Possible Infection Please Help


This topic is locked
11 replies to this topic

#1 Msingh689 (Members)

Posted 28 March 2009 - 12:25 PM

Hello,

A couple of days ago my Vista Security Center icon appeared and is red and has a white X through it. I try to reactivate it and it says that it is not able to be started. I also get redirected to unrelated sites in Google search, and some of my icons on the desktop are duplicating (very odd). I have no clue what to do, please help.

Here is my HijackThis log file.

Thanks in advance
Mel

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:24:01 PM, on 28/03/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Windows\system32\schtasks.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\hp\kbd\kbd.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.5.0.135\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.5.0.135\IPSBHO.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.5.0.135\coIEPlg.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KbdStub.EXE
O4 - HKLM\..\Run: [OsdMaestro] "C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [CCUTRAYICON] FactoryMode
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [SunJavaUpdateReg] "C:\Windows\system32\jureg.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [MetaCut Utilities MCU2CAM] C:\Program Files\MCU\Partners\Mastercam\mcu2cam.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe"
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Users\Mel\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe (file missing)
O13 - Gopher Prefix:
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://edownload.grisoft.cz/ewidoOnlineScan.cab
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.5.0.135\coIEPlg.dll
O23 - Service: Intel® Alert Service (AlertService) - Intel® Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DQLWinService - Unknown owner - C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel DH Service (IntelDHSvcConf) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Tools\IntelDHSvcConf.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel® Software Services Manager (ISSM) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Intel® Viiv™ Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
O23 - Service: Intel® Application Tracker (MCLServiceATL) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
O23 - Service: Intel® Remoting Service (Remote UI Service) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 10050 bytes

Edited by Msingh689, 29 March 2009 - 11:12 AM.
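
The HijackThis log above is the kind of thing a helper reads by hand: one line per browser helper object (O2), toolbar (O3), registry autorun (O4), Internet Explorer button (O9) and service (O23), each ending in the file it points at. The Python script below is an added example written for this page; it is not part of HijackThis and not something the poster or the helpers ran. It parses those sections and applies a few first-pass checks: entries whose file no longer exists, autoruns that launch from a user profile directory or give no directory at all, P2P clients started at logon, and services with no listed vendor. The checks and the list of P2P client names are the editor's assumptions, and a hit only means the entry deserves a second look. The sample input is a subset of lines copied from the log above.

```python
"""Triage a HijackThis 2.x log the way a malware-response helper reads it.

Added example for the thread above (editor's code, not a HijackThis feature
and not from the original post). Each rule below is an assumption about what
deserves a second look; a hit is a lead, not a verdict.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a subset of lines copied from the HijackThis log in post #1.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [CCUTRAYICON] FactoryMode
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Users\Mel\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe (file missing)
O23 - Service: DQLWinService - Unknown owner - C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
# O2 browser helper objects and O3 toolbars: "<kind>: <name> - {CLSID} - <path>"
BHO_RE = re.compile(r"^(?:BHO|Toolbar): (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
# O9 extra buttons and Tools menu items share the same tail
EXTRA_RE = re.compile(r"^Extra (?:button|'Tools' menuitem): (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
# O4 registry autoruns: "HKLM\..\Run: [name] command"
RUN_RE = re.compile(r"^(?P<hive>HK\S+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
# O23 services: "Service: <name> - <vendor> - <path>"
SVC_RE = re.compile(r"^Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
# Editor's assumption: client names worth calling out when started at logon
P2P_RE = re.compile(r"\b(bittorrent|utorrent|ares|limewire|kazaa|emule)\b", re.I)


@dataclass
class Entry:
    section: str
    raw: str
    fields: dict


@dataclass
class Finding:
    section: str
    name: str
    reason: str


def parse(log_text: str) -> list[Entry]:
    """Keep only the lettered entries; headers and the process list are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        fields = {}
        for sub in (BHO_RE, EXTRA_RE, RUN_RE, SVC_RE):
            sm = sub.match(m["body"])
            if sm:
                fields = sm.groupdict()
                break
        entries.append(Entry(m["section"], line.strip(), fields))
    return entries


def target_of(cmd: str) -> str:
    """Best-effort: the file an O4 command actually launches."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end < 0:
            end = len(cmd)
        head, rest = cmd[1:end], cmd[end + 1:].strip()
    else:
        head, _, rest = cmd.partition(" ")
    # rundll32 is only a host process; the file of interest is the DLL it loads.
    if head.lower().endswith("rundll32.exe") and rest:
        return rest.split(",", 1)[0].strip('"')
    return head


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for e in parse(log_text):
        f = e.fields
        if not f:
            continue  # section we do not model (R0/R1, O1, O16, O18, ...)
        name = f["name"]
        if e.section in ("O2", "O3", "O9"):
            path = f.get("path", "")
            if path == "(no file)" or path.endswith("(file missing)"):
                findings.append(Finding(e.section, name, "registry entry points at a file that no longer exists"))
        elif e.section == "O4" and "cmd" in f:
            target = target_of(f["cmd"]).lower()
            if "\\" not in target:
                findings.append(Finding(e.section, name, "no directory in command; resolution depends on PATH"))
            elif target.startswith("c:\\users\\") or "\\appdata\\" in target:
                findings.append(Finding(e.section, name, "autorun launched from a user-writable profile directory"))
            if P2P_RE.search(name):
                findings.append(Finding(e.section, name, "P2P client started at logon"))
        elif e.section == "O23" and f.get("owner") == "Unknown owner":
            findings.append(Finding(e.section, name, "service binary has no listed vendor; verify its signature and hash"))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"{finding.section:<5}{finding.name:<28}{finding.reason}")
```

Run stand-alone it prints the findings for the sample. Fed the full log from post #1 it also flags the second orphaned BHO ({5C255C8A-E604-49b4-9D64-90988571CECB}), the bare RtHDVCpl.exe autorun and the Intel Viiv Media Server service, which has no listed owner; those are very likely vendor components, which is the point: the script shortens the list a helper has to read, it does not decide for them.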


#2 Msingh689 (Topic Starter, Members)

Posted 29 March 2009 - 05:16 PM

My computer is getting slower and slower. PLEASE HELP!!!!! I don't want to format my PC; I have a lot of info.

#3 KoanYorel (Bleepin' Conundrum, Staff Emeritus)

Posted 06 April 2009 - 10:43 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#4 Msingh689 (Topic Starter, Members)

Posted 06 April 2009 - 11:19 AM

I haven't done anything else since I posted, and nothing new has happened that has affected the PC.

Here is the DDS log.

And thanks again

DDS (Ver_09-03-16.01) - NTFSx86
Run by Mel at 12:13:48.62 on 06/04/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.2.1033.18.2047.516 [GMT -4:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\alg.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\system32\schtasks.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Users\Mel\Program Files\DNA\btdna.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\ehome\ehsched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\ehome\ehRecvr.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\hp\kbd\kbd.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\ehome\ehshell.exe
C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehVid.exe
C:\Windows\ehome\ehExtHost.exe
C:\Windows\ehome\ehExtHost.exe
C:\Windows\ehome\ehExtHost.exe
C:\Program Files\Intel\IntelDH\CCU\CCU_Engine.exe
C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Mel\Desktop\dds.scr
C:\Windows\system32\conime.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Pavilion&pf=desktop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Pavilion&pf=desktop
uInternet Settings,ProxyOverride = *.local
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\norton internet security\engine\16.5.0.135\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\norton internet security\engine\16.5.0.135\IPSBHO.DLL
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\norton internet security\engine\16.5.0.135\coIEPlg.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [MetaCut Utilities MCU2CAM] c:\program files\mcu\partners\mastercam\mcu2cam.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMBgMonitor.exe"
uRun: [BitTorrent] "c:\program files\bittorrent\bittorrent.exe"
uRun: [BitTorrent DNA] "c:\users\mel\program files\dna\btdna.exe"
uRun: [ares] "c:\program files\ares\Ares.exe" -h
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [KBD] c:\hp\kbd\KbdStub.EXE
mRun: [OsdMaestro] "c:\program files\hewlett-packard\on-screen osd indicator\OSD.exe"
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [CCUTRAYICON] FactoryMode
mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
mRun: [SunJavaUpdateReg] "c:\windows\system32\jureg.exe"
mRun: [<NO NAME>]
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
StartupFolder: c:\users\mel\appdata\roaming\micros~1\windows\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
StartupFolder: c:\users\mel\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\programs\partygaming\partypoker\RunApp.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://edownload.grisoft.cz/ewidoOnlineScan.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton internet security\norton internet security\engine\16.5.0.135\CoIEPlg.dll

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1005000.087\SymEFA.sys [2009-3-18 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nis\1005000.087\BHDrvx86.sys [2009-3-18 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1005000.087\cchpx86.sys [2009-3-18 482352]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090331.007\IDSvix86.sys [2009-4-3 292912]
R2 DQLWinService;DQLWinService;c:\program files\common files\intel\inteldh\nms\adpplugins\DQLWinService.exe [2006-9-3 208896]
R2 Norton Internet Security;Norton Internet Security;c:\program files\norton internet security\norton internet security\engine\16.5.0.135\ccSvcHst.exe [2009-3-18 115560]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-2-28 101936]
R3 HSXHWBS3;HSXHWBS3;c:\windows\system32\drivers\HSXHWBS3.sys [2008-9-10 205824]
R3 MRV6X32U;Marvell TOPDOG 802.11n WLAN Driver for Vista x86 (USB8x);c:\windows\system32\drivers\MRVW24B.sys [2008-3-19 310016]
R3 SYMNDISV;Symantec Network Filter Driver;c:\windows\system32\drivers\nis\1005000.087\symndisv.sys [2009-3-18 39984]
R3 xcbdaNtsc;ViXS Tuner Card (NTSC);c:\windows\system32\drivers\xcbda.sys [2007-9-7 156928]
S2 IntelDHSvcConf;Intel DH Service;c:\program files\intel\inteldh\intel media server\tools\IntelDHSvcConf.exe [2006-5-10 29696]

=============== Created Last 30 ================

2009-03-27 12:47 <DIR> --d----- c:\users\mel\appdata\roaming\Malwarebytes
2009-03-27 12:47 <DIR> --d----- c:\programdata\Malwarebytes
2009-03-27 12:47 <DIR> --d----- c:\progra~2\Malwarebytes
2009-03-27 11:24 <DIR> --d----- c:\programdata\SUPERAntiSpyware.com
2009-03-27 11:24 <DIR> --d----- c:\progra~2\SUPERAntiSpyware.com
2009-03-27 11:23 <DIR> --d----- c:\users\mel\appdata\roaming\SUPERAntiSpyware.com
2009-03-27 11:23 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-03-26 07:54 <DIR> --d----- c:\users\mel\appdata\roaming\CleanMyPC Software
2009-03-25 13:08 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-25 13:01 <DIR> --d----- c:\program files\Trend Micro
2009-03-24 16:27 <DIR> --d----- C:\games
2009-03-24 06:33 197,120 a------- c:\windows\system32\mqapi.exe
2009-03-24 00:05 <DIR> --d----- c:\programdata\PlayPond
2009-03-24 00:05 <DIR> --d----- c:\progra~2\PlayPond
2009-03-24 00:05 <DIR> --d----- c:\windows\Mystery Legends Sleepy Hollow
2009-03-23 23:38 <DIR> --d----- c:\users\mel\appdata\roaming\Ashtons. Family Resort
2009-03-23 23:38 <DIR> --d----- c:\programdata\Ashtons. Family Resort
2009-03-23 23:38 <DIR> --d----- c:\progra~2\Ashtons. Family Resort
2009-03-23 23:37 <DIR> --d----- c:\windows\Ashtons Family Resort
2009-03-21 14:08 <DIR> --d----- c:\users\mel\Tracing
2009-03-21 14:03 <DIR> --d----- c:\program files\Windows Live SkyDrive
2009-03-21 13:56 <DIR> --d----- c:\program files\common files\Windows Live
2009-03-15 23:53 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-03-15 23:53 23,848 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-15 23:53 <DIR> --d----- c:\program files\iPod
2009-03-15 23:53 <DIR> --d----- c:\programdata\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-15 23:53 <DIR> --d----- c:\program files\iTunes
2009-03-15 23:53 <DIR> --d----- c:\progra~2\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-15 23:51 <DIR> --d----- c:\program files\Bonjour
2009-03-11 21:39 479,232 a------- c:\windows\system32\AudioVisu.dll
2009-03-11 21:39 454,656 a------- c:\windows\system32\AudioRecord.dll
2009-03-11 21:39 348,160 a------- c:\windows\system32\WMAFile.dll
2009-03-11 21:39 116,296 a------- c:\windows\system32\NCTWMAProfiles.prx
2009-03-11 21:39 2,084,864 a------- c:\windows\system32\AudDesign.dll
2009-03-11 21:39 1,986,560 a------- c:\windows\system32\AudFile.dll
2009-03-11 21:39 1,212,416 a------- c:\windows\system32\AudioInfos.dll
2009-03-11 21:39 458,752 a------- c:\windows\system32\AudPlayer.dll
2009-03-11 21:39 417,792 a------- c:\windows\system32\AudDisplay.dll
2009-03-11 21:39 <DIR> --d----- c:\program files\Free Audio Pack
2009-03-11 05:41 268,288 a------- c:\windows\system32\schannel.dll
2009-03-11 05:41 2,033,152 a------- c:\windows\system32\win32k.sys

==================== Find3M ====================

2009-03-31 23:44 87,608 a------- c:\users\mel\appdata\roaming\inst.exe
2009-03-31 23:44 47,360 a------- c:\users\mel\appdata\roaming\pcouffin.sys
2009-03-26 07:36 143,360 a------- c:\windows\inf\infstrng.dat
2009-03-26 07:36 86,016 a------- c:\windows\inf\infstor.dat
2009-03-26 07:36 51,200 a------- c:\windows\inf\infpub.dat
2009-03-25 19:31 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-03-25 19:31 7,386 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-03-25 19:31 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-03-12 05:03 25,136 a----r-- c:\windows\system32\drivers\SymIMV.sys
2009-03-05 23:59 1,900,544 a------- c:\windows\system32\usbaaplrc.dll
2009-03-05 23:59 36,864 a------- c:\windows\system32\drivers\usbaapl.sys
2009-02-28 16:15 2 a------- C:\13463.exe
2009-02-28 16:15 2 a------- C:\69345.exe
2009-02-28 16:15 2 a------- C:\23856.exe
2009-02-28 15:42 2 a------- C:\45301.exe
2009-02-28 15:42 2 a------- C:\44670.exe
2009-02-28 15:42 2 a------- C:\3435.exe
2009-02-28 15:42 2 a------- C:\76134.exe
2009-02-28 15:42 2 a------- C:\80167.exe
2009-02-28 15:42 2 a------- C:\42317.exe
2009-02-28 15:42 2 a------- C:\31686.exe
2009-02-28 15:42 2 a------- C:\32562.exe
2009-02-28 15:42 2 a------- C:\14409.exe
2009-02-28 15:42 2 a------- C:\88219.exe
2009-02-28 15:37 2 a------- C:\11783.exe
2009-02-28 15:37 2 a------- C:\52718.exe
2009-02-28 15:37 2 a------- C:\35128.exe
2009-02-28 15:37 2 a------- C:\20778.exe
2009-02-28 15:37 2 a------- C:\91327.exe
2009-02-28 15:37 2 a------- C:\85472.exe
2009-02-28 15:37 2 a------- C:\35009.exe
2009-02-28 15:37 2 a------- C:\3329.exe
2009-02-28 15:36 2 a------- C:\33528.exe
2009-02-28 15:36 2 a------- C:\45388.exe
2009-02-28 15:36 2 a------- C:\61248.exe
2009-02-28 15:36 2 a------- C:\38834.exe
2009-02-28 15:36 2 a------- C:\94443.exe
2009-02-28 15:36 2 a------- C:\16111.exe
2009-02-28 15:36 2 a------- C:\43404.exe
2009-02-28 15:36 2 a------- C:\62384.exe
2009-02-28 15:36 2 a------- C:\55726.exe
2009-02-28 15:36 2 a------- C:\36528.exe
2009-02-28 15:36 2 a------- C:\97983.exe
2009-02-28 15:36 2 a------- C:\43174.exe
2009-02-07 13:22 319,456 a------- c:\windows\DIFxAPI.dll
2009-02-06 18:52 49,504 a------- c:\windows\system32\sirenacm.dll
2009-01-15 02:11 827,392 a------- c:\windows\system32\wininet.dll
2009-01-06 12:29 965,664 a------- c:\windows\system32\RtkPgExt.dll
2009-01-06 12:29 44,064 a------- c:\windows\system32\RtkCoInst.dll
2009-01-06 12:29 322,080 a------- c:\windows\system32\RtkApoApi.dll
2009-01-06 12:29 2,510,368 a------- c:\windows\system32\RtkAPO.dll
2008-06-11 23:39 665,600 a------- c:\windows\inf\drvindex.dat
2008-04-22 15:47 174 a--sh--- c:\program files\desktop.ini
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2008-04-18 01:54 22 a--sh--- c:\windows\sminst\HPCD.sys

============= FINISH: 12:14:23.53 ===============
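
The two file listings in the DDS log above ("Created Last 30" and "Find3M") give a timestamp, size, attributes and path for each file, one per line, and that is enough to make the odd group in this log stand out: 33 two-byte .exe files with random numeric names, all in the root of C:\, all created within a few minutes of each other on 2009-02-28. The Python script below is an added example written for this page, not part of DDS or ComboFix and not something anyone in the thread ran. It parses those lines and flags files too small to be a PE image (the DOS header alone is 64 bytes), numeric-named executables in a drive root, bursts of executables created in the same minute, and executable code under a user profile, then cross-checks the listing against the "Other Deletions" list ComboFix printed in post #6 to show which deleted files the DDS listing never captured. The thresholds and rules are the editor's assumptions; each hit is a lead, not a verdict (a driver under AppData can be a legitimate vendor component). Both sample inputs are constructed subsets of the logs on this page.

```python
"""Triage the file listings of a DDS log ("Created Last 30" and "Find3M").

Added example for the thread above (editor's code, not part of DDS or
ComboFix, not from the original post). The rules are the editor's assumptions
about what a helper looks at first; a hit is a lead, not a verdict.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a subset of lines copied from the DDS log in post #4.
SAMPLE_DDS = r"""
2009-03-27 12:47 <DIR> --d----- c:\programdata\Malwarebytes
2009-03-24 06:33 197,120 a------- c:\windows\system32\mqapi.exe
2009-03-11 05:41 268,288 a------- c:\windows\system32\schannel.dll
2009-03-31 23:44 87,608 a------- c:\users\mel\appdata\roaming\inst.exe
2009-03-31 23:44 47,360 a------- c:\users\mel\appdata\roaming\pcouffin.sys
2009-02-28 16:15 2 a------- C:\13463.exe
2009-02-28 16:15 2 a------- C:\69345.exe
2009-02-28 16:15 2 a------- C:\23856.exe
2009-02-28 15:42 2 a------- C:\45301.exe
2009-02-28 15:42 2 a------- C:\44670.exe
2009-02-28 15:42 2 a------- C:\3435.exe
2009-02-28 15:42 2 a------- C:\76134.exe
2009-02-28 15:42 2 a------- C:\80167.exe
2009-02-28 15:42 2 a------- C:\42317.exe
2009-02-07 13:22 319,456 a------- c:\windows\DIFxAPI.dll
"""

# Constructed sample: a subset of ComboFix's "Other Deletions" list from post #6.
SAMPLE_COMBOFIX_DELETIONS = r"""
C:\13463.exe
C:\23856.exe
C:\24299.exe
C:\3435.exe
C:\42317.exe
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size>[\d,]+|<DIR>) (?P<attrs>\S+) (?P<path>.+)$"
)
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com", ".pif")
MIN_PE_SIZE = 64        # a PE image starts with a 64-byte DOS header; smaller cannot load
BURST_THRESHOLD = 5     # editor's assumption: this many per minute looks like a batch drop


@dataclass
class FileRecord:
    created: str            # "YYYY-MM-DD HH:MM" as DDS prints it
    size: int | None        # None for <DIR> entries
    attrs: str
    path: str

    @property
    def is_executable(self) -> bool:
        return self.size is not None and self.path.lower().endswith(EXEC_EXT)


@dataclass
class Finding:
    path: str
    reason: str


def parse_dds_files(text: str) -> list[FileRecord]:
    """Keep the file lines; section banners and other DDS output are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
        records.append(FileRecord(f"{m['date']} {m['time']}", size, m["attrs"], m["path"]))
    return records


def triage(records: list[FileRecord]) -> list[Finding]:
    findings = []
    per_minute = Counter(r.created for r in records if r.is_executable)
    for r in records:
        if not r.is_executable:
            continue
        low = r.path.lower()
        stem = low.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if r.size < MIN_PE_SIZE:
            findings.append(Finding(r.path, f"{r.size}-byte file cannot be a valid PE image"))
        if re.fullmatch(r"[a-z]:\\[^\\]+", low) and stem.isdigit():
            findings.append(Finding(r.path, "numeric-named executable in the drive root"))
        if per_minute[r.created] >= BURST_THRESHOLD:
            findings.append(Finding(r.path, f"one of {per_minute[r.created]} executables created at {r.created}"))
        if "\\users\\" in low or "\\appdata\\" in low:
            findings.append(Finding(r.path, "executable code under a user profile directory"))
    return findings


def deletions_not_in_listing(records: list[FileRecord], combofix_deletions: str) -> list[str]:
    """Paths ComboFix deleted that the DDS listing never showed: the DDS log
    alone under-counts what was dropped, so read the two logs together."""
    seen = {r.path.lower() for r in records}
    deleted = [l.strip() for l in combofix_deletions.splitlines() if l.strip()]
    return [d for d in deleted if d.lower() not in seen]


if __name__ == "__main__":
    recs = parse_dds_files(SAMPLE_DDS)
    for f in triage(recs):
        print(f"{f.path:<50}{f.reason}")
    for missing in deletions_not_in_listing(recs, SAMPLE_COMBOFIX_DELETIONS):
        print(f"{missing:<50}deleted by ComboFix but absent from the DDS listing")
```

On the full listing in post #4 the burst rule fires for the 15:36, 15:37 and 15:42 groups (12, 8 and 10 files) but not for the three files at 16:15, so the cluster stands out as a whole even though each file on its own is only 2 bytes. The cross-check shows that ComboFix removed names such as C:\24299.exe that never appeared in DDS's Find3M section, which is why a helper reads the ComboFix log rather than treating the DDS listing as the complete inventory.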

#5 PropagandaPanda (Malware Response Team)

Posted 06 April 2009 - 02:23 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

Disable Realtime Protection
Antimalware programs can interfere with ComboFix and other tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

Download and Run ComboFix
Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right-click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.

  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER.zip to your desktop from any of the links below:
LINK1, LINK2
  • Right click on GMER.zip and select "Extract All".
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click GMER.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.
In your next reply include:
-the ComboFix log
-the GMER scan log

With Regards,
The Panda

#6 Msingh689

Msingh689
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:12:44 AM

Posted 06 April 2009 - 11:09 PM

Hi PropagandaPanda,

Here is the Combofix log and the GMER log. Hopefully all this helps.

Thanks again,

Melina


ComboFix 09-04-04.01 - Mel 2009-04-06 23:35:25.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2047.965 [GMT -4:00]
Running from: c:\users\Mel\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\11783.exe
C:\13463.exe
C:\14409.exe
C:\16111.exe
C:\20778.exe
C:\23856.exe
C:\24299.exe
C:\31686.exe
C:\32537.exe
C:\32562.exe
C:\3329.exe
C:\33528.exe
C:\3435.exe
C:\35009.exe
C:\35128.exe
C:\36528.exe
C:\38834.exe
C:\39229.exe
C:\42317.exe
C:\43174.exe
C:\43404.exe
C:\43770.exe
C:\44670.exe
C:\44920.exe
C:\45301.exe
C:\45388.exe
C:\45754.exe
C:\48061.exe
C:\52718.exe
C:\55726.exe
C:\56580.exe
C:\61248.exe
C:\61638.exe
C:\62162.exe
C:\62384.exe
C:\69345.exe
C:\70890.exe
C:\72251.exe
C:\75415.exe
C:\76134.exe
C:\80167.exe
C:\84769.exe
C:\85403.exe
C:\85472.exe
C:\88219.exe
C:\91327.exe
C:\94443.exe
C:\97145.exe
C:\97983.exe
C:\9902.exe
c:\users\Mel\AppData\Roaming\inst.exe

.
((((((((((((((((((((((((( Files Created from 2009-03-07 to 2009-04-07 )))))))))))))))))))))))))))))))
.

2009-03-27 12:47 . 2009-03-27 12:47 <DIR> d-------- c:\users\Mel\AppData\Roaming\Malwarebytes
2009-03-27 12:47 . 2009-03-27 12:47 <DIR> d-------- c:\users\All Users\Malwarebytes
2009-03-27 12:47 . 2009-03-27 12:47 <DIR> d-------- c:\programdata\Malwarebytes
2009-03-27 11:24 . 2009-03-27 11:24 <DIR> d-------- c:\users\All Users\SUPERAntiSpyware.com
2009-03-27 11:24 . 2009-03-27 11:24 <DIR> d-------- c:\programdata\SUPERAntiSpyware.com
2009-03-27 11:23 . 2009-03-28 12:58 <DIR> d-------- c:\users\Mel\AppData\Roaming\SUPERAntiSpyware.com
2009-03-27 11:23 . 2009-03-28 12:58 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-03-26 07:54 . 2009-03-26 07:54 <DIR> d-------- c:\users\Mel\AppData\Roaming\CleanMyPC Software
2009-03-25 13:08 . 2009-03-25 13:07 410,984 --a------ c:\windows\System32\deploytk.dll
2009-03-25 13:01 . 2009-03-25 13:01 <DIR> d-------- c:\program files\Trend Micro
2009-03-24 16:27 . 2009-03-24 16:27 <DIR> d-------- C:\games
2009-03-24 06:33 . 2009-03-24 06:33 197,120 --a------ c:\windows\System32\mqapi.exe
2009-03-24 00:05 . 2009-03-24 00:05 <DIR> d-------- c:\windows\Mystery Legends Sleepy Hollow
2009-03-24 00:05 . 2009-03-24 00:05 <DIR> d-------- c:\users\All Users\PlayPond
2009-03-24 00:05 . 2009-03-24 00:05 <DIR> d-------- c:\programdata\PlayPond
2009-03-23 23:38 . 2009-03-24 00:04 <DIR> d-------- c:\users\Mel\AppData\Roaming\Ashtons. Family Resort
2009-03-23 23:38 . 2009-03-23 23:38 <DIR> d-------- c:\users\All Users\Ashtons. Family Resort
2009-03-23 23:38 . 2009-03-23 23:38 <DIR> d-------- c:\programdata\Ashtons. Family Resort
2009-03-23 23:37 . 2009-03-23 23:37 <DIR> d-------- c:\windows\Ashtons Family Resort
2009-03-21 14:08 . 2009-04-06 12:09 <DIR> d-------- c:\users\Mel\Tracing
2009-03-21 14:03 . 2009-03-21 14:03 <DIR> d-------- c:\program files\Windows Live SkyDrive
2009-03-21 13:56 . 2009-03-21 13:56 <DIR> d-------- c:\program files\Common Files\Windows Live
2009-03-15 23:53 . 2009-03-15 23:53 <DIR> d-------- c:\users\All Users\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-15 23:53 . 2009-03-15 23:53 <DIR> d-------- c:\programdata\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-15 23:53 . 2009-03-15 23:53 <DIR> d-------- c:\program files\iTunes
2009-03-15 23:53 . 2009-03-15 23:53 <DIR> d-------- c:\program files\iPod
2009-03-15 23:53 . 2008-04-17 12:12 107,368 --a------ c:\windows\System32\GEARAspi.dll
2009-03-15 23:53 . 2009-01-15 12:19 23,848 --a------ c:\windows\System32\drivers\GEARAspiWDM.sys
2009-03-15 23:51 . 2009-03-15 23:51 <DIR> d-------- c:\program files\Bonjour
2009-03-15 23:50 . 2009-03-15 23:51 <DIR> d-------- c:\program files\QuickTime
2009-03-11 21:39 . 2009-03-11 21:40 <DIR> d-------- c:\program files\Free Audio Pack
2009-03-11 21:39 . 2005-02-24 12:10 2,084,864 --a------ c:\windows\System32\AudDesign.dll
2009-03-11 21:39 . 2005-03-11 17:37 1,986,560 --a------ c:\windows\System32\AudFile.dll
2009-03-11 21:39 . 2005-02-24 12:11 1,212,416 --a------ c:\windows\System32\AudioInfos.dll
2009-03-11 21:39 . 2005-02-24 12:11 479,232 --a------ c:\windows\System32\AudioVisu.dll
2009-03-11 21:39 . 2005-02-24 15:21 458,752 --a------ c:\windows\System32\AudPlayer.dll
2009-03-11 21:39 . 2005-03-10 16:00 454,656 --a------ c:\windows\System32\AudioRecord.dll
2009-03-11 21:39 . 2005-02-24 12:10 417,792 --a------ c:\windows\System32\AudDisplay.dll
2009-03-11 21:39 . 2005-02-24 11:51 348,160 --a------ c:\windows\System32\WMAFile.dll
2009-03-11 21:39 . 2005-01-10 12:54 116,296 --a------ c:\windows\System32\NCTWMAProfiles.prx
2009-03-11 05:41 . 2009-02-08 23:10 2,033,152 --a------ c:\windows\System32\win32k.sys
2009-03-11 05:41 . 2008-11-27 00:43 268,288 --a------ c:\windows\System32\schannel.dll
2009-03-07 02:09 . 2009-03-07 02:10 <DIR> d-------- c:\users\Mel\AppData\Roaming\JivaroPref

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-07 03:33 --------- d-----w c:\users\Mel\AppData\Roaming\DNA
2009-04-06 15:20 --------- d-----w c:\users\Mel\AppData\Roaming\BitTorrent
2009-04-03 22:59 --------- d-----w c:\users\Mel\AppData\Roaming\LimeWire
2009-04-01 03:44 47,360 ----a-w c:\users\Mel\AppData\Roaming\pcouffin.sys
2009-04-01 03:44 --------- d-----w c:\users\Mel\AppData\Roaming\Vso
2009-04-01 03:44 --------- d-----w c:\program files\VSO
2009-03-28 16:59 --------- d---a-w c:\programdata\TEMP
2009-03-25 23:31 805 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-03-25 23:31 7,386 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-03-25 23:31 124,464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-03-25 23:31 --------- d-----w c:\program files\Symantec
2009-03-25 22:16 --------- d-----w c:\program files\Google
2009-03-25 17:07 --------- d-----w c:\program files\Java
2009-03-25 12:53 --------- d-----w c:\programdata\HP Product Assistant
2009-03-25 12:53 --------- d-----w c:\program files\LimeWire
2009-03-21 18:03 --------- d-----w c:\program files\Windows Live
2009-03-21 18:03 --------- d-----w c:\program files\Microsoft
2009-03-16 03:53 --------- d-----w c:\program files\Common Files\Apple
2009-03-15 21:21 --------- d-----w c:\users\Mel\AppData\Roaming\dvdcss
2009-03-15 21:21 --------- d-----w c:\users\Mel\AppData\Roaming\DivX
2009-03-12 09:03 25,136 ----a-r c:\windows\system32\drivers\SymIMV.sys
2009-03-11 21:06 --------- d-----w c:\program files\Windows Mail
2009-03-11 21:01 --------- d-----w c:\programdata\Microsoft Help
2009-03-09 21:47 --------- d-----w c:\programdata\Hewlett-Packard
2009-03-06 03:59 36,864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-03-06 03:59 1,900,544 ----a-w c:\windows\System32\usbaaplrc.dll
2009-03-02 23:48 --------- d-----w c:\program files\Maxis
2009-03-02 21:44 --------- d-----w c:\programdata\SimCity Societies
2009-02-28 23:56 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-02-28 23:54 --------- d-----w c:\programdata\Norton
2009-02-28 23:54 --------- d-----w c:\program files\Norton Internet Security
2009-02-28 23:53 --------- d-----w c:\programdata\NortonInstaller
2009-02-28 23:53 --------- d-----w c:\program files\NortonInstaller
2009-02-28 21:05 --------- d-----w c:\programdata\Kaspersky Lab
2009-02-28 19:36 --------- d-----w c:\programdata\Kaspersky Lab Setup Files
2009-02-26 17:19 --------- d-----w c:\program files\Microsoft Silverlight
2009-02-09 22:15 --------- d-----w c:\program files\EA GAMES
2009-02-09 13:43 --------- d-----w c:\program files\MagicISO
2009-02-08 18:22 --------- d-----w c:\program files\MagicDisc
2009-02-07 17:43 --------- d-----w c:\program files\DivX
2009-02-07 17:43 --------- d-----w c:\program files\Common Files\PX Storage Engine
2009-02-07 17:22 319,456 ----a-w c:\windows\DIFxAPI.dll
2009-02-06 22:52 49,504 ----a-w c:\windows\System32\sirenacm.dll
2009-01-15 06:11 827,392 ----a-w c:\windows\System32\wininet.dll
2008-04-22 19:47 174 --sha-w c:\program files\desktop.ini
2008-04-18 05:54 22 --sha-w c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"BitTorrent"="c:\program files\BitTorrent\bittorrent.exe" [2008-12-16 637232]
"BitTorrent DNA"="c:\users\Mel\Program Files\DNA\btdna.exe" [2008-12-19 342848]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CCUTRAYICON"="FactoryMode" [X]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-06-16 75008]
"SunJavaUpdateReg"="c:\windows\system32\jureg.exe" [2007-04-07 54936]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 49152]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2008-01-10 92704]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-01-10 8530464]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-01-10 88608]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-08-20 185896]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-02-06 177472]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-12 342312]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-25 148888]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 c:\windows\RtHDVCpl.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2007-04-03 44168]

c:\users\Mel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2009-02-08 575488]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-01-02 210520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{5523A609-AB6B-4E99-B4E2-293BA82627DF}"= UDP:c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.exe:SPCM
"{71B2261E-0784-436B-AABE-7A54DCE9A583}"= TCP:c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.exe:SPCM
"{7C02FC13-E8C4-4468-BE7A-EFBCE20B55EE}"= UDP:c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe:Intel® Viiv™ Media Server
"{20F6847E-6D7A-4B54-BD5E-B52040055C88}"= TCP:c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe:Intel® Viiv™ Media Server
"{7515EB2A-0C5E-4B4D-84DF-6A7D31F72931}"= UDP:c:\program files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe:Intel® Remoting Service
"{EC8B0D6D-9378-4382-8A00-0A71D921FDC5}"= TCP:c:\program files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe:Intel® Remoting Service
"{4245AE0B-014A-4969-94F5-198E20B058A3}"= TCP:9442:127.0.0.1:Intel® Viiv™ Media Server Discovery
"{1758BE7D-DD0E-446E-8A28-878386316385}"= TCP:1900:LocalSubnet:LocalSubnet:Intel® Viiv™ Media Server UPnP Discovery
"{85DCA282-D022-4B04-B956-05609331975F}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{E4FEEC97-3095-4C95-89C4-767C6BB805CC}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{03F1EF56-38C5-4DB4-BF2D-ABEB07463B6A}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{BFF374A6-72DC-4B24-A92D-B45E4618CC9E}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{0C4B7A1A-7FE3-450F-A54F-0A54527FC5AD}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{8E4E50B7-CA95-48F5-8A3F-5F92DE88FCCD}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{5771526C-96DA-427C-9A27-D7928087E637}"= UDP:c:\program files\DNA\btdna.exe:DNA
"{EC7845AA-36FE-4D63-9371-AE3C39ECB2FC}"= TCP:c:\program files\DNA\btdna.exe:DNA
"{F10C5C06-F367-4289-80CD-C4677516BB65}"= UDP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent
"{1D7811BB-11C8-4460-9812-5E3377992769}"= TCP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent
"{31205597-6343-4DE7-917A-0FD4C19630F6}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{FFCF2AA7-39A7-4814-B30D-A2190B5CA7DA}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{42A7AAD5-3682-4149-977F-B080B5A17706}"= UDP:c:\program files\DNA\btdna.exe:DNA
"{2A4817C6-138B-4EF8-A806-6D63A4D93DAA}"= TCP:c:\program files\DNA\btdna.exe:DNA
"{A25E1761-E50C-4022-8DBA-C8F05E11FAB7}"= UDP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent
"{1532752A-CE7F-4742-9568-0DFAB259E91E}"= TCP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent
"{DBE57DA0-2E71-4FC0-87C5-E0F3FADD8AE8}"= UDP:c:\program files\DNA\btdna.exe:DNA (TCP-In)
"{D38FC019-517B-4199-89C4-29D9D2366FA3}"= TCP:c:\program files\DNA\btdna.exe:DNA (UDP-In)
"{804A7E19-0FC8-4109-BA5F-0B1F4586D8B6}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{706A1364-1895-46B8-8955-AB238E901373}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{98B53A97-09A6-4FF5-966D-73D9016D4044}"= UDP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent (TCP-In)
"{B8B6C45B-B86C-41EB-BF68-A756DB12032E}"= TCP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent (UDP-In)
"{0BD19F3E-A711-4166-A6D4-72D60AF7FD50}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{939931D5-753D-400C-B532-8F8AF4F91C5B}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{3F7E5399-2F92-4B7F-810B-D409A35FD2D7}"= UDP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent (TCP-In)
"{5BD0E1CD-57B0-40BC-B4EE-2EFF2C97CD87}"= TCP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent (UDP-In)
"{CB57CF9A-AB1E-42D5-BC8F-9CAA707EA1DD}"= UDP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent (TCP-In)
"{FEBF5992-9E21-49F6-8CF8-9304671484D5}"= TCP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent (UDP-In)
"{921B5C27-3561-4E48-AEB6-7C40244ECF91}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{AF6CCFC3-AB38-4D26-B980-8F8799FC8EEB}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{7023F7B5-1377-4754-A1D1-701FD8C832DE}"= UDP:c:\program files\Shareaza Applications\Shareaza\Shareaza.exe:Shareaza
"{FCA44D04-8854-4694-96D7-D18E4ED56CC4}"= TCP:c:\program files\Shareaza Applications\Shareaza\Shareaza.exe:Shareaza
"TCP Query User{53585D34-88E1-4138-AF94-19B976E00056}c:\\users\\mel\\program files\\dna\\btdna.exe"= UDP:c:\users\mel\program files\dna\btdna.exe:btdna.exe
"UDP Query User{D5B86E26-2754-4C68-8AAF-07F3D1D680DE}c:\\users\\mel\\program files\\dna\\btdna.exe"= TCP:c:\users\mel\program files\dna\btdna.exe:btdna.exe
"TCP Query User{EB9BB86B-3A8F-4773-B4A5-272F7B556C48}c:\\program files\\ares\\ares.exe"= UDP:c:\program files\ares\ares.exe:Ares p2p for windows
"UDP Query User{7441B790-2FFE-4DB9-8E11-3729E11FC9D5}c:\\program files\\ares\\ares.exe"= TCP:c:\program files\ares\ares.exe:Ares p2p for windows
"TCP Query User{5DAB1149-000C-438F-A961-815919ACB612}c:\\program files\\limewire\\limewire.exe"= UDP:c:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{3BBE6B94-95E6-468C-BDC0-24DDE3672301}c:\\program files\\limewire\\limewire.exe"= TCP:c:\program files\limewire\limewire.exe:LimeWire
"{9FABBA60-1C94-430B-862B-626A42203CA7}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{DCEDF3A2-90FF-421B-9223-7322D1092841}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{CFB5B6B0-8AA8-44F3-A985-90D73224ADBF}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{85964A03-12F3-43ED-BD5D-803A0A6E20A7}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{18D3CB1E-8E3C-46AB-B9B5-49D3917BFC9B}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{65194594-0300-4263-B26F-446EC0826A54}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= c:\program files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink
"c:\\Program Files\\BitTorrent\\bittorrent.exe"= c:\program files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent

R0 SymEFA;Symantec Extended File Attributes;c:\windows\System32\drivers\NIS\1005000.087\SymEFA.sys [2009-03-18 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\System32\drivers\NIS\1005000.087\BHDrvx86.sys [2009-03-18 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\System32\drivers\NIS\1005000.087\cchpx86.sys [2009-03-18 482352]
R1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090331.007\IDSvix86.sys [2009-04-03 292912]
R2 DQLWinService;DQLWinService;c:\program files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe [2006-09-03 208896]
R2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe [2009-03-18 115560]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-02-28 101936]
R3 HSXHWBS3;HSXHWBS3;c:\windows\System32\drivers\HSXHWBS3.sys [2008-09-10 205824]
R3 MRV6X32U;Marvell TOPDOG 802.11n WLAN Driver for Vista x86 (USB8x);c:\windows\System32\drivers\MRVW24B.sys [2008-03-19 310016]
R3 SYMNDISV;Symantec Network Filter Driver;c:\windows\System32\drivers\NIS\1005000.087\symndisv.sys [2009-03-18 39984]
R3 xcbdaNtsc;ViXS Tuner Card (NTSC);c:\windows\System32\drivers\xcbda.sys [2007-09-07 156928]
S2 IntelDHSvcConf;Intel DH Service;c:\program files\Intel\IntelDH\Intel Media Server\tools\IntelDHSvcConf.exe [2006-05-10 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-04-07 c:\windows\Tasks\User_Feed_Synchronization-{8F39EAB2-4A1F-4B62-968C-CBD229FE0AE7}.job
- c:\windows\system32\msfeedssync.exe [2008-01-19 03:33]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-MetaCut Utilities MCU2CAM - c:\program files\MCU\Partners\Mastercam\mcu2cam.exe
HKCU-Run-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe
HKCU-Run-ares - c:\program files\Ares\Ares.exe
HKLM-Run-NBKeyScan - c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Pavilion&pf=desktop
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://edownload.grisoft.cz/ewidoOnlineScan.cab
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-06 23:39:52
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-04-06 23:41:54
ComboFix-quarantined-files.txt 2009-04-07 03:41:47

Pre-Run: 161,206,013,952 bytes free
Post-Run: 161,479,008,256 bytes free

315 --- E O F --- 2009-04-06 15:58:13

GMER 1.0.15.14966 - http://www.gmer.net
Rootkit scan 2009-04-07 00:06:30
Windows 6.0.6001 Service Pack 1


---- System - GMER 1.0.15 ----

SSDT 87C3D7D0 ZwAlertResumeThread
SSDT 87C1A048 ZwAlertThread
SSDT 87C07AB8 ZwAllocateVirtualMemory
SSDT 870B1E28 ZwAlpcConnectPort
SSDT 87C54E88 ZwAssignProcessToJobObject
SSDT 87C3F438 ZwCreateMutant
SSDT 87701F80 ZwCreateSymbolicLinkObject
SSDT 8764D810 ZwCreateThread
SSDT 87C53F50 ZwDebugActiveProcess
SSDT 87C07E70 ZwDuplicateObject
SSDT 87C07498 ZwFreeVirtualMemory
SSDT 87C3FF08 ZwImpersonateAnonymousToken
SSDT 87C3E508 ZwImpersonateThread
SSDT 870B18B0 ZwLoadDriver
SSDT 87C07338 ZwMapViewOfSection
SSDT 87C40908 ZwOpenEvent
SSDT 87C060F8 ZwOpenProcess
SSDT 87521068 ZwOpenProcessToken
SSDT 87C41708 ZwOpenSection
SSDT 87C07F40 ZwOpenThread
SSDT 87C54938 ZwProtectVirtualMemory
SSDT 87223B48 ZwResumeThread
SSDT 8764C048 ZwSetContextThread
SSDT 87C070A0 ZwSetInformationProcess
SSDT 87C41500 ZwSetSystemInformation
SSDT 87C40048 ZwSuspendProcess
SSDT 87C19050 ZwSuspendThread
SSDT 872AE620 ZwTerminateProcess
SSDT 87651048 ZwTerminateThread
SSDT 872AF2A8 ZwUnmapViewOfSection
SSDT 87C07828 ZwWriteVirtualMemory
SSDT 87C542E0 ZwCreateThreadEx

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetTimerEx + 350 820F0914 8 Bytes [D0, D7, C3, 87, 48, A0, C1, ...]
.text ntkrnlpa.exe!KeSetTimerEx + 365 820F0929 3 Bytes [7A, C0, 87]
.text ntkrnlpa.exe!KeSetTimerEx + 370 820F0934 4 Bytes [28, 1E, 0B, 87]
.text ntkrnlpa.exe!KeSetTimerEx + 3C4 820F0988 4 Bytes [88, 4E, C5, 87]
.text ntkrnlpa.exe!KeSetTimerEx + 428 820F09EC 4 Bytes [38, F4, C3, 87]
.text ...
? C:\Windows\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !
? C:\Users\Mel\AppData\Local\Temp\catchme.sys The system cannot find the file specified. !

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.exe[4528] @ C:\Windows\Explorer.exe [gdiplus.dll!GdiplusShutdown] [73E57BA4] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[4528] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipCloneImage] [73E998C5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[4528] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipDrawImageRectI] [73E5D3C8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[4528] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipSetInterpolationMode] [73E4F527] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[4528] @ C:\Windows\Explorer.exe [gdiplus.dll!GdiplusStartup] [73E57599] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[4528] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipCreateFromHDC] [73E4E43D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[4528] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipCreateBitmapFromStreamICM] [73E8B33D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[4528] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipCreateBitmapFromStream] [73E5D68A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[4528] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipGetImageHeight] [73E5012E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[4528] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipGetImageWidth] [73E50095] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[4528] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipDisposeImage] [73E471F3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[4528] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipLoadImageFromFileICM] [73EDD802] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[4528] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipLoadImageFromFile] [73E775E1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[4528] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipDeleteGraphics] [73E4DAE1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[4528] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipFree] [73E4668F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[4528] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipAlloc] [73E466BA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[4528] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipSetCompositingMode] [73E51E45] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet004\Services\ovfsthtikroeprvnqsmqlsxtetfinvbkeupquq@start 1
Reg HKLM\SYSTEM\ControlSet004\Services\ovfsthtikroeprvnqsmqlsxtetfinvbkeupquq@type 1
Reg HKLM\SYSTEM\ControlSet004\Services\ovfsthtikroeprvnqsmqlsxtetfinvbkeupquq@group file system
Reg HKLM\SYSTEM\ControlSet004\Services\ovfsthtikroeprvnqsmqlsxtetfinvbkeupquq@imagepath \systemroot\system32\drivers\ovfsthcvewubnqvosntypuwkhrakwpwuswuwcm.sys
Reg HKLM\SYSTEM\ControlSet004\Services\ovfsthtikroeprvnqsmqlsxtetfinvbkeupquq@inst 0
Reg HKLM\SYSTEM\ControlSet004\Services\ovfsthtikroeprvnqsmqlsxtetfinvbkeupquq\main
Reg HKLM\SYSTEM\ControlSet004\Services\ovfsthtikroeprvnqsmqlsxtetfinvbkeupquq\main@ver icv230309
Reg HKLM\SYSTEM\ControlSet004\Services\ovfsthtikroeprvnqsmqlsxtetfinvbkeupquq\main@cid 02
Reg HKLM\SYSTEM\ControlSet004\Services\ovfsthtikroeprvnqsmqlsxtetfinvbkeupquq\main@bid 3103255152-1618943633-1469957750-1356896923
Reg HKLM\SYSTEM\ControlSet004\Services\ovfsthtikroeprvnqsmqlsxtetfinvbkeupquq\main@aid 303392
Reg HKLM\SYSTEM\ControlSet004\Services\ovfsthtikroeprvnqsmqlsxtetfinvbkeupquq\main@sid 40
Reg HKLM\SYSTEM\ControlSet004\Services\ovfsthtikroeprvnqsmqlsxtetfinvbkeupquq\main@feed 0x22 0x64 0x78 0x36 ...
Reg HKLM\SYSTEM\ControlSet004\Services\ovfsthtikroeprvnqsmqlsxtetfinvbkeupquq\main@cmddelay 14401
Reg HKLM\SYSTEM\ControlSet004\Services\ovfsthtikroeprvnqsmqlsxtetfinvbkeupquq\main\delete
Reg HKLM\SYSTEM\ControlSet004\Services\ovfsthtikroeprvnqsmqlsxtetfinvbkeupquq\main\injector
Reg HKLM\SYSTEM\ControlSet004\Services\ovfsthtikroeprvnqsmqlsxtetfinvbkeupquq\main\injector@iexplore.exe ovfsthwi.dll
Reg HKLM\SYSTEM\ControlSet004\Services\ovfsthtikroeprvnqsmqlsxtetfinvbkeupquq\main\injector@explorer.exe ovfsthff.dll
Reg HKLM\SYSTEM\ControlSet004\Services\ovfsthtikroeprvnqsmqlsxtetfinvbkeupquq\main\tasks
Reg HKLM\SYSTEM\ControlSet004\Services\ovfsthtikroeprvnqsmqlsxtetfinvbkeupquq\modules
Reg HKLM\SYSTEM\ControlSet004\Services\ovfsthtikroeprvnqsmqlsxtetfinvbkeupquq\modules@ovfsth.dll \systemroot\system32\ovfsthcyntxpkrwrcjbwooqqpiivamdtxpvpfy.dll
Reg HKLM\SYSTEM\ControlSet004\Services\ovfsthtikroeprvnqsmqlsxtetfinvbkeupquq\modules@ovfsth.sys \systemroot\system32\drivers\ovfsthcvewubnqvosntypuwkhrakwpwuswuwcm.sys
Reg HKLM\SYSTEM\ControlSet004\Services\ovfsthtikroeprvnqsmqlsxtetfinvbkeupquq\modules@ovfsthlog.dat \systemroot\system32\ovfsthwxnqbtmiacwxpepvcscaiabdrnxnfhwi.dat
Reg HKLM\SYSTEM\ControlSet004\Services\ovfsthtikroeprvnqsmqlsxtetfinvbkeupquq\modules@ovfsthwi.dll \systemroot\system32\ovfsthmhmkaqxekyxbkyvsvehbfailqguixiog.dll
Reg HKLM\SYSTEM\ControlSet004\Services\ovfsthtikroeprvnqsmqlsxtetfinvbkeupquq\modules@ovfsthff.dll \systemroot\system32\ovfsthiqswynyxxsgfrelowumdctqejisimoka.dll
Reg HKLM\SYSTEM\ControlSet004\Services\ovfsthtikroeprvnqsmqlsxtetfinvbkeupquq\modules@ovfsth.dat \systemroot\system32\ovfsthjdhqhxlxeevuimumwqbicdgrpgtqjbth.dat
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E50FA67B-089E-6DAC-EB1B-44D5E3180782}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E50FA67B-089E-6DAC-EB1B-44D5E3180782}@iadjpigmmmdcgjdfla 0x6A 0x61 0x68 0x61 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E50FA67B-089E-6DAC-EB1B-44D5E3180782}@hajjjohacjcbdllj 0x6A 0x61 0x68 0x61 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E50FA67B-089E-6DAC-EB1B-44D5E3180782}@haemlfkhciaagbdm 0x66 0x61 0x69 0x61 ...
Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Program Files\Electronic Arts\SimCity™ Societies\PackageInstaller.exe 1

---- Files - GMER 1.0.15 ----

File C:\Windows\System32\wfp\wfpdiag.etl (size mismatch) 65536/0 bytes
File C:\Windows\System32\LogFiles\Scm\SCM.EVM (size mismatch) 7700480/7438336 bytes
File C:\Windows\System32\LogFiles\SQM\SQMLogger_2009-4-6-13-42-9_0.etl (size mismatch) 5242880/0 bytes
File C:\Windows\System32\LogFiles\WUDF\WUDFTrace.etl (size mismatch) 32768/24576 bytes

---- EOF - GMER 1.0.15 ----
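
Added example, not part of this thread and not GMER's own code: a small Python triage script for the registry section of the GMER log above. It groups the Reg lines by service and reports a service that registers an injector subkey (DLLs to be loaded into iexplore.exe and explorer.exe) or whose name looks machine-generated; the sample input copies four lines from the log plus one constructed, benign Tcpip control line.

```python
"""Triage helper for the registry section of a GMER log.

Added example, not part of this thread and not GMER's own code. It groups the
'Reg HKLM\\SYSTEM\\...\\Services\\<name>...' lines by service and reports any
service that registers an 'injector' subkey (DLLs to be loaded into other
processes) or whose name looks machine-generated, the pattern in the log above.
"""
import re
from collections import defaultdict

# Constructed sample: four lines copied from the log above plus one benign,
# constructed control entry under the real Tcpip service key.
SAMPLE_LOG = r"""
Reg HKLM\SYSTEM\ControlSet004\Services\ovfsthtikroeprvnqsmqlsxtetfinvbkeupquq\main@cmddelay 14401
Reg HKLM\SYSTEM\ControlSet004\Services\ovfsthtikroeprvnqsmqlsxtetfinvbkeupquq\main\injector@iexplore.exe ovfsthwi.dll
Reg HKLM\SYSTEM\ControlSet004\Services\ovfsthtikroeprvnqsmqlsxtetfinvbkeupquq\main\injector@explorer.exe ovfsthff.dll
Reg HKLM\SYSTEM\ControlSet004\Services\ovfsthtikroeprvnqsmqlsxtetfinvbkeupquq\modules@ovfsth.sys \systemroot\system32\drivers\ovfsthcvewubnqvosntypuwkhrakwpwuswuwcm.sys
Reg HKLM\SYSTEM\ControlSet004\Services\Tcpip\Parameters@EnableICMPRedirect 0
"""

# Service name is the first path component after \Services\; the rest is the
# subkey path plus an optional '@valuename data' tail.
SERVICE_LINE = re.compile(
    r"^Reg HKLM\\SYSTEM\\ControlSet\d+\\Services\\([^\\@\s]+)(.*)$")
VOWELS = set("aeiouy")


def looks_random(name):
    """Cheap heuristic for a generated name: all lower case, unusually long, and a
    run of four or more consonants (rare in real words). Two of the three signals
    flag the name; 'SymEFA' or 'LocalServiceNetworkRestricted' score at most one."""
    run = best = 0
    for ch in name.lower():
        run = run + 1 if ch.isalpha() and ch not in VOWELS else 0
        best = max(best, run)
    signals = [name == name.lower(), len(name) >= 20, best >= 4]
    return sum(signals) >= 2


def parse_entry(rest):
    """Split '\\sub\\key@value data' into (subkey path, value name, data)."""
    path, _, value = rest.partition("@")
    name, _, data = value.partition(" ")
    return path.strip("\\"), name, data


def triage(log_text):
    """Return {service: report} for services with an injector subkey or a
    generated-looking name. report['injects'] maps target process to DLL and
    report['modules'] lists files registered under the modules subkey."""
    services = defaultdict(lambda: {"injects": {}, "modules": [], "random_name": False})
    for line in log_text.splitlines():
        m = SERVICE_LINE.match(line.strip())
        if not m:
            continue
        svc, rest = m.group(1), m.group(2)
        path, value, data = parse_entry(rest)
        rec = services[svc]
        rec["random_name"] = looks_random(svc)
        leaf = path.lower().split("\\")[-1]
        if leaf == "injector" and value:
            rec["injects"][value.lower()] = data
        elif leaf == "modules" and value:
            rec["modules"].append(data)
    return {svc: r for svc, r in services.items() if r["injects"] or r["random_name"]}


if __name__ == "__main__":
    for svc, rec in triage(SAMPLE_LOG).items():
        print(svc, "(generated-looking name)" if rec["random_name"] else "")
        for target, dll in rec["injects"].items():
            print("  injects", dll, "into", target)
        for mod in rec["modules"]:
            print("  module", mod)
```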

#7 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 07 April 2009 - 07:30 AM

Hello.

Just some leftovers.

Download and Run ATFCleaner
Please download ATF Cleaner by Atribune. This program will clear out temporary files and settings. You will likely be logged out of the forum where you are receiving help.
  • Double-click ATF-Cleaner.exe to run the program. If you are using Windows Vista, right click the icon and select Run As Administrator.
  • Under Main Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
Download and Run OTMoveIT
  • Please download OTMoveIt3 by OldTimer to your desktop. If you have already used the program, there is no need to download a new one.
  • Double-click OTMoveIt3.exe to run it. If you are running on Vista, right click on the file and choose Run As Administrator.
  • Copy the lines in the codebox below. Do not copy the word "code".
    :files
    c:\windows\System32\mqapi.exe
    
    :commands
    [emptytemp]
  • Return to OTMoveIt3, right click in the Paste List Of Files/Patterns To Move window (under the yellow bar) and choose Paste.
  • Close all open windows except OTMoveIt.
  • Click the MoveIt! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3.
Note: If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key. Navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest ".log" file present, and copy/paste the contents of that document back here in your next post.

Run Scan with Kaspersky
Please do a scan with Kaspersky Online Scanner.

This scan is for Internet Explorer Only.

If you are using Windows Vista, open your browser by right-clicking on its icon and select Run as administrator to perform this scan.

  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

This scanner will only scan. It does not remove any malware it finds.

Please take a new DDS.txt log after.

Any problems at the moment?

With Regards,
The Panda

#8 Msingh689

  • Topic Starter
  • Members
  • 7 posts

Posted 07 April 2009 - 01:30 PM

Hi Panda,

All of the problems that I originally had are gone. THANK YOU.

When I was running OTMoveIt the file moved correctly, but the :commands [emptytemp] part did not work. I left the computer to run it for about 30 mins and nothing came up. It just said that the file moved correctly and that's it. Not sure if it is supposed to say something.

Anyway, the Kaspersky online scanner log file said that there is no malware detected. :)

Is there any way to prevent this from happening again? I have Norton IS and apparently that's not enough.

Thanks again. Great help

Melina

#9 Msingh689

  • Topic Starter
  • Members
  • 7 posts

Posted 07 April 2009 - 01:34 PM

Oh, I forgot to add the DDS log file, so here it is.


DDS (Ver_09-03-16.01) - NTFSx86
Run by Mel at 14:31:46.97 on 07/04/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.2.1033.18.2047.1094 [GMT -4:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\alg.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\schtasks.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Windows\system32\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\ehome\ehsched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Windows\ehome\ehRecvr.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\hp\kbd\kbd.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Intel\IntelDH\CCU\CCU_Engine.exe
C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\conime.exe
C:\Users\Mel\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Mel\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Pavilion&pf=desktop
uInternet Settings,ProxyOverride = *.local
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\norton internet security\engine\16.5.0.135\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\norton internet security\engine\16.5.0.135\IPSBHO.DLL
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\norton internet security\engine\16.5.0.135\coIEPlg.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [BitTorrent] "c:\program files\bittorrent\bittorrent.exe"
uRun: [BitTorrent DNA] "c:\users\mel\program files\dna\btdna.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [KBD] c:\hp\kbd\KbdStub.EXE
mRun: [OsdMaestro] "c:\program files\hewlett-packard\on-screen osd indicator\OSD.exe"
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [CCUTRAYICON] FactoryMode
mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
mRun: [SunJavaUpdateReg] "c:\windows\system32\jureg.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
StartupFolder: c:\users\mel\appdata\roaming\micros~1\windows\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
StartupFolder: c:\users\mel\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\programs\partygaming\partypoker\RunApp.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://edownload.grisoft.cz/ewidoOnlineScan.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton internet security\norton internet security\engine\16.5.0.135\CoIEPlg.dll

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1005000.087\SymEFA.sys [2009-3-18 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nis\1005000.087\BHDrvx86.sys [2009-3-18 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1005000.087\cchpx86.sys [2009-3-18 482352]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090331.007\IDSvix86.sys [2009-4-3 292912]
R2 DQLWinService;DQLWinService;c:\program files\common files\intel\inteldh\nms\adpplugins\DQLWinService.exe [2006-9-3 208896]
R2 Norton Internet Security;Norton Internet Security;c:\program files\norton internet security\norton internet security\engine\16.5.0.135\ccSvcHst.exe [2009-3-18 115560]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-2-28 101936]
R3 HSXHWBS3;HSXHWBS3;c:\windows\system32\drivers\HSXHWBS3.sys [2008-9-10 205824]
R3 MRV6X32U;Marvell TOPDOG 802.11n WLAN Driver for Vista x86 (USB8x);c:\windows\system32\drivers\MRVW24B.sys [2008-3-19 310016]
R3 SYMNDISV;Symantec Network Filter Driver;c:\windows\system32\drivers\nis\1005000.087\symndisv.sys [2009-3-18 39984]
R3 xcbdaNtsc;ViXS Tuner Card (NTSC);c:\windows\system32\drivers\xcbda.sys [2007-9-7 156928]
S2 IntelDHSvcConf;Intel DH Service;c:\program files\intel\inteldh\intel media server\tools\IntelDHSvcConf.exe [2006-5-10 29696]

=============== Created Last 30 ================

2009-04-07 11:30 <DIR> --d----- C:\_OTMoveIt
2009-04-06 23:34 161,792 a------- c:\windows\SWREG.exe
2009-04-06 23:34 98,816 a------- c:\windows\sed.exe
2009-04-06 23:33 <DIR> --d----- C:\ComboFix
2009-03-27 12:47 <DIR> --d----- c:\users\mel\appdata\roaming\Malwarebytes
2009-03-27 12:47 <DIR> --d----- c:\programdata\Malwarebytes
2009-03-27 12:47 <DIR> --d----- c:\progra~2\Malwarebytes
2009-03-27 11:24 <DIR> --d----- c:\programdata\SUPERAntiSpyware.com
2009-03-27 11:24 <DIR> --d----- c:\progra~2\SUPERAntiSpyware.com
2009-03-27 11:23 <DIR> --d----- c:\users\mel\appdata\roaming\SUPERAntiSpyware.com
2009-03-27 11:23 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-03-26 07:54 <DIR> --d----- c:\users\mel\appdata\roaming\CleanMyPC Software
2009-03-25 13:08 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-25 13:01 <DIR> --d----- c:\program files\Trend Micro
2009-03-24 16:27 <DIR> --d----- C:\games
2009-03-24 00:05 <DIR> --d----- c:\programdata\PlayPond
2009-03-24 00:05 <DIR> --d----- c:\progra~2\PlayPond
2009-03-24 00:05 <DIR> --d----- c:\windows\Mystery Legends Sleepy Hollow
2009-03-23 23:38 <DIR> --d----- c:\users\mel\appdata\roaming\Ashtons. Family Resort
2009-03-23 23:38 <DIR> --d----- c:\programdata\Ashtons. Family Resort
2009-03-23 23:38 <DIR> --d----- c:\progra~2\Ashtons. Family Resort
2009-03-23 23:37 <DIR> --d----- c:\windows\Ashtons Family Resort
2009-03-21 14:08 <DIR> --d----- c:\users\mel\Tracing
2009-03-21 14:03 <DIR> --d----- c:\program files\Windows Live SkyDrive
2009-03-21 13:56 <DIR> --d----- c:\program files\common files\Windows Live
2009-03-15 23:53 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-03-15 23:53 23,848 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-15 23:53 <DIR> --d----- c:\program files\iPod
2009-03-15 23:53 <DIR> --d----- c:\programdata\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-15 23:53 <DIR> --d----- c:\program files\iTunes
2009-03-15 23:53 <DIR> --d----- c:\progra~2\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-15 23:51 <DIR> --d----- c:\program files\Bonjour
2009-03-11 21:39 479,232 a------- c:\windows\system32\AudioVisu.dll
2009-03-11 21:39 454,656 a------- c:\windows\system32\AudioRecord.dll
2009-03-11 21:39 348,160 a------- c:\windows\system32\WMAFile.dll
2009-03-11 21:39 116,296 a------- c:\windows\system32\NCTWMAProfiles.prx
2009-03-11 21:39 2,084,864 a------- c:\windows\system32\AudDesign.dll
2009-03-11 21:39 1,986,560 a------- c:\windows\system32\AudFile.dll
2009-03-11 21:39 1,212,416 a------- c:\windows\system32\AudioInfos.dll
2009-03-11 21:39 458,752 a------- c:\windows\system32\AudPlayer.dll
2009-03-11 21:39 417,792 a------- c:\windows\system32\AudDisplay.dll
2009-03-11 21:39 <DIR> --d----- c:\program files\Free Audio Pack
2009-03-11 05:41 268,288 a------- c:\windows\system32\schannel.dll
2009-03-11 05:41 2,033,152 a------- c:\windows\system32\win32k.sys

==================== Find3M ====================

2009-03-31 23:44 47,360 a------- c:\users\mel\appdata\roaming\pcouffin.sys
2009-03-26 07:36 143,360 a------- c:\windows\inf\infstrng.dat
2009-03-26 07:36 86,016 a------- c:\windows\inf\infstor.dat
2009-03-26 07:36 51,200 a------- c:\windows\inf\infpub.dat
2009-03-25 19:31 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-03-25 19:31 7,386 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-03-25 19:31 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-03-12 05:03 25,136 a----r-- c:\windows\system32\drivers\SymIMV.sys
2009-03-05 23:59 1,900,544 a------- c:\windows\system32\usbaaplrc.dll
2009-03-05 23:59 36,864 a------- c:\windows\system32\drivers\usbaapl.sys
2009-02-07 13:22 319,456 a------- c:\windows\DIFxAPI.dll
2009-02-06 18:52 49,504 a------- c:\windows\system32\sirenacm.dll
2009-01-15 02:11 827,392 a------- c:\windows\system32\wininet.dll
2008-06-11 23:39 665,600 a------- c:\windows\inf\drvindex.dat
2008-04-22 15:47 174 a--sh--- c:\program files\desktop.ini
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2008-04-18 01:54 22 a--sh--- c:\windows\sminst\HPCD.sys

============= FINISH: 14:31:55.11 ===============

#10 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 07 April 2009 - 02:25 PM

Hello.

Looks good. Unless there are any issues at the moment, we can wrap up.

I'll leave you with some prevention tips.

Uninstall ComboFix
Remove Combofix now that we're done with it.
  • Click on your Start Menu, then Run....
  • Now type the following into the runbox and click OK. Notice the space between the "x" and "/".
    ComboFix /u
Uninstalling ComboFix will do the following:
  • Delete ComboFix and its components from your computer.
  • Delete other tools commonly used during the malware removal process.
  • Reset clock settings to standard format.
  • Hide file extensions and hidden/system files.
  • Clear the System Restore cache and create a new restore point.
Run Cleanup! with OTMoveIt
Let's clear out the tools we've used.
  • Double click the OTMoveIt2.exe icon on your desktop to start the program.
  • Click the CleanUp! button.
  • A pop-up box will appear asking "Begin Removal Process?". Click Yes.
  • Click Yes when asked to reboot.
Preventing Malware Infection in the Future
Please take some time to look at the following links, which give some advice and suggestions for preventing future infections: For general slowness problems that you may have, take a look at Slow Computer/browser? It May Not Be Malware. Read How to use the Startup Database to identify and disable unneeded processes and increase the amount of available resources.

Do you have any questions or concerns?

With Regards,
The Panda

#11 Msingh689

  • Topic Starter
  • Members
  • 7 posts

Posted 07 April 2009 - 02:47 PM

Thank you Panda,

You've been a great help and the computer is back to normal. Thanks a bunch.

Melina

#12 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 07 April 2009 - 02:51 PM

You are welcome.

Since this issue appears to be resolved, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda



