07-05-2009, 01:04 PM   #3
KNewman
Registered User
 
Join Date: Jun 2009
Posts: 16
OS: XP


Re: NTOSKRNL-HOOK malware

Hello, Chemist

Here's the ComboFix.txt log.

I also ran into a problem restoring my internet connection. The repair didn't work; the message is:

Windows could not finish repairing the problem because the following action cannot be completed: Renewing your IP address.

Any advice on how to renew an IP address?

ComboFix 09-07-04.09 - Bob 07/05/2009 13:23.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.255.50 [GMT -5:00]
Running from: f:\documents and settings\Bob\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Installer\1063ad6.msi
c:\windows\Installer\17a06ae.msi
c:\windows\Installer\17a0796.msp
c:\windows\Installer\1a8a316.msp
c:\windows\Installer\23e03.msi
c:\windows\Installer\28d184e.msi
c:\windows\Installer\2a0e3.msp
c:\windows\Installer\3073b2d.msi
c:\windows\Installer\3e4a7.msi
c:\windows\Installer\463b4.msi
c:\windows\Installer\4a581e.msi
c:\windows\Installer\61c880.msi
c:\windows\Installer\6e4c7.msi
c:\windows\Installer\758710.msi
c:\windows\Installer\758777.msp
c:\windows\Installer\758804.msp
c:\windows\Installer\758809.msi
c:\windows\Installer\85593.msp
c:\windows\Installer\855a8.msp
c:\windows\Installer\855bd.msp
c:\windows\Installer\855d2.msp
c:\windows\Installer\855e8.msp
c:\windows\Installer\a49375.msp
c:\windows\Installer\a4938a.msp
c:\windows\Installer\a4939f.msp
c:\windows\Installer\a493d3.msp
c:\windows\Installer\a493ea.msp
c:\windows\Installer\a49400.msp
c:\windows\Installer\a49414.msp
c:\windows\Installer\b0f93.msp
c:\windows\Installer\b0fa8.msp
c:\windows\Installer\b5d8e7a.msi
c:\windows\Installer\b5d8e8b.msi
c:\windows\Installer\b5d8ef2.msi
c:\windows\Installer\b5d8ef7.msi
c:\windows\Installer\c13a.msi
c:\windows\Installer\dfc1f1.msi
c:\windows\Installer\dfc1f2.msi
c:\windows\Installer\f0554.msi
c:\windows\Installer\f055e.msi
f:\windows\system32\Data
f:\windows\system32\drivers\beep.sys
f:\windows\system32\drivers\hjgruixufrlldk.sys
f:\windows\system32\drivers\null.sys
f:\windows\system32\hjgruibxvjdmba.dat
f:\windows\system32\hjgruimxbnykrw.dll
f:\windows\system32\hjgruioqoyppkb.dat
f:\windows\system32\hjgruivbuthqdi.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_hjgruisfthpyme
-------\Service_hjgruisfthpyme


((((((((((((((((((((((((( Files Created from 2009-06-05 to 2009-07-05 )))))))))))))))))))))))))))))))
.

2009-06-28 16:12 . 2009-06-28 16:12 152576 ----a-w- f:\documents and settings\Bob\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-06-28 00:26 . 2009-06-27 22:34 15688 ----a-w- f:\windows\system32\lsdelete.exe
2009-06-27 22:35 . 2009-06-27 22:34 64160 ----a-w- f:\windows\system32\drivers\Lbd.sys
2009-06-27 22:31 . 2009-03-12 08:17 2902048 -c--a-w- f:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe
2009-06-27 22:31 . 2009-06-27 22:31 -------- dc-h--w- f:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-27 18:46 . 2009-06-27 18:46 -------- d-----w- f:\documents and settings\Bob\Application Data\McAfee
2009-06-27 18:46 . 2009-06-27 18:46 49152 ----a-r- f:\documents and settings\Bob\Application Data\Microsoft\Installer\{FCC07EEA-FA18-4A21-9105-9666603C6885}\IconFCC07EEA1.exe
2009-06-27 18:46 . 2009-06-27 18:46 49152 ----a-r- f:\documents and settings\Bob\Application Data\Microsoft\Installer\{FCC07EEA-FA18-4A21-9105-9666603C6885}\IconFCC07EEA.exe
2009-06-11 02:54 . 2009-04-30 21:22 12800 -c----w- f:\windows\system32\dllcache\xpshims.dll
2009-06-11 02:54 . 2009-04-30 21:22 246272 -c----w- f:\windows\system32\dllcache\ieproxy.dll
2009-06-09 00:52 . 2009-06-09 00:52 60744 ----a-w- f:\documents and settings\Bob\g2mdlhlpx.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-05 18:36 . 2009-03-07 16:38 720 ----a-w- f:\documents and settings\All Users\Application Data\ArcSoft\kodak-printcreations-22-080812-oem\acforall.dll
2009-06-29 22:44 . 2009-06-27 22:34 0 ----a-w- f:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-06-29 22:43 . 2009-06-27 22:34 25440 ----a-w- f:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll
2009-06-29 22:42 . 2009-06-27 22:34 169312 ----a-w- f:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-06-29 22:42 . 2009-06-27 22:34 348496 ----a-w- f:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2009-06-29 22:42 . 2009-06-27 22:34 298336 ----a-w- f:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2009-06-29 22:42 . 2009-06-27 22:34 84832 ----a-w- f:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2009-06-29 22:42 . 2009-06-27 22:34 1630560 ----a-w- f:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-06-29 22:40 . 2009-06-27 22:34 246128 ----a-w- f:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-06-29 22:40 . 2009-06-27 22:34 40288 ----a-w- f:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-06-29 22:40 . 2009-06-27 22:34 85352 ----a-w- f:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\AAWDriverTool.exe
2009-06-29 22:40 . 2009-06-27 22:34 664424 ----a-w- f:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-06-29 22:40 . 2009-06-27 22:34 563064 ----a-w- f:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-06-29 22:39 . 2009-06-27 22:34 566632 ----a-w- f:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-06-29 22:39 . 2009-06-27 22:34 2352968 ----a-w- f:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-06-29 22:39 . 2009-06-27 22:34 629072 ----a-w- f:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWWSC.exe
2009-06-29 22:38 . 2009-06-27 22:34 520024 ----a-w- f:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-06-29 22:38 . 2009-06-27 22:34 1029456 ----a-w- f:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-06-29 02:03 . 2006-06-01 19:29 -------- d--h--w- f:\program files\InstallShield Installation Information
2009-06-28 16:13 . 2006-06-24 22:08 -------- d-----w- f:\program files\Java
2009-06-27 22:34 . 2009-06-27 22:34 15688 ----a-w- f:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-06-27 22:34 . 2009-06-27 22:34 64160 ----a-w- f:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys
2009-06-27 22:31 . 2008-02-09 03:25 -------- d-----w- f:\program files\Lavasoft
2009-06-27 22:31 . 2008-02-09 03:25 -------- d-----w- f:\documents and settings\All Users\Application Data\Lavasoft
2009-06-27 19:28 . 2008-01-19 16:20 -------- d-----w- f:\documents and settings\Bob\Application Data\SiteAdvisor
2009-06-27 18:46 . 2008-01-19 16:17 -------- d-----w- f:\program files\McAfee
2009-06-27 18:46 . 2008-01-19 16:16 -------- d-----w- f:\documents and settings\All Users\Application Data\McAfee
2009-06-01 00:57 . 2009-06-01 00:57 -------- d-----w- f:\program files\Citrix
2009-05-13 05:15 . 2004-08-04 12:00 915456 ----a-w- f:\windows\system32\wininet.dll
2009-05-10 11:15 . 2006-06-01 22:23 52872 -c--a-w- f:\documents and settings\Bob\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-10 00:59 . 2009-05-10 00:59 -------- d-----w- f:\program files\MSBuild
2009-05-10 00:58 . 2009-05-10 00:58 -------- d-----w- f:\program files\Reference Assemblies
2009-05-10 00:21 . 2009-05-10 00:22 170952 ----a-w- f:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
2009-05-07 15:32 . 2004-08-04 12:00 345600 ----a-w- f:\windows\system32\localspl.dll
2009-05-07 01:37 . 2009-05-07 01:37 -------- d-----w- f:\program files\LibUSB-Win32
2009-05-07 01:36 . 2009-05-07 01:34 -------- d-----w- f:\program files\QuickFreedom
2009-04-17 12:26 . 2004-08-04 12:00 1847168 ----a-w- f:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-04 12:00 585216 ----a-w- f:\windows\system32\rpcrt4.dll
2009-04-12 13:00 . 2009-04-12 13:00 679936 -c--a-w- f:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\17175-17182.dll
2009-04-12 13:00 . 2009-04-12 13:00 634880 -c--a-w- f:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\17182-17192.dll
2009-04-12 13:00 . 2008-01-12 14:14 242976 ----a-w- f:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\QWPATCH.EXE
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="f:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VerizonServicepoint.exe"="f:\program files\Verizon\Servicepoint\VerizonServicepoint.exe" [2006-02-01 1880064]
"mcagent_exe"="f:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-09 645328]
"SiteAdvisor"="f:\program files\SiteAdvisor\6172\SiteAdv.exe" [2007-08-24 36640]
"UpdReg"="f:\windows\UpdReg.EXE" [2000-05-11 90112]
"EPSON Stylus Photo R200 Series (Copy 1)"="f:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE" [2003-07-08 99840]
"Verizon_McciTrayApp"="f:\program files\Verizon\McciTrayApp.exe" [2007-09-28 936960]
"ArcSoft Connection Service"="f:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-04-29 188728]
"TkBellExe"="f:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-06-27 180269]
"Ad-Watch"="f:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-06-27 518488]
"SunJavaUpdateSched"="f:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"P17Helper"="P17.dll" - f:\windows\system32\P17.dll [2005-05-03 64512]

