Lingering bugs from Windows Antivirus Pro and Police Pro


Re: Lingering bugs from Windows Antivirus Pro and Police Pro

Post by jness80537 on 7th September 2009, 9:40 pm

Yes, the last time I ran the scan it only found 2, and that was yesterday. I don't think McAfee can find it, but I will try again.

jness80537
Novice
Posts : 48
Joined : 2009-08-27
Gender : Female
OS : Vista
Points : 26673
# Likes : 0

Re: Lingering bugs from Windows Antivirus Pro and Police Pro

Post by jness80537 on 7th September 2009, 9:45 pm

I think if I could figure out how to run Malwarebytes, it would help. Is there a backdoor way to get it to run?
I have tried uninstalling it, installing it, renaming it, saving it on a flash drive and then sending it to the desktop to install. This morning I put the installer in the Startup folder hoping it would start and run upon startup; no such luck.
As of today, in order to open anything, I have to right-click and run as administrator. I still can't get into my Security Center; it is saying a DLL file is missing. Malwarebytes crashes before it even starts.

The only good thing is I'm not getting any more fake security alerts and the porn sites have not popped up yet, but it is still early.
I'm going to try and run HijackThis, and if it works I will post the log here.


Re: Lingering bugs from Windows Antivirus Pro and Police Pro

Post by jness80537 on 7th September 2009, 9:52 pm

These are the ones I have questions about:
O2 BHO (no name)
O2 BHO Browser Address Error Redirector
O13 Gopher Prefix
O23 PrismXL



Re: Lingering bugs from Windows Antivirus Pro and Police Pro

Post by Belahzur on 7th September 2009, 11:13 pm

Hello.
I can barely read that. Please turn Word Wrap off.

See this image:


Post a new log with Word Wrap off.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245101
# Likes : 1

Re: Lingering bugs from Windows Antivirus Pro and Police Pro

Post by jness80537 on 7th September 2009, 11:23 pm

These are the ones I have questions about:
O2 BHO (no name)
O2 BHO Browser Address Error Redirector
O13 Gopher Prefix
O23 PrismXL

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:45:31 PM, on 9/7/2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16890)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\wermgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Suggest - {5A263CF7-56A6-4D68-A8CF-345BE45BC911} - C:\Program Files\Yahoo!\Search\YSearchSuggest.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (Gaming)2 - {971F630E-AD68-4d6e-B0C3-1C627AAC80F1} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Big Fish Games Toolbar - {C7C9FC25-88B0-4682-9C9F-2608E9117647} - C:\Program Files\BfgBar\bfg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: Big Fish Games Toolbar - {C7C9FC25-88B0-4682-9C9F-2608E9117647} - C:\Program Files\BfgBar\bfg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NielsenOnline] C:\Program Files\NetRatingsNetSight\NetSight\NielsenOnline.exe
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [B40750EF1C79949C] \\?\globalroot\systemroot\system32\B40750EF1C79949C.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [DesktopIconToy] C:\Program Files\Desktop Icon Toy\DesktopIconToy.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [Exetender] "C:\Program Files\Free Ride Games\GPlayer.exe /runonstartup" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Exetender] "C:\Program Files\Free Ride Games\GPlayer.exe /runonstartup" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Exetender] "C:\Program Files\Free Ride Games\GPlayer.exe /runonstartup" (User 'Default user')
O4 - Startup: mbam-setup.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &Windows Live Search - [You must be registered and logged in to see this link.] Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O15 - Trusted Zone: [You must be registered and logged in to see this link.]
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {15589FA1-C456-11CE-BF01-000000000000} - [You must be registered and logged in to see this link.]
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - [You must be registered and logged in to see this link.]
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - [You must be registered and logged in to see this link.]
O16 - DPF: {42FDC231-A411-45F8-B8B6-3B5026111DA8} (SolitaireRush Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} (Bejeweled Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -
O16 - DPF: {6B9A6E3B-0307-47A7-82B1-F2D215973CAF} (QuickBooks Online Edition Import Utilities Class v6) - [You must be registered and logged in to see this link.]
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} (QuickBooks Online Edition Utilities Class v10) - [You must be registered and logged in to see this link.]
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - [You must be registered and logged in to see this link.]
O16 - DPF: {A021A215-6CDC-44B4-8C16-90491CED9605} (Clue Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - [You must be registered and logged in to see this link.]
O16 - DPF: {C82BB209-F528-46F9-96D5-69DEF7260916} (MysteryPI Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - [You must be registered and logged in to see this link.]
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - [You must be registered and logged in to see this link.]
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: ASKUpgrade - Unknown owner - C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\eMachines Games\eMachines Game Console\GameConsoleService.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: iWinTrusted - iWin Inc. - C:\Program Files\iWin Games\iWinTrusted.exe
O23 - Service: Lavasoft Ad-Aware Service - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (file missing)
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 14648 bytes


Re: Lingering bugs from Windows Antivirus Pro and Police Pro

Post by Belahzur on 7th September 2009, 11:30 pm

Hello.

02 BHO (no name)
02 BHO Browser address error redirector

Both of them are empty items within the registry; you can fix them.

013 Gopher prefix

It is part of Vista; you can't remove it anyhow, it just re-appears.

023 PrismXL

This one is more interesting. If you look at the line in HJT, you can see the company name. Their website here:
[You must be registered and logged in to see this link.]


  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (Gaming)2 - {971F630E-AD68-4d6e-B0C3-1C627AAC80F1} - (no file)
    O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - (no file)


  • Press "Fix Checked"
  • Close Hijack This.

Next,

  • Click Start >> Control Panel.
  • Under the Programs click Uninstall a Program
  • Highlight Ask Toolbar
  • Click on the Uninstall/Change button at the top.

Did you run MBAM? if so, please post the log.

If not, please try running it now.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Re: Lingering bugs from Windows Antivirus Pro and Police Pro

Post by jness80537 on 7th September 2009, 11:39 pm

OK, did what you said, and I can't run MBAM; it crashes and says this:

Problem signature:
Problem Event Name: APPCRASH
Application Name: mbam.exe
Application Version: 1.40.0.0
Application Timestamp: 4a74a456
Fault Module Name: mbam.exe
Fault Module Version: 1.40.0.0
Fault Module Timestamp: 4a74a456
Exception Code: 80000003
Exception Offset: 00002fd0
OS Version: 6.0.6000.2.0.0.768.3
Locale ID: 1033
Additional Information 1: 62f3
Additional Information 2: c9d4c40a680b669dba468f72ec73b8fc
Additional Information 3: cd57
Additional Information 4: edd70c8330e9977f731b260694264aae

I have tried different ways to try and get it to run, and it does not work. I've also tried to run the Kaspersky and ESET scanners and they don't work either.


Re: Lingering bugs from Windows Antivirus Pro and Police Pro

Post by Belahzur on 8th September 2009, 1:20 am

Download the GMER rootkit scan from here: [You must be registered and logged in to see this link.]

  1. Unzip it and start GMER.
  2. Click the >>> tab and then click the Scan button.
  3. Once done, click the Copy button.
  4. This will copy the results to your clipboard.
  5. Paste the results in your next reply.
Note:
If you're having problems with running GMER.exe, try it in safe mode. This tool works in safe mode.
You can also try renaming it since some malware blocks GMER.





Re: Lingering bugs from Windows Antivirus Pro and Police Pro

Post by jness80537 on 8th September 2009, 2:49 am

OK, let's see if this works. I can't post the log, but maybe this will post.


Re: Lingering bugs from Windows Antivirus Pro and Police Pro

Post by jness80537 on 8th September 2009, 2:51 am

GMER 1.0.15.15077 [r202sxgy.exe] - [You must be registered and logged in to see this link.]
Rootkit scan 2009-09-07 20:29:05
Windows 6.0.6000


---- System - GMER 1.0.15 ----

Code 84D41838 ZwEnumerateKey
Code 84D5BF98 ZwFlushInstructionCache
Code 84A70D25 IofCallDriver
Code 84D5D3D6 IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCallDriver 82427F37 5 Bytes JMP 84A70D2A
.text ntkrnlpa.exe!IofCompleteRequest 82427FA4 5 Bytes JMP 84D5D3DB
PAGE ntkrnlpa.exe!ZwEnumerateKey 82537F06 5 Bytes JMP 84D4183C
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 825E849F 5 Bytes JMP 84D5BF9C
? C:\Windows\System32\Drivers\sptd.sys The process cannot access the file because it is being used by another process.
.text USBPORT.SYS!DllUnload 86882ACF 5 Bytes JMP 84A70550
? System32\Drivers\an7gmgeg.SYS The system cannot find the path specified. !

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [8072B604] \SystemRoot\System32\Drivers\sptd.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [8072AABA] \SystemRoot\System32\Drivers\sptd.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [8072B72E] \SystemRoot\System32\Drivers\sptd.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUshort] [8072AB82] \SystemRoot\System32\Drivers\sptd.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [8072AC00] \SystemRoot\System32\Drivers\sptd.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [8073DA9A] \SystemRoot\System32\Drivers\sptd.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 83F661D8
Device \FileSystem\fastfat \FatCdrom 84E411D8
Device \Driver\volmgr \Device\VolMgrControl 83B441D8
Device \Driver\00000457 \Device\00000050 sptd.sys
Device \Driver\usbuhci \Device\USBPDO-0 84A721D8
Device \Driver\usbuhci \Device\USBPDO-1 84A721D8
Device \Driver\usbuhci \Device\USBPDO-2 84A721D8
Device \Driver\usbuhci \Device\USBPDO-3 84A721D8
Device \Driver\usbehci \Device\USBPDO-4 84A75980
Device \Driver\volmgr \Device\HarddiskVolume1 83B441D8
Device \Driver\volmgr \Device\HarddiskVolume2 83B441D8
Device \Driver\volmgr \Device\HarddiskVolume3 83B441D8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 83F651D8
Device \Driver\atapi \Device\Ide\IdePort0 83F651D8
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-4 83F651D8
Device \Driver\atapi \Device\Ide\IdePort1 83F651D8
Device \Driver\atapi \Device\Ide\IdePort2 83F651D8
Device \Driver\atapi \Device\Ide\IdePort3 83F651D8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-1 83F651D8
Device \Driver\USBSTOR \Device\00000066 84D611D8
Device \Driver\volmgr \Device\HarddiskVolume4 83B441D8
Device \Driver\USBSTOR \Device\00000067 84D611D8
Device \Driver\USBSTOR \Device\00000069 84D611D8
Device \Driver\USBSTOR \Device\0000006a 84D611D8
Device \Driver\USBSTOR \Device\0000006b 84D611D8
Device \Driver\usbuhci \Device\USBFDO-0 84A721D8
Device \Driver\USBSTOR \Device\0000006c 84D611D8
Device \Driver\USBSTOR \Device\0000006d 84D611D8
Device \Driver\usbuhci \Device\USBFDO-1 84A721D8
Device \Driver\usbuhci \Device\USBFDO-2 84A721D8
Device \Driver\usbuhci \Device\USBFDO-3 84A721D8
Device \Driver\usbehci \Device\USBFDO-4 84A75980
Device \Driver\VClone \Device\Scsi\VClone1 83F641D8
Device \Driver\VClone \Device\Scsi\VClone1Port0Path0Target0Lun0 83F641D8
Device \Driver\an7gmgeg \Device\Scsi\an7gmgeg1 84BB4880
Device \FileSystem\fastfat \Fat 84E411D8

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\UACvqjkckrcao.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [736] 0x10000000
Library \\?\globalroot\systemroot\system32\UACvqjkckrcao.dll (*** hidden *** ) @ C:\Windows\System32\svchost.exe [828] 0x10000000
Library \\?\globalroot\systemroot\system32\UACvqjkckrcao.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [856] 0x10000000
Library \\?\globalroot\systemroot\system32\UACvqjkckrcao.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [908] 0x10000000

---- Services - GMER 1.0.15 ----

Service C:\Windows\system32\drivers\kbiwkmycwrtlmj.sys (*** hidden *** ) [SYSTEM] kbiwkmcxvdnpgy <-- ROOTKIT !!!
Service C:\Windows\system32\drivers\kbiwkmpdljgpcy.sys (*** hidden *** ) [SYSTEM] kbiwkmvpsbcrra <-- ROOTKIT !!!
Service C:\Windows\system32\drivers\UACpxbaewqipu.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!


Re: Lingering bugs from Windows Antivirus Pro and Police Pro

Post by jness80537 on 8th September 2009, 2:55 am

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\kbiwkmcxvdnpgy@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\kbiwkmcxvdnpgy@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\kbiwkmcxvdnpgy@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\kbiwkmcxvdnpgy@imagepath \systemroot\system32\drivers\kbiwkmycwrtlmj.sys
Reg HKLM\SYSTEM\ControlSet001\Services\kbiwkmcxvdnpgy\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\kbiwkmcxvdnpgy\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\kbiwkmcxvdnpgy\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\kbiwkmcxvdnpgy\modules@kbiwkmrk.sys \systemroot\system32\drivers\kbiwkmycwrtlmj.sys
Reg HKLM\SYSTEM\ControlSet001\Services\kbiwkmcxvdnpgy\modules@kbiwkmcmd.dll \systemroot\system32\kbiwkmfrofusnf.dll
Reg HKLM\SYSTEM\ControlSet001\Services\kbiwkmvpsbcrra@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\kbiwkmvpsbcrra@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\kbiwkmvpsbcrra@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\kbiwkmvpsbcrra@imagepath \systemroot\system32\drivers\kbiwkmpdljgpcy.sys
Reg HKLM\SYSTEM\ControlSet001\Services\kbiwkmvpsbcrra\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\kbiwkmvpsbcrra\main@aid 10081
Reg HKLM\SYSTEM\ControlSet001\Services\kbiwkmvpsbcrra\main@sid 0
Reg HKLM\SYSTEM\ControlSet001\Services\kbiwkmvpsbcrra\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet001\Services\kbiwkmvpsbcrra\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\kbiwkmvpsbcrra\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\kbiwkmvpsbcrra\main\injector@* kbiwkmwsp.dll
Reg HKLM\SYSTEM\ControlSet001\Services\kbiwkmvpsbcrra\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\kbiwkmvpsbcrra\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\kbiwkmvpsbcrra\modules@kbiwkmrk.sys \systemroot\system32\drivers\kbiwkmpdljgpcy.sys
Reg HKLM\SYSTEM\ControlSet001\Services\kbiwkmvpsbcrra\modules@kbiwkmcmd.dll \systemroot\system32\kbiwkmswcpxxdk.dll
Reg HKLM\SYSTEM\ControlSet001\Services\kbiwkmvpsbcrra\modules@kbiwkmlog.dat \systemroot\system32\kbiwkmwysdngkk.dat
Reg HKLM\SYSTEM\ControlSet001\Services\kbiwkmvpsbcrra\modules@kbiwkmwsp.dll \systemroot\system32\kbiwkmcvvcdrid.dll
Reg HKLM\SYSTEM\ControlSet001\Services\kbiwkmvpsbcrra\modules@kbiwkm.dat \systemroot\system32\kbiwkmjamyrajd.dat
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xAD 0xD8 0x9A 0x41 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x13 0x8E 0xAF 0x7F ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0xB5 0xDE 0xAF 0xE8 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmcxvdnpgy@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmcxvdnpgy@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmcxvdnpgy@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmcxvdnpgy@imagepath \systemroot\system32\drivers\kbiwkmycwrtlmj.sys


Re: Lingering bugs from Windows Antivirus Pro and Police Pro

Post by jness80537 on 8th September 2009, 2:58 am

Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmcxvdnpgy\main
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmcxvdnpgy\main\injector
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmcxvdnpgy\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmcxvdnpgy\modules@kbiwkmrk.sys \systemroot\system32\drivers\kbiwkmycwrtlmj.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmcxvdnpgy\modules@kbiwkmcmd.dll \systemroot\system32\kbiwkmfrofusnf.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmvpsbcrra@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmvpsbcrra@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmvpsbcrra@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmvpsbcrra@imagepath \systemroot\system32\drivers\kbiwkmpdljgpcy.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmvpsbcrra\main
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmvpsbcrra\main@aid 10081
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmvpsbcrra\main@sid 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmvpsbcrra\main@cmddelay 14400
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmvpsbcrra\main\delete
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmvpsbcrra\main\injector
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmvpsbcrra\main\injector@* kbiwkmwsp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmvpsbcrra\main\tasks
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmvpsbcrra\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmvpsbcrra\modules@kbiwkmrk.sys \systemroot\system32\drivers\kbiwkmpdljgpcy.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmvpsbcrra\modules@kbiwkmcmd.dll \systemroot\system32\kbiwkmswcpxxdk.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmvpsbcrra\modules@kbiwkmlog.dat \systemroot\system32\kbiwkmwysdngkk.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmvpsbcrra\modules@kbiwkmwsp.dll \systemroot\system32\kbiwkmcvvcdrid.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmvpsbcrra\modules@kbiwkm.dat \systemroot\system32\kbiwkmjamyrajd.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 -40325308
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 -1539431237
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xAD 0xD8 0x9A 0x41 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x13 0x8E 0xAF 0x7F ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0xB5 0xDE 0xAF 0xE8 ...


Re: Lingering bugs from Windows Antivirus Pro and Police Pro

Post by jness80537 on 8th September 2009, 2:59 am

Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACpxbaewqipu.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACpxbaewqipu.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACwmpfsmvbnv.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACvqjkckrcao.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACvagjoxextr.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacav \\?\globalroot\systemroot\system32\UACppypijkvdw.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACsbcplgasti.dll
Reg HKLM\SYSTEM\ControlSet009\Services\kbiwkmcxvdnpgy@start 1
Reg HKLM\SYSTEM\ControlSet009\Services\kbiwkmcxvdnpgy@type 1
Reg HKLM\SYSTEM\ControlSet009\Services\kbiwkmcxvdnpgy@group file system
Reg HKLM\SYSTEM\ControlSet009\Services\kbiwkmcxvdnpgy@imagepath \systemroot\system32\drivers\kbiwkmycwrtlmj.sys
Reg HKLM\SYSTEM\ControlSet009\Services\kbiwkmcxvdnpgy\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet009\Services\kbiwkmcxvdnpgy\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet009\Services\kbiwkmcxvdnpgy\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet009\Services\kbiwkmcxvdnpgy\modules@kbiwkmrk.sys \systemroot\system32\drivers\kbiwkmycwrtlmj.sys
Reg HKLM\SYSTEM\ControlSet009\Services\kbiwkmcxvdnpgy\modules@kbiwkmcmd.dll \systemroot\system32\kbiwkmfrofusnf.dll
Reg HKLM\SYSTEM\ControlSet009\Services\kbiwkmvpsbcrra@start 1
Reg HKLM\SYSTEM\ControlSet009\Services\kbiwkmvpsbcrra@type 1
Reg HKLM\SYSTEM\ControlSet009\Services\kbiwkmvpsbcrra@group file system
Reg HKLM\SYSTEM\ControlSet009\Services\kbiwkmvpsbcrra@imagepath \systemroot\system32\drivers\kbiwkmpdljgpcy.sys
Reg HKLM\SYSTEM\ControlSet009\Services\kbiwkmvpsbcrra\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet009\Services\kbiwkmvpsbcrra\main@aid 10081
Reg HKLM\SYSTEM\ControlSet009\Services\kbiwkmvpsbcrra\main@sid 0
Reg HKLM\SYSTEM\ControlSet009\Services\kbiwkmvpsbcrra\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet009\Services\kbiwkmvpsbcrra\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet009\Services\kbiwkmvpsbcrra\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet009\Services\kbiwkmvpsbcrra\main\injector@* kbiwkmwsp.dll
Reg HKLM\SYSTEM\ControlSet009\Services\kbiwkmvpsbcrra\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet009\Services\kbiwkmvpsbcrra\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet009\Services\kbiwkmvpsbcrra\modules@kbiwkmrk.sys \systemroot\system32\drivers\kbiwkmpdljgpcy.sys
Reg HKLM\SYSTEM\ControlSet009\Services\kbiwkmvpsbcrra\modules@kbiwkmcmd.dll \systemroot\system32\kbiwkmswcpxxdk.dll
Reg HKLM\SYSTEM\ControlSet009\Services\kbiwkmvpsbcrra\modules@kbiwkmlog.dat \systemroot\system32\kbiwkmwysdngkk.dat
Reg HKLM\SYSTEM\ControlSet009\Services\kbiwkmvpsbcrra\modules@kbiwkmwsp.dll \systemroot\system32\kbiwkmcvvcdrid.dll
Reg HKLM\SYSTEM\ControlSet009\Services\kbiwkmvpsbcrra\modules@kbiwkm.dat \systemroot\system32\kbiwkmjamyrajd.dat


Re: Lingering bugs from Windows Antivirus Pro and Police Pro

Post by jness80537 on 8th September 2009, 2:59 am

Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xAD 0xD8 0x9A 0x41 ...
Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x13 0x8E 0xAF 0x7F ...
Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0xB5 0xDE 0xAF 0xE8 ...
Reg HKLM\SYSTEM\ControlSet009\Services\UACd.sys (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet009\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet009\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet009\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACpxbaewqipu.sys
Reg HKLM\SYSTEM\ControlSet009\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet009\Services\UACd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet009\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACpxbaewqipu.sys
Reg HKLM\SYSTEM\ControlSet009\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACwmpfsmvbnv.dll
Reg HKLM\SYSTEM\ControlSet009\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACvqjkckrcao.dll
Reg HKLM\SYSTEM\ControlSet009\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACvagjoxextr.dat
Reg HKLM\SYSTEM\ControlSet009\Services\UACd.sys\modules@uacav \\?\globalroot\systemroot\system32\UACppypijkvdw.dll
Reg HKLM\SYSTEM\ControlSet009\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACsbcplgasti.dll

---- Files - GMER 1.0.15 ----

File C:\perflogs\System\Diagnostics\20090426-0002\UAC Settings.xml 1571 bytes
File C:\Program Files\Microsoft SQL Server\90\Setup Bootstrap\UACmd.exe 39776 bytes executable
File C:\Users\Specter\AppData\Local\Temp\uac1a26.tmp 49152 bytes executable
File C:\Users\Specter\AppData\Local\Temp\uac2250.tmp 31232 bytes executable
File C:\Users\Specter\AppData\Local\Temp\uac275f.tmp 44032 bytes executable
File C:\Users\Specter\AppData\Local\Temp\uac364d.tmp 53248 bytes executable
File C:\Users\Specter\AppData\Local\Temp\uac3eb6.tmp 2535424 bytes executable
File C:\Users\Specter\AppData\Local\Temp\uac5947.tmp 2005140 bytes
File C:\Users\Specter\AppData\Local\Temp\uac9e23.tmp 3478520 bytes
File C:\Users\Specter\AppData\Local\Temp\nscE67F.tmp\uac.dll 16896 bytes executable
File C:\Users\Specter\AppData\Local\Temp\nsk358F.tmp\uac.dll 16896 bytes executable
File C:\Users\Specter\AppData\Local\Temp\nsu3669.tmp\uac.dll 16896 bytes executable

---- EOF - GMER 1.0.15 ----


Re: Lingering bugs from Windows Antivirus Pro and Police Pro

Post by jness80537 on 8th September 2009, 3:01 am

Geez, that's a long log file. I was having problems posting it because it was so big. I had to do it in parts.
Is this everything that is wrong with my pc, all the malware, or is it a log of everything that got scanned?


Re: Lingering bugs from Windows Antivirus Pro and Police Pro

Post by Belahzur on 8th September 2009, 1:58 pm

1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.]

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C)


Drivers to disable:
kbiwkmcxvdnpgy
kbiwkmvpsbcrra
UACd.sys

Drivers to delete:
kbiwkmcxvdnpgy
kbiwkmvpsbcrra
UACd.sys

Files to delete:
C:\WINDOWS\system32\drivers\kbiwkmycwrtlmj.sys
C:\WINDOWS\system32\drivers\kbiwkmpdljgpcy.sys
C:\WINDOWS\system32\drivers\UACpxbaewqipu.sys

Registry keys to delete:
HKLM\SYSTEM\ControlSet001\Services\kbiwkmcxvdnpgy
HKLM\SYSTEM\ControlSet001\Services\kbiwkmvpsbcrra
HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmcxvdnpgy
HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmvpsbcrra
HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys
HKLM\SYSTEM\ControlSet009\Services\kbiwkmcxvdnpgy
HKLM\SYSTEM\ControlSet009\Services\kbiwkmvpsbcrra
HKLM\SYSTEM\ControlSet009\Services\UACd.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.




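The Avenger script above was written by hand from the GMER log posted earlier: the helper took the services GMER tagged "<-- ROOTKIT", the driver images behind them and the matching Services keys, and left the rest of the log alone. The following Python is an added example that does the same triage by script; it is not code from the thread, from GMER or from The Avenger. It parses GMER's Kernel code sections, Processes, Services and Registry sections, keeps only the ROOTKIT-tagged services (the sptd entries belong to Alcohol 120%, which appears in the HJT log, and are deliberately excluded), maps GMER's kernel-style paths onto Win32 paths, and prints the result under the four headings The Avenger accepts. The system root `C:\Windows` is an assumption taken from the HJT paths, and the embedded sample log is an excerpt of the one posted above.

```python
"""Triage a GMER rootkit-scan log and draft an Avenger-style removal script.

Added example written for this thread; it is not code from GMER, The Avenger
or either poster.  It does by script what the helper above did by eye: walk
GMER's sections, keep only the services GMER itself tagged "<-- ROOTKIT",
collect their driver images, the hidden DLLs injected into processes and the
matching Services keys, and print them under the four headings The Avenger
accepts.  Anything else GMER lists (the sptd entries belong to Alcohol 120%,
present in the HJT log) is left out on purpose: "hidden from a rootkit
scanner" is not the same as "malicious".
"""
import re
from collections import defaultdict

SYSTEMROOT = r"C:\Windows"   # assumption: the HJT log above shows C:\Windows paths

SECTION_RE = re.compile(r"^---- (.+?) - GMER")
SERVICE_RE = re.compile(r"^Service (?P<image>\S+) \(\*\*\* hidden \*\*\* \) "
                        r"\[\w+\] (?P<name>\S+) <-- ROOTKIT")
LIBRARY_RE = re.compile(r"^Library (?P<dll>\S+) \(\*\*\* hidden \*\*\* \) @ "
                        r"(?P<proc>.+?) \[(?P<pid>\d+)\]")
HOOK_RE = re.compile(r"^(?:\.text|PAGE) (?P<module>[\w.]+)!(?P<func>\w+) "
                     r"[0-9A-F]+ \d+ Bytes JMP (?P<target>[0-9A-F]+)")
REG_RE = re.compile(r"^Reg (?P<key>HKLM\\SYSTEM\\(?P<cs>ControlSet\d{3}|CurrentControlSet)"
                    r"\\Services\\(?P<svc>[^\\@\s]+))")

# Excerpt of the log posted above, trimmed to a line or two of each kind.
SAMPLE_LOG = r"""
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!IofCallDriver 82427F37 5 Bytes JMP 84A70D2A
PAGE ntkrnlpa.exe!ZwEnumerateKey 82537F06 5 Bytes JMP 84D4183C
---- Processes - GMER 1.0.15 ----
Library \\?\globalroot\systemroot\system32\UACvqjkckrcao.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [736] 0x10000000
---- Services - GMER 1.0.15 ----
Service C:\Windows\system32\drivers\kbiwkmycwrtlmj.sys (*** hidden *** ) [SYSTEM] kbiwkmcxvdnpgy <-- ROOTKIT !!!
Service C:\Windows\system32\drivers\kbiwkmpdljgpcy.sys (*** hidden *** ) [SYSTEM] kbiwkmvpsbcrra <-- ROOTKIT !!!
Service C:\Windows\system32\drivers\UACpxbaewqipu.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\ControlSet001\Services\kbiwkmcxvdnpgy@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\kbiwkmcxvdnpgy@imagepath \systemroot\system32\drivers\kbiwkmycwrtlmj.sys
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmcxvdnpgy@imagepath \systemroot\system32\drivers\kbiwkmycwrtlmj.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACvqjkckrcao.dll
Reg HKLM\SYSTEM\ControlSet009\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACpxbaewqipu.sys
---- EOF - GMER 1.0.15 ----
"""


def normalize_path(p):
    """Map GMER's kernel-style paths onto the Win32 paths Avenger needs."""
    low = p.lower()
    for prefix in (r"\\?\globalroot\systemroot", r"\systemroot"):
        if low.startswith(prefix):
            return SYSTEMROOT + p[len(prefix):]
    return p


def parse_gmer(text):
    """Collect kernel hooks, hidden libraries, ROOTKIT services and their keys."""
    f = {"hooks": [], "libraries": [], "services": {}, "keys": defaultdict(set)}
    section = None
    for line in text.splitlines():
        if m := SECTION_RE.match(line):
            section = m.group(1)
        elif section == "Services" and (m := SERVICE_RE.match(line)):
            f["services"][m["name"]] = normalize_path(m["image"])
        elif section == "Processes" and (m := LIBRARY_RE.match(line)):
            f["libraries"].append((normalize_path(m["dll"]), m["proc"], int(m["pid"])))
        elif section == "Kernel code sections" and (m := HOOK_RE.match(line)):
            f["hooks"].append((m["module"], m["func"], m["target"]))
        elif section == "Registry" and (m := REG_RE.match(line)):
            # CurrentControlSet is only a link to one of the ControlSetNNN keys,
            # and the Avenger log above reports its entries "not found" by the
            # time it gets to them, so only the numbered control sets are scripted.
            if m["cs"] != "CurrentControlSet":
                f["keys"][m["svc"]].add(m["key"])
    return f


def build_avenger_script(f):
    """Emit the four Avenger sections for the ROOTKIT-tagged services only."""
    names = sorted(f["services"])
    files = sorted(set(f["services"].values()) | {dll for dll, _, _ in f["libraries"]})
    keys = sorted(k for n in names for k in f["keys"].get(n, ()))
    blocks = [("Drivers to disable:", names), ("Drivers to delete:", names),
              ("Files to delete:", files), ("Registry keys to delete:", keys)]
    return "\n\n".join(h + "\n" + "\n".join(items) for h, items in blocks if items)


if __name__ == "__main__":
    found = parse_gmer(SAMPLE_LOG)
    for mod, func, target in found["hooks"]:
        print(f"inline hook: {mod}!{func} -> {target}")
    for dll, proc, pid in found["libraries"]:
        print(f"hidden module {dll} in {proc} (pid {pid})")
    print()
    print(build_avenger_script(found))
```

Two design choices matter here. First, the generator only ever scripts from GMER's Services section, never from the Files section: in the log above that section lists `UAC Settings.xml` under perflogs and SQL Server's `UACmd.exe` next to the real `uac*.tmp` droppings, because it is a name-pattern match. Second, it skips the `CurrentControlSet` aliases and keeps only the numbered `ControlSet00N` keys, which is consistent with the Avenger log above, where the `CurrentControlSet` deletions came back `STATUS_OBJECT_NAME_NOT_FOUND` while the `ControlSet001` and `ControlSet009` copies were removed. The hidden `UAC*.dll` injected into `svchost.exe` is added to the file list because GMER reports it as hidden and the registry ties it to the `UACd.sys` service; the kernel hooks are only reported, since they disappear once the driver is gone.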

Re: Lingering bugs from Windows Antivirus Pro and Police Pro

Post by jness80537 on 8th September 2009, 9:17 pm

I am going to have to save it to my flash drive, send it to my desktop and open it from there. That is the only way I am able to download anything, and most of the time I have to do it twice.
So I am hoping that this problem I am having with having to right click and run as admin to open things will cease. I'm also figuring out that when I open an email to read it, and then try to close the box, it won't close. I am so praying that this will fix my problems. I am an online college student in my bachelor's degree program right now, and it is annoying when I can't even open a Word window.


Re: Lingering bugs from Windows Antivirus Pro and Police Pro

Post by jness80537 on 8th September 2009, 9:57 pm

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows NT 6.0 (build 6000)
Tue Sep 08 15:22:43 2009

15:21:43: Warning: Skipping potentially dangerous line:
"HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmvpsbcrra" (Registry key deletion mode)


//////////////////////////////////////////


Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "adxiu3m1" found!
Could not open driver adxiu3m1 for rootkit scan. Error:c0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Rootkit scan completed.

Driver "kbiwkmcxvdnpgy" disabled successfully.
Driver "kbiwkmvpsbcrra" disabled successfully.
Disablement of driver "UACd.sys" failed!
Status: 0xc0000001 (STATUS_UNSUCCESSFUL)

Driver "kbiwkmcxvdnpgy" deleted successfully.
Driver "kbiwkmvpsbcrra" deleted successfully.
Driver "UACd.sys" deleted successfully.
File "C:\WINDOWS\system32\drivers\kbiwkmycwrtlmj.sys" deleted successfully.
File "C:\WINDOWS\system32\drivers\kbiwkmpdljgpcy.sys" deleted successfully.

Error: could not delete file "C:\WINDOWS\system32\drivers\UACpxbaewqipu.sys"
Deletion of file "C:\WINDOWS\system32\drivers\UACpxbaewqipu.sys" failed!
Status: 0xc0000156

Registry key "HKLM\SYSTEM\ControlSet001\Services\kbiwkmcxvdnpgy" deleted successfully.
Registry key "HKLM\SYSTEM\ControlSet001\Services\kbiwkmvpsbcrra" deleted successfully.

Error: registry key "HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmcxvdnpgy" not found!
Deletion of registry key "HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmcxvdnpgy" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys" not found!
Deletion of registry key "HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Registry key "HKLM\SYSTEM\ControlSet009\Services\kbiwkmcxvdnpgy" deleted successfully.
Registry key "HKLM\SYSTEM\ControlSet009\Services\kbiwkmvpsbcrra" deleted successfully.
Registry key "HKLM\SYSTEM\ControlSet009\Services\UACd.sys" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


Re: Lingering bugs from Windows Antivirus Pro and Police Pro

Post by jness80537 on 8th September 2009, 10:00 pm

Here is the malware log:

Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 6.0.6000

9/8/2009 3:59:29 PM
mbam-log-2009-09-08 (15-58-50).txt

Scan type: Quick Scan
Objects scanned: 93409
Time elapsed: 15 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\CoreGuard (Rogue.CoreGuard2009) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\exefile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (C:\Windows\system32\desote.exe "%1" %*) Good: ("%1" %*) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\system32\UACvqjkckrcao.dll (Rogue.Agent) -> No action taken.
C:\Windows\Temp\UAC7944.tmp (Rogue.Agent) -> No action taken.
C:\Users\Specter\AppData\Local\Temp\uac3eb6.tmp (Rogue.ProtectionSystem) -> No action taken.
C:\Windows\System32\uacinit.dll (Trojan.Agent) -> No action taken.
C:\Windows\System32\certstore.dat (Trojan.Agent) -> No action taken.
C:\Windows\System32\UACppypijkvdw.dll (Trojan.Agent) -> No action taken.
C:\Windows\System32\UACvagjoxextr.dat (Trojan.Agent) -> No action taken.
C:\Windows\System32\UACwmpfsmvbnv.dll (Trojan.Agent) -> No action taken.


Re: Lingering bugs from Windows Antivirus Pro and Police Pro

Post by jness80537 on 8th September 2009, 10:55 pm

Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 6.0.6000

9/8/2009 4:01:12 PM
mbam-log-2009-09-08 (16-01-12).txt

Scan type: Quick Scan
Objects scanned: 93409
Time elapsed: 15 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\CoreGuard (Rogue.CoreGuard2009) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\exefile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (C:\Windows\system32\desote.exe "%1" %*) Good: ("%1" %*) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\system32\UACvqjkckrcao.dll (Rogue.Agent) -> Quarantined and deleted successfully.
C:\Windows\Temp\UAC7944.tmp (Rogue.Agent) -> Quarantined and deleted successfully.
C:\Users\Specter\AppData\Local\Temp\uac3eb6.tmp (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
C:\Windows\System32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\certstore.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\UACppypijkvdw.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\UACvagjoxextr.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\UACwmpfsmvbnv.dll (Trojan.Agent) -> Quarantined and deleted successfully.

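The two Malwarebytes logs above differ only in the trailing status of each line: the first pass recorded every detection as "No action taken" (the log was saved before removal was confirmed), the second as "Quarantined and deleted successfully". The one finding worth reading closely is the Broken.OpenCommand data item: the default value of HKEY_CLASSES_ROOT\exefile\shell\open\command decides how every .exe on the machine is launched, and here it had been changed so that desote.exe ran in front of whatever program the user double-clicked. The following Python script is an added example, not code from this thread or from Malwarebytes; it parses log lines in the format shown above (the sample input is constructed from lines in the two logs) and reports how many findings were left untreated and which binary an open-command hijack would route every program launch through.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the layout of Malwarebytes' Anti-Malware 1.40 logs above,
# trimmed to the sections that matter for triage. The "before" text mirrors the
# first log (nothing removed); the "after" text mirrors the second log.
SAMPLE_LOG_BEFORE = """\
Registry Keys Infected:
HKEY_CURRENT_USER\\SOFTWARE\\CoreGuard (Rogue.CoreGuard2009) -> No action taken.
HKEY_LOCAL_MACHINE\\SOFTWARE\\UAC (Rootkit.Trace) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\\exefile\\shell\\open\\command\\(default) (Broken.OpenCommand) -> Bad: (C:\\Windows\\system32\\desote.exe "%1" %*) Good: ("%1" %*) -> No action taken.

Files Infected:
C:\\Windows\\system32\\UACvqjkckrcao.dll (Rogue.Agent) -> No action taken.
C:\\Windows\\System32\\uacinit.dll (Trojan.Agent) -> No action taken.
"""
SAMPLE_LOG_AFTER = SAMPLE_LOG_BEFORE.replace(
    "No action taken.", "Quarantined and deleted successfully.")


@dataclass
class Finding:
    section: str            # e.g. "Registry Data Items Infected"
    target: str             # registry key/value or file path
    detection: str          # Malwarebytes detection name, e.g. Rogue.Agent
    action: str             # trailing status, e.g. "No action taken."
    bad: Optional[str] = None   # Broken.* items only: the hijacked value
    good: Optional[str] = None  # Broken.* items only: the value to restore


# "<target> (<detection>) -> <rest>". The target may itself contain parentheses
# (e.g. "...\command\(default)"), so the detection's opening parenthesis must be
# preceded by a space.
_ITEM_RE = re.compile(r"^(?P<target>.+?) \((?P<detection>[^()]+)\) -> (?P<rest>.+)$")
# Tail of a data-item line: "Bad: (...) Good: (...) -> <action>".
_BADGOOD_RE = re.compile(r"^Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> (?P<action>.+)$")


def parse_mbam_log(text: str) -> List[Finding]:
    """Turn the per-section detail lines of a Malwarebytes log into Finding records."""
    findings: List[Finding] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("(No malicious items detected)"):
            continue
        if line.endswith("Infected:"):       # section header such as "Files Infected:"
            section = line[:-1]
            continue
        m = _ITEM_RE.match(line)
        if not m or not section:             # summary/header lines carry no " (...) -> "
            continue
        rest = m.group("rest")
        bg = _BADGOOD_RE.match(rest)
        if bg:
            findings.append(Finding(section, m.group("target"), m.group("detection"),
                                    bg.group("action"), bg.group("bad"), bg.group("good")))
        else:
            findings.append(Finding(section, m.group("target"), m.group("detection"), rest))
    return findings


def untreated(findings: List[Finding]) -> List[Finding]:
    """Detections the scanner logged but did not remove (every line of the first log)."""
    return [f for f in findings if f.action.startswith("No action taken")]


def exefile_hijacks(findings: List[Finding]) -> List[Finding]:
    """Open-command hijacks: the 'Bad' value runs in front of every .exe the user starts."""
    return [f for f in findings if f.detection == "Broken.OpenCommand" and f.bad is not None]


def hijack_binary(f: Finding) -> str:
    """Path of the interposed binary in a hijacked open command (quoted or unquoted form)."""
    value = (f.bad or "").strip()
    if value.startswith('"'):                # "C:\path with spaces\x.exe" "%1" %*
        return value[1:].split('"', 1)[0]
    return value.split(' "%1"', 1)[0]        # C:\path\x.exe "%1" %*


def triage(text: str) -> dict:
    """Summary a helper would want before asking for a second scan."""
    findings = parse_mbam_log(text)
    return {
        "findings": len(findings),
        "untreated": len(untreated(findings)),
        "hijack_binaries": [hijack_binary(f) for f in exefile_hijacks(findings)],
    }


if __name__ == "__main__":
    for label, log in (("before", SAMPLE_LOG_BEFORE), ("after", SAMPLE_LOG_AFTER)):
        print(label, triage(log))
```

Run on the constructed "before" text the summary shows five findings, all five untreated, and one interposed binary, C:\Windows\system32\desote.exe; on the "after" text the untreated count drops to zero while the hijack line is still reported, which is correct because the log records what was found, not what the registry looks like now. A follow-up check of the live exefile open command (the "Good" value is "%1" %*) is the way to confirm the repair actually stuck.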

Re: Lingering bugs from Windows Antivirus Pro and Police Pro

Post by jness80537 on 8th September 2009, 10:57 pm

Cool, the PC is running somewhat normally. I still can't open and turn on my Security Center. I don't have to right click on anything to get it to run; just a normal click works. I'll check the rest that I was having problems with and see what happens.
Thank you, we are on the right track.


Re: Lingering bugs from Windows Antivirus Pro and Police Pro

Post by Belahzur on 9th September 2009, 12:10 am

1. If you are using Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

2. During the download, rename Combofix to svchost as follows:

3. It is important you rename Combofix during the download, but not after.
4. Please do not rename Combofix to other names, but only to the one indicated.
5. Close any open browsers.
6. We need to disable your local AV (Anti-virus) before running Combofix.

  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on svchost.exe.
  • Follow the prompts.
  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse click combofix's window whilst it's running. That may cause it to stall.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245101
# Likes # Likes : 1


Re: Lingering bugs from Windows Antivirus Pro and Police Pro

Post by jness80537 on 9th September 2009, 1:10 am

I don't know what happened, but Combofix is on my desktop and I was not given the option to rename it. Also it says that I have Spybot and Ad-Aware running. Yes, I have Spybot and no clue how to shut it off short of uninstalling it, and I uninstalled Ad-Aware when I first started having problems with my PC.


Re: Lingering bugs from Windows Antivirus Pro and Police Pro

Post by Belahzur on 9th September 2009, 7:27 pm

Hello.
See if you can run it without renaming it.



Re: Lingering bugs from Windows Antivirus Pro and Police Pro

Post by jness80537 on 10th September 2009, 7:38 am

My McAfee is saying that Combofix is an Artemis Trojan and won't let me download it. I have managed to get my Malwarebytes and McAfee to run, I still can't turn on my Windows Defender though.


Re: Lingering bugs from Windows Antivirus Pro and Police Pro

Post by Belahzur on 10th September 2009, 6:48 pm

Uninstall McAfee, it interferes way too much.



Re: Lingering bugs from Windows Antivirus Pro and Police Pro

Post by Dr Jay on 16th September 2009, 9:02 pm

Due to lack of response, this topic is now closed.

If you need the topic reopened, PM an administrator or moderator.


Dr. Jay (DJ)



Dr Jay
Head Administrator
Head Administrator

Posts Posts : 14309
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Arch. Arch. : x64 (64-bit)
Protection Protection : Bitdefender Total Security
Points Points : 302960
# Likes # Likes : 10
