06-May-2009, 06:47 PM
#1 |
Opened unknown e-mail - HijackThis log

My brother opened an e-mail which was unknown to him, and it caused absolute chaos with his PC. It was a long time ago that it started, so he doesn't remember much, but there seemed to be something about antivirusxp2008 on the desktop instead of the normal desktop. The PC is so extremely slow it takes about 26 hours to do a virus scan! There were no more system restore points left. McAfee Security Suite was on there but didn't find anything. Neither did SUPERAntiSpyware. He does also remember seeing a warning message with 'cutwail' in it. I put AVG on there and it found a few things: WORM AUTOIT.AMF and TROJAN HORSE GENERIC_cZOC, which it moved to the vault. This is the list from Spyware Doctor: Rogue antispyware - antivirusxp 2008; Trojan downloader agent; Rogue antispyware - xp antispyware; Trojan gaslise.B. But I can't do anything with them since I haven't purchased it - but if these look like a probable cause to someone, I will purchase it. I'm also going to run McAfee Rootkit and post results. Thanks for any help in advance.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:30:15 PM, on 5/6/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AskBarDis\bar\bin\AskService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NCH Swift Sound\BroadWave\broadwave.exe
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\Program Files\NCH Swift Sound\Components\mp3el\mp3enc.exe
C:\Program Files\NCH Swift Sound\Components\mp3el\mp3enc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\gsicon.exe
C:\WINDOWS\system32\dslagent.exe
C:\Program Files\NCH Swift Sound\BroadWave\broadwave.exe
C:\WINDOWS\system32\atwtusb.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.homecallbroadband.com/customer/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
R3 - URLSearchHook: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFre1.dll
R3 - URLSearchHook: SweetIM ToolbarURLSearchHook Class - {EEE6C35D-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgHelper.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFre1.dll
O3 - Toolbar: SweetIM Toolbar for Internet Explorer - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: ZoneAlarm Spy Blocker Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [tkbellexe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [sunjavaupdatesched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [speedtouch usb diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [regshave] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [quicktime task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nerocheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [istray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [gsiconexe] gsicon.exe
O4 - HKLM\..\Run: [framework 2.5] FrameWork.exe
O4 - HKLM\..\Run: [dslagentexe] dslagent.exe USB
O4 - HKLM\..\Run: [broadwaverun] "C:\Program Files\NCH Swift Sound\BroadWave\broadwave.exe" -logon
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\RunServices: [FrameWork 2.5] FrameWork.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: + Offline &Explorer: Download the link - file://C:\Program Files\Offline Explorer\Add_UrlO.htm
O8 - Extra context menu item: + Offline E&xplorer: Download the current page - file://C:\Program Files\Offline Explorer\Add_AllO.htm
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Ladbrokes Poker - {C2A80015-C447-4dc4-82DD-AED83D6ED57E} - C:\Microgaming\Poker\ladbrokesMPP\MPPoker.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} - http://www.bebo.com/files/BeboUploader.5.1.4.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1211892112983
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1211892099592
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: karina.dat
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: dytaxohp - dytaxohp.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASKService - Unknown owner - C:\Program Files\AskBarDis\bar\bin\AskService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BroadWave Service (BroadWaveService) - Unknown owner - C:\Program Files\NCH Swift Sound\BroadWave\broadwave.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\System32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\System32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 13163 bytes
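As an added example (not part of the original post, and not code from HijackThis or any of the tools named in it), the script below parses HijackThis-style lines and sorts out the entries a responder would read first: components whose file is no longer on disk, a non-empty AppInit_DLLs value, Run entries whose target is a bare filename rather than a full path, the legacy RunServices key, and services with no publisher string. The sample lines are copied from the log above (the AVG tray entry is included as a benign control); the heuristics, the `triage` function and the `Finding` type are my own and are there to rank entries for review, not to declare any of them malicious.

```python
import re
from dataclasses import dataclass

# Constructed sample: a handful of entries copied from the HijackThis log
# posted above, plus the AVG tray line as a benign control. Not the full log.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [framework 2.5] FrameWork.exe
O4 - HKLM\..\RunServices: [FrameWork 2.5] FrameWork.exe
O4 - HKLM\..\Run: [gsiconexe] gsicon.exe
O20 - AppInit_DLLs: karina.dat
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: dytaxohp - dytaxohp.dll (file missing)
O23 - Service: ASKService - Unknown owner - C:\Program Files\AskBarDis\bar\bin\AskService.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
"""

# "O4 - " / "R1 - " / "F2 - " style prefix carried by every HijackThis entry.
ENTRY_RE = re.compile(r"^(?P<section>[ROF]\d+) - (?P<body>.*)$")
# O4 body layout: <hive>\..\<Run key>: [<value name>] <command line>
O4_RE = re.compile(r"^(?P<hive>.+?)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def _executable(cmd: str) -> str:
    """Return the program part of an autorun command line, without arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage(log_text: str) -> list[Finding]:
    """Return review-priority findings for the HijackThis lines in log_text."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header lines, the process list and blank lines
        section, body = m.group("section"), m.group("body")

        # A registered component whose file is gone is either a leftover from a
        # removed program or a cleanup that missed the registry entry.
        if "(file missing)" in body or "(no file)" in body:
            findings.append(Finding(section, "references a file that is absent on disk", line))

        # AppInit_DLLs is loaded into every process that links user32.dll;
        # on a home PC the value is normally empty.
        if section == "O20" and body.startswith("AppInit_DLLs:"):
            value = body[len("AppInit_DLLs:"):].strip()
            if value:
                findings.append(Finding(section, f"AppInit_DLLs is set to {value!r}", line))

        if section == "O4":
            o4 = O4_RE.match(body)
            if o4:
                exe = _executable(o4.group("cmd"))
                # A bare filename is resolved through the PATH search order, so
                # the file that actually runs cannot be read off the log line.
                if "\\" not in exe:
                    findings.append(Finding(section, f"autorun target {exe!r} has no path", line))
                if o4.group("key").lower() == "runservices":
                    findings.append(Finding(section, "legacy RunServices key", line))

        # HijackThis prints 'Unknown owner' when the service binary carries no
        # company name; legitimate software does this too, so it is a prompt to
        # check the file, not a verdict.
        if section == "O23" and "- Unknown owner -" in body:
            findings.append(Finding(section, "service binary has no publisher information", line))
    return findings


def summarize(log_text: str) -> dict[str, int]:
    """Count findings per HijackThis section, e.g. {'O4': 4, 'O20': 2}."""
    counts: dict[str, int] = {}
    for f in triage(log_text):
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason:<45} {f.line}")
    print(summarize(SAMPLE_LOG))
```

Run against the full log rather than the sample, the same rules surface the entries worth checking on disk first (the AppInit_DLLs value, the missing Winlogon Notify DLL, and the pathless FrameWork.exe, gsicon.exe, dslagent.exe and atwtusb.exe autoruns) while leaving the signed vendor services alone; each flagged file still needs to be located and its publisher and hash checked before anything is removed.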
08-May-2009, 10:42 AM
#2 |
McAfee rootkit

These are the results from McAfee Rootkit Detective:

Scan complete. Hidden registry keys/values: 22

McAfee(R) Rootkit Detective 1.1 scan report
On 06-05-2009 at 22:24:20
OS-Version 5.1.2600
Service Pack 2.0
====================================
Object-Type: SSDT-hook  Object-Name: ZwConnectPort  Object-Path: C:\WINDOWS\system32\vsdatant.sys
Object-Type: SSDT-hook  Object-Name: ZwCreateFile  Object-Path: C:\WINDOWS\system32\vsdatant.sys
Object-Type: SSDT-hook  Object-Name: ZwCreateKey  Object-Path: C:\WINDOWS\system32\vsdatant.sys
Object-Type: SSDT-hook  Object-Name: ZwCreatePort  Object-Path: C:\WINDOWS\system32\vsdatant.sys
Object-Type: SSDT-hook  Object-Name: ZwCreateProcess  Object-Path: C:\WINDOWS\system32\vsdatant.sys
Object-Type: SSDT-hook  Object-Name: ZwCreateProcessEx  Object-Path: C:\WINDOWS\system32\vsdatant.sys
Object-Type: SSDT-hook  Object-Name: ZwCreateSection  Object-Path: C:\WINDOWS\system32\vsdatant.sys
Object-Type: SSDT-hook  Object-Name: ZwCreateWaitablePort  Object-Path: C:\WINDOWS\system32\vsdatant.sys
Object-Type: SSDT-hook  Object-Name: ZwDeleteFile  Object-Path: C:\WINDOWS\system32\vsdatant.sys
Object-Type: SSDT-hook  Object-Name: ZwDeleteKey  Object-Path: C:\WINDOWS\system32\vsdatant.sys
Object-Type: SSDT-hook  Object-Name: ZwDeleteValueKey  Object-Path: C:\WINDOWS\system32\vsdatant.sys
Object-Type: SSDT-hook  Object-Name: ZwDuplicateObject  Object-Path: C:\WINDOWS\system32\vsdatant.sys
Object-Type: SSDT-hook  Object-Name: ZwLoadKey2  Object-Path: C:\WINDOWS\system32\vsdatant.sys
Object-Type: SSDT-hook  Object-Name: ZwLoadKey  Object-Path: C:\WINDOWS\system32\vsdatant.sys
Object-Type: SSDT-hook  Object-Name: ZwOpenFile  Object-Path: C:\WINDOWS\system32\vsdatant.sys
Object-Type: SSDT-hook  Object-Name: ZwOpenProcess  Object-Path: C:\WINDOWS\system32\vsdatant.sys
Object-Type: SSDT-hook  Object-Name: ZwOpenThread  Object-Path: C:\WINDOWS\system32\vsdatant.sys
Object-Type: SSDT-hook  Object-Name: ZwRenameKey  Object-Path: C:\WINDOWS\system32\vsdatant.sys
Object-Type: SSDT-hook  Object-Name: ZwReplaceKey  Object-Path: C:\WINDOWS\system32\vsdatant.sys
Object-Type: SSDT-hook  Object-Name: ZwRequestWaitReplyPort  Object-Path: C:\WINDOWS\system32\vsdatant.sys
Object-Type: SSDT-hook  Object-Name: ZwRestoreKey  Object-Path: C:\WINDOWS\system32\vsdatant.sys
Object-Type: SSDT-hook  Object-Name: ZwSecureConnectPort  Object-Path: C:\WINDOWS\system32\vsdatant.sys
Object-Type: SSDT-hook  Object-Name: ZwSetInformationFile  Object-Path: C:\WINDOWS\system32\vsdatant.sys
Object-Type: SSDT-hook  Object-Name: ZwSetValueKey  Object-Path: C:\WINDOWS\system32\vsdatant.sys
Object-Type: SSDT-hook  Object-Name: ZwSystemDebugControl  Object-Path: C:\WINDOWS\system32\vsdatant.sys
Object-Type: SSDT-hook  Object-Name: ZwTerminateProcess  Object-Path: C:\WINDOWS\system32\vsdatant.sys
Object-Type: SSDT-hook  Object-Name: ZwWriteVirtualMemory  Object-Path: C:\WINDOWS\system32\drivers\iksysflt.sys
Object-Type: IRP-hook  Object-Name: \Driver\Tcpip->IRP_MJ_CLEANUP  Object-Path: \SystemRoot\System32\vsdatant.sys
Object-Type: IRP-hook  Object-Name: \Driver\Tcpip->IRP_MJ_INTERNAL_DEVICE_CONTROL  Object-Path: \SystemRoot\System32\vsdatant.sys
Object-Type: IRP-hook  Object-Name: \Driver\Tcpip->IRP_MJ_DEVICE_CONTROL  Object-Path: \SystemRoot\System32\vsdatant.sys
Object-Type: IRP-hook  Object-Name: \Driver\Tcpip->IRP_MJ_CLOSE  Object-Path: \SystemRoot\System32\vsdatant.sys
Object-Type: IRP-hook  Object-Name: \Driver\Tcpip->IRP_MJ_CREATE  Object-Path: \SystemRoot\System32\vsdatant.sys
Object-Type: Registry-key  Object-Name: DatatemRoot\System32\vsdatant.sys  Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data  Status: Hidden
Object-Type: Registry-key  Object-Name: a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771 System Provider\*Local Machine*\Data  Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771  Status: Hidden
Object-Type: Registry-key  Object-Name: 00000000-0000-0000-0000-000000000000 System Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771  Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771\00000000-0000-0000-0000-000000000000  Status: Hidden
Object-Type: Registry-key  Object-Name: {6340E680-FF06-435f-8767-B79D88AEBD4D}ystem Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771\00000000-0000-0000-0000-000000000000  Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771\00000000-0000-0000-0000-000000000000\{6340E680-FF06-435f-8767-B79D88AEBD4D}  Status: Hidden
Object-Type: Registry-key  Object-Name: {6340E680-FF06-435f-8767-B79D88AEBD4D}.RENm Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771\00000000-0000-0000-0000-000000000000\{6340E680-FF06-435f-8767-B79D88AEBD4D}  Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771\00000000-0000-0000-0000-000000000000\{6340E680-FF06-435f-8767-B79D88AEBD4D}.REN  Status: Hidden
Object-Type: Registry-value  Object-Name: Item Data  Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771\00000000-0000-0000-0000-000000000000\{6340E680-FF06-435f-8767-B79D88AEBD4D}.REN  Status: Hidden
Object-Type: Registry-key  Object-Name: 00000000-0000-0000-0000-000000000000.RENtem Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771\00000000-0000-0000-0000-000000000000\{6340E680-FF06-435f-8767-B79D88AEBD4D}.REN  Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771\00000000-0000-0000-0000-000000000000.REN  Status: Hidden
Object-Type: Registry-value  Object-Name: Display String  Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771\00000000-0000-0000-0000-000000000000.REN  Status: Hidden
Object-Type: Registry-key  Object-Name: a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771.RENtem Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771\00000000-0000-0000-0000-000000000000.REN  Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771.REN  Status: Hidden
Object-Type: Registry-value  Object-Name: Display String  Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771.REN  Status: Hidden
Object-Type: Registry-key  Object-Name: edec4b50-3a44-4ded-86dd-85a4e65c20ea System Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771.REN  Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data\edec4b50-3a44-4ded-86dd-85a4e65c20ea  Status: Hidden
Object-Type: Registry-key  Object-Name: 0f88886d-d7b0-4839-9f39-5c335ef07898 System Provider\*Local Machine*\Data\edec4b50-3a44-4ded-86dd-85a4e65c20ea  Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data\edec4b50-3a44-4ded-86dd-85a4e65c20ea\0f88886d-d7b0-4839-9f39-5c335ef07898  Status: Hidden
Object-Type: Registry-key  Object-Name: MachineKeyicrosoft\Protected Storage System Provider\*Local Machine*\Data\edec4b50-3a44-4ded-86dd-85a4e65c20ea\0f88886d-d7b0-4839-9f39-5c335ef07898  Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data\edec4b50-3a44-4ded-86dd-85a4e65c20ea\0f88886d-d7b0-4839-9f39-5c335ef07898\MachineKey  Status: Hidden
Object-Type: Registry-value  Object-Name: Item Data  Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data\edec4b50-3a44-4ded-86dd-85a4e65c20ea\0f88886d-d7b0-4839-9f39-5c335ef07898\MachineKey  Status: Hidden
Object-Type: Registry-value  Object-Name: Display String  Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data\edec4b50-3a44-4ded-86dd-85a4e65c20ea\0f88886d-d7b0-4839-9f39-5c335ef07898  Status: Hidden
Object-Type: Registry-value  Object-Name: Display String  Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data\edec4b50-3a44-4ded-86dd-85a4e65c20ea  Status: Hidden
Object-Type: Registry-key  Object-Name: Data 2RE\Microsoft\Protected Storage System Provider\*Local Machine*\Data\edec4b50-3a44-4ded-86dd-85a4e65c20ea  Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data 2  Status: Hidden
Object-Type: Registry-key  Object-Name: WindowsE\Microsoft\Protected Storage System Provider\*Local Machine*\Data 2  Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data 2\Windows  Status: Hidden
Object-Type: Registry-value  Object-Name: Value  Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data 2\Windows  Status: Hidden
Object-Type: Registry-key  Object-Name: Windows.RENcrosoft\Protected Storage System Provider\*Local Machine*\Data 2\Windows  Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data 2\Windows.REN  Status: Hidden
Object-Type: Registry-value  Object-Name: Value  Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data 2\Windows.REN  Status: Hidden
Object-Type: Registry-key  Object-Name: Data 2.RENicrosoft\Protected Storage System Provider\*Local Machine*\Data 2\Windows.REN  Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data 2.REN  Status: Hidden
Object-Type: IAT/EAT-hook  PID: 1720  Details: Export : Function : USER32.dll!SetWindowsHookExW =>  Object-Path:  Status: Hooked
Object-Type: IAT/EAT-hook  PID: 1720  Details: Export : Function : USER32.dll!SetWindowsHookExA =>  Object-Path:  Status: Hooked
Object-Type: Process  Object-Name: System Idle Process  Pid: 0  Object-Path:  Status: Visible
Object-Type: Process  Object-Name: wuauclt.exe  Pid: 1612  Object-Path: C:\WINDOWS\system32\wuauclt.exe  Status: Visible
Object-Type: Process  Object-Name: svchost.exe  Pid: 992  Object-Path: C:\WINDOWS\System32\svchost.exe  Status: Visible
Object-Type: Process  Object-Name: svchost.exe  Pid: 2388  Object-Path: C:\WINDOWS\System32\svchost.exe  Status: Visible
Object-Type: Process  Object-Name: AskService.exe  Pid: 1768  Object-Path: C:\Program Files\AskBarDis\bar\bin\AskService.exe  Status: Visible
Object-Type: Process  Object-Name: wdfmgr.exe  Pid: 2420  Object-Path: C:\WINDOWS\System32\wdfmgr.exe  Status: Visible
Object-Type: Process  Object-Name: avgrsx.exe  Pid: 312  Object-Path: C:\PROGRA~1\AVG\AVG8\avgrsx.exe  Status: Visible
Object-Type: Process  Object-Name: wltuser.exe  Pid: 3692  Object-Path: C:\Program Files\Windows Live\Toolbar\wltuser.exe  Status: Visible
Object-Type: Process  Object-Name: winlogon.exe  Pid: 592  Object-Path: C:\WINDOWS\system32\winlogon.exe  Status: Visible
Object-Type: Process  Object-Name: System  Pid: 4  Object-Path:  Status: Visible
Object-Type: Process  Object-Name: bgsvcgen.exe  Pid: 1836  Object-Path: C:\WINDOWS\system32\bgsvcgen.exe  Status: Visible
Object-Type: Process  Object-Name: GoogleUpdaterSe  Pid: 224  Object-Path: C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe  Status: Visible
Object-Type: Process  Object-Name: ezSP_Px.exe  Pid: 1712  Object-Path: C:\WINDOWS\System32\ezSP_Px.exe  Status: Visible
Object-Type: Process  Object-Name: gsicon.exe  Pid: 1960  Object-Path: C:\WINDOWS\system32\gsicon.exe  Status: Visible
Object-Type: Process  Object-Name: wlcomm.exe  Pid: 876  Object-Path: C:\Program Files\Windows Live\Contacts\wlcomm.exe  Status: Visible
Object-Type: Process  Object-Name: smss.exe  Pid: 504  Object-Path: C:\WINDOWS\System32\smss.exe  Status: Visible
Object-Type: Process  Object-Name: vsmon.exe  Pid: 1248  Object-Path: C:\WINDOWS\system32\ZoneLabs\vsmon.exe  Status: Visible
Object-Type: Process  Object-Name: mDNSResponder.e  Pid: 1868  Object-Path: C:\Program Files\Bonjour\mDNSResponder.exe  Status: Visible
Object-Type: Process  Object-Name: broadwave.exe  Pid: 1992  Object-Path: C:\Program Files\NCH Swift Sound\BroadWave\broadwave.exe  Status: Visible
Object-Type: Process  Object-Name: csrss.exe  Pid: 568  Object-Path: C:\WINDOWS\system32\csrss.exe  Status: Visible
Object-Type: Process  Object-Name: SeaPort.exe  Pid: 2336  Object-Path: C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe  Status: Visible
Object-Type: Process  Object-Name: AppleMobileDevi  Pid: 1748  Object-Path: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe  Status: Visible
Object-Type: Process  Object-Name: msnmsgr.exe  Pid: 3516  Object-Path: C:\Program Files\Windows Live\Messenger\msnmsgr.exe  Status: Visible
Object-Type: Process  Object-Name: svchost.exe  Pid: 1160  Object-Path: C:\WINDOWS\System32\svchost.exe  Status: Visible
Object-Type: Process  Object-Name: HPZipm12.exe  Pid: 1036  Object-Path: C:\WINDOWS\System32\HPZipm12.exe  Status: Visible
Object-Type: Process  Object-Name: pctsSvc.exe  Pid: 3176  Object-Path: C:\Program Files\Spyware Doctor\pctsSvc.exe  Status: Visible
Object-Type: Process  Object-Name: svchost.exe  Pid: 852  Object-Path: C:\WINDOWS\system32\svchost.exe  Status: Visible
Object-Type: Process  Object-Name: explorer.exe  Pid: 1720  Object-Path: C:\WINDOWS\Explorer.EXE  Status: Visible
Object-Type: Process  Object-Name: services.exe  Pid: 636  Object-Path: C:\WINDOWS\system32\services.exe  Status: Visible
Object-Type: Process  Object-Name: avgtray.exe  Pid: 2156  Object-Path: C:\PROGRA~1\AVG\AVG8\avgtray.exe  Status: Visible
Object-Type: Process  Object-Name: iexplore.exe  Pid: 3396  Object-Path: C:\Program Files\Internet Explorer\iexplore.exe  Status: Visible
Object-Type: Process  Object-Name: zlclient.exe  Pid: 2064  Object-Path: C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe  Status: Visible
Object-Type: Process  Object-Name: iexplore.exe  Pid: 1228  Object-Path: C:\Program Files\Internet Explorer\iexplore.exe  Status: Visible
Object-Type: Process  Object-Name: dslagent.exe  Pid: 1972  Object-Path: C:\WINDOWS\system32\dslagent.exe  Status: Visible
Object-Type: Process  Object-Name: jucheck.exe  Pid: 516  Object-Path: C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe  Status: Visible
Object-Type: Process  Object-Name: spoolsv.exe  Pid: 1508  Object-Path: C:\WINDOWS\system32\spoolsv.exe  Status: Visible
Object-Type: Process  Object-Name: mp3enc.exe  Pid: 144  Object-Path: C:\Program Files\NCH Swift Sound\Components\mp3el\mp3enc.exe  Status: Visible
Object-Type: Process  Object-Name: pctsAuxs.exe  Pid: 1384  Object-Path: C:\Program Files\Spyware Doctor\pctsAuxs.exe  Status: Visible
Object-Type: Process  Object-Name: jusched.exe  Pid: 1632  Object-Path: C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe  Status: Visible
Object-Type: Process  Object-Name: svchost.exe  Pid: 920  Object-Path: C:\WINDOWS\System32\svchost.exe  Status: Visible
Object-Type: Process  Object-Name: svchost.exe  Pid: 1664  Object-Path: C:\WINDOWS\System32\svchost.exe  Status: Visible
Object-Type: Process  Object-Name: dragdiag.exe  Pid: 1820  Object-Path: C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe  Status: Visible
Object-Type: Process  Object-Name: alg.exe  Pid: 3092  Object-Path: C:\WINDOWS\System32\alg.exe  Status: Visible
Object-Type: Process  Object-Name: realsched.exe  Pid: 1728  Object-Path: C:\Program Files\Common Files\Real\Update_OB\realsched.exe  Status: Visible
Object-Type: Process  Object-Name: broadwave.exe  Pid: 1884  Object-Path: C:\Program Files\NCH Swift Sound\BroadWave\broadwave.exe  Status: Visible
Object-Type: Process  Object-Name: avgnsx.exe  Pid: 428  Object-Path: C:\PROGRA~1\AVG\AVG8\avgnsx.exe  Status: Visible
Object-Type: Process  Object-Name: Atwtusb.exe  Pid: 2040  Object-Path: C:\WINDOWS\system32\atwtusb.exe  Status: Visible
Object-Type: Process  Object-Name: avgwdsvc.exe  Pid: 1824  Object-Path: C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe  Status: Visible
Object-Type: Process  Object-Name: pctsTray.exe  Pid: 1948  Object-Path: C:\Program Files\Spyware Doctor\pctsTray.exe  Status: Visible
Object-Type: Process  Object-Name: Rootkit_Detecti  Pid: 3376  Object-Path: C:\Documents and Settings\NAZ\Desktop\McafeeRootkitDetective\Rootkit_Detective.exe  Status: Visible
Object-Type: Process  Object-Name: lsass.exe  Pid: 648  Object-Path: C:\WINDOWS\system32\lsass.exe  Status: Visible
Object-Type: Process  Object-Name: btwdins.exe  Pid: 2012  Object-Path: C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe  Status: Visible
Object-Type: Process  Object-Name: svchost.exe  Pid: 804  Object-Path: C:\WINDOWS\system32\svchost.exe  Status: Visible
Object-Type: Process  Object-Name: mp3enc.exe  Pid: 2044  Object-Path: C:\Program Files\NCH Swift Sound\Components\mp3el\mp3enc.exe  Status: Visible
Object-Type: Process  Object-Name: PC_Checkup.exe  Pid: 3904  Object-Path: c:\program files\norton pc checkup\pc_checkup.exe  Status: Visible

Scan complete. Hidden registry keys/values: 22
Tags: cutwail, trojan
Copyright © 1996 - 2011 TechGuy, Inc. All rights reserved.

