
Trojan.tdss, Please help!


7 replies to this topic

#1 KAInc

KAInc

  • Members
  • 13 posts
  • OFFLINE
  • Local time:03:58 AM

Posted 02 July 2009 - 07:32 AM

Managed to get a Trojan virus or a rootkit (I'm not entirely sure what the latter means, just relaying what was told to me by someone more knowledgeable than myself) and I'm having trouble getting rid of it.

As of my last scans since I've had the problem (these have been updated non-stop since the problem started):

ESET NOD32 Antivirus:
has found nothing.

Malwarebytes:
finds two infected items. Attempts to clean on restart, "succeeds" but the problem persists.
1) Trojan.TDSS -- Memory Module -- \\?\globalroot\systemroot\System32\SKYNETpcxeicla.dll
2) Trojan.TDSS -- File -- \\?\globalroot\systemroot\System32\SKYNETpcxeicla.dll

Spybot Search & Destroy:
finds seventeen infected items, all under one tree, a "Win32.TDSS.rtk". Attempts to clean after scan ends, again, "succeeds" but the problem persists.
1) (SBI $79B0E3AB) File @ C:\Windows\System32\Drivers\SKYNETxgnyskyq.sys
2) (SBI $49F1C28A) File @ C:\Windows\System32\SKYNETiifovxox.dll
3) (SBI $49F1C28A) File @ C:\Windows\System32\SKYNETpcxeicla.dll
4) (SBI $00122603) File @ C:\Windows\temp\SKYNETarmajkkjdn.tmp
5) (SBI $00122603) File @ C:\Windows\temp\SKYNETegfrfapkky.tmp
6) (SBI $00122603) File @ C:\Windows\temp\SKYNETegxuvucuwt.tmp
7) (SBI $00122603) File @ C:\Windows\temp\SKYNETmylijihmamn.tmp
8) (SBI $00122603) File @ C:\Windows\temp\SKYNETnijvaepqmm.tmp
9) (SBI $00122603) File @ C:\Windows\temp\SKYNETpqfceaomny.tmp
10) (SBI $00122603) File @ C:\Windows\temp\SKYNETpvkhotpnsj.tmp
11) (SBI $00122603) File @ C:\Windows\temp\SKYNETsqxsoigyuf.tmp
12) (SBI $00122603) File @ C:\Windows\temp\SKYNETsuxxnjnxrn.tmp
13) (SBI $00122603) File @ C:\Windows\temp\SKYNETtefbohqdxm.tmp
14) (SBI $00122603) File @ C:\Windows\temp\SKYNETtwlgmcklmt.tmp
15) (SBI $00122603) File @ C:\Windows\temp\SKYNETvcowxgvlbi.tmp
16) (SBI $1A7ABF3C) File @ C:\Windows\System32\SKYNETpptpvuav.dat
17) (SBI $1A7ABF3C) File @ C:\Windows\System32\SKYNETxsbkwsfw.dat
Included below is a copy of the DDS.txt file. I have attached the "Attach.txt" DDS file as well, and can get a copy of HijackThis's readout if it will be of any assistance.

Thank you for taking the time to look into this issue for me,
-KAInc



========DDS.txt========

DDS (Ver_09-06-26.01) - NTFSx86
Run by Chris at 4:29:08.83 on Thu 07/02/2009
Internet Explorer: 8.0.6001.18783
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3071.1352 [GMT -7:00]

AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
SP: ESET NOD32 Antivirus 3.0 *enabled* (Updated) {E5E70D32-0101-4B98-A4D6-D1D15C3BB448}
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Windows\PixArt\Pac207\Monitor.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
c:\hp\HPEZBTN\HPBtnSrv.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\lxczcoms.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\TeamViewer\Version4\TeamViewer_Service.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Pidgin\pidgin.exe
C:\Program Files\Windows Mail\WinMail.exe
C:\Program Files\MSN\MSNIA\CC\MSNCC\logonmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files\Cobian Backup 8\Cobian.exe
C:\Program Files\Cobian Backup 8\cbInterface.exe
C:\Users\Chris\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uDefault_Search_URL = about:blank
mStart Page = hxxp://www.yahoo.com/
mDefault_Page_URL = hxxp://www.yahoo.com/
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = about:blank
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearchURL = about:blank
mSearchAssistant = about:blank
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
BHO: IeCatch2 Class: {a5366673-e8ca-11d3-9cd9-0090271d075b} - c:\program files\flashget\jccatch.dll
TB: FlashGet Bar: {e0e899ab-f487-11d5-8d29-0050ba6940e3} - c:\progra~1\flashget\fgiebar.dll
TB: Wolfram Toolbar: {9e709aef-74f7-4da3-a7fc-f3e2d5a8d793} - c:\program files\wolfram research\wolframtoolbar\1.0\WolframBands32.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [CCUTRAYICON] FactoryMode
mRun: [<NO NAME>]
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [Monitor] c:\windows\pixart\pac207\Monitor.exe
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
StartupFolder: c:\users\chris\appdata\roaming\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\FINDFAST.EXE
StartupFolder: c:\users\chris\appdata\roaming\micros~1\windows\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office\OSA.EXE
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
IE: Download All by FlashGet - c:\program files\flashget\jc_all.htm
IE: Download using FlashGet - c:\program files\flashget\jc_link.htm
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashget\flashget.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {99CAAA27-FA0C-4FA4-B88A-4AB1CC7A17FE}
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\chris\appdata\roaming\mozilla\firefox\profiles\aprnnjqw.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\gametap web player\bin\release\npGameTapWebPlayer.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAskSBr.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-7-1 64160]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-3-13 33800]
R1 SSHDRV85;SSHDRV85;c:\windows\system32\drivers\SSHDRV85.sys [2008-11-9 78848]
R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\adobe\photoshop elements 6.0\PhotoshopElementsFileAgent.exe [2007-9-11 124832]
R2 DQLWinService;DQLWinService;c:\program files\common files\intel\inteldh\nms\adpplugins\DQLWinService.exe [2006-9-3 208896]
R2 ekrn;Eset Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2008-3-13 472320]
R2 HPBtnSrv;HP Chasis Button Service;c:\hp\hpezbtn\HPBtnSrv.exe [2007-11-14 198240]
R2 lxcz_device;lxcz_device;c:\windows\system32\lxczcoms.exe -service --> c:\windows\system32\lxczcoms.exe -service [?]
R2 TeamViewer4;TeamViewer 4;c:\program files\teamviewer\version4\TeamViewer_Service.exe [2009-1-22 185640]
R3 HCW85BDA;Hauppauge WinTV 885 Video Capture;c:\windows\system32\drivers\HCW85BDA.sys [2008-12-3 1426304]
R3 netr73;USB Wireless 802.11 b/g Adaptor Driver for Vista;c:\windows\system32\drivers\netr73.sys [2008-10-21 497152]
S2 IntelDHSvcConf;Intel DH Service;c:\program files\intel\inteldh\intel media server\tools\IntelDHSvcConf.exe [2006-5-10 29696]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1029456]
S3 PAC207;SoC PC-Camera;c:\windows\system32\drivers\PFC027.SYS [2006-12-5 507136]

=============== Created Last 30 ================

2009-07-01 23:28 <DIR> --d----- c:\program files\Cobian Backup 8
2009-07-01 23:25 <DIR> --d----- c:\programdata\Cobian
2009-07-01 23:25 <DIR> --d----- c:\progra~2\Cobian
2009-07-01 23:25 <DIR> --d----- c:\program files\Cobian Backup 9
2009-07-01 22:46 <DIR> --d----- c:\users\chris\appdata\roaming\MSNInstaller
2009-07-01 22:17 <DIR> --d----- c:\program files\Trend Micro
2009-07-01 18:37 15,688 a------- c:\windows\system32\lsdelete.exe
2009-07-01 18:31 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-07-01 18:29 <DIR> --d----- c:\program files\Lavasoft
2009-07-01 18:28 <DIR> -cd-h--- c:\programdata\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-07-01 18:28 <DIR> -cd-h--- c:\progra~2\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-30 18:41 <DIR> --d----- C:\SDFix
2009-06-14 03:42 <DIR> --d----- c:\users\chris\FFXIWindower
2009-06-13 01:12 <DIR> --d----- c:\program files\Guild Wars
2009-06-09 21:03 623,616 a------- c:\windows\system32\localspl.dll
2009-06-09 21:03 2,034,688 a------- c:\windows\system32\win32k.sys
2009-06-09 21:02 784,896 a------- c:\windows\system32\rpcrt4.dll
2009-06-02 19:53 133,931 a------- c:\windows\Magnifier Uninstaller.exe
2009-06-02 19:53 <DIR> --d----- c:\program files\Magnifier 2.4

==================== Find3M ====================

2009-06-28 01:34 758 a------- c:\users\chris\appdata\roaming\wklnhst.dat
2009-06-17 11:27 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 11:27 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-05-28 00:31 51,200 a------- c:\windows\inf\infpub.dat
2009-05-28 00:31 143,360 a------- c:\windows\inf\infstrng.dat
2009-05-28 00:31 143,360 a------- c:\windows\inf\infstor.dat
2009-05-28 00:26 665,600 a------- c:\windows\inf\drvindex.dat
2009-05-08 22:50 915,456 a------- c:\windows\system32\wininet.dll
2009-05-08 22:34 71,680 a------- c:\windows\system32\iesetup.dll
2009-04-10 23:33 986,600 a------- c:\windows\system32\winload.exe
2009-04-10 23:33 926,184 a------- c:\windows\system32\winresume.exe
2009-04-10 23:33 614,376 a------- c:\windows\system32\ci.dll
2009-04-10 23:32 50,664 a------- c:\windows\system32\PSHED.DLL
2009-04-10 23:32 3,601,896 a------- c:\windows\system32\ntkrnlpa.exe
2009-04-10 23:32 3,549,672 a------- c:\windows\system32\ntoskrnl.exe
2009-04-10 23:32 438,744 a------- c:\windows\system32\mcupdate_GenuineIntel.dll
2009-04-10 23:32 245,736 a------- c:\windows\system32\clfs.sys
2009-04-10 23:32 177,128 a------- c:\windows\system32\halmacpi.dll
2009-04-10 23:32 140,776 a------- c:\windows\system32\halacpi.dll
2009-04-10 23:32 17,896 a------- c:\windows\system32\kd1394.dll
2009-04-10 23:32 19,944 a------- c:\windows\system32\kdusb.dll
2009-04-10 23:32 17,384 a------- c:\windows\system32\kdcom.dll
2009-04-10 23:27 627,200 a------- c:\windows\system32\sethc.exe
2009-04-10 23:22 7,168 a------- c:\windows\system32\f3ahvoas.dll
2009-04-10 23:21 37,376 a------- c:\windows\system32\cdd.dll
2009-04-10 22:03 12,240,896 a------- c:\windows\system32\NlsLexicons0007.dll
2009-04-10 22:03 2,644,480 a------- c:\windows\system32\NlsLexicons0009.dll
2009-04-10 21:57 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-04-10 21:54 2,048 a------- c:\windows\system32\mferror.dll
2009-04-10 21:39 16,384 a------- c:\windows\system32\iscsilog.dll
2009-04-10 21:27 2,560 a------- c:\windows\system32\msimsg.dll
2009-04-10 21:23 289,792 a------- c:\windows\system32\atmfd.dll
2009-04-10 21:12 617,984 a------- c:\windows\system32\adtschema.dll
2009-04-10 18:59 107,612 a------- c:\windows\system32\StructuredQuerySchema.bin
2008-09-11 06:05 614,284,494 a------- c:\program files\wl_setup_2.0.3.exe.sl
2008-07-01 19:38 2,098 a--sh--- c:\programdata\KGyGaAvL.sys
2008-07-01 19:38 2,098 a--sh--- c:\progra~2\KGyGaAvL.sys
2008-06-13 23:27 174 a--sh--- c:\program files\desktop.ini
2008-05-25 22:53 88 ---shr-- c:\programdata\FF0D249BB6.sys
2008-05-25 22:53 88 ---shr-- c:\progra~2\FF0D249BB6.sys
2006-11-02 05:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 05:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 05:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 05:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2007-11-14 15:18 8,192 a--sh--- c:\windows\users\default\NTUSER.DAT

============= FINISH: 4:30:38.12 ===============
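As an added illustration (not part of this thread and not code from Malwarebytes, Spybot or ComboFix), the following Python triage script parses lines in the shape of the three tools' output quoted above and groups the TDSS-style indicators by role, flagging the case this poster ran into: a module reported under a `\\?\globalroot\` path alongside a driver in `system32\drivers`, which is why a user-mode "successful" deletion does not hold. The sample lines are constructed from the entries quoted in the thread; the SKYNET prefix, the regexes and the role names are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the Malwarebytes, Spybot and ComboFix lines quoted
# in this thread (a few lines only, not the full logs).
SAMPLE_LOG = r"""
\\?\globalroot\systemroot\System32\SKYNETpcxeicla.dll (Trojan.TDSS) -> Delete on reboot.
(SBI $79B0E3AB) File @ C:\Windows\System32\Drivers\SKYNETxgnyskyq.sys
(SBI $49F1C28A) File @ C:\Windows\System32\SKYNETiifovxox.dll
(SBI $49F1C28A) File @ C:\Windows\System32\SKYNETpcxeicla.dll
(SBI $00122603) File @ C:\Windows\temp\SKYNETarmajkkjdn.tmp
(SBI $1A7ABF3C) File @ C:\Windows\System32\SKYNETpptpvuav.dat
-------\Service_SKYNETplbckimv
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-3-13 33800]
C:\Windows\system32\svchost.exe -k netsvcs
"""

# Paths as the tools print them: Win32 drive paths and NT object-namespace paths
# (\\?\globalroot\...). The path ends at whitespace, ';', parentheses or brackets.
PATH_RE = re.compile(r"(?:\\\\\?\\globalroot\\|[A-Za-z]:\\)[^\s;()\[\]]+", re.IGNORECASE)
SERVICE_RE = re.compile(r"\\Service_(\w+)")
# Naming seen in this thread (assumed pattern): fixed upper-case prefix + random
# lower-case suffix, in one of the extensions the scanners reported.
FAMILY_NAME_RE = re.compile(r"^(?P<prefix>SKYNET)(?P<rand>[a-z]{6,12})\.(?P<ext>sys|dll|dat|tmp)$")


def classify(path):
    """Return indicator details for one path, or None when it does not match the pattern."""
    name = path.rsplit("\\", 1)[-1]
    m = FAMILY_NAME_RE.match(name)
    if not m:
        return None
    low = path.lower()
    if "\\drivers\\" in low and m["ext"] == "sys":
        role = "kernel driver"
    elif m["ext"] == "dll":
        role = "injected dll"
    elif m["ext"] == "dat":
        role = "config/data"
    elif "\\temp\\" in low:
        role = "temp dropper"
    else:
        role = "other"
    return {
        "name": name,
        "role": role,
        "prefix": m["prefix"],
        # \\?\globalroot\... means the scanner reached the file through the NT object
        # namespace rather than a drive letter: the module is loaded in memory but hidden
        # from ordinary Win32 enumeration, so a cleanup can "succeed" yet the infection
        # persists until the driver doing the hiding is gone.
        "hidden_path": low.startswith("\\\\?\\globalroot\\"),
    }


def triage(text):
    """Collect family indicators from a pasted log, keyed by file name so the same
    module reported under two paths (globalroot and C:\\) becomes one entry."""
    found = defaultdict(lambda: {"roles": set(), "hidden": False, "paths": set()})
    services = []
    for line in text.splitlines():
        for path in PATH_RE.findall(line):
            info = classify(path)
            if info is None:
                continue
            entry = found[info["name"].lower()]
            entry["roles"].add(info["role"])
            entry["hidden"] = entry["hidden"] or info["hidden_path"]
            entry["paths"].add(path)
        for svc in SERVICE_RE.findall(line):
            if svc.startswith("SKYNET"):
                services.append(svc)
    return {"files": dict(found), "services": services}


def summarize(result):
    """Counts by role plus a flag for rootkit-style hiding."""
    roles = defaultdict(int)
    for entry in result["files"].values():
        for r in entry["roles"]:
            roles[r] += 1
    hidden = [n for n, e in result["files"].items() if e["hidden"]]
    return {
        "file_count": len(result["files"]),
        "roles": dict(roles),
        "hidden_modules": sorted(hidden),
        "services": result["services"],
        # A kernel driver plus a module only reachable via globalroot is the signature of
        # a kernel-mode rootkit rather than a plain trojan: expect user-mode removal to fail.
        "rootkit_suspected": bool(hidden) and roles.get("kernel driver", 0) > 0,
    }


if __name__ == "__main__":
    for key, value in summarize(triage(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```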


#2 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,165 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:07:58 AM

Posted 02 July 2009 - 09:29 AM

Hi, KAInc :thumbup2:

Welcome.

Please read and follow all these instructions very carefully.

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

=====================================================================


Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:


  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**


Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.

No request for help through private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 KAInc

KAInc
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:03:58 AM

Posted 03 July 2009 - 12:25 AM

Downloaded both programs, ran both, posting the logs below.

You asked for a new HijackThis report; I wasn't sure if you wanted the DDS or the actual HJT report. Ran both, posted both.

1) MBAM
2) Combo-Fix
3) DDS
4) HJT


Malwarebytes Anti-Malware


Malwarebytes' Anti-Malware 1.38
Database version: 2366
Windows 6.0.6002 Service Pack 2

7/2/2009 9:50:05 PM
mbam-log-2009-07-02 (21-50-05).txt

Scan type: Quick Scan
Objects scanned: 86266
Time elapsed: 2 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\System32\SKYNETpcxeicla.dll (Trojan.TDSS) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\systemroot\System32\SKYNETpcxeicla.dll (Trojan.TDSS) -> Quarantined and deleted successfully.



Combo-Fix

ComboFix 09-07-02.02 - Chris 07/02/2009 22:06.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3071.1906 [GMT -7:00]
Running from: c:\users\Chris\Desktop\Combo-Fix.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
SP: ESET NOD32 Antivirus 3.0 *disabled* (Updated) {E5E70D32-0101-4B98-A4D6-D1D15C3BB448}
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Installer\aa75426.msi
c:\windows\system32\drivers\SKYNETxgnyskyq.sys
c:\windows\system32\SKYNETiifovxox.dll
c:\windows\system32\SKYNETpcxeicla.dll
c:\windows\system32\SKYNETpptpvuav.dat
c:\windows\system32\SKYNETxsbkwsfw.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SKYNETplbckimv


((((((((((((((((((((((((( Files Created from 2009-06-03 to 2009-07-03 )))))))))))))))))))))))))))))))
.

2009-07-03 05:13 . 2009-07-03 05:13 -------- d-----w- c:\users\Chris\AppData\Local\temp
2009-07-03 05:13 . 2009-07-03 05:13 -------- d-----w- c:\users\IUSR_NMPR\AppData\Local\temp
2009-07-03 04:46 . 2009-06-17 18:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-03 04:46 . 2009-07-03 04:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-03 04:46 . 2009-06-17 18:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-02 06:28 . 2009-07-02 06:28 -------- d-----w- c:\program files\Cobian Backup 8
2009-07-02 06:25 . 2009-07-02 06:25 -------- d-----w- c:\programdata\Cobian
2009-07-02 06:25 . 2009-07-02 06:27 -------- d-----w- c:\program files\Cobian Backup 9
2009-07-02 06:11 . 2009-07-02 06:11 -------- d-----w- c:\users\Public\Chris PC Backup
2009-07-02 05:46 . 2009-07-02 05:46 -------- d-----w- c:\users\Chris\AppData\Roaming\MSNInstaller
2009-07-02 05:17 . 2009-07-02 05:17 -------- d-----w- c:\program files\Trend Micro
2009-07-02 01:37 . 2009-07-02 01:31 15688 ------w- c:\windows\system32\lsdelete.exe
2009-07-02 01:29 . 2009-03-12 08:17 2902048 -c----w- c:\programdata\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe
2009-07-02 01:29 . 2009-07-02 01:29 -------- d-----w- c:\program files\Lavasoft
2009-07-02 01:28 . 2009-07-02 01:29 -------- dc-h--w- c:\programdata\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-07-01 01:41 . 2009-07-01 01:45 -------- d-----w- C:\SDFix
2009-07-01 01:29 . 2009-07-01 01:29 -------- d---a-w- c:\users\Public\scripts
2009-06-30 00:31 . 2009-06-30 00:31 2145 ------w- c:\users\Chris\AppData\Roaming\.purple\certificates\x509\tls_peers\ows.messenger.msn.com
2009-06-23 12:34 . 2009-06-23 12:34 2141 ------w- c:\users\Chris\AppData\Roaming\.purple\certificates\x509\tls_peers\omega.contacts.msn.com
2009-06-22 23:53 . 2009-06-22 23:53 1089 ------w- c:\users\Chris\AppData\Roaming\.purple\certificates\x509\tls_peers\login.yahoo.com
2009-06-22 23:49 . 2009-06-22 23:49 -------- d-----w- c:\users\Chris\AppData\Local\Yahoo
2009-06-22 23:48 . 2009-05-27 02:50 607472 ------w- c:\programdata\yahoo!\YUpdater\yupdater.exe
2009-06-17 16:03 . 2009-06-17 16:03 7040776 ------w- c:\users\Chris\AppData\Roaming\MySpace\IM\Install\MSIMClientSetup.1.0.789.0-static-A.exe
2009-06-14 10:42 . 2009-06-14 11:05 -------- d-----w- c:\users\Chris\FFXIWindower
2009-06-13 08:12 . 2009-06-13 08:12 -------- d-----w- c:\program files\Guild Wars
2009-06-11 10:22 . 2009-06-11 10:22 2173616 ------w- c:\users\Chris\AppData\Roaming\MySpace\Toolbar\Installers\MySpaceToolbar_Setup_1.0.45.0.exe
2009-06-10 04:04 . 2009-05-09 05:50 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-10 04:04 . 2009-05-09 05:34 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-06-10 04:03 . 2009-04-23 12:14 623616 ----a-w- c:\windows\system32\localspl.dll
2009-06-10 04:03 . 2009-04-21 11:39 2034688 ----a-w- c:\windows\system32\win32k.sys
2009-06-10 04:02 . 2009-04-23 12:15 784896 ----a-w- c:\windows\system32\rpcrt4.dll
2009-06-06 10:14 . 2009-07-02 01:36 -------- d-----w- c:\users\Public\PC Tools

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-03 04:10 . 2008-02-12 23:32 -------- d-----w- c:\users\Chris\AppData\Roaming\.purple
2009-07-02 07:51 . 2008-02-13 01:12 -------- d-----w- c:\users\Chris\AppData\Roaming\gtk-2.0
2009-07-01 14:25 . 2008-03-14 22:47 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-06-29 00:21 . 2009-02-23 13:18 -------- d-----w- c:\program files\Curse
2009-06-28 23:40 . 2007-11-14 23:05 -------- d-----w- c:\program files\Yahoo!
2009-06-28 20:55 . 2007-11-14 22:41 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-28 08:34 . 2009-03-10 01:43 758 ------w- c:\users\Chris\AppData\Roaming\wklnhst.dat
2009-06-27 23:03 . 2007-11-14 23:05 -------- d--h--w- c:\programdata\yahoo!
2009-06-27 23:03 . 2008-04-21 02:24 -------- d-----w- c:\program files\MySpace
2009-06-22 23:52 . 2008-09-19 17:35 -------- d-----w- c:\program files\Pidgin
2009-06-10 04:07 . 2007-11-14 22:59 -------- d-----w- c:\program files\Microsoft Works
2009-06-03 02:53 . 2009-06-03 02:53 133931 ------w- c:\windows\Magnifier Uninstaller.exe
2009-06-03 02:53 . 2009-06-03 02:53 -------- d-----w- c:\program files\Magnifier 2.4
2009-05-28 07:27 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2009-05-28 07:27 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-05-28 07:27 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2009-05-28 07:27 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2009-05-28 07:27 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2009-05-28 07:27 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2009-05-28 07:27 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2009-05-28 07:26 . 2006-11-02 12:37 -------- d-----w- c:\program files\Microsoft Games
2009-05-28 07:26 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-05-17 09:37 . 2009-05-17 09:37 -------- d-----w- c:\users\Chris\AppData\Roaming\Wolfram Research
2009-05-17 09:37 . 2009-05-17 09:37 -------- d-----w- c:\program files\Wolfram Research
2009-04-30 14:24 . 2009-04-30 14:24 1893936 ------w- c:\users\Chris\AppData\Roaming\MySpace\Toolbar\Installers\MySpaceToolbar_Setup_1.0.32.5.exe
2009-04-11 06:33 . 2009-05-28 07:08 986600 ----a-w- c:\windows\system32\winload.exe
2009-04-11 06:33 . 2009-05-28 07:07 926184 ----a-w- c:\windows\system32\winresume.exe
2009-04-11 06:33 . 2009-05-28 07:07 292840 ----a-w- c:\windows\system32\drivers\volmgrx.sys
2009-04-11 06:33 . 2009-05-28 07:08 897000 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-04-11 06:33 . 2009-05-28 07:07 614376 ----a-w- c:\windows\system32\ci.dll
2009-04-11 06:28 . 2009-05-28 07:07 56320 ----a-w- c:\windows\system32\xmlfilter.dll
2009-04-11 06:27 . 2009-05-28 07:08 441344 ----a-w- c:\windows\system32\SearchIndexer.exe
2009-04-11 06:22 . 2009-05-28 07:06 7168 ----a-w- c:\windows\system32\f3ahvoas.dll
2009-04-11 06:21 . 2009-05-28 07:06 37376 ----a-w- c:\windows\system32\cdd.dll
2009-04-11 05:42 . 2009-05-28 07:06 93696 ----a-w- c:\windows\system32\drivers\bridge.sys
2009-04-11 05:03 . 2009-05-28 07:08 12240896 ----a-w- c:\windows\system32\NlsLexicons0007.dll
2009-04-11 05:03 . 2009-05-28 07:08 2644480 ----a-w- c:\windows\system32\NlsLexicons0009.dll
2009-04-11 04:57 . 2009-05-28 07:06 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-04-11 04:54 . 2009-05-28 07:06 2048 ----a-w- c:\windows\system32\mferror.dll
2009-04-11 04:51 . 2009-05-28 07:06 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2009-04-11 04:47 . 2009-05-28 07:06 273920 ----a-w- c:\windows\system32\drivers\afd.sys
2009-04-11 04:46 . 2009-05-28 07:06 69120 ----a-w- c:\windows\system32\drivers\rassstp.sys
2009-04-11 04:46 . 2009-05-28 07:06 121344 ----a-w- c:\windows\system32\drivers\ndiswan.sys
2009-04-11 04:46 . 2009-05-28 07:06 41472 ----a-w- c:\windows\system32\drivers\raspppoe.sys
2009-04-11 04:46 . 2009-05-28 07:06 15872 ----a-w- c:\windows\system32\drivers\usb8023.sys
2009-04-11 04:46 . 2009-05-28 07:06 33280 ----a-w- c:\windows\system32\drivers\RNDISMP.sys
2009-04-11 04:46 . 2009-05-28 07:06 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2009-04-11 04:45 . 2009-05-28 07:06 72192 ----a-w- c:\windows\system32\drivers\tdx.sys
2009-04-11 04:45 . 2009-05-28 07:06 72192 ----a-w- c:\windows\system32\drivers\pacer.sys
2009-04-11 04:45 . 2009-05-28 07:07 185856 ----a-w- c:\windows\system32\drivers\netbt.sys
2009-04-11 04:45 . 2009-05-28 07:07 401408 ----a-w- c:\windows\system32\drivers\http.sys
2009-04-11 04:45 . 2009-05-28 07:06 113664 ----a-w- c:\windows\system32\drivers\rmcast.sys
2009-04-11 04:45 . 2009-05-28 07:06 66560 ----a-w- c:\windows\system32\drivers\smb.sys
2009-04-11 04:43 . 2009-05-28 07:06 148480 ----a-w- c:\windows\system32\drivers\nwifi.sys
2009-04-11 04:43 . 2009-05-28 07:07 196096 ----a-w- c:\windows\system32\drivers\usbhub.sys
2009-04-11 04:43 . 2009-05-28 07:06 62208 ----a-w- c:\windows\system32\drivers\ohci1394.sys
2009-04-11 04:42 . 2009-05-28 07:07 226304 ----a-w- c:\windows\system32\drivers\usbport.sys
2009-04-11 04:42 . 2009-05-28 07:06 25856 ----a-w- c:\windows\system32\drivers\USBCAMD2.sys
2009-04-11 04:42 . 2009-05-28 07:06 25856 ----a-w- c:\windows\system32\drivers\USBCAMD.sys
2009-04-11 04:42 . 2009-05-28 07:07 39936 ----a-w- c:\windows\system32\drivers\usbehci.sys
2009-04-11 04:42 . 2009-05-28 07:06 167936 ----a-w- c:\windows\system32\drivers\portcls.sys
2009-04-11 04:42 . 2009-05-28 07:06 12800 ----a-w- c:\windows\system32\drivers\hidusb.sys
2009-04-11 04:42 . 2009-05-28 07:06 39424 ----a-w- c:\windows\system32\drivers\hidclass.sys
2009-04-11 04:42 . 2009-05-28 07:06 52992 ----a-w- c:\windows\system32\drivers\stream.sys
2009-04-11 04:42 . 2009-05-28 07:08 561152 ----a-w- c:\windows\system32\drivers\hdaudbus.sys
2009-04-11 04:39 . 2009-05-28 07:06 16384 ----a-w- c:\windows\system32\iscsilog.dll
2009-04-11 04:39 . 2009-05-28 07:06 67072 ----a-w- c:\windows\system32\drivers\cdrom.sys
2009-04-11 04:39 . 2009-05-28 07:06 19456 ----a-w- c:\windows\system32\drivers\Diskdump.sys
2009-04-11 04:38 . 2009-05-28 07:07 149504 ----a-w- c:\windows\system32\drivers\ks.sys
2009-04-11 04:38 . 2009-05-28 07:07 17408 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2009-04-11 04:27 . 2009-05-28 07:06 2560 ----a-w- c:\windows\system32\msimsg.dll
2009-04-11 04:23 . 2009-05-28 07:07 626176 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2009-04-11 04:23 . 2009-05-28 07:06 76288 ----a-w- c:\windows\system32\drivers\dxg.sys
2009-04-11 04:23 . 2009-05-28 07:06 289792 ----a-w- c:\windows\system32\atmfd.dll
2009-04-11 04:22 . 2009-05-28 07:06 33280 ----a-w- c:\windows\system32\drivers\watchdog.sys
2009-04-11 04:15 . 2009-05-28 07:07 288768 ----a-w- c:\windows\system32\drivers\srv.sys
2009-04-11 04:15 . 2009-05-28 07:07 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-04-11 04:15 . 2009-05-28 07:07 98816 ----a-w- c:\windows\system32\drivers\srvnet.sys
2009-04-11 04:14 . 2009-05-28 07:07 114688 ----a-w- c:\windows\system32\drivers\mrxdav.sys
2009-04-11 04:14 . 2009-05-28 07:07 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2009-04-11 04:14 . 2009-05-28 07:07 225280 ----a-w- c:\windows\system32\drivers\rdbss.sys
2009-04-11 04:14 . 2009-05-28 07:07 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2009-04-11 04:14 . 2009-05-28 07:07 105984 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-04-11 04:14 . 2009-05-28 07:06 75264 ----a-w- c:\windows\system32\drivers\dfsc.sys
2009-04-11 04:14 . 2009-05-28 07:06 35328 ----a-w- c:\windows\system32\drivers\npfs.sys
2009-04-11 04:13 . 2009-05-28 07:06 226816 ----a-w- c:\windows\system32\drivers\udfs.sys
2009-04-11 04:13 . 2009-05-28 07:06 136704 ----a-w- c:\windows\system32\drivers\exfat.sys
2009-04-11 04:13 . 2009-05-28 07:06 142848 ----a-w- c:\windows\system32\drivers\fastfat.sys
2009-04-11 04:12 . 2009-05-28 07:07 617984 ----a-w- c:\windows\system32\adtschema.dll
2009-04-11 02:52 . 2009-05-28 07:08 684032 ----a-w- c:\windows\system32\drivers\spsys.sys
2009-04-11 01:59 . 2009-05-28 07:07 107612 ----a-w- c:\windows\system32\StructuredQuerySchema.bin
2009-04-04 11:54 . 2009-04-04 11:54 1892856 ------w- c:\users\Chris\AppData\Roaming\MySpace\Toolbar\Installers\MySpaceToolbar_Setup_1.0.32.0.exe
2008-09-11 13:05 . 2008-09-11 13:05 614284494 ------w- c:\program files\wl_setup_2.0.3.exe.sl
2007-11-14 22:18 . 2007-11-14 22:13 8192 --sh--w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnhancedStorageShell]
@="{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}"
[HKEY_CLASSES_ROOT\CLSID\{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}]
2009-04-11 06:28 114176 ----a-w- c:\windows\System32\EhStorShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CCUTRAYICON"="FactoryMode" [X]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2006-11-03 319488]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-03-13 1443072]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-11-27 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-27 8530464]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-11-27 81920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-07-02 520024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2007-04-03 44168]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]

c:\users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1996-11-17 111376]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1996-11-17 51984]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"BindDirectlyToPropertySetStorage"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Snapfish Media Detector.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Snapfish Media Detector.lnk
backup=c:\windows\pss\Snapfish Media Detector.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Chris^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):b6,ed,ed,b3,66,df,c9,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-799302225-74038327-656276079-1001]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{35DDB595-6818-4024-AC79-31E31EF5A9C9}"= UDP:c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.exe:SPCM
"{BF965ADA-4F45-4465-9CAD-AE64D062DEE9}"= TCP:c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.exe:SPCM
"{5595EEB0-667B-42BF-A1DA-66D96BCB829D}"= UDP:c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe:Intel® Viiv™ Media Server
"{DB3D997F-889F-4010-921F-880678FE591D}"= TCP:c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe:Intel® Viiv™ Media Server
"{942DB7EA-B593-4996-9F46-A0A0A77F81E7}"= UDP:c:\program files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe:Intel® Remoting Service
"{6B77BD2A-07DC-4CBC-9AC7-263957C45336}"= TCP:c:\program files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe:Intel® Remoting Service
"{15A57BDB-A382-42AC-B227-0EC25F065271}"= TCP:9442:127.0.0.1:Intel® Viiv™ Media Server Discovery
"{20583813-65FB-4E5E-8BAE-42041BC4C7F9}"= TCP:1900:LocalSubnet:LocalSubnet:Intel® Viiv™ Media Server UPnP Discovery
"{A6622414-DDDA-4E99-AFD3-EDAE12AA293C}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{66A03EF0-EADB-4C6B-91D3-5590293AFE4F}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{344AA195-68BC-4FE0-A03F-1AB4A1D139CD}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{E196AD02-81AF-4116-83B6-CE857C633828}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{D155C561-3988-4F76-951B-F308FA4B796F}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{83490079-3294-4A55-BFB0-D35AE81E4428}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{4FD16A15-84FE-42E6-B782-98A4988309FF}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{D0ABACFB-2553-4F0F-BB8A-BF2A37304962}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{5105CC55-323E-4279-A821-4046381D55A6}"= UDP:c:\windows\System32\lxczcoms.exe:Lexmark Communications System
"{A69DD93B-0762-4B8B-8463-55AE5EEE59BE}"= TCP:c:\windows\System32\lxczcoms.exe:Lexmark Communications System
"{C588DBAF-6E57-4B18-B72A-E3F3964C2C14}"= UDP:c:\windows\System32\spool\drivers\w32x86\3\lxczpswx.exe:Printer Status Window
"{C02C4A93-5A38-42E6-A3E3-0B23C25FDD48}"= TCP:c:\windows\System32\spool\drivers\w32x86\3\lxczpswx.exe:Printer Status Window
"TCP Query User{19AF8D85-D721-4B5D-8BFA-A4BDECE8335A}c:\\program files\\playonline\\squareenix\\playonlineviewer\\pol.exe"= UDP:c:\program files\playonline\squareenix\playonlineviewer\pol.exe:PlayOnline Viewer
"UDP Query User{9B9ABEE2-0DBA-4CB3-A70B-1F682AB147B2}c:\\program files\\playonline\\squareenix\\playonlineviewer\\pol.exe"= TCP:c:\program files\playonline\squareenix\playonlineviewer\pol.exe:PlayOnline Viewer
"{A940D0CC-67CB-49D3-B71D-14A25638BC91}"= UDP:c:\program files\XIWin\launcher_gui.exe:launcher_gui
"{D396A93B-04B2-4E5E-A9BB-6401D0E2049D}"= TCP:c:\program files\XIWin\launcher_gui.exe:launcher_gui
"{D249D0F9-44AA-4324-8765-4796C10A1AF0}"= UDP:c:\program files\XIWin\launcher.exe:launcher
"{F292316A-438E-4DF9-90A3-5370D68CDDBE}"= TCP:c:\program files\XIWin\launcher.exe:launcher
"TCP Query User{5AB8CBC9-9F99-44DB-A50A-FD5E293B40B1}c:\\program files\\trillian\\trillian.exe"= UDP:c:\program files\trillian\trillian.exe:Trillian
"UDP Query User{970D7221-7BD4-4965-B414-9C7E47633C33}c:\\program files\\trillian\\trillian.exe"= TCP:c:\program files\trillian\trillian.exe:Trillian
"{2455008E-B75A-426A-9465-54451D5AB493}"= UDP:c:\program files\PlayOnline\SquareEnix\FINAL FANTASY XI\polboot.exe:FINAL FANTASY XI
"{07DFACA6-6F8D-4373-A64A-37E6DF541378}"= TCP:c:\program files\PlayOnline\SquareEnix\FINAL FANTASY XI\polboot.exe:FINAL FANTASY XI
"TCP Query User{F845BD4C-DD88-4F4E-BA45-BF348565AE9C}c:\\program files\\ngd studios\\regnum online\\liveserver\\roclientgame.exe"= UDP:c:\program files\ngd studios\regnum online\liveserver\roclientgame.exe:RegnumOnline
"UDP Query User{F6A8A408-1EB3-4B6D-81D5-12F209714052}c:\\program files\\ngd studios\\regnum online\\liveserver\\roclientgame.exe"= TCP:c:\program files\ngd studios\regnum online\liveserver\roclientgame.exe:RegnumOnline
"TCP Query User{11B1C61F-97BC-4DD6-A289-B112DDE631C6}c:\\program files\\veoh networks\\veoh\\veohclient.exe"= UDP:c:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"UDP Query User{D3D9F816-6D3A-44E9-9A72-BA61C539E620}c:\\program files\\veoh networks\\veoh\\veohclient.exe"= TCP:c:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"TCP Query User{FEBB9E90-7525-4F6E-83C4-180436BAE0C1}c:\\windows\\system32\\dplaysvr.exe"= UDP:c:\windows\system32\dplaysvr.exe:Microsoft DirectPlay Helper
"UDP Query User{9B9B875D-234D-46DF-8F43-B8D7030F16B8}c:\\windows\\system32\\dplaysvr.exe"= TCP:c:\windows\system32\dplaysvr.exe:Microsoft DirectPlay Helper
"TCP Query User{3A6FF3B0-3F1A-463B-9019-61EC730F733D}c:\\program files\\black isle\\bgii - soa\\bgmain.exe"= UDP:c:\program files\black isle\bgii - soa\bgmain.exe:Baldur's Gate II - Shadows of Amn - Throne of Bhaal
"UDP Query User{3CAB48A3-CA1A-47AC-B843-05DF492C6DFE}c:\\program files\\black isle\\bgii - soa\\bgmain.exe"= TCP:c:\program files\black isle\bgii - soa\bgmain.exe:Baldur's Gate II - Shadows of Amn - Throne of Bhaal
"{7B8C0320-35C9-45F7-A509-D353D624EECA}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{8E480D33-92B2-4AE9-8EDB-CEBFAC755076}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{FBF49955-BDCF-4021-AADD-6C9685132E29}"= UDP:c:\program files\SightSpeed\SightSpeed.exe:SightSpeed
"{BAB0FE36-11C4-42F1-91B8-8D5137327ED3}"= TCP:c:\program files\SightSpeed\SightSpeed.exe:SightSpeed
"{82166D3B-23D5-489C-9D6A-DD1B78712C62}"= UDP:c:\program files\SightSpeed\SightSpeed.exe:SightSpeed
"{FF5D7184-7605-40D9-8B7F-BF649BE85859}"= TCP:c:\program files\SightSpeed\SightSpeed.exe:SightSpeed
"{841F0764-7F47-4C2B-A907-610948F5E79F}"= c:\program files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)
"{519C8188-437B-4A6A-BB0D-E9AED747117C}"= Disabled:UDP:c:\program files\Adobe\Photoshop Elements 6.0\AdobePhotoshopElementsMediaServer.exe:Adobe Photoshop Elements Media Server
"{6AC7FE9B-4AA8-42B0-B792-90FCB72D6CAD}"= Disabled:TCP:c:\program files\Adobe\Photoshop Elements 6.0\AdobePhotoshopElementsMediaServer.exe:Adobe Photoshop Elements Media Server
"TCP Query User{8BF9455E-C589-4ECD-B633-0CC76CD5D9B0}c:\\program files\\adobe\\photoshop elements 6.0\\photoshopelementsorganizer.exe"= UDP:c:\program files\adobe\photoshop elements 6.0\photoshopelementsorganizer.exe:Adobe Photoshop Elements 6.0 (Organizer)
"UDP Query User{7B9D952C-7F22-469C-875D-A2C4112709D4}c:\\program files\\adobe\\photoshop elements 6.0\\photoshopelementsorganizer.exe"= TCP:c:\program files\adobe\photoshop elements 6.0\photoshopelementsorganizer.exe:Adobe Photoshop Elements 6.0 (Organizer)
"TCP Query User{09C1317C-C848-4A16-A906-BC7CEBB25E1A}c:\\program files\\well of souls\\souls.exe"= UDP:c:\program files\well of souls\souls.exe:Well of Souls
"UDP Query User{5C159081-CEA1-40B3-9BE8-E1EC249AACC7}c:\\program files\\well of souls\\souls.exe"= TCP:c:\program files\well of souls\souls.exe:Well of Souls
"TCP Query User{348D75B1-1A91-47D2-9516-106831364199}c:\\program files\\dreamcatcher\\dungeon lords\\dlords.exe"= UDP:c:\program files\dreamcatcher\dungeon lords\dlords.exe:dlords
"UDP Query User{2F27C2B0-AC9C-473C-A68C-2C719CF2992D}c:\\program files\\dreamcatcher\\dungeon lords\\dlords.exe"= TCP:c:\program files\dreamcatcher\dungeon lords\dlords.exe:dlords
"TCP Query User{25F8EDEB-350C-465E-A147-793FFE1C2540}c:\\program files\\microsoft games\\dungeon siege\\dungeonsiege.exe"= UDP:c:\program files\microsoft games\dungeon siege\dungeonsiege.exe:Dungeon Siege Game Executable
"UDP Query User{3D883130-4292-4E29-B935-B9A8A89BE73A}c:\\program files\\microsoft games\\dungeon siege\\dungeonsiege.exe"= TCP:c:\program files\microsoft games\dungeon siege\dungeonsiege.exe:Dungeon Siege Game Executable
"TCP Query User{1FC8C40F-6A56-4B8B-8632-4E8D0ED6FF8A}c:\\rohan\\rohanclient.exe"= UDP:c:\rohan\rohanclient.exe:Rohan Online Game
"UDP Query User{EC2331A8-1548-443D-8356-93B42053F9B3}c:\\rohan\\rohanclient.exe"= TCP:c:\rohan\rohanclient.exe:Rohan Online Game
"TCP Query User{0A7D895E-3E28-41DF-83F4-8A155B3FD979}c:\\program files\\vuze\\azureus.exe"= UDP:c:\program files\vuze\azureus.exe:Azureus
"UDP Query User{D745FB44-030C-4A7D-9777-F7C8621F24D3}c:\\program files\\vuze\\azureus.exe"= TCP:c:\program files\vuze\azureus.exe:Azureus
"TCP Query User{F9B71D42-6323-4139-87C5-F90373A13247}c:\\program files\\bitlord\\bitlord.exe"= UDP:c:\program files\bitlord\bitlord.exe:BitLord
"UDP Query User{930785A9-B5F9-4AF3-9F58-5DD44CF66AE1}c:\\program files\\bitlord\\bitlord.exe"= TCP:c:\program files\bitlord\bitlord.exe:BitLord
"{2F002B82-EE3D-4254-B6BA-6538BE180998}"= Disabled:UDP:c:\program files\MySpace\IM\MySpaceIM.exe:MySpaceIM
"{AC263A64-875A-4A57-AF2D-529F00D1A988}"= TCP:c:\program files\MySpace\IM\MySpaceIM.exe:MySpaceIM
"{EF82FAE2-C1ED-4A39-8879-065E50B9749C}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{21F48B8A-ED16-45D8-ABCF-DD0F3CE02A6C}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"TCP Query User{EAD7E598-CC7A-4D46-9196-2FC38938503E}c:\\program files\\teamspeak2_rc2\\server_windows.exe"= UDP:c:\program files\teamspeak2_rc2\server_windows.exe:Server
"UDP Query User{6E94F232-76E8-4753-ACB4-5E5463B360EE}c:\\program files\\teamspeak2_rc2\\server_windows.exe"= TCP:c:\program files\teamspeak2_rc2\server_windows.exe:Server
"TCP Query User{3B20861D-8924-44F4-842D-5DAA1EFF3DEA}c:\\program files\\ares vista\\aresvista.exe"= UDP:c:\program files\ares vista\aresvista.exe:Ares Vista
"UDP Query User{74075784-A46F-4F5C-B92F-2D9504D074AC}c:\\program files\\ares vista\\aresvista.exe"= TCP:c:\program files\ares vista\aresvista.exe:Ares Vista
"TCP Query User{4A6671E6-7F30-41FF-81C9-724250F068FF}c:\\program files\\bitdownload\\bitdownload.exe"= UDP:c:\program files\bitdownload\bitdownload.exe:BitDownload
"UDP Query User{4DF305FF-FD39-4086-B526-5F1F168A13E0}c:\\program files\\bitdownload\\bitdownload.exe"= TCP:c:\program files\bitdownload\bitdownload.exe:BitDownload
"TCP Query User{5875A030-3EF2-4B64-9715-39613F7FA7FA}c:\\users\\public\\games\\world of warcraft\\launcher.exe"= UDP:c:\users\public\games\world of warcraft\launcher.exe:Blizzard Launcher
"UDP Query User{7AA6F467-2C25-4FDE-A155-19A2BB788218}c:\\users\\public\\games\\world of warcraft\\launcher.exe"= TCP:c:\users\public\games\world of warcraft\launcher.exe:Blizzard Launcher
"{F3C60513-62D1-45FE-9FDC-73A1442E106E}"= UDP:c:\program files\Curse\CurseClient.exe:Curse Client
"{0CAA065E-E17D-41CD-B5B7-4BDA3AFF6924}"= TCP:c:\program files\Curse\CurseClient.exe:Curse Client
"TCP Query User{63B4A35C-FFE4-4D83-8D95-DB964F9E1D63}c:\\program files\\gametap web player\\bin\\release\\gametapplayer.exe"= UDP:c:\program files\gametap web player\bin\release\gametapplayer.exe:GameTap Headless Application
"UDP Query User{36A5F3CF-6F4F-4D5E-9031-5FE2879B9DDB}c:\\program files\\gametap web player\\bin\\release\\gametapplayer.exe"= TCP:c:\program files\gametap web player\bin\release\gametapplayer.exe:GameTap Headless Application
"TCP Query User{7611A1E0-E74D-4DA5-B6FF-7F050C7045E0}c:\\program files\\pidgin\\pidgin.exe"= UDP:c:\program files\pidgin\pidgin.exe:Pidgin
"UDP Query User{6BFA4A4C-90C7-4696-A737-B167BF2FAE3A}c:\\program files\\pidgin\\pidgin.exe"= TCP:c:\program files\pidgin\pidgin.exe:Pidgin

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= c:\program files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink

R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [7/1/2009 6:31 PM 64160]
R1 epfwtdir;epfwtdir;c:\windows\System32\drivers\epfwtdir.sys [3/13/2008 4:52 PM 33800]
R1 SSHDRV85;SSHDRV85;c:\windows\System32\drivers\SSHDRV85.sys [11/9/2008 4:13 PM 78848]
R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [9/11/2007 12:45 AM 124832]
R2 DQLWinService;DQLWinService;c:\program files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe [9/3/2006 11:32 AM 208896]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [3/13/2008 4:49 PM 472320]
R2 HPBtnSrv;HP Chasis Button Service;c:\hp\HPEZBTN\HPBtnSrv.exe [11/14/2007 3:58 PM 198240]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 12:06 PM 1029456]
R2 TeamViewer4;TeamViewer 4;c:\program files\TeamViewer\Version4\TeamViewer_Service.exe [1/22/2009 2:31 AM 185640]
R3 HCW85BDA;Hauppauge WinTV 885 Video Capture;c:\windows\System32\drivers\HCW85BDA.sys [12/3/2008 11:20 PM 1426304]
R3 netr73;USB Wireless 802.11 b/g Adaptor Driver for Vista;c:\windows\System32\drivers\netr73.sys [10/21/2008 5:00 AM 497152]
S2 IntelDHSvcConf;Intel DH Service;c:\program files\Intel\IntelDH\Intel Media Server\tools\IntelDHSvcConf.exe [5/10/2006 10:13 AM 29696]
S3 PAC207;SoC PC-Camera;c:\windows\System32\drivers\PFC027.SYS [12/5/2006 11:34 AM 507136]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-07-02 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 01:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uDefault_Search_URL = about:blank
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearchURL = about:blank
IE: Download All by FlashGet - c:\program files\FlashGet\jc_all.htm
IE: Download using FlashGet - c:\program files\FlashGet\jc_link.htm
DPF: {99CAAA27-FA0C-4FA4-B88A-4AB1CC7A17FE}
FF - ProfilePath - c:\users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\aprnnjqw.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\GameTap Web Player\bin\release\npGameTapWebPlayer.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAskSBr.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-02 22:13
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-799302225-74038327-656276079-1001\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:80,27,a5,fe,56,ff,cc,67,ce,36,77,6b,dc,cd,2f,2d,b5,67,99,42,60,7f,d9,
ad,fb,bf,13,6e,08,52,31,2b,1a,47,33,7a,92,52,72,cd,ee,be,55,b6,fc,78,40,82,\
"??"=hex:65,f6,0a,68,b1,1a,bd,29,16,31,f1,6e,f0,ee,13,34

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-07-03 22:15
ComboFix-quarantined-files.txt 2009-07-03 05:15

Pre-Run: 164,948,701,184 bytes free
Post-Run: 164,829,810,688 bytes free

361 --- E O F --- 2009-07-03 01:23


DDS


DDS (Ver_09-06-26.01) - NTFSx86
Run by Chris at 22:22:55.52 on Thu 07/02/2009
Internet Explorer: 8.0.6001.18783
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3071.1908 [GMT -7:00]

AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
SP: ESET NOD32 Antivirus 3.0 *enabled* (Updated) {E5E70D32-0101-4B98-A4D6-D1D15C3BB448}
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
c:\hp\HPEZBTN\HPBtnSrv.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\lxczcoms.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\TeamViewer\Version4\TeamViewer_Service.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wbem\wmiprvse.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Windows\Explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Users\Chris\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\Chris\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uDefault_Search_URL = about:blank
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearchURL = about:blank
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
BHO: IeCatch2 Class: {a5366673-e8ca-11d3-9cd9-0090271d075b} - c:\program files\flashget\jccatch.dll
TB: FlashGet Bar: {e0e899ab-f487-11d5-8d29-0050ba6940e3} - c:\progra~1\flashget\fgiebar.dll
TB: Wolfram Toolbar: {9e709aef-74f7-4da3-a7fc-f3e2d5a8d793} - c:\program files\wolfram research\wolframtoolbar\1.0\WolframBands32.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [CCUTRAYICON] FactoryMode
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [Monitor] c:\windows\pixart\pac207\Monitor.exe
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
StartupFolder: c:\users\chris\appdata\roaming\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\FINDFAST.EXE
StartupFolder: c:\users\chris\appdata\roaming\micros~1\windows\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office\OSA.EXE
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
IE: Download All by FlashGet - c:\program files\flashget\jc_all.htm
IE: Download using FlashGet - c:\program files\flashget\jc_link.htm
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashget\flashget.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {99CAAA27-FA0C-4FA4-B88A-4AB1CC7A17FE}
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\chris\appdata\roaming\mozilla\firefox\profiles\aprnnjqw.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\gametap web player\bin\release\npGameTapWebPlayer.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAskSBr.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-7-1 64160]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-3-13 33800]
R1 SSHDRV85;SSHDRV85;c:\windows\system32\drivers\SSHDRV85.sys [2008-11-9 78848]
R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\adobe\photoshop elements 6.0\PhotoshopElementsFileAgent.exe [2007-9-11 124832]
R2 DQLWinService;DQLWinService;c:\program files\common files\intel\inteldh\nms\adpplugins\DQLWinService.exe [2006-9-3 208896]
R2 ekrn;Eset Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2008-3-13 472320]
R2 HPBtnSrv;HP Chasis Button Service;c:\hp\hpezbtn\HPBtnSrv.exe [2007-11-14 198240]
R2 lxcz_device;lxcz_device;c:\windows\system32\lxczcoms.exe -service --> c:\windows\system32\lxczcoms.exe -service [?]
R2 TeamViewer4;TeamViewer 4;c:\program files\teamviewer\version4\TeamViewer_Service.exe [2009-1-22 185640]
R3 HCW85BDA;Hauppauge WinTV 885 Video Capture;c:\windows\system32\drivers\HCW85BDA.sys [2008-12-3 1426304]
R3 netr73;USB Wireless 802.11 b/g Adaptor Driver for Vista;c:\windows\system32\drivers\netr73.sys [2008-10-21 497152]
S2 IntelDHSvcConf;Intel DH Service;c:\program files\intel\inteldh\intel media server\tools\IntelDHSvcConf.exe [2006-5-10 29696]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1029456]
S3 PAC207;SoC PC-Camera;c:\windows\system32\drivers\PFC027.SYS [2006-12-5 507136]

=============== Created Last 30 ================

2009-07-02 22:15 <DIR> --dsh--- C:\$RECYCLE.BIN
2009-07-02 21:59 161,792 a------- c:\windows\SWREG.exe
2009-07-02 21:59 155,136 a------- c:\windows\PEV.exe
2009-07-02 21:59 98,816 a------- c:\windows\sed.exe
2009-07-02 21:58 <DIR> --ds---- C:\Combo-Fix
2009-07-02 21:46 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-02 21:46 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-02 21:46 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-01 23:28 <DIR> --d----- c:\program files\Cobian Backup 8
2009-07-01 23:25 <DIR> --d----- c:\programdata\Cobian
2009-07-01 23:25 <DIR> --d----- c:\progra~2\Cobian
2009-07-01 23:25 <DIR> --d----- c:\program files\Cobian Backup 9
2009-07-01 22:46 <DIR> --d----- c:\users\chris\appdata\roaming\MSNInstaller
2009-07-01 22:17 <DIR> --d----- c:\program files\Trend Micro
2009-07-01 18:37 15,688 -------- c:\windows\system32\lsdelete.exe
2009-07-01 18:31 64,160 -------- c:\windows\system32\drivers\Lbd.sys
2009-07-01 18:29 <DIR> --d----- c:\program files\Lavasoft
2009-07-01 18:28 <DIR> -cd-h--- c:\programdata\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-07-01 18:28 <DIR> -cd-h--- c:\progra~2\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-30 18:41 <DIR> --d----- C:\SDFix
2009-06-14 03:42 <DIR> --d----- c:\users\chris\FFXIWindower
2009-06-13 01:12 <DIR> --d----- c:\program files\Guild Wars
2009-06-09 21:03 623,616 a------- c:\windows\system32\localspl.dll
2009-06-09 21:03 2,034,688 a------- c:\windows\system32\win32k.sys
2009-06-09 21:02 784,896 a------- c:\windows\system32\rpcrt4.dll

==================== Find3M ====================

2009-06-28 01:34 758 -------- c:\users\chris\appdata\roaming\wklnhst.dat
2009-06-02 19:53 133,931 -------- c:\windows\Magnifier Uninstaller.exe
2009-05-28 00:31 51,200 a------- c:\windows\inf\infpub.dat
2009-05-28 00:31 143,360 a------- c:\windows\inf\infstrng.dat
2009-05-28 00:31 143,360 a------- c:\windows\inf\infstor.dat
2009-05-28 00:26 665,600 a------- c:\windows\inf\drvindex.dat
2009-05-08 22:50 915,456 a------- c:\windows\system32\wininet.dll
2009-05-08 22:34 71,680 a------- c:\windows\system32\iesetup.dll
2009-04-10 23:33 986,600 a------- c:\windows\system32\winload.exe
2009-04-10 23:33 926,184 a------- c:\windows\system32\winresume.exe
2009-04-10 23:33 614,376 a------- c:\windows\system32\ci.dll
2009-04-10 23:32 50,664 a------- c:\windows\system32\PSHED.DLL
2009-04-10 23:32 3,601,896 a------- c:\windows\system32\ntkrnlpa.exe
2009-04-10 23:32 3,549,672 a------- c:\windows\system32\ntoskrnl.exe
2009-04-10 23:32 438,744 a------- c:\windows\system32\mcupdate_GenuineIntel.dll
2009-04-10 23:32 245,736 a------- c:\windows\system32\clfs.sys
2009-04-10 23:32 177,128 a------- c:\windows\system32\halmacpi.dll
2009-04-10 23:32 140,776 a------- c:\windows\system32\halacpi.dll
2009-04-10 23:32 17,896 a------- c:\windows\system32\kd1394.dll
2009-04-10 23:32 19,944 a------- c:\windows\system32\kdusb.dll
2009-04-10 23:32 17,384 a------- c:\windows\system32\kdcom.dll
2009-04-10 23:27 627,200 a------- c:\windows\system32\sethc.exe
2009-04-10 23:22 7,168 a------- c:\windows\system32\f3ahvoas.dll
2009-04-10 23:21 37,376 a------- c:\windows\system32\cdd.dll
2009-04-10 22:03 12,240,896 a------- c:\windows\system32\NlsLexicons0007.dll
2009-04-10 22:03 2,644,480 a------- c:\windows\system32\NlsLexicons0009.dll
2009-04-10 21:57 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-04-10 21:54 2,048 a------- c:\windows\system32\mferror.dll
2009-04-10 21:39 16,384 a------- c:\windows\system32\iscsilog.dll
2009-04-10 21:27 2,560 a------- c:\windows\system32\msimsg.dll
2009-04-10 21:23 289,792 a------- c:\windows\system32\atmfd.dll
2009-04-10 21:12 617,984 a------- c:\windows\system32\adtschema.dll
2009-04-10 18:59 107,612 a------- c:\windows\system32\StructuredQuerySchema.bin
2008-09-11 06:05 614,284,494 -------- c:\program files\wl_setup_2.0.3.exe.sl
2008-07-01 19:38 2,098 ---sh--- c:\programdata\KGyGaAvL.sys
2008-07-01 19:38 2,098 ---sh--- c:\progra~2\KGyGaAvL.sys
2008-06-13 23:27 174 ---sh--- c:\program files\desktop.ini
2008-05-25 22:53 88 ---shr-- c:\programdata\FF0D249BB6.sys
2008-05-25 22:53 88 ---shr-- c:\progra~2\FF0D249BB6.sys
2006-11-02 05:42 287,440 -------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 05:42 287,440 -------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 05:42 30,674 -------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 05:42 30,674 -------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 02:20 287,440 -------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 02:20 287,440 -------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 02:20 30,674 -------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 02:20 30,674 -------- c:\windows\inf\perflib\0000\perfc.dat
2007-11-14 15:18 8,192 ---sh--- c:\windows\users\default\NTUSER.DAT

============= FINISH: 22:23:26.59 ===============


Hijack This

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:24:28 PM, on 7/2/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Windows\Explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\Program Files\FlashGet\jccatch.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Wolfram Toolbar - {9E709AEF-74F7-4DA3-A7FC-F3E2D5A8D793} - C:\Program Files\Wolfram Research\WolframToolbar\1.0\WolframBands32.dll
O4 - HKLM\..\Run: [CCUTRAYICON] FactoryMode
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Monitor] C:\Windows\PixArt\PAC207\Monitor.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\flashget.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {99CAAA27-FA0C-4FA4-B88A-4AB1CC7A17FE} -
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: Intel® Alert Service (AlertService) - Intel® Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
O23 - Service: DQLWinService - Unknown owner - C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: HP Chasis Button Service (HPBtnSrv) - Unknown owner - c:\hp\HPEZBTN\HPBtnSrv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel DH Service (IntelDHSvcConf) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Tools\IntelDHSvcConf.exe
O23 - Service: Intel® Software Services Manager (ISSM) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: lxcz_device - - C:\Windows\system32\lxczcoms.exe
O23 - Service: Intel® Viiv™ Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
O23 - Service: Intel® Application Tracker (MCLServiceATL) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Intel® Remoting Service (Remote UI Service) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: TeamViewer 4 (TeamViewer4) - TeamViewer GmbH - C:\Program Files\TeamViewer\Version4\TeamViewer_Service.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 7979 bytes

Edited by KAInc, 03 July 2009 - 12:25 AM.


#4 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,165 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:07:58 AM

Posted 03 July 2009 - 01:19 AM

Hi, KAInc :thumbup2:

Let's scan for remnants:

Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses JAVA technology to perform the scan. If you do not have the latest JAVA version, follow the instructions below under Upgrading Java to download and install the latest version.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure the following is checked.
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.
Upgrading Java:
  • Download the latest version of Java SE Runtime Environment (JRE): JRE 6 Update 14.
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u14-windows-i586.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version. (Vista users, right click on the jre-6u14-windows-i586.exe and select "Run as an Administrator.")

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#5 KAInc

  • Topic Starter
  • Members
  • 13 posts
  • OFFLINE
  • Local time:03:58 AM

Posted 03 July 2009 - 08:23 AM

Ye gods man, I do believe that did it.

I'd post the scan log... but it's empty! Added it to upload for proof. :thumbup2:


Edit: Oh, snap, didn't realize that wasn't going to be just an empty text file. Sorry for the image, just got excited. lol



Edited by KAInc, 03 July 2009 - 08:25 AM.


#6 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,165 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:07:58 AM

Posted 03 July 2009 - 11:12 AM

How is it doing?



#7 KAInc

  • Topic Starter
  • Members
  • 13 posts
  • OFFLINE
  • Local time:03:58 AM

Posted 03 July 2009 - 05:17 PM

It's doing quite well. No more annoying browser re-directs or anything. Thank you /so/ much.

#8 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,165 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:07:58 AM

Posted 03 July 2009 - 11:13 PM

Hi, KAInc :thumbup2:

Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

To turn off Windows Vista System Restore:

1. Click Start.
2. Right-click the Computer icon, and then click Properties.
3. Click on System Protection under the Tasks column on the left side.
4. Click on Continue on the "User Account Control" window that pops up.
5. Under the System Protection tab, find Available Disks.
6. Uncheck the box for any drive you wish to disable System Restore on.
7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
8. Click OK.
9. When you have finished, restart the computer and follow the instructions in the next section to turn on System Restore.

To turn on Windows Vista System Restore:

1. Click Start.
2. Right-click the Computer icon, and then click Properties.
3. Click on System Protection under the Tasks column on the left side.
4. Click on Continue on the "User Account Control" window that pops up.
5. Under the System Protection tab, find Available Disks.
6. Place a checkmark in the box for any drive you wish to enable System Restore on.
7. Click OK.

Graphic instructions:

http://www.bleepingcomputer.com/tutorials/windows-vista-system-restore-guide/

Since the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, as well as the folders created by these tools.

Follow these steps to uninstall Combofix:
  • Click START then type CMD in the Search box.
  • Press Ctrl+Shift+Enter to obtain an Administrator Command Prompt
  • At the prompt type (Copy and Paste) the following and press Enter after each line (Combofix will launch only to uninstall):

    c:\users\Chris\Desktop\Combo-Fix.exe /u

    Note the space between the e and the /u; it needs to be there.

  • Type Exit and Press Enter to return to Windows.
The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  • AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
  • SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  • ZonedOut + IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • ATF! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • Google Toolbar - Free Google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
  • Trillian or Miranda-IM - These are Malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Miekiemoes.

Best wishes!
