
Can't get rid of Alureon rootkit


  • This topic is locked
55 replies to this topic

#1 webMullet

  • Members
  • 31 posts

Posted 14 November 2009 - 09:04 AM

The detected rootkit has changed names a few times, from Alureon-DR to Alureon-EC.
Avast detects it, I get a message and opt to delete the file, and the windows go away. It always seems to come back.
Thanks for any help.


DDS (Ver_09-10-26.01) - NTFSx86
Run by Wade at 5:26:00.02 on Sat 11/14/2009
Internet Explorer: 8.0.6001.18828 BrowserJavaVersion: 1.6.0_15
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3199.1469 [GMT -8:00]

AV: Windows Enterprise Suite *On-access scanning enabled* (Updated) {832AD662-AB4F-483E-955A-DDA7173A39D1}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
FW: Windows Enterprise Suite *enabled* {66C8A644-CEB7-4AF4-A188-BAD419D263CC}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
K:\Alwil Software\Avast4\aswUpdSv.exe
K:\Alwil Software\Avast4\ashServ.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\Pen_Tablet.exe
C:\Windows\System32\TUProgSt.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WTablet\Pen_TabletUser.exe
C:\Windows\system32\Pen_Tablet.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
K:\Roxio\CinePlayer\DMXLauncher.exe
K:\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
K:\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
K:\Alwil Software\Avast4\ashDisp.exe
C:\Windows\ehome\ehtray.exe
K:\RocketDock\RocketDock.exe
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
C:\Windows\System32\regsvr32.exe
K:\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Windows\System32\TuneUpDefragService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
K:\Alwil Software\Avast4\ashMaiSv.exe
K:\Alwil Software\Avast4\ashWebSv.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Wade\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - k:\micros~1\office12\GRA8E1~1.DLL
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
EB: MasterCook Bar: {c92041c1-6d22-4069-ba0e-66246aa752b0} - c:\windows\system32\shdocvw.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
uRun: [RocketDock] "k:\rocketdock\RocketDock.exe"
uRun: [GrooveSecure] regsvr32 /s /u "c:\users\wade\appdata\local\groove\GrooveSecure.dll"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [<NO NAME>]
mRun: [DMXLauncher] "k:\roxio\cineplayer\DMXLauncher.exe"
mRun: [GrooveMonitor] "k:\microsoft office\office12\GrooveMonitor.exe"
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe
mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"
mRun: [IndexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [QuickTime Task] "K:\QTTask.exe" -atboottime
mRun: [iTunesHelper] "k:\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "d:\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [avast!] k:\alwils~1\avast4\ashDisp.exe
StartupFolder: c:\users\wade\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - k:\microsoft office\office12\ONENOTEM.EXE
mPolicies-system: ConsentPromptBehaviorUser = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - k:\micros~1\office12\EXCEL.EXE/3000
IE: MasterCook: Select Image - k:\mastercook 9\web\MCIEContext.hta
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - k:\micros~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - k:\micros~1\office12\REFIEBAR.DLL
IE: {E6EF5071-7647-4E85-9785-87B6CF5CB561} - {C92041C1-6D22-4069-BA0E-66246AA752B0} - c:\windows\system32\shdocvw.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {22D4879A-92DB-470D-8A83-E158797D8176} - file:///E:/components/Liquid.ocx
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: {DCD9ECFC-6B2B-4F31-9F5D-31F7FD3B6FE5} = 208.67.222.222,208.67.222.220
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - k:\micros~1\office12\GR99D3~1.DLL
Notify: !SASWinLogon - k:\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - k:\micros~1\office12\GRA8E1~1.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - k:\superantispyware\SASSEH.DLL
IFEO: image file execution options - svchost.exe
IFEO: AdwarePrj.exe - svchost.exe
IFEO: agent.exe - svchost.exe
IFEO: AlphaAV - svchost.exe
IFEO: AlphaAV.exe - svchost.exe

Note: multiple IFEO entries found. Please refer to Attach.txt

================= FIREFOX ===================

FF - ProfilePath - c:\users\wade\appdata\roaming\mozilla\firefox\profiles\s97rg6ob.default\
FF - prefs.js: browser.startup.homepage - hxxp://74.125.127.104/
FF - component: c:\users\wade\appdata\roaming\mozilla\firefox\profiles\s97rg6ob.default\extensions\piclens@cooliris.com\components\cooliris.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\vistacodecpack\rm\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\vistacodecpack\rm\browser\plugins\nprpjplug.dll
FF - plugin: c:\users\wade\appdata\roaming\mozilla\firefox\profiles\s97rg6ob.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\users\wade\appdata\roaming\mozilla\plugins\npcoolirisplugin.dll
FF - plugin: k:\itunes\mozilla plugins\npitunes.dll
FF - plugin: k:\plugins\npqtplugin.dll
FF - plugin: k:\plugins\npqtplugin2.dll
FF - plugin: k:\plugins\npqtplugin3.dll
FF - plugin: k:\plugins\npqtplugin4.dll
FF - plugin: k:\plugins\npqtplugin5.dll
FF - plugin: k:\plugins\npqtplugin6.dll
FF - plugin: k:\plugins\npqtplugin7.dll
FF - plugin: k:\vlc media player\vlc\npvlc.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-11-8 114768]
R1 SASDIFSV;SASDIFSV;k:\superantispyware\sasdifsv.sys [2009-10-12 9968]
R1 SASKUTIL;SASKUTIL;k:\superantispyware\SASKUTIL.SYS [2009-10-12 74480]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-11-8 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2009-11-8 53328]
R2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxWatch10.exe [2007-8-24 166384]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2009-9-27 240232]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2008-12-27 3032360]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [2009-2-28 603904]
R3 RoxMediaDB10;RoxMediaDB10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxMediaDB10.exe [2007-8-24 1083888]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2009-5-25 15656]
S2 gupdate1c9f86dbba2d775;Google Update Service (gupdate1c9f86dbba2d775);c:\program files\google\update\GoogleUpdate.exe [2009-6-28 133104]
S2 Roxio Upnp Server 10;Roxio Upnp Server 10;k:\roxio\digital home 10\RoxioUpnpService10.exe [2007-8-24 362992]
S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxLiveShare10.exe [2007-8-24 309744]
S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;k:\roxio\digital home 10\RoxioUPnPRenderer10.exe [2007-8-24 72176]
S3 SandraAgentSrv;SiSoftware Deployment Agent Service;k:\sisoftware sandra lite 2009.sp3c\RpcAgentSrv.exe [2009-5-22 98488]
S3 SASENUM;SASENUM;k:\superantispyware\SASENUM.SYS [2009-10-12 7408]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2008-12-27 16896]

=============== Created Last 30 ================

2009-11-14 03:39:43 4365344 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-11-14 03:39:43 32 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-11-14 03:39:35 3624 ----a-w- C:\rollback.ini
2009-11-14 03:27:25 0 d-----w- c:\programdata\ParetoLogic Anti-Virus PLUS
2009-11-14 03:27:25 0 d-----w- c:\programdata\ParetoLogic
2009-11-14 03:27:25 0 d-----w- c:\program files\common files\ParetoLogic
2009-11-10 22:37:56 2035712 ----a-w- c:\windows\system32\win32k.sys
2009-11-10 22:37:38 351232 ----a-w- c:\windows\system32\WSDApi.dll
2009-11-09 03:40:56 53328 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2009-11-09 01:39:19 0 d-----w- c:\programdata\SUPERAntiSpyware.com
2009-11-09 01:39:06 0 d-----w- c:\users\wade\appdata\roaming\SUPERAntiSpyware.com
2009-11-08 18:24:00 0 d-sh--w- C:\Windows Enterprise Suite
2009-11-08 18:23:59 0 d-sh--w- c:\programdata\WESSys
2009-11-08 18:23:37 0 d-sh--w- c:\programdata\bdea6a4
2009-11-08 17:38:24 0 d-----w- C:\VundoFix Backups
2009-11-08 14:55:07 0 d-----w- c:\users\wade\appdata\roaming\Malwarebytes
2009-11-08 14:55:02 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-08 14:55:00 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-08 14:55:00 0 d-----w- c:\programdata\Malwarebytes
2009-11-08 04:47:57 0 d-----w- c:\programdata\Spybot - Search & Destroy
2009-11-08 02:15:19 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2009-10-27 19:42:58 310784 ----a-w- c:\windows\system32\unregmp2.exe
2009-10-27 19:42:57 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-10-27 01:42:16 34800 ----a-w- c:\programdata\nvModes.dat
2009-10-27 01:38:33 0 d-----w- c:\program files\NVIDIA Corporation
2009-10-26 19:01:47 2421760 ----a-w- c:\windows\system32\wucltux.dll
2009-10-26 19:01:28 87552 ----a-w- c:\windows\system32\wudriver.dll
2009-10-26 19:01:23 33792 ----a-w- c:\windows\system32\wuapp.exe
2009-10-26 19:01:23 171608 ----a-w- c:\windows\system32\wuwebv.dll
2009-10-22 03:15:52 0 d-----w- c:\programdata\CyberLink
2009-10-22 03:15:38 0 d-----w- c:\program files\common files\CyberLink
2009-10-16 23:15:32 213504 ----a-w- c:\windows\system32\msv1_0.dll
2009-10-16 23:15:28 3597896 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-10-16 23:15:27 3546184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-10-16 23:15:11 428544 ----a-w- c:\windows\system32\EncDec.dll
2009-10-16 23:15:11 293376 ----a-w- c:\windows\system32\psisdecd.dll
2009-10-16 23:15:11 217088 ----a-w- c:\windows\system32\psisrndr.ax
2009-10-16 23:15:10 80896 ----a-w- c:\windows\system32\MSNP.ax
2009-10-16 23:15:10 177664 ----a-w- c:\windows\system32\mpg2splt.ax

==================== Find3M ====================

2009-11-03 04:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-27 01:36:43 51200 ----a-w- c:\windows\inf\infpub.dat
2009-10-27 01:36:42 143360 ----a-w- c:\windows\inf\infstrng.dat
2009-10-27 01:36:35 86016 ----a-w- c:\windows\inf\infstor.dat
2009-09-28 00:47:30 2173544 ----a-w- c:\windows\system32\nvcplui.exe
2009-09-28 00:47:00 92776 ----a-w- c:\windows\system32\nvmctray.dll
2009-09-28 00:47:00 805480 ----a-w- c:\windows\system32\nvsvc.dll
2009-09-28 00:47:00 4033128 ----a-w- c:\windows\system32\nvvitvs.dll
2009-09-28 00:47:00 3553896 ----a-w- c:\windows\system32\nvgames.dll
2009-09-28 00:47:00 3172968 ----a-w- c:\windows\system32\nvwss.dll
2009-09-28 00:47:00 215656 ----a-w- c:\windows\system32\nvvsvc.exe
2009-09-28 00:47:00 195176 ----a-w- c:\windows\system32\nvmccss.dll
2009-09-28 00:47:00 150120 ----a-w- c:\windows\system32\nvshext.dll
2009-09-28 00:47:00 1309288 ----a-w- c:\windows\system32\nvsvs.dll
2009-09-28 00:47:00 1292904 ----a-w- c:\windows\system32\nvmobls.dll
2009-09-28 00:46:00 4942440 ----a-w- c:\windows\system32\nvdisps.dll
2009-09-28 00:46:00 13949544 ----a-w- c:\windows\system32\nvcpl.dll
2009-09-27 23:12:22 9509832 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
2009-09-27 23:12:22 7614056 ----a-w- c:\windows\system32\nvd3dum.dll
2009-09-27 23:12:22 490088 ----a-w- c:\windows\system32\nvudisp.exe
2009-09-27 23:12:22 3310184 ----a-w- c:\windows\system32\nvwgf2um.dll
2009-09-27 23:12:22 2169448 ----a-w- c:\windows\system32\nvcuvid.dll
2009-09-27 23:12:22 1997416 ----a-w- c:\windows\system32\nvcuda.dll
2009-09-27 23:12:22 1714792 ----a-w- c:\windows\system32\nvcuvenc.dll
2009-09-27 23:12:22 170600 ----a-w- c:\windows\system32\nvcod167.dll
2009-09-27 23:12:22 170600 ----a-w- c:\windows\system32\nvcod.dll
2009-09-27 23:12:22 11197032 ----a-w- c:\windows\system32\nvoglv32.dll
2009-09-27 23:12:22 10984 ----a-w- c:\windows\system32\drivers\nvBridge.kmd
2009-09-27 23:12:22 1074280 ----a-w- c:\windows\system32\nvapi.dll
2009-09-24 16:24:18 490088 ----a-w- c:\windows\system32\NVUNINST.EXE
2009-09-04 12:24:34 61440 ----a-w- c:\windows\system32\msasn1.dll
2009-08-28 12:39:07 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-28 10:15:30 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-27 05:22:28 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 05:17:43 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-08-27 05:17:43 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-08-27 03:42:29 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-08-18 06:33:52 1193832 ----a-w- c:\windows\system32\FM20.DLL
2008-12-27 22:10:09 174 --sha-w- c:\program files\desktop.ini
2008-12-27 22:01:55 665600 ----a-w- c:\windows\inf\drvindex.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2008-12-31 04:23:58 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012008123020081231\index.dat
2009-01-18 23:53:37 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009011820090119\index.dat
2009-01-30 22:37:56 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009013020090131\index.dat
2007-02-21 19:49:52 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 5:27:24.84 ===============


#2 Blade81 (Bleepin' Rocker)

  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 20 November 2009 - 11:47 AM

Hi,

Sorry for the delayed response. The forums have been really busy. If you still need help with this, post a fresh DDS log, please.



#3 webMullet (Topic Starter)

  • Members
  • 31 posts

Posted 22 November 2009 - 11:57 PM

I think that Windows Defender might have taken care of it. Avast detected some trojan in an old, unused backup file I had, so I deleted it. Then Defender said it found something and did its thing. I used to get warnings every few hours about Alureon; I haven't had one in three or four days. I do get messages every once in a while that Defender needs to restart my computer to protect it. Maybe there are still traces of it. Here is my new DDS log:


DDS (Ver_09-10-26.01) - NTFSx86
Run by Wade at 20:44:00.75 on Sun 11/22/2009
Internet Explorer: 8.0.6001.18828 BrowserJavaVersion: 1.6.0_15
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3199.2141 [GMT -8:00]

AV: Windows Enterprise Suite *On-access scanning enabled* (Updated) {832AD662-AB4F-483E-955A-DDA7173A39D1}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
FW: Windows Enterprise Suite *enabled* {66C8A644-CEB7-4AF4-A188-BAD419D263CC}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\WTouch\WTouchService.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\system32\svchost.exe -k NetworkService
K:\Alwil Software\Avast4\aswUpdSv.exe
K:\Alwil Software\Avast4\ashServ.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\Pen_Tablet.exe
C:\Windows\System32\TUProgSt.exe
C:\Windows\system32\SearchIndexer.exe
K:\Alwil Software\Avast4\ashMaiSv.exe
K:\Alwil Software\Avast4\ashWebSv.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
C:\Windows\system32\taskeng.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Program Files\WTouch\WTouchUser.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\WTablet\Pen_TabletUser.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\Pen_Tablet.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
K:\Roxio\CinePlayer\DMXLauncher.exe
K:\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Java\jre6\bin\jusched.exe
K:\Alwil Software\Avast4\ashDisp.exe
C:\Windows\ehome\ehtray.exe
K:\RocketDock\RocketDock.exe
C:\Windows\System32\regsvr32.exe
K:\DriverMax\devices.exe
K:\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Wade\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - k:\snagit 9\SnagItBHO.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - k:\micros~1\office12\GRA8E1~1.DLL
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - k:\snagit 9\SnagItIEAddin.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
EB: MasterCook Bar: {c92041c1-6d22-4069-ba0e-66246aa752b0} - c:\windows\system32\shdocvw.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
uRun: [RocketDock] "k:\rocketdock\RocketDock.exe"
uRun: [GrooveSecure] regsvr32 /s /u "c:\users\wade\appdata\local\groove\GrooveSecure.dll"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [DriverMax] "k:\drivermax\devices.exe" -agent
uRun: [DriverMax_RESTART] "k:\drivermax\devices.exe" -RESTART
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [<NO NAME>]
mRun: [DMXLauncher] "k:\roxio\cineplayer\DMXLauncher.exe"
mRun: [GrooveMonitor] "k:\microsoft office\office12\GrooveMonitor.exe"
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [QuickTime Task] "K:\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [avast!] k:\alwils~1\avast4\ashDisp.exe
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - k:\logitech\setpoint\SetPoint.exe
mPolicies-system: ConsentPromptBehaviorUser = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - k:\micros~1\office12\EXCEL.EXE/3000
IE: MasterCook: Select Image - k:\mastercook 9\web\MCIEContext.hta
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - k:\micros~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - k:\micros~1\office12\REFIEBAR.DLL
IE: {E6EF5071-7647-4E85-9785-87B6CF5CB561} - {C92041C1-6D22-4069-BA0E-66246AA752B0} - c:\windows\system32\shdocvw.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {22D4879A-92DB-470D-8A83-E158797D8176} - file:///E:/components/Liquid.ocx
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: {DCD9ECFC-6B2B-4F31-9F5D-31F7FD3B6FE5} = 208.67.222.222,208.67.222.220
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - k:\micros~1\office12\GR99D3~1.DLL
Notify: !SASWinLogon - k:\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - k:\micros~1\office12\GRA8E1~1.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - k:\superantispyware\SASSEH.DLL
IFEO: image file execution options - svchost.exe
IFEO: AdwarePrj.exe - svchost.exe
IFEO: agent.exe - svchost.exe
IFEO: AlphaAV - svchost.exe
IFEO: AlphaAV.exe - svchost.exe

Note: multiple IFEO entries found. Please refer to Attach.txt

================= FIREFOX ===================

FF - ProfilePath - c:\users\wade\appdata\roaming\mozilla\firefox\profiles\s97rg6ob.default\
FF - prefs.js: browser.startup.homepage - hxxp://74.125.127.104/
FF - component: c:\users\wade\appdata\roaming\mozilla\firefox\profiles\s97rg6ob.default\extensions\piclens@cooliris.com\components\cooliris.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\tabletplugins\npwacom.dll
FF - plugin: c:\program files\vistacodecpack\rm\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\vistacodecpack\rm\browser\plugins\nprpjplug.dll
FF - plugin: c:\users\wade\appdata\roaming\mozilla\firefox\profiles\s97rg6ob.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\users\wade\appdata\roaming\mozilla\plugins\npcoolirisplugin.dll
FF - plugin: k:\itunes\mozilla plugins\npitunes.dll
FF - plugin: k:\plugins\npqtplugin.dll
FF - plugin: k:\plugins\npqtplugin2.dll
FF - plugin: k:\plugins\npqtplugin3.dll
FF - plugin: k:\plugins\npqtplugin4.dll
FF - plugin: k:\plugins\npqtplugin5.dll
FF - plugin: k:\plugins\npqtplugin6.dll
FF - plugin: k:\plugins\npqtplugin7.dll
FF - plugin: k:\vlc media player\vlc\npvlc.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-11-8 114768]
R1 SASDIFSV;SASDIFSV;k:\superantispyware\sasdifsv.sys [2009-10-12 9968]
R1 SASKUTIL;SASKUTIL;k:\superantispyware\SASKUTIL.SYS [2009-10-12 74480]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-11-8 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2009-11-8 53328]
R2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxWatch10.exe [2007-8-24 166384]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2009-9-27 240232]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2008-12-27 4497704]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [2009-2-28 603904]
R2 WTouchService;WTouch Service;c:\program files\wtouch\WTouchService.exe [2009-11-19 113448]
R3 RoxMediaDB10;RoxMediaDB10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxMediaDB10.exe [2007-8-24 1083888]
R3 WacomVTHid;Virtual Touch Driver;c:\windows\system32\drivers\WacomVTHid.sys [2009-11-19 13480]
S2 gupdate1c9f86dbba2d775;Google Update Service (gupdate1c9f86dbba2d775);c:\program files\google\update\GoogleUpdate.exe [2009-6-28 133104]
S2 Roxio Upnp Server 10;Roxio Upnp Server 10;k:\roxio\digital home 10\RoxioUpnpService10.exe [2007-8-24 362992]
S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxLiveShare10.exe [2007-8-24 309744]
S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;k:\roxio\digital home 10\RoxioUPnPRenderer10.exe [2007-8-24 72176]
S3 SandraAgentSrv;SiSoftware Deployment Agent Service;k:\sisoftware sandra lite 2009.sp3c\RpcAgentSrv.exe [2009-5-22 98488]
S3 SASENUM;SASENUM;k:\superantispyware\SASENUM.SYS [2009-10-12 7408]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2009-5-25 15656]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2008-12-27 16896]

=============== Created Last 30 ================

2009-11-23 04:27:42 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2009-11-23 04:26:13 69632 ----a-w- c:\windows\system32\KemXML.dll
2009-11-23 04:26:13 163840 ----a-w- c:\windows\system32\kemutb.dll
2009-11-23 04:26:13 15872 ----a-w- c:\windows\system32\tdlcmd.dll
2009-11-23 04:26:13 135168 ----a-w- c:\windows\system32\KemUtil.dll
2009-11-23 04:26:13 110592 ----a-w- c:\windows\system32\KemWnd.dll
2009-11-23 04:26:02 0 d-----w- c:\programdata\Logitech
2009-11-23 04:25:56 0 d-----w- c:\program files\common files\Logitech
2009-11-23 04:24:52 0 d-----w- c:\programdata\LogiShrd
2009-11-20 05:57:43 0 d-----w- c:\users\wade\appdata\roaming\WTouch
2009-11-20 05:57:37 245032 ----a-w- c:\windows\system32\Touch_Tablet.dll
2009-11-20 05:56:59 13480 ----a-w- c:\windows\system32\drivers\WacomVTHid.sys
2009-11-20 05:56:59 0 d-----w- c:\program files\WTouch
2009-11-20 05:56:43 0 d-----w- c:\program files\TabletPlugins
2009-11-19 19:31:19 0 d-----w- c:\program files\LSI SoftModem
2009-11-19 19:23:38 94208 ----a-w- c:\windows\system32\RTNUninst32.dll
2009-11-19 19:23:38 73728 ----a-w- c:\windows\system32\RtNicProp32.dll
2009-11-19 19:23:38 172032 ----a-w- c:\windows\system32\drivers\Rtlh86.sys
2009-11-19 19:23:37 64000 ----a-w- c:\windows\agrsmdel.exe
2009-11-19 19:23:37 13824 ----a-w- c:\windows\system32\agrscoin.dll
2009-11-19 19:23:37 1163328 ----a-w- c:\windows\system32\drivers\AGRSM.sys
2009-11-19 18:53:15 68886 ----a-w- c:\windows\system32\drivers\LMouFlt2.sys
2009-11-19 18:53:15 5846 ----a-w- c:\windows\system32\drivers\LKbdFlt2.sys
2009-11-19 18:53:15 52166 ----a-w- c:\windows\system32\drivers\L8042Pr2.sys
2009-11-19 18:53:15 23270 ----a-w- c:\windows\system32\drivers\LHidFlt2.sys
2009-11-19 18:53:15 19188 ----a-w- c:\windows\system32\LCoInst.dll
2009-11-19 18:30:57 0 d-----w- c:\programdata\Innovative Solutions
2009-11-19 09:09:33 0 d-----w- c:\users\wade\appdata\roaming\Bradsoft.com
2009-11-19 09:01:21 72192 ----a-w- c:\windows\unlite3.exe
2009-11-16 04:33:24 0 d-----w- c:\users\wade\appdata\roaming\NumusDiskBuilder
2009-11-16 04:33:03 0 d-----w- c:\windows\XSxS
2009-11-16 04:33:03 0 d-----w- c:\program files\Xenocode
2009-11-15 22:00:26 0 d-----w- c:\users\wade\appdata\roaming\DVDFab
2009-11-14 22:32:26 0 d-----w- c:\programdata\TechSmith
2009-11-14 03:39:43 79736 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-11-14 03:39:43 5639456 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-11-14 03:39:35 3624 ----a-w- C:\rollback.ini
2009-11-14 03:27:25 0 d-----w- c:\programdata\ParetoLogic Anti-Virus PLUS
2009-11-14 03:27:25 0 d-----w- c:\programdata\ParetoLogic
2009-11-14 03:27:25 0 d-----w- c:\program files\common files\ParetoLogic
2009-11-10 22:37:56 2035712 ----a-w- c:\windows\system32\win32k.sys
2009-11-10 22:37:38 351232 ----a-w- c:\windows\system32\WSDApi.dll
2009-11-09 03:40:56 53328 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2009-11-09 01:39:19 0 d-----w- c:\programdata\SUPERAntiSpyware.com
2009-11-09 01:39:06 0 d-----w- c:\users\wade\appdata\roaming\SUPERAntiSpyware.com
2009-11-08 18:24:00 0 d-sh--w- C:\Windows Enterprise Suite
2009-11-08 18:23:59 0 d-sh--w- c:\programdata\WESSys
2009-11-08 18:23:37 0 d-sh--w- c:\programdata\bdea6a4
2009-11-08 17:38:24 0 d-----w- C:\VundoFix Backups
2009-11-08 14:55:07 0 d-----w- c:\users\wade\appdata\roaming\Malwarebytes
2009-11-08 14:55:02 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-08 14:55:00 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-08 14:55:00 0 d-----w- c:\programdata\Malwarebytes
2009-11-08 04:47:57 0 d-----w- c:\programdata\Spybot - Search & Destroy
2009-11-08 02:15:19 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2009-10-27 19:42:58 310784 ----a-w- c:\windows\system32\unregmp2.exe
2009-10-27 19:42:57 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-10-27 01:42:16 34800 ----a-w- c:\programdata\nvModes.dat
2009-10-27 01:38:33 0 d-----w- c:\program files\NVIDIA Corporation
2009-10-26 19:01:47 2421760 ----a-w- c:\windows\system32\wucltux.dll
2009-10-26 19:01:28 87552 ----a-w- c:\windows\system32\wudriver.dll
2009-10-26 19:01:23 33792 ----a-w- c:\windows\system32\wuapp.exe
2009-10-26 19:01:23 171608 ----a-w- c:\windows\system32\wuwebv.dll

==================== Find3M ====================

2009-11-23 04:27:46 51200 ----a-w- c:\windows\inf\infpub.dat
2009-11-23 04:27:46 143360 ----a-w- c:\windows\inf\infstrng.dat
2009-11-23 04:27:34 86016 ----a-w- c:\windows\inf\infstor.dat
2009-11-10 20:02:22 4497704 ----a-w- c:\windows\system32\Pen_Tablet.exe
2009-11-03 04:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-09-28 00:47:30 2173544 ----a-w- c:\windows\system32\nvcplui.exe
2009-09-28 00:47:00 92776 ----a-w- c:\windows\system32\nvmctray.dll
2009-09-28 00:47:00 805480 ----a-w- c:\windows\system32\nvsvc.dll
2009-09-28 00:47:00 4033128 ----a-w- c:\windows\system32\nvvitvs.dll
2009-09-28 00:47:00 3553896 ----a-w- c:\windows\system32\nvgames.dll
2009-09-28 00:47:00 3172968 ----a-w- c:\windows\system32\nvwss.dll
2009-09-28 00:47:00 215656 ----a-w- c:\windows\system32\nvvsvc.exe
2009-09-28 00:47:00 195176 ----a-w- c:\windows\system32\nvmccss.dll
2009-09-28 00:47:00 150120 ----a-w- c:\windows\system32\nvshext.dll
2009-09-28 00:47:00 1309288 ----a-w- c:\windows\system32\nvsvs.dll
2009-09-28 00:47:00 1292904 ----a-w- c:\windows\system32\nvmobls.dll
2009-09-28 00:46:00 4942440 ----a-w- c:\windows\system32\nvdisps.dll
2009-09-28 00:46:00 13949544 ----a-w- c:\windows\system32\nvcpl.dll
2009-09-27 23:12:22 9509832 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
2009-09-27 23:12:22 7614056 ----a-w- c:\windows\system32\nvd3dum.dll
2009-09-27 23:12:22 490088 ----a-w- c:\windows\system32\nvudisp.exe
2009-09-27 23:12:22 3310184 ----a-w- c:\windows\system32\nvwgf2um.dll
2009-09-27 23:12:22 2169448 ----a-w- c:\windows\system32\nvcuvid.dll
2009-09-27 23:12:22 1997416 ----a-w- c:\windows\system32\nvcuda.dll
2009-09-27 23:12:22 1714792 ----a-w- c:\windows\system32\nvcuvenc.dll
2009-09-27 23:12:22 170600 ----a-w- c:\windows\system32\nvcod167.dll
2009-09-27 23:12:22 170600 ----a-w- c:\windows\system32\nvcod.dll
2009-09-27 23:12:22 11197032 ----a-w- c:\windows\system32\nvoglv32.dll
2009-09-27 23:12:22 10984 ----a-w- c:\windows\system32\drivers\nvBridge.kmd
2009-09-27 23:12:22 1074280 ----a-w- c:\windows\system32\nvapi.dll
2009-09-24 16:24:18 490088 ----a-w- c:\windows\system32\NVUNINST.EXE
2009-09-12 04:54:42 1305632 ----a-w- c:\windows\system32\RtkPgExt.dll
2009-09-12 04:54:36 53280 ----a-w- c:\windows\system32\RtkCoInst.dll
2009-09-12 04:54:26 338464 ----a-w- c:\windows\system32\RtkApoApi.dll
2009-09-12 04:54:26 2965536 ----a-w- c:\windows\system32\RtkAPO.dll
2009-09-10 17:30:12 213504 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 12:24:34 61440 ----a-w- c:\windows\system32\msasn1.dll
2009-09-01 03:44:56 267264 ----a-w- c:\windows\system32\FMAPO.dll
2009-08-31 13:55:50 293376 ----a-w- c:\windows\system32\psisdecd.dll
2009-08-31 13:55:46 428544 ----a-w- c:\windows\system32\EncDec.dll
2009-08-28 12:39:07 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-28 10:15:30 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-27 05:22:28 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 05:17:43 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-08-27 05:17:43 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-08-27 03:42:29 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2008-12-27 22:10:09 174 --sha-w- c:\program files\desktop.ini
2008-12-27 22:01:55 665600 ----a-w- c:\windows\inf\drvindex.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2008-12-31 04:23:58 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012008123020081231\index.dat
2009-01-18 23:53:37 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009011820090119\index.dat
2009-01-30 22:37:56 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009013020090131\index.dat
2007-02-21 19:49:52 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 20:45:21.00 ===============
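The DDS output above is what the helpers in this thread triage by eye. As an added example (not part of the original thread, and not DDS's own code), here is a small Python script that parses the "Created Last 30" / "Find3M" line format and the "IFEO:" lines of the Pseudo HJT section and flags entries worth a second look: system+hidden objects outside a short list of normally benign files, random hex-named directories, freshly written binaries under system32, and any Image File Execution Options redirection (the mechanism behind the "Security.Hijack" registry keys that Malwarebytes reports later in this thread). The attribute-column layout, the allowlist and the rule thresholds are assumptions inferred from these logs; the sample lines are copied from the logs in this thread, and a finding means "review this", not "this is malware".

```python
"""Triage helper for DDS logs (added example; not the thread's own tooling).

Parses the "Created Last 30" / "Find3M" lines and the "IFEO:" lines of the
Pseudo HJT section and returns findings for a human to review.
"""
import re
from dataclasses import dataclass

# Line shape, as seen in the logs above: <date> <time> <size> <8 attr flags> <path>
CREATED_RE = re.compile(
    r"^(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<size>\d+) "
    r"(?P<attrs>[a-z-]{8}) (?P<path>.+?)\s*$"
)
# "IFEO: <image> - <debugger>": a Debugger value under Image File Execution
# Options makes Windows start <debugger> whenever <image> is launched.
IFEO_RE = re.compile(r"^IFEO: (?P<image>.+?) - (?P<debugger>.+?)\s*$")

# Attribute column layout inferred from the logs (assumption): index 0 'd'
# for directory, index 2 's' system, index 3 'h' hidden, index 4 'a' archive.
# Names that normally carry system+hidden and are not worth a finding (assumed).
BENIGN_SYSTEM_HIDDEN = {"desktop.ini", "index.dat", "ntuser.dat"}
HEX_NAME = re.compile(r"^[0-9a-f]{6,}$")
BINARY_EXT = (".dll", ".sys", ".exe")


@dataclass(frozen=True)
class Finding:
    rule: str      # which heuristic fired
    subject: str   # path or image name
    detail: str


def triage_line(line: str) -> list[Finding]:
    """Apply the heuristics to one DDS line; returns zero or more findings."""
    findings: list[Finding] = []
    m = IFEO_RE.match(line)
    if m:
        # Rogue AV abuses IFEO to redirect security tools (here to svchost.exe)
        # so they never start; legitimate Debugger entries are rare on a home PC.
        findings.append(Finding("ifeo_redirect", m["image"],
                                f"redirected to {m['debugger']}"))
        return findings
    m = CREATED_RE.match(line)
    if not m:
        return findings
    attrs, path = m["attrs"], m["path"]
    low = path.lower()
    name = low.rsplit("\\", 1)[-1]
    is_dir = attrs[0] == "d"
    if attrs[2] == "s" and attrs[3] == "h" and name not in BENIGN_SYSTEM_HIDDEN:
        findings.append(Finding("hidden_system", path,
                                "directory" if is_dir else "file"))
    if HEX_NAME.match(name):
        findings.append(Finding("random_hex_name", path, f"{len(name)} hex chars"))
    if not is_dir and name.endswith(BINARY_EXT) and "\\windows\\system32\\" in low:
        findings.append(Finding("new_system_binary", path, "review signer/origin"))
    return findings


def triage_log(text: str) -> list[Finding]:
    """Run triage_line over every non-empty line of a DDS log."""
    out: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line:
            out.extend(triage_line(line))
    return out


# Sample input: lines copied from the DDS logs in this thread.
SAMPLE_LOG = r"""
2009-11-23 04:26:13 15872 ----a-w- c:\windows\system32\tdlcmd.dll
2009-11-14 03:39:43 79736 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-11-08 18:24:00 0 d-sh--w- C:\Windows Enterprise Suite
2009-11-08 18:23:59 0 d-sh--w- c:\programdata\WESSys
2009-11-08 18:23:37 0 d-sh--w- c:\programdata\bdea6a4
2009-11-08 14:55:07 0 d-----w- c:\users\wade\appdata\roaming\Malwarebytes
2008-12-27 22:10:09 174 --sha-w- c:\program files\desktop.ini
IFEO: brastk.exe - svchost.exe
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.rule:18} {f.subject}  ({f.detail})")
```

On the sample above the script returns seven findings: the three system+hidden directories, the system+hidden fidbox.idx, the hex-named ProgramData directory (twice, once per rule), the new DLL in system32, and the IFEO redirection; desktop.ini and the Malwarebytes directory produce nothing. On a live Windows host the equivalent IFEO check is `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /s /v Debugger`, which lists every image name that has a Debugger value set.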

#4 Blade81
    Bleepin' Rocker
  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 23 November 2009 - 12:31 AM

Hi,

There are still signs of bad stuff left there.

Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.


Please continue as follows:
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    Remember to re-enable them afterwards.

  • Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

The malware removal instructions provided are meant for the corresponding user's case only. If you have similar symptoms, create your own topic instead of following instructions given to someone else, please.


#5 webMullet
  • Topic Starter
  • Members
  • 31 posts

Posted 23 November 2009 - 01:21 AM

Windows Enterprise Suite is running (virus!?). I can't disable it, but I didn't realize it was installed until I ran ComboFix. I have a popup saying that this is still active and if I continue it's at my own risk. Where should I go from here?

#6 Blade81
    Bleepin' Rocker
  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 23 November 2009 - 01:22 AM

Let ComboFix continue.


#7 webMullet
  • Topic Starter
  • Members
  • 31 posts

Posted 23 November 2009 - 01:53 AM

ComboFix started, backed up the registry, and is now stalled. It didn't even change the clock settings.

#8 webMullet
  • Topic Starter
  • Members
  • 31 posts

Posted 23 November 2009 - 04:23 AM

Two and a half hours and still nothing. I'm using Task Manager to close ComboFix. I'm not comfortable leaving my firewall and antivirus down, and a stalled program running, while I'm away from my computer. I'll await your next suggestion.

#9 Blade81
    Bleepin' Rocker
  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 23 November 2009 - 04:49 AM

Hi,

Please have another attempt after a reboot. If ComboFix still jams, try it in safe mode.


#10 webMullet
  • Topic Starter
  • Members
  • 31 posts

Posted 23 November 2009 - 05:09 AM

Just as I was about to leave it for tonight, I got another alert from avast about the Alureon. I did a Malwarebytes scan, and it detected some stuff. After the reboot I got another Alureon warning. I have included the MBAM log report as well as a new DDS report. I'll try ComboFix again in safe mode and post the results. Thanks again for your help.

Malwarebytes' Anti-Malware 1.41
Database version: 3217
Windows 6.0.6001 Service Pack 1

11/23/2009 1:49:33 AM
mbam-log-2009-11-23 (01-49-33).txt

Scan type: Quick Scan
Objects scanned: 106034
Time elapsed: 4 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntiVirusPlus.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dop.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pav.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PerAvir.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Security Center.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tapinstall.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rwg.exe (Security.Hijack) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\ProgramData\WESSys (Rogue.WindowsEnterpriseSuite) -> Quarantined and deleted successfully.

Files Infected:
C:\ProgramData\WESSys\wes.cfg (Rogue.WindowsEnterpriseSuite) -> Quarantined and deleted successfully.



DDS (Ver_09-10-26.01) - NTFSx86
Run by Wade at 1:56:17.48 on Mon 11/23/2009
Internet Explorer: 8.0.6001.18828 BrowserJavaVersion: 1.6.0_15
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3199.2154 [GMT -8:00]

AV: Windows Enterprise Suite *On-access scanning enabled* (Updated) {832AD662-AB4F-483E-955A-DDA7173A39D1}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
FW: Windows Enterprise Suite *enabled* {66C8A644-CEB7-4AF4-A188-BAD419D263CC}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Program Files\WTouch\WTouchService.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\system32\svchost.exe -k NetworkService
K:\Alwil Software\Avast4\aswUpdSv.exe
K:\Alwil Software\Avast4\ashServ.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\Pen_Tablet.exe
C:\Windows\System32\TUProgSt.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
K:\Alwil Software\Avast4\ashMaiSv.exe
K:\Alwil Software\Avast4\ashWebSv.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Program Files\WTouch\WTouchUser.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\WTablet\Pen_TabletUser.exe
C:\Windows\system32\Pen_Tablet.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
K:\Roxio\CinePlayer\DMXLauncher.exe
K:\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
K:\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\ehome\ehtray.exe
K:\RocketDock\RocketDock.exe
C:\Windows\System32\regsvr32.exe
K:\DriverMax\devices.exe
K:\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Wade\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - k:\snagit 9\SnagItBHO.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - k:\micros~1\office12\GRA8E1~1.DLL
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - k:\snagit 9\SnagItIEAddin.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
EB: MasterCook Bar: {c92041c1-6d22-4069-ba0e-66246aa752b0} - c:\windows\system32\shdocvw.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
uRun: [RocketDock] "k:\rocketdock\RocketDock.exe"
uRun: [GrooveSecure] regsvr32 /s /u "c:\users\wade\appdata\local\groove\GrooveSecure.dll"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [DriverMax_RESTART] "k:\drivermax\devices.exe" -RESTART
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [<NO NAME>]
mRun: [DMXLauncher] "k:\roxio\cineplayer\DMXLauncher.exe"
mRun: [GrooveMonitor] "k:\microsoft office\office12\GrooveMonitor.exe"
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [QuickTime Task] "K:\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [avast!] k:\alwils~1\avast4\ashDisp.exe
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Malwarebytes Anti-Malware (reboot)] "d:\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - k:\logitech\setpoint\SetPoint.exe
mPolicies-system: ConsentPromptBehaviorUser = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - k:\micros~1\office12\EXCEL.EXE/3000
IE: MasterCook: Select Image - k:\mastercook 9\web\MCIEContext.hta
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - k:\micros~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - k:\micros~1\office12\REFIEBAR.DLL
IE: {E6EF5071-7647-4E85-9785-87B6CF5CB561} - {C92041C1-6D22-4069-BA0E-66246AA752B0} - c:\windows\system32\shdocvw.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {22D4879A-92DB-470D-8A83-E158797D8176} - file:///E:/components/Liquid.ocx
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: {DCD9ECFC-6B2B-4F31-9F5D-31F7FD3B6FE5} = 208.67.222.222,208.67.222.220
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - k:\micros~1\office12\GR99D3~1.DLL
Notify: !SASWinLogon - k:\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - k:\micros~1\office12\GRA8E1~1.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - k:\superantispyware\SASSEH.DLL
IFEO: image file execution options - svchost.exe
IFEO: brastk.exe - svchost.exe

================= FIREFOX ===================

FF - ProfilePath - c:\users\wade\appdata\roaming\mozilla\firefox\profiles\s97rg6ob.default\
FF - prefs.js: browser.startup.homepage - hxxp://74.125.127.104/
FF - component: c:\users\wade\appdata\roaming\mozilla\firefox\profiles\s97rg6ob.default\extensions\piclens@cooliris.com\components\cooliris.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\tabletplugins\npwacom.dll
FF - plugin: c:\program files\vistacodecpack\rm\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\vistacodecpack\rm\browser\plugins\nprpjplug.dll
FF - plugin: c:\users\wade\appdata\roaming\mozilla\firefox\profiles\s97rg6ob.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\users\wade\appdata\roaming\mozilla\plugins\npcoolirisplugin.dll
FF - plugin: k:\itunes\mozilla plugins\npitunes.dll
FF - plugin: k:\plugins\npqtplugin.dll
FF - plugin: k:\plugins\npqtplugin2.dll
FF - plugin: k:\plugins\npqtplugin3.dll
FF - plugin: k:\plugins\npqtplugin4.dll
FF - plugin: k:\plugins\npqtplugin5.dll
FF - plugin: k:\plugins\npqtplugin6.dll
FF - plugin: k:\plugins\npqtplugin7.dll
FF - plugin: k:\vlc media player\vlc\npvlc.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-11-8 114768]
R1 SASDIFSV;SASDIFSV;k:\superantispyware\sasdifsv.sys [2009-10-12 9968]
R1 SASKUTIL;SASKUTIL;k:\superantispyware\SASKUTIL.SYS [2009-10-12 74480]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-11-8 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2009-11-8 53328]
R2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxWatch10.exe [2007-8-24 166384]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2009-9-27 240232]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2008-12-27 4497704]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [2009-2-28 603904]
R2 WTouchService;WTouch Service;c:\program files\wtouch\WTouchService.exe [2009-11-19 113448]
R3 RoxMediaDB10;RoxMediaDB10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxMediaDB10.exe [2007-8-24 1083888]
R3 WacomVTHid;Virtual Touch Driver;c:\windows\system32\drivers\WacomVTHid.sys [2009-11-19 13480]
S2 gupdate1c9f86dbba2d775;Google Update Service (gupdate1c9f86dbba2d775);c:\program files\google\update\GoogleUpdate.exe [2009-6-28 133104]
S2 Roxio Upnp Server 10;Roxio Upnp Server 10;k:\roxio\digital home 10\RoxioUpnpService10.exe [2007-8-24 362992]
S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxLiveShare10.exe [2007-8-24 309744]
S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;k:\roxio\digital home 10\RoxioUPnPRenderer10.exe [2007-8-24 72176]
S3 SandraAgentSrv;SiSoftware Deployment Agent Service;k:\sisoftware sandra lite 2009.sp3c\RpcAgentSrv.exe [2009-5-22 98488]
S3 SASENUM;SASENUM;k:\superantispyware\SASENUM.SYS [2009-10-12 7408]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2009-5-25 15656]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2008-12-27 16896]

=============== Created Last 30 ================

2009-11-23 09:42:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-23 09:42:29 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-23 08:46:23 0 d-s---w- C:\ComboFix
2009-11-23 06:33:08 98816 ----a-w- c:\windows\sed.exe
2009-11-23 06:33:08 77312 ----a-w- c:\windows\MBR.exe
2009-11-23 06:33:08 260608 ----a-w- c:\windows\PEV.exe
2009-11-23 06:33:08 161792 ----a-w- c:\windows\SWREG.exe
2009-11-23 04:27:42 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2009-11-23 04:26:13 69632 ----a-w- c:\windows\system32\KemXML.dll
2009-11-23 04:26:13 163840 ----a-w- c:\windows\system32\kemutb.dll
2009-11-23 04:26:13 135168 ----a-w- c:\windows\system32\KemUtil.dll
2009-11-23 04:26:13 110592 ----a-w- c:\windows\system32\KemWnd.dll
2009-11-23 04:26:02 0 d-----w- c:\programdata\Logitech
2009-11-23 04:25:56 0 d-----w- c:\program files\common files\Logitech
2009-11-23 04:24:52 0 d-----w- c:\programdata\LogiShrd
2009-11-20 05:57:43 0 d-----w- c:\users\wade\appdata\roaming\WTouch
2009-11-20 05:57:37 245032 ----a-w- c:\windows\system32\Touch_Tablet.dll
2009-11-20 05:56:59 13480 ----a-w- c:\windows\system32\drivers\WacomVTHid.sys
2009-11-20 05:56:59 0 d-----w- c:\program files\WTouch
2009-11-20 05:56:43 0 d-----w- c:\program files\TabletPlugins
2009-11-19 19:31:19 0 d-----w- c:\program files\LSI SoftModem
2009-11-19 19:23:38 94208 ----a-w- c:\windows\system32\RTNUninst32.dll
2009-11-19 19:23:38 73728 ----a-w- c:\windows\system32\RtNicProp32.dll
2009-11-19 19:23:38 172032 ----a-w- c:\windows\system32\drivers\Rtlh86.sys
2009-11-19 19:23:37 64000 ----a-w- c:\windows\agrsmdel.exe
2009-11-19 19:23:37 13824 ----a-w- c:\windows\system32\agrscoin.dll
2009-11-19 19:23:37 1163328 ----a-w- c:\windows\system32\drivers\AGRSM.sys
2009-11-19 18:53:15 68886 ----a-w- c:\windows\system32\drivers\LMouFlt2.sys
2009-11-19 18:53:15 5846 ----a-w- c:\windows\system32\drivers\LKbdFlt2.sys
2009-11-19 18:53:15 52166 ----a-w- c:\windows\system32\drivers\L8042Pr2.sys
2009-11-19 18:53:15 23270 ----a-w- c:\windows\system32\drivers\LHidFlt2.sys
2009-11-19 18:53:15 19188 ----a-w- c:\windows\system32\LCoInst.dll
2009-11-19 18:30:57 0 d-----w- c:\programdata\Innovative Solutions
2009-11-19 09:09:33 0 d-----w- c:\users\wade\appdata\roaming\Bradsoft.com
2009-11-19 09:01:21 72192 ----a-w- c:\windows\unlite3.exe
2009-11-16 04:33:24 0 d-----w- c:\users\wade\appdata\roaming\NumusDiskBuilder
2009-11-16 04:33:03 0 d-----w- c:\windows\XSxS
2009-11-16 04:33:03 0 d-----w- c:\program files\Xenocode
2009-11-15 22:00:26 0 d-----w- c:\users\wade\appdata\roaming\DVDFab
2009-11-14 22:32:26 0 d-----w- c:\programdata\TechSmith
2009-11-14 03:39:43 79736 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-11-14 03:39:43 5639456 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-11-14 03:39:35 3624 ----a-w- C:\rollback.ini
2009-11-14 03:27:25 0 d-----w- c:\programdata\ParetoLogic Anti-Virus PLUS
2009-11-14 03:27:25 0 d-----w- c:\programdata\ParetoLogic
2009-11-14 03:27:25 0 d-----w- c:\program files\common files\ParetoLogic
2009-11-10 22:37:56 2035712 ----a-w- c:\windows\system32\win32k.sys
2009-11-10 22:37:38 351232 ----a-w- c:\windows\system32\WSDApi.dll
2009-11-09 03:40:56 53328 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2009-11-09 01:39:19 0 d-----w- c:\programdata\SUPERAntiSpyware.com
2009-11-09 01:39:06 0 d-----w- c:\users\wade\appdata\roaming\SUPERAntiSpyware.com
2009-11-08 18:24:00 0 d-sh--w- C:\Windows Enterprise Suite
2009-11-08 18:23:37 0 d-sh--w- c:\programdata\bdea6a4
2009-11-08 17:38:24 0 d-----w- C:\VundoFix Backups
2009-11-08 14:55:07 0 d-----w- c:\users\wade\appdata\roaming\Malwarebytes
2009-11-08 14:55:00 0 d-----w- c:\programdata\Malwarebytes
2009-11-08 04:47:57 0 d-----w- c:\programdata\Spybot - Search & Destroy
2009-11-08 02:15:19 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2009-10-27 19:42:58 310784 ----a-w- c:\windows\system32\unregmp2.exe
2009-10-27 19:42:57 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-10-27 01:42:16 34800 ----a-w- c:\programdata\nvModes.dat
2009-10-27 01:38:33 0 d-----w- c:\program files\NVIDIA Corporation
2009-10-26 19:01:47 2421760 ----a-w- c:\windows\system32\wucltux.dll
2009-10-26 19:01:28 87552 ----a-w- c:\windows\system32\wudriver.dll
2009-10-26 19:01:23 33792 ----a-w- c:\windows\system32\wuapp.exe
2009-10-26 19:01:23 171608 ----a-w- c:\windows\system32\wuwebv.dll

==================== Find3M ====================

2009-11-23 04:27:46 51200 ----a-w- c:\windows\inf\infpub.dat
2009-11-23 04:27:46 143360 ----a-w- c:\windows\inf\infstrng.dat
2009-11-23 04:27:34 86016 ----a-w- c:\windows\inf\infstor.dat
2009-11-10 20:02:22 4497704 ----a-w- c:\windows\system32\Pen_Tablet.exe
2009-11-03 04:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-09-28 00:47:30 2173544 ----a-w- c:\windows\system32\nvcplui.exe
2009-09-28 00:47:00 92776 ----a-w- c:\windows\system32\nvmctray.dll
2009-09-28 00:47:00 805480 ----a-w- c:\windows\system32\nvsvc.dll
2009-09-28 00:47:00 4033128 ----a-w- c:\windows\system32\nvvitvs.dll
2009-09-28 00:47:00 3553896 ----a-w- c:\windows\system32\nvgames.dll
2009-09-28 00:47:00 3172968 ----a-w- c:\windows\system32\nvwss.dll
2009-09-28 00:47:00 215656 ----a-w- c:\windows\system32\nvvsvc.exe
2009-09-28 00:47:00 195176 ----a-w- c:\windows\system32\nvmccss.dll
2009-09-28 00:47:00 150120 ----a-w- c:\windows\system32\nvshext.dll
2009-09-28 00:47:00 1309288 ----a-w- c:\windows\system32\nvsvs.dll
2009-09-28 00:47:00 1292904 ----a-w- c:\windows\system32\nvmobls.dll
2009-09-28 00:46:00 4942440 ----a-w- c:\windows\system32\nvdisps.dll
2009-09-28 00:46:00 13949544 ----a-w- c:\windows\system32\nvcpl.dll
2009-09-27 23:12:22 9509832 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
2009-09-27 23:12:22 7614056 ----a-w- c:\windows\system32\nvd3dum.dll
2009-09-27 23:12:22 490088 ----a-w- c:\windows\system32\nvudisp.exe
2009-09-27 23:12:22 3310184 ----a-w- c:\windows\system32\nvwgf2um.dll
2009-09-27 23:12:22 2169448 ----a-w- c:\windows\system32\nvcuvid.dll
2009-09-27 23:12:22 1997416 ----a-w- c:\windows\system32\nvcuda.dll
2009-09-27 23:12:22 1714792 ----a-w- c:\windows\system32\nvcuvenc.dll
2009-09-27 23:12:22 170600 ----a-w- c:\windows\system32\nvcod167.dll
2009-09-27 23:12:22 170600 ----a-w- c:\windows\system32\nvcod.dll
2009-09-27 23:12:22 11197032 ----a-w- c:\windows\system32\nvoglv32.dll
2009-09-27 23:12:22 10984 ----a-w- c:\windows\system32\drivers\nvBridge.kmd
2009-09-27 23:12:22 1074280 ----a-w- c:\windows\system32\nvapi.dll
2009-09-24 16:24:18 490088 ----a-w- c:\windows\system32\NVUNINST.EXE
2009-09-12 04:54:42 1305632 ----a-w- c:\windows\system32\RtkPgExt.dll
2009-09-12 04:54:36 53280 ----a-w- c:\windows\system32\RtkCoInst.dll
2009-09-12 04:54:26 338464 ----a-w- c:\windows\system32\RtkApoApi.dll
2009-09-12 04:54:26 2965536 ----a-w- c:\windows\system32\RtkAPO.dll
2009-09-10 17:30:12 213504 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 12:24:34 61440 ----a-w- c:\windows\system32\msasn1.dll
2009-09-01 03:44:56 267264 ----a-w- c:\windows\system32\FMAPO.dll
2009-08-31 13:55:50 293376 ----a-w- c:\windows\system32\psisdecd.dll
2009-08-31 13:55:46 428544 ----a-w- c:\windows\system32\EncDec.dll
2009-08-28 12:39:07 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-28 10:15:30 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-27 05:22:28 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 05:17:43 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-08-27 05:17:43 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-08-27 03:42:29 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2008-12-27 22:10:09 174 --sha-w- c:\program files\desktop.ini
2008-12-27 22:01:55 665600 ----a-w- c:\windows\inf\drvindex.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2008-12-31 04:23:58 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012008123020081231\index.dat
2009-01-18 23:53:37 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009011820090119\index.dat
2009-01-30 22:37:56 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009013020090131\index.dat
2007-02-21 19:49:52 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 1:57:54.30 ===============
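
As an added illustration, not part of the original thread and not code from the DDS tool, here is a small Python script that parses a DDS-style file listing such as the one above and flags the two things a responder looks at first: entries carrying both the hidden and system attributes (both C:\Windows Enterprise Suite and c:\programdata\bdea6a4 appear that way in the listing, and Blade81 identifies Windows Enterprise Suite as a rogue product in a later reply), and kernel drivers under a drivers folder created shortly before the scan. The sample lines are constructed from entries in the log; the attribute-string layout (leading `d` for a directory, `s` for system, `h` for hidden) is my reading of DDS output and is an assumption, as is the scan timestamp. Flagged entries are candidates for review, not verdicts; legitimate security products also set hidden and system attributes on their own data files.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, copied in shape from the DDS listing above (assumed
# layout: timestamp, size, 8-character attribute string, path).
SAMPLE_LOG = """\
2009-11-23 09:42:29 19160 ----a-w- c:\\windows\\system32\\drivers\\mbam.sys
2009-11-23 08:46:23 0 d-s---w- C:\\ComboFix
2009-11-14 03:39:43 79736 --sha-w- c:\\windows\\system32\\drivers\\fidbox.idx
2009-11-10 22:37:56 2035712 ----a-w- c:\\windows\\system32\\win32k.sys
2009-11-08 18:24:00 0 d-sh--w- C:\\Windows Enterprise Suite
2009-11-08 18:23:37 0 d-sh--w- c:\\programdata\\bdea6a4
2009-09-27 23:12:22 9509832 ----a-w- c:\\windows\\system32\\drivers\\nvlddmkm.sys
==================== Find3M ====================
"""

# Assumed scan time; the DDS run in this thread is dated 2009-11-23.
SCAN_TIME = datetime(2009, 11, 23, 10, 0, 0)

LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+([-a-z]{8})\s+(.+?)\s*$"
)


def parse_dds(text):
    """Turn DDS file-listing lines into dicts; lines that do not match are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # section headers, blank lines, etc.
        ts, size, attrs, path = m.groups()
        entries.append({
            "when": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "size": int(size),
            "is_dir": attrs[0] == "d",   # assumption: leading 'd' marks a directory
            "system": "s" in attrs,      # assumption: 's' = system attribute
            "hidden": "h" in attrs,      # assumption: 'h' = hidden attribute
            "path": path,
        })
    return entries


def triage(entries, scan_time=SCAN_TIME, driver_window_days=30):
    """Return (reason, path) pairs for entries worth a closer look.

    hidden+system : both attributes set, which keeps a folder out of a casual
                    Explorer view and is a common trick of rogue products.
    recent-driver : a .sys under a \\drivers\\ folder created within the window,
                    where a kernel-mode rootkit component would land.
    """
    findings = []
    window = timedelta(days=driver_window_days)
    for e in entries:
        low = e["path"].lower()
        if e["system"] and e["hidden"]:
            findings.append(("hidden+system", e["path"]))
        if (not e["is_dir"] and low.endswith(".sys")
                and "\\drivers\\" in low
                and scan_time - e["when"] <= window):
            findings.append(("recent-driver", e["path"]))
    return findings


def paths_for(findings, reason):
    """Just the paths flagged for one reason."""
    return [p for r, p in findings if r == reason]


if __name__ == "__main__":
    for reason, path in triage(parse_dds(SAMPLE_LOG)):
        print(f"{reason:14} {path}")
```

Run against the full log, the hidden+system filter surfaces the two rogue-looking directories alongside Avast's own data files, and the driver filter pulls out every .sys dropped in the last month (mbam.sys and the Wacom, Realtek and Logitech drivers in this listing); the point of the script is to shrink a thousand-line log to a short review list, not to decide what is malicious.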

#11 webMullet

webMullet
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Local time:01:06 AM

Posted 23 November 2009 - 05:52 AM

I tried running ComboFix in safe mode, and it kept requiring administrative privileges. I am logged in as administrator. It also detected rootkit activity and said it had to restart the system. I rebooted back into safe mode and the same thing happened. I am now logged back into my regular administrative account and running ComboFix once again. I turned UAC off. It's been about 20 minutes though and ComboFix is stalled again. I'm gonna let it run for a bit and check back later. What's next if ComboFix stays stalled?

#12 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:12:06 PM

Posted 23 November 2009 - 09:55 AM

Hi,

Please ensure that Avast is correctly disabled by following instructions here. Then see if ComboFix still stalls.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#13 webMullet

webMullet
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Local time:01:06 AM

Posted 23 November 2009 - 01:00 PM

It's off. Avast doesn't even start in safe mode, and in regular mode right now I have both Windows Firewall and Avast disabled. I can't shut down Windows Enterprise Suite.

#14 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:12:06 PM

Posted 23 November 2009 - 04:19 PM

Please uninstall Avast for now. You may reinstall it after we've got the case solved. Then run ComboFix and ignore possible warnings related to Windows Enterprise Suite. It's a rogue product.

If ComboFix stalls, open Task Manager (press Ctrl, Alt and Del at the same time), go to the Processes tab and end any processes named findstr, find, sed, pev or swreg. See if that helps ComboFix continue.



#15 webMullet

webMullet
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Local time:01:06 AM

Posted 23 November 2009 - 04:56 PM

Stalled, no time change; there are no instances of the processes findstr, find, sed, pev or swreg running in Task Manager.



