Welcome to GeekPolice!
HomeSystem Guard 2009
Page 1 of 3 • 1, 2, 3 
- Indiepages
Novice
-
OS : windows xp
Posts : 15
Rubies : 3139
Likes : 0 
Indiepages on 14th February 2009, 5:23 am
Have been trying to remove. Each time I try to download malware bytes program it logs me off the internet. Any help appreciated. Thanks.
- Doctor Inferno
Site Admin
-
OS : Windows 7 Home Premium and Ultimate X64
Anti-Malware : Kaspersky PURE and Malwarebytes' Anti-Malware
Posts : 11975
Rubies : 75487
Likes : 13 -
Doctor Inferno on 14th February 2009, 5:39 am
Read this topic and post a HijackThis log here.
http://www.geekpolice.net/malware-removal-support-hijackthis-logs-f11/read-this-before-posting-t3821.htm
http://www.geekpolice.net/malware-removal-support-hijackthis-logs-f11/read-this-before-posting-t3821.htm
- IndiepagesNovice
-
OS : windows xp
Posts : 15
Rubies : 3139
Likes : 0 -
Indiepages on 14th February 2009, 6:49 am
Updates all done.
Trying to download 'Hijack' also closes internet explorer and takes me back to desktop. So far, the three downloads that shut me off line are: 'malwarebytes' 'mcafee' and now 'hijack'. (I have been unable to open McAfee since this afternoon when we were hit). This is truly insidious. Been seeing red all day. Have had to close the system guard 2009 application every three minutes or so before it starts up again.
Any advice appreciated. Is there an alternate 'hijack' program I could download that may not set off whatever it is that's closing things down? :hmm:
Trying to download 'Hijack' also closes internet explorer and takes me back to desktop. So far, the three downloads that shut me off line are: 'malwarebytes' 'mcafee' and now 'hijack'. (I have been unable to open McAfee since this afternoon when we were hit). This is truly insidious. Been seeing red all day. Have had to close the system guard 2009 application every three minutes or so before it starts up again.
Any advice appreciated. Is there an alternate 'hijack' program I could download that may not set off whatever it is that's closing things down? :hmm:
- Belahzur
Site Admin -
OS : 7 Home Premium x64
Posts : 34948
Rubies : 218005
Likes : 18 -
- IndiepagesNovice
-
OS : windows xp
Posts : 15
Rubies : 3139
Likes : 0 -
Indiepages on 14th February 2009, 5:29 pm
2nd Link worked - thanks:
DDS (Ver_09-02-01.01) - NTFSx86
Run by Owner at 9:29:45.43 on Sat 02/14/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.139 [GMT -8:00]
AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Nexon\MapleStory\npkcmsvc.exe
C:\Program Files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAJA.EXE
C:\Program Files\Microtek\ScanWizard 5\LANServer.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Microtek\ScanWizard 5\MsgRpr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\System Guard 2009\systemguard.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OAY46RPT\dds[1].scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://my.mariners.v.mlb.com/?lang=en
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://qus10.hpwis.com/
uDefault_Search_URL = hxxp://srch-qus10.hpwis.com/
uSearch Bar = hxxp://www.google.com/ie
mSearch Bar = hxxp://srch-qus10.hpwis.com/
uInternet Settings,ProxyOverride = localhost;*.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {549B5CA7-4A86-11D7-A4DF-000874180BB3} - No File
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: Seattle-Mariners.net: {cd292324-974f-4224-ca76-c58a7308e72a} - c:\progra~1\seattl~1.net\toolbar\Toolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: Seattle-Mariners.net: {cd292324-974f-4224-ca76-c58a7308e72a} - c:\progra~1\seattl~1.net\toolbar\Toolbar.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [RecordNow!]
