
Help Removing Trojan: NTOSKRNL-HOOK 2 Posting Series



Maurice:

OK, finished running AVZ and GMER, both ran successfully - but only in safe mode; kept getting crash dumps.

Also, I hope I understood you correctly about opening a new post, and have done so here.

In your last email you asked "Inside the LOG folder you will find virusinfo_syscheck.htm and virusinfo_syscheck.zip Attach virusinfo_syscheck.htm to your next reply"

Also, you asked for "Please attach the gmer.txt to your reply:

Click the [Manage Attachments] button under Additional Options > Attach Files on the post composition page, browse to where you saved the file, and

Click Upload."

I've attached the two logs, and added the date in the GMER log.

Let me know what the next step is.

Don

Gmer_4Aug09.txt

virusinfo_syscheck.htm



Don,

I did not intend nor ask for you to open a new thread.

Here is the GMER log:

GMER 1.0.15.15011 [gmer.exe] - http://www.gmer.net

Rootkit scan 2009-08-04 10:21:26

Windows 6.0.6001 Service Pack 1

---- System - GMER 1.0.15 ----

Code 87A3A130 ZwEnumerateKey

Code 87A54130 ZwFlushInstructionCache

Code 874CD12E ZwSaveKey

Code 87A6F12E ZwSaveKeyEx

Code 884454B5 IofCallDriver

Code 884462BE IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCompleteRequest 82241FE2 5 Bytes JMP 884462C3

.text ntkrnlpa.exe!IofCallDriver 822C3F6F 5 Bytes JMP 884454BA

PAGE ntkrnlpa.exe!ZwFlushInstructionCache 823BA30B 5 Bytes JMP 87A54134

PAGE ntkrnlpa.exe!ZwEnumerateKey 8240FBA2 5 Bytes JMP 87A3A134

PAGE ntkrnlpa.exe!ZwSaveKey 8245D523 5 Bytes JMP 874CD132

PAGE ntkrnlpa.exe!ZwSaveKeyEx 8245D62A 5 Bytes JMP 87A6F132

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\winlogon.exe[544] ntdll.dll!LdrLoadDll 776E7933 5 Bytes JMP 002B000A

.text C:\Windows\system32\lsm.exe[612] ntdll.dll!LdrLoadDll 776E7933 5 Bytes JMP 0021000A

.text C:\Windows\system32\wbem\unsecapp.exe[636] ntdll.dll!LdrLoadDll 776E7933 5 Bytes JMP 000B000A

.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[724] ntdll.dll!LdrLoadDll 776E7933 5 Bytes JMP 003C000A

.text C:\Users\Don\Desktop\gmer.exe[736] ntdll.dll!LdrLoadDll 776E7933 5 Bytes JMP 001B000A

.text ...

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[1732] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74747BA4] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT C:\Windows\Explorer.EXE[1732] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [747898C5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT C:\Windows\Explorer.EXE[1732] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7474D3C8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT C:\Windows\Explorer.EXE[1732] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7473F527] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT C:\Windows\Explorer.EXE[1732] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [74747599] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT C:\Windows\Explorer.EXE[1732] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [7473E43D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT C:\Windows\Explorer.EXE[1732] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [7477B33D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT C:\Windows\Explorer.EXE[1732] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [7474D68A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT C:\Windows\Explorer.EXE[1732] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [7474012E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT C:\Windows\Explorer.EXE[1732] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [74740095] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT C:\Windows\Explorer.EXE[1732] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [747371F3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT C:\Windows\Explorer.EXE[1732] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [747CD802] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT C:\Windows\Explorer.EXE[1732] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [747675E1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT C:\Windows\Explorer.EXE[1732] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [7473DAE1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT C:\Windows\Explorer.EXE[1732] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [7473668F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT C:\Windows\Explorer.EXE[1732] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [747366BA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT C:\Windows\Explorer.EXE[1732] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74741E45] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

AttachedDevice \Driver\tdx \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

AttachedDevice \Driver\tdx \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\geyekrnntptbvt.dll (*** hidden *** ) @ C:\Windows\system32\wininit.exe [516] 0x10000000

Library \\?\globalroot\systemroot\system32\geyekrnntptbvt.dll (*** hidden *** ) @ C:\Windows\system32\winlogon.exe [544] 0x10000000

Library \\?\globalroot\systemroot\system32\geyekrnntptbvt.dll (*** hidden *** ) @ C:\Windows\system32\services.exe [588] 0x10000000

Library \\?\globalroot\systemroot\system32\geyekrnntptbvt.dll (*** hidden *** ) @ C:\Windows\system32\lsass.exe [604] 0x10000000

Library \\?\globalroot\systemroot\system32\geyekrnntptbvt.dll (*** hidden *** ) @ C:\Windows\system32\lsm.exe [612] 0x10000000

Library \\?\globalroot\systemroot\system32\geyekrnntptbvt.dll (*** hidden *** ) @ C:\Windows\system32\wbem\unsecapp.exe [636] 0x10000000

Library \\?\globalroot\systemroot\system32\geyekrnntptbvt.dll (*** hidden *** ) @ c:\PROGRA~1\mcafee.com\agent\mcagent.exe [724] 0x10000000

Library \\?\globalroot\systemroot\system32\geyekrnntptbvt.dll (*** hidden *** ) @ C:\Users\Don\Desktop\gmer.exe [736] 0x10000000

Library \\?\globalroot\systemroot\system32\geyekrnntptbvt.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [836] 0x10000000

Library \\?\globalroot\systemroot\system32\geyekrnntptbvt.dll (*** hidden *** ) @ C:\Windows\System32\svchost.exe [944] 0x10000000

Library \\?\globalroot\systemroot\system32\geyekrnntptbvt.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [980] 0x10000000

Library \\?\globalroot\systemroot\system32\geyekrnntptbvt.dll (*** hidden *** ) @ C:\Windows\System32\svchost.exe [1016] 0x10000000

Library \\?\globalroot\systemroot\system32\geyekrnntptbvt.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [1048] 0x10000000

Library \\?\globalroot\systemroot\system32\geyekrnntptbvt.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [1088] 0x10000000

Library \\?\globalroot\systemroot\system32\geyekrnntptbvt.dll (*** hidden *** ) @ C:\Windows\system32\wbem\wmiprvse.exe [1188] 0x10000000

Library \\?\globalroot\systemroot\system32\geyekrnntptbvt.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [1204] 0x10000000

Library \\?\globalroot\systemroot\system32\geyekrnntptbvt.dll (*** hidden *** ) @ C:\Program Files\McAfee\MPF\MPFSrv.exe [1336] 0x10000000

Library \\?\globalroot\systemroot\system32\geyekrnntptbvt.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [1376] 0x10000000

Library \\?\globalroot\systemroot\system32\geyekrnntptbvt.dll (*** hidden *** ) @ C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe [1696] 0x10000000

Library \\?\globalroot\systemroot\system32\geyekrnntptbvt.dll (*** hidden *** ) @ C:\Windows\Explorer.EXE [1732] 0x10000000

Library \\?\globalroot\systemroot\system32\geyekrnntptbvt.dll (*** hidden *** ) @ C:\Program Files\Windows Media Player\wmpnscfg.exe [1984] 0x10000000

---- Services - GMER 1.0.15 ----

Service C:\Windows\system32\drivers\geyekrocdmwyxp.sys (*** hidden *** ) [SYSTEM] geyekrxdxiwesy <-- ROOTKIT !!!

Service system32\drivers\SKYNEThiwqcpmy.sys (*** hidden *** ) [SYSTEM] SKYNETrpbltdkt <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxdxiwesy

Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxdxiwesy@start 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxdxiwesy@type 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxdxiwesy@group file system

Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxdxiwesy@imagepath \systemroot\system32\drivers\geyekrocdmwyxp.sys

Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxdxiwesy\main

Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxdxiwesy\main@aid 10063

Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxdxiwesy\main@sid 0

Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxdxiwesy\main@cmddelay 14400

Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxdxiwesy\main\delete

Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxdxiwesy\main\injector

Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxdxiwesy\main\injector@* geyekrwsp.dll

Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxdxiwesy\main\tasks

Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxdxiwesy\modules

Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxdxiwesy\modules@geyekrrk.sys \systemroot\system32\drivers\geyekrocdmwyxp.sys

Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxdxiwesy\modules@geyekrcmd.dll \systemroot\system32\geyekrdfepqgwh.dll

Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxdxiwesy\modules@geyekrlog.dat \systemroot\system32\geyekrcitdecti.dat

Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxdxiwesy\modules@geyekrwsp.dll \systemroot\system32\geyekrnntptbvt.dll

Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxdxiwesy\modules@geyekr.dat \systemroot\system32\geyekrvrivrnlm.dat

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETrpbltdkt@start 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETrpbltdkt@type 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETrpbltdkt@group file system

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETrpbltdkt@imagepath \systemroot\system32\drivers\SKYNEThiwqcpmy.sys

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETrpbltdkt\main

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETrpbltdkt\main@aid 10063

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETrpbltdkt\main@sid 0

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETrpbltdkt\main@cmddelay 7200

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETrpbltdkt\main\delete

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETrpbltdkt\main\injector

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETrpbltdkt\main\injector@* SKYNETwsp.dll

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETrpbltdkt\main\tasks

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETrpbltdkt\modules

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETrpbltdkt\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNEThiwqcpmy.sys

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETrpbltdkt\modules@SKYNETcmd.dll \systemroot\system32\SKYNETxctihped.dll

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETrpbltdkt\modules@SKYNETlog.dat \systemroot\system32\SKYNETmisjusmt.dat

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETrpbltdkt\modules@SKYNETwsp.dll \systemroot\system32\SKYNETevnbwcxi.dll

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETrpbltdkt\modules@SKYNET.dat \systemroot\system32\SKYNETyiqrpnfq.dat

Reg HKLM\SYSTEM\ControlSet002\Services\geyekrxdxiwesy (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\geyekrxdxiwesy@start 1

Reg HKLM\SYSTEM\ControlSet002\Services\geyekrxdxiwesy@type 1

Reg HKLM\SYSTEM\ControlSet002\Services\geyekrxdxiwesy@group file system

Reg HKLM\SYSTEM\ControlSet002\Services\geyekrxdxiwesy@imagepath \systemroot\system32\drivers\geyekrocdmwyxp.sys

Reg HKLM\SYSTEM\ControlSet002\Services\geyekrxdxiwesy\main (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\geyekrxdxiwesy\main@aid 10063

Reg HKLM\SYSTEM\ControlSet002\Services\geyekrxdxiwesy\main@sid 0

Reg HKLM\SYSTEM\ControlSet002\Services\geyekrxdxiwesy\main@cmddelay 14400

Reg HKLM\SYSTEM\ControlSet002\Services\geyekrxdxiwesy\main\delete (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\geyekrxdxiwesy\main\injector (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\geyekrxdxiwesy\main\injector@* geyekrwsp.dll

Reg HKLM\SYSTEM\ControlSet002\Services\geyekrxdxiwesy\main\tasks (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\geyekrxdxiwesy\modules (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\geyekrxdxiwesy\modules@geyekrrk.sys \systemroot\system32\drivers\geyekrocdmwyxp.sys

Reg HKLM\SYSTEM\ControlSet002\Services\geyekrxdxiwesy\modules@geyekrcmd.dll \systemroot\system32\geyekrdfepqgwh.dll

Reg HKLM\SYSTEM\ControlSet002\Services\geyekrxdxiwesy\modules@geyekrlog.dat \systemroot\system32\geyekrcitdecti.dat

Reg HKLM\SYSTEM\ControlSet002\Services\geyekrxdxiwesy\modules@geyekrwsp.dll \systemroot\system32\geyekrnntptbvt.dll

Reg HKLM\SYSTEM\ControlSet002\Services\geyekrxdxiwesy\modules@geyekr.dat \systemroot\system32\geyekrvrivrnlm.dat

Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxdxiwesy (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxdxiwesy@start 1

Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxdxiwesy@type 1

Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxdxiwesy@group file system

Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxdxiwesy@imagepath \systemroot\system32\drivers\geyekrocdmwyxp.sys

Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxdxiwesy\main (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxdxiwesy\main@aid 10063

Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxdxiwesy\main@sid 0

Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxdxiwesy\main@cmddelay 14400

Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxdxiwesy\main\delete (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxdxiwesy\main\injector (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxdxiwesy\main\injector@* geyekrwsp.dll

Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxdxiwesy\main\tasks (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxdxiwesy\modules (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxdxiwesy\modules@geyekrrk.sys \systemroot\system32\drivers\geyekrocdmwyxp.sys

Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxdxiwesy\modules@geyekrcmd.dll \systemroot\system32\geyekrdfepqgwh.dll

Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxdxiwesy\modules@geyekrlog.dat \systemroot\system32\geyekrcitdecti.dat

Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxdxiwesy\modules@geyekrwsp.dll \systemroot\system32\geyekrnntptbvt.dll

Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxdxiwesy\modules@geyekr.dat \systemroot\system32\geyekrvrivrnlm.dat

Reg HKLM\SYSTEM\ControlSet004\Services\geyekrxdxiwesy (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet004\Services\geyekrxdxiwesy@start 1

Reg HKLM\SYSTEM\ControlSet004\Services\geyekrxdxiwesy@type 1

Reg HKLM\SYSTEM\ControlSet004\Services\geyekrxdxiwesy@group file system

Reg HKLM\SYSTEM\ControlSet004\Services\geyekrxdxiwesy@imagepath \systemroot\system32\drivers\geyekrocdmwyxp.sys

Reg HKLM\SYSTEM\ControlSet004\Services\geyekrxdxiwesy\main (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet004\Services\geyekrxdxiwesy\main@aid 10063

Reg HKLM\SYSTEM\ControlSet004\Services\geyekrxdxiwesy\main@sid 0

Reg HKLM\SYSTEM\ControlSet004\Services\geyekrxdxiwesy\main@cmddelay 14400

Reg HKLM\SYSTEM\ControlSet004\Services\geyekrxdxiwesy\main\delete (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet004\Services\geyekrxdxiwesy\main\injector (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet004\Services\geyekrxdxiwesy\main\injector@* geyekrwsp.dll

Reg HKLM\SYSTEM\ControlSet004\Services\geyekrxdxiwesy\main\tasks (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet004\Services\geyekrxdxiwesy\modules (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet004\Services\geyekrxdxiwesy\modules@geyekrrk.sys \systemroot\system32\drivers\geyekrocdmwyxp.sys

Reg HKLM\SYSTEM\ControlSet004\Services\geyekrxdxiwesy\modules@geyekrcmd.dll \systemroot\system32\geyekrdfepqgwh.dll

Reg HKLM\SYSTEM\ControlSet004\Services\geyekrxdxiwesy\modules@geyekrlog.dat \systemroot\system32\geyekrcitdecti.dat

Reg HKLM\SYSTEM\ControlSet004\Services\geyekrxdxiwesy\modules@geyekrwsp.dll \systemroot\system32\geyekrnntptbvt.dll

Reg HKLM\SYSTEM\ControlSet004\Services\geyekrxdxiwesy\modules@geyekr.dat \systemroot\system32\geyekrvrivrnlm.dat

Reg HKLM\SYSTEM\ControlSet005\Services\geyekrxdxiwesy (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet005\Services\geyekrxdxiwesy@start 1

Reg HKLM\SYSTEM\ControlSet005\Services\geyekrxdxiwesy@type 1

Reg HKLM\SYSTEM\ControlSet005\Services\geyekrxdxiwesy@group file system

Reg HKLM\SYSTEM\ControlSet005\Services\geyekrxdxiwesy@imagepath \systemroot\system32\drivers\geyekrocdmwyxp.sys

Reg HKLM\SYSTEM\ControlSet005\Services\geyekrxdxiwesy\main (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet005\Services\geyekrxdxiwesy\main@aid 10063

Reg HKLM\SYSTEM\ControlSet005\Services\geyekrxdxiwesy\main@sid 0

Reg HKLM\SYSTEM\ControlSet005\Services\geyekrxdxiwesy\main@cmddelay 14400

Reg HKLM\SYSTEM\ControlSet005\Services\geyekrxdxiwesy\main\delete (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet005\Services\geyekrxdxiwesy\main\injector (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet005\Services\geyekrxdxiwesy\main\injector@* geyekrwsp.dll

Reg HKLM\SYSTEM\ControlSet005\Services\geyekrxdxiwesy\main\tasks (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet005\Services\geyekrxdxiwesy\modules (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet005\Services\geyekrxdxiwesy\modules@geyekrrk.sys \systemroot\system32\drivers\geyekrocdmwyxp.sys

Reg HKLM\SYSTEM\ControlSet005\Services\geyekrxdxiwesy\modules@geyekrcmd.dll \systemroot\system32\geyekrdfepqgwh.dll

Reg HKLM\SYSTEM\ControlSet005\Services\geyekrxdxiwesy\modules@geyekrlog.dat \systemroot\system32\geyekrcitdecti.dat

Reg HKLM\SYSTEM\ControlSet005\Services\geyekrxdxiwesy\modules@geyekrwsp.dll \systemroot\system32\geyekrnntptbvt.dll

Reg HKLM\SYSTEM\ControlSet005\Services\geyekrxdxiwesy\modules@geyekr.dat \systemroot\system32\geyekrvrivrnlm.dat

Reg HKLM\SYSTEM\ControlSet006\Services\geyekrxdxiwesy (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet006\Services\geyekrxdxiwesy@start 1

Reg HKLM\SYSTEM\ControlSet006\Services\geyekrxdxiwesy@type 1

Reg HKLM\SYSTEM\ControlSet006\Services\geyekrxdxiwesy@group file system

Reg HKLM\SYSTEM\ControlSet006\Services\geyekrxdxiwesy@imagepath \systemroot\system32\drivers\geyekrocdmwyxp.sys

Reg HKLM\SYSTEM\ControlSet006\Services\geyekrxdxiwesy\main (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet006\Services\geyekrxdxiwesy\main@aid 10063

Reg HKLM\SYSTEM\ControlSet006\Services\geyekrxdxiwesy\main@sid 0

Reg HKLM\SYSTEM\ControlSet006\Services\geyekrxdxiwesy\main@cmddelay 14400

Reg HKLM\SYSTEM\ControlSet006\Services\geyekrxdxiwesy\main\delete (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet006\Services\geyekrxdxiwesy\main\injector (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet006\Services\geyekrxdxiwesy\main\injector@* geyekrwsp.dll

Reg HKLM\SYSTEM\ControlSet006\Services\geyekrxdxiwesy\main\tasks (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet006\Services\geyekrxdxiwesy\modules (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet006\Services\geyekrxdxiwesy\modules@geyekrrk.sys \systemroot\system32\drivers\geyekrocdmwyxp.sys

Reg HKLM\SYSTEM\ControlSet006\Services\geyekrxdxiwesy\modules@geyekrcmd.dll \systemroot\system32\geyekrdfepqgwh.dll

Reg HKLM\SYSTEM\ControlSet006\Services\geyekrxdxiwesy\modules@geyekrlog.dat \systemroot\system32\geyekrcitdecti.dat

Reg HKLM\SYSTEM\ControlSet006\Services\geyekrxdxiwesy\modules@geyekrwsp.dll \systemroot\system32\geyekrnntptbvt.dll

Reg HKLM\SYSTEM\ControlSet006\Services\geyekrxdxiwesy\modules@geyekr.dat \systemroot\system32\geyekrvrivrnlm.dat

Reg HKLM\SYSTEM\ControlSet006\Services\SKYNETrpbltdkt@start 1

Reg HKLM\SYSTEM\ControlSet006\Services\SKYNETrpbltdkt@type 1

Reg HKLM\SYSTEM\ControlSet006\Services\SKYNETrpbltdkt@group file system

Reg HKLM\SYSTEM\ControlSet006\Services\SKYNETrpbltdkt@imagepath \systemroot\system32\drivers\SKYNEThiwqcpmy.sys

Reg HKLM\SYSTEM\ControlSet006\Services\SKYNETrpbltdkt\main (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet006\Services\SKYNETrpbltdkt\main@aid 10063

Reg HKLM\SYSTEM\ControlSet006\Services\SKYNETrpbltdkt\main@sid 0

Reg HKLM\SYSTEM\ControlSet006\Services\SKYNETrpbltdkt\main@cmddelay 7200

Reg HKLM\SYSTEM\ControlSet006\Services\SKYNETrpbltdkt\main\delete (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet006\Services\SKYNETrpbltdkt\main\injector (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet006\Services\SKYNETrpbltdkt\main\injector@* SKYNETwsp.dll

Reg HKLM\SYSTEM\ControlSet006\Services\SKYNETrpbltdkt\main\tasks (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet006\Services\SKYNETrpbltdkt\modules (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet006\Services\SKYNETrpbltdkt\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNEThiwqcpmy.sys

Reg HKLM\SYSTEM\ControlSet006\Services\SKYNETrpbltdkt\modules@SKYNETcmd.dll \systemroot\system32\SKYNETxctihped.dll

Reg HKLM\SYSTEM\ControlSet006\Services\SKYNETrpbltdkt\modules@SKYNETlog.dat \systemroot\system32\SKYNETmisjusmt.dat

Reg HKLM\SYSTEM\ControlSet006\Services\SKYNETrpbltdkt\modules@SKYNETwsp.dll \systemroot\system32\SKYNETevnbwcxi.dll

Reg HKLM\SYSTEM\ControlSet006\Services\SKYNETrpbltdkt\modules@SKYNET.dat \systemroot\system32\SKYNETyiqrpnfq.dat

---- Files - GMER 1.0.15 ----

File C:\Users\Don\AppData\Local\temp\geyekr000 0 bytes

File C:\Windows\System32\drivers\geyekrocdmwyxp.sys 69632 bytes <-- ROOTKIT !!!

File C:\Windows\System32\geyekrcitdecti.dat 166565 bytes

File C:\Windows\System32\geyekrdfepqgwh.dll 43008 bytes

File C:\Windows\System32\geyekrnntptbvt.dll 18432 bytes

File C:\Windows\System32\geyekrvrivrnlm.dat 91 bytes

File C:\Windows\Temp\geyekreevuxmryit.tmp 91 bytes

---- EOF - GMER 1.0.15 ----

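The "Kernel code sections" entries in the log above each report a 5-byte JMP written over the start of an ntkrnlpa.exe export, with the address it jumps to. What follows is an added example, not code from this thread, from GMER or from The Avenger: it rebuilds the five bytes such a hook consists of (E9 followed by a 32-bit displacement relative to the end of the instruction), decodes them back, and checks that each JMP target lands just past the "Code" address GMER lists for the same function in the System section. The six System lines and six hook lines are copied from the log above; the 16-byte stub window used by `targets_inside_stubs` is an assumption, not something GMER reports.

```python
"""Decode the 5-byte inline JMP hooks GMER reported in the log above.

Added example for this thread, not GMER's or The Avenger's code.  A 5-byte
inline hook overwrites the first bytes of a function with E9 <rel32>, where
rel32 is relative to the end of the 5-byte instruction.  GMER prints the
hooked address and the JMP target, so the patch bytes can be rebuilt and
the target compared with the "Code" stubs listed in the System section.
"""
import re
import struct

# Lines copied from the GMER log above: System section and Kernel code sections.
SYSTEM_LINES = """
Code 87A3A130 ZwEnumerateKey
Code 87A54130 ZwFlushInstructionCache
Code 874CD12E ZwSaveKey
Code 87A6F12E ZwSaveKeyEx
Code 884454B5 IofCallDriver
Code 884462BE IofCompleteRequest
"""
HOOK_LINES = """
.text ntkrnlpa.exe!IofCompleteRequest 82241FE2 5 Bytes JMP 884462C3
.text ntkrnlpa.exe!IofCallDriver 822C3F6F 5 Bytes JMP 884454BA
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 823BA30B 5 Bytes JMP 87A54134
PAGE ntkrnlpa.exe!ZwEnumerateKey 8240FBA2 5 Bytes JMP 87A3A134
PAGE ntkrnlpa.exe!ZwSaveKey 8245D523 5 Bytes JMP 874CD132
PAGE ntkrnlpa.exe!ZwSaveKeyEx 8245D62A 5 Bytes JMP 87A6F132
"""

HOOK_RE = re.compile(r"^(\S+) (\S+)!(\w+) ([0-9A-F]{8}) 5 Bytes JMP ([0-9A-F]{8})$")
CODE_RE = re.compile(r"^Code ([0-9A-F]{8}) (\w+)$")

# Standard hot-patchable x86 prologue: mov edi,edi / push ebp / mov ebp,esp.
CLEAN_PROLOGUE = b"\x8b\xff\x55\x8b\xec"


def encode_jmp(at, target):
    """Bytes of a `jmp rel32` written at `at` that lands on `target` (32-bit)."""
    rel = (target - (at + 5)) & 0xFFFFFFFF
    return b"\xe9" + struct.pack("<I", rel)


def decode_jmp(at, data):
    """JMP target if `data` (the bytes found at `at`) begins with E9 rel32, else None."""
    if len(data) < 5 or data[0] != 0xE9:
        return None
    rel = struct.unpack("<i", data[1:5])[0]
    return (at + 5 + rel) & 0xFFFFFFFF


def parse_hooks(hook_text, system_text):
    """Rebuild each hook's patch bytes and locate its target inside GMER's 'Code' stubs."""
    stubs = {}
    for line in system_text.splitlines():
        m = CODE_RE.match(line.strip())
        if m:
            stubs[m.group(2)] = int(m.group(1), 16)
    hooks = []
    for line in hook_text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        section, module, func, at, target = m.groups()
        at, target = int(at, 16), int(target, 16)
        patch = encode_jmp(at, target)
        if decode_jmp(at, patch) != target:  # encoder and decoder must round-trip
            raise ValueError(f"round trip failed for {func}")
        stub = stubs.get(func)
        hooks.append({
            "function": f"{module}!{func}",
            "section": section,
            "address": at,
            "target": target,
            "patch": patch,
            # How far past the start of the listed stub the JMP lands; None if no stub.
            "stub_offset": None if stub is None else target - stub,
        })
    return hooks


def targets_inside_stubs(hooks, window=16):
    """True when every JMP lands within `window` bytes of its 'Code' stub
    (16 is an assumed stub size, not a value GMER reports)."""
    return all(h["stub_offset"] is not None and 0 <= h["stub_offset"] < window
               for h in hooks)


if __name__ == "__main__":
    found = parse_hooks(HOOK_LINES, SYSTEM_LINES)
    for h in found:
        print(f"{h['function']:<40} {h['address']:08X} -> {h['target']:08X} "
              f"patch={h['patch'].hex()} stub+{h['stub_offset']}")
    print("all targets inside listed stubs:", targets_inside_stubs(found))
```

Run as a script it prints one line per hook; on the log's numbers every target sits 5 bytes past the listed stub for the two .text hooks and 4 bytes past it for the four PAGE hooks, which is the consistency a practitioner would check before trusting a log that was produced on a system that kept crashing.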

For the time being, we will be using this thread. Let's have you go forward with the following:

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!


If you are a casual viewer, do NOT try this on your system!

If you are not dsjNeedsHelp and have a similar problem, do NOT post here; start your own topic

Do not run or start any other programs while these utilities and tools are in use!

Do NOT run any other tools on your own or do any fixes other than what is listed here.

If you have questions, please ask before you do something on your own.

But it is important that you get going on the following steps.

=

Close any of your open programs while you run these tools.

Download The Avenger by Swandog46 from here.

  • Unzip/extract it to a folder on your desktop.
  • Next, RIGHT-click on avenger.exe and select Run as Administrator to start The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in between the **** stars lines **** below to the clipboard by highlighting it and then pressing Ctrl+C.
    ********************************************************
    Files to delete:
    C:\Users\Don\AppData\Local\temp\geyekr000
    C:\Windows\System32\drivers\geyekrocdmwyxp.sys
    C:\Windows\system32\drivers\SKYNEThiwqcpmy.sys
    C:\Windows\system32\geyekrnntptbvt.dll
    C:\Windows\system32\SKYNETyiqrpnfq.dat
    C:\Windows\system32\SKYNETxctihped.dll
    C:\Windows\system32\SKYNETmisjusmt.dat
    C:\Windows\system32\SKYNETevnbwcxi.dll
    C:\Windows\System32\geyekrcitdecti.dat
    C:\Windows\System32\geyekrdfepqgwh.dll
    C:\Windows\System32\geyekrvrivrnlm.dat
    C:\Windows\Temp\geyekreevuxmryit.tmp
    c:\windows\system32\drivers\msqpdxserv.sys
    C:\WINDOWS\system32\drivers\TDSSmqlt.sys
    C:\windows\system32\drivers\tdssserv.sys
    C:\WINDOWS\system32\drivers\TDSSmact.sys
    c:\windows\sysguard.exe
    c:\windows\system32\sdra64.exe
    Drivers to delete:
    SKYNETrpbltdkt
    geyekrocdmwyxp
    SKYNEThiwqcpmy
    geyekrxdxiwesy
    gxvxcserv
    ovfsthx
    UACd.sys
    UACd
    gaopdxserv.sys
    gaopdxserv
    gaopdx
    tdss
    tdssserv
    msqpdxserv
    Folders to delete:
    C:\Users\Don\AppData\Local\temp\geyekr000
    C:\recycler
    D:\recycler
    e:\recycler
    f:\recycler
    g:\recycler
    h:\recycler
    ********************************************************
  • In the Avenger window, click the Paste Script from Clipboard button.
  • Make sure that what appears in Avenger matches exactly what you were asked to Copy/Paste from the Code box above.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
  • After your PC has completed the necessary reboots, a log should automatically open. Please copy/paste the contents of c:\avenger.txt into your next reply.

Not all the items will be found; so do not worry. Hopefully enough of the rootkit will be removed so that we can continue forward with more cleaning.

If you get a blue screen abort when it reboots, please write down all the information, STOP codes and description, and then reboot the system again.

=

When that is finished, a new run of GMER

========================================================

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

========================================================

RIGHT-click gmer.exe and select Run as Administrator.

The program will begin to run.

**Caution**

These types of scans can produce false positives. Do NOT take any action on any "<-- ROOTKIT" entries unless advised by a trained Security Analyst.

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

  • Click Yes.
  • Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.

If you do not receive notice about possible rootkit activity, remain on the Rootkit/Malware tab and make sure the 'Show All' button is unticked.

  • Click the Scan button and let the program do its work. GMER will produce a log. Click on the [save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.

Please attach the gmer.txt to your reply:

  1. Click the [Manage Attachments] button under Additional Options > Attach Files on the post composition page, browse to where you saved the file, and
  2. Click Upload.

Next, a new run of OTL

Locate the OTL.exe on your Desktop.

RIGHT-click OTL.exe and choose Run As Administrator to start it.

Look at the upper left of window. Press the pink color Quick Scan button.

Have patience while it runs.

It will produce a new log. Save it.

Copy and paste back here:

  • a copy of C:\Avenger.txt
  • the new log from GMER
  • the new OTL.txt

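The Avenger script in this post is derived almost line by line from the GMER log in the previous post: the hidden DLL from the Processes section, the two hidden services and their image paths, the files named under each service's modules key, and the Files section. The following is an added example (not code from this thread, from GMER or from The Avenger) that performs that derivation mechanically, so the same triage can be repeated on a fresh GMER log after the reboot. The sample log is a constructed excerpt of the log above with the repeated Library lines and the inactive ControlSet00N copies trimmed; C:\Windows is assumed as the system root; only the live CurrentControlSet is consulted; and "Drivers to delete:" carries service names only. The extra catch-all entries the script above includes that the log did not report are not generated here.

```python
"""Triage a GMER log and derive the two lists an Avenger script needs.

Added example for this thread, not GMER's or The Avenger's own code.  It
reads the sections GMER flagged as hidden (Processes, Services, Registry,
Files), rewrites the NT-style paths GMER prints as Win32 paths, and emits
"Files to delete:" / "Drivers to delete:" blocks in the layout used in
the script above.
"""
import re

SYSROOT = r"C:\Windows"   # assumed here; a live run would read %SystemRoot%

# Constructed excerpt of the GMER log posted earlier in the thread
# (repeated Library lines and the inactive ControlSet00N copies trimmed).
SAMPLE_LOG = r"""
---- Processes - GMER 1.0.15 ----
Library \\?\globalroot\systemroot\system32\geyekrnntptbvt.dll (*** hidden *** ) @ C:\Windows\system32\wininit.exe [516] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrnntptbvt.dll (*** hidden *** ) @ C:\Windows\system32\lsass.exe [604] 0x10000000
---- Services - GMER 1.0.15 ----
Service C:\Windows\system32\drivers\geyekrocdmwyxp.sys (*** hidden *** ) [SYSTEM] geyekrxdxiwesy <-- ROOTKIT !!!
Service system32\drivers\SKYNEThiwqcpmy.sys (*** hidden *** ) [SYSTEM] SKYNETrpbltdkt <-- ROOTKIT !!!
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxdxiwesy@imagepath \systemroot\system32\drivers\geyekrocdmwyxp.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxdxiwesy\main\injector@* geyekrwsp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxdxiwesy\modules@geyekrrk.sys \systemroot\system32\drivers\geyekrocdmwyxp.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxdxiwesy\modules@geyekrcmd.dll \systemroot\system32\geyekrdfepqgwh.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxdxiwesy\modules@geyekrwsp.dll \systemroot\system32\geyekrnntptbvt.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETrpbltdkt@imagepath \systemroot\system32\drivers\SKYNEThiwqcpmy.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETrpbltdkt\modules@SKYNETwsp.dll \systemroot\system32\SKYNETevnbwcxi.dll
Reg HKLM\SYSTEM\ControlSet002\Services\geyekrxdxiwesy@imagepath \systemroot\system32\drivers\geyekrocdmwyxp.sys
---- Files - GMER 1.0.15 ----
File C:\Users\Don\AppData\Local\temp\geyekr000 0 bytes
File C:\Windows\System32\drivers\geyekrocdmwyxp.sys 69632 bytes <-- ROOTKIT !!!
File C:\Windows\System32\geyekrnntptbvt.dll 18432 bytes
"""

LIB_RE = re.compile(r"^Library (\S+) \(\*\*\* hidden \*\*\* \) @ (.+?) \[(\d+)\]")
SVC_RE = re.compile(r"^Service (\S+) \(\*\*\* hidden \*\*\* \) \[\w+\] (\S+)")
# Only the live control set matters for removal; ControlSet00N copies are skipped.
REG_RE = re.compile(r"^Reg HKLM\\SYSTEM\\CurrentControlSet\\Services\\([^\\@]+)(\\[^@]*)?@(\S+) (\S+)$")
FILE_RE = re.compile(r"^File (.+?) \d+ bytes")


def normalize(path):
    r"""Rewrite NT-style paths as the Win32 form Avenger takes.

    \\?\globalroot\systemroot\... and \systemroot\... both mean %SystemRoot%;
    a bare system32\... image path is relative to it as well.
    """
    p = path.strip()
    low = p.lower()
    for prefix in (r"\\?\globalroot\systemroot", r"\systemroot"):
        if low.startswith(prefix):
            return SYSROOT + p[len(prefix):]
    if low.startswith("system32\\"):
        return SYSROOT + "\\" + p
    return p


def parse_gmer(text):
    """Collect what GMER marked hidden, keyed by the service that owns it."""
    inv = {"hidden_libraries": [], "hidden_services": {}, "module_files": {}, "files": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := LIB_RE.match(line):
            inv["hidden_libraries"].append(normalize(m.group(1)))
        elif m := SVC_RE.match(line):
            inv["hidden_services"][m.group(2)] = normalize(m.group(1))
        elif m := REG_RE.match(line):
            svc, subkey, name, data = m.groups()
            # imagepath names the driver; the modules key lists the rest of the kit.
            if name.lower() == "imagepath" or (subkey or "").lower().endswith("\\modules"):
                inv["module_files"].setdefault(svc, []).append(normalize(data))
        elif m := FILE_RE.match(line):
            inv["files"].append(m.group(1))
    return inv


def dedupe(paths):
    """Drop case-insensitive duplicates (GMER mixes System32 and system32)."""
    seen, out = set(), []
    for p in paths:
        if p.lower() not in seen:
            seen.add(p.lower())
            out.append(p)
    return out


def removal_plan(inv):
    """Files and service names to hand to Avenger, in the order they were learned."""
    files = dedupe(inv["hidden_libraries"]
                   + list(inv["hidden_services"].values())
                   + [p for ps in inv["module_files"].values() for p in ps]
                   + inv["files"])
    drivers = dedupe(list(inv["hidden_services"]) + list(inv["module_files"]))
    return files, drivers


def avenger_script(files, drivers):
    """Render the script body in the form pasted into The Avenger above."""
    return "\n".join(["Files to delete:", *files, "Drivers to delete:", *drivers])


if __name__ == "__main__":
    inventory = parse_gmer(SAMPLE_LOG)
    print(f"hidden DLL seen in {len(inventory['hidden_libraries'])} processes")
    print(avenger_script(*removal_plan(inventory)))
```

On the excerpt this yields six distinct files and the two service names; the injector value (`@* geyekrwsp.dll`) is deliberately ignored because it names a module alias, not a file, and the ControlSet002 line is skipped because it is not the active control set.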

Maurice:

Here are the three scan reports. Had trouble with the GMER scan; had several crash dumps during the scan, and finally had to boot in safe mode. Then the scan ran OK.

One thing I noticed is that after running a McAfee quick scan and rebooting, the PC acts OK until either another scan or a reboot. Then I continue to get the crash dump screen. Anyway, here are the results of the scans:

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

No rootkits found!

Error: could not delete file "C:\Users\Don\AppData\Local\temp\geyekr000"

Deletion of file "C:\Users\Don\AppData\Local\temp\geyekr000" failed!

Status: 0xc0000156

Error: could not delete file "C:\Windows\System32\drivers\geyekrocdmwyxp.sys"

Deletion of file "C:\Windows\System32\drivers\geyekrocdmwyxp.sys" failed!

Status: 0xc0000156

Error: file "C:\Windows\system32\drivers\SKYNEThiwqcpmy.sys" not found!

Deletion of file "C:\Windows\system32\drivers\SKYNEThiwqcpmy.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: could not delete file "C:\Windows\system32\geyekrnntptbvt.dll"

Deletion of file "C:\Windows\system32\geyekrnntptbvt.dll" failed!

Status: 0xc0000156

Error: file "C:\Windows\system32\SKYNETyiqrpnfq.dat" not found!

Deletion of file "C:\Windows\system32\SKYNETyiqrpnfq.dat" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\Windows\system32\SKYNETxctihped.dll" not found!

Deletion of file "C:\Windows\system32\SKYNETxctihped.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\Windows\system32\SKYNETmisjusmt.dat" not found!

Deletion of file "C:\Windows\system32\SKYNETmisjusmt.dat" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\Windows\system32\SKYNETevnbwcxi.dll" not found!

Deletion of file "C:\Windows\system32\SKYNETevnbwcxi.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: could not delete file "C:\Windows\System32\geyekrcitdecti.dat"

Deletion of file "C:\Windows\System32\geyekrcitdecti.dat" failed!

Status: 0xc0000156

Error: could not delete file "C:\Windows\System32\geyekrdfepqgwh.dll"

Deletion of file "C:\Windows\System32\geyekrdfepqgwh.dll" failed!

Status: 0xc0000156

Error: could not delete file "C:\Windows\System32\geyekrvrivrnlm.dat"

Deletion of file "C:\Windows\System32\geyekrvrivrnlm.dat" failed!

Status: 0xc0000156

Error: file "C:\Windows\Temp\geyekreevuxmryit.tmp" not found!

Deletion of file "C:\Windows\Temp\geyekreevuxmryit.tmp" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\drivers\msqpdxserv.sys" not found!

Deletion of file "c:\windows\system32\drivers\msqpdxserv.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\system32\drivers\TDSSmqlt.sys" not found!

Deletion of file "C:\WINDOWS\system32\drivers\TDSSmqlt.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\windows\system32\drivers\tdssserv.sys" not found!

Deletion of file "C:\windows\system32\drivers\tdssserv.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\system32\drivers\TDSSmact.sys" not found!

Deletion of file "C:\WINDOWS\system32\drivers\TDSSmact.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\sysguard.exe" not found!

Deletion of file "c:\windows\sysguard.exe" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\sdra64.exe" not found!

Deletion of file "c:\windows\system32\sdra64.exe" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Driver "SKYNETrpbltdkt" deleted successfully.

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\geyekrocdmwyxp" not found!

Deletion of driver "geyekrocdmwyxp" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\SKYNEThiwqcpmy" not found!

Deletion of driver "SKYNEThiwqcpmy" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Driver "geyekrxdxiwesy" deleted successfully.

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\gxvxcserv" not found!

Deletion of driver "gxvxcserv" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\ovfsthx" not found!

Deletion of driver "ovfsthx" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\UACd.sys" not found!

Deletion of driver "UACd.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\UACd" not found!

Deletion of driver "UACd" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\gaopdxserv.sys" not found!

Deletion of driver "gaopdxserv.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\gaopdxserv" not found!

Deletion of driver "gaopdxserv" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\gaopdx" not found!

Deletion of driver "gaopdx" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\tdss" not found!

Deletion of driver "tdss" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\tdssserv" not found!

Deletion of driver "tdssserv" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\msqpdxserv" not found!

Deletion of driver "msqpdxserv" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: "C:\Users\Don\AppData\Local\temp\geyekr000" is not a folder! It may instead be a file.

Deletion of folder "C:\Users\Don\AppData\Local\temp\geyekr000" failed!

Status: 0xc0000103 (STATUS_NOT_A_DIRECTORY)

--> use "Files to delete:" instead of "Folders to delete:" to delete an ordinary file

Error: folder "C:\recycler" not found!

Deletion of folder "C:\recycler" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: could not open folder "D:\recycler"

Deletion of folder "D:\recycler" failed!

Status: 0xc0000013

Error: could not open folder "e:\recycler"

Deletion of folder "e:\recycler" failed!

Status: 0xc0000013

Error: folder "f:\recycler" not found!

Deletion of folder "f:\recycler" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: could not open folder "g:\recycler"

Deletion of folder "g:\recycler" failed!

Status: 0xc0000013

Error: could not open folder "h:\recycler"

Deletion of folder "h:\recycler" failed!

Status: 0xc0000013

Completed script processing.

*******************

Finished! Terminate.

Here's the GMER report:

GMER 1.0.15.15011 [gmer.exe] - http://www.gmer.net

Rootkit scan 2009-08-04 22:07:49

Windows 6.0.6001 Service Pack 1

---- System - GMER 1.0.15 ----

Code 87396130 ZwEnumerateKey

Code 87361130 ZwFlushInstructionCache

Code 884262CE ZwSaveKey

Code 8737C12E ZwSaveKeyEx

Code 8842134D IofCallDriver

Code 868B3976 IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCompleteRequest 8226DFE2 5 Bytes JMP 868B397B

.text ntkrnlpa.exe!IofCallDriver 822EFF6F 5 Bytes JMP 88421352

PAGE ntkrnlpa.exe!ZwFlushInstructionCache 823E630B 5 Bytes JMP 87361134

PAGE ntkrnlpa.exe!ZwEnumerateKey 8243BBA2 5 Bytes JMP 87396134

PAGE ntkrnlpa.exe!ZwSaveKey 82489523 5 Bytes JMP 884262D2

PAGE ntkrnlpa.exe!ZwSaveKeyEx 8248962A 5 Bytes JMP 8737C132

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Windows Media Player\wmpnscfg.exe[220] ntdll.dll!LdrLoadDll 774E7933 5 Bytes JMP 002F000A

.text C:\Windows\system32\wbem\unsecapp.exe[500] ntdll.dll!LdrLoadDll 774E7933 5 Bytes JMP 001B000A

.text C:\Windows\system32\winlogon.exe[544] ntdll.dll!LdrLoadDll 774E7933 5 Bytes JMP 0074000A

.text C:\Windows\system32\lsm.exe[612] ntdll.dll!LdrLoadDll 774E7933 5 Bytes JMP 001C000A

.text C:\Windows\system32\svchost.exe[760] ntdll.dll!LdrLoadDll 774E7933 5 Bytes JMP 0026000A

.text ...

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[1776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74377BA4] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT C:\Windows\Explorer.EXE[1776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [743B98C5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT C:\Windows\Explorer.EXE[1776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7437D3C8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT C:\Windows\Explorer.EXE[1776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7436F527] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT C:\Windows\Explorer.EXE[1776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [74377599] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT C:\Windows\Explorer.EXE[1776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [7436E43D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT C:\Windows\Explorer.EXE[1776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [743AB33D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT C:\Windows\Explorer.EXE[1776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [7437D68A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT C:\Windows\Explorer.EXE[1776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [7437012E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT C:\Windows\Explorer.EXE[1776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [74370095] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT C:\Windows\Explorer.EXE[1776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [743671F3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT C:\Windows\Explorer.EXE[1776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [743FD802] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT C:\Windows\Explorer.EXE[1776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [743975E1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT C:\Windows\Explorer.EXE[1776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [7436DAE1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT C:\Windows\Explorer.EXE[1776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [7436668F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT C:\Windows\Explorer.EXE[1776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [743666BA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT C:\Windows\Explorer.EXE[1776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74371E45] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

AttachedDevice \Driver\tdx \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

AttachedDevice \Driver\tdx \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

---- Services - GMER 1.0.15 ----

Service C:\Windows\system32\drivers\geyekrocdmwyxp.sys (*** hidden *** ) [SYSTEM] geyekrxdxiwesy <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxdxiwesy

Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxdxiwesy@start 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxdxiwesy@type 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxdxiwesy@group file system

Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxdxiwesy@imagepath \systemroot\system32\drivers\geyekrocdmwyxp.sys

Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxdxiwesy\main

Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxdxiwesy\main@aid 10063

Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxdxiwesy\main@sid 0

Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxdxiwesy\main\delete

Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxdxiwesy\main\injector

Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxdxiwesy\main\injector@* geyekrwsp.dll

Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxdxiwesy\main\tasks

Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxdxiwesy\modules

Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxdxiwesy\modules@geyekrrk.sys \systemroot\system32\drivers\geyekrocdmwyxp.sys

Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxdxiwesy\modules@geyekrcmd.dll \systemroot\system32\geyekrcireqlfo.dll

Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxdxiwesy\modules@geyekrlog.dat \systemroot\system32\geyekrbrbexmob.dat

Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxdxiwesy\modules@geyekrwsp.dll \systemroot\system32\geyekrmyrdwjqx.dll

Reg HKLM\SYSTEM\ControlSet002\Services\geyekrxdxiwesy (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\geyekrxdxiwesy@start 1

Reg HKLM\SYSTEM\ControlSet002\Services\geyekrxdxiwesy@type 1

Reg HKLM\SYSTEM\ControlSet002\Services\geyekrxdxiwesy@group file system

Reg HKLM\SYSTEM\ControlSet002\Services\geyekrxdxiwesy@imagepath \systemroot\system32\drivers\geyekrocdmwyxp.sys

Reg HKLM\SYSTEM\ControlSet002\Services\geyekrxdxiwesy\main (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\geyekrxdxiwesy\main@aid 10063

Reg HKLM\SYSTEM\ControlSet002\Services\geyekrxdxiwesy\main@sid 0

Reg HKLM\SYSTEM\ControlSet002\Services\geyekrxdxiwesy\main@cmddelay 14400

Reg HKLM\SYSTEM\ControlSet002\Services\geyekrxdxiwesy\main\delete (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\geyekrxdxiwesy\main\injector (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\geyekrxdxiwesy\main\injector@* geyekrwsp.dll

Reg HKLM\SYSTEM\ControlSet002\Services\geyekrxdxiwesy\main\tasks (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\geyekrxdxiwesy\modules (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\geyekrxdxiwesy\modules@geyekrrk.sys \systemroot\system32\drivers\geyekrocdmwyxp.sys

Reg HKLM\SYSTEM\ControlSet002\Services\geyekrxdxiwesy\modules@geyekrcmd.dll \systemroot\system32\geyekrdfepqgwh.dll

Reg HKLM\SYSTEM\ControlSet002\Services\geyekrxdxiwesy\modules@geyekrlog.dat \systemroot\system32\geyekrcitdecti.dat

Reg HKLM\SYSTEM\ControlSet002\Services\geyekrxdxiwesy\modules@geyekrwsp.dll \systemroot\system32\geyekrnntptbvt.dll

Reg HKLM\SYSTEM\ControlSet002\Services\geyekrxdxiwesy\modules@geyekr.dat \systemroot\system32\geyekrvrivrnlm.dat

Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxdxiwesy (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxdxiwesy@start 1

Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxdxiwesy@type 1

Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxdxiwesy@group file system

Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxdxiwesy@imagepath \systemroot\system32\drivers\geyekrocdmwyxp.sys

Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxdxiwesy\main (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxdxiwesy\main@aid 10063

Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxdxiwesy\main@sid 0

Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxdxiwesy\main@cmddelay 14400

Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxdxiwesy\main\delete (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxdxiwesy\main\injector (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxdxiwesy\main\injector@* geyekrwsp.dll

Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxdxiwesy\main\tasks (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxdxiwesy\modules (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxdxiwesy\modules@geyekrrk.sys \systemroot\system32\drivers\geyekrocdmwyxp.sys

Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxdxiwesy\modules@geyekrcmd.dll \systemroot\system32\geyekrdfepqgwh.dll

Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxdxiwesy\modules@geyekrlog.dat \systemroot\system32\geyekrcitdecti.dat

Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxdxiwesy\modules@geyekrwsp.dll \systemroot\system32\geyekrnntptbvt.dll

Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxdxiwesy\modules@geyekr.dat \systemroot\system32\geyekrvrivrnlm.dat

Reg HKLM\SYSTEM\ControlSet004\Services\geyekrxdxiwesy (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet004\Services\geyekrxdxiwesy@start 1

Reg HKLM\SYSTEM\ControlSet004\Services\geyekrxdxiwesy@type 1

Reg HKLM\SYSTEM\ControlSet004\Services\geyekrxdxiwesy@group file system

Reg HKLM\SYSTEM\ControlSet004\Services\geyekrxdxiwesy@imagepath \systemroot\system32\drivers\geyekrocdmwyxp.sys

Reg HKLM\SYSTEM\ControlSet004\Services\geyekrxdxiwesy\main (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet004\Services\geyekrxdxiwesy\main@aid 10063

Reg HKLM\SYSTEM\ControlSet004\Services\geyekrxdxiwesy\main@sid 0

Reg HKLM\SYSTEM\ControlSet004\Services\geyekrxdxiwesy\main@cmddelay 14400

Reg HKLM\SYSTEM\ControlSet004\Services\geyekrxdxiwesy\main\delete (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet004\Services\geyekrxdxiwesy\main\injector (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet004\Services\geyekrxdxiwesy\main\injector@* geyekrwsp.dll

Reg HKLM\SYSTEM\ControlSet004\Services\geyekrxdxiwesy\main\tasks (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet004\Services\geyekrxdxiwesy\modules (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet004\Services\geyekrxdxiwesy\modules@geyekrrk.sys \systemroot\system32\drivers\geyekrocdmwyxp.sys

Reg HKLM\SYSTEM\ControlSet004\Services\geyekrxdxiwesy\modules@geyekrcmd.dll \systemroot\system32\geyekrdfepqgwh.dll

Reg HKLM\SYSTEM\ControlSet004\Services\geyekrxdxiwesy\modules@geyekrlog.dat \systemroot\system32\geyekrcitdecti.dat

Reg HKLM\SYSTEM\ControlSet004\Services\geyekrxdxiwesy\modules@geyekrwsp.dll \systemroot\system32\geyekrnntptbvt.dll

Reg HKLM\SYSTEM\ControlSet004\Services\geyekrxdxiwesy\modules@geyekr.dat \systemroot\system32\geyekrvrivrnlm.dat

Reg HKLM\SYSTEM\ControlSet005\Services\geyekrxdxiwesy (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet005\Services\geyekrxdxiwesy@start 1

Reg HKLM\SYSTEM\ControlSet005\Services\geyekrxdxiwesy@type 1

Reg HKLM\SYSTEM\ControlSet005\Services\geyekrxdxiwesy@group file system

Reg HKLM\SYSTEM\ControlSet005\Services\geyekrxdxiwesy@imagepath \systemroot\system32\drivers\geyekrocdmwyxp.sys

Reg HKLM\SYSTEM\ControlSet005\Services\geyekrxdxiwesy\main (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet005\Services\geyekrxdxiwesy\main@aid 10063

Reg HKLM\SYSTEM\ControlSet005\Services\geyekrxdxiwesy\main@sid 0

Reg HKLM\SYSTEM\ControlSet005\Services\geyekrxdxiwesy\main@cmddelay 14400

Reg HKLM\SYSTEM\ControlSet005\Services\geyekrxdxiwesy\main\delete (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet005\Services\geyekrxdxiwesy\main\injector (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet005\Services\geyekrxdxiwesy\main\injector@* geyekrwsp.dll

Reg HKLM\SYSTEM\ControlSet005\Services\geyekrxdxiwesy\main\tasks (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet005\Services\geyekrxdxiwesy\modules (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet005\Services\geyekrxdxiwesy\modules@geyekrrk.sys \systemroot\system32\drivers\geyekrocdmwyxp.sys

Reg HKLM\SYSTEM\ControlSet005\Services\geyekrxdxiwesy\modules@geyekrcmd.dll \systemroot\system32\geyekrdfepqgwh.dll

Reg HKLM\SYSTEM\ControlSet005\Services\geyekrxdxiwesy\modules@geyekrlog.dat \systemroot\system32\geyekrcitdecti.dat

Reg HKLM\SYSTEM\ControlSet005\Services\geyekrxdxiwesy\modules@geyekrwsp.dll \systemroot\system32\geyekrnntptbvt.dll

Reg HKLM\SYSTEM\ControlSet005\Services\geyekrxdxiwesy\modules@geyekr.dat \systemroot\system32\geyekrvrivrnlm.dat

Reg HKLM\SYSTEM\ControlSet006\Services\geyekrxdxiwesy (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet006\Services\geyekrxdxiwesy@start 1

Reg HKLM\SYSTEM\ControlSet006\Services\geyekrxdxiwesy@type 1

Reg HKLM\SYSTEM\ControlSet006\Services\geyekrxdxiwesy@group file system

Reg HKLM\SYSTEM\ControlSet006\Services\geyekrxdxiwesy@imagepath \systemroot\system32\drivers\geyekrocdmwyxp.sys

Reg HKLM\SYSTEM\ControlSet006\Services\geyekrxdxiwesy\main (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet006\Services\geyekrxdxiwesy\main@aid 10063

Reg HKLM\SYSTEM\ControlSet006\Services\geyekrxdxiwesy\main@sid 0

Reg HKLM\SYSTEM\ControlSet006\Services\geyekrxdxiwesy\main\delete (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet006\Services\geyekrxdxiwesy\main\injector (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet006\Services\geyekrxdxiwesy\main\injector@* geyekrwsp.dll

Reg HKLM\SYSTEM\ControlSet006\Services\geyekrxdxiwesy\main\tasks (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet006\Services\geyekrxdxiwesy\modules (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet006\Services\geyekrxdxiwesy\modules@geyekrrk.sys \systemroot\system32\drivers\geyekrocdmwyxp.sys

Reg HKLM\SYSTEM\ControlSet006\Services\geyekrxdxiwesy\modules@geyekrcmd.dll \systemroot\system32\geyekrcireqlfo.dll

Reg HKLM\SYSTEM\ControlSet006\Services\geyekrxdxiwesy\modules@geyekrlog.dat \systemroot\system32\geyekrbrbexmob.dat

Reg HKLM\SYSTEM\ControlSet006\Services\geyekrxdxiwesy\modules@geyekrwsp.dll \systemroot\system32\geyekrmyrdwjqx.dll

---- Files - GMER 1.0.15 ----

File C:\Users\Don\AppData\Local\temp\geyekr000 0 bytes

File C:\Windows\System32\drivers\geyekrocdmwyxp.sys 69632 bytes <-- ROOTKIT !!!

File C:\Windows\System32\geyekrvrivrnlm.dat 91 bytes

File C:\Windows\System32\geyekrbrbexmob.dat 1549 bytes

File C:\Windows\System32\geyekrcireqlfo.dll 43008 bytes

File C:\Windows\System32\geyekrcitdecti.dat 174392 bytes

File C:\Windows\System32\geyekrdfepqgwh.dll 43008 bytes

File C:\Windows\System32\geyekrhicpjcmu.dat 91 bytes

File C:\Windows\System32\geyekrmyrdwjqx.dll 19456 bytes

File C:\Windows\System32\geyekrnntptbvt.dll 18432 bytes

---- EOF - GMER 1.0.15 ----

And here is the OTL log:

OTL logfile created on: 8/4/2009 10:09:14 PM - Run 6

OTL by OldTimer - Version 3.0.10.3 Folder = C:\Users\Don\Desktop

Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation

Internet Explorer (Version = 7.0.6001.18000)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 100.00% Memory free

4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files

Drive C: | 372.61 Gb Total Space | 331.79 Gb Free Space | 89.04% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

Drive F: | 698.63 Gb Total Space | 602.31 Gb Free Space | 86.21% Space Free | Partition Type: NTFS

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: DON-PC

Current User Name: Don

Logged in as Administrator.

Current Boot Mode: SafeMode with Networking

Scan Mode: Current user

Company Name Whitelist: On

Skip Microsoft Files: On

File Age = 14 Days

Output = Standard

Quick Scan

========== Processes (SafeList) ==========

PRC - [2009/03/19 11:42:02 | 00,884,360 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MPFSrv.exe

PRC - [2008/10/29 08:29:41 | 02,927,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\Explorer.EXE

PRC - [2008/01/19 09:33:39 | 00,202,240 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnscfg.exe

PRC - [2008/01/19 09:33:33 | 00,037,888 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wbem\unsecapp.exe

PRC - [2009/03/03 04:16:04 | 00,247,296 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wbem\wmiprvse.exe

PRC - [2009/01/08 20:30:26 | 00,797,864 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe

PRC - [2009/01/08 20:30:26 | 00,645,328 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee.com\Agent\mcagent.exe

PRC - [2009/07/31 21:49:55 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Users\Don\Desktop\OTL.exe

========== Win32 Services (SafeList) ==========

SRV - [2007/05/15 16:08:40 | 00,182,576 | ---- | M] (ActivIdentity) -- C:\Program Files\ActivIdentity\ActivClient\accoca.exe -- (accoca [Auto | Stopped])

SRV - [2009/02/02 02:33:18 | 00,317,440 | ---- | M] (Amazon.com) -- C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe -- (Amazon Download Agent [Auto | Stopped])

SRV - [2009/06/05 11:48:14 | 00,144,712 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device [Auto | Stopped])

SRV - [2008/11/05 17:35:08 | 00,085,096 | ---- | M] (Autodesk) -- C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe -- (Autodesk Licensing Service [On_Demand | Stopped])

SRV - [2008/12/12 12:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service [Auto | Stopped])

SRV - [2008/07/27 20:03:13 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])

SRV - [2008/01/19 09:33:09 | 00,292,352 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehRecvr.exe -- (ehRecvr [On_Demand | Stopped])

SRV - [2006/11/02 14:35:29 | 00,131,072 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehsched.exe -- (ehSched [On_Demand | Stopped])

SRV - [2006/11/02 14:35:29 | 00,013,312 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehstart.dll -- (ehstart [Auto | Stopped])

SRV - [2008/01/19 09:36:53 | 01,013,760 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wevtsvc.dll -- (Eventlog [Auto | Running])

SRV - [2008/06/20 03:14:44 | 00,046,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])

SRV - File not found -- -- (FYMMY [On_Demand | Stopped])

SRV - [2009/03/22 15:59:04 | 00,016,680 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Program Files\Citrix\GoToAssist\516\g2aservice.exe -- (GoToAssist [On_Demand | Stopped])

SRV - [2005/11/14 02:06:04 | 00,069,632 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])

SRV - [2008/06/20 03:14:31 | 00,881,664 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [unknown | Stopped])

SRV - [2007/04/13 17:49:00 | 00,101,528 | ---- | M] () -- C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE -- (IJPLMSVC [Auto | Stopped])

SRV - [2008/10/10 06:45:26 | 00,013,088 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService [Auto | Stopped])

SRV - [2009/06/05 13:39:14 | 00,541,992 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service [On_Demand | Stopped])

SRV - [2006/12/15 02:49:10 | 00,061,440 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\Common Files\LightScribe\LSSrvc.exe -- (LightScribeService [Auto | Stopped])

SRV - [2008/07/26 08:27:42 | 00,141,848 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe -- (LVSrvLauncher [Auto | Stopped])

SRV - [2009/02/11 11:06:36 | 00,210,216 | ---- | M] () -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service [Auto | Stopped])

SRV - [2009/01/08 20:30:26 | 00,797,864 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc [Auto | Running])

SRV - [2009/01/09 11:31:16 | 02,482,848 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe -- (McNASvc [Auto | Stopped])

SRV - [2009/04/01 14:21:30 | 00,365,072 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS [On_Demand | Stopped])

SRV - [2009/01/09 08:06:52 | 00,359,952 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy [Auto | Stopped])

SRV - [2009/03/25 11:05:48 | 00,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield [unknown | Stopped])

SRV - [2009/03/24 00:03:18 | 00,606,736 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon [On_Demand | Stopped])

SRV - [2007/08/24 07:59:20 | 00,068,464 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe -- (Microsoft Office Groove Audit Service [On_Demand | Stopped])

SRV - File not found -- -- (MicrosoftTHREADORDER [Auto | Stopped])

SRV - [2009/03/19 11:42:02 | 00,884,360 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MPFSrv.exe -- (MpfService [Auto | Running])

SRV - [2008/06/20 03:14:31 | 00,132,096 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])

SRV - [2006/12/24 02:54:04 | 00,262,144 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe -- (NMIndexingService [On_Demand | Stopped])

SRV - [2008/11/04 22:34:50 | 00,203,296 | ---- | M] (NVIDIA Corporation) -- C:\Windows\System32\nvvsvc.exe -- (nvsvc [Auto | Stopped])

SRV - [2007/08/24 04:19:12 | 00,443,776 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv [On_Demand | Stopped])

SRV - [2006/10/26 14:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])

SRV - [2008/01/19 09:35:27 | 00,052,736 | ---- | M] (Hewlett-Packard) -- C:\Windows\System32\HPZipm12.dll -- (Pml Driver HPZ12 [Auto | Stopped])

SRV - [2007/01/25 19:31:34 | 00,093,048 | ---- | M] (CACE Technologies) -- C:\Program Files\WinPcap\rpcapd.exe -- (rpcapd [On_Demand | Stopped])

SRV - [2009/06/02 10:10:08 | 00,637,952 | ---- | M] (Nokia.) -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer [On_Demand | Stopped])

SRV - [2008/01/19 09:38:24 | 00,272,952 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\mpsvc.dll -- (WinDefend [On_Demand | Stopped])

SRV - [2008/01/19 09:33:39 | 00,896,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc [Auto | Stopped])

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "AIM Search"

FF - prefs.js..browser.search.defaulturl: "http://search.aol.com/aolcom/search?invocationType=tbff50ie7&query="

FF - prefs.js..browser.search.selectedEngine: "AIM Search"

FF - prefs.js..browser.startup.homepage: "http://www.yahoo.com/"

FF - prefs.js..keyword.URL: "http://search.aol.com/aolcom/search?invocationType=TB50TRFF;homepage=no;search=yesab&query="

FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Program Files\Real\RealPlayer\browserrecord [2008/09/20 16:12:48 | 00,000,000 | ---D | M]

FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/03/20 19:41:03 | 00,000,000 | ---D | M]

FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2009/06/24 10:59:19 | 00,000,000 | ---D | M]

FF - HKLM\software\mozilla\Firefox\Extensions\\bkmrksync@nokia.com: C:\Program Files\Nokia\Nokia PC Suite 7\bkmrksync\ [2009/07/14 17:20:50 | 00,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 1.5\Extensions\\Components: C:\Program Files\Mozilla Firefox\Components [2009/07/17 17:14:51 | 00,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 1.5\Extensions\\Plugins: C:\Program Files\Mozilla Firefox\Plugins [2009/07/14 15:32:40 | 00,000,000 | ---D | M]

[2008/09/06 20:11:48 | 00,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\mozilla\Firefox\Profiles\45zlaw1e.default\extensions

[2007/12/09 15:46:29 | 00,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\mozilla\Firefox\Profiles\45zlaw1e.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}

[2008/09/10 17:49:01 | 00,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\mozilla\Firefox\Profiles\45zlaw1e.default\extensions\{7affbfae-c4e2-4915-8c0f-00fa3ec610a1}

[2008/09/06 20:11:46 | 00,000,246 | ---- | M] () -- C:\Users\Don\AppData\Roaming\Mozilla\FireFox\Profiles\45zlaw1e.default\searchplugins\AIM Search.src

[2008/09/10 17:49:10 | 00,001,010 | ---- | M] () -- C:\Users\Don\AppData\Roaming\Mozilla\FireFox\Profiles\45zlaw1e.default\searchplugins\aimsearch.gif

[2008/09/10 17:49:10 | 00,000,301 | ---- | M] () -- C:\Users\Don\AppData\Roaming\Mozilla\FireFox\Profiles\45zlaw1e.default\searchplugins\aimsearch.src

[2008/11/22 12:00:04 | 00,000,275 | ---- | M] () -- C:\Users\Don\AppData\Roaming\Mozilla\FireFox\Profiles\45zlaw1e.default\searchplugins\search.xml

[2009/07/30 17:20:06 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions

[2007/10/06 11:21:02 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}

[2007/10/06 11:20:51 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

[2009/07/30 17:20:06 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

[2007/10/06 11:20:53 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\realplayer@partners.mozilla.com

[2007/10/06 11:20:50 | 00,060,526 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\jar50.dll

[2007/10/06 11:20:51 | 00,049,256 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\jsd3250.dll

[2007/10/06 11:20:50 | 00,166,000 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\xpinstal.dll

[2003/03/18 21:20:00 | 01,060,864 | ---- | M] (Microsoft Corporation) -- C:\Program Files\mozilla firefox\plugins\mfc71.dll

[2003/02/21 04:42:22 | 00,348,160 | ---- | M] (Microsoft Corporation) -- C:\Program Files\mozilla firefox\plugins\msvcr71.dll

[2009/07/30 17:19:52 | 00,410,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeploytk.dll

[2008/01/04 23:57:08 | 01,335,600 | ---- | M] (DivX,Inc.) -- C:\Program Files\mozilla firefox\plugins\npdivx32.dll

[2008/01/08 01:14:26 | 00,098,304 | ---- | M] (DivX, Inc) -- C:\Program Files\mozilla firefox\plugins\npDivxPlayerPlugin.dll

[2009/05/19 10:05:00 | 00,155,648 | ---- | M] (IBM Corporation) -- C:\Program Files\mozilla firefox\plugins\npmfv.dll

[2007/10/06 11:20:51 | 00,017,032 | ---- | M] (mozilla.org) -- C:\Program Files\mozilla firefox\plugins\npnul32.dll

[2006/10/26 20:12:16 | 00,016,192 | ---- | M] (Microsoft Corporation) -- C:\Program Files\mozilla firefox\plugins\NPOFF12.DLL

[2007/05/10 23:52:34 | 00,095,864 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\mozilla firefox\plugins\nppdf32.dll

[2007/10/06 11:22:06 | 00,140,624 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\mozilla firefox\plugins\nppl3260.dll

[2009/07/14 15:32:40 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin.dll

[2009/07/14 15:32:40 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll

[2009/07/14 15:32:40 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll

[2009/07/14 15:32:40 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll

[2009/07/14 15:32:40 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll

[2009/07/14 15:32:40 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin6.dll

[2009/07/14 15:32:40 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin7.dll

[2007/10/06 11:22:18 | 00,008,192 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\mozilla firefox\plugins\nprjplug.dll

[2007/10/06 11:21:56 | 00,094,208 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\mozilla firefox\plugins\nprpjplug.dll

[2005/08/09 20:42:53 | 00,057,344 | ---- | M] (America Online, Inc.) -- C:\Program Files\mozilla firefox\plugins\npunagi2.dll

[2007/10/06 11:20:52 | 00,000,680 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.png

[2007/10/06 11:20:52 | 00,000,741 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.src

[2007/10/06 11:20:52 | 00,001,150 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.png

[2007/10/06 11:20:52 | 00,000,539 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.src

[2007/10/06 11:20:52 | 00,000,356 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.png

[2007/10/06 11:20:52 | 00,001,007 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.src

[2007/10/06 11:20:52 | 00,000,210 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.gif

[2007/10/06 11:20:52 | 00,001,056 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.src

[2007/10/06 11:20:52 | 00,001,076 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.gif

[2007/10/06 11:20:52 | 00,000,718 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.src

[2007/10/06 11:20:52 | 00,000,088 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.gif

[2007/10/06 11:20:52 | 00,001,122 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.src

O1 HOSTS File: (27 bytes) - C:\Windows\System32\drivers\etc\Hosts

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.

O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)

O2 - BHO: (PE_IE_Helper Class) - {0941C58F-E461-4E03-BD7D-44C27392ADE1} - C:\Program Files\IBM\Lotus Forms\Viewer\3.5\PEhelper.dll (IBM Corporation)

O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)

O2 - BHO: (AOL Toolbar Launcher) - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll (AOL LLC)

O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)

O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()

O2 - BHO: (Java Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)

O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()

O3 - HKLM\..\Toolbar: (AIM Toolbar) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll (AOL LLC)

O3 - HKCU\..\Toolbar\WebBrowser: (AIM Toolbar) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll (AOL LLC)

O4 - HKLM..\Run: [accrdsub] C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe (ActivIdentity)

O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)

O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\system32\NvCpl.DLL (NVIDIA Corporation)

O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\system32\NvMcTray.DLL (NVIDIA Corporation)

O4 - HKLM..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)

O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)

O4 - HKCU..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe (Microsoft Corporation)

O4 - HKCU..\Run: [Replay AV] C:\Program Files\Replay AV 8\ReplayAV.exe (Applian Technologies Inc.)

O4 - HKCU..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)

O4 - HKCU..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (Microsoft Corporation)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 2

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableInstallerDetection = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableSecureUIAPaths = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableVirtualization = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ValidateAdminCodeSignatures = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: scforceoption = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: FilterAdministratorToken = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableUIADesktopToggle = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_TEXT = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_BITMAP = 2

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_OEMTEXT = 7

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIB = 8

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_PALETTE = 9

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_UNICODETEXT = 13

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIBV5 = 17

O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)

O9 - Extra Button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll (AOL LLC)

O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

O13 - gopher Prefix: missing

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)

O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)

O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} http://download.mcafee.com/molbin/iss-loc/...678/mcfscan.cab (McFreeScan Class)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 83.169.185.33 83.169.185.97

O18 - Protocol\Handler\bwfile-8876480 {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll (Logitech Inc.)

O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)

O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)

O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)

O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()

O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\Explorer.exe (Microsoft Corporation)

O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)

O20 - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - File not found

O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)

O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found

O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)

O31 - SafeBoot: AlternateShell - cmd.exe

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2006/09/18 23:43:36 | 00,000,024 | ---- | M] () - F:\autoexec.bat -- [ NTFS ]

O34 - HKLM BootExecute: (autocheck) - File not found

O34 - HKLM BootExecute: (autochk) - C:\Windows\System32\autochk.exe (Microsoft Corporation)

O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 14 Days ==========

[2009/08/04 21:29:44 | 00,000,000 | ---D | C] -- C:\Avenger

[2009/08/04 21:27:25 | 02,880,620 | -H-- | C] () -- C:\Users\Don\AppData\Local\IconCache.db

[2009/08/04 17:51:10 | 00,000,000 | ---D | C] -- C:\Users\Don\Desktop\Avenger

[2009/08/04 17:35:38 | 00,021,189 | ---- | C] () -- C:\Users\Don\Desktop\Fix-instructions 4 Aug 09.docx

[2009/08/04 08:33:16 | 00,278,846 | ---- | C] () -- C:\Users\Don\Desktop\gmer.zip

[2009/08/04 08:27:46 | 04,626,422 | ---- | C] () -- C:\Users\Don\Desktop\avz4.zip

[2009/08/04 08:27:22 | 00,000,000 | ---D | C] -- C:\Users\Don\Desktop\avz4

[2009/08/03 15:14:31 | 00,000,000 | ---D | C] -- C:\ProgramData\SUPERAntiSpyware.com

[2009/08/03 15:14:22 | 00,000,902 | ---- | C] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk

[2009/08/03 15:14:21 | 00,000,000 | ---D | C] -- C:\Users\Don\AppData\Roaming\SUPERAntiSpyware.com

[2009/08/03 15:14:21 | 00,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware

[2009/08/03 14:57:51 | 00,000,000 | -HSD | C] -- C:\$RECYCLE.BIN

[2009/08/02 21:03:33 | 03,153,042 | R--- | C] () -- C:\Users\Don\Desktop\Combo-Fix.exe

[2009/08/02 20:13:40 | 00,000,000 | ---D | C] -- C:\Users\Don\Desktop\FixPolicies

[2009/08/02 20:12:00 | 00,185,065 | ---- | C] () -- C:\Users\Don\Desktop\FixPolicies.exe

[2009/08/01 21:54:44 | 00,000,000 | ---D | C] -- C:\Users\Don\Desktop\Fix1Aug09

[2009/07/31 21:49:53 | 00,513,536 | ---- | C] (OldTimer Tools) -- C:\Users\Don\Desktop\OTL.exe

[2009/07/31 16:47:15 | 00,000,706 | ---- | C] () -- C:\Users\Don\Desktop\opera.exe - Shortcut.lnk

[2009/07/30 21:37:04 | 00,000,000 | ---D | C] -- C:\DCE

[2009/07/30 21:05:36 | 00,035,127 | ---- | C] () -- C:\Users\Public\Documents\Malwarebytes Forum 30 July 09.docx

[2009/07/30 17:19:50 | 00,000,000 | ---D | C] -- C:\Program Files\Java

[2009/07/30 16:52:09 | 00,000,000 | ---D | C] -- C:\_OTL

[2009/07/30 11:16:36 | 00,287,232 | ---- | C] () -- C:\Users\Don\Desktop\gmer.exe

[2009/07/25 19:42:17 | 00,562,539 | ---- | C] () -- C:\Users\Don\Desktop\SecurityCheck.exe

[2009/07/24 15:53:43 | 00,000,733 | ---- | C] () -- C:\Users\Don\Desktop\NTREGOPT.lnk

[2009/07/24 15:53:43 | 00,000,714 | ---- | C] () -- C:\Users\Don\Desktop\ERUNT.lnk

[2009/07/24 15:53:42 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT

========== Files - Modified Within 14 Days ==========

[2009/08/04 21:51:14 | 02,514,382 | ---- | M] () -- C:\Windows\System32\perfh009.dat

[2009/08/04 21:51:14 | 00,757,910 | ---- | M] () -- C:\Windows\System32\perfc009.dat

[2009/08/04 21:51:14 | 00,005,064 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI

[2009/08/04 21:47:14 | 00,005,349 | ---- | M] () -- C:\Windows\System32\Config.MPF

[2009/08/04 21:44:45 | 00,067,584 | --S- | M] () -- C:\Windows\bootstat.dat

[2009/08/04 21:42:04 | 00,003,168 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0

[2009/08/04 21:42:04 | 00,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT

[2009/08/04 21:42:03 | 00,003,168 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0

[2009/08/04 21:40:51 | 26,177,6476 | ---- | M] () -- C:\Windows\MEMORY.DMP

[2009/08/04 21:40:48 | 00,000,000 | ---- | M] () -- C:\Windows\System32\drivers\lvuvc.hs

[2009/08/04 21:27:25 | 02,880,620 | -H-- | M] () -- C:\Users\Don\AppData\Local\IconCache.db

[2009/08/04 21:21:18 | 00,002,231 | ---- | M] () -- C:\Users\Public\Desktop\iTunes.lnk

[2009/08/04 17:35:38 | 00,021,189 | ---- | M] () -- C:\Users\Don\Desktop\Fix-instructions 4 Aug 09.docx

[2009/08/04 16:10:23 | 00,000,414 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{09FC0A04-5003-4B4F-9F6B-0F4197BFE6BC}.job

[2009/08/04 08:34:01 | 00,287,232 | ---- | M] () -- C:\Users\Don\Desktop\gmer.exe

[2009/08/04 08:33:17 | 00,278,846 | ---- | M] () -- C:\Users\Don\Desktop\gmer.zip

[2009/08/04 08:27:49 | 04,626,422 | ---- | M] () -- C:\Users\Don\Desktop\avz4.zip

[2009/08/03 15:14:22 | 00,000,902 | ---- | M] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk

[2009/08/03 14:52:18 | 00,000,215 | ---- | M] () -- C:\Windows\system.ini

[2009/08/03 14:51:59 | 00,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts

[2009/08/03 13:36:28 | 00,038,160 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys

[2009/08/03 13:36:06 | 00,019,096 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys

[2009/08/02 21:03:43 | 03,153,042 | R--- | M] () -- C:\Users\Don\Desktop\Combo-Fix.exe

[2009/08/02 20:12:01 | 00,185,065 | ---- | M] () -- C:\Users\Don\Desktop\FixPolicies.exe

[2009/08/02 11:45:57 | 00,142,944 | ---- | M] () -- C:\Users\Don\AppData\Local\GDIPFONTCACHEV1.DAT

[2009/08/02 10:53:04 | 00,474,304 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT

[2009/08/02 00:19:48 | 00,002,032 | ---- | M] () -- C:\Users\Don\AppData\Local\d3d9caps.dat

[2009/07/31 21:49:55 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Users\Don\Desktop\OTL.exe

[2009/07/31 16:47:15 | 00,000,706 | ---- | M] () -- C:\Users\Don\Desktop\opera.exe - Shortcut.lnk

[2009/07/30 21:05:37 | 00,035,127 | ---- | M] () -- C:\Users\Public\Documents\Malwarebytes Forum 30 July 09.docx

[2009/07/25 19:42:19 | 00,562,539 | ---- | M] () -- C:\Users\Don\Desktop\SecurityCheck.exe

[2009/07/24 15:53:43 | 00,000,733 | ---- | M] () -- C:\Users\Don\Desktop\NTREGOPT.lnk

[2009/07/24 15:53:43 | 00,000,714 | ---- | M] () -- C:\Users\Don\Desktop\ERUNT.lnk

========== LOP Check ==========

[2009/08/03 15:14:21 | 00,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming

[2008/09/02 21:18:52 | 00,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\acccore

[2008/07/13 12:53:47 | 00,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\Ahead

[2008/09/02 21:18:23 | 00,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\AIM

[2008/11/12 19:38:04 | 00,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\Autodesk

[2009/06/07 18:28:28 | 00,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\Canon

[2007/08/20 18:47:38 | 00,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\Centra

[2008/04/13 12:34:35 | 00,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\Intuit

[2008/09/02 19:07:40 | 00,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\Leadertech

[2006/11/02 14:37:34 | 00,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\Media Center Programs

[2009/03/27 00:41:46 | 00,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\Nokia

[2008/10/13 16:41:07 | 00,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\NSeries

[2007/05/11 16:28:15 | 00,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\Opera

[2008/10/13 16:41:20 | 00,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\PC Suite

[2009/06/12 17:43:15 | 00,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\PureEdge

[2008/04/11 13:13:00 | 00,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\ScanSoft

[2007/07/03 22:59:14 | 00,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\Share-to-Web Upload Folder

[2007/05/10 18:21:16 | 00,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\Template

[2009/07/20 10:18:00 | 00,000,472 | ---- | M] () -- C:\Windows\Tasks\Ad-Aware Update (Weekly).job

[2009/07/15 01:00:00 | 00,000,336 | ---- | M] () -- C:\Windows\Tasks\McDefragTask.job

[2009/06/01 01:00:10 | 00,000,328 | ---- | M] () -- C:\Windows\Tasks\McQcTask.job

[2009/08/04 21:42:04 | 00,000,006 | -H-- | M] () -- C:\Windows\Tasks\SA.DAT

[2009/08/04 21:27:26 | 00,032,588 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

[2009/08/04 16:10:23 | 00,000,414 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{09FC0A04-5003-4B4F-9F6B-0F4197BFE6BC}.job

========== Purity Check ==========

< End of report >

What's next?

Don
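The OTL listing above is long and most of it is benign. As an added example (my code, not OTL's and not anyone's on this thread), here is a small Python triage of exactly the line shapes OTL prints: the `[date | size | attrs | C/M] (Company) -- path` file stamps and the HijackThis-style `Onn -` items. It flags what a responder looks at first: Winlogon/ShellExecuteHooks entries whose target is missing, the `EnableLUA = 0` policy, BootExecute entries beyond the stock `autocheck autochk *`, orphaned BHO registrations, and any System32 binary whose name matches the `geyekr`/`SKYNET` prefixes that appear in the fix script later in the thread. None of those names occur in the listing itself: OTL enumerates from user mode, which is exactly what a kernel rootkit hooks, so the sample input below adds one constructed `geyekrocdmwyxp.sys` line (made-up date and size) to show how such a drop would look if it were visible. The other sample lines are copied from the log.

```python
"""Triage the loading-point lines of an OTL (OldTimer) log.

Added example, not OTL's or the forum's code. Assumptions: the name prefixes in
BAD_PREFIXES come from the CFScript posted later in this thread; the one
'geyekrocdmwyxp.sys' file line in SAMPLE_LOG is constructed (made-up date and
size) to show how such a drop would look if it were not hidden.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# One OTL file stamp:
#   [yyyy/mm/dd hh:mm:ss | size | attrs | C|M] (Company) -- path [-- (svc [Start | State])]
FILE_STAMP = re.compile(
    r"^(?:(?:SRV|DRV) - )?"
    r"\[(?P<date>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\]"
    r"(?: \((?P<company>[^)]*)\))?"      # absent for directories, "()" when no version info
    r" -- (?P<path>.+?)"
    r"(?: -- \((?P<svc>[^)]*)\))?$"
)
OTL_ITEM = re.compile(r"^(?P<section>O\d+) - (?P<body>.+)$")   # O2, O4, O20 ... items

BAD_PREFIXES = ("geyekr", "skynet")        # taken from the Driver::/File:: sections of the CFScript
BINARY_EXT = (".sys", ".dll", ".exe")
BOOTEXEC_DEFAULT = {"autocheck", "autochk", "*"}   # tokens of the stock "autocheck autochk *" value


@dataclass(frozen=True)
class FileEntry:
    date: str
    size: int
    attrs: str
    company: Optional[str]   # None when OTL printed no "(...)" field at all
    path: str
    service: Optional[str]


@dataclass(frozen=True)
class Finding:
    rule: str
    line: str


def parse_file_entry(line: str) -> Optional[FileEntry]:
    """Parse one OTL file stamp line; None if the line is not one."""
    m = FILE_STAMP.match(line.strip())
    if not m:
        return None
    return FileEntry(m["date"], int(m["size"].replace(",", "")), m["attrs"],
                     m["company"], m["path"], m["svc"])


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(lines) -> List[Finding]:
    """Return the lines a human should look at first, each tagged with the rule that fired."""
    out: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        entry = parse_file_entry(line)
        if entry is not None:
            name = _basename(entry.path)
            if name.startswith(BAD_PREFIXES):
                out.append(Finding("known-bad name prefix", line))
            elif entry.company == "" and "\\system32\\" in entry.path.lower() and name.endswith(BINARY_EXT):
                out.append(Finding("unattributed binary under System32", line))
            continue
        m = OTL_ITEM.match(line)
        if not m:
            continue
        section, body = m["section"], m["body"]
        if section in ("O20", "O28") and "File not found" in body:
            out.append(Finding("loading point with missing target", line))
        elif section == "O34":
            # OTL lists each token of BootExecute separately; "autocheck" and "*" are
            # arguments, not files, so only tokens outside the default value matter.
            tok = re.search(r"\((.*?)\)", body)
            if tok and tok.group(1).lower() not in BOOTEXEC_DEFAULT:
                out.append(Finding("non-default BootExecute entry", line))
        elif section == "O6" and body.endswith("EnableLUA = 0"):
            out.append(Finding("UAC disabled by policy", line))
        elif section in ("O2", "O3") and body.endswith("No CLSID value found."):
            out.append(Finding("orphaned BHO/toolbar registration", line))
    return out


# Lines copied from the OTL log above, plus one constructed geyekr* file line (see docstring).
SAMPLE_LOG = r"""
SRV - [2009/03/19 11:42:02 | 00,884,360 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MPFSrv.exe -- (MpfService [Auto | Running])
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O20 - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - File not found
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\Windows\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
[2009/08/03 13:36:06 | 00,019,096 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2009/08/04 21:51:14 | 00,757,910 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2009/08/01 12:00:00 | 00,042,496 | ---- | M] () -- C:\Windows\System32\drivers\geyekrocdmwyxp.sys
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"{f.rule:40} {f.line}")
```

Running the block prints five flagged lines. The ScCertProp and ShellExecuteHooks hits are review items, not verdicts: Vista dropped the Winlogon Notify mechanism and commonly leaves that ScCertProp key pointing at a wlnotify.dll that no longer exists, so a rule like this tells you where to look, not what to delete. Equally, the absence of any `geyekr*` hit in the real log is itself the finding: the names in the fix script came from a kernel-level scan, not from this listing.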


Don,

Let's have you do a special scripted run of Combofix.

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!

1. Close any open browsers. Close/exit any other window you have open.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

KILLALL::

Driver::

geyekrxdxiwesy

geyekrrk

SKYNETrpbltdkt

geyekrocdmwyxp

File::

C:\Users\Don\AppData\Local\temp\geyekr000

C:\Windows\System32\drivers\geyekrocdmwyxp.sys

C:\Windows\System32\geyekrvrivrnlm.dat

C:\Windows\System32\geyekrbrbexmob.dat

C:\Windows\System32\geyekrcireqlfo.dll

C:\Windows\System32\geyekrcitdecti.dat

C:\Windows\System32\geyekrdfepqgwh.dll

C:\Windows\System32\geyekrhicpjcmu.dat

C:\Windows\System32\geyekrmyrdwjqx.dll

C:\Windows\System32\geyekrnntptbvt.dll

C:\$RECYCLE.BIN

Registry::

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\geyekrxdxiwesy]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\geyekrxdxiwesy]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\geyekrxdxiwesy]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\geyekrxdxiwesy]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\geyekrxdxiwesy]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\geyekrxdxiwesy]

Save this as CFScript.txt, in the same location as Combo-Fix.exe (your Desktop)

Click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator

At the command-prompt window, type in the following to begin a scripted run of Combofix

C:\Users\Don\Desktop\Combo-Fix.exe "C:\Users\Don\Desktop\CFscript.txt"

and press Enter key

Note that there is one space before the first double-quote mark, and that there is a pair of double-quote marks.

Have plenty, plenty of patience as Combofix runs. It has many phases.

If needed, Copy and paste the Quote above onto the command window prompt --- if typing it is too much

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Re-enable your antivirus program after this is complete, upon the next boot or startup.

Kindly have lots of patience. Hopefully this will remove the rootkit more thoroughly.

But in any event, I'll have to see the log and then have time to digest and review further.

I must also remind you that there is NO guarantee or warranty of any kind that we'll be able to find and remove all of this infection. As always, the safest thing to do is for you to consider wiping this system clean and loading Vista as a new (clean) install. Your documents & personal files would be lost unless you make a backup to offline media beforehand.

~~~ Added note ~~~

After Combofix is finished, do a new run of GMER

========================================================

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

========================================================

RIGHT-click gmer.exe and select Run as Administrator

The program will begin to run.

**Caution**

These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

  • Click Yes.
  • Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.

If you do not receive notice about possible rootkit activity remain on the Rootkit/Malware tab & make sure the 'Show All' button is unticked.

  • Click the Scan button and let the program do its work. GMER will produce a log. Click on the [save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.

Please attach the gmer.txt to your reply:

  1. Click the [Manage Attachments] button under Additional Options > Attach Files on the post composition page, browse to where you saved the file, and
  2. Click Upload.

Next, Start your MBAM MalwareBytes' Anti-Malware.

Click the Settings Tab. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

It should download the new version 1.40 and likely will ask you to allow a Restart/reboot. If so, allow it to do that.

After a restart of Windows, start MBAM again.

click the Scanner tab.

Do a Quick Scan.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

=

Reply with copy of C:\Combofix.txt

the GMER log

and the latest MBAM scan log
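The Registry:: section of the CFScript above names six control sets rather than just CurrentControlSet, and the reason is worth seeing in code. HKLM\SYSTEM\Select holds four values (Current, Default, LastKnownGood, Failed), each the number of a ControlSetNNN key, and CurrentControlSet is only a link to the set that Select\Current points at. A driver service written into every control set survives a deletion from the current one the moment the machine is booted with Last Known Good Configuration, which is why the script deletes it everywhere. The Python below is an added example (mine, not ComboFix's) that parses a constructed `.reg`-style export of that hive, reports which sets still hold a given service and which boot role each of them serves, and emits the matching Registry:: deletion lines. Assumptions: the sample hive and its numbers are made up; ImagePath is shown as a plain string where a real export writes hex(2) REG_EXPAND_SZ data; the service and file names are the ones from the script.

```python
"""Why the CFScript above deletes the service key from CurrentControlSet *and*
ControlSet002..006.

Added example, not ComboFix's code. Input is a constructed fragment of the HKLM
SYSTEM hive in .reg export syntax with made-up numbers (a real export writes
ImagePath as hex(2) REG_EXPAND_SZ data; it is shown as a plain string here to keep
the parser short). Service and file names come from the CFScript."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

SELECT_KEY = re.compile(r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\Select\]$", re.I)
SERVICE_KEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet(?P<n>\d{3})\\Services\\(?P<svc>[^\\\]]+)\]$", re.I)
DWORD_VAL = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<val>[0-9a-f]{8})$', re.I)
STRING_VAL = re.compile(r'^"(?P<name>[^"]+)"="(?P<val>.*)"$')

BOOT_ROLES = ("Current", "Default", "LastKnownGood", "Failed")   # the four values under Select


def parse_reg(text: str) -> Tuple[Dict[str, int], Dict[str, Dict[int, dict]]]:
    """Return (select, services): select = role -> control-set number;
    services = lower-cased service name -> {control-set number -> {value name -> data}}."""
    select: Dict[str, int] = {}
    services: Dict[str, Dict[int, dict]] = defaultdict(dict)
    where = None                                   # ("select", None) or ("service", (name, n))
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("["):                   # new key; only the two shapes we need are tracked
            where = None
            if SELECT_KEY.match(line):
                where = ("select", None)
            else:
                m = SERVICE_KEY.match(line)
                if m:
                    name, n = m["svc"].lower(), int(m["n"])
                    services[name].setdefault(n, {})
                    where = ("service", (name, n))
            continue
        if where is None:
            continue
        m = DWORD_VAL.match(line)
        if m:
            vname, data = m["name"], int(m["val"], 16)
        else:
            m = STRING_VAL.match(line)
            if not m:
                continue                           # hex(...) / multi-line data: not needed here
            vname, data = m["name"], m["val"].replace("\\\\", "\\")   # .reg doubles backslashes
        if where[0] == "select":
            select[vname] = data
        else:
            name, n = where[1]
            services[name][n][vname] = data
    return select, dict(services)


def exposure(select, services, svc: str) -> Tuple[List[int], Dict[int, List[str]]]:
    """Control sets that still hold `svc`, and which boot roles point at each of them.
    A service left in the LastKnownGood set comes back on an F8 'Last Known Good' boot."""
    present = sorted(services.get(svc.lower(), {}))
    roles: Dict[int, List[str]] = {}
    for role in BOOT_ROLES:
        n = select.get(role)
        if n in present:
            roles.setdefault(n, []).append(role)
    return present, roles


def cfscript_registry_lines(select, services, svc: str) -> List[str]:
    """The Registry:: deletions a CFScript needs to cover every control set holding `svc`,
    writing the current one as CurrentControlSet the way the script above does."""
    present, _ = exposure(select, services, svc)
    lines = []
    for n in present:
        cs = "CurrentControlSet" if n == select.get("Current") else f"ControlSet{n:03d}"
        lines.append(f"[-HKEY_LOCAL_MACHINE\\SYSTEM\\{cs}\\Services\\{svc}]")
    return lines


# Constructed sample (see docstring): Current=1, LastKnownGood=2, the driver service in three sets.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\Select]
"Current"=dword:00000001
"Default"=dword:00000001
"Failed"=dword:00000000
"LastKnownGood"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\geyekrxdxiwesy]
"Type"=dword:00000001
"Start"=dword:00000001
"ImagePath"="\\SystemRoot\\system32\\drivers\\geyekrocdmwyxp.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\geyekrxdxiwesy]
"Type"=dword:00000001
"Start"=dword:00000001
"ImagePath"="\\SystemRoot\\system32\\drivers\\geyekrocdmwyxp.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\geyekrxdxiwesy]
"Type"=dword:00000001
"Start"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mbamswissarmy]
"Type"=dword:00000001
"Start"=dword:00000003
"""

if __name__ == "__main__":
    sel, svcs = parse_reg(SAMPLE_REG)
    present, roles = exposure(sel, svcs, "geyekrxdxiwesy")
    print("present in ControlSet", present, "boot roles", roles)
    print("\n".join(cfscript_registry_lines(sel, svcs, "geyekrxdxiwesy")))
```

On the sample hive the driver service sits in sets 1, 2 and 3; set 1 is both Current and Default, set 2 is LastKnownGood. Deleting it only from CurrentControlSet would leave a bootable copy in set 2, which is the case the script's extra ControlSet00N lines guard against. The same check is worth running after the fix, on a fresh export, to confirm that no set still carries the key.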


Afternoon Maurice:

Just read and tried to comply with your last post. Am having problems. Please clarify the following:

1. During run of Combofix, I got the "New update is available...." Should I click Yes or No?

2. I clicked No, and the program started to "prepare to run", then rebooted, then I received a crash dump. So, I rebooted in safe mode, and now combofix is not running. Do I restart the process?

Thanks

Don


Don,

Physically disconnect the pc from the internet. Keep it disconnected during the C-F run.

Then start fresh in normal mode and do the steps I outlined.

This has got an extremely persistent rootkit (needless to say, with multiple facets). If only we can get a good run of this Combofix, you'd get in a better spot.

Reconnect pc to internet -after- the Combofix is all finished.


OK, will do it shortly. If it only runs in safe mode is this ok? Also, I did click on the update version button since that was the only way I could get it to run. However, it still crashed each time - but it was still connected to the internet.

Don


Maurice:

Finally, things seem to be looking up! Here are the results of the scans. Once I disconnected from the internet, the system rebooted nicely in normal mode and Combofix came right up and completed the scan. Everything seems to be running well, but I have not rebooted since the successful MBAM scan - NO Virus found, although McAfee popped up and said Trojan found and removed - during the MBAM scan??

Here are the logs:

ComboFix:

ComboFix 09-08-04.03 - Don 08/05/2009 21:17.5.2 - NTFSx86

Microsoft


See what you can do about deleting this file. It's in a temporary area of one of your login accounts:

c:\users\DON2~1\AppData\Local\Temp\FYMMY.exe

where DON2~1 is one of your user accounts.

Do the cleanup steps outlined here http://bertk.mvps.org/html/diskcleanupv.html

Follow that up by also "creating" a new Restore point http://bertk.mvps.org/html/createrpv.html

I'd like to have that done so we can have some bit of safety at this point.

If you have either ATF Cleaner or CCleaner, use one to delete all temporary files & temp areas.

We are finished with S-A-S, so you can de-install it.

I'd like for you to test your AV: Get it fully updated and run a full scan.

Have a cool brew and stay tuned for my next response.


Don,

Do the following as soon as you can.

Make sure you have no open work or programs. Let these run by themselves.

  • RIGHT-click on avenger.exe and select Run as Administrator to start The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in between the **** stars lines **** below to the clipboard by highlighting it and then pressing Ctrl+C.
    ********************************************************
    Files to delete:
    c:\windows\system32\geyekrbrbexmob.dat
    C:\windows\system32\geyekrmyrdwjqx.dll
    c:\windows\system32\geyekrcireqlfo.dll
    c:\windows\system32\geyekrvrivrnlm.dat
    c:\windows\system32\geyekrnntptbvt.dll
    c:\windows\system32\geyekrdfepqgwh.dll
    c:\windows\system32\drivers\geyekrocdmwyxp.sys
    c:\windows\system32\geyekrcitdecti.dat
    Drivers to delete:
    geyekrxdxiwesy
    ********************************************************
  • In the Avenger window, click the Paste Script from Clipboard icon.
  • Make sure that what appears in Avenger matches exactly what you were asked to Copy/Paste from the Code box above.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
  • After your PC has completed the necessary reboots, a log should automatically open. Please copy/paste the contents of c:\avenger.txt into your next reply.

Not all the items will be found; so do not worry. Hopefully enough of the rootkit will be removed so that we can continue forward with more cleaning.

If you get a blue screen abort when it reboots, please write down all the information, STOP codes and description.

Then reboot the system again.

=

Next, a new run of OTL

Locate the OTL.exe on your Desktop.

RIGHT-click OTL.exe and choose Run As Administrator to start it.

Look at the upper left of the window. Press the pink-colored Quick Scan button.

Have patience while it runs.

It will produce a new log. Save it.

Copy and paste back here a copy of C:\Avenger.txt

the new OTL.txt

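Once the Avenger log comes back, a quick way to check that every item in the script above was acted on is to match the script against the log's confirmation lines. The following Python does that; it is an added example, not a tool from the Avenger author or from this thread, and its script and log text are constructed from the posts here, with one file line left out of the log so the check has something to report.

```python
"""Reconcile an Avenger script with the log it produced.

Added example for this thread, not a tool from the Avenger author. Avenger
writes one confirmation line per item it acted on, e.g.
    File "c:\\windows\\system32\\geyekrbrbexmob.dat" deleted successfully.
    Driver "geyekrxdxiwesy" deleted successfully.
so any script item without such a line was not removed and needs a second
look before declaring the machine clean.
"""
import re

# Constructed sample: a shortened copy of the Avenger script posted above,
# including the star lines the reader was told to copy between.
SCRIPT = """\
********************************************************
Files to delete:
c:\\windows\\system32\\geyekrbrbexmob.dat
C:\\windows\\system32\\geyekrmyrdwjqx.dll
c:\\windows\\system32\\drivers\\geyekrocdmwyxp.sys
Drivers to delete:
geyekrxdxiwesy
********************************************************
"""

# Constructed sample log in Avenger's format; the .dll confirmation is
# deliberately left out so the check has something to report.
LOG = """\
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\\Avenger
Rootkit scan active.
No rootkits found!
File "c:\\windows\\system32\\geyekrbrbexmob.dat" deleted successfully.
File "c:\\windows\\system32\\drivers\\geyekrocdmwyxp.sys" deleted successfully.
Driver "geyekrxdxiwesy" deleted successfully.
Completed script processing.
Finished! Terminate.
"""

# Which kind of log confirmation settles an item from each script section.
CONFIRMS = {"files to delete": "file", "drivers to delete": "driver"}

CONFIRM_LINE = re.compile(r'^(File|Driver) "(.+)" deleted successfully\.$')


def norm(name):
    """Windows paths and service names are case-insensitive; compare them so."""
    return name.strip().lower()


def parse_script(text):
    """Return {lowercased section header: [items]} for an Avenger script."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"*"}:  # skip blanks and the star rules
            continue
        if line.endswith(":"):
            current = line[:-1].lower()
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError("item appears before any section header: %r" % line)
        sections[current].append(line)
    return sections


def parse_log(text):
    """Return {'file': {names}, 'driver': {names}} confirmed deleted in the log."""
    done = {"file": set(), "driver": set()}
    for raw in text.splitlines():
        m = CONFIRM_LINE.match(raw.strip())
        if m:
            done[m.group(1).lower()].add(norm(m.group(2)))
    return done


def reconcile(script_text, log_text):
    """Split the script's items into those the log confirms and those it does not."""
    wanted = parse_script(script_text)
    done = parse_log(log_text)
    confirmed, unconfirmed = [], []
    for section, items in wanted.items():
        kind = CONFIRMS.get(section)
        for item in items:
            if kind is not None and norm(item) in done[kind]:
                confirmed.append(item)
            else:
                unconfirmed.append(item)
    return {"confirmed": confirmed, "unconfirmed": unconfirmed}


def reboots_required(script_text):
    """As the thread notes, a script with a Drivers section needs two reboots."""
    return 2 if any(s.startswith("drivers to") for s in parse_script(script_text)) else 1


if __name__ == "__main__":
    print("reboots expected:", reboots_required(SCRIPT))
    result = reconcile(SCRIPT, LOG)
    for item in result["confirmed"]:
        print("confirmed  ", item)
    for item in result["unconfirmed"]:
        print("RECHECK    ", item)
```

Anything listed under RECHECK should be looked for again (by name and by the service it registered) before the infection is considered gone.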

Maurice:

Everything seems to be running 99% correct; no crash dumps or other system freezes!

Here's the result of the last set of scans:

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

No rootkits found!

File "c:\windows\system32\geyekrbrbexmob.dat" deleted successfully.

File "C:\windows\system32\geyekrmyrdwjqx.dll" deleted successfully.

File "c:\windows\system32\geyekrcireqlfo.dll" deleted successfully.

File "c:\windows\system32\geyekrvrivrnlm.dat" deleted successfully.

File "c:\windows\system32\geyekrnntptbvt.dll" deleted successfully.

File "c:\windows\system32\geyekrdfepqgwh.dll" deleted successfully.

File "c:\windows\system32\drivers\geyekrocdmwyxp.sys" deleted successfully.

File "c:\windows\system32\geyekrcitdecti.dat" deleted successfully.

Driver "geyekrxdxiwesy" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

OTL logfile created on: 8/6/2009 6:04:23 PM - Run 7

OTL by OldTimer - Version 3.0.10.3 Folder = C:\Users\Don\Desktop

Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation

Internet Explorer (Version = 7.0.6001.18000)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 100.00% Memory free

4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files

Drive C: | 372.61 Gb Total Space | 327.63 Gb Free Space | 87.93% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

Drive F: | 698.63 Gb Total Space | 602.31 Gb Free Space | 86.21% Space Free | Partition Type: NTFS

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: DON-PC

Current User Name: Don

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: On

Skip Microsoft Files: On

File Age = 14 Days

Output = Standard

Quick Scan

========== Processes (SafeList) ==========

PRC - [2008/11/04 22:34:50 | 00,203,296 | ---- | M] (NVIDIA Corporation) -- C:\Windows\System32\nvvsvc.exe

PRC - [2007/05/15 16:08:40 | 00,182,576 | ---- | M] (ActivIdentity) -- C:\Program Files\ActivIdentity\ActivClient\accoca.exe

PRC - [2009/02/02 02:33:18 | 00,317,440 | ---- | M] (Amazon.com) -- C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe

PRC - [2009/06/05 11:48:14 | 00,144,712 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

PRC - [2008/12/12 12:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe

PRC - [2007/05/15 16:08:38 | 00,095,024 | ---- | M] (ActivIdentity) -- C:\Program Files\ActivIdentity\ActivClient\acevents.exe

PRC - [2007/04/13 17:49:00 | 00,101,528 | ---- | M] () -- C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE

PRC - [2006/12/15 02:49:10 | 00,061,440 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\Common Files\LightScribe\LSSrvc.exe

PRC - [2009/02/11 11:06:36 | 00,210,216 | ---- | M] () -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

PRC - [2009/01/09 08:06:52 | 00,359,952 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe

PRC - [2009/03/25 11:05:48 | 00,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe

PRC - [2009/03/19 11:42:02 | 00,884,360 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MPFSrv.exe

PRC - [2008/01/19 09:33:40 | 00,142,336 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\WUDFHost.exe

PRC - [2009/01/08 20:30:26 | 00,797,864 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe

PRC - [2009/01/08 20:30:26 | 00,645,328 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee.com\Agent\mcagent.exe

PRC - [2008/10/29 08:29:41 | 02,927,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\Explorer.EXE

PRC - [2007/05/15 16:08:08 | 00,293,168 | ---- | M] (ActivIdentity) -- C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe

PRC - [2009/07/30 17:19:52 | 00,148,888 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe

PRC - [2007/04/06 11:01:07 | 00,782,848 | ---- | M] (Applian Technologies Inc.) -- C:\Program Files\Replay AV 8\ReplayAV.exe

PRC - [2008/01/19 09:33:09 | 00,125,952 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehtray.exe

PRC - [2008/01/19 09:33:39 | 00,202,240 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnscfg.exe

PRC - [2009/07/28 10:53:12 | 01,830,128 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

PRC - [2007/05/15 16:08:00 | 00,130,864 | ---- | M] (ActivIdentity) -- C:\Program Files\ActivIdentity\ActivClient\acsagent.exe

PRC - [2008/01/19 09:33:09 | 00,037,376 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehmsas.exe

PRC - [2008/01/19 09:33:39 | 00,896,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnetwk.exe

PRC - [2007/05/15 16:08:38 | 00,095,024 | ---- | M] (ActivIdentity) -- C:\Program Files\ActivIdentity\ActivClient\acevents.exe

PRC - [2008/01/19 09:33:33 | 00,037,888 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wbem\unsecapp.exe

PRC - [2009/03/03 04:16:04 | 00,247,296 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wbem\wmiprvse.exe

PRC - [2009/03/24 00:03:18 | 00,606,736 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe

PRC - [2008/10/10 06:45:26 | 00,013,088 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

PRC - [2009/01/09 11:31:16 | 02,482,848 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe

PRC - [2009/03/03 04:16:04 | 00,247,296 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wbem\wmiprvse.exe

PRC - [2009/07/31 21:49:55 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Users\Don\Desktop\OTL.exe

========== Win32 Services (SafeList) ==========

SRV - [2007/05/15 16:08:40 | 00,182,576 | ---- | M] (ActivIdentity) -- C:\Program Files\ActivIdentity\ActivClient\accoca.exe -- (accoca [Auto | Running])

SRV - [2009/02/02 02:33:18 | 00,317,440 | ---- | M] (Amazon.com) -- C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe -- (Amazon Download Agent [Auto | Running])

SRV - [2009/06/05 11:48:14 | 00,144,712 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device [Auto | Running])

SRV - [2008/11/05 17:35:08 | 00,085,096 | ---- | M] (Autodesk) -- C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe -- (Autodesk Licensing Service [On_Demand | Stopped])

SRV - [2008/12/12 12:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service [Auto | Running])

SRV - [2008/07/27 20:03:13 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])

SRV - [2008/01/19 09:33:09 | 00,292,352 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehRecvr.exe -- (ehRecvr [On_Demand | Stopped])

SRV - [2006/11/02 14:35:29 | 00,131,072 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehsched.exe -- (ehSched [On_Demand | Stopped])

SRV - [2006/11/02 14:35:29 | 00,013,312 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehstart.dll -- (ehstart [Auto | Stopped])

SRV - [2008/01/19 09:36:53 | 01,013,760 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wevtsvc.dll -- (Eventlog [Auto | Running])

SRV - [2008/06/20 03:14:44 | 00,046,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])

SRV - File not found -- -- (FYMMY [On_Demand | Stopped])

SRV - [2009/03/22 15:59:04 | 00,016,680 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Program Files\Citrix\GoToAssist\516\g2aservice.exe -- (GoToAssist [On_Demand | Stopped])

SRV - [2005/11/14 02:06:04 | 00,069,632 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])

SRV - [2008/06/20 03:14:31 | 00,881,664 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [unknown | Stopped])

SRV - [2007/04/13 17:49:00 | 00,101,528 | ---- | M] () -- C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE -- (IJPLMSVC [Auto | Running])

SRV - [2008/10/10 06:45:26 | 00,013,088 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService [Auto | Running])

SRV - [2009/06/05 13:39:14 | 00,541,992 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service [On_Demand | Stopped])

SRV - [2006/12/15 02:49:10 | 00,061,440 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\Common Files\LightScribe\LSSrvc.exe -- (LightScribeService [Auto | Running])

SRV - [2008/07/26 08:27:42 | 00,141,848 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe -- (LVSrvLauncher [Auto | Stopped])

SRV - [2009/02/11 11:06:36 | 00,210,216 | ---- | M] () -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service [Auto | Running])

SRV - [2009/01/08 20:30:26 | 00,797,864 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc [Auto | Running])

SRV - [2009/01/09 11:31:16 | 02,482,848 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe -- (McNASvc [Auto | Running])

SRV - [2009/04/01 14:21:30 | 00,365,072 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS [On_Demand | Stopped])

SRV - [2009/01/09 08:06:52 | 00,359,952 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy [Auto | Running])

SRV - [2009/03/25 11:05:48 | 00,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield [unknown | Running])

SRV - [2009/03/24 00:03:18 | 00,606,736 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon [On_Demand | Running])

SRV - [2007/08/24 07:59:20 | 00,068,464 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe -- (Microsoft Office Groove Audit Service [On_Demand | Stopped])

SRV - File not found -- -- (MicrosoftTHREADORDER [Auto | Stopped])

SRV - [2009/03/19 11:42:02 | 00,884,360 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MPFSrv.exe -- (MpfService [Auto | Running])

SRV - [2008/06/20 03:14:31 | 00,132,096 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])

SRV - [2006/12/24 02:54:04 | 00,262,144 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe -- (NMIndexingService [On_Demand | Stopped])

SRV - [2008/11/04 22:34:50 | 00,203,296 | ---- | M] (NVIDIA Corporation) -- C:\Windows\System32\nvvsvc.exe -- (nvsvc [Auto | Running])

SRV - [2007/08/24 04:19:12 | 00,443,776 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv [On_Demand | Stopped])

SRV - [2006/10/26 14:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])

SRV - [2008/01/19 09:35:27 | 00,052,736 | ---- | M] (Hewlett-Packard) -- C:\Windows\System32\HPZipm12.dll -- (Pml Driver HPZ12 [Auto | Running])

SRV - [2007/01/25 19:31:34 | 00,093,048 | ---- | M] (CACE Technologies) -- C:\Program Files\WinPcap\rpcapd.exe -- (rpcapd [On_Demand | Stopped])

SRV - [2009/06/02 10:10:08 | 00,637,952 | ---- | M] (Nokia.) -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer [On_Demand | Stopped])

SRV - [2008/01/19 09:38:24 | 00,272,952 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\mpsvc.dll -- (WinDefend [On_Demand | Stopped])

SRV - [2008/01/19 09:33:39 | 00,896,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc [Auto | Running])

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "AIM Search"

FF - prefs.js..browser.search.defaulturl: "http://search.aol.com/aolcom/search?invocationType=tbff50ie7&query="

FF - prefs.js..browser.search.selectedEngine: "AIM Search"

FF - prefs.js..browser.startup.homepage: "http://www.yahoo.com/"

FF - prefs.js..keyword.URL: "http://search.aol.com/aolcom/search?invocationType=TB50TRFF;homepage=no;search=yesab&query="

FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Program Files\Real\RealPlayer\browserrecord [2008/09/20 16:12:48 | 00,000,000 | ---D | M]

FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/03/20 19:41:03 | 00,000,000 | ---D | M]

FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2009/06/24 10:59:19 | 00,000,000 | ---D | M]

FF - HKLM\software\mozilla\Firefox\Extensions\\bkmrksync@nokia.com: C:\Program Files\Nokia\Nokia PC Suite 7\bkmrksync\ [2009/07/14 17:20:50 | 00,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 1.5\Extensions\\Components: C:\Program Files\Mozilla Firefox\Components [2009/07/17 17:14:51 | 00,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 1.5\Extensions\\Plugins: C:\Program Files\Mozilla Firefox\Plugins [2009/07/14 15:32:40 | 00,000,000 | ---D | M]

[2008/09/06 20:11:48 | 00,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\mozilla\Firefox\Profiles\45zlaw1e.default\extensions

[2007/12/09 15:46:29 | 00,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\mozilla\Firefox\Profiles\45zlaw1e.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}

[2008/09/10 17:49:01 | 00,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\mozilla\Firefox\Profiles\45zlaw1e.default\extensions\{7affbfae-c4e2-4915-8c0f-00fa3ec610a1}

[2008/09/06 20:11:46 | 00,000,246 | ---- | M] () -- C:\Users\Don\AppData\Roaming\Mozilla\FireFox\Profiles\45zlaw1e.default\searchplugins\AIM Search.src

[2008/09/10 17:49:10 | 00,001,010 | ---- | M] () -- C:\Users\Don\AppData\Roaming\Mozilla\FireFox\Profiles\45zlaw1e.default\searchplugins\aimsearch.gif

[2008/09/10 17:49:10 | 00,000,301 | ---- | M] () -- C:\Users\Don\AppData\Roaming\Mozilla\FireFox\Profiles\45zlaw1e.default\searchplugins\aimsearch.src

[2008/11/22 12:00:04 | 00,000,275 | ---- | M] () -- C:\Users\Don\AppData\Roaming\Mozilla\FireFox\Profiles\45zlaw1e.default\searchplugins\search.xml

[2009/07/30 17:20:06 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions

[2007/10/06 11:21:02 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}

[2007/10/06 11:20:51 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

[2009/07/30 17:20:06 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

[2007/10/06 11:20:53 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\realplayer@partners.mozilla.com

[2007/10/06 11:20:50 | 00,060,526 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\jar50.dll

[2007/10/06 11:20:51 | 00,049,256 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\jsd3250.dll

[2007/10/06 11:20:50 | 00,166,000 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\xpinstal.dll

[2003/03/18 21:20:00 | 01,060,864 | ---- | M] (Microsoft Corporation) -- C:\Program Files\mozilla firefox\plugins\mfc71.dll

[2003/02/21 04:42:22 | 00,348,160 | ---- | M] (Microsoft Corporation) -- C:\Program Files\mozilla firefox\plugins\msvcr71.dll

[2009/07/30 17:19:52 | 00,410,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeploytk.dll

[2008/01/04 23:57:08 | 01,335,600 | ---- | M] (DivX,Inc.) -- C:\Program Files\mozilla firefox\plugins\npdivx32.dll

[2008/01/08 01:14:26 | 00,098,304 | ---- | M] (DivX, Inc) -- C:\Program Files\mozilla firefox\plugins\npDivxPlayerPlugin.dll

[2009/05/19 10:05:00 | 00,155,648 | ---- | M] (IBM Corporation) -- C:\Program Files\mozilla firefox\plugins\npmfv.dll

[2007/10/06 11:20:51 | 00,017,032 | ---- | M] (mozilla.org) -- C:\Program Files\mozilla firefox\plugins\npnul32.dll

[2006/10/26 20:12:16 | 00,016,192 | ---- | M] (Microsoft Corporation) -- C:\Program Files\mozilla firefox\plugins\NPOFF12.DLL

[2007/05/10 23:52:34 | 00,095,864 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\mozilla firefox\plugins\nppdf32.dll

[2007/10/06 11:22:06 | 00,140,624 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\mozilla firefox\plugins\nppl3260.dll

[2009/07/14 15:32:40 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin.dll

[2009/07/14 15:32:40 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll

[2009/07/14 15:32:40 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll

[2009/07/14 15:32:40 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll

[2009/07/14 15:32:40 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll

[2009/07/14 15:32:40 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin6.dll

[2009/07/14 15:32:40 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin7.dll

[2007/10/06 11:22:18 | 00,008,192 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\mozilla firefox\plugins\nprjplug.dll

[2007/10/06 11:21:56 | 00,094,208 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\mozilla firefox\plugins\nprpjplug.dll

[2005/08/09 20:42:53 | 00,057,344 | ---- | M] (America Online, Inc.) -- C:\Program Files\mozilla firefox\plugins\npunagi2.dll

[2007/10/06 11:20:52 | 00,000,680 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.png

[2007/10/06 11:20:52 | 00,000,741 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.src

[2007/10/06 11:20:52 | 00,001,150 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.png

[2007/10/06 11:20:52 | 00,000,539 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.src

[2007/10/06 11:20:52 | 00,000,356 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.png

[2007/10/06 11:20:52 | 00,001,007 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.src

[2007/10/06 11:20:52 | 00,000,210 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.gif

[2007/10/06 11:20:52 | 00,001,056 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.src

[2007/10/06 11:20:52 | 00,001,076 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.gif

[2007/10/06 11:20:52 | 00,000,718 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.src

[2007/10/06 11:20:52 | 00,000,088 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.gif

[2007/10/06 11:20:52 | 00,001,122 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.src

O1 HOSTS File: (27 bytes) - C:\Windows\System32\drivers\etc\Hosts

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.

O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)

O2 - BHO: (PE_IE_Helper Class) - {0941C58F-E461-4E03-BD7D-44C27392ADE1} - C:\Program Files\IBM\Lotus Forms\Viewer\3.5\PEhelper.dll (IBM Corporation)

O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)

O2 - BHO: (AOL Toolbar Launcher) - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll (AOL LLC)

O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)

O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()

O2 - BHO: (Java Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)

O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()

O3 - HKLM\..\Toolbar: (AIM Toolbar) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll (AOL LLC)

O3 - HKCU\..\Toolbar\WebBrowser: (AIM Toolbar) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll (AOL LLC)

O4 - HKLM..\Run: [accrdsub] C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe (ActivIdentity)

O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)

O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\system32\NvCpl.DLL (NVIDIA Corporation)

O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\system32\NvMcTray.DLL (NVIDIA Corporation)

O4 - HKLM..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)

O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)

O4 - HKCU..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe (Microsoft Corporation)

O4 - HKCU..\Run: [Replay AV] C:\Program Files\Replay AV 8\ReplayAV.exe (Applian Technologies Inc.)

O4 - HKCU..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)

O4 - HKCU..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (Microsoft Corporation)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 2

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableInstallerDetection = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableSecureUIAPaths = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableVirtualization = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ValidateAdminCodeSignatures = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: scforceoption = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: FilterAdministratorToken = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableUIADesktopToggle = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_TEXT = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_BITMAP = 2

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_OEMTEXT = 7

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIB = 8

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_PALETTE = 9

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_UNICODETEXT = 13

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIBV5 = 17

O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)

O9 - Extra Button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll (AOL LLC)

O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

O13 - gopher Prefix: missing

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)

O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)

O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} http://download.mcafee.com/molbin/iss-loc/...678/mcfscan.cab (McFreeScan Class)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 83.169.185.33 83.169.185.97

O18 - Protocol\Handler\bwfile-8876480 {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll (Logitech Inc.)

O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)

O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)

O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)

O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()

O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\Explorer.exe (Microsoft Corporation)

O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)

O20 - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - File not found

O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)

O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found

O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)

O31 - SafeBoot: AlternateShell - cmd.exe

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2006/09/18 23:43:36 | 00,000,024 | ---- | M] () - F:\autoexec.bat -- [ NTFS ]

O34 - HKLM BootExecute: (autocheck) - File not found

O34 - HKLM BootExecute: (autochk) - C:\Windows\System32\autochk.exe (Microsoft Corporation)

O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 14 Days ==========

[2009/08/06 17:53:56 | 00,015,867 | ---- | C] () -- C:\Users\Don\Desktop\Malwearbytes Fix 6 Aug 2009.docx

[2009/08/05 22:26:17 | 02,744,341 | -H-- | C] () -- C:\Users\Don\AppData\Local\IconCache.db

[2009/08/05 21:36:48 | 00,000,000 | ---D | C] -- C:\Users\Don\AppData\Local\temp

[2009/08/05 21:29:55 | 00,000,000 | -HSD | C] -- C:\$RECYCLE.BIN

[2009/08/05 21:15:34 | 32,207,58528 | -HS- | C] () -- C:\hiberfil.sys

[2009/08/04 21:55:50 | 00,000,091 | ---- | C] () -- C:\Windows\System32\geyekrhicpjcmu.dat

[2009/08/04 21:29:44 | 00,000,000 | ---D | C] -- C:\Avenger

[2009/08/04 17:51:10 | 00,000,000 | ---D | C] -- C:\Users\Don\Desktop\Avenger

[2009/08/04 17:35:38 | 00,021,189 | ---- | C] () -- C:\Users\Don\Desktop\Fix-instructions 4 Aug 09.docx

[2009/08/04 08:33:16 | 00,278,846 | ---- | C] () -- C:\Users\Don\Desktop\gmer.zip

[2009/08/04 08:27:46 | 04,626,422 | ---- | C] () -- C:\Users\Don\Desktop\avz4.zip

[2009/08/04 08:27:22 | 00,000,000 | ---D | C] -- C:\Users\Don\Desktop\avz4

[2009/08/03 15:14:31 | 00,000,000 | ---D | C] -- C:\ProgramData\SUPERAntiSpyware.com

[2009/08/03 15:14:22 | 00,000,902 | ---- | C] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk

[2009/08/03 15:14:21 | 00,000,000 | ---D | C] -- C:\Users\Don\AppData\Roaming\SUPERAntiSpyware.com

[2009/08/03 15:14:21 | 00,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware

[2009/08/02 20:13:40 | 00,000,000 | ---D | C] -- C:\Users\Don\Desktop\FixPolicies

[2009/08/02 20:12:00 | 00,185,065 | ---- | C] () -- C:\Users\Don\Desktop\FixPolicies.exe

[2009/08/01 21:54:44 | 00,000,000 | ---D | C] -- C:\Users\Don\Desktop\Fix1Aug09

[2009/07/31 21:49:53 | 00,513,536 | ---- | C] (OldTimer Tools) -- C:\Users\Don\Desktop\OTL.exe

[2009/07/31 16:47:15 | 00,000,706 | ---- | C] () -- C:\Users\Don\Desktop\opera.exe - Shortcut.lnk

[2009/07/30 21:37:04 | 00,000,000 | ---D | C] -- C:\DCE

[2009/07/30 21:05:36 | 00,035,127 | ---- | C] () -- C:\Users\Public\Documents\Malwarebytes Forum 30 July 09.docx

[2009/07/30 17:19:50 | 00,000,000 | ---D | C] -- C:\Program Files\Java

[2009/07/30 16:52:09 | 00,000,000 | ---D | C] -- C:\_OTL

[2009/07/30 11:16:36 | 00,287,232 | ---- | C] () -- C:\Users\Don\Desktop\gmer.exe

[2009/07/25 19:42:17 | 00,562,539 | ---- | C] () -- C:\Users\Don\Desktop\SecurityCheck.exe

[2009/07/24 15:53:43 | 00,000,733 | ---- | C] () -- C:\Users\Don\Desktop\NTREGOPT.lnk

[2009/07/24 15:53:43 | 00,000,714 | ---- | C] () -- C:\Users\Don\Desktop\ERUNT.lnk

[2009/07/24 15:53:42 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT

========== Files - Modified Within 14 Days ==========

[2009/08/06 18:02:25 | 00,006,331 | ---- | M] () -- C:\Windows\System32\Config.MPF

[2009/08/06 18:01:34 | 00,003,168 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0

[2009/08/06 18:01:34 | 00,003,168 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0

[2009/08/06 18:01:31 | 00,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT

[2009/08/06 18:01:29 | 00,067,584 | --S- | M] () -- C:\Windows\bootstat.dat

[2009/08/06 18:01:26 | 32,207,58528 | -HS- | M] () -- C:\hiberfil.sys

[2009/08/06 18:01:21 | 00,000,000 | ---- | M] () -- C:\Windows\System32\drivers\lvuvc.hs

[2009/08/06 17:58:27 | 02,744,341 | -H-- | M] () -- C:\Users\Don\AppData\Local\IconCache.db

[2009/08/06 17:53:56 | 00,015,867 | ---- | M] () -- C:\Users\Don\Desktop\Malwearbytes Fix 6 Aug 2009.docx

[2009/08/05 22:54:37 | 02,628,876 | ---- | M] () -- C:\Windows\System32\perfh009.dat

[2009/08/05 22:54:37 | 00,797,160 | ---- | M] () -- C:\Windows\System32\perfc009.dat

[2009/08/05 22:54:37 | 00,005,064 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI

[2009/08/05 22:10:16 | 00,000,414 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{09FC0A04-5003-4B4F-9F6B-0F4197BFE6BC}.job

[2009/08/05 21:30:14 | 00,000,215 | ---- | M] () -- C:\Windows\system.ini

[2009/08/05 21:29:49 | 00,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts

[2009/08/05 18:19:41 | 00,000,091 | ---- | M] () -- C:\Windows\System32\geyekrhicpjcmu.dat

[2009/08/05 18:08:19 | 24,275,8748 | ---- | M] () -- C:\Windows\MEMORY.DMP

[2009/08/04 21:21:18 | 00,002,231 | ---- | M] () -- C:\Users\Public\Desktop\iTunes.lnk

[2009/08/04 17:35:38 | 00,021,189 | ---- | M] () -- C:\Users\Don\Desktop\Fix-instructions 4 Aug 09.docx

[2009/08/04 08:34:01 | 00,287,232 | ---- | M] () -- C:\Users\Don\Desktop\gmer.exe

[2009/08/04 08:33:17 | 00,278,846 | ---- | M] () -- C:\Users\Don\Desktop\gmer.zip

[2009/08/04 08:27:49 | 04,626,422 | ---- | M] () -- C:\Users\Don\Desktop\avz4.zip

[2009/08/03 15:14:22 | 00,000,902 | ---- | M] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk

[2009/08/03 13:36:28 | 00,038,160 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys

[2009/08/03 13:36:06 | 00,019,096 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys

[2009/08/02 20:12:01 | 00,185,065 | ---- | M] () -- C:\Users\Don\Desktop\FixPolicies.exe

[2009/08/02 11:45:57 | 00,142,944 | ---- | M] () -- C:\Users\Don\AppData\Local\GDIPFONTCACHEV1.DAT

[2009/08/02 10:53:04 | 00,474,304 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT

[2009/08/02 00:19:48 | 00,002,032 | ---- | M] () -- C:\Users\Don\AppData\Local\d3d9caps.dat

[2009/07/31 21:49:55 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Users\Don\Desktop\OTL.exe

[2009/07/31 16:47:15 | 00,000,706 | ---- | M] () -- C:\Users\Don\Desktop\opera.exe - Shortcut.lnk

[2009/07/30 21:05:37 | 00,035,127 | ---- | M] () -- C:\Users\Public\Documents\Malwarebytes Forum 30 July 09.docx

[2009/07/25 19:42:19 | 00,562,539 | ---- | M] () -- C:\Users\Don\Desktop\SecurityCheck.exe

[2009/07/24 15:53:43 | 00,000,733 | ---- | M] () -- C:\Users\Don\Desktop\NTREGOPT.lnk

[2009/07/24 15:53:43 | 00,000,714 | ---- | M] () -- C:\Users\Don\Desktop\ERUNT.lnk

========== LOP Check ==========

[2009/08/03 15:14:21 | 00,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming

[2008/09/02 21:18:52 | 00,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\acccore

[2008/07/13 12:53:47 | 00,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\Ahead

[2008/09/02 21:18:23 | 00,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\AIM

[2008/11/12 19:38:04 | 00,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\Autodesk

[2009/06/07 18:28:28 | 00,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\Canon

[2007/08/20 18:47:38 | 00,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\Centra

[2008/04/13 12:34:35 | 00,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\Intuit

[2008/09/02 19:07:40 | 00,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\Leadertech

[2006/11/02 14:37:34 | 00,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\Media Center Programs

[2009/03/27 00:41:46 | 00,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\Nokia

[2008/10/13 16:41:07 | 00,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\NSeries

[2007/05/11 16:28:15 | 00,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\Opera

[2008/10/13 16:41:20 | 00,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\PC Suite

[2009/06/12 17:43:15 | 00,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\PureEdge

[2008/04/11 13:13:00 | 00,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\ScanSoft

[2007/07/03 22:59:14 | 00,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\Share-to-Web Upload Folder

[2007/05/10 18:21:16 | 00,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\Template

[2009/07/20 10:18:00 | 00,000,472 | ---- | M] () -- C:\Windows\Tasks\Ad-Aware Update (Weekly).job

[2009/07/15 01:00:00 | 00,000,336 | ---- | M] () -- C:\Windows\Tasks\McDefragTask.job

[2009/06/01 01:00:10 | 00,000,328 | ---- | M] () -- C:\Windows\Tasks\McQcTask.job

[2009/08/06 18:01:31 | 00,000,006 | -H-- | M] () -- C:\Windows\Tasks\SA.DAT

[2009/08/06 17:58:29 | 00,032,588 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

[2009/08/05 22:10:16 | 00,000,414 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{09FC0A04-5003-4B4F-9F6B-0F4197BFE6BC}.job

========== Purity Check ==========

< End of report >

What's next step?

I have several minor glitches, which started when the Trojan activity began.

1. I am getting an MS Windows notice that "Windows host process (Rundll32) has stopped ....." What do I do about this? Does not seem to be affecting operations.

2. Windows Defender failed to initialize and must be started manually..... What do I do about this?

Thanks!!!!

Don


Don,

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of tools.

Close/save your open work documents, if any, and close your open programs.

A run of OTL to delete a couple of files and empty out temporary file areas.

  • Please right-click OTL.exe and choose Run As Administrator to run it.
  • Copy all the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    :files
    C:\Windows\System32\geyekrhicpjcmu.dat
    C:\$RECYCLE.BIN
    :Commands
    [purity]
    [emptytemp]


  • Return to OTL. Right click in the "Custom Scans/Fixes" window (under the aqua-blue bar) and choose Paste.
  • Close any browser(s) windows that may be open.
  • Using your mouse, click on the red-lettered button Run Fix.
  • Once you see a message box "Fix complete! Click OK to open the fix log."
    Click the OK button
  • The log will open in Notepad (your default text editor).
  • Save the log. Post a copy of that log in your next reply.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.

If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

=

A new run of MBAM after getting it updated:

Start MBAM. Click the Update Tab. Press the Check for Updates button.

When that is good, press the Scanner Tab. Have the Quick Scan selection set.

Press the Scan button.

When it finishes, save the report to your desktop. I'll want a copy of it.

=

Delete the prior copy of Combofix now !

Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.

Link 1

Link 2

Link 3


* IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop

Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.

Click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator

At the command-prompt window, type in the following to begin Combofix

C:\Users\Don\Desktop\Combo-Fix.exe

and press Enter key

  • A window may open with a warning. Type "1" (and Enter) to start the fix. When the scan completes Notepad will open with your results log open. Do a File, Exit and answer 'Yes' to save changes.

A caution - Do not run Combofix more than once without asking me first.

Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.

If this occurs, please reboot to restore the desktop.

Even when ComboFix appears to be doing nothing, look at your Drive light.

If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt.

Note:

Do not mouseclick combofix's window nor run any program while Combofix is running.

That may cause it to stall.

=

Logoff and Restart the system fresh.

Check and insure that your antivirus is re-enabled and ON.

Start HijackThis. Do a Scan and Save log.

Please post copies of OTL MovedFiles log

the new MBAM scan log

the C:\ComboFix.txt

along with a new HijackThis log for further review.


OK, here is the latest set of logs for 7 Aug 09. While running Combo-Fix, it stalled after the log file opened and I was trying to save a copy. Had to do a hard reboot. The log was created.

Also, during the running - near the start of scanning using Combo-Fix, McAfee popped up and indicated that it quarantined a Trojan; was only on the screen for about three seconds and I did not see the details. Everything seemed to proceed normally.

Here are the logs:

All processes killed

========== FILES ==========

C:\Windows\System32\geyekrhicpjcmu.dat moved successfully.

C:\$RECYCLE.BIN\S-1-5-21-4041010409-2044806714-3416792504-1002 moved successfully.

C:\$RECYCLE.BIN moved successfully.

========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

User: Don

->Temp folder emptied: 505779 bytes

->Temporary Internet Files folder emptied: 22693008 bytes

->Java cache emptied: 13425503 bytes

->FireFox cache emptied: 0 bytes

->Opera cache emptied: 21524395 bytes

User: Don 2

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

->Java cache emptied: 0 bytes

->FireFox cache emptied: 0 bytes

->Opera cache emptied: 0 bytes

User: Public

->Temp folder emptied: 0 bytes

User: Tien

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

->Java cache emptied: 0 bytes

->FireFox cache emptied: 0 bytes

->Opera cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 0 bytes

%systemroot%\System32 .tmp files removed: 0 bytes

Windows Temp folder emptied: 12888 bytes

RecycleBin emptied: 0 bytes

Total Files Cleaned = 55.47 mb

OTL by OldTimer - Version 3.0.10.3 log created on 08072009_175049

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

Malwarebytes' Anti-Malware 1.40

Database version: 2574

Windows 6.0.6001 Service Pack 1

8/7/2009 6:03:51 PM

mbam-log-2009-08-07 (18-03-51).txt

Scan type: Quick Scan

Objects scanned: 103318

Time elapsed: 4 minute(s), 37 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 6:30:22 PM, on 8/7/2009

Platform: Windows Vista SP1 (WinNT 6.00.1905)

MSIE: Internet Explorer v7.00 (7.00.6001.18248)

Boot mode: Normal

Running processes:

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\system32\taskeng.exe

C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\Program Files\ActivIdentity\ActivClient\acevents.exe

C:\Windows\System32\rundll32.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Windows\ehome\ehtray.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Program Files\ActivIdentity\ActivClient\acsagent.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\ehome\ehmsas.exe

C:\Program Files\Trend Micro\HijackThis\FINDEM.exe

C:\Windows\system32\SearchFilterHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: PE_IE_Helper Class - {0941C58F-E461-4E03-BD7D-44C27392ADE1} - C:\Program Files\IBM\Lotus Forms\Viewer\3.5\PEhelper.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll

O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll

O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [accrdsub] "C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe"

O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey

O4 - HKLM\..\Run: [NvMediaCenter] "C:\Windows\system32\RUNDLL32.EXE" C:\Windows\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [NvCplDaemon] "C:\Windows\system32\RUNDLL32.EXE" C:\Windows\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [Replay AV] "C:\Program Files\Replay AV 8\ReplayAV.exe" -quiet

O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - Global Startup: ActivClient Agent.lnk = C:\Program Files\ActivIdentity\ActivClient\acsagent.exe

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll

O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL

O13 - Gopher Prefix:

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...678/mcfscan.cab

O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: ActivClient Middleware Service (accoca) - ActivIdentity - C:\Program Files\ActivIdentity\ActivClient\accoca.exe

O23 - Service: Amazon Download Agent - Amazon.com - C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FYMMY - Unknown owner - C:\Users\DON2~1\AppData\Local\Temp\FYMMY.exe (file missing)

O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\516\g2aservice.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE

O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe

O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: Microsoft Office Groove Audit Service MicrosoftTHREADORDER (MicrosoftTHREADORDER) - Unknown owner - C:\Windows\system32\acpkcs201n.exe (file missing)

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--

End of file - 7953 bytes
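A defender-side triage of the two log formats posted in this thread (OTL's dated file listing and HijackThis O23 service lines), as an added Python example that is not part of the thread and not code from either tool. The sample lines are copied from the logs above plus benign controls; the `triage`, `looks_random` and `otl_fix_script` helpers and their scoring rules are this example's own, and the script it emits follows the :files / :Commands layout the helper used.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: OTL "Created/Modified Within 14 Days" lines and
# HijackThis O23 service lines copied from the logs in this thread, plus
# benign entries that should not be flagged.
SAMPLE_LOG = r"""
[2009/08/04 21:55:50 | 00,000,091 | ---- | C] () -- C:\Windows\System32\geyekrhicpjcmu.dat
[2009/08/04 21:29:44 | 00,000,000 | ---D | C] -- C:\Avenger
[2009/07/31 21:49:53 | 00,513,536 | ---- | C] (OldTimer Tools) -- C:\Users\Don\Desktop\OTL.exe
[2009/08/03 13:36:06 | 00,019,096 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
O23 - Service: FYMMY - Unknown owner - C:\Users\DON2~1\AppData\Local\Temp\FYMMY.exe (file missing)
O23 - Service: Microsoft Office Groove Audit Service MicrosoftTHREADORDER (MicrosoftTHREADORDER) - Unknown owner - C:\Windows\system32\acpkcs201n.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# OTL file line: [date time | size | attrs | C|M] (publisher) -- path
# Directory entries carry no "(publisher)" field, so that group is optional.
OTL_FILE_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-A-Z]{4}) \| (?P<op>[CM])\]"
    r"(?: \((?P<company>[^)]*)\))? -- (?P<path>.+)$"
)
# HJT O23 line: O23 - Service: name - owner - path [ (file missing)]
HJT_O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxz]{4,}", re.I)


@dataclass
class Finding:
    source: str                      # "OTL" or "HJT"
    path: str
    reasons: list = field(default_factory=list)


def looks_random(stem: str) -> bool:
    """Cheap heuristic for generated names: long, letters only, with a run of
    4+ consonants. Acronym-heavy names can trip it, so it is a hint, not proof."""
    return stem.isalpha() and len(stem) >= 10 and CONSONANT_RUN.search(stem) is not None


def _stem(path: str) -> str:
    return path.rsplit("\\", 1)[-1].split(".", 1)[0]


def triage(log_text: str) -> list:
    """Return the entries a helper would look at first, with the reasons why."""
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        m = OTL_FILE_RE.match(line)
        if m:
            if "D" in m["attrs"]:
                continue                      # directories have no publisher
            reasons = []
            if m["path"].lower().startswith("c:\\windows\\") and not m["company"]:
                reasons.append("no publisher recorded for a file under C:\\Windows")
            if looks_random(_stem(m["path"])):
                reasons.append("random-looking file name")
            if reasons and m["op"] == "C":
                reasons.append("created within the report window")
            if reasons:
                findings.append(Finding("OTL", m["path"], reasons))
            continue
        m = HJT_O23_RE.match(line)
        if m:
            reasons = []
            if m["missing"]:
                reasons.append("service registration points to a missing binary")
            if "\\temp\\" in m["path"].lower():
                reasons.append("service binary lives in a Temp directory")
            if reasons and m["owner"] == "Unknown owner":
                reasons.append("no owner/vendor recorded")
            if reasons:
                findings.append(Finding("HJT", m["path"], reasons))
    return findings


def otl_fix_script(findings: list) -> str:
    """Build an OTL custom-fix script in the layout the helper used in this
    thread: the flagged files under :files, then purity and temp cleanup."""
    paths = [f.path for f in findings if f.source == "OTL"]
    return "\n".join([":files", *paths, ":Commands", "[purity]", "[emptytemp]"])


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f"{f.source}: {f.path}\n    " + "\n    ".join(f.reasons))
    print("\n--- suggested OTL fix script ---\n" + otl_fix_script(hits))
```

The orphaned O23 services are reported but deliberately left out of the :files script, since their binaries are already gone and only the service registration remains.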


The MBAM scan found nothing. The Combofix run is very good. The HJT log is good.

We have reached the end of the hunt for malware. :)

You are extremely fortunate in getting this far.

De-install SUPERAntiSpyware. You don't need it. Logoff and Restart the system after.

Click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator

At the command-prompt window, type in the following

C:\Users\Don\Desktop\Combo-Fix.exe /u

and press Enter key

Be certain you have 1 space before the /u

This removes Combofix and its folders, frees up a lot of space and sets a new Restore point.

=

Right-click on OTL on your desktop and select Run as Administrator to start it.

Click on the CleanUp! button at the upper right corner. When you do this a text file named cleanup.txt will be downloaded from the internet.

If you get a warning from your firewall or other security programs regarding OTL attempting to contact the internet you should allow it to do so.

After the list has been downloaded you'll be asked if you want to Begin cleanup process? Select Yes.

This step removes the files, folders, and shortcuts created by the tools Ron & I had you download and run.

=

On the next pass, I'll give you more to cleanup after the other remaining items & tools.


There are a few tools and programs that ought to be removed. (see below)

A purchase of MBAM would be a low cost investment for your safety. The fee is a one time license payment; good forever.

More than that, I'd urge you to do system backups on a regular basis, to offline media, like DVD/CD/ or a external USB mass storage.

Also, invest in an image backup software, like Acronis True Image, or the free Macrium Reflect http://www.macrium.com/reflectfree.asp

The rootkits ( geyekrxdxiwesy / geyekr / skynet ) having been removed, I am proceeding to close this case.

I would highly advise you to make an offline backup of this system (after these steps below) so you have a good snapshot.

In addition, I'd highly advise you make an imaging backup of the system.

Remove some programs from your Vista system:

Click Start button > in Start menu -- Control Panel > Uninstall a Program (listed under Programs).

{In Classic view, double click Program and features}.

Unless you have purchased Malwarebytes' Anti Malware {MBAM}, you should un-install it.

{If needed in future, you can download at that time}.

Look for it and click the line for it. Select Change/Remove to de-install it.

Un-install HijackThis if found.

Un-install SuperAntiSpyware if still present.

OK & Exit out of Control Panel

=

Delete the following tools, if still present:

The SYSCLEAN downloads and the C:\DCE folder

The SYSPROT download & file

On your desktop: delete

Gmer.zip + Gmer.exe

Avz4.zip + AVZ4 folder

Securitycheck.exe

We are finished here. Best regards.
