
rundll32 remnant


TheRaptor


I got hit by the fake Anti-virus 2010 program a few days ago. I tried several cleanup programs and yours was the one that finally got rid of it. Thanks for a great product - my group will very likely be purchasing several licenses. There is one thing that your program did not clean. I am still getting a rogue rundll32.exe process that is apparently being launched from an svchost routine. I've downloaded and run procexp.exe and the command line from the svchost execution is:

C:\WINDOWS\System32\svchost.exe -k netsvcs

The rundll32.exe process launched under that one has this command line:

C:\WINDOWS\system32\rundll32.exe "C:\WINDOWS\system32\fizisoyi.dll",d

I've searched my XP SP3 system for that file and it does not exist. I've noticed that if I clobber the rundll32 process it restarts a few minutes later, and when it does the system emits a loud deep bell tone which I'm pretty sure means rundll32 was unable to find the fizisoyi.dll routine. I don't think the rundll32 launch is causing any real problems but I'd still like to clean that up just to be safe. Any ideas what I can do? What other info do you need from me?


Thanks for your quick reply. I ran a few Hijack logs with an earlier version. Here's the one I just ran from the version I downloaded from the link.

Logfile of Trend Micro HijackThis v2.0.3 (BETA)

Scan saved at 6:13:20 AM, on 2/16/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\DisplayLink Core Software\DisplayLinkService.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\FreeDNS Update\FDNSUSVC.exe

C:\WINDOWS\system32\inetsrv\inetinfo.exe

C:\Program Files\FreeDNS Update\freednsupdate.exe

C:\PROGRA~1\Iomega\System32\AppServices.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe

c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\UltiDev\Cassini Web Server for ASP.NET 2.0\UltiDevCassinWebServer2a.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\Gizmox\Visual WebGUI\Scalable Server Service\Gizmox.WebGUI.Enterprise.Services.exe

C:\Program Files\TightVNC\WinVNC.exe

C:\Program Files\Iomega\AutoDisk\ADService.exe

C:\WINDOWS\Explorer.EXE

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\DisplayLink Core Software\DisplayLinkManager.exe

C:\Program Files\TortoiseSVN\bin\TSVNCache.exe

C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe

C:\Program Files\Iomega\AutoDisk\ADUserMon.exe

C:\Program Files\Iomega\DriveIcons\ImgIcon.exe

C:\Program Files\2Wire\2PortalMon.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

C:\Program Files\PowerISO\PWRISOVM.EXE

C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\QuickTime\QTTask.exe

C:\Program Files\AWS\WeatherBug\Weather.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\AIM6\aim6.exe

C:\Program Files\DynDNS Updater\DynDNS.exe

C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

C:\Program Files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exe

C:\Program Files\AIM6\aolsoftware.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe

C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe

c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe

C:\Program Files\Outlook Express\msimn.exe

C:\Radagast\Personal\CalTrack\bin\Debug\CalTrack.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\msiexec.exe

C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 82.66.124.146:8081

R3 - URLSearchHook: AIM Toolbar Search Class - {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll

O1 - Hosts: 63.171.25.73 ASP3

O2 - BHO: RCTPlugin.BHO - {3e6685db-8c0a-4a37-9ac9-9574e97c4e0b} - c:\windows\system32\mscoree.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll

O2 - BHO: AIM Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll

O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

O4 - HKLM\..\Run: [soundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray

O4 - HKLM\..\Run: [iMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe

O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe

O4 - HKLM\..\Run: [iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe

O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART

O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\NDetect.exe

O4 - HKLM\..\Run: [iPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"

O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe

O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper

O4 - HKLM\..\Run: [Dimension4] C:\Program Files\D4\D4.exe

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE

O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe"

O4 - HKLM\..\Run: [AutoMate6] C:\Program Files\AutoMate 6\AMEM.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey

O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: DynDNS Updater.lnk = C:\Program Files\DynDNS Updater\DynDNS.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm

O8 - Extra context menu item: &AIM Toolbar Search - C:\Documents and Settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html

O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll

O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe

O9 - Extra button: Open/Close CC dialog - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - c:\windows\system32\mscoree.dll

O9 - Extra 'Tools' menuitem: Open/Close CC dialog - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - c:\windows\system32\mscoree.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: IE HTTP Analyzer - {C7B3DF1E-6EFC-41E8-9DA7-EBC1F973832D} - C:\PROGRA~1\HTTPAN~1\IEHTTP~1.DLL

O9 - Extra 'Tools' menuitem: IE HTTP Analyzer - {C7B3DF1E-6EFC-41E8-9DA7-EBC1F973832D} - C:\PROGRA~1\HTTPAN~1\IEHTTP~1.DLL

O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe

O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Dave\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (HKCU)

O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Dave\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (HKCU)

O9 - Extra button: Easy Play Poker - {16f4ad81-6455-4924-87fb-f77a7d5b7601} - C:\Documents and Settings\Dave\Start Menu\Programs\Easy Play Poker\Easy Play Poker.lnk (HKCU)

O9 - Extra button: BigBetPoker.com - {1ca24684-a693-418e-a430-79d070271843} - C:\Documents and Settings\Dave\Start Menu\Programs\BigBetPoker.com\BigBetPoker.com.lnk (HKCU)

O9 - Extra button: UltimateBet - {3EB3B7E8-1466-405A-B5BC-44513AF85E34} - C:\Documents and Settings\All Users\Start Menu\Programs\UltimateBet\UltimateBet.lnk (HKCU)

O9 - Extra 'Tools' menuitem: UltimateBet - {3EB3B7E8-1466-405A-B5BC-44513AF85E34} - C:\Documents and Settings\All Users\Start Menu\Programs\UltimateBet\UltimateBet.lnk (HKCU)

O9 - Extra button: WassPoker - {4053ebe6-a54d-4bb9-b118-ce1d8f99a548} - C:\Documents and Settings\Dave\Start Menu\Programs\WassPoker\WassPoker.lnk (HKCU)

O9 - Extra button: ReeferPoker - {60a501e4-a078-4cb2-8728-3fab4264f3c1} - C:\Documents and Settings\Dave\Start Menu\Programs\ReeferPoker\ReeferPoker.lnk (HKCU)

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)

O9 - Extra button: FeltStars - {fbd780d2-c26b-46dd-9002-fdf30465c9d2} - C:\Documents and Settings\Dave\Start Menu\Programs\FeltStars\FeltStars.lnk (HKCU)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O15 - Trusted Zone: http://radagast.dyndns.biz

O15 - Trusted Zone: http://*.mcafee.com

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper2007261.dll

O16 - DPF: {50580095-16DB-4B28-BCFC-70989E09AA5F} (XTunnelCtrl Class) - https://206.81.55.237/XTunnel.cab

O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://remote.cushioneer.com/Remote/msrdp.cab

O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\Documents and Settings\Dave\Local Settings\Temp\EI40_\msxml4.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...410/mcfscan.cab

O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100

O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: jugezatag - {c4f68668-fa4d-48db-90db-15d14d99a96a} - (no file)

O23 - Service: ACE Client Service - YCN Group - C:\Program Files\YCN Group\Ace Client\AceClient.exe

O23 - Service: ACE Server Service - YCN Group - C:\Program Files\YCN Group\Ace Server\AceServer.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: auditOL Notification Service - Radagast Systems Corp - C:\Program Files\YCN Group\auditOL Notification Service\auditOLNotices.exe

O23 - Service: AutoMate 6 (AutoMate6) - Network Automation, Inc. - C:\Program Files\AutoMate 6\AMTS.exe

O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe

O23 - Service: BrowserHawk BDF (BrowserHawk_BDF) - Unknown owner - C:\Program Files\cyScape\BrowserHawk\BrowserHawk.exe (file missing)

O23 - Service: DisplayLink Service (DisplayLinkService) - DisplayLink Corp. - C:\Program Files\DisplayLink Core Software\DisplayLinkService.exe

O23 - Service: FreeDNS Update (FreeDNSUpdate) - TechKnow Professional Services - C:\Program Files\FreeDNS Update\FDNSUSVC.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: Intel® Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe

O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe

O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe

O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe (file missing)

O23 - Service: UltiDev Cassini Web Server for ASP.NET 2.0 - UltiDev LLC - C:\Program Files\UltiDev\Cassini Web Server for ASP.NET 2.0\UltiDevCassinWebServer2a.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

O23 - Service: Visual WebGui Scalable Server (VWG_ENTERPRISE_SERVICE) - Gizmox - C:\Program Files\Gizmox\Visual WebGUI\Scalable Server Service\Gizmox.WebGUI.Enterprise.Services.exe

O23 - Service: VNC Server (winvnc) - Constantin Kaplinsky - C:\Program Files\TightVNC\WinVNC.exe

O23 - Service: XMail Server (XMail) - Unknown owner - D:\InstallSets\xmail-1.20\MailRoot\bin\XMail.exe (file missing)

O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

--

End of file - 18723 bytes

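The two logs in this thread are what the helpers work from, so here is an added example (my own code, not anything from the original posts, from HijackThis or from Malwarebytes) that applies the first-pass rules a malware-removal analyst uses when reading a HijackThis log: autostart entries whose file is gone, such as the O22 jugezatag item, a running image under a \Temp\ directory or named *.tmp, an explicit proxy setting, hosts-file overrides, and ActiveX (O16 DPF) downloads from a bare IP address. It also splits a rundll32 command line, as Process Explorer shows it, into DLL and export and reports when the DLL is absent from disk, which is the fizisoyi.dll situation in the first post. The sample log is a constructed excerpt of entries copied from the logs posted above; the rules, the `Finding` type and the injectable `exists` hook are assumptions of the example, and a flagged entry is something to review by hand, not a verdict.

```python
"""
Triage helpers for a HijackThis log and a rundll32 command line.

Added example for this thread; it is not code from the original posts, from
HijackThis or from Malwarebytes. The sample entries below are copied from the
logs posted above; the heuristics are ordinary malware-removal analyst rules and
are assumptions of this example, not detections the thread itself states.
"""
import os
import re
from dataclasses import dataclass

# A process image under a \Temp\ directory or named *.tmp is the pattern the
# poster observed (C:\WINDOWS\TEMP\dba899e6.tmp in the second log).
TEMP_IMAGE_RE = re.compile(r"\\temp\\|\.tmp$", re.IGNORECASE)
# ActiveX (O16 DPF) download from a bare IP address instead of a hostname.
RAW_IP_URL_RE = re.compile(r"https?://(?:\d{1,3}\.){3}\d{1,3}(?:[/:]|$)", re.IGNORECASE)
# rundll32 <dll>,<export>; the DLL may be quoted and may contain spaces.
RUNDLL32_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<entry>\S+)', re.IGNORECASE)
# "R1 - ...", "O22 - ..." entry lines of a HijackThis log.
HJT_ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+)\s+-\s+(?P<body>.*)$")
WIN_ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass
class Finding:
    code: str    # HJT section code (R1, O1, O16, O22, O23, ...) or PROC for a process
    reason: str
    line: str


def parse_rundll32(cmdline: str):
    """Return (dll, export) for a rundll32 command line, or None if it is not one."""
    m = RUNDLL32_RE.search(cmdline)
    if not m:
        return None
    return m.group("dll").strip(), m.group("entry")


def triage_rundll32(cmdline: str, exists=os.path.exists):
    """Flag a rundll32 launch whose DLL is not on disk (the fizisoyi.dll case).

    `exists` is injectable so a captured command line can be judged on another
    machine. Bare DLL names resolve through the loader search path and are not
    judged here; only fully qualified paths are checked.
    """
    parsed = parse_rundll32(cmdline)
    if parsed is None:
        return None
    dll, export = parsed
    if WIN_ABS_PATH_RE.match(dll) and not exists(dll):
        return Finding("PROC", f"rundll32 loads missing DLL {dll!r} (export {export!r}); "
                               "find the parent that keeps relaunching it", cmdline)
    return None


def triage_hjt(log_text: str):
    """Walk a HijackThis log and return the entries an analyst would look at first."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Running processes:"):
            in_processes = True
            continue
        entry = HJT_ENTRY_RE.match(line)
        if entry is None:
            # Inside the process list every line is an image path.
            if in_processes and TEMP_IMAGE_RE.search(line):
                findings.append(Finding("PROC", "process image in a temp directory or named *.tmp", line))
            continue
        in_processes = False  # the first R/O entry ends the process list
        code, body = entry.group("code"), entry.group("body")
        if "(no file)" in body or "(file missing)" in body:
            findings.append(Finding(code, "autostart entry whose file is gone (orphan or deleted loader)", line))
        elif code == "R1" and "ProxyServer" in body:
            findings.append(Finding(code, "explicit proxy configured; confirm it is yours", line))
        elif code == "O1":
            findings.append(Finding(code, "hosts-file override", line))
        elif code == "O16" and RAW_IP_URL_RE.search(body):
            findings.append(Finding(code, "ActiveX control downloaded from a raw IP address", line))
    return findings


# Constructed sample: a handful of entries copied from the logs posted in this thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Platform: Windows XP SP3 (WinNT 5.01.2600)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\TEMP\dba899e6.tmp
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 82.66.124.146:8081
O1 - Hosts: 63.171.25.73 ASP3
O16 - DPF: {50580095-16DB-4B28-BCFC-70989E09AA5F} (XTunnelCtrl Class) - https://206.81.55.237/XTunnel.cab
O22 - SharedTaskScheduler: jugezatag - {c4f68668-fa4d-48db-90db-15d14d99a96a} - (no file)
O23 - Service: VNC Server (winvnc) - Constantin Kaplinsky - C:\Program Files\TightVNC\WinVNC.exe
O23 - Service: XMail Server (XMail) - Unknown owner - D:\InstallSets\xmail-1.20\MailRoot\bin\XMail.exe (file missing)
"""

if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        print(f"[{f.code}] {f.reason}\n    {f.line}")
    hit = triage_rundll32(r'C:\WINDOWS\system32\rundll32.exe "C:\WINDOWS\system32\fizisoyi.dll",d')
    print(hit.reason if hit else "rundll32 target is present on disk")
```

The HijackThis process list carries image paths only, so the rundll32 parser takes the command line as Process Explorer displays it. Because the parent of that rundll32 was svchost.exe -k netsvcs, whatever keeps relaunching it runs inside one of the netsvcs-hosted services; on the live XP machine the complementary check is to list the service names held in the netsvcs value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost and compare each service's Parameters\ServiceDll value against what is actually on disk and signed, since a service DLL that is unfamiliar, unsigned or missing is the usual loader in this pattern.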

  • Staff

Hi,

Do you still get the rundll32 error message after reboot? Because I see the startup reference to that bad dll is not present anymore.

Extra note.. I see you have Viewpoint installed...

Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.


  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player


Yes - I still get the rogue process. I've been using procexp to watch what's going on. If I kill the process it resurrects itself anywhere from 5 minutes to an hour later. I decided to try something else - I fired up procexp immediately after my system booted instead of waiting for everything else to finish loading. When I did that I also noticed a weird process with a random name followed by .tmp. I suspended it. In the description it says Heroes of Might and Magic III and claims to be from the 3DO Company. I've never downloaded that (at least not on purpose). That process apparently does not run very long since I've never seen it until I ran procexp very early in a reboot. I also checked the directory it claimed to load from (c:\windows\temp) and that file does not exist.

I did notice 1 other very suspicious looking entry in the Hijack log:

O22 - SharedTaskScheduler: jugezatag - {c4f68668-fa4d-48db-90db-15d14d99a96a} - (no file)

I removed it and rebooted - no difference.


  • Staff

Hi,

Ok, first of all, please update Malwarebytes, because we have added detection for these "3DO Company" ones today.

  • Start MalwareBytes and click the Update tab. There click "Check for updates"
  • Once the updates are downloaded, perform a quick scan again.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log, then we'll proceed from there with new steps.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


That got rid of the rundll32 problem but the 3DO thing is still happening. I suspended the process again.

Malwarebytes' Anti-Malware 1.44

Database version: 3751

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

2/17/2010 1:39:38 PM

mbam-log-2010-02-17 (13-39-38).txt

Scan type: Full Scan (C:\|)

Objects scanned: 552384

Time elapsed: 2 hour(s), 7 minute(s), 45 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 3

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.164.60,93.188.161.31 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{fb492367-eafb-42d8-b37c-080e2554d8d6}\NameServer (Trojan.DNSChanger) -> Data: 93.188.164.60,93.188.161.31 -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\spool\prtprocs\w32x86\000026ef.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\spool\prtprocs\w32x86\00003a7e.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\00006715 (Rootkit.TDSS) -> Quarantined and deleted successfully.

Logfile of Trend Micro HijackThis v2.0.3 (BETA)

Scan saved at 1:49:09 PM, on 2/17/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\DisplayLink Core Software\DisplayLinkService.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\FreeDNS Update\FDNSUSVC.exe

C:\Program Files\FreeDNS Update\freednsupdate.exe

C:\WINDOWS\system32\inetsrv\inetinfo.exe

C:\PROGRA~1\Iomega\System32\AppServices.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\Program Files\DisplayLink Core Software\DisplayLinkManager.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\Program Files\TortoiseSVN\bin\TSVNCache.exe

c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\UltiDev\Cassini Web Server for ASP.NET 2.0\UltiDevCassinWebServer2a.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\Gizmox\Visual WebGUI\Scalable Server Service\Gizmox.WebGUI.Enterprise.Services.exe

C:\Program Files\TightVNC\WinVNC.exe

C:\Program Files\Iomega\AutoDisk\ADService.exe

C:\Program Files\Iomega\AutoDisk\ADUserMon.exe

C:\Program Files\Iomega\DriveIcons\ImgIcon.exe

C:\Program Files\2Wire\2PortalMon.exe

C:\Program Files\D4\D4.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

C:\Program Files\PowerISO\PWRISOVM.EXE

C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\QuickTime\QTTask.exe

C:\Program Files\AWS\WeatherBug\Weather.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\AIM6\aim6.exe

C:\Program Files\DynDNS Updater\DynDNS.exe

C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

C:\InstallSets\ProcessExplorer\procexp.exe

C:\Program Files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exe

C:\Program Files\AIM6\aolsoftware.exe

C:\WINDOWS\TEMP\dba899e6.tmp

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Program Files\Outlook Express\msimn.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 82.66.124.146:8081

R3 - URLSearchHook: AIM Toolbar Search Class - {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll

O1 - Hosts: 63.171.25.73 ASP3

O2 - BHO: RCTPlugin.BHO - {3e6685db-8c0a-4a37-9ac9-9574e97c4e0b} - c:\windows\system32\mscoree.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll

O2 - BHO: AIM Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll

O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

O4 - HKLM\..\Run: [soundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray

O4 - HKLM\..\Run: [iMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe

O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe

O4 - HKLM\..\Run: [iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe

O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART

O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\NDetect.exe

O4 - HKLM\..\Run: [iPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"

O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe

O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper

O4 - HKLM\..\Run: [Dimension4] C:\Program Files\D4\D4.exe

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE

O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe"

O4 - HKLM\..\Run: [AutoMate6] C:\Program Files\AutoMate 6\AMEM.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey

O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: DynDNS Updater.lnk = C:\Program Files\DynDNS Updater\DynDNS.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm

O8 - Extra context menu item: &AIM Toolbar Search - C:\Documents and Settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html

O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll

O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe

O9 - Extra button: Open/Close CC dialog - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - c:\windows\system32\mscoree.dll

O9 - Extra 'Tools' menuitem: Open/Close CC dialog - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - c:\windows\system32\mscoree.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: IE HTTP Analyzer - {C7B3DF1E-6EFC-41E8-9DA7-EBC1F973832D} - C:\PROGRA~1\HTTPAN~1\IEHTTP~1.DLL

O9 - Extra 'Tools' menuitem: IE HTTP Analyzer - {C7B3DF1E-6EFC-41E8-9DA7-EBC1F973832D} - C:\PROGRA~1\HTTPAN~1\IEHTTP~1.DLL

O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe

O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Dave\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (HKCU)

O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Dave\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (HKCU)

O9 - Extra button: Easy Play Poker - {16f4ad81-6455-4924-87fb-f77a7d5b7601} - C:\Documents and Settings\Dave\Start Menu\Programs\Easy Play Poker\Easy Play Poker.lnk (HKCU)

O9 - Extra button: BigBetPoker.com - {1ca24684-a693-418e-a430-79d070271843} - C:\Documents and Settings\Dave\Start Menu\Programs\BigBetPoker.com\BigBetPoker.com.lnk (HKCU)

O9 - Extra button: UltimateBet - {3EB3B7E8-1466-405A-B5BC-44513AF85E34} - C:\Documents and Settings\All Users\Start Menu\Programs\UltimateBet\UltimateBet.lnk (HKCU)

O9 - Extra 'Tools' menuitem: UltimateBet - {3EB3B7E8-1466-405A-B5BC-44513AF85E34} - C:\Documents and Settings\All Users\Start Menu\Programs\UltimateBet\UltimateBet.lnk (HKCU)

O9 - Extra button: WassPoker - {4053ebe6-a54d-4bb9-b118-ce1d8f99a548} - C:\Documents and Settings\Dave\Start Menu\Programs\WassPoker\WassPoker.lnk (HKCU)

O9 - Extra button: ReeferPoker - {60a501e4-a078-4cb2-8728-3fab4264f3c1} - C:\Documents and Settings\Dave\Start Menu\Programs\ReeferPoker\ReeferPoker.lnk (HKCU)

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)

O9 - Extra button: FeltStars - {fbd780d2-c26b-46dd-9002-fdf30465c9d2} - C:\Documents and Settings\Dave\Start Menu\Programs\FeltStars\FeltStars.lnk (HKCU)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O15 - Trusted Zone: http://radagast.dyndns.biz

O15 - Trusted Zone: http://*.mcafee.com

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper2007261.dll

O16 - DPF: {50580095-16DB-4B28-BCFC-70989E09AA5F} (XTunnelCtrl Class) - https://206.81.55.237/XTunnel.cab

O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://remote.cushioneer.com/Remote/msrdp.cab

O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\Documents and Settings\Dave\Local Settings\Temp\EI40_\msxml4.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...410/mcfscan.cab

O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100

O17 - HKLM\System\CCS\Services\Tcpip\..\{FB492367-EAFB-42D8-B37C-080E2554D8D6}: NameServer = 93.188.164.60,93.188.161.31

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.164.60,93.188.161.31

O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: ACE Client Service - YCN Group - C:\Program Files\YCN Group\Ace Client\AceClient.exe

O23 - Service: ACE Server Service - YCN Group - C:\Program Files\YCN Group\Ace Server\AceServer.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: auditOL Notification Service - Radagast Systems Corp - C:\Program Files\YCN Group\auditOL Notification Service\auditOLNotices.exe

O23 - Service: AutoMate 6 (AutoMate6) - Network Automation, Inc. - C:\Program Files\AutoMate 6\AMTS.exe

O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe

O23 - Service: BrowserHawk BDF (BrowserHawk_BDF) - Unknown owner - C:\Program Files\cyScape\BrowserHawk\BrowserHawk.exe (file missing)

O23 - Service: DisplayLink Service (DisplayLinkService) - DisplayLink Corp. - C:\Program Files\DisplayLink Core Software\DisplayLinkService.exe

O23 - Service: FreeDNS Update (FreeDNSUpdate) - TechKnow Professional Services - C:\Program Files\FreeDNS Update\FDNSUSVC.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: Intel® Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe

O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe

O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe

O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe (file missing)

O23 - Service: UltiDev Cassini Web Server for ASP.NET 2.0 - UltiDev LLC - C:\Program Files\UltiDev\Cassini Web Server for ASP.NET 2.0\UltiDevCassinWebServer2a.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

O23 - Service: Visual WebGui Scalable Server (VWG_ENTERPRISE_SERVICE) - Gizmox - C:\Program Files\Gizmox\Visual WebGUI\Scalable Server Service\Gizmox.WebGUI.Enterprise.Services.exe

O23 - Service: VNC Server (winvnc) - Constantin Kaplinsky - C:\Program Files\TightVNC\WinVNC.exe

O23 - Service: XMail Server (XMail) - Unknown owner - D:\InstallSets\xmail-1.20\MailRoot\bin\XMail.exe (file missing)

O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

--

End of file - 18320 bytes


  • Staff

Hi,

If you suspend processes, I can't see them in the logs either. So please do not suspend anything and do the following...

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.


I went ahead and took the chance that there was not really a trojan in that code. Here's the log:

ComboFix 10-02-16.03 - Dave 02/17/2010 19:33:57.1.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.473 [GMT -6:00]

Running from: c:\documents and settings\Dave\Desktop\ComboFix.exe

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: F-Secure Anti-Virus 2007 7.01 *disabled* {D4747503-0346-49EB-9262-997542F79BF4}

FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

c:\documents and settings\Dave\Application Data\inst.exe

C:\hzUu.exe

c:\program files\WinPCap

c:\program files\WinPCap\daemon_mgm.exe

c:\program files\WinPCap\INSTALL.LOG

c:\program files\WinPCap\NetMonInstaller.exe

c:\program files\WinPCap\npf_mgm.exe

c:\program files\WinPCap\rpcapd.exe

c:\program files\WinPCap\Uninstall.exe

c:\windows\EventSystem.log

c:\windows\patch.exe

c:\windows\system32\_000228_.tmp.dll

c:\windows\system32\_005182_.tmp.dll

c:\windows\system32\_005183_.tmp.dll

c:\windows\system32\_005184_.tmp.dll

c:\windows\system32\_005185_.tmp.dll

c:\windows\system32\_005192_.tmp.dll

c:\windows\system32\_005193_.tmp.dll

c:\windows\system32\_005194_.tmp.dll

c:\windows\system32\_005195_.tmp.dll

c:\windows\system32\_005197_.tmp.dll

c:\windows\system32\_005198_.tmp.dll

c:\windows\system32\_005201_.tmp.dll

c:\windows\system32\_005202_.tmp.dll

c:\windows\system32\_005204_.tmp.dll

c:\windows\system32\_005205_.tmp.dll

c:\windows\system32\_005206_.tmp.dll

c:\windows\system32\_005208_.tmp.dll

c:\windows\system32\_005210_.tmp.dll

c:\windows\system32\_005211_.tmp.dll

c:\windows\system32\_005212_.tmp.dll

c:\windows\system32\_005216_.tmp.dll

c:\windows\system32\_005217_.tmp.dll

c:\windows\system32\_005219_.tmp.dll

c:\windows\system32\_005222_.tmp.dll

c:\windows\system32\_005224_.tmp.dll

c:\windows\system32\_005225_.tmp.dll

c:\windows\system32\_005226_.tmp.dll

c:\windows\system32\_005227_.tmp.dll

c:\windows\system32\_005228_.tmp.dll

c:\windows\system32\_005231_.tmp.dll

c:\windows\system32\_005232_.tmp.dll

c:\windows\system32\_005233_.tmp.dll

c:\windows\system32\_005234_.tmp.dll

c:\windows\system32\_005235_.tmp.dll

c:\windows\system32\_005240_.tmp.dll

c:\windows\system32\_005242_.tmp.dll

c:\windows\system32\_005243_.tmp.dll

c:\windows\system32\Cache

c:\windows\system32\drivers\npf.sys

c:\windows\system32\drivers\shfqgdqi.sys

c:\windows\system32\pthreadVC.dll

c:\windows\system32\server.log

c:\windows\system32\spool\prtprocs\w32x86\000034da.tmp

c:\windows\system32\spool\prtprocs\w32x86\00003ecd.tmp

c:\windows\system32\vbzlib1.dll

c:\windows\system32\WanPacket.dll

c:\windows\system32\wpcap.dll

c:\windows\Tasks\fdnjcpec.job

c:\windows\Temp\0220841266453456mcinst.exe

----- BITS: Possible infected sites -----

hxxp://85.12.18.119

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_NPF

-------\Service_NPF

-------\Legacy_shfqgdqi

-------\Service_shfqgdqi

((((((((((((((((((((((((( Files Created from 2010-01-18 to 2010-02-18 )))))))))))))))))))))))))))))))

.

2010-02-16 12:12 . 2010-02-16 12:12 -------- d-----w- c:\program files\TrendMicro

2010-02-14 13:32 . 2010-02-14 13:34 -------- d-----w- c:\documents and settings\MaryJo\Local Settings\Application Data\TSVNCache

2010-02-14 13:32 . 2010-02-14 13:32 -------- d-sh--w- c:\documents and settings\MaryJo\IETldCache

2010-02-14 05:16 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-02-14 05:16 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-02-14 03:32 . 2010-02-14 03:32 -------- d-----w- c:\documents and settings\Dave\Application Data\Malwarebytes

2010-02-14 03:19 . 2010-02-14 03:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-02-14 03:19 . 2010-02-14 14:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-02-13 17:43 . 2010-02-14 05:10 -------- d-----w- c:\program files\NoAdware

2010-01-30 21:55 . 2010-01-30 21:55 -------- d-----w- c:\program files\Teratrax

2010-01-28 23:24 . 2010-01-28 23:24 -------- d-----w- c:\documents and settings\Dave\Local Settings\Application Data\AnjLab

2010-01-25 19:23 . 2010-01-25 19:23 -------- d-----w- c:\program files\Gizmox

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-02-18 00:58 . 2009-07-03 05:16 -------- d-----w- c:\program files\McAfee

2010-02-16 12:12 . 2010-02-16 12:12 388096 ----a-r- c:\documents and settings\Dave\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe

2010-02-14 14:45 . 2010-02-14 14:45 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2010-02-14 13:32 . 2007-02-11 00:53 58624 ----a-w- c:\documents and settings\MaryJo\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-02-14 02:45 . 2010-02-14 02:45 52224 ----a-w- c:\documents and settings\Dave\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

2010-02-14 02:45 . 2010-02-14 02:45 117760 ----a-w- c:\documents and settings\Dave\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-02-14 02:44 . 2007-10-30 23:20 -------- d-----w- c:\program files\SUPERAntiSpyware

2010-02-14 02:44 . 2007-10-30 23:20 -------- d-----w- c:\documents and settings\Dave\Application Data\SUPERAntiSpyware.com

2010-02-14 02:44 . 2007-10-30 23:19 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2010-02-12 21:15 . 2007-02-13 21:22 -------- d-----w- c:\documents and settings\Dave\Application Data\uTorrent

2010-02-12 03:41 . 2009-10-22 02:16 -------- d-----w- c:\program files\FeltStars

2010-02-10 17:53 . 2004-08-20 12:57 -------- d-----w- c:\documents and settings\Dave\Application Data\WeatherBug

2010-02-06 22:03 . 2009-01-17 16:39 -------- d-----w- c:\program files\Full Tilt Poker

2010-02-06 01:47 . 2009-05-09 19:40 -------- d-----w- c:\program files\PokerStars

2010-02-05 22:17 . 2009-01-29 23:34 -------- d-----w- c:\program files\DoylesRoom

2010-02-05 16:42 . 2006-07-07 22:34 -------- d-----w- c:\documents and settings\Dave\Application Data\AdobeUM

2010-02-05 16:42 . 2004-02-14 06:20 -------- d-----w- c:\program files\Common Files\Adobe

2010-02-05 02:44 . 2010-01-07 21:25 -------- d-----w- c:\program files\BigBetPoker.com

2010-02-05 02:43 . 2009-01-17 18:04 -------- d-----w- c:\program files\ReeferPoker

2010-02-05 02:41 . 2009-10-06 16:52 -------- d-----w- c:\program files\PowerPoker

2010-02-05 02:41 . 2009-03-20 11:51 -------- d-----w- c:\program files\Cake Poker

2010-02-05 02:40 . 2008-11-30 15:04 -------- d-----w- c:\program files\UltimateBet

2010-02-05 00:17 . 2009-06-10 21:21 -------- d-----w- c:\program files\Absolute Poker

2010-02-02 21:47 . 2008-10-14 21:38 -------- d-----w- c:\program files\YCN Group

2010-02-02 21:43 . 2004-02-19 03:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-01-25 19:25 . 2008-07-05 12:10 1360064 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\visualstudio\9.0\1033\ResourceCache.dll

2010-01-25 19:22 . 2008-06-16 20:57 176384 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VWDExpress\9.0\1033\ResourceCache.dll

2010-01-25 19:22 . 2008-06-16 19:50 -------- d-----w- c:\program files\MSBuild

2010-01-18 18:19 . 2009-06-18 13:59 -------- d-----w- c:\program files\PowerPokerClub

2010-01-14 17:12 . 2009-10-03 06:34 181120 ------w- c:\windows\system32\MpSigStub.exe

2010-01-13 14:42 . 2010-01-13 14:42 -------- d-----w- c:\program files\IIS

2010-01-13 14:37 . 2010-01-13 14:37 -------- d-----w- c:\program files\Microsoft

2009-12-31 16:50 . 2009-12-15 01:23 353792 ----a-w- c:\windows\system32\drivers\srv.sys

2009-12-30 18:18 . 2009-12-30 18:18 49152 ----a-r- c:\documents and settings\Dave\Application Data\Microsoft\Installer\{49FA793C-785E-47E9-93DF-BD442B0B45D1}\Icon49FA793C.exe

2009-12-24 22:23 . 2008-07-05 12:10 18368 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VSA\9.0\1033\ResourceCache.dll

2009-12-24 22:15 . 2004-09-21 00:18 -------- d-----w- c:\program files\Common Files\Merge Modules

2009-12-24 22:08 . 2008-06-16 19:57 -------- d-----w- c:\program files\Microsoft Visual Studio 9.0

2009-12-24 16:17 . 2009-09-26 23:58 -------- d-----w- c:\documents and settings\Dave\Application Data\BitTorrent

2009-12-21 19:14 . 2004-08-03 13:56 916480 ----a-w- c:\windows\system32\wininet.dll

2009-12-16 18:43 . 2004-02-14 06:03 343040 ----a-w- c:\windows\system32\mspaint.exe

2009-12-15 13:09 . 2004-02-14 06:51 58624 ----a-w- c:\documents and settings\Dave\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-12-15 12:37 . 2004-02-14 06:06 86327 ----a-w- c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat

2009-12-15 02:15 . 2009-12-15 02:15 529 ----a-w- C:\resetreg.cmd

2009-12-14 07:08 . 2009-12-15 01:23 33280 ----a-w- c:\windows\system32\csrsrv.dll

2009-12-13 04:08 . 2004-02-14 06:04 27872 ----a-w- c:\windows\system32\emptyregdb.dat

2009-12-11 17:28 . 2009-12-11 17:28 0 ----a-w- c:\windows\SET4C.tmp

2009-12-08 19:27 . 2009-12-15 01:23 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe

2009-12-08 18:43 . 2009-12-15 01:23 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe

2009-12-04 18:22 . 2009-12-15 01:23 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2009-11-27 17:11 . 2004-08-04 00:56 17920 ----a-w- c:\windows\system32\msyuv.dll

2009-11-27 17:11 . 2004-08-03 13:56 1291776 ----a-w- c:\windows\system32\quartz.dll

2009-11-27 16:07 . 2001-08-18 12:00 28672 ----a-w- c:\windows\system32\msvidc32.dll

2009-11-27 16:07 . 2001-08-17 22:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll

2009-11-27 16:07 . 2004-08-04 00:56 48128 ----a-w- c:\windows\system32\iyuv_32.dll

2009-11-27 16:07 . 2004-08-03 13:56 11264 ----a-w- c:\windows\system32\msrle32.dll

2009-11-27 16:07 . 2004-08-03 13:56 84992 ----a-w- c:\windows\system32\avifil32.dll

2009-11-21 15:51 . 2004-08-03 13:56 471552 ----a-w- c:\windows\AppPatch\aclayers.dll

2006-05-05 11:14 . 2006-05-05 11:14 28672 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll

2006-05-05 11:14 . 2006-05-05 11:14 98304 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll

2004-06-26 04:20 . 2004-06-26 04:20 13 --sha-w- c:\windows\CPSYSDLG.SYS

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3e6685db-8c0a-4a37-9ac9-9574e97c4e0b}]

2008-07-25 17:16 282112 ----a-w- c:\windows\system32\mscoree.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]

@="{C5994560-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]

2008-11-02 14:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]

@="{C5994561-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]

2008-11-02 14:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]

@="{C5994562-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]

2008-11-02 14:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]

@="{C5994563-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]

2008-11-02 14:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]

@="{C5994564-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]

2008-11-02 14:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]

@="{C5994565-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]

2008-11-02 14:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]

@="{C5994566-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]

2008-11-02 14:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]

@="{C5994567-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]

2008-11-02 14:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]

@="{C5994568-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]

2008-11-02 14:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2004-07-30 1593344]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IMONTRAY"="c:\program files\Intel\Intel® Active Monitor\imontray.exe" [2003-01-10 32768]

"ADUserMon"="c:\program files\Iomega\AutoDisk\ADUserMon.exe" [2002-09-24 147456]

"Iomega Drive Icons"="c:\program files\Iomega\DriveIcons\ImgIcon.exe" [2002-08-13 86016]

"Deskup"="c:\program files\Iomega\DriveIcons\deskup.exe" [2002-07-16 32768]

"IPInSightMonitor 01"="c:\program files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe" [2003-07-14 98304]

"2wSysTray"="c:\program files\2Wire\2PortalMon.exe" [2003-10-10 393216]

"WinVNC"="c:\program files\TightVNC\WinVNC.exe" [2003-08-01 474624]

"Dimension4"="c:\program files\D4\D4.exe" [2004-02-04 200704]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]

"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]

"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2006-11-06 200704]

"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe" [2005-12-06 163840]

"AutoMate6"="c:\program files\AutoMate 6\AMEM.exe" [2008-05-16 3325320]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]

"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]

DynDNS Updater.lnk - c:\program files\DynDNS Updater\DynDNS.exe [2005-6-5 1353216]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]

2004-11-01 16:50 8704 ----a-w- c:\windows\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0sprestrt\0sprestrt\0sprestrt

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\D4\\D4.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Common Files\\XPressUpdate\\XPressUpdate.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\uTorrent\\utorrent.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"c:\\Program Files\\MSN Messenger\\livecall.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

"c:\\Program Files\\McAfee\\MSC\\mcupdmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"51139:TCP"= 51139:TCP:@xpsp2res.dll,-22005

"28990:TCP"= 28990:TCP:@xpsp2res.dll,-22005

"12925:TCP"= 12925:TCP:@xpsp2res.dll,-22005

"56384:TCP"= 56384:TCP:@xpsp2res.dll,-22005

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/5/2010 7:56 AM 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 7:56 AM 74480]

R2 DisplayLinkService;DisplayLink Service;c:\program files\DisplayLink Core Software\DisplayLinkService.exe [12/18/2008 10:27 AM 447848]

R2 FreeDNSUpdate;FreeDNS Update;c:\program files\FreeDNS Update\FDNSUSVC.exe -start -sname=FreeDNSUpdate --> c:\program files\FreeDNS Update\FDNSUSVC.exe -start -sname=FreeDNSUpdate [?]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [7/2/2009 11:20 PM 93320]

R2 UltiDev Cassini Web Server for ASP.NET 2.0;UltiDev Cassini Web Server for ASP.NET 2.0;c:\program files\UltiDev\Cassini Web Server for ASP.NET 2.0\UltiDevCassinWebServer2a.exe [2/7/2007 11:06 PM 49152]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/11/2009 7:43 PM 24652]

R2 VWG_ENTERPRISE_SERVICE;Visual WebGui Scalable Server;c:\program files\Gizmox\Visual WebGUI\Scalable Server Service\Gizmox.WebGUI.Enterprise.Services.exe [12/4/2008 2:18 PM 16384]

R3 DisplayLinkGA;DisplayLinkGA;c:\windows\system32\drivers\DisplayLinkGAport.sys [12/18/2008 10:27 AM 20736]

R3 DisplayLinkmirror;DisplayLinkmirror;c:\windows\system32\drivers\DisplayLinkmirrorport.sys [12/18/2008 10:27 AM 18944]

R3 SSLDrv;SSL-VPN NetExtender Adapter;c:\windows\system32\drivers\SSLDrv.sys [1/5/2006 3:11 PM 17136]

S2 0220841266453456mcinstcleanup;McAfee Application Installer Cleanup (0220841266453456);c:\windows\TEMP\022084~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\022084~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]

S2 BrowserHawk_BDF;BrowserHawk BDF;"c:\program files\cyScape\BrowserHawk\BrowserHawk.exe" --> c:\program files\cyScape\BrowserHawk\BrowserHawk.exe [?]

S2 nvtvSND;nVidia WDM TVAudio Crossbar;c:\windows\system32\DRIVERS\nvtvsnd.sys --> c:\windows\system32\DRIVERS\nvtvsnd.sys [?]

S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]

S3 ACE Client Service;ACE Client Service;c:\program files\YCN Group\Ace Client\AceClient.exe [4/7/2009 3:50 PM 20992]

S3 ACE Server Service;ACE Server Service;c:\program files\YCN Group\Ace Server\AceServer.exe [4/21/2009 12:05 PM 20992]

S3 Advc1394f1 Filter;Advc1394f1 Filter;c:\windows\system32\drivers\advc1394f1.sys [6/22/2004 5:25 PM 23424]

S3 ATICDSDr;ATICDSDr;\??\c:\docume~1\Dave\LOCALS~1\Temp\ATICDSDr.sys --> c:\docume~1\Dave\LOCALS~1\Temp\ATICDSDr.sys [?]

S3 auditOL Notification Service;auditOL Notification Service;c:\program files\YCN Group\auditOL Notification Service\auditOLNotices.exe [2/2/2010 4:50 PM 12800]

S3 DisplayLinkUsbPort;DisplayLink USB Device;c:\windows\system32\drivers\DisplayLinkUsbPort.sys [12/18/2008 3:30 PM 20992]

S3 MsDepSvc;Web Deployment Agent Service;c:\program files\IIS\Microsoft Web Deploy\MsDepSvc.exe [9/9/2009 12:13 PM 55176]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 7:56 AM 7408]

S3 XMail;XMail Server;d:\installsets\xmail-1.20\MailRoot\bin\XMail.exe --> d:\installsets\xmail-1.20\MailRoot\bin\XMail.exe [?]

S4 FixIP;FixIP;d:\radagast\tix21\scheduler.net\output\fixip.service.exe --> d:\radagast\tix21\scheduler.net\output\fixip.service.exe [?]

S4 LumiSoft Mail Server;LumiSoft Mail Server;d:\radagast\rct\lumisoft\mailserver\application\release\lsmailserver.exe --> d:\radagast\rct\lumisoft\mailserver\application\release\lsmailserver.exe [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - IPVNMon

.

Contents of the 'Scheduled Tasks' folder

2010-02-12 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-02-15 c:\windows\Tasks\McDefragTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-07-03 17:22]

2010-02-01 c:\windows\Tasks\McQcTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-07-03 17:22]

2010-02-17 c:\windows\Tasks\Symantec NetDetect.job

- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-02-14 22:24]

.

.

------- Supplementary Scan -------

.

uLocal Page = \blank.htm

uStart Page = hxxp://www.google.com

uInternet Settings,ProxyServer = 82.66.124.146:8081

uInternet Settings,ProxyOverride = <local>

IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm

IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html

IE: {{FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\PokerStars.NET\PokerStarsUpdate.exe

IE: {{C7B3DF1E-6EFC-41E8-9DA7-EBC1F973832D} - {F5FC01C8-9039-45E1-8AB2-7D04D4D72197} - c:\progra~1\HTTPAN~1\IEHTTP~1.DLL

Trusted Zone: dyndns.biz\radagast

Trusted Zone: internet

Trusted Zone: localhost

Trusted Zone: mcafee.com

Trusted Zone: strategicsoftware.net\screensafe

TCP: {FB492367-EAFB-42D8-B37C-080E2554D8D6} = 93.188.164.60,93.188.161.31

DPF: {50580095-16DB-4B28-BCFC-70989E09AA5F} - hxxps://206.81.55.237/XTunnel.cab

FF - ProfilePath - c:\documents and settings\Dave\Application Data\Mozilla\Firefox\Profiles\q3xo1rdh.default\

FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=

FF - prefs.js: browser.search.selectedEngine - Ask.com

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com

FF - prefs.js: keyword.URL -

FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll

FF - plugin: c:\program files\McAfee\Supportability\MVT\NPMVTPlugin.dll

FF - plugin: c:\program files\Microsoft\Web Platform Installer\NPWPIDetector.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)

HKCU-Run-Sonic RecordNow! - (no file)

HKLM-Run-SoundMAXPnP - c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe

HKLM-Run-Mirabilis ICQ - c:\program files\ICQ\NDetect.exe

AddRemove-SBC Yahoo! UMUninstaller - c:\program files\SBC Yahoo!\umuninst.exe

AddRemove-WinPcapInst - c:\program files\WinPcap\Uninstall.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-02-17 19:58

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys >>UNKNOWN [0x8676A8C8]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xf78c7f28

\Driver\ACPI -> ACPI.sys @ 0xf781acb8

\Driver\atapi -> atapi.sys @ 0xf7681b3a

IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598

ParseProcedure -> ntoskrnl.exe @ 0x8056ea15

\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598

ParseProcedure -> ntoskrnl.exe @ 0x8056ea15

user & kernel MBR OK

copy of MBR has been found in sector 0x00

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MsDepSvc]

"ImagePath"="\"c:\program files\IIS\Microsoft Web Deploy\MsDepSvc.exe\" -runService:MsDepSvc"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Iomega Activity Disk2]

"ImagePath"="\"\""

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MySQL]

"ImagePath"="c:\mysql\bin\mysqld-max-nt MySQL"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0b,97,a8,df,9a,d5,64,46,a9,01,46,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0b,97,a8,df,9a,d5,64,46,a9,01,46,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(672)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

c:\windows\system32\WININET.dll

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1892)

c:\windows\system32\WININET.dll

c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

c:\program files\TortoiseSVN\bin\TortoiseStub.dll

c:\program files\TortoiseSVN\bin\TortoiseSVN.dll

c:\program files\TortoiseSVN\bin\intl3_tsvn.dll

c:\program files\TortoiseCVS\TrtseShl.dll

c:\program files\Iomega\DriveIcons\IMGHOOK.DLL

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\windows\system32\Ati2evxx.exe

c:\program files\FreeDNS Update\FDNSUSVC.exe

c:\program files\FreeDNS Update\freednsupdate.exe

c:\windows\system32\inetsrv\inetinfo.exe

c:\progra~1\Iomega\System32\AppServices.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\progra~1\McAfee\MSC\mcmscsvc.exe

c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

c:\progra~1\McAfee\VIRUSS~1\mcshield.exe

c:\program files\DisplayLink Core Software\DisplayLinkManager.exe

c:\program files\DisplayLink Core Software\DisplayLinkUI.exe

c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

c:\program files\McAfee\MPF\MPFSrv.exe

c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe

c:\program files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe

c:\progra~1\mcafee.com\agent\mcagent.exe

c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe

c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe

c:\program files\Iomega\AutoDisk\ADService.exe

c:\program files\TortoiseSVN\bin\TSVNCache.exe

c:\program files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exe

.

**************************************************************************

.

Completion time: 2010-02-17 20:09:28 - machine was rebooted

ComboFix-quarantined-files.txt 2010-02-18 02:09

Pre-Run: 1,418,058,952,704 bytes free

Post-Run: 1,419,718,365,184 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /noexecute=optin

- - End Of File - - C8C10178BB40A4798677565AF11F9E63


  • Staff

Hi,

Download GMER Rootkit Scanner from here to your desktop. It will be a randomly named executable.

  • Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.
  • Double click the exe file.
  • The program will begin to run, and perform an initial scan. If possible rootkit activity is found, you will be asked if you would like to perform a full scan. Click No.
  • In any case, after the initial scan is complete, click on the Save button, save the log file somewhere you can easily find it, such as your desktop, and attach it in your reply.


  • Staff

Hi,

Yes, this has been reported many times with gmer, even on clean computers.

Try the following please:

RootRepeal - Rootkit Detector

  • Please download the following tool: RootRepeal - Rootkit Detector
  • Direct download link is here: RootRepeal.rar
  • If you don't already have a program to open a .RAR compressed file you can download a trial version from here: WinRAR
  • Extract the program file to a new folder such as C:\RootRepeal
  • Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button
  • Select ALL of the checkboxes and then click OK and it will start scanning your system.
  • If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
  • When done, click on Save Report
  • Save it to the same location where you ran it from, such as C:\RootRepeal
  • Save it as your_name_rootrepeal.txt - where your_name is your forum name
  • This makes it easier to track who the log belongs to.
  • Then open that log and select all and copy/paste it back on your next reply please.
  • Quit the RootRepeal program.


Apparently you are correct.

TDSS rootkit removing tool, Kaspersky Lab, 2010

version 2.2.4 Feb 15 2010 19:38:31

Scanning Services ...

Scanning Kernel memory ...

Driver "atapi" Irp handler infected by TDSS rootkit ... cured

File C:\WINDOWS\system32\DRIVERS\atapi.sys infected by TDSS rootkit ... will be

cured on next reboot

Completed

Results:

Memory objects infected / cured / cured on reboot: 1 / 1 / 0

Registry objects infected / cured / cured on reboot: 0 / 0 / 0

File objects infected / cured / cured on reboot: 1 / 0 / 1

To finalize removal of infection and avoid loosing of data program will

reboot your PC now.

Close all programs and choose Y to restart or N to continue


  • Staff

Good!

Please rescan one more time with malwarebytes to get rid of the leftovers.

Then, go to Start > Run and copy and paste the next command in the field:

ComboFix /Uninstall

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.


Done - the last run of your program found a DNS changer, but I think it's valid. I use FreeDNS for DDNS. Also - I changed my passwords when this stuff first hit. Are any of these remnants serious enough that I need to worry about changing those again?

Malwarebytes' Anti-Malware 1.44

Database version: 3761

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

2/19/2010 1:24:17 PM

mbam-log-2010-02-19 (13-24-17).txt

Scan type: Full Scan (C:\|)

Objects scanned: 500350

Time elapsed: 2 hour(s), 25 minute(s), 51 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{fb492367-eafb-42d8-b37c-080e2554d8d6}\NameServer (Trojan.DNSChanger) -> Data: 93.188.164.60,93.188.161.31 -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


  • Staff

Those are not related to FreeDNS though.

Just let malwarebytes delete those, then flush your DNS cache.

I don't know what the DNS entries are for FreeDNS, but if you use it, you should have an account there to check what DNS server to set there.

I never tried FreeDNS, so I cannot tell either how reliable it is. I know OpenDNS and Google have had a similar service since recently as well: http://googleblog.blogspot.com/2009/12/int...public-dns.html

Also, please read my Prevention page with lots of info and tips on how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date, because older versions may contain security leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!
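An added check, not part of this thread or of any Malwarebytes tooling, that reads the per-interface NameServer values as they appear in the ComboFix "TCP:" lines and the Malwarebytes "Registry Data Items" line above and flags resolvers that are neither on the LAN nor in an allowlist the owner maintains. The sample log lines and the allowlist of 8.8.8.8/8.8.4.4 are constructed for illustration and stand in for whatever resolvers the owner actually configured.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample lines in the style of the ComboFix "Supplementary Scan"
# and Malwarebytes "Registry Data Items" sections quoted in this thread.
SAMPLE_LOG = r"""
TCP: {FB492367-EAFB-42D8-B37C-080E2554D8D6} = 93.188.164.60,93.188.161.31
TCP: {0A1B2C3D-0000-1111-2222-333344445555} = 192.168.1.1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{fb492367-eafb-42d8-b37c-080e2554d8d6}\NameServer (Trojan.DNSChanger) -> Data: 93.188.164.60,93.188.161.31 -> Quarantined and deleted successfully.
"""

# A resolver on the LAN (the home router) is normally expected, so private
# ranges are never flagged; everything else must be on the allowlist.
PRIVATE_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# ComboFix form:    TCP: {GUID} = ip,ip
# Malwarebytes form: ...\Interfaces\{guid}\NameServer ... -> Data: ip,ip -> ...
_TCP_LINE = re.compile(r"TCP:\s*\{([0-9A-Fa-f-]+)\}\s*=\s*([\d.,\s]+)")
_MBAM_LINE = re.compile(r"Interfaces\\\{([0-9A-Fa-f-]+)\}\\NameServer.*?Data:\s*([\d.,\s]+?)\s*->")


def parse_resolvers(log_text):
    """Return {interface_guid (lowercase): [resolver IPs in order seen]}."""
    found = {}
    for line in log_text.splitlines():
        m = _TCP_LINE.search(line) or _MBAM_LINE.search(line)
        if not m:
            continue
        guid = m.group(1).lower()
        ips = [ip.strip() for ip in m.group(2).split(",") if ip.strip()]
        bucket = found.setdefault(guid, [])
        for ip in ips:
            if ip not in bucket:  # the same interface appears in both log styles
                bucket.append(ip)
    return found


def unexpected_resolvers(found, allowlist):
    """Resolvers that are neither on a private LAN range nor in the allowlist."""
    allowed = {ip_address(a) for a in allowlist}
    flagged = {}
    for guid, ips in found.items():
        bad = [ip for ip in ips
               if ip_address(ip) not in allowed
               and not any(ip_address(ip) in net for net in PRIVATE_NETS)]
        if bad:
            flagged[guid] = bad
    return flagged


if __name__ == "__main__":
    # Constructed allowlist: the resolvers this owner claims to have chosen.
    for guid, ips in unexpected_resolvers(parse_resolvers(SAMPLE_LOG), ["8.8.8.8", "8.8.4.4"]).items():
        print(f"interface {{{guid}}} uses unexpected resolvers: {', '.join(ips)}")
```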

This topic is now closed to further replies.