system infected message on desktop


  • This topic is locked
52 replies to this topic

#1 jmfft
  • Members
  • 27 posts
  • OFFLINE
  • Local time:12:10 AM

Posted 11 November 2009 - 12:12 AM

dds scan starts to run but will not show the two logs.
root repeal started scan but triggered a system crash and now will not start. I have attached a HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:37:13 PM, on 11/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Rising\Rav\CCENTER.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Rising\Rav\RavMonD.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Rising\Rav\rsnetsvr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\FsUsbExService.Exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\eMail ID\IconixService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Rising\Rav\RavTask.exe
C:\Program Files\Rising\Rav\ScanFrm.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\eMail ID\OEAddOn\OEdmn_5.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\SweetIM\Messenger\SweetIM.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\winupdate.exe
C:\Program Files\Rising\Rav\RsTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Creative\Shared Files\CamTray.exe
C:\Program Files\Samsung\Samsung New PC Studio\NPSAgent.exe
C:\DOCUME~1\Amie\LOCALS~1\Temp\drweb.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Belkin\F5D8053\Belkinwcui.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\DOCUME~1\Amie\LOCALS~1\Temp\setup.exe
C:\DOCUME~1\Amie\LOCALS~1\Temp\svchost.exe
C:\DOCUME~1\Amie\LOCALS~1\Temp\lsass.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Java\jre1.6.0_01\bin\javaw.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.ca/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
R3 - URLSearchHook: SweetIM ToolbarURLSearchHook Class - {EEE6C35D-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgHelper.dll
O2 - BHO: C:\WINDOWS\system32\xrxb1.dll - {A2234B15-23F2-42AD-F4E4-00AAC39C0004} - C:\WINDOWS\system32\xrxb1.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: SweetIM Toolbar for Internet Explorer - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IconixOEAddOn] "C:\Program Files\eMail ID\OEAddOn\OEdmn_5.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [SweetIM] C:\Program Files\SweetIM\Messenger\SweetIM.exe
O4 - HKLM\..\Run: [PD0620 STISvc] RunDLL32.exe P0620Pin.dll,RunDLL32EP 513
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [FBSearch] C:\Program Files\Search Guard Plus\SearchGuardPlus.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [winupdate.exe] C:\WINDOWS\system32\winupdate.exe
O4 - HKLM\..\Run: [RavTray] "C:\Program Files\Rising\Rav\RsTray.exe" -system
O4 - HKLM\..\Run: [calc] rundll32.exe C:\WINDOWS\system32\calc.dll,_IWMPEvents@0
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Creative WebCam Tray] "C:\Program Files\Creative\Shared Files\CamTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AutoStartNPSAgent] C:\Program Files\Samsung\Samsung New PC Studio\NPSAgent.exe
O4 - HKCU\..\Run: [Yjafosi8kdf98winmdkmnkmfnwe] C:\DOCUME~1\Amie\LOCALS~1\Temp\drweb.exe
O4 - HKCU\..\Run: [calc] rundll32.exe C:\DOCUME~1\NETWOR~1\ntuser.dll,_IWMPEvents@0
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: MP3 Rocket (Minimized).lnk = C:\Program Files\MP3 Rocket\MP3Rocket.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Belkin F5D8053 N Wireless USB Adapter Utility.lnk = C:\Program Files\Belkin\F5D8053\Belkinwcui.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Run Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ca\msntabres.dll.mui/229?1becc5a10a8349228d237056a5397466
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ca\msntabres.dll.mui/230?1becc5a10a8349228d237056a5397466
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {400A6CFA-E326-4d61-A90C-9AD75358DC5F} - C:\Program Files\eMail ID\IEAddOn\IconixBHO_41.dll
O9 - Extra 'Tools' menuitem: Email ID Preferences - {400A6CFA-E326-4d61-A90C-9AD75358DC5F} - C:\Program Files\eMail ID\IEAddOn\IconixBHO_41.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {BC3F6B6D-2E49-4603-B028-7411655713F3} - C:\Program Files\eMail ID\IEAddOn\IconixBHO_41.dll
O9 - Extra 'Tools' menuitem: About Email ID - {BC3F6B6D-2E49-4603-B028-7411655713F3} - C:\Program Files\eMail ID\IEAddOn\IconixBHO_41.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.43 85.255.112.185
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O22 - SharedTaskScheduler: gsajkfh873whdngo8wuidgs4rgfr4 - {A2234B15-23F2-42AD-F4E4-00AAC39C0004} - C:\WINDOWS\system32\xrxb1.dll
O22 - SharedTaskScheduler: kjaf83hfriunf3sf9sfinoi\sufh\87sefhuhdd - {A45A4B15-23F2-42AD-F4E4-00AAC39C0004} - C:\WINDOWS\system32\iuvwcj1o.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: FsUsbExService - Teruten - C:\WINDOWS\system32\FsUsbExService.Exe
O23 - Service: Iconix Update Service (IconixService) - Unknown owner - C:\Program Files\Common Files\eMail ID\IconixService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: Rav Process Communication Center (RavCCenter) - Beijing Rising Information Technology Co., Ltd. - C:\Program Files\Rising\Rav\CCENTER.EXE
O23 - Service: Rising RavTask Manager (RavTask) - Beijing Rising Information Technology Co., Ltd. - C:\Program Files\Rising\Rav\RavTask.exe
O23 - Service: Rising RealTime Monitor (RsRavMon) - Beijing Rising Information Technology Co., Ltd. - C:\Program Files\Rising\Rav\RavMonD.exe
O23 - Service: Rising Scan Service (RsScanSrv) - Beijing Rising Information Technology Co., Ltd. - C:\Program Files\Rising\Rav\ScanFrm.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

--
End of file - 13390 bytes
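A worked example added here by the editor, not part of jmfft's post and not code from HijackThis: a small Python script that applies, as rules, the checks a malware-removal helper makes by eye on a log like the one above (core Windows process names running from the user's Temp folder, Run values with random-looking names or commands under the user profile, O7 policy restrictions, a BHO or SharedTaskScheduler entry registered under a random name, and O17 NameServer values that differ between control sets or from the resolvers the operator expects). The sample input is an excerpt copied from the log above; the expected-resolver set is an assumption (OpenDNS, matching the CCS line), and every hit is a triage hint to investigate, not a verdict.

```python
"""Heuristic triage of a HijackThis v2 log (added example, not HJT code)."""
import re

# Excerpt copied from the log posted above (a constructed subset of its lines).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\lsass.exe
C:\DOCUME~1\Amie\LOCALS~1\Temp\drweb.exe
C:\DOCUME~1\Amie\LOCALS~1\Temp\svchost.exe
C:\DOCUME~1\Amie\LOCALS~1\Temp\lsass.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: C:\WINDOWS\system32\xrxb1.dll - {A2234B15-23F2-42AD-F4E4-00AAC39C0004} - C:\WINDOWS\system32\xrxb1.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [winupdate.exe] C:\WINDOWS\system32\winupdate.exe
O4 - HKCU\..\Run: [Yjafosi8kdf98winmdkmnkmfnwe] C:\DOCUME~1\Amie\LOCALS~1\Temp\drweb.exe
O4 - HKCU\..\Run: [calc] rundll32.exe C:\DOCUME~1\NETWOR~1\ntuser.dll,_IWMPEvents@0
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.43 85.255.112.185
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O22 - SharedTaskScheduler: gsajkfh873whdngo8wuidgs4rgfr4 - {A2234B15-23F2-42AD-F4E4-00AAC39C0004} - C:\WINDOWS\system32\xrxb1.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Core Windows process names whose genuine copies live in system32; the same
# name running from anywhere else (here: the user's Temp folder) is not Windows.
SYSTEM_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe"}
SYSTEM_DIR = r"c:\windows\system32"
# Resolvers the operator expects on this machine (assumption: OpenDNS, as on the CCS line).
EXPECTED_DNS = {"208.67.220.220", "208.67.222.222"}

USER_WRITABLE = re.compile(r"\\(docume~1|documents and settings|users|temp)\\", re.I)
RANDOM_NAME = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{16,}$", re.I)  # e.g. Yjafosi8kdf98winmdkmnkmfnwe
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[^}]+\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - \S+: \[(?P<key>[^\]]*)\] (?P<cmd>.*)$")
O17_RE = re.compile(r"^O17 - HKLM\\System\\(?P<cs>\w+)\\.*NameServer = (?P<ns>.*)$")
O22_RE = re.compile(r"^O22 - SharedTaskScheduler: (?P<name>.*?) - \{")


def triage(log_text):
    """Return a list of (rule, log line) findings for one HijackThis log."""
    findings, nameservers, in_processes = [], {}, False
    for line in (raw.strip() for raw in log_text.splitlines()):
        if not line:
            in_processes = False  # a blank line ends the "Running processes:" block
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            directory, _, name = line.rpartition("\\")
            if directory and name.lower() in SYSTEM_NAMES and directory.lower() != SYSTEM_DIR:
                findings.append(("process: system binary name outside system32", line))
            elif USER_WRITABLE.search(line):
                findings.append(("process: running from user-writable location", line))
            continue
        m = O4_RE.match(line)
        if m:
            if RANDOM_NAME.match(m["key"]):
                findings.append(("O4: random-looking Run value name", line))
            if USER_WRITABLE.search(m["cmd"]):
                findings.append(("O4: autorun from user-writable location", line))
            continue
        if line.startswith("O7 - "):  # HJT lists regedit/taskmgr policy restrictions here
            findings.append(("O7: user restriction policy set", line))
            continue
        m = O17_RE.match(line)
        if m:
            servers = set(re.split(r"[ ,]+", m["ns"].strip()))
            nameservers[m["cs"]] = servers
            if servers - EXPECTED_DNS:
                findings.append(("O17: unexpected DNS server(s) " + ",".join(sorted(servers - EXPECTED_DNS)), line))
            continue
        m = O2_RE.match(line)
        if m and m["name"].lower() == m["path"].lower():  # HJT prints the path when the BHO has no name
            findings.append(("O2: BHO with no registered name (shows its own path)", line))
            continue
        m = O22_RE.match(line)
        if m and RANDOM_NAME.match(m["name"]):
            findings.append(("O22: random-looking SharedTaskScheduler name", line))
    # A NameServer that changed between the last-known-good set (CS1) and the
    # current set (CCS) means the DNS configuration was rewritten recently.
    if len({frozenset(s) for s in nameservers.values()}) > 1:
        findings.append(("O17: NameServer differs between control sets",
                         "; ".join(f"{cs}={','.join(sorted(ns))}" for cs, ns in sorted(nameservers.items()))))
    return findings


if __name__ == "__main__":
    for rule, line in triage(SAMPLE_LOG):
        print(f"[{rule}] {line}")
```

Run against the excerpt it prints eleven hits: the three Temp-folder processes, the two autoruns pointing into the user profile, the random Run value name, the O7 policy, the unnamed BHO and its matching SharedTaskScheduler entry, and both O17 conditions (the CS1 resolvers are neither the expected ones nor those in CCS). Anything the rules are silent on (winupdate.exe in system32, for instance) still needs a human or a file scan; the script only orders the work.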

#2 Elise
    Bleepin' Blonde
  • Malware Study Hall Admin
  • 60,833 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:10:10 AM

Posted 17 November 2009 - 09:12 AM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------
Please be patient and I'd be grateful if you would note the following
  • The cleaning process is not instant. DDS logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new DDS log
  • GMER log


Please give me some time to review your logs and take the steps necessary with you to get your machine back in working order clean and free of malware.

Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."
Malware analyst @ Emsisoft


#3 jmfft
  • Topic Starter
  • Members
  • 27 posts
  • OFFLINE
  • Local time:12:10 AM

Posted 17 November 2009 - 12:11 PM

I couldn't run the GMER scan properly. It would bring up the following error messages.
LoadDriver(C:DOCUME-1\Amie\LOCALS-1\Temp\fgloapob.sys")error 0xc0000061: Access is denied.
C:\WINDOWS|system32\config\system:Access is denied.
Documents and Settings\Amie\ntuser.dat. The process cannot access the file because it is being used by another process.
If I hit okay a couple of times for the last error message a popup appears stating GMER hasn't found any system modifications.
I tried to start in SAFE mode to run the GMER scan and the following error comes up.
PAGE_FAULT_IN_NONPAGED_AREA
technical info
*** STOP: 0x00000050 (0xc82d302c, 0x00000001, 0x80537009, 0x00000000)

Other issues are that Task Manager is disabled and when trying to look up anything malware related via an internet search engine the results are redirected to various advertisements. When restarting the computer a rundll error came up: Error loading C:DOCUME-1\NETWOR-1\ntuser.dll


I have posted the DDS text and attached the Attach.txt file.
DDS (Ver_09-10-26.01) - NTFSx86
Run by Amie at 9:21:53.99 on Tue 11/17/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1320 [GMT -7:00]

AV: Rising Antivirus *On-access scanning enabled* (Outdated) {234E4A88-48FA-4220-A994-5323706FF524}

============== Running Processes ===============

svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
svchost.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Rising\Rav\RsTray.exe
C:\DOCUME~1\Amie\LOCALS~1\Temp\sostem.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Amie\Local Settings\Temporary Internet Files\Content.IE5\4L424LR6\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = hxxp://www.dell.ca/myway
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com
uURLSearchHooks: H - No File
uURLSearchHooks: SweetIM ToolbarURLSearchHook Class: {eee6c35d-6118-11dc-9c72-001320c79847} - c:\program files\sweetim\toolbars\internet explorer\mgHelper.dll
BHO: c:\windows\system32\xrxb1.dll: {a2234b15-23f2-42ad-f4e4-00aac39c0004} - c:\windows\system32\xrxb1.dll
BHO: c:\windows\system32\iuvwcj1o.dll: {a45a4b15-23f2-42ad-f4e4-00aac39c0004} - c:\windows\system32\iuvwcj1o.dll
TB: ZoneAlarm Spy Blocker: {f0d4b239-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\zonealarmsb\bar\1.bin\SPYBLOCK.DLL
TB: SweetIM Toolbar for Internet Explorer: {eee6c35b-6118-11dc-9c72-001320c79847} - c:\program files\sweetim\toolbars\internet explorer\mgToolbarIE.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [MsnMsgr] "c:\progra~1\wi1f86~1\messen~1\msnmsgr.exe" /background
uRun: [Creative WebCam Tray] "c:\program files\creative\shared files\CamTray.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [AutoStartNPSAgent] c:\program files\samsung\samsung new pc studio\NPSAgent.exe
uRun: [Yjafosi8kdf98winmdkmnkmfnwe] c:\documents and settings\amie\local settings\temp\notepad.exe
uRun: [calc] rundll32.exe c:\docume~1\networ~1\ntuser.dll,_IWMPEvents@0
uRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
uRun: [asg984jgkfmgasi8ug98jgkfgfb] c:\docume~1\amie\locals~1\temp\winamp.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [IconixOEAddOn] "c:\program files\email id\oeaddon\OEdmn_5.exe"
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [SweetIM] c:\program files\sweetim\messenger\SweetIM.exe
mRun: [PD0620 STISvc] RunDLL32.exe P0620Pin.dll,RunDLL32EP 513
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [FBSearch] c:\program files\search guard plus\SearchGuardPlus.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [winupdate.exe] c:\windows\system32\winupdate.exe
mRun: [RavTray] "c:\program files\rising\rav\RsTray.exe" -system
mRun: [calc] rundll32.exe c:\windows\system32\calc.dll,_IWMPEvents@0
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\amie\startm~1\programs\startup\mp3roc~1.lnk - c:\program files\mp3 rocket\MP3Rocket.exe
StartupFolder: c:\documents and settings\amie\start menu\programs\startup\scandisk.dll
StartupFolder: c:\docume~1\amie\startm~1\programs\startup\scandisk.lnk - c:\windows\system32\rundll32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\belkin~1.lnk - c:\program files\belkin\f5d8053\Belkinwcui.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\runreg~1.lnk - c:\program files\wificonnector\NintendoWFCReg.exe
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: EnableProfileQuota = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Open in new background tab - c:\program files\windows live toolbar\components\en-ca\msntabres.dll.mui/229?1becc5a10a8349228d237056a5397466
IE: Open in new foreground tab - c:\program files\windows live toolbar\components\en-ca\msntabres.dll.mui/230?1becc5a10a8349228d237056a5397466
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\npjpi160_01.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {400A6CFA-E326-4d61-A90C-9AD75358DC5F} - {44E212AB-13EA-4CA4-BE65-197FBA170412} - c:\program files\email id\ieaddon\IconixBHO_41.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {BC3F6B6D-2E49-4603-B028-7411655713F3} - {0CC2F28D-D415-4FC6-A2E4-54B4D983609A} - c:\program files\email id\ieaddon\IconixBHO_41.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
Trusted Zone: aol.com\free
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} - hxxp://dl.tvunetworks.com/TVUAx.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {B49C4597-8721-4789-9250-315DFBD9F525} - hxxp://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
TCP: NameServer = 208.67.220.220,208.67.222.222
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: c:\windows\system32\xrxb1.dll: {a2234b15-23f2-42ad-f4e4-00aac39c0004} - c:\windows\system32\xrxb1.dll
STS: c:\windows\system32\iuvwcj1o.dll: {a45a4b15-23f2-42ad-f4e4-00aac39c0004} - c:\windows\system32\iuvwcj1o.dll

============= SERVICES / DRIVERS ===============

R0 RsNTGDI;RsNTGDI;c:\windows\system32\drivers\RsNTGdi.sys [2009-10-17 10832]
R1 hookcont;hookcont;c:\windows\system32\drivers\HookCont.sys [2009-10-17 15216]
R1 hooksys;hooksys;c:\windows\system32\drivers\HookSys.sys [2009-10-17 138864]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-6-21 55152]
R2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2009-5-29 233472]
R2 IconixService;Iconix Update Service;c:\program files\common files\email id\IconixService.exe [2008-10-11 282968]
R2 Nero BackItUp Scheduler 4.0;Nero BackItUp Scheduler 4.0;c:\program files\common files\nero\nero backitup 4\NBService.exe [2008-9-29 935208]
R2 RavTask;Rising RavTask Manager;c:\program files\rising\rav\RavTask.exe [2009-10-17 129648]
R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-5-19 240512]
R3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2009-5-29 36608]
R3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2007-7-28 517632]
S2 RavCCenter;Rav Process Communication Center;c:\program files\rising\rav\CCenter.exe [2009-10-17 113264]
S2 RsRavMon;Rising RealTime Monitor;c:\program files\rising\rav\RavMonD.exe [2009-10-17 133744]
S2 RsScanSrv;Rising Scan Service;c:\program files\rising\rav\ScanFrm.exe [2009-10-17 51824]
S3 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2009-2-6 533360]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 PavSRK.sys;PavSRK.sys;\??\c:\windows\system32\pavsrk.sys --> c:\windows\system32\PavSRK.sys [?]

=============== Created Last 30 ================

2009-11-12 10:01:43 0 d-----w- C:\76efd0aa7f361e1cbb7330e1a29984
2009-11-11 04:37:28 4194316 ----a-w- c:\windows\pfirewall.log.old
2009-11-11 02:36:57 0 d-----w- c:\program files\Trend Micro
2009-11-09 02:17:40 15000 ----a-w- c:\windows\system32\iuvwcj1o.dll
2009-11-09 02:17:35 29696 ----a-w- C:\fpofmum.exe
2009-11-09 02:17:33 0 --sha-w- C:\-999035917
2009-10-23 08:42:23 0 d-----w- c:\program files\AdvancedVirusRemover
2009-10-23 03:54:20 831 ----a-w- c:\windows\system32\critical_warning.html

==================== Find3M ====================

2009-10-23 03:57:28 22528 ----a-w- c:\windows\system32\winhelper.dll
2009-10-18 02:55:03 15216 ----a-w- c:\windows\system32\drivers\HookCont.sys
2009-10-18 02:54:57 238704 ----a-w- c:\windows\system32\bsmain.exe
2009-10-18 02:54:57 10832 ----a-w- c:\windows\system32\drivers\RsNTGdi.sys
2009-10-18 02:54:53 33904 ----a-w- c:\windows\system32\drivers\HookHelp.sys
2009-10-18 02:54:53 138864 ----a-w- c:\windows\system32\drivers\HookSys.sys
2009-10-18 02:54:50 146032 ----a-w- c:\windows\system32\RavExt.dll
2009-10-17 17:11:34 17709 ----a-w- c:\windows\tehadyd.dat
2009-10-17 17:11:34 12777 ----a-w- c:\windows\system32\xypetude.bat
2009-10-17 17:11:34 12616 ----a-w- c:\windows\esopikaw.reg
2009-10-17 17:11:34 12141 ----a-w- c:\windows\qaca.bat
2009-10-17 05:33:25 24576 ----a-w- c:\windows\system32\winupdate.exe
2009-10-17 05:33:25 24576 ----a-w- C:\nmihj.exe
2009-10-17 05:33:20 160880 ----a-w- c:\docume~1\amie\applic~1\lizkavd.exe
2009-10-17 05:33:17 15000 ----a-w- c:\windows\system32\xrxb1.dll
2009-10-17 05:04:58 168448 ----a-w- c:\program files\_scui.vir
2009-09-20 00:43:23 19896 ----a-w- c:\windows\system32\ycaqijora.com
2009-09-20 00:43:23 19860 ----a-w- c:\program files\common files\rimawupyc.db
2009-09-20 00:43:23 14474 ----a-w- c:\program files\common files\suvujixawo.lib
2009-09-20 00:43:23 14177 ----a-w- c:\docume~1\amie\applic~1\uqytynyh.pif
2009-09-20 00:43:23 11771 ----a-w- c:\program files\common files\cyreciboky.sys
2009-09-20 00:43:23 11195 ----a-w- c:\docume~1\alluse~1\applic~1\yvoha.scr
2009-09-20 00:43:23 10660 ----a-w- c:\program files\common files\vata.bat
2009-09-20 00:43:22 18917 ----a-w- c:\windows\pafyles.vbs
2009-09-20 00:43:22 12684 ----a-w- c:\windows\ojywuj.scr
2009-09-17 23:16:37 13957 ----a-w- c:\windows\system32\dykoha.pif
2009-09-17 23:16:36 19682 ----a-w- c:\docume~1\alluse~1\applic~1\xigu.com
2009-09-17 23:16:36 14344 ----a-w- c:\docume~1\amie\applic~1\ataku.scr
2009-09-17 23:16:36 13823 ----a-w- c:\windows\reke.reg
2009-09-17 23:16:36 13503 ----a-w- c:\windows\qydif.bin
2009-09-17 23:16:36 12593 ----a-w- c:\program files\common files\fyfokyxij.dl
2009-09-17 13:03:51 19421 ----a-w- c:\program files\common files\madoraqyf.dll
2009-09-17 13:03:51 18554 ----a-w- c:\windows\system32\kafiwyjun.dat
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-02 16:51:46 178440 ----a-w- c:\windows\hpwins20.dat
2009-08-29 08:08:21 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2006-05-08 06:23:14 49465 ----a-w- c:\program files\moviepass Terms.html
2006-01-24 05:39:01 26958 ----a-w- c:\program files\MovieLand Terms.html
2008-08-21 16:34:14 88 -csh--r- c:\windows\system32\B36A6A002E.sys
2009-03-21 14:06:58 24064 --sha-w- c:\windows\system32\calc.dll
2008-08-21 16:34:15 3350 -csha-w- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 9:23:30.12 ===============





Attached Files



#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,833 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:10:10 AM

Posted 17 November 2009 - 02:39 PM

Hello jmfft,

Quite some nasty stuff there :/

COMBOFIX
---------------
Please download ComboFix from one of these locations: Bleepingcomputer, ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


In your next reply, please include the following:
  • Combofix.txt

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft


#5 jmfft

jmfft
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Local time:12:10 AM

Posted 17 November 2009 - 05:41 PM

I downloaded ComboFix but couldn't run the program. A popup screen appeared: Run As. It asked which user account I want to use to run this program: Current user (DFHQ9491\Amie).
It asked whether I want to protect my computer and data from unauthorized program activity. If I select to run without protection, another error message comes up. This message states that Windows cannot open the following file: nircmd.cfxxe. It gives a choice of using a web search to find the file needed to open this file or to search the computer. However, it doesn't let you make a choice and closes within five seconds.

#6 jmfft

jmfft
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Local time:12:10 AM

Posted 17 November 2009 - 07:26 PM

I was able to partially run ComboFix. It made it up to 49, then the blue screen of death appeared. The error message that came up was BAD_POOL_HEADER
***STOP: 0x00000019 (0x00000020, 0x89424538, 0x89424950, 0x1a830011)
I was able to run the partial scan via a secondary administrator profile that I had created. The primary profile that is used 90% of the time now shows that it has reduced privileges.

#7 jmfft

jmfft
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Local time:12:10 AM

Posted 17 November 2009 - 08:52 PM

I tried to run ComboFix again. This time it made it to test 50, then displayed the following message:
System file is infected!! Attempting to repair. "C:windows\system32\drivers ndis.sys"
The computer then went to the BSOD. The technical data for this shutdown was...
***STOP: 0x0000008E (0xc0000005, 0xb13off54, 0xae37d278, 0x00000000)
*** HookSys.sys - Address B13OFF54 base at B1303000, Datestamp 49519729

#8 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,833 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:10:10 AM

Posted 18 November 2009 - 03:08 AM

Hello jmfft,

Let's see if we can do some preliminary cleanup here. You are pretty badly infected, and all those infections try to interfere with the tools we use.

MALWAREBYTES ANTIMALWARE
-------------------------------------------
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

If after installation, MBAM will not run, open the Malwarebytes' Anti-Malware folder in Program Files.
  • Right-click on mbam.exe, rename it to myscan.exe.
  • Double-click on myscan.exe to launch the program.
  • If that did not work, then try renaming and change the .exe extension in the same way as noted above.
  • Double-click on myscan.scr (or whatever extension you renamed it) to launch the program.
If using Windows Vista, refer to How to Change a File Extension in Windows Vista.


In your next reply, please include the following:
  • MBAM log

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft


#9 jmfft

jmfft
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Local time:12:10 AM

Posted 18 November 2009 - 01:07 PM

Here is the most recent log. I am not sure whether this log will show the files that had to be deleted with a reboot.


Malwarebytes' Anti-Malware 1.41
Database version: 3193
Windows 5.1.2600 Service Pack 3

11/18/2009 11:00:37 AM
mbam-log-2009-11-18 (11-00-37).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 239834
Time elapsed: 1 hour(s), 4 minute(s), 29 second(s)

Memory Processes Infected: 3
Memory Modules Infected: 1
Registry Keys Infected: 2
Registry Values Infected: 7
Registry Data Items Infected: 12
Folders Infected: 5
Files Infected: 129

Memory Processes Infected:
C:\Documents and Settings\Amie\Local Settings\Temp\notepad.exe (Trojan.Downloader) -> Unloaded process successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\nvsvc32.exe (Trojan.Downloader) -> Unloaded process successfully.
C:\WINDOWS\system32\winupdate.exe (Trojan.Downloader) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\calc.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\lizkavd (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calc (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdate.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\asg984jgkfmgasi8ug98jgkfgfb (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.43 85.255.112.185 -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\AdvancedVirusRemover (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully.
C:\Program Files\Screensavers.com (Adware.Comet) -> Quarantined and deleted successfully.
C:\Program Files\Screensavers.com\SSSInst (Adware.Comet) -> Quarantined and deleted successfully.
C:\Program Files\Screensavers.com\SSSInst\bin (Adware.Comet) -> Quarantined and deleted successfully.
C:\Program Files\Screensavers.com\SSSInst\temp (Adware.Comet) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\calc.dll (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Amie\Local Settings\Temp\notepad.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\nvsvc32.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winupdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\fpofmum.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\nmihj.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\_scui.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\AdvancedVirusRemover\PAVRM.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winhelper.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\iuvwcj1o.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xrxb1.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\ntuser.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Application Data\lizkavd.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Application Data\jgknay\pkohsysguard.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\cmd.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\1019966496.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\1026561392.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\102909790.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\1037230254.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\96509230.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\969907082.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\985549542.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\995855150.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\2119035606.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\214299454.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\2253119828.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\2318802350.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\2340090982.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\2446823090.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\2473646848.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\2485950021.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\1530085912.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\1601482105.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\1619257770.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\1677549364.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\1752541218.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\3764162776.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\3806877296.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\4007878268.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\4085270890.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\4090231510.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\4136702191.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\26953444.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\2741187416.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\275173548.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\2794546990.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\1977588396.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\2034086848.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\2048213788.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\2048477746.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\2049206968.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\3572070380.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\3592150372.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\3635233418.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\3637090958.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\3682026518.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\1155474670.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\1274696296.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\1314870644.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\1428488464.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\1432578884.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\1487707214.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\2876639580.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\2913729716.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\2957341564.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\2991529892.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\2519489235.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\2586909252.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\2644270462.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\2659654892.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\1843193210.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\1843332874.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\1849991952.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\1888807162.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\1895201070.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\1967034718.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\469064686.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\490121888.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\522247956.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\536576064.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\644595726.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\3402668388.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\3487694227.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\3492130606.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\3508111660.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\758765762.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\824300928.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\835822851.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\841901168.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\rundll32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\sbk7tny9q.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\spoolsv.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\u6c6f.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\~.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\3117342312.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\3156310852.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\3168494332.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\317100576.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\320967292.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\3222390525.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\3267222896.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\3351605826.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\winamp.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\zuro03gc.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\_A00F18095D89.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temporary Internet Files\Content.IE5\HVKUVO01\SetupAdvancedVirusRemover[1].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Start Menu\Programs\Startup\scandisk.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\dad\ntuser.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\dad\Start Menu\Programs\Startup\scandisk.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\ntuser.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Screensavers.com\SSSInst\bin\iebyterange.xml (Adware.Comet) -> Quarantined and deleted successfully.
C:\Program Files\Screensavers.com\SSSInst\bin\iebyterange.xml.backup (Adware.Comet) -> Quarantined and deleted successfully.
C:\Program Files\Screensavers.com\SSSInst\bin\SSSUninst.exe (Adware.Comet) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Start Menu\Programs\Startup\scandisk.lnk (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\dad\Start Menu\Programs\Startup\scandisk.lnk (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Desktop\Advanced Virus Remover.lnk (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Application Data\Microsoft\Internet Explorer\Quick Launch\Advanced Virus Remover.lnk (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Start Menu\Advanced Virus Remover.lnk (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Security Troubleshooting.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\critical_warning.html (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\nsrbgxod.bak (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\dad\Local Settings\Temp\nsrbgxod.bak (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Amie\Cookies\oxyw.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusPro_2010.lnk (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\jisfije9fjoiee.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\habnf88jkefh87ifiks.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temp\pskfo83wijf89uwuhal8.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

#10 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,833 posts
  • Gender:Female
  • Location:Romania

Posted 18 November 2009 - 01:22 PM

Hi jmfft,

This computer is really badly infected!!! Therefore, please keep it disconnected from the internet unless otherwise instructed until we clean this up. Not doing so will only result in further infection!

Make sure Combofix is on your desktop.

Run ComboFix using these instructions:

Click the Windows 'Start' button > Select 'Run' - then copy/paste the following bolded text into the run box & click OK.

"%userprofile%\desktop\combofix.exe" /killall

When finished, it shall produce a log for you. Post that log in your next reply.


Let me know if this works; if not, we will try another method :(

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#11 jmfft

jmfft
  • Topic Starter

  • Members
  • 27 posts

Posted 18 November 2009 - 03:10 PM

I was able to get ComboFix to start running. Initially it showed the message "Detected Rootkit Activity, ComboFix needs to reboot". After the system rebooted the program was able to run scans through 50, and as soon as it began to delete files the BSOD appeared with the following error message:
BAD_POOL_HEADER
STOP: 0x00000019 (0x00000020, 0x898446D0, 0x89844AE8, 0x1a830008)

#12 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,833 posts
  • Gender:Female
  • Location:Romania

Posted 18 November 2009 - 03:22 PM

Hello jmfft,

Well, it seems we will have to go for a manual fix of this rootkit.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    ndis.sys
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt


ROOTREPEAL
-------------
We need to check for rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Open RootRepeal on your desktop.
  • Click the [image] tab.
  • Click the [image] button.
  • Check all seven boxes: [image]
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the [image] button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.
In your next reply, please include the following:
  • SystemLook.txt
  • RootRepeal.txt

Edited by elise025, 18 November 2009 - 03:22 PM.

regards, Elise




#13 jmfft

jmfft
  • Topic Starter

  • Members
  • 27 posts

Posted 18 November 2009 - 04:05 PM

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 13:50 on 18/11/2009 by dad (Administrator - Elevation successful)

========== filefind ==========

Searching for "ndis.sys"
C:\i386\ndis.sys --a--- 182912 bytes [01:26 17/01/2006] [11:00 04/08/2004] 558635D3AF1C7546D26067D5D9B6959E
C:\WINDOWS\$NtServicePackUninstall$\ndis.sys -----c 182912 bytes [05:01 04/11/2008] [11:00 04/08/2004] 558635D3AF1C7546D26067D5D9B6959E
C:\WINDOWS\ServicePackFiles\i386\ndis.sys ------ 182656 bytes [06:52 13/10/2008] [19:20 13/04/2008] 1DF7F42665C94B825322FAE71721130D
C:\WINDOWS\system32\drivers\ndis.sys --a--- 182656 bytes [18:51 10/08/2004] [19:20 13/04/2008] 1DF7F42665C94B825322FAE71721130D

-=End Of File=-

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/11/18 13:55
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xAD593000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\calc.dll
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Amie\ntuser.dll
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\dad\ntuser.dll
Status: Invisible to the Windows API!

Path: c:\documents and settings\dad\local settings\temp\~df1f08.tmp
Status: Allocation size mismatch (API: 131072, Raw: 16384)

Path: c:\documents and settings\dad\local settings\temp\~df6118.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: C:\Documents and Settings\Amie\Start Menu\Programs\Startup\scandisk.dll
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Amie\Start Menu\Programs\Startup\scandisk.lnk
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\dad\Start Menu\Programs\Startup\scandisk.dll
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\dad\Start Menu\Programs\Startup\scandisk.lnk
Status: Invisible to the Windows API!

SSDT
-------------------
#: 019 Function Name: NtAssignProcessToJobObject
Status: Hooked by "C:\WINDOWS\system32\drivers\HOOKHELP.sys" at address 0xba343f73

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\drivers\HOOKHELP.sys" at address 0xba34405a

#: 043 Function Name: NtCreateMutant
Status: Hooked by "C:\WINDOWS\system32\drivers\HOOKHELP.sys" at address 0xba343ff7

#: 047 Function Name: NtCreateProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\HOOKHELP.sys" at address 0xba343d00

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "C:\WINDOWS\system32\drivers\HOOKHELP.sys" at address 0xba343d21

#: 053 Function Name: NtCreateThread
Status: Hooked by "C:\WINDOWS\system32\drivers\HOOKHELP.sys" at address 0xba343da5

#: 057 Function Name: NtDebugActiveProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\HOOKHELP.sys" at address 0xba343eef

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\system32\drivers\HOOKHELP.sys" at address 0xba3440bd

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\system32\drivers\HOOKHELP.sys" at address 0xba34409c

#: 066 Function Name: NtDeviceIoControlFile
Status: Hooked by "C:\WINDOWS\system32\drivers\HOOKHELP.sys" at address 0xba343f94

#: 097 Function Name: NtLoadDriver
Status: Hooked by "C:\WINDOWS\system32\drivers\HOOKHELP.sys" at address 0xba343d63

#: 103 Function Name: NtLockVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\HOOKHELP.sys" at address 0xba343ead

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\system32\drivers\HOOKHELP.sys" at address 0xba344141

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\HOOKHELP.sys" at address 0xba344039

#: 125 Function Name: NtOpenSection
Status: Hooked by "C:\WINDOWS\system32\drivers\HOOKHELP.sys" at address 0xba343dc6

#: 137 Function Name: NtProtectVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\HOOKHELP.sys" at address 0xba343e8c

#: 145 Function Name: NtQueryDirectoryFile
Status: Hooked by "C:\WINDOWS\system32\drivers\HOOKHELP.sys" at address 0xba343fd6

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\system32\drivers\HOOKHELP.sys" at address 0xba343f52

#: 180 Function Name: NtQueueApcThread
Status: Hooked by "C:\WINDOWS\system32\drivers\HOOKHELP.sys" at address 0xba343e6b

#: 192 Function Name: NtRenameKey
Status: Hooked by "C:\WINDOWS\system32\drivers\HOOKHELP.sys" at address 0xba3440de

#: 200 Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\WINDOWS\system32\drivers\HOOKHELP.sys" at address 0xba343f31

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\system32\drivers\HOOKHELP.sys" at address 0xba344120

#: 213 Function Name: NtSetContextThread
Status: Hooked by "C:\WINDOWS\system32\drivers\HOOKHELP.sys" at address 0xba343e29

#: 237 Function Name: NtSetSecurityObject
Status: Hooked by "C:\WINDOWS\system32\drivers\HOOKHELP.sys" at address 0xba3440ff

#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "C:\WINDOWS\system32\drivers\HOOKHELP.sys" at address 0xba343ece

#: 242 Function Name: NtSetSystemTime
Status: Hooked by "C:\WINDOWS\system32\drivers\HOOKHELP.sys" at address 0xba343fb5

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\drivers\HOOKHELP.sys" at address 0xba34407b

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\HOOKHELP.sys" at address 0xba343e4a

#: 254 Function Name: NtSuspendThread
Status: Hooked by "C:\WINDOWS\system32\drivers\HOOKHELP.sys" at address 0xba343e08

#: 255 Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\system32\drivers\HOOKHELP.sys" at address 0xba343f10

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\HOOKHELP.sys" at address 0xba343d42

#: 258 Function Name: NtTerminateThread
Status: Hooked by "C:\WINDOWS\system32\drivers\HOOKHELP.sys" at address 0xba343de7

#: 267 Function Name: NtUnmapViewOfSection
Status: Hooked by "C:\WINDOWS\system32\drivers\HOOKHELP.sys" at address 0xba344018

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\HOOKHELP.sys" at address 0xba343d84

Shadow SSDT
-------------------
#: 378 Function Name: NtUserFindWindowEx
Status: Hooked by "C:\WINDOWS\system32\drivers\HOOKHELP.sys" at address 0xba344ce2

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\WINDOWS\system32\drivers\HOOKHELP.sys" at address 0xba344cc1

==EOF==
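
Reading a SystemLook filefind result like the one just posted comes down to comparing the copy Windows actually loads (under system32\drivers) with the reference copies kept elsewhere on the disk. The following Python is an added example, not code from this thread or from the SystemLook tool: it parses the filefind section and applies that comparison, checking the live driver against the ServicePackFiles copy by size and MD5, while treating the older i386 and $NtServicePackUninstall$ copies as expected to differ. The first sample is the log posted above; the directory markers it keys on and the second, tampered log are constructed assumptions for the illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One result line of a SystemLook "filefind" section:
#   <path> <6-char attributes> <size> bytes [<timestamp>] [<timestamp>] <MD5>
FILEFIND_LINE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attr>[-a-zA-Z]{6})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<t1>[^\]]+)\]\s+\[(?P<t2>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})$"
)
SEARCH_HEADER = re.compile(r'^Searching for "(?P<name>[^"]+)"$')


@dataclass
class FileEntry:
    path: str
    attributes: str
    size: int
    timestamps: Tuple[str, str]
    md5: str


def parse_filefind(log_text: str) -> Dict[str, List[FileEntry]]:
    """Parse every 'Searching for "<name>"' block of a SystemLook log into
    {name (lower-cased): [FileEntry, ...]} in the order the log lists them."""
    results: Dict[str, List[FileEntry]] = {}
    current: Optional[str] = None
    for raw in log_text.splitlines():
        line = raw.strip()
        header = SEARCH_HEADER.match(line)
        if header:
            current = header.group("name").lower()
            results.setdefault(current, [])
            continue
        if current is None:
            continue  # still in the log preamble
        hit = FILEFIND_LINE.match(line)
        if hit:
            results[current].append(FileEntry(
                path=hit.group("path"),
                attributes=hit.group("attr"),
                size=int(hit.group("size")),
                timestamps=(hit.group("t1"), hit.group("t2")),
                md5=hit.group("md5").upper(),
            ))
    return results


# Path fragments identifying the copy Windows loads and the service-pack
# reference it was installed from (assumption: standard XP directory layout).
LIVE_DIR = "\\system32\\drivers\\"
REFERENCE_DIR = "\\servicepackfiles\\"


def assess_driver(entries: List[FileEntry]) -> dict:
    """Compare the live driver with the ServicePackFiles reference copy.
    Copies under i386 or $NtServicePackUninstall$ are pre-service-pack
    versions and legitimately differ, so they are counted but not used
    as the reference."""
    live = [e for e in entries if LIVE_DIR in e.path.lower()]
    reference = [e for e in entries if REFERENCE_DIR in e.path.lower()]
    report = {
        "live": live[0].path if live else None,
        "reference": reference[0].path if reference else None,
        "distinct_hashes": sorted({e.md5 for e in entries}),
        "verdict": "no live copy",
    }
    if not live:
        return report
    if not reference:
        report["verdict"] = "no reference copy"
        return report
    same_hash = live[0].md5 == reference[0].md5
    same_size = live[0].size == reference[0].size
    if same_hash and same_size:
        report["verdict"] = "consistent"
    elif same_size:
        # Same length, different bytes: the footprint an in-place patch leaves
        report["verdict"] = "mismatch (same size, different hash)"
    else:
        report["verdict"] = "mismatch (size differs)"
    return report


# Sample input: the filefind result posted in this thread, embedded so the
# example runs offline.
THREAD_LOG = r"""SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 13:50 on 18/11/2009 by dad (Administrator - Elevation successful)

========== filefind ==========

Searching for "ndis.sys"
C:\i386\ndis.sys --a--- 182912 bytes [01:26 17/01/2006] [11:00 04/08/2004] 558635D3AF1C7546D26067D5D9B6959E
C:\WINDOWS\$NtServicePackUninstall$\ndis.sys -----c 182912 bytes [05:01 04/11/2008] [11:00 04/08/2004] 558635D3AF1C7546D26067D5D9B6959E
C:\WINDOWS\ServicePackFiles\i386\ndis.sys ------ 182656 bytes [06:52 13/10/2008] [19:20 13/04/2008] 1DF7F42665C94B825322FAE71721130D
C:\WINDOWS\system32\drivers\ndis.sys --a--- 182656 bytes [18:51 10/08/2004] [19:20 13/04/2008] 1DF7F42665C94B825322FAE71721130D

-=End Of File=-
"""

# Constructed variant (not from the thread): the live copy keeps its size but
# its hash no longer matches the reference, as after an in-place patch.
TAMPERED_LOG = THREAD_LOG.replace(
    "[18:51 10/08/2004] [19:20 13/04/2008] 1DF7F42665C94B825322FAE71721130D",
    "[18:51 10/08/2004] [19:20 13/04/2008] 00000000000000000000000000000000",
)

if __name__ == "__main__":
    for label, log in (("thread log", THREAD_LOG), ("constructed tampered log", TAMPERED_LOG)):
        verdict = assess_driver(parse_filefind(log)["ndis.sys"])
        print(f"{label}: {verdict['verdict']}")
```

On the log above the verdict is "consistent": the live ndis.sys and its ServicePackFiles reference carry the same size and hash, while the two pre-SP copies share an older hash, which is expected. A same-size, different-hash result is the cue to restore the driver from the reference copy. Bear in mind that a user-mode tool reads through the Windows API, so a rootkit that filters file reads can hand it clean bytes; comparing the file from outside the running system (a boot CD) is the stronger check.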

#14 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,833 posts
  • Gender:Female
  • Location:Romania

Posted 18 November 2009 - 05:05 PM

Hello jmfft,

Two things we have to try next; no worry, if that doesn't work, I will have to create a nice manual fix :(

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please make sure you have a fresh copy of Combofix on your desktop.

REBOOT IN SAFE MODE
-------------------------------
Now reboot into Safe Mode.
  • This can be done by tapping the F8 key as soon as you start your computer.
  • You will be brought to a menu where you can choose to boot into safe mode.
  • Make sure you choose the option without networking support.
  • Please see here for additional details.
Try running Combofix once you are in safe mode and post the log if the run is successful.


Even if the above has no success, reboot in normal mode and do the following:

TFC
--------
Download TFC by OldTimer to your desktop.
(TFC only cleans temp folders. It will not clean URL history, prefetch, or cookies).
Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run.
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job.
Once it's finished it should automatically reboot your machine; if it doesn't, manually reboot to ensure a complete clean.

NOTE:
It's normal after running TFC cleaner that the PC will be slower to boot the first time.

TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.



Now, without restarting again, start MBAM, update it and run a full scan.


Post me the scan results together with a new DDS log (if Combofix was able to run no need for the DDS log).

regards, Elise




#15 jmfft

jmfft
  • Topic Starter

  • Members
  • 27 posts

Posted 18 November 2009 - 08:11 PM

I could not get into safe mode to run combofix.

Malwarebytes' Anti-Malware 1.41
Database version: 3195
Windows 5.1.2600 Service Pack 3

11/18/2009 6:02:20 PM
mbam-log-2009-11-18 (18-02-20).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 220239
Time elapsed: 54 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\calc.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calc (Trojan.Agent) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calc (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\calc.dll (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Amie\ntuser.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Start Menu\Programs\Startup\scandisk.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\dad\ntuser.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\dad\Start Menu\Programs\Startup\scandisk.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Start Menu\Programs\Startup\scandisk.lnk (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\dad\Start Menu\Programs\Startup\scandisk.lnk (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\dad\Local Settings\Temp\nsrbgxod.bak (Trojan.Agent) -> Delete on reboot.



DDS (Ver_09-10-26.01) - NTFSx86
Run by dad at 18:05:32.15 on Wed 11/18/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1562 [GMT -7:00]

AV: Rising Antivirus *On-access scanning enabled* (Outdated) {234E4A88-48FA-4220-A994-5323706FF524}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Rising\Rav\CCENTER.EXE
C:\Program Files\Rising\Rav\CCENTER.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Rising\Rav\RavMonD.exe
C:\Program Files\Rising\Rav\RavMonD.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Rising\Rav\rsnetsvr.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\FsUsbExService.Exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\Common Files\eMail ID\IconixService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Rising\Rav\RavTask.exe
C:\Program Files\Rising\Rav\ScanFrm.exe
C:\Program Files\Rising\Rav\ScanFrm.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\eMail ID\OEAddOn\OEdmn_5.exe
C:\Program Files\SweetIM\Messenger\SweetIM.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
C:\Program Files\Rising\Rav\RsTray.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Belkin\F5D8053\Belkinwcui.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\Program Files\Dell Support Center\gs_agent\dsc.exe
C:\Documents and Settings\dad\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.dell.ca/myway
uSearch Bar = hxxp://bfc.myway.com/search/de_srchlft.html
uDefault_Page_URL = hxxp://www.dell.ca/myway
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mSearchAssistant = hxxp://www.google.com
TB: ZoneAlarm Spy Blocker: {f0d4b239-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\zonealarmsb\bar\1.bin\SPYBLOCK.DLL
TB: SweetIM Toolbar for Internet Explorer: {eee6c35b-6118-11dc-9c72-001320c79847} - c:\program files\sweetim\toolbars\internet explorer\mgToolbarIE.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [calc] rundll32.exe c:\docume~1\dad\ntuser.dll,_IWMPEvents@0
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [IconixOEAddOn] "c:\program files\email id\oeaddon\OEdmn_5.exe"
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [SweetIM] c:\program files\sweetim\messenger\SweetIM.exe
mRun: [PD0620 STISvc] RunDLL32.exe P0620Pin.dll,RunDLL32EP 513
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [FBSearch] c:\program files\search guard plus\SearchGuardPlus.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [RavTray] "c:\program files\rising\rav\RsTray.exe" -system
mRun: [calc] rundll32.exe c:\windows\system32\calc.dll,_IWMPEvents@0
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\belkin~1.lnk - c:\program files\belkin\f5d8053\Belkinwcui.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\runreg~1.lnk - c:\program files\wificonnector\NintendoWFCReg.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\npjpi160_01.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {400A6CFA-E326-4d61-A90C-9AD75358DC5F} - {44E212AB-13EA-4CA4-BE65-197FBA170412} - c:\program files\email id\ieaddon\IconixBHO_41.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {BC3F6B6D-2E49-4603-B028-7411655713F3} - {0CC2F28D-D415-4FC6-A2E4-54B4D983609A} - c:\program files\email id\ieaddon\IconixBHO_41.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} - hxxp://dl.tvunetworks.com/TVUAx.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {B49C4597-8721-4789-9250-315DFBD9F525} - hxxp://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
TCP: NameServer = 208.67.220.220,208.67.222.222
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 RsNTGDI;RsNTGDI;c:\windows\system32\drivers\RsNTGdi.sys [2009-10-17 10832]
R1 hookcont;hookcont;c:\windows\system32\drivers\HookCont.sys [2009-10-17 15216]
R1 hooksys;hooksys;c:\windows\system32\drivers\HookSys.sys [2009-10-17 138864]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-6-21 55152]
R2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2009-5-29 233472]
R2 IconixService;Iconix Update Service;c:\program files\common files\email id\IconixService.exe [2008-10-11 282968]
R2 Nero BackItUp Scheduler 4.0;Nero BackItUp Scheduler 4.0;c:\program files\common files\nero\nero backitup 4\NBService.exe [2008-9-29 935208]
R2 RavTask;Rising RavTask Manager;c:\program files\rising\rav\RavTask.exe [2009-10-17 129648]
R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-5-19 240512]
S?2 RavCCenter;Rav Process Communication Center;c:\program files\rising\rav\CCenter.exe [2009-10-17 113264]
S?2 RsRavMon;Rising RealTime Monitor;c:\program files\rising\rav\RavMonD.exe [2009-10-17 133744]
S?2 RsScanSrv;Rising Scan Service;c:\program files\rising\rav\ScanFrm.exe [2009-10-17 51824]
S3 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2009-2-6 533360]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 PavSRK.sys;PavSRK.sys;\??\c:\windows\system32\pavsrk.sys --> c:\windows\system32\PavSRK.sys [?]
S3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2007-7-28 517632]
S4 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2009-5-29 36608]

=============== Created Last 30 ================

2009-11-18 20:13:57 0 d-s---w- C:\ComboFix
2009-11-18 20:07:30 0 ----a-w- c:\documents and settings\dad\񀿉
2009-11-18 16:51:55 0 d-----w- c:\docume~1\dad\applic~1\Malwarebytes
2009-11-18 16:51:47 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-18 16:51:46 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-18 16:51:46 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-18 16:51:46 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-17 23:15:18 0 d-sha-r- C:\cmdcons
2009-11-17 22:52:27 98816 ----a-w- c:\windows\sed.exe
2009-11-17 22:52:27 77312 ----a-w- c:\windows\MBR.exe
2009-11-17 22:52:27 260608 ----a-w- c:\windows\PEV.exe
2009-11-17 22:52:27 161792 ----a-w- c:\windows\SWREG.exe
2009-11-17 22:47:04 0 ----a-w- c:\documents and settings\dad\;;
2009-11-12 10:01:43 0 d-----w- C:\76efd0aa7f361e1cbb7330e1a29984
2009-11-11 04:37:28 4194333 ----a-w- c:\windows\pfirewall.log.old
2009-11-11 03:41:42 0 d-sh--w- c:\documents and settings\dad\PrivacIE
2009-11-11 03:39:17 0 d-----w- c:\docume~1\dad\applic~1\You've Got Pictures Screensaver
2009-11-11 03:39:17 0 d-----w- c:\docume~1\dad\applic~1\AOL
2009-11-11 02:36:57 0 d-----w- c:\program files\Trend Micro
2009-11-09 02:17:33 0 --sha-w- C:\-999035917

==================== Find3M ====================

2009-10-22 09:19:04 5939712 ------w- c:\windows\system32\dllcache\mshtml.dll
2009-10-18 02:55:03 15216 ----a-w- c:\windows\system32\drivers\HookCont.sys
2009-10-18 02:54:57 238704 ----a-w- c:\windows\system32\bsmain.exe
2009-10-18 02:54:57 10832 ----a-w- c:\windows\system32\drivers\RsNTGdi.sys
2009-10-18 02:54:53 33904 ----a-w- c:\windows\system32\drivers\HookHelp.sys
2009-10-18 02:54:53 138864 ----a-w- c:\windows\system32\drivers\HookSys.sys
2009-10-18 02:54:50 146032 ----a-w- c:\windows\system32\RavExt.dll
2009-10-17 17:11:34 17709 ----a-w- c:\windows\tehadyd.dat
2009-10-17 17:11:34 12777 ----a-w- c:\windows\system32\xypetude.bat
2009-10-17 17:11:34 12616 ----a-w- c:\windows\esopikaw.reg
2009-10-17 17:11:34 12141 ----a-w- c:\windows\qaca.bat
2009-09-20 00:43:23 19896 ----a-w- c:\windows\system32\ycaqijora.com
2009-09-20 00:43:23 19860 ----a-w- c:\program files\common files\rimawupyc.db
2009-09-20 00:43:23 14474 ----a-w- c:\program files\common files\suvujixawo.lib
2009-09-20 00:43:23 11771 ----a-w- c:\program files\common files\cyreciboky.sys
2009-09-20 00:43:23 11195 ----a-w- c:\docume~1\alluse~1\applic~1\yvoha.scr
2009-09-20 00:43:23 10660 ----a-w- c:\program files\common files\vata.bat
2009-09-20 00:43:22 18917 ----a-w- c:\windows\pafyles.vbs
2009-09-20 00:43:22 12684 ----a-w- c:\windows\ojywuj.scr
2009-09-17 23:16:37 13957 ----a-w- c:\windows\system32\dykoha.pif
2009-09-17 23:16:36 19682 ----a-w- c:\docume~1\alluse~1\applic~1\xigu.com
2009-09-17 23:16:36 13823 ----a-w- c:\windows\reke.reg
2009-09-17 23:16:36 13503 ----a-w- c:\windows\qydif.bin
2009-09-17 23:16:36 12593 ----a-w- c:\program files\common files\fyfokyxij.dl
2009-09-17 13:03:51 19421 ----a-w- c:\program files\common files\madoraqyf.dll
2009-09-17 13:03:51 18554 ----a-w- c:\windows\system32\kafiwyjun.dat
2009-09-15 10:18:15 18738 ----a-w- c:\windows\vymubifu.scr
2009-09-15 10:18:15 18721 ----a-w- c:\windows\lykyxelen.bin
2009-09-15 10:18:15 18655 ----a-w- c:\program files\common files\giqajolace.dl
2009-09-15 10:18:15 17769 ----a-w- c:\docume~1\alluse~1\applic~1\haguso.bat
2009-09-15 10:18:15 13245 ----a-w- c:\windows\jejyjexo.bin
2009-09-15 10:18:15 12665 ----a-w- c:\program files\common files\qydy._sy
2009-09-15 10:18:15 11558 ----a-w- c:\windows\babigefu.dll
2009-09-15 10:18:15 11242 ----a-w- c:\windows\obafepow.com
2009-09-15 10:18:15 10171 ----a-w- c:\docume~1\alluse~1\applic~1\wywevyrydo.dat
2009-09-15 10:18:14 14682 ----a-w- c:\windows\idijefibur.com
2009-09-15 10:18:14 14136 ----a-w- c:\program files\common files\mofux.sys
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 14:18:39 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 21:03:36 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
2009-09-02 16:51:46 178440 ----a-w- c:\windows\hpwins20.dat
2009-08-28 10:35:52 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\dllcache\strmdll.dll
2006-05-08 06:23:14 49465 ----a-w- c:\program files\moviepass Terms.html
2006-01-24 05:39:01 26958 ----a-w- c:\program files\MovieLand Terms.html
2008-08-21 16:34:14 88 -csh--r- c:\windows\system32\B36A6A002E.sys
2009-03-21 14:06:58 24064 --sha-w- c:\windows\system32\calc.dll
2008-08-21 16:34:15 3350 -csha-w- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 18:07:14.40 ===============