uRun: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
uRun: [MSMSGS] "c:\program files\messenger\MSMSGS.EXE" /background
uRun: [EPSON Stylus Photo R340 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIAJA.EXE /P30 "EPSON Stylus Photo R340 Series" /M "Stylus Photo R340" /EF "HKCU"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [prunnet] "c:\windows\system32\prun.exe"
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [VTTimer] VTTimer.exe
mRun: [LTMSG] LTMSG.exe 7
mRun: [PS2] c:\windows\system32\ps2.exe
mRun: [mmtask] c:\program files\musicmatch\musicmatch jukebox\mmtask.exe
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [EPSON Stylus Photo R340 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIAJA.EXE /P30 "EPSON Stylus Photo R340 Series" /O6 "USB001" /M "Stylus Photo R340"
mRun: [eFax 4.1] "c:\program files\efax messenger 4.1\J2GDllCmd.exe" /R
mRun: [LANServer] c:\program files\microtek\scanwizard 5\LANServer.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop elements 6.0\apdproxy.exe"
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [systemguard] c:\program files\system guard 2009\systemguard.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRunOnce: [Uninstall getPlus(R) for Adobe] "c:\program files\nos\bin\getPlus_HelperSvc.exe" /UninstallGet1noarp
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\efaxli~1.lnk - c:\program files\efax messenger 3.4\J2GDllCmd.exe
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\efaxtr~1.lnk - c:\program files\efax messenger 3.4\J2GTray.exe
StartupFolder: c:\documents and settings\owner\start menu\programs\startup\PowerReg Scheduler.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\audibl~1.lnk - c:\program files\audible\bin\AudibleDownloadHelper.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\creati~1.lnk - c:\program files\scrapbook designer\scrapremind.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\efax41~1.lnk - c:\program files\efax messenger 4.1\J2GTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\microt~1.lnk - c:\program files\microtek\scanwizard 5\ScannerFinder.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nkbmon~1.lnk - c:\program files\nikon\pictureproject\NkbMonitor.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pictur~1.lnk - c:\program files\sony corporation\picture package\picture package menu\SonyTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
Trusted Zone: ameritrade.com\wwws
DPF: RaptisoftGameLoader - hxxp://real.gamehouse.com/games/raptisoft/raptisoftgameloader.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {230C3D02-DA27-11D2-8612-00A0C93EEA3C} - hxxp://www.winkflash.com/photo/loaders/SAXFile.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {49E67060-2C0D-415E-94C7-52A49F73B2F1} - file:///C:/Documents%20and%20Settings/Owner/Local%20Settings/Application%20Data/Oberon%20Media/Oberon%20Games%20Host/PiratePoppers.1.0.0.39.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} - hxxps://mail.stampedesandandgravel.com/Remote/msrdp.cab
DPF: {7CCAD6DD-DD0B-440B-91FF-7670F5AADC21} - hxxp://playgames.comcast.net/online2/mystery_solitaire/SpinTopGamesLauncher.cab
DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} - hxxp://comcast.oberon-media.com/online2/luxor/mjolauncher.cab
DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} - hxxp://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8E2B469B-7444-42C3-BE28-7A54E05AC049} - file://e:\memdisc\album_a\view\plugin\HPODPRTC.CAB
DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab
DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} - hxxps://www.dotphoto.com/DPImageUploader.cab
DPF: {A609CB6E-FEB5-47C3-966C-1B916842BD01} - hxxp://poker.milbestlight.com/poker/PokerCreations.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {BE319D04-18BD-4B34-AECC-EE7CB610FCA9} - hxxp://download.games.yahoo.com/games/web_games/sony/bewitched/main.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} - hxxp://playgames.comcast.net/Gameshell/GameHost/1.0/OberonGameHost.cab
DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} - hxxp://playgames.comcast.net/GameShell/online/en/pandacraze/gpcontrol.cab
DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} - hxxp://comcast.oberon-media.com/online2/diner_dash/DinerDash.1.0.0.80.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://chill.comcast.net/GameShell/online/en/chuzzle/popcaploader_v10.cab
Notify: edbcfcbffdabbbfe - c:\windows\system32\edbcfcbffdabbbfe.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: ieModule - {3563FD09-C6BD-428D-B0EC-1FC820061D46} - c:\documents and settings\all users\application data\microsoft\network\dlls\ieModule.dll
