|
|
|
|
|||||
|
|
|
|
|
|
|||
| Welcome
to Tech Support Forum home to more then 136,000 problems solved. Issues
have included: Spyware, Malware, Virus Issues, Windows, Microsoft,
Linux, Networking, Security, Hardware, and Gaming Getting your
problem solved is as easy as: 1. Registering for a free account 2. Asking your question 3. Receiving an answer Registered members: * See fewer ads. * And much more..
|
| Want to know how to post a question? click here | Having problems with spyware and pop-ups? First Steps |
|
|||||||
| Resolved HJT Threads Resolved spyware and popup issues. |
|
|
LinkBack | Thread Tools |
10-04-2008, 04:46 AM
|
#1 (permalink) |
|
Registered User
Join Date: Oct 2008
Location: New Zealand
Posts: 11
OS: win xp with service pack 3
|
Trojan Horse Small.AOQ - MCHINJDRV.SYS
Hello
Please assist, The AVG identified (3 October 2008) a trojan - MCHINJDRV.SYS, I have tried to "heal" and "moved to vault" but the trojan is still there. (Trojan horse Small.AOQ - C:\Windows\system32\Drivers\mchInjDrv.sys) I have followed the "first steps" 1: Checked "add and removed programs" 2: Ran "Panda Active Scan" but it did not allow me to "Disinfect" 3. Ran "Spyware Blaster" 4. Loaded "IE-Spyad" into internet explorer 7 5. My the system has theh lastest windows XP updates I have also kept the logs: 1. Panda active scab log - only cookies 2. Trend Micro - HighJackThis Thanks Ivan Last edited by dwking; 10-04-2008 at 05:11 AM. Reason: Corrected file name |
|
     |
| Important Information |
|
Join the #1 Tech Support Forum Today - It's Totally Free!
TechSupportForum.com is a leading support website for your computer needs. We offer free, friendly and personalized computer support. Why pay to have your computer fixed when you can do it for free. Join TechSupportforum.com Today - Click Here |
|
10-07-2008, 06:23 AM
|
#2 (permalink) |
|
Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Důn Čideann,Scotland.
Posts: 5,093
OS: XP
|
Re: Trojan - MCHLNDRV.SYS
Hello and welcome to TSF
========= Logs Required log.txt info.txt If there is no response to this post within 72hrs, this thread will be closed. |
|
|
|
|
10-08-2008, 04:44 AM
|
#3 (permalink) |
|
Registered User
Join Date: Oct 2008
Location: New Zealand
Posts: 11
OS: win xp with service pack 3
|
Re: Trojan - MCHLNDRV.SYS
info.txt logfile of random's system information tool 1.04 2008-10-08 23:25:55
======Uninstall list====== -->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0 -->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf 2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59} 2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59} 2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59} 2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {3EC77D26-799B-4CD8-914F-C1565E796173} 2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {430971B1-C31E-45DA-81E0-72C095BAB72C} 2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {F7A31780-33C4-4E39-951A-5EC9B91D7BF1} 2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85} 2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59} 2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85} 2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {BEE75E01-DD3F-4D5F-B96C-609E6538D419} Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)-->MsiExec.exe /X{6846389C-BAC0-4374-808E-B120F86AF5D7} Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe Adobe Reader 8.1.2-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003} Adobe Shockwave Player 11-->C:\WINDOWS\system32\adobe\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Adobe\SHOCKW~1\Install.log Apple Mobile Device Support-->MsiExec.exe /I{976C2B2A-CE59-4AB3-83FB-BF895E28F2E6} Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033} ASUS Gamer OSD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{315ACD04-BCEB-478B-9B1D-5431D0E6CB11}\setup.exe" -l0x9 -removeonly Atheros Communications Inc.(R) L2 Fast Ethernet Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0A755762-EED8-47AB-A446-505766F93D43}\Setup.exe" -l0x9 -removeonly AVG Free 8.0-->d:\Program Files\AVG\AVG8\setup.exe /UNINSTALL Big Fish Games Client-->C:\Program Files\bfgclient\Uninstall.exe Bonjour-->MsiExec.exe /I{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959} Canon iP4200-->C:\WINDOWS\system32\CNMCP78.exe "-PRINTERNAMECanon iP4200" "-HELPERDLLC:\Documents and Settings\All Users\Application Data\CanonBJ\IJPrinter\CNMWINDOWS\Canon iP4200 Installer\Inst2\cnmis.dll" "-RCDLLcnmi0409.dll" Canon Setup Utility 2.0-->"C:\Program Files\Canon\Canon Setup Utility 2.0\Maint.exe" /Uninstall C:\Program Files\Canon\Canon Setup Utility 2.0\uninst.ini Canon Utilities Easy-PhotoPrint-->C:\Program Files\Canon\Easy-PhotoPrint\uninst.exe uninst.ini Canon Utilities Easy-PrintToolBox-->C:\WINDOWS\BJPSUNST.EXE CD-LabelPrint-->"C:\Program Files\Canon\CD-LabelPrint\Uninstal.exe" Canon.CDLabelPrint.Application Dress Up Rush-->"C:\Program Files\Dress Up Rush\Uninstall.exe" DVD Solution-->"C:\Program Files\Uninstall_CDS.exe" EasyCleaner-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F5346614-B7C4-4E94-826A-E2363155233D}\setup.exe" -l0x9 -removeonly Easy-WebPrint-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Canon\Easy-WebPrint\Uninst.isu" FlashGet(JetCar)-->C:\PROGRA~1\FlashGet\UNWISE.EXE C:\PROGRA~1\FlashGet\INSTALL.LOG Google Toolbar for Internet Explorer-->MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29} Google Toolbar for Internet Explorer-->regsvr32 /u /s "c:\program files\google\googletoolbar1.dll" Google Updater-->"C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall HD Tune 2.53-->"C:\Program Files\HD Tune\unins000.exe" High Definition Audio Driver Package - KB888111-->"C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe" HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall Home Sweet Home 2: Kitchens and Baths-->"C:\Program Files\Home Sweet Home 2 - Kitchens and Baths\Uninstall.exe" Hotfix for Windows Internet Explorer 7 (KB947864)-->"C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe" Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe" Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe" Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe" InCD-->C:\WINDOWS\NuNInst.exe /UNINSTALL Intel(R) Graphics Media Accelerator Driver-->C:\WINDOWS\system32\igxpun.exe -uninstall iTunes-->MsiExec.exe /I{DDDE0BE3-0CBE-4BF6-B75A-E3F69C947843} Java(TM) 6 Update 5-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050} Java(TM) 6 Update 6-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160060} Java(TM) 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070} LEGO Digital Designer-->C:\Program Files\LEGO Company\LEGO Digital Designer\Uninstall.exe LEGO Star Wars II-->C:\Program Files\InstallShield Installation Information\{4E074808-1B86-4230-A9EB-0904942EC4AE}\setup.exe -runfromtemp -l0x0409 LG ODD Auto Firmware Update-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6179550A-3E7C-499E-BCC9-9E8113E0A285}\setup.exe" Lord of the Rings: The Fellowship of the Ring-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{49C98C60-BAC3-4C92-AF4F-E890FD312D60} Media Converter for Philips-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7CDA2B02-E0A4-4EB5-8533-050D535BA43A}\Setup.exe" -l0x9 Microsoft Baseline Security Analyzer 2.0.1-->MsiExec.exe /I{7F231232-C309-4401-964A-2A002B6E1ED9} Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe" Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe" Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe" Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE} Microsoft Office Home and Student 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall HOMESTUDENTR /dll OSETUP.DLL Microsoft Office Home and Student 2007-->MsiExec.exe /X{91120000-002F-0000-0000-0000000FF1CE} Microsoft Office OneNote MUI (English) 2007-->MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE} Microsoft Office PowerPoint MUI (English) 2007-->MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE} Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE} Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE} Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE} Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE} Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE} Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE} Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE} Microsoft Silverlight-->MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00} Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe" Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d} Motorola SM56 Speakerphone Modem-->C:\WINDOWS\Motorola\SMSERIAL\sm56unst.exe Mozilla Firefox (2.0.0.11)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe Multimedia Launcher-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}\setup.exe" -uninstall Nero OEM-->C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL NVIDIA Drivers-->C:\WINDOWS\system32\nvudisp.exe UninstallGUI OpenOffice.org Installer 1.0-->MsiExec.exe /X{0D499481-22C6-4B25-8AC2-6D3F6C885FB9} Panda ActiveScan 2.0-->C:\Program Files\Panda Security\ActiveScan 2.0\as2uninst.exe PhotoScape-->"C:\Program Files\PhotoScape\uninstall.exe" Picasa 2-->"C:\Program Files\Picasa2\Uninstall.exe" PowerDVD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall PowerProducer-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B7A0CE06-068E-11D6-97FD-0050BACBF861}\setup.exe" -uninstall QuickTime-->MsiExec.exe /I{8DC42D05-680B-41B0-8878-6C14D24602DB} RealPlayer-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0 Realtek High Definition Audio Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\setup.exe" -l0x9 -removeonly SA60xx Device Manager-->C:\Program Files\InstallShield Installation Information\{8A6AD979-8170-49ED-8529-14174317B281}\setup.exe -runfromtemp -l0x0009 -removeonly Security Update for 2007 Microsoft Office System (KB951596)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {1AFF2298-CC00-4A3B-866A-C62B8373794E} Security Update for 2007 Microsoft Office System (KB951944)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {797AE457-BA17-4BBC-B501-25FB3A0103C7} Security Update for Microsoft Office Excel 2007 (KB951546)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {7399DD71-8E24-4E60-B6A8-6CED89C0AC26} Security Update for Microsoft Office OneNote 2007 (KB950130)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {F1B2401C-B610-4BF2-AA1C-52C55827A8F4} Security Update for Microsoft Office PowerPoint 2007 (KB951338)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {558B709B-821B-4FC5-90FC-9A8890641E77} Security Update for Microsoft Office system 2007 (KB951808)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {8F375E11-4FD6-4B89-9E2B-A76D48B51E00} Security Update for Microsoft Office system 2007 (KB954326)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {5F7F6FFF-395D-480E-8450-64F385D82C5F} Security Update for Microsoft Office Word 2007 (KB950113)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {AD72BABE-C733-4FCF-9674-4314466191B9} Security Update for Visio 2007 (KB947590)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {6BAD036C-261F-4BEF-96CF-C20678D07A41} Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe" Security Update for Windows Internet Explorer 7 (KB942615)-->"C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\spuninst.exe" Security Update for Windows Internet Explorer 7 (KB944533)-->"C:\WINDOWS\ie7updates\KB944533-IE7\spuninst\spuninst.exe" Security Update for Windows Internet Explorer 7 (KB950759)-->"C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe" Security Update for Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe" Security Update for Windows Media Player 11 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe" Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe" Security Update for Windows XP (KB923789)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe" Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe" Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe" Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe" Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe" Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe" Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe" Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe" Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe" Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe" Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe" Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe" Skype™ 3.6-->MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82} Spell Checker For OE 2.1-->C:\Program Files\Common Files\Microsoft Shared\proof\Uninstal.exe Spelling Dictionaries Support For Adobe Reader 8-->MsiExec.exe /I{AC76BA86-7AD7-5464-3428-800000000003} Spider-Man (tm) Movie-->C:\PROGRA~1\ACTIVI~1\SPIDER~1\UNINST~1\UNWISE.EXE C:\PROGRA~1\ACTIVI~1\SPIDER~1\UNINST~1\INSTALL.LOG Spyware Doctor 5.5-->C:\Program Files\Spyware Doctor\unins000.exe /LOG SpywareBlaster 4.1-->"C:\Program Files\SpywareBlaster\unins000.exe" The Great Chocolate Chase-->"C:\Program Files\The Great Chocolate Chase\Uninstall.exe" Update for Office 2007 (KB946691)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278} Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe" Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe" Windows Defender-->MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401} Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe" Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe" Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe" XviD MPEG-4 Video Codec-->C:\WINDOWS\system32\rundll32.exe setupapi,InstallHinfSection Remove_XviD 132 C:\WINDOWS\INF\xvid.inf ZoneAlarm Spy Blocker-->rundll32 C:\PROGRA~1\ZONEAL~1\bar\1.bin\SpyBlock.dll,O ZoneAlarm-->C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe ======Security center information====== AV: AVG Anti-Virus Free FW: ZoneAlarm Firewall ======Environment variables====== "ComSpec"=%SystemRoot%\system32\cmd.exe "Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\QuickTime\QTSystem\ "windir"=%SystemRoot% "FP_NO_HOST_CHECK"=NO "OS"=Windows_NT "PROCESSOR_ARCHITECTURE"=x86 "PROCESSOR_LEVEL"=15 "PROCESSOR_IDENTIFIER"=x86 Family 15 Model 4 Stepping 7, GenuineIntel "PROCESSOR_REVISION"=0407 "NUMBER_OF_PROCESSORS"=2 "PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH "TEMP"=%SystemRoot%\TEMP "TMP"=%SystemRoot%\TEMP "tvdumpflags"=8 "CLASSPATH"=.;C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip "QTJAVA"=C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip -----------------EOF----------------- |
|
|
|
|
10-08-2008, 04:47 AM
|
#4 (permalink) |
|
Registered User
Join Date: Oct 2008
Location: New Zealand
Posts: 11
OS: win xp with service pack 3
|
Re: Trojan - MCHLNDRV.SYS
Part 1 of 2 of logfile
Logfile of random's system information tool 1.04 (written by random/random) Run by Banking8 at 2008-10-08 23:24:25 Microsoft Windows XP Home Edition Service Pack 3 System drive C: has 30 GB (30%) free of 100 GB Total RAM: 2047 MB (63% free) Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 11:25:48 PM, on 08-Oct-08 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16705) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Ahead\InCD\InCDsrv.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\WINDOWS\ATKKBService.exe d:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\Spyware Doctor\pctsAuxs.exe C:\Program Files\Spyware Doctor\pctsSvc.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Spyware Doctor\pctsTray.exe d:\PROGRA~1\AVG\AVG8\avgrsx.exe d:\PROGRA~1\AVG\AVG8\avgemc.exe C:\WINDOWS\RTHDCPL.EXE C:\WINDOWS\sm56hlpr.exe C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe C:\Program Files\Ahead\InCD\InCD.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe D:\PROGRA~1\AVG\AVG8\avgtray.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\Program Files\ASUS\GamerOSD\GamerOSD.exe C:\Program Files\Windows Defender\MSASCui.exe C:\Program Files\iTunes\iTunesHelper.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Internet Explorer\iexplore.exe d:\PROGRA~1\AVG\AVG8\aAvgApi.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Downloads\RSIT.exe C:\Program Files\Trend Micro\HijackThis\Banking8.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///D:/NZStartPage%202008%20Feb.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - d:\Program Files\AVG\AVG8\avgssie.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - d:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - d:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [AVG8_TRAY] d:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [ASUSGamerOSD] C:\Program Files\ASUS\GamerOSD\GamerOSD.exe O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user') O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - d:\Program Files\AVG\AVG8\avgpp.dll O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O20 - AppInit_DLLs: avgrsstx.dll O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - d:\PROGRA~1\AVG\AVG8\avgemc.exe O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - d:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe -- End of file - 10544 bytes ======Scheduled tasks folder====== C:\WINDOWS\tasks\AppleSoftwareUpdate.job C:\WINDOWS\tasks\MP Scheduled Scan.job ======Registry dump====== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}] Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-23 62080] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}] IeCatch5 Class - C:\PROGRA~1\FlashGet\jccatch.dll [2006-05-16 81920] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3049C3E9-B461-4BC5-8870-4C09146192CA}] RealPlayer Download and Record Plugin for Internet Explorer - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll [2008-05-23 308856] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}] AVG Safe Search - d:\Program Files\AVG\AVG8\avgssie.dll [2008-08-29 455960] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}] SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}] AVG Security Toolbar - d:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [2008-07-03 2055960] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}] Google Toolbar Helper - c:\program files\google\googletoolbar1.dll [2008-03-29 2554944] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}] Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll [2008-03-29 654320] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}] ZoneAlarm Spy Blocker BHO - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2008-04-03 262144] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] {2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - c:\program files\google\googletoolbar1.dll [2008-03-29 2554944] {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - ZoneAlarm Spy Blocker - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2008-04-03 262144] {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - Easy-WebPrint - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll [2004-08-26 405504] {E0E899AB-F487-11D5-8D29-0050BA6940E3} - FlashGet Bar - C:\PROGRA~1\FlashGet\fgiebar.dll [2005-06-07 86016] {A057A204-BACC-4D26-9990-79A187E2698E} - AVG Security Toolbar - d:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [2008-07-03 2055960] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "IgfxTray"=C:\WINDOWS\system32\igfxtray.exe [2007-11-08 141848] "HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe [2007-11-08 166424] "Persistence"=C:\WINDOWS\system32\igfxpers.exe [2007-11-08 137752] "RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2007-10-25 16855552] "SkyTel"=C:\WINDOWS\SkyTel.EXE [2007-10-11 1826816] "Alcmtr"=C:\WINDOWS\ALCMTR.EXE [2005-05-03 69632] "SMSERIAL"=C:\WINDOWS\sm56hlpr.exe [2005-06-06 544768] "Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-01-11 39792] "SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784] "Easy-PrintToolBox"=C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE [2004-01-14 409600] "RemoteControl"=C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe [2004-11-02 32768] "InCD"=C:\Program Files\Ahead\InCD\InCD.exe [2006-03-14 1397760] "NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe [2001-07-09 155648] "TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2008-05-23 185896] "AVG8_TRAY"=d:\PROGRA~1\AVG\AVG8\avgtray.exe [2008-09-30 1234712] "ZoneAlarm Client"=C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe [2008-07-09 919016] "NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2007-06-29 8466432] "nwiz"=nwiz.exe /install [] "NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2007-06-29 81920] "ASUSGamerOSD"=C:\Program Files\ASUS\GamerOSD\GamerOSD.exe [2007-07-12 380928] "Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2006-11-03 866584] "QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2008-09-06 413696] "iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2008-10-01 289576] "ISTray"=C:\Program Files\Spyware Doctor\pctsTray.exe [2008-02-01 1103240] [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] "AppInit_DLLS"="avgrsstx.