f:\documents and settings\Bob\Start Menu\Programs\Startup\
msimn.lnk - f:\program files\Outlook Express\msimn.exe [2006-5-31 60416]

f:\documents and settings\All Users\Start Menu\Programs\Startup\
hpoddt01.exe.lnk - f:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-6 28672]
Microsoft Office.lnk - f:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmadmin]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmboot.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmio.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmload.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmserver]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SRService]
@="Service"

[HKLM\~\startupfolder\F:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=f:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=f:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\F:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=f:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=f:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\F:^Documents and Settings^All Users^Start Menu^Programs^Startup^Forget Me Not.lnk]
path=f:\documents and settings\All Users\Start Menu\Programs\Startup\Forget Me Not.lnk
backup=f:\windows\pss\Forget Me Not.lnkCommon Startup

[HKLM\~\startupfolder\F:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 2000 Series.lnk]
path=f:\documents and settings\All Users\Start Menu\Programs\Startup\hp psc 2000 Series.lnk
backup=f:\windows\pss\hp psc 2000 Series.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)
"UPS"=3 (0x3)
"PhotoshopElementsDeviceConnect"=2 (0x2)
"mnmsrvc"=3 (0x3)
"Lavasoft Ad-Aware Service"=2 (0x2)
"iPod Service"=3 (0x3)
"IntuitUpdateService"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"AdobeActiveFileMonitor"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"f:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"f:\\Program Files\\Firefly Studios\\Stronghold 2\\Stronghold2.exe"=
"f:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"f:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"f:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"= %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
"%windir%\\Network Diagnostic\\xpnetdiag.exe"= %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"= %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
"f:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= f:\program files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader
"%windir%\\Network Diagnostic\\xpnetdiag.exe"= %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
"f:\\Program Files\\Firefly Studios\\Stronghold 2\\Stronghold2.exe"= f:\program files\Firefly Studios\Stronghold 2\Stronghold2.exe:*:Enabled:Stronghold 2
"f:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"= f:\program files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent
"f:\\Program Files\\Bonjour\\mDNSResponder.exe"= f:\program files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour
"f:\\Program Files\\iTunes\\iTunes.exe"= f:\program files\iTunes\iTunes.exe:*:Enabled:iTunes
"f:\\Program Files\\Common Files\\Intuit\\Update Service\\IntuitUpdateService.exe"= f:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe:LocalSubNet:Disabled:Intuit Update Shared Downloads Server

R0 Lbd;Lbd;f:\windows\system32\drivers\Lbd.sys [6/27/2009 5:35 PM 64160]
R2 Viewpoint Manager Service;Viewpoint Manager Service;f:\program files\Viewpoint\Common\ViewpointService.exe [1/11/2007 6:14 PM 24652]
S2 RDFLabel;RDFLabel;f:\program files\ICRAplus\RDFLabel\RDFLabel.exe -PICRAplusID01F --> f:\program files\ICRAplus\RDFLabel\RDFLabel.exe -PICRAplusID01F [?]
S3 idmc1aud;Intel(r) Play(tm) USB Audio Filter (WDM);f:\windows\system32\drivers\idmc1aud.sys [1/9/2007 7:31 PM 15188]
S3 IDMC1Blk;Intel Play DMC Download Driver;f:\windows\system32\drivers\IDMC1Blk.sys [1/9/2007 7:31 PM 14628]
S3 IDMC1Vxp;Intel(r) Play(tm) DMC Camera;f:\windows\system32\drivers\idmc1vme.sys [1/9/2007 7:31 PM 416564]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;f:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 2:06 PM 1003344]
S3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.12.1;f:\windows\system32\drivers\libusb0.sys [5/6/2009 8:37 PM 28672]
S3 p17filt;p17filt;f:\windows\system32\drivers\p17filt.sys [3/20/2006 7:34 PM 1452032]
S4 AdobeActiveFileMonitor;Adobe Active File Monitor;f:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [10/4/2004 4:47 AM 98304]
S4 IntuitUpdateService;Intuit Update Service;f:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2/25/2009 6:06 PM 13088]
S4 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;f:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [10/4/2004 3:40 AM 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter
DcomLaunch REG_MULTI_SZ DcomLaunch TermService
WudfServiceGroup REG_MULTI_SZ WUDFSvc
eapsvcs REG_MULTI_SZ eaphost
dot3svc REG_MULTI_SZ dot3svc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - LocalService
Alerter
LmHosts


