BleepingComputer.com: Google redirect, trojans, and malware

Jump to content

Forum Guidelines

Posted Image Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help


Posted Image Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.


Posted Image DO NOT RUN ComboFix unless requested to.


Posted Image Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.


Posted Image When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.


Posted Image Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.
  • 2 Pages +
  • 1
  • 2
  • You cannot start a new topic
  • This topic is locked

Google redirect, trojans, and malware

#1 User is offline   Stormce 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 7
  • Joined: 05-December 11
  • Gender:Male

Posted 05 December 2011 - 01:56 PM

EDIT: I forgot to add some other things that were going on with my computer when I started to notice that things were not running as they should be

My computer has recently fallen very ill to the PING.exe malware, Google redirect malware, trojans, and rootkits. I first started to notice problems when my CPU usage would be consistantly at around 100% and PING.exe was the image that was taking up a large portion of the system resources and firefox and its plugin container were taking up the remaining system resources. No mater how many times I ended the PING.exe process tree it would always manage to restart itself. It was around this time that I began to notice that my google search results links in firefox were consistantly taking me to pages that were either spam or just a website with links and my google search at the top of the page. I tried to google search with Internet Explorer and I was having the same problems. After a few google searches on another machine, I found a thread on another website where someone was having essentially the same issue. I followed the instructions that were posted and I am hoping that I managed to fix the issue. This is the website I used before I found Bleeping Computer: http://www.computing.net/answers/security/google-search-getting-redirected/23540.html Based on my results from the different program logs can anyone determine if there is any remaining malware on my computer?

My system specs are:
Asus G2S laptop
Windows Vista Home Premium 32-bit
Service pack one
Intel Core 2 Duo T7700 @ 2.40 GHz
2.00 GB ram

I have all of the log files from all the steps that I found on that website. Is there any way that you can tell if there is still anything hiding on my computer?

1) Malwarebytes log
Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8313

Windows 6.0.6001 Service Pack 1 (Safe Mode)
Internet Explorer 7.0.6001.18000

12/5/2011 1:20:50 AM
mbam-log-2011-12-05 (01-20-50).txt

Scan type: Quick scan
Objects scanned: 165157
Time elapsed: 3 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\System32\sqlcsw32.dll (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\Windows\System32\FastUv32.dll (Trojan.Wimpixo) -> Quarantined and deleted successfully.
c:\Windows\Temp\31204.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\Temp\rfrcvx\setup.exe (Trojan.Email) -> Quarantined and deleted successfully.
c:\Windows\System32\certstore.dat (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\system\svchost.exe (Backdoor.Bot) -> Quarantined and deleted successfully.


2) Hijack This log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:22:30 AM, on 12/5/2011
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18639)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\ASUS\ATK Media\DMedia.exe
C:\Program Files\PowerForPhone\PowerForPhone.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Windows\ASScrPro.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Apoint2K\HidFind.exe
C:\Program Files\Apoint2K\Apvfb.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10a.exe
C:\Users\Chaz\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.asus.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.asus.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:50788
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [ATKMEDIA] C:\Program Files\ASUS\ATK Media\DMEDIA.EXE
O4 - HKLM\..\Run: [PowerForPhone] C:\Program Files\PowerForPhone\PowerForPhone.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [ASUS Screen Saver Protector] C:\Windows\ASScrPro.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix: 
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: ADSM Service (ADSMService) - Unknown owner - C:\Program Files\ASUS\ASUS Data Security Manager\ADSMSrv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASLDR Service (ASLDRService) - Unknown owner - C:\Program Files\ATK Hotkey\ASLDRSrv.exe
O23 - Service: ATKGFNEX Service (ATKGFNEXSrv) - Unknown owner - C:\Program Files\ATKGFNEX\GFNEXSrv.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Unknown owner - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe (file missing)
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Unknown owner - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe (file missing)
O23 - Service: spmgr - Unknown owner - C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6796 bytes


3) Updated Java to latest version

4) The first time I ran ComboFix I recieved a message that stated that I had to restart because a rootkit was discovered and after I restarted my computer both my keyboard and trackpad no longwer worked so I had to reinstall the drivers for them. After this point I have not seen PING.exe listed on my Task Manager

5) Combofix scan 2 log
ComboFix 11-12-04.04 - Chaz 12/05/2011   4:45.1.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6001.1.1252.1.1033.18.2047.1122 [GMT -5:00]
Running from: c:\users\Chaz\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *Disabled/Updated* {0C939084-9E57-CBDB-EA61-0B0C7F62AF82}
SP: AVG Anti-Virus Free *Disabled/Updated* {B7F27160-B86D-C455-D0D1-307E04E5E53F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\LP
c:\program files\LP\EC19\7D87.tmp
c:\users\Chaz\AppData\Roaming\5D8C.1AD
c:\users\Chaz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AV Protection 2011
c:\users\Chaz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AV Protection 2011\AV Protection 2011.lnk
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_usnjsvc
.
.
(((((((((((((((((((((((((   Files Created from 2011-11-05 to 2011-12-05  )))))))))))))))))))))))))))))))
.
.
2011-12-05 10:15 . 2011-12-05 10:26	--------	d-----w-	c:\users\Chaz\AppData\Local\temp
2011-12-05 10:15 . 2011-12-05 10:15	--------	d-----w-	c:\users\Default\AppData\Local\temp
2011-12-05 09:08 . 2011-12-05 09:08	--------	d-----w-	c:\windows\system32\Lang
2011-12-05 08:46 . 2007-07-09 18:28	209408	----a-w-	c:\windows\system32\drivers\iaNvStor.sys
2011-12-05 08:46 . 2007-04-25 17:17	277784	----a-w-	c:\windows\system32\drivers\iaStor.sys
2011-12-05 08:35 . 2011-12-05 08:35	--------	d-----w-	c:\windows\Sun
2011-12-05 07:20 . 2011-11-30 07:21	6823496	----a-w-	c:\programdata\Microsoft\Windows Defender\Definition Updates\{1D0B7A15-8C91-4429-9A10-F1C14FDCD374}\mpengine.dll
2011-12-05 07:14 . 2011-12-05 07:14	--------	d-----w-	c:\program files\Common Files\Java
2011-12-05 07:13 . 2011-12-05 07:12	611224	----a-w-	c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-12-05 07:13 . 2011-12-05 07:12	544656	----a-w-	c:\windows\system32\deployJava1.dll
2011-11-21 04:02 . 2011-11-21 04:02	--------	d-----w-	c:\users\Chaz\AppData\Roaming\9271C
2011-11-21 04:02 . 2011-11-21 04:02	--------	d-----w-	c:\users\Chaz\AppData\Roaming\IFpmG5sQJdK8
2011-11-21 04:02 . 2011-11-21 04:02	--------	d-----w-	c:\users\Chaz\AppData\Roaming\xkeHEK8gZ9hYwUe
2011-11-21 04:02 . 2011-11-21 04:02	--------	d-----w-	c:\users\Chaz\AppData\Roaming\XP12pQEhYw
2011-11-21 04:01 . 2011-11-21 04:01	--------	d-----w-	c:\users\Chaz\AppData\Roaming\etuinH7gThY
2011-11-16 19:34 . 2011-11-16 19:34	--------	d-----w-	c:\users\Chaz\AppData\Local\Samsung
2011-11-16 19:34 . 2011-11-16 19:34	--------	d-----w-	c:\users\Chaz\AppData\Roaming\Samsung
2011-11-16 19:07 . 2011-10-27 01:25	136808	----a-w-	c:\windows\system32\drivers\ssadmdm.sys
2011-11-16 19:07 . 2011-10-27 01:25	12776	----a-w-	c:\windows\system32\drivers\ssadmdfl.sys
2011-11-16 19:07 . 2011-10-27 01:25	121064	----a-w-	c:\windows\system32\drivers\ssadbus.sys
2011-11-16 19:07 . 2011-10-27 01:25	10472	----a-w-	c:\windows\system32\drivers\ssadcmnt.sys
2011-11-16 19:07 . 2011-10-27 01:25	10472	----a-w-	c:\windows\system32\drivers\ssadcm.sys
2011-11-16 19:07 . 2011-10-27 01:25	10344	----a-w-	c:\windows\system32\drivers\ssadwhnt.sys
2011-11-16 19:07 . 2011-10-27 01:25	10344	----a-w-	c:\windows\system32\drivers\ssadwh.sys
2011-11-16 18:57 . 2011-10-31 16:22	4659712	----a-w-	c:\windows\system32\Redemption.dll
2011-11-16 18:55 . 2011-11-16 18:55	--------	d-----w-	c:\program files\MarkAny
2011-11-16 18:55 . 2011-10-31 16:22	821824	----a-w-	c:\windows\system32\dgderapi.dll
2011-11-16 18:55 . 2011-10-31 16:22	20032	----a-w-	c:\windows\system32\drivers\dgderdrv.sys
2011-11-16 18:50 . 2011-11-16 19:03	--------	d-----w-	c:\program files\Samsung
2011-11-16 18:50 . 2011-11-16 18:58	--------	d-----w-	c:\programdata\Samsung
2011-11-16 18:40 . 2011-11-16 18:40	--------	d-----w-	c:\users\Chaz\AppData\Local\Downloaded Installations
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-05 10:25 . 2007-09-29 06:50	45056	----a-w-	c:\windows\system32\acovcnt.exe
2011-11-01 02:11 . 2011-11-01 02:11	414368	----a-w-	c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-31 16:22 . 2011-10-31 16:22	90112	----a-w-	c:\windows\MAMCityDownload.ocx
2011-10-31 16:22 . 2011-10-31 16:22	325552	----a-w-	c:\windows\MASetupCaller.dll
2011-10-31 16:22 . 2011-10-31 16:22	30568	----a-w-	c:\windows\MusiccityDownload.exe
2011-10-31 16:22 . 2011-10-31 16:22	81920	----a-w-	c:\windows\system32\issacapi_bs-2.3.dll
2011-10-31 16:22 . 2011-10-31 16:22	65536	----a-w-	c:\windows\system32\issacapi_pe-2.3.dll
2011-10-31 16:22 . 2011-10-31 16:22	57344	----a-w-	c:\windows\system32\issacapi_se-2.3.dll
2011-10-31 16:22 . 2011-10-31 16:22	49152	----a-w-	c:\windows\system32\MaJGUILib.dll
2011-10-31 16:22 . 2011-10-31 16:22	45056	----a-w-	c:\windows\system32\MaXMLProto.dll
2011-10-31 16:22 . 2011-10-31 16:22	40960	----a-w-	c:\windows\system32\MTTELECHIP.dll
2011-10-31 16:22 . 2011-10-31 16:22	200704	----a-w-	c:\windows\system32\muzwmts.dll
2011-10-31 16:22 . 2011-10-31 16:22	172032	----a-w-	c:\windows\system32\muzapp.exe
2011-10-31 16:22 . 2011-10-31 16:22	143360	----a-w-	c:\windows\system32\3DAudio.ax
2011-10-31 16:22 . 2011-10-31 16:22	135168	----a-w-	c:\windows\system32\muzaf1.dll
2011-10-31 16:22 . 2011-10-31 16:22	122880	----a-w-	c:\windows\system32\muzeffect.ax
2011-10-31 16:22 . 2011-10-31 16:22	118784	----a-w-	c:\windows\system32\MaDRM.dll
2011-10-31 16:22 . 2011-10-31 16:22	110592	----a-w-	c:\windows\system32\muzmp4sp.ax
2011-10-31 16:22 . 2011-10-31 16:22	974848	----a-w-	c:\windows\system32\cis-2.4.dll
2011-10-31 16:22 . 2011-10-31 16:22	57344	----a-w-	c:\windows\system32\MTXSYNCICON.dll
2011-10-31 16:22 . 2011-10-31 16:22	57344	----a-w-	c:\windows\system32\MK_Lyric.dll
2011-10-31 16:22 . 2011-10-31 16:22	569344	----a-w-	c:\windows\system32\muzdecode.ax
2011-10-31 16:22 . 2011-10-31 16:22	491520	----a-w-	c:\windows\system32\muzapp.dll
2011-10-31 16:22 . 2011-10-31 16:22	45056	----a-w-	c:\windows\system32\MACXMLProto.dll
2011-10-31 16:22 . 2011-10-31 16:22	40960	----a-w-	c:\windows\system32\MAMACExtract.dll
2011-10-31 16:22 . 2011-10-31 16:22	352256	----a-w-	c:\windows\system32\MSLUR71.dll
2011-10-31 16:22 . 2011-10-31 16:22	258048	----a-w-	c:\windows\system32\muzoggsp.ax
2011-10-31 16:22 . 2011-10-31 16:22	245760	----a-w-	c:\windows\system32\MSCLib.dll
2011-10-31 16:22 . 2011-10-31 16:22	24576	----a-w-	c:\windows\system32\MASetupCleaner.exe
2011-10-31 16:22 . 2011-10-31 16:22	155648	----a-w-	c:\windows\system32\MSFLib.dll
2011-10-31 16:22 . 2011-10-31 16:22	131072	----a-w-	c:\windows\system32\muzmpgsp.ax
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ADSMOverlayIcon1]
@="{A8D448F4-0431-45AC-9F5E-E1B434AB2249}"
[HKEY_CLASSES_ROOT\CLSID\{A8D448F4-0431-45AC-9F5E-E1B434AB2249}]
2007-06-02 00:08	143360	----a-w-	c:\program files\ASUS\ASUS Data Security Manager\OverlayIconShlExt1.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2007-03-23 4423680]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-11-21 630784]
"ATKMEDIA"="c:\program files\ASUS\ATK Media\DMEDIA.EXE" [2006-11-02 61440]
"PowerForPhone"="c:\program files\PowerForPhone\PowerForPhone.exe" [2007-06-26 778240]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2006-09-12 155648]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"ASUS Screen Saver Protector"="c:\windows\ASScrPro.exe" [2007-09-29 33136]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-07-24 174616]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2011-12-05 2042208]
"Skytel"="Skytel.exe" [2007-03-16 1822720]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-05-22 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-22 8433664]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-05-22 81920]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-08-31 1047208]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-05-04 252136]
"IaNvSrv"="c:\program files\Intel\Intel Matrix Storage Manager\OROM\IaNvSrv\IaNvSrv.exe" [2007-07-24 33304]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R2 SqlCSS;SQL Server EXPRESS;c:\windows\System32\svchost.exe [2008-01-19 21504]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [x]
R3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\DRIVERS\ssadbus.sys [2011-10-27 121064]
R3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\DRIVERS\ssadmdfl.sys [2011-10-27 12776]
R3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\DRIVERS\ssadmdm.sys [2011-10-27 136808]
S0 iaNvStor;Intel(R) Turbo Memory Controller;c:\windows\system32\DRIVERS\iaNvStor.sys [2007-07-09 209408]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2008-09-21 717296]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-08-25 335240]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-08-25 108552]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-08-25 297752]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;c:\windows\system32\DRIVERS\atl01v32.sys [2007-03-15 48128]
S3 itecir;ITECIR Infrared Receiver;c:\windows\system32\DRIVERS\itecir.sys [2007-04-20 47616]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs	REG_MULTI_SZ   	BthServ
Sqlses	REG_MULTI_SZ   	SqlCSS
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:50788
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 10.0.0.1
FF - ProfilePath - c:\users\Chaz\AppData\Roaming\Mozilla\Firefox\Profiles\9banyjoh.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 50788
FF - prefs.js: network.proxy.type - 4
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Skype extension for Firefox: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0017-0000-0001-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0017-0000-0001-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: 4chan: {9AA46F4F-4DC7-4c06-97AF-5035170633FE} - %profile%\extensions\{9AA46F4F-4DC7-4c06-97AF-5035170633FE}
FF - Ext: Torbutton: {e0204bd5-9d31-402b-a99d-a6aa8ffebdca} - %profile%\extensions\{e0204bd5-9d31-402b-a99d-a6aa8ffebdca}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: AVG Safe Search: {3f963a5b-e555-4543-90e2-c3908898db71} - c:\program files\AVG\AVG8\Firefox
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Aim6 - (no file)
AddRemove-01_Simmental - c:\program files\Samsung\USB Drivers\01_Simmental\Uninstall.exe
AddRemove-02_Siberian - c:\program files\Samsung\USB Drivers\02_Siberian\Uninstall.exe
AddRemove-03_Swallowtail - c:\program files\Samsung\USB Drivers\03_Swallowtail\Uninstall.exe
AddRemove-04_semseyite - c:\program files\Samsung\USB Drivers\04_semseyite\Uninstall.exe
AddRemove-05_Sloan - c:\program files\Samsung\USB Drivers\05_Sloan\Uninstall.exe
AddRemove-06_Spencer - c:\program files\Samsung\USB Drivers\06_Spencer\Uninstall.exe
AddRemove-07_Schorl - c:\program files\Samsung\USB Drivers\07_Schorl\Uninstall.exe
AddRemove-08_EMPChipset - c:\program files\Samsung\USB Drivers\08_EMPChipset\Uninstall.exe
AddRemove-09_Hsp - c:\program files\Samsung\USB Drivers\09_Hsp\Uninstall.exe
AddRemove-11_HSP_Plus_Default - c:\program files\Samsung\USB Drivers\11_HSP_Plus_Default\Uninstall.exe
AddRemove-16_Shrewsbury - c:\program files\Samsung\USB Drivers\16_Shrewsbury\Uninstall.exe
AddRemove-17_EMP_Chipset2 - c:\program files\Samsung\USB Drivers\17_EMP_Chipset2\Uninstall.exe
AddRemove-18_Zinia_Serial_Driver - c:\program files\Samsung\USB Drivers\18_Zinia_Serial_Driver\Uninstall.exe
AddRemove-19_VIA_driver - c:\program files\Samsung\USB Drivers\19_VIA_driver\Uninstall.exe
AddRemove-20_NXP_Driver - c:\program files\Samsung\USB Drivers\20_NXP_Driver\Uninstall.exe
AddRemove-22_WiBro_WiMAX - c:\program files\Samsung\USB Drivers\22_WiBro_WiMAX\Uninstall.exe
AddRemove-24_flashusbdriver - c:\program files\Samsung\USB Drivers\24_flashusbdriver\Uninstall.exe
AddRemove-25_escape - c:\program files\Samsung\USB Drivers\25_escape\Uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-05 05:27
Windows 6.0.6001 Service Pack 1 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
.
C:\ADSM_PData_0150
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\S-1-5-21-2299044074-552368118-3468275311-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:0f,d6,02,90,3a,a7,f6,22,e8,a9,7d,60,d8,1c,c6,46,b5,5a,e9,05,9b,f5,01,
   da,a7,29,3d,92,ad,43,80,d9,08,4b,a4,ba,ad,90,22,42,9a,35,f6,7f,13,7d,71,66,\
"??"=hex:5d,2e,bc,00,9b,07,bc,9c,34,34,87,88,c9,ab,ca,0d
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(3696)
c:\program files\ASUS\ASUS Data Security Manager\OverlayIconShlExt1.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\ASUS\ASUS Data Security Manager\ADSMSrv.exe
c:\program files\ATK Hotkey\ASLDRSrv.exe
c:\program files\ATKGFNEX\GFNEXSrv.exe
c:\program files\ATK Hotkey\Hcontrol.exe
c:\program files\ATKOSD2\ATKOSD2.exe
c:\program files\Wireless Console 2\wcourier.exe
c:\program files\P4G\BatteryLife.exe
c:\program files\ASUS\Splendid\ACMON.exe
c:\windows\System32\ACEngSvr.exe
c:\program files\ATK Hotkey\ATKOSD.exe
c:\program files\ATK Hotkey\KBFiltr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Nero\Nero 7\InCD\InCDsrv.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\windows\system32\PresentationSettings.exe
c:\program files\ASUS\NB Probe\SPM\spmgr.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
.
**************************************************************************
.
Completion time: 2011-12-05  05:33:14 - machine was rebooted
ComboFix-quarantined-files.txt  2011-12-05 10:33
.
Pre-Run: 32,890,494,976 bytes free
Post-Run: 35,741,126,656 bytes free
.
- - End Of File - - 02EE6490D980E3153188336F7F6724B2


