
Eco Antivirus won't go away


  • This topic is locked
13 replies to this topic

#1 Xael

Xael

  • Members
  • 10 posts
  • OFFLINE
  • Local time:08:46 PM

Posted 25 November 2009 - 04:35 PM

I saw on your site a way to remove the "antivirus" by using MalwareBytes, but it does not get removed when trying to perform a quick scan or a full scan; it just says that no problems were detected.

DDS:


DDS (Ver_09-07-30.01) - NTFSx86
Run by Michael at 15:16:40.60 on Wed 11/25/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1390 [GMT -6:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

G:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
G:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
G:\WINDOWS\system32\spoolsv.exe
G:\WINDOWS\Explorer.EXE
G:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
G:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
G:\Program Files\Symantec AntiVirus\DefWatch.exe
G:\Program Files\Java\jre6\bin\jqs.exe
G:\WINDOWS\system32\nvsvc32.exe
G:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
G:\WINDOWS\System32\svchost.exe -k imgsvc
G:\Program Files\Symantec AntiVirus\Rtvscan.exe
G:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe
G:\Program Files\Viewpoint\Common\ViewpointService.exe
G:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
G:\Program Files\Common Files\Symantec Shared\ccApp.exe
G:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Winamp\winampa.exe
G:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
G:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
G:\WINDOWS\RTHDCPL.EXE
G:\WINDOWS\system32\RUNDLL32.EXE
G:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
G:\Program Files\Java\jre6\bin\jusched.exe
G:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
G:\Program Files\Winamp Remote\bin\OrbTray.exe
D:\DAEMON Tools Pro\DTProAgent.exe
G:\WINDOWS\system32\ctfmon.exe
G:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
G:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
G:\Program Files\Winamp Remote\bin\Orb.exe
G:\DOCUME~1\Michael\LOCALS~1\Temp\DAA3DF.tmp\msv.exe
G:\Program Files\Logitech\SetPoint\SetPoint.exe
D:\Camera Pics\PhAutoRun.exe
G:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Yahoo!\Messenger\ymsgr_tray.exe
G:\Program Files\Java\jre6\bin\jucheck.exe
G:\Documents and Settings\Michael\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://isohunt.com/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\yahoo!\companion\installs\cpn\yt.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\yahoo!\companion\installs\cpn\yt.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - g:\program files\askbardis\bar\bin\askBar.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - g:\program files\windows live\toolbar\wltcore.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - g:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MsnMsgr] "g:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [Yahoo! Pager] "c:\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [Orb] "g:\program files\winamp remote\bin\OrbTray.exe" /background
uRun: [DAEMON Tools Pro Agent] "d:\daemon tools pro\DTProAgent.exe"
uRun: [ctfmon.exe] g:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] g:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [swg] "g:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE g:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [ccApp] "g:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] g:\progra~1\symant~1\VPTray.exe
mRun: [NeroFilterCheck] g:\windows\system32\NeroCheck.exe
mRun: [WinampAgent] c:\winamp\winampa.exe
mRun: [amd_dc_opt] g:\program files\amd\dual-core optimizer\amd_dc_opt.exe
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [LogitechCommunicationsManager] "g:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LVCOMSX] "g:\program files\common files\logishrd\lcommgr\LVComSX.exe"
mRun: [Adobe Reader Speed Launcher] "g:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [NvMediaCenter] RUNDLL32.EXE g:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [ArcSoft Connection Service] g:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [SunJavaUpdateSched] "g:\program files\java\jre6\bin\jusched.exe"
mRun: [mxcll] g:\documents and settings\all users\application data\eca\vec.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "g:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: g:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - g:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: g:\docume~1\alluse~1\startm~1\programs\startup\photof~1.lnk - d:\camera pics\PhAutoRun.exe
IE: &Clean Traces - g:\program files\dap\privacy package\dapcleanerie.htm
IE: E&xport to Microsoft Excel - c:\micros~1\office11\EXCEL.EXE/3000
IE: {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - g:\program files\paltalk messenger\Paltalk.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - g:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\micros~1\office11\REFIEBAR.DLL
DPF: DirectAnimation Java Classes - file://g:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://g:\windows\java\classes\xmldso.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1197765635765
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1197765630625
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: !SASWinLogon - g:\program files\superantispyware\SASWINLO.DLL
Notify: LBTWlgn - g:\program files\common files\logitech\bluetooth\LBTWlgn.dll
Notify: NavLogon - g:\windows\system32\NavLogon.dll
Notify: wvUkIXnn - wvUkIXnn.dll
AppInit_DLLs: bvdauy.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - g:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - g:\program files\superantispyware\SASSEH.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, msansspc.dll

================= FIREFOX ===================

FF - ProfilePath - g:\docume~1\michael\applic~1\mozilla\firefox\profiles\mlypzrx1.default\
FF - prefs.js: browser.search.selectedEngine - Ask
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=10591&gct=&gc=1&q=
FF - component: g:\documents and settings\michael\application data\mozilla\firefox\profiles\mlypzrx1.default\gsl.dll
FF - plugin: c:\divx\divx content uploader\npUpload.dll
FF - plugin: c:\divx\divx player\npDivxPlayerPlugin.dll
FF - plugin: c:\divx\divx web player\npdivx32.dll
FF - plugin: c:\opera\program\plugins\npdsplay.dll
FF - plugin: c:\opera\program\plugins\NPSWF32.dll
FF - plugin: c:\opera\program\plugins\NPSWF32_back.dll
FF - plugin: c:\opera\program\plugins\npwmsdrm.dll
FF - plugin: g:\documents and settings\michael\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: g:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: g:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: g:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - g:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - g:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - g:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - g:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;g:\program files\superantispyware\SASDIFSV.SYS [2008-9-3 9968]
R1 SASKUTIL;SASKUTIL;g:\program files\superantispyware\SASKUTIL.SYS [2008-9-3 74480]
R1 SAVRT;SAVRT;g:\program files\symantec antivirus\savrt.sys [2005-2-4 324232]
R1 SAVRTPEL;SAVRTPEL;g:\program files\symantec antivirus\Savrtpel.sys [2005-2-4 53896]
R2 ccEvtMgr;Symantec Event Manager;g:\program files\common files\symantec shared\ccEvtMgr.exe [2005-4-8 185968]
R2 ccSetMgr;Symantec Settings Manager;g:\program files\common files\symantec shared\ccSetMgr.exe [2005-4-8 161392]
R2 SeaPort;SeaPort;g:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-1-14 226656]
R2 Symantec AntiVirus;Symantec AntiVirus;g:\program files\symantec antivirus\Rtvscan.exe [2005-4-17 1706176]
R2 Viewpoint Manager Service;Viewpoint Manager Service;g:\program files\viewpoint\common\ViewpointService.exe [2007-12-15 24652]
R3 NAVENG;NAVENG;g:\progra~1\common~1\symant~1\virusd~1\20091120.005\naveng.sys [2009-11-20 84912]
R3 NAVEX15;NAVEX15;g:\progra~1\common~1\symant~1\virusd~1\20091120.005\navex15.sys [2009-11-20 1323568]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;g:\windows\system32\drivers\nvhda32.sys [2008-11-18 39456]
R3 SASENUM;SASENUM;g:\program files\superantispyware\SASENUM.SYS [2008-9-3 7408]
R3 TNET1130;802.11 WLAN;g:\windows\system32\drivers\TNET1130.sys [2005-9-4 386688]
S3 ccPwdSvc;Symantec Password Validation;g:\program files\common files\symantec shared\ccPwdSvc.exe [2005-4-8 83568]
S3 NetWlan5;Symbol Based 802.11b Wireless LAN Card Driver;g:\windows\system32\drivers\NetWlan5.sys [2008-1-16 132695]
S3 P0630VID;Creative WebCam Live!;g:\windows\system32\drivers\P0630Vid.sys [2008-1-8 67968]
S3 SavRoam;SAVRoam;g:\program files\symantec antivirus\SavRoam.exe [2005-4-17 124608]

=============== Created Last 30 ================

2009-11-22 09:14 <DIR> --d----- g:\docume~1\michael\applic~1\Malwarebytes
2009-11-22 09:14 38,224 a------- g:\windows\system32\drivers\mbamswissarmy.sys
2009-11-22 09:14 19,160 a------- g:\windows\system32\drivers\mbam.sys
2009-11-22 09:14 <DIR> --d----- g:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-22 09:14 <DIR> --d----- g:\program files\Malwarebytes' Anti-Malware
2009-11-22 07:36 <DIR> --d----- g:\docume~1\alluse~1\applic~1\eca
2009-11-20 00:05 <DIR> --d----- g:\program files\mIRC
2009-11-17 00:45 <DIR> --d----- g:\docume~1\michael\applic~1\mIRC
2009-10-31 08:43 7,552 ac------ g:\windows\system32\dllcache\sonypvu1.sys
2009-10-31 08:43 7,552 a------- g:\windows\system32\drivers\SONYPVU1.SYS

==================== Find3M ====================

2009-09-02 06:14 3 a------- g:\program files\common files\time.cv
2009-02-22 00:19 4,137 a--sh--- g:\windows\system32\UFNUutwa.ini2

============= FINISH: 15:17:07.00 ===============
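Added example, not part of the thread and not a feature of the DDS tool: a small Python triage of the autostart entries in a DDS "Pseudo HJT Report" like the one above. It flags the kinds of entries a malware responder reads first (a DLL registered under AppInit_DLLs or a winlogon Notify/SSODL/SEH entry given only as a bare filename, a Run entry launched from a user-writable directory, and orphaned entries whose target file is missing). The heuristics, severities and the user-writable path list are my own assumptions; the sample lines are copied from the log above and labelled as a constructed subset.

```python
"""Triage the "Pseudo HJT Report" section of a DDS log (added example)."""
import re
from typing import Dict, List, Optional

# Constructed sample: a subset of the thread's "Pseudo HJT Report" lines,
# chosen so that each heuristic below fires at least once.
SAMPLE_REPORT = r"""
uRun: [MsnMsgr] "g:\program files\windows live\messenger\MsnMsgr.Exe" /background
mRun: [ccApp] "g:\program files\common files\symantec shared\ccApp.exe"
mRun: [mxcll] g:\documents and settings\all users\application data\eca\vec.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
Notify: NavLogon - g:\windows\system32\NavLogon.dll
Notify: wvUkIXnn - wvUkIXnn.dll
AppInit_DLLs: bvdauy.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
"""

# Path fragments any code running as the user can write to (assumption for
# this example); a vendor autostart normally lives under Program Files or
# the Windows directory instead.
USER_WRITABLE = ("\\application data\\", "\\local settings\\", "\\temp\\")

# Entry kinds whose value is a DLL that winlogon/explorer, or for
# AppInit_DLLs every process that loads user32.dll, will load.
DLL_LOADERS = {"Notify", "AppInit_DLLs", "SSODL", "SEH"}

RANK = {"high": 0, "review": 1, "low": 2}

ENTRY_RE = re.compile(r"^(?P<kind>[A-Za-z_]+): (?P<rest>.*)$")
RUN_RE = re.compile(r'^\[(?P<name>[^\]]+)\]\s*(?:"(?P<quoted>[^"]+)"|(?P<bare>.+))')


def parse_entry(line: str) -> Optional[Dict[str, str]]:
    """Split 'kind: rest'; returns None for lines that are not entries."""
    m = ENTRY_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(report: str) -> List[Dict[str, str]]:
    """Return findings sorted high -> review -> low."""
    findings: List[Dict[str, str]] = []
    for raw in report.strip().splitlines():
        entry = parse_entry(raw)
        if not entry:
            continue
        kind, rest = entry["kind"], entry["rest"]
        if kind in ("uRun", "mRun"):
            m = RUN_RE.match(rest)
            if not m:
                continue
            target = (m.group("quoted") or m.group("bare")).strip().lower()
            if any(frag in target for frag in USER_WRITABLE):
                findings.append(dict(severity="review", kind=kind, name=m.group("name"),
                                     value=target,
                                     reason="autostart launched from a user-writable directory"))
        elif kind in DLL_LOADERS:
            # "Notify: wvUkIXnn - wvUkIXnn.dll" splits into name and DLL on " - ";
            # "AppInit_DLLs: bvdauy.dll" has no name part, so the kind is used.
            name, _, value = rest.rpartition(" - ")
            name = name or kind
            if kind == "AppInit_DLLs":
                findings.append(dict(severity="high", kind=kind, name=name, value=value,
                                     reason="AppInit_DLLs set: DLL loaded into every process that loads user32.dll"))
            elif "\\" not in value:
                findings.append(dict(severity="high", kind=kind, name=name, value=value,
                                     reason="DLL given as a bare filename, resolved through the search path"))
        elif rest.endswith("- No File"):
            findings.append(dict(severity="low", kind=kind, name=rest, value="",
                                 reason="orphaned entry; target file missing"))
    findings.sort(key=lambda f: RANK[f["severity"]])
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f'{f["severity"]:7} {f["kind"]:13} {f["name"]:20} {f["value"]:50} {f["reason"]}')
```

Running it on the sample prints the two bare-filename DLL entries and the AppInit_DLLs entry as high, the Run entry under "application data" as review, and the "No File" toolbar entry as low; the legitimate entries under Program Files and the Windows directory produce nothing. The output is a reading order for an analyst, not a verdict.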


#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:01:46 AM

Posted 30 November 2009 - 08:33 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

Thanks and again sorry for the delay.

We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.

    First Location
    Second Location
    Third Location

  • Open RootRepeal on your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes.
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

m0le is a proud member of UNITE

#3 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:01:46 AM

Posted 06 December 2009 - 01:39 PM

Since this issue appears to be resolved ... this topic has been closed. Glad we could help. :(

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:01:46 AM

Posted 11 December 2009 - 09:07 PM

Reopened at user's request

----------------------------------------

Please run RootRepeal as instructed in the post above.

Thanks :(
m0le is a proud member of UNITE

#5 Xael

Xael
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:08:46 PM

Posted 11 December 2009 - 10:22 PM

The RootRepeal report.

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/12/11 21:17
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: G:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB653B000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: G:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBADD2000 Size: 8192 File Visible: No Signed: -
Status: -

Name: PCI_PNP8910
Image Path: \Driver\PCI_PNP8910
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: G:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB5072000 Size: 49152 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: spuw.sys
Image Path: spuw.sys
Address: 0xBA6A9000 Size: 1040384 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x8a418a08

#: 041 Function Name: NtCreateKey
Status: Hooked by "spuw.sys" at address 0xba6aa0e0

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "spuw.sys" at address 0xba6c7ca2

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "spuw.sys" at address 0xba6c8030

#: 119 Function Name: NtOpenKey
Status: Hooked by "spuw.sys" at address 0xba6aa0c0

#: 160 Function Name: NtQueryKey
Status: Hooked by "spuw.sys" at address 0xba6c8108

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "spuw.sys" at address 0xba6c7f88

#: 247 Function Name: NtSetValueKey
Status: Hooked by "spuw.sys" at address 0xba6c819a

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "G:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xb66f40b0

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x8a75a1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x8a75a1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x8a75a1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x8a75a1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a75a1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a75a1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x8a75a1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x8a75a1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a75a1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a75a1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8a75a1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a75a1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a75a1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a75a1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a75a1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a75a1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x8a75a1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8a75a1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8a75a1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8a75a1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8a75a1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x8a75a1f8 Size: 121

Object: Hidden Code [Driver: ah4gn17tࠅ敓ࠁఈ浗灩, IRP_MJ_CREATE]
Process: System Address: 0x8a3ca500 Size: 121

Object: Hidden Code [Driver: ah4gn17tࠅ敓ࠁఈ浗灩, IRP_MJ_CLOSE]
Process: System Address: 0x8a3ca500 Size: 121

Object: Hidden Code [Driver: ah4gn17tࠅ敓ࠁఈ浗灩, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a3ca500 Size: 121

Object: Hidden Code [Driver: ah4gn17tࠅ敓ࠁఈ浗灩, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a3ca500 Size: 121

Object: Hidden Code [Driver: ah4gn17tࠅ敓ࠁఈ浗灩, IRP_MJ_POWER]
Process: System Address: 0x8a3ca500 Size: 121

Object: Hidden Code [Driver: ah4gn17tࠅ敓ࠁఈ浗灩, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a3ca500 Size: 121

Object: Hidden Code [Driver: ah4gn17tࠅ敓ࠁఈ浗灩, IRP_MJ_PNP]
Process: System Address: 0x8a3ca500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x8a4a31f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x8a4a31f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x8a4a31f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x8a4a31f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a4a31f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a4a31f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a4a31f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a4a31f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x8a4a31f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a4a31f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x8a4a31f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE]
Process: System Address: 0x8a7cd1f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_CLOSE]
Process: System Address: 0x8a7cd1f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a7cd1f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a7cd1f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_POWER]
Process: System Address: 0x8a7cd1f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a7cd1f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_PNP]
Process: System Address: 0x8a7cd1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE]
Process: System Address: 0x8a75c1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE]
Process: System Address: 0x8a75c1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_READ]
Process: System Address: 0x8a75c1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]
Process: System Address: 0x8a75c1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a75c1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a75c1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a75c1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a75c1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_POWER]
Process: System Address: 0x8a75c1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a75c1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]
Process: System Address: 0x8a75c1f8 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_CREATE]
Process: System Address: 0x8a3c4500 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_CLOSE]
Process: System Address: 0x8a3c4500 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a3c4500 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a3c4500 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_POWER]
Process: System Address: 0x8a3c4500 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a3c4500 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_PNP]
Process: System Address: 0x8a3c4500 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x8a7ce1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x8a7ce1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x8a7ce1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a7ce1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a7ce1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a7ce1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a7ce1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x8a7ce1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x8a7ce1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a7ce1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x8a7ce1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x8a33c500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x8a33c500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a33c500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a33c500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x8a33c500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x8a33c500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x8a42e4c8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x8a42e4c8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a42e4c8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a42e4c8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x8a42e4c8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a42e4c8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x8a42e4c8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x8a349500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x8a349500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x8a349500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x8a349500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x8a349500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a349500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a349500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x8a349500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x8a349500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a349500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a349500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8a349500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a349500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a349500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a349500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a349500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a349500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a349500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x8a349500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x8a349500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8a349500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8a349500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x8a349500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a349500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x8a349500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8a349500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8a349500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x8a349500 Size: 121

Object: Hidden Code [Driver: Cdfs؀෺䅓䍃B, IRP_MJ_CREATE]
Process: System Address: 0x8a35e500 Size: 121

Object: Hidden Code [Driver: Cdfs؀෺䅓䍃B, IRP_MJ_CLOSE]
Process: System Address: 0x8a35e500 Size: 121

Object: Hidden Code [Driver: Cdfs؀෺䅓䍃B, IRP_MJ_READ]
Process: System Address: 0x8a35e500 Size: 121

Object: Hidden Code [Driver: Cdfs؀෺䅓䍃B, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a35e500 Size: 121

Object: Hidden Code [Driver: Cdfs؀෺䅓䍃B, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a35e500 Size: 121

Object: Hidden Code [Driver: Cdfs؀෺䅓䍃B, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a35e500 Size: 121

Object: Hidden Code [Driver: Cdfs؀෺䅓䍃B, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a35e500 Size: 121

Object: Hidden Code [Driver: Cdfs؀෺䅓䍃B, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a35e500 Size: 121

Object: Hidden Code [Driver: Cdfs؀෺䅓䍃B, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a35e500 Size: 121

Object: Hidden Code [Driver: Cdfs؀෺䅓䍃B, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a35e500 Size: 121

Object: Hidden Code [Driver: Cdfs؀෺䅓䍃B, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a35e500 Size: 121

Object: Hidden Code [Driver: Cdfs؀෺䅓䍃B, IRP_MJ_CLEANUP]
Process: System Address: 0x8a35e500 Size: 121

Object: Hidden Code [Driver: Cdfs؀෺䅓䍃B, IRP_MJ_PNP]
Process: System Address: 0x8a35e500 Size: 121

==EOF==

#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:01:46 AM

Posted 12 December 2009 - 05:55 AM

Now let's see if we can target the rogue antivirus

Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).


Then

Please download ComboFix from one of these locations:* IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


Finally post a new DDS log (log only, no attach.txt) :(
m0le is a proud member of UNITE

#7 Xael

Xael
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:08:46 PM

Posted 12 December 2009 - 12:07 PM

Thank you for the speedy replies and help so far.

The EXE Helper log:
exeHelper by Raktor
Build 20091204
Run at 10:23:36 on 12/12/09
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

The ComboFix Log
ComboFix 09-12-11.05 - Michael 12/12/2009 10:33:22.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1665 [GMT -6:00]
Running from: g:\documents and settings\Michael\Desktop\comfix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

g:\documents and settings\All Users\Application Data\Microsoft\id.txt
g:\program files\Common Files\System\Uninstall
g:\windows\system32\arpibpwv.ini
g:\windows\system32\jcfhppcw.ini
g:\windows\system32\ltwwhyrd.ini
g:\windows\system32\ndyafxoq.ini
g:\windows\system32\udgdifjo.ini
g:\windows\system32\UFNUutwa.ini
g:\windows\system32\UFNUutwa.ini2
g:\windows\wiaserviv.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NTNDIS


((((((((((((((((((((((((( Files Created from 2009-11-12 to 2009-12-12 )))))))))))))))))))))))))))))))
.

2009-12-07 00:12 . 2009-12-07 00:12 -------- d-----w- g:\documents and settings\Michael\Local Settings\Application Data\Conduit
2009-12-07 00:12 . 2009-12-07 00:12 -------- d-----w- g:\documents and settings\Michael\Local Settings\Application Data\TvOnline_by_WebDessign
2009-12-07 00:12 . 2009-12-07 00:12 -------- d-----w- g:\program files\TvOnline_by_WebDessign
2009-12-07 00:12 . 2009-12-07 00:12 -------- d-----w- g:\program files\Conduit
2009-11-23 06:23 . 2009-11-23 06:23 -------- d-----w- g:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-11-23 06:23 . 2009-11-23 06:23 -------- d-----w- g:\documents and settings\LocalService\Application Data\Yahoo!
2009-11-22 15:14 . 2009-11-22 15:14 -------- d-----w- g:\documents and settings\Michael\Application Data\Malwarebytes
2009-11-22 15:14 . 2009-09-10 20:54 38224 ----a-w- g:\windows\system32\drivers\mbamswissarmy.sys
2009-11-22 15:14 . 2009-11-22 15:14 -------- d-----w- g:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-22 15:14 . 2009-09-10 20:53 19160 ----a-w- g:\windows\system32\drivers\mbam.sys
2009-11-22 15:14 . 2009-11-22 15:14 -------- d-----w- g:\program files\Malwarebytes' Anti-Malware
2009-11-22 13:36 . 2009-12-06 17:09 -------- d-----w- g:\documents and settings\All Users\Application Data\eca
2009-11-20 06:05 . 2009-11-24 14:54 -------- d-----w- g:\program files\mIRC
2009-11-17 06:45 . 2009-11-24 15:36 -------- d-----w- g:\documents and settings\Michael\Application Data\mIRC
2009-11-14 04:56 . 2009-11-14 04:56 89088 ----a-w- g:\documents and settings\Michael\Application Data\Mozilla\Firefox\Profiles\mlypzrx1.default\gsl.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-12 16:50 . 2007-12-22 05:08 -------- d-----w- g:\program files\Symantec AntiVirus
2009-12-12 16:50 . 2008-01-14 02:06 -------- d-----w- g:\program files\Winamp Remote
2009-12-12 12:39 . 2008-10-19 03:58 -------- d-----w- g:\documents and settings\All Users\Application Data\Google Updater
2009-11-25 04:38 . 2009-09-03 22:42 117760 ----a-w- g:\documents and settings\Michael\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-25 04:37 . 2008-09-20 17:09 -------- d-----w- g:\program files\SUPERAntiSpyware
2009-11-18 00:20 . 2008-06-06 23:33 -------- d-----w- g:\documents and settings\Michael\Application Data\dvdcss
2009-10-12 04:25 . 2009-10-12 04:25 127872 ----a-w- g:\documents and settings\Michael\Application Data\Move Networks\uninstall.exe
2009-10-12 04:25 . 2009-06-16 06:35 4183416 ----a-w- g:\documents and settings\Michael\Application Data\Move Networks\plugins\npqmp071503000010.dll
2009-09-02 12:14 . 2009-08-05 10:00 3 ----a-w- g:\program files\Common Files\time.cv
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{77d0b2ea-9fb1-491c-bd40-04e2232bdd22}"= "g:\program files\TvOnline_by_WebDessign\tbTvOn.dll" [2009-11-10 2331672]

[HKEY_CLASSES_ROOT\clsid\{77d0b2ea-9fb1-491c-bd40-04e2232bdd22}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{77d0b2ea-9fb1-491c-bd40-04e2232bdd22}]
2009-11-10 00:38 2331672 ----a-w- g:\program files\TvOnline_by_WebDessign\tbTvOn.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{77d0b2ea-9fb1-491c-bd40-04e2232bdd22}"= "g:\program files\TvOnline_by_WebDessign\tbTvOn.dll" [2009-11-10 2331672]

[HKEY_CLASSES_ROOT\clsid\{77d0b2ea-9fb1-491c-bd40-04e2232bdd22}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{77D0B2EA-9FB1-491C-BD40-04E2232BDD22}"= "g:\program files\TvOnline_by_WebDessign\tbTvOn.dll" [2009-11-10 2331672]

[HKEY_CLASSES_ROOT\clsid\{77d0b2ea-9fb1-491c-bd40-04e2232bdd22}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="g:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-06 3885408]
"Yahoo! Pager"="c:\yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"Orb"="g:\program files\Winamp Remote\bin\OrbTray.exe" [2008-01-07 495616]
"DAEMON Tools Pro Agent"="d:\daemon tools pro\DTProAgent.exe" [2007-09-06 136136]
"SUPERAntiSpyware"="g:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-11-25 2001648]
"swg"="g:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-19 39408]
"ctfmon.exe"="g:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="g:\windows\system32\NvCpl.dll" [2008-08-01 13529088]
"nwiz"="nwiz.exe" [2008-08-01 1630208]
"ccApp"="g:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 48752]
"vptray"="g:\progra~1\SYMANT~1\VPTray.exe" [2005-04-17 85184]
"NeroFilterCheck"="g:\windows\system32\NeroCheck.exe" [2006-01-12 155648]
"WinampAgent"="c:\winamp\winampa.exe" [2007-12-20 37376]
"amd_dc_opt"="g:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2006-11-17 77824]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]
"LogitechCommunicationsManager"="g:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-04-05 488984]
"LVCOMSX"="g:\program files\Common Files\LogiShrd\LComMgr\LVComSX.exe" [2007-03-09 252704]
"Adobe Reader Speed Launcher"="g:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]
"RTHDCPL"="RTHDCPL.EXE" [2008-03-06 16858112]
"NvMediaCenter"="g:\windows\system32\NvMcTray.dll" [2008-08-01 86016]
"ArcSoft Connection Service"="g:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2007-10-11 31232]
"SunJavaUpdateSched"="g:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"Malwarebytes Anti-Malware (reboot)"="g:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

g:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - g:\program files\Logitech\SetPoint\SetPoint.exe [2008-1-27 805392]
PHOTOfunSTUDIO -viewer-.lnk - d:\camera pics\PhAutoRun.exe [2009-1-14 40960]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "g:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-11-25 04:37 548352 ----a-w- g:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 07:42 72208 ----a-w- g:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\G:^Documents and Settings^All Users^Start Menu^Programs^Startup^PalTalk.lnk]
path=g:\documents and settings\All Users\Start Menu\Programs\Startup\PalTalk.lnk
backup=g:\windows\pss\PalTalk.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-10-19 03:58 39408 ----a-w- g:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Azureus\\Azureus.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"g:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"g:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"g:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"c:\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"g:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"g:\\Program Files\\AIM6\\aim6.exe"=
"d:\\LimeWire\\LimeWire.exe"=
"g:\\Program Files\\Tremulous\\tremulous.exe"=
"g:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"g:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R0 sptd;sptd;g:\windows\system32\drivers\sptd.sys [12/15/2007 6:50 PM 715248]
R1 SASDIFSV;SASDIFSV;g:\program files\SUPERAntiSpyware\SASDIFSV.SYS [9/3/2008 1:07 PM 9968]
R1 SASKUTIL;SASKUTIL;g:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/3/2008 1:07 PM 74480]
R2 Viewpoint Manager Service;Viewpoint Manager Service;g:\program files\Viewpoint\Common\ViewpointService.exe [12/15/2007 7:10 PM 24652]
R3 EraserUtilDrvI9;EraserUtilDrvI9;g:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI9.sys [12/11/2009 8:03 PM 102448]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;g:\windows\system32\drivers\nvhda32.sys [11/18/2008 3:22 AM 39456]
R3 SASENUM;SASENUM;g:\program files\SUPERAntiSpyware\SASENUM.SYS [9/3/2008 1:07 PM 7408]
R3 TNET1130;802.11 WLAN;g:\windows\system32\drivers\TNET1130.sys [9/4/2005 1:42 AM 386688]
S3 NetWlan5;Symbol Based 802.11b Wireless LAN Card Driver;g:\windows\system32\drivers\NetWlan5.sys [1/16/2008 1:53 PM 132695]
S3 P0630VID;Creative WebCam Live!;g:\windows\system32\drivers\P0630Vid.sys [1/8/2008 1:54 PM 67968]
S3 SavRoam;SAVRoam;g:\program files\Symantec AntiVirus\SavRoam.exe [4/17/2005 12:30 PM 124608]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://isohunt.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: &Clean Traces - g:\program files\DAP\Privacy Package\dapcleanerie.htm
IE: E&xport to Microsoft Excel - c:\micros~1\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - g:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
DPF: DirectAnimation Java Classes - file://g:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://g:\windows\Java\classes\xmldso.cab
FF - ProfilePath - g:\documents and settings\Michael\Application Data\Mozilla\Firefox\Profiles\mlypzrx1.default\
FF - prefs.js: browser.search.selectedEngine - Ask
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=10591&gct=&gc=1&q=
FF - component: g:\documents and settings\Michael\Application Data\Mozilla\Firefox\Profiles\mlypzrx1.default\gsl.dll
FF - plugin: c:\divx\DivX Content Uploader\npUpload.dll
FF - plugin: c:\divx\DivX Player\npDivxPlayerPlugin.dll
FF - plugin: c:\divx\DivX Web Player\npdivx32.dll
FF - plugin: c:\opera\program\plugins\npdsplay.dll
FF - plugin: c:\opera\program\plugins\NPSWF32.dll
FF - plugin: c:\opera\program\plugins\NPSWF32_back.dll
FF - plugin: c:\opera\program\plugins\npwmsdrm.dll
FF - plugin: g:\documents and settings\Michael\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: g:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: g:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: g:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{3041d03e-fd4b-44e0-b742-2d9b88305f98} - g:\program files\AskBarDis\bar\bin\askBar.dll
WebBrowser-{3041D03E-FD4B-44E0-B742-2D9B88305F98} - g:\program files\AskBarDis\bar\bin\askBar.dll
Notify-wvUkIXnn - wvUkIXnn.dll
AddRemove-Ask Toolbar_is1 - g:\program files\AskBarDis\unins000.exe
AddRemove-Septerra Core - c:\septerra core\Uninst.isu
AddRemove-{E280923D-C5D9-4728-8C79-AC9A0DC75875} - c:\program files\InstallShield Installation Information\{E280923D-C5D9-4728-8C79-AC9A0DC75875}\setup.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-12 10:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A75C1F8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba8ecfc3
\Driver\ACPI -> ACPI.sys @ 0xba669cb8
\Driver\atapi -> 0x8a75c1f8
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x8058241c
ParseProcedure -> ntkrnlpa.exe @ 0x8058155c
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x8058241c
ParseProcedure -> ntkrnlpa.exe @ 0x8058155c
NDIS: Intel® PRO/100+ PCI Adapter -> SendCompleteHandler -> NDIS.sys @ 0xba4f3ba0
PacketIndicateHandler -> NDIS.sys @ 0xba4e2a0b
SendHandler -> NDIS.sys @ 0xba4f6b31
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1202660629-1450960922-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:eb,33,51,14,da,ee,dc,93,8d,d3,8e,3b,56,54,1f,d8,46,60,5c,7f,42,d3,c5,
16,16,c9,e1,8c,3d,cd,ba,76,30,08,25,84,3c,8d,9f,36,99,da,04,d0,eb,61,70,36,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50

[HKEY_USERS\S-1-5-21-1202660629-1450960922-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:c8,ce,6b,b0,0e,ff,18,b3,c3,9c,22,aa,39,e7,dd,41,f6,72,2a,fc,70,
a9,59,93,c8,76,3c,79,84,f4,6f,28,25,10,f7,f3,2a,4d,5b,a7,a3,34,0b,23,a6,09,\
"rkeysecu"=hex:c8,9f,25,26,5b,3f,78,d3,a3,c0,32,30,2a,8c,e3,1b

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\:wjY*]
"DisplayName"="???\17?\11\09"
"DeviceDesc"="???\17?\11\09"
"ProviderName"="?A?\11?\16?\11??"
"MFG"="???????"
"ReinstallString"=".10.1000.8"
"DeviceInstanceIds"=multi:"e:\\ati\\atidrv\\sbdrv\\smbus\\smbusati.inf\00"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(980)
g:\program files\SUPERAntiSpyware\SASWINLO.DLL
g:\program files\common files\logitech\bluetooth\LBTWlgn.dll
g:\program files\common files\logitech\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(3296)
g:\program files\Logitech\SetPoint\GameHook.dll
g:\program files\Logitech\SetPoint\lgscroll.dll
g:\progra~1\WINDOW~2\wmpband.dll
g:\windows\system32\WPDShServiceObj.dll
g:\windows\system32\PortableDeviceTypes.dll
g:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
g:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
g:\windows\RTHDCPL.EXE
g:\windows\system32\RUNDLL32.EXE
g:\program files\Common Files\Symantec Shared\ccSetMgr.exe
g:\program files\Symantec AntiVirus\DefWatch.exe
g:\program files\Java\jre6\bin\jqs.exe
g:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
g:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
g:\program files\Symantec AntiVirus\Rtvscan.exe
g:\program files\NVIDIA Corporation\System Update\UpdateCenterService.exe
g:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
g:\program files\Winamp Remote\bin\Orb.exe
c:\yahoo!\Messenger\ymsgr_tray.exe
g:\windows\system32\wscntfy.exe
g:\program files\Java\jre6\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2009-12-12 10:54:42 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-12 16:54

Pre-Run: 4,318,973,952 bytes free
Post-Run: 4,783,058,944 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(3)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(3)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn /usepmtimer

- - End Of File - - 292ED7AEA17D3D2267367D2B634027DA

The DDS Log

DDS (Ver_09-07-30.01) - NTFSx86
Run by Michael at 11:04:03.42 on Sat 12/12/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1461 [GMT -6:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

G:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
G:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
G:\WINDOWS\system32\spoolsv.exe
G:\Program Files\Common Files\Symantec Shared\ccApp.exe
G:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Winamp\winampa.exe
G:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
G:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
G:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
G:\WINDOWS\RTHDCPL.EXE
G:\WINDOWS\system32\RUNDLL32.EXE
G:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
G:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
G:\Program Files\Symantec AntiVirus\DefWatch.exe
G:\Program Files\Java\jre6\bin\jusched.exe
G:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
G:\Program Files\Java\jre6\bin\jqs.exe
G:\Program Files\Winamp Remote\bin\OrbTray.exe
D:\DAEMON Tools Pro\DTProAgent.exe
G:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
G:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
G:\Program Files\Logitech\SetPoint\SetPoint.exe
D:\Camera Pics\PhAutoRun.exe
G:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
G:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
G:\WINDOWS\System32\svchost.exe -k imgsvc
G:\Program Files\Symantec AntiVirus\Rtvscan.exe
G:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe
G:\Program Files\Viewpoint\Common\ViewpointService.exe
G:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
G:\Program Files\Winamp Remote\bin\Orb.exe
C:\Yahoo!\Messenger\ymsgr_tray.exe
G:\WINDOWS\system32\ctfmon.exe
G:\Program Files\Java\jre6\bin\jucheck.exe
G:\WINDOWS\explorer.exe
G:\WINDOWS\system32\notepad.exe
C:\Opera\opera.exe
G:\Documents and Settings\Michael\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://isohunt.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\yahoo!\companion\installs\cpn\yt.dll
uURLSearchHooks: TvOnline by WebDessign Toolbar: {77d0b2ea-9fb1-491c-bd40-04e2232bdd22} - g:\program files\tvonline_by_webdessign\tbTvOn.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\yahoo!\companion\installs\cpn\yt.dll
BHO: TvOnline by WebDessign Toolbar: {77d0b2ea-9fb1-491c-bd40-04e2232bdd22} - g:\program files\tvonline_by_webdessign\tbTvOn.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\yahoo!\companion\installs\cpn\yt.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - g:\program files\windows live\toolbar\wltcore.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - g:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: TvOnline by WebDessign Toolbar: {77d0b2ea-9fb1-491c-bd40-04e2232bdd22} - g:\program files\tvonline_by_webdessign\tbTvOn.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MsnMsgr] "g:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [Yahoo! Pager] "c:\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [Orb] "g:\program files\winamp remote\bin\OrbTray.exe" /background
uRun: [DAEMON Tools Pro Agent] "d:\daemon tools pro\DTProAgent.exe"
uRun: [SUPERAntiSpyware] g:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [swg] "g:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE g:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [ccApp] "g:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] g:\progra~1\symant~1\VPTray.exe
mRun: [NeroFilterCheck] g:\windows\system32\NeroCheck.exe
mRun: [WinampAgent] c:\winamp\winampa.exe
mRun: [amd_dc_opt] g:\program files\amd\dual-core optimizer\amd_dc_opt.exe
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [LogitechCommunicationsManager] "g:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LVCOMSX] "g:\program files\common files\logishrd\lcommgr\LVComSX.exe"
mRun: [Adobe Reader Speed Launcher] "g:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [NvMediaCenter] RUNDLL32.EXE g:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [ArcSoft Connection Service] g:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [SunJavaUpdateSched] "g:\program files\java\jre6\bin\jusched.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "g:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: g:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - g:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: g:\docume~1\alluse~1\startm~1\programs\startup\photof~1.lnk - d:\camera pics\PhAutoRun.exe
IE: &Clean Traces - g:\program files\dap\privacy package\dapcleanerie.htm
IE: E&xport to Microsoft Excel - c:\micros~1\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - g:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - g:\program files\paltalk messenger\Paltalk.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - g:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\micros~1\office11\REFIEBAR.DLL
DPF: DirectAnimation Java Classes - file://g:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://g:\windows\java\classes\xmldso.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1197765635765
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1197765630625
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: !SASWinLogon - g:\program files\superantispyware\SASWINLO.DLL
Notify: LBTWlgn - g:\program files\common files\logitech\bluetooth\LBTWlgn.dll
Notify: NavLogon - g:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - g:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - g:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - g:\docume~1\michael\applic~1\mozilla\firefox\profiles\mlypzrx1.default\
FF - prefs.js: browser.search.selectedEngine - Ask
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=10591&gct=&gc=1&q=
FF - component: g:\documents and settings\michael\application data\mozilla\firefox\profiles\mlypzrx1.default\gsl.dll
FF - plugin: c:\divx\divx content uploader\npUpload.dll
FF - plugin: c:\divx\divx player\npDivxPlayerPlugin.dll
FF - plugin: c:\divx\divx web player\npdivx32.dll
FF - plugin: c:\opera\program\plugins\npdsplay.dll
FF - plugin: c:\opera\program\plugins\NPSWF32.dll
FF - plugin: c:\opera\program\plugins\NPSWF32_back.dll
FF - plugin: c:\opera\program\plugins\npwmsdrm.dll
FF - plugin: g:\documents and settings\michael\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: g:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: g:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: g:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - g:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - g:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - g:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - g:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;g:\program files\superantispyware\SASDIFSV.SYS [2008-9-3 9968]
R1 SASKUTIL;SASKUTIL;g:\program files\superantispyware\SASKUTIL.SYS [2008-9-3 74480]
R1 SAVRT;SAVRT;g:\program files\symantec antivirus\savrt.sys [2005-2-4 324232]
R1 SAVRTPEL;SAVRTPEL;g:\program files\symantec antivirus\Savrtpel.sys [2005-2-4 53896]
R2 ccEvtMgr;Symantec Event Manager;g:\program files\common files\symantec shared\ccEvtMgr.exe [2005-4-8 185968]
R2 ccSetMgr;Symantec Settings Manager;g:\program files\common files\symantec shared\ccSetMgr.exe [2005-4-8 161392]
R2 SeaPort;SeaPort;g:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-1-14 226656]
R2 Symantec AntiVirus;Symantec AntiVirus;g:\program files\symantec antivirus\Rtvscan.exe [2005-4-17 1706176]
R2 Viewpoint Manager Service;Viewpoint Manager Service;g:\program files\viewpoint\common\ViewpointService.exe [2007-12-15 24652]
R3 EraserUtilDrvI9;EraserUtilDrvI9;g:\program files\common files\symantec shared\eengine\EraserUtilDrvI9.sys [2009-12-11 102448]
R3 NAVENG;NAVENG;g:\progra~1\common~1\symant~1\virusd~1\20091211.002\naveng.sys [2009-12-11 84912]
R3 NAVEX15;NAVEX15;g:\progra~1\common~1\symant~1\virusd~1\20091211.002\navex15.sys [2009-12-11 1323568]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;g:\windows\system32\drivers\nvhda32.sys [2008-11-18 39456]
R3 SASENUM;SASENUM;g:\program files\superantispyware\SASENUM.SYS [2008-9-3 7408]
R3 TNET1130;802.11 WLAN;g:\windows\system32\drivers\TNET1130.sys [2005-9-4 386688]
S3 ccPwdSvc;Symantec Password Validation;g:\program files\common files\symantec shared\ccPwdSvc.exe [2005-4-8 83568]
S3 NetWlan5;Symbol Based 802.11b Wireless LAN Card Driver;g:\windows\system32\drivers\NetWlan5.sys [2008-1-16 132695]
S3 P0630VID;Creative WebCam Live!;g:\windows\system32\drivers\P0630Vid.sys [2008-1-8 67968]
S3 SavRoam;SAVRoam;g:\program files\symantec antivirus\SavRoam.exe [2005-4-17 124608]

=============== Created Last 30 ================

2009-12-12 10:31 261,632 a------- g:\windows\PEV.exe
2009-12-12 10:31 77,312 a------- g:\windows\MBR.exe
2009-12-12 10:30 161,792 a------- g:\windows\SWREG.exe
2009-12-12 10:30 98,816 a------- g:\windows\sed.exe
2009-12-12 10:28 <DIR> --d----- G:\comfix
2009-12-06 18:12 <DIR> --d----- g:\program files\TvOnline_by_WebDessign
2009-12-06 18:12 <DIR> --d----- g:\program files\Conduit
2009-11-22 09:14 <DIR> --d----- g:\docume~1\michael\applic~1\Malwarebytes
2009-11-22 09:14 38,224 a------- g:\windows\system32\drivers\mbamswissarmy.sys
2009-11-22 09:14 19,160 a------- g:\windows\system32\drivers\mbam.sys
2009-11-22 09:14 <DIR> --d----- g:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-22 09:14 <DIR> --d----- g:\program files\Malwarebytes' Anti-Malware
2009-11-22 07:36 <DIR> --d----- g:\docume~1\alluse~1\applic~1\eca
2009-11-20 00:05 <DIR> --d----- g:\program files\mIRC
2009-11-17 00:45 <DIR> --d----- g:\docume~1\michael\applic~1\mIRC

==================== Find3M ====================

2009-09-02 06:14 3 a------- g:\program files\common files\time.cv

============= FINISH: 11:04:24.03 ===============
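
The SERVICES / DRIVERS and Created Last 30 sections above are the two parts of a DDS log a helper reads first: early-start kernel drivers loaded from outside the standard driver directory, and anything dropped into application-data folders in the last month. The following parser is an added illustration, not a tool used in this thread. Its line rules follow the DDS convention as I understand it (R = running, S = stopped, the digit is the service start type: 0 boot, 1 system, 2 automatic, 3 manual, 4 disabled, then `name;display name;path [yyyy-m-d size]`). The sample lines are copied from the log posted above; the two triage heuristics are my own and only prioritise what to look at, they are not a verdict (legitimate AV drivers such as the Symantec and SUPERAntiSpyware ones here load from Program Files too).

```python
"""Parse the SERVICES / DRIVERS and Created Last 30 sections of a DDS log."""
import re
from dataclasses import dataclass
from typing import List

# Lines copied from the DDS log posted in the thread (subset).
SAMPLE_LOG = r"""
============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;g:\program files\superantispyware\SASDIFSV.SYS [2008-9-3 9968]
R1 SAVRT;SAVRT;g:\program files\symantec antivirus\savrt.sys [2005-2-4 324232]
R2 Symantec AntiVirus;Symantec AntiVirus;g:\program files\symantec antivirus\Rtvscan.exe [2005-4-17 1706176]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;g:\windows\system32\drivers\nvhda32.sys [2008-11-18 39456]
S3 SavRoam;SAVRoam;g:\program files\symantec antivirus\SavRoam.exe [2005-4-17 124608]

=============== Created Last 30 ================

2009-12-12 10:31 261,632 a------- g:\windows\PEV.exe
2009-12-12 10:28 <DIR> --d----- G:\comfix
2009-12-06 18:12 <DIR> --d----- g:\program files\Conduit
2009-11-22 09:14 38,224 a------- g:\windows\system32\drivers\mbamswissarmy.sys
2009-11-22 07:36 <DIR> --d----- g:\docume~1\alluse~1\applic~1\eca
"""

# R/S = running/stopped, digit = start type, then name;display;path [date size]
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4]) (?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?) \[(?P<date>\d{4}-\d{1,2}-\d{1,2}) (?P<size>\d+)\]$"
)
# "yyyy-mm-dd hh:mm  <size or <DIR>>  <8 attribute flags>  path"
CREATED_RE = re.compile(
    r"^(?P<when>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (?P<size><DIR>|[\d,]+) "
    r"(?P<attrs>\S{8}) (?P<path>.+)$"
)


@dataclass
class Service:
    name: str
    display: str
    path: str
    running: bool
    start_type: int   # 0 boot, 1 system, 2 automatic, 3 manual, 4 disabled
    size: int


@dataclass
class Created:
    when: str
    path: str
    is_dir: bool
    size: int


def _section(text: str, header: str) -> List[str]:
    """Non-empty lines between the '==== header ====' banner and the next banner."""
    out, inside = [], False
    for line in text.splitlines():
        if line.startswith("=") and header in line:
            inside = True
            continue
        if inside and line.startswith("="):
            break
        if inside and line.strip():
            out.append(line)
    return out


def parse_services(text: str) -> List[Service]:
    result = []
    for line in _section(text, "SERVICES / DRIVERS"):
        m = SERVICE_RE.match(line)
        if m:
            result.append(Service(m["name"], m["display"], m["path"],
                                  m["state"] == "R", int(m["start"]), int(m["size"])))
    return result


def parse_created(text: str) -> List[Created]:
    result = []
    for line in _section(text, "Created Last 30"):
        m = CREATED_RE.match(line)
        if m:
            is_dir = m["size"] == "<DIR>"
            size = 0 if is_dir else int(m["size"].replace(",", ""))
            result.append(Created(m["when"], m["path"], is_dir, size))
    return result


DRIVER_DIR = "\\windows\\system32\\drivers\\"
APPDATA_MARKERS = ("\\applic~1\\", "\\application data\\")   # 8.3 and long-name forms


def early_start_drivers_outside_driver_dir(services: List[Service]) -> List[Service]:
    """Boot/system-start .sys files not under system32\\drivers: review first (heuristic)."""
    return [s for s in services
            if s.start_type <= 1 and s.path.lower().endswith(".sys")
            and DRIVER_DIR not in s.path.lower()]


def new_items_in_appdata(created: List[Created]) -> List[Created]:
    """Recently created items under an Application Data folder (heuristic)."""
    return [c for c in created if any(mk in c.path.lower() for mk in APPDATA_MARKERS)]


if __name__ == "__main__":
    for s in early_start_drivers_outside_driver_dir(parse_services(SAMPLE_LOG)):
        print("review driver:", s.name, s.path)
    for c in new_items_in_appdata(parse_created(SAMPLE_LOG)):
        print("review new item:", c.when, c.path)
```

Feed it the whole DDS text (`parse_services(open("dds.txt").read())`) and it returns structured records you can sort by date, size or path instead of eyeballing the list; the heuristics are deliberately loose, because the point at this stage is to decide what to submit for a second opinion, not to decide what is malicious.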

#8 m0le

m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:01:46 AM

Posted 12 December 2009 - 12:30 PM

That looks good.

Let's run an online scanner to check for leftovers. Make sure you set ESET to remove anything it finds.

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image] icon on your desktop.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Check [image]
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [image] button.
  • Push [image]

Next, let's update Java and remove older versions.


Old versions of Java are big doors to malware. JavaRa removes them and updates your version to the most current.

Please download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

    Please make sure you turn on the Java Automatic Update Feature

    Then you will not have to remember to update it when Java introduces a new version.
    Java is updated very frequently, and the old versions are malware magnets.

    Note: This feature is available only on Windows XP, 2003, 2000 (SP2 or higher) and set by default for these operating systems.
Let me know how the PC is going too.

Thanks

m0le is a proud member of UNITE

#9 Xael (Topic Starter)

Posted 13 December 2009 - 06:37 PM

The computer seems to be working very well now, thank you for all the help.

#10 m0le

Posted 13 December 2009 - 07:38 PM

Did the ESET scan not produce a log?

#11 m0le

Posted 18 December 2009 - 08:25 PM

Are you still there, Xael?

#12 Xael (Topic Starter)

Posted 19 December 2009 - 11:54 PM

Oh, sorry for the delay.

ESET Log
D:\test\Software\Office 2003\Office.2003.SP1.AIO-XiSO.iso probably a variant of Win32/Agent trojan deleted - quarantined
G:\Qoobox\Quarantine\G\WINDOWS\system32\arpibpwv.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
G:\Qoobox\Quarantine\G\WINDOWS\system32\jcfhppcw.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
G:\Qoobox\Quarantine\G\WINDOWS\system32\ltwwhyrd.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
G:\Qoobox\Quarantine\G\WINDOWS\system32\ndyafxoq.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
G:\Qoobox\Quarantine\G\WINDOWS\system32\udgdifjo.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
G:\Qoobox\Quarantine\G\WINDOWS\system32\UFNUutwa.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
G:\Qoobox\Quarantine\G\WINDOWS\system32\UFNUutwa.ini2.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
G:\WINDOWS\system32\drivers\etc\hosts1 Win32/Qhost trojan cleaned by deleting - quarantined
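
The last ESET hit, a Win32/Qhost file next to the hosts file, is the one worth understanding: that family edits the hosts file so that security-vendor or update domains resolve to loopback (updates silently fail) or so that chosen sites resolve to an attacker's address. The script below is an added illustration, not a tool from this thread. It parses a hosts file and reports both patterns. SAMPLE_HOSTS is constructed (203.0.113.0/24 is a documentation range, bankofexample.com is made up), and WATCHLIST is my assumption about which blackholed domains deserve a high rating; extend it for your own environment.

```python
"""Audit a Windows hosts file for Qhost-style redirects and blackholes."""
import ipaddress
from typing import List, Tuple

# Constructed sample, not the hosts file from the infected machine.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.symantec.com
127.0.0.1       liveupdate.symantecliveupdate.com
203.0.113.10    www.bankofexample.com online.bankofexample.com   # constructed redirect
0.0.0.0         ads.example.net
"""

# Names that legitimately map to loopback in a stock hosts file.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback", "ip6-allnodes", "ip6-allrouters"}

# Assumption: domains a rogue would want to blackhole (AV vendors, update sites).
WATCHLIST = ("symantec.com", "symantecliveupdate.com", "windowsupdate.com",
             "microsoft.com", "malwarebytes.org", "eset.com")

Finding = Tuple[int, str, str, str, str]   # line, hostname, address, severity, reason


def parse_hosts(text: str) -> List[Tuple[int, object, str]]:
    """Return (line_no, ip_address, hostname) for every mapping; comments are stripped."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue   # not an address-first line, ignore it
        for name in fields[1:]:
            entries.append((line_no, addr, name.lower().rstrip(".")))
    return entries


def _on_watchlist(name: str) -> bool:
    return any(name == d or name.endswith("." + d) for d in WATCHLIST)


def audit_hosts(text: str) -> List[Finding]:
    """Flag redirects (non-loopback targets) and blackholes (loopback/0.0.0.0 targets)."""
    findings: List[Finding] = []
    for line_no, addr, name in parse_hosts(text):
        if name in LOCAL_NAMES:
            continue
        blackholed = addr.is_loopback or addr.is_unspecified
        if not blackholed:
            findings.append((line_no, name, str(addr), "high",
                             "redirected to a non-loopback address"))
        elif _on_watchlist(name):
            findings.append((line_no, name, str(addr), "high",
                             "security/update domain blackholed"))
        else:
            findings.append((line_no, name, str(addr), "low",
                             "blackholed (also common in ad-blocking hosts files)"))
    return findings


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

On this machine the live file would be read with `audit_hosts(open(r"g:\windows\system32\drivers\etc\hosts").read())` (drive letter as in the log). Note that ESET removed a file called `hosts1`, not `hosts`; the active file is the one worth checking by hand afterwards, and a stock XP hosts file contains a single `127.0.0.1 localhost` mapping, so anything else in it is there because someone or something put it there.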

#13 m0le

Posted 20 December 2009 - 06:23 AM

That's looking done.

You're clean. Good stuff!

Let's do some clearing up

Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click [image] icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big [image] button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
------------------------------------------------------------------------------------------------------------------------

Here's some advice on how you can keep your PC clean


Update your AntiVirus Software

It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.


Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version, or the Pro version for a 15 day trial period.

Installing this or another recommended program will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis just as you would with antivirus software.


Finally, here's a treasure trove of antivirus, antimalware and antispyware resources


That's it xael, happy surfing!

Cheers.

m0le

#14 m0le

Posted 26 December 2009 - 07:24 AM

Since this issue appears to be resolved ... this topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.