06-30-2009, 06:02 PM   #3
bildo1
Registered User
 
Join Date: Jun 2009
Posts: 6
OS: Vista Home Premium


Re: ntoskrnl-hook trojan

Thank you for the quick follow-up. Here is the ComboFix log.


ComboFix 09-06-29.07 - Bill 06/30/2009 19:35.10 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.894.335 [GMT -4:00]
Running from: c:\users\Bill\Desktop\Combo-Fix.exe
"Command switches used" :: "/killall" "| SED "s/\x22//g"
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
SP: McAfee VirusScan *disabled* (Updated) {C78B3C70-4777-4742-BB91-9D615CC575E6}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *disabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\hjgruitahcfloi.sys
c:\windows\system32\hjgruidtjgrnhr.dll
c:\windows\system32\hjgruifppqulwc.dat
c:\windows\system32\hjgruijmodmevj.dll
c:\windows\system32\hjgruiwjfvmqbj.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_hjgruiauysmamj
-------\Service_hjgruiauysmamj


((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-06-30 )))))))))))))))))))))))))))))))
.

2009-06-30 23:46 . 2009-06-30 23:50 -------- d-----w- c:\users\Bill\AppData\Local\temp
2009-06-30 23:30 . 2009-06-30 23:30 -------- d-sh--w- C:\found.000
2009-06-29 20:21 . 2009-06-29 20:21 -------- d-----w- c:\users\Bill\DoctorWeb
2009-06-29 18:18 . 2009-06-29 18:18 -------- d-----w- c:\windows\McAfee.com
2009-06-29 17:15 . 2009-06-29 17:15 30720 ---ha-w- c:\windows\system32\drivers\rootrepeal3.sys
2009-06-29 16:45 . 2009-06-29 16:45 30720 ---ha-w- c:\windows\system32\drivers\rootrepeal2.sys
2009-06-29 14:53 . 2009-06-30 23:50 117760 ----a-w- c:\users\Bill\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-29 14:53 . 2009-06-29 14:53 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2009-06-29 14:48 . 2009-06-29 14:48 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-29 14:48 . 2009-06-29 14:48 -------- d-----w- c:\users\Bill\AppData\Roaming\SUPERAntiSpyware.com
2009-06-29 14:47 . 2009-06-29 14:47 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-29 03:27 . 2009-06-29 03:35 -------- d-----w- C:\MGtools
2009-06-29 00:42 . 2009-06-29 00:42 35 ----a-w- c:\users\Bill\AppData\Roaming\SetValue.bat
2009-06-29 00:22 . 2009-06-29 00:22 -------- d-----w- c:\users\Bill\AppData\Roaming\Malwarebytes
2009-06-29 00:22 . 2009-06-17 15:27 38160 ---ha-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-29 00:22 . 2009-06-29 00:22 -------- d-----w- c:\programdata\Malwarebytes
2009-06-29 00:22 . 2009-06-29 00:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-29 00:22 . 2009-06-17 15:27 19096 ---ha-w- c:\windows\system32\drivers\mbam.sys
2009-06-14 00:03 . 2009-04-30 12:42 428032 ----a-w- c:\windows\system32\EncDec.dll
2009-06-14 00:03 . 2009-04-30 12:52 292352 ----a-w- c:\windows\system32\psisdecd.dll
2009-06-14 00:03 . 2009-04-30 12:44 1244672 ----a-w- c:\windows\system32\mcmde.dll
2009-06-10 14:39 . 2009-04-21 12:04 2028032 ----a-w- c:\windows\system32\win32k.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-30 22:21 . 2008-11-19 02:07 -------- d-----w- c:\users\Bill\AppData\Roaming\LimeWire
2009-06-30 16:40 . 2008-06-11 19:51 -------- d-----w- c:\programdata\Google Updater
2009-06-29 16:43 . 2009-02-07 03:10 1356 ----a-w- c:\users\Bill\AppData\Local\d3d9caps.dat
2009-06-29 00:42 . 2009-06-29 00:42 691 ----a-w- c:\users\Bill\AppData\Roaming\GetValue.vbs
2009-06-11 12:33 . 2006-12-06 10:48 -------- d-----w- c:\program files\Microsoft Works
2009-05-27 15:37 . 2009-05-27 15:37 -------- d-----w- c:\programdata\TomTom
2009-05-27 15:37 . 2009-05-27 15:37 -------- d-----w- c:\users\Bill\AppData\Roaming\TomTom
2009-05-27 15:37 . 2009-05-27 15:37 -------- d-----w- c:\program files\TomTom International B.V
2009-05-27 15:36 . 2009-05-27 15:36 -------- d-----w- c:\program files\TomTom HOME 2
2009-05-27 15:35 . 2009-05-27 15:35 -------- d-----w- c:\program files\TomTom DesktopSuite
2009-05-20 14:03 . 2009-05-20 14:03 -------- d-----w- c:\programdata\HP Product Assistant
2009-05-20 13:59 . 2006-12-06 10:40 319456 ----a-w- c:\windows\DIFxAPI.dll
2009-05-20 13:58 . 2006-12-06 10:40 -------- d-----w- c:\program files\Realtek
2009-05-20 13:58 . 2009-05-20 13:58 315392 ----a-w- c:\windows\HideWin.exe
2009-05-19 05:36 . 2009-06-18 01:04 2884832 ------w- c:\programdata\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\vwpt.exe
2009-05-19 05:36 . 2009-06-18 01:04 28 ------w- c:\programdata\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\unregister.bat
2009-05-19 05:36 . 2009-06-18 01:04 25 ------w- c:\programdata\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\register.bat
