hijack problem


  • This topic is locked
18 replies to this topic

#1 faceman802

faceman802

  • Members
  • 33 posts
  • OFFLINE
  • Local time:12:14 PM

Posted 08 November 2009 - 08:40 PM

I was asked by another mod to post my logs here for help, so here are my hijack logs and RootRepeal log, as requested by mod Garmanma. Topic referenced is here: http://www.bleepingcomputer.com/forums/t/268180/dont-know-what-the-problem-isor-even-if-there-is-a-problem/ ~ OB


DDS (Ver_09-10-26.01) - NTFSx86 NETWORK
Run by Owner at 20:20:58.23 on Sun 11/08/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.478.147 [GMT -5:00]

AV: Kaspersky Internet Security *On-access scanning enabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *enabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\MSN\MSNCoreFiles\MSN.EXE
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2009\ievkbd.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Verizon_McciTrayApp] c:\program files\verizon\McciTrayApp.exe
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe"
mRun: [NPSStartup]
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky internet security 2009\SCIEPlgn.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/mygarmin/m/GarminAxControl.CAB
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemydsl.verizon.net/sdcCommon/download/DSL/Verizon%20High%20Speed%20Internet%20Installer.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} - hxxp://dl.tvunetworks.com/TVUAx.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1233534767082
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {C8AEB218-8B7A-4E15-AC17-0EE8D99B80EB} - hxxp://archives.gametap.com/static/cab_headless/GameTapWebUpdater.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxsrvc.dll
Notify: klogon - c:\windows\system32\klogon.dll
Notify: Sebring - c:\windows\system32\LgNotify.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd.dll,c:\progra~1\kasper~1\kasper~1\adialhk.dll,c:\progra~1\kasper~1\kasper~1\kloehk.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\3y83o19v.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - plugin: c:\documents and settings\owner\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\owner\application data\mozilla\firefox\profiles\3y83o19v.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\owner\application data\mozilla\firefox\profiles\3y83o19v.default\extensions\gametap@gametap.com\plugins\npGameTapWebUpdater.dll
FF - plugin: c:\program files\gametap web player\bin\release\npGameTapWebPlayer.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAskSBr.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

FF - user.js: browser.sessionstore.resume_from_crash - false
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2008-11-12 29808]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-3-25 24592]
R3 WPC54Gv3;Linksys Wireless Notebook Adapter WPC54Gv3 Driver;c:\windows\system32\drivers\WPC54Gv3.SYS [2008-9-2 610816]
S0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-1-29 33808]
S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-10-12 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-10-12 74480]
S2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-7-7 54752]
S3 CBPMp50;CBPMp50 NDIS Protocol Driver;c:\windows\system32\drivers\cbpmp50.sys --> c:\windows\system32\drivers\CBPMp50.sys [?]
S3 CBPSp50;CBPSp50 NDIS Protocol Driver;c:\windows\system32\drivers\CBPSp50.sys [2008-9-2 27072]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2009-11-5 36608]
S3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [2008-3-13 26640]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-10-12 7408]
S3 TotRec7;Total Recorder WDM audio driver;c:\windows\system32\drivers\TotRec7.sys [2008-9-13 119448]

=============== Created Last 30 ================

2009-11-06 02:49:15 0 d-----w- c:\windows\system32\Samsung_USB_Drivers
2009-11-06 02:18:29 36608 ----a-w- c:\windows\system32\FsUsbExDisk.Sys
2009-11-06 02:18:29 110592 ----a-w- c:\windows\system32\FsUsbExDevice.Dll
2009-11-06 02:18:28 233472 ----a-w- c:\windows\system32\FsUsbExService.Exe
2009-11-06 02:17:31 0 d-----w- c:\docume~1\owner\applic~1\Samsung
2009-11-06 02:16:35 0 d-----w- c:\program files\MarkAny
2009-11-06 02:16:22 0 d-----w- c:\program files\PC Connectivity Solution
2009-11-06 02:14:53 0 d-----w- c:\program files\Samsung
2009-11-04 02:16:36 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-11-03 18:39:32 0 d-----w- c:\documents and settings\owner\DoctorWeb
2009-11-02 23:15:41 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-11-02 23:14:46 0 d-----w- c:\program files\SUPERAntiSpyware
2009-11-02 23:14:46 0 d-----w- c:\docume~1\owner\applic~1\SUPERAntiSpyware.com
2009-11-02 23:13:42 0 d-----w- c:\program files\common files\Wise Installation Wizard
2009-10-30 01:53:18 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-30 01:53:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-30 01:53:11 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-29 22:43:05 0 d-----w- C:\New
2009-10-29 02:16:41 73728 ----a-w- c:\windows\system32\javacpl.cpl

==================== Find3M ====================

2009-11-08 03:13:04 4132 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-11-08 03:13:03 892960 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-11-08 03:13:03 29360 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-11-08 03:13:02 3619872 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-10-29 02:15:03 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-14 21:21:46 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2009-10-14 21:21:45 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08:21 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-02-02 18:45:02 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009020220090203\index.dat

============= FINISH: 20:22:25.47 ===============



RootRepeal log

ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/11/08 20:26
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF6E56000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7AD4000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF6094000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\Documents and Settings\Owner\Local Settings\Temp\plugtmp-59\plugin-ads
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Temp\plugtmp-59\plugin-config.prodXml
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Temp\plugtmp-59\plugin-crossdomain-1.xml
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Temp\plugtmp-59\plugin-crossdomain.xml
Status: Visible to the Windows API, but not on disk.

Path: c:\documents and settings\all users\application data\kaspersky lab\avp8\data\av71.tmp
Status: Allocation size mismatch (API: 32546816, Raw: 0)

Path: c:\documents and settings\all users\application data\kaspersky lab\avp8\data\av72.tmp
Status: Allocation size mismatch (API: 32055296, Raw: 0)

==EOF==

Edited by Orange Blossom, 08 November 2009 - 11:20 PM.



#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,816 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:07:14 PM

Posted 14 November 2009 - 03:16 PM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues; this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with GMER's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------
Please be patient, and I'd be grateful if you would note the following:
  • The cleaning process is not instant. DDS logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
In the meantime, please do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

If you still need help, please include the following in your next reply:
  • A detailed description of your problems
  • A new DDS log
  • RootRepeal log


Please give me some time to review your logs and take the steps necessary with you to get your machine back in working order, clean and free of malware.

Thanks, and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#3 faceman802

faceman802
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  • Local time:12:14 PM

Posted 15 November 2009 - 04:34 PM

My laptop is experiencing really slow browsing on the web, if it works at all, even though my wireless signal is at full strength. Even plugged in and wired, the connection is still slow if not non-existent; however, when my laptop is in safe mode and wired, I experience a perfect connection and no slowdown in browsing at all. It's how I have to use my laptop now, full time, if I want to browse the web at all. Any other info you need, just ask, and I'll try to accommodate you if I can. Thanks for your help in advance with this.


DDS Log


DDS (Ver_09-10-26.01) - NTFSx86 NETWORK
Run by Owner at 10:03:47.67 on Sun 11/15/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.478.157 [GMT -5:00]

AV: Kaspersky Internet Security *On-access scanning disabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *enabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Documents and Settings\Owner\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2009\ievkbd.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Verizon_McciTrayApp] c:\program files\verizon\McciTrayApp.exe
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe"
mRun: [NPSStartup]
IE: Add to Banner Ad Blocker - c:\program files\kaspersky lab\kaspersky internet security 2009\ie_banner_deny.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky internet security 2009\SCIEPlgn.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/mygarmin/m/GarminAxControl.CAB
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemydsl.verizon.net/sdcCommon/download/DSL/Verizon%20High%20Speed%20Internet%20Installer.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} - hxxp://dl.tvunetworks.com/TVUAx.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1233534767082
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {C8AEB218-8B7A-4E15-AC17-0EE8D99B80EB} - hxxp://archives.gametap.com/static/cab_headless/GameTapWebUpdater.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxsrvc.dll
Notify: klogon - c:\windows\system32\klogon.dll
Notify: Sebring - c:\windows\system32\LgNotify.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd.dll,c:\progra~1\kasper~1\kasper~1\adialhk.dll,c:\progra~1\kasper~1\kasper~1\kloehk.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\3y83o19v.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - plugin: c:\documents and settings\owner\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\owner\application data\mozilla\firefox\profiles\3y83o19v.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\owner\application data\mozilla\firefox\profiles\3y83o19v.default\extensions\gametap@gametap.com\plugins\npGameTapWebUpdater.dll
FF - plugin: c:\program files\gametap web player\bin\release\npGameTapWebPlayer.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAskSBr.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

FF - user.js: browser.sessionstore.resume_from_crash - false
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2008-11-12 29808]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-3-25 24592]
R3 WPC54Gv3;Linksys Wireless Notebook Adapter WPC54Gv3 Driver;c:\windows\system32\drivers\WPC54Gv3.SYS [2008-9-2 610816]
S0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-1-29 33808]
S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-10-12 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-10-12 74480]
S2 CBTWlanSrv;CBT Wlan Service;c:\windows\CBTWlanSrv.exe [2008-9-2 106496]
S2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-7-7 54752]
S2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2009-11-5 233472]
S2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-5-19 240512]
S2 SlingAgentService;SlingAgentService;c:\program files\sling media\slingagent\SlingAgentService.exe [2008-12-10 88576]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-12-10 24652]
S3 CBPMp50;CBPMp50 NDIS Protocol Driver;c:\windows\system32\drivers\cbpmp50.sys --> c:\windows\system32\drivers\CBPMp50.sys [?]
S3 CBPSp50;CBPSp50 NDIS Protocol Driver;c:\windows\system32\drivers\CBPSp50.sys [2008-9-2 27072]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2009-11-5 36608]
S3 getPlusHelper;getPlus® Helper;c:\windows\system32\svchost.exe -k getPlusHelper [2004-6-22 14336]
S3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [2008-3-13 26640]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-10-12 7408]
S3 TotRec7;Total Recorder WDM audio driver;c:\windows\system32\drivers\TotRec7.sys [2008-9-13 119448]
S4 WRConsumerService;Webroot Client Service;c:\program files\webroot\webrootsecurity\WRConsumerService.exe [2008-12-14 1086840]

=============== Created Last 30 ================

2009-11-09 01:25:38 0 ----a-w- c:\documents and settings\owner\settings.dat
2009-11-06 02:49:15 0 d-----w- c:\windows\system32\Samsung_USB_Drivers
2009-11-06 02:18:29 36608 ----a-w- c:\windows\system32\FsUsbExDisk.Sys
2009-11-06 02:18:29 110592 ----a-w- c:\windows\system32\FsUsbExDevice.Dll
2009-11-06 02:18:28 233472 ----a-w- c:\windows\system32\FsUsbExService.Exe
2009-11-06 02:17:31 0 d-----w- c:\docume~1\owner\applic~1\Samsung
2009-11-06 02:16:35 0 d-----w- c:\program files\MarkAny
2009-11-06 02:16:22 0 d-----w- c:\program files\PC Connectivity Solution
2009-11-06 02:14:53 0 d-----w- c:\program files\Samsung
2009-11-04 02:16:36 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-11-03 18:39:32 0 d-----w- c:\documents and settings\owner\DoctorWeb
2009-11-02 23:15:41 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-11-02 23:14:46 0 d-----w- c:\program files\SUPERAntiSpyware
2009-11-02 23:14:46 0 d-----w- c:\docume~1\owner\applic~1\SUPERAntiSpyware.com
2009-11-02 23:13:42 0 d-----w- c:\program files\common files\Wise Installation Wizard
2009-10-30 01:53:18 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-30 01:53:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-30 01:53:11 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-29 22:43:05 0 d-----w- C:\New
2009-10-29 02:16:41 73728 ----a-w- c:\windows\system32\javacpl.cpl

==================== Find3M ====================

2009-11-11 22:42:28 892960 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-11-11 22:42:28 4132 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-11-11 22:42:27 3619872 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-11-11 22:42:27 29360 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-10-29 02:15:03 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-14 21:21:46 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2009-10-14 21:21:45 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08:21 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-02-02 18:45:02 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009020220090203\index.dat

============= FINISH: 10:03:57.34 ===============


Gmer log

GMER 1.0.15.15227 - http://www.gmer.net
Rootkit scan 2009-11-15 16:29:28
Windows 5.1.2600 Service Pack 3
Running: 13oyfz3v.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\pwtdapog.sys


---- User code sections - GMER 1.0.15 ----

? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
.text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] USER32.dll!AlignRects + FFFA5598 7E412A78 4 Bytes [70, 11, 41, 35]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!GetModuleFileNameA] 00B504A8
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] 00B504D2
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] 00B504FC
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] 00B50526
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!FreeLibrary] 00B50550
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!SetUnhandledExceptionFilter] 00B5057A
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!SetErrorMode] 00B505A4
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] 00B505CE
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!GetModuleFileNameW] 00B505F8
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] 00B50622
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryW] 00B5064C
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!FreeLibrary] 00B50676
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] 00B506A0
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] 00B506CA
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] 00B506F4
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] 00B5071E
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryW] 00B50748
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!GetModuleFileNameW] 00B50772
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] 00B5079C
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!FreeLibrary] 00B507C6
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] 00B507F0
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!CreateProcessW] 00B5081A
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetModuleFileNameA] 00B50844
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] 00B5086E
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] 00B50898
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] 00B508C2
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] 00B508EC
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!FreeLibrary] 00B50916
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetModuleFileNameW] 00B50940
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] 00B5096A
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] 00B50994
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] 00B509BE
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!FreeLibrary] 00B509E8
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] 00B50A12
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] 00B50A3C
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!SetErrorMode] 00B50C34
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!SetUnhandledExceptionFilter] 00B50C5E
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] 00B50C88
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryA] 00B50CB2
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!FreeLibrary] 00B50CDC
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!CreateProcessA] 00B50D06
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!CreateProcessW] 00B50D30
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!GetModuleFileNameA] 00B50D5A
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!GetModuleFileNameW] 00B50D84
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] 00B50E2C
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] 00B50E56
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!CreateProcessW] 00B50E80
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetModuleFileNameW] 00B50EAA
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!SetErrorMode] 00B50ED4
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] 00B50EFE
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] 00B50F28
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] 00B50F52
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!FreeLibrary] 00B50F7C
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] 00B50FA6
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!SetUnhandledExceptionFilter] 00B50FD0
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!SetErrorMode] 00B80010
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetModuleFileNameW] 00B8003A
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] 00B80064
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] 00B8008E
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] 00B800B8
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!CreateProcessA] 00B800E2
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!CreateProcessW] 00B8010C
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!FreeLibrary] 00B80136
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] 00B80160
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] 00B8018A
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetModuleFileNameA] 00B801B4
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetProcAddress] 00B801DE
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] 00B80208
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!FreeLibrary] 00B80232
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] 00B8025C
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetModuleFileNameW] 00B80286
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] 00B802B0
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExA] 00B802DA
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateProcessW] 00B80304
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] 00B8032E
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!LoadLibraryA] 00B80994
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!FreeLibrary] 00B809BE
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!GetProcAddress] 00B809E8
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!SetUnhandledExceptionFilter] 00B80A12
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!SetErrorMode] 00B80BE0
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!LoadLibraryW] 00B80C0A
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!LoadLibraryExA] 00B80C34
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!CreateProcessW] 00B80C5E
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!GetModuleFileNameW] 00B80C88
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!GetProcAddress] 00B80CB2
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!FreeLibrary] 00B80CDC
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!LoadLibraryA] 00B80D06
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!SetUnhandledExceptionFilter] 00B80D30
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\iphlpapi.dll [KERNEL32.dll!SetUnhandledExceptionFilter] 00B50358
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\iphlpapi.dll [KERNEL32.dll!FreeLibrary] 00B501DE
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\iphlpapi.dll [KERNEL32.dll!GetProcAddress] 00B5025C
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\iphlpapi.dll [KERNEL32.dll!LoadLibraryA] 00B50286
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!GetProcAddress] 00B5025C
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!GetModuleFileNameA] 00B50208
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryA] 00B50286
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!FreeLibrary] 00B501DE
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] 00B50358
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!FreeLibrary] 00B501DE
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!SetUnhandledExceptionFilter] 00B50358
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!LoadLibraryA] 00B50286
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!GetModuleFileNameA] 00B50208
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!GetProcAddress] 00B5025C
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!FreeLibrary] 00B501DE
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] 00B5025C
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] 00B50286
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] 00B50358
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExA] 00B502B0
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExW] 00B502DA
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!GetModuleFileNameW] 00B50232
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!GetModuleFileNameA] 00B50208
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!LoadLibraryW] 00B50304
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] 00B50358
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!LoadLibraryA] 00B50286
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!FreeLibrary] 00B501DE
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!GetProcAddress] 00B5025C
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!GetModuleFileNameA] 00B50208
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\SAMLIB.dll [KERNEL32.dll!SetUnhandledExceptionFilter] 00B50358
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryW] 00B50304
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!SetErrorMode] 00B5032E
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!GetModuleFileNameA] 00B50208
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!SetUnhandledExceptionFilter] 00B50358
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryExW] 00B502DA
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!GetProcAddress] 00B5025C
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryA] 00B50286
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!FreeLibrary] 00B501DE
IAT C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[584] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!GetModuleFileNameW] 00B50232

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip msfwhlpr.sys (OneCare Firewall Helper Driver/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp msfwhlpr.sys (OneCare Firewall Helper Driver/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp msfwhlpr.sys (OneCare Firewall Helper Driver/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp msfwhlpr.sys (OneCare Firewall Helper Driver/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet002\Services\msqpdxserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\msqpdxserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\msqpdxserv.sys@imagepath \systemroot\system32\drivers\msqpdxpaxtofxh.sys
Reg HKLM\SYSTEM\ControlSet002\Services\msqpdxserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\msqpdxserv.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\msqpdxserv.sys\modules@msqpdxserv \systemroot\system32\drivers\msqpdxpaxtofxh.sys
Reg HKLM\SYSTEM\ControlSet002\Services\msqpdxserv.sys\modules@msqpdxl \systemroot\system32\msqpdxosvdnrsr.dll
Reg HKLM\SYSTEM\ControlSet002\Services\msqpdxserv.sys\modules@msqpdxdfswfh35g2 \systemroot\system32\msqpdxriqpcfum.dll

---- EOF - GMER 1.0.15 ----
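The Registry section of the GMER log above is the part a helper reads first: a driver service (msqpdxserv.sys) whose image path and three "modules" entries point at system32 files with random-looking names, and which GMER flags as living in a ControlSet that is not the active one. The short Python script below is an added triage example, not part of the original post and not a tool the helpers in this thread used. It parses DDS service lines and GMER "Reg" lines, cross-checks which GMER-reported services are missing from the DDS inventory, decodes the Type/Start values (standard Windows service registry meanings), and lists the on-disk files to collect. The sample input is copied from the two logs in this thread; mapping the kernel's \SystemRoot\ prefix to c:\windows is an assumption that holds for a default XP install, and the flag reasons are this script's own heuristics, not GMER's.

```python
"""Triage helper: cross-check GMER 'Reg' hits against the DDS service inventory."""
import re
from collections import defaultdict

# Constructed sample: service lines taken from the DDS log posted in this thread.
DDS_SERVICES = r"""
S3 CBPSp50;CBPSp50 NDIS Protocol Driver;c:\windows\system32\drivers\CBPSp50.sys [2008-9-2 27072]
S3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [2008-3-13 26640]
S4 WRConsumerService;Webroot Client Service;c:\program files\webroot\webrootsecurity\WRConsumerService.exe [2008-12-14 1086840]
"""

# Constructed sample: the Registry section of the GMER log posted in this thread.
GMER_REG = r"""
Reg HKLM\SYSTEM\ControlSet002\Services\msqpdxserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\msqpdxserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\msqpdxserv.sys@imagepath \systemroot\system32\drivers\msqpdxpaxtofxh.sys
Reg HKLM\SYSTEM\ControlSet002\Services\msqpdxserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\msqpdxserv.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\msqpdxserv.sys\modules@msqpdxserv \systemroot\system32\drivers\msqpdxpaxtofxh.sys
Reg HKLM\SYSTEM\ControlSet002\Services\msqpdxserv.sys\modules@msqpdxl \systemroot\system32\msqpdxosvdnrsr.dll
Reg HKLM\SYSTEM\ControlSet002\Services\msqpdxserv.sys\modules@msqpdxdfswfh35g2 \systemroot\system32\msqpdxriqpcfum.dll
"""

# Service 'Type' and 'Start' registry values (decimal, as GMER prints them).
SERVICE_TYPE = {"1": "kernel driver", "2": "file system driver",
                "16": "own process", "32": "shared process"}
SERVICE_START = {"0": "boot", "1": "system", "2": "auto", "3": "manual", "4": "disabled"}

DDS_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[[^\]]*\]\s*$")
SERVICE_KEY_RE = re.compile(r"\\Services\\([^\\]+)", re.IGNORECASE)
CONTROLSET_RE = re.compile(r"\\(CurrentControlSet|ControlSet\d+)\\", re.IGNORECASE)


def parse_dds_services(text):
    """Return [{'state','name','display','path'}] for DDS 'S3 name;display;path [..]' lines."""
    out = []
    for line in text.splitlines():
        m = DDS_RE.match(line.strip())
        if m:
            state, name, display, path = m.groups()
            out.append({"state": state, "name": name, "display": display, "path": path})
    return out


def parse_gmer_reg(text):
    """Group GMER 'Reg key[@value] data' lines by service: values, 'modules' entries, notes."""
    services = defaultdict(lambda: {"controlset": None, "values": {}, "modules": {}, "notes": []})
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("Reg "):
            continue
        token, _, data = line[4:].partition(" ")   # "key[@value]" then the data
        key, _, value = token.partition("@")
        m = SERVICE_KEY_RE.search(key)
        if not m:
            continue
        rec = services[m.group(1)]
        cs = CONTROLSET_RE.search(key)
        if cs:
            rec["controlset"] = cs.group(1)
        if key.lower().endswith("\\modules"):
            if value:
                rec["modules"][value] = data        # extra files loaded by the service
            elif data:
                rec["notes"].append(data)           # e.g. "(not active ControlSet)"
        elif value:
            rec["values"][value.lower()] = data
    return dict(services)


def resolve_nt_path(path, windir="c:\\windows"):
    """Map the kernel-style \\SystemRoot\\ prefix to the Windows directory (assumed c:\\windows)."""
    prefix = "\\systemroot\\"
    if path.lower().startswith(prefix):
        return windir + "\\" + path[len(prefix):]
    return path


def triage(dds_text, gmer_text):
    """Flag GMER-reported services and list the on-disk files to collect for analysis."""
    inventory = {s["name"].lower() for s in parse_dds_services(dds_text)}
    findings = []
    for name, rec in parse_gmer_reg(gmer_text).items():
        reasons = []
        if name.lower() not in inventory:
            reasons.append("service absent from DDS inventory")
        if rec["modules"]:
            reasons.append("loads %d extra module(s) from a 'modules' subkey" % len(rec["modules"]))
        reasons.extend("GMER note: " + n for n in rec["notes"])
        paths = [rec["values"].get("imagepath")] + list(rec["modules"].values())
        files = sorted({resolve_nt_path(p) for p in paths if p})
        findings.append({
            "service": name,
            "controlset": rec["controlset"],
            "type": SERVICE_TYPE.get(rec["values"].get("type"), rec["values"].get("type")),
            "start": SERVICE_START.get(rec["values"].get("start"), rec["values"].get("start")),
            "group": rec["values"].get("group"),
            "reasons": reasons,
            "files": files,
        })
    return findings


if __name__ == "__main__":
    for f in triage(DDS_SERVICES, GMER_REG):
        print(f["service"], f["type"], f["start"], f["controlset"], f["group"])
        for r in f["reasons"]:
            print("  -", r)
        for p in f["files"]:
            print("  collect:", p)
```

Run on the sample it reports one service, msqpdxserv.sys, as a system-start kernel driver in the "file system" group that is absent from the DDS inventory and pulls in three files under c:\windows\system32. The script only restates what the two logs already show in a form that is easy to act on (which files to collect, which keys to export); it does not identify the family, and that identification is left to the scanners the helper asks for next.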

#4 Elise (Malware Study Hall Admin)

Posted 16 November 2009 - 04:26 AM

Hello faceman802,

COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Bleepingcomputer
  • ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


In your next reply, please include the following:
  • Combofix.txt

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#5 faceman802 (Topic Starter)

Posted 16 November 2009 - 04:33 PM

When I try to run ComboFix in regular mode I get a message stating that:

!! ALERT !! It is NOT SAFE to continue!

The contents of the ComboFix package has been compromised. Please download a fresh copy from
http:/bleepingcomputer.com/combofix/how-to-use-combofix

Note:You may be infected with a file patching virus :virut"

It wasn't a specialized window, just a generic Windows window. No marking or idea of what program created it.

Needless to say I'm stuck at this point now. I didn't want to try to run it in Safe Mode until I got the go-ahead from you. So what do we do now? Thanks.
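The alert quoted in the post above is a tool refusing to run because its own integrity check failed, which is the behaviour you want from anything that is about to run with high privileges on a machine suspected of carrying a file infector. As an added illustration, not ComboFix's code (the thread does not document what ComboFix actually checks), the Python below shows the shape of such a check: a trailer holding a SHA-256 of the package body, verified at start-up, with a constructed fake package in place of a real executable. The MAGIC marker, the fake package layout and the patch offset are all assumptions made for the demo.

```python
"""Self-integrity trailer: refuse to run when the package body has been patched."""
import hashlib

MAGIC = b"SELFCHK1"   # hypothetical trailer marker, assumed for this example
DIGEST_LEN = 32       # SHA-256 output length


def seal(package: bytes) -> bytes:
    """Append MAGIC + SHA-256(package) so the package can check itself at start-up."""
    return package + MAGIC + hashlib.sha256(package).digest()


def verify(blob: bytes):
    """Return (ok, message). A missing trailer and a changed body both fail closed."""
    trailer = len(MAGIC) + DIGEST_LEN
    if len(blob) < trailer or blob[-trailer:-DIGEST_LEN] != MAGIC:
        return False, "no integrity trailer: refuse to run"
    body, expected = blob[:-trailer], blob[-DIGEST_LEN:]
    if hashlib.sha256(body).digest() != expected:
        return False, "package contents modified: download a fresh copy"
    return True, "package intact"


def patch_bytes(blob: bytes, offset: int, patch: bytes) -> bytes:
    """Simulate a file-patching infector overwriting bytes inside the body."""
    return blob[:offset] + patch + blob[offset + len(patch):]


# Constructed stand-in for a tool package: a fake header, a code blob and a resource blob.
PACKAGE = b"MZ" + b"\x90" * 64 + b"CODE" * 32 + b"RSRC" * 16


def demo():
    """Intact, patched-in-the-code-region, and trailer-stripped outcomes."""
    sealed = seal(PACKAGE)
    intact = verify(sealed)
    infected = verify(patch_bytes(sealed, 80, b"\xe9\x00\x10\x00\x00"))   # jmp stub over code
    stripped = verify(sealed[:-(len(MAGIC) + DIGEST_LEN)])                # trailer cut off
    return intact[0], infected[0], stripped[0]


if __name__ == "__main__":
    print(demo())   # expected (True, False, False)
```

A plain hash trailer catches exactly the case the alert names: an infector that patches every executable it finds without knowing about the check. It does not stop someone who deliberately patches the body and re-seals it, so the "download a fresh copy" advice only closes the loop if the fresh copy is fetched from the publisher's own site and, where the publisher provides one, compared against a published hash or a code signature.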

#6 Elise (Malware Study Hall Admin)

Posted 17 November 2009 - 05:17 AM

Hello faceman802,

Okay, let's check that out with an online scan.

KASPERSKY ONLINE SCAN
-----------------------------------
Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
In your next reply, please include the following:
  • Kaspersky scan results

regards, Elise

#7 faceman802 (Topic Starter)

Posted 17 November 2009 - 04:05 PM

Kaspersky online scan report:

Tuesday, November 17, 2009
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, November 17, 2009 15:58:55
Records in database: 3229364
Scan settings
scan using the following database extended
Scan archives yes
Scan e-mail databases yes
Scan area My Computer
C:\
D:\
Scan statistics
Objects scanned 87661
Threats found 1
Infected objects found 1
Suspicious objects found 0
Scan duration 04:32:45

File name Threat Threats count
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\10\4a808d8a-39d60cf7 Infected: Trojan-Downloader.Java.OpenStream.ad 1
Selected area has been scanned.

#8 Elise (Malware Study Hall Admin)

Posted 17 November 2009 - 04:16 PM

Please delete your old copy of Combofix, download a new one, and try running it again.

regards, Elise

#9 faceman802 (Topic Starter)

Posted 17 November 2009 - 05:44 PM

ComboFix run in Safe Mode, which is the only way it would run:

ComboFix 09-11-18.04 - Owner 11/17/2009 17:21.1.1 - x86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.478.184 [GMT -5:00]
Running from: c:\documents and settings\Owner\My Documents\Downloads\ComboFix.exe
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-1488018017-707485047-3602277516-1003
c:\recycler\S-1-5-21-2813485913-4116339037-3355495370-1005
c:\recycler\S-1-5-21-3052689220-2853511648-3012505981-1003
c:\recycler\S-1-5-21-3929092118-2281859393-1097217307-1003
c:\recycler\S-1-5-21-796845957-1708537768-1343024091-1003
c:\recycler\S-1-5-21-992452117-2258272498-4129910425-1003

.
((((((((((((((((((((((((( Files Created from 2009-10-17 to 2009-11-17 )))))))))))))))))))))))))))))))
.

2009-11-09 01:25 . 2009-11-09 01:25 0 ----a-w- c:\documents and settings\Owner\settings.dat
2009-11-06 02:49 . 2009-11-06 02:50 -------- d-----w- c:\windows\system32\Samsung_USB_Drivers
2009-11-06 02:20 . 2009-11-06 02:20 -------- d-----w- c:\program files\DIFX
2009-11-06 02:18 . 2009-02-19 14:34 36608 ----a-w- c:\windows\system32\FsUsbExDisk.Sys
2009-11-06 02:18 . 2009-02-19 14:34 110592 ----a-w- c:\windows\system32\FsUsbExDevice.Dll
2009-11-06 02:18 . 2009-02-19 14:34 233472 ----a-w- c:\windows\system32\FsUsbExService.Exe
2009-11-06 02:17 . 2009-11-06 02:48 69632 ----a-w- c:\documents and settings\Owner\Application Data\Samsung\New PC Studio\DriverChecker.exe
2009-11-06 02:17 . 2009-11-06 02:17 -------- d-----w- c:\documents and settings\Owner\Application Data\Samsung
2009-11-06 02:16 . 2009-11-06 02:16 -------- d-----w- c:\program files\MarkAny
2009-11-06 02:16 . 2009-11-06 02:16 -------- d-----w- c:\program files\PC Connectivity Solution
2009-11-06 02:14 . 2009-11-06 02:14 -------- d-----w- c:\program files\Samsung
2009-11-04 02:16 . 2009-11-17 14:21 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-11-03 18:39 . 2009-11-03 18:39 -------- d-----w- c:\documents and settings\Owner\DoctorWeb
2009-11-02 23:16 . 2009-11-02 23:16 117760 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-02 23:15 . 2009-11-02 23:15 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-11-02 23:14 . 2009-11-02 23:15 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-02 23:14 . 2009-11-02 23:14 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2009-11-02 23:13 . 2009-11-02 23:13 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-30 01:53 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-30 01:53 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-30 01:53 . 2009-10-30 01:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-29 22:43 . 2009-10-29 22:43 -------- d-----w- C:\New
2009-10-29 02:09 . 2009-10-29 02:09 152576 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_16\lzma.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-17 21:11 . 2008-09-03 17:01 -------- d-----w- c:\documents and settings\Owner\Application Data\MSN6
2009-11-06 02:49 . 2004-06-23 17:44 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-02 03:17 . 2008-09-20 04:27 -------- d-----w- c:\program files\Verizon
2009-10-29 02:15 . 2008-12-08 18:04 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-29 02:14 . 2008-09-17 20:58 -------- d-----w- c:\program files\Java
2009-10-16 00:22 . 2009-03-01 22:16 -------- d-----w- c:\program files\Common Files\Intuit
2009-10-07 02:20 . 2009-07-08 00:44 -------- d-----w- c:\program files\Windows Live
2009-09-13 01:52 . 2009-09-11 20:30 89864 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-09-11 14:18 . 2004-06-22 22:18 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2004-06-22 22:18 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-03 15:53 . 2009-09-10 13:58 30912 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\3y83o19v.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2009-09-03 15:53 . 2009-09-10 13:58 22848 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\3y83o19v.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg_bootstrap.exe
2009-09-03 15:53 . 2009-09-10 13:57 19792 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\3y83o19v.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
2009-08-29 08:08 . 2006-06-23 15:33 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2004-06-22 22:19 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-01-27 01:34 . 2009-01-27 01:34 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-01-27 01:34 . 2009-01-27 01:34 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2004-02-10 118784]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-11-20 98304]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-11-20 499712]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2007-03-11 936960]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
2003-12-16 23:49 110592 ----a-w- c:\windows\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=DrvTrNTm.dll
"wave"=DrvTrNTm.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=c:\windows\pss\BigFix.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Status Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Status Monitor.lnk
backup=c:\windows\pss\Status Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"msfwsvc"=2 (0x2)
"WRConsumerService"=2 (0x2)
"wltrysvc"=2 (0x2)
"WebrootSpySweeperService"=2 (0x2)
"Brother XP spl Service"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [11/12/2008 4:02 PM 29808]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [10/12/2009 9:24 PM 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/12/2009 9:24 PM 74480]
S2 CBTWlanSrv;CBT Wlan Service;c:\windows\CBTWlanSrv.exe [9/2/2008 8:28 PM 106496]
S2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [7/7/2009 7:54 PM 54752]
S2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [11/5/2009 9:18 PM 233472]
S2 SlingAgentService;SlingAgentService;c:\program files\Sling Media\SlingAgent\SlingAgentService.exe [12/10/2008 6:05 PM 88576]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [12/10/2008 10:47 PM 24652]
S3 CBPMp50;CBPMp50 NDIS Protocol Driver;c:\windows\system32\Drivers\CBPMp50.sys --> c:\windows\system32\Drivers\CBPMp50.sys [?]
S3 CBPSp50;CBPSp50 NDIS Protocol Driver;c:\windows\system32\drivers\CBPSp50.sys [9/2/2008 8:27 PM 27072]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [8/5/2009 9:48 PM 704864]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [11/5/2009 9:18 PM 36608]
S3 getPlusHelper;getPlus® Helper;c:\windows\System32\svchost.exe -k getPlusHelper [6/22/2004 5:19 PM 14336]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [10/12/2009 9:24 PM 7408]
S3 TotRec7;Total Recorder WDM audio driver;c:\windows\system32\drivers\TotRec7.sys [9/13/2008 12:36 PM 119448]
S3 WPC54Gv3;Linksys Wireless Notebook Adapter WPC54Gv3 Driver;c:\windows\system32\drivers\WPC54Gv3.SYS [9/2/2008 8:27 PM 610816]
S4 WRConsumerService;Webroot Client Service;c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [12/14/2008 1:43 PM 1086840]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2009-11-17 c:\windows\Tasks\User_Feed_Synchronization-{CC37D918-BB91-490E-9E49-A8F64809DAC9}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 09:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/mygarmin/m/GarminAxControl.CAB
DPF: {C8AEB218-8B7A-4E15-AC17-0EE8D99B80EB} - hxxp://archives.gametap.com/static/cab_headless/GameTapWebUpdater.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\3y83o19v.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - plugin: c:\documents and settings\Owner\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\3y83o19v.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\3y83o19v.default\extensions\GameTap@gametap.com\plugins\npGameTapWebUpdater.dll
FF - plugin: c:\program files\GameTap Web Player\bin\release\npGameTapWebPlayer.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAskSBr.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

FF - user.js: browser.sessionstore.resume_from_crash - false
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-NPSStartup - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-17 17:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1686071658-933296537-1562137378-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(432)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\System32\BCMLogon.dll
c:\windows\System32\LgNotify.dll

- - - - - - - > 'explorer.exe'(536)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2009-11-17 17:40
ComboFix-quarantined-files.txt 2009-11-17 22:39

Pre-Run: 6,888,767,488 bytes free
Post-Run: 7,968,067,584 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 26DE4DE77B0EDEBD0370779354C96AB0
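A small triage pass over the ComboFix log above. This is an added example, not part of the thread and not ComboFix or DDS code. It parses a few lines copied from the log (embedded as constructed sample input, with the hxxp defanging undone before URLs are parsed) and flags what a responder checks first: a service whose binary is gone (ComboFix prints `path --> path [?]` for CBPMp50), a service hosted by svchost.exe under a group name that does not ship with XP (getPlusHelper, matching the svchost key further down the log), a service executable sitting directly in %SystemRoot% rather than system32 or Program Files (CBTWlanSrv), a Run value that no longer resolves (the NPSStartup orphan), and Firefox search prefs whose host is not a stock engine (slirsredirect.search.aol.com, consistent with the "AIM Search" engine selected in the same log). The trusted-directory prefixes, the stock svchost group set and the expected search hosts are assumptions chosen for this example, not authoritative lists.

```python
import re
from urllib.parse import urlparse

# Constructed sample input: a handful of lines copied from the ComboFix log
# above (Run values, service lines, Firefox prefs, the orphan entry).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2004-02-10 118784]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2007-03-11 936960]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [11/12/2008 4:02 PM 29808]
S2 CBTWlanSrv;CBT Wlan Service;c:\windows\CBTWlanSrv.exe [9/2/2008 8:28 PM 106496]
S3 CBPMp50;CBPMp50 NDIS Protocol Driver;c:\windows\system32\Drivers\CBPMp50.sys --> c:\windows\system32\Drivers\CBPMp50.sys [?]
S3 getPlusHelper;getPlus Helper;c:\windows\System32\svchost.exe -k getPlusHelper [6/22/2004 5:19 PM 14336]

FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=

HKLM-Run-NPSStartup - (no file)
"""

# Line shapes as ComboFix prints them in the sections quoted above.
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<date>\S+)\s+(?P<size>\d+)\]$')
SVC_RE = re.compile(r'^(?P<start>[RS]\d) (?P<name>[^;]*);(?P<display>[^;]*);(?P<rest>.+)$')
FF_RE = re.compile(r'^FF - prefs\.js: (?P<pref>\S+) - (?P<value>.+)$')
ORPHAN_RE = re.compile(r'^HKLM-Run-(?P<name>\S+) - \(no file\)$')

# Assumptions used as triage baselines for this example, not authoritative lists.
TRUSTED_PREFIXES = ("c:\\windows\\system32\\", "c:\\program files\\")
STOCK_SVCHOST_GROUPS = {"dcomlaunch", "rpcss", "netsvcs", "localservice",
                        "networkservice", "imgsvc", "termsvcs", "httpfilter"}
SEARCH_PREFS = {"browser.search.defaulturl", "keyword.URL"}
EXPECTED_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "search.yahoo.com", "search.live.com"}


def triage(log):
    """Return (category, detail) findings in log order; empty list means nothing flagged."""
    findings = []
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = RUN_RE.match(line)
        if m:
            # A Run value pointing outside system32 / Program Files deserves a look.
            if not m.group("path").lower().startswith(TRUSTED_PREFIXES):
                findings.append(("unusual-location", f'{m.group("name")} -> {m.group("path")}'))
            continue

        m = SVC_RE.match(line)
        if m:
            rest = m.group("rest")
            if rest.endswith("[?]"):
                # ComboFix prints "path --> path [?]" when the binary is gone.
                findings.append(("service-binary-missing",
                                 f'{m.group("name")} -> {rest.split(" --> ")[0]}'))
                continue
            path_display = rest.rsplit(" [", 1)[0]
            path = path_display.lower()
            if " -k " in path:
                # svchost-hosted: the group name is the registry key that names the DLL really loaded.
                group = path.split(" -k ", 1)[1].strip()
                if group not in STOCK_SVCHOST_GROUPS:
                    findings.append(("custom-svchost-group", f'{m.group("name")} -> {group}'))
            elif not path.startswith(TRUSTED_PREFIXES):
                findings.append(("unusual-location", f'{m.group("name")} -> {path_display}'))
            continue

        m = FF_RE.match(line)
        if m:
            if m.group("pref") in SEARCH_PREFS:
                # The log defangs URLs as hxxp; undo that before parsing the host.
                host = urlparse(m.group("value").replace("hxxp", "http", 1)).hostname or ""
                if host not in EXPECTED_SEARCH_HOSTS:
                    findings.append(("search-redirect", f'{m.group("pref")} -> {host}'))
            continue

        m = ORPHAN_RE.match(line)
        if m:
            findings.append(("orphaned-run-value", m.group("name")))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:24} {detail}")
```

Every finding is a lead to verify, not a verdict: the CBTWlanSrv service and the getPlus helper in this log belong to installed software (the Linksys adapter driver and the Adobe download helper whose files appear in the Find3M report above), and the AOL search redirect is what an AIM toolbar configures. The value of the pass is that it turns a 1,200-line log into half a dozen lines to check by hand.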

#10 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,816 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:07:14 PM

Posted 18 November 2009 - 03:10 AM

Hello faceman802,

MALWAREBYTES ANTIMALWARE
-------------------------------------------
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

If after installation, MBAM will not run, open the Malwarebytes' Anti-Malware folder in Program Files.
  • Right-click on mbam.exe, rename it to myscan.exe.
  • Double-click on myscan.exe to launch the program.
  • If that did not work, then try renaming it again, this time changing the .exe extension in the same way as noted above.
  • Double-click on myscan.scr (or whatever extension you renamed it) to launch the program.
If using Windows Vista, refer to How to Change a File Extension in Windows Vista.


In your next reply, please include the following:
  • MBAM log

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Malware analyst @ Emsisoft


#11 faceman802

faceman802
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  • Local time:12:14 PM

Posted 18 November 2009 - 09:07 PM

MBAM log

Malwarebytes' Anti-Malware 1.41
Database version: 3195
Windows 5.1.2600 Service Pack 3

11/18/2009 9:05:21 PM
mbam-log-2009-11-18 (21-05-21).txt

Scan type: Full Scan (C:\|)
Objects scanned: 190651
Time elapsed: 3 hour(s), 0 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#12 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,816 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:07:14 PM

Posted 19 November 2009 - 04:09 AM

Hello again :(

I don't see any malware that may cause your problems; however, maybe the following is of interest.

http://www.systemlookup.com/Startup/16817-ZCfgSvc_exe.html

I recommend you prevent this program from running on startup and see if that solves the problems.

If you are not sure how to do this, please let me know. It would also be handy if you posted attach.txt (re-run DDS; attach.txt will be minimized).

regards, Elise




#13 faceman802

faceman802
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  • Local time:12:14 PM

Posted 19 November 2009 - 04:09 PM

I think I stopped it from loading up. I went to msconfig, Services, and unchecked the Wireless Zero Configuration box.

Here is the attach file, attached.

Attached Files



#14 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,816 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:07:14 PM

Posted 19 November 2009 - 04:21 PM

Hello faceman802,

Okay, please let me know how things are running now. Use your computer for a day or two and let me know if things are changed.

UNINSTALL PROGRAMS
--------------------------------
Go to Start > Control Panel > Add or Remove Programs.

Remove the following programs, if they are present.
- Ask Toolbar
- AutoUpdate
- Viewpoint Media Player

If you are unsure of how to use Add or Remove Programs, then please see this tutorial:
How To Remove An Installed Program From Your Computer


UPDATE JAVA
------------------
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 16.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u15-windows-i586.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

Edited by elise025, 19 November 2009 - 04:23 PM.

regards, Elise




#15 faceman802

faceman802
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  • Local time:12:14 PM

Posted 21 November 2009 - 05:15 PM

Been working on it for 2 days and it seems to be working OK. I can surf and do everything I want, and there is no lag or stopping like there was before. Do you need to see any more logs, or are we good? Thanks for all your help fixing this. I greatly appreciate it. Thanks again.