6) Used ATF Cleaner

7) Eset Online scanner log
C:\Program Files\Windows Live\Messenger\msimg32.dll	Win32/Toolbar.MyWebSearch application
C:\Program Files\Windows Live\Messenger\riched20.dll	Win32/Toolbar.MyWebSearch application
C:\Qoobox\Quarantine\C\Program Files\LP\EC19\7D87.tmp.vir	a variant of Win32/Kryptik.VZB trojan


8)Virus Total logs
File name: msimg32.dll
Submission date: 2011-11-06 21:08:54 (UTC)
Current status: finished
Result: 6 /43 (14.0%)

Antivirus Version Last Update Result 
AhnLab-V3 2011.11.05.02 2011.11.06 - 
AntiVir 7.11.17.28 2011.11.06 - 
Antiy-AVL 2.0.3.7 2011.11.06 - 
Avast 6.0.1289.0 2011.11.06 - 
AVG 10.0.0.1190 2011.11.06 - 
BitDefender 7.2 2011.11.06 - 
ByteHero 1.0.0.1 2011.11.04 - 
CAT-QuickHeal 11.00 2011.11.06 - 
ClamAV 0.97.3.0 2011.11.06 - 
Commtouch 5.3.2.6 2011.11.06 - 
Comodo 10689 2011.11.06 - 
DrWeb 5.0.2.03300 2011.11.06 - 
Emsisoft 5.1.0.11 2011.11.06 Adware.Win32.MyWebSearchToolbar!A2 
eSafe 7.0.17.0 2011.11.06 Win32.Toolbar.MyWebS 
eTrust-Vet 36.1.8657 2011.11.05 - 
F-Prot 4.6.5.141 2011.11.06 - 
F-Secure 9.0.16440.0 2011.11.06 - 
Fortinet 4.3.370.0 2011.11.06 - 
GData 22 2011.11.06 - 
Ikarus T3.1.1.107.0 2011.11.06 - 
Jiangmin 13.0.900 2011.11.06 - 
K7AntiVirus 9.117.5398 2011.11.05 - 
Kaspersky 9.0.0.837 2011.11.06 - 
McAfee 5.400.0.1158 2011.11.06 - 
McAfee-GW-Edition 2010.1D 2011.11.06 - 
Microsoft 1.7801 2011.11.06 - 
NOD32 6606 2011.11.06 Win32/Toolbar.MyWebSearch 
Norman 6.07.13 2011.11.06 - 
nProtect 2011-11-06.01 2011.11.06 - 
Panda 10.0.3.5 2011.11.06 - 
PCTools 8.0.0.5 2011.11.06 - 
Prevx 3.0 2011.11.06 - 
Rising 23.82.02.02 2011.11.02 Trojan.Win32.Generic.1244FF07 
Sophos 4.71.0 2011.11.06 - 
SUPERAntiSpyware 4.40.0.1006 2011.11.05 Adware.MyWebSearch/FunWebProducts 
Symantec 20111.2.0.82 2011.11.06 - 
TheHacker 6.7.0.1.338 2011.11.06 - 
TrendMicro 9.500.0.1008 2011.11.06 - 
TrendMicro-HouseCall 9.500.0.1008 2011.11.06 - 
VBA32 3.12.16.4 2011.11.04 - 
VIPRE 10983 2011.11.06 MyWebSearch Toolbar (not malicious) 
ViRobot 2011.11.5.4757 2011.11.06 - 
VirusBuster 14.1.49.0 2011.11.06 - 

Additional information 
MD5   : 8ee956aee18f2459d5ec5ac53e2314d9 
SHA1  : d2cbbaed406accd4856445bd3a9cc47ca563e49d 
SHA256: af0c2f522dfdc4f6564cb78f1e47e07629d6c3615b18b6726e1b547592eafdb9 


File name: riched20.dll
Submission date: 2011-12-03 02:00:00 (UTC)
Current status: finished
Result: 12 /43 (27.9%)

Antivirus Version Last Update Result 
AhnLab-V3 2011.12.02.00 2011.12.02 Win-Adware/MyWebSearch.24576.C 
AntiVir 7.11.18.204 2011.12.02 - 
Antiy-AVL 2.0.3.7 2011.12.02 AdTool/Win32.MyWebSearch.gen 
Avast 6.0.1289.0 2011.12.02 - 
AVG 10.0.0.1190 2011.12.02 - 
BitDefender 7.2 2011.12.03 - 
ByteHero 1.0.0.1 2011.11.29 - 
CAT-QuickHeal 12.00 2011.12.02 - 
ClamAV 0.97.3.0 2011.12.03 Adware.FunWebProducts-5 
Commtouch 5.3.2.6 2011.12.02 W32/Adware.ABWS 
Comodo 10817 2011.12.02 - 
DrWeb 5.0.2.03300 2011.12.03 - 
Emsisoft 5.1.0.11 2011.12.03 Adware.Win32.MyWebSearch!A2 
eSafe 7.0.17.0 2011.12.01 - 
eTrust-Vet 37.0.9600 2011.12.02 - 
F-Prot 4.6.5.141 2011.11.29 W32/Adware.ABWS 
F-Secure 9.0.16440.0 2011.12.03 - 
Fortinet 4.3.388.0 2011.12.03 Adware/MyWebSearch 
GData 22 2011.12.03 - 
Ikarus T3.1.1.109.0 2011.12.02 - 
Jiangmin 13.0.900 2011.12.02 - 
K7AntiVirus 9.119.5586 2011.12.02 - 
Kaspersky 9.0.0.837 2011.12.02 - 
McAfee 5.400.0.1158 2011.12.03 - 
McAfee-GW-Edition 2010.1D 2011.12.02 - 
Microsoft 1.7903 2011.12.02 - 
NOD32 6668 2011.12.01 Win32/Toolbar.MyWebSearch 
Norman 6.07.13 2011.12.02 - 
nProtect 2011-12-02.01 2011.12.02 - 
Panda 10.0.3.5 2011.12.02 - 
PCTools 8.0.0.5 2011.12.03 - 
Prevx 3.0 2011.12.03 - 
Rising 23.86.04.02 2011.12.02 - 
Sophos 4.71.0 2011.12.03 - 
SUPERAntiSpyware 4.40.0.1006 2011.12.03 Adware.MyWebSearch/FunWebProducts 
Symantec 20111.2.0.82 2011.12.03 - 
TheHacker 6.7.0.1.352 2011.12.01 Aplicacion/MyWebSearch.cj 
TrendMicro 9.500.0.1008 2011.12.02 - 
TrendMicro-HouseCall 9.500.0.1008 2011.12.03 - 
VBA32 3.12.16.4 2011.12.01 - 
VIPRE 11192 2011.12.02 - 
ViRobot 2011.12.2.4805 2011.12.02 Adware.MyWebSearch.245760.E 
VirusBuster 14.1.97.0 2011.12.02 Adware.Agent!Peq28UqhAS0 

Additional information 
MD5   : c4ff418909d55a7744b04774a83135c9 
SHA1  : 2489008ef2e8fb7a3bdf6014d4488d01629c7034 
SHA256: 76adc93b3153ccd4ab6f692d78013cb75842f741168a6de5adee56c23748b7a3 


File name: DPYWKOLWEL-653.pms.tmp.SVD
Submission date: 2011-11-25 05:06:43 (UTC)
Current status: finished
Result: 34 /43 (79.1%)

Antivirus Version Last Update Result 
AhnLab-V3 2011.11.24.00 2011.11.24 Trojan/Win32.Jorik 
AntiVir 7.11.18.67 2011.11.25 TR/Drop.Caefd.A.1 
Antiy-AVL 2.0.3.7 2011.11.25 Trojan/win32.agent.gen 
Avast 6.0.1289.0 2011.11.25 Win32:Cycbot-OS [Trj] 
AVG 10.0.0.1190 2011.11.24 BackDoor.Generic14.BVUJ 
BitDefender 7.2 2011.11.25 Trojan.Generic.6938492 
ByteHero 1.0.0.1 2011.11.14 - 
CAT-QuickHeal 12.00 2011.11.22 Backdoor.Cycbot.B 
ClamAV 0.97.3.0 2011.11.25 - 
Commtouch 5.3.2.6 2011.11.25 - 
Comodo 10787 2011.11.24 UnclassifiedMalware 
DrWeb 5.0.2.03300 2011.11.25 Trojan.PWS.Multi.363 
Emsisoft 5.1.0.11 2011.11.25 Trojan-PWS.Win32.Fareit!IK 
eSafe 7.0.17.0 2011.11.24 Win32.Trojan 
eTrust-Vet 37.0.9586 2011.11.24 Win32/Gbot.E!generic 
F-Prot 4.6.5.141 2011.11.24 - 
F-Secure 9.0.16440.0 2011.11.25 Trojan.Generic.6938492 
Fortinet 4.3.370.0 2011.11.25 W32/BDoor.EXI!tr.bdr 
GData 22 2011.11.25 Trojan.Generic.6938492 
Ikarus T3.1.1.109.0 2011.11.25 Trojan-PWS.Win32.Fareit 
Jiangmin 13.0.900 2011.11.24 Trojan/OpenCloud.ci 
K7AntiVirus 9.119.5534 2011.11.24 Backdoor 
Kaspersky 9.0.0.837 2011.11.24 Trojan.Win32.FraudPack.cyum 
McAfee 5.400.0.1158 2011.11.25 BackDoor-EXI.gen.aa 
McAfee-GW-Edition 2010.1D 2011.11.24 BackDoor-EXI.gen.aa 
Microsoft 1.7801 2011.11.24 PWS:Win32/Fareit.gen!C 
NOD32 6657 2011.11.25 a variant of Win32/Kryptik.VZB 
Norman 6.07.13 2011.11.24 W32/Cycbot.EO 
nProtect 2011-11-25.01 2011.11.25 Gen:Variant.Graftor.4612 
Panda 10.0.3.5 2011.11.24 Generic Malware 
PCTools 8.0.0.5 2011.11.25 Backdoor.Cycbot 
Prevx 3.0 2011.11.25 Medium Risk Malware 
Rising 23.85.03.02 2011.11.24 - 
Sophos 4.71.0 2011.11.25 Mal/FakeAV-IS 
SUPERAntiSpyware 4.40.0.1006 2011.11.24 - 
Symantec 20111.2.0.82 2011.11.25 Backdoor.Cycbot!gen9 
TheHacker 6.7.0.1.347 2011.11.24 - 
TrendMicro 9.500.0.1008 2011.11.25 TROJ_GEN.R72C1KL 
TrendMicro-HouseCall 9.500.0.1008 2011.11.25 TROJ_GEN.R72C1KL 
VBA32 3.12.16.4 2011.11.24 - 
VIPRE 11141 2011.11.25 Trojan.Win32.Generic!BT 
ViRobot 2011.11.25.4792 2011.11.25 - 
VirusBuster 14.1.83.1 2011.11.24 Trojan.FraudPack!syxQXgzPWao 