2009-05-19 05:36 . 2009-06-18 01:04 1484856 ------w- c:\programdata\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\toolbar.exe
2009-05-19 05:36 . 2009-06-18 01:04 97072 ------w- c:\programdata\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\bsetutil.exe
2009-05-19 05:36 . 2009-06-18 01:04 142040 ------w- c:\programdata\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\alsetup.exe
2009-05-19 05:36 . 2009-06-18 01:04 30512 ------w- c:\programdata\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\Uninstaller.exe
2009-05-19 05:36 . 2009-06-18 01:04 111920 ------w- c:\programdata\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\AOLSearch.dll
2009-05-15 12:13 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-04-24 16:22 . 2009-06-10 14:38 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-24 16:14 . 2009-06-10 14:38 56320 ----a-w- c:\windows\system32\iesetup.dll
2009-04-24 16:14 . 2009-06-10 14:38 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-24 16:11 . 2009-06-10 14:38 72704 ----a-w- c:\windows\system32\admparse.dll
2009-04-24 13:53 . 2009-06-10 14:38 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-04-24 12:25 . 2009-06-10 14:38 48128 ----a-w- c:\windows\system32\mshtmler.dll
2009-04-23 13:01 . 2009-06-10 14:38 788992 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-23 12:56 . 2009-06-10 14:38 696832 ----a-w- c:\windows\system32\localspl.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-06-29_19.12.32 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-12-06 10:38 . 2009-06-30 23:35 65918 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-06-30 23:51 67936 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2007-02-07 03:24 . 2009-06-30 23:51 12914 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3894153940-1004314661-1835172318-1000_UserData.bin
+ 2007-02-07 00:30 . 2009-06-30 22:58 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2007-02-07 00:30 . 2009-06-29 18:56 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2007-02-07 00:30 . 2009-06-29 18:56 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2007-02-07 00:30 . 2009-06-30 22:58 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2007-02-07 00:30 . 2009-06-30 22:58 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2007-02-07 00:30 . 2009-06-29 18:56 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2007-02-07 03:16 . 2009-06-28 13:30 3142 c:\windows\System32\WDI\ERCQueuedResolutions.dat
+ 2007-02-07 03:16 . 2009-06-30 07:53 3142 c:\windows\System32\WDI\ERCQueuedResolutions.dat
+ 2009-06-30 23:48 . 2009-06-30 23:48 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-06-30 23:48 . 2009-06-30 23:48 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2006-11-02 10:33 . 2009-06-30 23:40 618410 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2009-06-30 23:40 103818 c:\windows\System32\perfc009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-10 1232896]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-11 68856]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-04-24 251240]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-06-23 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2006-09-28 65536]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2006-11-21 35328]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-09 645328]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2006-11-02 215552]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-23 13539872]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-23 92704]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2008-01-15 4874240]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
HP Connections.lnk - c:\program files\HP Connections\6811507\Program\HP Connections.exe [2006-12-6 34520]
HP Digital Imaging Monitor.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfehidk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001
"AntiVirusDisableNotify"="0x00000000"
"UpdatesDisableNotify"="0x00000000"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiSpywareOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{F4A58D1D-2CA8-4CBB-93A8-D8C58A609B56}"= UDP:c:\program files\HP Connections\6811507\Program\HP Connections.exe:HP Connections
"{494A0034-C164-4D1C-B055-62161FE104B9}"= TCP:c:\program files\HP Connections\6811507\Program\HP Connections.exe:HP Connections
"{1D330436-B627-49F2-A720-776DA9993972}"= UDP:c:\program files\HP Connections\6811507\Program\HP Connections.exe:HP Connections
"{00A32700-EC97-46F4-8EF2-7BBEBEF6820C}"= TCP:c:\program files\HP Connections\6811507\Program\HP Connections.exe:HP Connections
