Malware infected - Browser Redirects - DCOM Process - Plug&Play Disabled - Scheduled Reboots


  • This topic is locked
47 replies to this topic

#1 misterklos

misterklos

  • Members
  • 28 posts
  • OFFLINE
  • Local time:09:40 PM

Posted 26 January 2010 - 05:47 AM

Hello Everyone!

I am new here. I found this page with Google when I was looking for help to rid my laptop of some annoying errors.

Since last week my laptop got several problems:

To begin with, it started rebooting, and I only found out it did when I came back to my laptop and found everything closed. I started wondering what had happened, and after I waited for around 5 minutes some windows popped up saying the DCOM process had an error and the system had automatically written a reboot into my schedule. Also the Windows host process svchost.exe crashed.
My laptop is in Japanese and I don't know if anyone here can read it, so I am just posting the data Windows gave me for the crash in that little window that usually pops up:

問題イベント名: BEX
アプリケーション名: svchost.exe
アプリケーションのバージョン: 6.0.6001.18000
アプリケーションのタイムスタンプ: 47918b89
障害モジュールの名前: StackHash_1703
障害モジュールのバージョン: 0.0.0.0
障害モジュールのタイムスタンプ: 00000000
例外オフセット: 01f2f0a8
例外コード: c0000005
例外データ: 00000008
OS バージョン: 6.0.6001.2.1.0.768.3
ロケール ID: 1031
追加情報 1: 1703
追加情報 2: 2264db07e74365624c50317d7b856ae9
追加情報 3: 1344
追加情報 4: 875fa2ef9d2bdca96466e8af55d1ae6e

I just copied and pasted this in its usual form. Hope you can make something out of it.

Other symptoms I noticed were that all Plug&Play devices were disabled, including my laptop's built-in speakers and USB drives, but strangely excluding my wireless mouse...

Furthermore, my browser (I use Mozilla Firefox) started to redirect to different pages in a new tab using the words I typed into the Google search bar.

I updated Firefox but the problem is still there, though it doesn't occur as often as before. I thought someone had his little Trojan in the game here and used it to start some botnet attacks. AntiVir pops up most of the time Firefox does that.

I ran scans with AntiVir, Ad-Aware and MalwareBytes and found nothing with AntiVir, 1 Trojan with Ad-Aware and 1 Spybot with MalwareBytes.
Ad-Aware found the Win32.Trojan.Spy inside a game directory, and MalwareBytes found the Broken.OpenCommand inside my registry at HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Data: "regedit.exe""%1") - both are quarantined at the moment.

As I couldn't find out anything else, I registered here. The problem is still there and it hasn't changed much!

Here is my HijackLog:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:02:42, on 26.01.2010
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18294)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\RegCure\RegCure.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\MFP Server\App\Common\MFPAgent.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\ServoApp.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Innovative Solutions\DriverMax\devices.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Logicool\SetPoint\SetPoint.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\wermgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch...amp;M=P-6861jFX
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch...amp;M=P-6861jFX
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch...amp;M=P-6861jFX
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch...amp;M=P-6861jFX
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html?Ch...amp;M=P-6861jFX
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [Cm106Sound] RunDll32 cm106.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [GDI Manager] "C:\Program Files\MFP Server\App\Common\MFPAgent.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Server Application] C:\Windows\system32\ServoApp.exe
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKCU\..\Run: [EPSON Stylus SX400 Series] C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIEGE.EXE /FU "C:\Users\Fox\AppData\Local\Temp\E_SB02C.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [DriverMax] "C:\Program Files\Innovative Solutions\DriverMax\devices.exe" -agent
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User '?')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User '?')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User '?')
O4 - HKUS\S-1-5-21-996301808-105016373-1665267237-1000\..\Run: [] (User '?')
O4 - HKUS\S-1-5-21-996301808-105016373-1665267237-1000\..\Run: [DriverMax] "C:\Program Files\Innovative Solutions\DriverMax\devices.exe" -agent (User '?')
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logicool\SetPoint\SetPoint.exe
O4 - Global Startup: VPN Client.lnk = ?
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O13 - Gopher Prefix:
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour-Dienst (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Program Files\Nero\Nero BackItUp 4\IoctlSvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Remote Procedure Call (RPC) Net (rpcnet) - Absolute Software Corp. - C:\Windows\system32\rpcnet.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: TuneUp Utilities Service (TuneUp.UtilitiesSvc) - TuneUp Software - C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe

--
End of file - 9002 bytes


I found out how to abort the reboot process using shutdown -a!

Will add DDS files if requested! As for GMER, I know it might be necessary to run it. I want to add that it freezes after some seconds when I use it. Just for your information.

I appreciate any help and thank you for selflessly using your time to help others like me.


Will wait for further instructions

- misterklos

Edited by misterklos, 26 January 2010 - 05:52 AM.



