Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Old 07-31-2009, 09:41 AM   #1 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 11
OS: Windows XP SP3


NTOSKRNL-HOOK Trojan Please Help!

I ran my virus scan this morning and it detected NTOSKRNL-HOOK Trojan Generic Rootkit.d!rootkit. I have no idea what to do. I can't run in normal mode because I get a blue screen error within minutes of startup, so I have to run in safe mode. Malwarebytes and SUPERAntiSpyware did not get rid of it. Please help!

I have attached the reports as requested.

UPDATE: I booted up normal again and I no longer get a blue screen error. NTOSKRNL-HOOK Trojan is still detected by virus scan. Other than that, all programs seem to be running normally.
Attached Files
File Type: txt DDS.txt (15.6 KB, 3 views)
File Type: zip Attach.zip (6.4 KB, 1 views)

Last edited by REfan001; 07-31-2009 at 10:06 AM.
Old 07-31-2009, 10:59 AM   #2 (permalink)
Analyst, Security Team
 
 
Join Date: Apr 2008
Location: Tokyo, JP
Posts: 1,476
OS: Vista, Linux Mint


Re: NTOSKRNL-HOOK Trojan Please Help!

hi.

Looking at your logs, it seems you booted in safe mode with networking.
We will start from there.

-----------------------------------------------------------------------

You may wish to subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

-------------------------------------------------------------------------
Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions, and please do not do any fixing on your own or run any scanners unless requested by a helper.

-----------------------------------------------------------------------
I am sorry to inform you that one or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

----------------------------------------------------------------------

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

--------------------------------------------------------------------------

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2






  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. You can find instructions HERE.

    http://img.photobucket.com/albums/v6...ee_disable.gif

    McAfee must be properly disabled or it will interfere with what ComboFix needs to do to remove this rootkit.

    Open McAfee Security Centre from START > ALL PROGRAMS > MCAFEE*
    • Under Common Tasks click on Home
    • Click Computer Files
    • Click Configure
    • Make sure the following are disabled by ticking the "Off" button.
      Virus protection
      Spyware protection
      System Guards Protection
      Script Scanning Protection (you may have to scroll down to see it)
    • Next, select never for "When to re-enable real time scanning"
    • and click OK.


  • Double click on Combo-Fix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

*Important* When it boots up again, start it in normal mode.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Mark
__________________
To accomplish great things, we must not only act, but also dream; not only plan, but also believe.
If I have been helping you and do not reply within 24 hours, please send me a message.
I'm a member of U.N.I.T.E and A.S.A.P
Old 07-31-2009, 03:51 PM   #3 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 11
OS: Windows XP SP3


Re: NTOSKRNL-HOOK Trojan Please Help!

Thankfully I don't do any online banking or shopping.

Attached is the ComboFix log.

Also, here are the files ComboFix said were important to write down:
C:\WINDOWS\System32\drivers\vsfocefviykbqo.sys
C:\WINDOWS\System32\vsfoceltlsbipj.dll
C:\WINDOWS\System32\vsfocedaxhskbl.dat
C:\WINDOWS\System32\vsfocevtleeqtj.dll
C:\WINDOWS\System32\vsfocebwvlnose.dat


ComboFix 09-07-31.02 - Peter Jones 07/31/2009 17:07.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.171 [GMT -4:00]
Running from: c:\documents and settings\Peter Jones\Desktop\Combo-Fix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Installer\1fee75.msp
c:\windows\Installer\1fee8d.msp
c:\windows\Installer\48fca8.msi
c:\windows\Installer\49a3f.msi
c:\windows\Installer\505f74.msi
c:\windows\Installer\c85202.msi
c:\windows\Installer\d08908.msp
c:\windows\Installer\e1b58e.msp
c:\windows\Installer\e1b597.msp
c:\windows\Installer\e1b5aa.msp
c:\windows\Installer\e1b5b3.msp
c:\windows\Installer\e1b5bc.msp
c:\windows\Installer\e1b5da.msp
c:\windows\Installer\e1b5e0.msp
c:\windows\Installer\e1b5e8.msp
c:\windows\Installer\e1b5ee.msp
c:\windows\Installer\e658f.msi
c:\windows\Installer\fc328.msi
c:\windows\Mafia
c:\windows\Mafia \uninstall.exe
c:\windows\system32\drivers\vsfocefviykbqo.sys
c:\windows\system32\dumphive.exe
c:\windows\system32\gxvxccounter
c:\windows\system32\kbdgccl.dll
c:\windows\system32\Packet.dll
c:\windows\system32\qgmgotsn.dll
c:\windows\system32\resgbjg.dll
c:\windows\system32\sql.dll
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\vsfocebwulnose.dat
c:\windows\system32\vsfocedaxhskbl.dat
c:\windows\system32\vsfoceltlsbipj.dll
c:\windows\system32\vsfocevtleeqtj.dll
c:\windows\system32\wpcap.dll
c:\windows\system32\Xcite.dll
c:\windows\visfx500.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_vsfocepuyarrsr
-------\Legacy_NPF
-------\Legacy_SVCPROC
-------\Legacy_ZESOFT
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2009-06-28 to 2009-07-31 )))))))))))))))))))))))))))))))
.

2009-07-31 13:53 . 2009-07-31 13:53 -------- d-----w- c:\documents and settings\Mom\Application Data\Malwarebytes
2009-07-27 04:55 . 2009-07-27 04:56 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-07-24 06:01 . 2009-07-24 06:01 -------- d-----w- c:\documents and settings\Peter Jones\Local Settings\Application Data\Identities
2009-07-21 22:26 . 2009-07-21 22:26 -------- d-----w- c:\program files\EA GAMES
2009-07-21 00:50 . 2009-07-21 00:50 -------- d-----w- c:\program files\iPod
2009-07-20 22:36 . 2009-07-20 22:36 49152 ----a-w- c:\documents and settings\Dad\Application Data\Sun\Java\Deployment\cache\6.0\2\727cabc2-3d1a7ea1-1.10.306.93--n\CitrixBridge.dll
2009-07-20 22:36 . 2009-07-20 22:36 49152 ----a-w- c:\documents and settings\Dad\Application Data\Sun\Java\Deployment\cache\6.0\2\727cabc2-25dc1abb-1.10.306.93--n\CitrixBridge.dll
2009-07-20 22:36 . 2009-07-20 22:36 241778 ----a-w- c:\documents and settings\Dad\Application Data\Sun\Java\Deployment\cache\6.0\2\727cabc2-3d1a7ea1-1.10.306.93--n\hpwin32.dll
2009-07-20 22:36 . 2009-07-20 22:36 241778 ----a-w- c:\documents and settings\Dad\Application Data\Sun\Java\Deployment\cache\6.0\2\727cabc2-25dc1abb-1.10.306.93--n\hpwin32.dll
2009-07-20 21:00 . 2009-07-20 21:00 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-07-20 16:13 . 2009-07-20 16:13 -------- d-----w- c:\program files\vol_toolbar
2009-07-20 16:13 . 2009-07-20 16:13 -------- d-----w- c:\documents and settings\Peter Jones\Application Data\vol_toolbar
2009-07-20 16:13 . 2009-07-20 16:13 -------- d-----w- c:\documents and settings\Peter Jones\Application Data\Verizon
2009-07-20 16:13 . 2009-07-20 16:13 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Verizon
2009-07-20 16:12 . 2009-07-20 16:12 -------- d-----w- c:\windows\bin
2009-07-20 16:11 . 2009-07-20 16:11 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Motive
2009-07-20 16:10 . 2009-07-20 16:11 -------- d-----w- c:\program files\Common Files\Motive
2009-07-20 16:01 . 2009-07-20 16:28 -------- d-----w- c:\documents and settings\Peter Jones\Local Settings\Application Data\SupportSoft
2009-07-20 15:43 . 2009-07-20 16:28 -------- d-----w- c:\program files\Verizon
2009-07-07 23:55 . 2009-07-07 23:55 41808 ----a-w- c:\windows\system32\xfcodec.dll
2009-07-03 23:40 . 2001-08-17 17:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2009-07-03 23:40 . 2001-08-17 17:48 12160 ----a-w- c:\windows\system32\dllcache\mouhid.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-31 16:16 . 2007-08-18 15:25 -------- d---a-w- c:\docume~1\ALLUSE~1\APPLIC~1\TEMP
2009-07-31 14:58 . 2009-04-17 03:51 117760 ----a-w- c:\documents and settings\Peter Jones\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-31 11:50 . 2008-01-07 05:12 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-31 09:20 . 2008-09-05 01:47 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-28 16:32 . 2008-10-22 02:21 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-07-27 04:58 . 2006-03-19 21:26 -------- d-----w- c:\program files\DivX
2009-07-26 22:27 . 2006-04-14 21:00 -------- d-----w- c:\documents and settings\Peter Jones\Application Data\Azureus
2009-07-23 03:57 . 2006-05-05 20:19 -------- d-----w- c:\documents and settings\Peter Jones\Application Data\Xfire
2009-07-22 12:00 . 2006-05-05 20:19 -------- d-s---w- c:\program files\Xfire
2009-07-21 22:59 . 2003-10-09 00:10 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-21 22:51 . 2003-10-19 22:14 3303 -c--a-w- c:\windows\eReg.dat
2009-07-21 00:51 . 2009-06-03 06:07 -------- d-----w- c:\program files\iTunes
2009-07-21 00:50 . 2007-07-04 07:01 -------- d-----w- c:\program files\Common Files\Apple
2009-07-20 17:57 . 2006-10-16 19:58 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\McAfee
2009-07-20 14:56 . 2006-10-16 20:02 -------- d-----w- c:\program files\McAfee
2009-07-05 03:56 . 2008-12-10 03:31 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Viewpoint
2009-07-03 17:09 . 2004-02-06 23:05 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-02 01:34 . 2003-10-09 00:10 101000 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-28 07:08 . 2009-06-28 07:08 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Last.fm
2009-06-28 07:07 . 2009-06-28 07:07 -------- d-----w- c:\program files\Last.fm
2009-06-16 14:36 . 2002-08-29 10:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2002-08-29 10:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-15 07:00 . 2009-06-15 07:00 -------- d-----w- c:\program files\Common Files\xing shared
2009-06-15 06:59 . 2003-10-09 00:12 -------- d-----w- c:\program files\Common Files\Real
2009-06-15 04:24 . 2009-06-15 04:24 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\2DBoy
2009-06-15 04:22 . 2009-06-15 04:21 -------- d-----w- c:\program files\WorldOfGoo
2009-06-14 09:30 . 2008-09-07 16:18 -------- d-----w- c:\documents and settings\Peter Jones\Application Data\U3
2009-06-03 19:25 . 2009-06-06 21:03 51200 ----a-w- c:\documents and settings\Peter Jones\Application Data\Mozilla\Firefox\Profiles\iyc8o7ef.default\extensions\{a6e4a4eb-d169-4e99-8988-250fcbafe767}\components\FFExternalAlert.dll
2009-06-03 19:25 . 2009-06-06 21:03 114688 ----a-w- c:\documents and settings\Peter Jones\Application Data\Mozilla\Firefox\Profiles\iyc8o7ef.default\extensions\{a6e4a4eb-d169-4e99-8988-250fcbafe767}\components\npmozax.dll
2009-06-03 19:09 . 2004-01-10 21:48 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-06-03 06:02 . 2009-06-03 06:00 -------- d-----w- c:\program files\QuickTime
2009-05-07 15:32 . 2002-08-29 10:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-06 18:23 . 2009-05-08 07:39 372736 ----a-w- c:\documents and settings\Peter Jones\Application Data\Mozilla\Firefox\Profiles\iyc8o7ef.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
2009-07-23 03:59 . 2009-05-09 02:45 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2005-07-12 16:28 . 2004-11-12 00:05 104 -csh--r- c:\windows\SYSTEM32\DB423767E3.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\System32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2008-05-16 13529088]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]
"StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2002-08-14 28672]
"DwlClient"="c:\program files\Common Files\Dell\EUSW\Support.exe" [2003-06-24 245760]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb08.exe" [2003-03-26 172032]
"DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2002-12-03 40960]
"Ad-watch"="c:\program files\Lavasoft\Ad-aware 6\Ad-watch.exe" [2003-02-13 392192]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-06-15 198160]
"MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2009-01-09 645328]
"MCUpdateExe"="c:\progra~1\mcafee.com\agent\McUpdate.exe" [2009-06-23 562928]
"BCMSMMSG"="BCMSMMSG.exe" - c:\windows\BCMSMMSG.exe [2003-08-29 122880]

c:\documents and settings\Peter Jones\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-30 18:31 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\mcafeeantivirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Sony\\Station\\Launchpad\\LaunchPad.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\refan101\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Morpheus\\Morpheus.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\AIM95\\aim.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5000:TCP"= 5000:TCP:AresChatServer

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [9/3/2008 2:07 PM 9968]
R1 saskutil;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/3/2008 2:07 PM 55024]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [10/21/2008 10:08 PM 210216]
S3 gbalink;GBA Link Driver (gbalink.sys);c:\windows\SYSTEM32\DRIVERS\gbalink.sys [12/26/2003 5:02 PM 19677]
S3 oflpydin;oflpydin;\??\c:\docume~1\PETERJ~1\LOCALS~1\Temp\oflpydin.sys --> c:\docume~1\PETERJ~1\LOCALS~1\Temp\oflpydin.sys [?]
S3 sasenum;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/3/2008 2:07 PM 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{7E530FE7-B3C5-4B84-8975-D83B296E07F3} - (no file)
WebBrowser-{E976DA18-52AC-4770-8F81-0AA5C46E094E} - (no file)
WebBrowser-{C2BE5319-8C34-4C92-AE23-3BA9AB3CB9AF} - (no file)
WebBrowser-{A1D9FEEF-06EF-34EA-23E2-2B312C01601A} - (no file)
HKCU-Run-E6TaskPanel - c:\program files\EarthLink TotalAccess\TaskPanl.exe
HKCU-Run-Sonic RecordNow! - (no file)
HKLM-Run-MPFExe - c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe
HKLM-Run-Windows AdTools - c:\program files\Windows AdTools\WinAdTools.exe
HKLM-Run-mmtask - c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
HKLM-Run-P3p4chk - c:\windows\system32\p3p4chk.exe
HKLM-Run-Free Skip - c:\progra~1\Dogsaveacid\fork plus.exe
HKLM-Run-MMTray - c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
HKLM-Run-Propel Accelerator - c:\program files\EarthLink TotalAccess\Accelerator\PropelAC.exe
HKLM-Run-HP Software Update - c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
HKLM-Run-MSVersion - c:\windows\System32\internetfeatures.exe
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\j2re1.4.2_03\bin\jusched.exe
HKLM-Run-VirusScan Online - c:\progra~1\mcafee.com\vso\mcvsshld.exe
HKLM-Run-VSOCheckTask - c:\progra~1\mcafee.com\vso\mcmnhdlr.exe
HKLM-Run-updater - c:\program files\Common files\updater\wupdater.exe
HKLM-Run-Host - (no file)


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://gamefaqs.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=localhost:8081
uInternet Settings,ProxyOverride = <local>;*.local
IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Refresh Pa&ge with Full Quality - c:\program files\EarthLink TotalAccess\Accelerator\\pac-page.html
IE: Refresh Pi&cture with Full Quality - c:\program files\EarthLink TotalAccess\Accelerator\\pac-image.html
IE: Transfer with Image Converter 2 - c:\program files\Sony\Image Converter 2\menu.htm
Trusted Zone: internet
Trusted Zone: mcafee.com
FF - ProfilePath - c:\docume~1\PETERJ~1\APPLIC~1\Mozilla\Firefox\Profiles\iyc8o7ef.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=&query=
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: browser.startup.homepage - hxxp://www.gamefaqs.com/index.html
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=&query=
FF - component: c:\documents and settings\Peter Jones\Application Data\Mozilla\Firefox\Profiles\iyc8o7ef.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
FF - component: c:\documents and settings\Peter Jones\Application Data\Mozilla\Firefox\Profiles\iyc8o7ef.default\extensions\{a6e4a4eb-d169-4e99-8988-250fcbafe767}\components\FFExternalAlert.dll
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\documents and settings\Peter Jones\Application Data\Mozilla\Firefox\Profiles\iyc8o7ef.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-31 17:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1578028135-652977769-4156948645-1007\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1578028135-652977769-4156948645-1007\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:d7,93,35,f7,aa,8e,61,c5,78,a6,47,05,8c,a4,61,dd,0a,7e,f1,ce,7c,d8,71,
7c,ed,19,3d,d7,6e,e3,c6,ce,41,7a,74,c1,9d,ac,81,16,2e,90,31,8e,b6,4d,ed,ec,\
"??"=hex:18,c2,17,8b,87,7e,0a,83,72,86,d2,c2,2b,34,7a,fc
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(540)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2784)
c:\windows\system32\WININET.dll
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\Common Files\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\program files\McAfee\VirusScan\Mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\MPF\MpfSrv.exe
c:\windows\SYSTEM32\nvsvc32.exe
c:\windows\SYSTEM32\PnkBstrA.exe
c:\windows\wanmpsvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
.
**************************************************************************
.
Completion time: 2009-07-31 17:45 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-31 21:45

Pre-Run: 30,141,661,184 bytes free
Post-Run: 30,588,502,016 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

292 --- E O F --- 2009-07-31 07:00
Attached Files
File Type: txt ComboFix.txt (19.2 KB, 2 views)

Last edited by REfan001; 07-31-2009 at 04:02 PM.
Old 07-31-2009, 09:20 PM   #4 (permalink)
Analyst, Security Team
 
 
Join Date: Apr 2008
Location: Tokyo, JP
Posts: 1,476
OS: Vista, Linux Mint


Re: NTOSKRNL-HOOK Trojan Please Help!

hi.

Good job. Let's proceed.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

--------------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. You can find instructions HERE.

3. Open notepad and copy/paste the text in the quotebox below into it:

Quote:
http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/400372-ntoskrnl-hook-trojan-please-help.html#post2269126

COLLECT::
c:\docume~1\PETERJ~1\LOCALS~1\Temp\oflpydin.sys

DRIVER::
oflpydin

REGISTRY::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\mcafeeantivirus]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000000

DDS::
uInternet Connection Wizard,ShellNext = iexplore
Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

**Note**

When CF finishes running, it pops out with the CF log and this message box:



Clicking OK will begin the auto-upload of the zipped file.




-----------

If you do not get a message box, please do the following:

There should be a file named [4]-Submit_date@time.zip with today's date, located here:

C:\QooBox\Quarantine\[4]-Submit_date@time.zip

Using the 'Browse' button, please submit it to this site ==> http://www.bleepingcomputer.com/subm....php?channel=4

Please let me know if you successfully submitted the file.

-----------------------------------------------------------------------

Please uninstall the following, using the Windows Add/Remove Programs applet in the Control Panel.

P2P programs (Perils of P2P File Sharing)

Azureus
LimeWire PRO 4.13.0
Morpheus 5.3


Outdated Java runtimes (older versions have vulnerabilities that malicious sites can exploit to infect your system):

J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.2
Java 2 Runtime Environment, SE v1.4.2_03
Java 2 Runtime Environment, SE v1.4.2_10
Java(TM) 6 Update 2
Java(TM) 6 Update 3


After you uninstall your outdated Java, please download Java(TM) 6 Update 14 here. Install it.

Did you install the following? If not, uninstall them.

AutoUpdate
WinPcap


------------------------------------------------------------------------

Run ESET Online Scan

*Close any open programs
*Turn off the real time scanner of any existing antivirus program while performing the online scan. You can find instructions HERE.


Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic and also let me know how things are now.

-------------------------------------------------------------------------

How's your computer now?

In your reply, please post

C:\combofix.txt
ESET scan result
Answer to my questions


Mark
__________________
To accomplish great things, we must not only act, but also dream; not only plan, but also believe.
If I have been helping you and do not reply within 24 hours, please send me a message.
I'm a member of U.N.I.T.E and A.S.A.P
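The REGISTRY:: block in the CFScript above resets the Security Center values that the ComboFix log in the previous reply showed set to 1, and the DRIVER:: entry removes a driver loading from a user's Temp folder. As an added example, not part of this thread and not ComboFix's own code, the Python script below parses those ComboFix "Reg Loading Points" lines, flags the same indicators (Security Center override, monitoring disabled, firewall profile off, driver from Temp), and emits the reset lines in the form the helper's script used; the log excerpt is constructed from lines quoted in this thread.

```python
"""Flag Security Center tampering and suspicious drivers in a ComboFix log.

Added example; not part of this thread and not ComboFix's own code.
"""
import re

# Constructed excerpt modelled on the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\mcafeeantivirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [9/3/2008 2:07 PM 9968]
S3 oflpydin;oflpydin;\??\c:\docume~1\PETERJ~1\LOCALS~1\Temp\oflpydin.sys --> c:\docume~1\PETERJ~1\LOCALS~1\Temp\oflpydin.sys [?]
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.+)$')
# start type ; service name ; display name ; image path, optional "--> path" and "[...]" tail
DRIVER_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(\S.*?)(?:\s+-->.*)?(?:\s+\[[^\]]*\])?$")


def parse_value(raw):
    """Convert ComboFix's value renderings (dword:00000001, 0 (0x0)) to ints."""
    raw = raw.strip()
    m = re.fullmatch(r"dword:([0-9a-fA-F]{8})", raw)
    if m:
        return int(m.group(1), 16)
    m = re.fullmatch(r"(\d+)\s*\(0x[0-9a-fA-F]+\)", raw)
    if m:
        return int(m.group(1))
    return raw.strip('"')


def parse_registry_values(text):
    """Return (key, name, value) for every value line under a [key] header."""
    key, out = None, []
    for line in text.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group(1)
            continue
        vm = VALUE_RE.match(line)
        if vm and key:
            out.append((key, vm.group(1), parse_value(vm.group(2))))
    return out


def parse_drivers(text):
    """Return {start, name, path} for each R*/S* driver or service line."""
    out = []
    for line in text.splitlines():
        m = DRIVER_RE.match(line.strip())
        if m:
            out.append({"start": m.group(1), "name": m.group(2), "path": m.group(4)})
    return out


def find_findings(text):
    """List the tampering indicators present in the log text, in log order."""
    findings = []
    for key, name, value in parse_registry_values(text):
        k, n, leaf = key.lower(), name.lower(), key.rsplit("\\", 1)[-1]
        if "security center" in k and n.endswith("override") and value not in (0, "0"):
            # Tells Security Center to stop reporting that AV/firewall is off.
            findings.append(f"SECURITY_CENTER_OVERRIDE: {name}={value} under {key}")
        if "security center" in k and n == "disablemonitoring" and value not in (0, "0"):
            findings.append(f"MONITORING_DISABLED: {leaf}")
        if "firewallpolicy" in k and n == "enablefirewall" and value == 0:
            findings.append(f"FIREWALL_OFF: profile {leaf}")
    for drv in parse_drivers(text):
        # Legitimate drivers live under system32\drivers, not a user's Temp folder.
        if re.search(r"\\temp\\", drv["path"], re.IGNORECASE):
            findings.append(f"DRIVER_FROM_TEMP: {drv['name']} ({drv['start']}) -> {drv['path']}")
    return findings


def registry_fix_lines(text):
    """Build [key] / "name"=dword:00000000 lines resetting the flagged Security
    Center values, in the form the helper's REGISTRY:: block used in this thread."""
    lines = []
    for key, name, value in parse_registry_values(text):
        n = name.lower()
        if "security center" in key.lower() and value not in (0, "0") and (
            n.endswith("override") or n == "disablemonitoring"
        ):
            lines.append(f"[{key}]")
            lines.append(f'"{name}"=dword:00000000')
    return lines


if __name__ == "__main__":
    for finding in find_findings(SAMPLE_LOG):
        print(finding)
    print("\n".join(["REGISTRY::"] + registry_fix_lines(SAMPLE_LOG)))
```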
Old 08-01-2009, 01:58 AM   #5 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 11
OS: Windows XP SP3


Re: NTOSKRNL-HOOK Trojan Please Help!

Okay, here is the ComboFix log:

ComboFix 09-07-31.04 - Peter Jones 08/01/2009 1:02.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.236 [GMT -4:00]
Running from: c:\documents and settings\Peter Jones\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Peter Jones\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Downloaded Program Files\setup.dll
c:\windows\Downloaded Program Files\WUInst.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_OFLPYDIN
-------\Service_oflpydin


((((((((((((((((((((((((( Files Created from 2009-07-01 to 2009-08-01 )))))))))))))))))))))))))))))))
.

2009-07-31 13:53 . 2009-07-31 13:53 -------- d-----w- c:\documents and settings\Mom\Application Data\Malwarebytes
2009-07-27 04:55 . 2009-07-27 04:56 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-07-24 06:01 . 2009-07-24 06:01 -------- d-----w- c:\documents and settings\Peter Jones\Local Settings\Application Data\Identities
2009-07-21 22:26 . 2009-07-21 22:26 -------- d-----w- c:\program files\EA GAMES
2009-07-21 00:50 . 2009-07-21 00:50 -------- d-----w- c:\program files\iPod
2009-07-21 00:31 . 2009-07-21 00:31 75040 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe
2009-07-20 22:36 . 2009-07-20 22:36 49152 ----a-w- c:\documents and settings\Dad\Application Data\Sun\Java\Deployment\cache\6.0\2\727cabc2-3d1a7ea1-1.10.306.93--n\CitrixBridge.dll
2009-07-20 22:36 . 2009-07-20 22:36 49152 ----a-w- c:\documents and settings\Dad\Application Data\Sun\Java\Deployment\cache\6.0\2\727cabc2-25dc1abb-1.10.306.93--n\CitrixBridge.dll
2009-07-20 22:36 . 2009-07-20 22:36 241778 ----a-w- c:\documents and settings\Dad\Application Data\Sun\Java\Deployment\cache\6.0\2\727cabc2-3d1a7ea1-1.10.306.93--n\hpwin32.dll
2009-07-20 22:36 . 2009-07-20 22:36 241778 ----a-w- c:\documents and settings\Dad\Application Data\Sun\Java\Deployment\cache\6.0\2\727cabc2-25dc1abb-1.10.306.93--n\hpwin32.dll
2009-07-20 21:00 . 2009-07-20 21:00 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-07-20 16:13 . 2009-07-20 16:13 -------- d-----w- c:\program files\vol_toolbar
2009-07-20 16:13 . 2009-07-20 16:13 -------- d-----w- c:\documents and settings\Peter Jones\Application Data\vol_toolbar
2009-07-20 16:13 . 2009-07-20 16:13 -------- d-----w- c:\documents and settings\Peter Jones\Application Data\Verizon
2009-07-20 16:13 . 2009-07-20 16:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Verizon
2009-07-20 16:12 . 2009-07-20 16:12 -------- d-----w- c:\windows\bin
2009-07-20 16:11 . 2009-07-20 16:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Motive
2009-07-20 16:10 . 2009-07-20 16:11 -------- d-----w- c:\program files\Common Files\Motive
2009-07-20 16:01 . 2009-07-20 16:28 -------- d-----w- c:\documents and settings\Peter Jones\Local Settings\Application Data\SupportSoft
2009-07-20 15:43 . 2009-07-20 16:28 -------- d-----w- c:\program files\Verizon
2009-07-07 23:55 . 2009-07-07 23:55 41808 ----a-w- c:\windows\system32\xfcodec.dll
2009-07-03 23:40 . 2001-08-17 17:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2009-07-03 23:40 . 2001-08-17 17:48 12160 ----a-w- c:\windows\system32\dllcache\mouhid.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-31 16:16 . 2007-08-18 15:25 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-31 14:58 . 2009-04-17 03:51 117760 ----a-w- c:\documents and settings\Peter Jones\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-31 11:50 . 2008-01-07 05:12 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-31 09:20 . 2008-09-05 01:47 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-28 16:32 . 2008-10-22 02:21 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-07-27 04:58 . 2006-03-19 21:26 -------- d-----w- c:\program files\DivX
2009-07-26 22:27 . 2006-04-14 21:00 -------- d-----w- c:\documents and settings\Peter Jones\Application Data\Azureus
2009-07-23 03:57 . 2006-05-05 20:19 -------- d-----w- c:\documents and settings\Peter Jones\Application Data\Xfire
2009-07-22 12:00 . 2006-05-05 20:19 -------- d-s---w- c:\program files\Xfire
2009-07-21 22:59 . 2003-10-09 00:10 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-21 22:51 . 2003-10-19 22:14 3303 -c--a-w- c:\windows\eReg.dat
2009-07-21 00:51 . 2009-06-03 06:07 -------- d-----w- c:\program files\iTunes
2009-07-21 00:50 . 2007-07-04 07:01 -------- d-----w- c:\program files\Common Files\Apple
2009-07-20 17:57 . 2006-10-16 19:58 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-07-20 14:56 . 2006-10-16 20:02 -------- d-----w- c:\program files\McAfee
2009-07-05 03:56 . 2008-12-10 03:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-07-03 17:09 . 2004-02-06 23:05 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-02 01:34 . 2003-10-09 00:10 101000 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-28 07:08 . 2009-06-28 07:08 92 ----a-w- c:\documents and settings\All Users\Application Data\Last.fm\Client\uninst2.bat
2009-06-28 07:08 . 2009-06-28 07:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Last.fm
2009-06-28 07:08 . 2009-06-28 07:08 683801 ----a-w- c:\documents and settings\All Users\Application Data\Last.fm\Client\UninstITW\unins000.exe
2009-06-28 07:07 . 2009-06-28 07:07 -------- d-----w- c:\program files\Last.fm
2009-06-16 14:36 . 2002-08-29 10:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2002-08-29 10:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-15 07:00 . 2009-06-15 07:00 -------- d-----w- c:\program files\Common Files\xing shared
2009-06-15 06:59 . 2003-10-09 00:12 -------- d-----w- c:\program files\Common Files\Real
2009-06-15 04:24 . 2009-06-15 04:24 -------- d-----w- c:\documents and settings\All Users\Application Data\2DBoy
2009-06-15 04:22 . 2009-06-15 04:21 -------- d-----w- c:\program files\WorldOfGoo
2009-06-14 09:30 . 2008-09-07 16:18 -------- d-----w- c:\documents and settings\Peter Jones\Application Data\U3
2009-06-03 19:25 . 2009-06-06 21:03 51200 ----a-w- c:\documents and settings\Peter Jones\Application Data\Mozilla\Firefox\Profiles\iyc8o7ef.default\extensions\{a6e4a4eb-d169-4e99-8988-250fcbafe767}\components\FFExternalAlert.dll
2009-06-03 19:25 . 2009-06-06 21:03 114688 ----a-w- c:\documents and settings\Peter Jones\Application Data\Mozilla\Firefox\Profiles\iyc8o7ef.default\extensions\{a6e4a4eb-d169-4e99-8988-250fcbafe767}\components\npmozax.dll
2009-06-03 19:09 . 2004-01-10 21:48 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-06-03 06:02 . 2009-06-03 06:00 -------- d-----w- c:\program files\QuickTime
2009-05-07 15:32 . 2002-08-29 10:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-06 18:23 . 2009-05-08 07:39 372736 ----a-w- c:\documents and settings\Peter Jones\Application Data\Mozilla\Firefox\Profiles\iyc8o7ef.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
2009-07-23 03:59 . 2009-05-09 02:45 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2005-07-12 16:28 . 2004-11-12 00:05 104 -csh--r- c:\windows\SYSTEM32\DB423767E3.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-07-31_21.31.19 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-31 21:57 . 2009-08-01 02:11 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2002-09-03 18:45 . 2009-08-01 02:11 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
- 2002-09-03 18:45 . 2009-07-31 16:57 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
+ 2002-09-03 18:45 . 2009-08-01 02:11 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
- 2002-09-03 18:45 . 2009-07-31 16:57 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\System32\ctfmon.exe" [2008-04-14 15360]
"E6TaskPanel"="c:\program files\EarthLink TotalAccess\TaskPanl.exe" [BU]
"Sonic RecordNow!"="" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2008-05-16 13529088]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]
"StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2002-08-14 28672]
"DwlClient"="c:\program files\Common Files\Dell\EUSW\Support.exe" [2003-06-24 245760]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb08.exe" [2003-03-26 172032]
"DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2002-12-03 40960]
"Ad-watch"="c:\program files\Lavasoft\Ad-aware 6\Ad-watch.exe" [2003-02-13 392192]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-06-15 198160]
"VSOCheckTask"="c:\progra~1\mcafee.com\vso\mcmnhdlr.exe" [BU]
"VirusScan Online"="c:\progra~1\mcafee.com\vso\mcvsshld.exe" [BU]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [BU]
"Propel Accelerator"="c:\program files\EarthLink TotalAccess\Accelerator\PropelAC.exe" [BU]
"MSVersion"="c:\windows\System32\internetfeatures.exe" [BU]
"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_03\bin\jusched.exe" [BU]
"P3p4chk"="c:\windows\system32\p3p4chk.exe" [BU]
"Free Skip"="c:\progra~1\Dogsaveacid\fork plus.exe" [BU]
"MMTray"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [BU]
"Windows AdTools"="c:\program files\Windows AdTools\WinAdTools.exe" [BU]
"MPFExe"="c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe" [BU]
"mmtask"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [BU]
"MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2009-01-09 645328]
"MCUpdateExe"="c:\progra~1\mcafee.com\agent\McUpdate.exe" [2009-06-23 562928]
"updater"="c:\program files\Common files\updater\wupdater.exe" [BU]
"BCMSMMSG"="BCMSMMSG.exe" - c:\windows\BCMSMMSG.exe [2003-08-29 122880]
"Host"="" [BU]

c:\documents and settings\Peter Jones\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-30 18:31 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\mcafeeantivirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Sony\\Station\\Launchpad\\LaunchPad.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\refan101\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Morpheus\\Morpheus.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\AIM95\\aim.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5000:TCP"= 5000:TCP:AresChatServer

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [9/3/2008 2:07 PM 9968]
R1 saskutil;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/3/2008 2:07 PM 55024]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [10/21/2008 10:08 PM 210216]
S3 gbalink;GBA Link Driver (gbalink.sys);c:\windows\SYSTEM32\DRIVERS\gbalink.sys [12/26/2003 5:02 PM 19677]
S3 sasenum;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/3/2008 2:07 PM 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-07-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-07-15 c:\windows\Tasks\McDefragTask.job
- c:\windows\system32\defrag.exe [2002-08-29 00:12]

2009-08-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2006-10-16 15:53]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://gamefaqs.com/
uInternet Settings,ProxyServer = http=localhost:8081
uInternet Settings,ProxyOverride = <local>;*.local
IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Refresh Pa&ge with Full Quality - c:\program files\EarthLink TotalAccess\Accelerator\\pac-page.html
IE: Refresh Pi&cture with Full Quality - c:\program files\EarthLink TotalAccess\Accelerator\\pac-image.html
IE: Transfer with Image Converter 2 - c:\program files\Sony\Image Converter 2\menu.htm
Trusted Zone: internet
Trusted Zone: mcafee.com
FF - ProfilePath - c:\documents and settings\Peter Jones\Application Data\Mozilla\Firefox\Profiles\iyc8o7ef.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=&query=
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: browser.startup.homepage - hxxp://www.gamefaqs.com/index.html
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=&query=
FF - component: c:\documents and settings\Peter Jones\Application Data\Mozilla\Firefox\Profiles\iyc8o7ef.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
FF - component: c:\documents and settings\Peter Jones\Application Data\Mozilla\Firefox\Profiles\iyc8o7ef.default\extensions\{a6e4a4eb-d169-4e99-8988-250fcbafe767}\components\FFExternalAlert.dll
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\documents and settings\Peter Jones\Application Data\Mozilla\Firefox\Profiles\iyc8o7ef.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-01 01:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1578028135-652977769-4156948645-1007\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1578028135-652977769-4156948645-1007\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:d7,93,35,f7,aa,8e,61,c5,78,a6,47,05,8c,a4,61,dd,0a,7e,f1,ce,7c,d8,71,
7c,ed,19,3d,d7,6e,e3,c6,ce,41,7a,74,c1,9d,ac,81,16,2e,90,31,8e,b6,4d,ed,ec,\
"??"=hex:18,c2,17,8b,87,7e,0a,83,72,86,d2,c2,2b,34,7a,fc
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(544)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2596)
c:\windows\system32\WININET.dll
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\Common Files\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\program files\McAfee\VirusScan\Mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\MPF\MpfSrv.exe
c:\windows\SYSTEM32\nvsvc32.exe
c:\windows\SYSTEM32\PnkBstrA.exe
c:\windows\wanmpsvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\SYSTEM32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-08-01 1:37 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-01 05:37
ComboFix2.txt 2009-07-31 21:45

Pre-Run: 30,807,232,512 bytes free
Post-Run: 30,769,315,840 bytes free

259 --- E O F --- 2009-07-31 07:00

No message box showed up after CF ran, so I checked C:\QooBox\Quarantine\[4]-Submit_date@time.zip, but there was nothing there, so I could not submit the file.

--------

Here is the ESET log:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.5889
# api_version=3.0.2
# EOSSerial=517c8409e1bfd24f8c3ae45ec82fbd60
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2009-08-01 07:46:37
# local_time=2009-08-01 03:46:37 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=5121 37 100 88 105026096562500
# scanned=164984
# found=7
# cleaned=0
# scan_time=6195
C:\Documents and Settings\Peter Jones\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.11240 Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Documents and Settings\Peter Jones\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.17330 Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Documents and Settings\Peter Jones\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.18778 Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Documents and Settings\Peter Jones\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.24684 Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Documents and Settings\Peter Jones\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.31030 Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\vsfocevtleeqtj.dll.vir Win32/Olmarik.JU trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1996\A0829158.exe Win32/Toolbar.AskSBar application 00000000000000000000000000000000 I

--------

I also uninstalled the programs you asked and updated my Java.
I ran McAfee again, and NTOSKRNL was not detected! :)
REfan001 is offline  
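Added worked example (an editor's addition, not code from the thread or from ESET): a Python triage script for an ESET Online Scanner log like the one posted above. The seven hits look alarming, but six are copies already sitting in another tool's quarantine (five in Malwarebytes' Quarantine folder, one in ComboFix's Qoobox) and the seventh is inside a System Restore snapshot; none is a file in a live location, which is the point the next reply makes. The one hit that is not adware, vsfocevtleeqtj.dll.vir under Qoobox\Quarantine\C\WINDOWS\SYSTEM32, carries ESET's Win32/Olmarik name (ESET's name for the TDSS/TDL rootkit family), consistent with the NTOSKRNL-HOOK rootkit detection that started the thread; ComboFix had already moved it out of system32. The script parses the `# key=value` header lines and the detection lines, classifies each hit by where it lives, and cross-checks the parsed count against the log's own `found=` value. The sample log is constructed from the lines posted in this thread; because the forum copy separates columns with spaces and the paths themselves contain spaces, the parser anchors on the 32-hex-digit column and reads the trailing fields from the right rather than relying on a delimiter. The single live-location line is hypothetical and exists only to exercise that branch, and the path markers used to recognise quarantine folders are assumptions taken from the paths in this log.

```python
import re
from collections import defaultdict

# Constructed sample built from the ESET Online Scanner log posted in this
# thread: two of its header lines plus the seven detections.
SAMPLE_LOG = r"""
# found=7
# cleaned=0
C:\Documents and Settings\Peter Jones\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.11240 Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Documents and Settings\Peter Jones\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.17330 Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Documents and Settings\Peter Jones\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.18778 Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Documents and Settings\Peter Jones\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.24684 Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Documents and Settings\Peter Jones\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.31030 Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\vsfocevtleeqtj.dll.vir Win32/Olmarik.JU trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1996\A0829158.exe Win32/Toolbar.AskSBar application 00000000000000000000000000000000 I
"""

# Hypothetical detection (NOT from the thread) of a file in a live location,
# used only to exercise the "live" branch of the classifier.
HYPOTHETICAL_LIVE_LINE = (
    r"C:\WINDOWS\system32\example-live-hit.dll Win32/Olmarik.JU trojan "
    "00000000000000000000000000000000 I"
)

HEADER = re.compile(r"^#\s*(?P<key>[^=]+)=(?P<value>.*)$")
# Path may contain spaces, so match the fixed-width hash column and the
# tokens around it from the right; the non-greedy path absorbs the rest.
DETECTION = re.compile(
    r"^(?P<path>.+?)\s+(?P<threat>\S+)\s+(?P<kind>\S+)\s+"
    r"(?P<hash>[0-9A-Fa-f]{32})\s+(?P<flag>\S+)\s*$"
)


def classify(path: str) -> str:
    """Where does the hit live? Copies inside another tool's quarantine or a
    System Restore snapshot are inert; only 'live' hits need action.
    The markers are assumptions taken from the paths in this thread's log."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore-point"
    if "\\quarantine\\" in p or "\\qoobox\\" in p:
        return "quarantined"
    return "live"


def parse_eset_log(text: str) -> tuple:
    """Return (header metadata dict, list of detection records)."""
    meta, hits = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        h = HEADER.match(line)
        if h:
            meta[h["key"].strip()] = h["value"].strip()
            continue
        d = DETECTION.match(line)
        if d:
            rec = d.groupdict()
            rec["status"] = classify(rec["path"])
            hits.append(rec)
    return meta, hits


def triage(text: str) -> dict:
    """Group hits by status and sanity-check the count against 'found='."""
    meta, hits = parse_eset_log(text)
    by_status = defaultdict(list)
    for h in hits:
        by_status[h["status"]].append(h)
    declared = meta.get("found")
    consistent = declared is None or int(declared) == len(hits)
    return {"meta": meta, "by_status": dict(by_status),
            "count_consistent": consistent}


def actionable(text: str) -> list:
    """Paths that are on the live system and still need cleaning."""
    return [h["path"] for h in parse_eset_log(text)[1] if h["status"] == "live"]


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for status, recs in sorted(result["by_status"].items()):
        print(f"{status}: {len(recs)}")
        for r in recs:
            print(f"  {r['threat']:<32} {r['path']}")
    print("live hits needing action:", actionable(SAMPLE_LOG))
```

Run it with python3 and it prints one line per status group; the list from actionable() is what you would actually hand back to the helper. Status here is purely about location, so anything that does land in a live path still needs a second opinion before deleting it.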
Old 08-01-2009, 11:56 AM   #6 (permalink)
Analyst, Security Team
 
 
Join Date: Apr 2008
Location: Tokyo, JP
Posts: 1,476
OS: Vista, Linux Mint


Re: NTOSKRNL-HOOK Trojan Please Help!

hi.

ESET flagged some files in Malwarebytes. Actually, they are already in quarantine, so they are harmless.

Let's purge the MBAM quarantine folder. Open your Malwarebytes.
Go to the Quarantine tab, then choose Delete All.

Qoobox is our tool's quarantine folder. Those in the System Restore point will be removed later in the thread.

-----------------------------------------------------------------------
Looks like Ad-Aware is resurrecting the registry entries we deleted. We need to turn it off.

How to turn off Ad-Watch in Ad-Aware Anniversary Edition (and Pro version)
  1. Start Ad-Aware
  2. Click the Ad-Watch tab
  3. Click the Settings button
  4. Ensure all highlighted options below are unchecked (some settings may be used or changed only in the Pro version):

    Under the General tab
    • Processes Protection
    • Registry Protection
    • Network Protection
    Under the Detection Layers tab:
    • Spyware heuristics
    • AntiVirus engine
  5. OK your way out, and close the main Ad-Aware window.
  6. Shut down Ad-Aware and Ad-Watch Live! by right clicking on the system tray icon, and selecting Exit Ad-Aware.
  7. OK the change.

*For some reason, it will prompt you that there are changes to the registry during the course of our fix. Just allow it.

------------------------------------------------------------------------

Copy and paste the following text into Notepad:

Quote:
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"E6TaskPanel"=-
"Sonic RecordNow!"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VSOCheckTask"=-
"VirusScan Online"=-
"HP Software Update"=-
"Propel Accelerator"=-
"MSVersion"=-
"SunJavaUpdateSched"=-
"P3p4chk"=-
"Free Skip"=-
"MMTray"=-
"Windows AdTools"=-
"MPFExe"=-
"mmtask"=-
"updater"=-
"Host"=-
Save this as "fixme.reg". Choose to save as *all files* and place it on your Desktop.
Double-click fixme.reg

-------------------------------------------------------------------------

Disable any script blocker, then double-click dds.scr to run the tool.
  • When done, DDS.txt will open.
  • Click Yes at the next prompt for Optional Scan.
  • Save both reports to your desktop.
Please post the content of DDS.txt and attach attach.txt in your next reply.


Mark
mas_pogi is offline  
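Added worked example (an editor's addition, not the forum's or ComboFix's own code): a Python script that derives a fixme.reg like the one above from the "Reg Loading Points" section of a ComboFix log. Every value the script above deletes is one that ComboFix lists in an HKCU or HKLM ...\Run key with a [BU] tag in place of the [date size] tag it prints for entries whose file it located, and every such [BU] Run entry appears in the script. The generator reproduces that rule: it walks the section, keeps only keys ending in \Run, collects the value names tagged [BU], and emits REGEDIT4 text in which `"name"=-` tells regedit to delete that value rather than set it. The sample is a constructed excerpt of the ComboFix log posted earlier in this thread (one non-Run key is included to show it is skipped). Treating [BU] as "delete this" is an inference from this thread, not a documented ComboFix semantic, so the output is a draft to compare against the helper's list, not something to import blindly.

```python
import re

# Constructed excerpt of the "Reg Loading Points" section of the ComboFix log
# posted in this thread. Entries with a [date size] tag point at a file
# ComboFix found; the [BU]-tagged ones are what the thread's fixme.reg removes.
SAMPLE_REG_SECTION = r"""
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\System32\ctfmon.exe" [2008-04-14 15360]
"E6TaskPanel"="c:\program files\EarthLink TotalAccess\TaskPanl.exe" [BU]
"Sonic RecordNow!"="" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2008-05-16 13529088]
"VSOCheckTask"="c:\progra~1\mcafee.com\vso\mcmnhdlr.exe" [BU]
"VirusScan Online"="c:\progra~1\mcafee.com\vso\mcvsshld.exe" [BU]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [BU]
"Propel Accelerator"="c:\program files\EarthLink TotalAccess\Accelerator\PropelAC.exe" [BU]
"MSVersion"="c:\windows\System32\internetfeatures.exe" [BU]
"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_03\bin\jusched.exe" [BU]
"P3p4chk"="c:\windows\system32\p3p4chk.exe" [BU]
"Free Skip"="c:\progra~1\Dogsaveacid\fork plus.exe" [BU]
"MMTray"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [BU]
"Windows AdTools"="c:\program files\Windows AdTools\WinAdTools.exe" [BU]
"MPFExe"="c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe" [BU]
"mmtask"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [BU]
"MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2009-01-09 645328]
"updater"="c:\program files\Common files\updater\wupdater.exe" [BU]
"BCMSMMSG"="BCMSMMSG.exe" - c:\windows\BCMSMMSG.exe [2003-08-29 122880]
"Host"="" [BU]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
"""

KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"=(?P<rest>.*)$')
BU_TAG = "[BU]"


def find_bu_run_entries(section: str) -> dict:
    """Map each ...\Run key (as written in the log) to the value names that
    ComboFix tagged [BU]. Keys that are not Run keys are ignored, which is
    why the ShellExecuteHooks entry in the sample never shows up."""
    tagged, key = {}, None
    for raw in section.splitlines():
        line = raw.strip()
        k = KEY_LINE.match(line)
        if k:
            key = k["key"]
            continue
        v = VALUE_LINE.match(line)
        if not (v and key and key.lower().endswith("\\run")):
            continue
        if v["rest"].rstrip().endswith(BU_TAG):
            tagged.setdefault(key, []).append(v["name"])
    return tagged


def build_reg_script(tagged: dict) -> str:
    """Emit REGEDIT4 text. A line of the form "name"=- deletes that value
    when the file is imported; the key itself is left in place."""
    out = ["REGEDIT4", ""]
    for key, names in tagged.items():
        out.append(f"[{key}]")
        out.extend(f'"{name}"=-' for name in names)
        out.append("")
    return "\r\n".join(out)  # .reg files conventionally use CRLF line endings


def write_reg_file(path: str, tagged: dict) -> None:
    """Write the script as ANSI text without newline translation."""
    with open(path, "w", encoding="cp1252", newline="") as fh:
        fh.write(build_reg_script(tagged))


if __name__ == "__main__":
    print(build_reg_script(find_bu_run_entries(SAMPLE_REG_SECTION)))
```

Importing the generated file produces only a confirmation prompt; the values are simply gone afterwards, so nothing visible happens, which is exactly what the later replies in this thread describe. Two caveats the thread itself supplies: do the import with Ad-Watch's registry protection turned off, or the deleted values come straight back, and compare the generated text to the helper's fixme.reg before importing it. Value names are taken verbatim from the log, including the trailing "!" in Sonic RecordNow!, because a deletion line must match the stored name exactly.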
Old 08-01-2009, 12:52 PM   #7 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 11
OS: Windows XP SP3


Re: NTOSKRNL-HOOK Trojan Please Help!

Quote:
Originally Posted by mas_pogi View Post
Looks like ad-aware is resurrecting the registry we deleted. We need to turn it off.

How to turn off Ad-Watch in Ad-Aware Anniversary Edition (and Pro version)
  1. Start Ad-Aware
  2. Click the Ad-Watch tab
  3. Click the Settings button
  4. Ensure all highlighted options below are unchecked (some settings may be used or changed only in the Pro version):

    Under the General tab
    • Processes Protection
    • Registry Protection
    • Network Protection
    Under the Detection Layers tab:
    • Spyware heuristics
    • AntiVirus engine
  5. OK your way out, and close the main Ad-Aware window.
  6. Shut down Ad-Aware and Ad-Watch Live! by right clicking on the system tray icon, and selecting Exit Ad-Aware.
  7. OK the change.

*For some reason, it will prompt you that there are changes to the registry during the course of our fix. Just allow it.

------------------------------------------------------------------------

Copy and paste the following text into Notepad:



Save this as "fixme.reg". Choose to save as *all files* and place it on your Desktop.
Double-click fixme.reg

-------------------------------------------------------------------------

Disable any script blocker, then double-click dds.scr to run the tool.
  • When done, DDS.txt will open.
  • Click Yes at the next prompt for Optional Scan.
  • Save both reports to your desktop.
Please post the content of DDS.txt and attach attach.txt in your next reply.


Mark
OK, uhhhh, I have Ad-Aware 6.0, so all those directions are completely different for me. Also, what is this stuff we are fixing in the registry?
REfan001 is offline  
Old 08-01-2009, 07:06 PM   #8 (permalink)
Analyst, Security Team
 
 
Join Date: Apr 2008
Location: Tokyo, JP
Posts: 1,476
OS: Vista, Linux Mint


Re: NTOSKRNL-HOOK Trojan Please Help!

hi.

Please try this one.

AD-AWARE AD-WATCH (Ad-aware 6)
  1. Start Ad-Aware
  2. Click on Settings (the gear-looking icon at the upper part of Ad-Aware).
  3. Under Ad-Watch Settings, uncheck every item.
    • Lock startup section in registry.
    • Block possible browser hijack attempt
    • Block suspicious processes
    • Lock executable file association
  4. Click on Proceed, and close the main Ad-Aware window.
  5. Shut down Ad-Aware and Ad-Watch Live! by right clicking on the system tray icon, and selecting Exit Ad-Aware.
  6. OK the change.

*Note: for whatever reason, Ad-Aware will block the registry changes during fixes. Just OK it.

Then proceed with registry fix.

Quote:
Also, what is this stuff we are fixing in the registry?
These are the keys that were already deleted and were resurrected again by Ad-Aware.

Ad-Aware 6 is already old. You might consider updating to a newer version.

Mark
mas_pogi is offline  
Old 08-01-2009, 08:28 PM   #9 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 11
OS: Windows XP SP3


Re: NTOSKRNL-HOOK Trojan Please Help!

OK, I double-clicked fixme.reg and all it did was ask me if I wanted to add fixme.reg to the registry, and then nothing happened.
REfan001 is offline  
Old 08-01-2009, 08:32 PM   #10 (permalink)
Analyst, Security Team
 
 
Join Date: Apr 2008
Location: Tokyo, JP
Posts: 1,476
OS: Vista, Linux Mint


Re: NTOSKRNL-HOOK Trojan Please Help!

hi.

That's normal.

Please continue with the rest of my instruction.

Mark
mas_pogi is offline  
Old 08-01-2009, 09:37 PM   #11 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 11
OS: Windows XP SP3


Re: NTOSKRNL-HOOK Trojan Please Help!

Quote:
Originally Posted by mas_pogi View Post
hi.

That's normal.

Please continue with the rest of my instruction.

Mark
OK, so I click Yes to add it to the registry, then where do I find dds.scr?
REfan001 is offline  
Old 08-01-2009, 09:42 PM   #12 (permalink)
Analyst, Security Team
 
 
Join Date: Apr 2008
Location: Tokyo, JP
Posts: 1,476
OS: Vista, Linux Mint


Re: NTOSKRNL-HOOK Trojan Please Help!

hi.

Please download DDS and save it to your desktop.
Disable any script blocker, then double-click dds.scr to run the tool.
  • When done, DDS.txt will open.
  • Click Yes at the next prompt for Optional Scan.
  • Save both reports to your desktop.
Please post the content of DDS.txt and attach attach.txt in your next reply.

Mark
mas_pogi is offline  
Old 08-01-2009, 10:02 PM   #13 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 11
OS: Windows XP SP3


Re: NTOSKRNL-HOOK Trojan Please Help!

Sorry, my bad, here are the two logs:
Attached Files
File Type: txt attach.txt (18.6 KB, 0 views)
File Type: txt dds.txt (13.5 KB, 0 views)

Last edited by REfan001; 08-01-2009 at 10:09 PM.
REfan001 is offline  
Old 08-01-2009, 10:14 PM   #14 (permalink)
Analyst, Security Team
 
 
Join Date: Apr 2008
Location: Tokyo, JP
Posts: 1,476
OS: Vista, Linux Mint


Re: NTOSKRNL-HOOK Trojan Please Help!

hi

Congratulations! You now appear clean!

We Need to Clean Up Our Mess
  1. Uninstall ComboFix
    Remove Combofix now that we're done with it.
    • Click on your Start Menu, then Run....
    • Now copy and paste this into the Run box, then hit Enter.

      Code:
      ComboFix /u


    Uninstalling ComboFix will do the following:
    1. Delete ComboFix and its components from your computer.
    2. Delete other tools commonly used during the malware removal process.
    3. Resets clock settings to standard format.
    4. Re-hides file extensions and hidden/system files.
    5. Clears System Restore cache and creates new restore point.

  2. Please also delete the DDS.scr located at your desktop.
  3. Please also delete the fixme.reg located at your desktop.
-----------------------------------------------
Recommendations
Below are some recommendations to lower your chances of (re)infection.
  1. Install Spyware Blaster and update it regularly
    If you wish, the commercial version provides automatic updating.

  2. Install the MVPs hosts file, and update it regularly
    You can use the HostMan hosts file manager to do this automatically if you wish.
    For more information on the hosts file, and what it can do for you, you can view the Tutorial on the Hosts file

  3. Install an Anti-Spyware program, and update it regularly
    Malwarebytes' Anti-Malware is an excellent anti-spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
    SUPERAntiSpyware is another good scanner with high detection and removal rates.
    Both programs are free for non-commercial home use; the paid versions provide a resident scanner and do not nag.

  4. Keep Windows (and your other Microsoft software) up to date!
    I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

    Visit the Microsoft Update Website and follow the on-screen instructions to set up Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

  5. Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software Inspector occasionally to help you check for out-of-date software on your machine.

  6. Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :(.

Please respond to this thread one more time so we can mark this thread as resolved.

Don't forget to enable your security applications.

Maraming salamat.

Mark
__________________
To accomplish great things, we must not only act, but also dream; not only plan, but also believe.
If I have been helping you and do not reply within 24 hours, please send me a message.
I'm a member of U.N.I.T.E and A.S.A.P
Old 08-01-2009, 10:22 PM   #15 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 11
OS: Windows XP SP3


Re: NTOSKRNL-HOOK Trojan Please Help!

thanks a lot man, you've been a big help
Old 08-01-2009, 11:37 PM   #16 (permalink)
Analyst, Security Team
 
mas_pogi's Avatar
 
Join Date: Apr 2008
Location: Tokyo, JP
Posts: 1,476
OS: Vista, Linux Mint


Re: NTOSKRNL-HOOK Trojan Please Help!

hi.

It is a pleasure to help you.

Surf safely.

Since the problem appears to be resolved, it will now be archived.



Mark
__________________
To accomplish great things, we must not only act, but also dream; not only plan, but also believe.
If I have been helping you and do not reply within 24 hours, please send me a message.
I'm a member of U.N.I.T.E and A.S.A.P
Copyright 2001 - 2009, Tech Support Forum