SSODL: InternetConnection - {7AC65328-5BE6-4CDD-8A10-187EA2C1BDFD} - c:\documents and settings\all users\application data\microsoft\network\dlls\opccjnaarm.dll
SSODL: bQArYIKpkxn - {A152C342-D8C5-471A-8985-AFE26A1C85BB} - lfklfpylixqp.dll
============= SERVICES / DRIVERS ===============
R0 sonypvl3;sonypvl3;c:\windows\system32\drivers\sonypvl3.sys [2006-9-15 18110]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-12-2 201320]
R1 sonypvf3;sonypvf3;c:\windows\system32\drivers\sonypvf3.sys [2006-9-15 619390]
R1 sonypvt3;sonypvt3;c:\windows\system32\drivers\sonypvt3.sys [2006-9-15 423454]
R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\adobe\photoshop elements 6.0\PhotoshopElementsFileAgent.exe [2007-9-11 124832]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-12-2 359248]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2007-12-2 144704]
R2 OpenCASE Media Agent;OpenCASE Media Agent;c:\program files\opencase\opencase media agent\MediaAgent.exe [2007-12-6 810632]
R2 QuickBooksDB17;QuickBooksDB17;c:\progra~1\intuit\quickb~1\qbdbmgrn.exe -hvquickbooksdb17 --> c:\progra~1\intuit\quickb~1\QBDBMgrN.exe -hvQuickBooksDB17 [?]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-1-11 24652]
R3 busbcrw;USB Card Reader Writer driver;c:\windows\system32\drivers\busbcrw.sys [2008-4-6 16896]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-12-2 695624]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-12-2 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-12-2 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-12-2 40488]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2009-2-13 33752]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-12-2 33832]
=============== Created Last 30 ================
2009-02-13 21:52 73,728 a------- c:\windows\system32\javacpl.cpl
2009-02-13 21:52 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-13 21:01 --d----- c:\program files\System Guard 2009
2009-02-13 17:49 133,632 a------- c:\windows\system32\lfklfpylixqp.dll
2009-02-13 17:49 380,928 a------- c:\windows\system32\winscenter.exe
2009-02-13 17:49 38,352 a------- c:\windows\reged.exe
2009-02-13 17:49 51,197 a------- c:\windows\spoolsystem.exe
2009-02-13 17:49 47,872 a------- c:\windows\syscert.exe
2009-02-13 17:49 33,149 a------- c:\windows\sysexplorer.exe
2009-02-13 17:49 28,320 a------- c:\windows\sys.com
2009-02-13 17:49 18,941 a------- c:\windows\vmreg.dll
2009-02-13 17:48 69,637 a------- c:\docume~1\alluse~1\applic~1\winlogon.exe
==================== Find3M ====================
2008-12-20 15:15 826,368 a------- c:\windows\system32\wininet.dll
2007-12-19 21:57 20 a---h--- c:\docume~1\alluse~1\applic~1\PKP_DLds.DAT
2007-12-19 21:57 20 a---h--- c:\docume~1\alluse~1\applic~1\PKP_DLec.DAT
2006-09-15 18:00 284 a------- c:\docume~1\owner\applic~1\ViewerApp.dat
2006-04-13 20:28 774,144 a------- c:\program files\RngInterstitial.dll
2004-07-30 13:09 0 ac-sh--- c:\windows\sminst\HPCD.sys
2008-08-19 11:23 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008081920080820\index.dat
============= FINISH: 9:31:24.00 ===============
DDS (Ver_09-02-01.01) - NTFSx86
Run by Owner at 9:29:45.43 on Sat 02/14/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.139 [GMT -8:00]
AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Nexon\MapleStory\npkcmsvc.exe
C:\Program Files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAJA.EXE
C:\Program Files\Microtek\ScanWizard 5\LANServer.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Microtek\ScanWizard 5\MsgRpr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\System Guard 2009\systemguard.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OAY46RPT\dds[1].scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://my.mariners.v.mlb.com/?lang=en
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://qus10.hpwis.com/
uDefault_Search_URL = hxxp://srch-qus10.hpwis.com/
uSearch Bar = hxxp://www.google.com/ie
mSearch Bar = hxxp://srch-qus10.hpwis.com/
uInternet Settings,ProxyOverride = localhost;*.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {549B5CA7-4A86-11D7-A4DF-000874180BB3} - No File
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: Seattle-Mariners.net: {cd292324-974f-4224-ca76-c58a7308e72a} - c:\progra~1\seattl~1.net\toolbar\Toolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: Seattle-Mariners.net: {cd292324-974f-4224-ca76-c58a7308e72a} - c:\progra~1\seattl~1.net\toolbar\Toolbar.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [RecordNow!]