Additional information  
MD5   : 2b1fb0d9666b92e0cce43e75dcb92c59 
SHA1  : 7b239a3858b6ea3d1a0813280bbdddc2072a7938 
SHA256: d6b7b1532090214fc5a7d7346ba844635a6b581c760ac045c9a712fdf06cd66b


9) CFScript code and Combofix Log 3
CFScript:

C:\_OTMoveIt
C:\Users\Chaz\Desktop\ComboFix
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
DirLook::
C:\Users\Chaz\Desktop\AntiVirusSoftwares

ComboFix 11-12-05.01 - Chaz 12/05/2011   9:33:05.2.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6001.1.1252.1.1033.18.2047.1134 [GMT -5:00]
Running from: C:\Users\Chaz\Desktop\ComboFix.exe
Command switches used :: C:\Users\Chaz\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *Disabled/Updated* {0C939084-9E57-CBDB-EA61-0B0C7F62AF82}
SP: AVG Anti-Virus Free *Disabled/Updated* {B7F27160-B86D-C455-D0D1-307E04E5E53F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}


(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Windows\system32\muzapp.exe


(((((((((((((((((((((((((   Files Created from 2011-11-05 to 2011-12-05  )))))))))))))))))))))))))))))))


2011-12-05 15:02:13 . 2011-12-05 15:02:31	--------	d-----w-	C:\Users\Chaz\AppData\Local\temp
2011-12-05 15:02:13 . 2011-12-05 15:02:13	--------	d-----w-	C:\Users\Default\AppData\Local\temp
2011-12-05 13:44:45 . 2011-12-05 13:44:45	--------	d-----w-	C:\_OTMoveIt
2011-12-05 11:07:44 . 2011-12-05 11:07:44	--------	d-----w-	C:\Program Files\ESET
2011-12-05 09:08:45 . 2011-12-05 09:08:45	--------	d-----w-	C:\Windows\system32\Lang
2011-12-05 08:46:04 . 2007-07-09 18:28:16	209408	----a-w-	C:\Windows\system32\drivers\iaNvStor.sys
2011-12-05 08:46:04 . 2007-04-25 17:17:36	277784	----a-w-	C:\Windows\system32\drivers\iaStor.sys
2011-12-05 08:35:47 . 2011-12-05 08:35:47	--------	d-----w-	C:\Windows\Sun
2011-12-05 07:20:38 . 2011-11-30 07:21:44	6823496	----a-w-	C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{1D0B7A15-8C91-4429-9A10-F1C14FDCD374}\mpengine.dll
2011-12-05 07:14:50 . 2011-12-05 07:14:50	--------	d-----w-	C:\Program Files\Common Files\Java
2011-12-05 07:13:03 . 2011-12-05 07:12:38	611224	----a-w-	C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-12-05 07:13:03 . 2011-12-05 07:12:37	544656	----a-w-	C:\Windows\system32\deployJava1.dll
2011-11-21 04:02:48 . 2011-11-21 04:02:49	--------	d-----w-	C:\Users\Chaz\AppData\Roaming\9271C
2011-11-21 04:02:40 . 2011-11-21 04:02:41	--------	d-----w-	C:\Users\Chaz\AppData\Roaming\IFpmG5sQJdK8
2011-11-21 04:02:39 . 2011-11-21 04:02:39	--------	d-----w-	C:\Users\Chaz\AppData\Roaming\xkeHEK8gZ9hYwUe
2011-11-21 04:02:10 . 2011-11-21 04:02:10	--------	d-----w-	C:\Users\Chaz\AppData\Roaming\XP12pQEhYw
2011-11-21 04:01:54 . 2011-11-21 04:01:54	--------	d-----w-	C:\Users\Chaz\AppData\Roaming\etuinH7gThY
2011-11-16 19:34:22 . 2011-11-16 19:34:22	--------	d-----w-	C:\Users\Chaz\AppData\Local\Samsung
2011-11-16 19:34:02 . 2011-11-16 19:34:02	--------	d-----w-	C:\Users\Chaz\AppData\Roaming\Samsung
2011-11-16 19:07:47 . 2011-10-27 01:25:40	136808	----a-w-	C:\Windows\system32\drivers\ssadmdm.sys
2011-11-16 19:07:47 . 2011-10-27 01:25:40	12776	----a-w-	C:\Windows\system32\drivers\ssadmdfl.sys
2011-11-16 19:07:47 . 2011-10-27 01:25:40	121064	----a-w-	C:\Windows\system32\drivers\ssadbus.sys
2011-11-16 19:07:47 . 2011-10-27 01:25:40	10472	----a-w-	C:\Windows\system32\drivers\ssadcmnt.sys
2011-11-16 19:07:47 . 2011-10-27 01:25:40	10472	----a-w-	C:\Windows\system32\drivers\ssadcm.sys
2011-11-16 19:07:47 . 2011-10-27 01:25:40	10344	----a-w-	C:\Windows\system32\drivers\ssadwhnt.sys
2011-11-16 19:07:47 . 2011-10-27 01:25:40	10344	----a-w-	C:\Windows\system32\drivers\ssadwh.sys
2011-11-16 18:57:13 . 2011-10-31 16:22:56	4659712	----a-w-	C:\Windows\system32\Redemption.dll
2011-11-16 18:55:21 . 2011-11-16 18:55:21	--------	d-----w-	C:\Program Files\MarkAny
2011-11-16 18:55:21 . 2011-10-31 16:22:36	821824	----a-w-	C:\Windows\system32\dgderapi.dll
2011-11-16 18:55:21 . 2011-10-31 16:22:36	20032	----a-w-	C:\Windows\system32\drivers\dgderdrv.sys
2011-11-16 18:50:48 . 2011-11-16 19:03:27	--------	d-----w-	C:\Program Files\Samsung
2011-11-16 18:50:47 . 2011-11-16 18:58:26	--------	d-----w-	C:\ProgramData\Samsung
2011-11-16 18:40:01 . 2011-11-16 18:40:01	--------	d-----w-	C:\Users\Chaz\AppData\Local\Downloaded Installations
.


((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2011-12-05 10:25:50 . 2007-09-29 06:50:45	45056	----a-w-	C:\Windows\system32\acovcnt.exe
2011-11-01 02:11:43 . 2011-11-01 02:11:43	414368	----a-w-	C:\Windows\system32\FlashPlayerCPLApp.cpl
2011-10-31 16:22:42 . 2011-10-31 16:22:42	90112	----a-w-	C:\Windows\MAMCityDownload.ocx
2011-10-31 16:22:42 . 2011-10-31 16:22:42	325552	----a-w-	C:\Windows\MASetupCaller.dll
2011-10-31 16:22:42 . 2011-10-31 16:22:42	30568	----a-w-	C:\Windows\MusiccityDownload.exe
2011-10-31 16:22:40 . 2011-10-31 16:22:40	81920	----a-w-	C:\Windows\system32\issacapi_bs-2.3.dll
2011-10-31 16:22:40 . 2011-10-31 16:22:40	65536	----a-w-	C:\Windows\system32\issacapi_pe-2.3.dll
2011-10-31 16:22:40 . 2011-10-31 16:22:40	57344	----a-w-	C:\Windows\system32\issacapi_se-2.3.dll
2011-10-31 16:22:40 . 2011-10-31 16:22:40	49152	----a-w-	C:\Windows\system32\MaJGUILib.dll
2011-10-31 16:22:40 . 2011-10-31 16:22:40	45056	----a-w-	C:\Windows\system32\MaXMLProto.dll
2011-10-31 16:22:40 . 2011-10-31 16:22:40	40960	----a-w-	C:\Windows\system32\MTTELECHIP.dll
2011-10-31 16:22:40 . 2011-10-31 16:22:40	200704	----a-w-	C:\Windows\system32\muzwmts.dll
2011-10-31 16:22:40 . 2011-10-31 16:22:40	143360	----a-w-	C:\Windows\system32\3DAudio.ax
2011-10-31 16:22:40 . 2011-10-31 16:22:40	135168	----a-w-	C:\Windows\system32\muzaf1.dll
2011-10-31 16:22:40 . 2011-10-31 16:22:40	122880	----a-w-	C:\Windows\system32\muzeffect.ax
2011-10-31 16:22:40 . 2011-10-31 16:22:40	118784	----a-w-	C:\Windows\system32\MaDRM.dll
2011-10-31 16:22:40 . 2011-10-31 16:22:40	110592	----a-w-	C:\Windows\system32\muzmp4sp.ax
2011-10-31 16:22:38 . 2011-10-31 16:22:38	974848	----a-w-	C:\Windows\system32\cis-2.4.dll
2011-10-31 16:22:38 . 2011-10-31 16:22:38	57344	----a-w-	C:\Windows\system32\MTXSYNCICON.dll
2011-10-31 16:22:38 . 2011-10-31 16:22:38	57344	----a-w-	C:\Windows\system32\MK_Lyric.dll
2011-10-31 16:22:38 . 2011-10-31 16:22:38	569344	----a-w-	C:\Windows\system32\muzdecode.ax
2011-10-31 16:22:38 . 2011-10-31 16:22:38	491520	----a-w-	C:\Windows\system32\muzapp.dll
2011-10-31 16:22:38 . 2011-10-31 16:22:38	45056	----a-w-	C:\Windows\system32\MACXMLProto.dll
2011-10-31 16:22:38 . 2011-10-31 16:22:38	40960	----a-w-	C:\Windows\system32\MAMACExtract.dll
2011-10-31 16:22:38 . 2011-10-31 16:22:38	352256	----a-w-	C:\Windows\system32\MSLUR71.dll
2011-10-31 16:22:38 . 2011-10-31 16:22:38	258048	----a-w-	C:\Windows\system32\muzoggsp.ax
2011-10-31 16:22:38 . 2011-10-31 16:22:38	245760	----a-w-	C:\Windows\system32\MSCLib.dll
2011-10-31 16:22:38 . 2011-10-31 16:22:38	24576	----a-w-	C:\Windows\system32\MASetupCleaner.exe
2011-10-31 16:22:38 . 2011-10-31 16:22:38	155648	----a-w-	C:\Windows\system32\MSFLib.dll
2011-10-31 16:22:38 . 2011-10-31 16:22:38	131072	----a-w-	C:\Windows\system32\muzmpgsp.ax


((((((((((((((((((((((((((((((((((((((((((((   Look   )))))))))))))))))))))))))))))))))))))))))))))))))))))))))

---- Directory of C:\Users\Chaz\Desktop\AntiVirusSoftwares ----

2011-12-05 09:23:37 . 2011-12-05 09:23:56	50688	----a-w-	C:\Users\Chaz\Desktop\AntiVirusSoftwares\ATF-Cleaner.exe
2011-12-05 05:52:15 . 2011-12-05 05:52:39	401720	----a-w-	C:\Users\Chaz\Desktop\AntiVirusSoftwares\HiJackThis.exe


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ADSMOverlayIcon1]
@="{A8D448F4-0431-45AC-9F5E-E1B434AB2249}"
[HKEY_CLASSES_ROOT\CLSID\{A8D448F4-0431-45AC-9F5E-E1B434AB2249}]
2007-06-02 00:08:18	143360	----a-w-	C:\Program Files\ASUS\ASUS Data Security Manager\OverlayIconShlExt1.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-19 03:33:10 125952]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 03:33:40 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2007-03-23 11:04:53 4423680]
"SMSERIAL"="C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-11-21 17:31:25 630784]
"ATKMEDIA"="C:\Program Files\ASUS\ATK Media\DMEDIA.EXE" [2006-11-02 15:27:32 61440]
"PowerForPhone"="C:\Program Files\PowerForPhone\PowerForPhone.exe" [2007-06-26 17:10:44 778240]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2006-09-12 01:22:13 155648]
"JMB36X IDE Setup"="C:\Windows\RaidTool\xInsIDE.exe" [2007-03-20 06:36:17 36864]
"ASUS Screen Saver Protector"="C:\Windows\ASScrPro.exe" [2007-09-29 07:07:30 33136]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-07-24 23:02:42 174616]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 02:16:38 39792]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2011-12-05 09:30:25 2042208]
"Skytel"="Skytel.exe" [2007-03-16 07:06:53 1822720]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-05-22 14:34:59 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-05-22 14:34:59 8433664]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-05-22 14:34:59 81920]
"Malwarebytes' Anti-Malware (reboot)"="C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" [2011-08-31 21:00:48 1047208]
"SunJavaUpdateSched"="C:\Program Files\Common Files\Java\Java Update\jusched.exe" [2011-05-04 18:59:46 252136]
"IaNvSrv"="C:\Program Files\Intel\Intel Matrix Storage Manager\OROM\IaNvSrv\IaNvSrv.exe" [2007-07-24 23:02:54 33304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\Windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

R2 SqlCSS;SQL Server EXPRESS;C:\Windows\System32\svchost.exe [2008-01-19 03:33:34 21504]
R3 MBAMSwissArmy;MBAMSwissArmy;C:\Windows\system32\drivers\mbamswissarmy.sys [x]
R3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);C:\Windows\system32\DRIVERS\ssadbus.sys [2011-10-27 01:25:40 121064]
R3 ssadmdfl;SAMSUNG Android USB Modem (Filter);C:\Windows\system32\DRIVERS\ssadmdfl.sys [2011-10-27 01:25:40 12776]
R3 ssadmdm;SAMSUNG Android USB Modem Drivers;C:\Windows\system32\DRIVERS\ssadmdm.sys [2011-10-27 01:25:40 136808]
S0 iaNvStor;Intel(R) Turbo Memory Controller;C:\Windows\system32\DRIVERS\iaNvStor.sys [2007-07-09 18:28:16 209408]
S0 sptd;sptd;C:\Windows\System32\Drivers\sptd.sys [2008-09-21 23:18:22 717296]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\Windows\System32\Drivers\avgldx86.sys [2009-08-25 15:39:48 335240]
S1 AvgTdiX;AVG Free8 Network Redirector;C:\Windows\System32\Drivers\avgtdix.sys [2009-08-25 15:39:57 108552]
S2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2009-08-25 15:39:04 297752]
S2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 21:38:08 24652]
S3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;C:\Windows\system32\DRIVERS\atl01v32.sys [2007-03-15 06:41:15 48128]
S3 itecir;ITECIR Infrared Receiver;C:\Windows\system32\DRIVERS\itecir.sys [2007-04-20 23:14:32 47616]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs	REG_MULTI_SZ   	BthServ
Sqlses	REG_MULTI_SZ   	SqlCSS


------- Supplementary Scan -------

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:50788
IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 10.0.0.1
FF - ProfilePath - C:\Users\Chaz\AppData\Roaming\Mozilla\Firefox\Profiles\9banyjoh.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 50788
FF - prefs.js: network.proxy.type - 4
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Skype extension for Firefox: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - C:\Program Files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0017-0000-0001-ABCDEFFEDCBA} - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0017-0000-0001-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: 4chan: {9AA46F4F-4DC7-4c06-97AF-5035170633FE} - %profile%\extensions\{9AA46F4F-4DC7-4c06-97AF-5035170633FE}
FF - Ext: Torbutton: {e0204bd5-9d31-402b-a99d-a6aa8ffebdca} - %profile%\extensions\{e0204bd5-9d31-402b-a99d-a6aa8ffebdca}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: AVG Safe Search: {3f963a5b-e555-4543-90e2-c3908898db71} - C:\Program Files\AVG\AVG8\Firefox
FF - user.js: yahoo.homepage.dontask - true


**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-05 10:02:25
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ... 

