Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

computer crashing

Post by beynac » October 28th, 2007, 4:58 pm

You seem to have used the previous CFScript.txt file. Please try again using this new script. Use Wordpad if Notepad isn't working properly, but make sure that you save it as a text file.

------------------------------------

Open Notepad and copy/paste the text in the quotebox below into it:
File::
C:\DOCUME~1\User\LOCALS~1\Temp\BLEUFWL.exe
C:\DOCUME~1\User\LOCALS~1\Temp\JXTINIH.exe
C:\DOCUME~1\User\LOCALS~1\Temp\QAL.exe
C:\DOCUME~1\User\LOCALS~1\Temp\CHELA.exe
C:\DOCUME~1\User\LOCALS~1\Temp\GVKST.exe
C:\DOCUME~1\User\LOCALS~1\Temp\NAHDQXNQ.exe
C:\DOCUME~1\User\LOCALS~1\Temp\ZEYMMJX.exe

Rootkit::
C:\WINDOWS\system32\mainsafe.empty.ini
C:\WINDOWS\system32\mainsafe.exe
C:\WINDOWS\system32\mxdefdrv.sys

Driver::
BLEUFWL
JXTINIH
QAL
CHELA
GVKST
NAHDQXNQ
ZEYMMJX

Save this on your Desktop as CFScript.txt

[Image: CFScript.txt being dragged onto ComboFix.exe]
ComboFix should also be on your Desktop. Referring to the picture above, drag CFScript.txt into ComboFix.exe. ComboFix will then run. When finished, it will produce a log (C:\ComboFix.txt). Post that log in your next reply.

Note:
Do not mouseclick ComboFix's window whilst it's running as this may cause it to stall.

------------------------------------------------

Could you please download HijackThis again and try to get a log. Using the old CFScript has deleted the program.

Post by andorusan » October 28th, 2007, 6:30 pm

doh... :oops:

BTW - I tried reinstalling WinPatrol but still couldn't get a HijackThis log. But I do have a WinPatrol log if that helps.

Here is the correct log... hopefully:

ComboFix 07-10-26.4 - User 2007-10-28 16:08:56.4 - NTFSx86
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\User\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\DOCUME~1\User\LOCALS~1\Temp\BLEUFWL.exe
C:\DOCUME~1\User\LOCALS~1\Temp\CHELA.exe
C:\DOCUME~1\User\LOCALS~1\Temp\GVKST.exe
C:\DOCUME~1\User\LOCALS~1\Temp\JXTINIH.exe
C:\DOCUME~1\User\LOCALS~1\Temp\NAHDQXNQ.exe
C:\DOCUME~1\User\LOCALS~1\Temp\QAL.exe
C:\DOCUME~1\User\LOCALS~1\Temp\ZEYMMJX.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\mainsafe.empty.ini
C:\WINDOWS\system32\mainsafe.exe
C:\WINDOWS\system32\mxdefdrv.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_BLEUFWL
-------\LEGACY_CHELA
-------\LEGACY_GVKST
-------\LEGACY_JXTINIH
-------\LEGACY_NAHDQXNQ
-------\LEGACY_QAL
-------\LEGACY_ZEYMMJX
-------\BLEUFWL
-------\CHELA
-------\GVKST
-------\JXTINIH
-------\NAHDQXNQ
-------\QAL
-------\ZEYMMJX


((((((((((((((((((((((((( Files Created from 2007-09-28 to 2007-10-28 )))))))))))))))))))))))))))))))
.

2007-10-28 13:48 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-27 18:52 <DIR> d-------- C:\RKR
2007-10-27 17:35 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-27 07:42 6,058,496 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-10-27 07:42 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-10-27 07:42 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-10-27 07:42 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-10-27 07:42 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-10-27 07:42 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2007-10-27 07:42 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-10-27 07:42 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-10-27 07:03 <DIR> d-------- C:\Program Files\BillP Studios
2007-10-27 06:49 <DIR> d-------- C:\Documents and Settings\User\Application Data\WinPatrol
2007-10-26 18:39 <DIR> d-------- C:\Program Files\Video Piggy
2007-10-26 18:39 <DIR> d-------- C:\Program Files\AviSynth 2.5
2007-10-23 19:09 <DIR> d-------- C:\Documents and Settings\User\.jpi_cache
2007-10-23 19:09 <DIR> d-------- C:\Documents and Settings\User\.housecall6.6
2007-10-23 15:46 <DIR> d-------- C:\Program Files\a-squared Free
2007-10-23 15:19 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\SiteAdvisor
2007-10-03 17:01 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-10-03 15:34 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-10-03 15:34 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2007-10-03 14:24 <DIR> d-------- C:\Program Files\Windows Live Favorites
2007-10-03 14:24 <DIR> d-------- C:\Documents and Settings\User\Contacts
2007-10-03 14:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Windows Live Toolbar
2007-10-03 14:22 <DIR> d-------- C:\Program Files\Windows Live Toolbar
2007-10-03 14:20 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-28 11:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-10-26 10:37 --------- d-----w C:\Documents and Settings\User\Application Data\SiteAdvisor
2007-10-24 20:18 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-10-24 20:16 --------- d-----w C:\Program Files\Google
2007-10-23 21:13 --------- d-----w C:\Program Files\Napster
2007-10-23 21:13 --------- d-----w C:\Program Files\McAfee
2007-10-23 01:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-20 19:35 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-20 19:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Napster
2007-10-20 19:27 --------- d-----w C:\Program Files\Common Files\McAfee
2007-10-20 19:23 --------- d-----w C:\Program Files\SiteAdvisor
2007-10-03 20:23 --------- d-----w C:\Program Files\Real
2007-10-03 20:21 --------- d-----w C:\Program Files\MSN Messenger
2007-10-01 00:07 --------- d-----w C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2006-08-10 01:45 50,688 ---ha-w C:\Documents and Settings\User\Application Data\MBSWinPlugin.dll
2006-08-10 01:45 34,304 ---ha-w C:\Documents and Settings\User\Application Data\MBSCalcPlugin.dll
2006-08-10 01:45 31,744 ---ha-w C:\Documents and Settings\User\Application Data\MBSQTFileTransferPlugin.dll
2006-08-10 01:45 31,232 ---ha-w C:\Documents and Settings\User\Application Data\MBSProcessPlugin.dll
2006-08-10 01:45 29,184 ---ha-w C:\Documents and Settings\User\Application Data\BoxControl.DLL
2006-08-10 01:45 26,624 ---ha-w C:\Documents and Settings\User\Application Data\MBSUsernamePlugin.dll
2006-08-10 01:45 26,112 ---ha-w C:\Documents and Settings\User\Application Data\MBSRegistrationPlugin.dll
2006-08-10 01:45 18,432 ---ha-w C:\Documents and Settings\User\Application Data\EHEncrypt.dll
2006-03-19 00:55 25,944 ----a-w C:\Documents and Settings\User\Application Data\GDIPFONTCACHEV1.DAT
2005-01-30 13:17 447 ----a-w C:\Program Files\INSTALL.LOG
2005-01-03 01:03 72 ----a-w C:\Documents and Settings\User\Application Data\tvmcwrd.dll
2005-01-03 01:03 44 ----a-w C:\Documents and Settings\User\Application Data\tvmuknwrd.dll
2004-12-04 02:55 7,626 ----a-w C:\Program Files\Account Pro2004.tra
2004-10-30 12:27 246 ----a-w C:\Program Files\Account ProTEST2.tra
2004-10-30 11:51 656 ----a-w C:\Program Files\Account Protest.tra
2003-08-24 13:18:55 32 --sha-w C:\WINDOWS\{DA988749-A1CE-460A-82E1-8B94EE0CEF27}.dat
2003-08-24 13:18:55 32 --sha-w C:\WINDOWS\system32\{AE65161B-21FA-412F-81C2-23B1CCEC97CB}.dat
.

((((((((((((((((((((((((((((( snapshot@2007-10-27_17.47.38.31 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-10-27 16:41:05 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2007-10-28 16:30:36 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2007-10-27 16:41:05 49,152 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-10-28 16:30:36 49,152 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinampAgent"="C:\Program Files\Winamp\Winampa.exe" []
"HTpatch"="C:\WINDOWS\htpatch.exe" [2002-12-19 02:40]
"SiS Tray"="" []
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 12:01 C:\WINDOWS\AGRSMMSG.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 15:57]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 03:28]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-21 18:38]
"RebateNation0"="C:\Program Files\Rebate_Nation\RebateNation0.exe" []
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"Motive SmartBridge"="C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe" [2004-10-22 01:13]
"StandardInstall"="" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe" [2004-12-06 22:31]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-03-10 06:05]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [2006-07-24 14:28]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-30 21:25]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2003-08-26 07:44:19]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-15 15:19:24]
Image Transfer.lnk - C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe [2004-04-27 07:03:44]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-12 11:01:04]
NetAssistant.lnk - C:\Program Files\NetAssistant\bin\matcli.exe [2005-01-30 07:27:40]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2006-08-10 19:38:09]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

S3 AFAOFSDK;AFAOFSDK;C:\DOCUME~1\User\LOCALS~1\Temp\AFAOFSDK.exe
S3 sonypvs1;Sony Digital Imaging Video2;C:\WINDOWS\system32\DRIVERS\sonypvs1.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-10-28 22:11:08 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
"2006-07-31 09:53:58 C:\WINDOWS\Tasks\McDefragTask.job"
- C:\WINDOWS\system32\defrag.exe
"2007-02-01 08:02:15 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-28 16:16:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-28 16:18:38 - machine was rebooted
C:\ComboFix2.txt ... 2007-10-28 14:03
C:\ComboFix3.txt ... 2007-10-28 07:51
.
--- E O F ---

Post by andorusan » October 28th, 2007, 6:47 pm

i've tried several more times to download and run HJT with no success.

Thanks,

Andrew

Maybe if I download from a different site?

Post by beynac » October 29th, 2007, 4:23 am

Good morning.

This thing is being very obstinate but we are making progress. There appears to be a rootkit on the computer and some part of the malware is managing to obstruct us at every turn. For example, the problems with HijackThis, Notepad and Rootkit Revealer. Another service has appeared on the ComboFix log. We'll get rid of that, run a different rootkit scanner and try to sort out HijackThis. As before, use Wordpad if you can't get Notepad to run.

-----------------------------------------------

Open Notepad and copy/paste the text in the quotebox below into it:
Rootkit::
C:\DOCUME~1\User\LOCALS~1\Temp\BLEUFWL.exe
C:\DOCUME~1\User\LOCALS~1\Temp\JXTINIH.exe
C:\DOCUME~1\User\LOCALS~1\Temp\QAL.exe
C:\DOCUME~1\User\LOCALS~1\Temp\CHELA.exe
C:\DOCUME~1\User\LOCALS~1\Temp\GVKST.exe
C:\DOCUME~1\User\LOCALS~1\Temp\NAHDQXNQ.exe
C:\DOCUME~1\User\LOCALS~1\Temp\ZEYMMJX.exe
C:\DOCUME~1\User\LOCALS~1\Temp\AFAOFSDK.exe

Driver::
AFAOFSDK


Save this on your Desktop as CFScript.txt

[Image: CFScript.txt being dragged onto ComboFix.exe]
ComboFix should also be on your Desktop. Referring to the picture above, drag CFScript.txt into ComboFix.exe. ComboFix will then run. When finished, it will produce a log (C:\ComboFix.txt). Post that log in your next reply.

Note:
Do not mouseclick ComboFix's window whilst it's running as this may cause it to stall.

--------------------------------------------

F-Secure BlackLight

Please download F-Secure Blacklight (fsbl.exe) from here.
  • Double click the file to run it, choose I accept the agreement then click Next
  • Click the Scan button
  • It will create a log on your desktop (fsbl-date/time.log).
  • If it finds anything, do not rename anything. Legitimate items can also be present.
  • Exit Blacklight
Please post the contents of the log as a reply to this thread.

-------------------------------------------

HijackThis

Downloading from another site, or downloading a different version wouldn't make any difference. I believe that you have installed it but the malware is stopping it running. If we rename it, this should fool the 'nasty' into letting it run.

  • Click on Start then My Computer
  • Navigate to the folder C:\Program Files\Trend Micro\HijackThis\
  • Rename HijackThis.exe as NoHiding.exe
  • Right-click on NoHiding and select Send To then Desktop (create shortcut)
  • Close the window
Always use the new shortcut to run HijackThis (now "NoHiding").

If you still don't get a report, try the following:
  • Open HijackThis (NoHiding)
  • Click on Do a system scan only
  • When it has completed, click on the Save a log button
  • Save the log to your desktop as MyLog
If you haven't got HijackThis.exe in the folder, just let me know.

------------------------------------------

Please post the following (you may need to use more than one post):
  • The ComboFix log
  • The Blacklight log
  • A HijackThis log (run as NoHiding), if possible
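For anyone reading ComboFix logs like the ones in this thread, here is an added triage script (an editor's example, not part of this thread and not a ComboFix feature) that applies the two checks beynac is doing by eye: a service whose binary sits in a user's Temp folder, and Run-key entries where ComboFix recorded an empty value or no file details in the trailing brackets. The sample lines are copied from the logs posted above; reading empty brackets as "ComboFix could not find the file" is an assumption about the log format, worth confirming against ComboFix's own documentation. Later in the thread beynac notes that the Temp-folder services were a red herring left by failed RootkitRevealer scans, so the output is a list of things to check, not a verdict.

```python
"""
Triage helper for ComboFix-style log lines.

Flags:
  service-in-temp      a service/driver whose image path is under a Temp folder
  run-empty-value      a Run-key value that points at nothing
  run-no-file-details  a Run-key value where ComboFix recorded no file details
                       (assumed to mean the file was not found on disk)

Added example; not part of the thread and not a ComboFix feature.
"""
import re

# Service/driver lines look like:  S3 name;display name;C:\path\to\file
SERVICE_RE = re.compile(
    r"^(?P<start>[SR][0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+)$"
)
# Run-key values look like:  "name"="C:\path\file.exe" [2007-08-03 22:33]
RUN_RE = re.compile(
    r'^"(?P<name>[^"]*)"="(?P<path>[^"]*)"\s*\[(?P<meta>[^\]]*)\]$'
)

# Short-name (8.3) and long-name forms of the per-user Temp folder on XP.
TEMP_MARKERS = ("\\locals~1\\temp", "\\local settings\\temp\\", "\\windows\\temp\\")


def in_temp(path):
    """True if the path lies inside a Temp folder (case-insensitive)."""
    p = path.lower()
    return any(marker in p for marker in TEMP_MARKERS)


def triage(lines):
    """Return (finding, entry name, path) tuples for lines worth a second look."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = SERVICE_RE.match(line)
        if m:
            if in_temp(m.group("path")):
                findings.append(("service-in-temp", m.group("name"), m.group("path")))
            continue
        m = RUN_RE.match(line)
        if m:
            if not m.group("path"):
                findings.append(("run-empty-value", m.group("name"), ""))
            elif not m.group("meta").strip():
                findings.append(("run-no-file-details", m.group("name"), m.group("path")))
    return findings


# Constructed sample: lines copied from the ComboFix logs posted in this thread.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinampAgent"="C:\Program Files\Winamp\Winampa.exe" []
"SiS Tray"="" []
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 12:01 C:\WINDOWS\AGRSMMSG.exe]
"RebateNation0"="C:\Program Files\Rebate_Nation\RebateNation0.exe" []
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33]

S3 AFAOFSDK;AFAOFSDK;C:\DOCUME~1\User\LOCALS~1\Temp\AFAOFSDK.exe
S3 sonypvs1;Sony Digital Imaging Video2;C:\WINDOWS\system32\DRIVERS\sonypvs1.sys
'''

if __name__ == "__main__":
    for kind, name, path in triage(SAMPLE_LOG.splitlines()):
        print(f"{kind:22} {name:16} {path}")
```

Run it against a saved C:\ComboFix.txt by reading the file and passing its lines to triage(); every hit still needs the analyst to decide whether the file is a known product, a leftover from a failed tool run, or something to put in the next CFScript.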

Post by andorusan » October 29th, 2007, 6:03 pm

Blacklight didn't find anything.

Still can't get HijackThis to run. I tried changing the name every way I knew but no luck.

Glad to hear we are making some progress.

Here's the log from ComboFix:

Combofix

ComboFix 07-10-26.4 - User 2007-10-29 14:10:26.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.85 [GMT -6:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\User\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\User\LOCALS~1\Temp\AFAOFSDK.exe
C:\DOCUME~1\User\LOCALS~1\Temp\BLEUFWL.exe
C:\DOCUME~1\User\LOCALS~1\Temp\CHELA.exe
C:\DOCUME~1\User\LOCALS~1\Temp\GVKST.exe
C:\DOCUME~1\User\LOCALS~1\Temp\JXTINIH.exe
C:\DOCUME~1\User\LOCALS~1\Temp\NAHDQXNQ.exe
C:\DOCUME~1\User\LOCALS~1\Temp\QAL.exe
C:\DOCUME~1\User\LOCALS~1\Temp\ZEYMMJX.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_AFAOFSDK
-------\AFAOFSDK


((((((((((((((((((((((((( Files Created from 2007-09-28 to 2007-10-29 )))))))))))))))))))))))))))))))
.

2007-10-27 18:52 <DIR> d-------- C:\RKR
2007-10-27 17:35 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-27 07:42 6,058,496 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-10-27 07:42 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-10-27 07:42 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-10-27 07:42 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-10-27 07:42 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-10-27 07:42 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2007-10-27 07:42 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-10-27 07:42 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-10-27 07:03 <DIR> d-------- C:\Program Files\BillP Studios
2007-10-27 06:49 <DIR> d-------- C:\Documents and Settings\User\Application Data\WinPatrol
2007-10-26 18:39 <DIR> d-------- C:\Program Files\Video Piggy
2007-10-26 18:39 <DIR> d-------- C:\Program Files\AviSynth 2.5
2007-10-23 19:09 <DIR> d-------- C:\Documents and Settings\User\.jpi_cache
2007-10-23 19:09 <DIR> d-------- C:\Documents and Settings\User\.housecall6.6
2007-10-23 15:46 <DIR> d-------- C:\Program Files\a-squared Free
2007-10-23 15:19 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\SiteAdvisor
2007-10-03 17:01 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-10-03 15:34 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-10-03 15:34 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2007-10-03 14:24 <DIR> d-------- C:\Program Files\Windows Live Favorites
2007-10-03 14:24 <DIR> d-------- C:\Documents and Settings\User\Contacts
2007-10-03 14:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Windows Live Toolbar
2007-10-03 14:22 <DIR> d-------- C:\Program Files\Windows Live Toolbar
2007-10-03 14:20 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-29 20:07 --------- d-----w C:\Program Files\McAfee
2007-10-29 19:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-10-26 10:37 --------- d-----w C:\Documents and Settings\User\Application Data\SiteAdvisor
2007-10-24 20:18 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-10-24 20:16 --------- d-----w C:\Program Files\Google
2007-10-23 21:13 --------- d-----w C:\Program Files\Napster
2007-10-23 01:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-20 19:35 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-20 19:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Napster
2007-10-20 19:27 --------- d-----w C:\Program Files\Common Files\McAfee
2007-10-20 19:23 --------- d-----w C:\Program Files\SiteAdvisor
2007-10-03 20:23 --------- d-----w C:\Program Files\Real
2007-10-03 20:21 --------- d-----w C:\Program Files\MSN Messenger
2007-10-01 00:07 --------- d-----w C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2006-08-10 01:45 50,688 ---ha-w C:\Documents and Settings\User\Application Data\MBSWinPlugin.dll
2006-08-10 01:45 34,304 ---ha-w C:\Documents and Settings\User\Application Data\MBSCalcPlugin.dll
2006-08-10 01:45 31,744 ---ha-w C:\Documents and Settings\User\Application Data\MBSQTFileTransferPlugin.dll
2006-08-10 01:45 31,232 ---ha-w C:\Documents and Settings\User\Application Data\MBSProcessPlugin.dll
2006-08-10 01:45 29,184 ---ha-w C:\Documents and Settings\User\Application Data\BoxControl.DLL
2006-08-10 01:45 26,624 ---ha-w C:\Documents and Settings\User\Application Data\MBSUsernamePlugin.dll
2006-08-10 01:45 26,112 ---ha-w C:\Documents and Settings\User\Application Data\MBSRegistrationPlugin.dll
2006-08-10 01:45 18,432 ---ha-w C:\Documents and Settings\User\Application Data\EHEncrypt.dll
2006-03-19 00:55 25,944 ----a-w C:\Documents and Settings\User\Application Data\GDIPFONTCACHEV1.DAT
2005-01-30 13:17 447 ----a-w C:\Program Files\INSTALL.LOG
2005-01-03 01:03 72 ----a-w C:\Documents and Settings\User\Application Data\tvmcwrd.dll
2005-01-03 01:03 44 ----a-w C:\Documents and Settings\User\Application Data\tvmuknwrd.dll
2004-12-04 02:55 7,626 ----a-w C:\Program Files\Account Pro2004.tra
2004-10-30 12:27 246 ----a-w C:\Program Files\Account ProTEST2.tra
2004-10-30 11:51 656 ----a-w C:\Program Files\Account Protest.tra
2003-08-24 13:18:55 32 --sha-w C:\WINDOWS\{DA988749-A1CE-460A-82E1-8B94EE0CEF27}.dat
2003-08-24 13:18:55 32 --sha-w C:\WINDOWS\system32\{AE65161B-21FA-412F-81C2-23B1CCEC97CB}.dat
.

((((((((((((((((((((((((((((( snapshot@2007-10-27_17.47.38.31 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-07-12 23:28:55 765,952 ----a-w C:\WINDOWS\$hf_mig$\KB938127-IE7\SP2QFE\vgx.dll
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB938127-IE7\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB938127-IE7\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB938127-IE7\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB938127-IE7\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB938127-IE7\update\updspapi.dll
+ 2007-03-06 01:22:41 213,216 -c----w C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\updspapi.dll
+ 2007-08-14 00:54:10 765,952 -c----w C:\WINDOWS\ie7updates\KB938127-IE7\vgx.dll
- 2007-10-27 16:41:05 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2007-10-29 19:52:10 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2007-10-27 16:41:05 49,152 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-10-29 19:52:10 49,152 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-10-27 16:41:05 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-10-29 19:52:10 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-08-14 00:54:10 765,952 -c--a-w C:\WINDOWS\system32\dllcache\VGX.dll
+ 2007-07-12 23:31:54 765,952 -c--a-w C:\WINDOWS\system32\dllcache\vgx.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinampAgent"="C:\Program Files\Winamp\Winampa.exe" []
"HTpatch"="C:\WINDOWS\htpatch.exe" [2002-12-19 02:40]
"SiS Tray"="" []
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 12:01 C:\WINDOWS\AGRSMMSG.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 15:57]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 03:28]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-21 18:38]
"RebateNation0"="C:\Program Files\Rebate_Nation\RebateNation0.exe" []
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"Motive SmartBridge"="C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe" [2004-10-22 01:13]
"StandardInstall"="" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe" [2004-12-06 22:31]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-03-10 06:05]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [2006-07-24 14:28]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2007-10-26 10:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-30 21:25]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2003-08-26 07:44:19]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-15 15:19:24]
Image Transfer.lnk - C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe [2004-04-27 07:03:44]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-12 11:01:04]
NetAssistant.lnk - C:\Program Files\NetAssistant\bin\matcli.exe [2005-01-30 07:27:40]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2006-08-10 19:38:09]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

S3 sonypvs1;Sony Digital Imaging Video2;C:\WINDOWS\system32\DRIVERS\sonypvs1.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-10-29 20:11:07 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
"2006-07-31 09:53:58 C:\WINDOWS\Tasks\McDefragTask.job"
- C:\WINDOWS\system32\defrag.exe
"2007-02-01 08:02:15 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-29 14:17:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-29 14:20:31 - machine was rebooted
C:\ComboFix2.txt ... 2007-10-28 16:18
C:\ComboFix3.txt ... 2007-10-28 14:03
.
--- E O F ---

Thanks as always,

Andrew

Post by beynac » October 29th, 2007, 7:06 pm

This is getting frustrating. Those services were a bit of a red herring. They were the result of the failed Rootkit Revealer scans. Some questions:

What happens when you try to run HijackThis? Is it just not running, or does it run a scan but not allow you to produce a log? Have you checked to see whether there are any logs (C:\Program Files\Trend Micro\HijackThis\hijackthis.log)? Did you try doing a scan only and then saving the log with a different name?

Are you still unable to produce a log with WinPatrol? Have you checked to see whether one was produced (C:\HijackPatrol.log)?

-------------------------------------------

Let's try running HijackThis in Safe Mode.

Important: If you have an 'always on' connection to the internet, physically disconnect that connection until you are finished with Safe Mode and have rebooted back into normal mode. I suggest that you print out these instructions.
  • Restart your computer.
  • Continually tap the F8 key as your computer is booting until a menu appears.
  • Use up-arrow key to select Safe Mode and press Enter.
  • When the computer has booted, open HijackThis (NoHiding)
  • Click on Do a system scan only
  • When it has completed, click on the Save a log button
  • Save the log to your desktop as MyLog
------------------------------------------------

Reboot Windows normally.

------------------------------------------------

If you get a HijackThis log in Safe Mode, please post it and then move on to the next step (GMER).

Please run a GMER rootkit scan:
Important: Close all open windows and do not use the computer during the scan.
  • Download GMER's application from here.
  • Extract the contents of the zip file to your desktop
  • Double-click GMER.exe to start the program.
  • Do not select the Show all checkbox.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run scan...say Ok.
  • If no warning, click the Rootkit tab and then the Scan button.
  • When the scan has completed, click the Copy button.
  • Paste the results in your next reply.
Note: Once you have clicked the Copy button in GMER the report has been copied to your clipboard. No file is created. When you come to post it, right-click in the reply box and select Paste. The report should now be there. If you want to save a copy, you can open Wordpad and paste it into a blank document and save it to your desktop.

Post by andorusan » October 29th, 2007, 8:22 pm

With HJT I can unzip the file but when I try to set up the program I get the same error message I had posted before:

The procedure entry point... Kernel32.dll

The log below seemed to be created in only a couple of seconds. Maybe winpatrol was making a log but I assumed it wasn't working because it took so little time.

I'll try HJT in safe mode.

Don't give up - I'm desperate to get this fixed!!

Thanks,

Andrew


Log created by WinPatrol version 12.2.2007.0:12.2.2007.0
Scan saved at 6:11:39 PM, on 10/29/2007
Platform: Windows XP SP2 Service Pack 2 (Build 2600)
MSIE: Internet Explorer (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRAM FILES\A-SQUARED FREE\A2SERVICE.EXE
C:\PROGRAM FILES\EWIDO ANTI-MALWARE\EWIDOCTRL.EXE
C:\Program Files\McAfee\MSC\mcmscsvc.exe
C:\PROGRAM FILES\COMMON FILES\McAfee\MNA\McNASvc.exe
C:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
C:\Program Files\McAfee\VirusScan\Mcshield.exe
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7Debug\mdm.exe
C:\PROGRAM FILES\McAfee\MPF\MpfSrv.exe
C:\WINDOWS\explorer.exe
C:\PROGRAM FILES\SITEADVISOR\6172\SASERVICE.EXE
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\htpatch.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRAM FILES\QUICKTIME\qttask.exe
C:\PROGRAM FILES\HP\HP SOFTWARE UPDATE\hpwuSchd.exe
C:\PROGRAM FILES\HP\HPCORETECH\hpcmpmgr.exe
C:\Program Files\NetAssistant\SmartBridge\MotiveSB.exe
C:\PROGRAM FILES\Java\JRE1.5.0_01\bin\jusched.exe
C:\PROGRAM FILES\COMMON FILES\Real\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\SITEADVISOR\6172\SiteAdv.exe
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRAM FILES\Google\GOOGLETOOLBARNOTIFIER\GOOGLETOOLBARNOTIFIER.EXE
C:\PROGRAM FILES\HP\DIGITAL IMAGING\bin\hpqtra08.exe
C:\PROGRAM FILES\SONY CORPORATION\IMAGE TRANSFER\SonyTray.exe
C:\PROGRAM FILES\WinZip\WZQKPICK.EXE
C:\PROGRAM FILES\NETASSISTANT\bin\mpbtn.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\McAfee\VirusScan\mcsysmon.exe
C:\PROGRAM FILES\MSN MESSENGER\msnmsgr.exe
C:\PROGRAM FILES\WINDOWS NT\ACCESSORIES\wordpad.exe
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROLEX.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SiteAdv - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: - {7E853D72-626A-48EC-A868-BA8D5E23E045} -
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\Google\googletoolbar5.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\Google\googletoolbar5.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [WinampAgent]C:\Program Files\Winamp\Winampa.exe
O4 - HKLM\..\Run: [HTpatch]C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [AGRSMMSG]AGRSMMSG.exe
O4 - HKLM\..\Run: [QuickTime Task]C:\Program Files\QuickTime\qttask.exe -atboottime
O4 - HKLM\..\Run: [HP Software Update]C:\Program Files\HP\HP Software Update\hpwuSchd.exe
O4 - HKLM\..\Run: [HP Component Manager]C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
O4 - HKLM\..\Run: [RebateNation0]C:\Program Files\Rebate_Nation\RebateNation0.exe
O4 - HKLM\..\Run: [NeroFilterCheck]C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Motive SmartBridge]C:\Program Files\NetAssistant\SmartBridge\MotiveSB.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched]C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe]C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [SiteAdvisor]C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [mcagent_exe]C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [WinPatrol]C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKCU\..\Run: [ctfmon.exe]C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager]C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [swg]C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Gamma Loader.lnk=C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk=C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Image Transfer.lnk=C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
O4 - Global Startup: Microsoft Office.lnk=C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NetAssistant.lnk=C:\Program Files\NetAssistant\bin\matcli.exe
O4 - Global Startup: WinZip Quick Pick.lnk=C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ca\msntabres.dll.mui/229?032242654a15478386af5974d99b9dbf
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ca\msntabres.dll.mui/230?032242654a15478386af5974d99b9dbf
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [Java (Sun)] Java (Sun) - C:\Program Files\Java\jre1.5.0_01\bin
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\PLUGINS\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL = http://www.microsoft.com/isapi/redir.dl ... ar=msnhome
O14 - IERESET.INF: SEARCH_PAGE_URL = http://www.microsoft.com/isapi/redir.dl ... r=iesearch
O14 - IERESET.INF:HKCU, Start Page = %START_PAGE_URL%
O14 - IERESET.INF:HKLM, Default_Page_URL = %START_PAGE_URL%
O14 - IERESET.INF:HKLM, Default_Search_URL = %SEARCH_PAGE_URL%
O14 - IERESET.INF:HKLM, Search Page = %SEARCH_PAGE_URL%
O14 - IERESET.INF:HKCU, Search Page = %SEARCH_PAGE_URL%
O16 - DPF: DirectAnimation Java Classes (dajava) - file://C:\WINDOWS\Java\classes\dajava.cab
O16 - DPF: Microsoft XML Parser for Java (xmldso) - file://C:\WINDOWS\Java\classes\xmldso.cab
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/fl ... wflash.cab
O21 - WPDShServiceObj - WPDShServiceObj Class - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: a-squared Free Service - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Google Updater Service - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Services - McAfee, Inc. - C:\Program Files\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent - McAfee, Inc. - c:\program files\common files\McAfee\MNA\McNASvc.exe
O23 - Service: McAfee Scanner - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
O23 - Service: McAfee Proxy Service - McAfee, Inc. - c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
O23 - Service: McAfee Real-time Scanner - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\Mcshield.exe
O23 - Service: McAfee SystemGuards - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service - McAfee, Inc. - C:\Program Files\McAfee\MPF\MpfSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\hpzipm12.exe
O23 - Service: SiteAdvisor Service - - C:\Program Files\SiteAdvisor\6172\SAService.exe
O23 - Service: SmartLinkService - Smart Link - slserv.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--- Additional WinPatrol Info ---
Default Browser: Windows® Internet Explorer - Internet Explorer version 7.00.6000.16544
MSIE: Internet Explorer (7.00.6000.16544)
60 IE Cookies in Folder: C:\Documents and Settings\User\Cookies\

WP00 - HKLM\CS1: BootExecute = autocheck autochk *
WP00 - HKLM\CCS: BootExecute = autocheck autochk *
WP00 - HKLM\CS3: BootExecute = autocheck autochk *
WP02 - HKLM\CCS: Command = C:\WINDOWS\system32\cmd.exe

WP03 - Windows Automatic Update = 4:Automatically download recommended updates for my computer and install them.


WP08 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix: Default = http://
WP08 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes: www = http://

WP31 - Scheduled Tasks: [McQcTask.job]c:\program files\McAfee\MQC\QcConsol.exe 02/01/2007 1:00 AM
WP31 - Scheduled Tasks: [McDefragTask.job]C:\WINDOWS\system32\defrag.exe Never
WP31 - Scheduled Tasks: [Check Updates for Windows Live Toolbar.job]C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE 10/29/2007 6:11 PM

WP32 - Hidden File: C:\boot.ini
WP32 - Hidden File: C:\IO.SYS
WP32 - Hidden File: C:\MSDOS.SYS
WP32 - Hidden File: C:\NTDETECT.COM
WP32 - Hidden File: C:\ntldr
WP32 - Hidden File: C:\pagefile.sys
WP32 - Hidden File: C:\_NavCClt.Log
WP32 - Hidden File: C:\WINDOWS\QTFont.qfn
WP32 - Hidden File: C:\WINDOWS\WindowsShell.Manifest
WP32 - Hidden File: C:\WINDOWS\winnt.bmp
WP32 - Hidden File: C:\WINDOWS\winnt256.bmp
WP32 - Hidden File: C:\WINDOWS\{DA988749-A1CE-460A-82E1-8B94EE0CEF27}.dat
WP32 - Hidden File: C:\WINDOWS\system32\cdplayer.exe.manifest
WP32 - Hidden File: C:\WINDOWS\system32\config\default.LOG
WP32 - Hidden File: C:\WINDOWS\system32\config\default.tmp.LOG
WP32 - Hidden File: C:\WINDOWS\system32\config\SAM.LOG
WP32 - Hidden File: C:\WINDOWS\system32\config\SAM.tmp.LOG
WP32 - Hidden File: C:\WINDOWS\system32\config\SECURITY.LOG
WP32 - Hidden File: C:\WINDOWS\system32\config\SECURITY.tmp.LOG
WP32 - Hidden File: C:\WINDOWS\system32\config\software.LOG
WP32 - Hidden File: C:\WINDOWS\system32\config\software.tmp.LOG
WP32 - Hidden File: C:\WINDOWS\system32\config\system.LOG
WP32 - Hidden File: C:\WINDOWS\system32\config\system.tmp.LOG
WP32 - Hidden File: C:\WINDOWS\system32\config\TempKey.LOG
WP32 - Hidden File: C:\WINDOWS\system32\config\userdiff.LOG
WP32 - Hidden File: C:\WINDOWS\system32\config\userdifr.LOG
WP32 - Hidden File: C:\WINDOWS\system32\logonui.exe.manifest
WP32 - Hidden File: C:\WINDOWS\system32\ncpa.cpl.manifest
WP32 - Hidden File: C:\WINDOWS\system32\nwc.cpl.manifest
WP32 - Hidden File: C:\WINDOWS\system32\Restore\filelist.xml
WP32 - Hidden File: C:\WINDOWS\system32\sapi.cpl.manifest
WP32 - Hidden File: C:\WINDOWS\system32\WindowsLogon.manifest
WP32 - Hidden File: C:\WINDOWS\system32\wuaucpl.cpl.manifest
WP32 - Hidden File: C:\WINDOWS\system32\{AE65161B-21FA-412F-81C2-23B1CCEC97CB}.dat
WP32 - Hidden File: C:\Program Files\Common Files\Symantec Shared\CommonClient.dat
WP32 - Hidden File: C:\Program Files\Common Files\Symantec Shared\CommonClient_old.dat
WP32 - Hidden File: C:\Program Files\Common Files\Symantec Shared\IAM.dat
WP32 - Hidden File: C:\Program Files\Common Files\Symantec Shared\IAM_old.dat
WP32 - Hidden File: C:\Program Files\Common Files\Symantec Shared\{F093D63E-BE8E-4AD3-B2C4-7519ACDEB6BE}.dat

WP33 - File Type .AVI: [Video Clip]C:\Program Files\Windows Media Player\wmplayer.exe /prefetch:8 /Open %L
WP33 - File Type .BAT: [MS-DOS Batch File]%1 %*
WP33 - File Type .CAB: [WinZip File]C:\PROGRA~1\WINZIP\winzip32.exe %1
WP33 - File Type .CAT: [Security Catalog]rundll32.exe cryptext.dll,CryptExtOpenCAT %1
WP33 - File Type .CHM: [Compiled HTML Help file]C:\WINDOWS\hh.exe %1
WP33 - File Type .COM: [MS-DOS Application]%1 %*
WP33 - File Type .CMD: [Windows NT Command Script]%1 %*
WP33 - File Type .CSS: [Cascading Style Sheet Document]C:\PROGRA~1\MICROS~2\Office10\FRONTPG.EXE %1
WP33 - File Type .DOC: [Microsoft Word Document]C:\Program Files\Microsoft Office\Office10\WINWORD.EXE /n /dde
WP33 - File Type .DOC: [Microsoft Word Document]C:\Program Files\Microsoft Office\Office10\WINWORD.EXE /n /dde
WP33 - File Type .EML: [Internet E-Mail Message]C:\Program Files\Outlook Express\msimn.exe /eml:%1
WP33 - File Type .EXE: [Application]%1 %*
WP33 - File Type .INF: [Setup Information]C:\WINDOWS\System32\NOTEPAD.EXE %1
WP33 - File Type .JS: [JScript Script File]C:\WINDOWS\System32\WScript.exe %1 %*
WP33 - File Type .LOG: [Text Document]C:\WINDOWS\system32\NOTEPAD.EXE %1
WP33 - File Type .MSI: [Windows Installer Package]C:\WINDOWS\System32\msiexec.exe /i %1 %*
WP33 - File Type .MSG: [Outlook Item]C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE /f %1
WP33 - File Type .MID: [Winamp media file]C:\Program Files\Winamp\Winamp.exe %1
WP33 - File Type .MP3: [Winamp media file]C:\Program Files\Winamp\Winamp.exe %1
WP33 - File Type .PIF: [Shortcut to MS-DOS Program]%1 %*
WP33 - File Type .RAM: [RealPlayer Presentation]C:\Program Files\Real\RealOne Player\RealPlay.exe %1
WP33 - File Type .REG: [Registration Entries]regedit.exe %1
WP33 - File Type .RTF: [Rich Text Format]C:\Program Files\Microsoft Office\Office10\WINWORD.EXE /n /dde
WP33 - File Type .SBS: [Spyware supplemental file]C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe %1
WP33 - File Type .SCR: [Screen Saver]%1 /S
WP33 - File Type .TXT: [Text Document]C:\WINDOWS\system32\NOTEPAD.EXE %1
WP33 - File Type .URL: [Internet Shortcut]rundll32.exe ieframe.dll,OpenURL %l
WP33 - File Type .VBS: [VBScript Script File]C:\WINDOWS\System32\WScript.exe %1 %*
WP33 - File Type .VBE: [VBScript Encoded Script File]C:\WINDOWS\System32\WScript.exe %1 %*
WP33 - File Type .WSF: [Windows Script File]C:\WINDOWS\System32\WScript.exe %1 %*
WP33 - File Type .WSH: [Windows Script Host Settings File]C:\WINDOWS\System32\WScript.exe %1 %*
WP33 - File Type .XLS: [Microsoft Excel Worksheet]C:\Program Files\Microsoft Office\Office10\EXCEL.EXE /e

Memory currently in use: 62%
Physical Memory Free: 136,100 KB
Paging File Free: 578,960 KB
Virtual Memory Free: 2,054,480 KB


--
End of file
andorusan
Regular Member
 
Posts: 29
Joined: October 22nd, 2007, 8:17 pm
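The WinPatrol log above uses the HijackThis line format (O2 for browser helper objects, O4 for Run keys and startup folders, O23 for services). The following Python script is an added example, not part of andorusan's post and not code from WinPatrol or HijackThis: it parses the O2, O4 and O23 entries and flags the structural oddities a helper scans for first, such as a bare filename with no directory (Windows then resolves it through the PATH search order), an image under a Temp directory, a service with an empty vendor field, or a BHO CLSID registered with no name and no DLL. The sample lines are copied from the log above, apart from one constructed O4 entry (the `[example]` Run key pointing under Temp), which is marked as constructed in the code. A flag is a reason to look, not a verdict.

```python
"""Triage a HijackThis/WinPatrol-style startup log for structural anomalies.

Added example, not code from the thread or from either tool. It parses the
O2 (BHO), O4 (Run key) and O23 (service) line formats used in the log above
and flags entries a helper would inspect first. Every hit still needs a
manual check; nothing here is a malware verdict.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Lines copied verbatim from the WinPatrol log posted above, plus ONE constructed
# O4 entry (the "example" Run key) added to exercise the Temp-directory check.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: - {7E853D72-626A-48EC-A868-BA8D5E23E045} -
O4 - HKLM\..\Run: [HTpatch]C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [AGRSMMSG]AGRSMMSG.exe
O4 - HKLM\..\Run: [QuickTime Task]C:\Program Files\QuickTime\qttask.exe -atboottime
O4 - HKCU\..\Run: [ctfmon.exe]C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [example]C:\DOCUME~1\User\LOCALS~1\Temp\example.exe
O23 - Service: a-squared Free Service - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: SiteAdvisor Service - - C:\Program Files\SiteAdvisor\6172\SAService.exe
O23 - Service: SmartLinkService - Smart Link - slserv.exe
"""

RE_O2 = re.compile(
    r"^O2 - BHO:\s*(?P<name>.*?)\s*-\s*\{(?P<clsid>[0-9A-Fa-f-]{36})\}\s*-\s*(?P<path>.*)$"
)
RE_O4 = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$"
)
# O23 fields are separated by " - "; an empty vendor appears as " - - ", so split on
# " -" followed by a space instead of the three-character " - " (which would overlap).
RE_O23_SEP = re.compile(r" -(?= )")
# Run-key values carry arguments after the image; cut at the first executable suffix.
RE_EXE_SUFFIX = re.compile(r"\.(exe|com|scr|pif|bat|cmd)\b", re.IGNORECASE)


def executable_of(cmd: str) -> str:
    """Return the image path from a Run-key command line, dropping arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = RE_EXE_SUFFIX.search(cmd)
    return cmd[: m.end()] if m else cmd.split(" ", 1)[0]


def path_flags(path: str) -> list[str]:
    """Structural red flags for an image path taken from any entry type."""
    p = path.strip()
    if not p:
        return ["no file path"]
    flags: list[str] = []
    if "\\" not in p and "/" not in p:
        flags.append("bare filename, resolved via the PATH search order")
    low = p.lower()
    if "\\temp\\" in low or low.startswith("%temp%"):
        flags.append("runs from a Temp directory")
    return flags


@dataclass
class Finding:
    kind: str            # "O2", "O4" or "O23"
    name: str            # BHO display name, Run value name or service name
    path: str            # image path as parsed
    flags: list[str] = field(default_factory=list)


def triage(log_text: str) -> list[Finding]:
    """Return only the entries that raised at least one flag, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := RE_O2.match(line):
            f = Finding("O2", m["name"], m["path"], path_flags(m["path"]))
            if not m["name"]:
                f.flags.append("BHO registered without a display name")
        elif m := RE_O4.match(line):
            exe = executable_of(m["cmd"])
            f = Finding("O4", m["name"], exe, path_flags(exe))
        elif line.startswith("O23 - Service:"):
            rest = line[len("O23 - Service:"):]
            parts = [p.strip() for p in RE_O23_SEP.split(rest, maxsplit=2)]
            if len(parts) != 3:
                continue  # unexpected layout; leave it for manual review
            name, vendor, path = parts
            f = Finding("O23", name, path, path_flags(path))
            if not vendor:
                f.flags.append("service has no vendor string")
        else:
            continue  # R0/R1, O3, O8, O16 and the rest are not handled here
        if f.flags:
            findings.append(f)
    return findings


def report(findings: list[Finding]) -> str:
    lines = []
    for f in findings:
        lines.append(f"{f.kind:<4} {f.name or '(no name)'} -> {f.path or '(no path)'}")
        lines.extend(f"       ! {flag}" for flag in f.flags)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```

Run against the sample, the script lists the unnamed BHO with no DLL path, the `AGRSMMSG` Run key that is a bare filename, the constructed Temp entry, the SiteAdvisor service with an empty vendor field, and the SmartLinkService whose image is just `slserv.exe`. None of those is malware on its own (a bare filename is common for OEM modem and audio agents), which is why the output is a worklist rather than a fix list.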

Unread postby andorusan » October 29th, 2007, 9:17 pm

Was able to get a GMER log! Hope this helps.

Thanks,

Andrew


GMER 1.0.13.12551 - http://www.gmer.net
Rootkit scan 2007-10-29 19:13:28
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.13 ----

Code \SystemRoot\system32\drivers\mfehidk.sys ZwCreateKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwCreateProcess
Code \SystemRoot\system32\drivers\mfehidk.sys ZwCreateProcessEx
Code \SystemRoot\system32\drivers\mfehidk.sys ZwDeleteKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwDeleteValueKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwEnumerateKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwEnumerateValueKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwNotifyChangeKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwOpenKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys ZwOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys ZwQueryKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwQueryMultipleValueKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwQueryValueKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwRenameKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwReplaceKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwRestoreKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwSetContextThread
Code \SystemRoot\system32\drivers\mfehidk.sys ZwSetInformationProcess
Code \SystemRoot\system32\drivers\mfehidk.sys ZwSetValueKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwTerminateProcess
Code \SystemRoot\system32\drivers\mfehidk.sys ZwUnloadKey
Code \SystemRoot\system32\drivers\mfehidk.sys NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys NtSetInformationProcess

---- User code sections - GMER 1.0.13 ----

.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1368] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 0041C340 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1368] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 0041C3C0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [F38B82C7] mfehidk.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_NAMED_PIPE [F38B82C7] mfehidk.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE [F38B82C7] mfehidk.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [F38B82C7] mfehidk.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE [F38B82C7] mfehidk.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION [F38B82C7] mfehidk.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION [F38B82C7] mfehidk.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA [F38B82C7] mfehidk.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA [F38B82C7] mfehidk.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS [F38B82C7] mfehidk.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [F38B82C7] mfehidk.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION [F38B82C7] mfehidk.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL [F38B82C7] mfehidk.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL [F38B82C7] mfehidk.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL [F38B82C7] mfehidk.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_INTERNAL_DEVICE_CONTROL [F38B82C7] mfehidk.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN [F38B82C7] mfehidk.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL [F38B82C7] mfehidk.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP [F38B82C7] mfehidk.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_MAILSLOT [F38B82C7] mfehidk.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY [F38B82C7] mfehidk.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY [F38B82C7] mfehidk.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_POWER [F38B82C7] mfehidk.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SYSTEM_CONTROL [F38B82C7] mfehidk.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CHANGE [F38B82C7] mfehidk.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA [F38B82C7] mfehidk.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA [F38B82C7] mfehidk.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_NAMED_PIPE [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_READ [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_WRITE [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_INFORMATION [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_INFORMATION [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_EA [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_EA [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_FLUSH_BUFFERS [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_VOLUME_INFORMATION [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_VOLUME_INFORMATION [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DIRECTORY_CONTROL [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_FILE_SYSTEM_CONTROL [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_LOCK_CONTROL [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_MAILSLOT [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_SECURITY [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_SECURITY [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_POWER [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SYSTEM_CONTROL [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CHANGE [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_QUOTA [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_QUOTA [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_NAMED_PIPE [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_READ [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_WRITE [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_INFORMATION [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_INFORMATION [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_EA [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_EA [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_FLUSH_BUFFERS [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_VOLUME_INFORMATION [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_VOLUME_INFORMATION [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DIRECTORY_CONTROL [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_FILE_SYSTEM_CONTROL [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_LOCK_CONTROL [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_MAILSLOT [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_SECURITY [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_SECURITY [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_POWER [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SYSTEM_CONTROL [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CHANGE [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_QUOTA [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_QUOTA [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_NAMED_PIPE [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_READ [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_WRITE [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_INFORMATION [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_INFORMATION [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_EA [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_EA [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_FLUSH_BUFFERS [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_VOLUME_INFORMATION [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_VOLUME_INFORMATION [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_DIRECTORY_CONTROL [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_FILE_SYSTEM_CONTROL [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_LOCK_CONTROL [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_MAILSLOT [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_SECURITY [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_SECURITY [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_POWER [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SYSTEM_CONTROL [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CHANGE [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_QUOTA [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_QUOTA [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_NAMED_PIPE [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_READ [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_WRITE [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_INFORMATION [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_INFORMATION [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_EA [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_EA [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_FLUSH_BUFFERS [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_VOLUME_INFORMATION [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_VOLUME_INFORMATION [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_DIRECTORY_CONTROL [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_FILE_SYSTEM_CONTROL [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_LOCK_CONTROL [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_MAILSLOT [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_SECURITY [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_SECURITY [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_POWER [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SYSTEM_CONTROL [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CHANGE [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_QUOTA [F39FC10E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_QUOTA [F39FC10E] Mpfp.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE [F38B82C7] mfehidk.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_NAMED_PIPE [F38B82C7] mfehidk.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLOSE [F38B82C7] mfehidk.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_READ [F38B82C7] mfehidk.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_WRITE [F38B82C7] mfehidk.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_INFORMATION [F38B82C7] mfehidk.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_INFORMATION [F38B82C7] mfehidk.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_EA [F38B82C7] mfehidk.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_EA [F38B82C7] mfehidk.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FLUSH_BUFFERS [F38B82C7] mfehidk.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_VOLUME_INFORMATION [F38B82C7] mfehidk.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_VOLUME_INFORMATION [F38B82C7] mfehidk.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DIRECTORY_CONTROL [F38B82C7] mfehidk.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FILE_SYSTEM_CONTROL [F38B82C7] mfehidk.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CONTROL [F38B82C7] mfehidk.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_INTERNAL_DEVICE_CONTROL [F38B82C7] mfehidk.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SHUTDOWN [F38B82C7] mfehidk.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_LOCK_CONTROL [F38B82C7] mfehidk.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLEANUP [F38B82C7] mfehidk.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_MAILSLOT [F38B82C7] mfehidk.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_SECURITY [F38B82C7] mfehidk.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_SECURITY [F38B82C7] mfehidk.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_POWER [F38B82C7] mfehidk.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SYSTEM_CONTROL [F38B82C7] mfehidk.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CHANGE [F38B82C7] mfehidk.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_QUOTA [F38B82C7] mfehidk.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_QUOTA [F38B82C7] mfehidk.sys

---- Registry - GMER 1.0.13 ----

Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@??????????????cdfview.dll?
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Control\Class\{CE5939AE-EBDE-11D0-B181-0000F8753EC4}@??
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Enum\USB\Vid_03f0&Pid_3d11&MI_00\6&acc4c24&2&0000@??
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Enum\USB\Vid_03f0&Pid_3d11&MI_00\6&acc4c24&2&0000@??
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Enum\USB\Vid_03f0&Pid_3d11&MI_00\6&acc4c24&2&0000@??
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Enum\USB\Vid_03f0&Pid_3d11&MI_00\6&acc4c24&2&0000@??
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_BITS\0000@????
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Enum\USB\Vid_03f0&Pid_3d11&MI_00\6&acc4c24&2&0000@??
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Enum\USB\Vid_03f0&Pid_3d11&MI_00\6&acc4c24&2&0000@??
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Enum\USB\Vid_03f0&Pid_3d11&MI_00\6&acc4c24&2&0000@??
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Control\Class\{CE5939AE-EBDE-11D0-B181-0000F8753EC4}@??
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Enum\USB\Vid_03f0&Pid_3d11&MI_00\6&acc4c24&2&0000@??
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Enum\USB\Vid_03f0&Pid_3d11&MI_00\6&acc4c24&2&0000@??
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Enum\USB\Vid_03f0&Pid_3d11&MI_00\6&acc4c24&2&0000@??
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Enum\USB\Vid_03f0&Pid_3d11&MI_00\6&acc4c24&2&0000@??
Reg \Registry\USER\S-1-5-21-1417001333-2111687655-725345543-1003\Control Panel\Appearance\New Schemes\21\Sizes\2@???
Reg \Registry\USER\S-1-5-21-1417001333-2111687655-725345543-1003\Control Panel\Appearance\New Schemes\21\Sizes\2@???
Reg \Registry\USER\S-1-5-21-1417001333-2111687655-725345543-1003\Control Panel\Appearance\New Schemes\21\Sizes\2@???
Reg \Registry\USER\S-1-5-21-1417001333-2111687655-725345543-1003\Software\Disney Interactive\Disney's Magic Artist Deluxe\1.0@??????
Reg \Registry\USER\S-1-5-21-1417001333-2111687655-725345543-1003\Software\Microsoft\MediaPlayer\Player\PlaylistColumnInfo2\CDPlaylist@?????
Reg \Registry\USER\S-1-5-21-1417001333-2111687655-725345543-1003\Software\Microsoft\Office\10.0\Common\Assistant@??????????
Reg \Registry\USER\S-1-5-21-1417001333-2111687655-725345543-1003\Software\Microsoft\Office\10.0\Common\Open Find\Microsoft Word\Settings\Insert Picture\File Name MRU@???????
Reg \Registry\USER\S-1-5-21-1417001333-2111687655-725345543-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\0\3\0\1\8\1@????
Reg \Registry\USER\S-1-5-21-1417001333-2111687655-725345543-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\304\Shell@???

---- EOF - GMER 1.0.13 ----
andorusan
Regular Member
 
Posts: 29
Joined: October 22nd, 2007, 8:17 pm

Unread postby beynac » October 30th, 2007, 5:56 am

Good morning.

Don't give up - I'm desperate to get this fixed!!

Don't worry. I'm not about to give up on this. The GMER scan is a bit strange. There are a number of items which should appear on it, but don't. A lot of these are connected to our old friend kernel32.dll. There doesn't seem to be any malware (except for a bit of minor adware) on the computer. We have now run two rootkit scans and both came up clean.

At the start of this I asked you to run the System File Checker. I would still like you to do this if possible. From what you say, you haven't got an original system disk. The system files are often retained on the computer after installation. Have you got a folder called C:\i386? If so, please do the following. If not, please let me know.

-----------------------------------------

Back up the Windows Registry
  • Download Erunt to your desktop from here
  • Double-click on the file to install the program
  • Untick the NTREGOPT desktop shortcut option
  • Click No when you get the option to run Erunt at Windows startup.
  • During the installation, tick Launch Erunt
  • Accept the defaults for running a backup
  • Erunt will then back up your registry
-------------------------------------

Select the following text (make sure that you get it all), right-click and click Copy to copy it to your clipboard.

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup /v SourcePath /d C:\ /f

Click on Start then Run. Type cmd to open a command prompt. Right-click on the black window and select Paste. You should get a message informing you that the operation completed successfully. Close the Command Prompt window.

This will tell the System File Checker to look in the i386 folder for any files it needs.

Go to Start > Run, enter sfc /scannow (note the space between the "c" and "/" ) and click on OK.

This will look for and attempt to replace any corrupt system files that can be found.

Please let me know how you get on. If you are unsure of any of this, please stop and ask. In the meantime, I am going to ask my colleagues for some help with your problem.
Last edited by beynac on October 30th, 2007, 8:40 am, edited 1 time in total.
User avatar
beynac
MRU Honors Grad Emeritus
 
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England
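The SourcePath and sfc /scannow steps from the post above, collected into one script as an added example (this is not part of beynac's post or the site's own instructions). It assumes Windows XP, an Administrator account and that C:\i386 is a copy of the i386 folder from an XP CD of the same edition and service pack level. The ServicePackSourcePath value and the txtsetup.sif check are additions beyond what the post asks for.

```batch
@echo off
rem Added example, not part of beynac's post: point System File Checker at a
rem local copy of the installation files and run it. Assumes Windows XP, an
rem Administrator account, and that C:\i386 holds the i386 folder copied from
rem an XP CD of the same edition (Home/Professional) and service pack level.
setlocal

set "SRC=C:\"
set "KEY=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup"

rem txtsetup.sif is present in every genuine i386 folder; if it is missing
rem the folder is incomplete and SFC will keep asking for the CD.
if not exist "%SRC%i386\txtsetup.sif" (
    echo No usable i386 folder found at %SRC%i386 - use the XP CD instead.
    exit /b 1
)

rem Show the current values first so they can be restored afterwards.
reg query "%KEY%" /v SourcePath
reg query "%KEY%" /v ServicePackSourcePath

rem SFC appends \i386 to the stored path itself, so store the parent folder.
rem The path is deliberately unquoted: a trailing backslash before a closing
rem quote ("C:\") is read by reg.exe as an escaped quote and misparsed.
reg add "%KEY%" /v SourcePath /t REG_SZ /d %SRC% /f
reg add "%KEY%" /v ServicePackSourcePath /t REG_SZ /d %SRC% /f

rem Check every protected system file against its catalogue and replace any
rem that fail. A prompt for the CD means a file is not in the local source.
sfc /scannow

endlocal
```

Save it as a .cmd file and run it from an Administrator account. sfc on XP does not write a report file, but any file it replaces through Windows File Protection is recorded in the System event log under the source "Windows File Protection", which is the place to look afterwards for what, if anything, was restored.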

Unread postby andorusan » October 30th, 2007, 7:17 am

Howdy beynac,

The system file checker didn't work - wanted a CD even after I told it where to look.

I was able to back up the system files.

I think I have windows XP CDs at work. If I can't find them in the computer room - then I'll check with informatics with whom I'm friendly.

Always be on good terms with the tech geeks at work ;)

I'll let you know what I have in 8 hours.

Thanks,

Andrew
andorusan
Regular Member
 
Posts: 29
Joined: October 22nd, 2007, 8:17 pm

Unread postby beynac » October 30th, 2007, 9:06 am

Hi Andrew.

Make sure that you use a disc with the correct version of XP (Home or Professional).
User avatar
beynac
MRU Honors Grad Emeritus
 
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England

Unread postby andorusan » October 30th, 2007, 9:56 am

I've got an installation disk - is that what I need? Or should I have some kind of utility disk?
andorusan
Regular Member
 
Posts: 29
Joined: October 22nd, 2007, 8:17 pm

Unread postby beynac » October 30th, 2007, 10:00 am

If it's a Windows XP installation disk for the same version, it should be fine. Let me know how you get on.
User avatar
beynac
MRU Honors Grad Emeritus
 
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England

Unread postby andorusan » October 30th, 2007, 4:27 pm

Hi Beynac,

I ran SFC and it seemed to work. Every time it wanted the CD I clicked retry and it seemed to take info from the disk. Still can't run HJT or open notepad.

Is there a report somewhere for me to look at for SFC?

Thanks,

Andrew
andorusan
Regular Member
 
Posts: 29
Joined: October 22nd, 2007, 8:17 pm

Unread postby beynac » October 30th, 2007, 4:42 pm

Hi Andrew.

Well at least we've eliminated something else. :) I don't think that there is a report for SFC. I have asked for help with this - it's got me stumped at the moment. I'll let you know as soon as I hear anything. In the meantime, I'll keep looking into it.

There's one thing that I would like you to try. There should be two copies of Notepad on an XP computer. I would like to know whether both of them are not working.

Click Start then Run. Copy/paste the following into the text box and click OK:

C:\Windows\System32\notepad.exe

If Notepad opens, close it and then repeat the exercise with the following:

C:\Windows\notepad.exe

Please let me know if either, or both, of them work. I am trying to find out whether Notepad is corrupted or if something is preventing it from opening.
User avatar
beynac
MRU Honors Grad Emeritus
 
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England
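A way to answer the question the post above is asking (corrupted file, or something stopping it from opening) in one go, as an added example that is not part of beynac's post. It compares both Notepad copies byte for byte against the Windows File Protection cache copy, which XP keeps in %SystemRoot%\system32\dllcache, and then checks for an Image File Execution Options entry for notepad.exe, a common way for a program launch to be redirected or blocked while the file itself is intact. It assumes the dllcache copy is still present and is itself trustworthy.

```batch
@echo off
rem Added example, not part of beynac's post: check whether the two Notepad
rem copies on an XP system are intact, and whether something is redirecting
rem them, so a corrupted binary can be told apart from a blocked launch.
rem Assumes the Windows File Protection cache copy still exists at
rem %SystemRoot%\system32\dllcache\notepad.exe and can be trusted.
setlocal
set "CACHE=%SystemRoot%\system32\dllcache\notepad.exe"
set "IFEO=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

if not exist "%CACHE%" (
    echo No dllcache copy of notepad.exe - nothing trusted to compare against.
    exit /b 1
)

for %%F in ("%SystemRoot%\notepad.exe" "%SystemRoot%\system32\notepad.exe") do (
    if not exist %%F (
        echo MISSING  %%~F
    ) else (
        rem fc /b compares byte by byte and sets errorlevel 0 only when the
        rem two files are identical.
        fc /b %%F "%CACHE%" >nul 2>&1
        if errorlevel 1 (
            echo DIFFERS  %%~F  does not match the dllcache copy
        ) else (
            echo OK       %%~F  identical to the dllcache copy
        )
    )
)

rem A Debugger value under Image File Execution Options makes Windows start
rem that program instead of notepad.exe, so a launch can fail or be hijacked
rem even though the file on disk is fine.
reg query "%IFEO%\notepad.exe" >nul 2>&1
if errorlevel 1 (
    echo No Image File Execution Options entry for notepad.exe
) else (
    echo WARNING: IFEO entry found for notepad.exe - inspect its Debugger value:
    reg query "%IFEO%\notepad.exe"
)
endlocal
```

Run it from a command prompt so the output stays on screen. Two OK lines with no IFEO entry point away from file corruption and towards something else intercepting the launch; a DIFFERS line means the copy is not the one Windows File Protection expects and is a candidate for replacement from the cache or the CD.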