Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

MAJOR Root Repeal issue.=Moved to HJT


  • This topic is locked This topic is locked
14 replies to this topic

#1 SomeGuyNamedAnt

SomeGuyNamedAnt

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:01:54 PM

Posted 05 December 2009 - 05:03 AM

Having been sent over from the techs at Symantec, I read the, 'Preparation Guide For Use,' but have a MAJOR problem.

EVERY time I run RootRepeal, regardless of HOW I run it, or from which account it's run, it crashes.

Every... Fraggin'... Time.

Here's what I get:

It gets to file, 'C:\Windows\winxs\msil_dfsvc_b03f5f7f11d50a3a_6.0.6000.16720_none_65f34b6a88ab23e7\' and pops up a dialog bos with, "Attempt to write to 0x00000004."

When I click the 'OK' button, ANOTHER one pops up! "Could not read our index block." Clicking, 'Details,' I get: "Read from 0x00000114." Clicking ok, I get....


*PLIK*

Nothing. It just dumps out without a going away present or so much as some witty, low-shot, insult.

So, long story short, I CAN'T run the prog to generate a log to get help with the crash which prevents said log from being generated. I *DID,* however, run the DDS and Blacklight apps... Logged and all.

All of this is solely to reinstall Symantec's NIS2010 and/ or NAV2010.

Someone recommended ComboFix, but STRONGLY recommended that I talk to someone here, first.



Okay.... Per instructed, here're the logs (I'm amazed that the second was actually allowed to run - not err'd out, I mean):

DDS:


DDS (Ver_09-12-01.01) - NTFSx86
Run by Steve at 14:13:30.40 on Fri 12/04/2009
Internet Explorer: 8.0.6001.18828
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.1.1033.18.3070.1814 [GMT -5:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\AUDIODG.EXE
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k apphost
c:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Windows\System32\svchost.exe -k LPDService
C:\Windows\system32\mqsvc.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Windows\System32\tcpsvcs.exe
C:\Windows\System32\snmp.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k iissvcs
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\mqtgsvc.exe
C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Steve\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com
uSearchMigratedDefaultURL =
uDefault_Search_URL =
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr10/*http://www.yahoo.com
uSearch Bar = hxxp://www.starbarsearch.com/?useie5=1&q=
mSearch Bar = hxxp://www.starbarsearch.com/?useie5=1&q=
mDefault_Search_Url = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr10/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr10/*http://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
mDefault_Page_URL = hxxp://www.yahoo.com
uInternet Settings,ProxyOverride = *.local
uSearchAssistant =
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr10/*http://www.yahoo.com
mSearchAssistant =
uURLSearchHooks: H - No File
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
mRun: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
mRun: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
mRun: [PTHOSTTR] c:\program files\hewlett-packard\hp protecttools security manager\PTHOSTTR.EXE
mRun: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
mRun: [MsmqIntCert] regsvr32 /s mqrt.dll
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [Creative SB Monitoring Utility] RunDll32 sbavmon.dll,SBAVMonitor
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: DisableCAD = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
Trusted Zone: antimalwareguard.com
Trusted Zone: gomyhit.com
Trusted Zone: antimalwareguard.com
Trusted Zone: gomyhit.com
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/su2/ocx/15110/CTPID.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: DeviceNP - DeviceNP.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\users\steve\appdata\roaming\mozilla\firefox\profiles\z9e8vz5a.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - prefs.js: network.proxy.type - 4
FF - component: c:\users\steve\appdata\roaming\mozilla\firefox\profiles\z9e8vz5a.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc.dll
FF - component: c:\users\steve\appdata\roaming\mozilla\firefox\profiles\z9e8vz5a.default\extensions\piclens@cooliris.com\components\cooliris.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\users\steve\appdata\local\yahoo!\browserplus\2.4.17\plugins\npybrowserplus_2.4.17.dll
FF - plugin: c:\users\steve\appdata\roaming\mozilla\firefox\profiles\z9e8vz5a.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\users\steve\appdata\roaming\mozilla\plugins\npcoolirisplugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(yahoo.ytff.general.dontshowhpoffer, truec:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-9-25 189736]
R2 LxrSII1d;Secure II Driver;c:\windows\system32\drivers\LxrSII1d.sys [2008-6-4 72672]
R2 supersafer;supersafer;c:\windows\system32\drivers\supersafer.sys [2009-10-21 354176]
R3 ksaud;Creative USB Audio Driver;c:\windows\system32\drivers\ksaud.sys [2009-6-4 806272]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2008-12-9 3666432]
S2 .1205111534;1205111534;c:\program files\1205111534\Steve1205111534L.exe [2009-9-9 436104]
S3 A5AGU;D-Link Wireless LAN 802.11 USB device driver;c:\windows\system32\drivers\AGUx86.sys [2009-2-3 892416]
S3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files\common files\creative labs shared\service\AL6Licensing.exe [2009-10-13 79360]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2009-6-2 79360]
S3 DAMDrv;DAMDrv;c:\windows\system32\drivers\DAMDrv.sys [2007-8-28 30008]
S3 FLCDLOCK;HP ProtectTools Device Locking / Auditing;c:\windows\system32\flcdlock.exe [2007-6-8 172131]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-4-7 21504]
S3 mi-raysat_3dsmax2010_32;mental ray 3.7 Satellite for Autodesk 3ds Max 2010 32-bit 32-bit;i:\autodesk\3ds max 2010\mentalray\satellite\raysat_3dsmax2010_32server.exe [2009-3-12 86016]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2007-11-2 18176]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2007-1-22 7680]
S3 serusb;Motorola USB Comm Port;c:\windows\system32\drivers\usbser.sys [2009-5-29 27648]
S3 WMSvc;Web Management Service;c:\windows\system32\inetsrv\WMSvc.exe [2008-4-7 11264]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2008-4-7 16896]
S4 EraserSvc10922;Symantec Eraser Service;"c:\program files\norton internet security\engine\17.1.0.19\ccsvchst.exe" /h cccommon --> c:\program files\norton internet security\engine\17.1.0.19\ccSvcHst.exe [?]

============== File Associations ===============

scrfile="%1" %*

=============== Created Last 30 ================

2009-12-03 17:39:46 0 d--h--w- c:\windows\AxInstSV
2009-12-03 14:42:28 23552 ----a-w- c:\windows\system32\tdlcmd.dll
2009-12-03 14:33:10 12800 ----a-w- c:\windows\system32\tdlclk.dll
2009-12-03 04:03:36 0 d-----w- c:\programdata\NortonInstaller
2009-12-02 21:32:45 0 d-----w- c:\program files\common files\Creative
2009-12-02 21:32:41 0 d--h--w- c:\program files\Creative Installation Information
2009-12-02 21:28:32 0 d-----w- C:\Temp
2009-12-02 20:58:37 2048 ----a-w- c:\windows\system32\tzres.dll
2009-12-02 20:56:20 1401856 ----a-w- c:\windows\system32\msxml6.dll
2009-12-02 20:56:19 1248768 ----a-w- c:\windows\system32\msxml3.dll
2009-12-02 20:56:16 714240 ----a-w- c:\windows\system32\timedate.cpl
2009-12-02 19:59:05 0 d-----w- c:\program files\TEMP
2009-12-02 19:29:18 0 d-----w- c:\program files\1205111534
2009-12-02 18:58:15 0 d-----w- c:\program files\NortonInstaller(16)
2009-12-02 17:26:11 0 d-----w- c:\users\steve\temp
2009-12-02 17:20:11 0 d-----w- c:\program files\Tmp
2009-11-27 02:03:10 0 d-----w- c:\users\steve\appdata\roaming\Malwarebytes
2009-11-27 02:03:01 0 d-----w- c:\programdata\Malwarebytes
2009-11-24 14:30:42 0 d-----w- c:\users\steve\appdata\roaming\FreeFLVConverter
2009-11-20 04:52:34 0 d-----w- c:\program files\SHOUTcast
2009-11-14 19:47:07 0 d-----w- c:\users\steve\appdata\roaming\WinCare2009
2009-11-13 06:28:05 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2009-11-13 06:27:46 2036736 ----a-w- c:\windows\system32\win32k.sys
2009-11-13 06:27:40 355328 ----a-w- c:\windows\system32\WSDApi.dll
2009-11-10 12:57:57 0 ----a-w- c:\windows\system32\tdlrm.dll
2009-11-08 09:12:06 0 d-----w- c:\program files\AviSynth 2.5