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui] C:\WINDOWS\system32\igfxdev.dll [2007-10-30 208896] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad] UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - C:\WINDOWS\system32\upnpui.dll [2008-04-14 239616] WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks] "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"=C:\PROGRA~1\WINDOW~4\MpShHook.dll [2006-11-03 83224] "{F552DDE6-2090-4bf4-B924-6141E87789A5}"= [] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdauxservice] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdcoreservice] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\vsmon] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WinDefend] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System] "dontdisplaylastusername"=0 "legalnoticecaption"= "legalnoticetext"= "shutdownwithoutlogon"=1 "undockwithoutlogon"=1 [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer] "NoDriveTypeAutoRun"=145 [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list] "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" "C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"="C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote" "%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000" "D:\Program Files\AVG\AVG8\avgupd.exe"="D:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe" "D:\Program Files\AVG\AVG8\avgemc.exe"="D:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe" "C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype" "C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour" "C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes" [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list] "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" "%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000" |
|
|
|
|
10-08-2008, 05:00 AM
|
#5 (permalink) |
|
Registered User
Join Date: Oct 2008
Location: New Zealand
Posts: 11
OS: win xp with service pack 3
|
Re: Trojan - MCHLNDRV.SYS
Hello
The last part of the log file has the following message: You have included 34 images in your message. You are limited to using 25 images How do i coorcet the file? Thanks |
|
|
|
|
10-09-2008, 02:29 AM
|
#7 (permalink) |
|
Registered User
Join Date: Oct 2008
Location: New Zealand
Posts: 11
OS: win xp with service pack 3
|
Re: Trojan - MCHLNDRV.SYS
Hi TheBruce1
Below are both logs Thanks info.txt logfile of random's system information tool 1.04 2008-10-08 23:25:55 ======Uninstall list====== -->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0 -->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf 2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59} 2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59} 2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59} 2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {3EC77D26-799B-4CD8-914F-C1565E796173} 2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {430971B1-C31E-45DA-81E0-72C095BAB72C} 2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {F7A31780-33C4-4E39-951A-5EC9B91D7BF1} 2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85} 2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59} 2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85} 2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {BEE75E01-DD3F-4D5F-B96C-609E6538D419} Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)-->MsiExec.exe /X{6846389C-BAC0-4374-808E-B120F86AF5D7} Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe Adobe Reader 8.1.2-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003} Adobe Shockwave Player 11-->C:\WINDOWS\system32\adobe\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Adobe\SHOCKW~1\Install.log Apple Mobile Device Support-->MsiExec.exe /I{976C2B2A-CE59-4AB3-83FB-BF895E28F2E6} Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033} ASUS Gamer OSD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{315ACD04-BCEB-478B-9B1D-5431D0E6CB11}\setup.exe" -l0x9 -removeonly Atheros Communications Inc.(R) L2 Fast Ethernet Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0A755762-EED8-47AB-A446-505766F93D43}\Setup.exe" -l0x9 -removeonly AVG Free 8.0-->d:\Program Files\AVG\AVG8\setup.exe /UNINSTALL Big Fish Games Client-->C:\Program Files\bfgclient\Uninstall.exe Bonjour-->MsiExec.exe /I{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959} Canon iP4200-->C:\WINDOWS\system32\CNMCP78.exe "-PRINTERNAMECanon iP4200" "-HELPERDLLC:\Documents and Settings\All Users\Application Data\CanonBJ\IJPrinter\CNMWINDOWS\Canon iP4200 Installer\Inst2\cnmis.dll" "-RCDLLcnmi0409.dll" Canon Setup Utility 2.0-->"C:\Program Files\Canon\Canon Setup Utility 2.0\Maint.exe" /Uninstall C:\Program Files\Canon\Canon Setup Utility 2.0\uninst.ini Canon Utilities Easy-PhotoPrint-->C:\Program Files\Canon\Easy-PhotoPrint\uninst.exe uninst.ini Canon Utilities Easy-PrintToolBox-->C:\WINDOWS\BJPSUNST.EXE CD-LabelPrint-->"C:\Program Files\Canon\CD-LabelPrint\Uninstal.exe" Canon.CDLabelPrint.Application Dress Up Rush-->"C:\Program Files\Dress Up Rush\Uninstall.exe" DVD Solution-->"C:\Program Files\Uninstall_CDS.exe" EasyCleaner-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F5346614-B7C4-4E94-826A-E2363155233D}\setup.exe" -l0x9 -removeonly Easy-WebPrint-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Canon\Easy-WebPrint\Uninst.isu" FlashGet(JetCar)-->C:\PROGRA~1\FlashGet\UNWISE.EXE C:\PROGRA~1\FlashGet\INSTALL.LOG Google Toolbar for Internet Explorer-->MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29} Google Toolbar for Internet Explorer-->regsvr32 /u /s "c:\program files\google\googletoolbar1.dll" Google Updater-->"C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall HD Tune 2.53-->"C:\Program Files\HD Tune\unins000.exe" High Definition Audio Driver Package - KB888111-->"C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe" HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall Home Sweet Home 2: Kitchens and Baths-->"C:\Program Files\Home Sweet Home 2 - Kitchens and Baths\Uninstall.exe" Hotfix for Windows Internet Explorer 7 (KB947864)-->"C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe" Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe" Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe" Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe" InCD-->C:\WINDOWS\NuNInst.exe /UNINSTALL Intel(R) Graphics Media Accelerator Driver-->C:\WINDOWS\system32\igxpun.exe -uninstall iTunes-->MsiExec.exe /I{DDDE0BE3-0CBE-4BF6-B75A-E3F69C947843} Java(TM) 6 Update 5-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050} Java(TM) 6 Update 6-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160060} Java(TM) 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070} LEGO Digital Designer-->C:\Program Files\LEGO Company\LEGO Digital Designer\Uninstall.exe LEGO Star Wars II-->C:\Program Files\InstallShield Installation Information\{4E074808-1B86-4230-A9EB-0904942EC4AE}\setup.exe -runfromtemp -l0x0409 LG ODD Auto Firmware Update-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6179550A-3E7C-499E-BCC9-9E8113E0A285}\setup.exe" Lord of the Rings: The Fellowship of the Ring-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{49C98C60-BAC3-4C92-AF4F-E890FD312D60} Media Converter for Philips-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7CDA2B02-E0A4-4EB5-8533-050D535BA43A}\Setup.exe" -l0x9 Microsoft Baseline Security Analyzer 2.0.1-->MsiExec.exe /I{7F231232-C309-4401-964A-2A002B6E1ED9} Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe" Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe" Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe" Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE} Microsoft Office Home and Student 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall HOMESTUDENTR /dll OSETUP.DLL Microsoft Office Home and Student 2007-->MsiExec.exe /X{91120000-002F-0000-0000-0000000FF1CE} Microsoft Office OneNote MUI (English) 2007-->MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE} Microsoft Office PowerPoint MUI (English) 2007-->MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE} Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE} Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE} Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE} Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE} Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE} Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE} Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE} Microsoft Silverlight-->MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00} Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe" Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d} Motorola SM56 Speakerphone Modem-->C:\WINDOWS\Motorola\SMSERIAL\sm56unst.exe Mozilla Firefox (2.0.0.11)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe Multimedia Launcher-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}\setup.exe" -uninstall Nero OEM-->C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL NVIDIA Drivers-->C:\WINDOWS\system32\nvudisp.exe UninstallGUI OpenOffice.org Installer 1.0-->MsiExec.exe /X{0D499481-22C6-4B25-8AC2-6D3F6C885FB9} Panda ActiveScan 2.0-->C:\Program Files\Panda Security\ActiveScan 2.0\as2uninst.exe PhotoScape-->"C:\Program Files\PhotoScape\uninstall.exe" Picasa 2-->"C:\Program Files\Picasa2\Uninstall.exe" PowerDVD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall PowerProducer-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B7A0CE06-068E-11D6-97FD-0050BACBF861}\setup.exe" -uninstall QuickTime-->MsiExec.exe /I{8DC42D05-680B-41B0-8878-6C14D24602DB} RealPlayer-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0 Realtek High Definition Audio Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\setup.exe" -l0x9 -removeonly SA60xx Device Manager-->C:\Program Files\InstallShield Installation Information\{8A6AD979-8170-49ED-8529-14174317B281}\setup.exe -runfromtemp -l0x0009 -removeonly Security Update for 2007 Microsoft Office System (KB951596)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {1AFF2298-CC00-4A3B-866A-C62B8373794E} Security Update for 2007 Microsoft Office System (KB951944)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {797AE457-BA17-4BBC-B501-25FB3A0103C7} Security Update for Microsoft Office Excel 2007 (KB951546)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {7399DD71-8E24-4E60-B6A8-6CED89C0AC26} Security Update for Microsoft Office OneNote 2007 (KB950130)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {F1B2401C-B610-4BF2-AA1C-52C55827A8F4} Security Update for Microsoft Office PowerPoint 2007 (KB951338)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {558B709B-821B-4FC5-90FC-9A8890641E77} Security Update for Microsoft Office system 2007 (KB951808)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {8F375E11-4FD6-4B89-9E2B-A76D48B51E00} Security Update for Microsoft Office system 2007 (KB954326)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {5F7F6FFF-395D-480E-8450-64F385D82C5F} Security Update for Microsoft Office Word 2007 (KB950113)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {AD72BABE-C733-4FCF-9674-4314466191B9} Security Update for Visio 2007 (KB947590)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {6BAD036C-261F-4BEF-96CF-C20678D07A41} Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe" Security Update for Windows Internet Explorer 7 (KB942615)-->"C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\spuninst.exe" Security Update for Windows Internet Explorer 7 (KB944533)-->"C:\WINDOWS\ie7updates\KB944533-IE7\spuninst\spuninst.exe" Security Update for Windows Internet Explorer 7 (KB950759)-->"C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe" Security Update for Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe" Security Update for Windows Media Player 11 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe" Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe" Security Update for Windows XP (KB923789)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe" Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe" Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe" Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe" Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe" Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe" Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe" Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe" Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe" Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe" Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe" Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe" Skype™ 3.6-->MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82} Spell Checker For OE 2.1-->C:\Program Files\Common Files\Microsoft Shared\proof\Uninstal.exe Spelling Dictionaries Support For Adobe Reader 8-->MsiExec.exe /I{AC76BA86-7AD7-5464-3428-800000000003} Spider-Man (tm) Movie-->C:\PROGRA~1\ACTIVI~1\SPIDER~1\UNINST~1\UNWISE.EXE C:\PROGRA~1\ACTIVI~1\SPIDER~1\UNINST~1\INSTALL.LOG Spyware Doctor 5.5-->C:\Program Files\Spyware Doctor\unins000.exe /LOG SpywareBlaster 4.1-->"C:\Program Files\SpywareBlaster\unins000.exe" The Great Chocolate Chase-->"C:\Program Files\The Great Chocolate Chase\Uninstall.exe" Update for Office 2007 (KB946691)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278} Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe" Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe" Windows Defender-->MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401} Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe" Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe" Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe" XviD MPEG-4 Video Codec-->C:\WINDOWS\system32\rundll32.exe setupapi,InstallHinfSection Remove_XviD 132 C:\WINDOWS\INF\xvid.inf ZoneAlarm Spy Blocker-->rundll32 C:\PROGRA~1\ZONEAL~1\bar\1.bin\SpyBlock.dll,O ZoneAlarm-->C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe ======Security center information====== AV: AVG Anti-Virus Free FW: ZoneAlarm Firewall ======Environment variables====== "ComSpec"=%SystemRoot%\system32\cmd.exe "Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\QuickTime\QTSystem\ "windir"=%SystemRoot% "FP_NO_HOST_CHECK"=NO "OS"=Windows_NT "PROCESSOR_ARCHITECTURE"=x86 "PROCESSOR_LEVEL"=15 "PROCESSOR_IDENTIFIER"=x86 Family 15 Model 4 Stepping 7, GenuineIntel "PROCESSOR_REVISION"=0407 "NUMBER_OF_PROCESSORS"=2 "PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH "TEMP"=%SystemRoot%\TEMP "TMP"=%SystemRoot%\TEMP "tvdumpflags"=8 "CLASSPATH"=.;C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip "QTJAVA"=C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip -----------------EOF----------------- Logfile of random's system information tool 1.04 (written by random/random) Run by Banking8 at 2008-10-08 23:24:25 Microsoft Windows XP Home Edition Service Pack 3 System drive C: has 30 GB (30%) free of 100 GB Total RAM: 2047 MB (63% free) Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 11:25:48 PM, on 08-Oct-08 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16705) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Ahead\InCD\InCDsrv.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\WINDOWS\ATKKBService.exe d:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\Spyware Doctor\pctsAuxs.exe C:\Program Files\Spyware Doctor\pctsSvc.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Spyware Doctor\pctsTray.exe d:\PROGRA~1\AVG\AVG8\avgrsx.exe d:\PROGRA~1\AVG\AVG8\avgemc.exe C:\WINDOWS\RTHDCPL.EXE C:\WINDOWS\sm56hlpr.exe C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe C:\Program Files\Ahead\InCD\InCD.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe D:\PROGRA~1\AVG\AVG8\avgtray.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\Program Files\ASUS\GamerOSD\GamerOSD.exe C:\Program Files\Windows Defender\MSASCui.exe C:\Program Files\iTunes\iTunesHelper.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Internet Explorer\iexplore.exe d:\PROGRA~1\AVG\AVG8\aAvgApi.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Downloads\RSIT.exe C:\Program Files\Trend Micro\HijackThis\Banking8.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///D:/NZStartPage%202008%20Feb.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - d:\Program Files\AVG\AVG8\avgssie.