
Vundo - Cleaning


This topic is locked. 10 replies to this topic.

#1 brainlinq

Posted 26 January 2009 - 10:46 PM

I ran MBAM and it cleaned a lot of infected files, but there are still more that it didn't get.

Here is my DDS log, and I can post my MBAM log if needed.


_____________________________________________________


DDS (Ver_09-01-19.01) - NTFSx86
Run by jenncason at 13:34:01.74 on Mon 01/26/2009
Internet Explorer: 7.0.6000.16711
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.766.200 [GMT -6:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\agrsmsvc.exe
C:\Acer\ALaunch\ALaunchSvc.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
C:\Acer\Empowering Technology\eNet\eNet Service.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Acer\Mobility Center\MobilityService.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\Explorer.exe
C:\Windows\system32\DllHost.exe
C:\Users\jenncason\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.us.acer.yahoo.com
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: ShowBarObj Class: {83a2f9b1-01a2-4aa5-87d1-45b6b8505e96} - c:\windows\system32\ActiveToolBand.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll
uRun: [Acer Tour Reminder]
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

============= SERVICES / DRIVERS ===============

R3 winbondcir;Winbond IR Transceiver;c:\windows\system32\drivers\winbondcir.sys [2007-3-15 43008]
R4 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\acer arcade deluxe\play movie\000.fcl [2007-9-16 13560]
R4 ALaunchService;ALaunch Service;c:\acer\alaunch\ALaunchSvc.exe [2007-8-14 50688]

=============== Created Last 30 ================

2009-01-26 12:51 <DIR> --d----- c:\windows\pss
2009-01-26 10:55 <DIR> --d----- c:\users\jennca~1\appdata\roaming\Malwarebytes
2009-01-26 10:55 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-26 10:55 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-26 10:55 <DIR> --d----- c:\programdata\Malwarebytes
2009-01-26 10:55 <DIR> --d----- c:\progra~2\Malwarebytes
2009-01-26 10:55 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================

2008-10-17 20:03 174 a--sh--- c:\program files\desktop.ini
2008-10-06 07:12 665,600 a------- c:\windows\inf\drvindex.dat
2008-10-06 07:12 51,200 a------- c:\windows\inf\infpub.dat
2008-10-06 07:12 86,016 a------- c:\windows\inf\infstrng.dat
2008-10-06 07:12 86,016 a------- c:\windows\inf\infstor.dat
2008-03-12 18:28 32 a------- c:\programdata\ezsid.dat
2008-03-12 18:28 32 a------- c:\progra~2\ezsid.dat
2006-11-02 06:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 06:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 06:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 06:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 03:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 03:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 03:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 03:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 13:34:49.26 ===============

Edited by brainlinq, 26 January 2009 - 10:50 PM.



#2 brainlinq

Posted 26 January 2009 - 10:49 PM

Here is the MBAM log... I ran this before the DDS posted above.

Thanks


_____________________________________________________



Malwarebytes' Anti-Malware 1.33
Database version: 1673
Windows 6.0.6000

1/26/2009 12:13:18 PM
mbam-log-2009-01-26 (12-13-18).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 102669
Time elapsed: 48 minute(s), 44 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 3
Registry Keys Infected: 20
Registry Values Infected: 9
Registry Data Items Infected: 1
Folders Infected: 2
Files Infected: 25

Memory Processes Infected:
C:\Users\jenncason\lsass.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
C:\Users\jenncason\AppData\Local\Temp\lsnklnir.dll (Trojan.Vundo) -> Delete on reboot.
C:\Users\jenncason\AppData\Local\Temp\bYopNhiG.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Windows\System32\mLefcYqn.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{3095d50f-f1ba-4bbc-a54d-819eeb7e0898} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e55343db-c0bc-44e8-a64c-734aa8af4c4c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{e55343db-c0bc-44e8-a64c-734aa8af4c4c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{056a1508-1531-4d7e-8019-e3d6290cca68} (Adware.TTC) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{056a1508-1531-4d7e-8019-e3d6290cca68} (Adware.TTC) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{056a1508-1531-4d7e-8019-e3d6290cca68} (Adware.TTC) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tvicportt (Rootkit.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\tvicportt (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tvicportt (Rootkit.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\WR (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{e55343db-c0bc-44e8-a64c-734aa8af4c4c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b4a78d29-52b1-4a7b-bac0-1471bedf9836} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{3095d50f-f1ba-4bbc-a54d-819eeb7e0898} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msserver (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmds (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bm471ec20e (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bm471ec20e (Trojan.Agent) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSServer (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LSA Shellu (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\442df192 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\442df192 (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\users\jennca~1\appdata\local\temp\byopnhig -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\InetGet2 (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\jenncason\AppData\Roaming\Microsoft\Windows\Start Menu\XP Antivirus 2008 (Rogue.XPAntivirus) -> Quarantined and deleted successfully.

Files Infected:
C:\Windows\System32\drivers\TVicPortt.sys (Rootkit.Agent.H) -> Delete on reboot.
C:\Users\jenncason\AppData\Local\Temp\bYopNhiG.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Users\jenncason\AppData\Local\Temp\GihNpoYb.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Users\jenncason\AppData\Local\Temp\GihNpoYb.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Users\jenncason\lsass.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\Yazzle1560OinAdmin.exe (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\Yazzle1560OinUninstaller.exe (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\Users\jenncason\msconfig.exe (Malware.Tool) -> Quarantined and deleted successfully.
C:\Windows\b103.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Windows\b116.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Windows\b157.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Users\jenncason\AppData\Local\Temp\icnvbjrq.dll (Trojan.Agent) -> Delete on reboot.
C:\Windows\mrofinu1000106.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Windows\System32\scui.cpl (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Windows\System32\1064a\tgvram102.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\hI2\aSCdt4x.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Windows\System32\vntiho18\vntiho182328.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\jenncason\ctfmon.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\Windows\System32\drivers\core.cache.dsk (Rootkit.Agent) -> Delete on reboot.
C:\Users\jenncason\AppData\Local\Temp\lsnklnir.dll (Trojan.Vundo) -> Delete on reboot.
C:\Windows\System32\mLefcYqn.dll (Trojan.Vundo) -> Delete on reboot.
C:\Windows\b149.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Windows\b999.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\hekoqyv821058.dll (Adware.TTC) -> Quarantined and deleted successfully.
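
An added example, not code from this thread, from Malwarebytes or from BleepingComputer: a read-only PowerShell audit of the persistence locations the MBAM log above reports (HKLM and HKCU Run values, ShellExecuteHooks, Browser Helper Objects, the LSA "Notification Packages" list that Vundo.H pointed at a DLL under %TEMP%, and copies of lsass.exe, ctfmon.exe and msconfig.exe dropped into the profile root). The "known-good" package list, the random-name pattern and the suspect-directory list are my assumptions for illustration, and the script only looks at the 32-bit registry view, which matches the NTFSx86 system in the log. A Run value whose target no longer exists (reported MISSING) is what an MBAM "Delete on reboot" item looks like before the restart: the file is quarantined but the autostart value is still there.

```powershell
# Added example, not code from the thread, from Malwarebytes or from BleepingComputer:
# a read-only audit of the persistence locations the MBAM log above reported.
# The "known-good" lists and the name/location heuristics are my assumptions.
# Run from an elevated PowerShell (3.0 or later); nothing here writes to the registry.

$ErrorActionPreference = 'SilentlyContinue'
$sys32 = Join-Path $env:SystemRoot 'System32'

# Legitimate autostarts rarely point here; Vundo used %TEMP% and the profile root
$suspectDirs = @($env:TEMP, $env:USERPROFILE)

function Resolve-Target {
    # Reduce a Run-key command line (quoted or not, with arguments) to the executable path
    param([string]$Command)
    $exe = (($Command.Trim()) -replace '^"([^"]*)".*$', '$1') -replace '^(.*?\.(exe|dll|cpl)).*$', '$1'
    if ($exe -and -not [System.IO.Path]::IsPathRooted($exe)) {
        # Bare names such as "RtHDVCpl.exe" are looked up the way the loader would: %SystemRoot%, then System32
        foreach ($dir in $env:SystemRoot, $sys32) {
            $cand = Join-Path $dir $exe
            if (Test-Path $cand) { return $cand }
        }
    }
    return $exe
}

function Get-Verdict {
    param([string]$Path)
    if (-not $Path) { return 'NO-PATH' }
    if (-not (Test-Path $Path)) { return 'MISSING' }      # dangling entry: file quarantined, value still present
    foreach ($d in $suspectDirs) { if ($Path -like "$d\*") { return 'SUSPECT' } }
    return 'ok'
}

'== Run keys (the log removed msserver, cmds, bm471ec20e, 442df192 and "LSA Shellu" here) =='
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }                 # provider metadata, not a registry value
        $verdict = Get-Verdict (Resolve-Target $p.Value)
        # Value names such as bm471ec20e / 442df192 are hex noise; flag them even if the file is gone
        if ($p.Name -match '^[a-z]{0,2}[0-9a-f]{8,}$') { $verdict = 'RANDOM-NAME' }
        '{0,-12} {1}\{2} = {3}' -f $verdict, $key, $p.Name, $p.Value
    }
}

'== ShellExecuteHooks and Browser Helper Objects, resolved CLSID -> DLL =='
$hookKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
$bhoKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$hooks = @((Get-ItemProperty -Path $hookKey).PSObject.Properties | Where-Object { $_.Name -like '{*}' } | ForEach-Object { $_.Name })
$bhos  = @(Get-ChildItem -Path $bhoKey | ForEach-Object { $_.PSChildName })
foreach ($clsid in ($hooks + $bhos)) {
    # The COM server DLL is registered under HKCR\CLSID\{...}\InprocServer32
    $dll = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32").'(default)'
    '{0,-12} {1} -> {2}' -f (Get-Verdict $dll), $clsid, $dll
}

'== LSA Notification Packages (DLLs lsass.exe loads at boot; Vundo.H added one here) =='
$pkgs = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa').'Notification Packages'
foreach ($pkg in @($pkgs)) {
    # Assumption: only scecli (and rassfm on some builds) belongs here on a clean install
    $verdict = if (@('scecli', 'rassfm') -contains $pkg) { 'ok' } else { 'SUSPECT' }
    '{0,-12} {1}' -f $verdict, $pkg
}

'== Windows binary names outside System32 (log: lsass.exe, ctfmon.exe, msconfig.exe in the profile root) =='
$names = 'lsass.exe', 'ctfmon.exe', 'msconfig.exe', 'svchost.exe'
$dirs  = $env:USERPROFILE, $env:TEMP, $env:SystemRoot, "$env:USERPROFILE\AppData\Roaming"
foreach ($dir in $dirs) {
    foreach ($name in $names) {
        $f = Get-Item -Path (Join-Path $dir $name)
        if ($f) { 'SUSPECT      {0}  ({1} bytes, written {2})' -f $f.FullName, $f.Length, $f.LastWriteTime }
    }
}
```

Anything marked SUSPECT, MISSING or RANDOM-NAME is a lead to verify by hand (hash the file, check its signature, look at the value's data), not an automatic conviction; a vendor's updater under the profile directory will trip the directory heuristic just as Vundo's DLLs did.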

#3 Thunder

Posted 30 January 2009 - 04:59 AM

Hello Brainlinq,

Can you tell me what problems are remaining, because that log looks quite good actually.

If there's still evidence of active malware behaviour:

Please do a scan with Kaspersky Online Scanner

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Please read this tutorial carefully to download ComboFix from one of the locations specified, and save it to your Desktop.
Double click the ComboFix icon to run it.
If ComboFix asks you to install the Recovery Console, please do so.
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.
Once the Recovery Console is installed, continue with the malware scan.

Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (it can also be found as C:\ComboFix.txt) in your next reply.

If you have any questions along the way, STOP and ask them before proceeding !!

Please post back with the Kaspersky report and the ComboFix log.

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
If I have helped you in any way, please consider a donation to help me continue the fight against malware.

#4 brainlinq

Posted 30 January 2009 - 09:53 AM

After cleaning with MBAM most of the problems went away, but the PC kept locking up. So I assumed that something might still be there.

Last night, after doing the online scan, it also installed some Windows updates, and it looks like that helped with the locking-up issue.

I did an online scan from Kaspersky and it found nothing.

Do you still want me to do the combofix?


As always, thanks for all your help!

#5 Thunder

Posted 30 January 2009 - 11:43 AM

Hello Brainlinq,

Well, running ComboFix can't hurt, and the installation of the Recovery Console is an added bonus, especially if you ever run into trouble again with that system.

It's your choice: if you run it, I'll take a look at the log; if you prefer to wait and see, that's fine too.

Greetings,
Thunder

#6 brainlinq

Posted 30 January 2009 - 12:16 PM

I'll run it and post the results... I have been installing all the Windows updates, so when they finish I will run it and post the results...


Thanks!

#7 brainlinq

Posted 30 January 2009 - 01:11 PM

I ran CF as Administrator... It said that Avira was still enabled, but I disabled it; not sure if that is an issue.

Here is the CF Log; I will post a new DDS log following.

_____________________________________________________________

ComboFix 09-01-21.04 - jenncason 2009-01-30 11:58:28.4 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.766.169 [GMT -6:00]
Running from: c:\users\jenncason\Desktop\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated)
.

((((((((((((((((((((((((( Files Created from 2008-12-28 to 2009-01-30 )))))))))))))))))))))))))))))))
.

2009-01-30 11:25 . 2009-01-30 11:25 0 --ah----- c:\windows\System32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2009-01-30 11:24 . 2009-01-30 11:25 <DIR> d-------- c:\users\All Users\NVIDIA
2009-01-30 11:24 . 2009-01-30 11:25 <DIR> d-------- c:\programdata\NVIDIA
2009-01-30 11:02 . 2008-05-08 15:59 430,080 --a------ c:\windows\System32\vbscript.dll
2009-01-30 11:02 . 2008-05-08 15:59 180,224 --a------ c:\windows\System32\scrobj.dll
2009-01-30 11:02 . 2008-05-08 15:59 172,032 --a------ c:\windows\System32\scrrun.dll
2009-01-30 11:02 . 2008-05-08 15:59 155,648 --a------ c:\windows\System32\wscript.exe
2009-01-30 11:02 . 2008-05-08 15:58 135,168 --a------ c:\windows\System32\wshom.ocx
2009-01-30 11:02 . 2008-05-08 15:58 135,168 --a------ c:\windows\System32\cscript.exe
2009-01-30 11:02 . 2008-05-08 15:59 90,112 --a------ c:\windows\System32\wshext.dll
2009-01-30 10:49 . 2009-01-30 10:49 <DIR> d-------- c:\program files\Microsoft Silverlight
2009-01-30 10:49 . 2009-01-30 10:49 <DIR> d-------- c:\program files\Microsoft
2009-01-30 09:51 . 2009-01-30 09:51 <DIR> d-------- C:\PerfLogs
2009-01-30 08:22 . 2008-06-19 19:18 781,344 --a------ c:\windows\System32\PresentationNative_v0300.dll
2009-01-30 08:22 . 2008-06-19 19:17 622,080 --a------ c:\windows\System32\icardagt.exe
2009-01-30 08:22 . 2008-06-19 19:18 105,016 --a------ c:\windows\System32\PresentationCFFRasterizerNative_v0300.dll
2009-01-30 08:22 . 2008-06-19 19:17 97,800 --a------ c:\windows\System32\infocardapi.dll
2009-01-30 08:22 . 2008-06-19 19:18 43,544 --a------ c:\windows\System32\PresentationHostProxy.dll
2009-01-30 08:22 . 2008-06-19 19:17 37,384 --a------ c:\windows\System32\infocardcpl.cpl
2009-01-30 08:22 . 2008-06-19 19:17 11,264 --a------ c:\windows\System32\icardres.dll
2009-01-30 08:21 . 2008-06-19 19:18 326,160 --a------ c:\windows\System32\PresentationHost.exe
2009-01-30 08:18 . 2009-01-30 08:21 41,615,360 --a------ c:\windows\ocsetup_install_NetFx3.etl
2009-01-30 08:18 . 2009-01-30 08:21 49,152 --a------ c:\windows\ocsetup_cbs_install_NetFx3.perf
2009-01-30 08:18 . 2009-01-30 08:21 16,384 --a------ c:\windows\ocsetup_cbs_install_NetFx3.dpx
2009-01-30 08:07 . 2008-07-27 12:00 282,112 --a------ c:\windows\System32\mscoree.dll
2009-01-30 08:07 . 2008-07-27 12:00 158,720 --a------ c:\windows\System32\mscorier.dll
2009-01-30 08:07 . 2008-07-27 12:00 96,760 --a------ c:\windows\System32\dfshim.dll
2009-01-30 08:07 . 2008-07-27 12:00 83,968 --a------ c:\windows\System32\mscories.dll
2009-01-30 08:07 . 2008-07-27 12:00 41,984 --a------ c:\windows\System32\netfxperf.dll
2009-01-30 03:10 . 2008-10-01 19:32 1,383,424 --a------ c:\windows\System32\mshtml.tlb
2009-01-30 03:06 . 2008-10-21 19:22 2,048 --a------ c:\windows\System32\tzres.dll
2009-01-30 02:52 . 2009-01-30 02:52 <DIR> d-------- c:\users\All Users\Avira
2009-01-30 02:52 . 2009-01-30 02:52 <DIR> d-------- c:\programdata\Avira
2009-01-30 02:52 . 2009-01-30 02:52 <DIR> d-------- c:\program files\Avira
2009-01-30 00:52 . 2008-10-21 21:57 241,152 --a------ c:\windows\System32\PortableDeviceApi.dll
2009-01-30 00:52 . 2008-01-19 01:36 160,768 --a------ c:\windows\System32\PortableDeviceTypes.dll
2009-01-30 00:52 . 2008-01-19 01:36 94,720 --a------ c:\windows\System32\PortableDeviceClassExtension.dll
2009-01-30 00:51 . 2008-10-20 23:25 296,960 --a------ c:\windows\System32\gdi32.dll
2009-01-30 00:51 . 2008-08-26 19:05 212,480 --a------ c:\windows\System32\drivers\mrxsmb10.sys
2009-01-30 00:50 . 2008-10-31 19:21 4,240,384 --a------ c:\windows\System32\GameUXLegacyGDFs.dll
2009-01-30 00:50 . 2008-09-04 23:14 1,191,936 --a------ c:\windows\System32\msxml3.dll
2009-01-30 00:50 . 2008-10-31 21:44 28,672 --a------ c:\windows\System32\Apphlpdm.dll
2009-01-30 00:48 . 2008-09-17 23:09 3,601,464 --a------ c:\windows\System32\ntkrnlpa.exe
2009-01-30 00:48 . 2008-09-17 23:09 3,549,240 --a------ c:\windows\System32\ntoskrnl.exe
2009-01-30 00:48 . 2008-06-22 19:59 2,868,736 --a------ c:\windows\System32\mf.dll
2009-01-30 00:48 . 2008-10-20 23:25 1,645,568 --a------ c:\windows\System32\connect.dll
2009-01-30 00:48 . 2008-09-09 21:40 1,334,272 --a------ c:\windows\System32\msxml6.dll
2009-01-30 00:48 . 2008-06-22 19:59 996,352 --a------ c:\windows\System32\WMNetMgr.dll
2009-01-30 00:48 . 2008-12-15 20:42 288,768 --a------ c:\windows\System32\drivers\srv.sys
2009-01-30 00:48 . 2008-01-19 01:34 98,816 --a------ c:\windows\System32\mfps.dll
2009-01-30 00:48 . 2008-06-22 19:58 94,720 --a------ c:\windows\System32\logagent.exe
2009-01-30 00:48 . 2008-01-19 01:33 53,248 --a------ c:\windows\System32\rrinstaller.exe
2009-01-30 00:48 . 2008-01-19 01:33 24,576 --a------ c:\windows\System32\mfpmp.exe
2009-01-30 00:44 . 2008-09-17 20:16 2,032,640 --a------ c:\windows\System32\win32k.sys
2009-01-30 00:26 . 2009-01-30 00:26 <DIR> d-------- c:\windows\Sun
2009-01-30 00:24 . 2009-01-30 00:24 410,984 --a------ c:\windows\System32\deploytk.dll
2009-01-30 00:23 . 2009-01-30 00:23 <DIR> d-------- c:\program files\Java
2009-01-30 00:19 . 2008-08-05 03:49 428,544 --a------ c:\windows\System32\EncDec.dll
2009-01-30 00:19 . 2008-08-05 03:49 293,376 --a------ c:\windows\System32\psisdecd.dll
2009-01-30 00:19 . 2008-08-05 03:48 217,088 --a------ c:\windows\System32\psisrndr.ax
2009-01-30 00:19 . 2008-08-05 03:48 177,664 --a------ c:\windows\System32\mpg2splt.ax
2009-01-30 00:19 . 2008-08-05 03:48 80,896 --a------ c:\windows\System32\MSNP.ax
2009-01-30 00:16 . 2008-10-16 15:13 1,809,944 --a------ c:\windows\System32\wuaueng.dll
2009-01-30 00:16 . 2008-10-16 14:56 1,524,736 --a------ c:\windows\System32\wucltux.dll
2009-01-30 00:16 . 2008-10-16 15:12 561,688 --a------ c:\windows\System32\wuapi.dll
2009-01-30 00:16 . 2008-10-16 14:55 83,456 --a------ c:\windows\System32\wudriver.dll
2009-01-30 00:16 . 2008-10-16 15:09 51,224 --a------ c:\windows\System32\wuauclt.exe
2009-01-30 00:16 . 2008-10-16 15:09 43,544 --a------ c:\windows\System32\wups2.dll
2009-01-30 00:16 . 2008-10-16 15:08 34,328 --a------ c:\windows\System32\wups.dll
2009-01-30 00:15 . 2008-10-16 14:08 162,064 --a------ c:\windows\System32\wuwebv.dll
2009-01-30 00:15 . 2008-10-16 13:56 31,232 --a------ c:\windows\System32\wuapp.exe
2009-01-26 10:55 . 2009-01-26 10:55 <DIR> d-------- c:\users\jenncason\AppData\Roaming\Malwarebytes
2009-01-26 10:55 . 2009-01-26 10:55 <DIR> d-------- c:\users\All Users\Malwarebytes
2009-01-26 10:55 . 2009-01-26 10:55 <DIR> d-------- c:\programdata\Malwarebytes
2009-01-26 10:55 . 2009-01-26 10:55 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-26 10:55 . 2009-01-14 16:11 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2009-01-26 10:55 . 2009-01-14 16:11 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2008-12-29 22:57 . 2008-12-29 22:57 952,832 --a------ c:\windows\System32\drivers\athr.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-30 16:08 174 --sha-w c:\program files\desktop.ini
2009-01-30 15:57 --------- d-----w c:\program files\Windows Sidebar
2009-01-30 15:57 --------- d-----w c:\program files\Windows Mail
2009-01-30 15:57 --------- d-----w c:\program files\Windows Journal
2009-01-30 15:57 --------- d-----w c:\program files\Windows Collaboration
2009-01-30 15:57 --------- d-----w c:\program files\Windows Calendar
2009-01-30 15:56 --------- d-----w c:\program files\Windows Photo Gallery
2009-01-30 15:56 --------- d-----w c:\program files\Windows Defender
2009-01-30 15:33 101,888 ----a-w c:\windows\System32\ifxcardm.dll
2009-01-30 15:32 82,432 ----a-w c:\windows\System32\axaltocm.dll
2009-01-26 19:03 --------- d-----w c:\program files\Google
2009-01-26 18:56 --------- d-----w c:\program files\Yahoo!
2009-01-26 18:55 --------- d-----w c:\program files\Enigma Software Group
2009-01-26 18:48 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-11-01 03:44 541,696 ----a-w c:\windows\AppPatch\AcLayers.dll
2008-11-01 03:44 52,736 ----a-w c:\windows\AppPatch\iebrshim.dll
2008-11-01 03:44 460,288 ----a-w c:\windows\AppPatch\AcSpecfc.dll
2008-11-01 03:44 2,154,496 ----a-w c:\windows\AppPatch\AcGenral.dll
2008-11-01 03:44 173,056 ----a-w c:\windows\AppPatch\AcXtrnal.dll
2008-10-29 06:29 2,927,104 ----a-w c:\windows\explorer.exe
2008-10-16 04:47 827,392 ----a-w c:\windows\System32\wininet.dll
2008-03-13 00:28 32 ----a-w c:\users\All Users\ezsid.dat
2008-03-13 00:28 32 ----a-w c:\programdata\ezsid.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-30 136600]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-05-07 857648]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-03 13556256]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-03 92704]
"RtHDVCpl"="RtHDVCpl.exe" [2007-05-17 c:\windows\RtHDVCpl.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Empowering Technology Launcher.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Empowering Technology Launcher.lnk
backup=c:\windows\pss\Empowering Technology Launcher.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Assist Launcher]
--a------ 2007-02-02 12:05 1261568 c:\program files\Acer Assist\launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Product Registration]
--a------ 2007-02-02 13:24 3383296 c:\program files\Acer Registration\ACE1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Tour Reminder]
--a------ 2007-05-22 16:49 151552 c:\acer\AcerTour\Reminder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-03-08 05:38 40048 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eAudio]
--a------ 2007-06-11 16:00 1286144 c:\acer\Empowering Technology\eAudio\eAudio.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eDataSecurity Loader]
--a------ 2007-04-25 17:33 457216 c:\acer\Empowering Technology\eDataSecurity\eDSLoader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]
--a------ 2007-08-15 21:44 707080 c:\progra~1\LAUNCH~1\QtZgAcer.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2008-12-03 21:12 13556256 c:\windows\System32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-12-03 21:12 92704 c:\windows\System32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvSvc]
--a------ 2008-12-03 21:12 711200 c:\windows\System32\nvsvc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PlayMovie]
--------- 2007-05-24 14:38 206952 c:\program files\Acer Arcade Deluxe\Play Movie\PMVService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PLFSet]
--a------ 2007-04-25 14:47 45056 c:\windows\PLFSet.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
--a------ 2008-01-19 01:33 1233920 c:\program files\Windows Sidebar\sidebar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a------ 2007-05-07 00:15 857648 c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
--a------ 2007-05-17 12:28 4468736 c:\windows\RtHDVCpl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{9BAC033A-75E5-4DA2-8477-C890D9AF6716}"= c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\Acer Arcade Deluxe.exe:Acer Arcade Deluxe
"{5FFA0153-8E02-414A-A584-24D33558B250}"= c:\program files\Acer Arcade Deluxe\VideoMagician\VideoMagician.exe:VideoMagician
"{E6BD3C2F-053F-4AA3-BB03-3A448F135DEF}"= c:\program files\Acer Arcade Deluxe\HomeMedia\HomeMedia.exe:HomeMedia
"{142FEB2C-45DE-42A2-B83C-3994C4338296}"= c:\program files\Acer Arcade Deluxe\DV Wizard\DV Wizard.exe:DV Wizard
"{0044038D-55C1-47BF-AA2D-F702691714A5}"= c:\program files\Acer Arcade Deluxe\DVDivine\DVDivine.exe:DVDivine
"{33CA8AFC-E91D-4E75-A91C-74944D165ACC}"= c:\program files\Acer Arcade Deluxe\Play Movie\PlayMovie.exe:Play Movie
"{F742978B-F6C9-4C2A-9F96-73C862000540}"= c:\program files\Acer Arcade Deluxe\Play Movie\PMVService.exe:Play Movie Resident Program
"{2E2E102C-CB16-47F9-B43E-3791DCA1FF82}"= Disabled:UDP:c:\program files\Skype\Phone\Skype.exe:Skype
"{5C43A44F-5C15-4B9F-B31D-03FC7557B58D}"= Disabled:TCP:c:\program files\Skype\Phone\Skype.exe:Skype

R3 winbondcir;Winbond IR Transceiver;c:\windows\System32\drivers\winbondcir.sys [2007-03-28 43008]
R4 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\Acer Arcade Deluxe\Play Movie\000.fcl [2007-09-16 08:38:34 13560]
R4 ALaunchService;ALaunch Service;c:\acer\ALaunch\ALaunchSvc.exe [2007-08-14 50688]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5644ccec-2ac4-11dd-a651-001b24a4e4c4}]
\shell\Auto\command - F:\Start.exe
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL F:\Start.exe
.
Contents of the 'Scheduled Tasks' folder

2008-05-29 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - jenncason.job
- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe []
.
.
------- Supplementary Scan -------
.
uStart Page = www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.us.acer.yahoo.com
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-30 12:00:24
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-01-30 12:02:21
ComboFix-quarantined-files.txt 2009-01-30 18:02:13

Pre-Run: 33,576,005,632 bytes free
Post-Run: 33,544,736,768 bytes free

216 --- E O F --- 2009-01-30 17:16:45

Edited by brainlinq, 30 January 2009 - 01:11 PM.


#8 brainlinq

brainlinq
  • Topic Starter

  • Members
  • 22 posts
  • Gender:Male
  • Location:Earth, USA, Texas, Some town you never heard of
  • Local time:04:07 PM

Posted 30 January 2009 - 01:12 PM

DDS Log:

_______________________________________


DDS (Ver_09-01-19.01) - NTFSx86
Run by jenncason at 12:06:23.52 on Fri 01/30/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.766.163 [GMT -6:00]

AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\agrsmsvc.exe
C:\Acer\ALaunch\ALaunchSvc.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
C:\Acer\Empowering Technology\eNet\eNet Service.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Acer\Mobility Center\MobilityService.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\wsqmcons.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\Explorer.exe
C:\Windows\system32\WUDFHost.exe
C:\Users\jenncason\Desktop\dds.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.us.acer.yahoo.com
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: ShowBarObj Class: {83a2f9b1-01a2-4aa5-87d1-45b6b8505e96} - c:\windows\system32\ActiveToolBand.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

============= SERVICES / DRIVERS ===============

R3 winbondcir;Winbond IR Transceiver;c:\windows\system32\drivers\winbondcir.sys [2007-3-28 43008]
R4 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\acer arcade deluxe\play movie\000.fcl [2007-9-16 13560]
R4 ALaunchService;ALaunch Service;c:\acer\alaunch\ALaunchSvc.exe [2007-8-14 50688]

=============== Created Last 30 ================

2009-01-30 11:57 161,792 a------- c:\windows\SWREG.exe
2009-01-30 11:57 98,816 a------- c:\windows\sed.exe
2009-01-30 11:25 0 a---h--- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2009-01-30 11:24 <DIR> --d----- c:\programdata\NVIDIA
2009-01-30 11:02 430,080 a------- c:\windows\system32\vbscript.dll
2009-01-30 11:02 180,224 a------- c:\windows\system32\scrobj.dll
2009-01-30 11:02 172,032 a------- c:\windows\system32\scrrun.dll
2009-01-30 11:02 155,648 a------- c:\windows\system32\wscript.exe
2009-01-30 11:02 135,168 a------- c:\windows\system32\wshom.ocx
2009-01-30 11:02 135,168 a------- c:\windows\system32\cscript.exe
2009-01-30 11:02 90,112 a------- c:\windows\system32\wshext.dll
2009-01-30 10:49 <DIR> --d----- c:\program files\Microsoft
2009-01-30 09:51 <DIR> --d----- C:\PerfLogs
2009-01-30 08:22 97,800 a------- c:\windows\system32\infocardapi.dll
2009-01-30 08:22 105,016 a------- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-01-30 08:22 622,080 a------- c:\windows\system32\icardagt.exe
2009-01-30 08:22 37,384 a------- c:\windows\system32\infocardcpl.cpl
2009-01-30 08:22 11,264 a------- c:\windows\system32\icardres.dll
2009-01-30 08:22 43,544 a------- c:\windows\system32\PresentationHostProxy.dll
2009-01-30 08:22 781,344 a------- c:\windows\system32\PresentationNative_v0300.dll
2009-01-30 08:21 326,160 a------- c:\windows\system32\PresentationHost.exe
2009-01-30 08:18 41,615,360 a------- c:\windows\ocsetup_install_NetFx3.etl
2009-01-30 08:18 49,152 a------- c:\windows\ocsetup_cbs_install_NetFx3.perf
2009-01-30 08:18 16,384 a------- c:\windows\ocsetup_cbs_install_NetFx3.dpx
2009-01-30 08:07 96,760 a------- c:\windows\system32\dfshim.dll
2009-01-30 08:07 282,112 a------- c:\windows\system32\mscoree.dll
2009-01-30 08:07 41,984 a------- c:\windows\system32\netfxperf.dll
2009-01-30 08:07 158,720 a------- c:\windows\system32\mscorier.dll
2009-01-30 08:07 83,968 a------- c:\windows\system32\mscories.dll
2009-01-30 03:10 1,383,424 a------- c:\windows\system32\mshtml.tlb
2009-01-30 03:06 2,048 a------- c:\windows\system32\tzres.dll
2009-01-30 02:52 <DIR> --d----- c:\programdata\Avira
2009-01-30 02:52 <DIR> --d----- c:\program files\Avira
2009-01-30 02:52 <DIR> --d----- c:\progra~2\Avira
2009-01-30 00:52 241,152 a------- c:\windows\system32\PortableDeviceApi.dll
2009-01-30 00:52 160,768 a------- c:\windows\system32\PortableDeviceTypes.dll
2009-01-30 00:52 94,720 a------- c:\windows\system32\PortableDeviceClassExtension.dll
2009-01-30 00:51 296,960 a------- c:\windows\system32\gdi32.dll
2009-01-30 00:51 212,480 a------- c:\windows\system32\drivers\mrxsmb10.sys
2009-01-30 00:50 4,240,384 a------- c:\windows\system32\GameUXLegacyGDFs.dll
2009-01-30 00:50 28,672 a------- c:\windows\system32\Apphlpdm.dll
2009-01-30 00:50 1,191,936 a------- c:\windows\system32\msxml3.dll
2009-01-30 00:48 288,768 a------- c:\windows\system32\drivers\srv.sys
2009-01-30 00:48 2,868,736 a------- c:\windows\system32\mf.dll
2009-01-30 00:48 996,352 a------- c:\windows\system32\WMNetMgr.dll
2009-01-30 00:48 98,816 a------- c:\windows\system32\mfps.dll
2009-01-30 00:48 94,720 a------- c:\windows\system32\logagent.exe
2009-01-30 00:48 53,248 a------- c:\windows\system32\rrinstaller.exe
2009-01-30 00:48 24,576 a------- c:\windows\system32\mfpmp.exe
2009-01-30 00:48 1,645,568 a------- c:\windows\system32\connect.dll
2009-01-30 00:48 1,334,272 a------- c:\windows\system32\msxml6.dll
2009-01-30 00:48 3,601,464 a------- c:\windows\system32\ntkrnlpa.exe
2009-01-30 00:48 3,549,240 a------- c:\windows\system32\ntoskrnl.exe
2009-01-30 00:44 2,032,640 a------- c:\windows\system32\win32k.sys
2009-01-30 00:24 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-30 00:19 217,088 a------- c:\windows\system32\psisrndr.ax
2009-01-30 00:19 428,544 a------- c:\windows\system32\EncDec.dll
2009-01-30 00:19 293,376 a------- c:\windows\system32\psisdecd.dll
2009-01-30 00:19 80,896 a------- c:\windows\system32\MSNP.ax
2009-01-30 00:19 177,664 a------- c:\windows\system32\mpg2splt.ax
2009-01-30 00:16 1,524,736 a------- c:\windows\system32\wucltux.dll
2009-01-30 00:16 83,456 a------- c:\windows\system32\wudriver.dll
2009-01-30 00:15 162,064 a------- c:\windows\system32\wuwebv.dll
2009-01-30 00:15 31,232 a------- c:\windows\system32\wuapp.exe
2009-01-26 12:51 <DIR> --d----- c:\windows\pss
2009-01-26 10:55 <DIR> --d----- c:\users\jennca~1\appdata\roaming\Malwarebytes
2009-01-26 10:55 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-26 10:55 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-26 10:55 <DIR> --d----- c:\programdata\Malwarebytes
2009-01-26 10:55 <DIR> --d----- c:\progra~2\Malwarebytes
2009-01-26 10:55 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================

2009-01-30 10:50 143,360 a------- c:\windows\inf\infstrng.dat
2009-01-30 10:50 51,200 a------- c:\windows\inf\infpub.dat
2009-01-30 10:50 86,016 a------- c:\windows\inf\infstor.dat
2009-01-30 10:08 174 a--sh--- c:\program files\desktop.ini
2009-01-30 09:51 665,600 a------- c:\windows\inf\drvindex.dat
2009-01-30 09:33 101,888 a------- c:\windows\system32\ifxcardm.dll
2009-01-30 09:32 82,432 a------- c:\windows\system32\axaltocm.dll
2008-12-29 22:57 952,832 a------- c:\windows\system32\drivers\athr.sys
2008-03-12 18:28 32 a------- c:\programdata\ezsid.dat
2008-03-12 18:28 32 a------- c:\progra~2\ezsid.dat
2006-11-02 06:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 06:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 06:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 06:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 03:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 03:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 03:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 03:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 12:07:14.78 ===============

Edited by brainlinq, 30 January 2009 - 01:12 PM.


#9 Thunder

Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium
  • Local time:12:07 AM

Posted 31 January 2009 - 07:13 PM

Hello Brainlinq,

Your logs look fine. :thumbup2:

You can remove all the tools used and the folders created in the process.
To remove ComboFix:
Go to Start > Run, and copy and paste the next command into the field: ComboFix /u
Make sure there's a space between ComboFix and /u
Then press Enter.
This will uninstall ComboFix, delete its related folders and files, restore your clock settings, hide file extensions, hide the system/hidden files, and reset System Restore again.

No more issues?

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#10 brainlinq

brainlinq
  • Topic Starter

  • Members
  • 22 posts
  • Gender:Male
  • Location:Earth, USA, Texas, Some town you never heard of
  • Local time:04:07 PM

Posted 01 February 2009 - 12:10 AM

Awesome. All is good now. Thanks!

#11 Thunder

Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium
  • Local time:12:07 AM

Posted 01 February 2009 - 05:50 PM

Glad we could help, Brainlinq :thumbup2:

Please read this Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: make sure your programs are up to date, because older versions may contain security leaks.
To find out which programs need to be updated, please run the Secunia Software Inspector Scan.

Please also read Tony Klein's excellent article: How I got Infected in the First Place
and/or Grinler's tutorial on how malware is hidden and installed

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