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"

[HKEY_USERS\S-1-5-21-2299044074-552368118-3468275311-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:0f,d6,02,90,3a,a7,f6,22,e8,a9,7d,60,d8,1c,c6,46,b5,5a,e9,05,9b,f5,01,
   da,a7,29,3d,92,ad,43,80,d9,08,4b,a4,ba,ad,90,22,42,9a,35,f6,7f,13,7d,71,66,\
"??"=hex:5d,2e,bc,00,9b,07,bc,9c,34,34,87,88,c9,ab,ca,0d

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

Completion time: 2011-12-05  10:05:49
ComboFix-quarantined-files.txt  2011-12-05 15:05:46
ComboFix2.txt  2011-12-05 10:33:15

Pre-Run: 49,499,181,056 bytes free
Post-Run: 49,258,033,152 bytes free

- - End Of File - - 4DCEF796B38A6D17AEC104E08C074ABB


10)OTMoveIt2 log files
C:\Qoobox\Quarantine\C\Program Files\LP\EC19\7D87.tmp.vir moved successfully.
Created on 12/05/2011 08:44:46

DllUnregisterServer procedure not found in C:\Program Files\Windows Live\Messenger\riched20.dll
C:\Program Files\Windows Live\Messenger\riched20.dll NOT unregistered.
C:\Program Files\Windows Live\Messenger\riched20.dll moved successfully.
Created on 12/05/2011 08:51:07

DllUnregisterServer procedure not found in C:\Program Files\Windows Live\Messenger\msimg32.dll
C:\Program Files\Windows Live\Messenger\msimg32.dll NOT unregistered.
C:\Program Files\Windows Live\Messenger\msimg32.dll moved successfully.
Created on 12/05/2011 08:51:16


Having done those steps everyting seems to be running smoother and I am not getting the redirect issue or having PING.exe show up on my task manager when I have it show processes from all users. Firefox is still rather slugish in comparison to Internet Explorer 8. Could malware be the cause of this?

This post has been edited by Stormce: 05 December 2011 - 09:11 PM

#2 User is offline   HelpBot 

  • Bleepin' Binary Bot
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Bots
  • Posts: 5,607
  • Joined: 05-October 07
  • Gender:Male

Posted 10 December 2011 - 02:00 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Posted Image In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/430900 <<< CLICK THIS LINK

If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Posted Image If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.

  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.


Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 User is offline   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,524
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 13 December 2011 - 02:06 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.

  • Do not run any other tool untill instructed to do so!
  • Please Do not Attach logs or put in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.


We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:

    Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
    • The application window will appear
    • Click the Disable button to disable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger may ask you to reboot the machine, if it does - click OK

    Do not re-enable these drivers until otherwise instructed.


Download DDS:

    Please download DDS by sUBs from one of the links below and save it to your desktop:

    Posted Image
    Download DDS and save it to your desktop

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.

    • Double-Click on dds.scr and a command window will appear. This is normal.
    • Shortly after two logs will appear:
      • DDS.txt
      • Attach.txt

    • A window will open instructing you save & post the logs
    • Save the logs to a convenient place such as your desktop
    • Copy the contents of both logs & post in your next reply


Scan With RKUnHooker

  • Please Download Rootkit Unhooker Save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers, Stealth,. Uncheck the rest. then Click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note** you may get this warning it is ok, just ignore

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"

"just click on Cancel, then Accept".

information and logs:

    In your next post I need the following

    • .logs from DDS
    • log from RKUnHooker
    • let me know of any problems you may have had


Gringo
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#4 User is offline   Stormce 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 7
  • Joined: 05-December 11
  • Gender:Male

Posted 14 December 2011 - 01:41 PM

dds:
.
DDS (Ver_2011-08-26.01) - NTFSx86 
Internet Explorer: 8.0.6001.19088  BrowserJavaVersion: 10.1.0
Run by Chaz at 13:28:19 on 2011-12-14
Microsoft® Windows Vista™ Home Premium   6.0.6001.1.1252.1.1033.18.2047.841 [GMT -5:00]
.
AV: AVG Anti-Virus Free *Enabled/Updated* {0C939084-9E57-CBDB-EA61-0B0C7F62AF82}
SP: AVG Anti-Virus Free *Enabled/Updated* {B7F27160-B86D-C455-D0D1-307E04E5E53F}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\ASUS\ASUS Data Security Manager\ADSMSrv.exe
C:\Program Files\ATK Hotkey\ASLDRSrv.exe
C:\Program Files\ATKGFNEX\GFNEXSrv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\ASUS\ASUS Live Update\ALU.exe
C:\Program Files\ATK Hotkey\Hcontrol.exe
C:\Program Files\ATKOSD2\ATKOSD2.exe
C:\Program Files\Wireless Console 2\wcourier.exe
C:\Program Files\P4G\BatteryLife.exe
C:\Program Files\ASUS\Splendid\ACMON.exe
C:\Windows\System32\ACEngSvr.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\ASUS\ATK Media\DMedia.exe
C:\Program Files\PowerForPhone\PowerForPhone.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Windows\ASScrPro.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Apoint2K\HidFind.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Apoint2K\Apvfb.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\ATK Hotkey\ATKOSD.exe
C:\Program Files\ATK Hotkey\KBFiltr.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:50788
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil11c_Plugin.exe -update plugin
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [SMSERIAL] c:\program files\motorola\smserial\sm56hlpr.exe
mRun: [ATKMEDIA] c:\program files\asus\atk media\DMEDIA.EXE
mRun: [PowerForPhone] c:\program files\powerforphone\PowerForPhone.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exe
mRun: [ASUS Screen Saver Protector] c:\windows\ASScrPro.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Skytel] Skytel.exe
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [IaNvSrv] c:\program files\intel\intel matrix storage manager\orom\ianvsrv\IaNvSrv.exe
mRun: [Microsoft Pinyin IME Migration] c:\progra~1\common~1\micros~1\ime12\imesc\IMSCMIG.EXE /INSTALL
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_01-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_01-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_01-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{8E45889C-8026-4EDD-8FA3-D962727647EA} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{F490F34A-8039-41B0-97A0-3F682CA4ECA0} : DhcpNameServer = 192.168.1.1
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
AppInit_DLLs: c:\windows\system32\avgrsstx.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\chaz\appdata\roaming\mozilla\firefox\profiles\vb2f86st.1\
FF - plugin: c:\program files\java\jre7\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\new_plugin\npjp2.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0017-0000-0001-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0017-0000-0001-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
============= SERVICES / DRIVERS ===============
.
R0 iaNvStor;Intel(R) Turbo Memory Controller;c:\windows\system32\drivers\iaNvStor.sys [2011-12-5 209408]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-8-25 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-8-25 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-8-25 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-8-25 297752]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\atl01v32.sys [2007-3-15 48128]
R3 itecir;ITECIR Infrared Receiver;c:\windows\system32\drivers\itecir.sys [2007-9-29 47616]
S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\drivers\ssadbus.sys [2011-11-16 121064]
S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\drivers\ssadmdfl.sys [2011-11-16 12776]
S3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\drivers\ssadmdm.sys [2011-11-16 136808]
.
=============== Created Last 30 ================
.
2011-12-13 20:05:23	56200	----a-w-	c:\programdata\microsoft\windows defender\definition updates\{d4a48b63-aa09-4a84-97c2-f256ecd10658}\offreg.dll
2011-12-13 05:02:44	6823496	----a-w-	c:\programdata\microsoft\windows defender\definition updates\{d4a48b63-aa09-4a84-97c2-f256ecd10658}\mpengine.dll
2011-12-09 04:45:00	--------	d-----w-	c:\users\chaz\appdata\local\Apple
2011-12-07 08:02:28	231936	----a-w-	c:\windows\system32\msshsq.dll
2011-12-06 16:10:48	758784	----a-w-	c:\program files\common files\microsoft shared\vgx\VGX.dll
2011-12-05 20:55:42	--------	d-----w-	c:\users\chaz\appdata\local\Adobe
2011-12-05 18:46:11	7680	----a-w-	c:\program files\internet explorer\iecompat.dll
2011-12-05 18:25:00	2048	----a-w-	c:\windows\system32\winrsmgr.dll
2011-12-05 17:46:44	310784	----a-w-	c:\windows\system32\unregmp2.exe
2011-12-05 17:46:44	1418752	----a-w-	c:\program files\windows media player\setup_wm.exe
2011-12-05 17:45:51	28672	----a-w-	c:\windows\system32\Apphlpdm.dll
2011-12-05 17:45:50	4240384	----a-w-	c:\windows\system32\GameUXLegacyGDFs.dll
2011-12-05 17:38:58	523776	----a-w-	c:\windows\system32\RMActivate_isv.exe
2011-12-05 17:38:57	511488	----a-w-	c:\windows\system32\RMActivate.exe
2011-12-05 17:38:52	347136	----a-w-	c:\windows\system32\RMActivate_ssp.exe
2011-12-05 17:38:51	346624	----a-w-	c:\windows\system32\RMActivate_ssp_isv.exe
2011-12-05 17:38:49	472064	----a-w-	c:\windows\system32\secproc.dll
2011-12-05 17:38:41	472576	----a-w-	c:\windows\system32\secproc_isv.dll
2011-12-05 17:38:17	151040	----a-w-	c:\windows\system32\secproc_ssp_isv.dll
2011-12-05 17:38:17	151040	----a-w-	c:\windows\system32\secproc_ssp.dll
2011-12-05 17:38:16	329216	----a-w-	c:\windows\system32\msdrm.dll
2011-12-05 17:37:16	241152	----a-w-	c:\windows\system32\PortableDeviceApi.dll
2011-12-05 17:37:10	714240	----a-w-	c:\windows\system32\timedate.cpl
2011-12-05 17:36:22	147456	----a-w-	c:\windows\system32\Faultrep.dll
2011-12-05 17:36:22	125952	----a-w-	c:\windows\system32\wersvc.dll
2011-12-05 17:32:38	1645568	----a-w-	c:\windows\system32\connect.dll
2011-12-05 17:32:36	425472	----a-w-	c:\windows\system32\PhotoMetadataHandler.dll
2011-12-05 17:32:35	712704	----a-w-	c:\windows\system32\WindowsCodecs.dll
2011-12-05 17:32:35	347136	----a-w-	c:\windows\system32\WindowsCodecsExt.dll
2011-12-05 15:14:48	--------	d-sh--w-	C:\$RECYCLE.BIN
2011-12-05 15:05:52	--------	d-----w-	c:\users\chaz\appdata\local\temp
2011-12-05 14:23:08	--------	d-----w-	C:\ComboFix
2011-12-05 13:44:45	--------	d-----w-	C:\_OTMoveIt
2011-12-05 11:07:44	--------	d-----w-	c:\program files\ESET
2011-12-05 09:08:45	--------	d-----w-	c:\windows\system32\Lang
2011-12-05 08:46:04	277784	----a-w-	c:\windows\system32\drivers\iaStor.sys
2011-12-05 08:46:04	209408	----a-w-	c:\windows\system32\drivers\iaNvStor.sys
2011-12-05 07:36:17	98816	----a-w-	c:\windows\sed.exe
2011-12-05 07:36:17	518144	----a-w-	c:\windows\SWREG.exe
2011-12-05 07:36:17	256000	----a-w-	c:\windows\PEV.exe
2011-12-05 07:36:17	208896	----a-w-	c:\windows\MBR.exe
2011-12-05 07:13:03	611224	----a-w-	c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2011-12-05 07:13:03	544656	----a-w-	c:\windows\system32\deployJava1.dll
2011-11-21 04:02:48	--------	d-----w-	c:\users\chaz\appdata\roaming\9271C
2011-11-21 04:02:40	--------	d-----w-	c:\users\chaz\appdata\roaming\IFpmG5sQJdK8
2011-11-21 04:02:39	--------	d-----w-	c:\users\chaz\appdata\roaming\xkeHEK8gZ9hYwUe
2011-11-21 04:02:10	--------	d-----w-	c:\users\chaz\appdata\roaming\XP12pQEhYw
2011-11-21 04:01:54	--------	d-----w-	c:\users\chaz\appdata\roaming\etuinH7gThY
2011-11-16 19:34:22	--------	d-----w-	c:\users\chaz\appdata\local\Samsung
2011-11-16 19:34:02	--------	d-----w-	c:\users\chaz\appdata\roaming\Samsung
2011-11-16 19:07:47	136808	----a-w-	c:\windows\system32\drivers\ssadmdm.sys
2011-11-16 19:07:47	12776	----a-w-	c:\windows\system32\drivers\ssadmdfl.sys
2011-11-16 19:07:47	121064	----a-w-	c:\windows\system32\drivers\ssadbus.sys
2011-11-16 19:07:47	10472	----a-w-	c:\windows\system32\drivers\ssadcmnt.sys
2011-11-16 19:07:47	10472	----a-w-	c:\windows\system32\drivers\ssadcm.sys
2011-11-16 19:07:47	10344	----a-w-	c:\windows\system32\drivers\ssadwhnt.sys
2011-11-16 19:07:47	10344	----a-w-	c:\windows\system32\drivers\ssadwh.sys
2011-11-16 18:57:13	4659712	----a-w-	c:\windows\system32\Redemption.dll
2011-11-16 18:55:21	821824	----a-w-	c:\windows\system32\dgderapi.dll
2011-11-16 18:55:21	20032	----a-w-	c:\windows\system32\drivers\dgderdrv.sys
2011-11-16 18:55:21	--------	d-----w-	c:\program files\MarkAny
2011-11-16 18:50:48	--------	d-----w-	c:\program files\Samsung
2011-11-16 18:50:47	--------	d-----w-	c:\programdata\Samsung
2011-11-16 18:40:01	--------	d-----w-	c:\users\chaz\appdata\local\Downloaded Installations
.
==================== Find3M  ====================
.
2011-12-13 20:10:52	45056	----a-w-	c:\windows\system32\acovcnt.exe
2011-12-06 06:31:03	222080	------w-	c:\windows\system32\MpSigStub.exe
2011-11-01 02:11:43	414368	----a-w-	c:\windows\system32\FlashPlayerCPLApp.cpl
.
============= FINISH: 13:30:13.25 ===============