uRun: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
uRun: [MSMSGS] "c:\program files\messenger\MSMSGS.EXE" /background
uRun: [EPSON Stylus Photo R340 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIAJA.EXE /P30 "EPSON Stylus Photo R340 Series" /M "Stylus Photo R340" /EF "HKCU"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [prunnet] "c:\windows\system32\prun.exe"
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [VTTimer] VTTimer.exe
mRun: [LTMSG] LTMSG.exe 7
mRun: [PS2] c:\windows\system32\ps2.exe
mRun: [mmtask] c:\program files\musicmatch\musicmatch jukebox\mmtask.exe
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [EPSON Stylus Photo R340 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIAJA.EXE /P30 "EPSON Stylus Photo R340 Series" /O6 "USB001" /M "Stylus Photo R340"
mRun: [eFax 4.1] "c:\program files\efax messenger 4.1\J2GDllCmd.exe" /R
mRun: [LANServer] c:\program files\microtek\scanwizard 5\LANServer.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop elements 6.0\apdproxy.exe"
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [systemguard] c:\program files\system guard 2009\systemguard.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRunOnce: [Uninstall getPlus(R) for Adobe] "c:\program files\nos\bin\getPlus_HelperSvc.exe" /UninstallGet1noarp
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\efaxli~1.lnk - c:\program files\efax messenger 3.4\J2GDllCmd.exe
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\efaxtr~1.lnk - c:\program files\efax messenger 3.4\J2GTray.exe
StartupFolder: c:\documents and settings\owner\start menu\programs\startup\PowerReg Scheduler.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\audibl~1.lnk - c:\program files\audible\bin\AudibleDownloadHelper.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\creati~1.lnk - c:\program files\scrapbook designer\scrapremind.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\efax41~1.lnk - c:\program files\efax messenger 4.1\J2GTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\microt~1.lnk - c:\program files\microtek\scanwizard 5\ScannerFinder.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nkbmon~1.lnk - c:\program files\nikon\pictureproject\NkbMonitor.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pictur~1.lnk - c:\program files\sony corporation\picture package\picture package menu\SonyTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
Trusted Zone: ameritrade.com\wwws
DPF: RaptisoftGameLoader - hxxp://real.gamehouse.com/games/raptisoft/raptisoftgameloader.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {230C3D02-DA27-11D2-8612-00A0C93EEA3C} - hxxp://www.winkflash.com/photo/loaders/SAXFile.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {49E67060-2C0D-415E-94C7-52A49F73B2F1} - file:///C:/Documents%20and%20Settings/Owner/Local%20Settings/Application%20Data/Oberon%20Media/Oberon%20Games%20Host/PiratePoppers.1.0.0.39.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} - hxxps://mail.stampedesandandgravel.com/Remote/msrdp.cab
DPF: {7CCAD6DD-DD0B-440B-91FF-7670F5AADC21} - hxxp://playgames.comcast.net/online2/mystery_solitaire/SpinTopGamesLauncher.cab
DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} - hxxp://comcast.oberon-media.com/online2/luxor/mjolauncher.cab
DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} - hxxp://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8E2B469B-7444-42C3-BE28-7A54E05AC049} - file://e:\memdisc\album_a\view\plugin\HPODPRTC.CAB
DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab
DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} - hxxps://www.dotphoto.com/DPImageUploader.cab