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - d:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - d:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [AVG8_TRAY] d:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [ASUSGamerOSD] C:\Program Files\ASUS\GamerOSD\GamerOSD.exe O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user') O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - d:\Program Files\AVG\AVG8\avgpp.dll O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O20 - AppInit_DLLs: avgrsstx.dll O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - d:\PROGRA~1\AVG\AVG8\avgemc.exe O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - d:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe -- End of file - 10544 bytes ======Scheduled tasks folder====== C:\WINDOWS\tasks\AppleSoftwareUpdate.job C:\WINDOWS\tasks\MP Scheduled Scan.job ======Registry dump====== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}] Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-23 62080] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}] IeCatch5 Class - C:\PROGRA~1\FlashGet\jccatch.dll [2006-05-16 81920] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3049C3E9-B461-4BC5-8870-4C09146192CA}] RealPlayer Download and Record Plugin for Internet Explorer - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll [2008-05-23 308856] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}] AVG Safe Search - d:\Program Files\AVG\AVG8\avgssie.dll [2008-08-29 455960] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}] SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}] AVG Security Toolbar - d:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [2008-07-03 2055960] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}] Google Toolbar Helper - c:\program files\google\googletoolbar1.dll [2008-03-29 2554944] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}] Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll [2008-03-29 654320] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}] ZoneAlarm Spy Blocker BHO - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2008-04-03 262144] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] {2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - c:\program files\google\googletoolbar1.dll [2008-03-29 2554944] {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - ZoneAlarm Spy Blocker - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2008-04-03 262144] {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - Easy-WebPrint - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll [2004-08-26 405504] {E0E899AB-F487-11D5-8D29-0050BA6940E3} - FlashGet Bar - C:\PROGRA~1\FlashGet\fgiebar.dll [2005-06-07 86016] {A057A204-BACC-4D26-9990-79A187E2698E} - AVG Security Toolbar - d:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [2008-07-03 2055960] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "IgfxTray"=C:\WINDOWS\system32\igfxtray.exe [2007-11-08 141848] "HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe [2007-11-08 166424] "Persistence"=C:\WINDOWS\system32\igfxpers.exe [2007-11-08 137752] "RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2007-10-25 16855552] "SkyTel"=C:\WINDOWS\SkyTel.EXE [2007-10-11 1826816] "Alcmtr"=C:\WINDOWS\ALCMTR.EXE [2005-05-03 69632] "SMSERIAL"=C:\WINDOWS\sm56hlpr.exe [2005-06-06 544768] "Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-01-11 39792] "SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784] "Easy-PrintToolBox"=C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE [2004-01-14 409600] "RemoteControl"=C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe [2004-11-02 32768] "InCD"=C:\Program Files\Ahead\InCD\InCD.exe [2006-03-14 1397760] "NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe [2001-07-09 155648] "TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2008-05-23 185896] "AVG8_TRAY"=d:\PROGRA~1\AVG\AVG8\avgtray.exe [2008-09-30 1234712] "ZoneAlarm Client"=C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe [2008-07-09 919016] "NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2007-06-29 8466432] "nwiz"=nwiz.exe /install [] "NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2007-06-29 81920] "ASUSGamerOSD"=C:\Program Files\ASUS\GamerOSD\GamerOSD.exe [2007-07-12 380928] "Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2006-11-03 866584] "QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2008-09-06 413696] "iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2008-10-01 289576] "ISTray"=C:\Program Files\Spyware Doctor\pctsTray.exe [2008-02-01 1103240] [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] "AppInit_DLLS"="avgrsstx.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui] C:\WINDOWS\system32\igfxdev.dll [2007-10-30 208896] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad] UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - C:\WINDOWS\system32\upnpui.dll [2008-04-14 239616] WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks] "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"=C:\PROGRA~1\WINDOW~4\MpShHook.dll [2006-11-03 83224] "{F552DDE6-2090-4bf4-B924-6141E87789A5}"= [] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdauxservice] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdcoreservice] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\vsmon] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WinDefend] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System] "dontdisplaylastusername"=0 "legalnoticecaption"= "legalnoticetext"= "shutdownwithoutlogon"=1 "undockwithoutlogon"=1 [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer] "NoDriveTypeAutoRun"=145 [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list] "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" "C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"="C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote" "%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000" "D:\Program Files\AVG\AVG8\avgupd.exe"="D:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe" "D:\Program Files\AVG\AVG8\avgemc.exe"="D:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe" "C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype" "C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour" "C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes" [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list] "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" "%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000" ======List of files/folders created in the last 1 months====== 2008-10-08 23:24:25 ----D---- C:\rsit 2008-10-07 23:23:12 ----D---- C:\Program Files\Trend Micro 2008-10-07 23:22:54 ----D---- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6} 2008-10-07 23:22:33 ----D---- C:\Program Files\The Great Chocolate Chase 2008-10-07 23:22:31 ----D---- C:\Program Files\Greatis 2008-10-07 21:00:40 ----D---- C:\Program Files\Realtek AC97 2008-10-07 20:17:04 ----D---- C:\Program Files\NVIDIA Corporation 2008-10-07 20:15:31 ----D---- C:\Program Files\NVIDIA nTune Performance Application 2008-10-07 18:51:44 ----D---- C:\Program Files\MagicTune Premium(2) 2008-10-07 18:30:57 ----D---- C:\Program Files\SEC 2008-10-05 21:55:45 ----D---- C:\Documents and Settings\Banking8\Application Data\Reflexive Arcade 2008-10-05 18:39:28 ----D---- C:\Documents and Settings\Banking8\Application Data\BigFish Games 2008-10-05 18:23:01 ----D---- C:\Program Files\Jump Jump Jelly Reactor 2008-10-04 22:22:46 ----N---- C:\WINDOWS\system32\vxblock.dll 2008-10-04 22:22:46 ----N---- C:\WINDOWS\system32\pxwave.dll 2008-10-04 22:22:46 ----N---- C:\WINDOWS\system32\pxhpinst.exe 2008-10-04 22:22:46 ----N---- C:\WINDOWS\system32\pxdrv.dll 2008-10-04 22:22:45 ----N---- C:\WINDOWS\system32\pxmas.dll 2008-10-04 22:22:45 ----N---- C:\WINDOWS\system32\px.dll 2008-10-04 22:22:32 ----D---- C:\Program Files\Picasa2 2008-10-04 21:39:43 ----D---- C:\Program Files\PhotoScape 2008-10-04 19:55:18 ----D---- C:\ie-spyad_zo 2008-10-04 19:38:07 ----D---- C:\Program Files\SpywareBlaster 2008-10-04 19:02:38 ----D---- C:\Program Files\Panda Security 2008-10-03 20:45:08 ----D---- C:\Program Files\iPod 2008-10-03 20:45:03 ----D---- C:\Program Files\iTunes 2008-10-02 23:49:56 ----RASHOT---- C:\WINDOWS\winstart.bat 2008-09-30 17:56:41 ----D---- C:\Program Files\Noodolbuddy 2008-09-26 18:29:05 ----D---- C:\Program Files\Dream Day First Home 2008-09-25 17:41:25 ----D---- C:\Documents and Settings\Banking8\Application Data\SecuROM 2008-09-25 17:32:12 ----D---- C:\Program Files\Electronic Arts 2008-09-22 21:30:58 ----D---- C:\Documents and Settings\Banking8\Application Data\Apple Computer 2008-09-22 21:30:33 ----A---- C:\WINDOWS\system32\GEARAspi.dll 2008-09-22 21:29:27 ----D---- C:\Program Files\Bonjour 2008-09-22 21:28:13 ----D---- C:\Program Files\QuickTime 2008-09-22 21:28:08 ----D---- C:\Documents and Settings\All Users\Application Data\Apple Computer 2008-09-22 21:27:41 ----D---- C:\Program Files\Apple Software Update 2008-09-22 21:26:54 ----D---- C:\Program Files\Common Files\Apple 2008-09-22 21:26:53 ----D---- C:\Documents and Settings\All Users\Application Data\Apple 2008-09-22 20:44:00 ----D---- C:\Program Files\Dress Up Rush 2008-09-21 20:33:59 ----D---- C:\Program Files\Windows Defender 2008-09-21 19:32:53 ----D---- C:\Program Files\Home Sweet Home 2 - Kitchens and Baths 2008-09-21 15:24:07 ----D---- C:\Documents and Settings\Banking8\Application Data\PowerChallenge 2008-09-14 17:52:41 ----D---- C:\Documents and Settings\Banking8\Application Data\Amaranth Games 2008-09-13 21:31:45 ----D---- C:\Documents and Settings\Banking8\Application Data\LEGO Company 2008-09-13 21:30:54 ----D---- C:\Program Files\LEGO Company 2008-09-13 18:27:07 ----D---- C:\Program Files\directx 2008-09-13 18:08:15 ----D---- C:\Program Files\Activision 2008-09-13 15:16:17 ----D---- C:\Program Files\My Company Name 2008-09-13 15:11:51 ----A---- C:\WINDOWS\system32\vfwwdm32.dll 2008-09-13 15:06:43 ----A---- C:\WINDOWS\nvgpio.dll 2008-09-13 15:06:43 ----A---- C:\WINDOWS\nVGA_i2c.dll 2008-09-13 15:06:43 ----A---- C:\WINDOWS\nvapi9x.dll 2008-09-13 15:06:43 ----A---- C:\WINDOWS\i2c_i.dll 2008-09-13 15:06:43 ----A---- C:\WINDOWS\i2c.dll 2008-09-13 15:06:43 ----A---- C:\WINDOWS\ATKKBService.exe 2008-09-13 15:06:43 ----A---- C:\WINDOWS\atistclk.dll 2008-09-13 15:06:43 ----A---- C:\WINDOWS\atipdlxx.dll 2008-09-13 15:06:43 ----A---- C:\WINDOWS\aticlocklib.dll 2008-09-13 15:06:42 ----A---- C:\WINDOWS\R5ClkLib.dll 2008-09-13 15:06:42 ----A---- C:\WINDOWS\OneTouchVga.dll 2008-09-13 15:06:42 ----A---- C:\WINDOWS\HyperDrive.exe 2008-09-13 15:06:42 ----A---- C:\WINDOWS\EIO.dll 2008-09-13 15:06:42 ----A---- C:\WINDOWS\ASUSRC.dll 2008-09-13 15:06:42 ----A---- C:\WINDOWS\ASMT_CE.dll 2008-09-13 15:06:40 ----D---- C:\Program Files\ASUS 2008-09-13 15:06:40 ----A---- C:\WINDOWS\system32\ATKOSDMini.DLL 2008-09-13 15:06:40 ----A---- C:\WINDOWS\system32\atkid.ini 2008-09-13 15:06:40 ----A---- C:\WINDOWS\system32\ATKDispCPL.dll 2008-09-13 15:06:40 ----A---- C:\WINDOWS\system32\ATKDISP.dll 2008-09-13 15:06:39 ----A---- C:\WINDOWS\system32\xvidvfw.dll 2008-09-13 15:06:39 ----A---- C:\WINDOWS\system32\xvidcore.dll 2008-09-13 15:06:39 ----A---- C:\WINDOWS\system32\DPInst.exe 2008-09-13 15:06:39 ----A---- C:\WINDOWS\system32\devcon.exe 2008-09-13 15:06:39 ----A---- C:\WINDOWS\system32\ATKOSDX32.dll 2008-09-13 15:06:39 ----A---- C:\WINDOWS\system32\ATKOGL32.dll 2008-09-13 15:06:39 ----A---- C:\WINDOWS\system32\asrussian.dll 2008-09-13 15:06:39 ----A---- C:\WINDOWS\system32\askorean.dll 2008-09-13 15:06:39 ----A---- C:\WINDOWS\system32\asjapan.dll 2008-09-13 15:06:39 ----A---- C:\WINDOWS\system32\asgerman.dll 2008-09-13 15:06:39 ----A---- C:\WINDOWS\system32\asfrench.dll 2008-09-13 15:06:39 ----A---- C:\WINDOWS\system32\aseng.dll 2008-09-13 15:06:39 ----A---- C:\WINDOWS\system32\ASCHT.dll 2008-09-13 15:06:39 ----A---- C:\WINDOWS\system32\aschs.dll 2008-09-13 15:05:20 ----D---- C:\WINDOWS\nview 2008-09-13 15:05:19 ----A---- C:\WINDOWS\system32\nvudisp.exe 2008-09-13 15:04:28 ----A---- C:\WINDOWS\system32\NVUNINST.EXE 2008-09-11 01:27:25 ----HDC---- C:\WINDOWS\$NtUninstallKB938464$ 2008-09-11 01:26:35 ----HDC---- C:\WINDOWS\$NtUninstallKB954154_WM11$ 2008-09-10 23:01:35 ----D---- C:\WINDOWS\system32\ACE 2008-09-10 17:54:51 ----A---- C:\WINDOWS\Spiderman.INI ======List of files/folders modified in the last 1 months====== 2008-10-08 23:25:48 ----D---- C:\WINDOWS\Temp 2008-10-08 23:24:45 ----D---- C:\WINDOWS\Prefetch 2008-10-08 23:23:54 ----D---- C:\Program Files\FlashGet 2008-10-08 23:21:24 ----D---- C:\Downloads 2008-10-08 23:18:21 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP 2008-10-08 22:47:54 ----D---- C:\Documents and Settings\All Users\Application Data\Google Updater 2008-10-08 21:28:05 ----D---- C:\WINDOWS\Internet Logs 2008-10-08 15:41:27 ----D---- C:\WINDOWS\system32 2008-10-08 15:41:27 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI 2008-10-08 15:39:56 ----SD---- C:\WINDOWS\Tasks 2008-10-08 15:39:22 ----D---- C:\WINDOWS\system32\CatRoot2 2008-10-08 00:32:35 ----A---- C:\WINDOWS\SchedLgU.Txt 2008-10-07 23:23:35 ----RSHDC---- C:\WINDOWS\system32\dllcache 2008-10-07 23:23:35 ----D---- C:\Program Files\Spyware Doctor 2008-10-07 23:23:34 ----D---- C:\WINDOWS\system32\drivers 2008-10-07 23:23:31 ----D---- C:\Documents and Settings\All Users\Application Data\BigFishGamesCache 2008-10-07 23:23:30 ----RD---- C:\Program Files 2008-10-07 23:23:30 ----D---- C:\WINDOWS 2008-10-07 23:23:29 ----SHD---- C:\WINDOWS\Installer 2008-10-07 23:23:29 ----HD---- C:\Program Files\InstallShield Installation Information 2008-10-07 23:23:21 ----HD---- C:\WINDOWS\inf 2008-10-07 23:23:07 ----D---- C:\Config.Msi 2008-10-07 23:22:50 ----DC---- C:\WINDOWS\system32\DRVSTORE 2008-10-07 23:22:32 ----D---- C:\Documents and Settings\All Users\Application Data\PlayFirst 2008-10-07 23:22:13 ----D---- C:\Program Files\LucasArts 2008-10-07 23:21:53 ----D---- C:\Program Files\lg_fwupdate 2008-10-07 23:21:50 ----D---- C:\Documents and Settings\All Users\Application Data\Microsoft Help 2008-10-07 21:28:54 ----D---- C:\WINDOWS\system32\CatRoot 2008-10-07 21:24:43 ----D---- C:\WINDOWS\system32\config 2008-10-07 21:24:27 ----D---- C:\WINDOWS\system32\wbem 2008-10-07 21:24:26 ----D---- C:\WINDOWS\Registration 2008-10-06 13:55:31 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft 2008-10-04 22:05:41 ----A---- C:\WINDOWS\NeroDigital.ini 2008-10-04 19:02:16 ----SD---- C:\WINDOWS\Downloaded Program Files 2008-10-03 16:11:31 ----D---- C:\Documents and Settings\Banking8\Application Data\PlayFirst 2008-10-02 23:33:38 ----A---- C:\WINDOWS\lgfwup.ini 2008-09-30 19:36:40 ----D---- C:\Program Files\Cooking Academy 2008-09-30 17:29:53 ----SD---- C:\Documents and Settings\Banking8\Application Data\Microsoft 2008-09-25 18:25:28 ----D---- C:\WINDOWS\system32\DirectX 2008-09-22 21:26:54 ----D---- C:\Program Files\Common Files 2008-09-22 18:48:03 ----D---- C:\Program Files\bfgclient 2008-09-20 01:07:05 ----D---- C:\WINDOWS\Help 2008-09-11 01:27:25 ----D---- C:\WINDOWS\WinSxS 2008-09-11 01:26:52 ----A---- C:\WINDOWS\imsins.BAK ======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)====== R1 asuskbnt;Enhanced Display Driver Helper Service; C:\WINDOWS\system32\drivers\atkkbnt.sys [2007-07-12 11136] R1 AvgLdx86;AVG AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2008-08-29 97928] R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2008-07-03 26824] R1 EIO;EIO; \??\C:\WINDOWS\system32\drivers\EIO.sys [] R1 IKSysFlt;System Filter Driver; C:\WINDOWS\system32\drivers\iksysflt.sys [2007-12-10 66952] R1 IKSysSec;System Security Driver; C:\WINDOWS\system32\drivers\iksyssec.sys [2007-12-10 81288] R1 InCDPass;InCDPass; C:\WINDOWS\System32\DRIVERS\InCDPass.sys [2005-07-08 29696] R1 incdrm;InCD Reader; C:\WINDOWS\system32\drivers\incdrm.sys [2006-03-14 28672] R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-14 36352] R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-14 14592] R1 KLIF;KLIF; C:\WINDOWS\system32\DRIVERS\klif.sys [2007-07-19 127768] R1 vsdatant;vsdatant; C:\WINDOWS\System32\vsdatant.sys [2008-07-09 394952] R2 AvgTdiX;AVG8 Network Redirector; C:\WINDOWS\System32\Drivers\avgtdix.sys [2008-07-03 76040] R3 asusgsb;ASUS Virtual Video Capture Device Driver; C:\WINDOWS\system32\drivers\asusgsb.sys [2007-07-12 12416] R3 AtcL002;NDIS Miniport Driver for Atheros L2 Fast Ethernet Controller; C:\WINDOWS\system32\DRIVERS\l251x86.sys [2007-10-18 30720] R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys [2008-04-17 15464] R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-14 144384] R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-14 10368] R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2007-11-01 4620288] R3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128] R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2006-03-01 12160] R3 MTsensor;ATK0110 ACPI UTILITY; C:\WINDOWS\system32\DRIVERS\ASACPI.sys [2004-08-13 5810] R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2007-06-29 6807328] R3 smserial;smserial; C:\WINDOWS\system32\DRIVERS\smserial.sys [2005-06-06 925192] R3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-14 60032] R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-14 32128] R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-14 30208] R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-14 59520] R3 usbstor;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-14 26368] R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-14 20608] R3 usbvideo;USB Video Device (WDM); C:\WINDOWS\System32\Drivers\usbvideo.sys [2008-04-14 121984] R3 Video3D;ASUS Video3D Service; C:\WINDOWS\System32\Drivers\Video3D32.sys [2007-07-12 10752] R4 InCDfs;InCD File System; C:\WINDOWS\system32\drivers\InCDfs.sys [2005-07-08 99584] S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-14 17024] S3 dot4;MS IEEE-1284.4 Driver; C:\WINDOWS\system32\DRIVERS\Dot4.sys [2008-04-14 206976] S3 Dot4Print;Print Class Driver for IEEE-1284.4; C:\WINDOWS\system32\DRIVERS\Dot4Prt.sys [2001-08-17 12928] S3 dot4usb;Dot4USB Filter Dot4USB Filter; C:\WINDOWS\system32\DRIVERS\dot4usb.sys [2001-08-17 23808] S3 FETNDIS;VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\fetnd5.sys [2001-08-18 27165] S3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\igxpmp32.sys [2007-10-30 5851488] S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-14 5504] S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-14 85248] S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-14 10880] S3 RegGuard;RegGuard; \??\C:\WINDOWS\system32\Drivers\regguard.sys [] S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-14 11136] S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-14 15232] S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-14 25856] S3 VIAudio;VIA AC'97 Audio Controller (WDM); C:\WINDOWS\system32\drivers\ac97via.sys [2004-08-03 84480] S3 WpdUsb;WpdUsb; C:\WINDOWS\system32\DRIVERS\wpdusb.sys [2006-10-18 38528] S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-14 19200] S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944] S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys [] ======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)====== R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-10-01 116040] R2 ATKKeyboardService;ATK Keyboard Service; C:\WINDOWS\ATKKBService.exe [2007-07-12 257024] R2 avg8emc;AVG8 E-mail Scanner; d:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-29 875288] R2 avg8wd;AVG8 WatchDog; d:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-29 231704] R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-08-29 238888] R2 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-03-29 138680] R2 InCDsrv;InCD Helper; C:\Program Files\Ahead\InCD\InCDsrv.exe [2005-07-08 871424] R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2007-06-29 155716] R2 sdAuxService;PC Tools Auxiliary Service; C:\Program Files\Spyware Doctor\pctsAuxs.exe [2008-02-01 747912] R2 sdCoreService;PC Tools Security Service; C:\Program Files\Spyware Doctor\pctsSvc.exe [2008-02-01 948616] R2 vsmon;TrueVector Internet Monitor; C:\WINDOWS\system32\ZoneLabs\vsmon.exe [2008-07-09 75304] R2 WinDefend;Windows Defender; C:\Program Files\Windows Defender\MsMpEng.exe [2006-11-03 13592] R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336] R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-10-01 536872] S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632] S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2007-08-24 443776] S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184] S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408] -----------------EOF----------------- |
|
|
|
|
10-09-2008, 07:37 AM
|
#8 (permalink) |
|
Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Důn Čideann,Scotland.