==================== Find3M ====================

2055-09-19 06:29:11 2012 ----a-w- c:\windows\system32\NAV_75_cltDynam.dat
2009-12-03 03:34:01 86016 ----a-w- c:\windows\inf\infpub.dat
2009-12-03 03:34:01 143360 ----a-w- c:\windows\inf\infstrng.dat
2009-12-03 03:34:01 143360 ----a-w- c:\windows\inf\infstor.dat
2009-11-04 10:30:14 737280 ----a-w- c:\windows\iun6002.exe
2009-10-28 03:43:58 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-10-28 03:43:38 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2009-10-28 03:41:46 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-10-25 16:30:52 0 ---ha-w- c:\windows\system32\drivers\Msft_User_ZuneDriver_01_09_00.Wdf
2009-10-25 16:18:52 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_WinUSB_01009.Wdf
2009-10-25 16:18:51 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
2009-10-20 15:57:49 139152 ----a-w- c:\users\steve\appdata\roaming\PnkBstrK.sys
2009-10-20 15:18:39 782336 ----a-w- c:\windows\system32\1578.dll
2009-10-15 04:03:08 2272 ----a-w- c:\windows\system32\w95inf16.dll
2009-10-15 04:03:07 4608 ----a-w- c:\windows\system32\w95inf32.dll
2009-10-14 16:26:48 344386 ----a-w- c:\windows\system32\ProSetPackage.exe
2009-10-14 13:24:03 262144 ----a-w- C:\ntuser.dat
2009-10-13 07:28:56 118784 ----a-w- c:\windows\dsdxirmv.exe
2009-10-13 04:32:44 413696 ----a-w- c:\windows\system32\wrap_oal.dll
2009-10-13 04:32:43 110592 ----a-w- c:\windows\system32\OpenAL32.dll
2009-10-08 21:08:01 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2009-10-08 21:08:01 234496 ----a-w- c:\windows\system32\oleacc.dll
2009-10-08 21:07:59 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2009-10-07 19:47:02 1825280 ----a-w- c:\windows\NetworkCfg.exe
2009-10-01 14:29:14 195440 ----a-w- c:\windows\system32\MpSigStub.exe
2009-10-01 01:02:17 2537472 ----a-w- c:\windows\system32\wpdshext.dll
2009-10-01 01:02:05 30208 ----a-w- c:\windows\system32\WPDShextAutoplay.exe
2009-10-01 01:02:04 334848 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2009-10-01 01:02:02 87552 ----a-w- c:\windows\system32\WPDShServiceObj.dll
2009-10-01 01:02:00 31232 ----a-w- c:\windows\system32\BthMtpContextHandler.dll
2009-10-01 01:01:59 546816 ----a-w- c:\windows\system32\wpd_ci.dll
2009-10-01 01:01:59 160256 ----a-w- c:\windows\system32\PortableDeviceTypes.dll
2009-10-01 01:01:56 60928 ----a-w- c:\windows\system32\PortableDeviceConnectApi.dll
2009-10-01 01:01:56 350208 ----a-w- c:\windows\system32\WPDSp.dll
2009-10-01 01:01:56 196608 ----a-w- c:\windows\system32\PortableDeviceWMDRM.dll
2009-10-01 01:01:56 100864 ----a-w- c:\windows\system32\PortableDeviceClassExtension.dll
2009-10-01 01:01:54 81920 ----a-w- c:\windows\system32\wpdbusenum.dll
2009-10-01 01:01:50 226816 ----a-w- c:\windows\system32\WpdMtp.dll
2009-10-01 01:01:49 61952 ----a-w- c:\windows\system32\WpdMtpUS.dll
2009-10-01 01:01:49 33280 ----a-w- c:\windows\system32\WpdConns.dll
2009-09-25 02:10:10 974848 ----a-w- c:\windows\system32\WindowsCodecs.dll
2009-09-25 02:07:08 189440 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2009-09-25 02:04:32 321024 ----a-w- c:\windows\system32\PhotoMetadataHandler.dll
2009-09-25 01:49:22 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2009-09-25 01:48:08 351232 ----a-w- c:\windows\system32\XpsPrint.dll
2009-09-25 01:38:29 847360 ----a-w- c:\windows\system32\OpcServices.dll
2009-09-25 01:36:13 280064 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2009-09-25 01:35:31 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2009-09-25 01:33:25 195584 ----a-w- c:\windows\system32\dxdiagn.dll
2009-09-25 01:33:15 829440 ----a-w- c:\windows\system32\d3d10warp.dll
2009-09-25 01:33:01 369664 ----a-w- c:\windows\system32\WMPhoto.dll
2009-09-25 01:32:59 252928 ----a-w- c:\windows\system32\dxdiag.exe
2009-09-25 01:31:53 519680 ----a-w- c:\windows\system32\d3d11.dll
2009-09-25 01:31:26 486912 ----a-w- c:\windows\system32\d3d10level9.dll
2009-09-25 01:31:21 161280 ----a-w- c:\windows\system32\d3d10_1.dll
2009-09-25 01:31:19 218112 ----a-w- c:\windows\system32\d3d10_1core.dll
2009-09-25 01:31:16 1030144 ----a-w- c:\windows\system32\d3d10.dll
2009-09-25 01:31:15 828928 ----a-w- c:\windows\system32\d2d1.dll
2009-09-25 01:30:23 481792 ----a-w- c:\windows\system32\dxgi.dll
2009-09-25 01:30:23 190464 ----a-w- c:\windows\system32\d3d10core.dll
2009-09-25 01:27:04 793088 ----a-w- c:\windows\system32\FntCache.dll
2009-09-25 01:27:04 37888 ----a-w- c:\windows\system32\cdd.dll
2009-09-25 01:27:04 1064448 ----a-w- c:\windows\system32\DWrite.dll
2009-09-24 22:54:55 258048 ----a-w- c:\windows\system32\winspool.drv
2009-09-24 22:54:53 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2009-09-24 22:54:52 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2009-09-10 16:48:01 218624 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 14:59:26 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-09-10 14:58:28 310784 ----a-w- c:\windows\system32\unregmp2.exe
2009-09-10 02:01:02 3023360 ----a-w- c:\windows\system32\UIRibbon.dll
2009-09-10 02:00:54 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
2009-09-10 02:00:36 92672 ----a-w- c:\windows\system32\UIAnimation.dll
2008-04-08 01:56:29 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:07 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:07 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:07 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:07 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-07-25 20:05:16 245760 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-08-06 19:15:51 16384 --sha-w- c:\windows\system32\%appdata%\microsoft\windows\ietldcache\index.dat

============= FINISH: 14:16:03.31 ===============


W32Diag:

Running from: C:\Users\Steve\Desktop\Win32kDiag.exe

Log file at : C:\Users\Steve\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\Windows'...



Cannot access: C:\Windows\bthservsdp.dat

[1] 2009-09-26 10:22:42 12 C:\Windows\bthservsdp.dat ()



Cannot access: C:\Windows\CSC\v2.0.6\pq

[1] 2007-08-28 01:58:18 64 C:\Windows\CSC\v2.0.6\pq ()



Cannot access: C:\Windows\CSC\v2.0.6\temp\ea-{00a316cb-050e-11dd-98a7-001cbf6c1d53}

[1] 2008-04-07 20:50:53 0 C:\Windows\CSC\v2.0.6\temp\ea-{00a316cb-050e-11dd-98a7-001cbf6c1d53} ()



Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl

[1] 2009-12-05 14:12:07 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl ()



Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl

[1] 2009-12-05 14:11:09 0 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl ()



Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-ForwardedEvents.etl

[1] 2009-12-05 14:11:09 0 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-ForwardedEvents.etl ()



Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Microsoft-Windows-Backup.etl

[1] 2009-12-05 14:11:08 0 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Microsoft-Windows-Backup.etl ()



Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl

[1] 2009-12-05 14:11:30 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl ()



Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl

[1] 2009-12-05 14:11:30 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl ()



Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMuroc System Trace.etl

[1] 2009-12-05 14:12:11 0 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMuroc System Trace.etl ()



Finished!


Here's the 'Log.txt' of the DOS prompt command:

Volume in drive C has no label.
Volume Serial Number is 799A-F4B3

Directory of C:\Windows\System32

04/11/2009 01:28 177,152 scecli.dll

Directory of C:\Windows\System32

04/11/2009 01:28 592,896 netlogon.dll
2 File(s) 770,048 bytes

Directory of C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6000.16386_none_35d7205fdc305e3e

11/02/2006 04:46 176,640 scecli.dll
1 File(s) 176,640 bytes

Directory of C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6001.18000_none_380de25bd91b6f12

01/19/2008 02:36 177,152 scecli.dll
1 File(s) 177,152 bytes

Directory of C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6002.18005_none_39f95b67d63d3a5e

04/11/2009 01:28 177,152 scecli.dll
1 File(s) 177,152 bytes

Directory of C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6000.16386_none_fb80f5473b0ed783

11/02/2006 04:46 559,616 netlogon.dll
1 File(s) 559,616 bytes

Directory of C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6001.18000_none_fdb7b74337f9e857

01/19/2008 02:35 592,384 netlogon.dll
1 File(s) 592,384 bytes

Directory of C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6002.18005_none_ffa3304f351bb3a3

04/11/2009 01:28 592,896 netlogon.dll
1 File(s) 592,896 bytes

Total Files Listed:
8 File(s) 3,045,888 bytes
0 Dir(s) 32,317,214,720 bytes free


And there you have it!

Edited by garmanma, 05 December 2009 - 06:56 PM.


BC AdBot (Login to Remove)

 


#2 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:54 PM

Posted 18 December 2009 - 03:36 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Also, please subscribe to this topic, so you are notified when someone replies. Please continue to check manually on occasion, as every now and then the email may be caught by your spam filter.
To enable topic notifications you should do the following:
  • Click on the My Controls link at the top of the page to enter your control panel.
  • Scroll down to the Options category in the left hand side menu bar and click on the Email Settings link.
  • Put a checkmark in the checkbox labeled Enable 'Email Notification' by default?.
  • Set the If ticked, choose default type: menu option to Immediate Email Notification to have an email sent immediately when someone replied.
Information on A/V control HERE


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 


#3 SomeGuyNamedAnt

SomeGuyNamedAnt
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:01:54 PM

Posted 18 December 2009 - 08:58 PM

Since I included the DDS log in the original post, here's a NEW, newer, more recent one (with attach.txt attached):


DDS (Ver_09-12-01.01) - NTFSx86
Run by Steve at 7:00:28.09 on Sat 12/19/2009
Internet Explorer: 8.0.6001.18865
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.1.1033.18.3070.2188 [GMT -5:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k apphost
c:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Windows\System32\svchost.exe -k LPDService
C:\Windows\system32\mqsvc.exe
C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Windows\System32\tcpsvcs.exe
C:\Windows\System32\snmp.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k iissvcs
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\mqtgsvc.exe
C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\rundll32.exe
C:\Users\Steve\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com
uSearchMigratedDefaultURL =
uDefault_Search_URL =
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr10/*http://www.yahoo.com
uSearch Bar = hxxp://www.starbarsearch.com/?useie5=1&q=
mSearch Bar = hxxp://www.starbarsearch.com/?useie5=1&q=
mDefault_Search_Url = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr10/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr10/*http://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
mDefault_Page_URL = hxxp://www.yahoo.com
uInternet Settings,ProxyOverride = *.local
uSearchAssistant =
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr10/*http://www.yahoo.com
mSearchAssistant =
uURLSearchHooks: H - No File
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
mRun: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
mRun: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
mRun: [PTHOSTTR] c:\program files\hewlett-packard\hp protecttools security manager\PTHOSTTR.EXE
mRun: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
mRun: [MsmqIntCert] regsvr32 /s mqrt.dll
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [Creative SB Monitoring Utility] RunDll32 sbavmon.dll,SBAVMonitor
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: DisableCAD = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
Trusted Zone: antimalwareguard.com
Trusted Zone: gomyhit.com
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/su2/ocx/15110/CTPID.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: DeviceNP - DeviceNP.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\users\steve\appdata\roaming\mozilla\firefox\profiles\z9e8vz5a.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - prefs.js: network.proxy.type - 4
FF - component: c:\users\steve\appdata\roaming\mozilla\firefox\profiles\z9e8vz5a.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-

msvc\components\ipc.dll
FF - component: c:\users\steve\appdata\roaming\mozilla\firefox\profiles\z9e8vz5a.default\extensions\{eebc5c3f-ec4b-4ad4-b5d1-fa51b3c42c57}\components\sehLibGlue_stub.dll
FF - component: c:\users\steve\appdata\roaming\mozilla\firefox\profiles\z9e8vz5a.default\extensions\piclens@cooliris.com\components\cooliris.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\users\steve\appdata\roaming\mozilla\firefox\profiles\z9e8vz5a.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\users\steve\appdata\roaming\mozilla\plugins\npcoolirisplugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation

foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(yahoo.ytff.general.dontshowhpoffer, truec:\program files\mozilla firefox\greprefs\security-

prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-9-25 189736]
R2 LxrSII1d;Secure II Driver;c:\windows\system32\drivers\LxrSII1d.sys [2008-6-4 72672]
R2 supersafer;supersafer;c:\windows\system32\drivers\supersafer.sys [2009-10-21 354176]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2008-12-9 3666432]
S2 .1205111534;1205111534;c:\program files\1205111534\Steve1205111534L.exe [2009-9-9 436104]
S3 A5AGU;D-Link Wireless LAN 802.11 USB device driver;c:\windows\system32\drivers\AGUx86.sys [2009-2-3 892416]
S3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files\common files\creative labs shared\service\AL6Licensing.exe [2009-10-13 79360]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2009-6-2 79360]
S3 DAMDrv;DAMDrv;c:\windows\system32\drivers\DAMDrv.sys [2007-8-28 30008]
S3 FLCDLOCK;HP ProtectTools Device Locking / Auditing;c:\windows\system32\flcdlock.exe [2007-6-8 172131]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-4-7 21504]
S3 ksaud;Creative USB Audio Driver;c:\windows\system32\drivers\ksaud.sys [2009-6-4 806272]
S3 mi-raysat_3dsmax2010_32;mental ray 3.7 Satellite for Autodesk 3ds Max 2010 32-bit 32-bit;i:\autodesk\3ds max 2010\mentalray\satellite\raysat_3dsmax2010_32server.exe [2009-3-