.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft® Windows Vista™ Home Premium 
Boot Device: \Device\HarddiskVolume3
Install Date: 9/29/2007 1:20:11 AM
System Uptime: 12/14/2011 4:25:46 AM (9 hours ago)
.
Motherboard: ASUSTeK Computer Inc.         |  | G2S       
Processor: Intel(R) Core(TM)2 Duo CPU     T7700  @ 2.40GHz | Socket 478 | 800/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 112 GiB total, 31.345 GiB free.
D: is FIXED (NTFS) - 67 GiB total, 26.192 GiB free.
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft 6to4 Adapter
Device ID: ROOT\*6TO4MP\0000
Manufacturer: Microsoft
Name: Microsoft 6to4 Adapter
PNP Device ID: ROOT\*6TO4MP\0000
Service: tunnel
.
==== System Restore Points ===================
.
RP563: 12/5/2011 8:59:24 AM - ComboFix created restore point
RP564: 12/5/2011 1:21:30 PM - Windows Update
RP565: 12/6/2011 1:30:24 AM - Windows Update
RP566: 12/6/2011 3:00:13 AM - Windows Update
RP567: 12/7/2011 3:01:04 AM - Windows Update
RP568: 12/8/2011 11:46:58 PM - Windows Update
RP569: 12/13/2011 12:02:09 AM - Windows Update
RP570: 12/13/2011 4:38:32 PM - Scheduled Checkpoint
.
==== Installed Programs ======================
.
 Update for Microsoft Office 2007 (KB2508958)
2007 Microsoft Office system
Activation Assistant for the 2007 Microsoft Office suites
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player 10 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1 (KB403742)
AIM 6
ALPS Touch Pad Driver
Apple Mobile Device Support
Apple Software Update
ASUS Data Security Manager
ASUS Direct Console
ASUS InstantFun
ASUS Live Update
ASUS Splendid Video Enhancement Technology
ATK Generic Function Service
ATK Hotkey
ATK Media
ATKOSD2
Attansic Ethernet Utility
AVG Free 8.5
Bonjour
Canon MP620 series MP Drivers
Canon MP620 series User Registration
CD Art Display 2.0.1
ChkMail
Command & Conquer 3
DFX for Windows Media Player
DivX Setup
ESET Online Scanner v3
G1&G2-2 Screen Saver
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Intel(R) PROSet/Wireless Software
Intel® Turbo Memory and Intel® Matrix Storage Manager
ITECIR Driver
iTunes
Java Auto Updater
Java(TM) 7 Update 1
Java(TM) SE Development Kit 7 Update 1
JMB36X Raid Configurer
K-Lite Codec Pack 5.5.6 (Basic)
LifeFrame2
LightScribe  1.4.142.1
Malwarebytes' Anti-Malware version 1.51.2.1300
Microsoft .NET Framework 3.5 SP1
Microsoft Corporation
Microsoft LifeCam
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Access MUI (Chinese (Simplified)) 2007
Microsoft Office Access MUI (Chinese (Traditional)) 2007
Microsoft Office Access MUI (English) 2007
Microsoft Office Access MUI (French) 2007
Microsoft Office Access MUI (Spanish) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (Chinese (Simplified)) 2007
Microsoft Office Excel MUI (Chinese (Traditional)) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Excel MUI (French) 2007
Microsoft Office Excel MUI (Spanish) 2007
Microsoft Office File Validation Add-In
Microsoft Office IME (Chinese (Simplified)) 2007
Microsoft Office IME (Chinese (Traditional)) 2007
Microsoft Office Outlook MUI (Chinese (Simplified)) 2007
Microsoft Office Outlook MUI (Chinese (Traditional)) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office Outlook MUI (French) 2007
Microsoft Office Outlook MUI (Spanish) 2007
Microsoft Office PowerPoint MUI (Chinese (Simplified)) 2007
Microsoft Office PowerPoint MUI (Chinese (Traditional)) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint MUI (French) 2007
Microsoft Office PowerPoint MUI (Spanish) 2007
Microsoft Office Professional 2007
Microsoft Office Professional Hybrid 2007
Microsoft Office Proof (Arabic) 2007
Microsoft Office Proof (Basque) 2007
Microsoft Office Proof (Catalan) 2007
Microsoft Office Proof (Chinese (Simplified)) 2007
Microsoft Office Proof (Chinese (Traditional)) 2007
Microsoft Office Proof (Dutch) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Galician) 2007
Microsoft Office Proof (German) 2007
Microsoft Office Proof (Portuguese (Brazil)) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (Chinese (Simplified)) 2007
Microsoft Office Proofing (Chinese (Traditional)) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing (French) 2007
Microsoft Office Proofing (Spanish) 2007
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Publisher MUI (Chinese (Simplified)) 2007
Microsoft Office Publisher MUI (Chinese (Traditional)) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Publisher MUI (French) 2007
Microsoft Office Publisher MUI (Spanish) 2007
Microsoft Office Shared MUI (Chinese (Simplified)) 2007
Microsoft Office Shared MUI (Chinese (Traditional)) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared MUI (French) 2007
Microsoft Office Shared MUI (Spanish) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (Chinese (Simplified)) 2007
Microsoft Office Word MUI (Chinese (Traditional)) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Office Word MUI (French) 2007
Microsoft Office Word MUI (Spanish) 2007
Microsoft Silverlight
Microsoft VC9 runtime libraries
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft WSE 3.0 Runtime
mMHouse
Motorola SM56 Speakerphone Modem
Mozilla Firefox (3.6.24)
mPfMgr
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NB Probe
Nero 7 Essentials
NVIDIA Drivers
PeerBlock 1.1 (r518)
Power4Gear eXtreme
PowerForPhone
QuickTime
Realtek High Definition Audio Driver
RICOH R5C83x/84x Flash Media Controller Driver Ver.3.51.01
Samsung Kies
SAMSUNG USB Driver for Mobile Phones
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Skype Toolbars
Skype™ 4.2
The Sims™ 3
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Outlook 2007 Junk Email Filter (KB2596560)
VC80CRTRedist - 8.0.50727.4053
Viewpoint Media Player
VistaFeaturePack
Vuze
Windows Driver Package - ITE Tech.Inc. (itecir) HIDClass  (04/20/2007 5.0.0001.2)
Windows Live installer
Windows Live Messenger
WinFlash
WinRAR archiver
Wireless Console 2
.
==== Event Viewer Messages From Past Week ========
.
12/7/2011 3:23:57 AM, Error: Service Control Manager [7023]  - The SQL Server EXPRESS service terminated with the following error:  The specified module could not be found.
12/7/2011 3:23:57 AM, Error: Service Control Manager [7023]  - The Network Security service terminated with the following error:  The specified module could not be found.
12/7/2011 3:23:57 AM, Error: Service Control Manager [7000]  - The Intel(R) PROSet/Wireless Registry Service service failed to start due to the following error:  The system cannot find the file specified.
12/7/2011 3:23:57 AM, Error: Service Control Manager [7000]  - The Intel(R) PROSet/Wireless Event Log service failed to start due to the following error:  The system cannot find the file specified.
12/7/2011 3:23:57 AM, Error: Service Control Manager [7000]  - The ghaio service failed to start due to the following error:  ghaio is not a valid Win32 application.
12/7/2011 3:23:03 AM, Error: Microsoft-Windows-WLAN-AutoConfig [10000]  - WLAN Extensibility Module has failed to start. Module Path: C:\Windows\System32\IWMSSvc.dll Error Code: 126
.
==== End Of File ===========================


