Trojan.SVCHost/Fake.Process


Trojan.SVCHost/Fake.Process

Post by Voods on Mon 03 May 2010, 1:58 pm

Hi.

I seem to be infected with Trojan.SVCHost/Fake.Process.

I ran a Super Anti-Spyware scan, and this was in the result. After rebooting and another scan, I got another display of the same threat. Is there a way to get rid of this completely?
Also, is this a serious threat? I don't know how I managed to get infected with this.

Regards

Voods

Senior Surfer

Posts: 229
Joined: 2008-12-07
Operating System: Windows 7 Professional

Re: Trojan.SVCHost/Fake.Process

Post by Belahzur on Mon 03 May 2010, 10:55 pm

Download OTL by OldTimer to your Desktop.

  • Close all windows and double click OTL.exe
  • Click Run Scan and let the program run uninterrupted
  • It will produce two logs for you, one will pop up - OTL.txt, the other will be saved on your Desktop - Extras.txt. Post both logs in this thread.
  • You may need to use two posts to get it all.


@RealBelahzur - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.

If I have helped you, please consider donating to me.

Belahzur

Manager | Tech Officer

Posts: 34919
Joined: 2008-08-03
Operating System: XP SP3 Media Centre

Re: Trojan.SVCHost/Fake.Process

Post by Voods on Tue 04 May 2010, 2:18 am

Hi there

Thanks for the reply.

OTL is freezing when scanning:

hkey_current_user internet explorer settings...

I did have this problem last time when running this.

Regards

Voods

Senior Surfer

Posts: 229
Joined: 2008-12-07
Operating System: Windows 7 Professional

Re: Trojan.SVCHost/Fake.Process

Post by Belahzur on Tue 04 May 2010, 11:37 pm

Hello.

  • Download ComboFix from here:
    Link 1
    Link 2

    1. If you are using Firefox, make sure that your download settings are as follows:
       * Tools -> Options -> Main tab
       * Set to "Always ask me where to save the files".
    2. During the download, rename ComboFix to Combo-Fix as follows:
    3. It is important that you rename ComboFix during the download, but not after.
    4. Please do not rename ComboFix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (anti-virus) before running ComboFix.
  • See HERE for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts.
    NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.**
  • The Recovery Console provides a recovery/repair mode should a problem occur during a ComboFix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan; select Yes.
  • Allow ComboFix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


Belahzur

Manager | Tech Officer

Posts: 34919
Joined: 2008-08-03
Operating System: XP SP3 Media Centre

Re: Trojan.SVCHost/Fake.Process

Post by Voods on Wed 05 May 2010, 10:23 am

ComboFix 10-05-04.05 - Voodoo 05/05/2010 9:50.5.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.198 [GMT 1:00]
Running from: c:\documents and settings\Voodoo\Desktop\Combo-Fix.exe
AV: ESET Smart Security 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *disabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\games\[You must be registered and logged in to see this link.] Pinball Thrillride\cshtr\Desktop_.ini
c:\program files\WindowsUpdate
c:\windows\system32\msvcsv60.dll

.
((((((((((((((((((((((((( Files Created from 2010-04-05 to 2010-05-05 )))))))))))))))))))))))))))))))
.

2010-05-04 22:51 . 2010-04-12 16:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-04 09:52 . 2010-05-04 09:52 63488 ----a-w- c:\documents and settings\Voodoo\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-05-02 23:23 . 2009-08-02 17:49 3036024 ----a-w- c:\documents and settings\Voodoo\Application Data\Simply Super Software\Trojan Remover\vuq8F07.exe
2010-04-30 23:38 . 2010-04-30 23:38 -------- d-----w- c:\documents and settings\Voodoo\Application Data\Waves Audio
2010-04-30 20:06 . 2010-04-30 20:06 -------- d-----w- C:\g3LicenseBackup
2010-04-30 19:47 . 2006-12-10 00:08 139264 ----a-w- c:\windows\system32\wstrm32.dll
2010-04-30 19:47 . 2010-04-30 19:47 -------- d-----w- c:\program files\Tascam
2010-04-30 18:58 . 2010-04-26 17:08 2227712 ----a-w- c:\documents and settings\Voodoo\Application Data\Mozilla\Firefox\Profiles\55x8pt7q.default\extensions\firetorrent@radicalsoft.com\components\firetorrent.dll
2010-04-30 18:37 . 2010-04-30 18:37 -------- d-----w- c:\program files\Waves
2010-04-30 17:04 . 2010-04-30 17:04 -------- d-----w- c:\documents and settings\Voodoo\Application Data\Sammsoft
2010-04-30 17:04 . 2010-04-30 17:05 -------- d-----w- c:\program files\Hard Disk Tune-Up
2010-04-22 20:49 . 2010-04-22 20:49 -------- d-----w- c:\program files\LoveChess Age Of Egypt
2010-04-20 13:32 . 2010-04-20 13:32 -------- d-----w- C:\ConvertTemp
2010-04-20 10:53 . 2010-04-20 10:53 -------- d-----w- c:\program files\MSXML 4.0
2010-04-19 13:34 . 2010-04-19 13:34 -------- d-----w- c:\program files\ConvertHelper
2010-04-19 13:19 . 2010-04-22 08:01 -------- d-----w- c:\documents and settings\Voodoo\.oboesync
2010-04-19 13:19 . 2010-04-19 13:19 -------- d-----w- c:\program files\MP3tunes
2010-04-19 13:18 . 2010-04-19 13:18 -------- d-----w- c:\documents and settings\Voodoo\Local Settings\Application Data\{058E7DAB-1F55-48A3-892A-ECCA62D23C8F}
2010-04-19 10:22 . 2010-04-19 10:22 -------- d-----w- c:\documents and settings\Voodoo\Application Data\Samsung
2010-04-19 09:36 . 2006-05-03 21:53 174592 ----a-w- c:\windows\system32\framedyn.dll
2010-04-19 09:34 . 2010-04-19 09:34 -------- d-----w- c:\program files\DIFX
2010-04-19 09:34 . 2010-04-19 09:34 -------- d-----w- c:\windows\system32\Samsung_USB_Drivers
2010-04-19 09:32 . 2010-04-19 09:48 5632 ----a-w- c:\windows\system32\drivers\StarOpen.sys
2010-04-19 09:31 . 2010-04-19 09:31 -------- d-----w- c:\program files\Samsung
2010-04-17 19:09 . 2010-04-17 19:09 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\ESET
2010-04-17 00:12 . 2010-04-17 00:12 -------- d-----w- c:\program files\NirSoft
2010-04-17 00:06 . 2010-04-17 00:08 -------- d-----w- c:\program files\Nucleus Kernel Hotmail MSN Password Recovery
2010-04-15 17:04 . 2010-04-15 17:04 303104 ----a-w- c:\documents and settings\Voodoo\Application Data\Thinstall\Virus Cleaner\4000005600002i\Update.exe
2010-04-15 17:04 . 2010-04-15 17:04 303104 ----a-w- c:\documents and settings\Voodoo\Application Data\Thinstall\Virus Cleaner\400000a00003i\cvtres.exe
2010-04-15 17:03 . 2010-04-15 17:03 303104 ----a-w- c:\documents and settings\Voodoo\Application Data\Thinstall\Virus Cleaner\4000001300003i\csc.exe
2010-04-15 17:02 . 2010-04-15 17:02 303104 ----a-w- c:\documents and settings\Voodoo\Application Data\Thinstall\Virus Cleaner\10000002200002i\wmiapsrv.exe
2010-04-15 17:02 . 2010-04-15 17:02 303104 ----a-w- c:\documents and settings\Voodoo\Application Data\Thinstall\Virus Cleaner\4000008000002i\Splash Screen.exe
2010-04-15 17:02 . 2010-04-15 17:02 -------- d-----w- c:\documents and settings\Voodoo\Local Settings\Application Data\Thinstall
2010-04-15 17:00 . 2010-04-15 17:00 -------- d-----w- c:\documents and settings\Voodoo\Application Data\Codemonster
2010-04-11 15:53 . 2010-04-11 15:53 -------- d-----w- c:\documents and settings\Voodoo\Application Data\XYplorer
2010-04-11 14:00 . 2010-04-11 14:00 -------- d-----w- c:\documents and settings\Voodoo\Application Data\Noteworthy Software
2010-04-11 14:00 . 2010-04-11 14:00 -------- d-----w- c:\program files\Noteworthy Software
2010-04-08 21:01 . 2010-04-08 21:01 -------- d-----w- c:\windows\system32\custom matrices
2010-04-08 21:00 . 2010-04-08 21:01 -------- d-----w- c:\windows\system32\C2MP
2010-04-08 21:00 . 2010-04-08 21:00 -------- d-----w- c:\windows\system32\QuickTime
2010-04-07 14:36 . 2010-04-07 14:36 -------- d-----w- c:\program files\Bytescout XLS Viewer
2010-04-07 13:50 . 2010-04-07 13:50 -------- d-----w- c:\program files\Rollercoaster Rush
2010-04-06 19:01 . 2010-04-06 19:01 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-05 08:41 . 2009-03-22 22:15 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-05 08:40 . 2009-03-14 14:10 -------- d-----w- c:\program files\XYplorer
2010-05-04 23:05 . 2010-02-21 00:46 -------- d-----w- c:\documents and settings\Voodoo\Application Data\vlc
2010-05-04 22:51 . 2010-03-31 15:05 -------- d-----w- c:\program files\Java
2010-05-04 21:24 . 2009-03-14 14:22 -------- d-----w- c:\documents and settings\Voodoo\Application Data\foobar2000
2010-05-04 09:52 . 2009-12-30 01:46 117760 ----a-w- c:\documents and settings\Voodoo\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-02 23:10 . 2009-03-13 18:44 -------- d-----w- c:\documents and settings\Voodoo\Application Data\Orbit
2010-05-02 21:53 . 2009-03-13 18:44 -------- d-----w- c:\program files\Orbitdownloader
2010-05-02 18:02 . 2009-03-13 16:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-02 15:44 . 2009-06-21 16:01 -------- d-----w- c:\program files\SpywareBlaster
2010-05-02 15:39 . 2009-03-13 15:13 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-02 15:37 . 2009-03-13 16:27 6153352 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-04-30 23:44 . 2009-03-14 12:30 32 ----a-w- c:\windows\msocreg32.dat
2010-04-30 19:50 . 2010-01-28 22:39 -------- d-----w- c:\documents and settings\All Users\Application Data\eboostr
2010-04-30 19:12 . 2010-01-30 22:01 436207616 --sha-w- C:\eboostr.dat
2010-04-30 14:56 . 2009-03-13 15:06 -------- d-----w- c:\program files\Sandboxie
2010-04-29 14:39 . 2009-03-13 16:21 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 14:39 . 2009-03-13 16:21 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-28 23:06 . 2009-03-14 13:32 -------- d-----w- c:\program files\foobar2000
2010-04-28 13:01 . 2010-03-14 23:06 -------- d-----w- c:\documents and settings\Voodoo\Application Data\PrimoPDF
2010-04-19 09:50 . 2009-03-13 14:50 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-18 23:59 . 2009-03-13 14:44 173232 ----a-w- c:\documents and settings\Voodoo\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-15 17:02 . 2009-04-07 22:59 -------- d-----w- c:\documents and settings\Voodoo\Application Data\Thinstall
2010-04-15 12:55 . 2009-03-23 18:08 -------- d-----w- c:\program files\CCleaner
2010-04-14 16:52 . 2009-04-23 21:31 -------- d-----w- c:\documents and settings\Voodoo\Application Data\dvdcss
2010-04-11 23:05 . 2009-04-07 14:05 -------- d-----w- c:\documents and settings\Voodoo\Application Data\Spotify
2010-04-08 21:05 . 2010-01-15 00:32 -------- d-----w- c:\program files\FLV Player
2010-04-06 10:25 . 2010-04-04 23:47 -------- d-----w- c:\program files\Steam
2010-04-03 13:05 . 2010-04-03 12:44 -------- d-----w- c:\documents and settings\All Users\Application Data\SONiVOX
2010-04-03 13:05 . 2010-04-03 13:05 765722 ----a-w- c:\documents and settings\All Users\Application Data\SONiVOX\DVI Taylor Acoustic Guitar\unins000.exe
2010-04-03 13:01 . 2009-03-22 17:03 -------- d-----w- c:\program files\Native Instruments
2010-04-03 13:01 . 2010-04-03 13:01 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2010-04-03 12:52 . 2010-04-03 12:52 -------- d-----w- c:\documents and settings\Voodoo\Application Data\PACE Anti-Piracy
2010-04-03 12:52 . 2010-04-03 12:52 -------- d-----w- c:\documents and settings\All Users\Application Data\PACE Anti-Piracy
2010-04-03 12:52 . 2010-04-03 12:52 -------- d-----w- c:\program files\Common Files\PACE Anti-Piracy
2010-04-03 12:45 . 2010-04-03 12:45 -------- d-----w- c:\program files\SONiVOX
2010-04-03 12:44 . 2010-04-03 12:44 765722 ----a-w- c:\documents and settings\All Users\Application Data\SONiVOX\DVI Martin Acoustic Guitar\unins000.exe
2010-04-03 12:42 . 2010-04-03 12:42 -------- d-----w- c:\program files\InterLok
2010-04-02 22:34 . 2009-03-13 20:31 -------- d-----w- c:\program files\Syncrosoft
2010-04-02 22:10 . 2009-03-14 13:39 -------- d-----w- c:\documents and settings\Voodoo\Application Data\Steinberg
2010-04-02 17:43 . 2010-04-02 17:41 -------- d-----w- c:\documents and settings\Voodoo\Application Data\ACAMPREF
2010-04-02 17:42 . 2010-04-02 17:41 -------- d-----w- c:\program files\Harmony Assistant
2010-04-02 17:41 . 2010-04-02 17:41 1409 ----a-w- c:\windows\Fonts\SToccata.fot
2010-04-01 14:13 . 2010-04-01 14:13 -------- d-----w- c:\program files\DISCOVERY MULTIMEDIA
2010-03-30 21:09 . 2010-03-30 21:09 -------- d-----w- c:\program files\Sierra On-Line
2010-03-28 16:22 . 2010-03-28 16:22 -------- d-----w- c:\program files\FLAC
2010-03-19 20:15 . 2010-03-19 20:15 -------- d-----w- c:\program files\Pando Networks
2010-03-16 13:50 . 2010-03-14 22:51 -------- d-----w- c:\program files\Nitro PDF
2010-03-16 13:26 . 2010-03-16 13:26 -------- d-----w- c:\program files\Speccy
2010-03-09 17:12 . 2010-03-09 17:12 -------- d-----w- c:\program files\QuickSFV
2010-03-09 16:55 . 2010-03-09 16:55 -------- d-----w- c:\program files\QuickPar
2010-03-09 11:09 . 2003-07-16 16:43 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-03-08 23:26 . 2010-03-08 23:24 -------- d-----w- c:\documents and settings\Voodoo\Application Data\FMZilla
2010-03-08 23:21 . 2010-03-08 23:21 -------- d-----w- c:\documents and settings\Voodoo\Application Data\OpenCandy
2010-03-08 23:21 . 2010-03-08 23:21 939909 ----a-w- c:\documents and settings\Voodoo\Application Data\OpenCandy\FreeMusicZillaWrapped.exe
2010-03-06 14:41 . 2010-03-06 14:41 -------- d-----w- c:\program files\Smallvideosoft
2010-03-06 14:04 . 2009-03-13 18:45 -------- d-----w- c:\documents and settings\Voodoo\Application Data\GrabPro
2010-03-02 11:43 . 2010-03-02 11:43 65567 ----a-w- c:\documents and settings\All Users\Application Data\tmpE2A6.tmp
2010-03-02 11:43 . 2010-03-02 11:43 65564 ----a-w- c:\documents and settings\All Users\Application Data\tmpE29B.tmp
2010-03-02 11:37 . 2010-03-02 11:37 3804950 ----a-w- c:\documents and settings\All Users\Application Data\tmpE004.tmp
2010-02-26 05:43 . 2003-07-16 16:45 667136 ------w- c:\windows\system32\wininet.dll
2010-02-26 05:43 . 2009-03-13 14:38 81920 ------w- c:\windows\system32\ieencode.dll
2010-02-24 13:11 . 2003-07-16 16:29 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-17 08:10 . 2003-07-16 16:33 2189952 ------w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2002-08-29 01:04 2066816 ------w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 17:54 . 2009-06-08 21:44 1227816 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-02-12 16:20 . 2010-02-12 16:20 503808 ----a-w- c:\documents and settings\Voodoo\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-209f1d52-n\msvcp71.dll
2010-02-12 16:20 . 2010-02-12 16:20 499712 ----a-w- c:\documents and settings\Voodoo\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-209f1d52-n\jmc.dll
2010-02-12 16:20 . 2010-02-12 16:20 348160 ----a-w- c:\documents and settings\Voodoo\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-209f1d52-n\msvcr71.dll
2010-02-12 16:20 . 2010-02-12 16:20 61440 ----a-w- c:\documents and settings\Voodoo\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-4d4af267-n\decora-sse.dll
2010-02-12 16:20 . 2010-02-12 16:20 12800 ----a-w- c:\documents and settings\Voodoo\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-4d4af267-n\decora-d3d.dll
2010-02-12 04:33 . 2003-07-16 16:17 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2003-07-16 16:41 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2009-05-13 21:55 . 2009-05-13 21:55 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-13 21:55 . 2009-05-13 21:55 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2010-01-25 15:21 . 2010-01-25 15:21 2 --shatr- c:\windows\winstart.bat
2009-09-19 13:35 . 2009-09-19 13:35 8 --sh--r- c:\windows\system32\02910CF17B.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HS3_AutoRun"="c:\program files\Farstone\HackerSmacker\FWMain.exe" [2005-07-23 323584]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"HDTune-Up"="c:\program files\Hard Disk Tune-Up\HDTuneUp.exe" [2008-06-13 981264]
"EW Message Server"="msg32.exe" [2006-12-10 45056]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

c:\documents and settings\Voodoo\Start Menu\Programs\Startup\
ESET Smart Security.lnk - c:\program files\ESET\ESET Smart Security\egui.exe [2009-2-6 2021400]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HackerSmacker 3.0.lnk - c:\program files\Farstone\HackerSmacker\FWMain.exe [2005-7-23 323584]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
2003-06-20 07:03 110592 ----a-w- c:\windows\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi"=gmidi.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BTTray.lnk]
backup=c:\windows\pss\BTTray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eBoostr Control Panel.lnk]
backup=c:\windows\pss\eBoostr Control Panel.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Orbit.lnk]
backup=c:\windows\pss\Orbit.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Voodoo^Start Menu^Programs^Startup^MemTurbo.lnk]
backup=c:\windows\pss\MemTurbo.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Voodoo^Start Menu^Programs^Startup^WordWeb Pro.lnk]
backup=c:\windows\pss\WordWeb Pro.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Voodoo^Start Menu^Programs^Startup^WordWeb.lnk]
backup=c:\windows\pss\WordWeb.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2003-08-20 20:24 151552 ----a-w- c:\program files\Apoint\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
2005-11-10 18:44 26112 ----a-w- c:\windows\system32\Ati2mdxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2003-07-29 12:30 335872 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2008-12-29 10:40 687560 ----a-w- c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Eraser]
2009-06-10 13:22 334224 ----a-w- c:\program files\Eraser\Eraser.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H2O]
2005-10-22 23:00 385024 ----a-w- c:\program files\Syncrosoft\POS\H2O\cledx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HS3_AutoRun]
2005-07-23 17:49 323584 ----a-w- c:\program files\Farstone\HackerSmacker\FWMain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 15:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRONoMgr.exe]
2003-05-28 17:32 86016 ----a-w- c:\program files\Intel\NCS\PROSet\PRONoMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SandboxieControl]
2010-04-17 10:56 394984 ----a-w- c:\program files\Sandboxie\SbieCtrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2009-03-11 12:00 24095528 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-04-04 23:51 1217872 ----a-w- c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 10:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2010-05-02 15:38 2020592 ----a-w- c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"BthServ"=2 (0x2)
"Ati HotKey Poller"=3 (0x3)
"SbieSvc"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Super Internet TV\\Super Internet TV.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\TVAnts\\Tvants.exe"=
"c:\\Program Files\\Pando Networks\\Pando\\Pando.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57771:TCP"= 57771:TCP:Pando
"57771:UDP"= 57771:UDP:Pando

R0 eBoost;eBoostr caching filter driver;c:\windows\system32\drivers\eBoost.sys [28/01/2009 12:34 125544]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [06/02/2009 15:23 106208]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [05/01/2010 08:56 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [05/01/2010 08:56 61440]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [06/02/2009 15:23 727720]
R2 fsnet;fsnet;c:\windows\system32\drivers\fsnet.sys [23/03/2009 17:59 18882]
R2 Hard Disk Tune-Up;Hard Disk Tune-Up;c:\program files\Hard Disk Tune-Up\HDTuneUpSrv.exe [30/04/2010 18:04 448272]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [13/03/2009 17:21 304464]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [13/03/2009 21:31 33792]
R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [13/03/2009 20:51 115312]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [13/03/2009 17:21 20952]
R3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [06/04/2009 13:19 23064]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [05/04/2009 13:10 717296]
S2 ATE_PROCMON;ATE_PROCMON;\\??\\c:\\Program Files\\Anti Trojan Elite\\ATEPMon.sys --> \\c:\\Program Files\\Anti Trojan Elite\\ATEPMon.sys [?]
S3 EWAVE;EWAVE;c:\windows\system32\drivers\ew.sys [30/04/2010 20:48 1447040]
S3 FILESPY;FILESPY;c:\windows\system32\drivers\filespy.sys [30/04/2010 20:48 26992]
S3 FWCOM;FWCOM;c:\program files\Farstone\HackerSmacker\FWCOM.exe [18/07/2005 19:27 69632]
S3 JakNDisMP;JakNDisMP;c:\windows\system32\DRIVERS\JakNDis.sys --> c:\windows\system32\DRIVERS\JakNDis.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\107E.tmp --> c:\windows\system32\107E.tmp [?]
S3 NSTATION;NSTATION;c:\windows\system32\drivers\nstation.sys [30/04/2010 20:48 18944]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [05/01/2010 08:56 12872]
S4 EBOOSTRSVC;eBoostr Service;c:\program files\eBoostr\EBstrSvc.exe [28/01/2009 12:34 634488]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{621FCD24-4498-4324-A81E-07D331376EDF}]
2007-09-19 09:32 7680 ----a-w- c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder

2010-04-26 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2010-01-23 15:48]

2010-05-05 c:\windows\Tasks\WECPUpdate.job
- c:\program files\Essentials Codec Pack\WECPUpdate.exe [2009-02-25 14:28]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: Send To &Bluetooth
DPF: {6F6FDB9E-5072-498C-BCB0-2B7F00C49EE7} - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\Voodoo\Application Data\Mozilla\Firefox\Profiles\55x8pt7q.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\documents and settings\Voodoo\Application Data\Mozilla\Firefox\Profiles\55x8pt7q.default\extensions\keyscrambler@qfx.software.corporation\components\KeyScramblerIE.dll
FF - component: c:\program files\Orbitdownloader\addons\OneClickYouTubeDownloader\components\GrabXpcom.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\Veetle\VLCBroadcast\npvbp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-Contraptions - c:\sierra\Contraptions\Uninst.isu



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-05-05 09:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys >>UNKNOWN [0x85DBDD60]<< PCIIDEX.SYS
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf75f3f28
\Driver\ACPI -> ACPI.sys @ 0xf7566cb8
\Driver\atapi -> atapi.sys @ 0xf7500852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\107E.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1644491937-1580818891-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{BD42A954-F9E7-F446-D346-A866649FEB8A}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"abphnjehiblbihlbpmjahjdmcnnghldjia"=hex:61,61,00,01
"maaicjfdndpmdmjmlbjlckbhhh"=hex:61,61,00,01

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h||A~*]
"AB141C35E9F4BF344B9FC010BB17F68A"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{53C141BA-4F9E-43FB-B4F9-0C01BB716FA8}\\Registered"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1368)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\LgNotify.dll
.
Completion time: 2010-05-05 10:00:33
ComboFix-quarantined-files.txt 2010-05-05 09:00
ComboFix2.txt 2010-04-08 20:15

Pre-Run: 5,686,358,016 bytes free
Post-Run: 5,806,833,664 bytes free

- - End Of File - - 6334CAE8D96B547FAD900AE64FD4406E

Voods

Senior Surfer

Posts: 229
Joined: 2008-12-07
Operating System: Windows 7 Professional

Re: Trojan.SVCHost/Fake.Process

Post by Belahzur on Wed 05 May 2010, 7:43 pm

Download the GMER rootkit scan from here: GMER

  1. Unzip it and start GMER.
  2. Click the >>> tab and then click the Scan button.
  3. Once done, click the Copy button.
  4. This will copy the results to your clipboard.
  5. Paste the results in your next reply.
Note:
If you're having problems with running GMER.exe, try it in safe mode. This tool works in safe mode.
You can also try renaming it since some malware blocks GMER.


@RealBelahzur - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



If I have helped you, please consider donating to me.

Belahzur

Manager | Tech Officer

Posts: 34919
Joined: 2008-08-03
Operating System: XP SP3 Media Centre

Re: Trojan.SVCHost/Fake.Process

Post by Voods on Thu 06 May 2010, 12:01 am

GMER 1.0.15.15281 - [You must be registered and logged in to see this link.]
Rootkit scan 2010-05-05 23:59:30
Windows 5.1.2600 Service Pack 3
Running: hsbsvfh4.exe; Driver: C:\DOCUME~1\Voodoo\LOCALS~1\Temp\kflyqpog.sys


---- System - GMER 1.0.15 ----

SSDT 863B6580 ZwAssignProcessToJobObject
SSDT spny.sys ZwCreateKey [0xF748F0E0]
SSDT 863B7100 ZwDebugActiveProcess
SSDT 863B6B30 ZwDuplicateObject
SSDT spny.sys ZwEnumerateKey [0xF74ADCA2]
SSDT spny.sys ZwEnumerateValueKey [0xF74AE030]
SSDT spny.sys ZwOpenKey [0xF748F0C0]
SSDT 863B5CC0 ZwOpenProcess
SSDT 863B5FC0 ZwOpenThread
SSDT 863B69C0 ZwProtectVirtualMemory
SSDT spny.sys ZwQueryKey [0xF74AE108]
SSDT spny.sys ZwQueryValueKey [0xF74ADF88]
SSDT 863B6860 ZwSetContextThread
SSDT 863B66E0 ZwSetInformationThread
SSDT 863B3700 ZwSetSecurityObject
SSDT spny.sys ZwSetValueKey [0xF74AE19A]
SSDT 863B6420 ZwSuspendProcess
SSDT 863B62C0 ZwSuspendThread
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xBA4BB900]
SSDT 863B6150 ZwTerminateThread
SSDT 863B6F50 ZwWriteVirtualMemory

INT 0x3B ? 86A87F00
INT 0x3B ? 86A87F00
INT 0x3B ? 86A87F00
INT 0x3B ? 86A87F00
INT 0x3E ? 86F6ABF8
INT 0x3F ? 86F6ABF8

---- Kernel code sections - GMER 1.0.15 ----

? spny.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload F54DB8AC 5 Bytes JMP 86A874E0
.text aaaowu0u.SYS F4F52386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
.text aaaowu0u.SYS F4F523AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text aaaowu0u.SYS F4F523C4 3 Bytes [00, 70, 02] {ADD [EAX+0x2], DH}
.text aaaowu0u.SYS F4F523C9 1 Byte [2E]
.text aaaowu0u.SYS F4F523C9 11 Bytes [2E, 00, 00, 00, 5C, 02, 00, ...] {ADD CS:[EAX], AL; ADD [EDX+EAX+0x0], BL; ADD [EAX], AL; ADD [EAX], AL}
.text ...

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[936] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 00]
.text C:\Program Files\Mozilla Firefox\firefox.exe[3080] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3080] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 05F827A0 C:\Program Files\Orbitdownloader\addons\OneClickYouTubeDownloader\components\GrabKernel.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[3080] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 05F836F0 C:\Program Files\Orbitdownloader\addons\OneClickYouTubeDownloader\components\GrabKernel.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[3080] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 05F833B0 C:\Program Files\Orbitdownloader\addons\OneClickYouTubeDownloader\components\GrabKernel.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[3080] WS2_32.dll!WSAConnect 71AC0C81 5 Bytes JMP 05F828D0 C:\Program Files\Orbitdownloader\addons\OneClickYouTubeDownloader\components\GrabKernel.dll

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 86F6C2D8
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F74C0C4C] spny.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F74C0CA0] spny.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F7490040] spny.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F749013C] spny.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F74900BE] spny.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F74907FC] spny.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F74906D2] spny.sys
IAT \SystemRoot\System32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 86A875E0
IAT \SystemRoot\System32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F74A0048] spny.sys
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!RtlInitUnicodeString] 2266E852
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!swprintf] 478B0000
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!KeSetEvent] 50016A40
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!IoCreateSymbolicLink] 1CAC8E8D
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!IoGetConfigurationInformation] E8510000
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!IoDeleteSymbolicLink] 00002254
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!MmFreeMappingAddress] 6A18538B
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!IoFreeErrorLogEntry] 868D5200
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!IoDisconnectInterrupt] 00001C98
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!MmUnmapIoSpace] 2242E850
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!ObReferenceObjectByPointer] 4B8B0000
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!IofCompleteRequest] 51016A18
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!RtlCompareUnicodeString] 1CB4968D
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!IofCallDriver] E8520000
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!MmAllocateMappingAddress] 00002230
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!IoAllocateErrorLogEntry] 8A05478A
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!IoConnectInterrupt] 001CBB8E
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!IoDetachDevice] 30C48300
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!KeWaitForSingleObject] 1CBD8688
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!KeInitializeEvent] 80E90000
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!KeCancelTimer] C6000000
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!RtlAnsiStringToUnicodeString] 001CBB86
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!RtlInitAnsiString] 438B0100
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!IoBuildDeviceIoControlRequest] 8E8D5018
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!IoQueueWorkItem] 00001C90
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!MmMapIoSpace] 2202E851
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!IoInvalidateDeviceRelations] 538B0000
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!IoReportDetectedDevice] 52016A18
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!IoReportResourceForDetection] 1CAC868D
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!RtlxAnsiStringToUnicodeSize] E8500000
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!NlsMbCodePageTag] 000021F0
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!PoRequestPowerIrp] 8A05478A
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!KeInsertByKeyDeviceQueue] 001CBB8E
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!PoRegisterDeviceForIdleDetection] 18C48300
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!sprintf] 1CBD8688
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!MmMapLockedPagesSpecifyCache] 43EB0000
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!ObfDereferenceObject] 320C538A
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!IoGetAttachedDeviceReference] 88F93BC0
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!IoInvalidateDeviceState] 001CBB96
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!ZwClose] F6317300
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!ObReferenceObjectByHandle] 74070647
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!ZwCreateDirectoryObject] 75C0841A
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!IoBuildSynchronousFsdRequest] 05578A0B
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!PoStartNextPowerIrp] 968801B0
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!IoCreateDevice] 00001CBD
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!RtlCopyUnicodeString] 57B60F66
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!IoAllocateDriverObjectExtension] 533B6604
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!RtlQueryRegistryValues] 03087408
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!ZwOpenKey] 72F93B3F
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!RtlFreeUnicodeString] 8A09EBDA
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!IoStartTimer] 86880547
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!KeInitializeTimer] 00001CBD
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!IoInitializeTimer] 88084B8A
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!KeInitializeDpc] 001CBE8E
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!KeInitializeSpinLock] 40578B00
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!IoInitializeIrp] 8D52006A
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!ZwCreateKey] 001CC086
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!RtlAppendUnicodeStringToString] 81E85000
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!RtlIntegerToUnicodeString] 8B000021
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!ZwSetValueKey] 001CB88E
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!KeInsertQueueDpc] BC968B00
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!KefAcquireSpinLockAtDpcLevel] 8900001C
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!IoStartPacket] 001CC48E
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!KefReleaseSpinLockFromDpcLevel] C8968900
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!IoBuildAsynchronousFsdRequest] 8B00001C
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!IoFreeMdl] 016A4047
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!MmUnlockPages] CCC68150
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!IoWriteErrorLogEntry] 5600001C
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!KeRemoveByKeyDeviceQueue] 002157E8
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!MmMapLockedPagesWithReservedMapping] 18C48300
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!MmUnmapReservedMapping] 5D5B5E5F
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!KeSynchronizeExecution] CCCCCCC3
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!IoStartNextPacket] CCCCCCCC
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!KeBugCheckEx] CCCCCCCC
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!KeRemoveDeviceQueue] CCCCCCCC
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!KeSetTimer] 8BEC8B55
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!_allmul] 00C73445
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!MmProbeAndLockPages] 00000000
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!_except_handler3] 830C458B
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!PoSetPowerState] C0840CEC
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!IoOpenDeviceRegistryKey] 053C0D74
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!RtlWriteRegistryValue] 57B80974
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!RtlDeleteRegistryValue] 8B000000
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!_aulldiv] 56C35DE5
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!strstr] 8D08758B
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!_strupr] 8D51FC4D
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!KeQuerySystemTime] 8D52FD55
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!IoWMIRegistrationControl] 8D51FE4D
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!KeTickCount] 8D52FF55
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!IoAttachDeviceToDeviceStack] 8D51F84D
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!IoDeleteDevice] 5052F455
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!ExAllocatePoolWithTag] EACAE856
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!IoAllocateWorkItem] C483FFFF
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!IoAllocateIrp] 0FC08520
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!IoAllocateMdl] 0001AD85
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!MmBuildMdlForNonPagedPool] 46B70F00
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!MmLockPagableDataSection] F44D8B48
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!IoGetDriverObjectExtension] C1815753
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!MmUnlockPagableImageSection] 00002590
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!ExFreePoolWithTag] 467C8D51
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!IoFreeIrp] 7622E84A
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!IoFreeWorkItem] D88BFFFF
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!InitSafeBootMode] 8504C483
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!RtlCompareMemory] 5F0A75DB
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!PoCallDriver] 5B08438D
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!memmove] 5DE58B5E
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[ntoskrnl.exe!MmHighestUserAddress] 259068C3
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[HAL.dll!KfAcquireSpinLock] 4B8BDF8B
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[HAL.dll!READ_PORT_UCHAR] 8D3F0304
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[HAL.dll!KeGetCurrentIrql] CB033043
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[HAL.dll!KfRaiseIrql] 0673C13B
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[HAL.dll!KfLowerIrql] C13B0003
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[HAL.dll!HalGetInterruptVector] 8366FA72
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[HAL.dll!HalTranslateBusAddress] 75000E7B
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[HAL.dll!KeStallExecutionProcessor] 0B7D80E3
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[HAL.dll!KfReleaseSpinLock] 307B8D00
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 00AA840F
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[HAL.dll!READ_PORT_USHORT] 83660000
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 6A000E7A
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[HAL.dll!WRITE_PORT_UCHAR] C6647400
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[WMILIB.SYS!WmiSystemControl] 4F8B0200
IAT \SystemRoot\System32\Drivers\aaaowu0u.SYS[WMILIB.SYS!WmiCompleteRequest] 968D5140
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [F78602DE] \SystemRoot\system32\drivers\fsnet.sys (fsnet/FarStone Technology Inc.)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 86F691F8

AttachedDevice \FileSystem\Ntfs \Ntfs eBoost.sys (eBoostr Filter Driver/eBoostr.com)
AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)

Device \Driver\Tcpip \Device\Ip fsnet.sys (fsnet/FarStone Technology Inc.)

AttachedDevice \Driver\Tcpip \Device\Ip epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)

Device \Driver\NetBT \Device\NetBT_Tcpip_{6C9201EB-89B7-481B-8B6C-B6AEB81A72B2} 864841F8
Device \Driver\sptd \Device\1313219296 spny.sys
Device \FileSystem\Cdfs \Cdfs 86B921F8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00025b2267c0
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00025b2267c0@0021d19495b9 0x53 0xCE 0x76 0xCB ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0010c65f896a
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x2A 0xFB 0x75 0xC4 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x94 0x9C 0x2F 0xAB ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xEF 0xE9 0x76 0x44 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x00 0xD2 0xB3 0xA4 ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\00025b2267c0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\00025b2267c0@0021d19495b9 0x53 0xCE 0x76 0xCB ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0010c65f896a (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x2A 0xFB 0x75 0xC4 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x94 0x9C 0x2F 0xAB ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xEF 0xE9 0x76 0x44 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x00 0xD2 0xB3 0xA4 ...
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG12.00.00.01PROFESSIONAL
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{BD42A954-F9E7-F446-D346-A866649FEB8A}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{BD42A954-F9E7-F446-D346-A866649FEB8A}@abphnjehiblbihlbpmjahjdmcnnghldjia 0x61 0x61 0x00 0x01
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{BD42A954-F9E7-F446-D346-A866649FEB8A}@maaicjfdndpmdmjmlbjlckbhhh 0x61 0x61 0x00 0x01

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\temp\HTT30B6.tmp 0 bytes

---- EOF - GMER 1.0.15 ----

Voods

Senior Surfer

Posts: 229
Joined: 2008-12-07
Operating System: Windows 7 Professional

Re: Trojan.SVCHost/Fake.Process

Post by Voods on Thu 06 May 2010, 4:19 pm

Hi

Just thought I'd say, after my last post, I got the BSOD, but my computer shut down instantly, so I didn't get a chance to write the details down.
It'll be in the dump file I guess, but I'm not sure what to do with it.

It took 6 attempts at rebooting for the system to load without crashing. I did take a screenshot of the error message for you to look at.



Regards

Voods

Senior Surfer

Posts: 229
Joined: 2008-12-07
Operating System: Windows 7 Professional

Re: Trojan.SVCHost/Fake.Process

Post by Belahzur on Thu 06 May 2010, 10:15 pm

Hello.
Even though we managed to repair some of the damage, I'm not sure we can repair it all; this variant of malware goes to extreme lengths to do its damage.

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:
    Code:

    KILLALL::

    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "EW Message Server"=-

    RegNull::
    [HKEY_USERS\S-1-5-21-1644491937-1580818891-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{BD42A954-F9E7-F446-D346-A866649FEB8A}*]

    MBR::
  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


@RealBelahzur - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



If I have helped you, please consider donating to me.

Belahzur

Manager | Tech Officer

Posts: 34919
Joined: 2008-08-03
Operating System: XP SP3 Media Centre

Re: Trojan.SVCHost/Fake.Process

Post by Voods on Thu 06 May 2010, 10:50 pm

ComboFix 10-05-04.05 - Voodoo 06/05/2010 22:32:06.6.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.260 [GMT 1:00]
Running from: c:\documents and settings\Voodoo\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Voodoo\Desktop\CFscript.txt
AV: ESET Smart Security 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *disabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
* Resident AV is active

.

((((((((((((((((((((((((( Files Created from 2010-04-06 to 2010-05-06 )))))))))))))))))))))))))))))))
.

2010-05-05 10:57 . 2010-05-06 15:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-05-05 10:57 . 2010-05-05 11:01 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-05-04 22:51 . 2010-04-12 16:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-04 09:52 . 2010-05-05 13:37 63488 ----a-w- c:\documents and settings\Voodoo\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-05-02 23:23 . 2009-08-02 17:49 3036024 ----a-w- c:\documents and settings\Voodoo\Application Data\Simply Super Software\Trojan Remover\vuq8F07.exe
2010-04-30 23:38 . 2010-04-30 23:38 -------- d-----w- c:\documents and settings\Voodoo\Application Data\Waves Audio
2010-04-30 20:06 . 2010-04-30 20:06 -------- d-----w- C:\g3LicenseBackup
2010-04-30 19:47 . 2006-12-10 00:08 139264 ----a-w- c:\windows\system32\wstrm32.dll
2010-04-30 19:47 . 2010-04-30 19:47 -------- d-----w- c:\program files\Tascam
2010-04-30 18:58 . 2010-04-26 17:08 2227712 ----a-w- c:\documents and settings\Voodoo\Application Data\Mozilla\Firefox\Profiles\55x8pt7q.default\extensions\firetorrent@radicalsoft.com\components\firetorrent.dll
2010-04-30 18:37 . 2010-04-30 18:37 -------- d-----w- c:\program files\Waves
2010-04-30 17:04 . 2010-04-30 17:04 -------- d-----w- c:\documents and settings\Voodoo\Application Data\Sammsoft
2010-04-30 17:04 . 2010-04-30 17:05 -------- d-----w- c:\program files\Hard Disk Tune-Up
2010-04-22 20:49 . 2010-04-22 20:49 -------- d-----w- c:\program files\LoveChess Age Of Egypt
2010-04-20 13:32 . 2010-04-20 13:32 -------- d-----w- C:\ConvertTemp
2010-04-20 10:53 . 2010-04-20 10:53 -------- d-----w- c:\program files\MSXML 4.0
2010-04-19 13:34 . 2010-04-19 13:34 -------- d-----w- c:\program files\ConvertHelper
2010-04-19 13:19 . 2010-04-22 08:01 -------- d-----w- c:\documents and settings\Voodoo\.oboesync
2010-04-19 13:19 . 2010-04-19 13:19 -------- d-----w- c:\program files\MP3tunes
2010-04-19 13:18 . 2010-04-19 13:18 -------- d-----w- c:\documents and settings\Voodoo\Local Settings\Application Data\{058E7DAB-1F55-48A3-892A-ECCA62D23C8F}
2010-04-19 10:22 . 2010-04-19 10:22 -------- d-----w- c:\documents and settings\Voodoo\Application Data\Samsung
2010-04-19 09:36 . 2006-05-03 21:53 174592 ----a-w- c:\windows\system32\framedyn.dll
2010-04-19 09:34 . 2010-04-19 09:34 -------- d-----w- c:\program files\DIFX
2010-04-19 09:34 . 2010-04-19 09:34 -------- d-----w- c:\windows\system32\Samsung_USB_Drivers
2010-04-19 09:32 . 2010-04-19 09:48 5632 ----a-w- c:\windows\system32\drivers\StarOpen.sys
2010-04-19 09:31 . 2010-04-19 09:31 -------- d-----w- c:\program files\Samsung
2010-04-17 19:09 . 2010-04-17 19:09 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\ESET
2010-04-17 00:12 . 2010-04-17 00:12 -------- d-----w- c:\program files\NirSoft
2010-04-17 00:06 . 2010-04-17 00:08 -------- d-----w- c:\program files\Nucleus Kernel Hotmail MSN Password Recovery
2010-04-15 17:04 . 2010-04-15 17:04 303104 ----a-w- c:\documents and settings\Voodoo\Application Data\Thinstall\Virus Cleaner\4000005600002i\Update.exe
2010-04-15 17:04 . 2010-04-15 17:04 303104 ----a-w- c:\documents and settings\Voodoo\Application Data\Thinstall\Virus Cleaner\400000a00003i\cvtres.exe
2010-04-15 17:03 . 2010-04-15 17:03 303104 ----a-w- c:\documents and settings\Voodoo\Application Data\Thinstall\Virus Cleaner\4000001300003i\csc.exe
2010-04-15 17:02 . 2010-04-15 17:02 303104 ----a-w- c:\documents and settings\Voodoo\Application Data\Thinstall\Virus Cleaner\10000002200002i\wmiapsrv.exe
2010-04-15 17:02 . 2010-04-15 17:02 303104 ----a-w- c:\documents and settings\Voodoo\Application Data\Thinstall\Virus Cleaner\4000008000002i\Splash Screen.exe
2010-04-15 17:02 . 2010-04-15 17:02 -------- d-----w- c:\documents and settings\Voodoo\Local Settings\Application Data\Thinstall
2010-04-15 17:00 . 2010-05-05 09:07 -------- d-----w- c:\documents and settings\Voodoo\Application Data\Codemonster
2010-04-15 16:46 . 2010-05-05 09:07 -------- d-----w- c:\program files\Codemonster
2010-04-11 15:53 . 2010-04-11 15:53 -------- d-----w- c:\documents and settings\Voodoo\Application Data\XYplorer
2010-04-11 14:00 . 2010-04-11 14:00 -------- d-----w- c:\documents and settings\Voodoo\Application Data\Noteworthy Software
2010-04-11 14:00 . 2010-04-11 14:00 -------- d-----w- c:\program files\Noteworthy Software
2010-04-08 21:01 . 2010-04-08 21:01 -------- d-----w- c:\windows\system32\custom matrices
2010-04-08 21:00 . 2010-04-08 21:01 -------- d-----w- c:\windows\system32\C2MP
2010-04-08 21:00 . 2010-04-08 21:00 -------- d-----w- c:\windows\system32\QuickTime
2010-04-07 14:36 . 2010-04-07 14:36 -------- d-----w- c:\program files\Bytescout XLS Viewer
2010-04-07 13:50 . 2010-04-07 13:50 -------- d-----w- c:\program files\Rollercoaster Rush

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-06 21:40 . 2009-03-22 22:15 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-06 18:15 . 2009-03-14 14:10 -------- d-----w- c:\program files\XYplorer
2010-05-06 18:10 . 2010-02-21 00:46 -------- d-----w- c:\documents and settings\Voodoo\Application Data\vlc
2010-05-06 18:05 . 2009-03-14 14:22 -------- d-----w- c:\documents and settings\Voodoo\Application Data\foobar2000
2010-05-05 13:37 . 2009-12-30 01:46 117760 ----a-w- c:\documents and settings\Voodoo\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-05 11:04 . 2010-03-14 23:06 -------- d-----w- c:\documents and settings\Voodoo\Application Data\PrimoPDF
2010-05-05 10:47 . 2009-03-23 18:08 -------- d-----w- c:\program files\CCleaner
2010-05-04 22:51 . 2010-03-31 15:05 -------- d-----w- c:\program files\Java
2010-05-02 23:10 . 2009-03-13 18:44 -------- d-----w- c:\documents and settings\Voodoo\Application Data\Orbit
2010-05-02 21:53 . 2009-03-13 18:44 -------- d-----w- c:\program files\Orbitdownloader
2010-05-02 18:02 . 2009-03-13 16:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-02 15:44 . 2009-06-21 16:01 -------- d-----w- c:\program files\SpywareBlaster
2010-05-02 15:39 . 2009-03-13 15:13 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-02 15:37 . 2009-03-13 16:27 6153352 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-04-30 23:44 . 2009-03-14 12:30 32 ----a-w- c:\windows\msocreg32.dat
2010-04-30 19:50 . 2010-01-28 22:39 -------- d-----w- c:\documents and settings\All Users\Application Data\eboostr
2010-04-30 19:12 . 2010-01-30 22:01 436207616 --sha-w- C:\eboostr.dat
2010-04-30 14:56 . 2009-03-13 15:06 -------- d-----w- c:\program files\Sandboxie
2010-04-29 14:39 . 2009-03-13 16:21 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 14:39 . 2009-03-13 16:21 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-28 23:06 . 2009-03-14 13:32 -------- d-----w- c:\program files\foobar2000
2010-04-19 09:50 . 2009-03-13 14:50 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-18 23:59 . 2009-03-13 14:44 173232 ----a-w- c:\documents and settings\Voodoo\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-15 17:02 . 2009-04-07 22:59 -------- d-----w- c:\documents and settings\Voodoo\Application Data\Thinstall
2010-04-14 16:52 . 2009-04-23 21:31 -------- d-----w- c:\documents and settings\Voodoo\Application Data\dvdcss
2010-04-11 23:05 . 2009-04-07 14:05 -------- d-----w- c:\documents and settings\Voodoo\Application Data\Spotify
2010-04-08 21:05 . 2010-01-15 00:32 -------- d-----w- c:\program files\FLV Player
2010-04-07 10:54 . 2010-04-06 19:01 -------- d-----w- c:\program files\McAfee Security Scan
2010-04-06 19:01 . 2010-04-06 19:01 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-04-06 10:25 . 2010-04-04 23:47 -------- d-----w- c:\program files\Steam
2010-04-03 13:05 . 2010-04-03 12:44 -------- d-----w- c:\documents and settings\All Users\Application Data\SONiVOX
2010-04-03 13:05 . 2010-04-03 13:05 765722 ----a-w- c:\documents and settings\All Users\Application Data\SONiVOX\DVI Taylor Acoustic Guitar\unins000.exe
2010-04-03 13:01 . 2009-03-22 17:03 -------- d-----w- c:\program files\Native Instruments
2010-04-03 13:01 . 2010-04-03 13:01 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2010-04-03 12:52 . 2010-04-03 12:52 -------- d-----w- c:\documents and settings\Voodoo\Application Data\PACE Anti-Piracy
2010-04-03 12:52 . 2010-04-03 12:52 -------- d-----w- c:\documents and settings\All Users\Application Data\PACE Anti-Piracy
2010-04-03 12:52 . 2010-04-03 12:52 -------- d-----w- c:\program files\Common Files\PACE Anti-Piracy
2010-04-03 12:45 . 2010-04-03 12:45 -------- d-----w- c:\program files\SONiVOX
2010-04-03 12:44 . 2010-04-03 12:44 765722 ----a-w- c:\documents and settings\All Users\Application Data\SONiVOX\DVI Martin Acoustic Guitar\unins000.exe
2010-04-02 22:34 . 2009-03-13 20:31 -------- d-----w- c:\program files\Syncrosoft
2010-04-02 22:10 . 2009-03-14 13:39 -------- d-----w- c:\documents and settings\Voodoo\Application Data\Steinberg
2010-04-02 17:43 . 2010-04-02 17:41 -------- d-----w- c:\documents and settings\Voodoo\Application Data\ACAMPREF
2010-04-02 17:42 . 2010-04-02 17:41 -------- d-----w- c:\program files\Harmony Assistant
2010-04-02 17:41 . 2010-04-02 17:41 1409 ----a-w- c:\windows\Fonts\SToccata.fot
2010-04-01 14:13 . 2010-04-01 14:13 -------- d-----w- c:\program files\DISCOVERY MULTIMEDIA
2010-03-30 21:09 . 2010-03-30 21:09 -------- d-----w- c:\program files\Sierra On-Line
2010-03-28 16:22 . 2010-03-28 16:22 -------- d-----w- c:\program files\FLAC
2010-03-19 20:15 . 2010-03-19 20:15 -------- d-----w- c:\program files\Pando Networks
2010-03-16 13:50 . 2010-03-14 22:51 -------- d-----w- c:\program files\Nitro PDF
2010-03-16 13:26 . 2010-03-16 13:26 -------- d-----w- c:\program files\Speccy
2010-03-09 17:12 . 2010-03-09 17:12 -------- d-----w- c:\program files\QuickSFV
2010-03-09 16:55 . 2010-03-09 16:55 -------- d-----w- c:\program files\QuickPar
2010-03-09 11:09 . 2003-07-16 16:43 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-03-08 23:26 . 2010-03-08 23:24 -------- d-----w- c:\documents and settings\Voodoo\Application Data\FMZilla
2010-03-08 23:21 . 2010-03-08 23:21 -------- d-----w- c:\documents and settings\Voodoo\Application Data\OpenCandy
2010-03-08 23:21 . 2010-03-08 23:21 939909 ----a-w- c:\documents and settings\Voodoo\Application Data\OpenCandy\FreeMusicZillaWrapped.exe
2010-03-02 11:43 . 2010-03-02 11:43 65567 ----a-w- c:\documents and settings\All Users\Application Data\tmpE2A6.tmp
2010-03-02 11:43 . 2010-03-02 11:43 65564 ----a-w- c:\documents and settings\All Users\Application Data\tmpE29B.tmp
2010-03-02 11:37 . 2010-03-02 11:37 3804950 ----a-w- c:\documents and settings\All Users\Application Data\tmpE004.tmp
2010-02-26 05:43 . 2003-07-16 16:45 667136 ------w- c:\windows\system32\wininet.dll
2010-02-26 05:43 . 2009-03-13 14:38 81920 ------w- c:\windows\system32\ieencode.dll
2010-02-24 13:11 . 2003-07-16 16:29 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-17 08:10 . 2003-07-16 16:33 2189952 ------w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2002-08-29 01:04 2066816 ------w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 17:54 . 2009-06-08 21:44 1227816 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-02-12 16:20 . 2010-02-12 16:20 503808 ----a-w- c:\documents and settings\Voodoo\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-209f1d52-n\msvcp71.dll
2010-02-12 16:20 . 2010-02-12 16:20 499712 ----a-w- c:\documents and settings\Voodoo\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-209f1d52-n\jmc.dll
2010-02-12 16:20 . 2010-02-12 16:20 348160 ----a-w- c:\documents and settings\Voodoo\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-209f1d52-n\msvcr71.dll
2010-02-12 16:20 . 2010-02-12 16:20 61440 ----a-w- c:\documents and settings\Voodoo\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-4d4af267-n\decora-sse.dll
2010-02-12 16:20 . 2010-02-12 16:20 12800 ----a-w- c:\documents and settings\Voodoo\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-4d4af267-n\decora-d3d.dll
2010-02-12 04:33 . 2003-07-16 16:17 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2003-07-16 16:41 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2009-05-13 21:55 . 2009-05-13 21:55 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-13 21:55 . 2009-05-13 21:55 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2010-01-25 15:21 . 2010-01-25 15:21 2 --shatr- c:\windows\winstart.bat
2009-09-19 13:35 . 2009-09-19 13:35 8 --sh--r- c:\windows\system32\02910CF17B.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HS3_AutoRun"="c:\program files\Farstone\HackerSmacker\FWMain.exe" [2005-07-23 323584]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"HDTune-Up"="c:\program files\Hard Disk Tune-Up\HDTuneUp.exe" [2008-06-13 981264]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

c:\documents and settings\Voodoo\Start Menu\Programs\Startup\
ESET Smart Security.lnk - c:\program files\ESET\ESET Smart Security\egui.exe [2009-2-6 2021400]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HackerSmacker 3.0.lnk - c:\program files\Farstone\HackerSmacker\FWMain.exe [2005-7-23 323584]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
2003-06-20 07:03 110592 ----a-w- c:\windows\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi"=gmidi.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BTTray.lnk]
backup=c:\windows\pss\BTTray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eBoostr Control Panel.lnk]
backup=c:\windows\pss\eBoostr Control Panel.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Orbit.lnk]
backup=c:\windows\pss\Orbit.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Voodoo^Start Menu^Programs^Startup^MemTurbo.lnk]
backup=c:\windows\pss\MemTurbo.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Voodoo^Start Menu^Programs^Startup^WordWeb Pro.lnk]
backup=c:\windows\pss\WordWeb Pro.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Voodoo^Start Menu^Programs^Startup^WordWeb.lnk]
backup=c:\windows\pss\WordWeb.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2003-08-20 20:24 151552 ----a-w- c:\program files\Apoint\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
2005-11-10 18:44 26112 ----a-w- c:\windows\system32\Ati2mdxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2003-07-29 12:30 335872 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2008-12-29 10:40 687560 ----a-w- c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Eraser]
2009-06-10 13:22 334224 ----a-w- c:\program files\Eraser\Eraser.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H2O]
2005-10-22 23:00 385024 ----a-w- c:\program files\Syncrosoft\POS\H2O\cledx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HS3_AutoRun]
2005-07-23 17:49 323584 ----a-w- c:\program files\Farstone\HackerSmacker\FWMain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 15:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRONoMgr.exe]
2003-05-28 17:32 86016 ----a-w- c:\program files\Intel\NCS\PROSet\PRONoMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SandboxieControl]
2010-04-17 10:56 394984 ----a-w- c:\program files\Sandboxie\SbieCtrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2009-03-11 12:00 24095528 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-04-04 23:51 1217872 ----a-w- c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 10:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2010-05-02 15:38 2020592 ----a-w- c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"BthServ"=2 (0x2)
"Ati HotKey Poller"=3 (0x3)
"SbieSvc"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Super Internet TV\\Super Internet TV.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\TVAnts\\Tvants.exe"=
"c:\\Program Files\\Pando Networks\\Pando\\Pando.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57771:TCP"= 57771:TCP:Pando
"57771:UDP"= 57771:UDP:Pando

R0 eBoost;eBoostr caching filter driver;c:\windows\system32\drivers\eBoost.sys [28/01/2009 12:34 125544]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [05/04/2009 13:10 717296]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [06/02/2009 15:23 106208]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [05/01/2010 08:56 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [05/01/2010 08:56 61440]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [06/02/2009 15:23 727720]
R2 fsnet;fsnet;c:\windows\system32\drivers\fsnet.sys [23/03/2009 17:59 18882]
R2 Hard Disk Tune-Up;Hard Disk Tune-Up;c:\program files\Hard Disk Tune-Up\HDTuneUpSrv.exe [30/04/2010 18:04 448272]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [13/03/2009 17:21 304464]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [13/03/2009 21:31 33792]
R3 FWCOM;FWCOM;c:\program files\Farstone\HackerSmacker\FWCOM.exe [18/07/2005 19:27 69632]
R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [13/03/2009 20:51 115312]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [13/03/2009 17:21 20952]
R3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [06/04/2009 13:19 23064]
S2 ATE_PROCMON;ATE_PROCMON;\\??\\c:\\Program Files\\Anti Trojan Elite\\ATEPMon.sys --> \\c:\\Program Files\\Anti Trojan Elite\\ATEPMon.sys [?]
S3 EWAVE;EWAVE;c:\windows\system32\drivers\ew.sys [30/04/2010 20:48 1447040]
S3 FILESPY;FILESPY;c:\windows\system32\drivers\filespy.sys [30/04/2010 20:48 26992]
S3 JakNDisMP;JakNDisMP;c:\windows\system32\DRIVERS\JakNDis.sys --> c:\windows\system32\DRIVERS\JakNDis.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\107E.tmp --> c:\windows\system32\107E.tmp [?]
S3 NSTATION;NSTATION;c:\windows\system32\drivers\nstation.sys [30/04/2010 20:48 18944]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [05/01/2010 08:56 12872]
S4 EBOOSTRSVC;eBoostr Service;c:\program files\eBoostr\EBstrSvc.exe [28/01/2009 12:34 634488]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{621FCD24-4498-4324-A81E-07D331376EDF}]
2007-09-19 09:32 7680 ----a-w- c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder

2010-05-06 c:\windows\Tasks\WECPUpdate.job
- c:\program files\Essentials Codec Pack\WECPUpdate.exe [2009-02-25 14:28]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: Send To &Bluetooth
DPF: {6F6FDB9E-5072-498C-BCB0-2B7F00C49EE7} - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\Voodoo\Application Data\Mozilla\Firefox\Profiles\55x8pt7q.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\documents and settings\Voodoo\Application Data\Mozilla\Firefox\Profiles\55x8pt7q.default\extensions\keyscrambler@qfx.software.corporation\components\KeyScramblerIE.dll
FF - component: c:\program files\Orbitdownloader\addons\OneClickYouTubeDownloader\components\GrabXpcom.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\Veetle\VLCBroadcast\npvbp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-05-06 22:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys spwr.sys hal.dll >>UNKNOWN [0x86F8A938]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf75f3f28
\Driver\ACPI -> ACPI.sys @ 0xf744ecb8
\Driver\atapi -> atapi.sys @ 0xf73ebb40
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\107E.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h||A~*]
"AB141C35E9F4BF344B9FC010BB17F68A"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{53C141BA-4F9E-43FB-B4F9-0C01BB716FA8}\\Registered"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1396)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\LgNotify.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\S24EvMon.exe
c:\windows\system32\ZCfgSvc.exe
c:\windows\System32\dllhost.exe
c:\windows\system32\crypserv.exe
c:\windows\system32\1XConfig.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\windows\system32\RegSrvc.exe
c:\windows\system32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2010-05-06 22:44:57 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-06 21:44
ComboFix2.txt 2010-05-05 09:00
ComboFix3.txt 2010-04-08 20:15

Pre-Run: 6,188,187,648 bytes free
Post-Run: 6,149,898,240 bytes free

- - End Of File - - C8A95770ACB73E750451CA43D7306D46

Voods
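The ComboFix report above is long, and most of it is ordinary software. The entries a helper actually weighs are a few recognisable shapes: a driver service whose image ComboFix could not find on disk (the trailing `[?]`), a driver loaded from a `.tmp` file, and hidden+system files of a few bytes sitting in the Windows directory. The script below is an added example, not part of the thread and not a ComboFix component: it parses the Find3M and R/S service line formats seen in the log and applies those heuristics. The sample lines are constructed to mirror the posted ones; the heuristics are assumptions of this example, and a hit is a candidate for a closer look, not a verdict (licensing and caching software also leaves hidden system files, as the log itself shows).

```python
"""Triage a ComboFix-style log for the handful of entry shapes worth a second look."""
import re

# Find3M report line: "<created> . <modified> <size or --------> <attrs> <path>"
FIND3M_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\S+) (?P<attrs>\S{8}) (?P<path>.+)$"
)

# Driver/service line: "R0 name;display;image [dd/mm/yyyy hh:mm size]" or "... [?]"
# ([?] is how ComboFix marks an image path it could not find on disk).
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d) (?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<image>.+?) \[(?P<tail>[^\]]*)\]$"
)

# Constructed sample, modelled on lines from the posted log (a mix of benign and
# worth-checking entries so the heuristics have something to separate).
SAMPLE_LOG = r"""
2009-09-19 13:35 . 2009-09-19 13:35 8 --sh--r- c:\windows\system32\02910CF17B.sys
2010-01-25 15:21 . 2010-01-25 15:21 2 --shatr- c:\windows\winstart.bat
2010-03-09 11:09 . 2003-07-16 16:43 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-05-06 18:15 . 2009-03-14 14:10 -------- d-----w- c:\program files\XYplorer
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [05/04/2009 13:10 717296]
S2 ATE_PROCMON;ATE_PROCMON;\??\c:\Program Files\Anti Trojan Elite\ATEPMon.sys --> c:\Program Files\Anti Trojan Elite\ATEPMon.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\107E.tmp --> c:\windows\system32\107E.tmp [?]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [13/03/2009 17:21 20952]
"""


def _normalize(image):
    """Collapse ComboFix's '\\??\\on-disk --> resolved' form to one lower-case path."""
    if " --> " in image:
        image = image.split(" --> ", 1)[1]
    image = image.lower().replace("\\\\", "\\")
    for prefix in ("\\??\\", "\\"):
        if image.startswith(prefix):
            image = image[len(prefix):]
    return image


def _check_file(m):
    """Heuristics for a Find3M line; directories are skipped."""
    reasons = []
    size, attrs, path = m["size"], m["attrs"], m["path"].lower()
    if size == "--------":
        return reasons
    if "s" in attrs and "h" in attrs:
        reasons.append("hidden+system file")
    if size.isdigit() and int(size) <= 16 and path.endswith((".sys", ".exe", ".dll")):
        reasons.append("executable extension but only %s bytes" % size)
    if path.startswith("c:\\windows\\") and path.endswith(".tmp"):
        reasons.append(".tmp file in the Windows directory")
    return reasons


def _check_service(m):
    """Heuristics for an R/S driver-service line."""
    reasons = []
    image = _normalize(m["image"])
    if m["tail"].strip() == "?":
        reasons.append("image file not found on disk")
    if image.endswith(".tmp"):
        reasons.append("driver loaded from a .tmp file")
    if "\\temp\\" in image or "\\application data\\" in image:
        reasons.append("driver under a temp or profile directory")
    return reasons


def triage(log_text):
    """Return [(line, [reason, ...])] for every line that trips a heuristic."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = FIND3M_RE.match(line)
        if m:
            reasons = _check_file(m)
        else:
            m = SERVICE_RE.match(line)
            reasons = _check_service(m) if m else []
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("    ->", r)
```

Run against the sample it reports four lines: the two hidden system files, the MEMSWEEP2 driver whose image is both missing and a `.tmp`, and the ATE_PROCMON driver whose image is missing. The ordinary entries (vbscript.dll, sptd.sys, mbam.sys, the XYplorer directory) produce nothing.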

Re: Trojan.SVCHost/Fake.Process

Post by Voods on Thu 06 May 2010, 10:52 pm

Could you possibly tell me what Malware I have been infected with?
I thought I had enough protection, both in software and with add-ons in FFox...
What's the major damage that's been done?

Regards

Voods

Re: Trojan.SVCHost/Fake.Process

Post by Belahzur on Thu 06 May 2010, 11:00 pm

Hello.
There is still one patched file hiding, I think.


  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (or hold down your Windows key and press R) and copy and paste the following into the text field (make sure you include the quote marks), then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.


Belahzur

Re: Trojan.SVCHost/Fake.Process

Post by Voods on Thu 06 May 2010, 11:07 pm

23:04:06:279 1044 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
23:04:06:279 1044 ================================================================================
23:04:06:289 1044 SystemInfo:

23:04:06:289 1044 OS Version: 5.1.2600 ServicePack: 3.0
23:04:06:289 1044 Product type: Workstation
23:04:06:289 1044 ComputerName: HOME-43XJ81EHD3
23:04:06:289 1044 UserName: Voodoo
23:04:06:289 1044 Windows directory: C:\WINDOWS
23:04:06:289 1044 Processor architecture: Intel x86
23:04:06:289 1044 Number of processors: 1
23:04:06:289 1044 Page size: 0x1000
23:04:06:299 1044 Boot type: Normal boot
23:04:06:299 1044 ================================================================================
23:04:06:359 1044 UnloadDriverW: NtUnloadDriver error 2
23:04:06:359 1044 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
23:04:06:920 1044 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
23:04:06:920 1044 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
23:04:06:920 1044 wfopen_ex: Trying to KLMD file open
23:04:06:920 1044 wfopen_ex: File opened ok (Flags 2)
23:04:06:920 1044 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
23:04:06:920 1044 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
23:04:06:920 1044 wfopen_ex: Trying to KLMD file open
23:04:06:920 1044 wfopen_ex: File opened ok (Flags 2)
23:04:06:920 1044 Initialize success
23:04:06:920 1044
23:04:06:920 1044 Scanning Services ...
23:04:07:491 1044 Raw services enum returned 383 services
23:04:07:531 1044
23:04:07:531 1044 Scanning Kernel memory ...
23:04:07:531 1044 Devices to scan: 2
23:04:07:531 1044
23:04:07:531 1044 Driver Name: Disk
23:04:07:531 1044 IRP_MJ_CREATE : F75F5BB0
23:04:07:531 1044 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
23:04:07:531 1044 IRP_MJ_CLOSE : F75F5BB0
23:04:07:531 1044 IRP_MJ_READ : F75EFD1F
23:04:07:531 1044 IRP_MJ_WRITE : F75EFD1F
23:04:07:531 1044 IRP_MJ_QUERY_INFORMATION : 804FA88E
23:04:07:531 1044 IRP_MJ_SET_INFORMATION : 804FA88E
23:04:07:531 1044 IRP_MJ_QUERY_EA : 804FA88E
23:04:07:531 1044 IRP_MJ_SET_EA : 804FA88E
23:04:07:531 1044 IRP_MJ_FLUSH_BUFFERS : F75F02E2
23:04:07:531 1044 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
23:04:07:531 1044 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
23:04:07:531 1044 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
23:04:07:531 1044 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
23:04:07:531 1044 IRP_MJ_DEVICE_CONTROL : F75F03BB
23:04:07:531 1044 IRP_MJ_INTERNAL_DEVICE_CONTROL : F75F3F28
23:04:07:531 1044 IRP_MJ_SHUTDOWN : F75F02E2
23:04:07:531 1044 IRP_MJ_LOCK_CONTROL : 804FA88E
23:04:07:531 1044 IRP_MJ_CLEANUP : 804FA88E
23:04:07:531 1044 IRP_MJ_CREATE_MAILSLOT : 804FA88E
23:04:07:531 1044 IRP_MJ_QUERY_SECURITY : 804FA88E
23:04:07:531 1044 IRP_MJ_SET_SECURITY : 804FA88E
23:04:07:531 1044 IRP_MJ_POWER : F75F1C82
23:04:07:531 1044 IRP_MJ_SYSTEM_CONTROL : F75F699E
23:04:07:531 1044 IRP_MJ_DEVICE_CHANGE : 804FA88E
23:04:07:531 1044 IRP_MJ_QUERY_QUOTA : 804FA88E
23:04:07:531 1044 IRP_MJ_SET_QUOTA : 804FA88E
23:04:07:581 1044 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
23:04:07:581 1044
23:04:07:581 1044 Driver Name: atapi
23:04:07:581 1044 IRP_MJ_CREATE : F73EBB40
23:04:07:581 1044 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
23:04:07:581 1044 IRP_MJ_CLOSE : F73EBB40
23:04:07:581 1044 IRP_MJ_READ : 804FA88E
23:04:07:581 1044 IRP_MJ_WRITE : 804FA88E
23:04:07:581 1044 IRP_MJ_QUERY_INFORMATION : 804FA88E
23:04:07:581 1044 IRP_MJ_SET_INFORMATION : 804FA88E
23:04:07:581 1044 IRP_MJ_QUERY_EA : 804FA88E
23:04:07:581 1044 IRP_MJ_SET_EA : 804FA88E
23:04:07:581 1044 IRP_MJ_FLUSH_BUFFERS : 804FA88E
23:04:07:581 1044 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
23:04:07:581 1044 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
23:04:07:581 1044 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
23:04:07:581 1044 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
23:04:07:581 1044 IRP_MJ_DEVICE_CONTROL : F73EBB40
23:04:07:581 1044 IRP_MJ_INTERNAL_DEVICE_CONTROL : F73EBB40
23:04:07:581 1044 IRP_MJ_SHUTDOWN : 804FA88E
23:04:07:581 1044 IRP_MJ_LOCK_CONTROL : 804FA88E
23:04:07:581 1044 IRP_MJ_CLEANUP : 804FA88E
23:04:07:581 1044 IRP_MJ_CREATE_MAILSLOT : 804FA88E
23:04:07:581 1044 IRP_MJ_QUERY_SECURITY : 804FA88E
23:04:07:581 1044 IRP_MJ_SET_SECURITY : 804FA88E
23:04:07:581 1044 IRP_MJ_POWER : F73EBB40
23:04:07:581 1044 IRP_MJ_SYSTEM_CONTROL : F73EBB40
23:04:07:581 1044 IRP_MJ_DEVICE_CHANGE : 804FA88E
23:04:07:581 1044 IRP_MJ_QUERY_QUOTA : 804FA88E
23:04:07:581 1044 IRP_MJ_SET_QUOTA : 804FA88E
23:04:07:611 1044 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1
23:04:07:611 1044
23:04:07:611 1044 Completed
23:04:07:611 1044
23:04:07:611 1044 Results:
23:04:07:611 1044 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
23:04:07:611 1044 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
23:04:07:611 1044 File objects infected / cured / cured on reboot: 0 / 0 / 0
23:04:07:621 1044
23:04:07:621 1044 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
23:04:07:621 1044 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
23:04:07:621 1044 KLMD(ARK) unloaded successfully

Voods
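The "Scanning Kernel memory" part of the TDSSKiller log lists, for the disk and atapi driver objects, the address of every IRP_MJ major-function handler. The check that produces "Verdict: 1" for a clean table rests on one idea: each handler should resolve either into the driver's own image or into the kernel (unimplemented majors all point at the same kernel default handler, which is why 804FA88E repeats down both tables); a pointer into anonymous pool memory is how a TDSS-style hook of the disk stack shows up. The code below is an added example, not from the thread and not TDSSKiller's own logic: it parses that section and applies the range test. The module base/size values are constructed for the example (on a live system they come from the loaded-module list), and the 0x8A3F1C20 hook address in the second sample is invented.

```python
"""Check IRP_MJ dispatch tables from a TDSSKiller log for pointers outside the expected modules."""
import re
from collections import namedtuple

Module = namedtuple("Module", "name base size")

# Assumed load ranges, constructed for this example. Real values must come from
# the loaded-module list of the machine being examined, never from the log.
MODULES = [
    Module("ntoskrnl.exe", 0x804D7000, 0x217000),
    Module("atapi.sys",    0xF73E7000, 0x018000),
]

DRIVER_RE = re.compile(r"Driver Name: (\S+)")
IRP_RE = re.compile(r"(IRP_MJ_[A-Z_]+) : ([0-9A-Fa-f]{8})")

# Excerpt in the shape of the posted TDSSKiller output (clean table).
CLEAN_SAMPLE = """\
23:04:07:581 1044 Driver Name: atapi
23:04:07:581 1044 IRP_MJ_CREATE : F73EBB40
23:04:07:581 1044 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
23:04:07:581 1044 IRP_MJ_READ : 804FA88E
23:04:07:581 1044 IRP_MJ_DEVICE_CONTROL : F73EBB40
23:04:07:581 1044 IRP_MJ_INTERNAL_DEVICE_CONTROL : F73EBB40
23:04:07:581 1044 IRP_MJ_POWER : F73EBB40
23:04:07:611 1044 C:\\WINDOWS\\system32\\DRIVERS\\atapi.sys - Verdict: 1
"""

# Constructed variant: one major function redirected to an address that belongs
# to no known module (0x8A3F1C20 is an invented pool address, not from the log).
HOOKED_SAMPLE = """\
23:04:07:581 1044 Driver Name: atapi
23:04:07:581 1044 IRP_MJ_CREATE : F73EBB40
23:04:07:581 1044 IRP_MJ_READ : 804FA88E
23:04:07:581 1044 IRP_MJ_DEVICE_CONTROL : 8A3F1C20
23:04:07:581 1044 IRP_MJ_INTERNAL_DEVICE_CONTROL : F73EBB40
"""


def parse_tables(log_text):
    """Return {driver_name: {IRP_MJ_xxx: address}} from the kernel-memory section."""
    tables, current = {}, None
    for line in log_text.splitlines():
        m = DRIVER_RE.search(line)
        if m:
            current = m.group(1)
            tables[current] = {}
            continue
        m = IRP_RE.search(line)
        if m and current is not None:
            tables[current][m.group(1)] = int(m.group(2), 16)
    return tables


def owner(addr, modules=MODULES):
    """Name of the module whose image range contains addr, or None."""
    for mod in modules:
        if mod.base <= addr < mod.base + mod.size:
            return mod.name
    return None


def audit(table, driver_module, modules=MODULES, kernel="ntoskrnl.exe"):
    """Dispatch entries that resolve neither into the driver's own image nor into
    the kernel. Returns {irp_name: (address, owning_module_or_None)}; an empty
    dict is the equivalent of the log's 'Verdict: 1'."""
    hooked = {}
    for irp, addr in table.items():
        mod = owner(addr, modules)
        if mod not in (driver_module, kernel):
            hooked[irp] = (addr, mod)
    return hooked


if __name__ == "__main__":
    for label, text in (("clean", CLEAN_SAMPLE), ("hooked", HOOKED_SAMPLE)):
        for driver, table in parse_tables(text).items():
            print(label, driver, audit(table, driver + ".sys") or "no hooks")
```

The clean excerpt audits to an empty result; the constructed variant flags only IRP_MJ_DEVICE_CONTROL, whose target belongs to no listed module. A class driver such as disk.sys forwards most majors into classpnp.sys, so for that table the allowed set has to include the class library as well as the kernel, otherwise every legitimate entry would be reported.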

Re: Trojan.SVCHost/Fake.Process

Post by Belahzur on Thu 06 May 2010, 11:09 pm

Hello.

Click Start > Run and copy/paste the following text into the Run box and click OK:

ComboFix /uninstall

This will also reset your restore points.

Run ESET Online Scan
Please do an online scan with ESET Online Scanner. Please use Internet Explorer as it uses ActiveX.

  • Check (tick) this box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • When prompted to run ActiveX, click Yes.
  • You will be asked to install an ActiveX. Click Install.
  • Once installed, the scanner will be initialized.
  • After the scanner is initialized, click Start.
  • Check (tick) the Remove found threats box.
  • Check (tick) Scan unwanted applications.
  • Click on Scan.
  • It will start scanning. Please be patient.
  • Once the scan is done, the log will be saved here: C:\Program Files\esetonlinescanner\log.txt.


@RealBelahzur - Please PM me if I fail to respond within 24hrs.



If I have helped you, please consider donating to me.

Belahzur

Manager | Tech Officer

Posts: 34919
Joined: 2008-08-03
Operating System: XP SP3 Media Centre


Re: Trojan.SVCHost/Fake.Process

Post by Voods on Fri 07 May 2010, 10:58 am

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=6.00.2900.5512 (xpsp.080413-2105)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=e3298c72b86b0141a9135c8ab4915811
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-05-07 01:25:19
# local_time=2010-05-07 02:25:19 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=8201 39157077 100 100 22256 39259275 0 0
# compatibility_mode=9217 16777214 0 9 35454388 41470205 0 0
# scanned=85612
# found=1
# cleaned=1
# scan_time=9861
C:\Program Files\Tascam\Gstudio\Uunwise.exe Win32/Packed.Autoit.Gen application (deleted (after the next restart) - quarantined) 00000000000000000000000000000000 C

Voods

Senior Surfer

Posts: 229
Joined: 2008-12-07
Operating System: Windows 7 Professional
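
Because the helper has to read logs like the one above by hand, here is an added Python example (not code from this thread, from ESET, or from the forum) that parses the ESET Online Scanner log layout posted above into its "# key=value" settings and its detection lines, then lists what a responder checks first. The sample log is constructed from the posted one, and the detection-line layout (path, threat name with class word, action in parentheses, a 32-hex field, a trailing flag) is assumed from that single line.

```python
import re

# Constructed sample in the ESET Online Scanner log layout posted in this thread:
# "# key=value" header lines followed by one line per detection.
SAMPLE_LOG = r"""ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# end=finished
# remove_checked=true
# unwanted_checked=true
# scanned=85612
# found=1
# cleaned=1
C:\Program Files\Tascam\Gstudio\Uunwise.exe Win32/Packed.Autoit.Gen application (deleted (after the next restart) - quarantined) 00000000000000000000000000000000 C
"""

# Detection line layout assumed from the posted line: path (may contain spaces), threat
# name plus class word, action in (possibly nested) parentheses, 32-hex field, flag field.
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<threat>(?:a variant of )?\S+/\S+.*?)\s+"
    r"\((?P<action>.+)\)\s+(?P<hash>[0-9A-Fa-f]{32})\s+(?P<flags>\S+)$"
)

def parse_eset_log(text):
    """Return (settings, detections): header key/values and one dict per detection line."""
    settings, detections = {}, []
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("#"):
            key, sep, value = line[1:].partition("=")
            if sep:  # repeated keys such as compatibility_mode keep the last value
                settings[key.strip()] = value.strip()
        elif m := DETECTION_RE.match(line):
            detections.append(m.groupdict())
    return settings, detections

def triage(settings, detections):
    """The checks a helper makes by hand on a posted log, returned as a list of findings."""
    issues = []
    if settings.get("end") != "finished":
        issues.append("scan did not run to completion")
    found, cleaned = int(settings.get("found", 0)), int(settings.get("cleaned", 0))
    if found != len(detections):
        issues.append(f"header found={found} but {len(detections)} detection line(s) present")
    if cleaned < found:
        issues.append(f"{found - cleaned} detection(s) reported but not cleaned")
    if settings.get("remove_checked") != "true":
        issues.append("'Remove found threats' was not ticked; nothing was quarantined")
    for d in detections:
        if "after the next restart" in d["action"]:
            issues.append(f"{d['path']}: deletion completes only after a reboot")
    return issues
```

Running `triage(*parse_eset_log(SAMPLE_LOG))` on the posted log reports only that the quarantined file is deleted after the next reboot, which is the one follow-up step the log itself calls for.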