12 86016]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2007-11-2 18176]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2007-1-22 7680]
S3 serusb;Motorola USB Comm Port;c:\windows\system32\drivers\usbser.sys [2009-5-29 27648]
S3 VDSDK;VDSDK;c:\users\steve\appdata\local\temp\vdsdk.sys [2009-12-13 13696]
S3 WMSvc;Web Management Service;c:\windows\system32\inetsrv\WMSvc.exe [2008-4-7 11264]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2008-4-7 16896]
S4 EraserSvc10922;Symantec Eraser Service; [x]

============== File Associations ===============

scrfile="%1" %*

=============== Created Last 30 ================

2009-12-18 04:56:17 0 d-----w- c:\program files\EA Games
2009-12-16 23:20:51 138384 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-12-16 23:20:42 215128 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-12-16 23:19:27 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-12-16 18:51:20 0 d-----w- C:\UISpy Settings
2009-12-10 16:32:23 8192 ----a-w- c:\windows\system32\iisrstap.dll
2009-12-10 16:32:23 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-12-10 16:32:23 153600 ----a-w- c:\windows\system32\iisRtl.dll
2009-12-10 16:32:23 14848 ----a-w- c:\windows\system32\iisreset.exe
2009-12-10 16:32:20 51712 ----a-w- c:\windows\system32\admwprox.dll
2009-12-10 16:32:20 411648 ----a-w- c:\windows\system32\drivers\http.sys
2009-12-10 16:32:20 30720 ----a-w- c:\windows\system32\httpapi.dll
2009-12-10 16:32:20 27136 ----a-w- c:\windows\system32\ahadmin.dll
2009-12-10 16:32:19 10752 ----a-w- c:\windows\system32\wamregps.dll
2009-12-10 16:11:35 243712 ----a-w- c:\windows\system32\rastls.dll
2009-12-03 17:39:46 0 d--h--w- c:\windows\AxInstSV
2009-12-03 04:03:36 0 d-----w- c:\programdata\NortonInstaller
2009-12-02 21:32:45 0 d-----w- c:\program files\common files\Creative
2009-12-02 21:32:41 0 d--h--w- c:\program files\Creative Installation Information
2009-12-02 21:28:32 0 d-----w- C:\Temp
2009-12-02 20:58:37 2048 ----a-w- c:\windows\system32\tzres.dll
2009-12-02 20:56:20 1401856 ----a-w- c:\windows\system32\msxml6.dll
2009-12-02 20:56:19 1248768 ----a-w- c:\windows\system32\msxml3.dll
2009-12-02 20:56:16 714240 ----a-w- c:\windows\system32\timedate.cpl
2009-12-02 19:59:05 0 d-----w- c:\program files\TEMP
2009-12-02 19:29:18 0 d-----w- c:\program files\1205111534
2009-12-02 18:58:15 0 d-----w- c:\program files\NortonInstaller(16)
2009-12-02 17:26:11 0 d-----w- c:\users\steve\temp
2009-12-02 17:20:11 0 d-----w- c:\program files\Tmp
2009-11-27 02:03:10 0 d-----w- c:\users\steve\appdata\roaming\Malwarebytes
2009-11-27 02:03:01 0 d-----w- c:\programdata\Malwarebytes
2009-11-24 14:30:42 0 d-----w- c:\users\steve\appdata\roaming\FreeFLVConverter
2009-11-20 04:52:34 0 d-----w- c:\program files\SHOUTcast

==================== Find3M ====================

2055-09-19 06:29:11 2012 ----a-w- c:\windows\system32\NAV_75_cltDynam.dat
2009-12-03 03:34:01 86016 ----a-w- c:\windows\inf\infpub.dat
2009-12-03 03:34:01 143360 ----a-w- c:\windows\inf\infstrng.dat
2009-12-03 03:34:01 143360 ----a-w- c:\windows\inf\infstor.dat
2009-11-21 06:40:20 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 06:34:39 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-11-21 06:34:39 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-11-21 04:59:58 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-04 10:30:14 737280 ----a-w- c:\windows\iun6002.exe
2009-11-03 01:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-28 03:43:58 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-10-28 03:43:38 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2009-10-28 03:41:46 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-10-25 16:30:52 0 ---ha-w- c:\windows\system32\drivers\Msft_User_ZuneDriver_01_09_00.Wdf
2009-10-25 16:18:52 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_WinUSB_01009.Wdf
2009-10-25 16:18:51 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
2009-10-20 15:57:49 139152 ----a-w- c:\users\steve\appdata\roaming\PnkBstrK.sys
2009-10-20 15:18:39 782336 ----a-w- c:\windows\system32\1578.dll
2009-10-15 04:03:08 2272 ----a-w- c:\windows\system32\w95inf16.dll
2009-10-15 04:03:07 4608 ----a-w- c:\windows\system32\w95inf32.dll
2009-10-14 16:26:48 344386 ----a-w- c:\windows\system32\ProSetPackage.exe
2009-10-14 13:24:03 262144 ----a-w- C:\ntuser.dat
2009-10-13 07:28:56 118784 ----a-w- c:\windows\dsdxirmv.exe
2009-10-13 04:32:44 413696 ----a-w- c:\windows\system32\wrap_oal.dll
2009-10-13 04:32:43 110592 ----a-w- c:\windows\system32\OpenAL32.dll
2009-10-08 21:08:01 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2009-10-08 21:08:01 234496 ----a-w- c:\windows\system32\oleacc.dll
2009-10-08 21:07:59 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2009-10-07 19:47:02 1825280 ----a-w- c:\windows\NetworkCfg.exe
2009-10-01 01:02:17 2537472 ----a-w- c:\windows\system32\wpdshext.dll
2009-10-01 01:02:05 30208 ----a-w- c:\windows\system32\WPDShextAutoplay.exe
2009-10-01 01:02:04 334848 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2009-10-01 01:02:02 87552 ----a-w- c:\windows\system32\WPDShServiceObj.dll
2009-10-01 01:02:00 31232 ----a-w- c:\windows\system32\BthMtpContextHandler.dll
2009-10-01 01:01:59 546816 ----a-w- c:\windows\system32\wpd_ci.dll
2009-10-01 01:01:59 160256 ----a-w- c:\windows\system32\PortableDeviceTypes.dll
2009-10-01 01:01:56 60928 ----a-w- c:\windows\system32\PortableDeviceConnectApi.dll
2009-10-01 01:01:56 350208 ----a-w- c:\windows\system32\WPDSp.dll
2009-10-01 01:01:56 196608 ----a-w- c:\windows\system32\PortableDeviceWMDRM.dll
2009-10-01 01:01:56 100864 ----a-w- c:\windows\system32\PortableDeviceClassExtension.dll
2009-10-01 01:01:54 81920 ----a-w- c:\windows\system32\wpdbusenum.dll
2009-10-01 01:01:50 226816 ----a-w- c:\windows\system32\WpdMtp.dll
2009-10-01 01:01:49 61952 ----a-w- c:\windows\system32\WpdMtpUS.dll
2009-10-01 01:01:49 33280 ----a-w- c:\windows\system32\WpdConns.dll
2009-09-25 02:10:10 974848 ----a-w- c:\windows\system32\WindowsCodecs.dll
2009-09-25 02:07:08 189440 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2009-09-25 02:04:32 321024 ----a-w- c:\windows\system32\PhotoMetadataHandler.dll
2009-09-25 01:49:22 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2009-09-25 01:48:08 351232 ----a-w- c:\windows\system32\XpsPrint.dll
2009-09-25 01:38:29 847360 ----a-w- c:\windows\system32\OpcServices.dll
2009-09-25 01:36:13 280064 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2009-09-25 01:35:31 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2009-09-25 01:33:25 195584 ----a-w- c:\windows\system32\dxdiagn.dll
2009-09-25 01:33:15 829440 ----a-w- c:\windows\system32\d3d10warp.dll
2009-09-25 01:33:01 369664 ----a-w- c:\windows\system32\WMPhoto.dll
2009-09-25 01:32:59 252928 ----a-w- c:\windows\system32\dxdiag.exe
2009-09-25 01:31:53 519680 ----a-w- c:\windows\system32\d3d11.dll
2009-09-25 01:31:26 486912 ----a-w- c:\windows\system32\d3d10level9.dll
2009-09-25 01:31:21 161280 ----a-w- c:\windows\system32\d3d10_1.dll
2009-09-25 01:31:19 218112 ----a-w- c:\windows\system32\d3d10_1core.dll
2009-09-25 01:31:16 1030144 ----a-w- c:\windows\system32\d3d10.dll
2009-09-25 01:31:15 828928 ----a-w- c:\windows\system32\d2d1.dll
2009-09-25 01:30:23 481792 ----a-w- c:\windows\system32\dxgi.dll
2009-09-25 01:30:23 190464 ----a-w- c:\windows\system32\d3d10core.dll
2009-09-25 01:27:04 793088 ----a-w- c:\windows\system32\FntCache.dll
2009-09-25 01:27:04 37888 ----a-w- c:\windows\system32\cdd.dll
2009-09-25 01:27:04 1064448 ----a-w- c:\windows\system32\DWrite.dll
2009-09-24 22:54:55 258048 ----a-w- c:\windows\system32\winspool.drv
2009-09-24 22:54:53 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2009-09-24 22:54:52 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2008-04-08 01:56:29 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:07 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:07 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:07 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:07 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-07-25 20:05:16 245760 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-08-06 19:15:51 16384 --sha-w- c:\windows\system32\%appdata%\microsoft\windows\ietldcache\index.dat

============= FINISH: 7:02:03.83 ===============

Edited by SomeGuyNamedAnt, 19 December 2009 - 07:06 AM.


#4 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:54 PM

Posted 19 December 2009 - 03:59 PM

Hello and welcome,

Let's try a scan with GMER...

Download and Run GMER

We will use GMER to scan for rootkits.This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop. Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.

  • Close any and all open programs, as this process may crash your computer.
  • Double click Posted Image or Posted Image on your desktop.
  • When you have done this, close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program. Right-click and select Run As Administrator... if you are using Vista
  • Allow the gmer.sys driver to load if asked.

    If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system... Click NO.
  • In the right panel, you will see several boxes that have been checked. Please UNCHECK the following:
    • Sections
    • IAT/EAT
    • Registry
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show all (Don't miss this one!)
  • Click on Posted Image and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Posted Image and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.

If GMER doesn't work in Normal Mode try running it in Safe Mode

Note: Do Not run any program while GMER is running
*Note*: Rootkit scans often produce false positives. Do NOT take any actions on "<--- ROOKIT" entries

Let me know if it works.
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#5 SomeGuyNamedAnt

SomeGuyNamedAnt
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:01:54 PM

Posted 19 December 2009 - 07:20 PM

Well, after trying to copy and paste the log into the message, and getting an error saying that ht epost was too long (TWICE), I decided to just attach it, instead...

Or not.... Too large.