Posts: 5,093
OS: XP
|
Re: Trojan - MCHLNDRV.SYS
Hello again
Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe. ======== Please follow all instructions and in which order they come, if you have any questions, please ask before proceeding. Its important that you follow this through until i give you the all clear, a lack of symptoms does not mean that it is no longer present. Please DO NOT Attach logs to your posts unless you are advised to do so. ========== Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs: Java(TM) 6 Update 5 Java(TM) 6 Update 6 Leave Java(TM) 6 Update 7 installed ============ Please visit this webpage for instructions for downloading and running ComboFix: http://www.bleepingcomputer.com/comb...o-use-combofix Please ensure you read this guide carefully and install the Recovery Console first. The Windows Recovery Console will allow you to boot up into a special recovery mode. This allows us to help you in the case that your computer has a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time. Download this file from Microsoft`s webpage: For XP Home >> http://www.microsoft.com/downloads/d...displaylang=en Save it as it is originally named to your Desktop. Now close all open windows and programs, including all antivirus and antispyware programs. Get help here  Then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Recovery Console. As part of installing the Recovery Console, ComboFix will begin to run. Your desktop may disappear. This is normal. It will return. ComboFix will now automatically install the Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Windows Recovery Console option when you start your computer unless requested to by a helper. Once the Recovery Console is installed, this blue window will appear:  Please continue as follows: Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Click Yes to allow ComboFix to continue scanning for malware. When the tool is finished, it will produce a report for you. ========== Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here. ========== Logs Required C:\Combofix.txt Hijackthis Log |
|
|
|
|
10-11-2008, 05:02 AM
|
#9 (permalink) |
|
Registered User
Join Date: Oct 2008
Location: New Zealand
Posts: 11
OS: win xp with service pack 3
|
Re: Trojan - MCHLNDRV.SYS
Hi TheBruce1
removed Java(TM) 6 Update 5 removed Java(TM) 6 Update 6 retained (Leave) Java(TM) 6 Update 7 installed Created Windows Recovery console Ran Combofix Below are the Logs Required C:\Combofix.txt Hijackthis Log: ComboFix 08-10-10.09 - Banking8 2008-10-11 23:34:33.1 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1561 [GMT 13:00] Running from: C:\Documents and Settings\Banking8\Desktop\ComboFix.exe * Created a new restore point . ((((((((((((((((((((((((( Files Created from 2008-09-11 to 2008-10-11 ))))))))))))))))))))))))))))))) . 2008-10-09 23:12 . 2008-10-10 21:43 <DIR> d--h----- C:\$AVG8.VAULT$ 2008-10-08 23:24 . 2008-10-08 23:51 <DIR> d-------- C:\rsit 2008-10-07 23:23 . 2008-10-07 23:23 <DIR> d-------- C:\Program Files\Trend Micro 2008-10-07 23:22 . 2008-10-07 23:22 <DIR> d-------- C:\Program Files\The Great Chocolate Chase 2008-10-07 23:22 . 2008-10-07 23:22 <DIR> d-------- C:\Program Files\Greatis 2008-10-07 23:22 . 2008-10-07 23:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6} 2008-10-07 21:29 . 2008-04-14 06:45 60,032 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys 2008-10-07 21:29 . 2008-04-14 12:12 20,992 --a------ C:\WINDOWS\system32\dshowext.ax 2008-10-07 21:02 . 2002-02-05 13:54 141,016 --a------ C:\WINDOWS\system32\alsndmgr.wav 2008-10-07 21:00 . 2008-10-07 23:19 <DIR> d-------- C:\Program Files\Realtek AC97 2008-10-07 20:17 . 2008-10-07 20:17 <DIR> d-------- C:\Program Files\NVIDIA Corporation 2008-10-07 20:15 . 2008-10-07 23:19 <DIR> d-------- C:\Program Files\NVIDIA nTune Performance Application 2008-10-07 18:51 . 2008-10-07 23:23 <DIR> d-------- C:\Program Files\MagicTune Premium(2) 2008-10-07 18:30 . 2008-10-07 18:30 <DIR> d-------- C:\Program Files\SEC 2008-10-06 22:16 . 2008-10-07 23:23 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVGTOOLBAR 2008-10-06 13:23 . 2008-04-14 06:45 60,032 --a--c--- C:\WINDOWS\system32\dllcache\usbaudio.sys 2008-10-06 13:23 . 2008-04-14 12:12 20,992 --a--c--- C:\WINDOWS\system32\dllcache\dshowext.ax 2008-10-05 21:55 . 2008-10-05 21:55 <DIR> d-------- C:\Documents and Settings\Banking8\Application Data\Reflexive Arcade 2008-10-05 18:39 . 2008-10-05 18:39 <DIR> d-------- C:\Documents and Settings\Banking8\Application Data\BigFish Games 2008-10-05 18:23 . 2008-10-07 23:19 <DIR> d-------- C:\Program Files\Jump Jump Jelly Reactor 2008-10-04 22:22 . 2008-10-08 22:47 <DIR> d-------- C:\Program Files\Picasa2 2008-10-04 22:22 . 2006-10-05 15:42 2,560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys 2008-10-04 22:22 . 2006-10-05 15:42 2,432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys 2008-10-04 21:39 . 2008-10-07 23:23 <DIR> d-------- C:\Program Files\PhotoScape 2008-10-04 19:55 . 2008-10-04 19:55 <DIR> d-------- C:\ie-spyad_zo 2008-10-04 19:38 . 2008-10-07 23:23 <DIR> d-------- C:\Program Files\SpywareBlaster 2008-10-04 19:02 . 2008-10-04 19:02 <DIR> d-------- C:\Program Files\Panda Security 2008-10-04 19:02 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys 2008-10-03 20:45 . 2008-10-07 23:23 <DIR> d-------- C:\Program Files\iTunes 2008-10-03 20:45 . 2008-10-07 23:22 <DIR> d-------- C:\Program Files\iPod 2008-10-02 23:49 . 2008-10-04 11:32 25,773 --a------ C:\WINDOWS\system32\drivers\regguard.sys 2008-10-02 23:49 . 2008-10-02 23:58 (2) -rahs-ot- C:\WINDOWS\winstart.bat 2008-09-30 17:56 . 2008-10-07 23:22 <DIR> d-------- C:\Program Files\Noodolbuddy 2008-09-26 18:29 . 2008-09-27 19:49 <DIR> d-------- C:\Program Files\Dream Day First Home 2008-09-25 17:41 . 2008-09-25 17:41 <DIR> d-------- C:\Documents and Settings\Banking8\Application Data\SecuROM 2008-09-25 17:32 . 2008-09-25 17:32 <DIR> d-------- C:\Program Files\Electronic Arts 2008-09-22 21:30 . 2008-09-22 23:57 <DIR> d-------- C:\Documents and Settings\Banking8\Application Data\Apple Computer 2008-09-22 21:30 . 2008-04-17 14:12 107,368 --a------ C:\WINDOWS\system32\GEARAspi.dll 2008-09-22 21:30 . 2008-04-17 14:12 15,464 --a------ C:\WINDOWS\system32\drivers\GEARAspiWDM.sys 2008-09-22 21:29 . 2008-09-22 21:29 <DIR> d-------- C:\Program Files\Bonjour 2008-09-22 21:28 . 2008-09-22 21:29 <DIR> d-------- C:\Program Files\QuickTime 2008-09-22 21:28 . 2008-09-22 21:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer 2008-09-22 21:27 . 2008-09-22 21:27 <DIR> d-------- C:\Program Files\Apple Software Update 2008-09-22 21:26 . 2008-09-22 21:28 <DIR> d-------- C:\Program Files\Common Files\Apple 2008-09-22 21:26 . 2008-09-22 21:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple 2008-09-22 20:44 . 2008-09-22 20:45 <DIR> d-------- C:\Program Files\Dress Up Rush 2008-09-21 20:33 . 2008-09-21 20:34 <DIR> d-------- C:\Program Files\Windows Defender 2008-09-21 19:32 . 2008-09-22 19:44 <DIR> d-------- C:\Program Files\Home Sweet Home 2 - Kitchens and Baths 2008-09-21 15:24 . 2008-09-21 15:46 <DIR> d-------- C:\Documents and Settings\Banking8\Application Data\PowerChallenge 2008-09-14 17:52 . 2008-09-14 17:52 <DIR> d-------- C:\Documents and Settings\Banking8\Application Data\Amaranth Games 2008-09-13 21:31 . 2008-09-13 21:31 <DIR> d-------- C:\Documents and Settings\Banking8\Application Data\LEGO Company 2008-09-13 21:30 . 2008-09-13 21:30 <DIR> d-------- C:\Program Files\LEGO Company 2008-09-13 18:27 . 2008-09-13 18:27 <DIR> d-------- C:\Program Files\directx 2008-09-13 18:08 . 2008-09-13 18:08 <DIR> d-------- C:\Program Files\Activision 2008-09-13 15:18 . 2007-07-12 11:03 12,288 --a------ C:\WINDOWS\system32\drivers\EIO.sys 2008-09-13 15:16 . 2008-09-13 15:16 <DIR> d-------- C:\Program Files\My Company Name 2008-09-13 15:11 . 2008-04-14 13:12 91,136 --a------ C:\WINDOWS\system32\kswdmcap.ax 2008-09-13 15:11 . 2008-04-14 13:12 91,136 --a--c--- C:\WINDOWS\system32\dllcache\kswdmcap.ax 2008-09-13 15:11 . 2008-04-14 13:12 61,952 --a------ C:\WINDOWS\system32\kstvtune.ax 2008-09-13 15:11 . 2008-04-14 13:12 61,952 --a--c--- C:\WINDOWS\system32\dllcache\kstvtune.ax 2008-09-13 15:11 . 2008-04-14 13:12 53,760 --a------ C:\WINDOWS\system32\vfwwdm32.dll 2008-09-13 15:11 . 2008-04-14 13:12 53,760 --a--c--- C:\WINDOWS\system32\dllcache\vfwwdm32.dll 2008-09-13 15:11 . 2008-04-14 13:12 43,008 --a------ C:\WINDOWS\system32\ksxbar.ax 2008-09-13 15:11 . 2008-04-14 13:12 43,008 --a--c--- C:\WINDOWS\system32\dllcache\ksxbar.ax 2008-09-13 15:06 . 2008-09-13 15:06 <DIR> d-------- C:\Program Files\ASUS 2008-09-13 15:05 . 2008-09-13 15:05 <DIR> d-------- C:\WINDOWS\nview 2008-09-13 15:05 . 2007-06-29 05:43 356,352 --a------ C:\WINDOWS\system32\nvudisp.exe 2008-09-13 15:05 . 2008-10-07 20:23 127,254 --a------ C:\WINDOWS\system32\nvapps.xml 2008-09-13 15:05 . 2007-06-29 05:43 17,463 --a------ C:\WINDOWS\system32\nvdisp.nvu 2008-09-13 15:04 . 2007-06-29 02:54 356,352 --a------ C:\WINDOWS\system32\NVUNINST.EXE . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-10-11 10:42 174,096,416 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat 2008-10-11 10:25 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP 2008-10-11 10:25 --------- d-----w C:\Program Files\Spyware Doctor 2008-10-11 10:17 2,045,072 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx 2008-10-11 10:03 --------- d-----w C:\Program Files\FlashGet 2008-10-11 09:02 --------- d-----w C:\Program Files\Java 2008-10-11 06:52 196,608 ----a-w C:\WINDOWS\system32\drivers\nStandard.bin 2008-10-10 11:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater 2008-10-10 10:30 9,395,804 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip 2008-10-07 10:23 --------- d--h--w C:\Program Files\InstallShield Installation Information 2008-10-07 10:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\BigFishGamesCache 2008-10-07 10:22 --------- d-----w C:\Program Files\LucasArts 2008-10-07 10:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\PlayFirst 2008-10-07 10:21 --------- d-----w C:\Program Files\lg_fwupdate 2008-10-07 10:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help 2008-10-05 00:21 2,276,864 ----a-w C:\WINDOWS\Internet Logs\xDBF.tmp 2008-10-04 11:28 1,879,552 ----a-w C:\WINDOWS\Internet Logs\xDB10.tmp 2008-10-03 03:11 --------- d-----w C:\Documents and Settings\Banking8\Application Data\PlayFirst 2008-10-01 00:06 24 ----a-w C:\Documents and Settings\Banking8\jagex_runescape_preferences.dat 2008-09-30 06:36 --------- d-----w C:\Program Files\Cooking Academy 2008-09-23 11:13 1,780,224 ----a-w C:\WINDOWS\Internet Logs\xDBE.tmp 2008-09-22 05:48 --------- d-----w C:\Program Files\bfgclient 2008-09-13 00:10 15,694,541 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2008_09_13_11_21_51_full.dmp.zip 2008-09-12 23:21 2,621,440 ----a-w C:\WINDOWS\Internet Logs\xDBD.tmp 2008-09-07 08:58 --------- d-----w C:\Documents and Settings\Banking8\Application Data\Skype 2008-09-07 07:59 --------- d-----w C:\Documents and Settings\Banking8\Application Data\skypePM 2008-09-06 04:53 1,662,976 ----a-w C:\WINDOWS\Internet Logs\xDBC.tmp 2008-09-04 12:23 --------- d-----w C:\Program Files\HD Tune 2008-08-29 04:37 97,928 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys 2008-08-28 22:18 87,336 ----a-w C:\WINDOWS\system32\dns-sd.exe 2008-08-28 21:53 61,440 ----a-w C:\WINDOWS\system32\dnssd.dll 2008-08-28 06:01 1,619,456 ----a-w C:\WINDOWS\Internet Logs\xDBB.tmp 2008-08-23 02:54 --------- d-----w C:\Program Files\Giant 2008-08-22 08:26 1,603,584 ----a-w C:\WINDOWS\Internet Logs\xDBA.tmp 2008-08-19 07:05 --------- d-----w C:\Program Files\Microsoft Silverlight 2008-08-16 00:52 --------- d-----w C:\Documents and Settings\Banking8\Application Data\CD-LabelPrint 2008-08-12 07:27 --------- d-----w C:\Documents and Settings\Banking8\Application Data\FrimaStudio 2008-08-01 08:02 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll 2008-07-26 07:02 1,440,256 ----a-w C:\WINDOWS\Internet Logs\xDB9.tmp 2008-07-19 07:46 1,401,856 ----a-w C:\WINDOWS\Internet Logs\xDB8.tmp 2008-07-18 10:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll 2008-07-18 10:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe 2008-07-18 10:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll 2008-07-18 10:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll 2008-07-18 10:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll 2008-07-18 10:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll 2008-07-18 10:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll 2008-07-18 10:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll 2008-07-18 10:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll 2008-07-18 10:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll 2008-07-15 20:11 267,112 ----a-w C:\WINDOWS\system32\xactengine2_9.dll 2008-04-10 05:29 0 ----a-w C:\Program Files\temp01 2008-04-03 10:59 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat 2004-10-01 03:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe 2008-05-16 11:53 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008051620080517\index.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-11-08 141848] "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-11-08 166424] "Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-11-08 137752] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792] "Easy-PrintToolBox"="C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" [2004-01-14 409600] "RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-02 32768] "InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2006-03-14 1397760] "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 155648] "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-05-23 185896] "AVG8_TRAY"="d:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-09-30 1234712] "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016] "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-29 8466432] "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-06-29 81920] "ASUSGamerOSD"="C:\Program Files\ASUS\GamerOSD\GamerOSD.exe" [2007-07-12 380928] "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-09-06 413696] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-10-01 289576] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784] "RTHDCPL"="RTHDCPL.EXE" [2007-10-25 C:\WINDOWS\RTHDCPL.exe] "SkyTel"="SkyTel.EXE" [2007-10-11 C:\WINDOWS\SkyTel.exe] "SMSERIAL"="sm56hlpr.exe" [2005-06-06 C:\WINDOWS\sm56hlpr.exe] "nwiz"="nwiz.exe" [2007-06-29 C:\WINDOWS\system32\nwiz.exe] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2008-08-21 443968] C:\Documents and Settings\Internet.NEWCOMPUTER\Start Menu\Programs\Startup\ OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=avgrsstx.dll [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "D:\\Program Files\\AVG\\AVG8\\avgupd.exe"= "D:\\Program Files\\AVG\\AVG8\\avgemc.exe"= "C:\\Program Files\\Skype\\Phone\\Skype.exe"= "C:\\Program Files\\Bonjour\\mDNSResponder.exe"= "C:\\Program Files\\iTunes\\iTunes.exe"= R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 28544] R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-29 97928] R2 avg8emc;AVG8 E-mail Scanner;d:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-29 875288] R2 avg8wd;AVG8 WatchDog;d:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-29 231704] R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-03 76040] R3 asusgsb;ASUS Virtual Video Capture Device Driver;C:\WINDOWS\system32\drivers\asusgsb.sys [2007-07-12 12416] R3 AtcL002;NDIS Miniport Driver for Atheros L2 Fast Ethernet Controller;C:\WINDOWS\system32\DRIVERS\l251x86.sys [2007-10-18 30720] R3 Video3D;ASUS Video3D Service;C:\WINDOWS\system32\Drivers\Video3D32.sys [2007-07-12 10752] S0 Partizan;Partizan;C:\WINDOWS\system32\drivers\Partizan.sys [ ] S3 RegGuard;RegGuard;C:\WINDOWS\system32\Drivers\regguard.sys [2008-10-04 25773] *Newly Created Service* - PROCEXP90 . Contents of the 'Scheduled Tasks' folder 2008-10-10 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 13:34] 2008-10-11 C:\WINDOWS\Tasks\MP Scheduled Scan.job - C:\Program Files\Windows Defender\MpCmdRun.exe [2006-11-03 20:20] . - - - - ORPHANS REMOVED - - - - ShellExecuteHooks-{F552DDE6-2090-4bf4-B924-6141E87789A5} - (no file) . ------- Supplementary Scan ------- . FireFox -: Profile - C:\Documents and Settings\Banking8\Application Data\Mozilla\Firefox\Profiles\k59nb8jo.default\ FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q= FireFox -: prefs.js - STARTUP.HOMEPAGE - file:///D:/NZStartPage%202008%20Feb.html . ************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-10-11 23:42:21 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2008-10-11 23:44:00 ComboFix-quarantined-files.txt 2008-10-11 10:43:53 Pre-Run: 27,040,419,840 bytes free Post-Run: 28,745,805,824 bytes free 226 --- E O F --- 2008-10-11 02:12:04 Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 11:55:19 PM, on 11-Oct-08 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16705) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Ahead\InCD\InCDsrv.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\WINDOWS\ATKKBService.exe d:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\svchost.exe d:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\WINDOWS\RTHDCPL.EXE C:\WINDOWS\sm56hlpr.exe C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe C:\Program Files\Ahead\InCD\InCD.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe D:\PROGRA~1\AVG\AVG8\avgtray.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\Program Files\ASUS\GamerOSD\GamerOSD.exe d:\PROGRA~1\AVG\AVG8\avgemc.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE d:\PROGRA~1\AVG\AVG8\aAvgApi.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe C:\WINDOWS\system32\igfxsrvc.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///D:/NZStartPage%202008%20Feb.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - d:\Program Files\AVG\AVG8\avgssie.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - d:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - d:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [AVG8_TRAY] d:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [ASUSGamerOSD] C:\Program Files\ASUS\GamerOSD\GamerOSD.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user') O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - d:\Program Files\AVG\AVG8\avgpp.dll O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O20 - AppInit_DLLs: avgrsstx.dll O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - d:\PROGRA~1\AVG\AVG8\avgemc.exe O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - d:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe -- End of file - 9918 bytes |
|
|
|
|
10-11-2008, 11:48 AM
|
#10 (permalink) |
|
Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Důn Čideann,Scotland.