#2 misterklos

misterklos
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  • Local time:09:40 PM

Posted 27 January 2010 - 02:07 PM

I hear there were similar errors, but I am not sure if the way they did it works for me too.
I am kinda scared to do any harm to my system.

I'll stay tuned

#3 misterklos

misterklos
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  • Local time:09:40 PM

Posted 30 January 2010 - 08:24 PM

I get bluescreens popping up now from time to time, but they are too fast to read. It just shuts down in milliseconds....

I also found out to get my speakers back with services.msc !

Staying tuned for help

#4 misterklos

misterklos
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  • Local time:09:40 PM

Posted 31 January 2010 - 06:50 AM

Do you need any other logs? Or more information?

===========

Hello

While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large as are other comparable sites that help others with malware issues. Although our HJT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level attempted removal could result in disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, neither of us want someone to assist you who is not familiar with your issue and attempt to fix it.

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the HJT Team. The reason we ask this or do not respond to your requests is because that would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not multiple post here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take several days, up to two weeks perhaps less, to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

Thank you for understanding.

Orange Blossom ~ forum moderator

Edited by Orange Blossom, 31 January 2010 - 10:31 AM.


#5 DocSatan

DocSatan

    Bleepin' Wanna-Be


  • Members
  • 2,156 posts
  • OFFLINE
  • Gender:Male
  • Location:Boston, Ma.
  • Local time:04:40 PM

Posted 02 February 2010 - 12:24 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

#6 misterklos

misterklos
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  • Local time:09:40 PM

Posted 02 February 2010 - 07:06 PM

Thank you for your reply.

The problem still exists, but it has slightly changed. I don't get bluescreens anymore after running Ad-Aware, CrapCleaner and RegCure a couple of times.
The browser problem still exists and suddenly opens tabs to game sites, betting sites and a site that only shows a little cutout of the Adobe PDF Reader save and print icons. If I get redirected to that one, AntiVir usually alerts me that some virus or malware was detected.

Here is the DDS log:


DDS (Ver_09-12-01.01) - NTFSx86
Run by Fox at 0:58:40.91 on 03.02.2010
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_13
SP: ZoneAlarm Anti-Spyware *enabled* (Outdated) {F245A209-1085-48B4-B927-35D56015EC60}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============


============== Pseudo HJT Report ===============

uStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=JPN_JP&Sys=PTB&M=P-6861jFX
uDefault_Page_URL = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=JPN_JP&Sys=PTB&M=P-6861jFX
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=JPN_JP&Sys=PTB&M=P-6861jFX
mDefault_Page_URL = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=JPN_JP&Sys=PTB&M=P-6861jFX
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=JPN_JP&Sys=PTB&M=P-6861jFX
uURLSearchHooks: N/A: {00a6faf6-072e-44cf-8957-5838f569a31d} - c:\program files\mywebsearch\bar\1.bin\MWSSRCAS.DLL
BHO: MyWebSearch Search Assistant BHO: {00a6faf1-072e-44cf-8957-5838f569a31d} - c:\program files\mywebsearch\bar\1.bin\MWSSRCAS.DLL
BHO: mwsBar BHO: {07b18ea1-a523-4961-b6bb-170de4475cca} - c:\program files\mywebsearch\bar\1.bin\MWSBAR.DLL
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - c:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
TB: My Web Search: {07b18ea9-a523-4961-b6bb-170de4475cca} - c:\program files\mywebsearch\bar\1.bin\MWSBAR.DLL
uRun: [<NO NAME>]
uRun: [EPSON Stylus SX400 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatiege.exe /fu "c:\users\fox\appdata\local\temp\E_SB02C.tmp" /EF "HKCU"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
uRun: [MyWebSearch Email Plugin] c:\progra~1\mywebs~1\bar\1.bin\mwsoemon.exe
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [Cm106Sound] RunDll32 cm106.cpl,CMICtrlWnd
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [GDI Manager] "c:\program files\mfp server\app\common\MFPAgent.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Server Application] c:\windows\system32\ServoApp.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [My Web Search Bar Search Scope Monitor] "c:\progra~1\mywebs~1\bar\1.bin\m3SrchMn.exe" /m=2 /w /h
mRun: [MyWebSearch Email Plugin] c:\progra~1\mywebs~1\bar\1.bin\mwsoemon.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\bttray.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logicool\setpoint\SetPoint.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{51fb15f4-ad27-43bc-ad4b-dd0354fb6bbd}\Icon3E5562ED7.ico
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &Search - http://edits.mywebsearch.com/toolbaredits/...html?p=GRfox000
IE: ????? Bluetooth ???????(&B)... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: ???? Bluetooth ???????(&B)... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\fox\appdata\roaming\mozilla\firefox\profiles\uqpcp3rt.default\
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\media convert master\codec\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\media convert master\codec\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\mywebsearch\bar\1.bin\NPMYWEBS.DLL
FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\npWebPlayerVideoPluginATL.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.notify.interval - 600000
FF - user.js: content.switch.threshold - 600000
FF - user.js: nglayout.initialpaint.delay - 600
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2010-02-01 18:25:46 28672 ----a-w- c:\windows\system32\f3PSSavr.scr
2010-02-01 18:25:46 0 d-----w- c:\program files\FunWebProducts
2010-02-01 18:25:45 0 d-----w- c:\program files\MyWebSearch
2010-01-27 23:45:26 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2010-01-26 10:02:17 0 d-----w- c:\program files\Trend Micro
2010-01-21 17:40:25 0 d-----w- c:\users\fox\appdata\roaming\Malwarebytes
2010-01-21 17:40:18 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-21 17:40:14 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-21 17:40:14 0 d-----w- c:\programdata\Malwarebytes
2010-01-21 17:40:13 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-17 21:41:37 95 ----a-w- c:\windows\crackpdf.INI
2010-01-14 09:49:02 0 dc-h--w- c:\programdata\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-01-12 12:28:55 0 d-----w- c:\program files\WinSCP
2010-01-11 20:03:00 0 d-----w- c:\program files\ElcomSoft
2010-01-11 19:52:13 0 d-----w- c:\program files\Information Packaging
2010-01-11 19:38:22 0 d-----w- c:\program files\RAR Password Cracker
2010-01-11 09:59:14 0 d-----w- c:\program files\PowerArchiver
2010-01-08 23:06:29 0 d-----w- c:\windows\pss
2010-01-08 23:00:58 0 d-----w- c:\program files\CCleaner
2010-01-06 20:04:57 0 d-----w- c:\program files\JDownloader