This is ridiculous.... Not only is POSTING it, too large, but ATTACHING it is, as well (1.02M).

How can I get this log on here, if I can't attach or post it?

Edited by SomeGuyNamedAnt, 19 December 2009 - 07:22 PM.


#6 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:54 PM

Posted 19 December 2009 - 08:43 PM

Hello.

Submit file sample
  • Open to the Submission Channel.
  • Under Link to topic where this file was requested, input:
    http://www.bleepingcomputer.com/forums/t/276503/major-root-repeal-issuemoved-to-hjt/
  • Click Browse and select the GMER logfile
  • Under the comments section, say that Extremeboy asked for the submission.
  • Then select Send File to send it
  • After that you should get a confirmation if it was uploaded successfully.
Let me know once you have done that so I can take a look.
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#7 SomeGuyNamedAnt

SomeGuyNamedAnt
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:01:54 PM

Posted 19 December 2009 - 10:01 PM

Sent, thanks! :(

#8 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:54 PM

Posted 19 December 2009 - 10:22 PM

Reason why the log is so long is I think because you didn't do the scan correctly as I mentioned. Don't worry about it, as I still can read it but just longer in length..

--

We'll start with Combofix.

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page on instructions on doing so.

Please include the C:\ComboFix.txt in your next reply for further review.
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#9 SomeGuyNamedAnt

SomeGuyNamedAnt
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:01:54 PM

Posted 20 December 2009 - 12:42 AM

Here ya go! One ComboFix log!

ComboFix 09-12-18.07 - Steve 12/19/2009 23:24:57.1.2 - x86
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.1.1033.18.3070.2234 [GMT -5:00]
Running from: c:\users\Steve\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-2607811194-3811654364-3942395120-500
c:\$recycle.bin\S-1-5-21-734471015-3495249972-987241254-500
c:\$recycle.bin\S-1-5-21-918056312-2952985149-2686913973-500
c:\programdata\Microsoft\Network\Downloader\qmgr0.dat
c:\programdata\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\1578.dll
c:\windows\system32\Ijl11.dll
c:\windows\system32\mi2.exe
c:\windows\system32\tdlrm.dll
E:\Autorun.inf
E:\resycled
F:\Autorun.inf
F:\resycled
I:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://resources.zune.net
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_WINDOWS_TRIBUTE_SERVICE
-------\Service_BHDrvx86


((((((((((((((((((((((((( Files Created from 2009-11-20 to 2009-12-20 )))))))))))))))))))))))))))))))
.

2009-12-20 04:32 . 2009-12-20 04:47 -------- d-----w- c:\users\Steve\AppData\Local\temp
2009-12-18 04:56 . 2009-12-18 04:56 -------- d-----w- c:\program files\EA Games
2009-12-16 23:20 . 2009-12-20 01:24 138384 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-12-16 23:20 . 2009-12-20 01:56 215128 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-12-16 23:19 . 2009-12-16 23:19 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-12-16 23:19 . 2009-12-16 23:19 -------- d-----w- c:\users\Steve\AppData\Local\PunkBuster
2009-12-16 18:51 . 2009-12-16 18:51 -------- d-----w- C:\UISpy Settings
2009-12-10 16:32 . 2009-11-09 12:31 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-12-10 16:32 . 2009-11-09 12:30 8192 ----a-w- c:\windows\system32\iisrstap.dll
2009-12-10 16:32 . 2009-11-09 12:30 153600 ----a-w- c:\windows\system32\iisRtl.dll
2009-12-10 16:32 . 2009-11-09 10:48 14848 ----a-w- c:\windows\system32\iisreset.exe
2009-12-10 16:32 . 2009-11-09 12:30 30720 ----a-w- c:\windows\system32\httpapi.dll
2009-12-10 16:32 . 2009-11-09 12:28 27136 ----a-w- c:\windows\system32\ahadmin.dll
2009-12-10 16:32 . 2009-11-09 12:28 51712 ----a-w- c:\windows\system32\admwprox.dll
2009-12-10 16:32 . 2009-11-09 10:36 411648 ----a-w- c:\windows\system32\drivers\http.sys
2009-12-10 16:32 . 2009-11-09 12:32 10752 ----a-w- c:\windows\system32\wamregps.dll
2009-12-10 16:11 . 2009-10-07 11:36 243712 ----a-w- c:\windows\system32\rastls.dll
2009-12-03 19:15 . 2009-12-03 19:15 -------- d-----w- c:\users\Administrator\AppData\Roaming\DivX
2009-12-03 17:39 . 2009-12-03 17:39 -------- d--h--w- c:\windows\AxInstSV
2009-12-03 04:03 . 2009-12-11 23:16 -------- d-----w- c:\programdata\NortonInstaller
2009-12-02 21:39 . 2009-12-02 21:39 -------- d-----w- c:\users\Administrator\AppData\Roaming\Malwarebytes
2009-12-02 21:32 . 2009-12-02 21:32 -------- d-----w- c:\program files\Common Files\Creative
2009-12-02 21:32 . 2009-12-02 21:34 -------- d--h--w- c:\program files\Creative Installation Information
2009-12-02 21:28 . 2009-12-02 21:28 -------- d-----w- C:\Temp
2009-12-02 21:28 . 2009-12-02 21:28 -------- d-----w- c:\users\Administrator\AppData\Roaming\WinCare2009
2009-12-02 21:23 . 2009-12-03 19:20 -------- d-----w- c:\users\Administrator\AppData\Local\CrashDumps
2009-12-02 20:58 . 2009-10-29 09:17 2048 ----a-w- c:\windows\system32\tzres.dll
2009-12-02 20:56 . 2009-08-11 16:44 1401856 ----a-w- c:\windows\system32\msxml6.dll
2009-12-02 20:56 . 2009-08-11 16:44 1248768 ----a-w- c:\windows\system32\msxml3.dll
2009-12-02 19:59 . 2009-12-02 19:59 -------- d-----w- c:\program files\TEMP
2009-12-02 19:29 . 2009-12-13 01:26 -------- d-----w- c:\program files\1205111534
2009-12-02 18:58 . 2009-12-02 18:59 -------- d-----w- c:\program files\NortonInstaller(16)
2009-12-02 17:26 . 2009-12-02 17:26 -------- d-----w- c:\users\Steve\temp
2009-12-02 17:20 . 2009-12-02 17:20 -------- d-----w- c:\program files\Tmp
2009-11-27 02:03 . 2009-11-27 02:03 -------- d-----w- c:\users\Steve\AppData\Roaming\Malwarebytes
2009-11-27 02:03 . 2009-11-27 02:03 -------- d-----w- c:\programdata\Malwarebytes
2009-11-24 14:30 . 2009-11-24 14:33 -------- d-----w- c:\users\Steve\AppData\Roaming\FreeFLVConverter
2009-11-22 06:48 . 2009-11-22 06:48 -------- d-----w- c:\users\Steve\AppData\Roaming\Leadertech
2009-11-20 04:52 . 2009-11-20 07:12 -------- d-----w- c:\program files\SHOUTcast

