WiredWX Hobby Weather Tools

Win 7 System Guard Trojan
Like many, I caught a trojan or trojans. It implanted links to porn sites on my computer and kept asking me to install this Win 7 System Guard to protect against supposedly 29 viruses/trojans/etc. that I had on my computer.

My Lavasoft, McAfee and Firefox were disabled. When I got McAfee to run a scan, it didn't find anything.

So, I ran ComboFix.exe and it deleted many files. Then I ran Malwarebytes' Anti-Malware fast scan and it deleted one trojan. Then I ran it again in full mode and it deleted one more trojan. Next was Trend Micro's HouseCall, which found nothing, then their RootkitBuster.exe, and finally ComboFix.exe and Malwarebytes again in safe mode (which found nothing).

Unfortunately, that second ComboFix run deleted the log of the first, but I have the Malwarebytes logs. My question is, after looking at the logs below, can I reasonably be sure my computer is disinfected, or is there more I need to do?

Thanks in advance.

Here is the first MWB log:


Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 4049

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

4/29/2010 1:22:04 AM
mbam-log-2010-04-29 (01-22-04).txt

Scan type: Quick scan
Objects scanned: 112689
Time elapsed: 6 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Le Minh Triet\AppData\Local\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


The second MWB log:

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 4049

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

4/29/2010 2:33:01 AM
mbam-log-2010-04-29 (02-33-01).txt

Scan type: Full scan (C:\|F:\|G:\|)
Objects scanned: 253461
Time elapsed: 58 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\Users\Le Minh Triet\AppData\Local\Temp\csoqq.dll.vir (Trojan.Ertfor) -> Quarantined and deleted successfully.


The third MWB log:

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 4049

Windows 6.1.7600 (Safe Mode)
Internet Explorer 8.0.7600.16385

4/29/2010 3:48:45 AM
mbam-log-2010-04-29 (03-48-45).txt

Scan type: Full scan (C:\|F:\|G:\|)
Objects scanned: 250354
Time elapsed: 27 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

The Combofix log:

ComboFix 10-04-28.04 - Le Minh Triet 04/29/2010 3:11.2.2 - x86 MINIMAL
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3070.2304 [GMT -5:00]
Running from: c:\users\Le Minh Triet\Desktop\ComboFix.exe
AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Outdated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.

((((((((((((((((((((((((( Files Created from 2010-03-28 to 2010-04-29 )))))))))))))))))))))))))))))))
.

2010-04-29 08:17 . 2010-04-29 08:17 -------- dc----w- c:\users\Owner\AppData\Local\temp
2010-04-29 08:17 . 2010-04-29 08:17 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-04-29 08:17 . 2010-04-29 08:17 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-04-29 08:07 . 2010-04-29 08:10 -------- d-----w- C:\32788R22FWJFW
2010-04-29 07:47 . 2010-04-29 07:47 -------- d-----w- c:\windows\system32\Wat
2010-04-29 06:13 . 2010-04-29 06:13 -------- d-----w- c:\users\Le Minh Triet\AppData\Roaming\Malwarebytes
2010-04-29 06:12 . 2010-03-30 05:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 06:12 . 2010-04-29 06:12 -------- d-----w- c:\programdata\Malwarebytes
2010-04-29 06:12 . 2010-03-30 05:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-29 06:12 . 2010-04-29 06:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-29 05:13 . 2010-04-29 05:13 260608 ----a-w- c:\programdata\Microsoft\Windows Defender\LocalCopy\{F3870710-5316-174B-94C6-7A3730C468E7}-sysmon64x.exe
2010-04-29 02:40 . 2010-04-29 02:40 260608 ----a-w- c:\programdata\Microsoft\Windows Defender\LocalCopy\{3F49E783-43EC-1B57-8F65-C78B5357E7A7}-sysmon64x.exe
2010-04-29 01:42 . 2010-04-29 05:21 -------- d-----w- c:\programdata\salizuya
2010-04-29 01:42 . 2010-04-29 01:42 -------- d-----w- c:\programdata\rojolutu
2010-04-29 01:42 . 2010-04-29 01:42 -------- d-----w- c:\programdata\jiwirido
2010-04-29 00:20 . 2010-04-29 00:20 -------- d-----w- c:\users\Le Minh Triet\AppData\Roaming\Flickr
2010-04-29 00:20 . 2010-04-29 00:20 -------- d-----w- c:\users\Le Minh Triet\AppData\Local\Flickr
2010-04-28 23:57 . 2010-04-28 23:57 -------- d-----w- c:\program files\SyncToy 2.1
2010-04-28 21:53 . 2010-03-26 02:49 66048 -c--a-w- c:\users\Le Minh Triet\AppData\Roaming\Mozilla\Firefox\Profiles\2oicotto.default\extensions\twitternotifier@naan.net\platform\WINNT\components\nsTwitterFoxSign.dll
2010-04-28 21:53 . 2009-11-26 03:03 61952 -c--a-w- c:\users\Le Minh Triet\AppData\Roaming\Mozilla\Firefox\Profiles\2oicotto.default\extensions\cfxHelper@Triton\components\dwmxpcom.dll
2010-04-28 21:53 . 2010-04-07 20:28 253952 -c--a-w- c:\users\Le Minh Triet\AppData\Roaming\Mozilla\Firefox\Profiles\2oicotto.default\extensions\ietab@ip.cn\plugins\npCoralIETab.dll
2010-04-28 21:46 . 2010-04-28 21:46 -------- d-----w- c:\program files\Common Files\Java
2010-04-28 21:46 . 2010-04-12 22:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-28 21:42 . 2009-09-26 05:58 194488 ----a-w- c:\windows\system32\drivers\fvevol.sys
2010-04-28 21:42 . 2009-12-11 07:44 133720 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2010-04-28 21:42 . 2009-12-11 07:38 1037312 ----a-w- c:\windows\system32\lsasrv.dll
2010-04-28 21:42 . 2010-02-27 12:07 3954568 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-28 21:42 . 2010-02-27 12:07 3899280 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-28 21:42 . 2010-03-08 21:33 427520 ----a-w- c:\windows\system32\vbscript.dll
2010-04-28 21:42 . 2010-02-27 07:32 221696 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-28 21:42 . 2010-02-27 07:32 95744 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-28 21:42 . 2010-02-27 07:32 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-28 21:41 . 2009-12-29 06:55 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-28 21:41 . 2010-01-09 06:52 132608 ----a-w- c:\windows\system32\cabview.dll
2010-04-19 19:59 . 2010-04-19 19:59 255472 ----a-w- c:\users\Le Minh Triet\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
2010-04-02 16:31 . 2010-04-02 16:32 20846064 ----a-w- c:\users\Le Minh Triet\AppData\Roaming\Real\Update\setup3.11\rp\RealPlayerSPGold.exe
2010-04-02 16:31 . 2010-04-02 16:31 79368 ----a-w- c:\users\Le Minh Triet\AppData\Roaming\Real\Update\setup3.11\RUP\vista.exe
2010-04-02 16:31 . 2010-04-02 16:31 64000 ----a-w- c:\users\Le Minh Triet\AppData\Roaming\Real\Update\setup3.11\RUP\inst_config\gcapi_dll.dll
2010-04-02 16:31 . 2010-04-02 16:31 52288 ----a-w- c:\users\Le Minh Triet\AppData\Roaming\Real\Update\setup3.11\RUP\inst_config\gtapi.dll
2010-04-02 16:31 . 2010-04-02 16:31 50688 ----a-w- c:\users\Le Minh Triet\AppData\Roaming\Real\Update\setup3.11\RUP\inst_config\fftbapi.dll
2010-04-02 16:31 . 2010-04-02 16:31 49152 ----a-w- c:\users\Le Minh Triet\AppData\Roaming\Real\Update\setup3.11\RUP\inst_config\CarboniteCompatibility.dll
2010-04-02 16:31 . 2010-04-02 16:31 118784 ----a-w- c:\users\Le Minh Triet\AppData\Roaming\Real\Update\setup3.11\RUP\inst_config\compat.dll
2010-04-02 03:52 . 2010-04-28 21:38 439816 ----a-w- c:\users\Le Minh Triet\AppData\Roaming\Real\Update\setup3.11\setup.exe
2010-03-31 04:11 . 2010-02-23 07:56 977920 ----a-w- c:\windows\system32\wininet.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-29 08:05 . 2010-01-02 17:16 -------- d-----w- c:\users\Le Minh Triet\AppData\Roaming\Skype
2010-04-29 07:48 . 2010-01-02 07:49 17920 ----a-w- c:\windows\system32\rpcnetp.exe
2010-04-29 07:48 . 2010-01-02 07:12 57752 ----a-w- c:\windows\system32\rpcnet.dll
2010-04-29 05:24 . 2010-01-02 07:49 17920 ----a-w- c:\windows\system32\rpcnetp.dll
2010-04-28 21:46 . 2010-01-02 17:27 -------- d-----w- c:\program files\Java
2010-04-28 21:39 . 2010-01-02 07:12 13160 ----a-w- c:\windows\system32\Upgrd.exe
2010-04-28 21:39 . 2010-01-02 07:12 57752 ------w- c:\windows\system32\rpcnet.exe
2010-03-26 19:03 . 2010-01-02 14:20 -------- d-----w- c:\program files\PC-Doctor
2010-03-26 17:30 . 2010-03-26 17:30 -------- d-----w- c:\program files\Utimaco
2010-03-25 20:26 . 2010-03-25 20:14 -------- d-----w- c:\users\Le Minh Triet\AppData\Roaming\RipIt4Me
2010-03-25 20:25 . 2010-03-25 20:25 -------- d-----w- c:\program files\DVD Decrypter
2010-03-25 20:17 . 2010-03-25 20:17 643072 ----a-w- c:\users\Le Minh Triet\AppData\Roaming\RipIt4Me\updater\ri4mupdater.exe
2010-03-25 20:16 . 2010-03-25 20:16 -------- d-----w- c:\users\Le Minh Triet\AppData\Roaming\Vso
2010-03-25 20:16 . 2010-03-25 20:16 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2010-03-25 20:16 . 2010-03-25 20:16 47360 ----a-w- c:\users\Le Minh Triet\AppData\Roaming\pcouffin.sys
2010-03-25 20:16 . 2010-03-25 20:16 47360 ----a-w- c:\users\Le Minh Triet\AppData\Roaming\pcouffin.sys
2010-03-25 20:16 . 2010-03-25 20:15 -------- d-----w- c:\program files\DVDFab 7
2010-03-25 20:09 . 2010-03-25 20:09 -------- d-----w- c:\programdata\DVD Shrink
2010-03-25 20:09 . 2010-03-25 20:09 -------- d-----w- c:\program files\DVD Shrink
2010-03-25 03:28 . 2010-01-02 13:54 -------- d-----w- c:\users\Le Minh Triet\AppData\Roaming\HandBrake
2010-03-25 01:48 . 2010-03-25 01:44 -------- d-----w- c:\users\Le Minh Triet\AppData\Roaming\InfraRecorder
2010-03-25 01:43 . 2010-03-25 01:43 -------- d-----w- c:\program files\InfraRecorder
2010-03-19 14:24 . 2010-03-19 14:24 -------- d-----w- c:\program files\Lavasoft
2010-03-19 14:24 . 2010-03-19 14:24 -------- dc-h--w- c:\programdata\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-03-19 14:24 . 2010-01-02 08:07 -------- d-----w- c:\programdata\Lavasoft
2010-03-19 12:07 . 2010-03-19 12:07 -------- d-----w- c:\programdata\FLEXnet
2010-03-19 10:16 . 2010-01-02 07:21 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-19 10:16 . 2010-03-19 10:16 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2010-03-19 10:15 . 2010-01-02 06:53 114560 ----a-w- c:\users\Le Minh Triet\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-17 00:33 . 2010-03-17 00:33 -------- d-----w- c:\users\Le Minh Triet\AppData\Roaming\AdobeUM
2010-03-15 00:52 . 2010-03-15 00:52 -------- d-----w- c:\users\Le Minh Triet\AppData\Roaming\inkscape
2010-03-15 00:51 . 2010-03-15 00:51 -------- d-----w- c:\users\Le Minh Triet\AppData\Roaming\Notepad++
2010-03-15 00:51 . 2010-03-15 00:51 -------- d-----w- c:\program files\Notepad++
2010-03-13 20:23 . 2010-01-23 13:43 -------- d-----w- c:\program files\uTorrent
2010-03-13 13:28 . 2010-01-23 13:42 -------- d-----w- c:\users\Le Minh Triet\AppData\Roaming\uTorrent
2010-03-10 15:14 . 2010-03-10 15:14 118784 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-03-10 15:14 . 2010-03-10 15:14 118784 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-03-10 15:14 . 2010-03-10 15:14 118784 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-03-10 15:14 . 2010-03-10 15:14 118784 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-03-10 15:14 . 2010-03-10 15:14 118784 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-03-10 15:14 . 2010-03-10 15:14 300616 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-03-10 15:14 . 2010-03-10 15:14 118784 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-03-10 15:14 . 2010-03-10 15:14 329312 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-03-10 15:14 . 2010-01-02 16:56 -------- d-----w- c:\program files\Common Files\Real
2010-03-10 15:13 . 2010-01-02 16:56 -------- d-----w- c:\program files\Real
2010-03-10 15:13 . 2010-03-10 15:13 -------- d-----w- c:\program files\Common Files\xing shared
2010-03-09 21:46 . 2010-03-09 21:46 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2010-03-09 21:46 . 2010-03-09 21:46 -------- d-----w- c:\program files\Hewlett-Packard
2010-03-09 21:44 . 2010-03-09 21:44 -------- d-----w- c:\programdata\Hewlett-Packard
2010-03-09 00:46 . 2010-03-09 00:46 -------- d-----w- c:\program files\Morphyre
2010-03-09 00:44 . 2010-01-02 16:34 -------- d-----w- c:\users\Le Minh Triet\AppData\Roaming\Winamp
2010-03-09 00:42 . 2010-01-02 16:34 -------- d-----w- c:\program files\Winamp
2010-03-09 00:40 . 2010-03-09 00:40 -------- d-----w- c:\program files\R4
2010-03-08 06:47 . 2010-01-02 16:34 -------- d-----w- c:\program files\Winamp Detect
2010-03-07 13:50 . 2010-03-07 13:50 79368 ----a-w- c:\users\Le Minh Triet\AppData\Roaming\Real\Update\setup3.10\RUP\vista.exe
2010-03-07 05:07 . 2010-03-07 05:07 439816 ----a-w- c:\users\Le Minh Triet\AppData\Roaming\Real\Update\setup3.10\setup.exe
2010-03-05 15:16 . 2010-03-05 15:16 -------- d-----w- c:\program files\Microsoft
2010-02-24 15:16 . 2010-01-02 06:54 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-18 08:06 . 2010-02-18 08:06 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-02-18 03:59 . 2010-01-02 07:20 38784 ----a-w- c:\users\Le Minh Triet\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-02-18 03:59 . 2010-01-02 07:20 38784 ----a-w- c:\users\Default\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-02-15 14:13 . 2010-02-15 14:13 64099864 ----a-w- c:\users\Le Minh Triet\AppData\Roaming\Nokia\Ovi Suite\Software Updater\NokiaOviSuite2Installer.exe
2010-02-08 01:12 . 2010-02-08 01:12 12212040 ----a-w- c:\programdata\OviInstallerCache\{D07520AE-F890-40E2-97BB-FC627869C8B3}\Installer\CommonCustomActions\WMFDist11-WindowsXP-X86-ENU.exe
2010-02-08 01:12 . 2010-02-08 01:12 13930312 ----a-w- c:\programdata\OviInstallerCache\{D07520AE-F890-40E2-97BB-FC627869C8B3}\Installer\CommonCustomActions\WMFDist11-WindowsXP-X64-ENU.exe
2010-02-08 01:12 . 2010-02-08 01:12 77824 ----a-w- c:\programdata\OviInstallerCache\{D07520AE-F890-40E2-97BB-FC627869C8B3}\Installer\CommonCustomActions\Run_XML6_SP1.exe
2010-02-08 01:12 . 2010-02-08 01:12 61440 ----a-w- c:\programdata\OviInstallerCache\{D07520AE-F890-40E2-97BB-FC627869C8B3}\Installer\CommonCustomActions\WMF11Runx86.exe
2010-02-08 01:12 . 2010-02-08 01:12 58880 ----a-w- c:\programdata\OviInstallerCache\{D07520AE-F890-40E2-97BB-FC627869C8B3}\Installer\CommonCustomActions\WMF11Runx64.exe
2010-02-08 01:12 . 2010-02-08 01:12 50000 ----a-w- c:\programdata\OviInstallerCache\{D07520AE-F890-40E2-97BB-FC627869C8B3}\Installer\CommonCustomActions\pcswpc.exe
2010-02-08 00:33 . 2010-02-08 01:12 98360888 ----a-w- c:\programdata\OviInstallerCache\{D07520AE-F890-40E2-97BB-FC627869C8B3}\Nokia_Ovi_Suite_2_1_0_82_ALL.exe
2010-02-04 15:53 . 2010-03-19 14:24 2954656 -c--a-w- c:\programdata\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-02-04 15:53 . 2010-03-19 14:27 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-02-02 07:45 . 2010-02-24 13:30 2048 ----a-w- c:\windows\system32\tzres.dll
2008-09-29 14:07 . 2010-01-02 09:20 22576 ----a-w- c:\program files\mozilla firefox\components\scriptff.dll
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}]
2009-11-04 03:12 556432 ----a-w- c:\progra~1\MICROS~4\Office14\URLREDIR.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2009-11-10 5244216]
"Google Update"="c:\users\Le Minh Triet\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-01-02 135664]
"googletalk"="c:\users\Le Minh Triet\AppData\Roaming\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2008-03-14 136512]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-09-29 124240]
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2009-06-17 85160]
"TpShocks"="TpShocks.exe" [2009-07-09 337184]
"PWMTRV"="c:\progra~1\ThinkPad\UTILIT~1\PWMTR32V.DLL" [2009-09-09 714016]
"AcWin7Hlpr"="c:\program files\Lenovo\Access Connections\AcTBenabler.exe" [2009-10-13 36864]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2009-11-17 69568]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-07-14 1541416]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2010-01-13 37888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2009-05-18 1314816]
"cssauth"="c:\program files\Lenovo\Client Security Solution\cssauth.exe" [2009-10-19 3093816]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2009-09-27 83312]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2009-04-07 642856]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-10 202256]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-12 640376]
"PDService.exe"="c:\program files\Utimaco\SafeGuard PrivateDisk\pdservice.exe" [2007-09-07 53248]
"Launch Backup Service Once"="c:\program files\Lenovo\Rescue and Recovery\rrstrigger.exe" [2009-09-25 21304]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-03-30 1086856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"DisableCAD"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2009-08-17 20:27 100104 ----a-w- c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\acaptuser32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"

[HKLM\~\startupfolder\C:^Users^Le Minh Triet^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2010 Screen Clipper and Launcher.lnk]
path=c:\users\Le Minh Triet\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2010 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaMServer]
c:\program files\Common Files\Nokia\MPlatform\NokiaMServer [X]

R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiif32.sys [2008-05-13 13480]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-02 135664]
R2 LENOVO.CAMMUTE;Lenovo Camera Mute;c:\program files\LENOVO\HOTKEY\CAMMUTE.exe [2009-11-09 54632]
R2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\LENOVO\HOTKEY\MICMUTE.exe [2009-11-18 44984]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2008-09-29 67904]
R2 PrivateDisk;PrivateDisk;c:\program files\Utimaco\SafeGuard PrivateDisk\PrivateDiskM.sys [2007-09-07 57856]
R2 smihlp;SMI Helper Driver (smihlp);c:\program files\ThinkVantage Fingerprint Software\smihlp.sys [2009-03-13 12560]
R2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [2009-11-17 62904]
R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-03-19 1263728]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2008-09-29 64432]
R3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2009-09-26 4639136]
R3 PCDSRVC{3037D694-FD904ACA-06000000}_0;PCDSRVC{3037D694-FD904ACA-06000000}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\pc-doctor\pcdsrvc.pkms [2009-11-20 20848]
R3 PCDSRVC{C4B36920-79E24793-06000000}_0;PCDSRVC{C4B36920-79E24793-06000000}_0 - PCDR Kernel Mode Service Helper Driver;c:\progra~1\pc-doc~1\pcdsrvc.pkms [2009-11-20 20848]
R3 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.EXE [2009-09-09 75040]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\DRIVERS\Tvti2c.sys [2009-07-02 38336]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-04-29 1343400]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2009-07-14 17920]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-02-04 64288]
S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM86.sys [2009-06-29 20520]
S2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\EngineServer.exe [2008-09-29 19456]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-04-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-02 08:07]

2010-04-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-02 08:07]

2010-04-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1209684377-1073439955-1070647248-1000Core.job
- c:\users\Le Minh Triet\AppData\Local\Google\Update\GoogleUpdate.exe [2010-01-04 08:07]

2010-04-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1209684377-1073439955-1070647248-1000UA.job
- c:\users\Le Minh Triet\AppData\Local\Google\Update\GoogleUpdate.exe [2010-01-04 08:07]

2010-01-19 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\PC-Doctor\pcdlauncher.exe [2009-11-20 10:12]

2010-04-06 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\PC-Doctor\pcdr5cuiw32.exe [2010-02-18 00:15]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://med.uth.tmc.edu/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
mStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = ;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~4\Office14\ONBttnIE.dll/105
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: tmc.edu\vpn.uth
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
FF - ProfilePath - c:\users\Le Minh Triet\AppData\Roaming\Mozilla\Firefox\Profiles\2oicotto.default\
FF - prefs.js: browser.startup.homepage - hxxp://med.uth.tmc.edu/
FF - component: c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
FF - component: c:\users\Le Minh Triet\AppData\Roaming\Mozilla\Firefox\Profiles\2oicotto.default\extensions\cfxHelper@Triton\components\dwmxpcom.dll
FF - component: c:\users\Le Minh Triet\AppData\Roaming\Mozilla\Firefox\Profiles\2oicotto.default\extensions\twitternotifier@naan.net\platform\WINNT\components\nsTwitterFoxSign.dll
FF - plugin: c:\progra~1\MICROS~4\Office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\MICROS~4\Office14\NPSPWRAP.DLL
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll
FF - plugin: c:\program files\RayV\RayV\plugins\nprayvplugin.dll
FF - plugin: c:\users\Le Minh Triet\AppData\Local\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\users\Le Minh Triet\AppData\Roaming\Move Networks\plugins\npqmp071706000001.dll
FF - plugin: c:\users\Le Minh Triet\AppData\Roaming\Mozilla\Firefox\Profiles\2oicotto.default\extensions\ietab@ip.cn\plugins\npCoralIETab.dll
FF - plugin: c:\users\Le Minh Triet\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

HKLM-RunOnce- - (no file)



[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PCDSRVC{3037D694-FD904ACA-06000000}_0]
"ImagePath"="\??\c:\program files\pc-doctor\pcdsrvc.pkms"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PCDSRVC{C4B36920-79E24793-06000000}_0]
"ImagePath"="\??\c:\progra~1\pc-doc~1\pcdsrvc.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2010-04-29 03:18:42
ComboFix-quarantined-files.txt 2010-04-29 08:18
ComboFix2.txt 2010-04-29 05:30

Pre-Run: 12,342,243,328 bytes free
Post-Run: 12,292,853,760 bytes free

- - End Of File - - 9DDEBEB98A43FE90C536BC8E5BA75493

Re: Win 7 System Guard Trojan
Hi


GMER

Note about this tool:
  • This program may freeze. Do not reboot the computer, unless it has been frozen for over 30 minutes.
  • This program may cause a blue screen of death. If it does, do not scan, and then reply to let me know.
  • No matter what is in the log, please post all the information/contents of the log.


Please download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.

Re: Win 7 System Guard Trojan
Thanks for your prompt help. Below is my GMER log. It did cause a BSOD - first time I saw that on Windows 7. I didn't see any warning of a rootkit or infection.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-29 23:25:58
Windows 6.1.7600
Running: gmer.exe; Driver: C:\Users\LEMINH~1\AppData\Local\Temp\kxriyaoc.sys


---- System - GMER 1.0.15 ----

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A36AF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A36104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A363F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A1F2D8
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A1E898
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A361DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A36958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A366F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A36F2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A371A8

Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcess [0x8B596FF8]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcessEx [0x8B59700C]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateUserProcess [0x8B597022]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0x8B59705E]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwReplaceKey [0x8B597086]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRestoreKey [0x8B597072]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetContextThread [0x8B59704A]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetInformationProcess [0x8B597036]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0x8B596FE4]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82A96599 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82ABAF52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
PAGE ntkrnlpa.exe!ZwNotifyChangeKey 82C4CD23 5 Bytes JMP 8B597062 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 82CA0449 5 Bytes JMP 8B59703A \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateUserProcess 82CA8E20 5 Bytes JMP 8B597026 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 82CB4B7D 5 Bytes JMP 8B596FE8 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRestoreKey 82CE8F95 5 Bytes JMP 8B597076 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwReplaceKey 82CF0102 5 Bytes JMP 8B59708A \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 82D2DE5F 5 Bytes JMP 8B596FFC \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 82D2DEAA 7 Bytes JMP 8B597010 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 82D2ED6B 5 Bytes JMP 8B59704E \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x91A19000, 0x23097E, 0xE8000020]
.text peauth.sys 9A83CC9D 28 Bytes [4F, 3A, 12, 3A, 7F, FC, 5D, ...]
.text peauth.sys 9A83CCC1 28 Bytes [4F, 3A, 12, 3A, 7F, FC, 5D, ...]
PAGE peauth.sys 9A842E20 101 Bytes CALL 03CBD368
PAGE peauth.sys 9A84302C 102 Bytes [07, ED, 79, AB, 57, F3, 1A, ...]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Lenovo\System Update\SUService.exe[1064] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [752B5E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Lenovo\System Update\SUService.exe[1064] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [752B5E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Lenovo\System Update\SUService.exe[1064] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [752B5E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Lenovo\System Update\SUService.exe[1064] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [752B5E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Lenovo\System Update\SUService.exe[1064] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [752B5E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[2720] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [752B5E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[2720] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [752B5E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[2720] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [752B5E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[2720] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [752B5E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\rpcnet.exe[2764] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [752B5E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\rpcnet.exe[2764] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [752B5E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\rpcnet.exe[2764] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [752B5E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\rpcnet.exe[2764] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [752B5E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\rpcnet.exe[2764] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [752B5E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5376] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [6144AE77] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5376] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [6144ADA9] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5376] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [6144ADE9] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5376] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [6144A7A3] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5376] @ C:\Windows\system32\USER32.dll [GDI32.dll!GetStockObject] [61449CEC] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5376] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [6144AE77] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5376] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExA] [6144AE29] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5376] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [6144A7A3] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5376] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [6144ADE9] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5376] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [6144ADE9] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5376] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [6144ADA9] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5376] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [6144AE77] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5376] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [6144A7A3] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5376] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [6144AE29] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5376] @ C:\Windows\system32\SHLWAPI.dll [GDI32.dll!GetStockObject] [61449CEC] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5376] @ C:\Windows\system32\SHLWAPI.dll [USER32.dll!GetSysColor] [61449C27] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5376] @ C:\Windows\system32\SHLWAPI.dll [USER32.dll!DefWindowProcW] [6144A3BA] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5376] @ C:\Windows\system32\SHLWAPI.dll [USER32.dll!DefWindowProcA] [6144A3BA] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5376] @ C:\Windows\system32\SHELL32.dll [USER32.dll!GetSysColorBrush] [61449CF2] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5376] @ C:\Windows\system32\SHELL32.dll [USER32.dll!TrackPopupMenu] [61449B56] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5376] @ C:\Windows\system32\SHELL32.dll [USER32.dll!TrackPopupMenuEx] [61449B94] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5376] @ C:\Windows\system32\SHELL32.dll [USER32.dll!AnimateWindow] [61449D87] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5376] @ C:\Windows\system32\SHELL32.dll [USER32.dll!GetSysColor] [61449C27] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5376] @ C:\Windows\system32\SHELL32.dll [USER32.dll!DefWindowProcW] [6144A3BA] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5376] @ C:\Windows\system32\SHELL32.dll [GDI32.dll!GetStockObject] [61449CEC] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5376] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [6144ADA9] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5376] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [6144ADE9] C:\Program Files\Yahoo!\Messenger\yui.dll

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\00000061 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\BTHUSB \Device\00000086 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
Device \Driver\BTHUSB \Device\00000088 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0016cfef1fca
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0016cfef1fca (not active ControlSet)

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 08: copy of MBR

---- EOF - GMER 1.0.15 ----
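
A way to read a log like the one above without going line by line, as an added example for this thread (this is not GMER's code and not anything the posters ran): the Python below parses the three kinds of hook lines GMER prints ("Code" SSDT-style hooks, "PAGE"/".text" byte patches, and user-mode "IAT" entries), groups them by the module that owns the hook target, and separates out the two things a reviewer has to look at by hand: kernel bytes GMER could not attribute to any module, and owner modules for which GMER printed no "(Description/Vendor)" annotation. The sample log mixes lines copied from the posted log with one constructed line (the ZwQueryDirectoryFile hook into example_unknown.sys), which stands in for an unannotated driver; the regexes are written against the line shapes seen in this log and are an assumption about other GMER versions.

```python
"""Triage the hook lines in a GMER log (added example, not GMER's own code)."""
import re
from collections import defaultdict

# Owner module at the end of a hook line: a path ending in .sys/.dll/.exe,
# optionally followed by GMER's "(Description/Vendor)" annotation.
OWNER_RE = re.compile(
    r"(?P<path>(?:[A-Za-z]:\\|\\SystemRoot\\)\S.*?\.(?:sys|dll|exe))"
    r"(?:\s+\((?P<vendor>[^)]*)\))?\s*$",
    re.IGNORECASE,
)
# "Code <owner> (<vendor>) <Function> [0xADDR]"
CODE_RE = re.compile(
    r"^Code\s+(?P<path>.+?\.(?:sys|dll|exe))(?:\s+\((?P<vendor>[^)]*)\))?\s+(?P<func>\w+)",
    re.IGNORECASE,
)
# "PAGE|.text <target> <addr> <n> Byte(s) <detail>"
PATCH_RE = re.compile(
    r"^(?:PAGE|\.text)\s+(?P<target>.+?)\s+(?P<addr>[0-9A-F]{8})\s+(?P<n>\d+)\s+Bytes?\s+(?P<detail>.*)$"
)
# "IAT <process>[pid] @ <module> [<dll!import>] [<addr>] <detail>"
IAT_RE = re.compile(
    r"^IAT\s+(?P<proc>.+?\[\d+\])\s+@\s+(?P<mod>\S+)\s+\[(?P<imp>[^\]]+)\]\s+\[(?P<addr>[0-9A-F]+)\]\s+(?P<detail>.*)$"
)


def triage(log_text: str) -> dict:
    """Group hook lines by owning module; list what GMER could not attribute."""
    by_owner = defaultdict(lambda: {"vendor": None, "hooks": []})
    unattributed = []  # kernel bytes changed with no module named on the line

    def record(path, vendor, what):
        owner = by_owner[path]
        owner["vendor"] = owner["vendor"] or vendor
        owner["hooks"].append(what)

    for raw in log_text.splitlines():
        line = raw.strip()
        if m := CODE_RE.match(line):
            record(m["path"], m["vendor"], m["func"])
        elif m := PATCH_RE.match(line):
            o = OWNER_RE.search(m["detail"])
            if o:
                record(o["path"], o["vendor"], m["target"])
            else:
                unattributed.append(f"{m['target']} @ {m['addr']} ({m['n']} bytes)")
        elif m := IAT_RE.match(line):
            o = OWNER_RE.search(m["detail"])
            if o:
                record(o["path"], o["vendor"], f"{m['imp']} in {m['proc']}")

    return {
        "by_owner": dict(by_owner),
        "unattributed": unattributed,
        # No annotation means GMER could not read a version resource for the
        # file; that is a prompt to check the file, not a verdict on it.
        "unsigned_owners": sorted(p for p, v in by_owner.items() if not v["vendor"]),
    }


# Sample input: lines copied from the posted GMER log, plus one constructed
# line (the ZwQueryDirectoryFile hook into example_unknown.sys) for illustration.
SAMPLE_LOG = r"""
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcess [0x8B596FF8]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetInformationProcess
.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82A96599 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82ABAF52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
PAGE ntkrnlpa.exe!ZwNotifyChangeKey 82C4CD23 5 Bytes JMP 8B597062 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE peauth.sys 9A842E20 101 Bytes CALL 03CBD368
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x91A19000, 0x23097E, 0xE8000020]
IAT C:\Program Files\Lenovo\System Update\SUService.exe[1064] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [752B5E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5376] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [6144AE77] C:\Program Files\Yahoo!\Messenger\yui.dll
PAGE ntkrnlpa.exe!ZwQueryDirectoryFile 82C00000 5 Bytes JMP 8B600000 \SystemRoot\system32\drivers\example_unknown.sys
"""

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for path, info in report["by_owner"].items():
        print(f"{path} [{info['vendor'] or 'NO VENDOR INFO'}]: {len(info['hooks'])} hook(s)")
    print("unattributed kernel patches:", report["unattributed"])
    print("owners without annotation:", report["unsigned_owners"])
```

Run against the log above, the McAfee driver collapses into one entry with all its hooks, the three ntkrnlpa/peauth byte patches come out as unattributed, and yui.dll is listed because GMER printed no description for it; whether any of those is a problem is still the reviewer's call, which is what the "do not act on entries unless advised" warning in the instructions is about.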

Re: Win 7 System Guard Trojan
Please download Stealth MBR Rootkit Detector by GMER from GMER.net, and save to your Desktop.
  • Right-click on mbr.exe and click Run as Administrator to start the program.
  • When done scanning, it will save a log on the Desktop called mbr.log.
  • Please post the contents of that log in your next reply.

Re: Win 7 System Guard Trojan
Here is the mbr.log

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 8 !

Re: Win 7 System Guard Trojan
Please download HAMeb_check.exe and save it to your desktop.

  • Double-click on HAMeb_check.exe to run the utility and it will create a log.
  • Copy and paste the contents of that log in your next reply.

Re: Win 7 System Guard Trojan
It says "this tool is not compatible with your system. Press any key to continue..."

No log written.

Re: Win 7 System Guard Trojan
Please download Profiles by noahdfear.
  • Save it to your desktop.
  • Double-click profiles.exe and post its log when you reply

Re: Win 7 System Guard Trojan
Here it is:


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
ProfileImagePath REG_EXPAND_SZ %systemroot%\system32\config\systemprofile

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19
ProfileImagePath REG_EXPAND_SZ C:\Windows\ServiceProfiles\LocalService

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20
ProfileImagePath REG_EXPAND_SZ C:\Windows\ServiceProfiles\NetworkService

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1209684377-1073439955-1070647248-1000
ProfileImagePath REG_EXPAND_SZ C:\Users\Le Minh Triet

SystemRoot REG_SZ C:\Windows

Re: Win 7 System Guard Trojan
This seems rather odd.

Please open Command Prompt (Start > Run and type CMD and press OK [Vista/7: Start search: CMD and press enter])
Enter the following in to the black box, pressing enter after each line:

Code:

mbr.exe -f

exit


Post a log (MBR.log).

Re: Win 7 System Guard Trojan
It says:

C:\Users\Le Minh Triet>cd\

C:\>mbr.exe -f
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: error reading MBR
kernel: error reading MBR

C:\>exit

Re: Win 7 System Guard Trojan
Sorry. When you go to open Command Prompt, right-click on it first, and click Run as Administrator.

Then do the commands as stated above in the codebox.

Re: Win 7 System Guard Trojan
Here it is when run as an administrator:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 8 !
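
What the "copy of MBR has been found in sector 8 !" line is pointing at, as an added example for this thread (this is not GMER's mbr.exe, and it does not reproduce that tool's user-mode versus kernel-mode read comparison): the Python below walks the sectors after sector 0 of a raw disk image, reports every one that carries a boot signature and a partition table, and says whether it is an exact copy of sector 0 or a copy whose partition table matches but whose boot code differs. The two sample images are constructed in the code; the partition layout, disk signature and boot-code bytes are made up for the example. Reading the live disk (\\.\PhysicalDrive0 on Windows) needs an elevated prompt, which is the same reason the unelevated run above failed with "error reading MBR".

```python
"""Look for MBR copies in the sectors after sector 0 (added example, not mbr.exe)."""
import struct
import sys

SECTOR = 512
# Partition entry: status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
ENTRY = "<B3xB3xII"


def parse_mbr(sector: bytes) -> dict:
    """Split one 512-byte sector into boot code, disk signature and partition table."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(ENTRY, sector, 446 + 16 * i)
        if ptype:  # type 0 marks an unused slot
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "boot_code": sector[:440],
        "disk_signature": struct.unpack_from("<I", sector, 440)[0],
        "partitions": partitions,
        "valid_signature": sector[510:512] == b"\x55\xaa",
    }


def scan_for_mbr_copies(image: bytes, max_sectors: int = 63) -> list:
    """Report every sector below max_sectors that looks like an MBR.

    An identical copy says nothing on its own. A copy whose partition table
    matches sector 0 but whose boot code differs means sector 0 was rewritten
    after the copy was made; the code now in sector 0 is what runs at boot
    and is the part to pull and look at.
    """
    mbr = parse_mbr(image[:SECTOR])
    findings = []
    for n in range(1, min(max_sectors, len(image) // SECTOR)):
        candidate = parse_mbr(image[n * SECTOR:(n + 1) * SECTOR])
        if not (candidate["valid_signature"] and candidate["partitions"]):
            continue
        same_table = candidate["partitions"] == mbr["partitions"]
        same_code = candidate["boot_code"] == mbr["boot_code"]
        findings.append({"sector": n, "identical": same_table and same_code,
                         "same_partition_table": same_table,
                         "boot_code_differs": not same_code})
    return findings


def build_mbr(boot_code: bytes, disk_signature: int, partitions) -> bytes:
    """Assemble a 512-byte MBR; used only to construct the sample images."""
    buf = bytearray(SECTOR)
    buf[:len(boot_code)] = boot_code
    struct.pack_into("<I", buf, 440, disk_signature)
    for i, (bootable, ptype, lba, count) in enumerate(partitions):
        struct.pack_into(ENTRY, buf, 446 + 16 * i, 0x80 if bootable else 0, ptype, lba, count)
    buf[510:512] = b"\x55\xaa"
    return bytes(buf)


# Constructed sample data: one bootable NTFS-type partition starting at LBA 2048,
# a made-up disk signature, and a few typical MBR prologue bytes plus a marker.
_TABLE = [(True, 0x07, 2048, 204800)]
_ORIGINAL_CODE = bytes.fromhex("33c08ed0bc007c8ec08ed8") + b"ORIGINAL-BOOT-CODE"
_REWRITTEN_CODE = bytes.fromhex("33c08ed0bc007c8ec08ed8") + b"REPLACED-BOOT-CODE"


def _image(sector0: bytes, sector8: bytes) -> bytes:
    """A 16-sector image with the given contents in sectors 0 and 8, zeros elsewhere."""
    img = bytearray(SECTOR * 16)
    img[0:SECTOR] = sector0
    img[8 * SECTOR:9 * SECTOR] = sector8
    return bytes(img)


# Sector 8 holds an exact copy of sector 0.
SAMPLE_CLEAN_IMAGE = _image(build_mbr(_ORIGINAL_CODE, 0x1234ABCD, _TABLE),
                            build_mbr(_ORIGINAL_CODE, 0x1234ABCD, _TABLE))
# Sector 0's boot code was replaced; sector 8 still holds the original.
SAMPLE_REWRITTEN_IMAGE = _image(build_mbr(_REWRITTEN_CODE, 0x1234ABCD, _TABLE),
                                build_mbr(_ORIGINAL_CODE, 0x1234ABCD, _TABLE))

if __name__ == "__main__":
    # Pass a raw image path, or on Windows \\.\PhysicalDrive0 from an elevated prompt.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read(SECTOR * 63)
    else:
        data = SAMPLE_REWRITTEN_IMAGE
    for finding in scan_for_mbr_copies(data):
        print(finding)
```

The posted mbr.log shows only that sector 8 holds an MBR-shaped copy and that the user-mode and kernel-mode reads of sector 0 agree; it does not say whether that copy's boot code matches sector 0, which is the comparison the second sample image exercises.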

Re: Win 7 System Guard Trojan
  • Please go to VirSCAN.org FREE on-line scan service

  • Browse for the following file path into the "Suspicious files to scan" box on the top of the page:
    • C:\windows\system32\termsrv.dll

  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.

Re: Win 7 System Guard Trojan
File Name : termsrv.dll
File Size : 543232 byte
File Type : PE32 executable for MS Windows (DLL) (console) Intel 80386 3
MD5 : a01e50a04d7b1960b33e92b9080e6a94
SHA1 : efd82448fe8c8beb48f40f88bd84ab15ea8510b4

Scanner results
Scanner results : Scanners did not find malware!
Time : 2010/04/30 22:17:49 (CDT)