Posts: 5,093
OS: XP
|
Re: Trojan - MCHLNDRV.SYS
Hello again
Download ATF-Cleaner by Atribune to your desktop. Double-click ATF Cleaner.exe to open it Under Main choose: Windows Temp Current User Temp All Users Temp Cookies Temporary Internet Files Prefetch Java Cache *The other boxes are optional* Then click the Empty Selected button. If you have Firefox installed: Click Firefox at the top and choose: Select All Click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click NO at the prompt. If you have Opera installed: Click Opera at the top and choose: Select All Click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click NO at the prompt. Click Exit on the Main menu to close the program. ========== Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner Click Accept, when prompted to download and install the program files and database of malware definitions.
This animation will guide you through the process:  To optimize scanning time and produce a more sensible report for review:
========== Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here. ========== Logs Required Kaspersky Scan Report Hijackthis Log How is your system running now. |
|
|
|
|
10-13-2008, 12:23 AM
|
#11 (permalink) |
|
Registered User
Join Date: Oct 2008
Location: New Zealand
Posts: 11
OS: win xp with service pack 3
|
Re: Trojan - MCHLNDRV.SYS
Hi TheBruce1
Ran the ATF-Cleaner by Atribune The KAS ran for over 2 and half hours Ran the HiJackthis My machine seems to be running normally. The Trojan error has not re-appeared. Once in a while the machine does not shut down and I have to press the restart button on the PC. Below are the two logs: Kaspersky Scan Report Hijackthis Log -------------------------------------------------------------------------------- KASPERSKY ONLINE SCANNER 7 REPORT Monday, October 13, 2008 Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600) Kaspersky Online Scanner 7 version: 7.0.25.0 Program database last update: Monday, October 13, 2008 04:14:13 Records in database: 1307882 -------------------------------------------------------------------------------- Scan settings: Scan using the following database: extended Scan archives: yes Scan mail databases: yes Scan area - My Computer: A:\ C:\ D:\ E:\ F:\ H:\ I:\ J:\ K:\ Scan statistics: Files scanned: 107616 Threat name: 3 Infected objects: 8 Suspicious objects: 0 Duration of the scan: 02:44:45 File name / Threat name / Threats count C:\Documents and Settings\Banking8\Local Settings\Temporary Internet Files\Content.IE5\66WFN2GM\v53[1].js Infected: Trojan.JS.Agent.db 1 D:\Backup of Drive C\Documents\EA Games\kf14 finder key ms code.zip Infected: not-a-virus:PSWTool.Win32.RAS.a 2 D:\Downloads\EA Games\kf14 finder key ms code.zip Infected: not-a-virus:PSWTool.Win32.RAS.a 2 D:\Magazines\PCW March 2008\ProduKey.exe Infected: not-a-virus:PSWTool.Win32.ProductKey.h 1 E:\Backup Downloads New Computer\Downloads\EA Games\kf14 finder key ms code.zip Infected: not-a-virus:PSWTool.Win32.RAS.a 2 The selected area was scanned. ****************************************** Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 19:02, on 2008-10-13 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16705) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Ahead\InCD\InCDsrv.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\WINDOWS\ATKKBService.exe d:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\Spyware Doctor\pctsAuxs.exe C:\Program Files\Spyware Doctor\pctsSvc.exe C:\WINDOWS\system32\svchost.exe d:\PROGRA~1\AVG\AVG8\avgrsx.exe d:\PROGRA~1\AVG\AVG8\avgemc.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\alg.exe C:\Program Files\Spyware Doctor\pctsTray.exe C:\WINDOWS\RTHDCPL.EXE C:\WINDOWS\sm56hlpr.exe C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe C:\Program Files\Ahead\InCD\InCD.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe D:\PROGRA~1\AVG\AVG8\avgtray.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\Program Files\ASUS\GamerOSD\GamerOSD.exe C:\Program Files\Windows Defender\MSASCui.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Internet Explorer\iexplore.exe d:\PROGRA~1\AVG\AVG8\aAvgApi.exe C:\Documents and Settings\Banking8\Local Settings\temp\jkos-Banking8\binaries\ScanningProcess.exe C:\Documents and Settings\Banking8\Local Settings\temp\jkos-Banking8\binaries\ScanningProcess.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe C:\WINDOWS\system32\wbem\wmiprvse.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///D:/NZStartPage%202008%20Feb.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - d:\Program Files\AVG\AVG8\avgssie.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - d:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - d:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [AVG8_TRAY] d:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [ASUSGamerOSD] C:\Program Files\ASUS\GamerOSD\GamerOSD.exe O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user') O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - d:\Program Files\AVG\AVG8\avgpp.dll O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - d:\PROGRA~1\AVG\AVG8\avgemc.exe O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - d:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe -- End of file - 10831 bytes Last edited by dwking; 10-13-2008 at 12:29 AM. Reason: inclide atf cleaner done and time |
|
|
|
|
10-13-2008, 05:39 AM
|
#12 (permalink) | |
|
Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Důn Čideann,Scotland.
Posts: 5,093
OS: XP
|
Re: Trojan - MCHLNDRV.SYS
Hello again
Please turn off Word Wrap in notepad. ========= Open notepad and copy/paste the text in the quotebox below into it: Quote:
 Refering to the picture above, drag CFscript into ComboFix.exe Follow the prompts, and post the resulting log, C:\ComboFix.txt Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system. Warning: Do not mouseclick combofix's window whilst it's running. That may cause it to stall ========== Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here. ========== Logs Required C:\Combofix.txt Hijackthis Log |
|
|
|
|
|
10-14-2008, 02:07 AM
|
#13 (permalink) |
|
Registered User
Join Date: Oct 2008
Location: New Zealand
Posts: 11
OS: win xp with service pack 3
|
Re: Trojan - MCHLNDRV.SYS
Hello TheBruce1
Wordwrap is turned off Combofix ran with the Cfscript.txt (paste from quotebox) New version of combofix was loaded - was this correct? The "famous windows blue screen appeared" and I had to reboot with the power switch Windows then corrected the problem - the system appears to be running Two logs were produced but I found only the mini101408.dmp file C:\DOCUME~1\Banking8\LOCALS~1\Temp\WERa744.dir00\Mini101408-01.dmp C:\DOCUME~1\Banking8\LOCALS~1\Temp\WERa744.dir00\sysdata.xml Attached are the logs C:\Combofix.txt Hijackthis Log Thanks ComboFix 08-10-12.01 - Banking8 2008-10-14 20:19:15.1 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1514 [GMT 13:00] Running from: C:\Documents and Settings\Banking8\Desktop\ComboFix.exe Command switches used :: C:\Documents and Settings\Banking8\Desktop\Cfscript.txt.txt * Created a new restore point FILE :: C:\Documents and Settings\Banking8\Local Settings\Temporary Internet Files\Content.IE5\66WFN2GM\v53[1].js D:\Backup of Drive C\Documents\EA Games\kf14 finder key ms code.zip D:\Downloads\EA Games\kf14 finder key ms code.zip D:\Magazines\PCW March 2008\ProduKey.exe E:\Backup Downloads New Computer\Downloads\EA Games\kf14 finder key ms code.zip . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Documents and Settings\Banking8\Local Settings\Temporary Internet Files\Content.IE5\66WFN2GM\v53[1].js C:\WINDOWS\system32\drivers\regguard.sys D:\Backup of Drive C\Documents\EA Games\kf14 finder key ms code.zip D:\Downloads\EA Games\kf14 finder key ms code.zip D:\Magazines\PCW March 2008\ProduKey.exe E:\Backup Downloads New Computer\Downloads\EA Games\kf14 finder key ms code.zip . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_REGGUARD -------\Service_RegGuard ((((((((((((((((((((((((( Files Created from 2008-09-14 to 2008-10-14 ))))))))))))))))))))))))))))))) . 2008-10-13 22:21 . 2008-10-13 23:12 <DIR> d-------- C:\Program Files\WinDirStat 2008-10-11 23:52 . 2008-10-12 12:46 <DIR> d-------- C:\RECYCLER(2) 2008-10-09 23:12 . 2008-10-10 21:43 <DIR> d--h----- C:\$AVG8.VAULT$ 2008-10-08 23:24 . 2008-10-08 23:51 <DIR> d-------- C:\rsit 2008-10-07 23:23 . 2008-10-07 23:23 <DIR> d-------- C:\Program Files\Trend Micro 2008-10-07 23:22 . 2008-10-07 23:22 <DIR> d-------- C:\Program Files\The Great Chocolate Chase 2008-10-07 23:22 . 2008-10-07 23:22 <DIR> d-------- C:\Program Files\Greatis 2008-10-07 23:22 . 2008-10-07 23:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6} 2008-10-07 21:29 . 2008-04-14 06:45 60,032 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys 2008-10-07 21:29 . 2008-04-14 12:12 20,992 --a------ C:\WINDOWS\system32\dshowext.ax 2008-10-07 21:02 . 2002-02-05 13:54 141,016 --a------ C:\WINDOWS\system32\alsndmgr.wav 2008-10-07 21:00 . 2008-10-07 23:19 <DIR> d-------- C:\Program Files\Realtek AC97 2008-10-07 20:17 . 2008-10-07 20:17 <DIR> d-------- C:\Program Files\NVIDIA Corporation 2008-10-07 20:15 . 2008-10-07 23:19 <DIR> d-------- C:\Program Files\NVIDIA nTune Performance Application 2008-10-07 18:51 . 2008-10-07 23:23 <DIR> d-------- C:\Program Files\MagicTune Premium(2) 2008-10-07 18:30 . 2008-10-07 18:30 <DIR> d-------- C:\Program Files\SEC 2008-10-06 22:16 . 2008-10-07 23:23 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVGTOOLBAR 2008-10-06 13:23 . 2008-04-14 06:45 60,032 --a--c--- C:\WINDOWS\system32\dllcache\usbaudio.sys 2008-10-06 13:23 . 2008-04-14 12:12 20,992 --a--c--- C:\WINDOWS\system32\dllcache\dshowext.ax 2008-10-05 21:55 . 2008-10-05 21:55 <DIR> d-------- C:\Documents and Settings\Banking8\Application Data\Reflexive Arcade 2008-10-05 18:39 . 2008-10-05 18:39 <DIR> d-------- C:\Documents and Settings\Banking8\Application Data\BigFish Games 2008-10-05 18:23 . 2008-10-07 23:19 <DIR> d-------- C:\Program Files\Jump Jump Jelly Reactor 2008-10-04 22:22 . 2008-10-08 22:47 <DIR> d-------- C:\Program Files\Picasa2 2008-10-04 22:22 . 2006-10-05 15:42 2,560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys 2008-10-04 22:22 . 2006-10-05 15:42 2,432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys 2008-10-04 21:39 . 2008-10-07 23:23 <DIR> d-------- C:\Program Files\PhotoScape 2008-10-04 19:55 . 2008-10-04 19:55 <DIR> d-------- C:\ie-spyad_zo 2008-10-04 19:38 . 2008-10-07 23:23 <DIR> d-------- C:\Program Files\SpywareBlaster 2008-10-04 19:02 . 2008-10-04 19:02 <DIR> d-------- C:\Program Files\Panda Security 2008-10-04 19:02 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys 2008-10-03 20:45 . 2008-10-07 23:23 <DIR> d-------- C:\Program Files\iTunes 2008-10-03 20:45 . 2008-10-07 23:22 <DIR> d-------- C:\Program Files\iPod 2008-10-02 23:49 . 2008-10-02 23:58 (2) -rahs-ot- C:\WINDOWS\winstart.bat 2008-09-30 17:56 . 2008-10-07 23:22 <DIR> d-------- C:\Program Files\Noodolbuddy 2008-09-26 18:29 . 2008-09-27 19:49 <DIR> d-------- C:\Program Files\Dream Day First Home 2008-09-25 17:41 . 2008-09-25 17:41 <DIR> d-------- C:\Documents and Settings\Banking8\Application Data\SecuROM 2008-09-25 17:32 . 2008-09-25 17:32 <DIR> d-------- C:\Program Files\Electronic Arts 2008-09-22 21:30 . 2008-09-22 23:57 <DIR> d-------- C:\Documents and Settings\Banking8\Application Data\Apple Computer 2008-09-22 21:30 . 2008-04-17 14:12 107,368 --a------ C:\WINDOWS\system32\GEARAspi.dll 2008-09-22 21:30 . 2008-04-17 14:12 15,464 --a------ C:\WINDOWS\system32\drivers\GEARAspiWDM.sys 2008-09-22 21:29 . 2008-09-22 21:29 <DIR> d-------- C:\Program Files\Bonjour 2008-09-22 21:28 . 2008-09-22 21:29 <DIR> d-------- C:\Program Files\QuickTime 2008-09-22 21:28 . 2008-09-22 21:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer 2008-09-22 21:27 . 2008-09-22 21:27 <DIR> d-------- C:\Program Files\Apple Software Update 2008-09-22 21:26 . 2008-09-22 21:28 <DIR> d-------- C:\Program Files\Common Files\Apple 2008-09-22 21:26 . 2008-09-22 21:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple 2008-09-22 20:44 . 2008-09-22 20:45 <DIR> d-------- C:\Program Files\Dress Up Rush 2008-09-21 20:33 . 2008-09-21 20:34 <DIR> d-------- C:\Program Files\Windows Defender 2008-09-21 19:32 . 2008-09-22 19:44 <DIR> d-------- C:\Program Files\Home Sweet Home 2 - Kitchens and Baths 2008-09-21 15:24 . 2008-09-21 15:46 <DIR> d-------- C:\Documents and Settings\Banking8\Application Data\PowerChallenge 2008-09-14 17:52 . 2008-09-14 17:52 <DIR> d-------- C:\Documents and Settings\Banking8\Application Data\Amaranth Games . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-10-14 07:26 10,172,321 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip 2008-10-14 07:25 2,051,648 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx 2008-10-14 07:25 175,003,680 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat 2008-10-14 07:11 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP 2008-10-14 04:18 24 ----a-w C:\Documents and Settings\Banking8\jagex_runescape_preferences.dat 2008-10-13 10:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater 2008-10-13 10:12 --------- d-----w C:\Program Files\Spyware Doctor 2008-10-13 09:21 --------- d-----w C:\Program Files\FlashGet 2008-10-12 09:34 1,904,128 ----a-w C:\WINDOWS\Internet Logs\xDB11.tmp 2008-10-11 09:02 --------- d-----w C:\Program Files\Java 2008-10-11 06:52 196,608 ----a-w C:\WINDOWS\system32\drivers\nStandard.bin 2008-10-07 10:23 --------- d--h--w C:\Program Files\InstallShield Installation Information 2008-10-07 10:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\BigFishGamesCache 2008-10-07 10:22 --------- d-----w C:\Program Files\LucasArts 2008-10-07 10:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\PlayFirst 2008-10-07 10:21 --------- d-----w C:\Program Files\lg_fwupdate 2008-10-07 10:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help 2008-10-05 00:21 2,276,864 ----a-w C:\WINDOWS\Internet Logs\xDBF.tmp 2008-10-04 11:28 1,879,552 ----a-w C:\WINDOWS\Internet Logs\xDB10.tmp 2008-10-03 03:11 --------- d-----w C:\Documents and Settings\Banking8\Application Data\PlayFirst 2008-09-30 06:36 --------- d-----w C:\Program Files\Cooking Academy 2008-09-23 11:13 1,780,224 ----a-w C:\WINDOWS\Internet Logs\xDBE.tmp 2008-09-22 05:48 --------- d-----w C:\Program Files\bfgclient 2008-09-13 08:31 --------- d-----w C:\Documents and Settings\Banking8\Application Data\LEGO Company 2008-09-13 08:30 --------- d-----w C:\Program Files\LEGO Company 2008-09-13 05:27 --------- d-----w C:\Program Files\directx 2008-09-13 05:08 --------- d-----w C:\Program Files\Activision 2008-09-13 02:16 --------- d-----w C:\Program Files\My Company Name 2008-09-13 02:06 --------- d-----w C:\Program Files\ASUS 2008-09-13 00:10 15,694,541 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2008_09_13_11_21_51_full.dmp.zip 2008-09-12 23:21 2,621,440 ----a-w C:\WINDOWS\Internet Logs\xDBD.tmp 2008-09-07 08:58 --------- d-----w C:\Documents and Settings\Banking8\Application Data\Skype 2008-09-07 07:59 --------- d-----w C:\Documents and Settings\Banking8\Application Data\skypePM 2008-09-06 04:53 1,662,976 ----a-w C:\WINDOWS\Internet Logs\xDBC.tmp 2008-09-04 12:23 --------- d-----w C:\Program Files\HD Tune 2008-08-29 04:37 97,928 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys 2008-08-28 22:18 87,336 ----a-w C:\WINDOWS\system32\dns-sd.exe 2008-08-28 21:53 61,440 ----a-w C:\WINDOWS\system32\dnssd.dll 2008-08-28 06:01 1,619,456 ----a-w C:\WINDOWS\Internet Logs\xDBB.tmp 2008-08-23 02:54 --------- d-----w C:\Program Files\Giant 2008-08-22 08:26 1,603,584 ----a-w C:\WINDOWS\Internet Logs\xDBA.tmp 2008-08-19 07:05 --------- d-----w C:\Program Files\Microsoft Silverlight 2008-08-16 00:52 --------- d-----w C:\Documents and Settings\Banking8\Application Data\CD-LabelPrint 2008-08-01 08:02 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll 2008-07-26 07:02 1,440,256 ----a-w C:\WINDOWS\Internet Logs\xDB9.tmp 2008-07-19 07:46 1,401,856 ----a-w C:\WINDOWS\Internet Logs\xDB8.tmp 2008-07-18 10:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll 2008-07-18 10:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe 2008-07-18 10:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll 2008-07-18 10:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll 2008-07-18 10:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll 2008-07-18 10:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll 2008-07-18 10:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll 2008-07-18 10:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll 2008-07-18 10:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll 2008-07-18 10:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll 2008-07-15 20:11 267,112 ----a-w C:\WINDOWS\system32\xactengine2_9.dll 2008-04-10 05:29 0 ----a-w C:\Program Files\temp01 2008-04-03 10:59 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat 2004-10-01 03:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe 2008-05-16 11:53 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008051620080517\index.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 13:12 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-11-08 20:56 141848] "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-11-08 20:56 166424] "Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-11-08 20:56 137752] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792] "Easy-PrintToolBox"="C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" [2004-01-14 14:10 409600] "RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-02 21:24 32768] "InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2006-03-14 15:06 1397760] "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648] "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-05-23 22:37 185896] "AVG8_TRAY"="d:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-09-30 23:35 1234712] "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 10:05 919016] "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-29 05:43 8466432] "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-06-29 05:43 81920] "ASUSGamerOSD"="C:\Program Files\ASUS\GamerOSD\GamerOSD.exe" [2007-07-12 11:03 380928] "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-09-06 16:09 413696] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-10-01 18:57 289576] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 05:27 144784] "RTHDCPL"="RTHDCPL.EXE" [2007-10-25 16:57 16855552 C:\WINDOWS\RTHDCPL.exe] "SkyTel"="SkyTel.EXE" [2007-10-11 16:04 1826816 C:\WINDOWS\SkyTel.exe] "SMSERIAL"="sm56hlpr.exe" [2005-06-06 22:40 544768 C:\WINDOWS\sm56hlpr.exe] "nwiz"="nwiz.exe" [2007-06-29 05:43 1626112 C:\WINDOWS\system32\nwiz.exe] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2008-08-21 14:18 443968] C:\Documents and Settings\Internet.NEWCOMPUTER\Start Menu\Programs\Startup\ OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 21:44:36 101440] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=avgrsstx.dll [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "D:\\Program Files\\AVG\\AVG8\\avgupd.exe"= "D:\\Program Files\\AVG\\AVG8\\avgemc.exe"= "C:\\Program Files\\Skype\\Phone\\Skype.exe"= "C:\\Program Files\\Bonjour\\mDNSResponder.exe"= "C:\\Program Files\\iTunes\\iTunes.exe"= R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24 28544] R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-29 17:37 97928] R2 avg8emc;AVG8 E-mail Scanner;d:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-29 17:37 875288] R2 avg8wd;AVG8 WatchDog;d:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-29 17:37 231704] R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-03 23:25 76040] R3 asusgsb;ASUS Virtual Video Capture Device Driver;C:\WINDOWS\system32\drivers\asusgsb.sys [2007-07-12 11:03 12416] R3 AtcL002;NDIS Miniport Driver for Atheros L2 Fast Ethernet Controller;C:\WINDOWS\system32\DRIVERS\l251x86.sys [2007-10-18 01:12 30720] R3 Video3D;ASUS Video3D Service;C:\WINDOWS\system32\Drivers\Video3D32.sys [2007-07-12 11:03 10752] S0 Partizan;Partizan;C:\WINDOWS\system32\drivers\Partizan.sys [ ] . Contents of the 'Scheduled Tasks' folder 2008-10-10 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 13:34] 2008-10-14 C:\WINDOWS\Tasks\MP Scheduled Scan.job - C:\Program Files\Windows Defender\MpCmdRun.exe [2006-11-03 20:20] . - - - - ORPHANS REMOVED - - - - ShellExecuteHooks-{F552DDE6-2090-4bf4-B924-6141E87789A5} - (no file) ************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-10-14 20:27:23 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 20:53, on 2008-10-14 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16705) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Ahead\InCD\InCDsrv.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\WINDOWS\ATKKBService.exe d:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\svchost.exe d:\PROGRA~1\AVG\AVG8\avgrsx.exe d:\PROGRA~1\AVG\AVG8\avgemc.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\RTHDCPL.EXE C:\WINDOWS\sm56hlpr.exe C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe C:\Program Files\Ahead\InCD\InCD.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe D:\PROGRA~1\AVG\AVG8\avgtray.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\Program Files\ASUS\GamerOSD\GamerOSD.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\system32\igfxsrvc.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\Program Files\Internet Explorer\IEXPLORE.EXE d:\PROGRA~1\AVG\AVG8\aAvgApi.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///D:/NZStartPage%202008%20Feb.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - d:\Program Files\AVG\AVG8\avgssie.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - d:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - d:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [AVG8_TRAY] d:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [ASUSGamerOSD] C:\Program Files\ASUS\GamerOSD\GamerOSD.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user') O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - d:\Program Files\AVG\AVG8\avgpp.dll O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - d:\PROGRA~1\AVG\AVG8\avgemc.exe O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - d:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe -- End of file - 9857 bytes Last edited by dwking; 10-14-2008 at 02:09 AM. Reason: Corrected file name |
|
|
|
|
10-14-2008, 06:06 AM
|
#14 (permalink) | |||
|
Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Důn Čideann,Scotland.
Posts: 5,093
OS: XP
|
Re: Trojan - MCHLNDRV.SYS
Hello again
Quote:
Quote:
========= Open notepad and copy/paste the text in the quotebox below into it: Quote:
Refering to the picture above, drag CFscript into ComboFix.exe Follow the prompts, and post the resulting log, C:\ComboFix.txt Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system. Warning: Do not mouseclick combofix's window whilst it's running. That may cause it to stall ========= Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here. ======== Logs Required C:\Combofix.txt Hijackthis Log |
|||
|
|
|
|
10-15-2008, 01:12 AM
|
#15 (permalink) |
|
Registered User
Join Date: Oct 2008
Location: New Zealand
Posts: 11
OS: win xp with service pack 3
|
Re: Trojan - MCHLNDRV.SYS
Hi TheBruce1
The Combofix displayed load new version Entered "N" Can't recall the details as the "windows blue screen" displayed a lot of numbers Ran the Combofix with CFscript Ran HiJackThis Below are the logs: C:\Combofix.txt Hijackthis Log Thanks ComboFix 08-10-12.01 - Banking8 2008-10-15 19:43:02.1 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1462 [GMT 13:00] Running from: C:\Documents and Settings\Banking8\Desktop\ComboFix.exe Command switches used :: C:\Documents and Settings\Banking8\Desktop\Cfscript.txt * Created a new restore point FILE :: C:\DOCUME~1\Banking8\LOCALS~1\Temp\WERa744.dir00\Mini101408-01.dmp C:\DOCUME~1\Banking8\LOCALS~1\Temp\WERa744.dir00\sysdata.xml C:\Program Files\temp01 C:\WINDOWS\system32\drivers\Partizan.sys C:\WINDOWS\winstart.bat . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Program Files\Greatis C:\Program Files\temp01 C:\WINDOWS\winstart.bat . ---- Previous Run ------- . C:\Documents and Settings\Banking8\Local Settings\Temporary Internet Files\Content.IE5\66WFN2GM\v53[1].js C:\WINDOWS\system32\drivers\regguard.sys D:\Backup of Drive C\Documents\EA Games\kf14 finder key ms code.zip D:\Downloads\EA Games\kf14 finder key ms code.zip D:\Magazines\PCW March 2008\ProduKey.exe E:\Backup Downloads New Computer\Downloads\EA Games\kf14 finder key ms code.zip . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_REGGUARD -------\Service_RegGuard -------\Legacy_PARTIZAN -------\Service_Partizan ((((((((((((((((((((((((( Files Created from 2008-09-15 to 2008-10-15 ))))))))))))))))))))))))))))))) . 2008-10-13 22:21 . 2008-10-13 23:12 <DIR> d-------- C:\Program Files\WinDirStat 2008-10-11 23:52 . 2008-10-12 12:46 <DIR> d-------- C:\RECYCLER(2) 2008-10-09 23:12 . 2008-10-10 21:43 <DIR> d--h----- C:\$AVG8.VAULT$ 2008-10-08 23:24 . 2008-10-08 23:51 <DIR> d-------- C:\rsit 2008-10-07 23:23 . 2008-10-07 23:23 <DIR> d-------- C:\Program Files\Trend Micro 2008-10-07 23:22 . 2008-10-07 23:22 <DIR> d-------- C:\Program Files\The Great Chocolate Chase 2008-10-07 23:22 . 2008-10-07 23:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6} 2008-10-07 21:29 . 2008-04-14 06:45 60,032 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys 2008-10-07 21:29 . 2008-04-14 12:12 20,992 --a------ C:\WINDOWS\system32\dshowext.ax 2008-10-07 21:02 . 2002-02-05 13:54 141,016 --a------ C:\WINDOWS\system32\alsndmgr.wav 2008-10-07 21:00 . 2008-10-07 23:19 <DIR> d-------- C:\Program Files\Realtek AC97 2008-10-07 20:17 . 2008-10-07 20:17 <DIR> d-------- C:\Program Files\NVIDIA Corporation 2008-10-07 20:15 . 2008-10-07 23:19 <DIR> d-------- C:\Program Files\NVIDIA nTune Performance Application 2008-10-07 18:51 . 2008-10-07 23:23 <DIR> d-------- C:\Program Files\MagicTune Premium(2) 2008-10-07 18:30 . 2008-10-07 18:30 <DIR> d-------- C:\Program Files\SEC 2008-10-06 22:16 . 2008-10-07 23:23 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVGTOOLBAR 2008-10-06 13:23 . 2008-04-14 06:45 60,032 --a--c--- C:\WINDOWS\system32\dllcache\usbaudio.sys 2008-10-06 13:23 . 2008-04-14 12:12 20,992 --a--c--- C:\WINDOWS\system32\dllcache\dshowext.ax 2008-10-05 21:55 . 2008-10-05 21:55 <DIR> d-------- C:\Documents and Settings\Banking8\Application Data\Reflexive Arcade 2008-10-05 18:39 . 2008-10-05 18:39 <DIR> d-------- C:\Documents and Settings\Banking8\Application Data\BigFish Games 2008-10-05 18:23 . 2008-10-07 23:19 <DIR> d-------- C:\Program Files\Jump Jump Jelly Reactor 2008-10-04 22:22 . 2008-10-08 22:47 <DIR> d-------- C:\Program Files\Picasa2 2008-10-04 22:22 . 2006-10-05 15:42 2,560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys 2008-10-04 22:22 . 2006-10-05 15:42 2,432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys 2008-10-04 21:39 . 2008-10-07 23:23 <DIR> d-------- C:\Program Files\PhotoScape 2008-10-04 19:55 . 2008-10-04 19:55 <DIR> d-------- C:\ie-spyad_zo 2008-10-04 19:38 . 2008-10-07 23:23 <DIR> d-------- C:\Program Files\SpywareBlaster 2008-10-04 19:02 . 2008-10-04 19:02 <DIR> d-------- C:\Program Files\Panda Security 2008-10-04 19:02 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys 2008-10-03 20:45 . 2008-10-07 23:23 <DIR> d-------- C:\Program Files\iTunes 2008-10-03 20:45 . 2008-10-07 23:22 <DIR> d-------- C:\Program Files\iPod 2008-09-30 17:56 . 2008-10-07 23:22 <DIR> d-------- C:\Program Files\Noodolbuddy 2008-09-26 18:29 . 2008-09-27 19:49 <DIR> d-------- C:\Program Files\Dream Day First Home 2008-09-25 17:41 . 2008-09-25 17:41 <DIR> d-------- C:\Documents and Settings\Banking8\Application Data\SecuROM 2008-09-25 17:32 . 2008-09-25 17:32 <DIR> d-------- C:\Program Files\Electronic Arts 2008-09-22 21:30 . 2008-09-22 23:57 <DIR> d-------- C:\Documents and Settings\Banking8\Application Data\Apple Computer 2008-09-22 21:30 . 2008-04-17 14:12 107,368 --a------ C:\WINDOWS\system32\GEARAspi.dll 2008-09-22 21:30 . 2008-04-17 14:12 15,464 --a------ C:\WINDOWS\system32\drivers\GEARAspiWDM.sys 2008-09-22 21:29 . 2008-09-22 21:29 <DIR> d-------- C:\Program Files\Bonjour 2008-09-22 21:28 . 2008-09-22 21:29 <DIR> d-------- C:\Program Files\QuickTime 2008-09-22 21:28 . 2008-09-22 21:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer 2008-09-22 21:27 . 2008-09-22 21:27 <DIR> d-------- C:\Program Files\Apple Software Update 2008-09-22 21:26 . 2008-09-22 21:28 <DIR> d-------- C:\Program Files\Common Files\Apple 2008-09-22 21:26 . 2008-09-22 21:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple 2008-09-22 20:44 . 2008-09-22 20:45 <DIR> d-------- C:\Program Files\Dress Up Rush 2008-09-21 20:33 . 2008-09-21 20:34 <DIR> d-------- C:\Program Files\Windows Defender 2008-09-21 19:32 . 2008-09-22 19:44 <DIR> d-------- C:\Program Files\Home Sweet Home 2 - Kitchens and Baths 2008-09-21 15:24 . 2008-09-21 15:46 <DIR> d-------- C:\Documents and Settings\Banking8\Application Data\PowerChallenge . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-10-15 06:47 2,051,648 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx 2008-10-15 06:47 175,003,680 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat 2008-10-15 04:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater 2008-10-14 10:26 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP 2008-10-14 09:28 --------- d-----w C:\Program Files\Spyware Doctor 2008-10-14 07:26 10,172,321 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip 2008-10-14 04:18 24 ----a-w C:\Documents and Settings\Banking8\jagex_runescape_preferences.dat 2008-10-13 09:21 --------- d-----w C:\Program Files\FlashGet 2008-10-12 09:34 1,904,128 ----a-w C:\WINDOWS\Internet Logs\xDB11.tmp 2008-10-11 09:02 --------- d-----w C:\Program Files\Java 2008-10-11 06:52 196,608 ----a-w C:\WINDOWS\system32\drivers\nStandard.bin 2008-10-07 10:23 --------- d--h--w C:\Program Files\InstallShield Installation Information 2008-10-07 10:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\BigFishGamesCache 2008-10-07 10:22 --------- d-----w C:\Program Files\LucasArts 2008-10-07 10:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\PlayFirst 2008-10-07 10:21 --------- d-----w C:\Program Files\lg_fwupdate 2008-10-07 10:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help 2008-10-05 00:21 2,276,864 ----a-w C:\WINDOWS\Internet Logs\xDBF.tmp 2008-10-04 11:28 1,879,552 ----a-w C:\WINDOWS\Internet Logs\xDB10.tmp 2008-10-03 03:11 --------- d-----w C:\Documents and Settings\Banking8\Application Data\PlayFirst 2008-09-30 06:36 --------- d-----w C:\Program Files\Cooking Academy 2008-09-23 11:13 1,780,224 ----a-w C:\WINDOWS\Internet Logs\xDBE.tmp 2008-09-22 05:48 --------- d-----w C:\Program Files\bfgclient 2008-09-14 04:52 --------- d-----w C:\Documents and Settings\Banking8\Application Data\Amaranth Games 2008-09-13 08:31 --------- d-----w C:\Documents and Settings\Banking8\Application Data\LEGO Company 2008-09-13 08:30 --------- d-----w C:\Program Files\LEGO Company 2008-09-13 05:27 --------- d-----w C:\Program Files\directx 2008-09-13 05:08 --------- d-----w C:\Program Files\Activision 2008-09-13 02:16 --------- d-----w C:\Program Files\My Company Name 2008-09-13 02:06 --------- d-----w C:\Program Files\ASUS 2008-09-13 00:10 15,694,541 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2008_09_13_11_21_51_full.dmp.zip 2008-09-12 23:21 2,621,440 ----a-w C:\WINDOWS\Internet Logs\xDBD.tmp 2008-09-07 08:58 --------- d-----w C:\Documents and Settings\Banking8\Application Data\Skype 2008-09-07 07:59 --------- d-----w C:\Documents and Settings\Banking8\Application Data\skypePM 2008-09-06 04:53 1,662,976 ----a-w C:\WINDOWS\Internet Logs\xDBC.tmp 2008-09-04 12:23 --------- d-----w C:\Program Files\HD Tune 2008-08-29 04:37 97,928 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys 2008-08-28 22:18 87,336 ----a-w C:\WINDOWS\system32\dns-sd.exe 2008-08-28 21:53 61,440 ----a-w C:\WINDOWS\system32\dnssd.dll 2008-08-28 06:01 1,619,456 ----a-w C:\WINDOWS\Internet Logs\xDBB.tmp 2008-08-23 02:54 --------- d-----w C:\Program Files\Giant 2008-08-22 08:26 1,603,584 ----a-w C:\WINDOWS\Internet Logs\xDBA.tmp 2008-08-19 07:05 --------- d-----w C:\Program Files\Microsoft Silverlight 2008-08-16 00:52 --------- d-----w C:\Documents and Settings\Banking8\Application Data\CD-LabelPrint 2008-08-01 08:02 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll 2008-07-26 07:02 1,440,256 ----a-w C:\WINDOWS\Internet Logs\xDB9.tmp 2008-07-19 07:46 1,401,856 ----a-w C:\WINDOWS\Internet Logs\xDB8.tmp 2008-07-18 10:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll 2008-07-18 10:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe 2008-07-18 10:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll 2008-07-18 10:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll 2008-07-18 10:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll 2008-07-18 10:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll 2008-07-18 10:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll 2008-07-18 10:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll 2008-07-18 10:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll 2008-07-18 10:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll 2008-07-15 20:11 267,112 ----a-w C:\WINDOWS\system32\xactengine2_9.dll 2008-04-03 10:59 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat 2004-10-01 03:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe 2008-05-16 11:53 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008051620080517\index.