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2055-09-19 06:29 . 2009-09-19 06:00 2012 ----a-w- c:\windows\system32\NAV_75_cltDynam.dat
2009-12-19 02:55 . 2008-06-13 01:24 -------- d-----w- c:\program files\Steam
2009-12-18 04:56 . 2007-08-28 07:32 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-15 13:58 . 2008-04-12 18:01 -------- d-----w- c:\program files\Common Files\Steam
2009-12-13 21:23 . 2009-06-03 02:50 -------- d-----w- c:\programdata\Creative
2009-12-10 22:03 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-12-10 16:34 . 2007-08-28 07:43 -------- d-----w- c:\programdata\Microsoft Help
2009-12-03 15:03 . 2008-03-21 02:35 -------- d-----w- c:\program files\MSECache
2009-12-03 03:43 . 2007-08-28 08:06 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-12-03 02:44 . 2008-09-14 15:01 -------- d-----w- c:\program files\Applications
2009-12-02 21:35 . 2009-05-29 01:42 -------- d-----w- c:\program files\Creative
2009-12-02 21:29 . 2009-12-02 21:28 12846328 ----a-w- c:\programdata\Creative\Software Update\cache\Creative WaveStudio 7.11.00__\WAVESTD_PCAPP_LB_7_11_00.exe
2009-12-02 21:28 . 2009-12-02 21:27 12907880 ----a-w- c:\programdata\Creative\Software Update\cache\Creative WaveStudio 7.12.00__\WAVESTD_PCAPP_LB_7_12_00.exe
2009-12-02 21:27 . 2009-12-02 21:24 37634288 ----a-w- c:\programdata\Creative\Software Update\cache\Creative MediaSource 5 Player_Organizer 5.26.02__\CMS5_PCAPP_LB_5_26_02.exe
2009-12-02 20:42 . 2009-10-14 13:23 -------- d-----w- c:\programdata\Yahoo! Companion
2009-12-02 19:29 . 2009-10-06 08:09 -------- d---a-w- c:\programdata\Norton
2009-12-02 19:19 . 2009-10-13 07:17 -------- d-----w- c:\users\Steve\AppData\Roaming\REAPER
2009-12-02 19:19 . 2009-10-12 22:58 -------- d-----w- c:\users\Steve\AppData\Roaming\Steinberg
2009-12-02 19:19 . 2009-09-27 23:20 -------- d-----w- c:\users\Steve\AppData\Roaming\Plazmic
2009-12-02 19:19 . 2009-04-30 17:28 -------- d-----w- c:\users\Steve\AppData\Roaming\Winamp
2009-12-02 19:19 . 2009-01-25 00:20 -------- d-----w- c:\users\Steve\AppData\Roaming\mIRC
2009-12-02 19:19 . 2008-11-02 07:40 -------- d-----w- c:\users\Steve\AppData\Roaming\teamspeak2
2009-12-02 19:19 . 2008-07-09 19:32 -------- d-----w- c:\users\Steve\AppData\Roaming\Thunderbird
2009-12-02 19:19 . 2008-06-04 20:05 -------- d-----w- c:\users\Steve\AppData\Roaming\U3
2009-12-02 19:19 . 2008-05-04 03:37 -------- d-----w- c:\users\Steve\AppData\Roaming\Talkback
2009-12-02 19:19 . 2009-05-19 20:02 -------- d-----w- c:\users\Steve\AppData\Roaming\Folding@home-x86
2009-12-02 19:19 . 2009-04-21 17:41 -------- d-----w- c:\users\Steve\AppData\Roaming\Ace
2009-12-02 19:19 . 2008-03-09 20:39 -------- d-----w- c:\programdata\FLEXnet
2009-12-02 19:18 . 2009-08-15 16:10 -------- d-----w- c:\program files\NOS
2009-12-02 19:18 . 2008-11-14 13:22 -------- d-----w- c:\program files\DivX
2009-12-02 19:18 . 2009-09-19 07:45 -------- d-----w- c:\program files\CA Yahoo! Anti-Spy
2009-12-02 19:18 . 2009-04-16 12:47 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-12-02 19:10 . 2008-12-03 03:18 680 ----a-w- c:\users\Administrator\AppData\Local\d3d9caps.dat
2009-12-02 19:07 . 2008-06-04 20:45 302312 ----a-w- c:\users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
2009-11-27 14:22 . 2008-03-27 19:34 680 ----a-w- c:\users\Steve\AppData\Local\d3d9caps.dat
2009-11-21 06:40 . 2009-12-10 16:12 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 06:34 . 2009-12-10 16:12 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-11-21 06:34 . 2009-12-10 16:12 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-11-21 04:59 . 2009-12-10 16:12 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-20 04:39 . 2008-03-20 00:41 -------- d-----w- c:\program files\Winamp
2009-11-14 19:47 . 2009-11-14 19:47 -------- d-----w- c:\users\Steve\AppData\Roaming\WinCare2009
2009-11-13 05:45 . 2008-05-03 23:16 -------- d-----w- c:\users\Steve\AppData\Roaming\Yahoo!
2009-11-13 03:31 . 2009-10-22 01:38 -------- d-----w- c:\programdata\Remote Control PC
2009-11-08 09:12 . 2009-11-08 09:12 -------- d-----w- c:\program files\AviSynth 2.5
2009-11-04 10:31 . 2009-11-04 10:31 535 ----a-w- c:\windows\eReg.dat
2009-11-04 10:30 . 2009-11-04 10:29 737280 ----a-w- c:\windows\iun6002.exe
2009-11-03 01:42 . 2009-10-02 22:12 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-11-01 17:34 . 2008-03-09 23:39 302312 ----a-w- c:\users\Steve\AppData\Local\GDIPFONTCACHEV1.DAT
2009-10-28 03:44 . 2009-10-28 03:44 -------- d-----w- c:\program files\Windows Portable Devices
2009-10-28 03:43 . 2009-10-28 03:43 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2009-10-28 03:41 . 2009-10-28 03:41 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-10-25 16:30 . 2009-10-25 16:30 0 ---ha-w- c:\windows\system32\drivers\Msft_User_ZuneDriver_01_09_00.Wdf
2009-10-25 16:18 . 2009-10-25 16:18 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_WinUSB_01009.Wdf
2009-10-25 16:18 . 2009-10-25 16:18 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
2009-10-22 19:36 . 2007-08-28 07:23 -------- d-----w- c:\program files\Intel
2009-10-22 17:20 . 2009-10-22 17:20 -------- d-----w- c:\program files\AGEIA Technologies
2009-10-21 17:05 . 2009-10-21 17:05 -------- d-----w- c:\programdata\AIM
2009-10-21 17:05 . 2009-10-21 17:05 -------- d-----w- c:\program files\AIM
2009-10-21 17:05 . 2008-05-25 19:39 -------- d-----w- c:\program files\Common Files\AOL
2009-10-20 17:33 . 2009-10-22 20:02 545280 ----a-w- c:\users\Steve\AppData\Roaming\Mozilla\Firefox\Profiles\z9e8vz5a.default\extensions\piclens@cooliris.com\libs\PicLensHelper.exe
2009-10-20 17:33 . 2009-10-22 20:02 4716544 ----a-w- c:\users\Steve\AppData\Roaming\Mozilla\Firefox\Profiles\z9e8vz5a.default\extensions\piclens@cooliris.com\components\cooliris.dll
2009-10-20 17:33 . 2009-10-22 20:02 344064 ----a-w- c:\users\Steve\AppData\Roaming\Mozilla\Firefox\Profiles\z9e8vz5a.default\extensions\piclens@cooliris.com\libs\LaunchCooliris.exe
2009-10-20 17:33 . 2009-10-22 20:02 153600 ----a-w- c:\users\Steve\AppData\Roaming\Mozilla\Firefox\Profiles\z9e8vz5a.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
2009-10-20 17:33 . 2009-10-22 20:02 103424 ----a-w- c:\users\Steve\AppData\Roaming\Mozilla\Firefox\Profiles\z9e8vz5a.default\extensions\piclens@cooliris.com\libs\pixomatic.dll
2009-10-20 15:57 . 2009-10-20 15:57 139152 ----a-w- c:\users\Steve\AppData\Roaming\PnkBstrK.sys
2009-10-20 15:57 . 2009-10-20 15:57 139152 ----a-w- c:\users\Steve\AppData\Roaming\PnkBstrK.sys
2009-10-15 04:03 . 2009-10-15 04:03 2272 ----a-w- c:\windows\system32\w95inf16.dll
2009-10-15 04:03 . 2009-10-15 04:03 4608 ----a-w- c:\windows\system32\w95inf32.dll
2009-10-14 16:26 . 2009-10-14 16:26 344386 ----a-w- c:\windows\system32\ProSetPackage.exe
2009-10-14 13:24 . 2009-10-14 13:24 262144 ----a-w- C:\ntuser.dat
2009-10-13 07:28 . 2009-10-13 07:28 118784 ----a-w- c:\windows\dsdxirmv.exe
2009-10-13 05:05 . 2009-10-13 05:04 7811800 ----a-w- c:\programdata\Creative\Software Update\cache\Creative System Information for Sound Blaster X-Fi Go!1.10.13__\SBXG_CSI_PCApp_LB_1_10_13.exe
2009-10-13 05:04 . 2009-10-13 05:04 8512328 ----a-w- c:\programdata\Creative\Software Update\cache\Creative ALchemy 1.25.10__\ALMY_PCVTAPP_LB_1_25_10.exe
2009-10-13 04:32 . 2009-10-13 04:32 413696 ----a-w- c:\windows\system32\wrap_oal.dll
2009-10-13 04:32 . 2009-10-13 04:32 110592 ----a-w- c:\windows\system32\OpenAL32.dll
2009-10-08 21:08 . 2009-10-28 03:37 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2009-10-08 21:08 . 2009-10-28 03:37 234496 ----a-w- c:\windows\system32\oleacc.dll
2009-10-08 21:07 . 2009-10-28 03:37 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2009-10-07 19:47 . 2009-10-22 01:40 1825280 ----a-w- c:\windows\NetworkCfg.exe
2009-10-06 06:37 . 2009-10-06 06:37 9158 ----a-r- c:\users\Steve\AppData\Roaming\Microsoft\Installer\{89DE67AD-08B8-4699-A55D-CA5C0AF82BF3}\ARPPRODUCTICON.exe
2009-10-01 01:02 . 2009-10-28 03:38 2537472 ----a-w- c:\windows\system32\wpdshext.dll
2009-10-01 01:02 . 2009-10-28 03:38 30208 ----a-w- c:\windows\system32\WPDShextAutoplay.exe
2009-10-01 01:02 . 2009-10-28 03:38 334848 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2009-10-01 01:02 . 2009-10-28 03:38 87552 ----a-w- c:\windows\system32\WPDShServiceObj.dll
2009-10-01 01:02 . 2009-10-28 03:38 31232 ----a-w- c:\windows\system32\BthMtpContextHandler.dll
2009-10-01 01:01 . 2009-10-28 03:38 546816 ----a-w- c:\windows\system32\wpd_ci.dll
2009-10-01 01:01 . 2009-10-28 03:38 160256 ----a-w- c:\windows\system32\PortableDeviceTypes.dll
2009-10-01 01:01 . 2009-10-28 03:38 60928 ----a-w- c:\windows\system32\PortableDeviceConnectApi.dll
2009-10-01 01:01 . 2009-10-28 03:38 350208 ----a-w- c:\windows\system32\WPDSp.dll
2009-10-01 01:01 . 2009-10-28 03:38 196608 ----a-w- c:\windows\system32\PortableDeviceWMDRM.dll
2009-10-01 01:01 . 2009-10-28 03:38 100864 ----a-w- c:\windows\system32\PortableDeviceClassExtension.dll
2009-10-01 01:01 . 2009-10-28 03:38 81920 ----a-w- c:\windows\system32\wpdbusenum.dll
2009-10-01 01:01 . 2009-10-28 03:38 40448 ----a-w- c:\windows\system32\drivers\WpdUsb.sys
2009-10-01 01:01 . 2009-10-28 03:38 226816 ----a-w- c:\windows\system32\WpdMtp.dll
2009-10-01 01:01 . 2009-10-28 03:38 61952 ----a-w- c:\windows\system32\WpdMtpUS.dll
2009-10-01 01:01 . 2009-10-28 03:38 33280 ----a-w- c:\windows\system32\WpdConns.dll
2009-09-26 15:22 . 2006-11-09 21:07 12 ----a-w- c:\windows\bthservsdp.dat
2009-09-25 02:10 . 2009-10-28 03:39 974848 ----a-w- c:\windows\system32\WindowsCodecs.dll
2009-09-25 02:07 . 2009-10-28 03:39 189440 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2009-09-25 02:04 . 2009-10-28 03:39 321024 ----a-w- c:\windows\system32\PhotoMetadataHandler.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-05-11 472632]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-10 317128]
"PTHOSTTR"="c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2007-01-09 145184]
"MsmqIntCert"="mqrt.dll" [2009-04-11 150528]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"Creative SB Monitoring Utility"="sbavmon.dll" [2009-05-25 98816]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"DisableCAD"= 1 (0x1)
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DeviceNP]
2007-06-08 16:04 49152 ----a-r- c:\windows\System32\DeviceNP.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk]
backup=c:\windows\pss\Bluetooth.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^DVD Check.lnk]
backup=c:\windows\pss\DVD Check.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Steve^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^SDK Tray Menu.lnk]
backup=c:\windows\pss\SDK Tray Menu.lnk.Startup
backupExtension=.Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPStart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2007-03-30 03:14 624248 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-10-03 08:08 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0EYTHM]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 15:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-02-17 03:11 49152 ----a-w- c:\program files\Hp\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2006-09-11 11:40 218032 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2009-07-27 02:37 180224 ----a-w- c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]
2007-06-11 15:55 163840 ----a-w- c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 05:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2006-11-10 19:35 90112 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-02-22 09:25 144784 ----a-w- c:\program files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2008-03-28 07:05 1045800 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2009-07-01 16:37 37888 ----a-w- c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(:(:40,a1,2d,9e,e2,e0,c9,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3910216494-3710295605-2001009560-1006]
"EnableNotificationsRef"=dword:00000002

