
Author Topic: backdoor vulnerability  (Read 24531 times)


johnha169

    Topic Starter


    Intermediate

    backdoor vulnerability
    « on: December 24, 2012, 03:00:59 AM »
    Hey, it appears that I seem to have a backdoor vulnerability on my computer because the HJT shows this file spoolsv.exe. I also believe that there is other malware in this log too. Any help would be appreciated.
    So here is the log


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 21:11:09, on 12/24/2012
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
    C:\WINDOWS\tsnp2std.exe
    C:\WINDOWS\vsnp2std.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Documents and Settings\noname\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
    C:\Program Files\Unwired\UwSCT.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\noname\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\noname\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\noname\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\noname\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\noname\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\noname\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Program Files\Common Files\Java\Java Update\jucheck.exe
    C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    C:\Documents and Settings\noname\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\noname\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\noname\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\noname\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\noname\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.certified-toolbar.com?si=41460&tid=2938&bs=true&q=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.certified-toolbar.com?si=41460&tid=2938&bs=true&q=
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.2345.com/?751
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.certified-toolbar.com?si=41460&tid=2938&bs=true&q=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.certified-toolbar.com?si=41460&tid=2938&bs=true&q=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.certified-toolbar.com?si=41460&home=true&tid=2938
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://search.certified-toolbar.com?si=41460&tid=2938&bs=true&q=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://search.certified-toolbar.com?si=41460&tid=2938&bs=true&q=
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~2\Office14\URLREDIR.DLL
    O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\PROGRA~1\TEXTware\QUICKF~1\PlugIns\IEHelp.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: (no name) - {8d3ec233-b92d-4187-a506-284127cfba2d} - (no file)
    O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
    O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe
    O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v3] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" /source=HKLM
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\noname\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /minimized /regrun
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - Global Startup: Unwired Launchpad.lnk = C:\Program Files\Unwired\UwSCT.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
    O9 - Extra button: (no name) - {5f7f7e76-0f61-4de9-8ae6-e5ee565cd118} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
    O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1344919653824
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
    O23 - Service: SAS Core Service (!SASCORE) - Unknown owner - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE (file missing)
    O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: MBAMScheduler - Unknown owner - C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe (file missing)
    O23 - Service: MBAMService - Unknown owner - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (file missing)
    O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files\Skype\Updater\Updater.exe

    --
    End of file - 8179 bytes
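An added triage helper for logs in the HijackThis format posted above (example code written for this thread; it is not part of HijackThis, Computer Hope, or any tool named here). It parses the "Running processes" section and the R0/R1/O2/O3/O23 entries, counts how many times each process path appears (which answers the "why three svchost.exe" question in a measurable way), lists search/start-page hosts that are not on an assumed list of Microsoft and Google defaults, and lists entries whose file is reported missing. The sample lines are copied from the log in this thread; the EXPECTED_HOSTS set is an assumption, and a host outside it is something to review, not a verdict.

```python
"""Triage helper for HijackThis-style logs (example for this thread,
not HijackThis's own code)."""
import re
from urllib.parse import urlsplit

# Constructed sample: lines copied from the log posted above.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.certified-toolbar.com?si=41460&tid=2938&bs=true&q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.2345.com/?751
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: (no name) - {8d3ec233-b92d-4187-a506-284127cfba2d} - (no file)
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O23 - Service: SAS Core Service (!SASCORE) - Unknown owner - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE (file missing)
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
"""

# Hosts treated as expected defaults for IE search/start settings (assumption).
EXPECTED_HOSTS = {"go.microsoft.com", "www.microsoft.com",
                  "www.google.com", "www.bing.com"}

ENTRY_RE = re.compile(r"^(?P<kind>R\d|O\d+)\s+-\s+(?P<body>.*)$")


def parse_hjt(text):
    """Return (kind, body) tuples for every R*/O* entry line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m["kind"], m["body"]))
    return entries


def process_counts(text):
    """Count each path in the 'Running processes:' section (case-folded,
    since Windows paths are case-insensitive)."""
    counts = {}
    in_section = False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_section = True
            continue
        if in_section:
            if not line:          # blank line ends the section
                break
            key = line.lower()
            counts[key] = counts.get(key, 0) + 1
    return counts


def unexpected_search_hosts(entries):
    """Map each non-default host in R0/R1 URLs to the settings pointing at it."""
    hosts = {}
    for kind, body in entries:
        if kind not in ("R0", "R1"):
            continue
        setting, sep, url = body.partition(" = ")
        if not sep:
            continue
        host = urlsplit(url.strip()).hostname
        if host and host not in EXPECTED_HOSTS:
            hosts.setdefault(host, []).append(setting)
    return hosts


def dangling_entries(entries):
    """BHO/toolbar entries with '(no file)' and services with '(file missing)':
    leftovers that point at nothing and can simply be reviewed and removed."""
    return [(kind, body) for kind, body in entries
            if kind in ("O2", "O3", "O23")
            and ("(no file)" in body or "(file missing)" in body)]


def triage(text):
    entries = parse_hjt(text)
    return {
        "process_counts": process_counts(text),
        "search_hosts": unexpected_search_hosts(entries),
        "dangling": dangling_entries(entries),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for path, n in sorted(report["process_counts"].items()):
        print(f"{n}x  {path}")
    for host, settings in report["search_hosts"].items():
        print(f"review host {host}: {len(settings)} setting(s)")
    for kind, body in report["dangling"]:
        print(f"{kind} points at a missing file: {body}")
```

On the posted log this reports three svchost.exe instances under System32 (normal, as the reply below says), flags search.certified-toolbar.com and www.2345.com as the hosts behind the search and start-page settings, and lists the toolbar with no file and the SUPERAntiSpyware/Malwarebytes services whose binaries are missing.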

    johnha169

      Topic Starter


      Intermediate

      Re: backdoor vulnerability
      « Reply #1 on: December 24, 2012, 03:04:14 AM »
      Sorry to mention, why do those programs run three times, such as

      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      .....
      C:\WINDOWS\System32\svchost.exe

      while running, will it affect PC performance?

      Thank you

      harry 48



        Egghead

      • lay back , relax and chill out
      • Thanked: 129
        • Yes
        • Yes
        • Yes
        • Dribbling Pensioner
      • Certifications: List
      • Experience: Familiar
      • OS: Windows 7
      Re: backdoor vulnerability
      « Reply #2 on: December 24, 2012, 03:49:48 PM »

      SuperDave

      • Malware Removal Specialist


      • Genius
      • Thanked: 1020
      • Certifications: List
      • Experience: Expert
      • OS: Windows 10
      Re: backdoor vulnerability
      « Reply #3 on: December 24, 2012, 03:53:12 PM »
      Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

      1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
      2. The fixes are specific to your problem and should only be used for this issue on this machine.
      3. If you don't know or understand something, please don't hesitate to ask.
      4. Please DO NOT run any other tools or scans while I am helping you.
      5. It is important that you reply to this thread. Do not start a new topic.
      6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
      7. Absence of symptoms does not mean that everything is clear.

      If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
      *************************************************************************
      The spool server is a MS file. You can read more here.
      Quote
      Sorry to mention, why do those programs run three times, such as

      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      .....
      C:\WINDOWS\System32\svchost.exe

      while running, will it affect PC performance?

      Those are normal and shouldn't affect the performance of your computer.

      Please download AdwCleaner by Xplode onto your Desktop.
      • Double click on AdwCleaner.exe to run the tool.
      • Click on Search.
      • A logfile will automatically open after the scan has finished.
      • Please post the content of that logfile in your reply.
      • You can find the logfile at C:\AdwCleaner[Rn].txt as well - n is the order number.
      *********************************************
      Please download Malwarebytes Anti-Malware from here.
      Double Click mbam-setup.exe to install the application.
      • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
      • If an update is found, it will download and install the latest version.
      • Once the program has loaded, select "Perform Full Scan", then click Scan.
      • The scan may take some time to finish, so please be patient.
      • When the scan is complete, click OK, then Show Results to view the results.
      • Make sure that everything is checked, and click Remove Selected.
      • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
      • Please save the log to a location you will remember.
      • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
      • Copy and paste the entire report in your next reply.
      Extra Note:

      If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
      *********************************************
      Download Security Check by screen317 from one of the following links and save it to your desktop.

      Link 1
      Link 2

      * Double-click Security Check.bat
      * Follow the on-screen instructions inside of the black box.
      * A Notepad document should open automatically called checkup.txt
      * Post the contents of that document in your next reply.

      Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
      Windows 8 and Windows 10 dual boot with two SSD's

      johnha169

        Topic Starter


        Intermediate

        Re: backdoor vulnerability
        « Reply #4 on: December 24, 2012, 04:35:45 PM »
        Hey, here is the Adwcleaner log

        # AdwCleaner v2.102 - Logfile created 12/25/2012 at 10:49:51
        # Updated 23/12/2012 by Xplode
        # Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
        # User : noname - SKY-20121011IPJ
        # Boot Mode : Normal
        # Running from : C:\Documents and Settings\noname\My Documents\Downloads\adwcleaner (1).exe
        # Option [Search]


        ***** [Services] *****


        ***** [Files / Folders] *****


        ***** [Registry] *****

        Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
        Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
        Key Found : HKU\S-1-5-21-1202660629-329068152-1177238915-1003\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
        Value Found : HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel [Homepage]

        ***** [Internet Browsers] *****

        -\\ Internet Explorer v8.0.6001.18702

        [HKCU\Software\Microsoft\Internet Explorer\Main - Search Page] = hxxp://search.certified-toolbar.com?si=41460&tid=2938&bs=true&q=
        [HKCU\Software\Microsoft\Internet Explorer\Main - Search Bar] = hxxp://search.certified-toolbar.com?si=41460&tid=2938&bs=true&q=
        [HKCU\Software\Microsoft\Internet Explorer\Search - Start Page] = hxxp://search.certified-toolbar.com?si=41460&home=true&tid=2938
        [HKCU\Software\Microsoft\Internet Explorer\Search - Start Default_Page_URL] = hxxp://search.certified-toolbar.com?si=41460&home=true&tid=2938
        [HKCU\Software\Microsoft\Internet Explorer\Search - Default_Search_URL] = hxxp://search.certified-toolbar.com?si=41460&tid=2938&bs=true&q=
        [HKCU\Software\Microsoft\Internet Explorer\Search - Search Bar] = hxxp://search.certified-toolbar.com?si=41460&tid=2938&bs=true&q=
        [HKCU\Software\Microsoft\Internet Explorer\Search - Search Page] = hxxp://search.certified-toolbar.com?si=41460&tid=2938&bs=true&q=
        [HKLM\SOFTWARE\Microsoft\Internet Explorer\Search - Start Page] = hxxp://search.certified-toolbar.com?si=41460&home=true&tid=2938
        [HKLM\SOFTWARE\Microsoft\Internet Explorer\Search - Start Default_Page_URL] = hxxp://search.certified-toolbar.com?si=41460&home=true&tid=2938
        [HKLM\SOFTWARE\Microsoft\Internet Explorer\Search - Default_Search_URL] = hxxp://search.certified-toolbar.com?si=41460&tid=2938&bs=true&q=
        [HKLM\SOFTWARE\Microsoft\Internet Explorer\Search - Search Bar] = hxxp://search.certified-toolbar.com?si=41460&tid=2938&bs=true&q=
        [HKLM\SOFTWARE\Microsoft\Internet Explorer\Search - Search Page] = hxxp://search.certified-toolbar.com?si=41460&tid=2938&bs=true&q=
        [HKLM\SOFTWARE\Microsoft\Internet Explorer\Main - Default_Search_URL] = hxxp://search.certified-toolbar.com?si=41460&tid=2938&bs=true&q=
        [HKLM\SOFTWARE\Microsoft\Internet Explorer\Main - Search Page] = hxxp://search.certified-toolbar.com?si=41460&tid=2938&bs=true&q=
        [HKLM\SOFTWARE\Microsoft\Internet Explorer\Main - Start Page] = hxxp://search.certified-toolbar.com?si=41460&home=true&tid=2938

        -\\ Google Chrome v23.0.1271.97

        File : C:\Documents and Settings\noname\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

        Found [l.12] : homepage = "hxxp://search.certified-toolbar.com?si=41460&home=true&tid=2938",
        Found [l.16] : urls_to_restore_on_startup = [ "hxxp://search.certified-toolbar.com?si=41460&home=true&tid=2938" ]
        Found [l.65] : keyword = "search.certified-toolbar.com",
        Found [l.68] : search_url = "hxxp://search.certified-toolbar.com?si=41460&bs=true&tid=2938&q={searchTerms}",
        Found [l.1577] : homepage = "hxxp://search.certified-toolbar.com?si=41460&home=true&tid=2938",
        Found [l.2084] : urls_to_restore_on_startup = [ "hxxp://search.certified-toolbar.com?si=41460&home=true&tid=2938" ]

        *************************

        AdwCleaner[R1].txt - [3881 octets] - [17/12/2012 20:52:58]
        AdwCleaner[R2].txt - [3813 octets] - [25/12/2012 10:49:51]

        ########## EOF - C:\AdwCleaner[R2].txt - [3873 octets] ##########

        johnha169

          Topic Starter


          Intermediate

          Re: backdoor vulnerability
          « Reply #5 on: December 24, 2012, 04:43:15 PM »
          Here is the Security Check result, just another minute for the Malwarebytes Anti-Malware result

           Results of screen317's Security Check version 0.99.56 
           Windows XP Service Pack 3 x86   
           Internet Explorer 8 
          ``````````````Antivirus/Firewall Check:``````````````[/u]
           Windows Security Center service is not running! This report may not be accurate!
           Windows Firewall Enabled! 
          ESET NOD32 Antivirus 5.2   
           Antivirus up to date! 
          `````````Anti-malware/Other Utilities Check:`````````[/u]
           Out of date HijackThis  installed!
           SUPERAntiSpyware     
           Malwarebytes Anti-Malware version 1.65.1.1000 
           HijackThis 2.0.2   
           Java(TM) 6 Update 26 
           Java version out of Date!
           Adobe Reader 10.1.1 Adobe Reader out of Date! 
          ````````Process Check: objlist.exe by Laurent````````[/u] 
           ESET NOD32 Antivirus egui.exe 
           ESET NOD32 Antivirus ekrn.exe 
           Malwarebytes Anti-Malware mbam.exe 
           Malwarebytes' Anti-Malware mbamscheduler.exe   
           noname Desktop Malware Softwware SecurityCheck.exe
          `````````````````System Health check`````````````````[/u]
           Total Fragmentation on Drive C:: 12% Defragment your hard drive soon! (Do NOT defrag if SSD!)
          ````````````````````End of Log``````````````````````[/u]

          johnha169

            Topic Starter


            Intermediate

            Re: backdoor vulnerability
            « Reply #6 on: December 24, 2012, 05:44:39 PM »
            Malwarebytes Anti-Malware (Trial) 1.65.1.1000
            www.malwarebytes.org

            Database version: v2012.09.29.05

            Windows XP Service Pack 3 x86 NTFS
            Internet Explorer 8.0.6001.18702
            noname :: SKY-20121011IPJ [administrator]

            Protection: Disabled

            12/25/2012 10:53:35
            mbam-log-2012-12-25 (10-53-35).txt

            Scan type: Full scan (C:\|)
            Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
            Scan options disabled: P2P
            Objects scanned: 236556
            Time elapsed: 30 minute(s), 48 second(s)

            Memory Processes Detected: 0
            (No malicious items detected)

            Memory Modules Detected: 0
            (No malicious items detected)

            Registry Keys Detected: 0
            (No malicious items detected)

            Registry Values Detected: 0
            (No malicious items detected)

            Registry Data Items Detected: 4
            HKCU\SOFTWARE\Microsoft\Internet Explorer\Main|Start Page (Hijack.StartPage.Gen) -> Bad: (http://www.2345.com/?751) Good: (http://www.google.com) -> Quarantined and repaired successfully.
            HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
            HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
            HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoSMHelp (PUM.Hijack.Help) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

            Folders Detected: 0
            (No malicious items detected)

            Files Detected: 0
            (No malicious items detected)

            (end)

            thank you

            johnha169

              Topic Starter


              Intermediate

              Re: backdoor vulnerability
              « Reply #7 on: December 24, 2012, 05:52:05 PM »
              At the moment, I am using the Google Chrome browser, not IE; those programs you requested only deal with IE, do they also scan the Chrome browser? thanks

              SuperDave

              • Malware Removal Specialist


              • Genius
              • Thanked: 1020
              • Certifications: List
              • Experience: Expert
              • OS: Windows 10
              Re: backdoor vulnerability
              « Reply #8 on: December 24, 2012, 06:05:04 PM »
              Remove the Adware:
              • Please close all open programs and internet browsers.
              • Double click on adwcleaner.exe to run the tool.
              • Click on Delete.
              • Confirm each time with OK
              • Your computer will be rebooted automatically. A text file will open after the restart.
              • Please post the content of that logfile in your reply.
              • You can find the logfile at C:\AdwCleaner[Sn].txt as well - n is the order number.
              ******************************************************
              Update Your Java (JRE)

              Old versions of Java have vulnerabilities that malware can use to infect your system.


              First Verify your Java Version

              If there are any other version(s) installed then update now.

              Get the new version (if needed)

              If your version is out of date install the newest version of the Sun Java Runtime Environment.

              Note: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

              Be sure to close ALL open web browsers before starting the installation.

              Remove any old versions

              1. Download JavaRa and unzip the file to your Desktop.
              2. Open JavaRA.exe and choose Remove Older Versions
              3. Once complete exit JavaRA.

              Additional Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and reboot your computer.
              ******************************************
              Quote
              do they also scan Chrome browser?
              Yes, we are cleaning the whole computer.
              *********************************************
              Download Combofix from any of the links below, and save it to your DESKTOP

              Link 1
              Link 2
              Link 3

              To prevent your anti-virus application interfering with ComboFix we need to disable it. See here for a tutorial regarding how to do so if you are unsure.
              • Close any open windows and double click ComboFix.exe to run it.

                You will see the following image:


              Click I Agree to start the program.

              ComboFix will then extract the necessary files and you will see this:



              As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. This will not occur in Windows Vista and 7

              It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

              If you did not have it installed, you will see the prompt below. Choose YES.



              Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

              **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

              Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



              Click on Yes, to continue scanning for malware.

              When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

              Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

              Note: Please Do NOT mouseclick ComboFix's window while it's running because it may cause it to stall.
              Windows 8 and Windows 10 dual boot with two SSD's

              johnha169

                Topic Starter


                Intermediate

                Re: backdoor vulnerability
                « Reply #9 on: December 24, 2012, 07:28:32 PM »
                Java updated

                Adwcleaner log

                # AdwCleaner v2.102 - Logfile created 12/25/2012 at 12:46:18
                # Updated 23/12/2012 by Xplode
                # Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
                # User : noname - SKY-20121011IPJ
                # Boot Mode : Normal
                # Running from : C:\Documents and Settings\noname\My Documents\Downloads\adwcleaner (1).exe
                # Option [Delete]


                ***** [Services] *****


                ***** [Files / Folders] *****


                ***** [Registry] *****

                Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
                Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
                Value Deleted : HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel [Homepage]

                ***** [Internet Browsers] *****

                -\\ Internet Explorer v8.0.6001.18702

                Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Search Page] = hxxp://search.certified-toolbar.com?si=41460&tid=2938&bs=true&q= --> hxxp://www.google.com
                Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Search Bar] = hxxp://search.certified-toolbar.com?si=41460&tid=2938&bs=true&q= --> hxxp://www.google.com
                Replaced : [HKCU\Software\Microsoft\Internet Explorer\Search - Start Page] = hxxp://search.certified-toolbar.com?si=41460&home=true&tid=2938 --> hxxp://www.google.com
                Replaced : [HKCU\Software\Microsoft\Internet Explorer\Search - Start Default_Page_URL] = hxxp://search.certified-toolbar.com?si=41460&home=true&tid=2938 --> hxxp://www.google.com
                Replaced : [HKCU\Software\Microsoft\Internet Explorer\Search - Default_Search_URL] = hxxp://search.certified-toolbar.com?si=41460&tid=2938&bs=true&q= --> hxxp://www.google.com
                Replaced : [HKCU\Software\Microsoft\Internet Explorer\Search - Search Bar] = hxxp://search.certified-toolbar.com?si=41460&tid=2938&bs=true&q= --> hxxp://www.google.com
                Replaced : [HKCU\Software\Microsoft\Internet Explorer\Search - Search Page] = hxxp://search.certified-toolbar.com?si=41460&tid=2938&bs=true&q= --> hxxp://www.google.com
                Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\Search - Start Page] = hxxp://search.certified-toolbar.com?si=41460&home=true&tid=2938 --> hxxp://www.google.com
                Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\Search - Start Default_Page_URL] = hxxp://search.certified-toolbar.com?si=41460&home=true&tid=2938 --> hxxp://www.google.com
                Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\Search - Default_Search_URL] = hxxp://search.certified-toolbar.com?si=41460&tid=2938&bs=true&q= --> hxxp://www.google.com
                Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\Search - Search Bar] = hxxp://search.certified-toolbar.com?si=41460&tid=2938&bs=true&q= --> hxxp://www.google.com
                Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\Search - Search Page] = hxxp://search.certified-toolbar.com?si=41460&tid=2938&bs=true&q= --> hxxp://www.google.com
                Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\Main - Default_Search_URL] = hxxp://search.certified-toolbar.com?si=41460&tid=2938&bs=true&q= --> hxxp://www.google.com
                Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\Main - Search Page] = hxxp://search.certified-toolbar.com?si=41460&tid=2938&bs=true&q= --> hxxp://www.google.com
                Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\Main - Start Page] = hxxp://search.certified-toolbar.com?si=41460&home=true&tid=2938 --> hxxp://www.google.com

                -\\ Google Chrome v23.0.1271.97

                File : C:\Documents and Settings\noname\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

                Deleted [l.12] : homepage = "hxxp://search.certified-toolbar.com?si=41460&home=true&tid=2938",
                Deleted [l.16] : urls_to_restore_on_startup = [ "hxxp://search.certified-toolbar.com?si=41460&home=true&tid[...]
                Deleted [l.65] : keyword = "search.certified-toolbar.com",
                Deleted [l.68] : search_url = "hxxp://search.certified-toolbar.com?si=41460&bs=true&tid=2938&q={searchTerms}",
                Deleted [l.1577] : homepage = "hxxp://search.certified-toolbar.com?si=41460&home=true&tid=2938",
                Deleted [l.2111] : urls_to_restore_on_startup = [ "hxxp://search.certified-toolbar.com?si=41460&home=true&tid=29[...]

                *************************

                AdwCleaner[R1].txt - [3881 octets] - [17/12/2012 20:52:58]
                AdwCleaner[R2].txt - [3942 octets] - [25/12/2012 10:49:51]
                AdwCleaner[S2].txt - [4291 octets] - [25/12/2012 12:46:18]

                ########## EOF - C:\AdwCleaner[S2].txt - [4351 octets] ##########
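
The AdwCleaner entries above show the Chrome Preferences keys a search hijacker rewrites (homepage, urls_to_restore_on_startup, the default search provider's keyword and search_url). As an added example, not from the thread or from AdwCleaner, the following Python reads a Preferences file, collects the values under those keys and reports any host that is not an expected search provider; the sample JSON is constructed to mirror the log, and the allowlist of hosts is an assumption.

```python
"""Check a Chrome Preferences file for the search/start-page hijack that
AdwCleaner cleaned up in the log above.

Added example, not part of the thread and not AdwCleaner's own code. It
walks the Preferences JSON, collects the string values under the same keys
AdwCleaner rewrote (homepage, urls_to_restore_on_startup, keyword,
search_url) and reports every host that is not on an allowlist. The sample
JSON is constructed for the example and the allowlist is an assumption.
"""
import json
from urllib.parse import urlparse

# Search/start-page hosts the user actually chose (assumption for the example).
ALLOWED_HOSTS = {"www.google.com", "google.com", "www.bing.com"}

# The Preferences keys AdwCleaner deleted in the log, as named in Chrome's JSON.
WATCHED_KEYS = {"homepage", "urls_to_restore_on_startup", "keyword", "search_url"}

# Constructed sample: a profile still pointing at the hijacker from the log.
SAMPLE_PREFERENCES = json.dumps({
    "homepage": "http://search.certified-toolbar.com?si=41460&home=true&tid=2938",
    "homepage_is_newtabpage": False,
    "session": {
        "restore_on_startup": 4,
        "urls_to_restore_on_startup": [
            "http://search.certified-toolbar.com?si=41460&home=true&tid=2938",
        ],
    },
    "default_search_provider": {
        "enabled": True,
        "keyword": "search.certified-toolbar.com",
        "name": "Search",
        "search_url": "http://search.certified-toolbar.com?si=41460&bs=true&tid=2938&q={searchTerms}",
    },
})


def host_of(value):
    """Host part of a URL. The 'keyword' field holds a bare domain, so a
    scheme is prefixed when none is present so urlparse sees a netloc."""
    parsed = urlparse(value if "://" in value else "http://" + value)
    return (parsed.hostname or "").lower()


def watched_values(node, path=""):
    """Yield (dotted_key_path, string_value) for each string under a watched key."""
    if isinstance(node, dict):
        for key, child in node.items():
            sub = f"{path}.{key}" if path else key
            if key in WATCHED_KEYS:
                for item in (child if isinstance(child, list) else [child]):
                    if isinstance(item, str):
                        yield sub, item
            else:
                yield from watched_values(child, sub)
    elif isinstance(node, list):
        for index, child in enumerate(node):
            yield from watched_values(child, f"{path}[{index}]")


def find_hijacks(preferences_json, allowed_hosts=ALLOWED_HOSTS):
    """Return [(key_path, host), ...] for every watched value on a non-allowed host."""
    findings = []
    for key_path, value in watched_values(json.loads(preferences_json)):
        host = host_of(value)
        if host and host not in allowed_hosts:
            findings.append((key_path, host))
    return findings


if __name__ == "__main__":
    for key_path, host in find_hijacks(SAMPLE_PREFERENCES):
        print(f"{key_path}: points at {host}")
```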

                johnha169

                  Topic Starter


                  Intermediate

                  Re: backdoor vulnerability
                  « Reply #10 on: December 24, 2012, 07:29:46 PM »
                  ComboFix log

                  ComboFix 12-12-23.01 - noname 12/25/2012  13:31:13.1.1 - x86
                  Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1014.507 [GMT 11:00]
                  Running from: c:\documents and settings\noname\My Documents\Downloads\ComboFix.exe
                  AV: ESET NOD32 Antivirus 5.2 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
                   * Resident AV is active
                  .
                  .
                  WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
                  .
                  .
                  (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
                  .
                  .
                  c:\windows\apppatch\AppLoc.exe
                  .
                  .
                  (((((((((((((((((((((((((   Files Created from 2012-11-25 to 2012-12-25  )))))))))))))))))))))))))))))))
                  .
                  .
                  2012-12-25 02:31 . 2012-12-25 02:31   --------   d-----w-   c:\documents and settings\noname\Local Settings\Application Data\ESET
                  2012-12-25 02:19 . 2012-12-25 02:19   --------   d-----w-   c:\windows\Sun
                  2012-12-25 02:18 . 2012-12-25 02:18   --------   d-----w-   c:\program files\Common Files\Java
                  2012-12-25 02:18 . 2012-12-25 02:17   73728   ----a-w-   c:\windows\system32\javacpl.cpl
                  2012-12-25 02:18 . 2012-12-25 02:17   477168   ----a-w-   c:\windows\system32\npdeployJava1.dll
                  2012-12-25 02:17 . 2012-12-25 02:17   --------   d-----w-   c:\program files\Java
                  2012-12-24 23:51 . 2012-12-24 23:51   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
                  2012-12-24 23:51 . 2012-09-29 08:54   22856   ----a-w-   c:\windows\system32\drivers\mbam.sys
                  2012-12-24 20:48 . 2012-12-24 20:58   --------   d-----w-   c:\program files\WinOrganizer
                  2012-12-17 10:07 . 2012-12-17 10:07   --------   d-sh--w-   c:\documents and settings\Administrator\PrivacIE
                  2012-12-16 13:04 . 2012-12-16 13:04   --------   d-----w-   c:\program files\CCleaner
                  2012-12-16 07:34 . 2012-12-16 07:34   --------   d-----w-   c:\documents and settings\noname\Application Data\Malwarebytes
                  2012-12-16 07:16 . 2012-12-16 07:16   --------   d-----w-   c:\documents and settings\noname\Application Data\SUPERAntiSpyware.com
                  2012-12-16 07:15 . 2012-12-16 13:02   --------   d-----w-   c:\program files\SUPERAntiSpyware
                  2012-12-16 07:15 . 2012-12-16 07:15   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
                  2012-12-16 07:10 . 2012-12-16 07:10   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
                  2012-12-11 10:37 . 2012-12-11 10:38   --------   d-----w-   C:\Reg
                  2012-12-05 08:30 . 2012-12-05 08:30   --------   d-----w-   c:\program files\Trend Micro
                  .
                  .
                  .
                  ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                  .
                  2012-12-25 02:17 . 2010-12-30 06:32   473072   ----a-w-   c:\windows\system32\deployJava1.dll
                  2012-12-16 12:23 . 2008-04-14 12:00   290560   ----a-w-   c:\windows\system32\atmfd.dll
                  2012-11-13 01:25 . 2008-04-14 12:00   1866368   ----a-w-   c:\windows\system32\win32k.sys
                  2012-11-02 02:02 . 2008-04-14 12:00   375296   ----a-w-   c:\windows\system32\dpnet.dll
                  2012-11-01 12:17 . 2008-04-14 12:00   916992   ----a-w-   c:\windows\system32\wininet.dll
                  2012-11-01 12:17 . 2008-04-14 12:00   43520   ----a-w-   c:\windows\system32\licmgr10.dll
                  2012-11-01 12:17 . 2008-04-14 12:00   1469440   ----a-w-   c:\windows\system32\inetcpl.cpl
                  2012-11-01 00:35 . 2008-04-14 12:00   385024   ----a-w-   c:\windows\system32\html.iec
                  2012-10-02 18:04 . 2008-04-14 12:00   58368   ----a-w-   c:\windows\system32\synceng.dll
                  .
                  .
                  (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                  .
                  .
                  *Note* empty entries & legit default entries are not shown
                  REGEDIT4
                  .
                  [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                  "Skype"="c:\program files\Skype\Phone\Skype.exe" [2012-07-13 17418928]
                  "Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2011-11-23 6497592]
                  .
                  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                  "egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2012-03-07 3117344]
                  "tsnp2std"="c:\windows\tsnp2std.exe" [2006-01-06 110592]
                  "snp2std"="c:\windows\vsnp2std.exe" [2006-01-06 344064]
                  "pdfFactory Pro Dispatcher v3"="c:\windows\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" [2008-10-27 573440]
                  "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
                  "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-09-17 254896]
                  .
                  c:\documents and settings\All Users\Start Menu\Programs\Startup\
                  Unwired Launchpad.lnk - c:\program files\Unwired\UwSCT.exe [2007-5-25 200704]
                  .
                  [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
                  "NoSMConfigurePrograms"= 1 (0x1)
                  "NoResolveTrack"= 1 (0x1)
                  .
                  [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
                  "NoSMHelp"= 1 (0x1)
                  "NoSMConfigurePrograms"= 1 (0x1)
                  "NoResolveTrack"= 1 (0x1)
                  .
                  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
                  @=""
                  .
                  [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
                  "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
                  "%windir%\\system32\\sessmgr.exe"=
                  "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
                  "c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
                  "c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
                  "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
                  .
                  R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [3/14/2012 11:40 AM 120152]
                  R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [3/14/2012 11:40 AM 104160]
                  R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [3/7/2012 6:40 PM 913144]
                  R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [12/25/2012 10:51 AM 399432]
                  S1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS --> c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [?]
                  S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.SYS --> c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [?]
                  S2 !SASCORE;SAS Core Service;"c:\program files\SUPERAntiSpyware\SASCORE.EXE" --> c:\program files\SUPERAntiSpyware\SASCORE.EXE [?]
                  S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/25/2012 10:51 AM 676936]
                  S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [7/13/2012 1:28 PM 160944]
                  S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [12/25/2012 10:51 AM 22856]
                  .
                  --- Other Services/Drivers In Memory ---
                  .
                  *NewlyCreated* - JAVAQUICKSTARTERSERVICE
                  *NewlyCreated* - MBAMPROTECTOR
                  *NewlyCreated* - MBAMSERVICE
                  .
                  Contents of the 'Scheduled Tasks' folder
                  .
                  2012-10-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1202660629-329068152-1177238915-1003Core1cda745ab205abe.job
                  - c:\documents and settings\noname\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-09-20 13:19]
                  .
                  2012-08-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1202660629-329068152-1177238915-1003UA.job
                  - c:\documents and settings\noname\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-09-20 13:19]
                  .
                  2012-10-30 c:\windows\Tasks\Protected Search.job
                  - c:\program files\Protected Search\ProtectedSearch.exe [2012-10-30 22:43]
                  .
                  2012-11-05 c:\windows\Tasks\User_Feed_Synchronization-{E1F925C7-1895-4AEB-89F4-990DCB07AF82}.job
                  - c:\windows\system32\msfeedssync.exe [2009-03-07 21:31]
                  .
                  .
                  ------- Supplementary Scan -------
                  .
                  uStart Page = hxxp://www.google.com
                  mStart Page = hxxp://www.google.com
                  IE: {{5f7f7e76-0f61-4de9-8ae6-e5ee565cd118} - {8d3ec233-b92d-4187-a506-284127cfba2d} -
                  .
                  - - - - ORPHANS REMOVED - - - -
                  .
                  Toolbar-{8d3ec233-b92d-4187-a506-284127cfba2d} - (no file)
                  Toolbar-Locked - (no file)
                  HKCU-Run-SUPERAntiSpyware - c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
                  ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\SUPERAntiSpyware\SASSEH.DLL
                  .
                  .
                  .
                  **************************************************************************
                  .
                  catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                  Rootkit scan 2012-12-25 13:38
                  Windows 5.1.2600 Service Pack 3 NTFS
                  .
                  scanning hidden processes ... 
                  .
                  scanning hidden autostart entries ...
                  .
                  scanning hidden files ... 
                  .
                  scan completed successfully
                  hidden files: 0
                  .
                  **************************************************************************
                  .
                  Completion time: 2012-12-25  13:40:33
                  ComboFix-quarantined-files.txt  2012-12-25 02:40
                  .
                  Pre-Run: 37,402,456,064 bytes free
                  Post-Run: 38,182,469,632 bytes free
                  .
                  - - End Of File - - BF8B3333937AC7CF5ADECB7A69036939

                  Thanks

                  johnha169

                    Topic Starter


                    Intermediate

                    Re: backdoor vulnerability
                    « Reply #11 on: December 24, 2012, 08:45:54 PM »
                    Hey Dave,

                    Not sure if you have noticed this from other users, but I believe ESET and Malwarebytes Anti-Malware are not compatible with each other, because my system froze and I was unable to move my cursor or anything else as long as ESET was loaded (Malwarebytes Anti-Malware loaded before ESET).

                    This is the second time I have tried. 3 months ago I installed Malwarebytes Anti-Malware and the same thing happened then; so I went into safe mode and deleted Malwarebytes Anti-Malware, and it works fine on my computer now.

                    Or could it be malware that makes my system freeze?

                    Cheers

                    SuperDave

                    • Malware Removal Specialist


                    • Genius
                    • Thanked: 1020
                    • Certifications: List
                    • Experience: Expert
                    • OS: Windows 10
                    Re: backdoor vulnerability
                    « Reply #12 on: December 25, 2012, 01:05:39 PM »
                    Quote
                    Not sure if you have noticed this from other users, but I believe ESET and Malwarebytes Anti-Malware are not compatible with each other, because my system froze and I was unable to move my cursor or anything else as long as ESET was loaded (Malwarebytes Anti-Malware loaded before ESET).
                    This is the first time I've heard of this. It shouldn't be a problem. Let's run some more scans.

                    Please download aswMBR.exe ( 511KB ) to your desktop.

                    Double click the aswMBR.exe to run it.

                    Click the "Scan" button to start the scan.

                    Note: Do not take action against any **Rootkit** entries until I have reviewed the log. Often there are false positives.

                    On completion of the scan click save log, save it to your desktop and post it in your next reply.
                    **************************************
                    SysProt Antirootkit

                    Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

                    http://sites.google.com/site/sysprotantirootkit/

                    Unzip it into a folder on your desktop.
                    • Double click Sysprot.exe to start the program.
                    • Click on the Log tab.
                    • In the Write to log box select the following items.
                      • Process << Selected
                      • Kernel Modules << Selected
                      • SSDT << Selected
                      • Kernel Hooks << Selected
                      • IRP Hooks << NOT Selected
                      • Ports << NOT Selected
                      • Hidden Files << Selected
                    • At the bottom of the page
                      • Hidden Objects Only << Selected
                    • Click on the Create Log button on the bottom right.
                    • After a few seconds a new window should appear.
                    • Select Scan Root Drive. Click on the Start button.
                    • When it is complete a new window will appear to indicate that the scan is finished.
                    • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.
                    Windows 8 and Windows 10 dual boot with two SSD's

                    johnha169

                      Topic Starter


                      Intermediate

                      Re: backdoor vulnerability
                      « Reply #13 on: December 25, 2012, 02:38:20 PM »
                      Merry Xmas and Happy New Year, Dave. All the best for this year :)

                      Thanks for your time and for being a good helper here.

                      So here are the logs you requested.

                      aswMBR

                      aswMBR version 0.9.9.1707 Copyright(c) 2011 AVAST Software
                      Run date: 2012-12-26 08:43:36
                      -----------------------------
                      08:43:36.593    OS Version: Windows 5.1.2600 Service Pack 3
                      08:43:36.593    Number of processors: 1 586 0xD08
                      08:43:36.593    ComputerName: SKY-20121011IPJ  UserName: noname
                      08:43:38.375    Initialize success
                      08:43:48.562    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
                      08:43:48.578    Disk 0 Vendor: SAMSUNG_MP0603H UD100-14 Size: 56759MB BusType: 3
                      08:43:48.593    Disk 0 MBR read successfully
                      08:43:48.609    Disk 0 MBR scan
                      08:43:48.625    Disk 0 Windows XP default MBR code
                      08:43:48.625    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS        56753 MB offset 63
                      08:43:48.640    Disk 0 scanning sectors +116230275
                      08:43:48.734    Disk 0 scanning C:\WINDOWS\system32\drivers
                      08:44:14.828    Service scanning
                      08:44:28.546    Modules scanning
                      08:44:36.703    Disk 0 trace - called modules:
                      08:44:36.718    ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
                      08:44:36.718    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8610cab8]
                      08:44:36.718    3 CLASSPNP.SYS[f74c7fd7] -> nt!IofCallDriver -> \Device\0000007e[0x861ef9e8]
                      08:44:36.734    5 ACPI.sys[f743e620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-4[0x861ba940]
                      08:44:36.734    Scan finished successfully
                      08:45:04.140    Disk 0 MBR has been saved successfully to "C:\Documents and Settings\noname\Desktop\MBR.dat"
                      08:45:04.171    The log file has been saved successfully to "C:\Documents and Settings\noname\Desktop\aswMBR log.txt"


                      SysProt

                      SysProt AntiRootkit v1.0.1.0
                      by swatkat

                      ******************************************************************************************
                      ******************************************************************************************

                      No Hidden Processes found

                      ******************************************************************************************
                      ******************************************************************************************
                      Kernel Modules:
                      Module Name: \??\C:\DOCUME~1\noname\LOCALS~1\Temp\aswMBR.sys
                      Service Name: aswMBR
                      Module Base: AA0C4000
                      Module End: AA0D0000
                      Hidden: Yes

                      ******************************************************************************************
                      ******************************************************************************************
                      SSDT:
                      Function Name: ZwAssignProcessToJobObject
                      Address: AA6674B0
                      Driver Base: AA666000
                      Driver End: AA686000
                      Driver Name: \SystemRoot\system32\DRIVERS\ehdrv.sys

                      Function Name: ZwCreateThread
                      Address: AA6677F0
                      Driver Base: AA666000
                      Driver End: AA686000
                      Driver Name: \SystemRoot\system32\DRIVERS\ehdrv.sys

                      Function Name: ZwDebugActiveProcess
                      Address: AA667AB0
                      Driver Base: AA666000
                      Driver End: AA686000
                      Driver Name: \SystemRoot\system32\DRIVERS\ehdrv.sys

                      Function Name: ZwDuplicateObject
                      Address: AA6675D0
                      Driver Base: AA666000
                      Driver End: AA686000
                      Driver Name: \SystemRoot\system32\DRIVERS\ehdrv.sys

                      Function Name: ZwLoadDriver
                      Address: AA6678B0
                      Driver Base: AA666000
                      Driver End: AA686000
                      Driver Name: \SystemRoot\system32\DRIVERS\ehdrv.sys

                      Function Name: ZwOpenProcess
                      Address: AA667350
                      Driver Base: AA666000
                      Driver End: AA686000
                      Driver Name: \SystemRoot\system32\DRIVERS\ehdrv.sys

                      Function Name: ZwOpenThread
                      Address: AA667410
                      Driver Base: AA666000
                      Driver End: AA686000
                      Driver Name: \SystemRoot\system32\DRIVERS\ehdrv.sys

                      Function Name: ZwProtectVirtualMemory
                      Address: AA667570
                      Driver Base: AA666000
                      Driver End: AA686000
                      Driver Name: \SystemRoot\system32\DRIVERS\ehdrv.sys

                      Function Name: ZwQueueApcThread
                      Address: AA667630
                      Driver Base: AA666000
                      Driver End: AA686000
                      Driver Name: \SystemRoot\system32\DRIVERS\ehdrv.sys

                      Function Name: ZwSetContextThread
                      Address: AA667530
                      Driver Base: AA666000
                      Driver End: AA686000
                      Driver Name: \SystemRoot\system32\DRIVERS\ehdrv.sys

                      Function Name: ZwSetInformationThread
                      Address: AA6674F0
                      Driver Base: AA666000
                      Driver End: AA686000
                      Driver Name: \SystemRoot\system32\DRIVERS\ehdrv.sys

                      Function Name: ZwSetSecurityObject
                      Address: AA667670
                      Driver Base: AA666000
                      Driver End: AA686000
                      Driver Name: \SystemRoot\system32\DRIVERS\ehdrv.sys

                      Function Name: ZwSetSystemInformation
                      Address: AA667870
                      Driver Base: AA666000
                      Driver End: AA686000
                      Driver Name: \SystemRoot\system32\DRIVERS\ehdrv.sys

                      Function Name: ZwSuspendProcess
                      Address: AA6673B0
                      Driver Base: AA666000
                      Driver End: AA686000
                      Driver Name: \SystemRoot\system32\DRIVERS\ehdrv.sys

                      Function Name: ZwSuspendThread
                      Address: AA667430
                      Driver Base: AA666000
                      Driver End: AA686000
                      Driver Name: \SystemRoot\system32\DRIVERS\ehdrv.sys

                      Function Name: ZwSystemDebugControl
                      Address: AA667830
                      Driver Base: AA666000
                      Driver End: AA686000
                      Driver Name: \SystemRoot\system32\DRIVERS\ehdrv.sys

                      Function Name: ZwTerminateProcess
                      Address: AA667370
                      Driver Base: AA666000
                      Driver End: AA686000
                      Driver Name: \SystemRoot\system32\DRIVERS\ehdrv.sys

                      Function Name: ZwTerminateThread
                      Address: AA667470
                      Driver Base: AA666000
                      Driver End: AA686000
                      Driver Name: \SystemRoot\system32\DRIVERS\ehdrv.sys

                      Function Name: ZwWriteVirtualMemory
                      Address: AA6675F0
                      Driver Base: AA666000
                      Driver End: AA686000
                      Driver Name: \SystemRoot\system32\DRIVERS\ehdrv.sys

                      ******************************************************************************************
                      ******************************************************************************************
                      Kernel Hooks:
                      Hooked Function: PsGetProcessInheritedFromUniqueProcessId
                      At Address: 804FD889
                      Jump To: EABC805A
                      Module Name: _unknown_

                      ******************************************************************************************
                      ******************************************************************************************
                      Hidden files/folders:
                      Object: C:\autorun.inf\123.
                      Status: Hidden

                      Object: C:\Documents and Settings\noname\Application Data\Microsoft\Office\Recent\«??» .LNK
                      Status: Hidden

                      Object: C:\Documents and Settings\noname\Application Data\Microsoft\Office\Recent\«????»??:????.LNK
                      Status: Hidden

                      Object: C:\Documents and Settings\noname\Application Data\Microsoft\Office\Recent\«???»??:???.LNK
                      Status: Hidden

                      Object: C:\Documents and Settings\noname\Application Data\Microsoft\Office\Recent\???????????«????».LNK
                      Status: Hidden

                      Object: C:\Documents and Settings\noname\Application Data\Microsoft\Office\Recent\??«????????».LNK
                      Status: Hidden

                      Object: C:\Documents and Settings\noname\Desktop\Music\2011-06-03 ?? - ????????? ??+???Live ??
                      Status: Hidden

                      Object: C:\Documents and Settings\noname\Desktop\Music,\CD 1\--- applemilk.HaX3 ---.m3u
                      Status: Hidden

                      Object: C:\Documents and Settings\noname\Desktop\Music,\CD 2\--- applemilk.HaX3 ---.m3u
                      Status: Hidden

                      Object: C:\Documents and Settings\noname\Desktop\Music,\CD 2\04.??:?????????????????.mp3
                      Status: Hidden

                      Object: C:\Documents and Settings\noname\Desktop\Music,\CD 2\05.??????(????).mp3
                      Status: Hidden

                      Object: C:\Documents and Settings\noname\Desktop\Music,\CD 2\09.??(????):????????.mp3
                      Status: Hidden

                      Object: C:\Documents and Settings\noname\Desktop\Music,\CD 2\10.????????? ????+???Live??.mp3
                      Status: Hidden

                      Object: C:\Documents and Settings\noname\Recent\«??»??:??.lnk
                      Status: Hidden

                      Object: C:\Documents and Settings\noname\Recent\«??».lnk
                      Status: Hidden

                      Object: C:\Documents and Settings\noname\Recent\«????(???)»??:????.lnk
                      Status: Hidden

                      Object: C:\Documents and Settings\noname\Recent\«????»??:??.lnk
                      Status: Hidden

                      Object: C:\Qoobox\BackEnv\AppData.folder.dat
                      Status: Access denied

                      Object: C:\Qoobox\BackEnv\Cache.folder.dat
                      Status: Access denied

                      Object: C:\Qoobox\BackEnv\Cookies.folder.dat
                      Status: Access denied

                      Object: C:\Qoobox\BackEnv\Desktop.folder.dat
                      Status: Access denied

                      Object: C:\Qoobox\BackEnv\Favorites.folder.dat
                      Status: Access denied

                      Object: C:\Qoobox\BackEnv\History.folder.dat
                      Status: Access denied

                      Object: C:\Qoobox\BackEnv\LocalAppData.folder.dat
                      Status: Access denied

                      Object: C:\Qoobox\BackEnv\LocalSettings.folder.dat
                      Status: Access denied

                      Object: C:\Qoobox\BackEnv\Music.folder.dat
                      Status: Access denied

                      Object: C:\Qoobox\BackEnv\NetHood.folder.dat
                      Status: Access denied

                      Object: C:\Qoobox\BackEnv\Personal.folder.dat
                      Status: Access denied

                      Object: C:\Qoobox\BackEnv\Pictures.folder.dat
                      Status: Access denied

                      Object: C:\Qoobox\BackEnv\PrintHood.folder.dat
                      Status: Access denied

                      Object: C:\Qoobox\BackEnv\Profiles.Folder.dat
                      Status: Access denied

                      Object: C:\Qoobox\BackEnv\Profiles.Folder.folder.dat
                      Status: Access denied

                      Object: C:\Qoobox\BackEnv\Programs.folder.dat
                      Status: Access denied

                      Object: C:\Qoobox\BackEnv\Recent.folder.dat
                      Status: Access denied

                      Object: C:\Qoobox\BackEnv\SendTo.folder.dat
                      Status: Access denied

                      Object: C:\Qoobox\BackEnv\SetPath.bat
                      Status: Access denied

                      Object: C:\Qoobox\BackEnv\StartMenu.folder.dat
                      Status: Access denied

                      Object: C:\Qoobox\BackEnv\StartUp.folder.dat
                      Status: Access denied

                      Object: C:\Qoobox\BackEnv\SysPath.dat
                      Status: Access denied

                      Object: C:\Qoobox\BackEnv\Templates.folder.dat
                      Status: Access denied

                      Object: C:\Qoobox\BackEnv\VikPev00
                      Status: Access denied


                      SuperDave

                      • Malware Removal Specialist


                      • Genius
                      • Thanked: 1020
                      • Certifications: List
                      • Experience: Expert
                      • OS: Windows 10
                      Re: backdoor vulnerability
                      « Reply #14 on: December 25, 2012, 03:58:30 PM »
                      Quote
                      Merry Xmas and Happy New Year, Dave. All the best for this year
                      Thank you and the same to you and yours.

                      How's your computer running now?


                      I'd like to scan your machine with ESET OnlineScan

                      • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
                      ESET OnlineScan
                      • Click the button.
                      • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
                        • Click on to download the ESET Smart Installer. Save it to your desktop.
                        • Double click on the icon on your desktop.
                      • Check
                      • Click the button.
                      • Accept any security warnings from your browser.
                      • Check
                      • Push the Start button.
                      • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
                      • When the scan completes, push
                      • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
                      • Push the button.
                      • Push
                      A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt
                      Windows 8 and Windows 10 dual boot with two SSD's