
WinSpywareProtect and SysGuard via virtumonde


This topic is locked
23 replies to this topic

#1 noobalicious


  • Members
  • 69 posts

Posted 14 January 2010 - 02:53 AM

I can't get on the internet, or boot in safe mode, so anything that I install is via flashdrive from my laptop that IS working on the internet. So websites that do free scans won't work until navigation functions are restored.

Here's my HJT. I'm pretty sure it's the R entries... Thanks, you guys dominate malware!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:18:46 PM, on 1/13/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\DeviceVM\Browser Configuration Utility\BCUService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R3 - URLSearchHook: SearchHook Class - {BC86E1AB-EDA5-4059-938F-CE307B0C6F0A} - C:\Program Files\DeviceVM\Browser Configuration Utility\AddressBarSearch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CStat - {DD92DE22-ED91-4560-B788-DEE2B26612E6} - C:\Program Files\DeviceVM\Browser Configuration Utility\IEHelper.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [pgyjwrsn] C:\Documents and Settings\Alan\Local Settings\Application Data\ikbrdg\eqqqsysguard.exe
O4 - HKCU\..\Run: [pgyjwrsn] C:\Documents and Settings\Alan\Local Settings\Application Data\ikbrdg\eqqqsysguard.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {48DF87EE-F2DE-11D8-BE7F-302050C10801} (FlyLoader Class) - http://www.flysuite.com/flyword/loaderword_win.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1231403778687
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1231403773968
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Browser Configuration Utility Service (BCUService) - DeviceVM, Inc. - C:\Program Files\DeviceVM\Browser Configuration Utility\BCUService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7139 bytes
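A responder reading a HijackThis log like the one above usually does the same triage by eye: the R0/R1 lines are checked against the browser's default URLs, and each O4 autorun entry is checked for where its target lives and how it is registered. The script below is an added example of that triage logic written here for this thread; it is not code from the forum, the poster, or the HijackThis project. The sample lines are copied from the log posted above (they are not constructed), while the set of user-writable profile directories and the list of expected hosts for the R entries are assumptions chosen for the example. It flags an O4 entry when its target sits under the user's Local Settings\Application Data (or a similar per-user writable location) and adds weight when the same value name and target are registered under both HKLM and HKCU, which is redundant persistence that legitimate installers rarely set up.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Sample lines copied from the HijackThis log posted above (not constructed).
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [pgyjwrsn] C:\Documents and Settings\Alan\Local Settings\Application Data\ikbrdg\eqqqsysguard.exe
O4 - HKCU\..\Run: [pgyjwrsn] C:\Documents and Settings\Alan\Local Settings\Application Data\ikbrdg\eqqqsysguard.exe
"""

# O4 - HKLM\..\Run: [value name] command line
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# R0/R1 - registry key = value (R3 URLSearchHook lines have no '=' and are skipped)
R_RE = re.compile(r"^R[0-3] - (?P<key>[^=]+?) = (?P<value>.*)$")
# First absolute path to a PE-style file inside an unquoted command line
PATH_RE = re.compile(r"(?i)[a-z]:\\[^\",]*?\.(?:exe|dll|scr|com|bat|cmd)")
# Per-user, user-writable locations on Windows XP (assumption: illustrative list).
USER_WRITABLE_RE = re.compile(
    r"(?i)\\Documents and Settings\\[^\\]+\\"
    r"(?:Local Settings\\Application Data|Local Settings\\Temp|Application Data)\\"
)
# Hosts the stock IE R0/R1 values point to (assumption: extend for your environment).
EXPECTED_HOSTS = {"go.microsoft.com"}


@dataclass
class Finding:
    line: str
    score: int
    reasons: list[str] = field(default_factory=list)


def target_path(cmd: str) -> str | None:
    """Return the absolute executable/library path an O4 command launches, or None
    when the command is a bare filename resolved through PATH."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 1 else None
    m = PATH_RE.search(cmd)
    return m.group(0) if m else None


def triage(log_text: str) -> list[Finding]:
    """Score R0/R1 and O4 lines of an HJT log; return the entries worth a closer look."""
    o4_entries = []
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O4_RE.match(line):
            o4_entries.append((line, m))
            continue
        if m := R_RE.match(line):
            value = m.group("value")
            if value.lower().startswith(("http://", "https://")):
                host = urlparse(value).hostname or ""
                if host not in EXPECTED_HOSTS:
                    findings.append(Finding(line, 1, [f"IE start/search URL points to {host}"]))

    # Count (value name, target) pairs across hives: the same entry under both
    # HKLM and HKCU is redundant persistence.
    seen: dict[tuple[str, str], int] = {}
    for _, m in o4_entries:
        key = (m.group("name").lower(), (target_path(m.group("cmd")) or "").lower())
        seen[key] = seen.get(key, 0) + 1

    for line, m in o4_entries:
        path = target_path(m.group("cmd"))
        score, reasons = 0, []
        if path is None:
            score += 1
            reasons.append("bare filename, resolved via PATH")
        elif USER_WRITABLE_RE.search(path):
            score += 2
            reasons.append("autorun target lives under a user-writable profile directory")
        if seen[(m.group("name").lower(), (path or "").lower())] > 1:
            score += 1
            reasons.append("same value registered under both HKLM and HKCU")
        if score >= 2:
            findings.append(Finding(line, score, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[score {f.score}] {f.line}")
        for reason in f.reasons:
            print(f"    - {reason}")
```

Run against the sample, the two `[pgyjwrsn]` entries are the only lines that reach the threshold (both for the profile-directory target and the HKLM/HKCU duplication), while the R entries, which point at go.microsoft.com, and the vendor autoruns under Program Files and system32 stay quiet. The bare `KHALMNPR.EXE` entry earns one point but stays under the threshold; it is reported only if something else about it is unusual.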




#2 km2357


  • Malware Response Team
  • 1,784 posts
  • Gender:Male
  • Location:California

Posted 20 January 2010 - 02:35 PM

Hello and welcome to Bleeping Computer.

My name is km2357 and I will be helping you to remove any infection(s) that you may have.

I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.

Please do not start another thread or topic, I will assist you at this thread until we solve your problems.

Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.

Sorry for the delay in replying, the forum is very busy. If you still need help, please post a fresh HijackThis log.

MalWare Removal University Master

Member of ASAP


#3 noobalicious

  • Topic Starter

  • Members
  • 69 posts

Posted 21 January 2010 - 10:43 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:38:58 AM, on 1/21/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\DeviceVM\Browser Configuration Utility\BCUService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Documents and Settings\Alan\Local Settings\Application Data\ikbrdg\eqqqsysguard.exe
C:\Documents and Settings\Alan\Local Settings\Application Data\ikbrdg\eqqqsysguard.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R3 - URLSearchHook: SearchHook Class - {BC86E1AB-EDA5-4059-938F-CE307B0C6F0A} - C:\Program Files\DeviceVM\Browser Configuration Utility\AddressBarSearch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CStat - {DD92DE22-ED91-4560-B788-DEE2B26612E6} - C:\Program Files\DeviceVM\Browser Configuration Utility\IEHelper.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [pgyjwrsn] C:\Documents and Settings\Alan\Local Settings\Application Data\ikbrdg\eqqqsysguard.exe
O4 - HKCU\..\Run: [pgyjwrsn] C:\Documents and Settings\Alan\Local Settings\Application Data\ikbrdg\eqqqsysguard.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {48DF87EE-F2DE-11D8-BE7F-302050C10801} (FlyLoader Class) - http://www.flysuite.com/flyword/loaderword_win.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1231403778687
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1231403773968
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Browser Configuration Utility Service (BCUService) - DeviceVM, Inc. - C:\Program Files\DeviceVM\Browser Configuration Utility\BCUService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7284 bytes


#4 km2357


  • Malware Response Team
  • 1,784 posts
  • Gender:Male
  • Location:California

Posted 21 January 2010 - 02:27 PM

Step # 1: Download and run DDS

Download DDS and save it to your desktop from here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop. Post them back to your topic.

Step # 2: Download and run GMER

Please download gmer.zip from Gmer and save it to your desktop.

***Please close any open programs***

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst.

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click No.
  • Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.
If you do not receive notice about possible rootkit activity, remain on the Rootkit/Malware tab and make sure the 'Show All' button is unticked.
  • Click the Scan button and let the program do its work. GMER will produce a log.
  • Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.

DO NOT touch the PC at ALL for whatever reason/s until it has 100% completed its scan, or attempted scan in case of some error etc.!

Please post the results from the GMER scan in your reply.

In your next post/reply, I need to see the following:

1. The two DDS logs (DDS.txt and Attach.txt)
2. The GMER log

Use multiple posts if you can't fit everything into one post.



#5 noobalicious

  • Topic Starter
  • Members
  • 69 posts

Posted 22 January 2010 - 02:28 AM

I forgot how to ZIP up. Sorry.

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-12-01.01)

    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume1
    Install Date: 3/1/2007 1:32:00 AM
    System Uptime: 1/21/2010 7:35:58 AM (12 hours ago)

    Motherboard: Gigabyte Technology Co., Ltd. | | GA-MA785G-UD3H
    Processor: AMD Athlon™ 64 X2 Dual Core Processor 3800+ | Socket M2 | 2009/200mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 128 GiB total, 20.726 GiB free.
    D: is CDROM (CDFS)
    F: is FIXED (NTFS) - 170 GiB total, 169.589 GiB free.
    G: is CDROM (CDFS)
    H: is Removable

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP21: 10/26/2009 7:30:04 AM - Installed Browser Configuration Utility
    RP22: 10/26/2009 7:30:36 AM - Installed AMD Processor Driver
    RP23: 10/26/2009 7:31:00 AM - Installed Realtek High Definition Audio Driver
    RP24: 10/26/2009 7:33:42 AM - Installed REALTEK GbE & FE Ethernet PCI-E NIC Driver
    RP25: 10/26/2009 8:21:46 AM - SiSoftware Sandra Lite
    RP26: 10/26/2009 9:21:41 AM - Software Distribution Service 3.0
    RP27: 10/26/2009 9:52:30 AM - Avira AntiVir Personal - 10/26/2009 9:52
    RP28: 10/26/2009 9:55:07 AM - Avira AntiVir Personal - 10/26/2009 9:55
    RP29: 10/26/2009 10:01:46 AM - Installed Java™ 6 Update 15
    RP30: 10/27/2009 9:44:43 AM - Removed Rome - Total War
    RP31: 10/27/2009 9:51:45 AM - Configured NVIDIA ForceWare Network Access Manager
    RP32: 10/27/2009 9:52:40 AM - Configured NVIDIA ForceWare Network Access Manager
    RP33: 10/27/2009 10:26:36 AM - Software Distribution Service 3.0
    RP34: 10/27/2009 10:29:44 AM - Software Distribution Service 3.0
    RP35: 10/27/2009 12:18:22 PM - Installed Rome - Total War
    RP36: 10/27/2009 12:35:49 PM - Installed DirectX 9.0
    RP37: 10/27/2009 2:13:03 PM - Installed Windows Media Player 11
    RP38: 10/27/2009 2:14:19 PM - Installed Windows XP MSCompPackV1.
    RP39: 10/28/2009 2:30:05 PM - System Checkpoint
    RP40: 10/28/2009 12:04:32 AM - System Checkpoint
    RP41: 10/29/2009 1:21:38 AM - Software Distribution Service 3.0
    RP42: 10/30/2009 1:33:28 AM - System Checkpoint
    RP43: 10/31/2009 1:34:33 AM - System Checkpoint
    RP44: 11/1/2009 2:33:28 AM - System Checkpoint
    RP45: 11/2/2009 3:33:28 AM - System Checkpoint
    RP46: 11/3/2009 4:33:28 AM - System Checkpoint
    RP47: 11/4/2009 5:33:28 AM - System Checkpoint
    RP48: 11/5/2009 6:33:28 AM - System Checkpoint
    RP49: 11/6/2009 7:33:28 AM - System Checkpoint
    RP50: 11/7/2009 8:33:28 AM - System Checkpoint
    RP51: 11/8/2009 8:07:26 AM - System Checkpoint
    RP52: 11/9/2009 8:52:27 AM - System Checkpoint
    RP53: 11/10/2009 9:52:27 AM - System Checkpoint
    RP54: 11/11/2009 1:35:15 PM - System Checkpoint
    RP55: 11/12/2009 2:22:34 PM - System Checkpoint
    RP56: 11/13/2009 3:22:33 PM - System Checkpoint
    RP57: 11/14/2009 4:25:47 PM - System Checkpoint
    RP58: 11/15/2009 5:22:33 PM - System Checkpoint
    RP59: 11/16/2009 6:29:52 PM - System Checkpoint
    RP60: 11/17/2009 6:30:06 PM - System Checkpoint
    RP61: 11/18/2009 6:34:34 PM - System Checkpoint
    RP62: 11/19/2009 7:23:38 PM - System Checkpoint
    RP63: 11/20/2009 8:22:33 PM - System Checkpoint
    RP64: 11/21/2009 10:22:54 PM - System Checkpoint
    RP65: 11/22/2009 11:18:55 PM - System Checkpoint
    RP66: 11/23/2009 11:41:16 PM - System Checkpoint
    RP67: 11/24/2009 11:46:11 PM - System Checkpoint
    RP68: 11/26/2009 12:25:30 AM - System Checkpoint
    RP69: 11/27/2009 1:16:43 AM - System Checkpoint
    RP70: 1/13/2010 9:09:54 PM - System Checkpoint
    RP71: 1/14/2010 9:52:00 PM - System Checkpoint
    RP72: 1/15/2010 10:46:49 PM - System Checkpoint
    RP73: 1/21/2010 7:57:35 AM - System Checkpoint

    ==== Installed Programs ======================

    3DMark06
    a-squared Free 2.1
    Ad-Aware
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player Plugin
    Adobe Photoshop 6.0
    Adobe Reader 7.0.9
    Adobe SVG Viewer
    AI Booster
    AMD Processor Driver
    AnyDVD
    Apple Mobile Device Support
    Apple Software Update
    ASUSUpdate
    Auto Gordian Knot 2.40
    Avira AntiVir Personal - Free Antivirus
    AviSynth 2.5
    Bonjour
    Browser Configuration Utility
    CardRd81
    CCleaner (remove only)
    CCScore
    CloneDVD2
    Compatibility Pack for the 2007 Office system
    Cool & Quiet
    CR2
    Driver Sweeper 2.0.5
    DVD Decrypter (Remove Only)
    DVD Shrink 3.2
    DVDFab Decrypter 3.0.8.6
    EA Link
    ESSBrwr
    ESSCDBK
    ESScore
    ESSCT
    ESSgui
    ESShelp
    ESSini
    ESSPCD
    ESSPDock
    ESSSONIC
    ESSTOOLS
    ESSTUTOR
    ESSvpaht
    ESSvpot
    FEAR
    FEAR Extraction Point
    Google Earth
    GUI for dvdauthor 1.02
    Half-Life® 2
    High Definition Audio Driver Package - KB888111
    HijackThis 2.0.2
    HLPIndex
    HLPPDOCK
    HLPRFO
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    ImgBurn (Remove Only)
    iTunes
    Java™ 6 Update 15
    KODAK EASYSHARE Gallery Upload ActiveX Control
    Kodak EasyShare software
    KSU
    Logitech SetPoint
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Bootvis
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office XP Professional with FrontPage
    Microsoft Plus! for Windows XP
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Move Networks Media Player for Internet Explorer
    Mozilla Firefox (2.0.0.20)
    MSXML 4.0 SP2 (KB925672)
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    Notifier
    NVIDIA Drivers
    NVIDIA nView Desktop Manager
    OTtBP
    OTtBPSDK
    PC Probe II
    PCMark05
    Power Tab Editor 1.7
    Quake 4™
    QuickTime
    REALTEK GbE & FE Ethernet PCI-E NIC Driver
    Realtek High Definition Audio Driver
    ResChanger 2005
    RipIt4Me
    RivaTuner v2.0 Final Release
    Rome - Total War
    Scarface: The World is Yours
    Security Update for Windows Internet Explorer 7 (KB928090)
    Security Update for Windows Internet Explorer 7 (KB931768)
    Security Update for Windows Internet Explorer 7 (KB933566)
    Security Update for Windows Internet Explorer 7 (KB937143)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB974455)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB974455)
    Security Update for Windows Media Encoder (KB954156)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371-v2)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    SFR
    SHASTA
    SKIN0001
    SKINXSDK
    SoundMAX
    Spybot - Search & Destroy
    Spybot - Search & Destroy 1.5.2.20
    SpywareGuard v2.2
    Steam™
    System Requirements Lab
    TMPGEnc 4.0 XPress
    Uninstall Startup Inspector
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 8 (KB973874)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB973815)
    VPRINTOL
    WebFldrs XP
    Windows Backup Utility
    Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Live Messenger
    Windows Media Encoder 9 Series
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows XP Service Pack 3
    WIRELESS
    Xiph QuickTime Components

    ==== Event Viewer Messages From Past Week ========

    1/14/2010 7:43:35 PM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
    1/14/2010 7:43:35 PM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
    1/14/2010 7:43:16 PM, error: Service Control Manager [7023] - The IPSEC Services service terminated with the following error: The authentication service is unknown.

    ==== End Of File ===========================


    DDS (Ver_09-12-01.01) - NTFSx86
    Run by Alan at 19:31:03.39 on Thu 01/21/2010
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.637 [GMT -8:00]

    AV: AntiVir Desktop *On-access scanning enabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

    ============== Running Processes ===============

    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\DeviceVM\Browser Configuration Utility\BCUService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Documents and Settings\Alan\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uWindow Title = Windows Internet Explorer provided by Comcast
    mWindow Title = Windows Internet Explorer provided by Comcast
    uURLSearchHooks: SearchHook Class: {bc86e1ab-eda5-4059-938f-ce307b0c6f0a} - c:\program files\devicevm\browser configuration utility\AddressBarSearch.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
    BHO: BHO Class: {dd92de22-ed91-4560-b788-dee2b26612e6} - c:\program files\devicevm\browser configuration utility\IEHelper.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
    TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    EB: Search panel: {fe622b33-c226-5ae1-38c4-fc64869ed120} - c:\windows\system32\ibpwlrfljxmp.dll
    uRun: [pgyjwrsn] c:\documents and settings\alan\local settings\application data\ikbrdg\eqqqsysguard.exe
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /install
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [pgyjwrsn] c:\documents and settings\alan\local settings\application data\ikbrdg\eqqqsysguard.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
    DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
    DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
    DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
    DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
    DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
    DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www.costcophotocenter.com/CostcoActivia.cab
    DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
    DPF: {48DF87EE-F2DE-11D8-BE7F-302050C10801} - hxxp://www.flysuite.com/flyword/loaderword_win.cab
    DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1231403778687
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1231403773968
    DPF: {6F750202-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
    DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: SpywareGuard.Handler: {81559c35-8464-49f7-bb0e-07a383bef910} - c:\program files\spywareguard\spywareguard.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\alan\applic~1\mozilla\firefox\profiles\pfiugin7.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
    FF - prefs.js: browser.search.selectedEngine - Yahoo
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

    ============= SERVICES / DRIVERS ===============

    R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-10-26 11608]
    R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-7-7 611664]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-10-26 108289]
    R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-10-26 185089]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-10-26 55656]
    R2 BCUService;Browser Configuration Utility Service;c:\program files\devicevm\browser configuration utility\BCUService.exe [2009-10-26 212232]
    S0 NVStrap;NVStrap;c:\windows\system32\drivers\NVStrap.sys [2007-3-2 4096]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-10-26 1684736]
    S3 AntiAries;Anti Aries Helper Driver;c:\windows\system32\drivers\RKL66.tmp.sys [2007-5-27 7680]
    S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]
    S4 a2free;a-squared Free Service;c:\program files\a-squared free\a2service.exe [2007-6-5 419448]

    =============== Created Last 30 ================


    ==================== Find3M ====================

    2008-09-07 00:02:38 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090620080907\index.dat

    ============= FINISH: 19:32:16.10 ===============

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-01-21 23:24:46
    Windows 5.1.2600 Service Pack 3
    Running: gmer.exe; Driver: C:\DOCUME~1\Alan\LOCALS~1\Temp\afecrkod.sys


    ---- System - GMER 1.0.15 ----

    SSDT F7B88CB6 ZwCreateKey
    SSDT F7B88CAC ZwCreateThread
    SSDT F7B88CBB ZwDeleteKey
    SSDT F7B88CC5 ZwDeleteValueKey
    SSDT F7B88CCA ZwLoadKey
    SSDT F7B88C98 ZwOpenProcess
    SSDT F7B88C9D ZwOpenThread
    SSDT F7B88CD4 ZwReplaceKey
    SSDT F7B88CCF ZwRestoreKey
    SSDT F7B88CC0 ZwSetValueKey
    SSDT F7B88CA7 ZwTerminateProcess

    ---- Kernel code sections - GMER 1.0.15 ----

    .rsrc C:\WINDOWS\system32\drivers\atapi.sys entry point in ".rsrc" section [0xF73267A4]
    .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF1127360, 0x3E57A5, 0xE8000020]

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    Device -> \Driver\atapi \Device\Harddisk0\DR0 870F2618

    ---- Files - GMER 1.0.15 ----

    File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

    ---- EOF - GMER 1.0.15 ----
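As an added example, not part of this thread or of DDS/ComboFix themselves: a small Python triage script that reads DDS "Pseudo HJT Report" lines like the ones above and flags the patterns a log reader checks first, an autostart living under a per-user Application Data folder, random-looking file names, the same Run value present in both HKCU and HKLM, and orphaned BHO/TB/EB entries. The sample lines are constructed from this log; the name heuristic is an assumption of this example, not logic DDS performs.

```python
import re

# Constructed sample input: "Pseudo HJT Report" lines in the format DDS writes,
# modelled on the entries in this thread's log (the paths are the ones that log shows).
SAMPLE_DDS = r"""
uRun: [pgyjwrsn] c:\documents and settings\alan\local settings\application data\ikbrdg\eqqqsysguard.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [pgyjwrsn] c:\documents and settings\alan\local settings\application data\ikbrdg\eqqqsysguard.exe
EB: Search panel: {fe622b33-c226-5ae1-38c4-fc64869ed120} - c:\windows\system32\ibpwlrfljxmp.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
""".strip()

# uRun = HKCU Run value, mRun = HKLM Run value (DDS naming).
RUN_RE = re.compile(r"^(?P<hive>[um])Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# Shell/browser objects: kind, optional description, CLSID, then the module path or "No File".
OBJ_RE = re.compile(
    r"^(?P<kind>BHO|TB|EB|SSODL|SEH): .*?(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.+)$"
)
QUOTED_RE = re.compile(r'^"([^"]+)"')
UNQUOTED_RE = re.compile(r"^(.+?\.(?:exe|dll|scr|com))(?:\s|$)", re.IGNORECASE)
# Per-user profile storage on XP: a common drop location for rogue "guard" binaries.
USER_APPDATA_RE = re.compile(
    r"\\documents and settings\\[^\\]+\\(?:local settings\\)?application data\\"
)
VOWELS = set("aeiou")


def image_path(cmd):
    """Pull the executable/module path out of a Run command line (quoted or not)."""
    m = QUOTED_RE.match(cmd) or UNQUOTED_RE.match(cmd)
    return m.group(1) if m else cmd


def looks_random(filename):
    """Assumed heuristic for generated names: long, all-lowercase, and either
    vowel-poor or carrying a long consonant run. A tip-off, not proof."""
    stem = filename.rsplit(".", 1)[0]
    if len(stem) < 8 or not (stem.isalpha() and stem.islower()):
        return False
    vowel_ratio = sum(c in VOWELS for c in stem) / len(stem)
    longest_run = max(len(r) for r in re.split(r"[aeiou]", stem))
    return vowel_ratio < 0.25 or longest_run >= 5


def triage(log_text):
    """Walk DDS Pseudo-HJT lines; return (severity, reason, detail) findings."""
    findings = []
    run_names = {}
    for line in log_text.splitlines():
        line = line.strip()
        m = RUN_RE.match(line)
        if m:
            path = image_path(m.group("cmd"))
            base = path.rsplit("\\", 1)[-1]
            if USER_APPDATA_RE.search(path.lower()):
                findings.append(("high", "autostart from per-user Application Data", path))
            if looks_random(base):
                findings.append(("high", "random-looking file name", path))
            run_names.setdefault(m.group("name"), set()).add(m.group("hive"))
            continue
        m = OBJ_RE.match(line)
        if m:
            target = m.group("target")
            if target == "No File":
                findings.append(("low", f"orphaned {m.group('kind')} entry", m.group("clsid")))
            elif looks_random(target.rsplit("\\", 1)[-1]):
                findings.append(("high", f"{m.group('kind')} loads random-looking module", target))
    # The same value name registered under both hives is typical of rogue AV persistence.
    for name, hives in run_names.items():
        if hives == {"u", "m"}:
            findings.append(("medium", "same Run value in HKCU and HKLM", name))
    return findings


if __name__ == "__main__":
    for severity, reason, detail in triage(SAMPLE_DDS):
        print(f"[{severity}] {reason}: {detail}")
```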

    #6 km2357

    km2357

    • Malware Response Team
    • 1,784 posts
    • OFFLINE
    • Gender:Male
    • Location:California
    • Local time:12:31 AM

    Posted 22 January 2010 - 03:30 PM

    QUOTE
    I forgot how to ZIP up. Sorry


    No worries.


    According to your logs, Avira is out of date. Please update it as soon as possible.


    Step # 1: Download and Run ComboFix

    We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    *Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    When finished, it shall produce a log for you. Please include C:\ComboFix.txt in your next reply.

    MalWare Removal University Master

    Member of ASAP


    #7 km2357

    km2357

    • Malware Response Team
    • 1,784 posts
    • OFFLINE
    • Gender:Male
    • Location:California
    • Local time:12:31 AM

    Posted 25 January 2010 - 02:18 PM

    noobalicious? Do you still need help?

    MalWare Removal University Master

    Member of ASAP


    #8 noobalicious

    noobalicious
    • Topic Starter

    • Members
    • 69 posts
    • OFFLINE
    • Local time:03:31 AM

    Posted 25 January 2010 - 08:25 PM

    Yes I still need help. I was out of town this weekend.

    Running combofix now...

    #9 noobalicious

    noobalicious
    • Topic Starter

    • Members
    • 69 posts
    • OFFLINE
    • Local time:03:31 AM

    Posted 25 January 2010 - 09:42 PM

    ComboFix 10-01-25.02 - Alan 01/25/2010 17:47:07.4.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.704 [GMT -8:00]
    Running from: c:\documents and settings\Alan\Desktop\ComboFix.exe
    AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\2F.tmp
    C:\30.tmp
    C:\32.tmp
    C:\7.tmp
    C:\8.tmp
    C:\9.tmp
    C:\A.tmp
    C:\desktop.ini
    c:\documents and settings\Alan\Application Data\MSN6
    c:\documents and settings\Alan\Application Data\MSN6\msndata.dat
    c:\documents and settings\Alan\Application Data\MSN6\msndata001.dat
    c:\documents and settings\Alan\Local Settings\Application Data\ikbrdg
    c:\documents and settings\Alan\Local Settings\Application Data\ikbrdg\eqqqsysguard.exe
    c:\documents and settings\All Users\Application Data\MSN6
    c:\documents and settings\All Users\Application Data\MSN6\au.ini
    c:\windows\system32\logs
    c:\windows\system32\logs\{3CD8E5B4-244D-450B-84B8-566ADF05B691}.log
    c:\windows\system32\nvsvc32.exe
    c:\windows\unins000.dat
    c:\windows\unins000.exe

    Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
    Restored copy from - Kitty ate it :p
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_nvsvc
    -------\Service_nvsvc


    ((((((((((((((((((((((((( Files Created from 2009-12-26 to 2010-01-26 )))))))))))))))))))))))))))))))
    .

    No new files created in this timespan

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-01-14 05:49 . 2007-03-04 07:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-11-28 05:04 . 2007-03-01 10:23 22200 ----a-w- c:\documents and settings\Alan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-10-26 14:47 . 2007-05-13 04:21 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
    2009-10-26 14:47 . 2007-05-13 04:21 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
    2009-10-26 14:47 . 2007-05-13 04:21 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
    2009-10-26 14:47 . 2007-05-13 04:21 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
    2009-10-26 14:47 . 2007-05-13 04:21 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
    "nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-09-24 1657448]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-09-28 13918208]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-09-28 86016]
    "Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-05-20 28160]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @="Service"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\MSN Messenger\\livecall.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\iPod\\bin\\iPodService.exe"=
    "c:\\Program Files\\QuickTime\\QTTask.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "19184:TCP"= 19184:TCP:@xpsp2res.dll,-22005
    "10519:TCP"= 10519:TCP:@xpsp2res.dll,-22005
    "33082:TCP"= 33082:TCP:@xpsp2res.dll,-22005
    "34289:TCP"= 34289:TCP:@xpsp2res.dll,-22005

    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [10/26/2009 8:55 AM 108289]
    R2 BCUService;Browser Configuration Utility Service;c:\program files\DeviceVM\Browser Configuration Utility\BCUService.exe [10/26/2009 6:30 AM 212232]
    S0 NVStrap;NVStrap;c:\windows\system32\drivers\NVStrap.sys [3/2/2007 11:29 PM 4096]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [10/26/2009 6:23 AM 1684736]
    S3 AntiAries;Anti Aries Helper Driver;c:\windows\system32\drivers\RKL66.tmp.sys [5/27/2007 1:09 PM 7680]
    S4 a2free;a-squared Free Service;c:\program files\a-squared Free\a2service.exe [6/5/2007 6:05 PM 419448]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-01-25 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-12 01:57]

    2010-01-26 c:\windows\Tasks\User_Feed_Synchronization-{BEE92AF5-C12F-4032-B699-DB25ADE88A6E}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 11:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    mWindow Title = Windows Internet Explorer provided by Comcast
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
    DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
    DPF: {48DF87EE-F2DE-11D8-BE7F-302050C10801} - hxxp://www.flysuite.com/flyword/loaderword_win.cab
    FF - ProfilePath - c:\documents and settings\Alan\Application Data\Mozilla\Firefox\Profiles\pfiugin7.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
    FF - prefs.js: browser.search.selectedEngine - Yahoo
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
    FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-pgyjwrsn - c:\documents and settings\Alan\Local Settings\Application Data\ikbrdg\eqqqsysguard.exe
    HKLM-Run-pgyjwrsn - c:\documents and settings\Alan\Local Settings\Application Data\ikbrdg\eqqqsysguard.exe
    SafeBoot-AVG Anti-Spyware Driver
    SafeBoot-AVG Anti-Spyware Guard
    AddRemove-AutoGK - c:\program files\AutoGK\uninst.exe
    AddRemove-HijackThis - c:\docume~1\Alan\LOCALS~1\Temp\Temporary Directory 1 for HiJackThis[1].zip\HijackThis.exe
    AddRemove-RivaTuner - c:\program files\RivaTuner v2.0 Final Release\uninstall.exe
    AddRemove-Spybot - Search & Destroy_is1 - c:\windows\unins000.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-01-25 17:53
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1060284298-1532298954-725345543-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    "??"=hex:d4,38,bb,d3,f2,58,1c,0a,69,ce,74,b9,d5,88,fa,2a,ff,f9,15,9a,48,4f,23,
    7e,11,16,42,f4,41,61,86,57,e3,80,6e,33,ad,e8,31,a6,4c,3b,b0,d5,87,79,49,95,\
    "??"=hex:b0,a9,bf,29,d4,4b,f0,92,ed,4b,51,8d,dd,14,70,04
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(1852)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Lavasoft\Ad-Aware\aawservice.exe
    c:\program files\Avira\AntiVir Desktop\avguard.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\system32\RUNDLL32.EXE
    .
    **************************************************************************
    .
    Completion time: 2010-01-25 17:56:31 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-01-26 01:56

    Pre-Run: 22,525,759,488 bytes free
    Post-Run: 22,754,566,144 bytes free

    - - End Of File - - C60AAC91A54FF13EB3050D7ACFC73017


    #10 km2357

    km2357

    • Malware Response Team
    • 1,784 posts
    • OFFLINE
    • Gender:Male
    • Location:California
    • Local time:12:31 AM

    Posted 26 January 2010 - 01:27 AM

    Avira is out of date; please update it as soon as possible.


    I'd like for you to delete ComboFix.exe off of your Desktop.

    Once that is done, download the latest version of ComboFix from one of the links below:

    Be sure that ComboFix.exe is saved to your Desktop.

    Link 1
    Link 2

    Once that is done, follow the instructions below:

    Step # 1: Run CFScript
    • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

      CODE
      KILLALL::

      Dequarantine::

      C:\Qoobox\Quarantine\C\Documents and Settings\Alan\Application Data\MSN6
      C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\MSN6

      Fcopy::

      C:\Qoobox\Quarantine\C\windows\system32\nvsvc32.exe.vir | c:\windows\system32\nvsvc32.exe



    • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

      Note: This CFScript is for use on noobalicious's computer only! Do not use it on your computer.


    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.


    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


    In your next post/reply, I need to see the following:

    1. The DeQuarantine Log
    2. The ComboFix Log that appears after Step 1 has been completed.
    3. A fresh DDS Log taken after Step 1 has been completed.

    MalWare Removal University Master

    Member of ASAP


    #11 noobalicious

    noobalicious
    • Topic Starter

    • Members
    • 69 posts
    • OFFLINE
    • Local time:03:31 AM

    Posted 26 January 2010 - 11:29 PM

    ComboFix 10-01-26.02 - Alan 01/26/2010 20:17:19.5.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.647 [GMT -8:00]
    Running from: h:\malware fix transfers 2010\ComboFix.exe
    Command switches used :: c:\documents and settings\Alan\Desktop\CFScript.txt
    AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    .
    --------------- FCopy ---------------

    c:\qoobox\Quarantine\C\windows\system32\nvsvc32.exe.vir --> c:\windows\system32\nvsvc32.exe
    .
    ((((((((((((((((((((((((( Files Created from 2009-12-27 to 2010-01-27 )))))))))))))))))))))))))))))))
    .

    2010-01-27 04:17 . 2010-01-27 04:17 -------- d-----w- c:\documents and settings\All Users\Application Data\MSN6
    2010-01-27 04:17 . 2009-09-28 01:19 172100 ----a-w- c:\windows\system32\nvsvc32.exe
    2010-01-27 04:17 . 2010-01-27 04:17 -------- d-----w- c:\documents and settings\Alan\Application Data\MSN6

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-01-14 05:49 . 2007-03-04 07:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-11-28 05:04 . 2007-03-01 10:23 22200 ----a-w- c:\documents and settings\Alan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-10-26 14:47 . 2007-05-13 04:21 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
    2009-10-26 14:47 . 2007-05-13 04:21 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
    2009-10-26 14:47 . 2007-05-13 04:21 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
    2009-10-26 14:47 . 2007-05-13 04:21 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
    2009-10-26 14:47 . 2007-05-13 04:21 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-01-26_01.53.42 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2010-01-26 01:53 . 2010-01-26 01:53 16384 c:\windows\temp\Perflib_Perfdata_55c.dat
    + 2010-01-27 04:21 . 2010-01-27 04:21 16384 c:\windows\temp\Perflib_Perfdata_55c.dat
    + 2001-08-18 12:00 . 2010-01-26 01:57 65284 c:\windows\system32\perfc009.dat
    - 2001-08-18 12:00 . 2010-01-26 01:50 65284 c:\windows\system32\perfc009.dat
    + 2001-08-18 12:00 . 2010-01-26 01:57 426400 c:\windows\system32\perfh009.dat
    - 2001-08-18 12:00 . 2010-01-26 01:50 426400 c:\windows\system32\perfh009.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
    "nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-09-24 1657448]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-09-28 13918208]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-09-28 86016]
    "Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-05-20 28160]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @="Service"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\MSN Messenger\\livecall.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\iPod\\bin\\iPodService.exe"=
    "c:\\Program Files\\QuickTime\\QTTask.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "19184:TCP"= 19184:TCP:@xpsp2res.dll,-22005
    "10519:TCP"= 10519:TCP:@xpsp2res.dll,-22005
    "33082:TCP"= 33082:TCP:@xpsp2res.dll,-22005
    "34289:TCP"= 34289:TCP:@xpsp2res.dll,-22005

    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [10/26/2009 8:55 AM 108289]
    R2 BCUService;Browser Configuration Utility Service;c:\program files\DeviceVM\Browser Configuration Utility\BCUService.exe [10/26/2009 6:30 AM 212232]
    S0 NVStrap;NVStrap;c:\windows\system32\drivers\NVStrap.sys [3/2/2007 11:29 PM 4096]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [10/26/2009 6:23 AM 1684736]
    S3 AntiAries;Anti Aries Helper Driver;c:\windows\system32\drivers\RKL66.tmp.sys [5/27/2007 1:09 PM 7680]
    S4 a2free;a-squared Free Service;c:\program files\a-squared Free\a2service.exe [6/5/2007 6:05 PM 419448]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-01-25 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-12 01:57]

    2010-01-27 c:\windows\Tasks\User_Feed_Synchronization-{BEE92AF5-C12F-4032-B699-DB25ADE88A6E}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 11:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    mWindow Title = Windows Internet Explorer provided by Comcast
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
    DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
    DPF: {48DF87EE-F2DE-11D8-BE7F-302050C10801} - hxxp://www.flysuite.com/flyword/loaderword_win.cab
    FF - ProfilePath - c:\documents and settings\Alan\Application Data\Mozilla\Firefox\Profiles\pfiugin7.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
    FF - prefs.js: browser.search.selectedEngine - Yahoo
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
    FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-01-26 20:21
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1060284298-1532298954-725345543-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    "??"=hex:d4,38,bb,d3,f2,58,1c,0a,69,ce,74,b9,d5,88,fa,2a,ff,f9,15,9a,48,4f,23,
    7e,11,16,42,f4,41,61,86,57,e3,80,6e,33,ad,e8,31,a6,4c,3b,b0,d5,87,79,49,95,\
    "??"=hex:b0,a9,bf,29,d4,4b,f0,92,ed,4b,51,8d,dd,14,70,04
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(3792)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Lavasoft\Ad-Aware\aawservice.exe
    c:\program files\Avira\AntiVir Desktop\avguard.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\system32\RUNDLL32.EXE
    .
    **************************************************************************
    .
    Completion time: 2010-01-26 20:24:26 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-01-27 04:24
    ComboFix2.txt 2010-01-26 01:56
    C:\DeQuarantine.txt

    Pre-Run: 22,796,455,936 bytes free
    Post-Run: 22,767,251,456 bytes free

    - - End Of File - - E25C5F736C4EE2FB3C8FE682B6D8A1C2


    #12 noobalicious

    noobalicious
    • Topic Starter

    • Members
    • 69 posts
    • OFFLINE
    • Local time:03:31 AM

    Posted 26 January 2010 - 11:34 PM

    And here's the DDS. You asked for a "Dequarantine" log, but you didn't describe it at all. What is this, and how do I do it? Thanks again.




    DDS (Ver_09-12-01.01) - NTFSx86
    Run by Alan at 20:24:51.17 on Tue 01/26/2010
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.696 [GMT -8:00]

    AV: AntiVir Desktop *On-access scanning enabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\DeviceVM\Browser Configuration Utility\BCUService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\Alan\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    mWindow Title = Windows Internet Explorer provided by Comcast
    uURLSearchHooks: SearchHook Class: {bc86e1ab-eda5-4059-938f-ce307b0c6f0a} - c:\program files\devicevm\browser configuration utility\AddressBarSearch.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
    BHO: BHO Class: {dd92de22-ed91-4560-b788-dee2b26612e6} - c:\program files\devicevm\browser configuration utility\IEHelper.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
    TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    EB: Search panel: {fe622b33-c226-5ae1-38c4-fc64869ed120} - c:\windows\system32\ibpwlrfljxmp.dll
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /install
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
    DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
    DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
    DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
    DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
    DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
    DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www.costcophotocenter.com/CostcoActivia.cab
    DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
    DPF: {48DF87EE-F2DE-11D8-BE7F-302050C10801} - hxxp://www.flysuite.com/flyword/loaderword_win.cab
    DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1231403778687
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1231403773968
    DPF: {6F750202-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
    DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: SpywareGuard.Handler: {81559c35-8464-49f7-bb0e-07a383bef910} - c:\program files\spywareguard\spywareguard.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\alan\applic~1\mozilla\firefox\profiles\pfiugin7.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
    FF - prefs.js: browser.search.selectedEngine - Yahoo
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

    ============= SERVICES / DRIVERS ===============

    R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-10-26 11608]
    R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-7-7 611664]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-10-26 108289]
    R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-10-26 185089]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-10-26 55656]
    R2 BCUService;Browser Configuration Utility Service;c:\program files\devicevm\browser configuration utility\BCUService.exe [2009-10-26 212232]
    S0 NVStrap;NVStrap;c:\windows\system32\drivers\NVStrap.sys [2007-3-2 4096]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-10-26 1684736]
    S3 AntiAries;Anti Aries Helper Driver;c:\windows\system32\drivers\RKL66.tmp.sys [2007-5-27 7680]
    S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]
    S4 a2free;a-squared Free Service;c:\program files\a-squared free\a2service.exe [2007-6-5 419448]

    =============== Created Last 30 ================

    2010-01-27 04:17:18 172100 ----a-w- c:\windows\system32\nvsvc32.exe
    2010-01-26 01:36:12 98816 ----a-w- c:\windows\sed.exe
    2010-01-26 01:36:12 77312 ----a-w- c:\windows\MBR.exe
    2010-01-26 01:36:12 261632 ----a-w- c:\windows\PEV.exe
    2010-01-26 01:36:12 161792 ----a-w- c:\windows\SWREG.exe

    ==================== Find3M ====================

    2008-09-07 00:02:38 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090620080907\index.dat

    ============= FINISH: 20:25:09.26 ===============

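An added triage helper, not from the thread or from DDS itself, that parses lines in the "Pseudo HJT Report" format shown above and flags the two patterns a responder looks for in this kind of log: dangling "No File" entries (registry references whose target is gone) and a random-named DLL registered under system32, which is the shape the EB entry takes here. The sample lines are constructed to mirror the log, and the vowel-ratio threshold used as a "random name" heuristic is an assumption.

```python
import re

# Constructed sample in DDS "Pseudo HJT Report" style (mirrors the log above, not copied from it).
SAMPLE_DDS = r"""
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: Search panel: {fe622b33-c226-5ae1-38c4-fc64869ed120} - c:\windows\system32\ibpwlrfljxmp.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
"""

LINE_RE = re.compile(r"^(?P<kind>[A-Za-z]+):\s*(?P<rest>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
VOWELS = set("aeiou")


def parse_entry(line):
    """Split one report line into (kind, clsid, path). Path is whatever follows the CLSID,
    so ' - ' inside a path such as 'spybot - search & destroy' is not mistaken for a separator."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    clsid = CLSID_RE.search(rest)
    if not clsid:
        return None
    path = rest[clsid.end():].lstrip(" -").strip()
    return {"kind": m.group("kind"), "clsid": clsid.group(0).lower(), "path": path}


def looks_random(stem):
    """Heuristic (assumed threshold): a long, all-lowercase, purely alphabetic file stem with
    under 20% vowels, e.g. 'ibpwlrfljxmp'. Real component names almost always read as words."""
    if len(stem) < 8 or not stem.isalpha() or not stem.islower():
        return False
    return sum(c in VOWELS for c in stem) / len(stem) < 0.2


def triage(report_text):
    """Return (kind, clsid, reason) for every entry worth a closer look."""
    findings = []
    for line in report_text.splitlines():
        entry = parse_entry(line)
        if not entry:
            continue
        path = entry["path"]
        if path.lower() == "no file":
            findings.append((entry["kind"], entry["clsid"], "orphaned reference: target missing, entry left behind"))
            continue
        fname = path.replace("\\", "/").rsplit("/", 1)[-1]
        if "\\windows\\system32\\" in path.lower() and looks_random(fname.rsplit(".", 1)[0]):
            findings.append((entry["kind"], entry["clsid"], f"random-looking DLL name in system32: {fname}"))
    return findings


if __name__ == "__main__":
    for kind, clsid, reason in triage(SAMPLE_DDS):
        print(f"{kind:5} {clsid}  {reason}")
```

A flagged entry is a lead for a second opinion (file hash lookup, signature check) rather than a verdict; orphaned "No File" entries are usually harmless leftovers but show what was once loaded.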

    #13 km2357

    km2357

    • Malware Response Team
    • 1,784 posts
    • Gender:Male
    • Location:California
    • Local time:12:31 AM

    Posted 27 January 2010 - 12:24 AM

    QUOTE
    You asked for a "Dequarantine" log, but you didn't describe it at all. What is this, and how do I do it? Thanks again.


    Sorry about that.

    After ComboFix finished running did another log besides the ComboFix Log pop up? If it did, that's the log I want you to post. You can also try looking for dequarantine.txt in either the C:\ or C:\ComboFix folders.

If you can't find it, that's ok as it looks like ComboFix dequarantined what I wanted it to dequarantine.




    Step # 1 Update Java

    Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please follow these steps to remove older Java components and update.

    Updating Java:
    • Download the latest version of Java Runtime Environment (JRE) 6u18.
    • Click on the link to download Windows Offline Installation and save to your desktop. Do NOT use the Sun Download Manager.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    • Remove the following old versions of Java:

    • Java TM 6 Update 15

    • Click the Remove or Change/Remove button.
• Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • From your desktop double-click on the download to install the newest version.



    Step # 2 Run CCleaner

    CCleaner will remove everything from the temp/temporary folders but please note that it will not make back ups!
    • Before first use, select Options > Advanced and UNCHECK Only delete files in Windows Temp folder older than 24 hours
    • Then select the items you wish to clean up.
    • In the Windows Tab:
    • Clean all entries in the Internet Explorer section except Cookies
    • Clean all the entries in the Windows Explorer section
    • Clean all entries in the System section
    • Clean all entries in the Advanced section
    • Clean any others that you choose
    • In the Applications Tab:
    • Clean all except cookies in the Firefox/Mozilla section if you use it
    • Clean all in the Opera section if you use it
    • Clean Sun Java in the Internet Section
    • Clean any others that you choose
    • Click the Run Cleaner button.
    • A pop up box will appear advising this process will permanently delete files from your system.
    • Click OK and it will scan and clean your system.
    • Click exit when done.
    • If it asks you to reboot at the end, click NO



    Step # 3 Run Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware.
    • Before running a scan, click the Update tab, next click Check for Updates to download any updates, if available.
    • Next click the Scanner tab and select Perform Quick Scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please save it to a convenient location.
    • You can also access the log by doing the following:
    • Click on the Malwarebytes' Anti-Malware icon to launch the program.
    • Click on the Logs tab.
    • Click on the log at the bottom of those listed to highlight it.
    • Click Open.


    Post the MalwareBytes' Log in your next post/reply.

    MalWare Removal University Master

    Member of ASAP


    #14 noobalicious

    noobalicious
    • Topic Starter

    • Members
    • 69 posts
    • Local time:03:31 AM

    Posted 27 January 2010 - 10:52 PM

    Looks like it came up clean.

    My internet still doesn't work so I can't "update" malware bytes and Java/Avira, I can only download and transfer what I can save to my flashdrive.

    I think it should probably be working now. I did the usual: Tools->internet options->connections->LAN setting and ticked automatically detect settings, and when it asked if I wanted to repair the connections I said "yes", and still no connection. I'm getting "..cannot display webpage...".

    I guess I'll try a little harder......


    Malwarebytes' Anti-Malware 1.44
    Database version: 3510
    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    1/27/2010 7:40:47 PM
    mbam-log-2010-01-27 (19-40-47).txt

    Scan type: Quick Scan
    Objects scanned: 127344
    Time elapsed: 3 minute(s), 33 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    #15 noobalicious

    noobalicious
    • Topic Starter

    • Members
    • 69 posts
    • Local time:03:31 AM

    Posted 27 January 2010 - 11:05 PM

    Yeah I still can't get the connection to work. hmmm...



