
Was infected with Windows Antivirus Pro and now getting strange results


  • This topic is locked
27 replies to this topic

#1 khunkao

  • Members
  • 33 posts

Posted 03 August 2009 - 12:27 PM

Hi, my machine was recently infected with Windows Antivirus Pro 2009. I tried to remove it with these steps:

Downloaded and renamed OTM.exe to OTM.com with the script:

:processes
svchast.exe
Windows Antivirus Pro.exe

:services
AntipPro2009_12

:reg
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F54AF7DE-6038-4026-8433-CC30E3F17212}]

:files
%windir%\system32\desot.exe
%windir%\system32\dddesot.dll
%windir%\svchast.exe


This worked in stopping the constant pop ups. I couldn't run the MBAM-SETUP.EXE directly because it was blocked (I assume) so I downloaded and ran it directly from www.malwarebytes.org. That seemed to work in at least installing the program.

I even had trouble booting into Safe Mode. It would just sit there and do nothing, saying Please Wait....
The funny thing was it was fine when I booted normally.

After installing, it wouldn't let me run MBAM.EXE so I renamed it to MALO.BAT and that worked. Ran a full scan and it deleted over 59 infected objects but told me that it needed to delete a few more things on the next reboot.

When I rebooted, all I got was a blank blue screen. No login window or anything. I thought I may have been doing something wrong, but I rebooted again and got the same thing. The cursor moves but there's no login window or anything.

I rebooted into Safe Mode and was able to run MALO.BAT. I found out that even in Safe Mode, MBAM.EXE sometimes would not run. I ran it and it found 2 more objects but again said I needed to reboot.

Same thing upon reboot. It just hangs there and nothing happens.

When I went back into Safe Mode again, this time I couldn't even run MALO.BAT. I uninstalled MBAM entirely and rebooted a few more times, and this time I was able to get a Windows login prompt.

I log in and have all functionality in terms of visiting Internet sites and all that. The only thing that keeps bothering me is I cannot run MBAM.EXE.

There is probably something running or missing that is preventing me from doing this.

What can I do to fully clean it all out or restore functionality so it will boot up correctly and run things like MBAM.EXE? Help please....



________________________


DDS (Ver_09-07-30.01) - NTFSx86
Run by thperkins at 13:11:49.24 on Mon 08/03/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.595 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\ORL\VNC\WinVNC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SMINST\Scheduler.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Citrix\icaweb32\Wfcrun32.exe
C:\PROGRA~1\Citrix\icaweb32\WFICA32.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\DWRCS.EXE
C:\WINDOWS\system32\DWRCST.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\dds(2).scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.hp.com
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = https://go.com/
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SetRefresh] c:\program files\compaq\setrefresh\SetRefresh.exe
mRun: [Recguard] c:\windows\sminst\Recguard.exe
mRun: [Reminder] c:\windows\creator\Remind_XP.exe
mRun: [Scheduler] c:\windows\sminst\Scheduler.exe
mRun: [WinVNC] "c:\program files\orl\vnc\WinVNC.exe" -servicehelper
mRun: [Realtime Monitor] c:\progra~1\ca\etrust~1\realmon.exe -s
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [DameWare MRC Agent] c:\windows\system32\DWRCST.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{24c67b54-0718-445e-b663-3138d9246bd1}\Icon3E5562ED7.ico
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
uPolicies-explorer: DisablePersonalDirChange = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
Trusted Zone: advancedmd.com
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {5EF06782-55B2-4DF3-A57A-3FE8F1D2A181} - hxxps://app.advancedmd.com/practicemanager/ppmdcontrols/ppmdforms.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1187100176265
DPF: {6A6E7E91-B6EB-46B5-A545-12B8EDDD261E} - hxxps://app.advancedmd.com/practicemanager/ppmdcontrols/amdscontrols50.cab
DPF: {7E0FDFBB-87D4-43A1-9AD4-41F0EA8AFF7B} - hxxps://go.com/net6helper.cab
DPF: {7F017F97-9257-11D5-87EA-00B0D0BE6479} - hxxp://192.168.16.16/webris/powerscribeSDK/MSSOAP.cab
DPF: {88D969C0-F192-11D4-A65F-0040963251E5} - hxxp://192.168.16.16/webris/powerscribeSDK/msxml4.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {9602B3CE-BC91-417D-B4FD-F6538C2ABB3B} - hxxps://app.advancedmd.com/practicemanager/ppmdcontrols/amdswscheck.cab
DPF: {98EB948F-D2AF-4E43-8EDF-6B288E467EAA} - hxxp://192.168.16.16/webris/powerscribeSDK/Speech.cab
DPF: {9C50CC4C-11D3-4C96-A5CE-0259C15A2107} - hxxp://192.168.16.16/webris/powerscribeSDK/PowerscribeSDK.cab
DPF: {B15C3921-CCFA-4403-9E6F-4470839E835E} - hxxps://app.advancedmd.com/practicemanager/ppmdcontrols/leadtools.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CC99A86F-EA5D-414A-8231-7C3F1B10A644} - hxxps://app.advancedmd.com/practicemanager/ppmdcontrols/amdsaudio.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {EE8CEFA4-1F91-11D4-B31E-00C04F1D37E6} - hxxps://app.advancedmd.com/practicemanager/ppmdcontrols/ppmdvbdownload.cab
TCP: {02EDAE77-BE99-4908-95A4-509ADE140164} = 192.168.16.10
TCP: {94FB6827-CCDE-4A12-B105-17DDD65A0605} = 10.158.27.25,198.1.6.3
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;c:\windows\system32\drivers\dwvkbd.sys [2007-2-15 26624]
R3 DwMirror;DwMirror;c:\windows\system32\drivers\DamewareMini.sys [2007-2-7 3712]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [2007-8-14 9161]
S2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [2007-8-14 114016]
S2 ssvqbpga;ssvqbpga;c:\windows\system32\drivers\csvasxw.sys --> c:\windows\system32\drivers\csvasxw.sys [?]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]

=============== Created Last 30 ================

2009-08-03 13:11 359,932 a------- C:\dds(2).scr
2009-08-03 13:05 683 a------- c:\windows\system32\DWRCCMDError.ini
2009-08-03 12:44 <DIR> --d----- c:\windows\pss
2009-08-03 11:07 <DIR> --d----- c:\docume~1\thperk~1\applic~1\Malwarebytes
2009-08-03 10:48 2,992,448 a------- C:\mbam-rules.exe
2009-08-03 10:32 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-03 10:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-03 10:13 99 a------- C:\fix.reg
2009-08-03 10:10 <DIR> --d----- C:\_OTM
2009-08-03 10:07 407,552 a------- C:\otm.com
2009-08-03 09:33 3,775,176 a------- C:\joe.exe
2009-08-03 08:27 21,390 a------- C:\DBSINIT.EXE-2213E025.pf
2009-08-03 08:25 11,564 a------- C:\SVCHAST.EXE-01022618.pf
2009-08-03 08:25 24,000 a------- C:\WINDOWS ANTIVIRUS PRO.EXE-0F1C3295.pf
2009-07-20 09:23 <DIR> --d----- c:\documents and settings\thperkins\WINDOWS
2009-07-20 09:23 <DIR> --d----- c:\docume~1\thperk~1\applic~1\Lf
2009-07-08 11:00 <DIR> --ds---- c:\documents and settings\thperkins\UserData

==================== Find3M ====================

2009-07-18 12:05 3,069,440 -------- c:\windows\system32\dllcache\mshtml.dll
2009-07-18 12:05 1,509,888 -------- c:\windows\system32\dllcache\shdocvw.dll
2009-06-26 12:50 666,624 a------- c:\windows\system32\wininet.dll
2009-06-26 12:50 666,624 -------- c:\windows\system32\dllcache\wininet.dll
2009-06-26 12:50 620,032 -------- c:\windows\system32\dllcache\urlmon.dll
2009-06-26 12:50 81,920 a------- c:\windows\system32\ieencode.dll
2009-06-26 12:50 81,920 -------- c:\windows\system32\dllcache\ieencode.dll
2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-16 10:36 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 10:36 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
2009-06-03 15:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-06-03 15:09 1,291,264 -------- c:\windows\system32\dllcache\quartz.dll
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-07 11:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll
2007-08-16 18:45 2,366 a------- c:\documents and settings\all users\splash.reg

============= FINISH: 13:12:25.05 ===============



Edited by khunkao, 03 August 2009 - 12:45 PM.




#2 Tokek

  • Members
  • 1,213 posts
  • Location: Jakarta, Indonesia

Posted 13 August 2009 - 01:49 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review them and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
If I have not replied back to your post in 3 days, please send me a PM.


#3 khunkao

  • Topic Starter
  • Members
  • 33 posts

Posted 13 August 2009 - 02:13 PM

I was unable to boot up properly via Normal Mode. All I see is a blank screen with a pointer.
I was however, able to boot into Safe Mode with Networking to run DDS.SCR

-------------------


DDS (Ver_09-07-30.01) - NTFSx86 NETWORK
Run by Administrator at 15:10:52.78 on Thu 08/13/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.802 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Administrator\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.hp.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SetRefresh] c:\program files\compaq\setrefresh\SetRefresh.exe
mRun: [Recguard] c:\windows\sminst\Recguard.exe
mRun: [Reminder] c:\windows\creator\Remind_XP.exe
mRun: [Scheduler] c:\windows\sminst\Scheduler.exe
mRun: [WinVNC] "c:\program files\orl\vnc\WinVNC.exe" -servicehelper
mRun: [Realtime Monitor] c:\progra~1\ca\etrust~1\realmon.exe -s
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{24c67b54-0718-445e-b663-3138d9246bd1}\Icon3E5562ED7.ico
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
Trusted Zone: chartmover.com\www
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {5EF06782-55B2-4DF3-A57A-3FE8F1D2A181} - hxxps://app.advancedmd.com/practicemanager/ppmdcontrols/ppmdforms.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1187100176265
DPF: {6A6E7E91-B6EB-46B5-A545-12B8EDDD261E} - hxxps://app.advancedmd.com/practicemanager/ppmdcontrols/amdscontrols50.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {7E0FDFBB-87D4-43A1-9AD4-41F0EA8AFF7B} - hxxps://www.go.com/net6helper.cab
DPF: {7F017F97-9257-11D5-87EA-00B0D0BE6479} - hxxp://192.168.16.16/webris/powerscribeSDK/MSSOAP.cab
DPF: {88D969C0-F192-11D4-A65F-0040963251E5} - hxxp://192.168.16.16/webris/powerscribeSDK/msxml4.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {9602B3CE-BC91-417D-B4FD-F6538C2ABB3B} - hxxps://app.advancedmd.com/practicemanager/ppmdcontrols/amdswscheck.cab
DPF: {98EB948F-D2AF-4E43-8EDF-6B288E467EAA} - hxxp://192.168.16.16/webris/powerscribeSDK/Speech.cab
DPF: {9C50CC4C-11D3-4C96-A5CE-0259C15A2107} - hxxp://192.168.16.16/webris/powerscribeSDK/PowerscribeSDK.cab
DPF: {B15C3921-CCFA-4403-9E6F-4470839E835E} - hxxps://app.advancedmd.com/practicemanager/ppmdcontrols/leadtools.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CC99A86F-EA5D-414A-8231-7C3F1B10A644} - hxxps://app.advancedmd.com/practicemanager/ppmdcontrols/amdsaudio.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {EE8CEFA4-1F91-11D4-B31E-00C04F1D37E6} - hxxps://app.advancedmd.com/practicemanager/ppmdcontrols/ppmdvbdownload.cab
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\7smohosj.default\
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;c:\windows\system32\drivers\dwvkbd.sys [2007-2-15 26624]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [2007-8-14 9161]
S2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [2007-8-14 114016]
S2 jzippvfn;jzippvfn;c:\windows\system32\drivers\jedogpq.sys --> c:\windows\system32\drivers\jedogpq.sys [?]
S2 ssvqbpga;ssvqbpga;c:\windows\system32\drivers\csvasxw.sys --> c:\windows\system32\drivers\csvasxw.sys [?]
S3 DwMirror;DwMirror;c:\windows\system32\drivers\DamewareMini.sys [2007-2-7 3712]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]

=============== Created Last 30 ================

2009-08-13 15:09 <DIR> --d-h--- c:\windows\PIF
2009-08-12 16:20 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-08-12 16:19 3,942,048 a------- C:\mbam-setup.exe
2009-08-12 16:19 50,688 a------- C:\ATF-Cleaner.exe
2009-08-12 14:29 <DIR> --d----- C:\Downloads
2009-08-04 10:03 <DIR> --d----- c:\program files\Malo
2009-08-03 20:52 6,881,824 a------- C:\sloppy.bat
2009-08-03 13:11 359,932 a------- C:\dds(2).scr
2009-08-03 13:05 713 a------- c:\windows\system32\DWRCCMDError.ini
2009-08-03 12:44 <DIR> --d----- c:\windows\pss
2009-08-03 11:48 <DIR> --d----- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-08-03 10:48 2,992,448 a------- C:\mbam-rules.exe
2009-08-03 10:32 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-03 10:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-03 10:13 99 a------- C:\fix.reg
2009-08-03 10:10 <DIR> --d----- C:\_OTM
2009-08-03 10:07 407,552 a------- C:\otm.com
2009-08-03 09:33 3,775,176 a------- C:\joe.exe
2009-08-03 08:27 21,390 a------- C:\DBSINIT.EXE-2213E025.pf
2009-08-03 08:25 11,564 a------- C:\SVCHAST.EXE-01022618.pf
2009-08-03 08:25 24,000 a------- C:\WINDOWS ANTIVIRUS PRO.EXE-0F1C3295.pf

==================== Find3M ====================

2009-07-18 12:05 3,069,440 -------- c:\windows\system32\dllcache\mshtml.dll
2009-07-18 12:05 1,509,888 -------- c:\windows\system32\dllcache\shdocvw.dll
2009-06-26 12:50 666,624 a------- c:\windows\system32\wininet.dll
2009-06-26 12:50 666,624 -------- c:\windows\system32\dllcache\wininet.dll
2009-06-26 12:50 620,032 -------- c:\windows\system32\dllcache\urlmon.dll
2009-06-26 12:50 81,920 a------- c:\windows\system32\ieencode.dll
2009-06-26 12:50 81,920 -------- c:\windows\system32\dllcache\ieencode.dll
2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-16 10:36 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 10:36 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
2009-06-03 15:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-06-03 15:09 1,291,264 -------- c:\windows\system32\dllcache\quartz.dll
2007-08-16 18:45 2,366 a------- c:\documents and settings\all users\splash.reg

============= FINISH: 15:11:21.29 ===============
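The two service lines in the log above that end in [?] are the ones a helper looks at first: DDS could not read a date or size for the driver file the service points at, and the service name is a vowel-poor string that matches its own display name, unlike the DameWare, Nortel or ZoneAlarm entries around it. As an added example, not part of this thread and not code from DDS or BleepingComputer, here is a small Python parser for the SERVICES / DRIVERS section that pulls those entries out. The sample text is the section copied from the log above, and the two flagging rules (the missing-file marker and a random-looking name on an auto-start service) are my own triage heuristics, a prompt for a closer look rather than proof of infection:

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the SERVICES / DRIVERS section of the second DDS
# log in this thread, embedded here so the parser runs offline.
SAMPLE_DDS_SERVICES = r"""
============= SERVICES / DRIVERS ===============

R1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;c:\windows\system32\drivers\dwvkbd.sys [2007-2-15 26624]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [2007-8-14 9161]
S2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [2007-8-14 114016]
S2 jzippvfn;jzippvfn;c:\windows\system32\drivers\jedogpq.sys --> c:\windows\system32\drivers\jedogpq.sys [?]
S2 ssvqbpga;ssvqbpga;c:\windows\system32\drivers\csvasxw.sys --> c:\windows\system32\drivers\csvasxw.sys [?]
S3 DwMirror;DwMirror;c:\windows\system32\drivers\DamewareMini.sys [2007-2-7 3712]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]

=============== Created Last 30 ================
"""

# One DDS service/driver line: "<state><start> <name>;<display name>;<image> [...]".
# In DDS output R = running, S = stopped, and the digit is the start type
# (1 = system, 2 = auto, 3 = manual).
SERVICE_LINE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
# Trailing "[date size]" that DDS prints when it could read the image file.
FILE_INFO = re.compile(r"^(?P<path>.+?) \[(?P<date>\d{4}-\d{1,2}-\d{1,2}) (?P<size>\d+)\]$")

VOWELS = set("aeiou")


@dataclass
class ServiceEntry:
    running: bool
    start_type: int
    name: str
    display: str
    image_path: str
    file_date: Optional[str]
    file_size: Optional[int]
    file_missing: bool


def parse_dds_services(text: str) -> List[ServiceEntry]:
    """Return every service/driver line found in the SERVICES / DRIVERS section."""
    entries: List[ServiceEntry] = []
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("===="):            # section header: enter or leave
            in_section = "SERVICES / DRIVERS" in line
            continue
        if not in_section:
            continue
        m = SERVICE_LINE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        image_path, file_date, file_size, missing = rest, None, None, False
        if " --> " in rest:
            # DDS repeats the image path after "-->" and appends "[?]" when it
            # could not read the file's date and size, i.e. the file is not
            # where the service registration says it is.
            image_path, tail = rest.split(" --> ", 1)
            missing = tail.endswith("[?]")
        else:
            fi = FILE_INFO.match(rest)
            if fi:
                image_path = fi.group("path")
                file_date = fi.group("date")
                file_size = int(fi.group("size"))
        entries.append(ServiceEntry(m.group("state") == "R", int(m.group("start")),
                                    m.group("name"), m.group("display"),
                                    image_path, file_date, file_size, missing))
    return entries


def looks_random(name: str) -> bool:
    """Constructed heuristic: a lower-case, vowel-poor name such as 'ssvqbpga'
    reads as machine-generated; legitimate drivers usually have pronounceable names."""
    letters = [c for c in name if c.isalpha()]
    if len(letters) < 6 or name != name.lower():
        return False
    return sum(c in VOWELS for c in letters) / len(letters) < 0.2


def assess(entry: ServiceEntry) -> List[str]:
    """Reasons this entry deserves a closer look (empty list = nothing noted)."""
    reasons = []
    if entry.file_missing:
        reasons.append("image file not found on disk ([?])")
    if entry.start_type == 2 and entry.name == entry.display and looks_random(entry.name):
        reasons.append("auto-start service with a random-looking name and no descriptive display name")
    return reasons


def triage(text: str) -> Dict[str, List[str]]:
    """Map service name -> reasons, for entries that raised at least one reason."""
    return {e.name: assess(e) for e in parse_dds_services(text) if assess(e)}


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_DDS_SERVICES).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Run against the embedded section it reports only jzippvfn and ssvqbpga, each with both reasons; the DameWare entry dwvkbd is vowel-poor too, but it has a descriptive display name, a readable file date and size, and a system start type, which is why the name check is tied to the other conditions rather than applied on its own.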




#4 Tokek

  • Members
  • 1,213 posts
  • Location: Jakarta, Indonesia

Posted 13 August 2009 - 02:31 PM

Hello Khunkao,

Welcome to Bleeping Computer.

My name is Tokek and I will be helping you with your Malware problem.

I apologize for the delay in replying to your post; the forum has been extremely busy.

There may be a delay in my response to your posts as I am still currently in training. I will be helping you under the supervision of the teachers, and they will approve every post before I present it to you.

Please make no further changes or run any other tools unless instructed to. This may hinder the cleaning of your machine.

Please give me some time to look over your log, I will post the reply as soon as they are approved.
If I have not replied back to your post in 3 days, please send me a PM.


#5 Tokek

  • Members
  • 1,213 posts
  • Location: Jakarta, Indonesia

Posted 13 August 2009 - 07:45 PM

Hello Khunkao,

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode


Please reply with the GMER log and a new DDS log.
If I have not replied back to your post in 3 days, please send me a PM.


#6 khunkao

  • Topic Starter
  • Members
  • 33 posts

Posted 14 August 2009 - 10:21 AM

Here is the GMER.LOG

-------------------------------------------

GMER 1.0.15.15020 [bgvs9cl0.exe] - http://www.gmer.net
Rootkit scan 2009-08-14 11:22:54
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

Code 86E5F250 ZwEnumerateKey
Code 86E37A80 ZwFlushInstructionCache
Code 86E8C096 IofCallDriver
Code 86E8F096 IofCompleteRequest
Code 86F73C5D ZwSaveKey
Code 86DCBB25 ZwSaveKeyEx

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!IofCallDriver 804E13A7 5 Bytes JMP 86E8C09B
.text ntoskrnl.exe!IofCompleteRequest 804E17BD 5 Bytes JMP 86E8F09B
.text ntoskrnl.exe!ZwSaveKey 804E42AE 5 Bytes JMP 86F73C62
.text ntoskrnl.exe!ZwSaveKeyEx 804E42C2 5 Bytes JMP 86DCBB2A
PAGE ntoskrnl.exe!ZwEnumerateKey 80578E14 5 Bytes JMP 86E5F254
PAGE ntoskrnl.exe!ZwFlushInstructionCache 80587BFB 5 Bytes JMP 86E37A84
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\UACxbmjqrminy.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [480] 0x10000000
Library \\?\globalroot\systemroot\system32\UACxbmjqrminy.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [600] 0x10000000
Library \\?\globalroot\systemroot\system32\UACxbmjqrminy.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1508] 0x10000000
Library \\?\globalroot\systemroot\system32\UACxbmjqrminy.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1940] 0x01010000
Library \\?\globalroot\systemroot\system32\UACxbmjqrminy.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [2016] 0x10000000

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\UACflxsmkbnrw.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACflxsmkbnrw.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACflxsmkbnrw.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACiutewqbapp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACxbmjqrminy.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACllraoyqjxj.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacmask \\?\globalroot\systemroot\system32\UAClkspxsrnti.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACdwamhpexnw.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACflxsmkbnrw.sys
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACflxsmkbnrw.sys
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACiutewqbapp.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACxbmjqrminy.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACllraoyqjxj.dat
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacmask \\?\globalroot\systemroot\system32\UAClkspxsrnti.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACdwamhpexnw.dll

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\thperkins\Local Settings\Temp\UAC8d58.tmp 343040 bytes executable
File C:\WINDOWS\system32\drivers\UACflxsmkbnrw.sys 54784 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\UACdwamhpexnw.dll 20480 bytes executable
File C:\WINDOWS\system32\uacinit.dll 6145 bytes
File C:\WINDOWS\system32\UACiutewqbapp.dll 26624 bytes executable
File C:\WINDOWS\system32\UAClkspxsrnti.dll 18432 bytes executable
File C:\WINDOWS\system32\UACllraoyqjxj.dat 269 bytes
File C:\WINDOWS\system32\UACxbmjqrminy.dll 74240 bytes executable
File C:\WINDOWS\Temp\UAC4556.tmp 74240 bytes executable
File C:\WINDOWS\Temp\UAC5052.tmp 74240 bytes executable

---- EOF - GMER 1.0.15 ----

Here is the DDS.LOG

-----------------


DDS (Ver_09-07-30.01) - NTFSx86 NETWORK
Run by Administrator at 11:26:00.25 on Fri 08/14/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.696 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Documents and Settings\Administrator\My Documents\Downloads\bgvs9cl0.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.hp.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SetRefresh] c:\program files\compaq\setrefresh\SetRefresh.exe
mRun: [Recguard] c:\windows\sminst\Recguard.exe
mRun: [Reminder] c:\windows\creator\Remind_XP.exe
mRun: [Scheduler] c:\windows\sminst\Scheduler.exe
mRun: [WinVNC] "c:\program files\orl\vnc\WinVNC.exe" -servicehelper
mRun: [Realtime Monitor] c:\progra~1\ca\etrust~1\realmon.exe -s
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{24c67b54-0718-445e-b663-3138d9246bd1}\Icon3E5562ED7.ico
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
Trusted Zone: chartmover.com\www
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {5EF06782-55B2-4DF3-A57A-3FE8F1D2A181} - hxxps://app.advancedmd.com/practicemanager/ppmdcontrols/ppmdforms.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1187100176265
DPF: {6A6E7E91-B6EB-46B5-A545-12B8EDDD261E} - hxxps://app.advancedmd.com/practicemanager/ppmdcontrols/amdscontrols50.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {7E0FDFBB-87D4-43A1-9AD4-41F0EA8AFF7B} - hxxps://go.com/net6helper.cab
DPF: {7F017F97-9257-11D5-87EA-00B0D0BE6479} - hxxp://192.168.16.16/webris/powerscribeSDK/MSSOAP.cab
DPF: {88D969C0-F192-11D4-A65F-0040963251E5} - hxxp://192.168.16.16/webris/powerscribeSDK/msxml4.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {9602B3CE-BC91-417D-B4FD-F6538C2ABB3B} - hxxps://app.advancedmd.com/practicemanager/ppmdcontrols/amdswscheck.cab
DPF: {98EB948F-D2AF-4E43-8EDF-6B288E467EAA} - hxxp://192.168.16.16/webris/powerscribeSDK/Speech.cab
DPF: {9C50CC4C-11D3-4C96-A5CE-0259C15A2107} - hxxp://192.168.16.16/webris/powerscribeSDK/PowerscribeSDK.cab
DPF: {B15C3921-CCFA-4403-9E6F-4470839E835E} - hxxps://app.advancedmd.com/practicemanager/ppmdcontrols/leadtools.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CC99A86F-EA5D-414A-8231-7C3F1B10A644} - hxxps://app.advancedmd.com/practicemanager/ppmdcontrols/amdsaudio.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {EE8CEFA4-1F91-11D4-B31E-00C04F1D37E6} - hxxps://app.advancedmd.com/practicemanager/ppmdcontrols/ppmdvbdownload.cab
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\7smohosj.default\
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;c:\windows\system32\drivers\dwvkbd.sys [2007-2-15 26624]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [2007-8-14 9161]
S2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [2007-8-14 114016]
S2 jzippvfn;jzippvfn;c:\windows\system32\drivers\jedogpq.sys --> c:\windows\system32\drivers\jedogpq.sys [?]
S2 ssvqbpga;ssvqbpga;c:\windows\system32\drivers\csvasxw.sys --> c:\windows\system32\drivers\csvasxw.sys [?]
S3 DwMirror;DwMirror;c:\windows\system32\drivers\DamewareMini.sys [2007-2-7 3712]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]

=============== Created Last 30 ================

2009-08-13 15:09 <DIR> --d-h--- c:\windows\PIF
2009-08-12 16:20 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-08-12 16:19 3,942,048 a------- C:\mbam-setup.exe
2009-08-12 16:19 50,688 a------- C:\ATF-Cleaner.exe
2009-08-12 14:29 <DIR> --d----- C:\Downloads
2009-08-04 10:03 <DIR> --d----- c:\program files\Malo
2009-08-03 20:52 6,881,824 a------- C:\sloppy.bat
2009-08-03 13:11 359,932 a------- C:\dds(2).scr
2009-08-03 13:05 713 a------- c:\windows\system32\DWRCCMDError.ini
2009-08-03 12:44 <DIR> --d----- c:\windows\pss
2009-08-03 11:48 <DIR> --d----- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-08-03 10:48 2,992,448 a------- C:\mbam-rules.exe
2009-08-03 10:32 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-03 10:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-03 10:13 99 a------- C:\fix.reg
2009-08-03 10:10 <DIR> --d----- C:\_OTM
2009-08-03 10:07 407,552 a------- C:\otm.com
2009-08-03 09:33 3,775,176 a------- C:\joe.exe
2009-08-03 08:27 21,390 a------- C:\DBSINIT.EXE-2213E025.pf
2009-08-03 08:25 11,564 a------- C:\SVCHAST.EXE-01022618.pf
2009-08-03 08:25 24,000 a------- C:\WINDOWS ANTIVIRUS PRO.EXE-0F1C3295.pf

==================== Find3M ====================

2009-07-18 12:05 3,069,440 -------- c:\windows\system32\dllcache\mshtml.dll
2009-07-18 12:05 1,509,888 -------- c:\windows\system32\dllcache\shdocvw.dll
2009-06-26 12:50 666,624 a------- c:\windows\system32\wininet.dll
2009-06-26 12:50 666,624 -------- c:\windows\system32\dllcache\wininet.dll
2009-06-26 12:50 620,032 -------- c:\windows\system32\dllcache\urlmon.dll
2009-06-26 12:50 81,920 a------- c:\windows\system32\ieencode.dll
2009-06-26 12:50 81,920 -------- c:\windows\system32\dllcache\ieencode.dll
2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-16 10:36 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 10:36 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
2009-06-03 15:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-06-03 15:09 1,291,264 -------- c:\windows\system32\dllcache\quartz.dll
2007-08-16 18:45 2,366 a------- c:\documents and settings\all users\splash.reg

============= FINISH: 11:26:23.64 ===============

Edited by khunkao, 14 August 2009 - 10:23 AM.
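A triage script for the GMER log in the post above, added here as an example (it is not part of the thread, of GMER, or of any tool the helpers use). It parses the sections GMER prints and reports the inline JMP hooks on ntoskrnl exports, the hidden DLL loaded into the svchost.exe processes, and the service and files GMER tags as ROOTKIT; the sample input is a subset of the lines from that log, and the "more than 16 MiB from the patched export" rule for calling a hook target out-of-image is my own heuristic, not a GMER rule.

```python
"""Triage a GMER rootkit-scan log (added example; not part of this thread or
of GMER). Parses the plain-text sections GMER writes and reports what a
responder acts on: inline JMP hooks on kernel exports, libraries GMER marks
as hidden (grouped by host process), and service/file entries GMER tags
'<-- ROOTKIT !!!'."""
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER [\d.]+ ----$")
# ".text ntoskrnl.exe!IofCallDriver 804E13A7 5 Bytes JMP 86E8C09B"
HOOK_RE = re.compile(
    r"^(?P<seg>\.text|PAGE)\s+(?P<module>[^!\s]+)!(?P<export>\S+)\s+"
    r"(?P<addr>[0-9A-F]{8})\s+(?P<size>\d+) Bytes\s+JMP\s+(?P<target>[0-9A-F]{8})$")
# "Library <path> (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [480] 0x10000000"
LIB_RE = re.compile(
    r"^Library\s+(?P<path>\S+)\s+(?P<hidden>\(\*\*\* hidden \*\*\* \)\s+)?"
    r"@\s+(?P<proc>.+?)\s+\[(?P<pid>\d+)\]\s+(?P<base>0x[0-9A-Fa-f]+)$")
# "Service <path> (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!"
SVC_RE = re.compile(
    r"^Service\s+(?P<path>\S+)\s+(?P<hidden>\(\*\*\* hidden \*\*\* \)\s+)?"
    r"\[(?P<start>[A-Z_]+)\]\s+(?P<name>\S+)(?P<rk>\s+<-- ROOTKIT !!!)?$")
# "File C:\WINDOWS\Temp\UAC4556.tmp 74240 bytes executable <-- ROOTKIT !!!"
FILE_RE = re.compile(
    r"^File\s+(?P<path>.+?)\s+(?P<size>\d+) bytes(?P<exe>\s+executable)?"
    r"(?P<rk>\s+<-- ROOTKIT !!!)?$")

# Constructed sample: a subset of the lines from the GMER log posted in the thread.
SAMPLE_LOG = r"""GMER 1.0.15.15020 [bgvs9cl0.exe] - http://www.gmer.net
---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!IofCallDriver 804E13A7 5 Bytes JMP 86E8C09B
.text ntoskrnl.exe!ZwSaveKey 804E42AE 5 Bytes JMP 86F73C62
PAGE ntoskrnl.exe!ZwEnumerateKey 80578E14 5 Bytes JMP 86E5F254
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\UACxbmjqrminy.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [480] 0x10000000
Library \\?\globalroot\systemroot\system32\UACxbmjqrminy.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1940] 0x01010000
---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\UACflxsmkbnrw.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!
---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\thperkins\Local Settings\Temp\UAC8d58.tmp 343040 bytes executable
File C:\WINDOWS\system32\drivers\UACflxsmkbnrw.sys 54784 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\uacinit.dll 6145 bytes
File C:\WINDOWS\Temp\UAC4556.tmp 74240 bytes executable
---- EOF - GMER 1.0.15 ----
"""


def parse_gmer_log(text):
    """Return findings keyed by category; the section headers drive parsing."""
    out = {"hooks": [], "hidden_libs": defaultdict(list), "services": [], "files": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := SECTION_RE.match(line)):
            section = m["name"]
        elif section == "Kernel code sections" and (m := HOOK_RE.match(line)):
            out["hooks"].append({"export": f"{m['module']}!{m['export']}",
                                 "addr": int(m["addr"], 16),
                                 "target": int(m["target"], 16),
                                 "size": int(m["size"])})
        elif section == "Processes" and (m := LIB_RE.match(line)) and m["hidden"]:
            out["hidden_libs"][m["path"]].append(
                (m["proc"], int(m["pid"]), int(m["base"], 16)))
        elif section == "Services" and (m := SVC_RE.match(line)):
            out["services"].append({"name": m["name"], "path": m["path"],
                                    "hidden": bool(m["hidden"]), "rootkit": bool(m["rk"])})
        elif section == "Files" and (m := FILE_RE.match(line)):
            out["files"].append({"path": m["path"], "size": int(m["size"]),
                                 "executable": bool(m["exe"]), "rootkit": bool(m["rk"])})
    return out


def summarize(findings):
    """Render one triage line per finding."""
    lines = []
    for h in findings["hooks"]:
        # Heuristic (my assumption, not a GMER rule): ntoskrnl is a few MB, so a
        # detour landing more than 16 MiB from the patched export is outside the
        # kernel image, in memory the rootkit allocated for itself.
        far = abs(h["target"] - h["addr"]) > 16 * 1024 * 1024
        lines.append(f"HOOK {h['export']} {h['addr']:08X} -> {h['target']:08X}"
                     + (" (target outside kernel image)" if far else ""))
    for path, hosts in findings["hidden_libs"].items():
        pids = sorted(pid for _, pid, _ in hosts)
        lines.append(f"HIDDEN DLL {path} in {len(hosts)} process(es), PIDs {pids}")
    for s in findings["services"]:
        tag = "ROOTKIT" if s["rootkit"] else ("hidden" if s["hidden"] else "visible")
        lines.append(f"SERVICE {s['name']} -> {s['path']} [{tag}]")
    for x in findings["files"]:
        kind = "executable" if x["executable"] else "data"
        lines.append(f"FILE {x['path']} ({x['size']} bytes, {kind})"
                     + (" [ROOTKIT]" if x["rootkit"] else ""))
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(parse_gmer_log(SAMPLE_LOG))))
```

Feed it the full gmer.log from the post and every UAC* module and hidden service in the log is listed together with the processes it was injected into, which is the set the later Avenger script has to cover.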


#7 Tokek


Posted 14 August 2009 - 01:27 PM

Hello Khunkao,

Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2
Link 3


**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.



Please post the ComboFix log, a new DDS log and a description on how your PC is running.
If I have not replied back to your post in 3 days, please send me a PM.


#8 khunkao


Posted 14 August 2009 - 02:39 PM

I saved ComboFix.exe directly to my desktop and when I double-clicked on it, nothing happens. This happens a lot to many of my other executables, like MBAM.EXE for instance.

I am running from Safe Mode too.

Should I rename it to something like combo.bat?

Edited by khunkao, 14 August 2009 - 02:57 PM.


#9 Tokek


Posted 14 August 2009 - 04:40 PM

Hello Khunkao,

Go ahead and rename ComboFix.exe to something else, for example: FixMe.exe and rerun it.
If I have not replied back to your post in 3 days, please send me a PM.


#10 khunkao


Posted 17 August 2009 - 08:31 AM

Nothing. I renamed Combofix.exe to fixit.exe, fixit.bat or .cmd... nothing happens.
This Antivirus 2009 disabled my ability to run other things too. It also seems to have redirected my searches to strange websites.

Edited by khunkao, 17 August 2009 - 08:35 AM.


#11 Tokek


Posted 17 August 2009 - 04:00 PM

Hello Khunkao,
  • Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below code box to the clipboard by highlighting it and then pressing Ctrl+C.
        Drivers to delete:
        UACd.sys

        Files to delete:
        C:\Documents and Settings\thperkins\Local Settings\Temp\UAC8d58.tmp
        C:\WINDOWS\system32\drivers\UACflxsmkbnrw.sys
        C:\WINDOWS\system32\UACdwamhpexnw.dll
        C:\WINDOWS\system32\uacinit.dll
        C:\WINDOWS\system32\UACiutewqbapp.dll
        C:\WINDOWS\system32\UAClkspxsrnti.dll
        C:\WINDOWS\system32\UACllraoyqjxj.dat
        C:\WINDOWS\system32\UACxbmjqrminy.dll
        C:\WINDOWS\Temp\UAC4556.tmp
        C:\WINDOWS\Temp\UAC5052.tmp
  • In the Avenger window, click the Paste Script from Clipboard button.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
  • Please post this log, along with a new DDS log in your next reply.

Please reply with the Avenger log, a new DDS log and a description of how your PC is running.
If I have not replied back to your post in 3 days, please send me a PM.


#12 khunkao


Posted 17 August 2009 - 04:39 PM

It took me several tries to reboot successfully. The Windows startup would hang and there would be no login box.
When I finally booted successfully, this is what I got for the Avenger.log:


-------------------------------------------------------------------------------------------------------------------------------------
Logfile of The Avenger Version 2.0, by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver "UACd.sys" deleted successfully.
File "C:\Documents and Settings\thperkins\Local Settings\Temp\UAC8d58.tmp" deleted successfully.
File "C:\WINDOWS\system32\drivers\UACflxsmkbnrw.sys" deleted successfully.
File "C:\WINDOWS\system32\UACdwamhpexnw.dll" deleted successfully.
File "C:\WINDOWS\system32\uacinit.dll" deleted successfully.
File "C:\WINDOWS\system32\UACiutewqbapp.dll" deleted successfully.
File "C:\WINDOWS\system32\UAClkspxsrnti.dll" deleted successfully.
File "C:\WINDOWS\system32\UACllraoyqjxj.dat" deleted successfully.
File "C:\WINDOWS\system32\UACxbmjqrminy.dll" deleted successfully.
File "C:\WINDOWS\Temp\UAC4556.tmp" deleted successfully.

Error: file "C:\WINDOWS\Temp\UAC5052.tmp" not found!
Deletion of file "C:\WINDOWS\Temp\UAC5052.tmp" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.



Logfile of The Avenger Version 2.0, by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "uzrvqvt" found!
Could not open driver uzrvqvt for rootkit scan. Error:c0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Rootkit scan completed.


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\UACd.sys" not found!
Deletion of driver "UACd.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\Documents and Settings\thperkins\Local Settings\Temp\UAC8d58.tmp" deleted successfully.
File "C:\WINDOWS\system32\drivers\UACflxsmkbnrw.sys" deleted successfully.
File "C:\WINDOWS\system32\UACdwamhpexnw.dll" deleted successfully.
File "C:\WINDOWS\system32\uacinit.dll" deleted successfully.
File "C:\WINDOWS\system32\UACiutewqbapp.dll" deleted successfully.
File "C:\WINDOWS\system32\UAClkspxsrnti.dll" deleted successfully.
File "C:\WINDOWS\system32\UACllraoyqjxj.dat" deleted successfully.
File "C:\WINDOWS\system32\UACxbmjqrminy.dll" deleted successfully.
File "C:\WINDOWS\Temp\UAC4556.tmp" deleted successfully.

Error: file "C:\WINDOWS\Temp\UAC5052.tmp" not found!
Deletion of file "C:\WINDOWS\Temp\UAC5052.tmp" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.
-------------------------------------------------------------------------------------------------------------------------------------

This is my current DDS.LOG:


DDS (Ver_09-07-30.01) - NTFSx86
Run by Administrator at 17:40:56.54 on Mon 08/17/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.633 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\SMINST\Scheduler.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\WinZip\WZQKPICK.EXE
svchost.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\DWRCS.EXE
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\ORL\VNC\WinVNC.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\DWRCST.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\dds(2).scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.hp.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SetRefresh] c:\program files\compaq\setrefresh\SetRefresh.exe
mRun: [Recguard] c:\windows\sminst\Recguard.exe
mRun: [Reminder] c:\windows\creator\Remind_XP.exe
mRun: [Scheduler] c:\windows\sminst\Scheduler.exe
mRun: [WinVNC] "c:\program files\orl\vnc\WinVNC.exe" -servicehelper
mRun: [Realtime Monitor] c:\progra~1\ca\etrust~1\realmon.exe -s
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [DameWare MRC Agent] c:\windows\system32\DWRCST.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{24c67b54-0718-445e-b663-3138d9246bd1}\Icon3E5562ED7.ico
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
Trusted Zone: chartmover.com\www
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {5EF06782-55B2-4DF3-A57A-3FE8F1D2A181} - hxxps://app.advancedmd.com/practicemanager/ppmdcontrols/ppmdforms.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1187100176265
DPF: {6A6E7E91-B6EB-46B5-A545-12B8EDDD261E} - hxxps://app.advancedmd.com/practicemanager/ppmdcontrols/amdscontrols50.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {7E0FDFBB-87D4-43A1-9AD4-41F0EA8AFF7B} - hxxps://go.com/net6helper.cab
DPF: {7F017F97-9257-11D5-87EA-00B0D0BE6479} - hxxp://192.168.16.16/webris/powerscribeSDK/MSSOAP.cab
DPF: {88D969C0-F192-11D4-A65F-0040963251E5} - hxxp://192.168.16.16/webris/powerscribeSDK/msxml4.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {9602B3CE-BC91-417D-B4FD-F6538C2ABB3B} - hxxps://app.advancedmd.com/practicemanager/ppmdcontrols/amdswscheck.cab
DPF: {98EB948F-D2AF-4E43-8EDF-6B288E467EAA} - hxxp://192.168.16.16/webris/powerscribeSDK/Speech.cab
DPF: {9C50CC4C-11D3-4C96-A5CE-0259C15A2107} - hxxp://192.168.16.16/webris/powerscribeSDK/PowerscribeSDK.cab
DPF: {B15C3921-CCFA-4403-9E6F-4470839E835E} - hxxps://app.advancedmd.com/practicemanager/ppmdcontrols/leadtools.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CC99A86F-EA5D-414A-8231-7C3F1B10A644} - hxxps://app.advancedmd.com/practicemanager/ppmdcontrols/amdsaudio.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {EE8CEFA4-1F91-11D4-B31E-00C04F1D37E6} - hxxps://app.advancedmd.com/practicemanager/ppmdcontrols/ppmdvbdownload.cab
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\7smohosj.default\
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;c:\windows\system32\drivers\dwvkbd.sys [2007-2-15 26624]
R3 DwMirror;DwMirror;c:\windows\system32\drivers\DamewareMini.sys [2007-2-7 3712]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [2007-8-14 9161]
RUnknown mfhgx;mfhgx; [x]
RUnknown uzrvqvt;uzrvqvt; [x]
S2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [2007-8-14 114016]
S2 jzippvfn;jzippvfn;c:\windows\system32\drivers\jedogpq.sys --> c:\windows\system32\drivers\jedogpq.sys [?]
S2 ssvqbpga;ssvqbpga;c:\windows\system32\drivers\csvasxw.sys --> c:\windows\system32\drivers\csvasxw.sys [?]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]

=============== Created Last 30 ================

2009-08-17 09:40 <DIR> --d----- c:\program files\Enigma Software Group
2009-08-13 15:09 <DIR> --d-h--- c:\windows\PIF
2009-08-12 16:20 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-08-12 16:19 3,942,048 a------- C:\mbam-setup.exe
2009-08-12 16:19 50,688 a------- C:\ATF-Cleaner.exe
2009-08-12 14:29 <DIR> --d----- C:\Downloads
2009-08-04 10:03 <DIR> --d----- c:\program files\Malo
2009-08-03 20:52 6,881,824 a------- C:\sloppy.bat
2009-08-03 13:11 359,932 a------- C:\dds(2).scr
2009-08-03 13:05 713 a------- c:\windows\system32\DWRCCMDError.ini
2009-08-03 12:44 <DIR> --d----- c:\windows\pss
2009-08-03 11:48 <DIR> --d----- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-08-03 10:48 2,992,448 a------- C:\mbam-rules.exe
2009-08-03 10:32 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-03 10:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-03 10:10 <DIR> --d----- C:\_OTM
2009-08-03 10:07 407,552 a------- C:\otm.com
2009-08-03 09:33 3,775,176 a------- C:\joe.exe
2009-08-03 08:27 21,390 a------- C:\DBSINIT.EXE-2213E025.pf
2009-08-03 08:25 11,564 a------- C:\SVCHAST.EXE-01022618.pf
2009-08-03 08:25 24,000 a------- C:\WINDOWS ANTIVIRUS PRO.EXE-0F1C3295.pf

==================== Find3M ====================

2009-07-18 12:05 3,069,440 -------- c:\windows\system32\dllcache\mshtml.dll
2009-07-18 12:05 1,509,888 -------- c:\windows\system32\dllcache\shdocvw.dll
2009-06-26 12:50 666,624 a------- c:\windows\system32\wininet.dll
2009-06-26 12:50 666,624 -------- c:\windows\system32\dllcache\wininet.dll
2009-06-26 12:50 620,032 -------- c:\windows\system32\dllcache\urlmon.dll
2009-06-26 12:50 81,920 a------- c:\windows\system32\ieencode.dll
2009-06-26 12:50 81,920 -------- c:\windows\system32\dllcache\ieencode.dll
2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-16 10:36 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 10:36 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
2009-06-03 15:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-06-03 15:09 1,291,264 -------- c:\windows\system32\dllcache\quartz.dll
2007-08-16 18:45 2,366 a------- c:\documents and settings\all users\splash.reg

============= FINISH: 17:41:17.54 ===============


I was able to reboot successfully without stopping or hanging, and I can run ComboFix.exe.
ComboFix warned me that I do not have MS Recovery Console installed and asked to download it. I didn't know what to do so I closed out of it.
What should I do?

Edited by khunkao, 17 August 2009 - 04:43 PM.
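The "SERVICES / DRIVERS" block of the DDS log above is where the remains of this infection are easiest to see: two entries with an unknown start type and no backing file, and two stopped services whose randomly named drivers are missing from disk. The script below is an added triage example, not part of the post or of the DDS tool; it parses that block and flags those patterns, using the lines from the log above as its sample input. The vowel-ratio test for machine-generated names is a heuristic of my own, not something DDS does.

```python
"""Triage the SERVICES / DRIVERS section of a DDS log (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Sample input: the SERVICES / DRIVERS block copied from the DDS log above,
# framed by the section headers DDS prints around it.
SAMPLE_LOG = r"""
============= SERVICES / DRIVERS ===============

R1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;c:\windows\system32\drivers\dwvkbd.sys [2007-2-15 26624]
R3 DwMirror;DwMirror;c:\windows\system32\drivers\DamewareMini.sys [2007-2-7 3712]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [2007-8-14 9161]
RUnknown mfhgx;mfhgx; [x]
RUnknown uzrvqvt;uzrvqvt; [x]
S2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [2007-8-14 114016]
S2 jzippvfn;jzippvfn;c:\windows\system32\drivers\jedogpq.sys --> c:\windows\system32\drivers\jedogpq.sys [?]
S2 ssvqbpga;ssvqbpga;c:\windows\system32\drivers\csvasxw.sys --> c:\windows\system32\drivers\csvasxw.sys [?]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]

=============== Created Last 30 ================
"""

# One DDS service line: <R|S><start type or Unknown> name;display;path [date size]
# The bracket holds "x" or "?" when DDS could not find the service's file.
LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d|Unknown)\s+"
    r"(?P<name>[^;]*);(?P<display>[^;]*);(?P<path>[^\[]*)\[(?P<meta>[^\]]*)\]\s*$"
)

VOWELS = set("aeiouy")


@dataclass
class ServiceEntry:
    state: str    # R = running, S = stopped
    start: str    # start type digit, or "Unknown"
    name: str
    display: str
    path: str
    meta: str     # "date size", or "x" / "?" when the file was not found


def parse_services(log_text: str) -> List[ServiceEntry]:
    """Return the parsed entries of the SERVICES / DRIVERS section only."""
    entries: List[ServiceEntry] = []
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if "SERVICES / DRIVERS" in line:
            in_section = True
            continue
        if in_section and line.startswith("="):
            break  # next section header ends the block
        if not in_section:
            continue
        m = LINE_RE.match(line)
        if m:
            entries.append(ServiceEntry(
                m["state"], m["start"], m["name"], m["display"],
                m["path"].strip(), m["meta"].strip()))
    return entries


def looks_random(name: str) -> bool:
    """Heuristic (my own): all-lowercase, five or more letters, under 20% vowels."""
    letters = [c for c in name if c.isalpha()]
    if len(letters) < 5 or name != name.lower():
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    return vowel_ratio < 0.2


def triage(entries: List[ServiceEntry]) -> Dict[str, List[str]]:
    """Map each suspicious service name to the reasons it was flagged."""
    findings: Dict[str, List[str]] = {}
    for e in entries:
        reasons = []
        if e.start == "Unknown":
            reasons.append("start type could not be read (RUnknown)")
        if e.meta in ("x", "?"):
            reasons.append("backing file not found on disk ([x] / [?])")
        # Legitimate drivers normally carry a descriptive display name;
        # a random-looking name repeated as its own display name is a red flag.
        if e.name.lower() == e.display.lower() and looks_random(e.name):
            reasons.append("machine-generated-looking name with no descriptive display name")
        if reasons:
            findings[e.name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage(parse_services(SAMPLE_LOG)).items():
        print(f"{name}: " + "; ".join(reasons))
```

Running it lists mfhgx, uzrvqvt, jzippvfn and ssvqbpga and leaves the DameWare, Nortel and ZoneAlarm drivers alone; it is a triage aid for reading the log, not a verdict.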


#13 Tokek

Tokek

    Bleepin' Gecko


  • Members
  • 1,213 posts
  • OFFLINE
  • Gender:Male
  • Location:Jakarta, Indonesia
  • Local time:05:42 AM

Posted 17 August 2009 - 08:24 PM

Hello Khunkao,

If you still have ComboFix, feel free to run that by following the instructions below and ignore the download information. If you have deleted it, the download link is below.

Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2
Link 3


**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new DDS log for further review.
Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.



Please post the ComboFix log, a new DDS log and a description on how your PC is running.
If I have not replied back to your post in 3 days, please send me a PM.


#14 khunkao

khunkao
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  • Local time:08:42 AM

Posted 18 August 2009 - 08:30 AM

I rebooted several times and they have all been successful. I can visit sites like malwarebytes.org without getting redirected to something else. It also seems I am able to run things like Combofix, items I previously could not run.
Should I run Malwarebytes again?

After running ComboFix, I also ran ESET's Online Scanner just for good measure and it found three threats so far: Win32/Olmarik.KI trojan, Win32/Olmarik.HZ trojan and Win32/Olmarik.JQ trojan.

The trojan files quarantined were:

c:\windows\system32\UACxbmjqrminy.dll
c:\windows\system32\UAClkspxsrnti.dll
c:\windows\system32\UACiutewqbapp.dll




Here is the ComboFix report:

------------------------------------------------------------------------------------------------

ComboFix 09-08-10.06 - Administrator 08/18/2009 9:16.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.700 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\fixme.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
PEV Error: CacheFolder

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-1130116359-4277417950-2146920369-500
c:\recycler\S-1-5-21-2322712386-357967339-2079644369-500
c:\recycler\S-1-5-21-247674877-1043198755-3057704224-500
c:\recycler\S-1-5-21-4090836578-679329520-3290149956-500
C:\sloppy.bat
c:\windows\system32\uacinit.dll
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_UACd.sys
-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-07-18 to 2009-08-18 )))))))))))))))))))))))))))))))
.

2009-08-18 13:25 . 2009-08-18 13:25 -------- d-----w- c:\windows\LastGood
2009-08-17 13:40 . 2009-08-17 13:41 -------- d-----w- c:\program files\Enigma Software Group
2009-08-13 19:09 . 2009-08-13 19:09 -------- d--h--w- c:\windows\PIF
2009-08-13 18:59 . 2009-08-13 18:59 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-08-12 20:20 . 2009-08-12 20:20 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-12 20:19 . 2009-08-12 19:24 3942048 ----a-w- C:\mbam-setup.exe
2009-08-12 20:19 . 2009-08-12 19:24 50688 ----a-w- C:\ATF-Cleaner.exe
2009-08-12 18:37 . 2009-08-12 18:37 -------- d-----w- c:\documents and settings\administrator.CADUCPA\Application Data\Malwarebytes
2009-08-12 18:29 . 2009-08-12 19:24 -------- d-----w- C:\Downloads
2009-08-12 18:28 . 2009-08-12 18:28 0 ----a-w- c:\windows\nsreg.dat
2009-08-12 18:28 . 2009-08-12 18:28 -------- d-----w- c:\documents and settings\administrator.CADUCPA\Local Settings\Application Data\Mozilla
2009-08-12 18:22 . 2009-08-12 18:22 -------- d-s---w- c:\documents and settings\administrator.CADUCPA\UserData
2009-08-05 09:01 . 2009-08-05 09:01 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-04 14:03 . 2009-08-12 19:35 -------- d-----w- c:\program files\Malo
2009-08-03 17:11 . 2009-08-03 17:08 359932 ----a-w- C:\dds(2).scr
2009-08-03 15:48 . 2009-08-03 15:48 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-08-03 15:07 . 2009-08-03 15:07 -------- d-----w- c:\documents and settings\thperkins\Application Data\Malwarebytes
2009-08-03 14:48 . 2009-08-03 14:47 2992448 ----a-w- C:\mbam-rules.exe
2009-08-03 14:32 . 2009-08-03 14:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-03 14:32 . 2009-08-03 14:32 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Malwarebytes
2009-08-03 14:10 . 2009-08-03 14:10 -------- d-----w- C:\_OTM
2009-08-03 14:07 . 2009-08-03 14:02 407552 ----a-w- C:\otm.com
2009-08-03 13:33 . 2009-08-03 14:21 3775176 ----a-w- C:\joe.exe
2009-08-03 12:24 . 2009-08-03 16:08 20480 ----a-w- c:\windows\system32\UACdwamhpexnw.dll
2009-08-03 12:24 . 2009-08-03 16:08 18432 ----a-w- c:\windows\system32\UAClkspxsrnti.dll
2009-08-03 12:24 . 2009-08-12 19:04 269 ----a-w- c:\windows\system32\UACllraoyqjxj.dat
2009-08-03 12:24 . 2009-08-17 21:33 74240 ----a-w- c:\windows\system32\UACxbmjqrminy.dll
2009-08-03 12:24 . 2009-08-03 16:08 54784 ----a-w- c:\windows\system32\drivers\UACflxsmkbnrw.sys
2009-08-03 12:24 . 2009-08-03 16:08 26624 ----a-w- c:\windows\system32\UACiutewqbapp.dll
2009-07-28 11:22 . 2009-06-17 14:15 152576 ----a-w- c:\documents and settings\glsacknoff\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-07-28 11:22 . 2009-07-13 11:27 -------- d-sh--w- c:\documents and settings\glsacknoff\PrivacIE
2009-07-28 11:22 . 2009-07-13 11:26 -------- d-sh--w- c:\documents and settings\glsacknoff\IETldCache
2009-07-22 18:21 . 2009-07-22 18:21 -------- d-----w- c:\documents and settings\thperkins\Application Data\AdobeUM
2009-07-20 13:23 . 2009-07-20 13:23 -------- d-----w- c:\documents and settings\thperkins\WINDOWS
2009-07-20 13:23 . 2009-07-20 13:23 -------- d-----w- c:\documents and settings\thperkins\Application Data\Lf

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-05 09:01 . 2004-08-04 08:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-06-26 16:50 . 2004-08-04 08:00 666624 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 16:50 . 2004-08-04 08:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-06-16 14:36 . 2004-08-04 08:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-04 08:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-03 19:09 . 2004-08-04 08:00 1291264 ----a-w- c:\windows\system32\quartz.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-09-25 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-09-25 114688]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-09-25 94208]
"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 525824]
"Recguard"="c:\windows\Sminst\Recguard.exe" [2006-05-12 1138688]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2006-03-31 761856]
"Scheduler"="c:\windows\SMINST\Scheduler.exe" [2006-04-24 888832]
"WinVNC"="c:\program files\ORL\VNC\WinVNC.exe" [2001-03-16 208896]
"Realtime Monitor"="c:\progra~1\CA\ETRUST~1\realmon.exe" [2003-02-13 493024]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-07-12 4112384]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2004-07-12 81920]
"DameWare MRC Agent"="c:\windows\system32\DWRCST.exe" [2008-03-24 78848]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2004-07-12 843776]

c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
VPN Client.lnk - c:\windows\Installer\{24C67B54-0718-445E-B663-3138D9246BD1}\Icon3E5562ED7.ico [2007-8-14 6144]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2007-8-14 122880]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SMINST\\Scheduler.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;c:\windows\system32\drivers\dwvkbd.sys [2/15/2007 8:00 AM 26624]
R3 DwMirror;DwMirror;c:\windows\system32\drivers\DamewareMini.sys [2/7/2007 8:00 AM 3712]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [8/14/2007 12:17 PM 9161]
S2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [8/14/2007 12:17 PM 114016]
S2 jzippvfn;jzippvfn;c:\windows\system32\drivers\jedogpq.sys --> c:\windows\system32\drivers\jedogpq.sys [?]
S2 ssvqbpga;ssvqbpga;c:\windows\system32\drivers\csvasxw.sys --> c:\windows\system32\drivers\csvasxw.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
- - - - ORPHANS REMOVED - - - -

Notify-NavLogon - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.hp.com/
uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: chartmover.com\www
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {7F017F97-9257-11D5-87EA-00B0D0BE6479} - hxxp://192.168.16.16/webris/powerscribeSDK/MSSOAP.cab
DPF: {98EB948F-D2AF-4E43-8EDF-6B288E467EAA} - hxxp://192.168.16.16/webris/powerscribeSDK/Speech.cab
DPF: {9C50CC4C-11D3-4C96-A5CE-0259C15A2107} - hxxp://192.168.16.16/webris/powerscribeSDK/PowerscribeSDK.cab
FF - ProfilePath - c:\docume~1\ADMINI~1\APPLIC~1\Mozilla\Firefox\Profiles\7smohosj.default\
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-18 09:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1952)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\windows\system32\DWRCS.EXE
c:\program files\CA\eTrust Antivirus\InoRpc.exe
c:\program files\CA\eTrust Antivirus\InoRT.exe
c:\program files\CA\eTrust Antivirus\InoTask.exe
c:\windows\SoftwareDistribution\Download\Install\windows-kb890830-v2.13-delta.exe
c:\a2618b18d4007acf643efe\mrtstub.exe
c:\windows\system32\MRT.exe
.
**************************************************************************
.
Completion time: 2009-08-18 9:30 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-18 13:30

Pre-Run: 61,321,269,248 bytes free
Post-Run: 62,080,716,800 bytes free

215 --- E O F --- 2009-07-29 20:41


and the DDS.LOG....

-------------------------------------------------------------------------------------------------------------------


DDS (Ver_09-07-30.01) - NTFSx86
Run by Administrator at 9:33:14.89 on Tue 08/18/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.603 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\DWRCS.EXE
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\ORL\VNC\WinVNC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\DWRCST.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\SMINST\Scheduler.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\dds(2).scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.hp.com/
uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SetRefresh] c:\program files\compaq\setrefresh\SetRefresh.exe
mRun: [Recguard] c:\windows\sminst\Recguard.exe
mRun: [Reminder] c:\windows\creator\Remind_XP.exe
mRun: [Scheduler] c:\windows\sminst\Scheduler.exe
mRun: [WinVNC] "c:\program files\orl\vnc\WinVNC.exe" -servicehelper
mRun: [Realtime Monitor] c:\progra~1\ca\etrust~1\realmon.exe -s
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [DameWare MRC Agent] c:\windows\system32\DWRCST.exe
mRun: [MRT] "c:\windows\system32\MRT.exe" /R
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{24c67b54-0718-445e-b663-3138d9246bd1}\Icon3E5562ED7.ico
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
Trusted Zone: chartmover.com\www
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {5EF06782-55B2-4DF3-A57A-3FE8F1D2A181} - hxxps://app.advancedmd.com/practicemanager/ppmdcontrols/ppmdforms.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1187100176265
DPF: {6A6E7E91-B6EB-46B5-A545-12B8EDDD261E} - hxxps://app.advancedmd.com/practicemanager/ppmdcontrols/amdscontrols50.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {7E0FDFBB-87D4-43A1-9AD4-41F0EA8AFF7B} - hxxps://go.com/net6helper.cab
DPF: {7F017F97-9257-11D5-87EA-00B0D0BE6479} - hxxp://192.168.16.16/webris/powerscribeSDK/MSSOAP.cab
DPF: {88D969C0-F192-11D4-A65F-0040963251E5} - hxxp://192.168.16.16/webris/powerscribeSDK/msxml4.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {9602B3CE-BC91-417D-B4FD-F6538C2ABB3B} - hxxps://app.advancedmd.com/practicemanager/ppmdcontrols/amdswscheck.cab
DPF: {98EB948F-D2AF-4E43-8EDF-6B288E467EAA} - hxxp://192.168.16.16/webris/powerscribeSDK/Speech.cab
DPF: {9C50CC4C-11D3-4C96-A5CE-0259C15A2107} - hxxp://192.168.16.16/webris/powerscribeSDK/PowerscribeSDK.cab
DPF: {B15C3921-CCFA-4403-9E6F-4470839E835E} - hxxps://app.advancedmd.com/practicemanager/ppmdcontrols/leadtools.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CC99A86F-EA5D-414A-8231-7C3F1B10A644} - hxxps://app.advancedmd.com/practicemanager/ppmdcontrols/amdsaudio.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {EE8CEFA4-1F91-11D4-B31E-00C04F1D37E6} - hxxps://app.advancedmd.com/practicemanager/ppmdcontrols/ppmdvbdownload.cab
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\7smohosj.default\
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;c:\windows\system32\drivers\dwvkbd.sys [2007-2-15 26624]
R3 DwMirror;DwMirror;c:\windows\system32\drivers\DamewareMini.sys [2007-2-7 3712]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [2007-8-14 9161]
S2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [2007-8-14 114016]
S2 jzippvfn;jzippvfn;c:\windows\system32\drivers\jedogpq.sys --> c:\windows\system32\drivers\jedogpq.sys [?]
S2 spupdsvc;Windows Service Pack Installer update service;c:\windows\system32\spupdsvc.exe [2007-5-17 26488]
S2 ssvqbpga;ssvqbpga;c:\windows\system32\drivers\csvasxw.sys --> c:\windows\system32\drivers\csvasxw.sys [?]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]

=============== Created Last 30 ================

2009-08-18 09:30 118 a------- c:\windows\system32\MRT.INI
2009-08-18 09:29 <DIR> --d----- c:\windows\system32\dllcache\cache
2009-08-17 17:43 216,064 a------- c:\windows\PEV.exe
2009-08-17 17:43 161,792 a------- c:\windows\SWREG.exe
2009-08-17 17:43 98,816 a------- c:\windows\sed.exe
2009-08-17 09:40 <DIR> --d----- c:\program files\Enigma Software Group
2009-08-17 09:30 128,512 -------- c:\windows\system32\dllcache\dhtmled.ocx
2009-08-17 09:29 1,315,328 -------- c:\windows\system32\dllcache\msoe.dll
2009-08-13 15:09 <DIR> --d-h--- c:\windows\PIF
2009-08-12 16:20 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-08-12 16:19 3,942,048 a------- C:\mbam-setup.exe
2009-08-12 16:19 50,688 a------- C:\ATF-Cleaner.exe
2009-08-12 14:29 <DIR> --d----- C:\Downloads
2009-08-05 05:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-04 10:03 <DIR> --d----- c:\program files\Malo
2009-08-03 13:11 359,932 -------- C:\dds(2).scr
2009-08-03 13:05 713 a------- c:\windows\system32\DWRCCMDError.ini
2009-08-03 12:44 <DIR> --d----- c:\windows\pss
2009-08-03 11:48 <DIR> --d----- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-08-03 10:48 2,992,448 a------- C:\mbam-rules.exe
2009-08-03 10:32 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-03 10:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-03 10:10 <DIR> --d----- C:\_OTM
2009-08-03 10:07 407,552 a------- C:\otm.com
2009-08-03 09:33 3,775,176 a------- C:\joe.exe
2009-08-03 08:27 21,390 a------- C:\DBSINIT.EXE-2213E025.pf
2009-08-03 08:25 11,564 a------- C:\SVCHAST.EXE-01022618.pf
2009-08-03 08:25 24,000 a------- C:\WINDOWS ANTIVIRUS PRO.EXE-0F1C3295.pf
2009-08-03 08:24 20,480 a------- c:\windows\system32\UACdwamhpexnw.dll
2009-08-03 08:24 18,432 a------- c:\windows\system32\UAClkspxsrnti.dll
2009-08-03 08:24 269 a------- c:\windows\system32\UACllraoyqjxj.dat
2009-08-03 08:24 74,240 a------- c:\windows\system32\UACxbmjqrminy.dll
2009-08-03 08:24 26,624 a------- c:\windows\system32\UACiutewqbapp.dll

==================== Find3M ====================

2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-18 12:05 3,069,440 -------- c:\windows\system32\dllcache\mshtml.dll
2009-07-18 12:05 1,509,888 -------- c:\windows\system32\dllcache\shdocvw.dll
2009-07-17 15:01 58,880 a------- c:\windows\system32\SET14.tmp
2009-07-17 15:01 58,880 -------- c:\windows\system32\dllcache\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-13 23:43 10,841,088 -------- c:\windows\system32\dllcache\wmp.dll
2009-07-13 23:43 286,208 -------- c:\windows\system32\dllcache\wmpdxm.dll
2009-06-26 12:50 666,624 a------- c:\windows\system32\wininet.dll
2009-06-26 12:50 666,624 -------- c:\windows\system32\dllcache\wininet.dll
2009-06-26 12:50 620,032 -------- c:\windows\system32\dllcache\urlmon.dll
2009-06-26 12:50 81,920 a------- c:\windows\system32\ieencode.dll
2009-06-26 12:50 81,920 -------- c:\windows\system32\dllcache\ieencode.dll
2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-16 10:36 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 10:36 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
2009-06-12 08:31 80,896 a------- c:\windows\system32\tlntsess.exe
2009-06-12 08:31 80,896 -------- c:\windows\system32\dllcache\tlntsess.exe
2009-06-12 08:31 76,288 a------- c:\windows\system32\telnet.exe
2009-06-12 08:31 76,288 -------- c:\windows\system32\dllcache\telnet.exe
2009-06-10 10:13 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 10:13 84,992 -------- c:\windows\system32\dllcache\avifil32.dll
2009-06-10 09:19 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-06-10 09:19 2,066,432 -------- c:\windows\system32\dllcache\mstscax.dll
2009-06-10 02:14 132,096 a------- c:\windows\system32\wkssvc.dll
2009-06-10 02:14 132,096 -------- c:\windows\system32\dllcache\wkssvc.dll
2009-06-03 15:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-06-03 15:09 1,291,264 -------- c:\windows\system32\dllcache\quartz.dll
2007-08-16 18:45 2,366 a------- c:\documents and settings\all users\splash.reg

============= FINISH: 9:33:24.98 ===============

Edited by khunkao, 18 August 2009 - 10:46 AM.
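A worked triage of the log posted above, added here as an example; it is not part of the thread and not a DDS or BleepingComputer tool. It parses the SERVICES / DRIVERS and Created Last 30 sections and flags the entries a helper would look at first: services whose image file DDS could not find on disk (that is what the trailing `[?]` in place of a date and size means), consonant-heavy service names that double as their own display name, UAC-prefixed random filenames dropped into system32 (a pattern long associated with the TDSS rootkit family), and prefetch files whose name is one edit away from a Windows system binary (the posted SVCHAST.EXE prefetch entry). The sample text is a constructed excerpt shaped like the posted log, and the four rules are my own assumptions about what deserves a second look, not rules DDS applies.

```python
"""Triage heuristics for two sections of a DDS log. Added example, not a DDS or BleepingComputer
tool; the sample is a constructed excerpt of the posted log and the rules are my own assumptions."""
import re
from dataclasses import dataclass

SAMPLE_LOG = r"""
============= SERVICES / DRIVERS ===============

R1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;c:\windows\system32\drivers\dwvkbd.sys [2007-2-15 26624]
R3 DwMirror;DwMirror;c:\windows\system32\drivers\DamewareMini.sys [2007-2-7 3712]
S2 jzippvfn;jzippvfn;c:\windows\system32\drivers\jedogpq.sys --> c:\windows\system32\drivers\jedogpq.sys [?]
S2 ssvqbpga;ssvqbpga;c:\windows\system32\drivers\csvasxw.sys --> c:\windows\system32\drivers\csvasxw.sys [?]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]

=============== Created Last 30 ================

2009-08-03 08:25 11,564 a------- C:\SVCHAST.EXE-01022618.pf
2009-08-03 08:25 24,000 a------- C:\WINDOWS ANTIVIRUS PRO.EXE-0F1C3295.pf
2009-08-03 08:24 20,480 a------- c:\windows\system32\UACdwamhpexnw.dll
2009-08-03 08:24 269 a------- c:\windows\system32\UACllraoyqjxj.dat
2009-08-03 08:24 74,240 a------- c:\windows\system32\UACxbmjqrminy.dll

==================== Find3M ====================
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# state name;display;image path[ --> resolved path] [date size] or [?]
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.*?)"
    r"(?:\s+-->\s+(?P<target>.*?))?\s+\[(?P<stamp>[^\]]*)\]$"
)
FILE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2})\s+"
    r"(?P<size>[\d,]+|<DIR>)\s+(?P<attrs>\S{8})\s+(?P<path>.+)$"
)
# Assumed indicator: "UAC" followed by random lowercase letters, dropped into system32.
RANDOM_SYS32_RE = re.compile(r"^UAC[a-z]{6,}\.(dll|dat|sys)$")
# System binaries that malware imitates with a one-letter change (svchast -> svchost).
WINDOWS_NAMES = ("svchost", "lsass", "csrss", "smss", "winlogon", "services", "explorer")


@dataclass(frozen=True)
class Finding:
    kind: str     # "service" or "file"
    subject: str  # service name or full path
    reason: str


def split_sections(text):
    """Map each '=== Title ===' header to the non-blank lines beneath it."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections[current] = []
        elif current and line:
            sections[current].append(line)
    return sections


def edit_distance(a, b):
    """Levenshtein distance, used to catch look-alike binary names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage_services(lines):
    findings = []
    for m in filter(None, map(SERVICE_RE.match, lines)):
        name, display, stamp = m["name"], m["display"], m["stamp"]
        if stamp == "?":  # DDS prints [?] when the image file is not on disk
            findings.append(Finding("service", name, "binary not found on disk (DDS printed [?])"))
        vowels = sum(c in "aeiou" for c in name) / len(name)
        # Generated names tend to be lowercase, consonant-heavy and reused as the display name.
        if display == name and name.isalpha() and name.islower() and vowels < 0.2:
            findings.append(Finding("service", name, "random-looking name, no descriptive display name"))
    return findings


def triage_files(lines):
    findings = []
    for m in filter(None, map(FILE_RE.match, lines)):
        path = m["path"]
        base = path.rsplit("\\", 1)[-1]
        if RANDOM_SYS32_RE.match(base) and "\\system32\\" in path.lower():
            findings.append(Finding("file", path, "UAC-prefixed random name in system32"))
        if base.lower().endswith(".pf"):  # prefetch file: a binary with this name was executed
            stem = base.split(".", 1)[0].lower()
            for known in WINDOWS_NAMES:
                if stem != known and edit_distance(stem, known) == 1:
                    findings.append(Finding("file", path, f"prefetch entry for a look-alike of {known}.exe"))
    return findings


def triage(text):
    sections = split_sections(text)
    return (triage_services(sections.get("SERVICES / DRIVERS", []))
            + triage_files(sections.get("Created Last 30", [])))
```

Running `triage(SAMPLE_LOG)` on the excerpt returns eight findings: both of the `[?]` services are reported twice (missing binary, random name), the SVCHAST prefetch entry is reported as a look-alike of svchost.exe, and the three UAC-prefixed files are reported, while the DameWare, ZoneAlarm (vsdatant) and DwMirror entries pass. The vowel-ratio rule is deliberately conservative (vsdatant scores 0.25 and is not flagged); treat it as a prompt to look up the name, not as a verdict.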


#15 Tokek

    Bleepin' Gecko

  • Members
  • 1,213 posts
  • Gender:Male
  • Location:Jakarta, Indonesia

Posted 18 August 2009 - 01:33 PM

Hello Khunkao,

Looks like we're almost there, please bear with me a little longer so we can make sure that your system is completely clean.


Please run a scan with Malwarebytes Anti-Malware; I believe it's still installed on your system. If you don't have it, please follow the instructions below to download and install it.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (e.g. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


Please reply with the MBAM log, a new DDS log and a description of how your PC is running.
If I have not replied back to your post in 3 days, please send me a PM.
