enf1945

  1. I ran ComboFix and it cleared it. Thanks. Yes, gkatjihp was still loaded as a driver, but at least it wasn't running to do damage. It was listed as a manual activation. It's just temporary till it's deleted. It still had to be deleted by ComboFix. As far as deleting these files in a DOS disk, I didn't try it myself. I guess I was concerned that Windows wouldn't start if these files were deleted by a DOS disk and the registry entries to get them started still wanted them to run. Is this a legitimate concern? Anyway, everything is cleared up. I ran your program and 0 malware found. Thanks.
  2. Hi, I ran ComboFix again and it worked this time! I would like to thank you for your efforts. You guys are great. I got this by being on a normal everyday site that asked me to update Adobe Flash. I think the site was hacked. BTW, before running this I was able to change a registry setting for the driver gkatjihp.sys to make it run inactive. Also for BHOs, I suggest one go into Explorer Tools - Manage Add-ons - Enable or Disable Add-ons - look for the malware BHO and click Disable. Do this until it's deleted by Malwarebytes or ComboFix or whatever. Note - this is not a fix. It will become enabled again. I did this to minimize damage before it's fixed. Curious as to why booting into a DOS disk and deleting these files under DOS doesn't work. Thanks
  3. I have eTrust Antivirus. I had it turned off for these repairs. Also, I updated Malwarebytes and it still wouldn't remove these entries. Below is the ComboFix log. ComboFix has trouble deleting those files. If I try to delete them manually it says they are in use.

     ComboFix 09-04-15.08 - bob 04/15/2009 20:42.3 - FAT32x86
     Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.566 [GMT -4:00]
     Running from: c:\documents and settings\bob\Desktop\ComboFix.exe
     Command switches used :: c:\documents and settings\bob\Desktop\CFScript.txt
     * Created a new restore point
     WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

     FILE ::
     c:\windows\system32\ceozgof.dll
     c:\windows\system32\drivers\gkatjihp.sys
     c:\windows\system32\hcuvcbb.dll
     .
     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     c:\windows\system32\ceozgof.dll . . . . failed to delete
     c:\windows\system32\drivers\gkatjihp.sys . . . . failed to delete
     c:\windows\system32\hcuvcbb.dll . . . . failed to delete
     .
     ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     -------\Legacy_GKATJIHP
     -------\Service_gkatjihp
  4. Also wanted to mention, to save time, that ComboFix already deleted a trojan from an entry in the Windows notify registry. A rerun of ComboFix doesn't find anything anymore. In the meantime, that BHO entry I put as disabled in IE. I don't know if I'm protected by doing that. Still seems that hcuvcbb.dll still can't be deleted, although it doesn't show as a loaded DLL on my PC. It must be in use by IE. Here is the new ComboFix log:

     ComboFix 09-04-15.08 - bob 04/15/2009 16:20.2 - FAT32x86
     Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.586 [GMT -4:00]
     Running from: c:\documents and settings\bob\Desktop\ComboFix.exe
     WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
  5. Here is the HijackThis log. In addition, this DLL hcuvcbb is in a CLSID listed in an entry with InprocServer32 with the DLL hcuvcbb.dll. When Malwarebytes tries to fix it, it says it will be repaired on reboot, but it doesn't get fixed. Also Explorer.exe ends with "memory could not be written" before Malwarebytes reboots the PC. Thanks

     Logfile of Trend Micro HijackThis v2.0.2
     Scan saved at 3:47:11 PM, on 4/15/2009
     Platform: Windows XP SP3 (WinNT 5.01.2600)
     MSIE: Internet Explorer v7.00 (7.00.6000.16762)
     Boot mode: Normal
Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing) O2 - BHO: CSMHelperObj Class - {0F660F64-F4C9-477F-8529-44181B717472} - C:\Program Files\AT&T\WnClient\Programs\CSMBHO.dll (file missing) O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O2 - BHO: (no name) - {E0F96E09-F426-417A-9E3E-F2002FE9DA6B} - c:\windows\system32\hcuvcbb.dll O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" O4 - HKLM\..\Run: [Guard] "C:\Program Files\Phoenix Technologies\Applications\Guard\Guard.exe" /background O4 - HKLM\..\Run: [Recover Pro] "C:\Program Files\Phoenix Technologies\Applications\RPro\XP\VBPTASK.EXE" VBStart O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe" O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM\..\Run: [skyTel] SkyTel.EXE O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe O4 - HKCU\..\Run: [ctfmon.exe] 
C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe O4 - HKCU\..\Run: [Power2GoExpress] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe O4 - Startup: Nikon Monitor.lnk = C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O9 - Extra button: AnyWho - {0264505A-6793-44E0-AC75-9DCE3B13185C} - C:\Program Files\AT&T\WnClient\Programs\AnyWho.exe (file missing) O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra button: Travelaxe - {32A32D38-B8ED-4b3f-AFD0-EF23B697B5C1} - C:\Program Files\Travelaxe\Travelaxe.exe O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra button: Web Monitor - {AD794498-7E3E-4E00-9864-94A669EEB2BF} - C:\Program Files\Right Web Monitor\iecontext.htm (HKCU) O15 - Trusted Zone: http://www.londonstockexchange.com O15 - Trusted Zone: http://www.urbansherpany.com O15 - Trusted Zone: http://earthnow.usgs.gov O15 - Trusted Zone: http://radar.weather.gov O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon...DSL/tgctlcm.cab O16 - DPF: {065FD296-2A8A-48C3-9634-7E167BF2C6C2} (RealTick OCX) - http://www.terranovaonline.com/INVESTOR/TALTNInvestor.cab O16 - DPF: 
{0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab O16 - DPF: {0FB028C2-2704-40F6-A983-2A2405027A19} (DropSlot Control) - https://epresent.sungard.com/ws/dropslot.cab O16 - DPF: {1C960AA3-FAEE-11D0-9262-00A0243D2412} (TegoSoft SmartLoader ActiveX Control) - http://www.tegosoft.com/ActiveX/TegoLoad.cab O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://www.sidestep.com/get/k00719/sb02b.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1234231649953 O16 - DPF: {84818113-96C5-11D2-BE39-006008BF4DD5} (ViewDirector Object) - http://www.scotlandspeople.gov.uk/Viewers/...ol/viewdw32.ocx O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://picture.vzw.com/activex/VerizonWire...loadControl.cab O16 - DPF: {8BBDC81D-81B3-49EE-87E8-47B7A707FAE8} (GoToMeeting/GoToWebinar Web Starter) - https://www2.gotomeeting.com/default/applets/g2mdlax.cab O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://pcpitstop.com/mhLbl.cab O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://monitor110.webex.com/client/T26L/sales/ieatgpc.cab O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: Eyeline Service (EyelineService) - Unknown owner - C:\Program Files\NCH Software\Eyeline\eyeline.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. 
- C:\Program Files\CA\eTrust Antivirus\InoRpc.exe O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Pacific Image Comm. Fax Server - Unknown owner - C:\SUPERVOC\PROGRAM\PICPMON.EXE O23 - Service: Phoenix PSA Service (PhnxPsaService) - Phoenix Technologies Ltd. - C:\WINDOWS\system32\PhxPsSvr.exe O23 - Service: Phoenix Vault Service (PhnxVaultService) - Phoenix Technologies Ltd. - C:\WINDOWS\system32\PhxVtSvr.exe O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe -- End of file - 9214 bytes
  6. Your product is great. This is the log file where it finds it. In addition, this CLSID is listed in an entry with InprocServer32 with the DLL hcuvcbb.dll.

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 2
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 1

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e0f96e09-f426-417a-9e3e-f2002fe9da6b} (Trojan.BHO.H) -> No action taken.
     HKEY_CLASSES_ROOT\CLSID\{e0f96e09-f426-417a-9e3e-f2002fe9da6b} (Trojan.BHO.H) -> No action taken.

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     c:\WINDOWS\system32\hcuvcbb.dll (Trojan.BHO.H) -> No action taken.

     When I click "remove selected" I get an address exception right when it tells me it will reboot. How can I fix this?
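The two logs in posts 5 and 6 show the same registry chain from two angles: the Browser Helper Objects key names a CLSID, the CLSID key's InprocServer32 value names the DLL that Internet Explorer loads. The following PowerShell is an added example, not code from this thread, from Malwarebytes or from HijackThis: it walks that chain for every registered BHO and reports the conditions a defender would check (unnamed entry, missing file, unsigned file). It assumes PowerShell 5.1 or later on a Windows host; the function name Get-BhoReport and the "unnamed BHO in system32" heuristic are mine.

```powershell
# Added example: enumerate IE Browser Helper Objects and follow each CLSID to its
# InprocServer32 DLL, the chain shown by the HijackThis O2 line and the Malwarebytes
# registry hits above. Get-BhoReport is a hypothetical name chosen for this example.
function Get-BhoReport {
    $bhoRoots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    foreach ($root in $bhoRoots) {
        if (-not (Test-Path $root)) { continue }          # Wow6432Node only exists on 64-bit
        foreach ($key in Get-ChildItem -Path $root) {
            $clsid    = $key.PSChildName                  # e.g. {E0F96E09-F426-417A-9E3E-F2002FE9DA6B}
            $clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
            $name     = (Get-ItemProperty -Path $clsidKey -ErrorAction SilentlyContinue).'(default)'
            $server   = (Get-ItemProperty -Path "$clsidKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'

            # Normalise the DLL path: strip surrounding quotes, expand %SystemRoot% and friends.
            $dll    = if ($server) { [Environment]::ExpandEnvironmentVariables($server.Trim('"')) } else { $null }
            $exists = $dll -and (Test-Path -LiteralPath $dll)

            # Authenticode status of the on-disk file; unsigned or absent files are reviewed first.
            $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $dll).Status } else { 'n/a' }

            $flags = @()
            if (-not $name)                    { $flags += 'no name' }           # HijackThis prints "(no name)"
            if (-not $server)                  { $flags += 'no InprocServer32' }
            if ($server -and -not $exists)     { $flags += 'file missing' }      # HijackThis prints "(file missing)"
            if ($exists -and $sig -ne 'Valid') { $flags += "signature: $sig" }
            # Heuristic from the logs above: an unnamed BHO whose DLL sits directly in system32.
            if (-not $name -and $dll -match '\\system32\\[^\\]+\.dll$') { $flags += 'unnamed BHO in system32' }

            [PSCustomObject]@{
                View      = if ($root -like '*Wow6432Node*') { '32-bit' } else { 'native' }
                CLSID     = $clsid
                Name      = if ($name) { $name } else { '(no name)' }
                Dll       = $dll
                Signature = $sig
                Flags     = ($flags -join '; ')
            }
        }
    }
}

# Flagged entries first. Review each one before removing anything; deletion of a loaded
# DLL normally has to be scheduled for the next boot, which is what the logs above show.
Get-BhoReport | Sort-Object { $_.Flags -eq '' } | Format-Table -AutoSize
```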