R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [9/25/2009 23:32 Ant 189736]
R2 LxrSII1d;Secure II Driver;c:\windows\System32\drivers\LxrSII1d.sys [6/4/2008 15:48 Ant 72672]
R2 supersafer;supersafer;c:\windows\System32\drivers\supersafer.sys [10/21/2009 21:43 Ant 354176]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\System32\drivers\NETw5v32.sys [12/9/2008 23:47 Ant 3666432]
S2 .1205111534;1205111534;c:\program files\1205111534\Steve1205111534L.exe [9/9/2009 23:44 Ant 436104]
S3 A5AGU;D-Link Wireless LAN 802.11 USB device driver;c:\windows\System32\drivers\AGUx86.sys [2/3/2009 10:32 Ant 892416]
S3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [10/13/2009 00:06 Ant 79360]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [6/2/2009 19:45 Ant 79360]
S3 DAMDrv;DAMDrv;c:\windows\System32\drivers\DAMDrv.sys [8/28/2007 03:00 Ant 30008]
S3 FLCDLOCK;HP ProtectTools Device Locking / Auditing;c:\windows\System32\flcdlock.exe [6/8/2007 11:06 Ant 172131]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [4/7/2008 17:38 Ant 21504]
S3 ksaud;Creative USB Audio Driver;c:\windows\System32\drivers\ksaud.sys [6/4/2009 08:49 Ant 806272]
S3 mi-raysat_3dsmax2010_32;mental ray 3.7 Satellite for Autodesk 3ds Max 2010 32-bit 32-bit;i:\autodesk\3ds Max 2010\mentalray\satellite\raysat_3dsmax2010_32server.exe [3/12/2009 16:36 Ant 86016]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\System32\drivers\motccgp.sys [11/2/2007 14:36 Ant 18176]
S3 motccgpfl;MotCcgpFlService;c:\windows\System32\drivers\motccgpfl.sys [1/22/2007 18:33 Ant 7680]
S3 serusb;Motorola USB Comm Port;c:\windows\System32\drivers\usbser.sys [5/29/2009 19:57 Ant 27648]
S3 WMSvc;Web Management Service;c:\windows\System32\inetsrv\WMSvc.exe [4/7/2008 17:37 Ant 11264]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\System32\drivers\WSDPrint.sys [4/7/2008 17:39 Ant 16896]
S4 EraserSvc10922;Symantec Eraser Service; [x]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
HPService REG_MULTI_SZ HPSLPSVC
LPDService REG_MULTI_SZ LPDSVC
ipripsvc REG_MULTI_SZ iprip
getPlusHelper REG_MULTI_SZ getPlusHelper
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-04-19 20:23 452136 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
uSearchMigratedDefaultURL =
uDefault_Search_URL =
mSearch Bar = hxxp://www.starbarsearch.com/?useie5=1&q=
mStart Page = hxxp://www.yahoo.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr10/*http://www.yahoo.com
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
FF - ProfilePath - c:\users\Steve\AppData\Roaming\Mozilla\Firefox\Profiles\z9e8vz5a.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - prefs.js: network.proxy.type - 4
FF - component: c:\users\Steve\AppData\Roaming\Mozilla\Firefox\Profiles\z9e8vz5a.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - component: c:\users\Steve\AppData\Roaming\Mozilla\Firefox\Profiles\z9e8vz5a.default\extensions\{eebc5c3f-ec4b-4ad4-b5d1-fa51b3c42c57}\components\sehLibGlue_stub.dll
FF - component: c:\users\Steve\AppData\Roaming\Mozilla\Firefox\Profiles\z9e8vz5a.default\extensions\piclens@cooliris.com\components\cooliris.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\users\Steve\AppData\Roaming\Mozilla\Firefox\Profiles\z9e8vz5a.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\users\Steve\AppData\Roaming\Mozilla\plugins\npcoolirisplugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(yahoo.ytff.general.dontshowhpoffer, true.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-HP Health Check Scheduler - [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
SafeBoot-WudfPf
SafeBoot-WudfRd



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3910216494-3710295605-2001009560-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{FC059E76-5A55-A0EC-AD52-8AE2CD7BD7D7}*]
"iaeahpfhikieifafcf"=hex:6b,61,69,6a,61,6d,70,6f,66,6e,6c,68,68,63,6c,6a,61,63,
61,65,70,6a,00,7f
"hakpbnmckpiiibgc"=hex:6b,61,68,6a,66,6d,69,68,61,6b,63,61,6d,65,64,62,6a,6f,
70,65,6a,66,00,00
"hadnlgnifljjemap"=hex:66,61,63,6a,6a,6d,6f,64,6a,64,68,62,00,bc

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:3d,ad,fa,fd,dc,35,74,40,0a,bc,6b,8b,9e,ba,ef,c2,64,86,07,1b,a6,
a5,b2,71,1f,32,a3,a1,88,b8,f9,50,93,1a,bd,80,13,90,6d,ea,98,4f,6f,e2,cf,ce,\

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Creative\Shared Files\CTAudSvc.exe
c:\windows\system32\WLANExt.exe
c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\windows\system32\mqsvc.exe
c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\System32\tcpsvcs.exe
c:\windows\System32\snmp.exe
c:\windows\system32\mqtgsvc.exe
c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
c:\windows\System32\rundll32.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Hewlett-Packard\Shared\hpqWmiEx.exe
c:\program files\Hewlett-Packard\Shared\HpqToaster.exe
.
**************************************************************************
.
Completion time: 2009-12-19 23:57:02 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-20 04:56

Pre-Run: 37,401,468,928 bytes free
Post-Run: 39,107,866,624 bytes free

- - End Of File - - 4AE6BACFF09D6E9AA3A8CA1FA03584A4

#10 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:54 PM

Posted 20 December 2009 - 11:47 AM

Hello.

Download and Run FlashDisinfector
  • Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden file named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.

Run ComboFix with CFScript

We will run ComboFix again. This time, the instructions are slightly different.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:
    DirLook::
    c:\program files\1205111534
    RegLock::
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    RegNull::
    [HKEY_USERS\S-1-5-21-3910216494-3710295605-2001009560-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{FC059E76-5A55-A0EC-AD52-8AE2CD7BD7D7}*]
    Driver::
    EraserSvc10922
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=-
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    Posted Image
    Refering to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouseclick ComboFix's window while it's running. That may cause it to stall

Download and run MalwareBytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#11 SomeGuyNamedAnt

SomeGuyNamedAnt
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:01:54 PM

Posted 20 December 2009 - 01:50 PM

Okay... Ran CFix w/ the script, but When I ran FlashDisinfector, nothing happened. Literally NOTHING. In fact, task manager only briefly showed that it ran. Execute, 2sec delay, termination.

Hm.

Anyway, Here's the CFix log:

ComboFix 09-12-18.07 - Steve 12/20/2009 12:44:48.2.2 - x86
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.1.1033.18.3070.2023 [GMT -5:00]
Running from: c:\users\Steve\Desktop\ComboFix.exe
Command switches used :: c:\users\Steve\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

I:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ERASERSVC10922
-------\Service_BHDrvx86
-------\Service_EraserSvc10922


((((((((((((((((((((((((( Files Created from 2009-11-20 to 2009-12-20 )))))))))))))))))))))))))))))))
.

2009-12-20 17:52 . 2009-12-20 18:13 -------- d-----w- c:\users\Steve\AppData\Local\temp
2009-12-20 17:52 . 2009-12-20 17:52 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-12-20 17:52 . 2009-12-20 17:52 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-12-20 17:52 . 2009-12-20 17:52 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2009-12-18 04:56 . 2009-12-18 04:56 -------- d-----w- c:\program files\EA Games
2009-12-16 23:20 . 2009-12-20 01:24 138384 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-12-16 23:20 . 2009-12-20 01:56 215128 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-12-16 23:19 . 2009-12-16 23:19 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-12-16 23:19 . 2009-12-16 23:19 -------- d-----w- c:\users\Steve\AppData\Local\PunkBuster
2009-12-16 18:51 . 2009-12-16 18:51 -------- d-----w- C:\UISpy Settings
2009-12-10 16:32 . 2009-11-09 12:31 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-12-10 16:32 . 2009-11-09 12:30 8192 ----a-w- c:\windows\system32\iisrstap.dll
2009-12-10 16:32 . 2009-11-09 12:30 153600 ----a-w- c:\windows\system32\iisRtl.dll
2009-12-10 16:32 . 2009-11-09 10:48 14848 ----a-w- c:\windows\system32\iisreset.exe
2009-12-10 16:32 . 2009-11-09 12:30 30720 ----a-w- c:\windows\system32\httpapi.dll
2009-12-10 16:32 . 2009-11-09 12:28 27136 ----a-w- c:\windows\system32\ahadmin.dll
2009-12-10 16:32 . 2009-11-09 12:28 51712 ----a-w- c:\windows\system32\admwprox.dll
2009-12-10 16:32 . 2009-11-09 10:36 411648 ----a-w- c:\windows\system32\drivers\http.sys
2009-12-10 16:32 . 2009-11-09 12:32 10752 ----a-w- c:\windows\system32\wamregps.dll
2009-12-10 16:11 . 2009-10-07 11:36 243712 ----a-w- c:\windows\system32\rastls.dll
2009-12-03 19:15 . 2009-12-03 19:15 -------- d-----w- c:\users\Administrator\AppData\Roaming\DivX
2009-12-03 17:39 . 2009-12-03 17:39 -------- d--h--w- c:\windows\AxInstSV
2009-12-03 04:03 . 2009-12-11 23:16 -------- d-----w- c:\programdata\NortonInstaller
2009-12-02 21:39 . 2009-12-02 21:39 -------- d-----w- c:\users\Administrator\AppData\Roaming\Malwarebytes
2009-12-02 21:32 . 2009-12-02 21:32 -------- d-----w- c:\program files\Common Files\Creative
2009-12-02 21:32 . 2009-12-02 21:34 -------- d--h--w- c:\program files\Creative Installation Information
2009-12-02 21:28 . 2009-12-02 21:28 -------- d-----w- C:\Temp
2009-12-02 21:28 . 2009-12-02 21:28 -------- d-----w- c:\users\Administrator\AppData\Roaming\WinCare2009
2009-12-02 21:23 . 2009-12-03 19:20 -------- d-----w- c:\users\Administrator\AppData\Local\CrashDumps
2009-12-02 20:58 . 2009-10-29 09:17 2048 ----a-w- c:\windows\system32\tzres.dll
2009-12-02 20:56 . 2009-08-11 16:44 1401856 ----a-w- c:\windows\system32\msxml6.dll
2009-12-02 20:56 . 2009-08-11 16:44 1248768 ----a-w- c:\windows\system32\msxml3.dll
2009-12-02 19:59 . 2009-12-02 19:59 -------- d-----w- c:\program files\TEMP
2009-12-02 19:29 . 2009-12-13 01:26 -------- d-----w- c:\program files\1205111534
2009-12-02 18:58 . 2009-12-02 18:59 -------- d-----w- c:\program files\NortonInstaller(16)
2009-12-02 17:26 . 2009-12-02 17:26 -------- d-----w- c:\users\Steve\temp
2009-12-02 17:20 . 2009-12-02 17:20 -------- d-----w- c:\program files\Tmp
2009-11-27 02:03 . 2009-11-27 02:03 -------- d-----w- c:\users\Steve\AppData\Roaming\Malwarebytes
2009-11-27 02:03 . 2009-11-27 02:03 -------- d-----w- c:\programdata\Malwarebytes
2009-11-24 14:30 . 2009-11-24 14:33 -------- d-----w- c:\users\Steve\AppData\Roaming\FreeFLVConverter
2009-11-22 06:48 . 2009-11-22 06:48 -------- d-----w- c:\users\Steve\AppData\Roaming\Leadertech