DPF: {A609CB6E-FEB5-47C3-966C-1B916842BD01} - hxxp://poker.milbestlight.com/poker/PokerCreations.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {BE319D04-18BD-4B34-AECC-EE7CB610FCA9} - hxxp://download.games.yahoo.com/games/web_games/sony/bewitched/main.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} - hxxp://playgames.comcast.net/Gameshell/GameHost/1.0/OberonGameHost.cab
DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} - hxxp://playgames.comcast.net/GameShell/online/en/pandacraze/gpcontrol.cab
DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} - hxxp://comcast.oberon-media.com/online2/diner_dash/DinerDash.1.0.0.80.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://chill.comcast.net/GameShell/online/en/chuzzle/popcaploader_v10.cab
Notify: edbcfcbffdabbbfe - c:\windows\system32\edbcfcbffdabbbfe.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: ieModule - {3563FD09-C6BD-428D-B0EC-1FC820061D46} - c:\documents and settings\all users\application data\microsoft\network\dlls\ieModule.dll
SSODL: InternetConnection - {7AC65328-5BE6-4CDD-8A10-187EA2C1BDFD} - c:\documents and settings\all users\application data\microsoft\network\dlls\opccjnaarm.dll
SSODL: bQArYIKpkxn - {A152C342-D8C5-471A-8985-AFE26A1C85BB} - lfklfpylixqp.dll
============= SERVICES / DRIVERS ===============
R0 sonypvl3;sonypvl3;c:\windows\system32\drivers\sonypvl3.sys [2006-9-15 18110]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-12-2 201320]
R1 sonypvf3;sonypvf3;c:\windows\system32\drivers\sonypvf3.sys [2006-9-15 619390]
R1 sonypvt3;sonypvt3;c:\windows\system32\drivers\sonypvt3.sys [2006-9-15 423454]
R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\adobe\photoshop elements 6.0\PhotoshopElementsFileAgent.exe [2007-9-11 124832]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-12-2 359248]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2007-12-2 144704]
R2 OpenCASE Media Agent;OpenCASE Media Agent;c:\program files\opencase\opencase media agent\MediaAgent.exe [2007-12-6 810632]
R2 QuickBooksDB17;QuickBooksDB17;c:\progra~1\intuit\quickb~1\qbdbmgrn.exe -hvquickbooksdb17 --> c:\progra~1\intuit\quickb~1\QBDBMgrN.exe -hvQuickBooksDB17 [?]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-1-11 24652]
R3 busbcrw;USB Card Reader Writer driver;c:\windows\system32\drivers\busbcrw.sys [2008-4-6 16896]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-12-2 695624]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-12-2 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-12-2 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-12-2 40488]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2009-2-13 33752]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-12-2 33832]
=============== Created Last 30 ================
2009-02-13 21:52 73,728 a------- c:\windows\system32\javacpl.cpl
2009-02-13 21:52 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-13 21:01
2009-02-13 17:49 133,632 a------- c:\windows\system32\lfklfpylixqp.dll
2009-02-13 17:49 380,928 a------- c:\windows\system32\winscenter.exe
2009-02-13 17:49 38,352 a------- c:\windows\reged.exe
2009-02-13 17:49 51,197 a------- c:\windows\spoolsystem.exe
2009-02-13 17:49 47,872 a------- c:\windows\syscert.exe
2009-02-13 17:49 33,149 a------- c:\windows\sysexplorer.exe
2009-02-13 17:49 28,320 a------- c:\windows\sys.com
2009-02-13 17:49 18,941 a------- c:\windows\vmreg.dll
2009-02-13 17:48 69,637 a------- c:\docume~1\alluse~1\applic~1\winlogon.exe
==================== Find3M ====================
2008-12-20 15:15 826,368 a------- c:\windows\system32\wininet.dll
2007-12-19 21:57 20 a---h--- c:\docume~1\alluse~1\applic~1\PKP_DLds.DAT
2007-12-19 21:57 20 a---h--- c:\docume~1\alluse~1\applic~1\PKP_DLec.DAT
2006-09-15 18:00 284 a------- c:\docume~1\owner\applic~1\ViewerApp.dat
2006-04-13 20:28 774,144 a------- c:\program files\RngInterstitial.dll
2004-07-30 13:09 0 ac-sh--- c:\windows\sminst\HPCD.sys
2008-08-19 11:23 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008081920080820\index.dat