RKUnHooker:
RkU Version: 3.8.389.593, Type LE (SR2)
==============================================
OS Name: Windows Vista
Version 6.0.6001 (Service Pack 1)
Number of processors #2
==============================================
>Drivers
==============================================
0x8CA0A000 C:\Windows\system32\DRIVERS\nvlddmkm.sys 7118848 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Miniport Driver, Version 101.34 )
0x82211000 C:\Windows\system32\ntkrnlpa.exe 3903488 bytes (Microsoft Corporation, NT Kernel & System)
0x82211000 PnpManager 3903488 bytes
0x82211000 RAW 3903488 bytes
0x82211000 WMIxWDM 3903488 bytes
0x8D406000 C:\Windows\system32\DRIVERS\NETw4v32.sys 2289664 bytes (Intel Corporation, Intel® Wireless WiFi Link Driver)
0x99EF0000 Win32k 2113536 bytes
0x99EF0000 C:\Windows\System32\win32k.sys 2113536 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0x8DA50000 C:\Windows\system32\drivers\RTKVHDA.sys 1757184 bytes (Realtek Semiconductor Corp., Realtek(r) High Definition Audio Function Driver)
0x88602000 C:\Windows\System32\Drivers\Ntfs.sys 1110016 bytes (Microsoft Corporation, NT File System Driver)
0x88202000 C:\Windows\system32\drivers\ndis.sys 1093632 bytes (Microsoft Corporation, NDIS 6.0 wrapper driver)
0x90A5D000 C:\Windows\system32\DRIVERS\smserial.sys 983040 bytes (Motorola Inc., Motorola SM56 Modem WDM Driver)
0x88409000 C:\Windows\System32\drivers\tcpip.sys 954368 bytes (Microsoft Corporation, TCP/IP Driver)
0x806CA000 C:\Windows\system32\CI.dll 917504 bytes (Microsoft Corporation, Code Integrity Module)
0xA480A000 C:\Windows\system32\drivers\peauth.sys 909312 bytes (Microsoft Corporation, Protected Environment Authentication and Authorization Export Driver)
0x91A3F000 C:\Windows\System32\Drivers\dump_iaStor.sys 778240 bytes
0x82E09000 C:\Windows\system32\DRIVERS\iaStor.sys 778240 bytes (Intel Corporation, Intel Matrix Storage Manager driver - ia32)
0x91B39000 C:\Windows\system32\drivers\spsys.sys 716800 bytes (Microsoft Corporation, security processor)
0x8D0D4000 C:\Windows\System32\drivers\dxgkrnl.sys 651264 bytes (Microsoft Corporation, DirectX Graphics Kernel)
0x82C00000 C:\Windows\system32\drivers\Wdf01000.sys 507904 bytes (Microsoft Corporation, WDF Dynamic)
0x82F74000 C:\Windows\System32\Drivers\ksecdd.sys 462848 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0x88537000 C:\Windows\system32\drivers\HTTP.sys 446464 bytes (Microsoft Corporation, HTTP Protocol Stack)
0x80610000 C:\Windows\system32\mcupdate_GenuineIntel.dll 393216 bytes (Microsoft Corporation, Intel Microcode Update Library)
0x8D734000 C:\Windows\system32\DRIVERS\itecir.sys 356352 bytes (Windows (R) Codename Longhorn DDK provider, SMSC Consumer IR Driver for eHome)
0x91199000 C:\Windows\System32\Drivers\avgldx86.sys 331776 bytes (AVG Technologies CZ, s.r.o., AVG AVI Loader Driver)
0x8D690000 C:\Windows\system32\DRIVERS\rixdptsk.sys 331776 bytes (REDC, RICOH XD SM Driver)
0xA3AE9000 C:\Windows\System32\DRIVERS\srv.sys 323584 bytes (Microsoft Corporation, Server driver)
0x82D32000 C:\Windows\System32\drivers\volmgrx.sys 303104 bytes (Microsoft Corporation, Volume Manager Extension Driver)
0x910B7000 C:\Windows\system32\drivers\afd.sys 294912 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x82C89000 C:\Windows\system32\drivers\acpi.sys 286720 bytes (Microsoft Corporation, ACPI Driver for NT)
0x80689000 C:\Windows\system32\CLFS.SYS 266240 bytes (Microsoft Corporation, Common Log File System Driver)
0x88372000 C:\Windows\system32\DRIVERS\storport.sys 266240 bytes (Microsoft Corporation, Microsoft Storage Port Driver)
0x8D18B000 C:\Windows\system32\DRIVERS\USBPORT.SYS 253952 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0x82DA1000 C:\Windows\system32\DRIVERS\iaNvStor.sys 245760 bytes (Intel Corporation, Intel(R) Turbo Memory Driver)
0x91136000 C:\Windows\system32\DRIVERS\rdbss.sys 245760 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0x88338000 C:\Windows\system32\drivers\NETIO.SYS 237568 bytes (Microsoft Corporation, Network I/O Subsystem)
0xA3A70000 C:\Windows\system32\DRIVERS\mrxsmb10.sys 233472 bytes (Microsoft Corporation, Longhorn SMB Downlevel SubRdr)
0x88711000 C:\Windows\system32\drivers\volsnap.sys 233472 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0x8DA0B000 C:\Windows\system32\DRIVERS\usbhub.sys 212992 bytes (Microsoft Corporation, Default Hub Driver for USB)
0x825CA000 ACPI_HAL 208896 bytes
0x825CA000 C:\Windows\system32\hal.dll 208896 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0x82F28000 C:\Windows\system32\drivers\fltmgr.sys 204800 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0x91085000 C:\Windows\System32\DRIVERS\netbt.sys 204800 bytes (Microsoft Corporation, MBT Transport driver)
0x8D7C3000 C:\Windows\system32\DRIVERS\msiscsi.sys 188416 bytes (Microsoft Corporation, Microsoft iSCSI Initiator Driver)
0x90A0B000 C:\Windows\system32\drivers\portcls.sys 184320 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0x8830D000 C:\Windows\system32\drivers\msrpc.sys 176128 bytes (Microsoft Corporation, Kernel Remote Procedure Call Provider)
0x807AA000 C:\Windows\system32\DRIVERS\ks.sys 172032 bytes (Microsoft Corporation, Kernel CSA Library)
0x8850D000 C:\Windows\system32\DRIVERS\nwifi.sys 172032 bytes (Microsoft Corporation, NativeWiFi Miniport Driver)
0x8D701000 C:\Windows\system32\DRIVERS\Apfiltr.sys 163840 bytes (Alps Electric Co., Ltd., Alps Touch Pad Driver)
0x91A0A000 C:\Windows\System32\Drivers\fastfat.SYS 163840 bytes (Microsoft Corporation, Fast FAT File System Driver)
0xA3AC1000 C:\Windows\System32\DRIVERS\srv2.sys 163840 bytes (Microsoft Corporation, Smb 2.0 Server driver)
0x88763000 C:\Windows\System32\drivers\ecache.sys 159744 bytes (Microsoft Corporation, Special Memory Device Cache)
0x82CE0000 C:\Windows\system32\drivers\pci.sys 159744 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0x82F02000 C:\Windows\system32\DRIVERS\SCSIPORT.SYS 155648 bytes (Microsoft Corporation, SCSI Port Driver)
0x90A38000 C:\Windows\system32\drivers\drmk.sys 151552 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0x883B3000 C:\Windows\system32\DRIVERS\ndiswan.sys 143360 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0x8879B000 C:\Windows\system32\drivers\CLASSPNP.SYS 135168 bytes (Microsoft Corporation, SCSI Class System Dll)
0x90B9F000 C:\Windows\System32\Drivers\usbvideo.sys 135168 bytes (Microsoft Corporation, USB Video Class Driver)
0x807D4000 C:\Windows\System32\drivers\VIDEOPRT.SYS 135168 bytes (Microsoft Corporation, Video Port Driver)
0xA3A31000 C:\Windows\system32\drivers\mrxdav.sys 131072 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xA3A51000 C:\Windows\system32\DRIVERS\mrxsmb.sys 126976 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0x82ECF000 C:\Windows\system32\drivers\ataport.SYS 122880 bytes (Microsoft Corporation, ATAPI Driver Extension)
0x885A4000 C:\Windows\System32\DRIVERS\srvnet.sys 118784 bytes (Microsoft Corporation, Server Network driver)
0x884F2000 C:\Windows\System32\drivers\fwpkclnt.sys 110592 bytes (Microsoft Corporation, FWP/IPsec Kernel-Mode API)
0x91B16000 C:\Windows\system32\drivers\luafv.sys 110592 bytes (Microsoft Corporation, LUA File Virtualization Filter Driver)
0x91006000 C:\Windows\system32\drivers\InCDFs.sys 106496 bytes (Nero AG, InCD File System Driver)
0x8D653000 C:\Windows\system32\DRIVERS\sdbus.sys 106496 bytes (Microsoft Corporation, SecureDigital Bus Driver)
0x9106C000 C:\Windows\System32\Drivers\avgtdix.sys 102400 bytes (AVG Technologies CZ, s.r.o., AVG Network connection watcher)
0xA3A03000 C:\Windows\system32\DRIVERS\bowser.sys 102400 bytes (Microsoft Corporation, NT Lan Manager Datagram Receiver Driver)
0x8D78B000 C:\Windows\system32\DRIVERS\cdrom.sys 98304 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xA3AA9000 C:\Windows\system32\DRIVERS\mrxsmb20.sys 98304 bytes (Microsoft Corporation, Longhorn SMB 2.0 Redirector)
0x9117C000 C:\Windows\System32\Drivers\dfsc.sys 94208 bytes (Microsoft Corporation, DFS Namespace Client Driver)
0x885CB000 C:\Windows\system32\DRIVERS\rasl2tp.sys 94208 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0x90B64000 C:\Windows\system32\DRIVERS\usbccgp.sys 94208 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0xA48FE000 C:\Windows\system32\DRIVERS\cdfs.sys 90112 bytes (Microsoft Corporation, CD-ROM File System Driver)
0x910FF000 C:\Windows\system32\DRIVERS\pacer.sys 90112 bytes (Microsoft Corporation, QoS Packet Scheduler)
0x91042000 C:\Windows\system32\DRIVERS\tdx.sys 90112 bytes (Microsoft Corporation, TDI Translation Driver)
0xA3A1C000 C:\Windows\System32\drivers\mpsdrv.sys 86016 bytes (Microsoft Corporation, Microsoft Protection Service Driver)
0x883EA000 C:\Windows\system32\DRIVERS\rassstp.sys 86016 bytes (Microsoft Corporation, RAS SSTP Miniport Call Manager)
0x883D6000 C:\Windows\system32\DRIVERS\raspptp.sys 81920 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0x8D67C000 C:\Windows\system32\DRIVERS\rimsptsk.sys 81920 bytes (REDC, RICOH MS Driver)
0x91058000 C:\Windows\system32\DRIVERS\smb.sys 81920 bytes (Microsoft Corporation, SMB Transport driver)
0x8D6E1000 C:\Windows\system32\DRIVERS\i8042prt.sys 77824 bytes (Microsoft Corporation, i8042 Port Driver)
0x911EA000 C:\Windows\system32\DRIVERS\rspndr.sys 77824 bytes (Microsoft Corporation, Link-Layer Topology Responder Driver for NDIS 6)
0x91123000 C:\Windows\system32\DRIVERS\wanarp.sys 77824 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0x8D1D8000 C:\Windows\system32\DRIVERS\HDAudBus.sys 73728 bytes (Microsoft Corporation, High Definition Audio Bus Driver)
0x8878A000 C:\Windows\system32\drivers\disk.sys 69632 bytes (Microsoft Corporation, PnP Disk Driver)
0x8DA3F000 C:\Windows\System32\Drivers\NDProxy.SYS 69632 bytes (Microsoft Corporation, NDIS Proxy)
0x80670000 C:\Windows\system32\PSHED.dll 69632 bytes (Microsoft Corporation, Platform Specific Hardware Error Driver)
0x82F5A000 C:\Windows\system32\drivers\fileinfo.sys 65536 bytes (Microsoft Corporation, FileInfo Filter Driver)
0x90B88000 C:\Windows\system32\DRIVERS\HIDCLASS.SYS 65536 bytes (Microsoft Corporation, Hid Class Library)
0x91BE8000 C:\Windows\system32\DRIVERS\lltdio.sys 65536 bytes (Microsoft Corporation, Link-Layer Topology Mapper I/O Driver)
0x82D91000 C:\Windows\System32\drivers\mountmgr.sys 65536 bytes (Microsoft Corporation, Mount Point Manager)
0x8D635000 C:\Windows\system32\DRIVERS\ohci1394.sys 65536 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)
0x82FE5000 C:\Windows\system32\DRIVERS\termdd.sys 65536 bytes (Microsoft Corporation, Terminal Server Driver)
0x8D1EA000 C:\Windows\system32\DRIVERS\atl01v32.sys 61440 bytes (Attansic Technology corporation., Attansic L1 Gigabit Ethernet 10/100/1000Base-T Adapter)
0x887F1000 C:\Windows\system32\DRIVERS\intelppm.sys 61440 bytes (Microsoft Corporation, Processor Device Driver)
0xA49D2000 C:\Windows\system32\DRIVERS\monitor.sys 61440 bytes (Microsoft Corporation, Monitor Driver)
0x88752000 C:\Windows\System32\Drivers\mup.sys 61440 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0x82D07000 C:\Windows\System32\drivers\partmgr.sys 61440 bytes (Microsoft Corporation, Partition Management Driver)
0x885E2000 C:\Windows\system32\DRIVERS\raspppoe.sys 61440 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0x8D66D000 C:\Windows\system32\DRIVERS\rimmptsk.sys 61440 bytes (REDC, RICOH SD Driver)
0x8D1C9000 C:\Windows\system32\DRIVERS\usbehci.sys 61440 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0x82D23000 C:\Windows\system32\drivers\volmgr.sys 61440 bytes (Microsoft Corporation, Volume Manager Driver)
0x8D645000 C:\Windows\system32\DRIVERS\1394BUS.SYS 57344 bytes (Microsoft Corporation, 1394 Bus Device Driver)
0x9A130000 C:\Windows\System32\cdd.dll 57344 bytes (Microsoft Corporation, Canonical Display Driver)
0x885F1000 C:\Windows\system32\DRIVERS\circlass.sys 57344 bytes (Microsoft Corporation, Consumer IR Class Driver for eHome)
0x91115000 C:\Windows\system32\DRIVERS\netbios.sys 57344 bytes (Microsoft Corporation, NetBIOS interface driver)
0x9102B000 C:\Windows\System32\Drivers\Npfs.SYS 57344 bytes (Microsoft Corporation, NPFS Driver)
0x82D83000 C:\Windows\system32\drivers\PCIIDEX.SYS 57344 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0x91A32000 C:\Windows\System32\Drivers\crashdmp.sys 53248 bytes (Microsoft Corporation, Crash Dump Driver)
0x90B4D000 C:\Windows\system32\drivers\modem.sys 53248 bytes (Microsoft Corporation, Modem Device Driver)
0x82DDD000 C:\Windows\system32\DRIVERS\umbus.sys 53248 bytes (Microsoft Corporation, User-Mode Bus Enumerator)
0x8D173000 C:\Windows\System32\drivers\watchdog.sys 53248 bytes (Microsoft Corporation, Watchdog Driver)
0x82C7C000 C:\Windows\system32\drivers\WDFLDR.SYS 53248 bytes (Microsoft Corporation, WDFLDR)
0x82EF6000 C:\Windows\system32\DRIVERS\jraid.sys 49152 bytes (JMicron Technology Corp., JMicron JMB36X RAID Driver)
0xA48F2000 C:\Windows\System32\drivers\tcpipreg.sys 49152 bytes (Microsoft Corporation, TCP/IP Registry Compatibility Driver)
0x90BF1000 C:\Windows\System32\drivers\vga.sys 49152 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0x90B7D000 C:\Windows\system32\DRIVERS\hidir.sys 45056 bytes (Microsoft Corporation, Infrared Miniport Driver for Input Devices)
0x8D6F6000 C:\Windows\system32\DRIVERS\kbdclass.sys 45056 bytes (Microsoft Corporation, Keyboard Class Driver)
0x8D729000 C:\Windows\system32\DRIVERS\mouclass.sys 45056 bytes (Microsoft Corporation, Mouse Class Driver)
0x91020000 C:\Windows\System32\Drivers\Msfs.SYS 45056 bytes (Microsoft Corporation, Mailslot driver)
0x887D2000 C:\Windows\system32\DRIVERS\ndistapi.sys 45056 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0x8D7F1000 C:\Windows\system32\DRIVERS\TDI.SYS 45056 bytes (Microsoft Corporation, TDI Wrapper)
0x887DD000 C:\Windows\system32\DRIVERS\tunnel.sys 45056 bytes (Microsoft Corporation, Microsoft Tunnel Interface Driver)
0x8D180000 C:\Windows\system32\DRIVERS\usbuhci.sys 45056 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0x82F6A000 C:\Windows\System32\Drivers\AsDsm.sys 40960 bytes (Windows (R) Codename Longhorn DDK provider, Data Security Manager Driver)
0x82D19000 C:\Windows\system32\DRIVERS\BATTC.SYS 40960 bytes (Microsoft Corporation, Battery Class Driver)
0x91AFD000 C:\Windows\System32\drivers\Dxapi.sys 40960 bytes (Microsoft Corporation, DirectX API Driver)
0x90B5A000 C:\Windows\system32\drivers\MODEMCSA.sys 40960 bytes (Microsoft Corporation, Unimodem CSA Filter)
0x8CA00000 C:\Windows\system32\DRIVERS\mssmbios.sys 40960 bytes (Microsoft Corporation, System Management BIOS Driver)
0x91A00000 C:\Windows\system32\DRIVERS\ndisuio.sys 40960 bytes (Microsoft Corporation, NDIS User mode I/O driver)
0x91172000 C:\Windows\system32\drivers\nsiproxy.sys 40960 bytes (Microsoft Corporation, NSI Proxy)
0xA48E8000 C:\Windows\System32\Drivers\secdrv.SYS 40960 bytes (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K., Macrovision SECURITY Driver)
0xA49E3000 C:\Windows\system32\DRIVERS\asyncmac.sys 36864 bytes (Microsoft Corporation, MS Remote Access serial network driver)
0xA49F3000 C:\Windows\System32\Drivers\BlackBox.SYS 36864 bytes (RKU Driver)
0x887BC000 C:\Windows\system32\drivers\crcdisk.sys 36864 bytes (Microsoft Corporation, Disk Block Verification Filter Driver)
0x90BDA000 C:\Windows\System32\Drivers\Fs_Rec.SYS 36864 bytes (Microsoft Corporation, File System Recognizer Driver)
0x90BD1000 C:\Windows\system32\DRIVERS\hidusb.sys 36864 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0x8D7AB000 C:\Windows\system32\drivers\InCDRm.sys 36864 bytes (Nero AG, Nero MRW Filter Driver)
0x90BC0000 C:\Windows\system32\DRIVERS\kbdhid.sys 36864 bytes (Microsoft Corporation, HID Keyboard Filter Driver)
0x82EED000 C:\Windows\system32\drivers\msahci.sys 36864 bytes (Microsoft Corporation, MS AHCI 1.0 Standard Driver)
0x91039000 C:\Windows\System32\DRIVERS\rasacd.sys 36864 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0x9A110000 C:\Windows\System32\TSDDD.dll 36864 bytes (Microsoft Corporation, Framebuffer Display Driver)
0x887E8000 C:\Windows\system32\DRIVERS\tunmp.sys 36864 bytes (Microsoft Corporation, Microsoft Tunnel Interface Driver)
0x82CCF000 C:\Windows\system32\drivers\WMILIB.SYS 36864 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0x82EC7000 C:\Windows\system32\drivers\atapi.sys 32768 bytes (Microsoft Corporation, ATAPI IDE Miniport Driver)
0x8D7BB000 C:\Windows\system32\DRIVERS\ATKACPI.sys 32768 bytes (ATK0100, ATK0100 ACPI Utility)
0x80681000 C:\Windows\system32\BOOTVID.dll 32768 bytes (Microsoft Corporation, VGA Boot Driver)
0x8D7A3000 C:\Windows\system32\drivers\InCDPass.sys 32768 bytes (Nero AG, Ahead RW Filter Driver)
0x80608000 C:\Windows\system32\kdcom.dll 32768 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0x90BC9000 C:\Windows\system32\DRIVERS\mouhid.sys 32768 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0x82CD8000 C:\Windows\system32\drivers\msisadrv.sys 32768 bytes (Microsoft Corporation, ISA Driver)
0x90A00000 C:\Windows\System32\DRIVERS\RDPCDD.sys 32768 bytes (Microsoft Corporation, RDP Miniport)
0x8DA00000 C:\Windows\system32\drivers\rdpencdd.sys 32768 bytes (Microsoft Corporation, RDP Miniport)
0x8874A000 C:\Windows\System32\Drivers\spldr.sys 32768 bytes (Microsoft Corporation, loader for security processor)
0x91BF8000 C:\Program Files\ATKGFNEX\ASMMAP.sys 28672 bytes (-, -)
0x90BEA000 C:\Windows\System32\Drivers\Beep.SYS 28672 bytes (Microsoft Corporation, BEEP Driver)
0x90B98000 C:\Windows\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0x82D7C000 C:\Windows\system32\drivers\intelide.sys 28672 bytes (Microsoft Corporation, Intel PCI IDE Driver)
0xA49EC000 C:\Users\Chaz\AppData\Local\Temp\mbr.sys 28672 bytes
0x90BE3000 C:\Windows\System32\Drivers\Null.SYS 28672 bytes (Microsoft Corporation, NULL Driver)
0x91193000 C:\Windows\System32\Drivers\avgmfx86.sys 24576 bytes (AVG Technologies CZ, s.r.o., AVG Resident Shield Minifilter Driver)
0x8D7B7000 C:\Windows\system32\DRIVERS\CmBatt.sys 16384 bytes (Microsoft Corporation, Control Method Battery Driver)
0x82D16000 C:\Windows\system32\DRIVERS\compbatt.sys 12288 bytes (Microsoft Corporation, Composite Battery Driver)
0x8D7B4000 C:\Windows\system32\DRIVERS\GEARAspiWDM.sys 12288 bytes (GEAR Software Inc., CD DVD Filter)
0x90A08000 C:\Windows\System32\Drivers\InCDrec.SYS 12288 bytes (Nero AG, InCD File System Recognizer)
0x88761000 C:\Windows\system32\DRIVERS\JGOGO.sys 8192 bytes (JMicron , SCSI Port upper filter driver)
0x8D6F4000 C:\Windows\system32\DRIVERS\kbfiltr.sys 8192 bytes ( , Keyboard Filter Driver)
0x8D7FC000 C:\Windows\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0x90B7B000 C:\Windows\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
==============================================
>Stealth
==============================================

#5 User is offline   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,524
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 14 December 2011 - 02:41 PM

Hello

I Would like you to do the following.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.

1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

    In your next post I need the following

  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?


