\\.\globalroot\svchost.exe virus! help!


I have the //./globalroot svchost virus, and it's really hard to fix; safe mode does nothing.

It kills all scanners, and I can't kill the process.

Here is my DDS log. What can I do!?

DDS (Ver_10-12-12.02) - NTFSx86  
Run by Kayla at 17:03:47.42 on Fri 01/07/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1526.991 [GMT -5:00]

AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\mfevtps.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\PC Tools Security\pctsGui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\TeamViewer\Version6\TeamViewer.exe
C:\Program Files\iPod\bin\iPodService.exe
"\\.\globalroot\Device\svchost.exe\svchost.exe"
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\TeamViewer\Version6\tv_w32.exe
C:\WINDOWS\system32\wuauclt.exe
c:\program files\teamviewer\version6\TeamViewer_Desktop.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Kayla\Desktop\dds-1.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uURLSearchHooks: H - No File
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110105220154.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {DE9C389F-3316-41A7-809B-AA305ED9D922} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [CTSysVol] c:\program files\creative\sound blaster live! 24-bit\surround mixer\CTSysVol.exe /r
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [ISTray] "c:\program files\pc tools security\pctsGui.exe" /hideGUI
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-us\local\search.html
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Poker%20Superstars%203/Images/stg_drm.ocx
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Poker%20Superstars%203/Images/armhelper.ocx
DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.3.16.0.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-10-13 386840]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2011-1-7 28552]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2011-1-6 239168]
R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [2011-1-6 338880]
R0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [2011-1-6 656320]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2011-1-5 84072]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2011-1-5 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-1-5 141792]
R3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\4e.tmp --> c:\windows\system32\4E.tmp [?]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-1-5 152960]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-1-5 313288]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2011-1-5 88544]
R4 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-1-6 38224]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-29 135664]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2011-1-5 271480]
S2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2011-1-5 271480]
S2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2011-1-5 271480]
S2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2011-1-5 271480]
S2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-1-5 171168]
S2 sdAuxService;PC Tools Auxiliary Service;c:\program files\pc tools security\pctsAuxs.exe [2011-1-6 366840]
S2 sdCoreService;PC Tools Security Service;c:\program files\pc tools security\pctsSvc.exe [2011-1-6 1150936]
S2 zwqnou;zwqnou;\??\c:\windows\system32\drivers\ibjcdwechmczmct.sys --> c:\windows\system32\drivers\ibjcdwechmczmct.sys [?]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-1-5 55840]
S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2009-12-18 11336]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-1-5 52104]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2011-1-5 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-1-5 84264]
S4 SASDIFSV;SASDIFSV;c:\docume~1\kayla\locals~1\temp\sas_selfextract\SASDIFSV.SYS [2010-2-17 12872]
S4 SASKUTIL;SASKUTIL;c:\docume~1\kayla\locals~1\temp\sas_selfextract\SASKUTIL.SYS [2010-5-10 67656]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-9-15 24652]

=============== Created Last 30 ================

2011-01-07 21:52:30 -------- d-----w- c:\program files\Sophos
2011-01-07 21:24:01 -------- d-----w- c:\docume~1\kayla\applic~1\SUPERAntiSpyware.com
2011-01-07 21:24:01 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2011-01-07 20:52:20 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2011-01-07 20:52:04 -------- d-----w- c:\program files\Panda Security
2011-01-07 03:15:01 -------- d-----w- c:\docume~1\kayla\applic~1\Windows Search
2011-01-07 03:09:17 210248 ----a-w- c:\documents and settings\kayla\pcttFixTool32.dll
2011-01-07 03:05:37 656320 ----a-w- c:\windows\system32\drivers\pctEFA.sys
2011-01-07 03:05:36 338880 ----a-w- c:\windows\system32\drivers\pctDS.sys
2011-01-07 03:05:34 249616 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2011-01-07 03:05:26 239168 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2011-01-07 03:05:26 160448 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2011-01-07 03:05:17 70536 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2011-01-07 03:05:09 -------- d-----w- c:\program files\PC Tools Security
2011-01-07 03:05:09 -------- d-----w- c:\program files\common files\PC Tools
2011-01-07 03:05:09 -------- d-----w- c:\docume~1\kayla\applic~1\PC Tools
2011-01-07 03:03:49 -------- d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2011-01-07 03:00:16 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-07 03:00:13 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-07 03:00:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-07 02:25:21 139264 ----a-w- c:\windows\system32\igfxres.dll
2011-01-07 02:21:02 61440 ----a-w- c:\windows\system32\iAlmCoIn_v4543.dll
2011-01-07 02:15:23 -------- d-----w- C:\Intel
2011-01-07 02:11:56 -------- d-----w- c:\program files\SystemRequirementsLab
2011-01-07 02:08:29 -------- d-----w- c:\docume~1\kayla\applic~1\TeamViewer
2011-01-07 02:08:12 -------- d-----w- c:\program files\TeamViewer
2011-01-06 00:39:45 -------- d-----w- c:\docume~1\kayla\locals~1\applic~1\AIM
2011-01-05 21:28:08 -------- d-----w- c:\program files\SiteAdvisor
2011-01-05 21:27:12 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-01-05 21:27:02 84072 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2011-01-05 21:27:01 88544 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2011-01-05 21:27:01 84264 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-01-05 21:27:01 55840 ----a-w- c:\windows\system32\drivers\cfwids.sys
2011-01-05 21:27:01 52104 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2011-01-05 21:27:01 313288 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2011-01-05 21:27:01 152960 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-01-05 21:26:52 -------- d-----w- c:\program files\McAfee.com
2011-01-05 21:06:58 141792 ----a-w- c:\windows\system32\mfevtps.exe
2011-01-04 01:10:12 -------- d-----w- c:\program files\World of Warcraft
2010-12-27 19:22:12 -------- d-----w- c:\docume~1\kayla\locals~1\applic~1\SCE
2010-12-27 19:22:12 -------- d-----w- c:\docume~1\kayla\applic~1\Sony Online Entertainment
2010-12-27 19:21:34 -------- d-----w- c:\program files\Sony Online Entertainment
2010-12-15 11:12:45 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-11 01:36:25 -------- d-----w- c:\program files\iPod
2010-12-11 01:36:09 -------- d-----w- c:\program files\iTunes
2010-12-11 01:10:19 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2010-12-11 01:10:19 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-12-11 01:07:09 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll
2010-12-11 01:07:09 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll
2010-12-11 01:07:08 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll
2010-12-11 01:07:08 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll
2010-12-11 01:07:08 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll
2010-12-11 01:07:08 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll
2010-12-11 01:07:08 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll
2010-12-11 01:03:25 -------- d-----w- c:\docume~1\kayla\locals~1\applic~1\Apple

==================== Find3M ====================

2010-12-06 20:26:57 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-11-29 22:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 22:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-08 06:20:24 89088 -c--a-w- c:\windows\MBR.exe
2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26:58 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec
2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys
2010-10-19 20:51:33 222080 ------w- c:\windows\system32\MpSigStub.exe

============= FINISH: 17:04:44.09 ===============

I got ComboFix running.

ComboFix 10-12-04.06 - Erik 12/06/2010  16:02:27.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1526.1043 [GMT -5:00]
Running from: f:\virus removal\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Documents\iexplore.exe
c:\documents and settings\Erik\Local Settings\Application Data\{5B0DED79-5B9E-4F0E-BE90-2361956E8DB1}
c:\documents and settings\Erik\Local Settings\Application Data\{5B0DED79-5B9E-4F0E-BE90-2361956E8DB1}\chrome.manifest
c:\documents and settings\Erik\Local Settings\Application Data\{5B0DED79-5B9E-4F0E-BE90-2361956E8DB1}\chrome\content\overlay.xul
c:\documents and settings\Erik\Local Settings\Application Data\{5B0DED79-5B9E-4F0E-BE90-2361956E8DB1}\install.rdf
c:\documents and settings\Kayla\Local Settings\Application Data\{04B9E550-1EE6-4A74-9868-60650A9D20A9}
c:\documents and settings\Kayla\Local Settings\Application Data\{04B9E550-1EE6-4A74-9868-60650A9D20A9}\chrome.manifest
c:\documents and settings\Kayla\Local Settings\Application Data\{04B9E550-1EE6-4A74-9868-60650A9D20A9}\chrome\content\overlay.xul
c:\documents and settings\Kayla\Local Settings\Application Data\{04B9E550-1EE6-4A74-9868-60650A9D20A9}\install.rdf
c:\documents and settings\Lynda\Local Settings\Application Data\{8278B342-366A-4261-BE91-7E5594E515BC}
c:\documents and settings\Lynda\Local Settings\Application Data\{8278B342-366A-4261-BE91-7E5594E515BC}\chrome.manifest
c:\documents and settings\Lynda\Local Settings\Application Data\{8278B342-366A-4261-BE91-7E5594E515BC}\chrome\content\overlay.xul
c:\documents and settings\Lynda\Local Settings\Application Data\{8278B342-366A-4261-BE91-7E5594E515BC}\install.rdf
c:\program files\Shared
c:\windows\settings.reg

.
((((((((((((((((((((((((( Files Created from 2010-11-06 to 2010-12-06 )))))))))))))))))))))))))))))))
.

2010-12-06 20:53 . 2010-12-06 20:54 -------- d-----w- c:\windows\LastGood
2010-12-06 20:40 . 2010-12-06 20:40 -------- d-----w- c:\program files\CCleaner
2010-12-06 20:36 . 2010-11-29 22:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-06 20:36 . 2010-12-06 20:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-06 20:36 . 2010-11-29 22:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-06 20:26 . 2010-12-06 20:26 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-12-06 20:21 . 2010-12-06 20:52 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-12-06 20:21 . 2010-12-06 20:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-12-06 20:13 . 2010-12-06 20:20 -------- d-----w- c:\documents and settings\Administrator
2010-12-06 20:11 . 2010-12-06 20:11 -------- d-----w- c:\documents and settings\Erik\Application Data\Windows Desktop Search
2010-12-06 20:01 . 2010-12-06 20:01 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-12-06 19:57 . 2010-12-06 19:57 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-12-06 02:41 . 2010-12-06 02:41 -------- d-----w- c:\program files\Microsoft.NET
2010-12-06 02:40 . 2010-12-06 02:40 -------- d-----w- C:\7047acda71afa17e31
2010-12-06 02:40 . 2010-12-06 02:40 -------- d-----w- c:\documents and settings\Kayla\Local Settings\Application Data\Identities
2010-12-06 02:40 . 2010-12-06 02:40 -------- d-----w- c:\documents and settings\Kayla\Application Data\Windows Desktop Search
2010-12-06 02:40 . 2010-12-06 02:40 -------- d-----w- c:\program files\Windows Desktop Search
2010-12-06 02:40 . 2010-12-06 02:40 -------- d-----w- c:\windows\system32\GroupPolicy
2010-12-06 02:38 . 2008-03-07 17:02 98304 -c----w- c:\windows\system32\dllcache\nlhtml.dll
2010-12-06 02:38 . 2008-03-07 17:02 29696 -c----w- c:\windows\system32\dllcache\mimefilt.dll
2010-12-06 02:38 . 2008-03-07 17:02 192000 -c----w- c:\windows\system32\dllcache\offfilt.dll
2010-12-06 02:24 . 2001-08-17 18:57 16128 -c--a-w- c:\windows\system32\dllcache\modemcsa.sys
2010-12-06 02:24 . 2001-08-17 18:57 16128 ----a-w- c:\windows\system32\drivers\MODEMCSA.sys
2010-12-05 03:38 . 2010-12-05 03:41 -------- d-----w- c:\documents and settings\Kayla\Local Settings\Application Data\PMB Files
2010-12-05 03:38 . 2010-12-05 03:38 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files
2010-12-05 03:38 . 2010-12-05 03:38 -------- d-----w- c:\program files\Pando Networks
2010-12-04 16:19 . 2010-12-04 16:19 -------- d-----w- c:\documents and settings\Lynda\Application Data\Catalina Marketing Corp
2010-11-27 00:34 . 2010-11-27 00:34 -------- d-----w- c:\documents and settings\Kayla\Local Settings\Application Data\Temp
2010-11-13 23:13 . 2010-11-13 23:13 -------- d-----w- c:\documents and settings\Erik\Local Settings\Application Data\Yahoo!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 16:23 . 2004-08-04 10:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2004-08-04 10:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2004-08-04 10:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2004-08-04 10:00 953856 ------w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58 . 2006-03-04 03:33 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2004-08-04 10:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2004-08-04 10:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-08 15:17 . 2010-09-08 15:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 15:17 . 2010-09-08 15:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
2009-10-14 23:09 . 2009-10-14 23:09 17304 -c--a-w- c:\program files\Common Files\hivy.pif
2009-10-09 10:24 . 2009-10-09 10:24 18192 -c--a-w- c:\program files\Common Files\gyfifok.exe
2009-09-29 10:31 . 2009-09-29 10:31 13559 -c--a-w- c:\program files\Common Files\obedave.dll
2009-09-28 22:51 . 2009-09-28 22:51 10292 -c--a-w- c:\program files\Common Files\jyqilum.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"CTSysVol"="c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"P17Helper"="P17.dll" [2004-06-10 60928]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-09-22 47904]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2006-10-03 221184]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]

c:\documents and settings\Kayla\Start Menu\Programs\Startup\
CurseClientStartup.ccip [2010-9-19 0]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-5-28 241664]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-5-28 53248]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-09-18 17:38 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wscsvc"=2 (0x2)
"Viewpoint Manager Service"=2 (0x2)
"stllssvr"=3 (0x3)
"SharedAccess"=2 (0x2)
"RasAuto"=3 (0x3)
"mnmsrvc"=3 (0x3)
"McciCMService"=2 (0x2)
"WmdmPmSN"=3 (0x3)
"SCardSvr"=3 (0x3)
"RSVP"=3 (0x3)
"IDriverT"=3 (0x3)
"GoToAssist"=3 (0x3)
"dmadmin"=3 (0x3)
"hkmsvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57127:TCP"= 57127:TCP:Pando Media Booster
"57127:UDP"= 57127:UDP:Pando Media Booster

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/29/2010 6:35 AM 135664]
S2 zwqnou;zwqnou;\??\c:\windows\system32\drivers\ibjcdwechmczmct.sys --> c:\windows\system32\drivers\ibjcdwechmczmct.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [9/15/2008 8:59 PM 24652]
.
Contents of the 'Scheduled Tasks' folder

2010-11-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-12-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 11:34]

2010-12-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 11:34]

2010-12-06 c:\windows\Tasks\User_Feed_Synchronization-{AA4C582D-651D-416D-9F07-9359DEA4AC42}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-06 16:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(656)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
.
Completion time: 2010-12-06 16:08:38
ComboFix-quarantined-files.txt 2010-12-06 21:08

Pre-Run: 55,380,705,280 bytes free
Post-Run: 55,641,698,304 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - E126D926D94EEFDB3F576150D7C63F4C

2010-12-06 20:36 . 2010-12-06 20:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-06 20:36 . 2010-11-29 22:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-06 20:26 . 2010-12-06 20:26 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-12-06 20:21 . 2010-12-06 20:52 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-12-06 20:21 . 2010-12-06 20:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-12-06 20:13 . 2010-12-06 20:20 -------- d-----w- c:\documents and settings\Administrator
2010-12-06 20:11 . 2010-12-06 20:11 -------- d-----w- c:\documents and settings\Erik\Application Data\Windows Desktop Search
2010-12-06 20:01 . 2010-12-06 20:01 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-12-06 19:57 . 2010-12-06 19:57 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-12-06 02:41 . 2010-12-06 02:41 -------- d-----w- c:\program files\Microsoft.NET
2010-12-06 02:40 . 2010-12-06 02:40 -------- d-----w- C:\7047acda71afa17e31
2010-12-06 02:40 . 2010-12-06 02:40 -------- d-----w- c:\documents and settings\Kayla\Local Settings\Application Data\Identities
2010-12-06 02:40 . 2010-12-06 02:40 -------- d-----w- c:\documents and settings\Kayla\Application Data\Windows Desktop Search
2010-12-06 02:40 . 2010-12-06 02:40 -------- d-----w- c:\program files\Windows Desktop Search
2010-12-06 02:40 . 2010-12-06 02:40 -------- d-----w- c:\windows\system32\GroupPolicy
2010-12-06 02:38 . 2008-03-07 17:02 98304 -c----w- c:\windows\system32\dllcache\nlhtml.dll
2010-12-06 02:38 . 2008-03-07 17:02 29696 -c----w- c:\windows\system32\dllcache\mimefilt.dll
2010-12-06 02:38 . 2008-03-07 17:02 192000 -c----w- c:\windows\system32\dllcache\offfilt.dll
2010-12-06 02:24 . 2001-08-17 18:57 16128 -c--a-w- c:\windows\system32\dllcache\modemcsa.sys
2010-12-06 02:24 . 2001-08-17 18:57 16128 ----a-w- c:\windows\system32\drivers\MODEMCSA.sys
2010-12-05 03:38 . 2010-12-05 03:41 -------- d-----w- c:\documents and settings\Kayla\Local Settings\Application Data\PMB Files
2010-12-05 03:38 . 2010-12-05 03:38 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files
2010-12-05 03:38 . 2010-12-05 03:38 -------- d-----w- c:\program files\Pando Networks
2010-12-04 16:19 . 2010-12-04 16:19 -------- d-----w- c:\documents and settings\Lynda\Application Data\Catalina Marketing Corp
2010-11-27 00:34 . 2010-11-27 00:34 -------- d-----w- c:\documents and settings\Kayla\Local Settings\Application Data\Temp
2010-11-13 23:13 . 2010-11-13 23:13 -------- d-----w- c:\documents and settings\Erik\Local Settings\Application Data\Yahoo!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 16:23 . 2004-08-04 10:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2004-08-04 10:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2004-08-04 10:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2004-08-04 10:00 953856 ------w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58 . 2006-03-04 03:33 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2004-08-04 10:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2004-08-04 10:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-08 15:17 . 2010-09-08 15:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 15:17 . 2010-09-08 15:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
2009-10-14 23:09 . 2009-10-14 23:09 17304 -c--a-w- c:\program files\Common Files\hivy.pif
2009-10-09 10:24 . 2009-10-09 10:24 18192 -c--a-w- c:\program files\Common Files\gyfifok.exe
2009-09-29 10:31 . 2009-09-29 10:31 13559 -c--a-w- c:\program files\Common Files\obedave.dll
2009-09-28 22:51 . 2009-09-28 22:51 10292 -c--a-w- c:\program files\Common Files\jyqilum.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"CTSysVol"="c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"P17Helper"="P17.dll" [2004-06-10 60928]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-09-22 47904]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2006-10-03 221184]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]

c:\documents and settings\Kayla\Start Menu\Programs\Startup\
CurseClientStartup.ccip [2010-9-19 0]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-5-28 241664]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-5-28 53248]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-09-18 17:38 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wscsvc"=2 (0x2)
"Viewpoint Manager Service"=2 (0x2)
"stllssvr"=3 (0x3)
"SharedAccess"=2 (0x2)
"RasAuto"=3 (0x3)
"mnmsrvc"=3 (0x3)
"McciCMService"=2 (0x2)
"WmdmPmSN"=3 (0x3)
"SCardSvr"=3 (0x3)
"RSVP"=3 (0x3)
"IDriverT"=3 (0x3)
"GoToAssist"=3 (0x3)
"dmadmin"=3 (0x3)
"hkmsvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57127:TCP"= 57127:TCP:Pando Media Booster
"57127:UDP"= 57127:UDP:Pando Media Booster

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/29/2010 6:35 AM 135664]
S2 zwqnou;zwqnou;\??\c:\windows\system32\drivers\ibjcdwechmczmct.sys --> c:\windows\system32\drivers\ibjcdwechmczmct.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [9/15/2008 8:59 PM 24652]
.
Contents of the 'Scheduled Tasks' folder

2010-11-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-12-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 11:34]

2010-12-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 11:34]

2010-12-06 c:\windows\Tasks\User_Feed_Synchronization-{AA4C582D-651D-416D-9F07-9359DEA4AC42}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-06 16:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(656)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
.
Completion time: 2010-12-06 16:08:38
ComboFix-quarantined-files.txt 2010-12-06 21:08

Pre-Run: 55,380,705,280 bytes free
Post-Run: 55,641,698,304 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - E126D926D94EEFDB3F576150D7C63F4C

Help!


Please don't attach the scans / logs, use "copy/paste".

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your PC inoperable and could require a full reinstall of your OS, losing all your programs and data.

Vista and Windows 7 users:

1. These tools MUST be run from the executable (.exe) every time you run them.

2. With Admin Rights (Right click, choose "Run as Administrator").

Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

Right Click on My Computer > Right Click on Properties > click Hardware > on the top click Tools > on the top click View > click on Show Hidden Devices > look under Non-Plug and Play Drivers and System Devices.

Look for ibjcdwechmczmct or something like [cmz vmkd]; if found, Right Click on it and select Disable.

Now run a new Combofix scan.
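The procedure above hunts for the hidden driver by hand in Device Manager. As an added example (not part of this thread, and not a ComboFix or Malwarebytes feature), the Python script below applies the same idea to the service lines ComboFix already printed under "Reg Loading Points": it parses entries of the form `S2 name;display;path [...]` and flags the ones whose image file ComboFix marked `[?]` (assumed here to mean the file could not be found on disk), or whose service name is a random-looking string reused unchanged as the display name, which is exactly how the `zwqnou` / `ibjcdwechmczmct.sys` entry looks in the log. The five sample lines are constructed copies of entries from the log; the randomness heuristic is my own assumption, not a published rule, so treat its hits as leads to verify rather than verdicts.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample input: five service lines in the shape ComboFix prints
# under "Reg Loading Points" (copied from the log in this thread).
SAMPLE_SERVICE_LINES = [
    r"R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]",
    r"S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/29/2010 6:35 AM 135664]",
    r"S2 zwqnou;zwqnou;\??\c:\windows\system32\drivers\ibjcdwechmczmct.sys --> c:\windows\system32\drivers\ibjcdwechmczmct.sys [?]",
    r"S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]",
    r"S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [9/15/2008 8:59 PM 24652]",
]

# "R"/"S" = running/stopped, digit = start type, then name;display;path [meta]
SERVICE_RE = re.compile(
    r"^(?P<kind>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$"
)
# Trailing bracket holds "[date time size]" for a file ComboFix found, or "[?]"
# (assumption: the file could not be located) after an optional "--> resolved path".
REST_RE = re.compile(
    r"^(?P<path>.*?)(?:\s+-->\s+(?P<resolved>.*?))?\s+\[(?P<meta>[^\]]*)\]$"
)
VOWELS = set("aeiouy")


@dataclass
class ServiceEntry:
    kind: str           # R = running, S = stopped
    start: int          # 2 = automatic, 3 = manual, 4 = disabled
    name: str
    display: str
    image_path: str
    file_found: bool
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def longest_consonant_run(name: str) -> int:
    """Length of the longest run of consonant letters in the name."""
    run = best = 0
    for ch in name.lower():
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def looks_random(name: str) -> bool:
    """Heuristic (my assumption, not a ComboFix rule): an all-lowercase, purely
    alphabetic name of 6+ characters containing a run of 4+ consonants is unlike
    a vendor-chosen service name."""
    return (name.isalpha() and name.islower() and len(name) >= 6
            and longest_consonant_run(name) >= 4)


def parse_service_line(line: str) -> ServiceEntry:
    """Parse one ComboFix service line and attach any triage reasons."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a ComboFix service line: {line!r}")
    r = REST_RE.match(m.group("rest"))
    if not r:
        raise ValueError(f"unrecognised path/meta part: {m.group('rest')!r}")
    path = r.group("resolved") or r.group("path")
    file_found = r.group("meta").strip() != "?"
    entry = ServiceEntry(m.group("kind"), int(m.group("start")),
                         m.group("name"), m.group("display"), path, file_found)
    if not file_found:
        entry.reasons.append("image file not found on disk ([?])")
    if entry.name == entry.display and looks_random(entry.name):
        entry.reasons.append("random-looking name reused as display name")
    return entry


def triage(lines: List[str]) -> List[ServiceEntry]:
    """Return only the entries that carry at least one triage reason."""
    return [e for e in (parse_service_line(l) for l in lines) if e.suspicious]


if __name__ == "__main__":
    for e in triage(SAMPLE_SERVICE_LINES):
        print(f"{e.name} (start type {e.start}) -> {e.image_path}")
        for reason in e.reasons:
            print(f"    - {reason}")
```

Running the script on the sample lines reports only `zwqnou`, with both reasons attached; a real log would be read from the file instead of the constructed list. A flagged entry is a starting point for the helper's next step (locate and disable the driver, then rescan), not proof of infection on its own.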


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