"{6510483C-5A38-4254-842D-97B93A2CD46F}"= c:\program files\HP Connections\6811507\Program\HP Connections:HP Connections
"{87B1FF95-8300-4339-B548-4A797EF9C780}"= UDP:c:\program files\HP Connections\6811507\Program\HP Connections.exe:HP Connections
"{DBEB81E1-64DC-493F-9AAA-A7EB76640D9E}"= TCP:c:\program files\HP Connections\6811507\Program\HP Connections.exe:HP Connections
"{A8EF4AF7-133A-4B37-9825-07F9350B9DDB}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{D328B60A-42A0-4C80-ACD0-E158740EAFA6}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{7DB51BF5-1A70-47B7-AED0-672033451E22}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{EFF7F79B-BDCC-472E-B70F-76572D54DB8B}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{D3A83F63-FC55-4F6D-90B7-610EA8A3DE75}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{3AFCA708-C472-40C1-9C13-0B42DB9AAA3D}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{BF9ABCD6-FC4F-4204-A9A1-7855EB1B683A}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{68DEE4F5-2EAD-4337-A167-0AFD08904DF5}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{71E66A83-E890-40E8-AE95-83EBB3E4BA78}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{7B28B094-8D9F-4A85-8F79-3146E1D74428}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{BB659196-FE93-4895-AF93-E118B61BA9F6}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{72188E16-282F-403F-A59D-FCBCA56A6E13}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{9F472A69-C848-4BE6-B6EE-BF5066CDDD0D}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{096B7C0B-BED0-4A8E-908F-98F042587B0A}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{54AF8D08-8824-4301-B3AA-9981CD4C92DD}"= UDP:c:\program files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"{B1C9E989-B937-4DF1-93D4-1B38D43A3455}"= TCP:c:\program files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"{49052ACE-54C0-4059-85BC-99ABCEFAC9C4}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{C4B1C2C7-EB73-42E2-BF63-BF0F92BC07EE}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{C445F929-033A-4AD5-AD99-60178F4E12A5}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{CC8FB4E7-D2A7-428B-A5FE-6598ABDFDE7F}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{027BB4A2-3B64-4909-94F9-4AC188AFE152}"= Disabled:UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{442DE6D0-62BA-4C00-A9FD-257DC88C7234}"= Disabled:TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{8EADED8A-0781-4335-ACB1-670569DF3FB5}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= c:\program files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 72944]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [4/24/2009 7:57 AM 92008]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]
S3 rootrepeal2;rootrepeal2;c:\windows\System32\drivers\rootrepeal2.sys [6/29/2009 12:45 PM 30720]
S3 rootrepeal3;rootrepeal3;c:\windows\System32\drivers\rootrepeal3.sys [6/29/2009 1:15 PM 30720]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
.
Contents of the 'Scheduled Tasks' folder

2009-06-30 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-06-11 04:15]

2009-06-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2009-04-05 14:53]

2009-06-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2009-04-05 14:53]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Bill\AppData\Roaming\Mozilla\Firefox\Profiles\kekd6eon.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - yahoo.com
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\users\Bill\AppData\Roaming\Mozilla\Firefox\Profiles\kekd6eon.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000004.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-30 19:49
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\nvvsvc.exe
c:\windows\System32\audiodg.exe
c:\windows\System32\rundll32.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\microsoft shared\VS7Debug\mdm.exe
c:\windows\System32\rundll32.exe
c:\windows\System32\drivers\XAudio.exe
c:\windows\System32\WUDFHost.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqste08.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\Common Files\McAfee\MNA\McNASvc.exe
c:\program files\McAfee\MPF\MpfSrv.exe
.
**************************************************************************
.
Completion time: 2009-06-30 19:58 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-30 23:57
ComboFix2.txt 2009-06-29 23:52
ComboFix3.txt 2009-06-29 23:38
ComboFix4.txt 2009-06-29 23:19
ComboFix5.txt 2009-06-30 23:18

Pre-Run: 185,019,265,024 bytes free
Post-Run: 184,735,674,368 bytes free

290 --- E O F --- 2009-06-29 15:44