============= FINISH: 9:31:24.00 ===============
- BelahzurSite Admin
-
OS : 7 Home Premium x64
Posts : 34948
Rubies : 218005
Likes : 18 -
Belahzur on 14th February 2009, 5:57 pm
1. Please download The Avenger by Swandog46 to your Desktop
Link: HERE or HERE.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
3. Now, start The Avenger program by clicking on its icon on your desktop.
Link: HERE or HERE.
- Click on Avenger.zip to open the file
- Extract avenger.exe to your desktop
Files to delete:
c:\documents and settings\all users\application data\microsoft\network\dlls\ieModule.dll
c:\documents and settings\all users\application data\microsoft\network\dlls\opccjnaarm.dll
c:\windows\system32\lfklfpylixqp.dll
c:\windows\system32\winscenter.exe
c:\windows\reged.exe
c:\windows\spoolsystem.exe
c:\windows\syscert.exe
c:\windows\sysexplorer.exe
c:\windows\sys.com
c:\windows\vmreg.dll
c:\docume~1\alluse~1\applic~1\winlogon.exe
c:\windows\system32\edbcfcbffdabbbfe.dll
Folders to delete:
c:\program files\System Guard 2009
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
3. Now, start The Avenger program by clicking on its icon on your desktop.
- Under "Input script here:", paste in the script from the quote box above.
- Leave the ticked box "Scan for rootkit" ticked.
- Then tick "Disable any rootkits found"
- Now click on the Execute to begin execution of the script.
- Answer "Yes" twice when prompted.
The Avenger will automatically do the following: - It will Restart your computer.
- On reboot, it will briefly open a black command window on your desktop, this is normal.
- After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
- The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
Site Admin / Security Administrator
[Prework] - Please PM me if I fail to respond within 24hrs.
- IndiepagesNovice
-
OS : windows xp
Posts : 15
Rubies : 3139
Likes : 0 -
Indiepages on 14th February 2009, 7:00 pm
I got as far as extracting Avenger to my desktop. When I try to open it, I verify that I trust it by clicking 'Run', and then it closes and takes me back to desktop. Thank you for your tireless efforts - Perhaps I should just shoot my computer now?
- BelahzurSite Admin
-
OS : 7 Home Premium x64
Posts : 34948
Rubies : 218005
Likes : 18 -
Belahzur on 14th February 2009, 7:01 pm
Please run a GMER Rootkit scan:
Download GMER's application from here:
http://www.gmer.net/gmer.zip
Unzip it and start the GMER.exe
Click the Rootkit tab and click the Scan button.
Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.
Warning ! Please, do not select the "Show all" checkbox during the scan.
If you're having problems with running GMER.exe, try it in safe mode.
This tools works in safe mode. Other rootkitrevealers don't.
Download GMER's application from here:
http://www.gmer.net/gmer.zip
Unzip it and start the GMER.exe
Click the Rootkit tab and click the Scan button.
Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.
Warning ! Please, do not select the "Show all" checkbox during the scan.
If you're having problems with running GMER.exe, try it in safe mode.
This tools works in safe mode. Other rootkitrevealers don't.
Site Admin / Security Administrator
[Prework] - Please PM me if I fail to respond within 24hrs.
- IndiepagesNovice
-
OS : windows xp
Posts : 15
Rubies : 3139
Likes : 0 -
Indiepages on 14th February 2009, 7:55 pm
Done. When I paste here it says "The posted message is too big."
So I will paste the first part (System and Kernel codes), The User Code Section seems to be gigantic, I can post that in increments if needed:
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-02-14 11:53:51
Windows 5.1.2600 Service Pack 3
---- System - GMER 1.0.14 ----
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xF50429AA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xF5042A4B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xF5042958]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xF504296C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xF5042A5F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF5042A8B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xF5042AFE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xF5042AE3]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF50429EA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xF5042B28]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xF5042A32]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xF5042930]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xF5042944]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xF50429BE]
Code 6edf8591b0162747147f684e7d317181.sys (ckmd/Noves Inc) ZwQueryDirectoryFile [0xF749A999]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xF5042B64]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xF5042AB7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xF5042996]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xF5042982]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xF5042AA1]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF5042A19]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xF5042B12]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF5042A00]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xF50429D4]
Code 6edf8591b0162747147f684e7d317181.sys (ckmd/Noves Inc) IoCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code 6edf8591b0162747147f684e7d317181.sys (ckmd/Noves Inc) NtQueryDirectoryFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess
---- Kernel code sections - GMER 1.0.14 ----
.text ntoskrnl.exe!ZwYieldExecution 804F0EA6 7 Bytes JMP F50429D8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwOpenKey 80568D59 5 Bytes JMP F5042A36 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryValueKey 8056A1F2 7 Bytes JMP F5042ABB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!IoCreateFile 8056CC6B 5 Bytes JMP F749A872 6edf8591b0162747147f684e7d317181.sys (ckmd/Noves Inc)
PAGE ntoskrnl.exe!NtCreateFile 8056CDC0 5 Bytes JMP F50429AE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtSetInformationProcess 8056DC01 5 Bytes JMP F5042986 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateKey 8057065D 5 Bytes JMP F5042A4F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryKey 80570A6D 7 Bytes JMP F5042B68 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwEnumerateKey 80570D64 7 Bytes JMP F5042B02 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenProcess 805717C7 5 Bytes JMP F5042934 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwProtectVirtualMemory 80571CB1 7 Bytes JMP F50429C2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtQueryDirectoryFile 80572111 5 Bytes JMP F749A99D 6edf8591b0162747147f684e7d317181.sys (ckmd/Noves Inc)
PAGE ntoskrnl.exe!ZwSetValueKey 80572889 7 Bytes JMP F5042AA5 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 805736E6 5 Bytes JMP F5042A04 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtMapViewOfSection 80573B61 7 Bytes JMP F50429EE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcessEx 8057FC6C 7 Bytes JMP F5042970 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwTerminateProcess 805822EC 5 Bytes JMP F5042A1D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenThread 8058A1C9 5 Bytes JMP F5042948 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwNotifyChangeKey 8058A699 5 Bytes JMP F5042B2C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwEnumerateValueKey 80590677 7 Bytes JMP F5042AE7 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteValueKey 80592D5C 7 Bytes JMP F5042A8F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteKey 805952CA 7 Bytes JMP F5042A63 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcess 805B136A 5 Bytes JMP F504295C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetContextThread 8062DCF7 5 Bytes JMP F504299A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnloadKey 8064DA12 7 Bytes JMP F5042B16 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryMultipleValueKey 8064E338 7 Bytes JMP F5042AD1 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRenameKey 8064E7B6 7 Bytes JMP F5042A79 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRestoreKey 8064ECA9 5 Bytes JMP F5042B40 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwReplaceKey 8064F112 5 Bytes JMP F5042B54 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
So I will paste the first part (System and Kernel codes), The User Code Section seems to be gigantic, I can post that in increments if needed:
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-02-14 11:53:51
Windows 5.1.2600 Service Pack 3
---- System - GMER 1.0.14 ----
