Scan saved at 1:00:01 AM, on 7/15/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18928)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\TweakNow PowerPack 2010\CDAuto.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Windows\system32\taskeng.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\STOPzilla!\SZOptions.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5577
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
O1 - Hosts: ::1 localhost
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\progra~1\mcafee\msk\mskapbho.dll
O2 - BHO: QFX Software KeyScrambler - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20100626221605.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [CD Autorun] C:\Program Files\TweakNow PowerPack 2010\CDAuto.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files\Trend Micro\HiJackThis\HijackThis.exe /startupscan
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O9 - Extra button: (no name) - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O9 - Extra 'Tools' menuitem: &KeyScrambler Options - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Personal Firewall Service (McMPFSvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee VirusScan Announcer (McNaiAnn) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McShield - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
O23 - Service: McAfee Firewall Core Service (mfefire) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
--
End of file - 7026 bytes
***********************************************
AC3File 0.6b
Acrobat.com
Acrobat.com
Adobe AIR
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.3.3
AoA Audio Extractor
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Audacity 1.2.6
Auslogics Disk Defrag
Auslogics Registry Cleaner
Baku
Belarc Advisor 8.1
Bonjour
DVD Decrypter (Remove Only)
DVD Flick 1.3.0.7
DVD Shrink 3.2
DVDFab 7.0.7.0 (08/06/2010)
Free FLV Converter V 6.8.0
Google Earth Plug-in
Google Update Helper
HiJackThis
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
ImgBurn
Intel(R) Network Connections Drivers
Internet Explorer (Enable DEP)
iTunes
Java(TM) 6 Update 20
KeyScrambler
Malwarebytes' Anti-Malware
McAfee Total Protection
McAfee Virtual Technician
MediaInfo 0.7.33
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Client Profile
Microsoft Automated Troubleshooting Services Shim
Microsoft Baseline Security Analyzer 2.1
Microsoft Fix it Center
Microsoft MPEG-4 VKI Video Codec V1/V2/V3
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Mozilla Firefox (3.6.6)
Orbit Downloader
QuickTime
Realtek AC'97 Audio
Revo Uninstaller 1.89
STOPzilla
System Requirements Lab for Intel
TweakNow PowerPack 2010
Ultimate Extras sounds from Microsoft® Tinker™
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
VLC media player 1.1.0
Windows Live OneCare safety scanner
Windows Live OneCare safety scanner
Windows Sound Schemes
WinRAR archiver
Yahoo! Messenger
Yahoo! Software Update
ZD Soft Screen Recorder
ZD Soft Screen Video Decoder
**********************************************
I recently downloaded a file called Cain and Abel, a so-called hacker's tool, looking to use it to try and gain access to my wife's email account, for fear that she'd been cheating. I realized quickly that the UI was beyond my knowledge, so I uninstalled it with Revo Uninstaller, using the Advanced option. I then ran a quick scan with Malwarebytes' Anti-Malware (MBAM), and it found the following to be a Rootkit.Agent.
*It must be said that early in my findings, I turned off system restore, as there were malware located in those files as well as what is listed below.*
liqqtxl.sys (Rootkit.Agent) - located in system32\drivers
c:\windows\temp\9f35db3.tmp - Kernel Veryfier tried to access the internet after rootkit liqqtxl.sys was quarantined and deleted from MBAM.
Windows Problem Reports and Solutions appeared saying 'Kernel Veryfier' has stopped working, and asked to check online for a solution. *Note the spelling of Veryfier. I do not know if this is a legitimate program. I did not allow it to check for a solution, for fear that the malware was using the Windows program to call to the outside world, flagging my PC as an 'open door'.
Other trojans identifying themselves as .tmp files were located, such as c3453bf1.tmp and VXGame.Temp_044.
STOPzilla labels these 'PerformancePlatform' (2 Trojans: \win~\temp\4e1b82c5.tmp and 93aaf7f.tmp).
After every reboot, deleted .tmp files reappear in C:\Windows\Temp, usually 7 of them.
It seems that whenever I try to delete liqqtxl.sys with MBAM and reboot, it reappears as if I had done nothing. I even tried deleting it in Safe Mode. I also performed full scans with MBAM and STOPzilla until each of them found nothing in safe mode. Still, I reboot and STOPzilla finds 9 infected registry keys and one .sys file in system32\drivers, not liqqtxl.sys, although it remains.
Also, whenever I try to have HJT delete liqqtxl.sys on startup, an error message appears that states: liqqtxl.sys
A device attached to the system is not functioning.
So I ran a quick scan with MBAM, finding liqqtxl.sys again, and instead of rebooting right away as it suggested, I ran STOPzilla, resulting in the detection of 12 infected registry keys, labeled GASF. Eleven were found at HKLM\SYSTEM\CurrentContr... it doesn't show the rest, but I can provide screenshots if you like.
I then searched for GASF and PerformancePlatform in the registry, without luck. I did find liqqtxl.sys located in:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\liqqtxl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\liqqtxl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\liqqtxl
Note that it was not found in ...ControlSet001\
After finding the above locations of the .sys file in the registry, I exited and removed the 12 items that STOPzilla found, and rebooted as it and MBAM required. Upon startup, once again STOPzilla found 3 PerformancePlatform .tmp files.
I do have a deal more information ready to supply when requested, such as info concerning my temp folder, info I spotted during subsequent scans, cropped screenshots, etc.
I sincerely hope this was not too much information, as I do not want to overstep my bounds. Thank you for any help you can provide.