sc.videofreeforonline.com in winamp keygen.exe

Post by wimpy » November 14th, 2008, 3:33 pm

Hello,

In a glimpse of brilliance, I downloaded a winamp keygen .exe file. Although it looked suspicious, I clicked on it and the problems began. I finally determined that I had the sc.videofreeforonline.com spyware, which redirects IE or Firefox to sc.videofreeforonline.com and suggests downloading the Total Protection 2009 program. I DID NOT download or install anything.

Thanks for your help. The HijackThis log is posted below.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:23:53, on 14-11-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\DWRCS.EXE
C:\Archivos de programa\McAfee\Host Intrusion Prevention\FireSvc.exe
C:\WINDOWS\System32\ibmsmbus.exe
C:\Archivos de programa\Network Associates\Common Framework\FrameworkService.exe
C:\Archivos de programa\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Archivos de programa\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Archivos de programa\Archivos comunes\Lanovation\PrismXL\PRISMXL.SYS
C:\Archivos de programa\IBM\Director\bin\twgipcsv.exe
C:\Archivos de programa\IBM\Director\bin\twgipc.exe
C:\Archivos de programa\IBM\Director\cimom\bin\wmicimserver.exe
C:\Archivos de programa\IBM\Director\bin\twgescli.exe
C:\Archivos de programa\IBM\Director\bin\twgmonit.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Network Associates\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Archivos de programa\Analog Devices\Core\smax4pnp.exe
C:\Archivos de programa\Network Associates\Common Framework\McTray.exe
C:\Archivos de programa\Java\jre1.6.0_07\bin\jusched.exe
C:\Archivos de programa\Winamp\winampa.exe
C:\Archivos de programa\IBM\Director\bin\nfUMSagent.exe
C:\Archivos de programa\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Archivos de programa\McAfee\Host Intrusion Prevention\FireTray.exe
C:\Archivos de programa\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intracorp.cl.bsch/derivador.asp
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://intracorp.cl.bsch/derivador.asp
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://vipinter:8080/array.dll?Get.Routing.Script
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,issictrl.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WinIss - {17D562A6-DA3D-4F87-B659-86CD06473AB5} - C:\WINDOWS\system32\dzhoil.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Archivos de programa\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Archivos de programa\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Archivos de programa\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Archivos de programa\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Archivos de programa\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [ShStatEXE] "C:\Archivos de programa\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [WinampAgent] "C:\Archivos de programa\Winamp\winampa.exe"
O4 - HKCU\..\Run: [INTRANET] http://intracorp.cl.bsch/derivador.asp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Archivos de programa\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = C:\Archivos de programa\Microsoft Firewall Client\ISATRAY.EXE
O4 - Global Startup: McAfee Host Intrusion Prevention Tray.lnk = ?
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development - C:\WINDOWS\SYSTEM32\DWRCS.EXE
O23 - Service: McAfee Host Intrusion Prevention Service (enterceptAgent) - McAfee, Inc. - C:\Archivos de programa\McAfee\Host Intrusion Prevention\FireSvc.exe
O23 - Service: SMBus Upgrade Service for Windows 2000 and above (ibmsmbus) - International Business Machines Corp. - C:\WINDOWS\System32\ibmsmbus.exe
O23 - Service: Servicio del iPod (iPod Service) - Unknown owner - C:\Archivos de programa\iPod\bin\iPodService.exe (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Archivos de programa\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Archivos de programa\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Archivos de programa\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: PrismXL - Lanovation - C:\Archivos de programa\Archivos comunes\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: Reflection Servers - WRQ, Inc. - C:\Archivos de programa\Reflection\rninetd.exe
O23 - Service: IBM Director Support Program (TWGIPC) - IBM Corporation - C:\Archivos de programa\IBM\Director\bin\twgipcsv.exe
O23 - Service: IBM Director Agent WMI CIM Server (wmicimserver) - Unknown owner - C:\Archivos de programa\IBM\Director\cimom\bin\wmicimserver.exe

--
End of file - 7245 bytes
wimpy
Regular Member
 
Posts: 21
Joined: November 14th, 2008, 3:27 pm
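As an added example (the editor's own code, not from the thread, from MalwareRemoval.com or from HijackThis), a small triage script that parses the line formats in the log above and flags the entries a log reader checks first: the extra program chained on the F2 UserInit line, the BHO loaded from system32, the orphaned BHO and service entries, and a Run entry with no path. The sample log is constructed from the thread's entries; the heuristics are assumptions, not HijackThis's own rules.

```python
"""Triage helper for HijackThis-style log lines (added example).

Editor's code, not code from the thread or from Trend Micro HijackThis.
It parses the R1, F2, O2, O4 and O23 line formats that appear in the
posted log and flags patterns worth a closer look. The sample lines are
constructed to mirror the thread's log; each heuristic is an assumption.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample, modelled on the log posted in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://vipinter:8080/array.dll?Get.Routing.Script
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,issictrl.exe
O2 - BHO: WinIss - {17D562A6-DA3D-4F87-B659-86CD06473AB5} - C:\WINDOWS\system32\dzhoil.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O23 - Service: Servicio del iPod (iPod Service) - Unknown owner - C:\Archivos de programa\iPod\bin\iPodService.exe (file missing)
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Archivos de programa\McAfee\VirusScan Enterprise\Mcshield.exe
"""


@dataclass
class Finding:
    kind: str    # HijackThis section prefix: R1, F2, O2, O4 or O23
    reason: str
    line: str


PAC_RE = re.compile(r"^R1 - .*AutoConfigURL = (?P<url>\S+)$")
USERINIT_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<chain>.*)$")
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
SERVICE_RE = re.compile(r"^O23 - Service: (?P<desc>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
# A DLL sitting directly in %SystemRoot%\system32, not in a subfolder.
SYSTEM32_DIRECT_RE = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+$")


def check_line(line: str) -> List[Finding]:
    """Apply every heuristic to one log line; return the findings (possibly none)."""
    found: List[Finding] = []
    m = PAC_RE.match(line)
    if m:
        found.append(Finding("R1", f"proxy auto-config script in use ({m['url']}); "
                             "confirm it belongs to the organisation", line))
    m = USERINIT_RE.match(line)
    if m:
        # Normal value is the system32 userinit.exe alone (a trailing comma is fine).
        parts = [p.strip() for p in m["chain"].split(",") if p.strip()]
        extras = [p for p in parts if not p.lower().endswith(r"\system32\userinit.exe")]
        if extras:
            found.append(Finding("F2", "extra program chained after userinit.exe: "
                                 + ", ".join(extras), line))
    m = BHO_RE.match(line)
    if m:
        path = m["path"]
        if path == "(no file)":
            found.append(Finding("O2", "orphaned BHO registration, no DLL on disk", line))
        elif SYSTEM32_DIRECT_RE.match(path.lower()):
            found.append(Finding("O2", "BHO DLL placed directly in system32; "
                                 "verify publisher and file date", line))
    m = RUN_RE.match(line)
    if m:
        cmd = m["cmd"].strip('"')
        if "\\" not in cmd and "/" not in cmd:
            found.append(Finding("O4", f"Run entry uses a bare file name ({cmd}); "
                                 "which file launches depends on the search path", line))
    m = SERVICE_RE.match(line)
    if m and m["path"].endswith("(file missing)"):
        found.append(Finding("O23", "service registered but its binary is missing", line))
    return found


def triage(log_text: str) -> List[Finding]:
    """Run check_line over every non-empty line of a HijackThis log."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line:
            findings.extend(check_line(line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.reason}\n    {f.line}")
```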

Re: sc.videofreeforonline.com in winamp keygen.exe

Post by Shaba » November 16th, 2008, 6:18 am

Hi wimpy

To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.

You will now be presented with a screen similar to the one below:

[Image: screenshot of the HijackThis Uninstall Manager]

5. Click on the Save list... button and specify where you would like to save this file. When you press the Save button, a Notepad window will open with the contents of that file. Simply copy and paste the contents of that Notepad window here in your next reply.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: sc.videofreeforonline.com in winamp keygen.exe

Post by wimpy » November 17th, 2008, 8:04 am

Hi,

Here's the log.

Thanks

Actualización de seguridad para el Reproductor de Windows Media (KB911564)
Adobe Acrobat 6.0 Professional
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Shockwave Player 11
Apple Software Update
CDex extraction audio
EncFlac 1.1.2
EncVorbis 1.1
Extensión de HighMAT para el Asistente para grabación de CD de Microsoft Windows XP
File Writer output plugin for WinAMP 2 v1.17(c) (remove only)
Google Earth
HijackThis 2.0.2
IBM Director Agent
IBM MQSeries Client V5.1
IBM OnDemand AFP Web Viewer
InFlac 1.1.2a
Intel(R) Graphics Media Accelerator Driver
Intel(R) PRO Network Connections Drivers
Java Development Kit 1.1
Java Plug-in 1.1.3
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6 Update 1
McAfee AntiSpyware Enterprise Module
McAfee Host Intrusion Prevention
McAfee VirusScan Enterprise
Microsoft .NET Framework 2.0
Microsoft Firewall Client
Microsoft Office Professional Edition 2003
Microsoft Project 2000
Microsoft Silverlight
Mozilla Firefox (3.0)
MWLib
Photosynth
QuickTime
Reflection Suite for TCP 7.5
SoundMAX
Winamp
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows Media Format Runtime
Windows Media Player Firefox Plugin
Windows XP Service Pack 2
WinRAR archiver
WinZip
Xerox Phaser 3150
wimpy
Regular Member
 
Posts: 21
Joined: November 14th, 2008, 3:27 pm

Re: sc.videofreeforonline.com in winamp keygen.exe

Post by Shaba » November 17th, 2008, 9:46 am

Uninstall these:

Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) SE Runtime Environment 6 Update 1

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized).
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: sc.videofreeforonline.com in winamp keygen.exe

Post by wimpy » November 17th, 2008, 10:16 am

Hi Shaba,

These are the posts.

I researched the malware I caught and found that, among other things, it installs a couple of .ico files (c, m, p and s) which are icons that end up on the desktop (I immediately deleted the icons on the desktop). The .ico files are installed in C:\WINDOWS\System32.

Thanks


info.txt logfile of random's system information tool 1.04 2008-11-17 11:08:09

======Uninstall list======

-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Actualización de seguridad para el Reproductor de Windows Media (KB911564)-->"C:\WINDOWS\$NtUninstallKB911564$\spuninst\spuninst.exe"
Adobe Acrobat 6.0 Professional-->MsiExec.exe /I{AC76BA86-1033-0000-7760-000000000001}
Adobe Atmosphere Player for Acrobat and Adobe Reader-->C:\WINDOWS\atmoUn.exe
Adobe Flash Player 9 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Shockwave Player 11-->C:\WINDOWS\system32\adobe\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Adobe\SHOCKW~1\Install.log
Apple Software Update-->MsiExec.exe /I{02DFF6B1-1654-411C-8D7B-FD6052EF016F}
CDex extraction audio-->"C:\Archivos de programa\CDex_150\uninstall.exe"
EncFlac 1.1.2-->"C:\Archivos de programa\Winamp\EncFlac-Uninstall.exe"
EncVorbis 1.1-->"C:\Archivos de programa\Winamp\EncVorbis-Uninstall.exe"
Extensión de HighMAT para el Asistente para grabación de CD de Microsoft Windows XP-->MsiExec.exe /X{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}
File Writer output plugin for WinAMP 2 v1.17(c) (remove only)-->"C:\Archivos de programa\Winamp\Plugins\uninstfilewrite.exe"
Google Earth-->RunDll32 C:\ARCHIV~1\ARCHIV~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Archivos de programa\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
HijackThis 2.0.2-->"C:\Archivos de programa\Trend Micro\HijackThis\HijackThis.exe" /uninstall
IBM Director Agent-->MsiExec.exe /I{930B4F57-4AFF-453C-9B06-9371D2616055}
IBM MQSeries Client V5.1-->"C:\Archivos de programa\MQSeries Client\uninst\amqiunin.exe" /u"C:\WINDOWS\ISUN040A.EXE"
IBM OnDemand AFP Web Viewer-->RunDll32 C:\ARCHIV~1\ARCHIV~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Archivos de programa\InstallShield Installation Information\{13AD0029-FB8E-470E-9EFE-84DA4F5A54AB}\Setup.exe" Remove
InFlac 1.1.2a-->"C:\Archivos de programa\Winamp\InFlac-Uninstall.exe"
Intel(R) Graphics Media Accelerator Driver-->RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_2776 PCI\VEN_8086&DEV_2772
Intel(R) PRO Network Connections Drivers-->Prounstl.exe
Java Development Kit 1.1-->C:\WINDOWS\uninst.exe -fd:\clienttfc\jdk1.1.8\lib\DeIsL1.isu
Java Plug-in 1.1.3-->C:\WINDOWS\IsUninst.exe -f"d:\clienttfc\Java Plug-in 1.1\Uninst.isu"
Java(TM) 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
Java(TM) SE Runtime Environment 6 Update 1-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
McAfee AntiSpyware Enterprise Module-->"C:\Archivos de programa\McAfee\VirusScan Enterprise\scan32.exe" /UninstallMAS
McAfee Host Intrusion Prevention-->"C:\Archivos de programa\McAfee\Host Intrusion Prevention\HipManage.exe" -rm -confirm -removeonly
McAfee VirusScan Enterprise-->MsiExec.exe /I{35C03C04-3F1F-42C2-A989-A757EE691F65}
Microsoft .NET Framework 2.0-->C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.exe
Microsoft Firewall Client-->MsiExec.exe /I{8C7A59A8-9ABE-459A-9A93-08C281A4A264}
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{90110C0A-6000-11D3-8CFE-0150048383C9}
Microsoft Project 2000-->MsiExec.exe /I{08B8D820-5A0E-11D3-8A60-00805F9BD2E6}
Microsoft Silverlight-->MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Mozilla Firefox (3.0)-->C:\Archivos de programa\Mozilla Firefox\uninstall\helper.exe
MWLib-->C:\WINDOWS\ST5UNST.EXE -n "C:\WINDOWS\system32\ST5UNST.LOG"
Photosynth-->MsiExec.exe /X{4767A7DE-5B5E-4F91-B122-3CD67CC0C5A0}
QuickTime-->MsiExec.exe /I{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}
Reflection Suite for TCP 7.5-->C:\ARCHIV~1\REFLEC~1\Setup\RSTCP2\Setup.exe /u "C:\Archivos de programa\Reflection\Setup\RSTCP2\UNINSTAL.INF"
SoundMAX-->RunDll32 C:\ARCHIV~1\ARCHIV~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Archivos de programa\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\Setup.exe"
Winamp-->"C:\Archivos de programa\Winamp\UninstWA.exe"
Windows Imaging Component-->"C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Installer 3.1 (KB893803)-->"C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"
Windows Live Messenger-->MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Media Format Runtime-->"C:\Archivos de programa\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Player Firefox Plugin-->MsiExec.exe /I{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}
Windows XP Service Pack 2-->C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe
WinRAR archiver-->C:\Archivos de programa\WinRAR\uninstall.exe
WinZip-->C:\Archivos de programa\WinZip\WINZIP32.EXE /uninstall
Xerox Phaser 3150-->"C:\WINDOWS\ISUN040A.EXE" -f"C:\WINDOWS\P3150PCL.ISU" -c"C:\WINDOWS\system32\P3150PCL.DLL"

======Security center information======

AV: VirusScan Enterprise + AntiSpyware Enterprise
FW: McAfee Host Intrusion Prevention Firewall (disabled)

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"LOGONSERVER"=PDSIT1
"MQSERVER"=BSRFE1.CH/TCP/BSRFE1
"NUMBER_OF_PROCESSORS"=2
"OS"=Windows_NT
"Path"=C:\WINDOWS\system32;C:\WINDOWS;C:\EXPLO\EXE;C:\EXPLO\VBX;C:\EXPLO\DLL;W:\DLL;C:\ARCHIV~1\REFLEC~1;C:\Archivos de programa\Reflection;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;D:\Clienttfc\jdk1.1.8\bin;v:\;x:\;y:\;C:\ORANT\BIN;C:\Archivos de programa\MQSeries Client\bin;Y:\Sybase\Ocs-12_0\dll;C:\Archivos de programa\IBM\Director\bin;C:\Archivos de programa\QuickTime\QTSystem\
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"PDS"=PDSIT1
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 4 Stepping 9, GenuineIntel
"PROCESSOR_LEVEL"=15
"PROCESSOR_REVISION"=0409
"SYBASE"=Y:\SYBASE
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"windir"=%SystemRoot%
"CLASSPATH"=.;C:\Archivos de programa\Java\jre1.6.0_02\lib\ext\QTJava.zip
"QTJAVA"=C:\Archivos de programa\Java\jre1.6.0_02\lib\ext\QTJava.zip
"VSEDEFLOGDIR"=C:\Documents and Settings\All Users\Datos de programa\McAfee\DesktopProtection
"DEFLOGDIR"=C:\Documents and Settings\All Users\Datos de programa\McAfee\DesktopProtection

-----------------EOF-----------------

Logfile of random's system information tool 1.04 (written by random/random)
Run by ABERGOE at 2008-11-17 11:07:54
Microsoft Windows XP Professional Service Pack 2
System drive C: has 972 MB (12%) free of 8 GB
Total RAM: 501 MB (23% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:08:05, on 17-11-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\DWRCS.EXE
C:\Archivos de programa\McAfee\Host Intrusion Prevention\FireSvc.exe
C:\WINDOWS\System32\ibmsmbus.exe
C:\Archivos de programa\Network Associates\Common Framework\FrameworkService.exe
C:\Archivos de programa\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Archivos de programa\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Archivos de programa\Archivos comunes\Lanovation\PrismXL\PRISMXL.SYS
C:\Archivos de programa\IBM\Director\bin\twgipcsv.exe
C:\Archivos de programa\IBM\Director\bin\twgipc.exe
C:\Archivos de programa\IBM\Director\cimom\bin\wmicimserver.exe
C:\Archivos de programa\IBM\Director\bin\twgescli.exe
C:\Archivos de programa\IBM\Director\bin\twgmonit.exe
C:\Archivos de programa\IBM\Director\bin\nfUMSagent.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Network Associates\Common Framework\UdaterUI.exe
C:\Archivos de programa\Network Associates\Common Framework\McTray.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Archivos de programa\Analog Devices\Core\smax4pnp.exe
C:\Archivos de programa\Winamp\winampa.exe
C:\Archivos de programa\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Archivos de programa\McAfee\Host Intrusion Prevention\FireTray.exe
C:\Archivos de programa\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Archivos de programa\Winamp\winamp.exe
C:\WINDOWS\system32\sv.exe
C:\WINDOWS\system32\msiexec.exe
C:\Archivos de programa\Java\jre1.6.0_07\bin\jusched.exe
D:\Mis documentos\Personal\Downloads\Spyware\RSIT\RSIT.exe
C:\Archivos de programa\Trend Micro\HijackThis\ABERGOE.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intracorp.cl.bsch/derivador.asp
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://intracorp.cl.bsch/derivador.asp
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://vipinter:8080/array.dll?Get.Routing.Script
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,issictrl.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WinIss - {17D562A6-DA3D-4F87-B659-86CD06473AB5} - C:\WINDOWS\system32\dzhoil.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Archivos de programa\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Archivos de programa\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Archivos de programa\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Archivos de programa\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Archivos de programa\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [ShStatEXE] "C:\Archivos de programa\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [WinampAgent] "C:\Archivos de programa\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [INTRANET] http://intracorp.cl.bsch/derivador.asp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Archivos de programa\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = C:\Archivos de programa\Microsoft Firewall Client\ISATRAY.EXE
O4 - Global Startup: McAfee Host Intrusion Prevention Tray.lnk = ?
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development - C:\WINDOWS\SYSTEM32\DWRCS.EXE
O23 - Service: McAfee Host Intrusion Prevention Service (enterceptAgent) - McAfee, Inc. - C:\Archivos de programa\McAfee\Host Intrusion Prevention\FireSvc.exe
O23 - Service: SMBus Upgrade Service for Windows 2000 and above (ibmsmbus) - International Business Machines Corp. - C:\WINDOWS\System32\ibmsmbus.exe
O23 - Service: Servicio del iPod (iPod Service) - Unknown owner - C:\Archivos de programa\iPod\bin\iPodService.exe (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Archivos de programa\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Archivos de programa\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Archivos de programa\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: PrismXL - Lanovation - C:\Archivos de programa\Archivos comunes\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: Reflection Servers - WRQ, Inc. - C:\Archivos de programa\Reflection\rninetd.exe
O23 - Service: IBM Director Support Program (TWGIPC) - IBM Corporation - C:\Archivos de programa\IBM\Director\bin\twgipcsv.exe
O23 - Service: IBM Director Agent WMI CIM Server (wmicimserver) - Unknown owner - C:\Archivos de programa\IBM\Director\cimom\bin\wmicimserver.exe

--
End of file - 7469 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\Symantec NetDetect.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Archivos de programa\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll [2003-05-15 50376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{17D562A6-DA3D-4F87-B659-86CD06473AB5}]
WinIss - C:\WINDOWS\system32\dzhoil.dll [2008-11-14 61440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Archivos de programa\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7DB2D5A0-7241-4E79-B68D-6309F01C5231}]
scriptproxy - C:\Archivos de programa\McAfee\VirusScan Enterprise\scriptcl.dll [2008-01-24 66880]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]
AcroIEToolbarHelper Class - C:\Archivos de programa\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll [2003-05-15 147456]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF - C:\Archivos de programa\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll [2003-05-15 147456]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"McAfeeUpdaterUI"=C:\Archivos de programa\Network Associates\Common Framework\UdaterUI.exe [2007-10-25 136512]
"CTHelper"=CTHELPER.EXE []
"igfxtray"=C:\WINDOWS\system32\igfxtray.exe [2005-09-20 94208]
"igfxhkcmd"=C:\WINDOWS\system32\hkcmd.exe [2005-09-20 77824]
"igfxpers"=C:\WINDOWS\system32\igfxpers.exe [2005-09-20 114688]
"SoundMAXPnP"=C:\Archivos de programa\Analog Devices\Core\smax4pnp.exe [2005-05-20 925696]
"QuickTime Task"=C:\Archivos de programa\QuickTime\QTTask.exe [2007-06-29 286720]
"ShStatEXE"=C:\Archivos de programa\McAfee\VirusScan Enterprise\SHSTAT.EXE [2008-01-24 111952]
"WinampAgent"=C:\Archivos de programa\Winamp\winampa.exe [2008-07-09 36352]
"SunJavaUpdateSched"=C:\Archivos de programa\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"INTRANET"=http://intracorp.cl.bsch/derivador.asp []
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-19 15360]

C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio
Acrobat Assistant.lnk - C:\Archivos de programa\Adobe\Acrobat 6.0\Distillr\acrotray.exe
Firewall Client Connectivity Monitor.LNK - C:\Archivos de programa\Microsoft Firewall Client\ISATRAY.EXE
McAfee Host Intrusion Prevention Tray.lnk - C:\Archivos de programa\McAfee\Host Intrusion Prevention\FireTray.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxdev.dll [2005-09-20 135168]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Archivos de programa\Network Associates\Common Framework\FrameworkService.exe"="C:\Archivos de programa\Network Associates\Common Framework\FrameworkService.exe:*:Enabled:McAfee Framework Service"
"C:\Archivos de programa\MSN Messenger\msnmsgr.exe"="C:\Archivos de programa\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Archivos de programa\MSN Messenger\livecall.exe"="C:\Archivos de programa\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Archivos de programa\MSN Messenger\msnmsgr.exe"="C:\Archivos de programa\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Archivos de programa\MSN Messenger\livecall.exe"="C:\Archivos de programa\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

======List of files/folders created in the last 1 months======

2008-11-17 11:07:54 ----D---- C:\rsit
2008-11-17 09:08:12 ----A---- C:\WINDOWS\system32\nel32.dll
2008-11-17 09:08:06 ----A---- C:\WINDOWS\system32\stsb.exe
2008-11-17 09:08:00 ----A---- C:\WINDOWS\system32\sv.exe
2008-11-14 16:14:20 ----D---- C:\Archivos de programa\Trend Micro
2008-11-14 12:38:34 ----A---- C:\WINDOWS\k.txt
2008-11-14 09:37:48 ----A---- C:\WINDOWS\system32\dzhoil.dll

======List of files/folders modified in the last 1 months======

2008-11-17 11:06:33 ----D---- C:\Archivos de programa\Java
2008-11-17 11:06:17 ----D---- C:\WINDOWS\system32
2008-11-17 11:06:15 ----SHD---- C:\WINDOWS\Installer
2008-11-17 10:55:57 ----D---- C:\WINDOWS\Temp
2008-11-17 10:38:16 ----A---- C:\WINDOWS\system32\Fxxplfnt.tmp
2008-11-17 10:11:00 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-11-17 09:08:00 ----A---- C:\WINDOWS\system32\userinit.exe
2008-11-17 09:07:31 ----D---- C:\Archivos de programa\Mozilla Firefox
2008-11-17 08:57:25 ----D---- C:\WINDOWS\Prefetch
2008-11-14 16:14:20 ----RD---- C:\Archivos de programa
2008-11-14 14:50:27 ----A---- C:\WINDOWS\IE4 Error Log.txt
2008-11-14 13:17:57 ----D---- C:\Quarantine
2008-11-14 12:38:34 ----HD---- C:\WINDOWS
2008-11-14 12:01:53 ----A---- C:\WINDOWS\win.ini
2008-11-14 09:23:34 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2008-11-04 16:00:20 ----D---- C:\Documents and Settings\ABERGOE\Datos de programa\AdobeUM
2008-11-03 16:43:38 ----HD---- C:\WINDOWS\inf
2008-11-03 16:43:35 ----D---- C:\WINDOWS\system32\CatRoot2

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 FireHook;McAfee HIP Component FireHook; \??\C:\WINDOWS\system32\Drivers\Firehk5x.sys []
R1 FireTDI;McAfee HIP Component FireTDI; \??\C:\WINDOWS\system32\Drivers\FireTDI.sys []
R1 intelppm;Controlador de procesador Intel; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2004-08-19 40320]
R1 mferkdk;VSCore mferkdk; \??\C:\Archivos de programa\McAfee\VirusScan Enterprise\mferkdk.sys []
R1 mfetdik;McAfee Inc.; C:\WINDOWS\system32\drivers\mfetdik.sys [2008-01-24 52104]
R1 TWGGrab;TWGGrab; C:\WINDOWS\system32\drivers\TWGGrab.sys [2005-02-01 8688]
R2 DgiVecp;Team MFP Comm Driver; C:\WINDOWS\System32\Drivers\DgiVecp.sys [2003-07-29 40448]
R2 PMEM;PMEM; \??\C:\WINDOWS\system32\drivers\pmemnt.sys []
R2 TWGSYSIN;TWGSYSIN; C:\WINDOWS\system32\drivers\TWGSYSIN.sys [2005-02-01 7476]
R3 ADIHdAudAddService;ADI UAA Function Driver for High Definition Audio Service; C:\WINDOWS\system32\drivers\ADIHdAud.sys [2005-07-19 163840]
R3 AEAudioService;AEAudio Service; C:\WINDOWS\system32\drivers\AEAudio.sys [2005-03-04 127872]
R3 e1express;Intel(R) PRO/1000 PCI Express Network Connection Driver; C:\WINDOWS\system32\DRIVERS\e1e5132.sys [2005-03-31 180736]
R3 firelm01;firelm01; \??\C:\WINDOWS\system32\drivers\firelm01.sys []
R3 HDAudBus;Controlador de bus de Microsoft UAA para High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2005-01-07 138752]
R3 HidUsb;Controlador de clases HID de Microsoft; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2001-08-17 9600]
R3 ialm;ialm; C:\WINDOWS\System32\DRIVERS\ialmnt5.sys [2005-09-20 1302332]
R3 mfeapfk;McAfee Inc.; C:\WINDOWS\system32\drivers\mfeapfk.sys [2008-01-24 64232]
R3 mfeavfk;McAfee Inc.; C:\WINDOWS\system32\drivers\mfeavfk.sys [2008-01-24 72936]
R3 mfebopk;McAfee Inc.; C:\WINDOWS\system32\drivers\mfebopk.sys [2008-01-24 33960]
R3 mfehidk;McAfee Inc.; C:\WINDOWS\system32\drivers\mfehidk.sys [2008-01-24 171400]
R3 mouhid;Controlador HID de mouse; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-22 12416]
R3 SenFiltService;SenFilt Service; C:\WINDOWS\system32\drivers\Senfilt.sys [2005-10-27 393088]
R3 SMBusHC;SMBus Host Controller; C:\WINDOWS\system32\DRIVERS\smbushc.sys [2007-04-26 29696]
R3 TPM12;NSC Integrated Trusted Platform Module 1.2; C:\WINDOWS\system32\DRIVERS\nsctpm12.sys [2005-04-21 13056]
R3 usbehci;Controlador minipuerto de la controladora mejorada USB 2.0 de Microsoft; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2004-08-03 26624]
R3 usbhub;Concentrador habilitado USB2; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2004-08-03 57600]
R3 usbuhci;Controlador minipuerto de la controladora de host universal USB de Microsoft; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2004-08-03 20480]
S1 ASPI32;ASPI32; C:\WINDOWS\system32\drivers\ASPI32.sys []
S3 {6080A529-897E-4629-A488-ABA0C29B635E};Intel(R) Graphics Platform (SoftBIOS) Driver; C:\WINDOWS\system32\drivers\ialmsbw.sys [2003-08-03 120094]
S3 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91};Intel(R) Graphics Chipset (KCH) Driver; C:\WINDOWS\system32\drivers\ialmkchw.sys [2003-08-03 96858]
S3 aeaudio;aeaudio; C:\WINDOWS\system32\drivers\aeaudio.sys [2005-03-04 127872]
S3 E100B;Intel(R) PRO Adapter Driver; C:\WINDOWS\System32\DRIVERS\e100b325.sys [2003-03-04 145408]
S3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2003-05-27 578304]
S3 usbprint;Clase de impresora USB de Microsoft; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 25856]
S3 USBSTOR;Dispositivo de almacenamiento masivo de datos USB; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 DWMRCS;DameWare Mini Remote Control; C:\WINDOWS\SYSTEM32\DWRCS.EXE [2002-04-12 249856]
R2 enterceptAgent;McAfee Host Intrusion Prevention Service; C:\Archivos de programa\McAfee\Host Intrusion Prevention\FireSvc.exe [2007-10-01 1150976]
R2 ibmsmbus;SMBus Upgrade Service for Windows 2000 and above; C:\WINDOWS\System32\ibmsmbus.exe [2004-07-06 28160]
R2 McAfeeFramework;McAfee Framework Service; C:\Archivos de programa\Network Associates\Common Framework\FrameworkService.exe [2007-10-25 103744]
R2 McShield;McAfee McShield; C:\Archivos de programa\McAfee\VirusScan Enterprise\Mcshield.exe [2008-01-24 144704]
R2 McTaskManager;McAfee Task Manager; C:\Archivos de programa\McAfee\VirusScan Enterprise\VsTskMgr.exe [2008-01-24 54608]
R2 MDM;Machine Debug Manager; C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
R2 PrismXL;PrismXL; C:\Archivos de programa\Archivos comunes\Lanovation\PrismXL\PRISMXL.SYS [2007-04-26 57344]
R2 TWGIPC;IBM Director Support Program; C:\Archivos de programa\IBM\Director\bin\twgipcsv.exe [2005-02-01 53327]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-01-28 38912]
R2 wmicimserver;IBM Director Agent WMI CIM Server; C:\Archivos de programa\IBM\Director\cimom\bin\wmicimserver.exe [2005-02-03 401408]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 iPod Service;Servicio del iPod; C:\Archivos de programa\iPod\bin\iPodService.exe []
S3 ose;Office Source Engine; C:\Archivos de programa\Archivos comunes\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 Reflection Servers;Reflection Servers; C:\Archivos de programa\Reflection\rninetd.exe [1998-08-28 98816]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Archivos de programa\MSN Messenger\usnsvc.exe [2007-01-19 97136]

-----------------EOF-----------------
wimpy
Regular Member
 
Posts: 21
Joined: November 14th, 2008, 3:27 pm

Re: sc.videofreeforonline.com in winamp keygen.exe

Unread postby Shaba » November 17th, 2008, 11:00 am

Please click this link-->Jotti

Copy/paste the first file on the list into the white Upload a file box and click Submit/Send (depending on whether you are using Jotti or VirusTotal).

C:\WINDOWS\system32\nel32.dll
C:\WINDOWS\system32\stsb.exe
C:\WINDOWS\system32\sv.exe
C:\WINDOWS\system32\dzhoil.dll


Repeat steps for all files on the list.

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: sc.videofreeforonline.com in winamp keygen.exe

Unread postby wimpy » November 17th, 2008, 11:23 am

Hi Shaba,

Used Jotti.

These are the results of the scans.

Thanks

File: nel32.dll
Status:
INFECTED/MALWARE
MD5: d18c1895233c9bbc958c29f02ee8b82f
Packers detected:
-
Scanner results
Scan taken on 17 Nov 2008 15:14:21 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found Trojan.Agent.ALDS
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found Trojan.Spambot.3580
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
G DATA
Found Trojan.Agent.ALDS
Ikarus
Found nothing
Kaspersky Anti-Virus
Found Trojan.Win32.Agent.anwm
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Sophos Antivirus
Found Troj/Agent-IGO
VirusBuster
Found nothing
VBA32
Found nothing

File: stsb.exe
Found Nothing

File: sv.exe
Status:
INFECTED/MALWARE
MD5: b48e703596bd2a7e5f4fe3e3c0ffb769
Packers detected:
-
Scanner results
Scan taken on 17 Nov 2008 15:19:37 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found Trojan.Agent.ALDW
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
G DATA
Found Trojan.Agent.ALDW
Ikarus
Found nothing
Kaspersky Anti-Virus
Found Trojan-Downloader.Win32.Injecter.baq
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Sophos Antivirus
Found Troj/Dloadr-BZS
VirusBuster
Found nothing
VBA32
Found Trojan-Spambot.Win32.Inf

File: dzhoil.dll
Status:
INFECTED/MALWARE
MD5: dae426624a63095b6cdf57067159baab
Packers detected:
-
Scanner results
Scan taken on 17 Nov 2008 15:21:48 (GMT)
A-Squared
Found Trojan.BHO.Agent!IK
AntiVir
Found TR/BHO.Gen
ArcaVir
Found nothing
Avast
Found Win32:Trojan-gen {Other}
AVG Antivirus
Found nothing
BitDefender
Found Trojan.BHO.Agent.AL
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found Trojan.BhoWatcher.26
F-Prot Antivirus
Found W32/Dropper.Q.gen!Eldorado
F-Secure Anti-Virus
Found Trojan.Win32.BHO.iaw
G DATA
Found Win32:Trojan-gen
Ikarus
Found nothing
Kaspersky Anti-Virus
Found Trojan.Win32.BHO.iaw
NOD32
Found a variant of Win32/Adware.IeDefender.NHN application
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Sophos Antivirus
Found Troj/BHO-IA
VirusBuster
Found nothing
VBA32
Found Trojan.Win32.BHO.iaw
wimpy
Regular Member
 
Posts: 21
Joined: November 14th, 2008, 3:27 pm

Re: sc.videofreeforonline.com in winamp keygen.exe

Unread postby Shaba » November 17th, 2008, 11:29 am

Thank you for that.

We need samples.

Download suspicious file packer from here

Unzip it to desktop, open it & paste in the list of files below, press next & it will create an archive (zip/cab file) on desktop

C:\WINDOWS\system32\nel32.dll
C:\WINDOWS\system32\stsb.exe
C:\WINDOWS\system32\sv.exe
C:\WINDOWS\system32\dzhoil.dll

Go to spykiller

Press new topic, make the thread's title "Files for Shaba"
Include in your message a link to here, then attach the cab/zip file to your message and post the topic
If you can't locate it through the browse button, just copy/paste the filename and path.

Reply here after that and we will continue :)
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: sc.videofreeforonline.com in winamp keygen.exe

Unread postby wimpy » November 17th, 2008, 11:42 am

Hi Shaba,

Homework done.

Just one thing, in a hurry wrote "Files for Shaba" as the user and this thread's name as the title.

Thanks
wimpy
Regular Member
 
Posts: 21
Joined: November 14th, 2008, 3:27 pm

Re: sc.videofreeforonline.com in winamp keygen.exe

Unread postby Shaba » November 17th, 2008, 11:53 am

Thank you :)

Open HijackThis, click do a system scan only and checkmark this:

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,issictrl.exe

Close all windows including browser and press fix checked.

Reboot.

Please download the OTMoveIt3 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :files
    C:\WINDOWS\system32\nel32.dll
    C:\WINDOWS\system32\stsb.exe
    C:\WINDOWS\system32\sv.exe
    C:\WINDOWS\system32\dzhoil.dll
    C:\WINDOWS\k.txt
    C:\WINDOWS\system32\Fxxplfnt.tmp
    
    :reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{17D562A6-DA3D-4F87-B659-86CD06473AB5}]
    
    :commands
    [EmptyTemp]
    
    

  • Return to OTMoveIt3, right click in the "Paste List of Files/Folders to Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Re-run rsit.

Post:

- rsit log (only log.txt will appear this time)
- otmoveit3 log
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland
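The two posts above carry the analyst's reasoning in compressed form: the multi-engine scan says which files are malicious, the HijackThis lines say how they get loaded (the WinIss BHO key for dzhoil.dll, the extra program appended to the Winlogon UserInit value), and the OTMoveIt3 script lists both the files and the load point. The following is an added example of that reasoning as code; it is my own illustration, not code from this thread, from Shaba, or from any of the tools mentioned. The log lines and scan results are constructed from the output posted above (dzhoil.dll's hit list is a subset), the two-engine threshold is my choice, and the :files/:reg/:commands layout is copied from the script in the thread, not taken from any tool specification.

```python
import re

# Constructed sample input: the F2 UserInit line Shaba asked to fix, plus BHO
# and Run lines copied from the RSIT/HijackThis log posted in this thread.
HJT_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,issictrl.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WinIss - {17D562A6-DA3D-4F87-B659-86CD06473AB5} - C:\WINDOWS\system32\dzhoil.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [WinampAgent] "C:\Archivos de programa\Winamp\winampa.exe"
"""

# Constructed from the Jotti results posted above: engine -> detection name.
# Engines that found nothing are omitted; dzhoil.dll is a subset of its 12 hits.
SCAN_RESULTS = {
    r"C:\WINDOWS\system32\nel32.dll": {
        "BitDefender": "Trojan.Agent.ALDS", "Dr.Web": "Trojan.Spambot.3580",
        "G DATA": "Trojan.Agent.ALDS", "Kaspersky Anti-Virus": "Trojan.Win32.Agent.anwm",
        "Sophos Antivirus": "Troj/Agent-IGO"},
    r"C:\WINDOWS\system32\stsb.exe": {},
    r"C:\WINDOWS\system32\sv.exe": {
        "BitDefender": "Trojan.Agent.ALDW", "G DATA": "Trojan.Agent.ALDW",
        "Kaspersky Anti-Virus": "Trojan-Downloader.Win32.Injecter.baq",
        "Sophos Antivirus": "Troj/Dloadr-BZS", "VBA32": "Trojan-Spambot.Win32.Inf"},
    r"C:\WINDOWS\system32\dzhoil.dll": {
        "AntiVir": "TR/BHO.Gen", "BitDefender": "Trojan.BHO.Agent.AL",
        "Kaspersky Anti-Virus": "Trojan.Win32.BHO.iaw", "Sophos Antivirus": "Troj/BHO-IA"},
}

BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
USERINIT_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<path>.*)$")


def parse_hjt(text):
    """Turn HijackThis-style lines into load-point records (BHO, Run, UserInit)."""
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        if m := BHO_RE.match(line):
            entries.append({"kind": "BHO", "name": m["name"], "path": m["path"],
                            "regkey": BHO_KEY + "\\" + m["clsid"]})
        elif m := RUN_RE.match(line):
            # Run entries are values under the Run key, so regkey is the key only.
            entries.append({"kind": "Run", "name": m["name"], "path": m["path"].strip('"'),
                            "regkey": m["hive"] + r"\Software\Microsoft\Windows\CurrentVersion\Run"})
        elif m := USERINIT_RE.match(line):
            programs = [p.strip() for p in m["value"].split(",") if p.strip()]
            entries.append({"kind": "UserInit", "programs": programs})
    return entries


def userinit_extras(entries):
    """Programs appended to the Winlogon UserInit value. A clean XP install runs
    only userinit.exe from it, so any extra program is a logon persistence hook."""
    return [p for e in entries if e["kind"] == "UserInit"
            for p in e["programs"] if not p.lower().endswith("userinit.exe")]


def orphan_bhos(entries):
    """Registry keys of BHO registrations whose DLL no longer exists ('(no file)')."""
    return [e["regkey"] for e in entries if e["kind"] == "BHO" and e["path"] == "(no file)"]


def flagged_files(scan_results, min_engines=2):
    """Files detected by at least min_engines engines (threshold is my choice)."""
    return sorted(p for p, hits in scan_results.items() if len(hits) >= min_engines)


def load_points(entries, paths):
    """Map each file path to the registry keys that load it (case-insensitive match)."""
    wanted = {p.lower(): p for p in paths}
    found = {p: [] for p in paths}
    for e in entries:
        orig = wanted.get(e.get("path", "").lower())
        if orig is not None:
            found[orig].append(e["regkey"])
    return found


def removal_script(entries, scan_results, extra_files=()):
    """Assemble a script in the :files/:reg/:commands layout seen in the thread.
    extra_files covers files added on other evidence, e.g. stsb.exe (no engine
    hits, but created in the same minute as nel32.dll and sv.exe). Only BHO keys
    go under :reg; a Run entry would need a value delete, not a key delete."""
    files = flagged_files(scan_results) + list(extra_files)
    keys = sorted({k for ks in load_points(entries, files).values()
                   for k in ks if k.startswith(BHO_KEY)})
    lines = [":files", *files]
    if keys:
        lines += ["", ":reg", *[f"[-{k}]" for k in keys]]
    return "\n".join(lines + ["", ":commands", "[EmptyTemp]"])


if __name__ == "__main__":
    entries = parse_hjt(HJT_LOG)
    print("UserInit extras:", userinit_extras(entries))
    print("orphan BHOs:", orphan_bhos(entries))
    print(removal_script(entries, SCAN_RESULTS, extra_files=[r"C:\WINDOWS\system32\stsb.exe"]))
```

Running it reproduces the structure of Shaba's script from the evidence alone: the three files with engine hits, the BHO key that loads dzhoil.dll, and issictrl.exe as the foreign entry in UserInit. The orphan BHO with "(no file)" is reported separately because it is dead weight rather than an active load point.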

Re: sc.videofreeforonline.com in winamp keygen.exe

Unread postby wimpy » November 17th, 2008, 1:05 pm

Hi Shaba,

Now something weird happened following your instructions (in my experience nothing is plain vanilla easy as some people tend to post...)

Let's get on with this. After running HijackThis and fixing the F2 - REG.... line, rebooted. However, after the reboot, the PC decided that it wanted to reboot again on its own. The "System is going for reboot in 5... 4... 3... 2..." box appeared and froze during the reboot process.

After manually shutting down the system (i.e. pressed the power button until it shut off), turned it on again without any problems (seemingly).

Downloaded OTMoveIt3, ran the app, copied the code lines and pressed the red MoveIt button. The app did something very quickly and then closed. No log, no script under the green bar. Did the process again, same results. System did not go for another reboot.

Searched for the log you suggested further on, to no avail.

Ran RSIT. Log is posted below. There is no OTMoveIt3 log (or could not find it, even searching for it).

Thanks

Logfile of random's system information tool 1.04 (written by random/random)
Run by ABERGOE at 2008-11-17 13:54:57
Microsoft Windows XP Professional Service Pack 2
System drive C: has 1 GB (13%) free of 8 GB
Total RAM: 501 MB (20% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:55:05, on 17-11-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\DWRCS.EXE
C:\Archivos de programa\McAfee\Host Intrusion Prevention\FireSvc.exe
C:\WINDOWS\System32\ibmsmbus.exe
C:\Archivos de programa\Network Associates\Common Framework\FrameworkService.exe
C:\Archivos de programa\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Archivos de programa\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Archivos de programa\Archivos comunes\Lanovation\PrismXL\PRISMXL.SYS
C:\Archivos de programa\IBM\Director\bin\twgipcsv.exe
C:\Archivos de programa\IBM\Director\bin\twgipc.exe
C:\Archivos de programa\IBM\Director\cimom\bin\wmicimserver.exe
C:\Archivos de programa\IBM\Director\bin\twgescli.exe
C:\Archivos de programa\IBM\Director\bin\twgmonit.exe
C:\Archivos de programa\IBM\Director\bin\nfUMSagent.exe
C:\WINDOWS\SYSTEM32\Userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Network Associates\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Archivos de programa\Network Associates\Common Framework\McTray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Archivos de programa\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\userinit.exe
C:\Archivos de programa\Winamp\winampa.exe
C:\Archivos de programa\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Archivos de programa\McAfee\Host Intrusion Prevention\FireTray.exe
C:\Archivos de programa\Mozilla Firefox\firefox.exe
D:\Mis documentos\Personal\Downloads\Spyware\RSIT\RSIT.exe
C:\Archivos de programa\Trend Micro\HijackThis\ABERGOE.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intracorp.cl.bsch/derivador.asp
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://intracorp.cl.bsch/derivador.asp
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://vipinter:8080/array.dll?Get.Routing.Script
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WinIss - {17D562A6-DA3D-4F87-B659-86CD06473AB5} - C:\WINDOWS\system32\dzhoil.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Archivos de programa\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Archivos de programa\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Archivos de programa\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Archivos de programa\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Archivos de programa\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [ShStatEXE] "C:\Archivos de programa\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [WinampAgent] "C:\Archivos de programa\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [INTRANET] http://intracorp.cl.bsch/derivador.asp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Archivos de programa\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = C:\Archivos de programa\Microsoft Firewall Client\ISATRAY.EXE
O4 - Global Startup: McAfee Host Intrusion Prevention Tray.lnk = ?
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development - C:\WINDOWS\SYSTEM32\DWRCS.EXE
O23 - Service: McAfee Host Intrusion Prevention Service (enterceptAgent) - McAfee, Inc. - C:\Archivos de programa\McAfee\Host Intrusion Prevention\FireSvc.exe
O23 - Service: SMBus Upgrade Service for Windows 2000 and above (ibmsmbus) - International Business Machines Corp. - C:\WINDOWS\System32\ibmsmbus.exe
O23 - Service: Servicio del iPod (iPod Service) - Unknown owner - C:\Archivos de programa\iPod\bin\iPodService.exe (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Archivos de programa\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Archivos de programa\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Archivos de programa\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: PrismXL - Lanovation - C:\Archivos de programa\Archivos comunes\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: Reflection Servers - WRQ, Inc. - C:\Archivos de programa\Reflection\rninetd.exe
O23 - Service: IBM Director Support Program (TWGIPC) - IBM Corporation - C:\Archivos de programa\IBM\Director\bin\twgipcsv.exe
O23 - Service: IBM Director Agent WMI CIM Server (wmicimserver) - Unknown owner - C:\Archivos de programa\IBM\Director\cimom\bin\wmicimserver.exe

--
End of file - 7327 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\Symantec NetDetect.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Archivos de programa\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll [2003-05-15 50376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{17D562A6-DA3D-4F87-B659-86CD06473AB5}]
WinIss - C:\WINDOWS\system32\dzhoil.dll [2008-11-14 61440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Archivos de programa\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7DB2D5A0-7241-4E79-B68D-6309F01C5231}]
scriptproxy - C:\Archivos de programa\McAfee\VirusScan Enterprise\scriptcl.dll [2008-01-24 66880]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]
AcroIEToolbarHelper Class - C:\Archivos de programa\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll [2003-05-15 147456]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF - C:\Archivos de programa\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll [2003-05-15 147456]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"McAfeeUpdaterUI"=C:\Archivos de programa\Network Associates\Common Framework\UdaterUI.exe [2007-10-25 136512]
"CTHelper"=CTHELPER.EXE []
"igfxtray"=C:\WINDOWS\system32\igfxtray.exe [2005-09-20 94208]
"igfxhkcmd"=C:\WINDOWS\system32\hkcmd.exe [2005-09-20 77824]
"igfxpers"=C:\WINDOWS\system32\igfxpers.exe [2005-09-20 114688]
"SoundMAXPnP"=C:\Archivos de programa\Analog Devices\Core\smax4pnp.exe [2005-05-20 925696]
"QuickTime Task"=C:\Archivos de programa\QuickTime\QTTask.exe [2007-06-29 286720]
"ShStatEXE"=C:\Archivos de programa\McAfee\VirusScan Enterprise\SHSTAT.EXE [2008-01-24 111952]
"WinampAgent"=C:\Archivos de programa\Winamp\winampa.exe [2008-07-09 36352]
"SunJavaUpdateSched"=C:\Archivos de programa\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"INTRANET"=http://intracorp.cl.bsch/derivador.asp []
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-19 15360]

C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio
Acrobat Assistant.lnk - C:\Archivos de programa\Adobe\Acrobat 6.0\Distillr\acrotray.exe
Firewall Client Connectivity Monitor.LNK - C:\Archivos de programa\Microsoft Firewall Client\ISATRAY.EXE
McAfee Host Intrusion Prevention Tray.lnk - C:\Archivos de programa\McAfee\Host Intrusion Prevention\FireTray.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxdev.dll [2005-09-20 135168]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Archivos de programa\Network Associates\Common Framework\FrameworkService.exe"="C:\Archivos de programa\Network Associates\Common Framework\FrameworkService.exe:*:Enabled:McAfee Framework Service"
"C:\Archivos de programa\MSN Messenger\msnmsgr.exe"="C:\Archivos de programa\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Archivos de programa\MSN Messenger\livecall.exe"="C:\Archivos de programa\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Archivos de programa\MSN Messenger\msnmsgr.exe"="C:\Archivos de programa\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Archivos de programa\MSN Messenger\livecall.exe"="C:\Archivos de programa\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

======List of files/folders created in the last 1 months======

2008-11-17 13:15:10 ----A---- C:\WINDOWS\nel2.ini
2008-11-17 11:07:54 ----D---- C:\rsit
2008-11-17 09:08:12 ----A---- C:\WINDOWS\system32\nel32.dll
2008-11-17 09:08:06 ----A---- C:\WINDOWS\system32\stsb.exe
2008-11-17 09:08:00 ----A---- C:\WINDOWS\system32\sv.exe
2008-11-14 16:14:20 ----D---- C:\Archivos de programa\Trend Micro
2008-11-14 12:38:34 ----A---- C:\WINDOWS\k.txt
2008-11-14 09:37:48 ----A---- C:\WINDOWS\system32\dzhoil.dll

======List of files/folders modified in the last 1 months======

2008-11-17 13:55:04 ----D---- C:\WINDOWS\Prefetch
2008-11-17 13:48:31 ----A---- C:\WINDOWS\IE4 Error Log.txt
2008-11-17 13:47:21 ----D---- C:\Archivos de programa\Mozilla Firefox
2008-11-17 13:47:16 ----D---- C:\WINDOWS\Temp
2008-11-17 13:45:58 ----D---- C:\Quarantine
2008-11-17 13:45:54 ----SHD---- C:\WINDOWS\CSC
2008-11-17 13:31:00 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-11-17 13:15:10 ----HD---- C:\WINDOWS
2008-11-17 13:00:55 ----A---- C:\WINDOWS\win.ini
2008-11-17 12:58:04 ----A---- C:\WINDOWS\system32\Fxxplfnt.tmp
2008-11-17 11:06:43 ----SHD---- C:\WINDOWS\Installer
2008-11-17 11:06:33 ----D---- C:\Archivos de programa\Java
2008-11-17 11:06:17 ----D---- C:\WINDOWS\system32
2008-11-17 09:08:00 ----A---- C:\WINDOWS\system32\userinit.exe
2008-11-14 16:14:20 ----RD---- C:\Archivos de programa
2008-11-14 09:23:34 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2008-11-04 16:00:20 ----D---- C:\Documents and Settings\ABERGOE\Datos de programa\AdobeUM
2008-11-03 16:43:38 ----HD---- C:\WINDOWS\inf
2008-11-03 16:43:35 ----D---- C:\WINDOWS\system32\CatRoot2

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 FireHook;McAfee HIP Component FireHook; \??\C:\WINDOWS\system32\Drivers\Firehk5x.sys []
R1 FireTDI;McAfee HIP Component FireTDI; \??\C:\WINDOWS\system32\Drivers\FireTDI.sys []
R1 intelppm;Controlador de procesador Intel; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2004-08-19 40320]
R1 mferkdk;VSCore mferkdk; \??\C:\Archivos de programa\McAfee\VirusScan Enterprise\mferkdk.sys []
R1 mfetdik;McAfee Inc.; C:\WINDOWS\system32\drivers\mfetdik.sys [2008-01-24 52104]
R1 TWGGrab;TWGGrab; C:\WINDOWS\system32\drivers\TWGGrab.sys [2005-02-01 8688]
R2 DgiVecp;Team MFP Comm Driver; C:\WINDOWS\System32\Drivers\DgiVecp.sys [2003-07-29 40448]
R2 PMEM;PMEM; \??\C:\WINDOWS\system32\drivers\pmemnt.sys []
R2 TWGSYSIN;TWGSYSIN; C:\WINDOWS\system32\drivers\TWGSYSIN.sys [2005-02-01 7476]
R3 ADIHdAudAddService;ADI UAA Function Driver for High Definition Audio Service; C:\WINDOWS\system32\drivers\ADIHdAud.sys [2005-07-19 163840]
R3 AEAudioService;AEAudio Service; C:\WINDOWS\system32\drivers\AEAudio.sys [2005-03-04 127872]
R3 e1express;Intel(R) PRO/1000 PCI Express Network Connection Driver; C:\WINDOWS\system32\DRIVERS\e1e5132.sys [2005-03-31 180736]
R3 firelm01;firelm01; \??\C:\WINDOWS\system32\drivers\firelm01.sys []
R3 HDAudBus;Controlador de bus de Microsoft UAA para High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2005-01-07 138752]
R3 HidUsb;Controlador de clases HID de Microsoft; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2001-08-17 9600]
R3 ialm;ialm; C:\WINDOWS\System32\DRIVERS\ialmnt5.sys [2005-09-20 1302332]
R3 mfeapfk;McAfee Inc.; C:\WINDOWS\system32\drivers\mfeapfk.sys [2008-01-24 64232]
R3 mfeavfk;McAfee Inc.; C:\WINDOWS\system32\drivers\mfeavfk.sys [2008-01-24 72936]
R3 mfebopk;McAfee Inc.; C:\WINDOWS\system32\drivers\mfebopk.sys [2008-01-24 33960]
R3 mfehidk;McAfee Inc.; C:\WINDOWS\system32\drivers\mfehidk.sys [2008-01-24 171400]
R3 mouhid;Controlador HID de mouse; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-22 12416]
R3 SenFiltService;SenFilt Service; C:\WINDOWS\system32\drivers\Senfilt.sys [2005-10-27 393088]
R3 SMBusHC;SMBus Host Controller; C:\WINDOWS\system32\DRIVERS\smbushc.sys [2007-04-26 29696]
R3 TPM12;NSC Integrated Trusted Platform Module 1.2; C:\WINDOWS\system32\DRIVERS\nsctpm12.sys [2005-04-21 13056]
R3 usbehci;Controlador minipuerto de la controladora mejorada USB 2.0 de Microsoft; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2004-08-03 26624]
R3 usbhub;Concentrador habilitado USB2; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2004-08-03 57600]
R3 usbprint;Clase de impresora USB de Microsoft; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 25856]
R3 usbuhci;Controlador minipuerto de la controladora de host universal USB de Microsoft; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2004-08-03 20480]
S1 ASPI32;ASPI32; C:\WINDOWS\system32\drivers\ASPI32.sys []
S3 {6080A529-897E-4629-A488-ABA0C29B635E};Intel(R) Graphics Platform (SoftBIOS) Driver; C:\WINDOWS\system32\drivers\ialmsbw.sys [2003-08-03 120094]
S3 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91};Intel(R) Graphics Chipset (KCH) Driver; C:\WINDOWS\system32\drivers\ialmkchw.sys [2003-08-03 96858]
S3 aeaudio;aeaudio; C:\WINDOWS\system32\drivers\aeaudio.sys [2005-03-04 127872]
S3 E100B;Intel(R) PRO Adapter Driver; C:\WINDOWS\System32\DRIVERS\e100b325.sys [2003-03-04 145408]
S3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2003-05-27 578304]
S3 USBSTOR;Dispositivo de almacenamiento masivo de datos USB; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 DWMRCS;DameWare Mini Remote Control; C:\WINDOWS\SYSTEM32\DWRCS.EXE [2002-04-12 249856]
R2 enterceptAgent;McAfee Host Intrusion Prevention Service; C:\Archivos de programa\McAfee\Host Intrusion Prevention\FireSvc.exe [2007-10-01 1150976]
R2 ibmsmbus;SMBus Upgrade Service for Windows 2000 and above; C:\WINDOWS\System32\ibmsmbus.exe [2004-07-06 28160]
R2 McAfeeFramework;McAfee Framework Service; C:\Archivos de programa\Network Associates\Common Framework\FrameworkService.exe [2007-10-25 103744]
R2 McShield;McAfee McShield; C:\Archivos de programa\McAfee\VirusScan Enterprise\Mcshield.exe [2008-01-24 144704]
R2 McTaskManager;McAfee Task Manager; C:\Archivos de programa\McAfee\VirusScan Enterprise\VsTskMgr.exe [2008-01-24 54608]
R2 MDM;Machine Debug Manager; C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
R2 PrismXL;PrismXL; C:\Archivos de programa\Archivos comunes\Lanovation\PrismXL\PRISMXL.SYS [2007-04-26 57344]
R2 TWGIPC;IBM Director Support Program; C:\Archivos de programa\IBM\Director\bin\twgipcsv.exe [2005-02-01 53327]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-01-28 38912]
R2 wmicimserver;IBM Director Agent WMI CIM Server; C:\Archivos de programa\IBM\Director\cimom\bin\wmicimserver.exe [2005-02-03 401408]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 iPod Service;Servicio del iPod; C:\Archivos de programa\iPod\bin\iPodService.exe []
S3 ose;Office Source Engine; C:\Archivos de programa\Archivos comunes\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 Reflection Servers;Reflection Servers; C:\Archivos de programa\Reflection\rninetd.exe [1998-08-28 98816]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Archivos de programa\MSN Messenger\usnsvc.exe [2007-01-19 97136]

-----------------EOF-----------------
wimpy
Regular Member
 
Posts: 21
Joined: November 14th, 2008, 3:27 pm

Re: sc.videofreeforonline.com in winamp keygen.exe

Unread postby Shaba » November 17th, 2008, 1:09 pm

Please download the Killbox.
Save it to the desktop.

Please run Killbox.

Select "Delete on Reboot" and "All files"

Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\system32\nel32.dll
C:\WINDOWS\system32\stsb.exe
C:\WINDOWS\system32\sv.exe
C:\WINDOWS\system32\dzhoil.dll
C:\WINDOWS\k.txt
C:\WINDOWS\system32\Fxxplfnt.tmp

Go to the File menu, and choose "Paste from Clipboard".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.

If your computer does not restart automatically, please restart it manually.

Re-run rsit.

Post:

- rsit log (only log.txt will appear this time)
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: sc.videofreeforonline.com in winamp keygen.exe

Unread postby wimpy » November 17th, 2008, 1:40 pm

Hi Shaba,

Here's the post from RSIT.

Had trouble deleting the nel32.dll file the first time. Then selected the delete & reboot option and clicked on all files. Clicked delete and then rebooted. As expected, the system froze on reboot.

Now however, when the system came up again, it does not run the explorer.exe daemon, so I don't have a proper desktop. Mouse is on, can press ctrl+alt+supr and invoke Task Manager and manually make explorer.exe run and have a desktop again.

Any ideas on how to solve this last issue?

Here is RSIT's last post.

Thanks

Logfile of random's system information tool 1.04 (written by random/random)
Run by ABERGOE at 2008-11-17 14:35:19
Microsoft Windows XP Professional Service Pack 2
System drive C: has 1 GB (13%) free of 8 GB
Total RAM: 501 MB (24% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:35:23, on 17-11-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\DWRCS.EXE
C:\Archivos de programa\McAfee\Host Intrusion Prevention\FireSvc.exe
C:\WINDOWS\System32\ibmsmbus.exe
C:\Archivos de programa\Network Associates\Common Framework\FrameworkService.exe
C:\Archivos de programa\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Archivos de programa\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Archivos de programa\Archivos comunes\Lanovation\PrismXL\PRISMXL.SYS
C:\Archivos de programa\IBM\Director\bin\twgipcsv.exe
C:\Archivos de programa\IBM\Director\bin\twgipc.exe
C:\Archivos de programa\IBM\Director\cimom\bin\wmicimserver.exe
C:\Archivos de programa\IBM\Director\bin\twgescli.exe
C:\Archivos de programa\IBM\Director\bin\twgmonit.exe
C:\Archivos de programa\IBM\Director\bin\nfUMSagent.exe
C:\WINDOWS\SYSTEM32\Userinit.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\explorer.exe
C:\Archivos de programa\Network Associates\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Archivos de programa\Analog Devices\Core\smax4pnp.exe
C:\Archivos de programa\Network Associates\Common Framework\McTray.exe
C:\Archivos de programa\Winamp\winampa.exe
C:\Archivos de programa\Java\jre1.6.0_07\bin\jusched.exe
C:\Archivos de programa\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Archivos de programa\McAfee\Host Intrusion Prevention\FireTray.exe
D:\Mis documentos\Personal\Downloads\Spyware\RSIT\RSIT.exe
C:\Archivos de programa\Trend Micro\HijackThis\ABERGOE.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intracorp.cl.bsch/derivador.asp
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://intracorp.cl.bsch/derivador.asp
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://vipinter:8080/array.dll?Get.Routing.Script
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WinIss - {17D562A6-DA3D-4F87-B659-86CD06473AB5} - C:\WINDOWS\system32\dzhoil.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Archivos de programa\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Archivos de programa\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Archivos de programa\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Archivos de programa\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Archivos de programa\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [ShStatEXE] "C:\Archivos de programa\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [WinampAgent] "C:\Archivos de programa\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [INTRANET] http://intracorp.cl.bsch/derivador.asp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Archivos de programa\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = C:\Archivos de programa\Microsoft Firewall Client\ISATRAY.EXE
O4 - Global Startup: McAfee Host Intrusion Prevention Tray.lnk = ?
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development - C:\WINDOWS\SYSTEM32\DWRCS.EXE
O23 - Service: McAfee Host Intrusion Prevention Service (enterceptAgent) - McAfee, Inc. - C:\Archivos de programa\McAfee\Host Intrusion Prevention\FireSvc.exe
O23 - Service: SMBus Upgrade Service for Windows 2000 and above (ibmsmbus) - International Business Machines Corp. - C:\WINDOWS\System32\ibmsmbus.exe
O23 - Service: Servicio del iPod (iPod Service) - Unknown owner - C:\Archivos de programa\iPod\bin\iPodService.exe (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Archivos de programa\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Archivos de programa\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Archivos de programa\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: PrismXL - Lanovation - C:\Archivos de programa\Archivos comunes\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: Reflection Servers - WRQ, Inc. - C:\Archivos de programa\Reflection\rninetd.exe
O23 - Service: IBM Director Support Program (TWGIPC) - IBM Corporation - C:\Archivos de programa\IBM\Director\bin\twgipcsv.exe
O23 - Service: IBM Director Agent WMI CIM Server (wmicimserver) - Unknown owner - C:\Archivos de programa\IBM\Director\cimom\bin\wmicimserver.exe

--
End of file - 7375 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\Symantec NetDetect.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Archivos de programa\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll [2003-05-15 50376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{17D562A6-DA3D-4F87-B659-86CD06473AB5}]
WinIss - C:\WINDOWS\system32\dzhoil.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Archivos de programa\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7DB2D5A0-7241-4E79-B68D-6309F01C5231}]
scriptproxy - C:\Archivos de programa\McAfee\VirusScan Enterprise\scriptcl.dll [2008-01-24 66880]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]
AcroIEToolbarHelper Class - C:\Archivos de programa\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll [2003-05-15 147456]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF - C:\Archivos de programa\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll [2003-05-15 147456]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"McAfeeUpdaterUI"=C:\Archivos de programa\Network Associates\Common Framework\UdaterUI.exe [2007-10-25 136512]
"CTHelper"=CTHELPER.EXE []
"igfxtray"=C:\WINDOWS\system32\igfxtray.exe [2005-09-20 94208]
"igfxhkcmd"=C:\WINDOWS\system32\hkcmd.exe [2005-09-20 77824]
"igfxpers"=C:\WINDOWS\system32\igfxpers.exe [2005-09-20 114688]
"SoundMAXPnP"=C:\Archivos de programa\Analog Devices\Core\smax4pnp.exe [2005-05-20 925696]
"QuickTime Task"=C:\Archivos de programa\QuickTime\QTTask.exe [2007-06-29 286720]
"ShStatEXE"=C:\Archivos de programa\McAfee\VirusScan Enterprise\SHSTAT.EXE [2008-01-24 111952]
"WinampAgent"=C:\Archivos de programa\Winamp\winampa.exe [2008-07-09 36352]
"SunJavaUpdateSched"=C:\Archivos de programa\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"INTRANET"=http://intracorp.cl.bsch/derivador.asp []
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-19 15360]

C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio
Acrobat Assistant.lnk - C:\Archivos de programa\Adobe\Acrobat 6.0\Distillr\acrotray.exe
Firewall Client Connectivity Monitor.LNK - C:\Archivos de programa\Microsoft Firewall Client\ISATRAY.EXE
McAfee Host Intrusion Prevention Tray.lnk - C:\Archivos de programa\McAfee\Host Intrusion Prevention\FireTray.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxdev.dll [2005-09-20 135168]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Archivos de programa\Network Associates\Common Framework\FrameworkService.exe"="C:\Archivos de programa\Network Associates\Common Framework\FrameworkService.exe:*:Enabled:McAfee Framework Service"
"C:\Archivos de programa\MSN Messenger\msnmsgr.exe"="C:\Archivos de programa\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Archivos de programa\MSN Messenger\livecall.exe"="C:\Archivos de programa\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Archivos de programa\MSN Messenger\msnmsgr.exe"="C:\Archivos de programa\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Archivos de programa\MSN Messenger\livecall.exe"="C:\Archivos de programa\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

======List of files/folders created in the last 1 months======

2008-11-17 14:24:34 ----A---- C:\WINDOWS\system32\nel32.dll
2008-11-17 14:19:01 ----D---- C:\!KillBox
2008-11-17 13:15:10 ----A---- C:\WINDOWS\nel2.ini
2008-11-17 11:07:54 ----D---- C:\rsit
2008-11-14 16:14:20 ----D---- C:\Archivos de programa\Trend Micro

======List of files/folders modified in the last 1 months======

2008-11-17 14:34:05 ----D---- C:\WINDOWS\Prefetch
2008-11-17 14:34:05 ----D---- C:\Archivos de programa\Mozilla Firefox
2008-11-17 14:33:13 ----D---- C:\WINDOWS\Temp
2008-11-17 14:31:53 ----SHD---- C:\WINDOWS\CSC
2008-11-17 14:24:34 ----D---- C:\WINDOWS\system32
2008-11-17 14:23:56 ----HD---- C:\WINDOWS
2008-11-17 13:48:31 ----A---- C:\WINDOWS\IE4 Error Log.txt
2008-11-17 13:45:58 ----D---- C:\Quarantine
2008-11-17 13:31:00 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-11-17 13:00:55 ----A---- C:\WINDOWS\win.ini
2008-11-17 11:06:43 ----SHD---- C:\WINDOWS\Installer
2008-11-17 11:06:33 ----D---- C:\Archivos de programa\Java
2008-11-17 09:08:00 ----A---- C:\WINDOWS\system32\userinit.exe
2008-11-14 16:14:20 ----RD---- C:\Archivos de programa
2008-11-14 09:23:34 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2008-11-04 16:00:20 ----D---- C:\Documents and Settings\ABERGOE\Datos de programa\AdobeUM
2008-11-03 16:43:38 ----HD---- C:\WINDOWS\inf
2008-11-03 16:43:35 ----D---- C:\WINDOWS\system32\CatRoot2

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 FireHook;McAfee HIP Component FireHook; \??\C:\WINDOWS\system32\Drivers\Firehk5x.sys []
R1 FireTDI;McAfee HIP Component FireTDI; \??\C:\WINDOWS\system32\Drivers\FireTDI.sys []
R1 intelppm;Controlador de procesador Intel; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2004-08-19 40320]
R1 mferkdk;VSCore mferkdk; \??\C:\Archivos de programa\McAfee\VirusScan Enterprise\mferkdk.sys []
R1 mfetdik;McAfee Inc.; C:\WINDOWS\system32\drivers\mfetdik.sys [2008-01-24 52104]
R1 TWGGrab;TWGGrab; C:\WINDOWS\system32\drivers\TWGGrab.sys [2005-02-01 8688]
R2 DgiVecp;Team MFP Comm Driver; C:\WINDOWS\System32\Drivers\DgiVecp.sys [2003-07-29 40448]
R2 PMEM;PMEM; \??\C:\WINDOWS\system32\drivers\pmemnt.sys []
R2 TWGSYSIN;TWGSYSIN; C:\WINDOWS\system32\drivers\TWGSYSIN.sys [2005-02-01 7476]
R3 ADIHdAudAddService;ADI UAA Function Driver for High Definition Audio Service; C:\WINDOWS\system32\drivers\ADIHdAud.sys [2005-07-19 163840]
R3 AEAudioService;AEAudio Service; C:\WINDOWS\system32\drivers\AEAudio.sys [2005-03-04 127872]
R3 e1express;Intel(R) PRO/1000 PCI Express Network Connection Driver; C:\WINDOWS\system32\DRIVERS\e1e5132.sys [2005-03-31 180736]
R3 firelm01;firelm01; \??\C:\WINDOWS\system32\drivers\firelm01.sys []
R3 HDAudBus;Controlador de bus de Microsoft UAA para High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2005-01-07 138752]
R3 HidUsb;Controlador de clases HID de Microsoft; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2001-08-17 9600]
R3 ialm;ialm; C:\WINDOWS\System32\DRIVERS\ialmnt5.sys [2005-09-20 1302332]
R3 mfeapfk;McAfee Inc.; C:\WINDOWS\system32\drivers\mfeapfk.sys [2008-01-24 64232]
R3 mfeavfk;McAfee Inc.; C:\WINDOWS\system32\drivers\mfeavfk.sys [2008-01-24 72936]
R3 mfebopk;McAfee Inc.; C:\WINDOWS\system32\drivers\mfebopk.sys [2008-01-24 33960]
R3 mfehidk;McAfee Inc.; C:\WINDOWS\system32\drivers\mfehidk.sys [2008-01-24 171400]
R3 mouhid;Controlador HID de mouse; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-22 12416]
R3 SenFiltService;SenFilt Service; C:\WINDOWS\system32\drivers\Senfilt.sys [2005-10-27 393088]
R3 SMBusHC;SMBus Host Controller; C:\WINDOWS\system32\DRIVERS\smbushc.sys [2007-04-26 29696]
R3 TPM12;NSC Integrated Trusted Platform Module 1.2; C:\WINDOWS\system32\DRIVERS\nsctpm12.sys [2005-04-21 13056]
R3 usbehci;Controlador minipuerto de la controladora mejorada USB 2.0 de Microsoft; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2004-08-03 26624]
R3 usbhub;Concentrador habilitado USB2; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2004-08-03 57600]
R3 usbprint;Clase de impresora USB de Microsoft; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 25856]
R3 usbuhci;Controlador minipuerto de la controladora de host universal USB de Microsoft; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2004-08-03 20480]
S1 ASPI32;ASPI32; C:\WINDOWS\system32\drivers\ASPI32.sys []
S3 {6080A529-897E-4629-A488-ABA0C29B635E};Intel(R) Graphics Platform (SoftBIOS) Driver; C:\WINDOWS\system32\drivers\ialmsbw.sys [2003-08-03 120094]
S3 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91};Intel(R) Graphics Chipset (KCH) Driver; C:\WINDOWS\system32\drivers\ialmkchw.sys [2003-08-03 96858]
S3 aeaudio;aeaudio; C:\WINDOWS\system32\drivers\aeaudio.sys [2005-03-04 127872]
S3 E100B;Intel(R) PRO Adapter Driver; C:\WINDOWS\System32\DRIVERS\e100b325.sys [2003-03-04 145408]
S3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2003-05-27 578304]
S3 USBSTOR;Dispositivo de almacenamiento masivo de datos USB; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 DWMRCS;DameWare Mini Remote Control; C:\WINDOWS\SYSTEM32\DWRCS.EXE [2002-04-12 249856]
R2 enterceptAgent;McAfee Host Intrusion Prevention Service; C:\Archivos de programa\McAfee\Host Intrusion Prevention\FireSvc.exe [2007-10-01 1150976]
R2 ibmsmbus;SMBus Upgrade Service for Windows 2000 and above; C:\WINDOWS\System32\ibmsmbus.exe [2004-07-06 28160]
R2 McAfeeFramework;McAfee Framework Service; C:\Archivos de programa\Network Associates\Common Framework\FrameworkService.exe [2007-10-25 103744]
R2 McShield;McAfee McShield; C:\Archivos de programa\McAfee\VirusScan Enterprise\Mcshield.exe [2008-01-24 144704]
R2 McTaskManager;McAfee Task Manager; C:\Archivos de programa\McAfee\VirusScan Enterprise\VsTskMgr.exe [2008-01-24 54608]
R2 MDM;Machine Debug Manager; C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
R2 PrismXL;PrismXL; C:\Archivos de programa\Archivos comunes\Lanovation\PrismXL\PRISMXL.SYS [2007-04-26 57344]
R2 TWGIPC;IBM Director Support Program; C:\Archivos de programa\IBM\Director\bin\twgipcsv.exe [2005-02-01 53327]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-01-28 38912]
R2 wmicimserver;IBM Director Agent WMI CIM Server; C:\Archivos de programa\IBM\Director\cimom\bin\wmicimserver.exe [2005-02-03 401408]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 iPod Service;Servicio del iPod; C:\Archivos de programa\iPod\bin\iPodService.exe []
S3 ose;Office Source Engine; C:\Archivos de programa\Archivos comunes\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 Reflection Servers;Reflection Servers; C:\Archivos de programa\Reflection\rninetd.exe [1998-08-28 98816]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Archivos de programa\MSN Messenger\usnsvc.exe [2007-01-19 97136]

-----------------EOF-----------------
wimpy
Regular Member
 
Posts: 21
Joined: November 14th, 2008, 3:27 pm
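Added example (not a tool from this thread, nor from the HijackThis/RSIT authors): a small triage script that reads the O2/O4/O23 lines and the RSIT "files/folders created" section in the format pasted above, and flags what a helper looks at first: entries pointing at missing files, bare filenames in Run keys, and anything on Shaba's Killbox list that has reappeared. The sample log is constructed from lines in this thread; the regexes assume the line layouts shown here.

```python
"""Triage helper for HijackThis/RSIT-style logs (added example, not part of the thread)."""
import re
from dataclasses import dataclass, field
from typing import List

# Files Shaba asked to delete with Killbox (taken from the thread above).
REMOVAL_LIST = {
    r"C:\WINDOWS\system32\nel32.dll",
    r"C:\WINDOWS\system32\stsb.exe",
    r"C:\WINDOWS\system32\sv.exe",
    r"C:\WINDOWS\system32\dzhoil.dll",
    r"C:\WINDOWS\k.txt",
    r"C:\WINDOWS\system32\Fxxplfnt.tmp",
}

# Constructed sample built from lines of the RSIT/HijackThis log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WinIss - {17D562A6-DA3D-4F87-B659-86CD06473AB5} - C:\WINDOWS\system32\dzhoil.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Servicio del iPod (iPod Service) - Unknown owner - C:\Archivos de programa\iPod\bin\iPodService.exe (file missing)
======List of files/folders created in the last 1 months======
2008-11-17 14:24:34 ----A---- C:\WINDOWS\system32\nel32.dll
2008-11-17 14:19:01 ----D---- C:\!KillBox
2008-11-17 13:15:10 ----A---- C:\WINDOWS\nel2.ini
"""

# Line layouts as they appear in the thread's HijackThis and RSIT output.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<desc>.*?) - (?P<vendor>.*?) - (?P<path>.*)$")
CREATED_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<attrs>-+[A-Z]*-+) (?P<path>.*)$")
MISSING_MARKERS = ("(file missing)", "(no file)")


@dataclass
class Finding:
    kind: str                      # "bho", "run", "service" or "created"
    name: str                      # entry name, or timestamp for "created"
    path: str                      # normalised on-disk path ("" if none)
    reasons: List[str] = field(default_factory=list)


def normalize_path(raw: str) -> str:
    """Strip HijackThis annotations, surrounding quotes and trailing arguments."""
    p = raw.strip()
    for marker in MISSING_MARKERS:
        p = p.replace(marker, "").strip()
    if p.startswith('"'):                      # "C:\path with spaces\x.exe" /args
        return p[1:].split('"', 1)[0]
    mo = re.match(r"(?i)^(.*?\.(?:exe|dll|sys|ocx|tmp|txt))(?:\s.*)?$", p)
    return mo.group(1) if mo else p


def triage(log_text: str, removal_list=REMOVAL_LIST) -> List[Finding]:
    """Return only the entries that carry at least one reason to look closer."""
    removal = {p.lower() for p in removal_list}
    findings: List[Finding] = []
    for line in log_text.splitlines():
        line = line.rstrip()
        if (m := O2_RE.match(line)):
            f, raw = Finding("bho", m["name"], normalize_path(m["path"])), m["path"]
        elif (m := O4_RE.match(line)):
            f, raw = Finding("run", m["name"], normalize_path(m["cmd"])), m["cmd"]
            if "\\" not in f.path:
                # A bare filename is resolved through the search path at logon,
                # so a copy dropped into a searched directory would be what runs.
                f.reasons.append("unqualified filename in Run key: resolved via search path")
        elif (m := O23_RE.match(line)):
            f, raw = Finding("service", m["desc"], normalize_path(m["path"])), m["path"]
        elif (m := CREATED_RE.match(line)):
            f, raw = Finding("created", m["ts"], m["path"]), m["path"]
            if f.path.lower() in removal:
                f.reasons.append(f"file from the removal list (re)created at {m['ts']}")
        else:
            continue
        if any(marker in raw for marker in MISSING_MARKERS):
            f.reasons.append("registry entry points at a file that no longer exists")
        if f.kind != "created" and f.path.lower() in removal:
            f.reasons.append("path is on the removal list")
        if f.reasons:
            findings.append(f)
    return findings


def report(findings: List[Finding]) -> str:
    """One line per finding, suitable for pasting back into a reply."""
    return "\n".join(f"[{f.kind}] {f.name}: {f.path or '(none)'} -> {'; '.join(f.reasons)}"
                     for f in findings)


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```

Run against the sample, it reports the dzhoil.dll BHO (missing and listed), the nameless BHO, the path-less CTHelper entry, the dead iPod service, and nel32.dll recreated at 14:24:34, after the C:\!KillBox folder appeared at 14:19:01, which is the "that .dll is back" observation in the next reply.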

Re: sc.videofreeforonline.com in winamp keygen.exe

Unread postby Shaba » November 17th, 2008, 1:57 pm

Looks like that .dll is back.

Download gmer.zip and save to your desktop.
alternate download site 1
alternate download site 2

  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • When you have done this, disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click on "Settings", then check the first five settings:
    *System Protection and Tracing
    *Processes
    *Save created processes to the log
    *Drivers
    *Save loaded drivers to the log
  • You will be prompted to restart your computer. Please do so.

Run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Click on the "Scan" and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in SAFE MODE.
Important! Please do not select the "Show all" checkbox during the scan.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: sc.videofreeforonline.com in winamp keygen.exe

Unread postby wimpy » November 17th, 2008, 2:21 pm

Here's the Gmer log.

The original spyware seems to have vanished, as I can freely move through the win explorer without the pop-up appearing. However, on startup, the explorer.exe daemon is still not coming up... and the system still freezes during shutdown. Neither of these behaviors occurred previously.

Now the log, and thanks.

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-11-17 15:16:32
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT \??\C:\WINDOWS\system32\Drivers\FireTDI.sys (McAfee HIP Application Firewall Driver/McAfee, Inc.) ZwClose [0xAAC8D370]
SSDT \??\C:\WINDOWS\system32\Drivers\FireTDI.sys (McAfee HIP Application Firewall Driver/McAfee, Inc.) ZwCreateProcess [0xAAC8D250]
SSDT \??\C:\WINDOWS\system32\Drivers\FireTDI.sys (McAfee HIP Application Firewall Driver/McAfee, Inc.) ZwCreateProcessEx [0xAAC8D2E0]
SSDT \??\C:\WINDOWS\system32\Drivers\FireTDI.sys (McAfee HIP Application Firewall Driver/McAfee, Inc.) ZwCreateSection [0xAAC8D1D0]
SSDT \??\C:\WINDOWS\system32\Drivers\FireTDI.sys (McAfee HIP Application Firewall Driver/McAfee, Inc.) ZwCreateThread [0xAAC8D3E0]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xA9F3383B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xA9F3384F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xA9F3387B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xA9F33827]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xA9F33865]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xA9F33891]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xA9F338A7]

---- Kernel code sections - GMER 1.0.14 ----

PAGE ntkrnlpa.exe!ZwTerminateProcess 805D1170 5 Bytes JMP A9F338AB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 80620708 7 Bytes JMP A9F33895 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 80621A6E 7 Bytes JMP A9F33869 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 80622048 5 Bytes JMP A9F3383F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 806224D8 7 Bytes JMP A9F33853 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 806226A8 7 Bytes JMP A9F3387F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 806233DE 5 Bytes JMP A9F3382B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip FireTDI.sys (McAfee HIP Application Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp FireTDI.sys (McAfee HIP Application Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp FireTDI.sys (McAfee HIP Application Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp FireTDI.sys (McAfee HIP Application Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

---- Registry - GMER 1.0.14 ----

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{ED0047C5-9478-45F8-BC3D-4A595A16E399}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{ED0047C5-9478-45F8-BC3D-4A595A16E399}@oaeohegcjohnlmheonaohdjkdeaglc 0x6A 0x61 0x66 0x68 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{ED0047C5-9478-45F8-BC3D-4A595A16E399}@naomjaijjdpejjkfaahhmdkkpifc 0x6A 0x61 0x61 0x68 ...

---- EOF - GMER 1.0.14 ----
wimpy
Regular Member
 
Posts: 21
Joined: November 14th, 2008, 3:27 pm