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-11-08 141848] "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-11-08 166424] "Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-11-08 137752] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792] "Easy-PrintToolBox"="C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" [2004-01-14 409600] "RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-02 32768] "InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2006-03-14 1397760] "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 155648] "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-05-23 185896] "AVG8_TRAY"="d:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-09-30 1234712] "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016] "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-29 8466432] "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-06-29 81920] "ASUSGamerOSD"="C:\Program Files\ASUS\GamerOSD\GamerOSD.exe" [2007-07-12 380928] "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-09-06 413696] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-10-01 289576] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784] "RTHDCPL"="RTHDCPL.EXE" [2007-10-25 C:\WINDOWS\RTHDCPL.exe] "SkyTel"="SkyTel.EXE" [2007-10-11 C:\WINDOWS\SkyTel.exe] "SMSERIAL"="sm56hlpr.exe" [2005-06-06 C:\WINDOWS\sm56hlpr.exe] "nwiz"="nwiz.exe" [2007-06-29 C:\WINDOWS\system32\nwiz.exe] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2008-08-21 443968] C:\Documents and Settings\Internet.NEWCOMPUTER\Start Menu\Programs\Startup\ OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=avgrsstx.dll [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "D:\\Program Files\\AVG\\AVG8\\avgupd.exe"= "D:\\Program Files\\AVG\\AVG8\\avgemc.exe"= "C:\\Program Files\\Skype\\Phone\\Skype.exe"= "C:\\Program Files\\Bonjour\\mDNSResponder.exe"= "C:\\Program Files\\iTunes\\iTunes.exe"= R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 28544] R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-29 97928] R2 avg8emc;AVG8 E-mail Scanner;d:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-29 875288] R2 avg8wd;AVG8 WatchDog;d:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-29 231704] R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-03 76040] R3 asusgsb;ASUS Virtual Video Capture Device Driver;C:\WINDOWS\system32\drivers\asusgsb.sys [2007-07-12 12416] R3 AtcL002;NDIS Miniport Driver for Atheros L2 Fast Ethernet Controller;C:\WINDOWS\system32\DRIVERS\l251x86.sys [2007-10-18 30720] R3 Video3D;ASUS Video3D Service;C:\WINDOWS\system32\Drivers\Video3D32.sys [2007-07-12 10752] . Contents of the 'Scheduled Tasks' folder 2008-10-10 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 13:34] 2008-10-15 C:\WINDOWS\Tasks\MP Scheduled Scan.job - C:\Program Files\Windows Defender\MpCmdRun.exe [2006-11-03 20:20] . - - - - ORPHANS REMOVED - - - - ShellExecuteHooks-{F552DDE6-2090-4bf4-B924-6141E87789A5} - (no file) ************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-10-15 19:49:07 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . ------------------------ Other Running Processes ------------------------ . C:\Program Files\Windows Defender\MsMpEng.exe C:\Program Files\Ahead\InCD\InCDsrv.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\WINDOWS\ATKKBService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe C:\WINDOWS\system32\nvsvc32.exe D:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\system32\wscntfy.exe . ************************************************************************** . Completion time: 2008-10-15 19:53:10 - machine was rebooted [Banking8] ComboFix-quarantined-files.txt 2008-10-15 06:53:01 ComboFix2.txt 2008-10-11 10:44:02 Pre-Run: 23,939,567,616 bytes free Post-Run: 23,967,277,056 bytes free 246 --- E O F --- 2008-10-11 02:12:04 Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 8:06:04 PM, on 15-Oct-08 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16705) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Ahead\InCD\InCDsrv.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\WINDOWS\ATKKBService.exe d:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\svchost.exe d:\PROGRA~1\AVG\AVG8\avgrsx.exe d:\PROGRA~1\AVG\AVG8\avgemc.exe C:\WINDOWS\RTHDCPL.EXE C:\WINDOWS\sm56hlpr.exe C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe C:\Program Files\Ahead\InCD\InCD.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\Program Files\ASUS\GamerOSD\GamerOSD.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\explorer.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\WINDOWS\system32\wscntfy.exe d:\PROGRA~1\AVG\AVG8\aAvgApi.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe D:\Program Files\AVG\AVG8\avgui.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///D:/NZStartPage%202008%20Feb.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - d:\Program Files\AVG\AVG8\avgssie.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - d:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - d:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [AVG8_TRAY] d:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [ASUSGamerOSD] C:\Program Files\ASUS\GamerOSD\GamerOSD.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user') O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - d:\Program Files\AVG\AVG8\avgpp.dll O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O20 - AppInit_DLLs: avgrsstx.dll O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - d:\PROGRA~1\AVG\AVG8\avgemc.exe O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - d:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe -- End of file - 9784 bytes |
|
|
|
|
10-15-2008, 07:43 AM
|
#16 (permalink) | ||
|
Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Důn Čideann,Scotland.
Posts: 5,093
OS: XP
|
Re: Trojan - MCHLNDRV.SYS
Hello again
Quote:
========= Open notepad and copy/paste the text in the quotebox below into it: Quote:
Refering to the picture above, drag CFscript into ComboFix.exe Follow the prompts, and post the resulting log, C:\ComboFix.txt Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system. Warning: Do not mouseclick combofix's window whilst it's running. That may cause it to stall ========= Download Malwarebytes ' Anti-Malware from Here or Here Double-click on mbam-setup.exe to install the application. * Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish. * If an update is found, it will download and install the latest version. * Once the program has loaded, select Perform Full Scan, then click Scan. * The scan may take some time to finish, so please be patient. * When the scan is complete, click OK, then Show Results to view the results. * Make sure that everything is checked, and click Remove Selected. * When disinfection is completed, a log will open in Notepad and you may be prompted to restart (see Extra Note below). * The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM. * Copy & paste the entire report into your next reply. Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. ========= Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here. ========== Logs Required C:\Combofix.txt MBAM Log Hijackthis Log |
||
|
|
|
|
10-17-2008, 12:49 AM
|
#17 (permalink) |
|
Registered User
Join Date: Oct 2008
Location: New Zealand
Posts: 11
OS: win xp with service pack 3
|
Re: Trojan - MCHLNDRV.SYS
Hello TheBruce1
Three logs attached C:\Combofix.txt MBAM Log Hijackthis Log ComboFix 08-10-12.01 - Banking8 2008-10-17 18:42:54.2 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1391 [GMT 13:00] Running from: C:\Documents and Settings\Banking8\Desktop\ComboFix.exe Command switches used :: C:\Documents and Settings\Banking8\Desktop\CFscript.txt * Created a new restore point * Resident AV is active . - REDUCED FUNCTIONALITY MODE - . ((((((((((((((((((((((((( Files Created from 2008-09-17 to 2008-10-17 ))))))))))))))))))))))))))))))) . 2008-10-17 09:39 . 2008-10-17 12:07 <DIR> d-------- C:\Documents and Settings\Internet.NEWCOMPUTER\Application Data\LEGO Company 2008-10-16 22:03 . 2008-10-17 16:02 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware 2008-10-16 22:03 . 2008-10-16 22:03 <DIR> d-------- C:\Documents and Settings\Banking8\Application Data\Malwarebytes 2008-10-16 22:03 . 2008-10-16 22:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes 2008-10-16 22:03 . 2008-10-16 20:25 38,496 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys 2008-10-16 22:03 . 2008-10-16 20:25 15,504 --a------ C:\WINDOWS\system32\drivers\mbam.sys 2008-10-16 16:11 . 2008-09-08 23:41 333,824 -----c--- C:\WINDOWS\system32\dllcache\srv.sys 2008-10-16 16:10 . 2008-08-14 23:11 2,189,184 -----c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe 2008-10-16 16:10 . 2008-08-14 23:09 2,145,280 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe 2008-10-16 16:10 . 2008-08-14 22:33 2,066,048 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe 2008-10-16 16:10 . 2008-08-14 22:33 2,023,936 -----c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe 2008-10-16 16:10 . 2008-09-16 01:12 1,846,400 -----c--- C:\WINDOWS\system32\dllcache\win32k.sys 2008-10-13 22:21 . 2008-10-13 23:12 <DIR> d-------- C:\Program Files\WinDirStat 2008-10-11 23:52 . 2008-10-12 12:46 <DIR> d-------- C:\RECYCLER(2) 2008-10-09 23:12 . 2008-10-17 10:08 <DIR> d--h----- C:\$AVG8.VAULT$ 2008-10-08 23:24 . 2008-10-08 23:51 <DIR> d-------- C:\rsit 2008-10-07 23:23 . 2008-10-07 23:23 <DIR> d-------- C:\Program Files\Trend Micro 2008-10-07 23:22 . 2008-10-07 23:22 <DIR> d-------- C:\Program Files\The Great Chocolate Chase 2008-10-07 23:22 . 2008-10-07 23:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6} 2008-10-07 21:29 . 2008-04-14 06:45 60,032 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys 2008-10-07 21:29 . 2008-04-14 12:12 20,992 --a------ C:\WINDOWS\system32\dshowext.ax 2008-10-07 21:02 . 2002-02-05 13:54 141,016 --a------ C:\WINDOWS\system32\alsndmgr.wav 2008-10-07 21:00 . 2008-10-07 23:19 <DIR> d-------- C:\Program Files\Realtek AC97 2008-10-07 20:17 . 2008-10-07 20:17 <DIR> d-------- C:\Program Files\NVIDIA Corporation 2008-10-07 20:15 . 2008-10-07 23:19 <DIR> d-------- C:\Program Files\NVIDIA nTune Performance Application 2008-10-07 18:51 . 2008-10-07 23:23 <DIR> d-------- C:\Program Files\MagicTune Premium(2) 2008-10-07 18:30 . 2008-10-07 18:30 <DIR> d-------- C:\Program Files\SEC 2008-10-06 22:16 . 2008-10-07 23:23 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVGTOOLBAR 2008-10-06 13:23 . 2008-04-14 06:45 60,032 --a--c--- C:\WINDOWS\system32\dllcache\usbaudio.sys 2008-10-06 13:23 . 2008-04-14 12:12 20,992 --a--c--- C:\WINDOWS\system32\dllcache\dshowext.ax 2008-10-05 21:55 . 2008-10-05 21:55 <DIR> d-------- C:\Documents and Settings\Banking8\Application Data\Reflexive Arcade 2008-10-05 18:39 . 2008-10-05 18:39 <DIR> d-------- C:\Documents and Settings\Banking8\Application Data\BigFish Games 2008-10-05 18:23 . 2008-10-07 23:19 <DIR> d-------- C:\Program Files\Jump Jump Jelly Reactor 2008-10-04 22:22 . 2008-10-08 22:47 <DIR> d-------- C:\Program Files\Picasa2 2008-10-04 22:22 . 2006-10-05 15:42 2,560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys 2008-10-04 22:22 . 2006-10-05 15:42 2,432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys 2008-10-04 21:39 . 2008-10-07 23:23 <DIR> d-------- C:\Program Files\PhotoScape 2008-10-04 19:55 . 2008-10-04 19:55 <DIR> d-------- C:\ie-spyad_zo 2008-10-04 19:38 . 2008-10-07 23:23 <DIR> d-------- C:\Program Files\SpywareBlaster 2008-10-04 19:02 . 2008-10-04 19:02 <DIR> d-------- C:\Program Files\Panda Security 2008-10-04 19:02 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys 2008-10-03 20:45 . 2008-10-07 23:23 <DIR> d-------- C:\Program Files\iTunes 2008-10-03 20:45 . 2008-10-07 23:22 <DIR> d-------- C:\Program Files\iPod 2008-09-30 17:56 . 2008-10-07 23:22 <DIR> d-------- C:\Program Files\Noodolbuddy 2008-09-26 18:29 . 2008-09-27 19:49 <DIR> d-------- C:\Program Files\Dream Day First Home 2008-09-25 17:41 . 2008-09-25 17:41 <DIR> d-------- C:\Documents and Settings\Banking8\Application Data\SecuROM 2008-09-25 17:32 . 2008-09-25 17:32 <DIR> d-------- C:\Program Files\Electronic Arts 2008-09-22 21:30 . 2008-09-22 23:57 <DIR> d-------- C:\Documents and Settings\Banking8\Application Data\Apple Computer 2008-09-22 21:30 . 2008-04-17 14:12 107,368 --a------ C:\WINDOWS\system32\GEARAspi.dll 2008-09-22 21:30 . 2008-04-17 14:12 15,464 --a------ C:\WINDOWS\system32\drivers\GEARAspiWDM.sys 2008-09-22 21:29 . 2008-09-22 21:29 <DIR> d-------- C:\Program Files\Bonjour 2008-09-22 21:28 . 2008-09-22 21:29 <DIR> d-------- C:\Program Files\QuickTime 2008-09-22 21:28 . 2008-09-22 21:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer 2008-09-22 21:27 . 2008-09-22 21:27 <DIR> d-------- C:\Program Files\Apple Software Update 2008-09-22 21:26 . 2008-09-22 21:28 <DIR> d-------- C:\Program Files\Common Files\Apple 2008-09-22 21:26 . 2008-09-22 21:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple 2008-09-22 20:44 . 2008-09-22 20:45 <DIR> d-------- C:\Program Files\Dress Up Rush 2008-09-21 20:33 . 2008-09-21 20:34 <DIR> d-------- C:\Program Files\Windows Defender 2008-09-21 19:32 . 2008-09-22 19:44 <DIR> d-------- C:\Program Files\Home Sweet Home 2 - Kitchens and Baths 2008-09-21 15:24 . 2008-09-21 15:46 <DIR> d-------- C:\Documents and Settings\Banking8\Application Data\PowerChallenge . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-10-17 02:01 2,051,648 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx 2008-10-17 02:01 175,003,680 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat 2008-10-16 08:58 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP 2008-10-16 08:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help 2008-10-16 06:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater 2008-10-15 08:02 196,608 ----a-w C:\WINDOWS\system32\drivers\nStandard.bin 2008-10-15 07:32 --------- d-----w C:\Program Files\Spyware Doctor 2008-10-14 07:26 10,172,321 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip 2008-10-14 04:18 24 ----a-w C:\Documents and Settings\Banking8\jagex_runescape_preferences.dat 2008-10-13 09:21 --------- d-----w C:\Program Files\FlashGet 2008-10-12 09:34 1,904,128 ----a-w C:\WINDOWS\Internet Logs\xDB11.tmp 2008-10-11 09:02 --------- d-----w C:\Program Files\Java 2008-10-07 10:23 --------- d--h--w C:\Program Files\InstallShield Installation Information 2008-10-07 10:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\BigFishGamesCache 2008-10-07 10:22 --------- d-----w C:\Program Files\LucasArts 2008-10-07 10:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\PlayFirst 2008-10-07 10:21 --------- d-----w C:\Program Files\lg_fwupdate 2008-10-05 00:21 2,276,864 ----a-w C:\WINDOWS\Internet Logs\xDBF.tmp 2008-10-04 11:28 1,879,552 ----a-w C:\WINDOWS\Internet Logs\xDB10.tmp 2008-10-03 03:11 --------- d-----w C:\Documents and Settings\Banking8\Application Data\PlayFirst 2008-09-30 06:36 --------- d-----w C:\Program Files\Cooking Academy 2008-09-23 11:13 1,780,224 ----a-w C:\WINDOWS\Internet Logs\xDBE.tmp 2008-09-22 05:48 --------- d-----w C:\Program Files\bfgclient 2008-09-15 12:12 1,846,400 ----a-w C:\WINDOWS\system32\win32k.sys 2008-09-14 04:52 --------- d-----w C:\Documents and Settings\Banking8\Application Data\Amaranth Games 2008-09-13 08:31 --------- d-----w C:\Documents and Settings\Banking8\Application Data\LEGO Company 2008-09-13 08:30 --------- d-----w C:\Program Files\LEGO Company 2008-09-13 05:27 --------- d-----w C:\Program Files\directx 2008-09-13 05:08 --------- d-----w C:\Program Files\Activision 2008-09-13 02:16 --------- d-----w C:\Program Files\My Company Name 2008-09-13 02:06 --------- d-----w C:\Program Files\ASUS 2008-09-13 00:10 15,694,541 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2008_09_13_11_21_51_full.dmp.zip 2008-09-12 23:21 2,621,440 ----a-w C:\WINDOWS\Internet Logs\xDBD.tmp 2008-09-08 10:41 333,824 ----a-w C:\WINDOWS\system32\drivers\srv.sys 2008-09-07 08:58 --------- d-----w C:\Documents and Settings\Banking8\Application Data\Skype 2008-09-07 07:59 --------- d-----w C:\Documents and Settings\Banking8\Application Data\skypePM 2008-09-06 04:53 1,662,976 ----a-w C:\WINDOWS\Internet Logs\xDBC.tmp 2008-09-04 12:23 --------- d-----w C:\Program Files\HD Tune 2008-08-29 04:37 97,928 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys 2008-08-28 22:18 87,336 ----a-w C:\WINDOWS\system32\dns-sd.exe 2008-08-28 21:53 61,440 ----a-w C:\WINDOWS\system32\dnssd.dll 2008-08-28 06:01 1,619,456 ----a-w C:\WINDOWS\Internet Logs\xDBB.tmp 2008-08-26 07:24 826,368 ----a-w C:\WINDOWS\system32\wininet.dll 2008-08-23 02:54 --------- d-----w C:\Program Files\Giant 2008-08-22 08:26 1,603,584 ----a-w C:\WINDOWS\Internet Logs\xDBA.tmp 2008-08-19 07:05 --------- d-----w C:\Program Files\Microsoft Silverlight 2008-08-14 10:09 2,145,280 ----a-w C:\WINDOWS\system32\ntoskrnl.exe 2008-08-14 09:33 2,023,936 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe 2008-08-01 08:02 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll 2008-07-26 07:02 1,440,256 ----a-w C:\WINDOWS\Internet Logs\xDB9.tmp 2008-07-19 07:46 1,401,856 ----a-w C:\WINDOWS\Internet Logs\xDB8.tmp 2008-07-18 10:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll 2008-07-18 10:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe 2008-07-18 10:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll 2008-07-18 10:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll 2008-07-18 10:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll 2008-07-18 10:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll 2008-07-18 10:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll 2008-07-18 10:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll 2008-07-18 10:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll 2008-07-18 10:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll 2008-04-03 10:59 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat 2004-10-01 03:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe 2008-05-16 11:53 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008051620080517\index.dat . (((((((((((((((((((((((((((((((((((((((((((( Look ))))))))))))))))))))))))))))))))))))))))))))))))))))))))) . ---- Directory of C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6} ---- 2008-07-04 13:35 54632 --a------ C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86\DifXInstall32.exe 2008-04-24 08:25 11168 --a------ C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86\gearaspiwdmx86.cat 2008-04-17 13:12 319456 --a------ C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86\DIFxAPI.dll 2008-04-17 13:12 2761 --a------ C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86\GEARAspiWDM.inf 2008-04-17 13:12 15464 --a------ C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86\x86\GEARAspiWDM.sys 2008-04-17 13:12 107368 --a------ C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86\x86\GEARAspi.dll ---- Directory of C:\Program Files\WinDirStat ---- 2005-07-16 23:00 51514 --a------ C:\Program Files\WinDirStat\windirstat.chm ((((((((((((((((((((((((((((( snapshot@2008-10-16_22.21.44.07 ))))))))))))))))))))))))))))))))))))))))) . - 2008-10-16 08:50:06 7,002 ----a-w C:\WINDOWS\SoftwareDistribution\EventCache\{C2C7A21A-56F5-40E5-9839-D6F7248898EB}.bin + 2008-10-17 03:01:10 2,244 ----a-w C:\WINDOWS\SoftwareDistribution\EventCache\{C2C7A21A-56F5-40E5-9839-D6F7248898EB}.bin - 2008-10-16 09:00:23 39,992 ----a-w C:\WINDOWS\system32\perfc009.dat + 2008-10-17 02:59:07 39,992 ----a-w C:\WINDOWS\system32\perfc009.dat - 2008-10-16 09:00:23 311,604 ----a-w C:\WINDOWS\system32\perfh009.dat + 2008-10-17 02:59:07 311,604 ----a-w C:\WINDOWS\system32\perfh009.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-11-08 141848] "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-11-08 166424] "Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-11-08 137752] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792] "Easy-PrintToolBox"="C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" [2004-01-14 409600] "RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-02 32768] "InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2006-03-14 1397760] "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 155648] "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-05-23 185896] "AVG8_TRAY"="d:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-09-30 1234712] "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016] "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-29 8466432] "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-06-29 81920] "ASUSGamerOSD"="C:\Program Files\ASUS\GamerOSD\GamerOSD.exe" [2007-07-12 380928] "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-09-06 413696] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-10-01 289576] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784] "RTHDCPL"="RTHDCPL.EXE" [2007-10-25 C:\WINDOWS\RTHDCPL.exe] "SkyTel"="SkyTel.EXE" [2007-10-11 C:\WINDOWS\SkyTel.exe] "SMSERIAL"="sm56hlpr.exe" [2005-06-06 C:\WINDOWS\sm56hlpr.exe] "nwiz"="nwiz.exe" [2007-06-29 C:\WINDOWS\system32\nwiz.exe] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2008-08-21 443968] C:\Documents and Settings\Internet.NEWCOMPUTER\Start Menu\Programs\Startup\ OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=avgrsstx.dll [HKEY_LOCAL_MACHINE\software\microsoft\security center] "FirewallOverride"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "D:\\Program Files\\AVG\\AVG8\\avgupd.exe"= "D:\\Program Files\\AVG\\AVG8\\avgemc.exe"= "C:\\Program Files\\Skype\\Phone\\Skype.exe"= "C:\\Program Files\\Bonjour\\mDNSResponder.exe"= "C:\\Program Files\\iTunes\\iTunes.exe"= R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 28544] R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-29 97928] R2 avg8emc;AVG8 E-mail Scanner;d:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-29 875288] R2 avg8wd;AVG8 WatchDog;d:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-29 231704] R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-03 76040] R3 asusgsb;ASUS Virtual Video Capture Device Driver;C:\WINDOWS\system32\drivers\asusgsb.sys [2007-07-12 12416] R3 AtcL002;NDIS Miniport Driver for Atheros L2 Fast Ethernet Controller;C:\WINDOWS\system32\DRIVERS\l251x86.sys [2007-10-18 30720] R3 Video3D;ASUS Video3D Service;C:\WINDOWS\system32\Drivers\Video3D32.sys [2007-07-12 10752] . Contents of the 'Scheduled Tasks' folder 2008-10-10 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 13:34] 2008-10-17 C:\WINDOWS\Tasks\MP Scheduled Scan.job - C:\Program Files\Windows Defender\MpCmdRun.exe [2006-11-03 20:20] . ************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-10-17 18:43:45 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2008-10-17 18:45:47 ComboFix-quarantined-files.txt 2008-10-17 05:45:39 ComboFix2.txt 2008-10-16 09:22:27 ComboFix3.txt 2008-10-15 06:53:13 ComboFix4.txt 2008-10-11 10:44:02 Pre-Run: 23,855,251,456 bytes free Post-Run: 23,862,390,784 bytes free 242 --- E O F --- 2008-10-17 03:01:00 Malwarebytes' Anti-Malware 1.27 Database version: 1127 Windows 5.1.2600 Service Pack 3 16-Oct-08 11:12:22 PM mbam-log-2008-10-16 (23-12-22).txt Scan type: Full Scan (C:\|D:\|E:\|) Objects scanned: 102566 Time elapsed: 47 minute(s), 20 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 1 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\System Volume Information\_restore{1A6F69A3-56C9-47D7-A13D-63CDC11FFAD1}\RP260\A0102030.dll (Trojan.Agent) -> Quarantined and deleted successfully. Malwarebytes' Anti-Malware 1.29 Database version: 1276 Windows 5.1.2600 Service Pack 3 17-Oct-08 6:38:58 PM mbam-log-2008-10-17 (18-38-58).txt Scan type: Full Scan (C:\|D:\|E:\|) Objects scanned: 175728 Time elapsed: 1 hour(s), 19 minute(s), 17 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 6:48:20 PM, on 17-Oct-08 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16735) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Ahead\InCD\InCDsrv.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\WINDOWS\ATKKBService.exe d:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\svchost.exe d:\PROGRA~1\AVG\AVG8\avgrsx.exe d:\PROGRA~1\AVG\AVG8\avgemc.exe C:\WINDOWS\RTHDCPL.EXE C:\WINDOWS\sm56hlpr.exe C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe C:\Program Files\Ahead\InCD\InCD.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\system32\igfxsrvc.exe C:\WINDOWS\explorer.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///D:/NZStartPage%202008%20Feb.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - d:\Program Files\AVG\AVG8\avgssie.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - d:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - d:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [AVG8_TRAY] d:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [ASUSGamerOSD] C:\Program Files\ASUS\GamerOSD\GamerOSD.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user') O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - d:\Program Files\AVG\AVG8\avgpp.dll O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O20 - AppInit_DLLs: avgrsstx.dll O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - d:\PROGRA~1\AVG\AVG8\avgemc.exe O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - d:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe -- End of file - 9514 bytes |
|
|
|
|
10-17-2008, 06:18 AM
|
#18 (permalink) |
|
Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Důn Čideann,Scotland.
Posts: 5,093
OS: XP
|
Re: Trojan - MCHLNDRV.SYS
Hello again
Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (If they still exist, make sure you do not miss any) If you recognise this entry you can leave in place, if not, have hijackthis fix it R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///D:/NZStartPage%202008%20Feb.html Please remember to close all other windows, including browsers then click Fix checked. Delete this folder in blue: C:\Program Files\WinDirStat Are you still getting notifications about MCHLNDRV.SYS from AVG, been any reboots lately? Just to let you know, will not be here on Saturday, will be back on Sunday. |
|
|
|
|
10-21-2008, 03:02 AM
|
#19 (permalink) |
|
Registered User
Join Date: Oct 2008
Location: New Zealand
Posts: 11
OS: win xp with service pack 3
|
Re: Trojan - MCHLNDRV.SYS
Hello TheBruce1
Thanks for your assistance. No more notification of MCHLNDRV.SYS from AVG The system is much cleaner after all the stuff was deleted. Thanks Again |
|
|
|
|
10-21-2008, 05:56 AM
|
#20 (permalink) |
|
Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Důn Čideann,Scotland.
Posts: 5,093
OS: XP
|
Re: Trojan - MCHLNDRV.SYS
Glad to hear.
If there are no further issues, continue below. ======== Delete RSIT from your desktop, also delete this folder c:\rsit. Uninstall Hijackthis via add/remove, you can keep ATF-Cleaner if you wish. ========= Well done, your logs are clean. Click start>run>type(or copy/paste command into run box): ComboFix /u Click ok. ========== Clear IE7 cookies *On the Internet Explorer 7 Tools menu, click Internet Options. The Internet Options box should open to the General tab. *On the General tab, in the Browsing History, click the Delete button. This will delete all the files that are currently stored in your cache [that includes cookies too]. *Click OK, and then click OK again. Clear Firefox cookies/cache • Select "Tools" • Select "Options". • Select "Privacy". • In "Settings" window put the check mark for Cookies,Cache,Browsing history and any others you want. • Click OK. • In Private area click "Clear Now". ------------------------------------------------------------------------------------------- MICROSOFT UPDATES 1.Click Start,Run, type sysdm.cpl, and then press OK. 2.Click the Automatic Updates tab, and then click to select one of the following options. We recommend that you select the Automatic (recommended). Microsoft updates are released every second Tuesday of each month,what is called "Patch Tuesday". ------------------------------------------------------------------------------------------ Useful Information and Programs to keep you safe. TrendProtect is a FREE browser plug-in that helps you avoid Web pages with unwanted content and hidden threats. TrendProtect rates the current page and pages listed in Google, MSN, and Yahoo search results. You can use the rating to decide if you want to visit or avoid a given Web page. To rate Web pages, TrendProtect refers to an extensive database that covers the following information for billions of Web pages: * Content category * Phishing scam detection * Site reputation * Page reputation WOT Free helps you avoid disingenuous Internet content by allowing you to learn from others' experiences. WOT shows you website reputations on your browser, telling you how much other users trust a website. This helps you make better decisions while browsing and avoid phishing, malware, and other types of fraud. Reputations can also be added to web search results, Gmail, Wikipedia, and other selected sites. WOT reputations are computed mainly from user testimonies. Sharing your knowledge with others is just a click away, without ever having to leave the site. We also collect data from hundreds of other sources (including PhishTank) to quickly warn you of emerging threats. Currently, WOT knows over 12 million websites. Note:Only compatible with Firefox 1.5 and higher. -------------------------------------------------------------------------------------- Alternate Browsers Try the following free alternate browsers rather than Internet Explorer Avant Firefox Opera K-Meleon ------------------------------------------------------------------------------------------ Free Antispyware Products SuperAntiSpyware Malwarebytes ' Anti-Malware SpywareBlaster to help prevent spyware from installing in the first place.
------------------------------------------------------------------ IE-Spyad™ is a freeware utility that places more than 4000 dubious websites and domains in the Internet Explorer Restricted List. Download and installation instructions for IE-Spyad™ Here ----------------------------------------- The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. Note that if you use a company provided HOSTS file you should not use the MVPS HOSTS file. If your having trouble downloading & extracting,see link below for guidance: http://www.mvps.org/winhelp2002/hosts2.htm Once you have extracted the host file,double click on it and a new window will open. Double-click on mvps.batand follow the prompts --------------------------------------------------------------- Winpatrol - Download and install the free version of Winpatrol. A tutorial for this product is located here: Using Winpatrol to protect your computer. ---------------------------------------- SnoopFree is a programme that informs you when another programme is wanting to log your keystrokes or read your screen.Only for XP users. Update all these programs regularly. Without regular updates you will not be protected when new malicious programs are released. ============================================== Also, please take a look at this well written article: PC Safety and Security--What Do I Need? **Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them. Please reply to this thread once more, as we may mark this as resolved, thanks. |
|
|
|
| Thread Tools | |
|
|
