
I think I have a Rootkit or something


16 replies to this topic

#1 mystycgurl (Members, 8 posts)

Posted 19 January 2010 - 09:08 PM

& Task Manager has 5 iexplorer.exe processes running. When I reset all IE advanced settings it works for a few minutes, then it shuts down, & I keep getting errors with the send/don't send screen. I ran Malwarebytes Anti-Malware & it didn't find anything. Also, I couldn't run RootRepeal, so I ran Sophos.


DDS (Ver_09-12-01.01) - NTFSx86
Run by Sabrina at 22:00:30.37 on Mon 01/18/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.252 [GMT -8:00]

AV: avast! antivirus 4.8.1368 [VPS 100118-1] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\windows\system32\svchost -k DcomLaunch
svchost.exe
C:\windows\System32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\windows\System32\WLTRYSVC.EXE
C:\windows\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\windows\Explorer.EXE
C:\windows\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\windows\system32\WLTRAY.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\windows\system32\igfxpers.exe
C:\windows\system32\igfxsrvc.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\windows\vVX3000.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Desktop Architect\datray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\windows\system32\rundll32.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Sabrina\My Documents\Downloads\Firefox Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page =
uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
uSearch Bar =
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
mSearchAssistant =
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: MessengerUpdate Class: {5948a52a-ba3a-49a8-bcaf-d578502bda9d} - c:\documents and settings\sabrina\application data\messenger\drivers\MsgUpdate.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB: {5617ECA9-488D-4BA2-8562-9710B9AB78D2} - No File
TB: {98279C38-DE4B-4BCF-93C9-8EC26069D6F4} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Desktop Architect] "c:\program files\desktop architect\datray.exe" -S
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [IgfxSys] rundll32.exe "c:\documents and settings\sabrina\application data\messenger\drivers\IgfxSys.dll",StartProtector
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
mRun: [SystemTray] SysTray.Exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\Quickset.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wifi\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\common files\intel\wirelesscommon\iFrmewrk.exe" /tf Intel Wireless Tray
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [VX3000] c:\windows\vVX3000.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [ezLife] 0 (0x0)
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
uPolicies-explorer: <NO NAME> =
IE: &Search
IE: Block image &source with HOSTS - c:\program files\internet explorer\plugins\hbris.html
IE: Block link &target with HOSTS - c:\program files\internet explorer\plugins\hbrlr.html
IE: Block site &URL with HOSTS - c:\program files\internet explorer\plugins\hbrdu.html
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
DPF: DirectAnimation Java Classes - file://c:\windows\system\dajava.cab
DPF: Internet Explorer Classes for Java - file://c:\windows\system\iejava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso4.cab
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {038E2507-7A48-41E2-94AD-7F23D199AF4E} - hxxp://www.worldwinner.com/games/v54/zengems/zengems.cab
DPF: {0B195D55-0AB4-48C7-828F-34BE10BA4266} - hxxp://www.worldwinner.com/games/v53/dealornodeal/dealornodeal.cab
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Amazing%20Heists%20-%20Dillinger/Images/stg_drm.ocx
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} - hxxp://www.worldwinner.com/games/v47/shared/FunGamesLoader.cab
DPF: {1D082E71-DF20-4AAF-863B-596428C49874} - hxxp://www.worldwinner.com/games/v50/tpir/tpir.cab
DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} - hxxp://www.worldwinner.com/games/v50/pool/pool.cab
DPF: {38AB6A6C-CC4C-4F9E-A3DD-3C5681EF18A1} - hxxp://www.freerealms.com/gamedata/FreeRealmsInstaller.cab
DPF: {3D3DBC64-0D21-4EA4-94EE-86D6D9B31C0C} - hxxp://www.worldwinner.com/games/v45/moneylist/moneylist.cab
DPF: {42FDC231-A411-45F8-B8B6-3B5026111DA8} - hxxp://www.worldwinner.com/games/v47/solitairerush/solitairerush.cab
DPF: {4AB16005-E995-4A60-89DE-8B8A3E6EB5B0} - hxxp://www.worldwinner.com/games/v56/trivialpursuit/trivialpursuit.cab
DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} - hxxp://www.worldwinner.com/games/v63/bjattack/bja.cab
DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} - hxxp://www.worldwinner.com/games/v51/bejeweled/bejeweled.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1234865034687
DPF: {64CD313F-F079-4D93-959F-4D28B5519449} - hxxp://www.worldwinner.com/games/v56/jeopardy/jeopardy.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1236208756531
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {6F6FDB9E-5072-498C-BCB0-2B7F00C49EE7} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8F6E7FB2-E56B-4F66-A4E1-9765D2565280} - hxxp://www.worldwinner.com/games/launcher/ie/v2.17.01.0/iewwload.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {95A311CD-EC8E-452A-BCEC-B844EB616D03} - hxxp://www.worldwinner.com/games/v51/bejeweledtwist/bejeweledtwist.cab
DPF: {A021A215-6CDC-44B4-8C16-90491CED9605} - hxxp://www.worldwinner.com/games/v68/clue/clue.cab
DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} - hxxp://www.worldwinner.com/games/v57/wof/wof.cab
DPF: {A91FB93D-7561-4524-8484-5C27C8FA8D42} - hxxp://www.worldwinner.com/games/v50/luxor/luxor.cab
DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} - hxxp://www.worldwinner.com/games/v67/swapit/swapit.cab
DPF: {BA35B9B8-DE9E-47C9-AFA7-3C77E3DDFD39} - hxxp://www.worldwinner.com/games/v46/monopoly/monopoly.cab
DPF: {C82BB209-F528-46F9-96D5-69DEF7260916} - hxxp://www.worldwinner.com/games/v45/mysterypi/mysterypi.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Amazing%20Heists%20-%20Dillinger/Images/armhelper.ocx
DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} - hxxp://www.worldwinner.com/games/v47/familyfeud/familyfeud.cab
DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} - hxxp://games.myspace.com/Gameshell/GameHost/1.0/OberonGameHost.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E70E3E64-2793-4AEF-8CC8-F1606BE563B0} - hxxp://www.worldwinner.com/games/v53/wwspades/wwspades.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\sabrina\applic~1\mozilla\firefox\profiles\a4s6qtoy.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.greatsearchnow.com/greatsearch.aspx?category=web&Toolbar_id={2E8FEDAB-4A35-A6C5-0D11-6AF61F746447}&query=
FF - prefs.js: browser.startup.homepage - yahoo.com
FF - prefs.js: keyword.URL - hxxp://www.greatsearchnow.com/greatsearch.aspx?category=web&Toolbar_Id={2E8FEDAB-4A35-A6C5-0D11-6AF61F746447}&query=
FF - component: c:\documents and settings\sabrina\application data\mozilla\firefox\profiles\a4s6qtoy.default\extensions\lazarus@interclue.com\platform\winnt_x86-msvc\components\WeaveCrypto.dll
FF - component: c:\documents and settings\sabrina\application data\mozilla\firefox\profiles\a4s6qtoy.default\extensions\speedtest@gotomyhelp.com\components\NetDiag.dll
FF - component: c:\program files\siber systems\ai roboform\firefox\components\rfproxy_31.dll
FF - plugin: c:\documents and settings\all users\application data\realarcade\npraclient.dll
FF - plugin: c:\documents and settings\sabrina\application data\move networks\plugins\npqmp071502000008.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPCARDS.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npganymedenet.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPMAHJONG.dll
FF - plugin: c:\program files\mozilla firefox\plugins\nppopcaploader.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npraclient.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPSOLITAIRE.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-3-15 114768]
R1 c2scsi;c2scsi;c:\windows\system32\drivers\c2scsi.sys [2009-12-18 244608]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-3-15 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-3-15 138680]
R2 CinemaNow Service;CinemaNow Service;c:\program files\cinemanow\cinemanow media manager\CinemaNowSvc.exe [2009-6-23 127352]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-3-15 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-3-15 352920]
S2 gupdate1ca1b3d290a08;Google Update Service (gupdate1ca1b3d290a08);c:\program files\google\update\GoogleUpdate.exe [2009-8-12 133104]
S3 DCamUSBSvis;Oregon Scientific DShotI/DShotII;c:\windows\system32\drivers\svstream.sys --> c:\windows\system32\drivers\svstream.sys [?]
S3 M3usb;M3CHIP USB;c:\windows\system32\drivers\M3usb.sys [2009-12-27 75347]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys --> c:\windows\system32\drivers\motport.sys [?]
S3 NPF;Netgroup Packet Filter;c:\windows\system32\drivers\npf.sys [2009-2-26 42512]
S3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);c:\windows\system32\drivers\WsAudio_DeviceS(1).sys [2009-8-29 16640]
S4 ptssvc;ptssvc;c:\program files\kodak\kodak picture transfer software\ptssvc.exe --> c:\program files\kodak\kodak picture transfer software\PTSsvc.exe [?]

=============== Created Last 30 ================

2010-01-19 05:42:48 0 d-----w- c:\program files\Trend Micro
2010-01-18 23:44:38 4314 -c--a-w- C:\chntpw 080802.mds
2010-01-18 23:44:35 3702784 -c--a-w- C:\chntpw 080802.iso
2010-01-18 05:59:38 0 d--h--w- c:\docume~1\alluse~1\applic~1\SugarGames
2010-01-18 05:59:38 0 d-----w- c:\program files\Sugar Games
2010-01-18 04:00:55 0 d-----w- c:\program files\iMahjongClient
2010-01-17 10:44:51 0 d-----w- c:\windows\system32\wbem\Repository
2010-01-17 10:42:40 0 d--h--w- c:\windows\ie8
2010-01-17 03:40:11 0 dc----w- c:\windows\ie8(2)
2010-01-14 01:04:27 0 d-----w- c:\program files\Coby
2010-01-13 13:37:05 0 d-----w- c:\docume~1\sabrina\applic~1\ezLife
2010-01-13 13:36:56 0 d-----w- c:\docume~1\sabrina\applic~1\Smart-Ads-Solutions
2010-01-13 13:36:33 0 d-----w- c:\docume~1\sabrina\applic~1\Messenger
2010-01-13 13:36:31 0 d-----w- c:\program files\ezLife
2010-01-13 13:36:29 0 d-----w- c:\program files\Smart-Ads-Solutions
2010-01-13 12:23:24 0 d-----w- c:\docume~1\sabrina\applic~1\HTSK
2010-01-13 06:19:43 34662400 -c--a-w- C:\MediaWiper.iso
2010-01-13 06:18:02 32094208 -c--a-w- C:\WipeDrive.iso
2010-01-13 04:25:15 1374 ----a-w- c:\windows\imsins.BAK
2010-01-13 00:23:33 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-01-13 00:21:38 0 d-----w- c:\docume~1\alluse~1\applic~1\WorldWinner
2010-01-10 07:42:48 0 d-----w- c:\program files\Collapse!
2010-01-09 07:56:53 603904 ----a-w- c:\windows\system32\TUProgSt.exe
2010-01-09 07:56:51 27904 ----a-w- c:\windows\system32\uxt1FB.tmp
2010-01-09 07:56:45 0 d-----w- c:\docume~1\sabrina\applic~1\TuneUp Software
2010-01-09 07:56:07 0 d-----w- c:\docume~1\alluse~1\applic~1\TuneUp Software
2010-01-09 07:55:12 0 d-sh--w- c:\docume~1\alluse~1\applic~1\{55A29068-F2CE-456C-9148-C869879E2357}
2010-01-08 15:01:36 494080 ----a-w- c:\windows\system32\jzelacvnmrlftq.dll
2010-01-08 00:55:52 32592 ----a-w- c:\windows\system32\msonpmon.dll
2010-01-08 00:40:22 0 d-----w- c:\program files\Microsoft Visual Studio 8
2010-01-07 02:17:05 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-01-07 00:32:38 435 ----a-w- c:\windows\cncscore.ini
2010-01-07 00:27:36 0 d-----w- c:\program files\Jack Games
2010-01-06 08:58:51 0 d-----w- c:\docume~1\sabrina\applic~1\Curious Sense
2010-01-06 08:58:51 0 d-----w- c:\docume~1\alluse~1\applic~1\Curious Sense
2010-01-06 00:59:57 0 d-----r- c:\program files\Skype
2010-01-06 00:38:32 676720 ----a-w- c:\windows\system32\LCCoin30.dll
2010-01-06 00:37:47 0 d-----w- c:\program files\Microsoft LifeCam
2010-01-05 04:25:16 0 d-----w- c:\program files\CCTools
2010-01-05 01:09:29 0 d-----w- c:\program files\Yahoo! Games
2010-01-03 05:05:57 198656 ----a-w- c:\windows\system32\Comdlg32.ocx
2010-01-02 15:41:09 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-01-02 15:41:09 21504 ----a-w- c:\windows\system32\dllcache\hidserv.dll
2010-01-01 09:56:05 0 d-----w- c:\documents and settings\all users\TheFallTrilogy
2009-12-31 08:15:35 0 d-----w- c:\docume~1\sabrina\applic~1\Jetdogs Studios
2009-12-31 05:29:29 0 d-----w- c:\docume~1\sabrina\applic~1\LaJangada
2009-12-29 10:40:23 0 d-----w- c:\docume~1\sabrina\applic~1\Thinstall
2009-12-27 23:53:43 75347 ----a-w- c:\windows\system32\drivers\M3usb.sys
2009-12-27 23:33:26 0 d-----w- c:\program files\Consumer Update Firmware
2009-12-26 04:29:16 0 d-----w- c:\docume~1\alluse~1\applic~1\PlayPond
2009-12-26 04:28:01 0 d-----w- c:\program files\PlayPond
2009-12-23 01:07:58 301056 ----a-w- c:\windows\system32\cfyurkgc.dll
2009-12-23 01:07:40 319488 ----a-w- c:\windows\system32\icxloazf.dll
2009-12-22 11:30:19 0 d-----w- c:\program files\Sandlot Games
2009-12-21 11:30:12 0 d-----w- c:\program files\Escape the Museum 2
2009-12-21 07:29:20 26 ----a-w- c:\windows\DVDCreator.INI
2009-12-21 07:21:51 487424 ----a-w- c:\windows\system32\msvcp70.dll
2009-12-21 07:21:51 344064 ----a-w- c:\windows\system32\msvcr70.dll
2009-12-21 07:21:50 0 d-----w- c:\program files\Aplus DVD Creator
2009-12-21 06:45:11 0 d-----w- c:\documents and settings\all users\sonic
2009-12-20 07:27:52 0 d-----w- c:\docume~1\alluse~1\applic~1\The Mirror Mysteries

==================== Find3M ====================

2010-01-15 02:20:16 159744 ----a-w- c:\windows\system32\hkcmd.exe
2009-12-10 20:30:43 156672 ------w- c:\windows\system32\rmc_fixasf.exe
2009-12-10 20:30:42 237568 ------w- c:\windows\system32\rmc_rtspdl.dll
2009-12-10 20:05:10 3448 ----a-w- c:\program files\TubeHoardertmp.dat
2009-12-01 05:57:54 117193 ----a-w- c:\windows\hpoins11.dat
2009-11-26 06:18:40 0 ------w- c:\windows\system32\drivers\Msft_Kernel_SynTP_01007.Wdf
2009-11-26 06:18:36 0 ------w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-11-14 00:47:32 90112 ------w- c:\windows\system32\dpl100.dll
2009-11-14 00:47:28 856064 ------w- c:\windows\system32\divx_xx0c.dll
2009-11-14 00:47:28 856064 ------w- c:\windows\system32\divx_xx07.dll
2009-11-14 00:47:28 847872 ------w- c:\windows\system32\divx_xx0a.dll
2009-11-14 00:47:28 843776 ------w- c:\windows\system32\divx_xx16.dll
2009-11-14 00:47:28 839680 ------w- c:\windows\system32\divx_xx11.dll
2009-11-14 00:47:28 696320 ------w- c:\windows\system32\DivX.dll
2009-11-02 22:03:26 53248 ------w- c:\windows\system32\CSVer.dll
2009-10-30 00:46:12 413696 ------w- c:\windows\system32\wrap_oal.dll
2009-10-30 00:46:11 110592 ------w- c:\windows\system32\OpenAL32.dll
2009-10-28 14:40:47 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-10-25 02:35:52 452016 ----a-w- c:\program files\Uninstall Fun Web Products.dll
2009-10-24 09:03:15 46334188 ----a-w- c:\program files\Ricochet Infinity.rar
2009-02-17 07:38:50 266 --sha-w- c:\program files\desktop.ini
2009-02-17 07:38:50 11079 -c-ha-w- c:\program files\folder.htt

============= FINISH: 22:00:59.43 ===============

#2 extremeboy (Malware Response Team, 12,975 posts)

Posted 25 January 2010 - 12:57 PM

Hi,

My name is Extremeboy (or EB for short), and I will be helping you with your log.

We apologize for the delay in responding.

If you still require assistance, we would like to see the current condition of your system, so please post a new set of DDS logs as well as a RootRepeal log and a description of any remaining problems or symptoms you may still have.

If for any reason you did not post a DDS log or a RootRepeal log, please refer to this page, steps #6 and #7, for further instructions on downloading and running DDS & RootRepeal. If you have any problems when running the tools or are unable to produce a report for any reason, just let me know in your next reply.


For your next reply I would like to see:
-The DDS logs
---DDS.txt and Attach logs
-RootRepeal logs
-Description of any remaining problems you may still have.


Thanks again and we apologize for the delay.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.


#3 mystycgurl (Topic Starter, Members, 8 posts)

Posted 27 January 2010 - 03:51 AM

I am still unable to use Internet Explorer; however, there are 5-6 iexplorer.exe processes running in Task Manager, which sometimes stops other programs on my PC from starting right away (I have to go into Task Manager & end all of the iexplorer processes before the program will start), & every so often I'll get a pop-up saying Internet Explorer closed unexpectedly blah blah blah send/don't send, even if I'm not even doing anything on the computer.




DDS (Ver_09-12-01.01) - NTFSx86
Run by Sabrina at 21:30:17.51 on Tue 01/26/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.317 [GMT -8:00]

AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\windows\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\windows\System32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\windows\System32\WLTRYSVC.EXE
C:\windows\System32\bcmwltry.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\windows\system32\SearchIndexer.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\windows\system32\WLTRAY.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
C:\windows\system32\igfxpers.exe
C:\windows\system32\igfxsrvc.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\windows\vVX3000.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Desktop Architect\datray.exe
C:\windows\system32\rundll32.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\windows\system32\OSK.exe
C:\windows\system32\MSSWCHX.EXE
C:\windows\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\windows\explorer.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\windows\system32\SearchProtocolHost.exe
C:\Documents and Settings\Sabrina\My Documents\Downloads\Firefox Downloads\dds(2).scr

============== Pseudo HJT Report ===============

uSearch Page =
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
mSearchAssistant =
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: MessengerUpdate Class: {5948a52a-ba3a-49a8-bcaf-d578502bda9d} - c:\documents and settings\sabrina\application data\messenger\drivers\MsgUpdate.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB: {5617ECA9-488D-4BA2-8562-9710B9AB78D2} - No File
TB: {98279C38-DE4B-4BCF-93C9-8EC26069D6F4} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Desktop Architect] "c:\program files\desktop architect\datray.exe" -S
uRun: [IgfxSys] rundll32.exe "c:\documents and settings\sabrina\application data\messenger\drivers\IgfxSys.dll",StartProtector
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
mRun: [SystemTray] SysTray.Exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\Quickset.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wifi\bin\ZCfgSvc.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [VX3000] c:\windows\vVX3000.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
uPolicies-explorer: <NO NAME> =
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
Trusted Zone: worldwinner.com\www
DPF: DirectAnimation Java Classes - file://c:\windows\system\dajava.cab
DPF: Internet Explorer Classes for Java - file://c:\windows\system\iejava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso4.cab
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {038E2507-7A48-41E2-94AD-7F23D199AF4E} - hxxp://www.worldwinner.com/games/v54/zengems/zengems.cab
DPF: {0B195D55-0AB4-48C7-828F-34BE10BA4266} - hxxp://www.worldwinner.com/games/v53/dealornodeal/dealornodeal.cab
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Amazing%20Heists%20-%20Dillinger/Images/stg_drm.ocx
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} - hxxp://www.worldwinner.com/games/v47/shared/FunGamesLoader.cab
DPF: {1D082E71-DF20-4AAF-863B-596428C49874} - hxxp://www.worldwinner.com/games/v50/tpir/tpir.cab
DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} - hxxp://www.worldwinner.com/games/v50/pool/pool.cab
DPF: {38AB6A6C-CC4C-4F9E-A3DD-3C5681EF18A1} - hxxp://www.freerealms.com/gamedata/FreeRealmsInstaller.cab
DPF: {3D3DBC64-0D21-4EA4-94EE-86D6D9B31C0C} - hxxp://www.worldwinner.com/games/v45/moneylist/moneylist.cab
DPF: {42FDC231-A411-45F8-B8B6-3B5026111DA8} - hxxp://www.worldwinner.com/games/v47/solitairerush/solitairerush.cab
DPF: {4AB16005-E995-4A60-89DE-8B8A3E6EB5B0} - hxxp://www.worldwinner.com/games/v56/trivialpursuit/trivialpursuit.cab
DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} - hxxp://www.worldwinner.com/games/v63/bjattack/bja.cab
DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} - hxxp://www.worldwinner.com/games/v51/bejeweled/bejeweled.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1234865034687
DPF: {64CD313F-F079-4D93-959F-4D28B5519449} - hxxp://www.worldwinner.com/games/v56/jeopardy/jeopardy.cab
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {6F6FDB9E-5072-498C-BCB0-2B7F00C49EE7} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8F6E7FB2-E56B-4F66-A4E1-9765D2565280} - hxxp://www.worldwinner.com/games/launcher/ie/v2.17.01.0/iewwload.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {95A311CD-EC8E-452A-BCEC-B844EB616D03} - hxxp://www.worldwinner.com/games/v51/bejeweledtwist/bejeweledtwist.cab
DPF: {A021A215-6CDC-44B4-8C16-90491CED9605} - hxxp://www.worldwinner.com/games/v68/clue/clue.cab
DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} - hxxp://www.worldwinner.com/games/v57/wof/wof.cab
DPF: {A91FB93D-7561-4524-8484-5C27C8FA8D42} - hxxp://www.worldwinner.com/games/v50/luxor/luxor.cab
DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} - hxxp://www.worldwinner.com/games/v67/swapit/swapit.cab
DPF: {BA35B9B8-DE9E-47C9-AFA7-3C77E3DDFD39} - hxxp://www.worldwinner.com/games/v46/monopoly/monopoly.cab
DPF: {C82BB209-F528-46F9-96D5-69DEF7260916} - hxxp://www.worldwinner.com/games/v45/mysterypi/mysterypi.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Amazing%20Heists%20-%20Dillinger/Images/armhelper.ocx
DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} - hxxp://www.worldwinner.com/games/v47/familyfeud/familyfeud.cab
DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} - hxxp://games.myspace.com/Gameshell/GameHost/1.0/OberonGameHost.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E70E3E64-2793-4AEF-8CC8-F1606BE563B0} - hxxp://www.worldwinner.com/games/v53/wwspades/wwspades.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\sabrina\applic~1\mozilla\firefox\profiles\a4s6qtoy.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.greatsearchnow.com/greatsearch.aspx?category=web&Toolbar_id={2E8FEDAB-4A35-A6C5-0D11-6AF61F746447}&query=
FF - prefs.js: browser.startup.homepage - yahoo.com
FF - prefs.js: keyword.URL - hxxp://www.greatsearchnow.com/greatsearch.aspx?category=web&Toolbar_Id={2E8FEDAB-4A35-A6C5-0D11-6AF61F746447}&query=
FF - component: c:\documents and settings\sabrina\application data\mozilla\firefox\profiles\a4s6qtoy.default\extensions\lazarus@interclue.com\platform\winnt_x86-msvc\components\WeaveCrypto.dll
FF - component: c:\documents and settings\sabrina\application data\mozilla\firefox\profiles\a4s6qtoy.default\extensions\speedtest@gotomyhelp.com\components\NetDiag.dll
FF - component: c:\program files\siber systems\ai roboform\firefox\components\rfproxy_31.dll
FF - plugin: c:\documents and settings\all users\application data\realarcade\npraclient.dll
FF - plugin: c:\documents and settings\sabrina\application data\move networks\plugins\npqmp071502000008.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPCARDS.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npganymedenet.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPMAHJONG.dll
FF - plugin: c:\program files\mozilla firefox\plugins\nppopcaploader.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npraclient.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPSOLITAIRE.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 c2scsi;c2scsi;c:\windows\system32\drivers\c2scsi.sys [2009-12-18 244608]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 142832]
R2 CinemaNow Service;CinemaNow Service;c:\program files\cinemanow\cinemanow media manager\CinemaNowSvc.exe [2009-6-23 127352]
S3 cpuz128;cpuz128;\??\c:\docume~1\sabrina\locals~1\temp\cpuz_x32.sys --> c:\docume~1\sabrina\locals~1\temp\cpuz_x32.sys [?]
S3 DCamUSBSvis;Oregon Scientific DShotI/DShotII;c:\windows\system32\drivers\svstream.sys --> c:\windows\system32\drivers\svstream.sys [?]
S3 M3usb;M3CHIP USB;c:\windows\system32\drivers\M3usb.sys [2009-12-27 75347]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\8.tmp --> c:\windows\system32\8.tmp [?]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys --> c:\windows\system32\drivers\motport.sys [?]
S3 NPF;Netgroup Packet Filter;c:\windows\system32\drivers\npf.sys [2009-2-26 42512]
S3 NUVision;NUVision Video Service;c:\windows\system32\drivers\NUVision.sys [2010-1-24 135424]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]
S3 rootrepeal2;rootrepeal2;c:\windows\system32\drivers\rootrepeal2.sys [2010-1-18 34816]
S3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);c:\windows\system32\drivers\WsAudio_DeviceS(1).sys [2009-8-29 16640]
S4 gupdate1ca1b3d290a08;Google Update Service (gupdate1ca1b3d290a08);c:\program files\google\update\GoogleUpdate.exe [2009-8-12 133104]
S4 ptssvc;ptssvc;c:\program files\kodak\kodak picture transfer software\ptssvc.exe --> c:\program files\kodak\kodak picture transfer software\PTSsvc.exe [?]

=============== Created Last 30 ================

2010-01-27 04:31:49 0 d-----w- c:\docume~1\sabrina\applic~1\Windows Search
2010-01-26 05:56:48 0 d-----w- c:\docume~1\sabrina\applic~1\Windows Desktop Search
2010-01-26 05:56:15 0 d-----w- c:\program files\Windows Desktop Search
2010-01-26 05:56:14 0 d-----w- c:\windows\system32\GroupPolicy
2010-01-26 05:55:01 98304 ------w- c:\windows\system32\dllcache\nlhtml.dll
2010-01-26 05:55:01 29696 ------w- c:\windows\system32\dllcache\mimefilt.dll
2010-01-26 05:55:01 192000 ------w- c:\windows\system32\dllcache\offfilt.dll
2010-01-26 05:53:33 0 d-----w- c:\windows\system32\URTTEMP
2010-01-25 11:10:59 1374 ----a-w- c:\windows\imsins.BAK
2010-01-25 10:18:22 0 d-----w- c:\docume~1\sabrina\applic~1\BanzaiInteractive
2010-01-25 10:18:22 0 d-----w- c:\docume~1\alluse~1\applic~1\BanzaiInteractive
2010-01-25 10:08:02 0 d-----w- c:\docume~1\alluse~1\applic~1\Million
2010-01-25 07:14:42 0 d-----w- c:\program files\Microsoft Security Essentials
2010-01-25 05:30:03 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-25 04:53:46 0 d-----w- c:\program files\ACW
2010-01-24 08:10:06 61440 ----a-w- c:\windows\system32\nuvyuv.dll
2010-01-24 08:10:06 139264 ----a-w- c:\windows\system32\NUVTwain.dll
2010-01-24 08:10:05 135424 ----a-w- c:\windows\system32\drivers\NUVision.sys
2010-01-24 08:10:04 49664 ----a-w- c:\windows\system32\NUVision.ax
2010-01-23 12:20:05 0 d-----w- c:\docume~1\sabrina\applic~1\LegacyInteractive
2010-01-21 20:10:45 166 ----a-w- c:\windows\system32\Compress.res
2010-01-21 20:10:40 232 ----a-w- c:\windows\reimage.ini
2010-01-21 20:10:11 0 d-----w- c:\program files\Reimage
2010-01-19 06:13:08 0 d-----w- c:\program files\Sophos
2010-01-19 06:03:29 34816 ----a-w- c:\windows\system32\drivers\rootrepeal2.sys
2010-01-19 05:42:48 0 d-----w- c:\program files\Trend Micro
2010-01-18 23:44:38 4314 -c--a-w- C:\chntpw 080802.mds
2010-01-18 23:44:35 3702784 -c--a-w- C:\chntpw 080802.iso
2010-01-18 05:59:38 0 d--h--w- c:\docume~1\alluse~1\applic~1\SugarGames
2010-01-17 10:44:51 0 d-----w- c:\windows\system32\wbem\Repository
2010-01-17 10:42:40 0 d--h--w- c:\windows\ie8
2010-01-17 03:40:11 0 dc----w- c:\windows\ie8(2)
2010-01-14 01:04:27 0 d-----w- c:\program files\Coby
2010-01-13 13:37:05 0 d-----w- c:\docume~1\sabrina\applic~1\ezLife
2010-01-13 13:36:56 0 d-----w- c:\docume~1\sabrina\applic~1\Smart-Ads-Solutions
2010-01-13 13:36:33 0 d-----w- c:\docume~1\sabrina\applic~1\Messenger
2010-01-13 13:36:31 0 d-----w- c:\program files\ezLife
2010-01-13 13:36:29 0 d-----w- c:\program files\Smart-Ads-Solutions
2010-01-13 12:23:24 0 d-----w- c:\docume~1\sabrina\applic~1\HTSK
2010-01-13 06:19:43 34662400 -c--a-w- C:\MediaWiper.iso
2010-01-13 06:18:02 32094208 -c--a-w- C:\WipeDrive.iso
2010-01-13 00:23:33 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-01-10 07:42:48 0 d-----w- c:\program files\Collapse!
2010-01-09 07:56:53 603904 ----a-w- c:\windows\system32\TUProgSt.exe
2010-01-09 07:56:45 0 d-----w- c:\docume~1\sabrina\applic~1\TuneUp Software
2010-01-09 07:56:07 0 d-----w- c:\docume~1\alluse~1\applic~1\TuneUp Software
2010-01-09 07:55:12 0 d-sh--w- c:\docume~1\alluse~1\applic~1\{55A29068-F2CE-456C-9148-C869879E2357}
2010-01-08 00:55:52 32592 ----a-w- c:\windows\system32\msonpmon.dll
2010-01-08 00:40:22 0 d-----w- c:\program files\Microsoft Visual Studio 8
2010-01-07 02:17:05 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-01-07 00:32:38 435 ----a-w- c:\windows\cncscore.ini
2010-01-07 00:27:36 0 d-----w- c:\program files\Jack Games
2010-01-06 08:58:51 0 d-----w- c:\docume~1\sabrina\applic~1\Curious Sense
2010-01-06 08:58:51 0 d-----w- c:\docume~1\alluse~1\applic~1\Curious Sense
2010-01-06 00:59:57 0 d-----r- c:\program files\Skype
2010-01-06 00:38:32 676720 ----a-w- c:\windows\system32\LCCoin30.dll
2010-01-06 00:37:47 0 d-----w- c:\program files\Microsoft LifeCam
2010-01-05 04:25:16 0 d-----w- c:\program files\CCTools
2010-01-05 01:09:29 0 d-----w- c:\program files\Yahoo! Games
2010-01-03 05:05:57 198656 ----a-w- c:\windows\system32\Comdlg32.ocx
2010-01-02 15:41:09 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-01-02 15:41:09 21504 ----a-w- c:\windows\system32\dllcache\hidserv.dll
2010-01-01 09:56:05 0 d-----w- c:\documents and settings\all users\TheFallTrilogy
2009-12-31 08:15:35 0 d-----w- c:\docume~1\sabrina\applic~1\Jetdogs Studios
2009-12-31 05:29:29 0 d-----w- c:\docume~1\sabrina\applic~1\LaJangada
2009-12-29 10:40:23 0 d-----w- c:\docume~1\sabrina\applic~1\Thinstall

==================== Find3M ====================

2010-01-26 05:37:40 638816 ----a-w- c:\windows\system32\dllcache\iexplore.exe
2010-01-15 02:20:16 159744 ----a-w- c:\windows\system32\hkcmd.exe
2009-12-23 01:07:58 301056 ----a-w- c:\windows\system32\cfyurkgc.dll
2009-12-23 01:07:40 319488 ----a-w- c:\windows\system32\icxloazf.dll
2009-12-21 13:19:18 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-12-10 20:30:43 156672 ------w- c:\windows\system32\rmc_fixasf.exe
2009-12-10 20:30:42 237568 ------w- c:\windows\system32\rmc_rtspdl.dll
2009-12-10 20:05:10 3448 ----a-w- c:\program files\TubeHoardertmp.dat
2009-12-01 05:57:54 117193 ----a-w- c:\windows\hpoins11.dat
2009-11-14 00:47:32 90112 ------w- c:\windows\system32\dpl100.dll
2009-11-14 00:47:28 856064 ------w- c:\windows\system32\divx_xx0c.dll
2009-11-14 00:47:28 856064 ------w- c:\windows\system32\divx_xx07.dll
2009-11-14 00:47:28 847872 ------w- c:\windows\system32\divx_xx0a.dll
2009-11-14 00:47:28 843776 ------w- c:\windows\system32\divx_xx16.dll
2009-11-14 00:47:28 839680 ------w- c:\windows\system32\divx_xx11.dll
2009-11-14 00:47:28 696320 ------w- c:\windows\system32\DivX.dll
2009-11-02 22:03:26 53248 ------w- c:\windows\system32\CSVer.dll
2009-10-30 00:46:12 413696 ------w- c:\windows\system32\wrap_oal.dll
2009-10-30 00:46:11 110592 ------w- c:\windows\system32\OpenAL32.dll
2009-10-25 02:35:52 452016 ----a-w- c:\program files\Uninstall Fun Web Products.dll
2009-10-24 09:03:15 46334188 ----a-w- c:\program files\Ricochet Infinity.rar
2009-02-17 07:38:50 266 --sha-w- c:\program files\desktop.ini
2009-02-17 07:38:50 11079 -c-ha-w- c:\program files\folder.htt

============= FINISH: 21:30:53.06 ===============

Attached Files
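The DDS log above is the kind of output a responder skims by hand for autorun, BHO, toolbar and driver entries that load from places a limited user can write to. As an added example (not part of this thread, and not code from the DDS tool), the Python below parses those line shapes and flags the entries worth reading first. The sample lines are constructed from paths in the log above; the flag heuristics (user-writable directories, temp-style names, bare file names, "No File" orphans) are mine, and a flag means "review", not "malicious": the `8.tmp` behind MEMSWEEP2 is consistent with the Sophos Anti-Rootkit run the poster mentions, while the `MessengerUpdate` BHO (MsgUpdate.dll) is the file Kaspersky later reports as not-a-virus:AdWare.Win32.BHO.kvf, and the `IgfxSys` autorun in the same directory is caught by the same directory rule.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the style of the DDS log above; the paths are copied
# from that log so the flags can be compared with what Kaspersky later found.
SAMPLE_LOG = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [IgfxSys] rundll32.exe "c:\documents and settings\sabrina\application data\messenger\drivers\IgfxSys.dll",StartProtector
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide
mRun: [SystemTray] SysTray.Exe
BHO: MessengerUpdate Class: {5948a52a-ba3a-49a8-bcaf-d578502bda9d} - c:\documents and settings\sabrina\application data\messenger\drivers\MsgUpdate.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
S3 cpuz128;cpuz128;\??\c:\docume~1\sabrina\locals~1\temp\cpuz_x32.sys --> c:\docume~1\sabrina\locals~1\temp\cpuz_x32.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\8.tmp --> c:\windows\system32\8.tmp [?]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 142832]
"""

# Entry shapes DDS uses in its Pseudo HJT Report and SERVICES / DRIVERS sections.
RUN_RE = re.compile(r'^[um]Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
COM_RE = re.compile(r'^(?P<kind>BHO|TB|SEH|SSODL|Handler): (?P<desc>.*?)'
                    r'\{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$')
SVC_RE = re.compile(r'^(?P<kind>[RS]\d) (?P<name>[^;]*);(?P<display>[^;]*);(?P<rest>.*)$')
QUOTED_RE = re.compile(r'"([^"]+)"')
MODULE_RE = re.compile(r'^(.*?\.(?:exe|dll|sys|ocx|scr|cpl))(?:\s|$)', re.I)

# Heuristics (mine, not DDS's): directories a limited user can write to, and
# temp-style names. A hit means "read this first", not "malicious".
USER_WRITABLE = ('\\documents and settings\\', '\\docume~1\\', '\\temp\\', '\\recycled\\')
TEMP_NAME_RE = re.compile(r'\.tmp$')


@dataclass
class Finding:
    kind: str                 # uRun, mRun, BHO, TB, S3, ...
    name: str                 # entry name, description or CLSID
    path: Optional[str]       # file the entry loads, as DDS printed it
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def _path_from_command(cmd: str) -> Optional[str]:
    """First quoted string, else the leading token ending in a module extension."""
    m = QUOTED_RE.search(cmd) or MODULE_RE.match(cmd)
    return m.group(1) if m else (cmd or None)


def parse_entry(line: str) -> Optional[Finding]:
    """Turn one DDS line into a Finding, or None for lines of other types."""
    line = line.strip()
    m = RUN_RE.match(line)
    if m:
        return Finding(line.split(':', 1)[0], m['name'], _path_from_command(m['cmd']))
    m = COM_RE.match(line)
    if m:
        name = m['desc'].strip(' :-') or '{' + m['clsid'] + '}'
        return Finding(m['kind'], name, m['path'].strip())
    m = SVC_RE.match(line)
    if m:
        # "\??\path --> path [?]" for unresolved drivers, "path [date size]" otherwise
        raw = m['rest'].split(' --> ')[0].split(' [')[0].strip()
        if raw.startswith('\\??\\'):
            raw = raw[4:]
        return Finding(m['kind'], m['name'], raw)
    return None


def assess(f: Finding) -> Finding:
    """Attach review reasons to a Finding; returns the same object."""
    if f.path is None:
        return f
    p = f.path.lower()
    if p == 'no file':
        f.reasons.append('orphaned entry: registry points at a file that no longer exists')
        return f
    if '\\' not in p:
        f.reasons.append('bare file name: resolved through the search path, a classic hijack point')
    for marker in USER_WRITABLE:
        if marker in p:
            where = marker.strip('\\')
            f.reasons.append(f'loads from a user-writable location ({where})')
            break
    if TEMP_NAME_RE.search(p):
        f.reasons.append('temp-named file: often a scanner driver, sometimes a dropper')
    return f


def triage(log_text: str) -> List[Finding]:
    return [assess(f) for f in map(parse_entry, log_text.splitlines()) if f is not None]


def suspicious_names(log_text: str) -> List[str]:
    return [f.name for f in triage(log_text) if f.suspicious]


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print('REVIEW' if f.suspicious else 'ok', f.kind, f.name, f.path, '; '.join(f.reasons))
```

Run it as a script to print one line per entry; `triage()` returns the Finding list and `suspicious_names()` the short list for a reply. The "Created Last 30" and "Find3M" sections are deliberately not parsed: those lines are read by timing against symptom onset rather than by path.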



#4 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 27 January 2010 - 09:31 AM

Thanks for those logs, but did you run RootRepeal? Please post that log too.
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#5 mystycgurl

mystycgurl
  • Topic Starter

  • Members
  • 8 posts

Posted 28 January 2010 - 05:41 AM

I tried to run RootRepeal, but it said "RootRepeal Error Exception Address 0x004eca19", so I ran Sophos Anti-Rootkit instead. Here is the log file for Sophos.

Attached Files



#6 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 28 January 2010 - 12:46 PM

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

Now, try running a scan with GMER.

Download and Run GMER

We will use GMER to scan for rootkits.
  • Please download GMER from one of the following locations, and save it to your desktop:
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop. Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)

  • Close any and all open programs, as this process may crash your computer.
  • Double click or on your desktop.
  • When you have done this, close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program. Right-click and select Run As Administrator... if you are using Vista
  • Allow the gmer.sys driver to load if asked.

    If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system... Click NO.
  • In the right panel, you will see several boxes that have been checked. Please UNCHECK the following:
    • Sections
    • Registry
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show all (Don't miss this one!)
  • Click on and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.

If GMER doesn't work in Normal Mode try running it in Safe Mode

Note: Do Not run any program while GMER is running
*Note*: Rootkit scans often produce false positives. Do NOT take any actions on "<--- ROOTKIT" entries

#7 mystycgurl

mystycgurl
  • Topic Starter

  • Members
  • 8 posts

Posted 29 January 2010 - 11:21 PM

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-28 23:50:53
Windows 5.1.2600 Service Pack 3
Running: rf1qtyi1.exe; Driver: C:\DOCUME~1\Sabrina\LOCALS~1\Temp\uwtdapoc.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----


#8 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 29 January 2010 - 11:35 PM

Was that scan run in Safe Mode or Normal Mode?

--
Does Firefox work okay? Internet Explorer 8 is supposed to have multiple iexplore.exe processes running.

It's getting late here; I'll look into this problem tomorrow. However, at the moment I don't see any active infections going on.

#9 mystycgurl

mystycgurl
  • Topic Starter

  • Members
  • 8 posts

Posted 30 January 2010 - 11:05 PM

I ran it in Safe Mode.
Firefox works fine.

I keep constantly getting pop-ups for IE saying it has encountered a problem & needs to close. The error report is: Appname: iexplorer.exe AppVer: 8.0.6001.18702 ModName: msgasst84.dll ModVer: 0.0.0.0 Offset: 00003c33


When I try to open IE it starts loading the homepage, which is msn.com, & after 2 seconds it says Website Restore Error & acts like it's trying to load, but it just gets "stuck" & keeps doing that. But if I go to Control Panel > Internet Options > Advanced & Reset internet settings, it works OK; I can use it, but whenever I am using it I still get an error pop-up saying it needs to close. If I just move it off to the side I am able to still use IE, until I exit out & then I have to go through the same thing to get it to work. I have absolutely no idea what could be happening, & I really appreciate you trying to help me.

#10 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 31 January 2010 - 12:39 PM

Hello.

Perhaps try re-installing Internet Explorer 8? It doesn't seem malware-related from the logs.

Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires that the Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Open the Kaspersky WebScanner page.
  • Click on the button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the button, if you made any changes.
  • Now under the Scan section on the left, select My Computer.
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis if needed.


#11 mystycgurl

mystycgurl
  • Topic Starter

  • Members
  • 8 posts

Posted 01 February 2010 - 04:30 PM

KASPERSKY ONLINE SCANNER 7.0: scan report
Monday, February 1, 2010
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Monday, February 01, 2010 13:54:30
Records in database: 3393933
Scan settings
scan using the following database extended
Scan archives yes
Scan e-mail databases yes
Scan area My Computer
C:\
D:\
F:\
Scan statistics
Objects scanned 129402
Threats found 3
Infected objects found 5
Suspicious objects found 0
Scan duration 04:43:47

File name Threat Threats count
C:\Documents and Settings\Sabrina\Application Data\Messenger\Drivers\MsgUpdate.dll Infected: not-a-virus:AdWare.Win32.BHO.kvf 1
C:\Documents and Settings\Sabrina\Application Data\Messenger\Sys\mu.dll Infected: not-a-virus:AdWare.Win32.BHO.kvf 1
C:\Documents and Settings\Sabrina\Local Settings\Application Data\Ares\My Shared Folder\edition gold heatseek v1 zip.exe Infected: not-a-virus:AdWare.Win32.BHO.kvf 1
C:\Documents and Settings\Sabrina\Local Settings\Application Data\Ares\My Shared Folder\edition gold heatseek v1 zip.exe Infected: not-a-virus:AdWare.Win32.Favev.l 1
C:\Recycled\Dc9\WirelessKeyView.exe Infected: not-a-virus:PSWTool.Win32.Messen.ct 1
Selected area has been scanned.


#12 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 01 February 2010 - 08:18 PM

Hello.

I would delete those things Kaspersky detected.

Other than that how's your computer running?

Take a new DDS run afterward and post back with both the DDS and Attach logs in your next reply. Also, let me know how your computer is running and if you have any more problems, issues or symptoms left.

Thanks.

With Regards,
Extremeboy

#13 mystycgurl

mystycgurl
  • Topic Starter

  • Members
  • 8 posts

Posted 02 February 2010 - 09:09 AM

Everything seems to be fine ever since I ran Kaspersky yesterday.



DDS (Ver_09-12-01.01) - NTFSx86
Run by Sabrina at 6:06:25.29 on Tue 02/02/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.320 [GMT -8:00]

AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\windows\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\windows\System32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\windows\System32\WLTRYSVC.EXE
C:\windows\System32\bcmwltry.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\windows\Explorer.EXE
C:\windows\system32\ctfmon.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\windows\system32\WLTRAY.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
C:\windows\system32\igfxpers.exe
C:\windows\system32\igfxsrvc.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\windows\vVX3000.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Desktop Architect\datray.exe
C:\windows\system32\rundll32.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Documents and Settings\Sabrina\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Sabrina\My Documents\Downloads\Firefox Downloads\dds.scr

============== Pseudo HJT Report ===============

uSearch Page =
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
mSearchAssistant =
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: MessengerUpdate Class: {5948a52a-ba3a-49a8-bcaf-d578502bda9d} - c:\documents and settings\sabrina\application data\messenger\drivers\MsgUpdate.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB: {5617ECA9-488D-4BA2-8562-9710B9AB78D2} - No File
TB: {98279C38-DE4B-4BCF-93C9-8EC26069D6F4} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Desktop Architect] "c:\program files\desktop architect\datray.exe" -S
uRun: [IgfxSys] rundll32.exe "c:\documents and settings\sabrina\application data\messenger\drivers\IgfxSys.dll",StartProtector
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
uRun: [SansaDispatch] c:\documents and settings\sabrina\application data\sandisk\sansa updater\SansaDispatch.exe
mRun: [SystemTray] SysTray.Exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\Quickset.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wifi\bin\ZCfgSvc.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [VX3000] c:\windows\vVX3000.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
uPolicies-explorer: <NO NAME> =
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
Trusted Zone: worldwinner.com\www
DPF: DirectAnimation Java Classes - file://c:\windows\system\dajava.cab
DPF: Internet Explorer Classes for Java - file://c:\windows\system\iejava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso4.cab
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {038E2507-7A48-41E2-94AD-7F23D199AF4E} - hxxp://www.worldwinner.com/games/v54/zengems/zengems.cab
DPF: {0B195D55-0AB4-48C7-828F-34BE10BA4266} - hxxp://www.worldwinner.com/games/v53/dealornodeal/dealornodeal.cab
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Amazing%20Heists%20-%20Dillinger/Images/stg_drm.ocx
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} - hxxp://www.worldwinner.com/games/v47/shared/FunGamesLoader.cab
DPF: {1D082E71-DF20-4AAF-863B-596428C49874} - hxxp://www.worldwinner.com/games/v50/tpir/tpir.cab
DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} - hxxp://www.worldwinner.com/games/v50/pool/pool.cab
DPF: {38AB6A6C-CC4C-4F9E-A3DD-3C5681EF18A1} - hxxp://www.freerealms.com/gamedata/FreeRealmsInstaller.cab
DPF: {3D3DBC64-0D21-4EA4-94EE-86D6D9B31C0C} - hxxp://www.worldwinner.com/games/v45/moneylist/moneylist.cab
DPF: {42FDC231-A411-45F8-B8B6-3B5026111DA8} - hxxp://www.worldwinner.com/games/v47/solitairerush/solitairerush.cab
DPF: {4AB16005-E995-4A60-89DE-8B8A3E6EB5B0} - hxxp://www.worldwinner.com/games/v56/trivialpursuit/trivialpursuit.cab
DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} - hxxp://www.worldwinner.com/games/v63/bjattack/bja.cab
DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} - hxxp://www.worldwinner.com/games/v51/bejeweled/bejeweled.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1234865034687
DPF: {64CD313F-F079-4D93-959F-4D28B5519449} - hxxp://www.worldwinner.com/games/v56/jeopardy/jeopardy.cab
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {6F6FDB9E-5072-498C-BCB0-2B7F00C49EE7} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8F6E7FB2-E56B-4F66-A4E1-9765D2565280} - hxxp://www.worldwinner.com/games/launcher/ie/v2.20.01.0/iewwload.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {95A311CD-EC8E-452A-BCEC-B844EB616D03} - hxxp://www.worldwinner.com/games/v51/bejeweledtwist/bejeweledtwist.cab
DPF: {A021A215-6CDC-44B4-8C16-90491CED9605} - hxxp://www.worldwinner.com/games/v68/clue/clue.cab
DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} - hxxp://www.worldwinner.com/games/v57/wof/wof.cab
DPF: {A91FB93D-7561-4524-8484-5C27C8FA8D42} - hxxp://www.worldwinner.com/games/v50/luxor/luxor.cab
DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} - hxxp://www.worldwinner.com/games/v67/swapit/swapit.cab
DPF: {BA35B9B8-DE9E-47C9-AFA7-3C77E3DDFD39} - hxxp://www.worldwinner.com/games/v46/monopoly/monopoly.cab
DPF: {C82BB209-F528-46F9-96D5-69DEF7260916} - hxxp://www.worldwinner.com/games/v45/mysterypi/mysterypi.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Amazing%20Heists%20-%20Dillinger/Images/armhelper.ocx
DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} - hxxp://www.worldwinner.com/games/v47/familyfeud/familyfeud.cab
DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} - hxxp://games.myspace.com/Gameshell/GameHost/1.0/OberonGameHost.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E70E3E64-2793-4AEF-8CC8-F1606BE563B0} - hxxp://www.worldwinner.com/games/v53/wwspades/wwspades.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\sabrina\applic~1\mozilla\firefox\profiles\a4s6qtoy.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.greatsearchnow.com/greatsearch.aspx?category=web&Toolbar_id={2E8FEDAB-4A35-A6C5-0D11-6AF61F746447}&query=
FF - prefs.js: browser.startup.homepage - yahoo.com
FF - prefs.js: keyword.URL - hxxp://www.greatsearchnow.com/greatsearch.aspx?category=web&Toolbar_Id={2E8FEDAB-4A35-A6C5-0D11-6AF61F746447}&query=
FF - component: c:\documents and settings\sabrina\application data\mozilla\firefox\profiles\a4s6qtoy.default\extensions\lazarus@interclue.com\platform\winnt_x86-msvc\components\WeaveCrypto.dll
FF - component: c:\documents and settings\sabrina\application data\mozilla\firefox\profiles\a4s6qtoy.default\extensions\speedtest@gotomyhelp.com\components\NetDiag.dll
FF - component: c:\program files\siber systems\ai roboform\firefox\components\rfproxy_31.dll
FF - plugin: c:\documents and settings\all users\application data\realarcade\npraclient.dll
FF - plugin: c:\documents and settings\sabrina\application data\move networks\plugins\npqmp071502000008.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPCARDS.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npganymedenet.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPMAHJONG.dll
FF - plugin: c:\program files\mozilla firefox\plugins\nppopcaploader.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npraclient.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPSOLITAIRE.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 c2scsi;c2scsi;c:\windows\system32\drivers\c2scsi.sys [2009-12-18 244608]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 142832]
R2 CinemaNow Service;CinemaNow Service;c:\program files\cinemanow\cinemanow media manager\CinemaNowSvc.exe [2009-6-23 127352]
S3 cpuz128;cpuz128;\??\c:\docume~1\sabrina\locals~1\temp\cpuz_x32.sys --> c:\docume~1\sabrina\locals~1\temp\cpuz_x32.sys [?]
S3 DCamUSBSvis;Oregon Scientific DShotI/DShotII;c:\windows\system32\drivers\svstream.sys --> c:\windows\system32\drivers\svstream.sys [?]
S3 M3usb;M3CHIP USB;c:\windows\system32\drivers\M3usb.sys [2009-12-27 75347]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\131.tmp --> c:\windows\system32\131.tmp [?]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys --> c:\windows\system32\drivers\motport.sys [?]
S3 NPF;Netgroup Packet Filter;c:\windows\system32\drivers\npf.sys [2009-2-26 42512]
S3 NUVision;NUVision Video Service;c:\windows\system32\drivers\NUVision.sys [2010-1-24 135424]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]
S3 rootrepeal2;rootrepeal2;c:\windows\system32\drivers\rootrepeal2.sys [2010-1-18 34816]
S3 rootrepeal3;rootrepeal3;\??\c:\windows\system32\drivers\rootrepeal3.sys --> c:\windows\system32\drivers\rootrepeal3.sys [?]
S3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);c:\windows\system32\drivers\WsAudio_DeviceS(1).sys [2009-8-29 16640]
S4 gupdate1ca1b3d290a08;Google Update Service (gupdate1ca1b3d290a08);c:\program files\google\update\GoogleUpdate.exe [2009-8-12 133104]
S4 ptssvc;ptssvc;c:\program files\kodak\kodak picture transfer software\ptssvc.exe --> c:\program files\kodak\kodak picture transfer software\PTSsvc.exe [?]

=============== Created Last 30 ================

2010-02-02 09:28:05 0 d-----w- c:\program files\Luxor Adventures
2010-02-02 08:53:51 0 d-----w- c:\docume~1\sabrina\applic~1\TitanicMystery
2010-02-02 08:31:12 0 d-----w- c:\docume~1\sabrina\applic~1\GhostFleet
2010-01-30 04:07:18 0 d-----w- c:\docume~1\alluse~1\applic~1\WorldWinner
2010-01-29 04:20:29 20 ----a-w- c:\documents and settings\sabrina\defogger_reenable
2010-01-29 02:57:30 0 d-----w- c:\docume~1\sabrina\applic~1\SanDisk
2010-01-27 04:31:49 0 d-----w- c:\docume~1\sabrina\applic~1\Windows Search
2010-01-26 05:56:15 0 d-----w- c:\program files\Windows Desktop Search
2010-01-26 05:56:14 0 d-----w- c:\windows\system32\GroupPolicy
2010-01-26 05:55:01 98304 ------w- c:\windows\system32\dllcache\nlhtml.dll
2010-01-26 05:55:01 29696 ------w- c:\windows\system32\dllcache\mimefilt.dll
2010-01-26 05:55:01 192000 ------w- c:\windows\system32\dllcache\offfilt.dll
2010-01-26 05:53:33 0 d-----w- c:\windows\system32\URTTEMP
2010-01-25 10:18:22 0 d-----w- c:\docume~1\sabrina\applic~1\BanzaiInteractive
2010-01-25 10:18:22 0 d-----w- c:\docume~1\alluse~1\applic~1\BanzaiInteractive
2010-01-25 10:08:02 0 d-----w- c:\docume~1\alluse~1\applic~1\Million
2010-01-25 07:14:42 0 d-----w- c:\program files\Microsoft Security Essentials
2010-01-25 05:30:03 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-25 04:53:46 0 d-----w- c:\program files\ACW
2010-01-24 08:10:06 61440 ----a-w- c:\windows\system32\nuvyuv.dll
2010-01-24 08:10:06 139264 ----a-w- c:\windows\system32\NUVTwain.dll
2010-01-24 08:10:05 135424 ----a-w- c:\windows\system32\drivers\NUVision.sys
2010-01-24 08:10:04 49664 ----a-w- c:\windows\system32\NUVision.ax
2010-01-23 12:20:05 0 d-----w- c:\docume~1\sabrina\applic~1\LegacyInteractive
2010-01-21 20:10:45 166 ----a-w- c:\windows\system32\Compress.res
2010-01-21 20:10:40 232 ----a-w- c:\windows\reimage.ini
2010-01-21 20:10:11 0 d-----w- c:\program files\Reimage
2010-01-19 06:13:08 0 d-----w- c:\program files\Sophos
2010-01-19 06:03:29 34816 ----a-w- c:\windows\system32\drivers\rootrepeal2.sys
2010-01-19 05:42:48 0 d-----w- c:\program files\Trend Micro
2010-01-18 23:44:38 4314 -c--a-w- C:\chntpw 080802.mds
2010-01-18 23:44:35 3702784 -c--a-w- C:\chntpw 080802.iso
2010-01-18 05:59:38 0 d--h--w- c:\docume~1\alluse~1\applic~1\SugarGames
2010-01-17 10:44:51 0 d-----w- c:\windows\system32\wbem\Repository
2010-01-17 10:42:40 0 d--h--w- c:\windows\ie8
2010-01-17 03:40:11 0 dc----w- c:\windows\ie8(2)
2010-01-14 01:04:27 0 d-----w- c:\program files\Coby
2010-01-13 13:37:05 0 d-----w- c:\docume~1\sabrina\applic~1\ezLife
2010-01-13 13:36:56 0 d-----w- c:\docume~1\sabrina\applic~1\Smart-Ads-Solutions
2010-01-13 13:36:33 0 d-----w- c:\docume~1\sabrina\applic~1\Messenger
2010-01-13 13:36:31 0 d-----w- c:\program files\ezLife
2010-01-13 13:36:29 0 d-----w- c:\program files\Smart-Ads-Solutions
2010-01-13 06:19:43 34662400 -c--a-w- C:\MediaWiper.iso
2010-01-13 06:18:02 32094208 -c--a-w- C:\WipeDrive.iso
2010-01-13 00:23:33 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-01-10 07:42:48 0 d-----w- c:\program files\Collapse!
2010-01-09 07:56:53 603904 ----a-w- c:\windows\system32\TUProgSt.exe
2010-01-09 07:56:45 0 d-----w- c:\docume~1\sabrina\applic~1\TuneUp Software
2010-01-09 07:56:07 0 d-----w- c:\docume~1\alluse~1\applic~1\TuneUp Software
2010-01-09 07:55:12 0 d-sh--w- c:\docume~1\alluse~1\applic~1\{55A29068-F2CE-456C-9148-C869879E2357}
2010-01-08 00:55:52 32592 ----a-w- c:\windows\system32\msonpmon.dll
2010-01-08 00:40:22 0 d-----w- c:\program files\Microsoft Visual Studio 8
2010-01-07 02:17:05 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-01-07 00:32:38 435 ----a-w- c:\windows\cncscore.ini
2010-01-07 00:27:36 0 d-----w- c:\program files\Jack Games
2010-01-06 08:58:51 0 d-----w- c:\docume~1\sabrina\applic~1\Curious Sense
2010-01-06 08:58:51 0 d-----w- c:\docume~1\alluse~1\applic~1\Curious Sense
2010-01-06 00:59:57 0 d-----r- c:\program files\Skype
2010-01-06 00:38:32 676720 ----a-w- c:\windows\system32\LCCoin30.dll
2010-01-06 00:37:47 0 d-----w- c:\program files\Microsoft LifeCam
2010-01-05 04:25:16 0 d-----w- c:\program files\CCTools
2010-01-05 01:09:29 0 d-----w- c:\program files\Yahoo! Games

==================== Find3M ====================

2010-01-26 05:37:40 638816 ----a-w- c:\windows\system32\dllcache\iexplore.exe
2010-01-15 02:20:16 159744 ----a-w- c:\windows\system32\hkcmd.exe
2009-12-23 01:07:58 301056 ----a-w- c:\windows\system32\cfyurkgc.dll
2009-12-23 01:07:40 319488 ----a-w- c:\windows\system32\icxloazf.dll
2009-12-21 13:19:18 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-12-10 20:30:43 156672 ------w- c:\windows\system32\rmc_fixasf.exe
2009-12-10 20:30:42 237568 ------w- c:\windows\system32\rmc_rtspdl.dll
2009-12-10 20:05:10 3448 ----a-w- c:\program files\TubeHoardertmp.dat
2009-12-01 05:57:54 117193 ----a-w- c:\windows\hpoins11.dat
2009-11-14 00:47:32 90112 ------w- c:\windows\system32\dpl100.dll
2009-11-14 00:47:28 856064 ------w- c:\windows\system32\divx_xx0c.dll
2009-11-14 00:47:28 856064 ------w- c:\windows\system32\divx_xx07.dll
2009-11-14 00:47:28 847872 ------w- c:\windows\system32\divx_xx0a.dll
2009-11-14 00:47:28 843776 ------w- c:\windows\system32\divx_xx16.dll
2009-11-14 00:47:28 839680 ------w- c:\windows\system32\divx_xx11.dll
2009-11-14 00:47:28 696320 ------w- c:\windows\system32\DivX.dll
2009-10-25 02:35:52 452016 ----a-w- c:\program files\Uninstall Fun Web Products.dll
2009-10-24 09:03:15 46334188 ----a-w- c:\program files\Ricochet Infinity.rar
2009-02-17 07:38:50 266 --sha-w- c:\program files\desktop.ini
2009-02-17 07:38:50 11079 -c-ha-w- c:\program files\folder.htt

============= FINISH: 6:06:59.06 ===============
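
A helper reads a log like the one above by hand. As an added example, not part of this thread and not code from DDS, OTC or any other tool named here, the following Python script applies a few of the same checks mechanically: autostart entries (uRun/mRun/BHO/TB and friends) whose binaries live in a directory a normal user can write to, rundll32 launchers (the running-process list only ever shows rundll32.exe; the autostart line is what reveals the DLL and export it was handed), drivers whose image sits under a profile or %TEMP% or has an unusual extension, orphaned toolbar entries, and Firefox search preferences redirected to an external host. The sample lines are constructed from entries in the log above; the rule names, the USER_WRITABLE markers and the regular expressions are my own choices and assumptions. A flag means "look closer", not "malware".

```python
"""
Triage heuristics for a DDS log (the "Pseudo HJT Report", SERVICES / DRIVERS and
FIREFOX sections).  Added example for this thread; it is not part of DDS, OTC or
any other tool used here.  Every flag is a prompt to look closer, not a verdict.
"""
import re
from typing import Dict, List, Tuple

# Directories an unprivileged Windows XP user can write to (assumed markers).  Code
# that auto-starts from one of these deserves a look: an installer that ran with
# admin rights would normally have put its binaries under Program Files or System32.
USER_WRITABLE = ("\\documents and settings\\", "\\docume~1\\", "\\temp\\")

# DDS prefixes for things that run or load automatically.
AUTOSTART_KINDS = {"urun", "mrun", "bho", "tb", "seh", "ssodl", "notify", "handler"}

# rundll32.exe "<dll>",<export>  (quotes optional).  The process list only shows
# rundll32.exe; the autostart line is what tells you which DLL it was given.
RUNDLL = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?\s*,\s*(?P<entry>\S+)', re.I)
# DDS service line: <R|S><n> <name>;<display>;<image ...> [<date> <size>] or [?]
SERVICE = re.compile(r"^(?P<type>[RS]\d)\s+(?P<name>[^;]+);[^;]*;(?P<image>.+)$")
FF_SEARCH = re.compile(
    r"^FF - prefs\.js: (?P<pref>browser\.search\.defaulturl|keyword\.URL) - (?P<url>\S+)", re.I)

Finding = Tuple[str, str, str]  # (rule, detail, original line)


def in_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def triage_line(line: str) -> List[Finding]:
    """Apply every heuristic to one DDS line and return the findings (possibly none)."""
    text = line.strip()
    low = text.lower()
    hits: List[Finding] = []

    kind = low.split(":", 1)[0]
    if kind in AUTOSTART_KINDS:
        if low.endswith("no file"):
            hits.append(("orphan", "autostart points at a file that is gone (cleanup, not infection)", text))
        m = RUNDLL.search(text)
        if m:
            hits.append(("rundll32-loader", f"rundll32 loads {m['dll']} and calls {m['entry']}", text))
        if in_user_writable(low):
            hits.append(("user-writable-autostart", "auto-started code lives in a per-user writable directory", text))

    m = SERVICE.match(text)
    if m:
        image = m["image"].split(" --> ")[-1]                    # DDS repeats the resolved path after -->
        image = re.sub(r"\s*\[[^\]]*\]\s*$", "", image).strip()  # drop trailing [date size] or [?]
        if in_user_writable(image):
            hits.append(("driver-in-user-dir", f"{m['type']} {m['name']} loads {image}", text))
        if not image.lower().endswith((".sys", ".exe")):
            hits.append(("odd-driver-extension", f"{m['type']} {m['name']} image is {image}", text))

    m = FF_SEARCH.match(text)
    if m:
        host = m["url"].split("/")[2] if m["url"].count("/") >= 2 else m["url"]
        hits.append(("search-redirect", f"{m['pref']} sends queries to {host}", text))

    return hits


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over a whole DDS log and collect the findings."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        findings.extend(triage_line(line))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per rule, handy for a first glance at a long log."""
    counts: Dict[str, int] = {}
    for rule, _, _ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


# Constructed sample: a few lines in DDS format, adapted from the log posted in this thread.
SAMPLE_LOG = """\
uRun: [ctfmon.exe] c:\\windows\\system32\\ctfmon.exe
uRun: [IgfxSys] rundll32.exe "c:\\documents and settings\\sabrina\\application data\\messenger\\drivers\\IgfxSys.dll",StartProtector
uRun: [SansaDispatch] c:\\documents and settings\\sabrina\\application data\\sandisk\\sansa updater\\SansaDispatch.exe
BHO: MessengerUpdate Class: {5948a52a-ba3a-49a8-bcaf-d578502bda9d} - c:\\documents and settings\\sabrina\\application data\\messenger\\drivers\\MsgUpdate.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
S3 cpuz128;cpuz128;\\??\\c:\\docume~1\\sabrina\\locals~1\\temp\\cpuz_x32.sys --> c:\\docume~1\\sabrina\\locals~1\\temp\\cpuz_x32.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\\??\\c:\\windows\\system32\\131.tmp --> c:\\windows\\system32\\131.tmp [?]
R1 MpFilter;Microsoft Malware Protection Driver;c:\\windows\\system32\\drivers\\MpFilter.sys [2009-6-18 142832]
FF - prefs.js: keyword.URL - hxxp://www.greatsearchnow.com/greatsearch.aspx?category=web&query=
"""

if __name__ == "__main__":
    for rule, detail, line in triage(SAMPLE_LOG):
        print(f"[{rule}] {detail}\n    {line}")
```

Run it on a saved DDS log with `triage(open("dds.txt").read())` and read the flagged lines in context. Note what the output does and does not say: the SanDisk updater trips the same user-writable rule as the messenger\drivers entries, and anti-rootkit scanners that install short-lived drivers are a common benign cause of odd-looking service entries, so compare each flagged entry's creation date with when you ran your own tools before drawing any conclusion.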

#14 extremeboy
  • Malware Response Team
  • 12,975 posts

Posted 02 February 2010 - 04:20 PM

Looks good. Let's cleanup.

Please follow/read the steps below to remove the tools we used, purge System Restore, and for some more information.

Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double-click the icon to start the program. If you are using Vista, please right-click and choose Run as administrator.
  • Then click the big button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.

Create a New System Restore Point <- Very Important

Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory that your tools cannot access to delete these files, they can sometimes reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok"
  • Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" Tab.
  • Click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.

System a bit slow? Try StartupLite

You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve performance.

If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware.


Congratulations! You now appear clean!

Now that you are clean, please follow and read some of the prevention tips below.

Preventing Infections in the Future


Please also have a look at the following links, giving some advice and tips to protect yourself against malware and reduce the potential for re-infection:

Some of the main things you should consider to perform/read are:
  • Disabling Autorun/Play on Flash-Drive/Removable Drives
  • Avoid gaming sites, underground web pages, pirated software sites, and peer-to-peer programs
  • Keep Windows updated by going to Windows Update
  • Updating non-Microsoft programs
  • Keeping security software updated

It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Update all programs regularly - Make sure you update all the programs you have installed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Glad I was able to help, and thank you for choosing Bleeping Computer as your malware removal source.
Don't forget to tell your friends about us, and good luck!


If you have no more questions, comments or problems please tell us, so we can close off the topic.

Thanks

With Regards,
Extremeboy

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free, but if you wish to show your appreciation, you may wish to.

#15 mystycgurl
  • Topic Starter
  • Members
  • 8 posts

Posted 02 February 2010 - 05:02 PM

OMG!!! I just want to say a million, billion, trillion, gazillion, X's THANK YOU!!! Thank you very much.