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2055-09-19 06:29 . 2009-09-19 06:00 2012 ----a-w- c:\windows\system32\NAV_75_cltDynam.dat
2009-12-19 02:55 . 2008-06-13 01:24 -------- d-----w- c:\program files\Steam
2009-12-18 04:56 . 2007-08-28 07:32 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-15 13:58 . 2008-04-12 18:01 -------- d-----w- c:\program files\Common Files\Steam
2009-12-13 21:23 . 2009-06-03 02:50 -------- d-----w- c:\programdata\Creative
2009-12-10 22:03 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-12-10 16:34 . 2007-08-28 07:43 -------- d-----w- c:\programdata\Microsoft Help
2009-12-03 15:03 . 2008-03-21 02:35 -------- d-----w- c:\program files\MSECache
2009-12-03 03:43 . 2007-08-28 08:06 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-12-03 02:44 . 2008-09-14 15:01 -------- d-----w- c:\program files\Applications
2009-12-02 21:35 . 2009-05-29 01:42 -------- d-----w- c:\program files\Creative
2009-12-02 21:29 . 2009-12-02 21:28 12846328 ----a-w- c:\programdata\Creative\Software Update\cache\Creative WaveStudio 7.11.00__\WAVESTD_PCAPP_LB_7_11_00.exe
2009-12-02 21:28 . 2009-12-02 21:27 12907880 ----a-w- c:\programdata\Creative\Software Update\cache\Creative WaveStudio 7.12.00__\WAVESTD_PCAPP_LB_7_12_00.exe
2009-12-02 21:27 . 2009-12-02 21:24 37634288 ----a-w- c:\programdata\Creative\Software Update\cache\Creative MediaSource 5 Player_Organizer 5.26.02__\CMS5_PCAPP_LB_5_26_02.exe
2009-12-02 20:42 . 2009-10-14 13:23 -------- d-----w- c:\programdata\Yahoo! Companion
2009-12-02 19:29 . 2009-10-06 08:09 -------- d---a-w- c:\programdata\Norton
2009-12-02 19:19 . 2009-10-13 07:17 -------- d-----w- c:\users\Steve\AppData\Roaming\REAPER
2009-12-02 19:19 . 2009-10-12 22:58 -------- d-----w- c:\users\Steve\AppData\Roaming\Steinberg
2009-12-02 19:19 . 2009-09-27 23:20 -------- d-----w- c:\users\Steve\AppData\Roaming\Plazmic
2009-12-02 19:19 . 2009-04-30 17:28 -------- d-----w- c:\users\Steve\AppData\Roaming\Winamp
2009-12-02 19:19 . 2009-01-25 00:20 -------- d-----w- c:\users\Steve\AppData\Roaming\mIRC
2009-12-02 19:19 . 2008-11-02 07:40 -------- d-----w- c:\users\Steve\AppData\Roaming\teamspeak2
2009-12-02 19:19 . 2008-07-09 19:32 -------- d-----w- c:\users\Steve\AppData\Roaming\Thunderbird
2009-12-02 19:19 . 2008-06-04 20:05 -------- d-----w- c:\users\Steve\AppData\Roaming\U3
2009-12-02 19:19 . 2008-05-04 03:37 -------- d-----w- c:\users\Steve\AppData\Roaming\Talkback
2009-12-02 19:19 . 2009-05-19 20:02 -------- d-----w- c:\users\Steve\AppData\Roaming\Folding@home-x86
2009-12-02 19:19 . 2009-04-21 17:41 -------- d-----w- c:\users\Steve\AppData\Roaming\Ace
2009-12-02 19:19 . 2008-03-09 20:39 -------- d-----w- c:\programdata\FLEXnet
2009-12-02 19:18 . 2009-08-15 16:10 -------- d-----w- c:\program files\NOS
2009-12-02 19:18 . 2008-11-14 13:22 -------- d-----w- c:\program files\DivX
2009-12-02 19:18 . 2009-09-19 07:45 -------- d-----w- c:\program files\CA Yahoo! Anti-Spy
2009-12-02 19:18 . 2009-04-16 12:47 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-12-02 19:10 . 2008-12-03 03:18 680 ----a-w- c:\users\Administrator\AppData\Local\d3d9caps.dat
2009-12-02 19:07 . 2008-06-04 20:45 302312 ----a-w- c:\users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
2009-11-27 14:22 . 2008-03-27 19:34 680 ----a-w- c:\users\Steve\AppData\Local\d3d9caps.dat
2009-11-21 06:40 . 2009-12-10 16:12 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 06:34 . 2009-12-10 16:12 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-11-21 06:34 . 2009-12-10 16:12 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-11-21 04:59 . 2009-12-10 16:12 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-20 07:12 . 2009-11-20 04:52 -------- d-----w- c:\program files\SHOUTcast
2009-11-20 04:39 . 2008-03-20 00:41 -------- d-----w- c:\program files\Winamp
2009-11-14 19:47 . 2009-11-14 19:47 -------- d-----w- c:\users\Steve\AppData\Roaming\WinCare2009
2009-11-13 05:45 . 2008-05-03 23:16 -------- d-----w- c:\users\Steve\AppData\Roaming\Yahoo!
2009-11-13 03:31 . 2009-10-22 01:38 -------- d-----w- c:\programdata\Remote Control PC
2009-11-08 09:12 . 2009-11-08 09:12 -------- d-----w- c:\program files\AviSynth 2.5
2009-11-04 10:31 . 2009-11-04 10:31 535 ----a-w- c:\windows\eReg.dat
2009-11-04 10:30 . 2009-11-04 10:29 737280 ----a-w- c:\windows\iun6002.exe
2009-11-03 01:42 . 2009-10-02 22:12 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-11-01 17:34 . 2008-03-09 23:39 302312 ----a-w- c:\users\Steve\AppData\Local\GDIPFONTCACHEV1.DAT
2009-10-28 03:44 . 2009-10-28 03:44 -------- d-----w- c:\program files\Windows Portable Devices
2009-10-28 03:43 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-10-28 03:43 . 2009-10-28 03:43 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2009-10-28 03:41 . 2009-10-28 03:41 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-10-25 16:30 . 2009-10-25 16:30 0 ---ha-w- c:\windows\system32\drivers\Msft_User_ZuneDriver_01_09_00.Wdf
2009-10-25 16:18 . 2009-10-25 16:18 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_WinUSB_01009.Wdf
2009-10-25 16:18 . 2009-10-25 16:18 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
2009-10-22 19:36 . 2007-08-28 07:23 -------- d-----w- c:\program files\Intel
2009-10-22 17:20 . 2009-10-22 17:20 -------- d-----w- c:\program files\AGEIA Technologies
2009-10-20 17:33 . 2009-10-22 20:02 545280 ----a-w- c:\users\Steve\AppData\Roaming\Mozilla\Firefox\Profiles\z9e8vz5a.default\extensions\piclens@cooliris.com\libs\PicLensHelper.exe
2009-10-20 17:33 . 2009-10-22 20:02 4716544 ----a-w- c:\users\Steve\AppData\Roaming\Mozilla\Firefox\Profiles\z9e8vz5a.default\extensions\piclens@cooliris.com\components\cooliris.dll
2009-10-20 17:33 . 2009-10-22 20:02 344064 ----a-w- c:\users\Steve\AppData\Roaming\Mozilla\Firefox\Profiles\z9e8vz5a.default\extensions\piclens@cooliris.com\libs\LaunchCooliris.exe
2009-10-20 17:33 . 2009-10-22 20:02 153600 ----a-w- c:\users\Steve\AppData\Roaming\Mozilla\Firefox\Profiles\z9e8vz5a.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
2009-10-20 17:33 . 2009-10-22 20:02 103424 ----a-w- c:\users\Steve\AppData\Roaming\Mozilla\Firefox\Profiles\z9e8vz5a.default\extensions\piclens@cooliris.com\libs\pixomatic.dll
2009-10-20 15:57 . 2009-10-20 15:57 139152 ----a-w- c:\users\Steve\AppData\Roaming\PnkBstrK.sys
2009-10-20 15:57 . 2009-10-20 15:57 139152 ----a-w- c:\users\Steve\AppData\Roaming\PnkBstrK.sys
2009-10-15 04:03 . 2009-10-15 04:03 2272 ----a-w- c:\windows\system32\w95inf16.dll
2009-10-15 04:03 . 2009-10-15 04:03 4608 ----a-w- c:\windows\system32\w95inf32.dll
2009-10-14 16:26 . 2009-10-14 16:26 344386 ----a-w- c:\windows\system32\ProSetPackage.exe
2009-10-14 13:24 . 2009-10-14 13:24 262144 ----a-w- C:\ntuser.dat
2009-10-13 07:28 . 2009-10-13 07:28 118784 ----a-w- c:\windows\dsdxirmv.exe
2009-10-13 05:05 . 2009-10-13 05:04 7811800 ----a-w- c:\programdata\Creative\Software Update\cache\Creative System Information for Sound Blaster X-Fi Go!1.10.13__\SBXG_CSI_PCApp_LB_1_10_13.exe
2009-10-13 05:04 . 2009-10-13 05:04 8512328 ----a-w- c:\programdata\Creative\Software Update\cache\Creative ALchemy 1.25.10__\ALMY_PCVTAPP_LB_1_25_10.exe
2009-10-13 04:32 . 2009-10-13 04:32 413696 ----a-w- c:\windows\system32\wrap_oal.dll
2009-10-13 04:32 . 2009-10-13 04:32 110592 ----a-w- c:\windows\system32\OpenAL32.dll
2009-10-08 21:08 . 2009-10-28 03:37 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2009-10-08 21:08 . 2009-10-28 03:37 234496 ----a-w- c:\windows\system32\oleacc.dll
2009-10-08 21:07 . 2009-10-28 03:37 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2009-10-07 19:47 . 2009-10-22 01:40 1825280 ----a-w- c:\windows\NetworkCfg.exe
2009-10-06 06:37 . 2009-10-06 06:37 9158 ----a-r- c:\users\Steve\AppData\Roaming\Microsoft\Installer\{89DE67AD-08B8-4699-A55D-CA5C0AF82BF3}\ARPPRODUCTICON.exe
2009-10-01 01:02 . 2009-10-28 03:38 2537472 ----a-w- c:\windows\system32\wpdshext.dll
2009-10-01 01:02 . 2009-10-28 03:38 30208 ----a-w- c:\windows\system32\WPDShextAutoplay.exe
2009-10-01 01:02 . 2009-10-28 03:38 334848 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2009-10-01 01:02 . 2009-10-28 03:38 87552 ----a-w- c:\windows\system32\WPDShServiceObj.dll
2009-10-01 01:02 . 2009-10-28 03:38 31232 ----a-w- c:\windows\system32\BthMtpContextHandler.dll
2009-10-01 01:01 . 2009-10-28 03:38 546816 ----a-w- c:\windows\system32\wpd_ci.dll
2009-10-01 01:01 . 2009-10-28 03:38 160256 ----a-w- c:\windows\system32\PortableDeviceTypes.dll
2009-10-01 01:01 . 2009-10-28 03:38 60928 ----a-w- c:\windows\system32\PortableDeviceConnectApi.dll
2009-10-01 01:01 . 2009-10-28 03:38 350208 ----a-w- c:\windows\system32\WPDSp.dll
2009-10-01 01:01 . 2009-10-28 03:38 196608 ----a-w- c:\windows\system32\PortableDeviceWMDRM.dll
2009-10-01 01:01 . 2009-10-28 03:38 100864 ----a-w- c:\windows\system32\PortableDeviceClassExtension.dll
2009-10-01 01:01 . 2009-10-28 03:38 81920 ----a-w- c:\windows\system32\wpdbusenum.dll
2009-10-01 01:01 . 2009-10-28 03:38 40448 ----a-w- c:\windows\system32\drivers\WpdUsb.sys
2009-10-01 01:01 . 2009-10-28 03:38 226816 ----a-w- c:\windows\system32\WpdMtp.dll
2009-10-01 01:01 . 2009-10-28 03:38 61952 ----a-w- c:\windows\system32\WpdMtpUS.dll
2009-10-01 01:01 . 2009-10-28 03:38 33280 ----a-w- c:\windows\system32\WpdConns.dll
2009-09-26 15:22 . 2006-11-09 21:07 12 ----a-w- c:\windows\bthservsdp.dat
2009-09-25 02:10 . 2009-10-28 03:39 974848 ----a-w- c:\windows\system32\WindowsCodecs.dll
2009-09-25 02:07 . 2009-10-28 03:39 189440 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2009-09-25 02:04 . 2009-10-28 03:39 321024 ----a-w- c:\windows\system32\PhotoMetadataHandler.dll
2009-09-25 01:49 . 2009-10-28 03:39 1554432 ----a-w- c:\windows\system32\xpsservices.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\program files\1205111534 ----