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xF50429AA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xF5042A4B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xF5042958]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xF504296C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xF5042A5F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF5042A8B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xF5042AFE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xF5042AE3]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF50429EA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xF5042B28]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xF5042A32]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xF5042930]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xF5042944]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xF50429BE]
Code 6edf8591b0162747147f684e7d317181.sys (ckmd/Noves Inc) ZwQueryDirectoryFile [0xF749A999]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xF5042B64]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xF5042AB7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xF5042996]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xF5042982]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xF5042AA1]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF5042A19]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xF5042B12]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF5042A00]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xF50429D4]
Code 6edf8591b0162747147f684e7d317181.sys (ckmd/Noves Inc) IoCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code 6edf8591b0162747147f684e7d317181.sys (ckmd/Noves Inc) NtQueryDirectoryFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess
---- Kernel code sections - GMER 1.0.14 ----
.text ntoskrnl.exe!ZwYieldExecution 804F0EA6 7 Bytes JMP F50429D8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwOpenKey 80568D59 5 Bytes JMP F5042A36 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryValueKey 8056A1F2 7 Bytes JMP F5042ABB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!IoCreateFile 8056CC6B 5 Bytes JMP F749A872 6edf8591b0162747147f684e7d317181.sys (ckmd/Noves Inc)
PAGE ntoskrnl.exe!NtCreateFile 8056CDC0 5 Bytes JMP F50429AE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtSetInformationProcess 8056DC01 5 Bytes JMP F5042986 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateKey 8057065D 5 Bytes JMP F5042A4F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryKey 80570A6D 7 Bytes JMP F5042B68 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwEnumerateKey 80570D64 7 Bytes JMP F5042B02 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenProcess 805717C7 5 Bytes JMP F5042934 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwProtectVirtualMemory 80571CB1 7 Bytes JMP F50429C2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtQueryDirectoryFile 80572111 5 Bytes JMP F749A99D 6edf8591b0162747147f684e7d317181.sys (ckmd/Noves Inc)
PAGE ntoskrnl.exe!ZwSetValueKey 80572889 7 Bytes JMP F5042AA5 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 805736E6 5 Bytes JMP F5042A04 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtMapViewOfSection 80573B61 7 Bytes JMP F50429EE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcessEx 8057FC6C 7 Bytes JMP F5042970 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwTerminateProcess 805822EC 5 Bytes JMP F5042A1D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenThread 8058A1C9 5 Bytes JMP F5042948 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwNotifyChangeKey 8058A699 5 Bytes JMP F5042B2C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwEnumerateValueKey 80590677 7 Bytes JMP F5042AE7 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteValueKey 80592D5C 7 Bytes JMP F5042A8F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteKey 805952CA 7 Bytes JMP F5042A63 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcess 805B136A 5 Bytes JMP F504295C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetContextThread 8062DCF7 5 Bytes JMP F504299A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnloadKey 8064DA12 7 Bytes JMP F5042B16 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryMultipleValueKey 8064E338 7 Bytes JMP F5042AD1 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRenameKey 8064E7B6 7 Bytes JMP F5042A79 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRestoreKey 8064ECA9 5 Bytes JMP F5042B40 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwReplaceKey 8064F112 5 Bytes JMP F5042B54 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
- BelahzurSite Admin
-
OS : 7 Home Premium x64
Posts : 34948
Rubies : 218005
Likes : 18 -
Belahzur on 14th February 2009, 8:03 pm
Hello.
I figured it would be.
Upload it here for me:
www.mediafire.com
Press the big green upload button.
Choose to upload without an account.
Locate the file and upload it.
It should give you a link so I can get the text file.
I figured it would be.
Upload it here for me:
www.mediafire.com
Press the big green upload button.
Choose to upload without an account.
Locate the file and upload it.
It should give you a link so I can get the text file.
Site Admin / Security Administrator
[Prework] - Please PM me if I fail to respond within 24hrs.
Page 1 of 3 • 1, 2, 3
Similar topics
Create an account or log in to leave a reply
You need to be a member in order to leave a reply.
Page 1 of 3
Permissions in this forum:
You can reply to topics in this forum
