Reply to audio and pop-up malware
Results 1 to 5 of 5

Thread: Reply to audio and pop-up malware

  1. July 13th, 2010, 11:12 AM #1
    Down
    Down is offline Virtual Med Student
    Join Date
    Jul 2010
    Posts
    4

    Reply to audio and pop-up malware

    1st of all sorry for creating a new thread for this, i wanted to reply to the thread created yesterday: http://discussions.virtualdr.com/sho...d.php?t=245525 but for some reason i dont have permission to reply there.

    I am in desperate need of help with this though, so ill follow the steps in that post hoping that someone saves me from muted sound every couple of mins.

    STEP 1. Download Malwarebytes' Anti-Malware
    Log:

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4309

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    13-7-2010 16:54:57
    mbam-log-2010-07-13 (16-54-57).txt

    Scan type: Quick scan
    Objects scanned: 123521
    Time elapsed: 3 minute(s), 25 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    I will now continue to follow steps 2&3 and will post back here.
    Thanks in advance for the help, sorry for new thread, mayb this could be moved.
    Reply With Quote Reply With Quote
  2. July 13th, 2010, 11:26 AM #2
    Down
    Down is offline Virtual Med Student
    Join Date
    Jul 2010
    Posts
    4
    STEP 2. Download GMER
    Log:

    Attached it cause its alot of tekst (didnt have "Show all" selected but im afraid it still shows... well.. all)

    I will now proceed with step 3


    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-07-13 17:20:55
    Windows 5.1.2600 Service Pack 3
    Running: k7liz5ed.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\kwrcypog.sys


    ---- System - GMER 1.0.15 ----

    SSDT B87070AE ZwCreateKey
    SSDT B87070A4 ZwCreateThread
    SSDT B87070B3 ZwDeleteKey
    SSDT B87070BD ZwDeleteValueKey
    SSDT B87070C2 ZwLoadKey
    SSDT B8707090 ZwOpenProcess
    SSDT B8707095 ZwOpenThread
    SSDT B87070CC ZwReplaceKey
    SSDT B87070C7 ZwRestoreKey
    SSDT B87070B8 ZwSetValueKey

    ---- Kernel code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB7613360, 0x3E6B45, 0xE8000020]
    ? C:\WINDOWS\system32\Drivers\uphcleanhlp.sys The system cannot find the file specified. !

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\system32\winlogon.exe[868] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 6340FDC0 c:\program files\uphclean\uphclean.dll (User Profile Hive Cleanup Service/Windows (R) Codename Longhorn DDK provider)
    .text C:\WINDOWS\system32\winlogon.exe[868] ntdll.dll!NtFlushKey 7C90D34E 5 Bytes JMP 6340FCB0 c:\program files\uphclean\uphclean.dll (User Profile Hive Cleanup Service/Windows (R) Codename Longhorn DDK provider)
    .text C:\WINDOWS\system32\winlogon.exe[868] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes JMP 63411BF0 c:\program files\uphclean\uphclean.dll (User Profile Hive Cleanup Service/Windows (R) Codename Longhorn DDK provider)
    .text C:\WINDOWS\system32\winlogon.exe[868] ntdll.dll!NtSetInformationFile 7C90DC5E 5 Bytes JMP 63411CA0 c:\program files\uphclean\uphclean.dll (User Profile Hive Cleanup Service/Windows (R) Codename Longhorn DDK provider)
    .text C:\WINDOWS\system32\winlogon.exe[868] ntdll.dll!NtUnloadKey 7C90DECE 5 Bytes JMP 6340E520 c:\program files\uphclean\uphclean.dll (User Profile Hive Cleanup Service/Windows (R) Codename Longhorn DDK provider)
    .text C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3836] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 15, 00]
    .text C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3836] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
    .text C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3836] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 15, 00]
    .text C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3836] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
    .text C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3836] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 15, 00]
    .text C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3836] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
    .text C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3836] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90EB1A
    .text C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3836] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
    .text C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3836] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 15, 00]
    .text C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3836] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
    .text C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3836] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 15, 00]
    .text C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3836] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
    .text C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3836] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 15, 00]
    .text C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3836] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
    .text C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3836] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90EB8B
    .text C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3836] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
    .text C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3836] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 15, 00]
    .text C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3836] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
    .text C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3836] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90ECB9
    .text C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3836] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
    .text C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3836] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 15, 00]
    .text C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3836] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
    .text C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3836] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 15, 00]
    .text C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3836] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3864] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E21550D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3864] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB6C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3864] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E4CF7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3864] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4C29 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3864] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E4C94 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3864] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4AFA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3864] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4B5C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3864] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4D5A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3864] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4BBE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3928] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E21550D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3928] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9B11 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3928] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD135 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3928] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB6C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3928] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25467E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3928] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E4CF7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3928] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4C29 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3928] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E4C94 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3928] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4AFA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3928] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4B5C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3928] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4D5A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3928] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4BBE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3928] ole32.dll!CoCreateInstance 774FF1C4 1 Byte [E9]
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3928] ole32.dll!CoCreateInstance 774FF1C4 5 Bytes JMP 3E2EDBC8 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3928] ole32.dll!OleLoadFromStream 775297FD 5 Bytes JMP 3E3E505F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[3928] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)

    Device \Driver\BTHUSB \Device\00000092 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
    Device \Driver\BTHUSB \Device\00000094 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)

    AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001b634d47cc
    Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001b634d47cc (not active ControlSet)

    ---- EOF - GMER 1.0.15 ----

    Edited by Mod for easier reading.
    Attached Files Attached Files
    Reply With Quote Reply With Quote
  3. July 13th, 2010, 11:34 AM #3
    Down
    Down is offline Virtual Med Student
    Join Date
    Jul 2010
    Posts
    4
    Apparently it did show the entire log in my post, srry for that. Dont know what to do about it so will probably happen in this post as well.

    STEP 3. Download HijackThis:
    Log:

    Attached


    I really hope this can be resolved quickly, as i will not do anything untill i get a confirmation from this place.
    Thnx again in advance
    Attached Files Attached Files
    Reply With Quote Reply With Quote
  4. July 13th, 2010, 11:41 AM #4
    Down
    Down is offline Virtual Med Student
    Join Date
    Jul 2010
    Posts
    4
    Seeing the fact that the other post was edited by mod for easier reading:

    HijackThis Log:

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 17:29:51, on 13-7-2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Boot Camp\Bootcamp.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\WINDOWS\system32\AppleOSSMgr.exe
    C:\WINDOWS\system32\AppleTimeSrv.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\Program Files\HijackThis\Trend Micro\HiJackThis\HiJackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Windows Live Aanmelden - Help - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [Apple_KbdMgr] C:\Program Files\Boot Camp\Bootcamp.exe
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: RailNotification - Invalid registry found
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: Apple OS Switch Manager (AppleOSSMgr) - Unknown owner - C:\WINDOWS\system32\AppleOSSMgr.exe
    O23 - Service: Apple Time Service (AppleTimeSrv) - Apple Inc. - C:\WINDOWS\system32\AppleTimeSrv.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    --
    End of file - 6666 bytes
    Reply With Quote Reply With Quote
  6. July 13th, 2010, 08:38 PM #5
    Broni's Avatar
    Broni
    Broni is offline Friend of Site Staff
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    Download Bootkit Remover to your Desktop.

    • You then need to extract the remover.exe file from the RAR using a program capable of extracing RAR compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/
    • After extracing remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users,right click on remover.exe and click Run As Administrator.
    • It will show a Black screen with some data on it.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.
    My Home Page
    Reply With Quote Reply With Quote
« Previous Thread | Next Thread »

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules