 Size: 49152

Object: Hidden Module [Name: UACwrxfruun.dll]

Process: SynTPEnh.exe (PID: 1972) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACvhsaosef.dll]

Process: DMXLauncher.exe (PID: 2056) Address: 0x00ab0000 Size: 49152

Object: Hidden Module [Name: UACwrxfruun.dll]

Process: DMXLauncher.exe (PID: 2056) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACwrxfruun.dll]

Process: ifrmewrk.exe (PID: 2176) Address: 0x00ad0000 Size: 49152

Object: Hidden Module [Name: UACvhsaosef.dll]

Process: ifrmewrk.exe (PID: 2176) Address: 0x00bb0000 Size: 49152

Object: Hidden Module [Name: UACwrxfruun.dll]

Process: WinPatrol.exe (PID: 2188) Address: 0x00ab0000 Size: 49152

Object: Hidden Module [Name: UACvhsaosef.dll]

Process: WinPatrol.exe (PID: 2188) Address: 0x00b90000 Size: 49152

Object: Hidden Module [Name: UACvhsaosef.dll]

Process: issch.exe (PID: 2388) Address: 0x00980000 Size: 49152

Object: Hidden Module [Name: UACwrxfruun.dll]

Process: issch.exe (PID: 2388) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACvhsaosef.dll]

Process: sprtcmd.exe (PID: 1712) Address: 0x00ae0000 Size: 49152

Object: Hidden Module [Name: UACwrxfruun.dll]

Process: sprtcmd.exe (PID: 1712) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACvhsaosef.dll]

Process: jusched.exe (PID: 2420) Address: 0x00cf0000 Size: 49152

Object: Hidden Module [Name: UACwrxfruun.dll]

Process: jusched.exe (PID: 2420) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACvhsaosef.dll]

Process: igfxsrvc.exe (PID: 2904) Address: 0x00a80000 Size: 49152

Object: Hidden Module [Name: UACwrxfruun.dll]

Process: igfxsrvc.exe (PID: 2904) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACvhsaosef.dll]

Process: iPodService.exe (PID: 3152) Address: 0x00870000 Size: 49152

Object: Hidden Module [Name: UACwrxfruun.dll]

Process: iPodService.exe (PID: 3152) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACvhsaosef.dll]

Process: mcsysmon.exe (PID: 3676) Address: 0x00890000 Size: 49152

Object: Hidden Module [Name: UACwrxfruun.dll]

Process: mcsysmon.exe (PID: 3676) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACvhsaosef.dll]

Process: NOTEPAD.EXE (PID: 3044) Address: 0x009b0000 Size: 49152

Object: Hidden Module [Name: UACwrxfruun.dll]

Process: NOTEPAD.EXE (PID: 3044) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACwrxfruun.dll]

Process: firefox.exe (PID: 1844) Address: 0x009f0000 Size: 49152

Object: Hidden Module [Name: UACvhsaosef.dll]

Process: firefox.exe (PID: 1844) Address: 0x00ac0000 Size: 49152

Object: Hidden Module [Name: UACvhsaosef.dll]

Process: WinRAR.exe (PID: 2940) Address: 0x00ab0000 Size: 49152

Object: Hidden Module [Name: UACwrxfruun.dll]

Process: WinRAR.exe (PID: 2940) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACvhsaosef.dll]

Process: RootRepeal.exe (PID: 1252) Address: 0x00f10000 Size: 49152

Object: Hidden Module [Name: UACwrxfruun.dll]

Process: RootRepeal.exe (PID: 1252) Address: 0x10000000 Size: 49152

Hidden Services

-------------------

Service Name: UACd.sys

Image Path: C:\WINDOWS\system32\drivers\UACpwvyeppf.sys

And RootRepeal came with this warning:

20:27:20: Warning - the number of SSDT entries from the kernel and the number on-disk are different (284 and 0).

20:27:20: Could not get our real service table pointers!


Create a NEW folder on your Desktop named: BadFiles

Start Root Repeal and click on the Drivers tab and then click the Scan button.

Then right click on this file: UACpwvyeppf.sys and select Dump File

This will bring up a Dump to file dialog box. Browse or select your Desktop where you created the BadFiles folder.

Then type in the name UACpwvyeppf.sys and save it in that folder.

You can quit Root Repeal now.

Then zip up that file and upload it to: uploads.malwarebytes.org

How To Use Compressed (Zipped) Folders in Windows XP

Compress and uncompress files (zip files) in Vista

Start Root Repeal again and click on the Drivers tab and then click the Scan button.

Then right click on this file: UACpwvyeppf.sys and select the *wipe file* option only, then immediately reboot the computer.

Now update and scan with Malwarebytes again (a Quick Scan).

Post the report.


Ok, don't worry.

Download and run Combofix

This tool is not a toy and not for everyday use.

ComboFix SHOULD NOT be used unless requested by a forum helper

Please download ComboFix from one of these locations:

Link 1

Link 2

Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.

If you need help, see this link:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

----------------------------------------------

Post back:

Combofix report.

A new HijackThis log.


I ran the programs. The first thing that happened is that the program told me:

"ComboFix has detected rootkit activity. Please note on paper the name of each file. You may need it later."

The files were:

c:/windows/system32/uacpwvyeppf.sys

c:/windows/system32/uacjtculqrs.dll

c:/windows/system32/uackggnxotq.dat

c:/windows/system32/uacpveywdvn.dll

c:/windows/system32/uacwrxfruun.dll

c:/windows/system32/uacvhsaosef.dll

c:/windows/system32/uacjwykyfkt.db

c:/windows/system32/uacwnqatao.dll

c:/windows/system32/uacchlcknsim.dll

c:/windows/system32/uacynaiwkre.log

c:/windows/system32/uackugpjsyc.log

c:/windows/system32/uacflojxmik.log

Then it did a restart. When it restarted, it ran something called chkdsk. It ran through 5 phases: verify files, verify indexes, verify security descriptors, verify USN journal, verify file data, verify free space.

Then when the computer came back up it ran ComboFix and HijackThis. The computer went nuts with things that needed to debug, but none of them fixed themselves, and I couldn't keep up with writing them down. Here are the logs.

ComboFix log:

ComboFix 09-04-04.01 - Raven 2009-04-05 13:40:14.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.664 [GMT -4:00]

Running from: c:\documents and settings\Raven\Desktop\67.exe

AV: McAfee VirusScan *On-access scanning disabled* (Updated)

FW: McAfee Personal Firewall *disabled*

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\drivers\UACpwvyeppf.sys

c:\windows\system32\UACfbkjxmik.log

c:\windows\system32\UAChlcknsim.dll

c:\windows\system32\uacinit.dll

c:\windows\system32\UACjtculqrs.dll

c:\windows\system32\UACjwykyfkt.db

c:\windows\system32\UACkggnxotq.dat

c:\windows\system32\UACkugpjsyc.log

c:\windows\system32\UACpveywdvn.dll

c:\windows\system32\UACvhsaosef.dll

c:\windows\system32\UACwnuqatao.dll

c:\windows\system32\UACwrxfruun.dll

c:\windows\system32\UACynaiwkre.log

c:\windows\Sysvxd.exe

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_UACd.sys

((((((((((((((((((((((((( Files Created from 2009-03-05 to 2009-04-05 )))))))))))))))))))))))))))))))

.

2009-04-01 04:47 . 2009-04-01 04:47 61,224 --a------ c:\documents and settings\Raven\GoToAssistDownloadHelper.exe

2009-03-30 16:48 . 2009-01-09 15:19 1,089,593 -----c--- c:\windows\system32\dllcache\ntprint.cat

2009-03-29 23:33 . 2009-03-30 00:10 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\SACore

2009-03-29 22:25 . 2006-03-03 08:07 143,360 --a------ c:\windows\system32\dunzip32.dll

2009-03-29 22:25 . 2009-04-05 13:45 8,469 --a------ c:\windows\system32\Config.MPF

2009-03-29 22:21 . 2007-11-22 06:44 201,320 --a------ c:\windows\system32\drivers\mfehidk.sys

2009-03-29 22:21 . 2007-11-22 06:44 79,304 --a------ c:\windows\system32\drivers\mfeavfk.sys

2009-03-29 22:21 . 2007-12-02 12:51 40,488 --a------ c:\windows\system32\drivers\mfesmfk.sys

2009-03-29 22:21 . 2007-11-22 06:44 35,240 --a------ c:\windows\system32\drivers\mfebopk.sys

2009-03-29 22:21 . 2007-11-22 06:44 33,832 --a------ c:\windows\system32\drivers\mferkdk.sys

2009-03-29 22:20 . 2007-07-13 06:20 113,952 --a------ c:\windows\system32\drivers\Mpfp.sys

2009-03-29 22:19 . 2009-03-29 22:20 <DIR> d-------- c:\program files\McAfee.com

2009-03-29 22:19 . 2009-03-31 12:14 <DIR> d-------- c:\program files\McAfee

2009-03-29 22:19 . 2009-03-29 22:21 <DIR> d-------- c:\program files\Common Files\McAfee

2009-03-29 21:00 . 2009-03-29 21:00 <DIR> d-------- C:\mfe

2009-03-29 20:37 . 2009-03-29 20:37 <DIR> d-------- C:\e51e30ab8bb3b01752a8c619c942

2009-03-29 20:37 . 2008-07-06 08:06 1,676,288 -----c--- c:\windows\system32\dllcache\xpssvcs.dll

2009-03-29 20:37 . 2008-07-06 06:50 597,504 -----c--- c:\windows\system32\dllcache\printfilterpipelinesvc.exe

2009-03-29 20:37 . 2008-07-06 08:06 575,488 -----c--- c:\windows\system32\dllcache\xpsshhdr.dll

2009-03-29 20:37 . 2008-07-06 08:06 89,088 -----c--- c:\windows\system32\dllcache\filterpipelineprintproc.dll

2009-03-27 11:55 . 2009-03-27 11:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\Citrix

2009-03-26 01:34 . 2009-04-05 02:30 4,194,973 --a------ c:\windows\pfirewall.log.old

2009-03-25 23:53 . 2009-03-25 23:53 <DIR> d-------- c:\program files\providerComcast

2009-03-25 23:14 . 2009-04-05 04:21 1,896,749 --a------ c:\windows\system32\uactmp.db

2009-03-15 19:58 . 2009-03-15 19:57 73,728 --a------ c:\windows\system32\javacpl.cpl

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-04-05 06:09 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore

2009-04-01 21:42 --------- d-----w c:\program files\LimeWire

2009-04-01 04:34 --------- d-----w c:\documents and settings\Raven\Application Data\ComcastToolbar

2009-03-30 03:31 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee

2009-03-29 23:42 --------- d-----w c:\program files\Spybot - Search & Destroy

2009-03-29 23:24 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-03-20 05:10 --------- d-----w c:\documents and settings\Raven\Application Data\Move Networks

2009-03-15 23:57 --------- d-----w c:\program files\Java

2009-03-01 19:38 --------- d-----w c:\documents and settings\All Users\Application Data\Comcast

2009-03-01 16:02 3,039 ----a-w C:\register.bat

2009-03-01 15:58 3,039 ----a-w c:\documents and settings\Raven\register.bat

2009-02-28 04:49 --------- d-----w c:\program files\Microsoft Silverlight

2009-02-26 08:08 --------- d-----w c:\program files\Google

2009-02-25 04:55 --------- d-----w c:\program files\RegistryPatrol3.0

2009-02-25 04:29 --------- dc----w c:\documents and settings\All Users\Application Data\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}

2009-02-25 01:08 --------- d-----w c:\documents and settings\Raven\Application Data\McAfee

2009-02-24 10:13 --------- d-----w c:\documents and settings\All Users\Application Data\Avg8

2009-02-21 08:52 --------- d-----w c:\program files\Common Files\Scanner

2009-02-21 08:52 --------- d-----w c:\program files\ComcastToolbar

2009-02-21 08:51 --------- d-----w c:\program files\Common Files\SupportSoft

2009-02-21 08:51 --------- d-----w c:\program files\Comcast

2009-02-21 08:51 --------- d-----w c:\documents and settings\All Users\Application Data\SupportSoft

2009-02-21 08:25 --------- d-----w c:\program files\support.com

2009-02-16 15:01 --------- d-----w c:\program files\MSECache

2009-02-15 06:02 --------- d-----w c:\program files\Roxio

2009-02-08 16:56 --------- d-----w c:\program files\CONEXANT

2009-02-08 16:55 --------- d--h--w c:\program files\InstallShield Installation Information

2009-02-08 16:55 --------- d-----w c:\program files\Dell

2009-02-08 16:55 --------- d-----w c:\program files\Common Files\Sonic Shared

2009-02-08 16:55 --------- d-----w c:\documents and settings\All Users\Application Data\CyberLink

2009-02-07 16:54 --------- d-----w c:\program files\Common Files\Roxio Shared

2006-12-10 19:32 1,519,800 -c----w c:\program files\dMC-r10.exe

2006-12-07 18:14 88 --sh--r c:\windows\system32\10E31F1BA8.sys

2006-12-07 18:14 3,610 -csh--w c:\windows\system32\KGyGaAvL.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2008-10-24 79136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ShowLOMControl"="1 (0x1)" [X]

"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]

"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-11-07 122940]

"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 761947]

"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]

"WinPatrol"="c:\program files\BillP Studios\WinPatrol\WinPatrol.exe" [2006-10-01 255552]

"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-05-18 49152]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2008-10-24 79136]

"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-15 148888]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]

2004-09-07 18:08 110592 c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"LexBceS"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\drivers\\svchost.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-03-29 210216]

R2 tgsrvc_providercomcast;SupportSoft Repair Service (providercomcast);c:\program files\providerComcast\bin\tgsrvc.exe [2008-05-02 148768]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{148dd71f-040f-11dc-95e1-00038a000015}]

\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]

\Shell\AutoRun\command - E:\setup.exe

.

Contents of the 'Scheduled Tasks' folder

2009-03-28 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 15:42]

2009-03-30 c:\windows\Tasks\McDefragTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2009-04-01 c:\windows\Tasks\McQcTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.comcast.net/

mStart Page = hxxp://www.comcast.net/

mWindow Title = Windows Internet Explorer provided by Comcast

uInternet Connection Wizard,ShellNext = iexplore

uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s

Trusted Zone: internet

Trusted Zone: mcafee.com

FF - ProfilePath - c:\documents and settings\Raven\Application Data\Mozilla\Firefox\Profiles\t4jerh97.default\

FF - prefs.js: browser.startup.homepage - www.google.com

FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPinfotl.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin8.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll

FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll

.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-04-05 14:57:46

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-159392861-630838887-3421650970-1006\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(688)

c:\program files\Intel\Wireless\Bin\LgNotify.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Intel\Wireless\Bin\EvtEng.exe

c:\program files\Intel\Wireless\Bin\S24EvMon.exe

c:\program files\Intel\Wireless\Bin\WLKEEPER.exe

c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe

c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe

c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\program files\McAfee\MPF\MpfSrv.exe

c:\program files\Dell\NicConfigSvc\NicConfigSvc.exe

c:\progra~1\McAfee.com\Agent\mcagent.exe

c:\windows\system32\HPZipm12.exe

c:\program files\Intel\Wireless\Bin\RegSrvc.exe

c:\program files\CyberLink\Shared files\RichVideo.exe

c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe

c:\windows\system32\wdfmgr.exe

c:\windows\ehome\mcrdsvc.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\igfxsrvc.exe

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2009-04-05 15:03:35 - machine was rebooted

ComboFix-quarantined-files.txt 2009-04-05 19:03:19

Pre-Run: 44,013,056,000 bytes free

Post-Run: 43,924,725,760 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

230 --- E O F --- 2009-03-31 07:01:04

Hijack this log

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 3:05:29 PM, on 4/5/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\Program Files\CyberLink\Shared files\RichVideo.exe

C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\providerComcast\bin\tgsrvc.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Dell\Media Experience\DMXLauncher.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\explorer.exe

C:\Documents and Settings\Raven\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0

O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll

O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [showLOMControl]

O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE

O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe

O4 - HKLM\..\Run: [intelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless

O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe

O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe (file missing)

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)

O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe

O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe

O23 - Service: SupportSoft Repair Service (providercomcast) (tgsrvc_providercomcast) - SupportSoft, Inc. - C:\Program Files\providerComcast\bin\tgsrvc.exe

O23 - Service: WLANKEEPER - Intel


Submit a File For Analysis

We need to have the files below Scanned by Uploading them/it to Jotti

Please visit Jotti

Copy/paste the following file path into the window

c:\program files\dMC-r10.exe

Click Submit/Send File

Please post back, to let me know the results.

Please do the same for the following file

c:\windows\system32\10E31F1BA8.sys

If Jotti is too busy please try Virustotal

-----------------------------

ATF Cleaner

Download ATF Cleaner here by Atribune.

  • Double-click ATF-Cleaner.exe to run the program
  • Under Main choose: Select All
  • Click the Empty Selected button

If you use Firefox browser

  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt

If you use Opera browser

  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt

Click Exit on the Main menu to close the program.

----------------------------

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\system32\uactmp.db
C:\register.bat
c:\documents and settings\Raven\register.bat

Folder::
c:\program files\LimeWire

DirLook::
c:\documents and settings\All Users\Application Data\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}
C:\mfe
C:\e51e30ab8bb3b01752a8c619c942

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{148dd71f-040f-11dc-95e1-00038a000015}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]

Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe

(picture: CFScriptB-4.gif)

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

------------------------------

: Malwarebytes' Anti-Malware :

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Post:

combofix log

malwarebytes report

jotti's report

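As an added example (not code from the thread, and not ComboFix's own logic), a Python triage pass over ComboFix log entries that mirrors what the helper picked out of the log above: the hidden+system files sent to Jotti, the random-named directories given to DirLook::, and the mountpoints2 AutoRun entries removed by the CFScript. The review rules and the sample lines are this example's own assumptions and constructions.

```python
"""Triage heuristics for ComboFix log entries.

Added example, not part of the thread and not ComboFix's own logic. It parses the
two entry shapes ComboFix prints ("Files Created" and "Find3M Report") plus the
mountpoints2 AutoRun lines, and flags the kinds of entries the helper picked out
for review. The rules are this example's assumptions, not a verdict on any file.
"""
import re
from dataclasses import dataclass

# "Files Created" entries: created . modified size|<DIR> attrs path
CREATED_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>\S{9}) (?P<path>.+)$"
)
# "Find3M Report" entries: modified size|--------- attrs path
FIND3M_RE = re.compile(
    r"^(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>-{9}|[\d,]+) (?P<attrs>\S{7}) (?P<path>.+)$"
)
# mountpoints2 volume handler lines as printed under "Reg Loading Points"
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command - (?P<cmd>.+)$", re.IGNORECASE)

HEX_NAME_RE = re.compile(r"^[0-9a-f]{20,}$", re.IGNORECASE)
GUID_NAME_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.IGNORECASE)

# Constructed sample: lines copied in the shape of the thread's log, using the
# paths the helper acted on plus a few ordinary entries as controls.
SAMPLE_LOG = r"""
2009-03-29 20:37 . 2009-03-29 20:37 <DIR> d-------- C:\e51e30ab8bb3b01752a8c619c942
2009-03-25 23:14 . 2009-04-05 04:21 1,896,749 --a------ c:\windows\system32\uactmp.db
2009-03-15 19:58 . 2009-03-15 19:57 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-01 16:02 3,039 ----a-w C:\register.bat
2009-02-25 04:29 --------- dc----w c:\documents and settings\All Users\Application Data\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}
2006-12-10 19:32 1,519,800 -c----w c:\program files\dMC-r10.exe
2006-12-07 18:14 88 --sh--r c:\windows\system32\10E31F1BA8.sys
2006-12-07 18:14 3,610 -csh--w c:\windows\system32\KGyGaAvL.sys
\Shell\AutoRun\command - E:\LaunchU3.exe -a
\Shell\AutoRun\command - E:\setup.exe
"""


@dataclass
class Finding:
    path: str
    reason: str


def parse_entry(line):
    """Return (attrs, path) for a file entry line, or None for anything else."""
    for rx in (CREATED_RE, FIND3M_RE):
        m = rx.match(line.strip())
        if m:
            return m.group("attrs"), m.group("path")
    return None


def triage_line(line):
    """Apply the review heuristics to one log line; return a Finding or None."""
    line = line.strip()
    m = AUTORUN_RE.match(line)
    if m:
        cmd = m.group("cmd")
        # A handler on a non-system volume runs when that device is opened;
        # the thread's CFScript removes both such mountpoints2 keys.
        if not cmd.lower().startswith("c:\\"):
            return Finding(cmd, "AutoRun handler for a non-system volume")
        return None
    parsed = parse_entry(line)
    if parsed is None:
        return None
    attrs, path = parsed
    name = path.rstrip("\\").rsplit("\\", 1)[-1]
    letters = set(attrs.lower())  # ComboFix prints attribute letters in fixed slots
    # Hidden+system files in system32 are what the helper sent to Jotti.
    if {"s", "h"} <= letters and "\\system32\\" in path.lower():
        return Finding(path, "hidden+system file in system32")
    # Random hex or GUID names are what the helper gave to DirLook::. Update
    # installers also unpack into such folders, so this is a review hint only.
    if HEX_NAME_RE.match(name) or GUID_NAME_RE.match(name):
        return Finding(path, "random hex or GUID name")
    return None


def triage(log_text):
    """Run triage_line over a whole log and keep the hits, in log order."""
    return [f for f in map(triage_line, log_text.splitlines()) if f is not None]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"{finding.reason:40} {finding.path}")
```

The controls (uactmp.db, register.bat, dMC-r10.exe) are deliberately not caught by these three rules; the helper's judgement on those came from context, which is exactly what a log-triage script cannot replace.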

So, here are the logs and scans that you asked for. While Malwarebytes was running, my McAfee started to go a little crazy blocking a trojan. I don't know how to copy and paste a McAfee log, but it is the DNSChanger.r Trojan, and it repaired and removed it 11 times during the Malwarebytes scan.

First Scan...

c:\program files\dMC-r10.exe

Service load:

0% 100%

File: dMC-r10.exe

Status:

OK

MD5: 4c772616644d13645bb0a7bc83696706

Packers detected:

-

Scanner results

Scan taken on 05 Apr 2009 22:08:11 (GMT)

A-Squared Found nothing

AntiVir Found nothing

ArcaVir Found nothing

Avast Found nothing

AVG Antivirus Found nothing

BitDefender Found nothing

ClamAV Found nothing

CPsecure Found nothing

Dr.Web Found nothing

F-Prot Antivirus Found nothing

F-Secure Anti-Virus Found nothing

Ikarus Found nothing

Kaspersky Anti-Virus Found nothing

NOD32 Found nothing

Norman Virus Control Found nothing

Panda Antivirus Found nothing

Quick Heal Found nothing

Sophos Antivirus Found nothing

VirusBuster Found nothing

VBA32 Found nothing

Scanner Malware name

A-Squared Packer.PESpin!IK

AntiVir TR/Agent.920064.A

ArcaVir Heur.W32.Generic

Avast Win32:Trojan-gen {Other}

AVG Antivirus X

BitDefender Packer.PESpin.A

ClamAV X

CPsecure X

Dr.Web X

F-Prot Antivirus W32/Heuristic-210!Eldorado

F-Secure Anti-Virus X

Ikarus Packer.PESpin

Kaspersky Anti-Virus X

NOD32 X

Norman Virus Control W32/Packed_PeSpin.B

Panda Antivirus X

Quick Heal X

Sophos Antivirus Mal/Packer

VirusBuster Packed/PeSpin

VBA32 X

Second Scan

c:\windows\system32\10E31F1BA8.sys

Service load:

0% 100%

File: 10E31F1BA8.sys

Status:

OK

MD5: 2fca1be1bac93816b5abc4f20d1518e5

Packers detected:

-

Scanner results

Scan taken on 05 Apr 2009 22:19:41 (GMT)

A-Squared Found nothing

AntiVir Found nothing

ArcaVir Found nothing

Avast Found nothing

AVG Antivirus Found nothing

BitDefender Found nothing

ClamAV Found nothing

CPsecure Found nothing

Dr.Web Found nothing

F-Prot Antivirus Found nothing

F-Secure Anti-Virus Found nothing

Ikarus Found nothing

Kaspersky Anti-Virus Found nothing

NOD32 Found nothing

Norman Virus Control Found nothing

Panda Antivirus Found nothing

Quick Heal Found nothing

Sophos Antivirus Found nothing

VirusBuster Found nothing

VBA32 Found nothing

Scanner Malware name

A-Squared Trojan-Downloader.Win32.Banload!IK

AntiVir TR/Dldr.Delphi.Gen

ArcaVir Variant:Downloader.Banload.Nc

Avast Win32:Banload-FFK

AVG Antivirus X

BitDefender Trojan.Downloader.Svchost.A

ClamAV X

CPsecure Troj.GameThief.W32.OnLineGames.tcdi

Dr.Web Trojan.DownLoader.32543

F-Prot Antivirus X

F-Secure Anti-Virus Trojan-Downloader.Win32.Banload.aht

Ikarus Trojan-Downloader.Win32.Banload

Kaspersky Anti-Virus Trojan-Downloader.Win32.Banload.aht

NOD32 a variant of Win32/TrojanDownloader.Banload.CZK

Norman Virus Control X

Panda Antivirus Trj/Banbra.FQY

Quick Heal Win32.Backdoor.Turkojan.il.3

Sophos Antivirus Mal/Behav-130

VirusBuster X

VBA32 Trojan-Downloader.Win32.Banload.nc

ComboFix log

ComboFix 09-04-04.01 - Raven 2009-04-05 18:35:07.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.621 [GMT -4:00]

Running from: c:\documents and settings\Raven\Desktop\67.exe

Command switches used :: c:\documents and settings\Raven\Desktop\CFScript.txt

AV: McAfee VirusScan *On-access scanning disabled* (Updated)

FW: McAfee Personal Firewall *disabled*

* Created a new restore point

FILE ::

c:\documents and settings\Raven\register.bat

C:\register.bat

c:\windows\system32\uactmp.db

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Raven\register.bat

c:\program files\LimeWire

c:\program files\LimeWire\commons-httpclient.jar.tmp

c:\program files\LimeWire\commons-net.jar.tmp

c:\program files\LimeWire\commons-pool.jar.tmp

c:\program files\LimeWire\forms.jar.tmp

c:\program files\LimeWire\foxtrot.jar.tmp

c:\program files\LimeWire\guice-1.0.jar.tmp

c:\program files\LimeWire\hs_err_pid2132.log

c:\program files\LimeWire\httpcore-nio.jar.tmp

c:\program files\LimeWire\httpcore.jar.tmp

c:\program files\LimeWire\id3v2.jar.tmp

c:\program files\LimeWire\looks.jar.tmp

c:\program files\LimeWire\ProgressTabs.jar.tmp

c:\program files\LimeWire\swt.jar.tmp

c:\program files\LimeWire\themes.jar.tmp

C:\register.bat

c:\windows\system32\uactmp.db

.

((((((((((((((((((((((((( Files Created from 2009-03-05 to 2009-04-05 )))))))))))))))))))))))))))))))

.

2009-04-01 04:47 . 2009-04-01 04:47 61,224 --a------ c:\documents and settings\Raven\GoToAssistDownloadHelper.exe

2009-03-30 16:48 . 2009-01-09 15:19 1,089,593 -----c--- c:\windows\system32\dllcache\ntprint.cat

2009-03-29 23:33 . 2009-03-30 00:10 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\SACore

2009-03-29 22:25 . 2006-03-03 08:07 143,360 --a------ c:\windows\system32\dunzip32.dll

2009-03-29 22:25 . 2009-04-05 18:33 8,437 --a------ c:\windows\system32\Config.MPF

2009-03-29 22:21 . 2007-11-22 06:44 201,320 --a------ c:\windows\system32\drivers\mfehidk.sys

2009-03-29 22:21 . 2007-11-22 06:44 79,304 --a------ c:\windows\system32\drivers\mfeavfk.sys

2009-03-29 22:21 . 2007-12-02 12:51 40,488 --a------ c:\windows\system32\drivers\mfesmfk.sys

2009-03-29 22:21 . 2007-11-22 06:44 35,240 --a------ c:\windows\system32\drivers\mfebopk.sys

2009-03-29 22:21 . 2007-11-22 06:44 33,832 --a------ c:\windows\system32\drivers\mferkdk.sys

2009-03-29 22:20 . 2007-07-13 06:20 113,952 --a------ c:\windows\system32\drivers\Mpfp.sys

2009-03-29 22:19 . 2009-03-29 22:20 <DIR> d-------- c:\program files\McAfee.com

2009-03-29 22:19 . 2009-03-31 12:14 <DIR> d-------- c:\program files\McAfee

2009-03-29 22:19 . 2009-03-29 22:21 <DIR> d-------- c:\program files\Common Files\McAfee

2009-03-29 21:00 . 2009-03-29 21:00 <DIR> d-------- C:\mfe

2009-03-29 20:37 . 2009-03-29 20:37 <DIR> d-------- C:\e51e30ab8bb3b01752a8c619c942

2009-03-29 20:37 . 2008-07-06 08:06 1,676,288 -----c--- c:\windows\system32\dllcache\xpssvcs.dll

2009-03-29 20:37 . 2008-07-06 06:50 597,504 -----c--- c:\windows\system32\dllcache\printfilterpipelinesvc.exe

2009-03-29 20:37 . 2008-07-06 08:06 575,488 -----c--- c:\windows\system32\dllcache\xpsshhdr.dll

2009-03-29 20:37 . 2008-07-06 08:06 89,088 -----c--- c:\windows\system32\dllcache\filterpipelineprintproc.dll

2009-03-27 11:55 . 2009-03-27 11:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\Citrix

2009-03-26 01:34 . 2009-04-05 02:30 4,194,973 --a------ c:\windows\pfirewall.log.old

2009-03-25 23:53 . 2009-03-25 23:53 <DIR> d-------- c:\program files\providerComcast

2009-03-15 19:58 . 2009-03-15 19:57 73,728 --a------ c:\windows\system32\javacpl.cpl

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-04-05 06:09 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore

2009-04-01 04:34 --------- d-----w c:\documents and settings\Raven\Application Data\ComcastToolbar

2009-03-30 03:31 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee

2009-03-29 23:42 --------- d-----w c:\program files\Spybot - Search & Destroy

2009-03-29 23:24 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-03-20 05:10 --------- d-----w c:\documents and settings\Raven\Application Data\Move Networks

2009-03-15 23:57 410,984 ----a-w c:\windows\system32\deploytk.dll

2009-03-15 23:57 --------- d-----w c:\program files\Java

2009-03-01 19:38 --------- d-----w c:\documents and settings\All Users\Application Data\Comcast

2009-02-28 04:49 --------- d-----w c:\program files\Microsoft Silverlight

2009-02-26 08:08 --------- d-----w c:\program files\Google

2009-02-25 04:55 --------- d-----w c:\program files\RegistryPatrol3.0

2009-02-25 04:29 --------- dc----w c:\documents and settings\All Users\Application Data\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}

2009-02-25 01:08 --------- d-----w c:\documents and settings\Raven\Application Data\McAfee

2009-02-24 10:13 --------- d-----w c:\documents and settings\All Users\Application Data\Avg8

2009-02-21 08:52 --------- d-----w c:\program files\Common Files\Scanner

2009-02-21 08:52 --------- d-----w c:\program files\ComcastToolbar

2009-02-21 08:51 --------- d-----w c:\program files\Common Files\SupportSoft

2009-02-21 08:51 --------- d-----w c:\program files\Comcast

2009-02-21 08:51 --------- d-----w c:\documents and settings\All Users\Application Data\SupportSoft

2009-02-21 08:25 --------- d-----w c:\program files\support.com

2009-02-16 15:01 --------- d-----w c:\program files\MSECache

2009-02-15 06:02 --------- d-----w c:\program files\Roxio

2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys

2009-02-08 16:56 --------- d-----w c:\program files\CONEXANT

2009-02-08 16:55 --------- d--h--w c:\program files\InstallShield Installation Information

2009-02-08 16:55 --------- d-----w c:\program files\Dell

2009-02-08 16:55 --------- d-----w c:\program files\Common Files\Sonic Shared

2009-02-08 16:55 --------- d-----w c:\documents and settings\All Users\Application Data\CyberLink

2009-02-07 16:54 --------- d-----w c:\program files\Common Files\Roxio Shared

2006-12-10 19:32 1,519,800 -c----w c:\program files\dMC-r10.exe

2006-12-07 18:14 88 --sh--r c:\windows\system32\10E31F1BA8.sys

2006-12-07 18:14 3,610 -csh--w c:\windows\system32\KGyGaAvL.sys

.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

---- Directory of c:\documents and settings\All Users\Application Data\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185} ----

---- Directory of C:\e51e30ab8bb3b01752a8c619c942 ----

2008-07-06 17:36 2936832 --------- c:\e51e30ab8bb3b01752a8c619c942\amd64\xpssvcs.dll

2008-07-06 08:06 89088 --------- c:\e51e30ab8bb3b01752a8c619c942\i386\filterpipelineprintproc.dll

2008-07-06 08:06 765440 --------- c:\e51e30ab8bb3b01752a8c619c942\i386\mxdwdrv.dll

2008-07-06 08:06 748032 --------- c:\e51e30ab8bb3b01752a8c619c942\amd64\mxdwdrv.dll

2008-07-06 08:06 1676288 --------- c:\e51e30ab8bb3b01752a8c619c942\i386\xpssvcs.dll

2008-07-06 08:06 147456 --------- c:\e51e30ab8bb3b01752a8c619c942\amd64\filterpipelineprintproc.dll

2008-07-06 08:06 10929 --------- c:\e51e30ab8bb3b01752a8c619c942\i386\msxpsdrv.cat

2008-07-06 08:06 10929 --------- c:\e51e30ab8bb3b01752a8c619c942\amd64\msxpsdrv.cat

2008-06-19 11:03 73 --------- c:\e51e30ab8bb3b01752a8c619c942\i386\msxpsinc.gpd

2008-06-19 11:03 73 --------- c:\e51e30ab8bb3b01752a8c619c942\amd64\msxpsinc.gpd

2008-06-19 01:33 72 --------- c:\e51e30ab8bb3b01752a8c619c942\i386\msxpsinc.ppd

2008-06-19 01:33 72 --------- c:\e51e30ab8bb3b01752a8c619c942\amd64\msxpsinc.ppd

2008-06-19 01:33 2204 --------- c:\e51e30ab8bb3b01752a8c619c942\i386\msxpsdrv.inf

2008-06-19 01:33 2204 --------- c:\e51e30ab8bb3b01752a8c619c942\amd64\msxpsdrv.inf

---- Directory of C:\mfe ----

2009-03-29 23:47 516 --a------ c:\mfe\rofix.reg

2009-03-29 23:47 495 --a------ c:\mfe\certfix.reg

((((((((((((((((((((((((((((( SnapShot@2009-04-05_15.02.26.31 )))))))))))))))))))))))))))))))))))))))))

.

- 2009-04-05 16:28:12 32,768 -c--a-w c:\windows\system32\config\systemprofile\Cookies\index.dat

+ 2009-04-05 21:57:51 32,768 -c--a-w c:\windows\system32\config\systemprofile\Cookies\index.dat

- 2009-04-05 16:28:12 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2009-04-05 21:57:51 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2009-04-05 22:00:58 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_154.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2008-10-24 79136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ShowLOMControl"="1 (0x1)" [X]

"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]

"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-11-07 122940]

"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 761947]

"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]

"WinPatrol"="c:\program files\BillP Studios\WinPatrol\WinPatrol.exe" [2006-10-01 255552]

"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-05-18 49152]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2008-10-24 79136]

"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-15 148888]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]

2004-09-07 18:08 110592 c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"LexBceS"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\drivers\\svchost.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-03-29 210216]

R2 tgsrvc_providercomcast;SupportSoft Repair Service (providercomcast);c:\program files\providerComcast\bin\tgsrvc.exe [2008-05-02 148768]

.

Contents of the 'Scheduled Tasks' folder

2009-03-28 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 15:42]

2009-03-30 c:\windows\Tasks\McDefragTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2009-04-01 c:\windows\Tasks\McQcTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.comcast.net/

mStart Page = hxxp://www.comcast.net/

mWindow Title = Windows Internet Explorer provided by Comcast

uInternet Connection Wizard,ShellNext = iexplore

uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s

Trusted Zone: internet

Trusted Zone: mcafee.com

FF - ProfilePath - c:\documents and settings\Raven\Application Data\Mozilla\Firefox\Profiles\t4jerh97.default\

FF - prefs.js: browser.startup.homepage - www.google.com

FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPinfotl.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin8.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll

FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll

.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-04-05 18:38:17

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-159392861-630838887-3421650970-1006\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(680)

c:\program files\Intel\Wireless\Bin\LgNotify.dll

.

Completion time: 2009-04-05 18:40:55

ComboFix-quarantined-files.txt 2009-04-05 22:40:00

ComboFix2.txt 2009-04-05 19:03:38

Pre-Run: 43,866,488,832 bytes free

Post-Run: 43,851,735,040 bytes free

227 --- E O F --- 2009-03-31 07:01:04

Malwarebytes log:

Malwarebytes' Anti-Malware 1.35

Database version: 1942

Windows 5.1.2600 Service Pack 3

4/5/2009 7:55:32 PM

mbam-log-2009-04-05 (19-55-32).txt

Scan type: Full Scan (C:\|)

Objects scanned: 154625

Time elapsed: 1 hour(s), 7 minute(s), 34 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 9

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\pornpro.pornpro_bho (Adware.PlayaZ) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\pornpro.pornpro_bho.1 (Adware.PlayaZ) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\Raven\Desktop\badfiles\UACpwvyeppf.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\UACjtculqrs.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\UACpveywdvn.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\UACvhsaosef.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\UACwrxfruun.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP702\A0144102.dll (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP702\A0144103.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP702\A0144104.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP702\A0144105.dll (Trojan.TDSS) -> Quarantined and deleted successfully.


Link to post
Share on other sites

McAfee was only doing its job. Items flagged are quite safe as I have them in a secure place and will deal with them when I'm happy we're clean.

c:\mfe <<You can delete this folder

Please go to Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on the Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
     • Spyware, Adware, Dialers, and other potentially dangerous programs
     • Archives
     • Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.

Post:

jotti's report

kaspersky report

fresh HJT log

Link to post
Share on other sites

I'm confused.. how do I delete the file you want me to delete? And what do you want me to Jotti? Sorry, I've been out of town for a few days and I'm a little fuzzy on how to work on this stuff..

c:\mfe <<Just delete this file

Now run the kaspersky scan.

Don't worry about Jotti's, typo error on my part :D

Link to post
Share on other sites

Ok. So, I still don't know what or how you want me to delete a file... But here is Kaspersky's report.

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7.0 REPORT

Saturday, April 11, 2009

Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Program database last update: Saturday, April 11, 2009 14:09:12

Records in database: 2034660

--------------------------------------------------------------------------------

Scan settings:

Scan using the following database: extended

Scan archives: yes

Scan mail databases: yes

Scan area - My Computer:

C:\

D:\

Scan statistics:

Files scanned: 86457

Threat name: 3

Infected objects: 3

Suspicious objects: 0

Duration of the scan: 02:34:01

File name / Threat name / Threats count

C:\Documents and Settings\Raven\My Documents\LimeWire\Saved\call in the calvary.mp3 Infected: Trojan-Downloader.WMA.GetCodec.y 1

C:\Documents and Settings\Raven\My Documents\LimeWire\Saved\cry little sister g tom mac.wma Infected: Trojan-Downloader.WMA.GetCodec.x 1

C:\Documents and Settings\Raven\My Documents\LimeWire\Saved\living on a prayer 1996 2009.mp3 Infected: Trojan-Downloader.WMA.GetCodec.w 1

The selected area was scanned.

Link to post
Share on other sites

Yes, I removed limewire. And I deleted the file you referenced. I looked it up on the dell web site.

My computer went a little install update crazy this morning and installed all of these updates.

Installing Security Update for Windows XP (KB923561) (update 1 of 10)... done!

Installing Security Update for Microsoft Office Excel 2003 (KB959995) (update 2 of 10)... done!

Installing Security Update for Windows XP (KB960803) (update 3 of 10)... done!

Installing Security Update for 2007 Microsoft Office System (KB960003) (update 4 of 10)... done!

Installing Security Update for Windows XP (KB952004) (update 5 of 10)... done!

Installing Security Update for Windows XP (KB956572) (update 6 of 10)... done!

Installing Windows Malicious Software Removal Tool - April 2009 (KB890830) (update 7 of 10)... done!

Installing Cumulative Security Update for Internet Explorer 7 for Windows XP (KB963027) (update 8 of 10)... done!

Installing Security Update for Windows XP (KB961373) (update 9 of 10)... done!

Installing Security Update for Windows XP (KB959426) (update 10 of 10)...

At once.

Link to post
Share on other sites
