Google redirect, multiple Vundo, Win 32, Internet Security 2010


  • This topic is locked
19 replies to this topic

#1 cwbycrshr

cwbycrshr

  • Members
  • 22 posts
  • OFFLINE
  • Local time:02:11 PM

Posted 15 December 2009 - 05:30 PM

Hi,
First, please excuse the previous post (posts). I was putting the cart before the horse and not following the directions.
Stinger, AVG, Windows Defender, and Spybot all find various versions of Vundo Trojans, WIN32Agents, and a few others. Malwarebytes used to work on my machine and was successful in removing "Internet Security 2010" a few weeks ago, or so I thought. However, it just now came back up (while I was downloading RootRepeal). I tried running Malwarebytes but it now says mbam.exe can not be found. Uninstalled, re-installed Malwarebytes several times with the same results...no mbam.exe. I also attempted to start my machine in Safe Mode and can not do that for some reason.
So, here I am. Please, please help. I have backed up what data I can...but I can not get Outlook (2007) to back up my emails. If I have to lose them, so be it.


DDS (Ver_09-12-01.01) - NTFSx86
Run by H at 15:41:54.01 on Tue 12/15/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2307 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
c:\program files\ge security supra\syncservice.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\FastNetSrv.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\GE Security Supra\ProxyDaemon.exe
C:\SSL\stunnel-4.10.exe
C:\WINDOWS\system32\lxdecoms.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Lexmark 4800 Series\lxdemon.exe
C:\Program Files\Lexmark 4800 Series\lxdeamon.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\winupdate86.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\InternetSecurity2010\IS2010.exe
C:\Documents and Settings\H\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=c:\windows\system32\winlogon86.exe
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {4B0FAF5A-67C4-4625-AE07-B0DBADA16EBF} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [notepad] rundll32.exe c:\docume~1\h\ntload.dll,_IWMPEvents@0
uRunOnce: [SpybotDeletingB3080] command.com /c del "c:\windows\system32\nitekufi.dll_old"
uRunOnce: [SpybotDeletingD4342] cmd.exe /c del "c:\windows\system32\nitekufi.dll_old"
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [HWSetup] c:\program files\toshiba\toshiba applet\HWSetup.exe hwSetUP
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [Tvs] c:\program files\toshiba\tvs\TvsTray.exe
mRun: [TPSMain] TPSMain.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [lxdemon.exe] "c:\program files\lexmark 4800 series\lxdemon.exe"
mRun: [lxdeamon] "c:\program files\lexmark 4800 series\lxdeamon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [notepad] rundll32.exe c:\windows\system32\notepad.dll,_IWMPEvents@0
mRun: [iinjug] RUNDLL32.EXE c:\windows\system32\msilojzb.dll,w
mRun: [winupdate86.exe] c:\windows\system32\winupdate86.exe
mRun: [regilonej] Rundll32.exe "c:\windows\system32\zifewiba.dll",a
mRunOnce: [Spybot - Search & Destroy] "c:\program files\spybot - search & destroy\SpybotSD.exe" /autocheck
mRunOnce: [SpybotDeletingA9716] command.com /c del "c:\windows\system32\nitekufi.dll_old"
mRunOnce: [SpybotDeletingC6456] cmd.exe /c del "c:\windows\system32\nitekufi.dll_old"
dRun: [notepad] rundll32.exe c:\docume~1\locals~1\ntload.dll,_IWMPEvents@0
dRun: [Internet Security 2010] c:\program files\internetsecurity2010\IS2010.exe
mExplorerRun: [QJHO] rundll32 "c:\windows\system32\netapi32F.dll",slcuxatr
StartupFolder: c:\docume~1\h\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\h\startm~1\programs\startup\scandisk.lnk - c:\windows\system32\rundll32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: antimalwareguard.com
Trusted Zone: turbotax.com
Trusted Zone: antimalwareguard.com
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/betapit/PCPitStop.CAB
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {6824D897-F7E1-4E41-B84B-B1D3FA4BF1BD} - hxxp://utilities.pcpitstop.com/Exterminate2/pcpitstopAntiVirus.dll
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7}
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {179E5F53-6513-4FA6-867E-263D17DD253B} = 193.104.110.38,4.2.2.1
TCP: {AADEABCD-2492-4F95-ABF4-E14D52384469} = 193.104.110.38,4.2.2.1,66.180.96.12 64.238.96.12
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
AppInit_DLLs: c:\windows\system32\gikuyaju.dll hilozepi.dll c:\windows\system32\zifewiba.dll
SSODL: hovogibep - {3a42de07-848e-4480-8c0e-f6f687e92108} - c:\windows\system32\gikuyaju.dll
SSODL: dedezupab - {c9c964fb-396c-45b5-a09b-4e8b5316f460} - c:\windows\system32\zifewiba.dll
STS: jugezatag: {3a42de07-848e-4480-8c0e-f6f687e92108} - c:\windows\system32\gikuyaju.dll
STS: mujuzedij: {c9c964fb-396c-45b5-a09b-4e8b5316f460} - c:\windows\system32\zifewiba.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
LSA: Notification Packages = scecli msele32.dll hulujige.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\h\applic~1\mozilla\firefox\profiles\vonipyo6.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {EEE3BE73-2E56-4A11-8953-97C510A1F21D} - c:\documents and settings\h\local settings\application data\{EEE3BE73-2E56-4A11-8953-97C510A1F21D}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================


==================== Find3M ====================

2009-09-15 15:36:29 53760 --sha-w- c:\windows\system32\hilozepi.dll
2009-09-15 15:36:29 53760 --sha-w- c:\windows\system32\hulujige.dll
2009-09-15 15:34:34 23105 --sha-w- c:\windows\system32\jolefayu.dll
2009-09-15 21:06:21 45568 --sha-w- c:\windows\system32\mopifobi.dll
2009-03-21 14:06:58 0 --sha-w- c:\windows\system32\notepad.dll
2009-09-14 17:46:21 45568 --sha-w- c:\windows\system32\tadovoyi.dll
2009-09-15 15:34:33 45568 --sha-w- c:\windows\system32\vosemuji.dll
2009-09-15 21:06:21 20480 --sha-w- c:\windows\system32\vulademu.exe
2009-09-15 21:06:21 20480 --sha-w- c:\windows\system32\winlogon86.exe
2009-09-15 21:06:21 20480 --sha-w- c:\windows\system32\winupdate86.exe
2009-09-15 21:06:22 7046 --sha-w- c:\windows\system32\yotenodo.dll
2009-09-15 21:06:21 92160 --sha-w- c:\windows\system32\zifewiba.dll

============= FINISH: 15:43:39.37 ===============

Edited by cwbycrshr, 15 December 2009 - 05:31 PM.
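As an added example (not part of the thread and not code from DDS or any tool named in it), here is a small Python triage pass over lines of the DDS "Pseudo HJT Report" posted above. It encodes the checks a helper applies by eye: the Winlogon Userinit value, AppInit_DLLs, extra LSA notification packages, rundll32 autoruns, autoruns in the .DEFAULT hive, Task Manager policy, Hosts and Trusted Zone entries, static DNS servers, and the 8-letter consonant/vowel filenames typical of this malware family. The sample lines are copied from the log above plus one legitimate Intel entry; the rule names and the name heuristic are my own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Callable, Iterable, List, Tuple

# Constructed sample: lines copied from the DDS "Pseudo HJT Report" in the
# first post, plus one legitimate Intel entry to show the heuristics skip it.
SAMPLE_REPORT = r"""
uStart Page = hxxp://www.yahoo.com/
mWinlogon: Userinit=c:\windows\system32\winlogon86.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [notepad] rundll32.exe c:\docume~1\h\ntload.dll,_IWMPEvents@0
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [iinjug] RUNDLL32.EXE c:\windows\system32\msilojzb.dll,w
mRun: [winupdate86.exe] c:\windows\system32\winupdate86.exe
dRun: [Internet Security 2010] c:\program files\internetsecurity2010\IS2010.exe
dPolicies-system: DisableTaskMgr = 1 (0x1)
Trusted Zone: antimalwareguard.com
TCP: {179E5F53-6513-4FA6-867E-263D17DD253B} = 193.104.110.38,4.2.2.1
AppInit_DLLs: c:\windows\system32\gikuyaju.dll hilozepi.dll c:\windows\system32\zifewiba.dll
SSODL: hovogibep - {3a42de07-848e-4480-8c0e-f6f687e92108} - c:\windows\system32\gikuyaju.dll
LSA: Notification Packages = scecli msele32.dll hulujige.dll
Hosts: 127.0.0.1 www.spywareinfo.com
"""

# Heuristic (my assumption, not a rule from the thread): droppers of this era
# used 8-letter names built from alternating consonants and vowels
# (gikuyaju, zifewiba, hulujige ...). Legitimate names like igfxpers do not match.
CV_NAME = re.compile(
    r"(?<![a-z0-9])(?:[bcdfghjklmnpqrstvwxyz][aeiou]){4}\.(?:dll|exe)\b", re.IGNORECASE
)


@dataclass
class Finding:
    rule: str
    line: str


def _userinit_hijacked(line: str) -> bool:
    # Stock XP value is c:\windows\system32\userinit.exe (a trailing comma is normal).
    if not line.lower().startswith("mwinlogon: userinit="):
        return False
    value = line.split("=", 1)[1].strip().rstrip(",").lower()
    return value != r"c:\windows\system32\userinit.exe"


def _lsa_extra_packages(line: str) -> bool:
    # Only scecli is expected in Notification Packages on a default XP install.
    if not line.lower().startswith("lsa: notification packages ="):
        return False
    return any(p.lower() != "scecli" for p in line.split("=", 1)[1].split())


def _rundll32_autorun(line: str) -> bool:
    # Run/RunOnce/ExplorerRun entries that load a DLL through rundll32.
    return bool(re.match(r"^(?:[umd]Run|mExplorerRun)", line)) and "rundll32" in line.lower()


RULES: List[Tuple[str, Callable[[str], bool]]] = [
    ("Userinit hijack", _userinit_hijacked),
    ("Extra LSA notification package", _lsa_extra_packages),
    ("AppInit_DLLs set",
     lambda l: l.lower().startswith("appinit_dlls:") and l.split(":", 1)[1].strip() != ""),
    ("rundll32 autorun loading a DLL", _rundll32_autorun),
    ("Autorun in the .DEFAULT user hive (review)", lambda l: l.startswith("dRun:")),
    ("Task Manager disabled by policy", lambda l: "disabletaskmgr = 1" in l.lower()),
    ("Hosts file redirect", lambda l: l.startswith("Hosts:")),
    ("Trusted Zone entry (review)", lambda l: l.startswith("Trusted Zone:")),
    ("Static DNS servers configured (review)", lambda l: l.startswith("TCP:")),
    ("Random-looking consonant/vowel filename", lambda l: bool(CV_NAME.search(l))),
]


def triage(lines: Iterable[str]) -> List[Finding]:
    """Apply every rule to every non-empty line; one Finding per (rule, line) hit."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        for name, check in RULES:
            if check(line):
                findings.append(Finding(name, line))
    return findings


def triage_text(report: str) -> List[Finding]:
    return triage(report.splitlines())


if __name__ == "__main__":
    for f in triage_text(SAMPLE_REPORT):
        print(f"[{f.rule}] {f.line}")
```

The pass is a first filter only: it misses entries such as the winupdate86.exe autorun, which a helper still has to recognise by context.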



#2 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:11 PM

Posted 19 December 2009 - 09:50 AM

Hello, cwbycrshr.
Your machine is heavily infected. I have also noted the logs are incomplete. In order to help remove the malware, I need complete logs to understand what is happening on your system. We'll have to run two more scans to try and fill in that information before we can start to fix the machine.

Here are some guidelines to ensure we are able to get your machine back under your control.
  • Please do not run any unsupervised scans, fixes, etc. We can work against each other and end up in a worse place.
  • Please subscribe to this topic if you have not already done so. Please check back just in case, as the email system can fail at times.
  • Just because your machine is running better does not mean it is completely cleaned. Please wait for the 'all clear' from me to say when we are done.
  • Please reply within 3 days to be fair to other people asking for help.
  • When in doubt, please stop and ask first. There's no harm in asking questions!
I am a senior trainee, so my fix will be checked by a staff member. This may result in an extra day before I can reply.



One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you do decide to proceed, please continue with the fix below.



Step 1

We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized


Step 2

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.



Step 3

Please post the complete OTL and GMER logs in your reply.
  • OTL logs (OTListIt.txt and Extra.txt)
  • GMER log


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#3 cwbycrshr

cwbycrshr
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:02:11 PM

Posted 19 December 2009 - 01:21 PM

Hi etavares and thank you for the help.
I look forward to working with you and will do everything I can to follow your instructions to the letter.
I will tell you that I have run Kaspersky since I first posted this and I hope it does not complicate matters. I will also check back as often as possible (morning, lunch, evening, Central time zone) for updates.

I do not use this machine for legally sensitive data. Mostly names, addresses, phone numbers, etc. Some contract information is on here; however, there are no SS#s, DL#s, credit card info, etc. for someone to steal on this machine. Unless instructed to re-format, I would rather attempt to repair. However, if you feel like the infection is too severe, please let me know and I will find someone to reformat it for me.

My machine will not start in Safe Mode or any variation thereof. After pressing F8 and getting to the Safe Mode window and clicking on Safe Mode, a blue screen comes up for a millisecond and the computer restarts...I am sure this has to do with the Trojan or RootKit.

I followed your instructions and the requested information is attached or posted.
OTL froze up after producing the OTL.txt (it produced OTL.txt, not an OTListIt.txt). Therefore, OTL did not produce an Extra.txt. I ran it connected to the Internet and unconnected with all other systems off. Processes were at 100%, with 20%+ for OTL and 80%+ for services.exe (which I imagine is a virus or Trojan).



OTL logfile created on: 12/19/2009 10:17:12 AM - Run 1
OTL by OldTimer - Version 3.1.18.0 Folder = C:\Documents and Settings\H\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 100.00% Memory free
4.00 Gb Paging File | 3.88 Gb Available in Paging File | 97.10% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.70 Gb Total Space | 37.66 Gb Free Space | 67.61% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: WAYNE
Current User Name: H
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2009/12/19 10:06:04 | 00,564,736 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\H\Desktop\OTL.exe
PRC - [2009/11/18 09:57:37 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/11/18 09:57:37 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2009/10/20 20:39:28 | 00,340,456 | ---- | M] (Kaspersky Lab) -- C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
PRC - [2009/10/20 20:34:38 | 00,207,376 | ---- | M] (Kaspersky Lab) -- C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtblfs.exe
PRC - [2009/07/20 11:30:50 | 00,813,584 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Logitech\SetPoint\SetPoint.exe
PRC - [2009/07/10 11:42:32 | 00,055,824 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
PRC - [2009/03/08 13:09:26 | 00,638,816 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2008/12/12 10:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2008/12/09 12:37:02 | 00,013,088 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
PRC - [2008/04/13 18:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/06/11 12:53:14 | 00,455,600 | ---- | M] () -- C:\Program Files\Lexmark 4800 Series\lxdemon.exe
PRC - [2007/06/01 07:06:10 | 00,020,480 | ---- | M] () -- C:\Program Files\Lexmark 4800 Series\lxdeamon.exe
PRC - [2007/05/29 08:07:58 | 00,598,960 | ---- | M] ( ) -- C:\WINDOWS\system32\lxdecoms.exe
PRC - [2006/10/26 23:47:42 | 00,031,016 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
PRC - [2006/09/07 10:05:16 | 00,053,248 | ---- | M] (GE Security Supra) -- c:\Program Files\GE Security Supra\SyncService.exe
PRC - [2006/09/07 10:05:16 | 00,011,776 | ---- | M] (GE Security Supra) -- C:\Program Files\GE Security Supra\ProxyDaemon.exe
PRC - [2005/12/09 14:49:42 | 15,691,264 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\RTHDCPL.exe
PRC - [2005/11/30 11:25:22 | 00,073,728 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\Tvs\TvsTray.exe
PRC - [2005/11/28 12:55:58 | 00,118,784 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxpers.exe
PRC - [2005/11/28 12:55:14 | 00,098,304 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxtray.exe
PRC - [2005/11/28 12:52:00 | 00,077,824 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\hkcmd.exe
PRC - [2005/11/16 10:34:28 | 00,073,216 | ---- | M] () -- C:\SSL\stunnel-4.10.exe
PRC - [2005/10/15 05:29:08 | 00,088,203 | ---- | M] (Agere Systems) -- C:\WINDOWS\agrsmmsg.exe
PRC - [2005/05/31 16:16:24 | 00,045,056 | ---- | M] (TOSHIBA Corporation) -- C:\WINDOWS\system32\TPSBattM.exe
PRC - [2004/08/27 23:37:00 | 00,155,648 | ---- | M] (Matsubleepa Electric Industrial Co., Ltd.) -- C:\WINDOWS\system32\RAMASST.exe
PRC - [2004/08/27 23:33:00 | 00,110,592 | ---- | M] (Matsubleepa Electric Industrial Co., Ltd.) -- C:\WINDOWS\system32\DVDRAMSV.exe


========== Modules (SafeList) ==========

MOD - [2009/12/19 10:06:04 | 00,564,736 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\H\Desktop\OTL.exe
MOD - [2009/09/15 09:36:29 | 00,053,760 | -HS- | M] () -- C:\WINDOWS\system32\hilozepi.dll
MOD - [2009/07/20 11:29:06 | 00,045,584 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Logitech\SetPoint\lgscroll.dll
MOD - [2008/07/25 10:17:20 | 00,635,904 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\msvcr80.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (fastnetsrv)
SRV - [2009/11/18 09:57:37 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/10/20 20:39:28 | 00,340,456 | ---- | M] (Kaspersky Lab) [On_Demand | Running] -- C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe -- (AVP)
SRV - [2009/09/14 09:42:10 | 00,133,104 | ---- | M] (Google Inc.) [Disabled | Stopped] -- C:\Program Files\Google\Update\GoogleUpdate.exe -- (gupdate) Google Update Service (gupdate)
SRV - [2009/07/20 11:28:10 | 00,121,360 | ---- | M] (Logitech, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe -- (LBTServ)
SRV - [2009/07/09 11:22:18 | 00,144,712 | ---- | M] (Apple Inc.) [Disabled | Stopped] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2009/03/23 19:32:02 | 00,183,280 | ---- | M] (Google) [Disabled | Stopped] -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc)
SRV - [2008/12/12 10:17:38 | 00,238,888 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2008/12/09 12:37:02 | 00,013,088 | ---- | M] (Intuit Inc.) [Auto | Running] -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService)
SRV - [2008/11/20 13:20:44 | 00,536,872 | ---- | M] (Apple Inc.) [On_Demand | Stopped] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2007/05/29 08:07:58 | 00,598,960 | ---- | M] ( ) [Auto | Running] -- C:\WINDOWS\System32\lxdecoms.exe -- (lxde_device)
SRV - [2007/05/29 08:06:44 | 00,099,248 | ---- | M] () [Auto | Stopped] -- C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdeserv.exe -- (lxdeCATSCustConnectService)
SRV - [2006/10/26 23:47:54 | 00,065,824 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe -- (Microsoft Office Groove Audit Service)
SRV - [2006/10/26 18:49:34 | 00,441,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv)
SRV - [2006/10/26 13:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2006/09/07 10:05:16 | 00,053,248 | ---- | M] (GE Security Supra) [Auto | Running] -- c:\Program Files\GE Security Supra\SyncService.exe -- (DkeySync)
SRV - [2004/08/27 23:33:00 | 00,110,592 | ---- | M] (Matsubleepa Electric Industrial Co., Ltd.) [Auto | Running] -- C:\WINDOWS\system32\DVDRAMSV.exe -- (DVD-RAM_Service)


========== Driver Services (SafeList) ==========

DRV - [2009/12/16 08:35:29 | 00,315,408 | ---- | M] (Kaspersky Lab) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\klif.sys -- (KLIF)
DRV - [2009/10/14 21:18:34 | 00,036,880 | ---- | M] (Kaspersky Lab) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\klbg.sys -- (klbg)
DRV - [2009/10/02 19:39:44 | 00,019,472 | ---- | M] (Kaspersky Lab) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\klmouflt.sys -- (klmouflt)
DRV - [2009/09/14 14:42:46 | 00,032,272 | ---- | M] (Kaspersky Lab) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\klim5.sys -- (klim5)
DRV - [2009/09/01 15:29:50 | 00,128,016 | ---- | M] (Kaspersky Lab) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\kl1.sys -- (kl1)
DRV - [2009/07/09 11:16:16 | 00,039,424 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbaapl.sys -- (USBAAPL)
DRV - [2009/06/17 10:56:16 | 00,037,392 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LMouFilt.Sys -- (LMouFilt)
DRV - [2009/06/17 10:56:06 | 00,035,472 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LHidFilt.Sys -- (LHidFilt)
DRV - [2009/06/17 10:55:34 | 00,010,384 | ---- | M] (Logitech, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\LBeepKE.sys -- (LBeepKE)
DRV - [2008/11/20 13:19:06 | 00,043,872 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20)
DRV - [2008/10/31 12:38:08 | 00,023,600 | ---- | M] (EnTech Taiwan) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\TVICHW32.SYS -- (TVICHW32)
DRV - [2008/04/17 13:12:54 | 00,015,464 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV - [2008/04/13 12:45:12 | 00,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/04/13 10:39:15 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2008/04/13 10:36:05 | 00,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2007/11/15 14:30:48 | 00,034,064 | ---- | M] (CACE Technologies) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\npf.sys -- (npf)
DRV - [2006/09/07 10:00:18 | 00,089,808 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\slabser.sys -- (slabser)
DRV - [2006/09/07 10:00:18 | 00,055,312 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\slabbus.sys -- (slabbus) DisplayKEY USB Cradle driver (WDM)
DRV - [2006/07/25 17:39:32 | 01,707,776 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NETw3x32.sys -- (NETw3x32) Intel®
DRV - [2005/12/09 15:48:40 | 04,123,136 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.Sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2005/12/05 00:55:30 | 01,428,096 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\w39n51.sys -- (w39n51) Intel®
DRV - [2005/12/01 09:55:24 | 00,011,264 | ---- | M] (TOSHIBA ) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\TPwSav.sys -- (TPwSav)
DRV - [2005/11/30 10:01:02 | 00,043,392 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Tvs.sys -- (Tvs)
DRV - [2005/11/30 09:12:36 | 00,162,560 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tifm21.sys -- (tifm21)
DRV - [2005/11/28 13:20:20 | 01,353,820 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ialmnt5.sys -- (ialm)
DRV - [2005/11/15 08:00:22 | 01,122,656 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2005/10/10 14:31:42 | 00,163,328 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\e100b325.sys -- (E100B) Intel®
DRV - [2005/06/02 02:33:00 | 00,102,384 | ---- | M] (Matsushita Electric Industrial Co.,Ltd.) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\meiudf.sys -- (meiudf)
DRV - [2001/08/23 06:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-507921405-1770027372-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKU\S-1-5-21-507921405-1770027372-725345543-1003\S-1-5-21-507921405-1770027372-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-507921405-1770027372-725345543-1003\S-1-5-21-507921405-1770027372-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG8\Firefox
FF - HKLM\software\mozilla\Firefox\Extensions\\{EEE3BE73-2E56-4A11-8953-97C510A1F21D}: C:\Documents and Settings\H\Local Settings\Application Data\{EEE3BE73-2E56-4A11-8953-97C510A1F21D} [2009/10/21 12:02:46 | 00,000,000 | ---D | M]

[2009/12/18 09:35:54 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/12/16 08:29:01 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru
[2009/11/18 08:03:18 | 00,002,033 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\google_search.xml

O1 HOSTS File: (317691 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 10898 more lines...
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
O2 - BHO: (no name) - {4B0FAF5A-67C4-4625-AE07-B0DBADA16EBF} - No CLSID value found.
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (IEVkbdBHO Class) - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\ievkbd.dll (Kaspersky Lab)
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (no name) - {782206cb-d5d0-423d-8586-79eff195f037} - File not found
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (FilterBHO Class) - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll (Kaspersky Lab)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKU\S-1-5-21-507921405-1770027372-725345543-1003\..\Toolbar\WebBrowser: (no name) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - No CLSID value found.
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AGRSMMSG] C:\WINDOWS\agrsmmsg.exe (Agere Systems)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [GrooveMonitor] C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe (Microsoft Corporation)
O4 - HKLM..\Run: [HWSetup] C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe (TOSHIBA CO.,LTD.)
O4 - HKLM..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [Kernel and Hardware Abstraction Layer] C:\WINDOWS\KHALMNPR.Exe (Logitech, Inc.)
O4 - HKLM..\Run: [lxdeamon] C:\Program Files\Lexmark 4800 Series\lxdeamon.exe ()
O4 - HKLM..\Run: [lxdemon.exe] C:\Program Files\Lexmark 4800 Series\lxdemon.exe ()
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe File not found
O4 - HKLM..\Run: [notepad] C:\WINDOWS\System32\notepad.DLL ()
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [regilonej] C:\WINDOWS\System32\kogonubo.DLL File not found
O4 - HKLM..\Run: [RTHDCPL] C:\WINDOWS\RTHDCPL.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [TPSMain] C:\WINDOWS\System32\TPSMain.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [Tvs] C:\Program Files\TOSHIBA\Tvs\TvsTray.exe (TOSHIBA Corporation)
O4 - HKU\.DEFAULT..\Run: [notepad] C:\DOCUME~1\LOCALS~1\ntload.DLL File not found
O4 - HKU\S-1-5-18..\Run: [notepad] C:\DOCUME~1\LOCALS~1\ntload.DLL File not found
O4 - HKU\S-1-5-21-507921405-1770027372-725345543-1003..\Run: [notepad] C:\Documents and Settings\H\ntload.dll ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe (Logitech, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe (Matsushita Electric Industrial Co., Ltd.)
O4 - Startup: C:\Documents and Settings\H\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: QJHO = rundll32 "C:\WINDOWS\system32\netapi32F.dll",slcuxatr File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetActiveDesktop = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetActiveDesktop = 1
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-507921405-1770027372-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-507921405-1770027372-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetActiveDesktop = 1
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_17.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: &Virtual keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll (Kaspersky Lab)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll (Kaspersky Lab)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: antimalwareguard.com ([]* in Trusted sites)
O15 - HKLM\..Trusted Domains: 57 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\.DEFAULT\..Trusted Domains: 56 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-18\..Trusted Domains: 56 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-507921405-1770027372-725345543-1003\..Trusted Domains: antimalwareguard.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-507921405-1770027372-725345543-1003\..Trusted Domains: turbotax.com ([]https in Trusted sites)
O15 - HKU\S-1-5-21-507921405-1770027372-725345543-1003\..Trusted Domains: 56 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} http://www.pcpitstop.com/betapit/PCPitStop.CAB (PCPitstop Utility)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Reg Error: Key error.)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resource/...lscbase5483.cab (Windows Live Safety Center Base Module)
O16 - DPF: {6824D897-F7E1-4E41-B84B-B1D3FA4BF1BD} http://utilities.pcpitstop.com/Exterminate...opAntiVirus.dll (PCPitstop AntiVirus)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.0...oUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - Reg Error: Key error. File not found
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (c:\windows\system32\kogonubo.dll) - C:\WINDOWS\System32\kogonubo.dll File not found
O20 - AppInit_DLLs: (hilozepi.dll) - C:\WINDOWS\System32\hilozepi.dll ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\klogon: DllName - C:\WINDOWS\system32\klogon.dll - C:\WINDOWS\system32\klogon.dll (Kaspersky Lab)
O20 - Winlogon\Notify\LBTWlgn: DllName - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll - c:\Program Files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll (Logitech, Inc.)
O21 - SSODL: dedezupab - {c9c964fb-396c-45b5-a09b-4e8b5316f460} - C:\WINDOWS\System32\zifewiba.dll File not found
O21 - SSODL: hovogibep - {3a42de07-848e-4480-8c0e-f6f687e92108} - C:\WINDOWS\System32\gikuyaju.dll File not found
O21 - SSODL: jujonatek - {0a9413e3-32d1-4255-837b-bb91aba92ae3} - C:\WINDOWS\System32\kogonubo.dll File not found
O22 - SharedTaskScheduler: {0a9413e3-32d1-4255-837b-bb91aba92ae3} - kupuhivus - C:\WINDOWS\System32\kogonubo.dll File not found
O22 - SharedTaskScheduler: {3a42de07-848e-4480-8c0e-f6f687e92108} - jugezatag - C:\WINDOWS\System32\gikuyaju.dll File not found
O22 - SharedTaskScheduler: {c9c964fb-396c-45b5-a09b-4e8b5316f460} - mujuzedij - C:\WINDOWS\System32\zifewiba.dll File not found
O24 - Desktop Components:0 () - file:///C:/DOCUME~1/H/LOCALS~1/Temp/msoclip1/01/clip_image002.jpg
O24 - Desktop Components:1 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/10/11 07:41:55 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{53ff1524-9885-11dd-b700-00130282c448}\Shell\AutoRun\command - "" = F:\Autorun.exe -- File not found
O33 - MountPoints2\{53ff1524-9885-11dd-b700-00130282c448}\Shell\Shell00\Command - "" = F:\Autorun.exe -- File not found
O33 - MountPoints2\{53ff1524-9885-11dd-b700-00130282c448}\Shell\Shell01\Command - "" = F:\Autorun.exe -- File not found
O33 - MountPoints2\{53ff1524-9885-11dd-b700-00130282c448}\Shell\Shell02\Command - "" = F:\Autorun.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2009/12/19 10:06:03 | 00,564,736 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\H\Desktop\OTL.exe
[2009/12/18 09:23:43 | 04,844,296 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\H\Desktop\mbam-setup.exe
[2009/12/16 08:27:11 | 00,000,000 | ---D | C] -- C:\Program Files\Kaspersky Lab
[2009/12/16 08:27:11 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
[2009/12/16 08:26:38 | 00,315,408 | ---- | C] (Kaspersky Lab) -- C:\WINDOWS\System32\drivers\klif.sys
[2009/12/15 16:29:25 | 00,000,000 | -H-D | C] -- C:\kleaner.tmp
[2009/12/15 16:27:35 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
[2009/12/15 16:25:59 | 67,291,088 | ---- | C] (Kaspersky Lab) -- C:\Documents and Settings\H\Desktop\kav2010_9.0.0.736en.exe
[2009/12/15 15:47:01 | 00,472,064 | ---- | C] ( ) -- C:\Documents and Settings\H\Desktop\RootRepeal.exe
[2009/12/15 15:21:58 | 00,000,000 | ---D | C] -- C:\Program Files\InternetSecurity2010
[2009/12/15 15:13:58 | 00,000,000 | ---D | C] -- C:\Program Files\Runtime Software
[2009/12/15 15:11:20 | 00,000,000 | ---D | C] -- C:\Documents and Settings\H\Desktop\Backup 12152009
[2009/12/15 14:30:09 | 00,000,000 | ---D | C] -- C:\Program Files\TrendMicro
[2009/12/03 14:34:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2009/12/03 14:13:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2009/11/25 19:28:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2009/09/27 10:49:13 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2009/09/21 18:32:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe
[2009/09/21 18:26:30 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2009/09/14 09:47:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2009/09/14 09:42:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2009/08/03 18:52:10 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/08/03 18:52:10 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2009/08/01 11:01:38 | 01,200,128 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdeserv.dll
[2009/08/01 11:01:38 | 00,950,272 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdeusb1.dll
[2009/08/01 11:01:38 | 00,860,160 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdecomc.dll
[2009/08/01 11:01:38 | 00,663,552 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdehbn3.dll
[2009/08/01 11:01:38 | 00,647,168 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdepmui.dll
[2009/08/01 11:01:38 | 00,565,248 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdelmpm.dll
[2009/08/01 11:01:38 | 00,434,176 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdehcp.dll
[2009/08/01 11:01:38 | 00,364,544 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdecomm.dll
[2009/08/01 11:01:38 | 00,356,352 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdeinpa.dll
[2009/08/01 11:01:38 | 00,339,968 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdeiesc.dll
[2009/08/01 11:01:38 | 00,053,248 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdeprox.dll
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\*.tmp files -> C:\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2009/12/19 10:16:11 | 00,293,376 | ---- | M] () -- C:\Documents and Settings\H\Desktop\gmer.exe
[2009/12/19 10:15:01 | 00,011,168 | -H-- | M] () -- C:\WINDOWS\System32\wasitenu
[2009/12/19 10:06:04 | 00,564,736 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\H\Desktop\OTL.exe
[2009/12/19 10:04:02 | 00,002,713 | -HS- | M] () -- C:\WINDOWS\System32\narutapo.exe
[2009/12/19 10:03:39 | 00,002,713 | -HS- | M] () -- C:\WINDOWS\System32\vupowose.dll
[2009/12/18 10:08:38 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/12/18 10:07:36 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/12/18 10:07:31 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/12/18 10:05:55 | 09,699,328 | -H-- | M] () -- C:\Documents and Settings\H\NTUSER.DAT
[2009/12/18 10:05:49 | 06,947,326 | -H-- | M] () -- C:\Documents and Settings\H\Local Settings\Application Data\IconCache.db
[2009/12/18 10:02:16 | 00,000,000 | -HS- | M] () -- C:\WINDOWS\System32\ralijivi.dll
[2009/12/18 10:02:16 | 00,000,000 | -HS- | M] () -- C:\putabami.dll
[2009/12/18 10:02:16 | 00,000,000 | -HS- | M] () -- C:\Program Files\lalolezi.dll
[2009/12/18 10:02:16 | 00,000,000 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\jasosise.dll
[2009/12/18 10:02:16 | 00,000,000 | -HS- | M] () -- C:\WINDOWS\honomige.dll
[2009/12/18 10:02:16 | 00,000,000 | -HS- | M] () -- C:\WINDOWS\System32\hajakari.dll
[2009/12/18 09:25:43 | 00,000,278 | -HS- | M] () -- C:\Documents and Settings\H\ntuser.ini
[2009/12/18 09:23:43 | 04,844,296 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\H\Desktop\mbam-setup.exe
[2009/12/17 12:35:22 | 02,067,049 | ---- | M] () -- C:\Documents and Settings\H\Desktop\thewearykind.mp3
[2009/12/17 11:15:14 | 00,134,656 | ---- | M] () -- C:\Documents and Settings\H\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/12/17 10:56:26 | 00,271,360 | ---- | M] () -- C:\Documents and Settings\H\Desktop\archivegmail.pst
[2009/12/17 09:37:46 | 00,271,360 | ---- | M] () -- C:\Documents and Settings\H\Desktop\archive.pst
[2009/12/16 15:54:01 | 00,001,517 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2009/12/16 10:02:00 | 01,835,583 | ---- | M] () -- C:\Documents and Settings\H\Desktop\Hinescontract.pdf
[2009/12/16 09:13:00 | 00,003,060 | -HS- | M] () -- C:\WINDOWS\System32\libupune.dll
[2009/12/16 08:35:29 | 00,315,408 | ---- | M] (Kaspersky Lab) -- C:\WINDOWS\System32\drivers\klif.sys
[2009/12/16 08:32:41 | 00,002,704 | ---- | M] () -- C:\WINDOWS\System32\26500.exe
[2009/12/16 08:28:42 | 00,108,059 | ---- | M] () -- C:\WINDOWS\System32\drivers\klin.dat
[2009/12/16 08:28:42 | 00,095,259 | ---- | M] () -- C:\WINDOWS\System32\drivers\klick.dat
[2009/12/16 08:12:40 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\6334.exe
[2009/12/15 19:39:05 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\18467.exe
[2009/12/15 19:19:00 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\41.exe
[2009/12/15 17:06:46 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\11478.exe
[2009/12/15 16:46:45 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\15724.exe
[2009/12/15 16:28:19 | 67,291,088 | ---- | M] (Kaspersky Lab) -- C:\Documents and Settings\H\Desktop\kav2010_9.0.0.736en.exe
[2009/12/15 16:26:45 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\19169.exe
[2009/12/15 15:52:14 | 00,277,272 | ---- | M] () -- C:\Documents and Settings\H\Desktop\RootRepeal.dmp
[2009/12/15 15:48:20 | 00,000,000 | ---- | M] () -- C:\Documents and Settings\H\Desktop\settings.dat
[2009/12/15 15:47:17 | 00,472,064 | ---- | M] ( ) -- C:\Documents and Settings\H\Desktop\RootRepeal.exe
[2009/12/15 15:35:15 | 00,002,433 | ---- | M] () -- C:\Documents and Settings\H\Desktop\HiJackThis.lnk
[2009/12/15 15:14:05 | 00,000,772 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\DriveImage XML.lnk
[2009/12/15 15:06:46 | 00,039,424 | -HS- | M] () -- C:\WINDOWS\System32\yeneriho.dll
[2009/12/15 09:35:54 | 00,053,760 | -HS- | M] () -- C:\WINDOWS\System32\supotala.dll
[2009/12/15 09:35:54 | 00,039,424 | -HS- | M] () -- C:\WINDOWS\System32\wavemile.dll
[2009/12/14 12:31:09 | 00,444,156 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/12/14 12:31:09 | 00,072,248 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/12/14 12:31:08 | 00,525,448 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/12/14 11:46:32 | 00,039,424 | -HS- | M] () -- C:\WINDOWS\System32\befomita.dll
[2009/12/14 11:41:23 | 00,068,096 | RHS- | M] () -- C:\WINDOWS\System32\netapi32F.dll_old
[2009/12/14 11:40:57 | 00,000,641 | -HS- | M] () -- C:\Documents and Settings\H\Start Menu\Programs\Startup\scandisk.lnk
[2009/12/14 11:40:55 | 00,008,704 | ---- | M] () -- C:\acad.exe
[2009/12/14 11:14:22 | 00,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/11/20 08:40:18 | 00,000,436 | ---- | M] () -- C:\WINDOWS\tasks\Updater.job
[2009/11/20 08:40:14 | 00,079,109 | ---- | M] () -- C:\xrvho.exe
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\*.tmp files -> C:\*.tmp -> ]

========== Files Created - No Company Name ==========

[2009/12/19 10:16:09 | 00,293,376 | ---- | C] () -- C:\Documents and Settings\H\Desktop\gmer.exe
[2009/12/19 10:04:02 | 00,002,713 | -HS- | C] () -- C:\WINDOWS\System32\narutapo.exe
[2009/12/19 10:03:39 | 00,002,713 | -HS- | C] () -- C:\WINDOWS\System32\vupowose.dll
[2009/12/18 10:02:16 | 00,000,000 | -HS- | C] () -- C:\WINDOWS\System32\ralijivi.dll
[2009/12/18 10:02:16 | 00,000,000 | -HS- | C] () -- C:\putabami.dll
[2009/12/18 10:02:16 | 00,000,000 | -HS- | C] () -- C:\Program Files\lalolezi.dll
[2009/12/18 10:02:16 | 00,000,000 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\jasosise.dll
[2009/12/18 10:02:16 | 00,000,000 | -HS- | C] () -- C:\WINDOWS\honomige.dll
[2009/12/18 10:02:16 | 00,000,000 | -HS- | C] () -- C:\WINDOWS\System32\hajakari.dll
[2009/12/17 12:35:21 | 02,067,049 | ---- | C] () -- C:\Documents and Settings\H\Desktop\thewearykind.mp3
[2009/12/17 09:38:49 | 00,271,360 | ---- | C] () -- C:\Documents and Settings\H\Desktop\archivegmail.pst
[2009/12/17 09:37:20 | 00,271,360 | ---- | C] () -- C:\Documents and Settings\H\Desktop\archive.pst
[2009/12/16 10:02:00 | 01,835,583 | ---- | C] () -- C:\Documents and Settings\H\Desktop\Hinescontract.pdf
[2009/12/16 09:13:00 | 00,003,060 | -HS- | C] () -- C:\WINDOWS\System32\libupune.dll
[2009/12/16 08:28:42 | 00,108,059 | ---- | C] () -- C:\WINDOWS\System32\drivers\klin.dat
[2009/12/16 08:28:42 | 00,095,259 | ---- | C] () -- C:\WINDOWS\System32\drivers\klick.dat
[2009/12/15 17:06:46 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\11478.exe
[2009/12/15 16:46:45 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\15724.exe
[2009/12/15 16:26:45 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\19169.exe
[2009/12/15 16:06:45 | 00,002,704 | ---- | C] () -- C:\WINDOWS\System32\26500.exe
[2009/12/15 15:52:14 | 00,277,272 | ---- | C] () -- C:\Documents and Settings\H\Desktop\RootRepeal.dmp
[2009/12/15 15:48:20 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\H\Desktop\settings.dat
[2009/12/15 15:46:44 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\6334.exe
[2009/12/15 15:26:44 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\18467.exe
[2009/12/15 15:14:05 | 00,000,772 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\DriveImage XML.lnk
[2009/12/15 15:06:46 | 00,039,424 | -HS- | C] () -- C:\WINDOWS\System32\yeneriho.dll
[2009/12/15 15:06:43 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\41.exe
[2009/12/15 14:30:10 | 00,002,433 | ---- | C] () -- C:\Documents and Settings\H\Desktop\HiJackThis.lnk
[2009/12/15 09:35:54 | 00,053,760 | -HS- | C] () -- C:\WINDOWS\System32\supotala.dll
[2009/12/15 09:35:54 | 00,039,424 | -HS- | C] () -- C:\WINDOWS\System32\wavemile.dll
[2009/12/14 11:46:32 | 00,039,424 | -HS- | C] () -- C:\WINDOWS\System32\befomita.dll
[2009/12/14 11:41:23 | 00,068,096 | RHS- | C] () -- C:\WINDOWS\System32\netapi32F.dll_old
[2009/12/14 11:40:55 | 00,008,704 | ---- | C] () -- C:\acad.exe
[2009/11/20 08:40:18 | 00,000,436 | ---- | C] () -- C:\WINDOWS\tasks\Updater.job
[2009/11/20 08:39:34 | 00,079,109 | ---- | C] () -- C:\xrvho.exe
[2009/11/09 10:46:33 | 00,000,036 | ---- | C] () -- C:\Documents and Settings\H\Local Settings\Application Data\housecall.guid.cache
[2009/09/17 09:25:55 | 00,039,424 | -HS- | C] () -- C:\WINDOWS\System32\sobipore.dll
[2009/09/17 09:25:53 | 00,045,568 | -HS- | C] () -- C:\WINDOWS\System32\sisazibo.dll
[2009/09/15 15:06:22 | 00,007,046 | -HS- | C] () -- C:\WINDOWS\System32\yotenodo.dll
[2009/09/15 09:36:29 | 00,053,760 | -HS- | C] () -- C:\WINDOWS\System32\hilozepi.dll
[2009/09/15 09:34:34 | 00,023,105 | -HS- | C] () -- C:\WINDOWS\System32\jolefayu.dll
[2009/09/15 09:34:33 | 00,045,568 | -HS- | C] () -- C:\WINDOWS\System32\vosemuji.dll
[2009/09/14 11:46:21 | 00,045,568 | -HS- | C] () -- C:\WINDOWS\System32\tadovoyi.dll
[2009/08/03 16:35:16 | 00,168,448 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2009/08/03 16:35:16 | 00,000,038 | ---- | C] () -- C:\WINDOWS\avisplitter.ini
[2009/08/03 16:35:15 | 03,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2009/08/03 16:35:15 | 00,881,664 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2009/08/03 16:35:15 | 00,205,824 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2009/08/03 16:35:14 | 00,085,504 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2009/08/03 16:35:14 | 00,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2009/08/01 11:02:20 | 00,040,960 | ---- | C] () -- C:\WINDOWS\System32\lxdevs.dll
[2009/08/01 11:02:19 | 00,348,160 | ---- | C] () -- C:\WINDOWS\System32\lxdecoin.dll
[2009/08/01 11:02:03 | 00,692,224 | ---- | C] () -- C:\WINDOWS\System32\lxdedrs.dll
[2009/08/01 11:02:03 | 00,069,632 | ---- | C] () -- C:\WINDOWS\System32\lxdecnv4.dll
[2009/08/01 11:02:03 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\lxdecaps.dll
[2009/08/01 11:01:38 | 00,348,160 | ---- | C] () -- C:\WINDOWS\System32\lxdeinst.dll
[2009/08/01 11:01:38 | 00,208,896 | ---- | C] () -- C:\WINDOWS\System32\lxdegrd.dll
[2009/07/17 19:39:13 | 00,001,517 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2009/04/16 12:29:40 | 00,159,744 | ---- | C] () -- C:\WINDOWS\System32\libssl32.dll
[2009/01/08 10:25:18 | 00,053,248 | ---- | C] () -- C:\WINDOWS\System32\Zlib.dll
[2009/01/08 10:24:55 | 00,041,984 | ---- | C] () -- C:\WINDOWS\System32\ZFExt.dll
[2008/12/11 16:47:48 | 00,941,784 | ---- | C] () -- C:\WINDOWS\System32\drivers\CAMTHWDM.sys
[2008/10/31 13:16:58 | 00,000,156 | ---- | C] () -- C:\WINDOWS\ricdb.ini
[2008/10/21 19:39:13 | 00,000,566 | ---- | C] () -- C:\WINDOWS\System32\SP7302.INI
[2008/10/15 19:09:28 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/10/12 11:44:54 | 00,134,656 | ---- | C] () -- C:\Documents and Settings\H\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/10/11 23:56:30 | 00,135,168 | ---- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2008/10/11 23:48:25 | 00,036,736 | ---- | C] () -- C:\WINDOWS\System32\drivers\CSIIDecoder_kern_i386.sys
[2008/10/11 23:48:25 | 00,029,184 | ---- | C] () -- C:\WINDOWS\System32\drivers\TSXT_kern_i386.sys
[2008/10/11 23:34:23 | 00,032,768 | ---- | C] () -- C:\WINDOWS\System32\EBLib.DLL
[2008/10/11 23:04:02 | 00,128,113 | ---- | C] () -- C:\WINDOWS\System32\csellang.ini
[2008/10/11 23:04:02 | 00,045,056 | ---- | C] () -- C:\WINDOWS\System32\csellang.dll
[2008/10/11 23:04:02 | 00,010,165 | ---- | C] () -- C:\WINDOWS\System32\tosmreg.ini
[2008/10/11 23:04:02 | 00,007,671 | ---- | C] () -- C:\WINDOWS\System32\cseltbl.ini
[2006/04/22 17:00:10 | 00,053,299 | ---- | C] () -- C:\WINDOWS\System32\pthreadVC.dll
[2005/12/09 13:36:30 | 00,028,672 | ---- | C] () -- C:\WINDOWS\System32\TPeculiarity.dll
[2005/11/23 12:41:28 | 00,036,864 | ---- | C] () -- C:\WINDOWS\System32\HWS_Ctrl.dll
[2005/03/28 23:58:20 | 00,159,744 | ---- | C] () -- C:\WINDOWS\System32\ssleay32.dll
[2005/03/28 23:58:10 | 00,847,872 | ---- | C] () -- C:\WINDOWS\System32\libeay32.dll
[2004/08/03 23:56:44 | 00,000,000 | -HS- | C] () -- C:\WINDOWS\System32\notepad.dll
[2001/08/23 06:00:00 | 00,000,008 | ---- | C] () -- C:\WINDOWS\System32\FInstall.sys
[1999/01/22 18:46:58 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL
[1998/01/12 02:00:00 | 00,040,448 | ---- | C] () -- C:\WINDOWS\System32\REGOBJ.DLL

========== Alternate Data Streams ==========

@Alternate Data Stream - 88 bytes -> C:\WINDOWS\System32\svchost.exe:SummaryInformation
@Alternate Data Stream - 110 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
< End of report >



Due to the size of the file, GMER.LOG is attached instead of posted.
Thank you again and I will check back.

Attached Files

  • gmer.log (83.63KB)


#4 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:11 PM

Posted 19 December 2009 - 05:17 PM

Hello, cwbycrshr.
Choosing to fix it is up to you. Kaspersky did eliminate much of what you had, but there still is malware active we can fix. Running Kaspersky while waiting for someone to respond was good, but please don't run or change anything that I don't instruct you to do at this point. We have to bring out some stronger tools and current info is critical to ensure they work.

If you do want to proceed...



Step 1

Next, please download ComboFix from one of these locations:
* IMPORTANT !!! Save KittyFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on KittyFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply, along with any symptoms that are present after it runs.

Edited by etavares, 19 December 2009 - 05:18 PM.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 


#5 cwbycrshr

cwbycrshr
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:02:11 PM

Posted 20 December 2009 - 02:49 PM

I'm back again etavares,
I have run ComboFix and attached the ComboFix.txt. It restarted my machine twice (once after finding a RootKit) and took about 35 minutes to run (just FYI).
Google still redirects to multiple other sites (as does Yahoo and I imagine any other search engine). System is over all slow and pages (including Outlook) take some time to load up.

Upon reboot, before running ComboFix, I would get several Error Logs for downloaders such as Notepad.dll etc. After ComboFix ran, I still received 3 Error Logs for huljige.dll, kogonubo.dll, and notepad.dll.

I have not ran any other programs and will await further instructions.
Thank you for your assistance in this nasty little matter.

Attached Files



#6 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:11 PM

Posted 20 December 2009 - 05:52 PM

Hello, cwbycrshr.
You have a very infected machine, so it was taking CF a long time to run. We still have one more serious infection to deal with before we can begin to clean out the minor stuff. This may not yet fix your redirects but we're making progress.

Please let me know if after the next reboot you still get those errors about notepad.dll and the others. Combofix did remove the registry entries so nothing should be calling them, but it may take another reboot before the warnings go away. Thanks for noting them, please keep doing that.



Step 1

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

MIA::
c:\windows\system32\eventlog.dll
File::
C:\putabami.dll
C:\Program Files\lalolezi.dll
C:\WINDOWS\System32\supotala.dll
C:\acad.exe
C:\Documents and Settings\All Users\Application Data\jasosise.dll
C:\xrvho.exe
C:\WINDOWS\System32\sobipore.dll
C:\WINDOWS\System32\sisazibo.dll
C:\WINDOWS\System32\yotenodo.dll
C:\WINDOWS\System32\netapi32F.dll_old
c:\windows\Pdebezusu.bin
c:\windows\Yhezisawanu.dat
c:\windows\system32\daqdrv.sys
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000000
Driver::
daqdrv
DDS::
TCP: {179E5F53-6513-4FA6-867E-263D17DD253B} = 193.104.110.38,4.2.2.1
TCP: {AADEABCD-2492-4F95-ABF4-E14D52384469} = 193.104.110.38,4.2.2.1,66.180.96.12 64.238.96.12
RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



Step 2

Please save this file to your desktop. Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.
"%userprofile%\desktop\win32kdiag.exe" -f -r



Step 3

We need to scan the system with this special tool:

* Please download and save:

Junction.zip

* Unzip it and place Junction.exe in the Windows directory (C:\Windows).
* Go to Start => Run... => Copy and paste the following command in the Run box and click OK:

cmd /c junction -s c:\ >log.txt&log.txt& del log.txt

A command window opens starting to scan the system. Wait until a log file opens. Copy and paste the log in your next reply.



Step 4

Please copy and paste the logs (Combofix, Win32kdiag and Junction) into your reply instead of attaching them. It makes it easier for me, and searchable for others who have similar problems.

Thanks!


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

 


#7 cwbycrshr

cwbycrshr
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:02:11 PM

Posted 21 December 2009 - 11:36 AM

etavares...so far...I am impressed!
For full disclosure:
KittyFix.exe is what downloaded last time. I imagine it is the same thing...but not positive. I attempted to drag CFScript.txt into KittyFix.exe and run it, but it came up as an outdated version and deleted KittyFix.exe automatically. I attempted to re-download from your previous link and got a 404. I then went to another post and found an open link for ComboFix and downloaded it. Dragged CFScript.txt into ComboFix and ran it. Log is posted below.

I screwed up on WIN32Diag and ran it without entering Bold txt into start --> run first. Came up with a log file on my desktop. Realized what I had done and re-ran with the Bold txt you provided and it came up with another log. However, since I did not delete the previous log, it did not save it. I manually deleted the first log, and ran again with the Bold txt in Start --> Run. Since there may be a small variance in the 1st scan and the second, I included both below. Sorry for the brain fart and I hope I did not screw the scan up.

Junction.exe ran flawlessly and is included.

Upon restart by ComboFix, the error log for Notepad.dll etc did not pop up.


ComboFix 09-12-20.08 - H 12/21/2009 9:37.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2443 [GMT -6:00]
Running from: c:\documents and settings\H\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\H\Desktop\CFScript.txt
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}

FILE ::
"C:\acad.exe"
"c:\documents and settings\All Users\Application Data\jasosise.dll"
"c:\program files\lalolezi.dll"
"C:\putabami.dll"
"c:\windows\Pdebezusu.bin"
"c:\windows\system32\daqdrv.sys"
"c:\windows\System32\netapi32F.dll_old"
"c:\windows\System32\sisazibo.dll"
"c:\windows\System32\sobipore.dll"
"c:\windows\System32\supotala.dll"
"c:\windows\System32\yotenodo.dll"
"c:\windows\Yhezisawanu.dat"
"C:\xrvho.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\acad.exe
c:\documents and settings\All Users\Application Data\jasosise.dll
c:\program files\lalolezi.dll
C:\putabami.dll
c:\windows\Pdebezusu.bin
c:\windows\System32\netapi32F.dll_old
c:\windows\system32\sisazibo.dll
c:\windows\System32\sobipore.dll
c:\windows\System32\supotala.dll
c:\windows\System32\yotenodo.dll
c:\windows\Yhezisawanu.dat
C:\xrvho.exe

c:\windows\system32\eventlog.dll was missing
Restored copy from - c:\windows\ServicePackFiles\i386\eventlog.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DAQDRV
-------\Service_daqdrv


((((((((((((((((((((((((( Files Created from 2009-11-21 to 2009-12-21 )))))))))))))))))))))))))))))))
.

2009-12-21 15:43 . 2009-12-21 15:45 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2009-12-21 15:41 . 2008-04-14 00:11 56320 -c--a-w- c:\windows\system32\dllcache\eventlog.dll
2009-12-16 14:28 . 2009-12-16 14:28 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2009-12-16 14:28 . 2009-12-16 14:28 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2009-12-16 14:27 . 2009-12-21 15:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-12-16 14:27 . 2009-12-16 14:27 -------- d-----w- c:\program files\Kaspersky Lab
2009-12-15 22:29 . 2009-12-15 22:29 -------- d-----w- C:\kleaner.tmp
2009-12-15 22:27 . 2009-12-15 22:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-12-15 21:13 . 2009-12-15 21:13 -------- d-----w- c:\program files\Runtime Software
2009-12-15 20:30 . 2009-12-15 20:30 -------- d-----w- c:\program files\TrendMicro
2009-12-15 14:34 . 2009-12-15 14:34 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-21 15:49 . 2009-05-20 19:36 -------- d-----w- c:\program files\GE Security Supra
2009-12-16 14:35 . 2009-12-16 14:35 80400 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\fssync.dll
2009-12-16 14:35 . 2009-12-16 14:35 315408 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\sys\i386\5.1\klif.sys
2009-12-16 14:35 . 2009-12-16 14:35 109072 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\mzvkbd3.dll
2009-12-16 14:35 . 2009-12-16 14:35 80400 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\fssync.dll
2009-12-16 14:35 . 2009-12-16 14:35 109072 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\mzvkbd3.dll
2009-12-16 14:35 . 2009-12-16 14:35 315408 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\sys\i386\5.1\klif.sys
2009-12-15 22:29 . 2009-08-04 00:52 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-12-15 20:31 . 2008-10-12 05:23 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-15 20:30 . 2009-12-15 20:30 388096 ----a-r- c:\documents and settings\H\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2009-12-14 17:13 . 2009-09-21 22:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-11-18 15:58 . 2008-10-12 04:56 -------- d-----w- c:\program files\Java
2009-11-18 15:57 . 2009-07-30 03:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-18 15:57 . 2009-11-18 15:57 152576 ----a-w- c:\documents and settings\H\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-18 15:55 . 2009-11-18 15:55 79488 ----a-w- c:\documents and settings\H\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-03 18:25 . 2009-11-03 18:25 -------- d-----w- c:\documents and settings\H\Application Data\Uniblue
2009-11-03 02:42 . 2009-11-17 23:29 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-29 07:45 . 2004-08-04 05:56 916480 ------w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2004-08-04 05:56 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 05:56 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 02:34 . 2009-10-21 02:34 219664 ----a-w- c:\windows\system32\klogon.dll
2009-10-20 16:54 . 2009-10-20 16:54 59976 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files\Kaspersky Anti-Virus 2010 9.0.0.736\English\setup.exe
2009-10-20 16:20 . 2004-08-04 04:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-15 03:18 . 2009-10-15 03:18 36880 ----a-w- c:\windows\system32\drivers\klbg.sys
2009-10-13 10:30 . 2004-08-04 05:56 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2004-08-04 05:56 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2004-08-04 05:56 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-03 01:39 . 2009-10-03 01:39 19472 ----a-w- c:\windows\system32\drivers\klmouflt.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 88203]
"HWSetup"="c:\program files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [2004-05-01 28672]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784]
"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2005-11-30 73728]
"TPSMain"="TPSMain.exe" [2005-05-31 282624]
"RTHDCPL"="RTHDCPL.EXE" [2005-12-09 15691264]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"lxdemon.exe"="c:\program files\Lexmark 4800 Series\lxdemon.exe" [2007-06-11 455600]
"lxdeamon"="c:\program files\Lexmark 4800 Series\lxdeamon.exe" [2007-06-01 20480]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-18 149280]
"avp"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe" [2009-10-21 340456]

c:\documents and settings\H\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-9-12 813584]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2008-10-11 155648]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 17:28 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKLM\~\startupfolder\C:^Documents and Settings^H^Start Menu^Programs^Startup^uPlayMe.lnk]
path=c:\documents and settings\H\Start Menu\Programs\Startup\uPlayMe.lnk
backup=c:\windows\pss\uPlayMe.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-11-20 19:20 290088 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 --sh--w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 22:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"gusvc"=3 (0x3)
"gupdate"=2 (0x2)
"Apple Mobile Device"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Lexmark 4800 Series\\lxdemon.exe"=
"c:\\WINDOWS\\system32\\lxdecfg.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdepswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdetime.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdejswx.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\system32\\lxdecoms.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [10/14/2009 9:18 PM 36880]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [9/12/2009 1:59 PM 10384]
R2 lxde_device;lxde_device;c:\windows\system32\lxdecoms.exe -service --> c:\windows\system32\lxdecoms.exe -service [?]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [9/14/2009 2:42 PM 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [10/2/2009 7:39 PM 19472]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/14/2009 9:42 AM 133104]
S2 lxdeCATSCustConnectService;lxdeCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdeserv.exe [8/1/2009 11:02 AM 99248]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: turbotax.com
DPF: {6824D897-F7E1-4E41-B84B-B1D3FA4BF1BD} - hxxp://utilities.pcpitstop.com/Exterminate2/pcpitstopAntiVirus.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-21 09:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1416)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(3336)
c:\windows\system32\WININET.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\ge security supra\syncservice.exe
c:\windows\system32\DVDRAMSV.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\GE Security Supra\ProxyDaemon.exe
c:\ssl\stunnel-4.10.exe
c:\windows\system32\lxdecoms.exe
c:\windows\AGRSMMSG.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\TPSBattM.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
c:\windows\system32\msiexec.exe
.
**************************************************************************
.
Completion time: 2009-12-21 09:52:57 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-21 15:52

Pre-Run: 40,497,434,624 bytes free
Post-Run: 40,516,116,480 bytes free

- - End Of File - - 3261295A4E5E4E96E6907E3C2E22DBBE


First Win32Diag.txt

Running from: C:\Documents and Settings\H\desktop\win32kdiag.exe

Log file at : C:\Documents and Settings\H\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\{29F8DDC1-9487-49b8-B27E-3E0C3C1298FF}

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\{29F8DDC1-9487-49b8-B27E-3E0C3C1298FF}



Finished!

Last Win32Diag Scan

Running from: C:\Documents and Settings\H\desktop\win32kdiag.exe

Log file at : C:\Documents and Settings\H\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...





Finished!


Junction v1.05 - Windows junction creator and reparse point viewer
Copyright © 2000-2007 Mark Russinovich
Systems Internals - http://www.sysinternals.com


Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.



Failed to open \\?\c:\\System Volume Information: Access is denied.


Failed to open \\?\c:\\WINDOWS\System Volume Information: Access is denied.



\\?\c:\\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790

\\?\c:\\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e
Substitute Name: C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e

\\?\c:\\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Application.ConfigUXv2\2.1.72.10__540d4816ead86321: JUNCTION
Print Name : C:\WINDOWS\WinSxS\MSIL_Intuit.Spc.Esd.WinClient.Application.ConfigUXv2_540d4816ead86321_2.1.72.10_x-ww_a732e08
Substitute Name: C:\WINDOWS\WinSxS\MSIL_Intuit.Spc.Esd.WinClient.Application.ConfigUXv2_540d4816ead86321_2.1.72.10_x-ww_a732e08

\\?\c:\\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Application.Update\2.1.72.10__540d4816ead86321: JUNCTION
Print Name : C:\WINDOWS\WinSxS\MSIL_Intuit.Spc.Esd.WinClient.Application.Update_540d4816ead86321_2.1.72.10_x-ww_c5e9e600
Substitute Name: C:\WINDOWS\WinSxS\MSIL_Intuit.Spc.Esd.WinClient.Application.Update_540d4816ead86321_2.1.72.10_x-ww_c5e9e600


I'll look forward to hearing from you again.
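Two of the indicators in this exchange lend themselves to mechanical triage: the per-interface DNS servers that DDS lists on its "TCP:" lines (the entries the CFScript above removes), and the mount point Win32kDiag found under $hf_mig$ whose destination is a \Device\ object rather than a drive path, unlike the ordinary WinSxS junctions Junction reported. The Python below is an added example, not part of this thread or of DDS, ComboFix, Win32kDiag or Junction; EXPECTED_RESOLVERS is a placeholder allowlist an admin would fill from their own ISP/DHCP settings, and the sample lines are constructed from the logs posted above.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: lines copied in shape from the DDS, Win32kDiag and Junction
# output posted in this thread.  DDS "TCP:" lines list the DNS servers set on
# each network interface (keyed by GUID); Win32kDiag and Junction each report a
# reparse point (mount point / junction) and the location it redirects to.
SAMPLE_LOG = r"""
TCP: {179E5F53-6513-4FA6-867E-263D17DD253B} = 193.104.110.38,4.2.2.1
TCP: {AADEABCD-2492-4F95-ABF4-E14D52384469} = 193.104.110.38,4.2.2.1,66.180.96.12 64.238.96.12
Found mount point : C:\WINDOWS\$hf_mig$\{29F8DDC1-9487-49b8-B27E-3E0C3C1298FF}
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\{29F8DDC1-9487-49b8-B27E-3E0C3C1298FF}
\\?\c:\\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
"""

# Placeholder allowlist (assumption): the resolvers this machine is *expected*
# to use, which an admin fills from the ISP/DHCP settings.  Anything else is
# flagged for review; "flagged" means "not expected", not "proven malicious".
EXPECTED_RESOLVERS = {"4.2.2.1"}

DNS_LINE = re.compile(r"^TCP:\s*(\{[0-9A-Fa-f-]+\})\s*=\s*(.+)$")
# Win32kDiag prints the mount point and its destination on separate lines.
MOUNT_SRC = re.compile(r"^Found mount point\s*:\s*(.+)$")
MOUNT_DST = re.compile(r"^Mount point destination\s*:\s*(.+)$")
# Junction prints "<path>: JUNCTION" followed by Print Name / Substitute Name.
JUNCTION_SRC = re.compile(r"^(\\\\\?\\.+):\s*JUNCTION$")
JUNCTION_DST = re.compile(r"^Substitute Name:\s*(.+)$")
# A normal reparse target is a drive-letter path such as C:\WINDOWS\WinSxS\...
DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")


def parse_dns_servers(log: str) -> Dict[str, List[str]]:
    """Map interface GUID -> DNS servers from DDS 'TCP:' lines.
    DDS separates servers with commas, occasionally with spaces."""
    servers: Dict[str, List[str]] = {}
    for line in log.splitlines():
        m = DNS_LINE.match(line.strip())
        if m:
            servers[m.group(1)] = [s for s in re.split(r"[,\s]+", m.group(2)) if s]
    return servers


def unexpected_resolvers(log: str, expected=EXPECTED_RESOLVERS) -> List[Tuple[str, str]]:
    """(interface, server) pairs whose resolver is not on the allowlist."""
    return sorted({(iface, ip)
                   for iface, ips in parse_dns_servers(log).items()
                   for ip in ips if ip not in expected})


def parse_reparse_points(log: str) -> List[Tuple[str, str]]:
    """Pair each reparse point (mount point or junction) with its destination."""
    points: List[Tuple[str, str]] = []
    pending = None
    for line in log.splitlines():
        line = line.strip()
        m = MOUNT_SRC.match(line) or JUNCTION_SRC.match(line)
        if m:
            pending = m.group(1)
            continue
        m = MOUNT_DST.match(line) or JUNCTION_DST.match(line)
        if m and pending is not None:
            points.append((pending, m.group(1)))
            pending = None
    return points


def suspicious_reparse_points(log: str) -> List[Tuple[str, str]]:
    """Reparse points whose destination is not a plain drive-letter path,
    e.g. one that redirects into a \\Device\\... object instead of a folder."""
    return [(src, dst) for src, dst in parse_reparse_points(log)
            if not DRIVE_PATH.match(dst)]


if __name__ == "__main__":
    for iface, ip in unexpected_resolvers(SAMPLE_LOG):
        print(f"REVIEW resolver {ip} on interface {iface}")
    for src, dst in suspicious_reparse_points(SAMPLE_LOG):
        print(f"REVIEW reparse point {src} -> {dst}")
```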

#8 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:11 PM

Posted 21 December 2009 - 07:05 PM

Hello, cwbycrshr.
Thanks, glad you're impressed. Does that mean the redirects have stopped? Also, are you able to get into safe mode now? Once you check, please reboot into normal mode to continue with the instructions below.

For now, let's see if you can get MBAM working again by following the instructions below. Then, we'll get a second opinion from an online scanner. Once that's done we'll know better where we stand. Don't be alarmed if MBAM and/or ESET have positives, they should detect a lot of the files we just quarantined. We're making some good progress.



Step 1

Try to launch Malwarebytes' Anti-Malware. If it works, please skip to Step 2. If not, please continue below.

Please uninstall any of the following program(s) using Add/Remove Programs if they are present. To do this, go to Start > Settings > Control Panel and double-click on Add/Remove Programs. From within Add/Remove Programs highlight each one and select Remove.

Malwarebytes' Anti-Malware


Be sure to reboot when done.



Step 2

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.



Step 3

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


Step 4

In your reply, please include:
  • If your redirect problem is fixed.
  • If you can get into safe mode now.
  • The MBAM log.
  • The ESET log. (there won't be one if it didn't find anything)
  • A new DDS log.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

 


#9 cwbycrshr

cwbycrshr
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:02:11 PM

Posted 22 December 2009 - 09:30 AM

etavares,
I think we are making great progress...I also believe ESET uncovered the main problems.
The redirect issue is fixed and I can boot into safe mode now. Start up is still very slow with one of 7(??) SVCHOST.EXE eating 85-100% CPU.
Below are the MBAM, ESET, and DDS Logs. I did not include the Attach.Log from DDS as it was not requested.
Note: I did not request ESET to delete the results of the scan. I did not see where you had requested me to do so.

Malwarebytes' Anti-Malware 1.42
Database version: 3406
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/21/2009 6:51:56 PM
mbam-log-2009-12-21 (18-51-56).txt

Scan type: Quick Scan
Objects scanned: 117579
Time elapsed: 5 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mbt (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mfa (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\H\ntload.dll (Trojan.Agent) -> Quarantined and deleted successfully.


ESET LOG
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Nurech1.zip Win32/Bagle.gen.zip worm
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC.zip Win32/Bagle.gen.zip worm
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp1.zip Win32/Bagle.gen.zip worm
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondesdn.zip Win32/Bagle.gen.zip worm
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentieu.zip Win32/Bagle.gen.zip worm
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentwiw.zip Win32/Bagle.gen.zip worm
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentwiw1.zip Win32/Bagle.gen.zip worm
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinFraudLoadedt7.zip Win32/Bagle.gen.zip worm
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinFraudLoadedt8.zip Win32/Bagle.gen.zip worm
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinZBot.zip Win32/Bagle.gen.zip worm
C:\Documents and Settings\H\Application Data\Sun\Java\Deployment\cache\6.0\47\7db5b32f-605862fa probably a variant of Win32/Agent trojan
C:\Documents and Settings\H\Application Data\Sun\Java\Deployment\cache\6.0\7\4a543a07-6675229a probably a variant of Win32/Agent trojan
C:\Documents and Settings\H\Application Data\Sun\Java\Deployment\cache\6.0\9\10e47c09-13e4b5fd probably a variant of Win32/Agent trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\lsm32.sys.vir a variant of Win32/TrojanClicker.VB.NMD trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir Win32/Olmarik.OF virus
C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\Desktop.htt Win32/TrojanDownloader.FakeAlert.AED virus


DDS (Ver_09-12-01.01) - NTFSx86
Run by H at 8:19:03.06 on Tue 12/22/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2486 [GMT -6:00]

AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\program files\ge security supra\syncservice.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\GE Security Supra\ProxyDaemon.exe
C:\WINDOWS\system32\lxdecoms.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\SSL\stunnel-4.10.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Lexmark 4800 Series\lxdemon.exe
C:\Program Files\Lexmark 4800 Series\lxdeamon.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtblfs.exe
C:\Documents and Settings\H\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\ievkbd.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [HWSetup] c:\program files\toshiba\toshiba applet\HWSetup.exe hwSetUP
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [Tvs] c:\program files\toshiba\tvs\TvsTray.exe
mRun: [TPSMain] TPSMain.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [lxdemon.exe] "c:\program files\lexmark 4800 series\lxdemon.exe"
mRun: [lxdeamon] "c:\program files\lexmark 4800 series\lxdeamon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [avp] "c:\program files\kaspersky lab\kaspersky anti-virus 2010\avp.exe"
StartupFolder: c:\docume~1\h\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: turbotax.com
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/betapit/PCPitStop.CAB
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {6824D897-F7E1-4E41-B84B-B1D3FA4BF1BD} - hxxp://utilities.pcpitstop.com/Exterminate2/pcpitstopAntiVirus.dll
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7}
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Notify: igfxcui - igfxdev.dll
Notify: klogon - c:\windows\system32\klogon.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

============= SERVICES / DRIVERS ===============

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-10-14 36880]
R1 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2009-9-1 128016]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2009-12-16 315408]
R2 AVP;Kaspersky Anti-Virus;c:\program files\kaspersky lab\kaspersky anti-virus 2010\avp.exe [2009-10-20 340456]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2009-9-12 10384]
R2 lxde_device;lxde_device;c:\windows\system32\lxdecoms.exe -service --> c:\windows\system32\lxdecoms.exe -service [?]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2009-9-14 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-10-2 19472]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-9-14 133104]
S2 lxdeCATSCustConnectService;lxdeCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdeserv.exe [2009-8-1 99248]

=============== Created Last 30 ================

2009-12-22 01:00:44 0 d-----w- c:\program files\ESET
2009-12-22 00:43:40 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-22 00:43:37 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-22 00:43:37 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-21 16:01:24 95616 ----a-w- c:\windows\junction.exe
2009-12-21 15:41:05 56320 -c--a-w- c:\windows\system32\dllcache\eventlog.dll
2009-12-21 15:41:05 56320 ------w- c:\windows\system32\eventlog.dll
2009-12-21 15:35:50 98816 ----a-w- c:\windows\sed.exe
2009-12-21 15:35:50 77312 ----a-w- c:\windows\MBR.exe
2009-12-21 15:35:50 261632 ----a-w- c:\windows\PEV.exe
2009-12-21 15:35:50 161792 ----a-w- c:\windows\SWREG.exe
2009-12-20 18:56:49 0 d-sha-r- C:\cmdcons
2009-12-16 14:28:42 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2009-12-16 14:28:42 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2009-12-16 14:27:11 0 d-----w- c:\program files\Kaspersky Lab
2009-12-16 14:27:11 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab
2009-12-15 22:29:25 0 d-----w- C:\kleaner.tmp
2009-12-15 22:27:35 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2009-12-15 21:13:58 0 d-----w- c:\program files\Runtime Software
2009-12-15 20:30:09 0 d-----w- c:\program files\TrendMicro

==================== Find3M ====================

2009-11-18 15:57:37 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-03 02:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-29 07:45:38 916480 ------w- c:\windows\system32\wininet.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 02:34:56 219664 ----a-w- c:\windows\system32\klogon.dll
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll

============= FINISH: 8:19:51.46 ===============

I am leaving to go out of town for a couple of days. I will be back on Thursday and will resume with your directions.
Thank you for all your help. This machine is already running better and I look forward to getting the rest of the problems removed.
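Added example (not part of the thread, and not code from ESET, Spybot or ComboFix): the ESET log above mixes three kinds of hit. Ten entries are inside Spybot's Recovery folder (its own backups of items it already removed), two are ComboFix's Qoobox quarantine copies (the .vir files), three are Java deployment-cache entries, and only one, Desktop.htt under the system profile, sits on a live path. Bucketing scanner hits by path before acting on them is the triage a responder does by hand; the Python below does it over the posted lines. The quarantine and cache directory markers are my assumption, not something ESET or the thread defines, so extend them for other scanners' quarantine folders.

```python
import re
from collections import defaultdict

# The 16 detection lines below are copied from the ESET Online Scanner log in
# the post above (not constructed).  Raw string so the backslashes survive.
ESET_LOG = r"""
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Nurech1.zip Win32/Bagle.gen.zip worm
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC.zip Win32/Bagle.gen.zip worm
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp1.zip Win32/Bagle.gen.zip worm
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondesdn.zip Win32/Bagle.gen.zip worm
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentieu.zip Win32/Bagle.gen.zip worm
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentwiw.zip Win32/Bagle.gen.zip worm
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentwiw1.zip Win32/Bagle.gen.zip worm
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinFraudLoadedt7.zip Win32/Bagle.gen.zip worm
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinFraudLoadedt8.zip Win32/Bagle.gen.zip worm
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinZBot.zip Win32/Bagle.gen.zip worm
C:\Documents and Settings\H\Application Data\Sun\Java\Deployment\cache\6.0\47\7db5b32f-605862fa probably a variant of Win32/Agent trojan
C:\Documents and Settings\H\Application Data\Sun\Java\Deployment\cache\6.0\7\4a543a07-6675229a probably a variant of Win32/Agent trojan
C:\Documents and Settings\H\Application Data\Sun\Java\Deployment\cache\6.0\9\10e47c09-13e4b5fd probably a variant of Win32/Agent trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\lsm32.sys.vir a variant of Win32/TrojanClicker.VB.NMD trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir Win32/Olmarik.OF virus
C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\Desktop.htt Win32/TrojanDownloader.FakeAlert.AED virus
"""

# Assumed directory markers (lower-case, surrounded by path separators).
# Hits under these are copies a cleaner already pulled out of the live system.
QUARANTINE_MARKERS = (
    "\\spybot - search & destroy\\recovery\\",   # Spybot S&D backups
    "\\qoobox\\quarantine\\",                     # ComboFix quarantine (.vir)
)
# Browser/plug-in caches: clearing the cache removes them, no system file is involved.
CACHE_MARKERS = ("\\sun\\java\\deployment\\cache\\",)

# ESET prints "<path> <verdict>"; the path contains spaces, so anchor on the
# verdict, which always carries a "Win32/" family name.
VERDICT = re.compile(
    r"^(?P<path>.+?) +(?P<verdict>(?:probably )?(?:a variant of )?Win32/\S.*)$"
)


def parse_line(line):
    """Split one ESET log line into (path, verdict); None for non-detection lines."""
    m = VERDICT.match(line.strip())
    return (m.group("path"), m.group("verdict")) if m else None


def classify(path):
    """Bucket a detection by where the file lives: quarantined, cache or live."""
    p = path.lower()
    if any(marker in p for marker in QUARANTINE_MARKERS):
        return "quarantined"
    if any(marker in p for marker in CACHE_MARKERS):
        return "cache"
    return "live"


def triage(log_text):
    """Return {bucket: [(path, verdict), ...]} for every detection in the log."""
    buckets = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is not None:
            buckets[classify(parsed[0])].append(parsed)
    return dict(buckets)


def live_hits(log_text):
    """Only the paths that still need a removal action on the running system."""
    return [path for path, _ in triage(log_text).get("live", [])]


if __name__ == "__main__":
    for bucket, hits in triage(ESET_LOG).items():
        print(f"{bucket}: {len(hits)}")
    for path in live_hits(ESET_LOG):
        print("needs action:", path)
```

The single live hit is the file the helper's ComboFix script later deletes, and the three cache hits are handled by clearing the Java cache; the quarantined copies are dead files that can be emptied from the respective tool rather than "cleaned" again.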

#10 etavares (Malware Response Team)

Posted 22 December 2009 - 03:36 PM

EDIT: didn't mean to post here. I'll post something in the next day or two once I look at your logs.

Edited by etavares, 22 December 2009 - 03:36 PM.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#11 etavares (Malware Response Team)

Posted 22 December 2009 - 07:14 PM

Hello, cwbycrshr.
Glad to hear things are working better. Thanks for letting me know you'll be out of town; we can keep this thread open since it's only a couple of days. We need to take care of a few more items that ESET found. We'll also run a script to see what exactly svchost.exe is calling. Many legit processes use it and we need more information to understand if it is a malware problem.

Step 1

We need to clear your java cache as some malware is hiding there.
  • Go to Start --> Control Panel
  • Double-click the Java icon and the Java Control Panel will appear.
  • Click Settings under Temporary Internet Files
  • Click Delete Files
  • Ensure ALL three boxes are checked.
  • Click OK twice, then close down the Java window.


Step 2

Please download Processes.vbs by PropagandaPanda and save it to your desktop.

Double-click processes.vbs on your desktop. If security software blocks it, please allow it to run. If you can't get it to run, please unplug your computer from the internet, turn off your antivirus and any anti-spyware programs then run it.

A log file will open in a moment. Please copy and paste it into your reply.

If you did have to unplug from the internet and turn off your security software, please turn it back on first, then plug your network cable back into your computer.



Step 3

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\Desktop.htt
DDS::
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
TB: {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - No File


Save this as CFScript.txt, in the same location as ComboFix.exe


Drag CFScript.txt onto ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



Step 4

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


Step 5

In your reply, please:
  • Confirm you deleted the java cache
  • post the combofix log
  • Post the results of the Kaspersky scan
  • Please attach the log from the processes.vbs script.
  • Please post an updated DDS log, please include attach.txt this time.


 


#12 cwbycrshr (Topic Starter)

Posted 24 December 2009 - 01:04 PM

Hi etavares,
I'm back in town and have attempted to do everything you asked.
The Java Cache has been deleted.
ComboFix.Log is included.
Kaspersky Online Scanner is unavailable at this time.
I re-downloaded DDS.scr and attempted to run it a couple of times. Each time it came up with a blank screen that went away in a second. It did not perform any scans. Not sure what I am doing wrong there...I went back to the 1st topic in the HJT Forum and followed the instructions again just to make sure. Same result.
Process.vbs log is attached.
Just for good measure I included the attach.txt from DDS when I scanned it a few days ago and did not attach it.

ComboFix 09-12-24.02 - H 12/24/2009 11:33:52.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2441 [GMT -6:00]
Running from: c:\documents and settings\H\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\H\Desktop\CFScript.txt
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}

FILE ::
"c:\windows\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\Desktop.htt"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\Desktop.htt

.
((((((((((((((((((((((((( Files Created from 2009-11-24 to 2009-12-24 )))))))))))))))))))))))))))))))
.

2009-12-22 01:00 . 2009-12-22 01:00 -------- d-----w- c:\program files\ESET
2009-12-22 00:43 . 2009-12-03 22:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-22 00:43 . 2009-12-22 00:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-22 00:43 . 2009-12-03 22:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-21 16:01 . 2007-07-24 21:58 95616 ----a-w- c:\windows\junction.exe
2009-12-21 15:43 . 2009-12-21 15:45 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2009-12-16 14:35 . 2009-12-16 14:35 80400 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\fssync.dll
2009-12-16 14:35 . 2009-12-16 14:35 315408 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\sys\i386\5.1\klif.sys
2009-12-16 14:35 . 2009-12-16 14:35 109072 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\mzvkbd3.dll
2009-12-16 14:35 . 2009-12-16 14:35 80400 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\fssync.dll
2009-12-16 14:35 . 2009-12-16 14:35 109072 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\mzvkbd3.dll
2009-12-16 14:35 . 2009-12-16 14:35 315408 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\sys\i386\5.1\klif.sys
2009-12-16 14:28 . 2009-12-16 14:28 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2009-12-16 14:28 . 2009-12-16 14:28 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2009-12-16 14:27 . 2009-12-23 17:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-12-16 14:27 . 2009-12-16 14:27 -------- d-----w- c:\program files\Kaspersky Lab
2009-12-15 22:29 . 2009-12-15 22:29 -------- d-----w- C:\kleaner.tmp
2009-12-15 22:27 . 2009-12-15 22:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-12-15 21:13 . 2009-12-15 21:13 -------- d-----w- c:\program files\Runtime Software
2009-12-15 20:30 . 2009-12-15 20:30 388096 ----a-r- c:\documents and settings\H\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2009-12-15 20:30 . 2009-12-15 20:30 -------- d-----w- c:\program files\TrendMicro
2009-12-15 14:34 . 2009-12-15 14:34 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-24 17:39 . 2009-05-20 19:36 -------- d-----w- c:\program files\GE Security Supra
2009-12-24 17:01 . 2008-10-30 20:04 -------- d-----w- c:\program files\Google
2009-12-15 22:29 . 2009-08-04 00:52 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-12-15 20:31 . 2008-10-12 05:23 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-14 17:13 . 2009-09-21 22:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-11-18 15:58 . 2008-10-12 04:56 -------- d-----w- c:\program files\Java
2009-11-18 15:57 . 2009-07-30 03:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-18 15:57 . 2009-11-18 15:57 152576 ----a-w- c:\documents and settings\H\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-18 15:55 . 2009-11-18 15:55 79488 ----a-w- c:\documents and settings\H\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-03 18:25 . 2009-11-03 18:25 -------- d-----w- c:\documents and settings\H\Application Data\Uniblue
2009-11-03 02:42 . 2009-11-17 23:29 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-29 07:45 . 2004-08-04 05:56 916480 ------w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2004-08-04 05:56 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 05:56 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 02:34 . 2009-10-21 02:34 219664 ----a-w- c:\windows\system32\klogon.dll
2009-10-20 16:54 . 2009-10-20 16:54 59976 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files\Kaspersky Anti-Virus 2010 9.0.0.736\English\setup.exe
2009-10-20 16:20 . 2004-08-04 04:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-15 03:18 . 2009-10-15 03:18 36880 ----a-w- c:\windows\system32\drivers\klbg.sys
2009-10-13 10:30 . 2004-08-04 05:56 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2004-08-04 05:56 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2004-08-04 05:56 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-03 01:39 . 2009-10-03 01:39 19472 ----a-w- c:\windows\system32\drivers\klmouflt.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 88203]
"HWSetup"="c:\program files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [2004-05-01 28672]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784]
"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2005-11-30 73728]
"TPSMain"="TPSMain.exe" [2005-05-31 282624]
"RTHDCPL"="RTHDCPL.EXE" [2005-12-09 15691264]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"lxdemon.exe"="c:\program files\Lexmark 4800 Series\lxdemon.exe" [2007-06-11 455600]
"lxdeamon"="c:\program files\Lexmark 4800 Series\lxdeamon.exe" [2007-06-01 20480]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-18 149280]
"avp"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe" [2009-10-21 340456]

c:\documents and settings\H\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-9-12 813584]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2008-10-11 155648]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 17:28 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKLM\~\startupfolder\C:^Documents and Settings^H^Start Menu^Programs^Startup^uPlayMe.lnk]
path=c:\documents and settings\H\Start Menu\Programs\Startup\uPlayMe.lnk
backup=c:\windows\pss\uPlayMe.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-11-20 19:20 290088 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 --sh--w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 22:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"gusvc"=3 (0x3)
"gupdate"=2 (0x2)
"Apple Mobile Device"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Lexmark 4800 Series\\lxdemon.exe"=
"c:\\WINDOWS\\system32\\lxdecfg.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdepswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdetime.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdejswx.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\system32\\lxdecoms.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [10/14/2009 9:18 PM 36880]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [9/12/2009 1:59 PM 10384]
R2 lxde_device;lxde_device;c:\windows\system32\lxdecoms.exe -service --> c:\windows\system32\lxdecoms.exe -service [?]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [9/14/2009 2:42 PM 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [10/2/2009 7:39 PM 19472]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/14/2009 9:42 AM 133104]
S2 lxdeCATSCustConnectService;lxdeCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdeserv.exe [8/1/2009 11:02 AM 99248]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: turbotax.com
DPF: {6824D897-F7E1-4E41-B84B-B1D3FA4BF1BD} - hxxp://utilities.pcpitstop.com/Exterminate2/pcpitstopAntiVirus.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-24 11:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1432)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
c:\windows\system32\igfxdev.dll
.
Completion time: 2009-12-24 11:42:34
ComboFix-quarantined-files.txt 2009-12-24 17:42
ComboFix2.txt 2009-12-21 15:52

Pre-Run: 40,218,939,392 bytes free
Post-Run: 40,343,359,488 bytes free

- - End Of File - - D1AEF18AD176AE951FFE509F8D45C0E2

I will attempt the Kaspersky Online scanner again after Christmas and re-try the DDS scan when i reboot.
Have a Merry Christmas and I will look forward to hearing from you again.




#13 etavares (Malware Response Team)

Posted 26 December 2009 - 11:14 AM

Hello, cwbycrshr.
Merry Christmas!

If you can't get DDS to work, please run the OTL scan as below (Step 1), otherwise just post the new DDS log.
If you can't get the Kaspersky scan to work, please run the BitDefender scan below (Step 2).
We also need to update Adobe Reader...you have version 9.1.3 installed, and 9.2 is the current version with more security updates. Please see Step 3.

I believe the svchost.exe high CPU usage you are experiencing is not due to malware, and this final check will shed some light on it. If it's not malware, I'll refer you to another forum.

Thanks!




Step 1

If you can't run DDS:

We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized


Step 2

If Kaspersky is still down....

Please run a BitDefender Online Scan
  • Click I Agree to agree to the EULA.
  • Allow the ActiveX control to install when prompted.
  • Click Click here to scan to begin the scan.
  • Please refrain from using the computer until the scan is finished. This might take a while to run, but it is important that nothing else is running while you scan.
  • When the scan is finished, click on Click here to export the scan results.
  • Save the report to your desktop so you can post it in your next reply.


Step 3

You are using an outdated version of Adobe Reader. Adobe Reader has since been updated, and the update closes many security holes and provides new features.

First, uninstall earlier versions of Adobe Reader.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all versions of Adobe Reader.
  • Check (highlight) any item with Adobe Reader in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Adobe Reader version.
Please download the latest version from:
http://get.adobe.com/reader/

And install it. Once installed, launch it, select Help --> Check for Updates and install any updates.


You may also try the free Foxit PDF reader if you prefer:
http://www.foxitsoftware.com/pdf/reader/



Step 4

In your reply, please post:
  • DDS or OTL log
  • Kaspersky or BitDefender log
  • List of any remaining issues
Thanks!


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators


#14 cwbycrshr

  • Topic Starter
  • Members
  • 22 posts

Posted 26 December 2009 - 03:35 PM

etavares,
I have had a wonderful Christmas break and I hope you have also.
I did get DDS to run and checked on Kaspersky's online scanner and it is still unavailable.
I tried BitDefender's and a few minutes after clicking Scan Now...it just times out. I am short on time today, but will re-attempt Monday.
For now, the new DDS results are included. (UPDATE...do not see the attachment icon. For some reason it is missing. I will re-try to attach Attach.txt on Monday.)
After I finish all instructions Monday, I will post results along with an update when I get Adobe re-installed.

Thanks for all your help and enjoy what is left of the weekend....and year for that matter :)

DDS (Ver_09-12-01.01) - NTFSx86
Run by H at 14:22:19.12 on Sat 12/26/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2486 [GMT -6:00]

AV: Kaspersky Anti-Virus *On-access scanning disabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\program files\ge security supra\syncservice.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\GE Security Supra\ProxyDaemon.exe
C:\SSL\stunnel-4.10.exe
C:\WINDOWS\system32\lxdecoms.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Lexmark 4800 Series\lxdemon.exe
C:\Program Files\Lexmark 4800 Series\lxdeamon.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtblfs.exe
C:\Documents and Settings\H\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\ievkbd.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10c.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [HWSetup] c:\program files\toshiba\toshiba applet\HWSetup.exe hwSetUP
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [Tvs] c:\program files\toshiba\tvs\TvsTray.exe
mRun: [TPSMain] TPSMain.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [lxdemon.exe] "c:\program files\lexmark 4800 series\lxdemon.exe"
mRun: [lxdeamon] "c:\program files\lexmark 4800 series\lxdeamon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [avp] "c:\program files\kaspersky lab\kaspersky anti-virus 2010\avp.exe"
StartupFolder: c:\docume~1\h\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: turbotax.com
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/betapit/PCPitStop.CAB
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {6824D897-F7E1-4E41-B84B-B1D3FA4BF1BD} - hxxp://utilities.pcpitstop.com/Exterminate2/pcpitstopAntiVirus.dll
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7}
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Notify: igfxcui - igfxdev.dll
Notify: klogon - c:\windows\system32\klogon.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

============= SERVICES / DRIVERS ===============

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-10-14 36880]
R1 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2009-9-1 128016]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2009-12-16 315408]
R2 AVP;Kaspersky Anti-Virus;c:\program files\kaspersky lab\kaspersky anti-virus 2010\avp.exe [2009-10-20 340456]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2009-9-12 10384]
R2 lxde_device;lxde_device;c:\windows\system32\lxdecoms.exe -service --> c:\windows\system32\lxdecoms.exe -service [?]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2009-9-14 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-10-2 19472]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-9-14 133104]
S2 lxdeCATSCustConnectService;lxdeCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdeserv.exe [2009-8-1 99248]

=============== Created Last 30 ================

2009-12-22 01:00:44 0 d-----w- c:\program files\ESET
2009-12-22 00:43:40 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-22 00:43:37 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-22 00:43:37 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-21 16:01:24 95616 ----a-w- c:\windows\junction.exe
2009-12-21 15:41:05 56320 -c--a-w- c:\windows\system32\dllcache\eventlog.dll
2009-12-21 15:41:05 56320 ------w- c:\windows\system32\eventlog.dll
2009-12-21 15:35:50 98816 ----a-w- c:\windows\sed.exe
2009-12-21 15:35:50 77312 ----a-w- c:\windows\MBR.exe
2009-12-21 15:35:50 261632 ----a-w- c:\windows\PEV.exe
2009-12-21 15:35:50 161792 ----a-w- c:\windows\SWREG.exe
2009-12-20 18:56:49 0 d-sha-r- C:\cmdcons
2009-12-16 14:28:42 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2009-12-16 14:28:42 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2009-12-16 14:27:11 0 d-----w- c:\program files\Kaspersky Lab
2009-12-16 14:27:11 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab
2009-12-15 22:29:25 0 d-----w- C:\kleaner.tmp
2009-12-15 22:27:35 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2009-12-15 21:13:58 0 d-----w- c:\program files\Runtime Software
2009-12-15 20:30:09 0 d-----w- c:\program files\TrendMicro

==================== Find3M ====================

2009-11-18 15:57:37 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-03 02:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-29 07:45:38 916480 ------w- c:\windows\system32\wininet.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 02:34:56 219664 ----a-w- c:\windows\system32\klogon.dll
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll

============= FINISH: 14:22:45.96 ===============
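An added example, not code from the thread or from the DDS tool: a small Python triage pass over the DDS log format posted above. It parses the "Running Processes" and "SERVICES / DRIVERS" sections and flags the entries a responder would check first (bare svchost.exe lines with no path, images outside the Windows and Program Files trees, and services whose file DDS could not find, marked "[?]"). The sample log is a constructed excerpt in the same format, and the set of trusted roots is an assumption.

```python
"""Triage helper for the DDS log format quoted in this thread (added example,
not part of the original posts or of the DDS tool). It parses the
'Running Processes' and 'SERVICES / DRIVERS' sections and flags processes
without a full path, images outside Windows / Program Files, and services
whose file DDS could not find (the trailing '[?]' marker)."""
import re

# Constructed sample, shortened from the log format posted above.
SAMPLE_LOG = r"""
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\SSL\stunnel-4.10.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Documents and Settings\H\Desktop\dds.scr
============= SERVICES / DRIVERS ===============
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-10-14 36880]
R2 lxde_device;lxde_device;c:\windows\system32\lxdecoms.exe -service --> c:\windows\system32\lxdecoms.exe -service [?]
"""

TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")  # assumed allow-list

def sections(log):
    """Split a DDS log into {SECTION NAME: [non-blank lines]} on its '===' headers."""
    out, current = {}, None
    for line in log.splitlines():
        header = re.match(r"^=+\s*(.+?)\s*=+$", line)
        if header:
            current = header.group(1).upper()
            out[current] = []
        elif current is not None and line.strip():
            out[current].append(line.strip())
    return out

def triage(log):
    """Return (reason, line) findings; a human still decides what is benign."""
    secs, findings = sections(log), []
    for line in secs.get("RUNNING PROCESSES", []):
        image = re.split(r"\s+-", line)[0]  # drop 'svchost -k group' style args
        if not re.match(r"^[a-zA-Z]:\\", image):
            findings.append(("no path", line))
        elif not image.lower().startswith(TRUSTED_ROOTS):
            findings.append(("outside Windows/Program Files", line))
    for line in secs.get("SERVICES / DRIVERS", []):
        if line.endswith("[?]"):
            findings.append(("image file not found", line))
    return findings
```

The flagged entries are leads for manual review, not verdicts; the dds.scr line, for instance, is the DDS tool itself running from the desktop.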

#15 cwbycrshr

  • Topic Starter
  • Members
  • 22 posts

Posted 27 December 2009 - 07:31 PM

etavares,
I snuck into the office tonight to try BitDefender and/or Kaspersky online scanner again to no avail. Kaspersky online is still unavailable and BitDefender will not download the virus signatures. It pops up with a window saying "BitDefender failed to update virus signatures...do you want to scan anyway".
I clicked no, since I am assuming that without the virus signatures, scanning would be in vain.
I did get the Attach.txt from the last DDS scan to attach this time. I also made time to un-install the previous Adobe and install Adobe 9.2.

I will re-try Kaspersky or BitDefender ASAP.

Only other noticeable issues are:
Slow restart time, which likely has to do with so many processes starting.
Upon opening my MLS web page (a web page that has to be logged into) it pops up dozens of times when I click on it from my Favorites file just once. There is a repeat window that shows up that says "do you want to close this page" with Yes or No boxes to click. Fairly annoying when you have to click Yes 20 times to get into the secure site.

Thanks and I will post as soon as I get Kaspersky or BitDefender to run.
