Firefox browser hijacked to MonsterMarketplace

#1 nothingnew

Posted 24 November 2008 - 01:29 PM

I experienced a spyware infection a few days ago that was surprising given XP SP3, Windows Firewall, Avast Antivirus Pro, and everything current (except for Windows updates, which I have had so many problems with that I leave them off by default, so they would only include critical updates to about end September 2008). That seemed to be from Windows/System32/a.exe, which I removed manually. I updated AdAware as well as Avast, and did a full scan with both, and everything was clean (I don't normally even have cookies found in scans).

The machine was off this morning, and I booted it and everything appeared OK. I did not go to any unusual sites this morning (and don't normally). I had to reboot for other reasons, and when I started Firefox for a Google search, there was a suspicious number at the upper left of the Google search page. Clicking on any of the Google search results went to sites such as MonsterMarketplace.

Using another machine, I found some posts where similar symptoms were related to a false sysaudio.sys, but there was no sign of anything like that. I eventually found bleepingcomputer.com/forums/topic175838.html. I did not spend enough time researching the recommended process to realize I should have posted before running ComboFix, so I tried to download that to the machine. Microsoft.com, BleepingComputers, and several other potentially helpful sites were blocked (it's possible all sites were blocked, I didn't try a lot).

I downloaded the Recovery Console file and today's ComboFix using another machine, and copied them with a shared network connection to the infected machine. When dragging and dropping the Recovery Console file onto ComboFix as per the instructions, nothing happened. I then read that ComboFix itself can be disabled by certain infections. I renamed ComboFix on the machine I had downloaded it from, and copied it again. The Recovery Console process worked then, as did ComboFix.

On starting the scan, ComboFix said it found possible root kit activity, and immediately wanted to reboot. I rebooted, and it completed all its other scans. Somewhere along the way I read something that this problem may have been related to a Java vulnerability (I use many Java browser applications). I had Sun Java JRE 1.6.0_7, and the 'fixed' one is 1.6.0_10.

After it was complete, Firefox was functional again. However, since this appears to be pretty pernicious, I want to be sure that everything is gone. I have therefore been following the instructions before posting, running RSIT as well as the Kaspersky online scan. The results from these scans are included below (there is nothing from Kaspersky because in doing a 'critical areas' scan it did not find anything). The instructions say not to post ComboFix, so I haven't, though I do have that available too.

Any help in determining if there is anything left lurking on the computer would be greatly appreciated.

I must say I'm surprised that I'd never come across this site before, but it seems to be the only place that has good information on what seems like some nasty spyware that none of the scanners I normally trust have been able to find, never mind eradicate. Thank you for doing a great job!

Logfile of random's system information tool 1.04 (written by random/random)
Run by xxxx at 2008-11-24 12:00:01
Microsoft Windows XP Professional Service Pack 3
System drive C: has 875 GB (92%) free of 954 GB
Total RAM: 3455 MB (75% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:00:02 PM, on 11/24/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\bin32\nSvcAppFlt.exe
C:\Program Files\bin32\nSvcIp.exe
C:\Program Files\VMware\Player\vmware-authd.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe
C:\Program Files\ASUS\PC Probe II\Probe2.exe
C:\Program Files\VMware\Player\hqtray.exe
C:\Program Files\ASUS\AASP\1.00.61\aaCenter.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Documents and Settings\xxxx\Desktop\RSIT.exe
C:\Program Files\trend micro\xxxx.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe 1
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Launch PC Probe II] "C:\Program Files\ASUS\PC Probe II\Probe2.exe" 1
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\Player\hqtray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\vmware\player\vsocklib.dll
O10 - Unknown file in Winsock LSP: c:\program files\vmware\player\vsocklib.dll
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1225114801406
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\bin32\nSvcAppFlt.exe
O23 - Service: Google Desktop Manager 5.8.809.8522 (GoogleDesktopManager-090808-172447) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\Program Files\bin32\nSvcIp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\Player\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\Player\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

End of file - 6429 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre6\bin\ssv.dll [2008-11-24 320920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2008-11-24 34816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2008-11-24 73728]

"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2008-03-19 13508608]
"nwiz"=nwiz.exe /install []
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2008-03-19 86016]
"HDAudDeck"=C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe [2008-05-13 29831168]
"Google Desktop Search"=C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2008-09-19 30192]
"Launch PC Probe II"=C:\Program Files\ASUS\PC Probe II\Probe2.exe [2008-04-07 2137088]
"VMware hqtray"=C:\Program Files\VMware\Player\hqtray.exe [2008-09-18 64048]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-10-15 39792]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2008-11-24 136600]

C:\Documents and Settings\xxxx\Start Menu\Programs\Startup
OpenOffice.org 3.0.lnk - C:\Program Files\OpenOffice.org 3\program\quickstart.exe

"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\VMware\Player\vmware-authd.exe"="C:\Program Files\VMware\Player\vmware-authd.exe:*:Enabled:VMware Authd"

"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 1 months======

2008-11-24 11:57:27 ----D---- C:\rsit
2008-11-24 11:57:27 ----D---- C:\Program Files\trend micro
2008-11-24 11:19:21 ----D---- C:\WINDOWS\system32\appmgmt
2008-11-24 11:17:05 ----D---- C:\WINDOWS\Sun
2008-11-24 11:15:56 ----A---- C:\WINDOWS\system32\javaws.exe
2008-11-24 11:15:56 ----A---- C:\WINDOWS\system32\javaw.exe
2008-11-24 11:15:56 ----A---- C:\WINDOWS\system32\java.exe
2008-11-24 11:15:56 ----A---- C:\WINDOWS\system32\deploytk.dll
2008-11-24 11:15:28 ----D---- C:\Documents and Settings\xxxx\Application Data\Sun
2008-11-24 10:51:44 ----A---- C:\ComboFix.txt
2008-11-24 10:41:04 ----A---- C:\Boot.bak
2008-11-24 10:41:01 ----RASHD---- C:\cmdcons
2008-11-24 10:40:43 ----A---- C:\WINDOWS\zip.exe
2008-11-24 10:40:43 ----A---- C:\WINDOWS\VFIND.exe
2008-11-24 10:40:43 ----A---- C:\WINDOWS\SWREG.exe
2008-11-24 10:40:43 ----A---- C:\WINDOWS\sed.exe
2008-11-24 10:40:43 ----A---- C:\WINDOWS\NIRCMD.exe
2008-11-24 10:40:43 ----A---- C:\WINDOWS\grep.exe
2008-11-24 10:40:43 ----A---- C:\WINDOWS\fdsv.exe
2008-11-24 10:40:42 ----A---- C:\WINDOWS\SWXCACLS.exe
2008-11-24 10:40:42 ----A---- C:\WINDOWS\SWSC.exe
2008-11-24 10:40:38 ----D---- C:\WINDOWS\ERDNT
2008-11-24 10:40:38 ----D---- C:\Qoobox
2008-11-21 12:06:31 ----D---- C:\Program Files\Lavasoft
2008-11-21 12:06:30 ----D---- C:\Users\AllUsers\Application Data\Lavasoft
2008-11-21 09:55:24 ----RHD---- C:\Documents and Settings\xxxx\Application Data\Microchip
2008-11-21 09:49:46 ----D---- C:\Program Files\Microchip
2008-11-18 13:27:26 ----D---- C:\Documents and Settings\xxxx\Application Data\Wireshark
2008-11-17 10:29:30 ----D---- C:\Program Files\WinPcap
2008-11-17 10:29:13 ----D---- C:\Program Files\Wireshark
2008-11-14 09:31:14 ----D---- C:\ubuntu
2008-11-12 11:13:25 ----D---- C:\Documents and Settings\xxxx\Application Data\PeaZip
2008-11-12 11:13:01 ----D---- C:\Program Files\PeaZip
2008-11-11 16:24:32 ----D---- C:\Program Files\Adobe
2008-11-11 09:40:56 ----D---- C:\Users\AllUsers\Application Data\Adobe
2008-11-11 09:40:54 ----SD---- C:\Users\AllUsers\Application Data\Microsoft
2008-11-11 09:40:54 ----D---- C:\Users\AllUsers\Application Data\nView_Profiles
2008-11-11 09:40:53 ----D---- C:\Users\AllUsers\Application Data\Windows Genuine Advantage
2008-11-11 09:40:53 ----D---- C:\Users\AllUsers\Application Data\VMware
2008-11-11 09:40:53 ----ASH---- C:\Users\AllUsers\Application Data\desktop.ini
2008-11-11 09:21:55 ----A---- C:\WINDOWS\system32\TweakUI.exe
2008-11-11 09:17:42 ----D---- C:\Users
2008-11-10 10:09:06 ----D---- C:\Documents and Settings\xxxx\Application Data\OpenOffice.org
2008-11-10 10:07:50 ----D---- C:\Program Files\JRE
2008-11-10 10:07:48 ----D---- C:\Program Files\OpenOffice.org 3
2008-11-04 13:44:23 ----D---- C:\Documents and Settings\xxxxn\Application Data\Scilab
2008-11-04 13:42:46 ----D---- C:\Program Files\scilab-5.0.2
2008-10-31 09:53:00 ----D---- C:\Program Files\HWiNFO32
2008-10-29 13:05:28 ----A---- C:\WINDOWS\MinGW.INI
2008-10-28 14:36:31 ----D---- C:\MinGW
2008-10-28 14:06:13 ----D---- C:\Program Files\Common Files\HHD Software
2008-10-27 12:39:30 ----HDC---- C:\WINDOWS\$NtUninstallKB958644$
2008-10-27 12:39:23 ----HDC---- C:\WINDOWS\$NtUninstallKB956390$
2008-10-27 12:39:19 ----HDC---- C:\WINDOWS\$NtUninstallKB957095$
2008-10-27 12:39:13 ----HDC---- C:\WINDOWS\$NtUninstallKB956841$
2008-10-27 12:39:09 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$
2008-10-27 12:39:04 ----HDC---- C:\WINDOWS\$NtUninstallKB956391$
2008-10-27 12:39:00 ----HDC---- C:\WINDOWS\$NtUninstallKB954211$
2008-10-27 12:38:57 ----HDC---- C:\WINDOWS\$NtUninstallKB938464$
2008-10-27 12:38:53 ----HDC---- C:\WINDOWS\$NtUninstallKB952287$
2008-10-27 12:38:48 ----HDC---- C:\WINDOWS\$NtUninstallKB951072-v2$
2008-10-27 12:38:44 ----HDC---- C:\WINDOWS\$NtUninstallKB950974$
2008-10-27 12:38:39 ----HDC---- C:\WINDOWS\$NtUninstallKB952954$
2008-10-27 12:38:36 ----HDC---- C:\WINDOWS\$NtUninstallKB946648$
2008-10-27 12:38:31 ----HDC---- C:\WINDOWS\$NtUninstallKB951066$
2008-10-27 12:38:25 ----HDC---- C:\WINDOWS\$NtUninstallKB951748$
2008-10-27 12:38:20 ----HDC---- C:\WINDOWS\$NtUninstallKB951978$
2008-10-27 12:38:16 ----HDC---- C:\WINDOWS\$NtUninstallKB951698$
2008-10-27 12:38:12 ----HDC---- C:\WINDOWS\$NtUninstallKB951376-v2$
2008-10-27 12:38:08 ----HDC---- C:\WINDOWS\$NtUninstallKB950762$
2008-10-27 12:12:24 ----D---- C:\WINDOWS\system32\PreInstall
2008-10-27 12:12:23 ----A---- C:\WINDOWS\system32\spupdsvc.exe
2008-10-27 12:12:22 ----HDC---- C:\WINDOWS\$NtUninstallKB898461$
2008-10-27 12:12:22 ----HD---- C:\WINDOWS\$hf_mig$
2008-10-27 12:12:20 ----N---- C:\WINDOWS\system32\spmsg.dll
2008-10-27 08:40:32 ----A---- C:\WINDOWS\system32\wups2.dll
2008-10-27 08:40:32 ----A---- C:\WINDOWS\system32\wucltui.dll.mui
2008-10-27 08:40:32 ----A---- C:\WINDOWS\system32\wuaueng.dll.mui
2008-10-27 08:40:31 ----D---- C:\WINDOWS\system32\SoftwareDistribution
2008-10-27 08:40:31 ----A---- C:\WINDOWS\system32\wuapi.dll.mui

======List of files/folders modified in the last 1 months======

2008-11-24 11:57:27 ----RD---- C:\Program Files
2008-11-24 11:19:29 ----D---- C:\Program Files\Mozilla Firefox
2008-11-24 11:19:21 ----SHD---- C:\WINDOWS\Installer
2008-11-24 11:19:21 ----D---- C:\WINDOWS\system32
2008-11-24 11:19:17 ----D---- C:\Program Files\Java
2008-11-24 11:19:16 ----D---- C:\Program Files\Common Files
2008-11-24 11:17:39 ----D---- C:\WINDOWS\Prefetch
2008-11-24 11:17:05 ----D---- C:\WINDOWS
2008-11-24 11:15:58 ----D---- C:\WINDOWS\Temp
2008-11-24 10:54:13 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2008-11-24 10:51:46 ----D---- C:\WINDOWS\system32\drivers
2008-11-24 10:50:37 ----A---- C:\WINDOWS\system.ini
2008-11-24 10:48:45 ----D---- C:\WINDOWS\system32\config
2008-11-24 10:47:35 ----D---- C:\WINDOWS\AppPatch
2008-11-24 10:46:32 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-11-24 10:41:04 ----RASH---- C:\boot.ini
2008-11-24 08:28:56 ----D---- C:\eclipse
2008-11-21 12:06:02 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2008-11-21 10:21:12 ----D---- C:\WINDOWS\system32\CatRoot2
2008-11-21 10:13:35 ----HD---- C:\WINDOWS\inf
2008-11-21 09:53:12 ----HD---- C:\Program Files\InstallShield Installation Information
2008-11-21 09:52:56 ----D---- C:\WINDOWS\WinSxS
2008-11-18 12:41:38 ----A---- C:\WINDOWS\system32\aswBoot.exe
2008-11-14 11:36:11 ----SD---- C:\Documents and Settings\xxxx\Application Data\Microsoft
2008-11-11 16:24:44 ----D---- C:\Program Files\Common Files\Adobe
2008-11-10 10:07:58 ----RSD---- C:\WINDOWS\Fonts
2008-10-29 14:00:39 ----RSHDC---- C:\WINDOWS\system32\dllcache
2008-10-28 14:59:27 ----D---- C:\Documents and Settings\xxxx\Application Data\Mozilla
2008-10-28 14:57:10 ----D---- C:\cygwin
2008-10-28 14:06:13 ----D---- C:\Program Files\HHD Software
2008-10-27 12:39:29 ----A---- C:\WINDOWS\imsins.BAK
2008-10-27 12:38:38 ----D---- C:\Program Files\Messenger
2008-10-27 11:59:21 ----D---- C:\WINDOWS\SoftwareDistribution
2008-10-27 08:40:34 ----D---- C:\WINDOWS\Help
2008-10-27 08:40:08 ----SD---- C:\WINDOWS\Downloaded Program Files

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 Aavmker4;avast! Asynchronous Virus Monitor; C:\WINDOWS\system32\drivers\Aavmker4.sys [2008-11-18 26944]
R1 AmdPPM;AMD HwPState Processor Driver; C:\WINDOWS\system32\DRIVERS\AmdPPM.sys [2007-04-16 33792]
R1 AsIO;AsIO; C:\WINDOWS\system32\drivers\AsIO.sys [2007-12-17 12400]
R1 aswSP;avast! Self Protection; C:\WINDOWS\system32\drivers\aswSP.sys [2008-11-18 110160]
R1 aswTdi;avast! Network Shield Support; C:\WINDOWS\system32\drivers\aswTdi.sys [2008-11-18 50864]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\WINDOWS\system32\DRIVERS\wmiacpi.sys [2008-04-13 8832]
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2008-04-14 12032]
R2 aswFsBlk;aswFsBlk; C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-11-18 20560]
R2 aswMon2;avast! Standard Shield Support; C:\WINDOWS\system32\drivers\aswMon2.sys [2008-11-18 94032]
R2 hcmon;VMware hcmon; \??\C:\WINDOWS\system32\drivers\hcmon.sys []
R2 HWiNFO32;HWiNFO32 Kernel Driver; \??\C:\Program Files\HWiNFO32\HWiNFO32.SYS []
R2 MCUSBICD2;Microchip MPLAB ICD 2 Firmware Client Driver (ICD2W2K.SYS); C:\WINDOWS\System32\Drivers\icd2w2k.sys [2004-03-22 12427]
R2 vmci;VMware vmci; \??\C:\WINDOWS\system32\Drivers\vmci.sys []
R2 VMnetBridge;VMware Bridge Protocol; C:\WINDOWS\system32\DRIVERS\vmnetbridge.sys [2008-09-18 31280]
R2 VMnetuserif;VMware Network Application Interface; \??\C:\WINDOWS\system32\drivers\vmnetuserif.sys []
R2 VMparport;VMware VMparport; \??\C:\WINDOWS\system32\Drivers\VMparport.sys []
R2 vmx86;VMware vmx86; \??\C:\WINDOWS\system32\Drivers\vmx86.sys []
R2 vstor2-ws60;Vstor2 WS60 Virtual Storage Driver; \??\C:\Program Files\VMware\Player\vstor2-ws60.sys []
R2 XilinxPC4Driver;XilinxPC4Driver; C:\WINDOWS\System32\drivers\xpc4drvr.sys [2008-03-05 16000]
R3 AmdLLD;AMD Low Level Device Driver; C:\WINDOWS\system32\DRIVERS\AmdLLD.sys [2007-06-29 34304]
R3 aswRdr;aswRdr; C:\WINDOWS\system32\drivers\aswRdr.sys [2008-11-18 23152]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-14 144384]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-14 10368]
R3 monfilt;monfilt; C:\WINDOWS\system32\drivers\monfilt.sys [2008-02-14 1389056]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2008-04-14 12160]
R3 MTsensor;ATK0110 ACPI UTILITY; C:\WINDOWS\system32\DRIVERS\ASACPI.sys [2004-08-12 5810]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2008-03-19 7086240]
R3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\WINDOWS\system32\DRIVERS\NVENETFD.sys [2008-01-28 54016]
R3 nvnetbus;NVIDIA Network Bus Enumerator; C:\WINDOWS\system32\DRIVERS\nvnetbus.sys [2008-01-28 22016]
R3 nvsmu;nvsmu; C:\WINDOWS\system32\DRIVERS\nvsmu.sys [2007-10-12 13312]
R3 Ser2pl;Prolific Serial port driver; C:\WINDOWS\system32\DRIVERS\ser2pl.sys [2003-07-16 43264]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-14 30208]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-14 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-14 17152]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service; C:\WINDOWS\system32\drivers\viahduaa.sys [2008-05-08 238080]
R3 vmkbd;VMware kbd; \??\C:\WINDOWS\system32\drivers\VMkbd.sys []
R3 VMnetAdapter;VMware Virtual Ethernet Adapter Driver; C:\WINDOWS\system32\DRIVERS\vmnetadapter.sys [2008-09-18 16560]
R3 WinDriver6;WinDriver6; C:\WINDOWS\system32\drivers\windrvr6.sys [2008-03-05 194362]
S3 NDMSHLP;Device Monitor Helper Driver; \??\C:\Program Files\Common Files\HHD Software\Device Monitor\ndmshlp.sys []
S3 nm;Network Monitor Driver; C:\WINDOWS\system32\DRIVERS\NMnt.sys [2008-04-14 40320]
S3 NPF;NetGroup Packet Filter Driver; C:\WINDOWS\system32\drivers\npf.sys [2007-11-06 34064]
S3 SerMon;Serial Monitor Filter Driver; \??\C:\Program Files\HHD Software\Free Serial Port Monitor\sermon.sys []
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 XilinxFirmwareEmbeddedLpLoader;XilinxFirmwareEmbeddedLpLoader; C:\WINDOWS\System32\Drivers\xusb_emb.sys [2008-03-05 17408]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aawservice;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-09-10 611664]
R2 aswUpdSv;avast! iAVS4 Control Service; C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe [2008-11-18 18752]
R2 avast! Antivirus;avast! Antivirus; C:\Program Files\Alwil Software\Avast4\ashServ.exe [2008-11-18 155160]
R2 ForceWare Intelligent Application Manager (IAM);ForceWare Intelligent Application Manager (IAM); C:\Program Files\bin32\nSvcAppFlt.exe [2008-01-29 598016]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2008-11-24 152984]
R2 nSvcIp;ForceWare IP service; C:\Program Files\bin32\nSvcIp.exe [2008-01-29 163840]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2008-03-19 155716]
R2 VMAuthdService;VMware Authorization Service; C:\Program Files\VMware\Player\vmware-authd.exe [2008-09-18 113200]
R2 VMnetDHCP;VMware DHCP Service; C:\WINDOWS\system32\vmnetdhcp.exe [2008-09-18 326192]
R2 VMware NAT Service;VMware NAT Service; C:\WINDOWS\system32\vmnat.exe [2008-09-18 399920]
R3 avast! Mail Scanner;avast! Mail Scanner; C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe [2008-11-18 254040]
R3 avast! Web Scanner;avast! Web Scanner; C:\Program Files\Alwil Software\Avast4\ashWebSv.exe [2008-11-18 352920]
S3 GoogleDesktopManager-090808-172447;Google Desktop Manager 5.8.809.8522; C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2008-09-19 30192]
S3 rpcapd;Remote Packet Capture Protocol v.0 (experimental); C:\Program Files\WinPcap\rpcapd.exe [2007-11-06 92792]
S3 ufad-ws60;VMware Agent Service; C:\Program Files\VMware\Player\vmware-ufad.exe [2008-08-25 191024]


info.txt logfile of random's system information tool 1.04 2008-11-24 11:57:36

======Uninstall list======

"GNU gdb 5.2.1"-->C:\mingw\uninstall\unins000.exe
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware-->MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8.1.3-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81300000003}
AMD Power Monitor-->MsiExec.exe /X{EA1A669B-302B-4E6E-BD23-FA5572A7A85C}
AMD Processor Driver-->C:\Program Files\InstallShield Installation Information\{C151CE54-E7EA-4804-854B-F515368B0798}\setup.exe -runfromtemp -l0x0009 -removeonly
avast! Antivirus-->C:\Program Files\Alwil Software\Avast4\aswRunDll.exe "C:\Program Files\Alwil Software\Avast4\Setup\setiface.dll",RunSetup
BitTyrant-->C:\Program Files\BitTyrant\Uninstall.exe
Canon PIXMA iP4000-->C:\WINDOWS\system32\CNMCP64.exe "-PRINTERNAMECanon PIXMA iP4000" "-HELPERDLLC:\BJPrinter\CNMWINDOWS\Canon PIXMA iP4000 Installer\Inst2\cnmis.dll" "-RCDLLC:\BJPrinter\CNMWINDOWS\Canon PIXMA iP4000 Installer\Inst2\cnmi0409.dll"
Cool & Quiet-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1ADE1AA0-7F82-4BB1-B1BD-727DE438057B}\setup.exe" -l0x9
Express Gate-->MsiExec.exe /I{685C7EBA-82F4-44F8-9514-911A69850DA3}
FileZilla Client-->C:\Program Files\FileZilla\uninstall.exe
Google Desktop-->C:\Program Files\Google\Google Desktop Search\GoogleDesktopSetup.exe -uninstall
HHD Software Free Hex Editor Neo 4.64-->"C:\Program Files\HHD Software\Hex Editor Neo\Setup\uninstHEX.exe" -u
HHD Software Free Serial Port Monitor 3.31-->MsiExec.exe /I{3472693C-6EC5-41FA-B5B9-A22B11AEFE72}
HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis.exe" /uninstall
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
HWiNFO32 Version 2.20-->"C:\Program Files\HWiNFO32\unins000.exe"
Java™ 6 Update 10-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216010FF}
Microsoft Office 2000 Professional-->MsiExec.exe /I{00010409-78E1-11D2-B60F-006097C998E7}
MinGW 5.1.4-->C:\MinGW\uninst.exe
ModelSim XE III 6.3c-->"C:\Program Files\InstallShield Installation Information\{ED472FBE-FF70-47CE-B1A1-B22365EE9304}\setup.exe" -runfromtemp -l0x0009 -uninst -removeonly
Mozilla Firefox (3.0.4)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MPLAB Tools v8.10-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\10\INTEL3~1\IDriver.exe /M{5E9EA5FD-DFD9-44C7-8301-00E371A6D8E1}
NVIDIA Drivers-->C:\WINDOWS\system32\nvuninst.exe UninstallGUI
NVIDIA ForceWare Network Access Manager-->"C:\Program Files\InstallShield Installation Information\{7CFA46E3-CC2F-4355-82AE-6012DC3633FD}\setup.exe" -runfromtemp -l0x0409 -removeonly
NVIDIA ForceWare Network Access Manager-->MsiExec.exe /I{7CFA46E3-CC2F-4355-82AE-6012DC3633FD}
OpenOffice.org 3.0-->MsiExec.exe /I{F44DA61E-720D-4E79-871F-F6E628B33242}
Paint Shop Pro 7 ESD-->MsiExec.exe /I{D6DE02C7-1F47-11D4-9515-00105AE4B89A}
PC Probe II-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F7338FA3-DAB5-49B2-900D-0AFB5760C166}\setup.exe" -l0x9
PDFCreator-->C:\Program Files\PDFCreator\unins000.exe
PeaZip 2.3a-->"C:\Program Files\PeaZip\unins000.exe"
PL-2303 USB-to-Serial-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\Setup.exe" -l0x9 Installed
PuTTY version 0.60-->"C:\Program Files\PuTTY\unins000.exe"
scilab-5.0.2-->"C:\Program Files\scilab-5.0.2\unins000.exe"
Security Update for Windows XP (KB923789)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956390)-->"C:\WINDOWS\$NtUninstallKB956390$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Tweak UI-->"C:\WINDOWS\system32\mshta.exe" "res://C:\WINDOWS\system32\TweakUI.exe/uninstall.hta"
Update for Windows XP (KB898461)-->"C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
VIA Platform Device Manager-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{20D4A895-748C-4D88-871C-FDB1695B0169}
VMware Player-->MsiExec.exe /I{A53A11EA-0095-493F-86FA-A15E8A86A405}
WinPcap 4.0.2-->C:\Program Files\WinPcap\uninstall.exe
Wireshark 0.99.7-->"C:\Program Files\Wireshark\uninstall.exe"
Xilinx ISE 10.1-->C:\Xilinx\10.1\ISE/bin/nt/setup.exe -uninstall

======Security center information======

AV: avast! antivirus 4.8.1290 [VPS 081123-0]

======Environment variables======

"Path"=%systemroot%\system32;%systemroot%;%systemroot%\system32\wbem;C:\Program Files\Microchip\MPLAB C30\bin;%XILINX%\bin\nt;%XILINX%\lib\nt;%LMC_HOME%\lib\pcnt.lib;c:\ruby\bin;c:\MinGW\bin
"PROCESSOR_IDENTIFIER"=x86 Family 16 Model 2 Stepping 3, AuthenticAMD
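The HijackThis section of the log above is the part a helper reads first. The script below is an added example, not code from this thread or from HijackThis/RSIT: it parses the `Xn - ...` entry lines and applies a few defender-side triage rules (unexpected start/search page host, services with no vendor, binaries outside the usual locations, Run keys pointing at a bare executable in system32, repeated Winsock LSP entries, Trusted Zone additions). The rule set, the expected-host and expected-path lists, and the two constructed suspicious sample lines (an HKCU search-page override and a Run entry for the system32 a.exe the poster mentions) are this example's own assumptions, not findings about the machine.

```python
"""Triage helper for HijackThis-style log lines (added example, not part of the thread)."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Matches the "O4 - ...", "R1 - ..." entry lines; headers and process lists are skipped.
ENTRY_RE = re.compile(r"^(?P<type>[RFO]\d+) - (?P<body>.+)$")

# Assumption: hosts the R0/R1 start/search page URLs are expected to point at.
EXPECTED_SEARCH_HOSTS = {"go.microsoft.com", "www.microsoft.com"}
# Assumption: locations where autoruns, BHOs and services normally live.
EXPECTED_PREFIXES = ("c:\\program files\\", "c:\\windows\\")
# Assumption: a Run key starting a bare .exe placed directly in system32 deserves a look.
RAW_SYSTEM32_EXE_RE = re.compile(r"^c:\\windows\\system32\\[^\\ ]+\.exe$")

# Constructed sample: lines copied from the posted log plus two constructed suspicious
# lines (the HKCU search page and the [a] Run entry) so every rule is exercised.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.example.invalid/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [a] C:\WINDOWS\system32\a.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
O15 - Trusted Zone: http://download.windowsupdate.com
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\Program Files\bin32\nSvcIp.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""


def parse_entry(line):
    """Return (type, body) for a HijackThis entry line, or None for any other line."""
    m = ENTRY_RE.match(line.strip())
    return (m.group("type"), m.group("body")) if m else None


def extract_path(body):
    """Return the last drive-letter path to an exe/dll/sys in the body, lowercased ('' if none)."""
    paths = re.findall(r"[a-z]:\\[^\"\[\]]*?\.(?:exe|dll|sys)\b", body, re.I)
    return paths[-1].lower() if paths else ""


def triage(log_text):
    """Apply the triage rules to every entry line; return a list of (type, reason, detail)."""
    findings = []
    lsp_dlls = defaultdict(int)
    for line in log_text.splitlines():
        parsed = parse_entry(line)
        if parsed is None:
            continue
        kind, body = parsed
        path = extract_path(body)
        if kind in ("R0", "R1"):
            m = re.search(r"=\s*(\S+)$", body)
            host = urlparse(m.group(1)).hostname if m else None
            if host not in EXPECTED_SEARCH_HOSTS:
                findings.append((kind, "start/search page points at an unexpected host", body))
        elif kind == "O10":
            # The same LSP dll is usually listed once per Winsock catalog entry; count instead
            # of repeating it, so the helper sees one line per dll.
            lsp_dlls[path] += 1
        elif kind in ("O2", "O4", "O23"):
            if kind == "O23" and "unknown owner" in body.lower():
                findings.append((kind, "service reports no vendor", body))
            if path and not path.startswith(EXPECTED_PREFIXES):
                findings.append((kind, "binary outside the expected locations", body))
            if kind == "O4" and RAW_SYSTEM32_EXE_RE.match(path):
                findings.append((kind, "Run key starts a bare executable from system32", body))
        elif kind == "O15":
            findings.append((kind, "site added to the IE Trusted Zone", body))
    for dll, count in lsp_dlls.items():
        findings.append(("O10", f"Winsock LSP dll listed {count} time(s)", dll))
    return findings


if __name__ == "__main__":
    for kind, reason, detail in triage(SAMPLE_LOG):
        print(f"{kind:4} {reason}: {detail}")
```

Every flagged line still needs a human decision; the nvlsp.dll and nSvcIp.exe hits, for instance, belong to the NVIDIA ForceWare network software listed elsewhere in the same log.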


#2 Orange Blossom

Posted 13 December 2008 - 09:54 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below a staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results, click no to the Optional_Scan
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE

Orange Blossom
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 nothingnew

Posted 13 December 2008 - 11:03 PM

Hi Orange Blossom,

Thank you for the reply. I have not experienced any more symptoms on that computer (it is at a remote location), so I assume that the steps outlined in the first e-mail did eradicate the infection.

However, since that is a pretty risky assumption I will try running DDS. If there is anything questionable, I will definitely post it back here.

Otherwise it would be safe to consider this one resolved. Thank you for following up - I'm really not sure that any apology is appropriate for the time it took, especially when you are all doing such a great job for free.

Have a great Christmas!

#4 Orange Blossom

Posted 13 December 2008 - 11:24 PM

Hello nothingnew,

Thank you for posting back. I'm glad that your computer problems have been fixed. Since this issue seems to be resolved, this thread will now be closed.

In case you experience any problems with the computer, please Start a new topic.

Happy computing,

Orange Blossom