Gringo
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#6 User is offline   Stormce 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 7
  • Joined: 05-December 11
  • Gender:Male

Posted 14 December 2011 - 09:05 PM

combofix:
[de]ComboFix 11-12-13.03 - Chaz 12/14/2011 18:45:45.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2047.986 [GMT -5:00]
Running from: c:\users\Chaz\Downloads\ComboFix.exe
AV: AVG Anti-Virus Free *Disabled/Updated* {0C939084-9E57-CBDB-EA61-0B0C7F62AF82}
SP: AVG Anti-Virus Free *Disabled/Updated* {B7F27160-B86D-C455-D0D1-307E04E5E53F}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2011-11-15 to 2011-12-15 )))))))))))))))))))))))))))))))
.
.
2011-12-15 00:14 . 2011-12-15 00:15 -------- d-----w- c:\users\Chaz\AppData\Local\temp
2011-12-15 00:14 . 2011-12-15 00:14 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-12-13 20:05 . 2011-12-13 20:05 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{D4A48B63-AA09-4A84-97C2-F256ECD10658}\offreg.dll
2011-12-13 05:02 . 2011-11-30 07:21 6823496 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{D4A48B63-AA09-4A84-97C2-F256ECD10658}\mpengine.dll
2011-12-09 04:45 . 2011-12-09 04:45 -------- d-----w- c:\users\Chaz\AppData\Local\Apple
2011-12-07 08:02 . 2010-09-20 09:25 231936 ----a-w- c:\windows\system32\msshsq.dll
2011-12-06 16:10 . 2011-04-30 06:09 758784 ----a-w- c:\program files\Common Files\Microsoft Shared\vgx\VGX.dll
2011-12-05 20:55 . 2011-12-05 20:55 -------- d-----w- c:\users\Chaz\AppData\Local\Adobe
2011-12-05 18:46 . 2010-10-19 04:27 7680 ----a-w- c:\program files\Internet Explorer\iecompat.dll
2011-12-05 18:25 . 2009-10-09 21:56 2048 ----a-w- c:\windows\system32\winrsmgr.dll
2011-12-05 17:46 . 2009-09-10 15:21 1418752 ----a-w- c:\program files\Windows Media Player\setup_wm.exe
2011-12-05 17:46 . 2009-09-10 15:21 310784 ----a-w- c:\windows\system32\unregmp2.exe
2011-12-05 17:45 . 2010-08-26 16:01 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2011-12-05 17:45 . 2010-08-26 14:11 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2011-12-05 17:38 . 2010-01-25 08:35 523776 ----a-w- c:\windows\system32\RMActivate_isv.exe
2011-12-05 17:38 . 2010-01-25 08:34 511488 ----a-w- c:\windows\system32\RMActivate.exe
2011-12-05 17:38 . 2010-01-25 08:34 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2011-12-05 17:38 . 2010-01-25 08:35 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2011-12-05 17:38 . 2010-01-25 12:48 472064 ----a-w- c:\windows\system32\secproc.dll
2011-12-05 17:38 . 2010-01-25 12:48 472576 ----a-w- c:\windows\system32\secproc_isv.dll
2011-12-05 17:38 . 2010-01-25 12:48 151040 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2011-12-05 17:38 . 2010-01-25 12:48 151040 ----a-w- c:\windows\system32\secproc_ssp.dll
2011-12-05 17:38 . 2010-01-25 12:45 329216 ----a-w- c:\windows\system32\msdrm.dll
2011-12-05 17:37 . 2008-10-22 03:57 241152 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2011-12-05 17:37 . 2009-10-23 17:42 714240 ----a-w- c:\windows\system32\timedate.cpl
2011-12-05 17:36 . 2008-09-18 04:56 125952 ----a-w- c:\windows\system32\wersvc.dll
2011-12-05 17:36 . 2008-09-18 04:56 147456 ----a-w- c:\windows\system32\Faultrep.dll
2011-12-05 17:32 . 2008-10-21 05:25 1645568 ----a-w- c:\windows\system32\connect.dll
2011-12-05 17:32 . 2008-08-28 03:40 425472 ----a-w- c:\windows\system32\PhotoMetadataHandler.dll
2011-12-05 17:32 . 2008-08-28 03:40 712704 ----a-w- c:\windows\system32\WindowsCodecs.dll
2011-12-05 17:32 . 2008-08-28 03:40 347136 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2011-12-05 13:44 . 2011-12-05 13:44 -------- d-----w- C:\_OTMoveIt
2011-12-05 11:07 . 2011-12-05 11:07 -------- d-----w- c:\program files\ESET
2011-12-05 09:08 . 2011-12-05 09:08 -------- d-----w- c:\windows\system32\Lang
2011-12-05 08:46 . 2007-07-09 18:28 209408 ----a-w- c:\windows\system32\drivers\iaNvStor.sys
2011-12-05 08:46 . 2007-04-25 17:17 277784 ----a-w- c:\windows\system32\drivers\iaStor.sys
2011-12-05 08:35 . 2011-12-05 08:35 -------- d-----w- c:\windows\Sun
2011-12-05 07:14 . 2011-12-05 07:14 -------- d-----w- c:\program files\Common Files\Java
2011-12-05 07:13 . 2011-12-05 07:12 611224 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-12-05 07:13 . 2011-12-05 07:12 544656 ----a-w- c:\windows\system32\deployJava1.dll
2011-11-21 04:02 . 2011-11-21 04:02 -------- d-----w- c:\users\Chaz\AppData\Roaming\9271C
2011-11-21 04:02 . 2011-11-21 04:02 -------- d-----w- c:\users\Chaz\AppData\Roaming\IFpmG5sQJdK8
2011-11-21 04:02 . 2011-11-21 04:02 -------- d-----w- c:\users\Chaz\AppData\Roaming\xkeHEK8gZ9hYwUe
2011-11-21 04:02 . 2011-11-21 04:02 -------- d-----w- c:\users\Chaz\AppData\Roaming\XP12pQEhYw
2011-11-21 04:01 . 2011-11-21 04:01 -------- d-----w- c:\users\Chaz\AppData\Roaming\etuinH7gThY
2011-11-16 19:34 . 2011-11-16 19:34 -------- d-----w- c:\users\Chaz\AppData\Local\Samsung
2011-11-16 19:34 . 2011-11-16 19:34 -------- d-----w- c:\users\Chaz\AppData\Roaming\Samsung
2011-11-16 19:07 . 2011-10-27 01:25 136808 ----a-w- c:\windows\system32\drivers\ssadmdm.sys
2011-11-16 19:07 . 2011-10-27 01:25 12776 ----a-w- c:\windows\system32\drivers\ssadmdfl.sys
2011-11-16 19:07 . 2011-10-27 01:25 121064 ----a-w- c:\windows\system32\drivers\ssadbus.sys
2011-11-16 19:07 . 2011-10-27 01:25 10472 ----a-w- c:\windows\system32\drivers\ssadcmnt.sys
2011-11-16 19:07 . 2011-10-27 01:25 10472 ----a-w- c:\windows\system32\drivers\ssadcm.sys
2011-11-16 19:07 . 2011-10-27 01:25 10344 ----a-w- c:\windows\system32\drivers\ssadwhnt.sys
2011-11-16 19:07 . 2011-10-27 01:25 10344 ----a-w- c:\windows\system32\drivers\ssadwh.sys
2011-11-16 18:57 . 2011-10-31 16:22 4659712 ----a-w- c:\windows\system32\Redemption.dll
2011-11-16 18:55 . 2011-11-16 18:55 -------- d-----w- c:\program files\MarkAny
2011-11-16 18:55 . 2011-10-31 16:22 821824 ----a-w- c:\windows\system32\dgderapi.dll
2011-11-16 18:55 . 2011-10-31 16:22 20032 ----a-w- c:\windows\system32\drivers\dgderdrv.sys
2011-11-16 18:50 . 2011-11-16 19:03 -------- d-----w- c:\program files\Samsung
2011-11-16 18:50 . 2011-11-16 18:58 -------- d-----w- c:\programdata\Samsung
2011-11-16 18:40 . 2011-11-16 18:40 -------- d-----w- c:\users\Chaz\AppData\Local\Downloaded Installations
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-13 20:10 . 2007-09-29 06:50 45056 ----a-w- c:\windows\system32\acovcnt.exe
2011-12-06 06:31 . 2009-10-05 17:17 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-11-01 02:11 . 2011-11-01 02:11 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-31 16:22 . 2011-10-31 16:22 90112 ----a-w- c:\windows\MAMCityDownload.ocx
2011-10-31 16:22 . 2011-10-31 16:22 325552 ----a-w- c:\windows\MASetupCaller.dll
2011-10-31 16:22 . 2011-10-31 16:22 30568 ----a-w- c:\windows\MusiccityDownload.exe
2011-10-31 16:22 . 2011-10-31 16:22 81920 ----a-w- c:\windows\system32\issacapi_bs-2.3.dll
2011-10-31 16:22 . 2011-10-31 16:22 65536 ----a-w- c:\windows\system32\issacapi_pe-2.3.dll
2011-10-31 16:22 . 2011-10-31 16:22 57344 ----a-w- c:\windows\system32\issacapi_se-2.3.dll
2011-10-31 16:22 . 2011-10-31 16:22 49152 ----a-w- c:\windows\system32\MaJGUILib.dll
2011-10-31 16:22 . 2011-10-31 16:22 45056 ----a-w- c:\windows\system32\MaXMLProto.dll
2011-10-31 16:22 . 2011-10-31 16:22 40960 ----a-w- c:\windows\system32\MTTELECHIP.dll
2011-10-31 16:22 . 2011-10-31 16:22 200704 ----a-w- c:\windows\system32\muzwmts.dll
2011-10-31 16:22 . 2011-10-31 16:22 143360 ----a-w- c:\windows\system32\3DAudio.ax
2011-10-31 16:22 . 2011-10-31 16:22 135168 ----a-w- c:\windows\system32\muzaf1.dll
2011-10-31 16:22 . 2011-10-31 16:22 122880 ----a-w- c:\windows\system32\muzeffect.ax
2011-10-31 16:22 . 2011-10-31 16:22 118784 ----a-w- c:\windows\system32\MaDRM.dll
2011-10-31 16:22 . 2011-10-31 16:22 110592 ----a-w- c:\windows\system32\muzmp4sp.ax
2011-10-31 16:22 . 2011-10-31 16:22 974848 ----a-w- c:\windows\system32\cis-2.4.dll
2011-10-31 16:22 . 2011-10-31 16:22 57344 ----a-w- c:\windows\system32\MTXSYNCICON.dll
2011-10-31 16:22 . 2011-10-31 16:22 57344 ----a-w- c:\windows\system32\MK_Lyric.dll
2011-10-31 16:22 . 2011-10-31 16:22 569344 ----a-w- c:\windows\system32\muzdecode.ax
2011-10-31 16:22 . 2011-10-31 16:22 491520 ----a-w- c:\windows\system32\muzapp.dll
2011-10-31 16:22 . 2011-10-31 16:22 45056 ----a-w- c:\windows\system32\MACXMLProto.dll
2011-10-31 16:22 . 2011-10-31 16:22 40960 ----a-w- c:\windows\system32\MAMACExtract.dll
2011-10-31 16:22 . 2011-10-31 16:22 352256 ----a-w- c:\windows\system32\MSLUR71.dll
2011-10-31 16:22 . 2011-10-31 16:22 258048 ----a-w- c:\windows\system32\muzoggsp.ax
2011-10-31 16:22 . 2011-10-31 16:22 245760 ----a-w- c:\windows\system32\MSCLib.dll
2011-10-31 16:22 . 2011-10-31 16:22 24576 ----a-w- c:\windows\system32\MASetupCleaner.exe
2011-10-31 16:22 . 2011-10-31 16:22 155648 ----a-w- c:\windows\system32\MSFLib.dll
2011-10-31 16:22 . 2011-10-31 16:22 131072 ----a-w- c:\windows\system32\muzmpgsp.ax
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ADSMOverlayIcon1]
@="{A8D448F4-0431-45AC-9F5E-E1B434AB2249}"
[HKEY_CLASSES_ROOT\CLSID\{A8D448F4-0431-45AC-9F5E-E1B434AB2249}]
2007-06-02 00:08 143360 ----a-w- c:\program files\ASUS\ASUS Data Security Manager\OverlayIconShlExt1.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2007-03-23 4423680]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-11-21 630784]
"ATKMEDIA"="c:\program files\ASUS\ATK Media\DMEDIA.EXE" [2006-11-02 61440]
"PowerForPhone"="c:\program files\PowerForPhone\PowerForPhone.exe" [2007-06-26 778240]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2006-09-12 155648]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"ASUS Screen Saver Protector"="c:\windows\ASScrPro.exe" [2007-09-29 33136]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-07-24 174616]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2011-12-05 2042208]
"Skytel"="Skytel.exe" [2007-03-16 1822720]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-05-22 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-22 8433664]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-05-22 81920]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-08-31 1047208]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-05-04 252136]
"IaNvSrv"="c:\program files\Intel\Intel Matrix Storage Manager\OROM\IaNvSrv\IaNvSrv.exe" [2007-07-24 33304]
"Microsoft Pinyin IME Migration"="c:\progra~1\COMMON~1\MICROS~1\IME12\IMESC\IMSCMIG.EXE" [2011-05-31 32112]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R2 SqlCSS;SQL Server EXPRESS;c:\windows\System32\svchost.exe [2008-01-19 21504]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [x]
R3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\DRIVERS\ssadbus.sys [2011-10-27 121064]
R3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\DRIVERS\ssadmdfl.sys [2011-10-27 12776]
R3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\DRIVERS\ssadmdm.sys [2011-10-27 136808]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2008-09-21 717296]
S0 iaNvStor;Intel® Turbo Memory Controller;c:\windows\system32\DRIVERS\iaNvStor.sys [2007-07-09 209408]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-08-25 335240]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-08-25 108552]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-08-25 297752]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;c:\windows\system32\DRIVERS\atl01v32.sys [2007-03-15 48128]
S3 itecir;ITECIR Infrared Receiver;c:\windows\system32\DRIVERS\itecir.sys [2007-04-20 47616]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - BLACKBOX
*Deregistered* - BlackBox
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
Sqlses REG_MULTI_SZ SqlCSS
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:50788
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Chaz\AppData\Roaming\Mozilla\Firefox\Profiles\vb2f86st.1\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0017-0000-0001-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0017-0000-0001-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-14 19:15
Windows 6.0.6001 Service Pack 1 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
C:\ADSM_PData_0150
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\S-1-5-21-2299044074-552368118-3468275311-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:0f,d6,02,90,3a,a7,f6,22,e8,a9,7d,60,d8,1c,c6,46,b5,5a,e9,05,9b,f5,01,
da,a7,29,3d,92,ad,43,80,d9,08,4b,a4,ba,ad,90,22,42,9a,35,f6,7f,13,7d,71,66,\
"??"=hex:5d,2e,bc,00,9b,07,bc,9c,34,34,87,88,c9,ab,ca,0d
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(4400)
c:\program files\ASUS\ASUS Data Security Manager\OverlayIconShlExt1.dll
.
Completion time: 2011-12-14 19:18:52
ComboFix-quarantined-files.txt 2011-12-15 00:18
ComboFix2.txt 2011-12-05 15:05
ComboFix3.txt 2011-12-05 10:33
.
Pre-Run: 33,284,972,544 bytes free
Post-Run: 33,259,098,112 bytes free
.
- - End Of File - - 030674ABE5F4673A6C1083051A6D04D0
[/code]

This post has been edited by gringo_pr: 14 December 2011 - 09:07 PM

#7 User is offline   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,524
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 14 December 2011 - 09:10 PM

Hello

I would ike to see a report that combofix makes.

extra combofix report

  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and past the following into the box