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"f:\windows\system32\rundll32.exe" "f:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-06-29 f:\windows\Tasks\Ad-Aware Update (Weekly).job
- f:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 22:34]

2007-12-27 f:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 2170 series5E771253C1676EBED677BF361FDFC537825E15B8190810616.job
- f:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 05:52]

2009-06-14 f:\windows\Tasks\McDefragTask.job
- f:\progra~1\mcafee\mqc\QcConsol.exe [2008-01-19 16:53]

2009-06-06 f:\windows\Tasks\QuickClean.job
- f:\progra~1\mcafee\mqc\QcConsol.exe [2008-01-19 16:53]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
uInternet Settings,ProxyOverride = *.local
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: turbotax.com
DPF: vzTCPConfig - hxxp://www2.verizon.net/help/fios_settings/include/vzTCPConfig.CAB
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-05 13:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


f:\docume~1\Bob\LOCALS~1\Temp\WER2358.dir00\appcompat.txt 20152 bytes
f:\docume~1\Bob\LOCALS~1\Temp\WER2358.dir00\manifest.txt 1740 bytes
f:\docume~1\Bob\LOCALS~1\Temp\WER2358.dir00\msimn.exe.hdmp 7458872 bytes
f:\docume~1\Bob\LOCALS~1\Temp\WER2358.dir00\msimn.exe.mdmp 64243 bytes

scan completed successfully
hidden files: 4

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@f:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10b.exe,-101"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\LocalServer32]
@="f:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10b.exe"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{8D8763AB-E93B-4812-964E-F04E0008FD50}\Version]
@Denied: (A) (Everyone)
@="{8D8763AB-E93B-4812-964E-F04E0008FD50}"
"GlobalState"=hex:78,06,b0,32,5d,06,20,b5,8b,a7,1e,69,85,06,ec,8f,8c,1e,5e,c1
"RevocationList"=hex:78,6c,36,dd,1e,f9,49,01,7a,29,4f,a8,73,e4,50,1f,e6,43,85,
25
"{E3E513EA-C130-4082-88A7-4314AD485440}"=hex:22,eb,82,50,00,a0,a0,90,78,cc,4d,
ad,3e,7a,de,bf,36,15,bc,d1
"{431FF505-5F2D-4E42-9A0B-882BFFD80DDB}"=hex:d3,94,77,73,e3,59,88,40,fa,07,09,
31,db,ab,dd,28,a8,a3,cf,b5
"{03F8C7D2-6A16-48A6-A5FD-8F46FAB9A8AC}"=hex:f2,5f,e9,29,20,8c,d5,84,3b,3b,23,
eb,8f,81,9c,9e,50,f8,6a,da
"{04B06814-3FE9-4666-9157-51631027590F}"=hex:b9,29,ff,4c,c6,9f,f2,20,bb,58,56,
d5,60,10,f8,cf,b4,19,54,c9
"{C20FB55E-686E-40CB-98AA-2E091493CC05}"=hex:19,04,dd,35,a3,e1,c6,27,ec,fa,c2,
38,02,26,39,73,6a,84,05,e9

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="f:\\WINDOWS\\system32\\Macromed\\Flash\\Flash10b.ocx"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="f:\\WINDOWS\\system32\\Macromed\\Flash\\Flash10b.ocx, 1"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="f:\\WINDOWS\\system32\\Macromed\\Flash\\Flash10b.ocx"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="f:\\WINDOWS\\system32\\Macromed\\Flash\\Flash10b.ocx, 1"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}]
@Denied: (A 2) (Everyone)
@="IFlashBroker2"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3656)
f:\windows\system32\WININET.dll
f:\program files\SiteAdvisor\6172\saHook.dll
f:\windows\system32\webcheck.dll
f:\windows\system32\IEFRAME.dll
f:\windows\system32\WPDShServiceObj.dll
f:\windows\system32\PortableDeviceTypes.dll
f:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
f:\windows\system32\rundll32.exe
f:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
f:\program files\Bonjour\mDNSResponder.exe
f:\program files\Java\jre6\bin\jqs.exe
f:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
f:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
f:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
f:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
f:\progra~1\McAfee\MSC\mcmscsvc.exe
f:\progra~1\McAfee.com\Agent\mcagent.exe
f:\program files\McAfee\MPF\MpfSrv.exe
.
**************************************************************************
.
Completion time: 2009-07-05 13:49 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-05 18:48
ComboFix2.txt 2009-06-30 03:35

Pre-Run: 32,531,853,312 bytes free
Post-Run: 32,435,544,064 bytes free

382 --- E O F --- 2009-06-11 23:41