2009-09-19 06:00 . 2055-09-19 06:29 2012 ----a-w- c:\program files\1205111534\NAV_75_cltDynam.dat
2009-09-10 04:44 . 2009-09-19 09:42 436104 ----a-w- c:\program files\1205111534\Steve1205111534L.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-05-11 472632]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-10 317128]
"PTHOSTTR"="c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2007-01-09 145184]
"MsmqIntCert"="mqrt.dll" [2009-04-11 150528]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"Creative SB Monitoring Utility"="sbavmon.dll" [2009-05-25 98816]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"DisableCAD"= 1 (0x1)
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DeviceNP]
2007-06-08 16:04 49152 ----a-r- c:\windows\System32\DeviceNP.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk]
backup=c:\windows\pss\Bluetooth.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^DVD Check.lnk]
backup=c:\windows\pss\DVD Check.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Steve^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^SDK Tray Menu.lnk]
backup=c:\windows\pss\SDK Tray Menu.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2007-03-30 03:14 624248 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-10-03 08:08 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0EYTHM]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 15:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-02-17 03:11 49152 ----a-w- c:\program files\Hp\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2006-09-11 11:40 218032 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2009-07-27 02:37 180224 ----a-w- c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]
2007-06-11 15:55 163840 ----a-w- c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 05:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2006-11-10 19:35 90112 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-02-22 09:25 144784 ----a-w- c:\program files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2008-03-28 07:05 1045800 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2009-07-01 16:37 37888 ----a-w- c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(:(:40,a1,2d,9e,e2,e0,c9,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3910216494-3710295605-2001009560-1006]
"EnableNotificationsRef"=dword:00000002

R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [9/25/2009 23:32 Ant 189736]
R2 LxrSII1d;Secure II Driver;c:\windows\System32\drivers\LxrSII1d.sys [6/4/2008 15:48 Ant 72672]
R2 supersafer;supersafer;c:\windows\System32\drivers\supersafer.sys [10/21/2009 21:43 Ant 354176]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\System32\drivers\NETw5v32.sys [12/9/2008 23:47 Ant 3666432]
S2 .1205111534;1205111534;c:\program files\1205111534\Steve1205111534L.exe [9/9/2009 23:44 Ant 436104]
S3 A5AGU;D-Link Wireless LAN 802.11 USB device driver;c:\windows\System32\drivers\AGUx86.sys [2/3/2009 10:32 Ant 892416]
S3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [10/13/2009 00:06 Ant 79360]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [6/2/2009 19:45 Ant 79360]
S3 DAMDrv;DAMDrv;c:\windows\System32\drivers\DAMDrv.sys [8/28/2007 03:00 Ant 30008]
S3 FLCDLOCK;HP ProtectTools Device Locking / Auditing;c:\windows\System32\flcdlock.exe [6/8/2007 11:06 Ant 172131]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [4/7/2008 17:38 Ant 21504]
S3 ksaud;Creative USB Audio Driver;c:\windows\System32\drivers\ksaud.sys [6/4/2009 08:49 Ant 806272]
S3 mi-raysat_3dsmax2010_32;mental ray 3.7 Satellite for Autodesk 3ds Max 2010 32-bit 32-bit;i:\autodesk\3ds Max 2010\mentalray\satellite\raysat_3dsmax2010_32server.exe [3/12/2009 16:36 Ant 86016]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\System32\drivers\motccgp.sys [11/2/2007 14:36 Ant 18176]
S3 motccgpfl;MotCcgpFlService;c:\windows\System32\drivers\motccgpfl.sys [1/22/2007 18:33 Ant 7680]
S3 serusb;Motorola USB Comm Port;c:\windows\System32\drivers\usbser.sys [5/29/2009 19:57 Ant 27648]
S3 WMSvc;Web Management Service;c:\windows\System32\inetsrv\WMSvc.exe [4/7/2008 17:37 Ant 11264]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\System32\drivers\WSDPrint.sys [4/7/2008 17:39 Ant 16896]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
HPService REG_MULTI_SZ HPSLPSVC
LPDService REG_MULTI_SZ LPDSVC
ipripsvc REG_MULTI_SZ iprip
getPlusHelper REG_MULTI_SZ getPlusHelper
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-04-19 20:23 452136 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
uSearchMigratedDefaultURL =
uDefault_Search_URL =
mSearch Bar = hxxp://www.starbarsearch.com/?useie5=1&q=
mStart Page = hxxp://www.yahoo.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr10/*http://www.yahoo.com
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
FF - ProfilePath - c:\users\Steve\AppData\Roaming\Mozilla\Firefox\Profiles\z9e8vz5a.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - prefs.js: network.proxy.type - 4
FF - component: c:\users\Steve\AppData\Roaming\Mozilla\Firefox\Profiles\z9e8vz5a.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - component: c:\users\Steve\AppData\Roaming\Mozilla\Firefox\Profiles\z9e8vz5a.default\extensions\{eebc5c3f-ec4b-4ad4-b5d1-fa51b3c42c57}\components\sehLibGlue_stub.dll
FF - component: c:\users\Steve\AppData\Roaming\Mozilla\Firefox\Profiles\z9e8vz5a.default\extensions\piclens@cooliris.com\components\cooliris.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\users\Steve\AppData\Roaming\Mozilla\Firefox\Profiles\z9e8vz5a.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\users\Steve\AppData\Roaming\Mozilla\plugins\npcoolirisplugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(yahoo.ytff.general.dontshowhpoffer, true.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:3d,ad,fa,fd,dc,35,74,40,0a,bc,6b,8b,9e,ba,ef,c2,64,86,07,1b,a6,
a5,b2,71,1f,32,a3,a1,88,b8,f9,50,93,1a,bd,80,13,90,6d,ea,98,4f,6f,e2,cf,ce,\
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Creative\Shared Files\CTAudSvc.exe
c:\windows\system32\WLANExt.exe
c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\windows\system32\mqsvc.exe
c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\System32\tcpsvcs.exe
c:\windows\System32\snmp.exe
c:\windows\system32\mqtgsvc.exe
c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
c:\windows\System32\rundll32.exe
c:\program files\Hewlett-Packard\Shared\hpqWmiEx.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Hewlett-Packard\Shared\HpqToaster.exe
.
**************************************************************************
.
Completion time: 2009-12-20 13:23:36 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-20 18:23

Pre-Run: 38,926,729,216 bytes free
Post-Run: 38,832,295,936 bytes free

- - End Of File - - 0D5F72A3EC10AFAB7CD345E123D14F41



And Here's the MBAM log:

Malwarebytes' Anti-Malware 1.42
Database version: 3398
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18865

12/20/2009 13:49:47 Ant
mbam-log-2009-12-20 (13-49-47).txt

Scan type: Quick Scan
Objects scanned: 117730
Time elapsed: 5 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Switch (Switch.Dialer) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#12 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:54 PM

Posted 20 December 2009 - 02:44 PM

Hello.

Don't worry about the flash-drive disinfector, it's because you're using Vista here.

--

Download and Run USBNoRisk

You are infected with a flash-drive infection. We will help you disinfect them using UsbNoRisk.
  • Please download USBNoRisk by Bobby and save it to your desktop.
  • Double-click on UsbNoRisk.exe to run it. If you are using Windows Vista, please right-click and select Run as Administrator.
  • It will now begin to scan, please wait a few seconds for it to complete.
  • Once it's done you will hear some music being played. This is normal.
  • Now begin to connect/insert all of the USB and other removable storage devices to the PC, one at a time.
Keep each one connected at least for 10 seconds before connecting the next one, so they can be scanned.

Note: If there are more USB storage devices that needed to be scanned, please take a note about the order in which these were connected.[/color]
  • Once you have all of them connected to the computer, and they have been scanned, please right-click in the open field under the Monitor Tab.
  • Then select Save Log. Notepad will open telling you that it has been saved to the C:\USBNoRisk folder.
  • Please post the contents of that log file in your next reply.
--

Run ESET Online Scan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
You can refer to this animation by neomage if needed.

Take a new DDS run afterward and post back with both the DDS and Attach logs in your next reply. Also, let me know how your computer is running and if you have any more problems, issues or symptoms left.

Thanks.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#13 SomeGuyNamedAnt

SomeGuyNamedAnt
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:01:54 PM

Posted 21 December 2009 - 12:37 AM

While I've appreciated all of your help, I no longer need it....

I ended up nuking my entire computer and installing Windows7 Enterprise.

I was having WAY to many problems that seemed to come about, all at once, with Vista.

You all are a great resource and I've already recommended you all to numerous people.

Thanks for all of your help!

Ant

#14 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:54 PM

Posted 21 December 2009 - 11:39 AM

Thanks for letting us know. You're welcome.

Preventing Infections in the Future

Please also have a look at the following links, giving some advice and Tips to protect yourself against malware and reduce the potential for re-infection:
  • Avoid gaming sites, underground web pages, pirated software sites, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
Disable Autorun on Flash-Drive/Removable Drives

When is AUTORUN.INF really an AUTORUN.INF?

USB worms work by creating a file called AUTORUN.INF on the root of USB drives. These INF files then use Autorun or Autoplay (not the same thing!) to execute themselves either when the stick is inserted, or more commonly, when the user double-clicks on the USB drive icon from My Computer (Windows Explorer)...


Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. Read USB-Based Malware Attacks and Please disable Autorun asap!.

If using Windows Vista, please refer to:
"Disable AutoPlay in Windows Vista"
"Preventing AutoPlay with Local Group Policy Editor or AutoPlay options panel"

Note: When Autorun is disabled, double-clicking a drive which has autorun.inf in its root directory may still activate Autorun so be careful.

Vist the WindowsUpdate Site Regularly

I recommend you regularly visit the Windows Update Site!
  • Lots of Hacking/Trojans use the methods found (plugged by the updates) that have not been stopped by people not updating.
  • Update ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish to turn on automatic updates then you will find here is a nice little article about turning on automatic updates.
  • Note that it will download them for you, but you still have to actually click install.
Update Non-Microsoft Programs

It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Update all programs regularly - Make sure you update all the programs you have installed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

With Regards,
Extremeboy

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#15 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:54 PM

Posted 21 December 2009 - 11:41 AM

Hello.

Since the problem appears to be resolved, this topic is now Closed. Glad we could help :(
If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.

This applies only to the original topic starter

Everyone else please start a new topic.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users