C:\Qoobox\Add-Remove Programs.txt

  • click ok


copy and paste the report into this topic for me to review

Gringo
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#8 User is offline   Stormce 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 7
  • Joined: 05-December 11
  • Gender:Male

Posted 14 December 2011 - 09:12 PM

Extra Report
 Update for Microsoft Office 2007 (KB2508958)
2007 Microsoft Office system
Activation Assistant for the 2007 Microsoft Office suites
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player 10 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1 (KB403742)
AIM 6
ALPS Touch Pad Driver
Apple Mobile Device Support
Apple Software Update
ASUS Data Security Manager
ASUS Direct Console
ASUS InstantFun
ASUS Live Update
ASUS Splendid Video Enhancement Technology
ATK Generic Function Service
ATK Hotkey
ATK Media
ATKOSD2
Attansic Ethernet Utility
AVG Free 8.5
Bonjour
Canon MP620 series MP Drivers
Canon MP620 series User Registration
CD Art Display 2.0.1
ChkMail
Command & Conquer 3
DFX for Windows Media Player
DivX Setup
ESET Online Scanner v3
G1&G2-2 Screen Saver
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Intel(R) PROSet/Wireless Software
Intel® Turbo Memory and Intel® Matrix Storage Manager
ITECIR Driver
iTunes
Java Auto Updater
Java(TM) 7 Update 1
Java(TM) SE Development Kit 7 Update 1
JMB36X Raid Configurer
K-Lite Codec Pack 5.5.6 (Basic)
LifeFrame2
LightScribe  1.4.142.1
Malwarebytes' Anti-Malware version 1.51.2.1300
Microsoft .NET Framework 3.5 SP1
Microsoft Corporation
Microsoft LifeCam
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Access MUI (Chinese (Simplified)) 2007
Microsoft Office Access MUI (Chinese (Traditional)) 2007
Microsoft Office Access MUI (English) 2007
Microsoft Office Access MUI (French) 2007
Microsoft Office Access MUI (Spanish) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (Chinese (Simplified)) 2007
Microsoft Office Excel MUI (Chinese (Traditional)) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Excel MUI (French) 2007
Microsoft Office Excel MUI (Spanish) 2007
Microsoft Office File Validation Add-In
Microsoft Office IME (Chinese (Simplified)) 2007
Microsoft Office IME (Chinese (Traditional)) 2007
Microsoft Office Outlook MUI (Chinese (Simplified)) 2007
Microsoft Office Outlook MUI (Chinese (Traditional)) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office Outlook MUI (French) 2007
Microsoft Office Outlook MUI (Spanish) 2007
Microsoft Office PowerPoint MUI (Chinese (Simplified)) 2007
Microsoft Office PowerPoint MUI (Chinese (Traditional)) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint MUI (French) 2007
Microsoft Office PowerPoint MUI (Spanish) 2007
Microsoft Office Professional 2007
Microsoft Office Professional Hybrid 2007
Microsoft Office Proof (Arabic) 2007
Microsoft Office Proof (Basque) 2007
Microsoft Office Proof (Catalan) 2007
Microsoft Office Proof (Chinese (Simplified)) 2007
Microsoft Office Proof (Chinese (Traditional)) 2007
Microsoft Office Proof (Dutch) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Galician) 2007
Microsoft Office Proof (German) 2007
Microsoft Office Proof (Portuguese (Brazil)) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (Chinese (Simplified)) 2007
Microsoft Office Proofing (Chinese (Traditional)) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing (French) 2007
Microsoft Office Proofing (Spanish) 2007
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Publisher MUI (Chinese (Simplified)) 2007
Microsoft Office Publisher MUI (Chinese (Traditional)) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Publisher MUI (French) 2007
Microsoft Office Publisher MUI (Spanish) 2007
Microsoft Office Shared MUI (Chinese (Simplified)) 2007
Microsoft Office Shared MUI (Chinese (Traditional)) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared MUI (French) 2007
Microsoft Office Shared MUI (Spanish) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (Chinese (Simplified)) 2007
Microsoft Office Word MUI (Chinese (Traditional)) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Office Word MUI (French) 2007
Microsoft Office Word MUI (Spanish) 2007
Microsoft Silverlight
Microsoft VC9 runtime libraries
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft WSE 3.0 Runtime
mMHouse
Motorola SM56 Speakerphone Modem
Mozilla Firefox (3.6.24)
mPfMgr
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NB Probe
Nero 7 Essentials
NVIDIA Drivers
PeerBlock 1.1 (r518)
Power4Gear eXtreme
PowerForPhone
QuickTime
Realtek High Definition Audio Driver
RICOH R5C83x/84x Flash Media Controller Driver Ver.3.51.01
Samsung Kies
SAMSUNG USB Driver for Mobile Phones
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Skype Toolbars
Skype™ 4.2
The Sims™ 3
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Outlook 2007 Junk Email Filter (KB2596560)
VC80CRTRedist - 8.0.50727.4053
Viewpoint Media Player
VistaFeaturePack
Vuze
Windows Driver Package - ITE Tech.Inc. (itecir) HIDClass  (04/20/2007 5.0.0001.2)
Windows Live installer
Windows Live Messenger
WinFlash
WinRAR archiver
Wireless Console 2

#9 User is offline   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,524
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 14 December 2011 - 09:16 PM

These logs are looking alot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps..

uninstall some programs

    1. click on start
    2. then go to settings
    3. after that you need control panel
    4. look for the icon add/remove programs
    click on the following programs

    Adobe Reader 8.1.2

    and click on remove


Update Adobe Reader

    Recently there have been vunerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

    You can download it from http://www.adobe.com/products/acrobat/readstep2.html
    After installing the latest Adobe Reader, uninstall all previous versions.
    If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

      If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader(7 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

      Note: When installing FoxitReader, be carefull not to install anything to do with AskBar.




TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.

Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer take a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

    I would like you to rerun MBAM

  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt


Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Download HijackThis

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the Analyze This button its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.


NOTE**
sometimes we have to run it like this To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator

"information and logs"

    In your next post I need the following

    • Log From MBAM
    • report from Hijackthis
    • let me know of any problems you may have had
    • How is the computer doing now?


Gringo

This post has been edited by gringo_pr: 14 December 2011 - 09:17 PM

I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#10 User is offline   Stormce 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 7
  • Joined: 05-December 11
  • Gender:Male

Posted 14 December 2011 - 11:45 PM

MBAM log
Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8373

Windows 6.0.6001 Service Pack 1
Internet Explorer 8.0.6001.19088

12/14/2011 11:23:04 PM
mbam-log-2011-12-14 (23-23-04).txt

Scan type: Quick scan
Objects scanned: 167457
Time elapsed: 5 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Hijackthis
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:43:30 PM, on 12/14/2011
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.19088)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\System32\rundll32.exe
C:\Windows\explorer.exe
C:\Users\Chaz\Desktop\AntiVirusSoftwares\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:50788
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [ATKMEDIA] C:\Program Files\ASUS\ATK Media\DMEDIA.EXE
O4 - HKLM\..\Run: [PowerForPhone] C:\Program Files\PowerForPhone\PowerForPhone.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [ASUS Screen Saver Protector] C:\Windows\ASScrPro.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [IaNvSrv] C:\Program Files\Intel\Intel Matrix Storage Manager\OROM\IaNvSrv\IaNvSrv.exe
O4 - HKLM\..\Run: [Microsoft Pinyin IME Migration] C:\PROGRA~1\COMMON~1\MICROS~1\IME12\IMESC\IMSCMIG.EXE /INSTALL
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\Windows\System32\avgrsstx.dll
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: ADSM Service (ADSMService) - Unknown owner - C:\Program Files\ASUS\ASUS Data Security Manager\ADSMSrv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASLDR Service (ASLDRService) - Unknown owner - C:\Program Files\ATK Hotkey\ASLDRSrv.exe
O23 - Service: ATKGFNEX Service (ATKGFNEXSrv) - Unknown owner - C:\Program Files\ATKGFNEX\GFNEXSrv.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Unknown owner - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe (file missing)
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Unknown owner - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe (file missing)
O23 - Service: spmgr - Unknown owner - C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6165 bytes

#11 User is offline   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,524
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 14 December 2011 - 11:49 PM

Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded start-up entries:

This part of the fix is purely optional
These are programs that start up when you turn on your computer but don't need to be, any of these programs you can click on their icons (or start from the control panel) and start the program when you need it. By stopping these programs you will boot up faster and your computer will work faster.

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

      O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
      O4 - HKLM\..\Run: [ATKMEDIA] C:\Program Files\ASUS\ATK Media\DMEDIA.EXE
      O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
      O4 - HKLM\..\Run: [Skytel] Skytel.exe
      O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
      O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
      O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
      O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
      O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
      O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
      O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe


  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

      NOTE**You can research each of those lines >here< and see if you want to keep them or not
      just copy the name between the brackets and paste into the search space
      O4 - HKLM\..\Run: [IntelliPoint]


NOTE**
sometimes we have to run it like this To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator

Eset Online Scanner

**Note** You will need to use Internet explorer for this scan - Vista and win 7 right click on IE shortcut and run as admin

Go Eset web page to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the ActiveX control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
      Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Click on copy to clipboard and paste the results here in this topic
  • you may also find here C:\Program Files\Eset\Eset Online Scanner\log.txt

Copy and paste that log as a reply to this topic

Gringo
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#12 User is offline   Stormce 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 7
  • Joined: 05-December 11
  • Gender:Male

Posted 15 December 2011 - 04:04 PM

ESET
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=cf556eba076ccc4eb13403f93c63423e
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-12-15 07:50:11
# local_time=2011-12-15 02:50:11 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=6.0.6001 NT Service Pack 1
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1024 16777215 100 0 71789500 71789500 0 0
# compatibility_mode=5892 16776573 100 100 0 160533370 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=144211
# found=6
# cleaned=0
# scan_time=9569
C:\Program Files\Vuze\.install4j\i4j_extf_8_5p83tu.exe	a variant of Win32/AdInstaller application (unable to clean)	00000000000000000000000000000000	I
C:\Users\Chaz\Downloads\frostwire-4.18.3.windows.exe	Win32/OpenCandy application (unable to clean)	00000000000000000000000000000000	I
C:\Users\Chaz\Downloads\winamp5581_full_emusic-7plus_en-us.exe	Win32/OpenCandy application (unable to clean)	00000000000000000000000000000000	I
C:\_OTMoveIt\MovedFiles\Program Files\Windows Live\Messenger\msimg32.dll	Win32/Toolbar.MyWebSearch application (unable to clean)	00000000000000000000000000000000	I
C:\_OTMoveIt\MovedFiles\Program Files\Windows Live\Messenger\riched20.dll	Win32/Toolbar.MyWebSearch application (unable to clean)	00000000000000000000000000000000	I
C:\_OTMoveIt\MovedFiles\Qoobox\Quarantine\C\Program Files\LP\EC19\7D87.tmp.vir	a variant of Win32/Kryptik.VZB trojan (unable to clean)	00000000000000000000000000000000	I

#13 User is offline   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,524
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 15 December 2011 - 04:16 PM

Hello

There are some minor things in your online scan that should be removed.


delete files

  • Copy all text in the quote box (below)...to Notepad.

    Quote

    @echo off
    del /f /s /q "C:\Program Files\Vuze\.install4j\i4j_extf_8_5p83tu.exe"
    del /f /s /q "C:\Users\Chaz\Downloads\frostwire-4.18.3.windows.exe"
    del /f /s /q "C:\Users\Chaz\Downloads\winamp5581_full_emusic-7plus_en-us.exe"
    del %0

  • Save the Notepad file on your desktop...as delfile.bat... save type as "All Files"
    It should look like this: Posted Image<--XPPosted Image<--vista
  • Double click on delfile.bat to execute it.
    A black CMD window will flash, then disappear...this is normal.
  • The files and folders, if found...will have been deleted and the "delfile.bat" file will also be deleted.



The rest of the Online scan is only reporting backups created during the course of this fix C:\Qoobox\Quarantine\, and/or items located in System Restore's cache C:\System Volume Information\, Whatever is in these folders can't harm you unless you choose to perform a manual restore. the following steps will remove these backups.


Very well done!! This is my general post for when your logs show no more signs of malware - Please let me know if you still are having problems with your computer and what these problems are.


The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points and create a new restore point. It will also remove all the backups our tools may have made.

Any programs and logs that are left over you can just be deleted from the desktop. TFC is a free temp file cleaner that is very easy to use, I would keep this and use before you do any scans or when you want to free up some space.

:DeFogger:

    To re-enable your Emulation drivers, double click DeFogger to run the tool.
    • The application window will appear
    • Click the Re-enable button to re-enable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger will now ask to reboot the machine - click OK

    Your Emulation drivers are now re-enabled.



:Uninstall ComboFix:

  • turn off all active protection software
  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and past the following into the box ComboFix /Uninstall and click OK.
  • Note the space between the X and the /Uninstall, it needs to be there.
  • Posted Image



:remove tools:

Please download OTCleanIt and save it to desktop. This tool will remove all the tools we used to clean your pc.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.
  • If asked to restart the computer, please do so

Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.


:Make your Internet Explorer more secure:

  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialise and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    Next press the Apply button and then the OK to exit the Internet Properties page.



:Make Firefox more secure:




Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerability that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector


:Turn On Automatic Updates:

    Turn On Automatic Updates
    1. Click Start, click Run, type sysdm.cpl, and then press ENTER.
    2. Click the Automatic Updates tab, and then click to select one of the following options. We recommend that you select the Automatic (recommended) Automatically download recommended updates for my computer and install them

    If you click this setting, click to select the day and time for scheduled updates to occur. You can schedule Automatic Updates for any time of day. Remember, your computer must be on at the scheduled time for updates to be installed. After you set this option, Windows recognizes when you are online and uses your Internet connection to find updates on the Windows Update Web site or on the Microsoft Update Web site that apply to your computer. Updates are downloaded automatically in the background, and you are not notified or interrupted during this process. An icon appears in the notification area of your taskbar when the updates are being downloaded. You can point to the icon to view the download status. To pause or to resume the download, right-click the icon, and then click Pause or Resume. When the download is completed, another message appears in the notification area so that you can review the updates that are scheduled for installation. If you choose not to install at that time, Windows starts the installation on your set schedule.

    or visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


:antispyware programs:

I would reccomend the download and installation of some or all of the following programs (all free), and the updating of them regularly:

  • WinPatrol As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.

  • Spyware Blaster - By altering your registry, this program stops harmful sites from installing things like ActiveX Controls on your machines.

  • Malwarebytes' Anti-Malware Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is
    totally free but for real-time protection you will have to pay a small one-time fee. We used this to help clean your computer and recomend keeping it and using often.


Here is some great reading about how to be safer online:




I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.

I Will Keep This Open For About Three Days, If Anything Comes Up - Just Come Back And Let Me Know, after that time you will have to send me a PM

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

Gringo
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#14 User is offline   Stormce 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 7
  • Joined: 05-December 11
  • Gender:Male

Posted 16 December 2011 - 12:57 AM

Thank you so much for all of your help, I would not have been able to remove everything on my own.

#15 User is offline   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,524
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 16 December 2011 - 01:00 PM

You are most welcome


gringo
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

Share this topic:


  • 2 Pages +
  • 1
  • 2
  • You cannot start a new topic
  • This topic is locked

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users