==================== Find3M ====================

2010-02-02 20:16:00 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2010-02-02 20:15:52 56680 ----a-w- c:\windows\system32\rpcnet.dll
2010-02-02 20:15:52 17408 ----a-w- c:\windows\system32\rpcnetp.dll
2010-02-02 20:15:13 422050 ----a-w- c:\programdata\nvModes.dat
2010-01-15 01:22:53 376442 ----a-w- c:\windows\system32\perfh011.dat
2010-01-15 01:22:53 101350 ----a-w- c:\windows\system32\perfc011.dat
2009-12-31 15:25:39 86016 ----a-w- c:\windows\inf\infstor.dat
2009-12-31 15:25:39 51200 ----a-w- c:\windows\inf\infpub.dat
2009-12-31 15:25:39 143360 ----a-w- c:\windows\inf\infstrng.dat
2009-12-31 15:25:21 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
2009-12-31 14:05:07 604488 ----a-w- c:\windows\system32\TUProgSt.exe
2009-12-31 14:04:42 361288 ----a-w- c:\windows\system32\TuneUpDefragService.exe
2009-12-09 12:45:20 30536 ----a-w- c:\windows\system32\TURegOpt.exe
2009-12-07 19:45:21 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-11-14 16:43:52 81920 ----a-w- c:\users\fox\appdata\roaming\ezpinst.exe
2009-11-14 16:43:52 47360 ----a-w- c:\users\fox\appdata\roaming\pcouffin.sys
2008-06-11 18:10:45 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-01-21 07:25:08 30674 ----a-w- c:\windows\inf\perflib\0411\perfd.dat
2008-01-21 07:25:08 30674 ----a-w- c:\windows\inf\perflib\0411\perfc.dat
2008-01-21 07:25:08 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2008-01-21 07:25:08 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2008-01-21 07:25:08 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2008-01-21 07:25:08 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2008-01-21 07:25:08 139030 ----a-w- c:\windows\inf\perflib\0411\perfi.dat
2008-01-21 07:25:08 139030 ----a-w- c:\windows\inf\perflib\0411\perfh.dat
2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 1:01:03.19 ===============
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)


==== Disk Partitions =========================


==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

32 Bit HP CIO Components Installer
7500_7600_7700_Help
A Vampyre Story
ABBYY FineReader 6.0 Sprint
Acoustica MP3 CD Burner
Acrobat.com
Ad-Aware
Adobe AIR
Adobe Anchor Service CS4
Adobe Bridge CS4
Adobe CMaps CS4
Adobe Color - Photoshop Specific CS4
Adobe Color EU Recommended Settings CS4
Adobe Color JA Extra Settings CS4
Adobe Color NA Extra Settings CS4
Adobe Color Video Profiles CS CS4
Adobe CSI CS4
Adobe Default Language CS4
Adobe Device Central CS4
Adobe Drive CS4
Adobe ExtendScript Toolkit CS4
Adobe Extension Manager CS4
Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Fonts All
Adobe Linguistics CS4
Adobe Media Player
Adobe Output Module
Adobe PDF Library Files CS4
Adobe Photoshop CS4
Adobe Photoshop CS4 Support
Adobe Reader 9.2
Adobe Search for Help
Adobe Service Manager Extension
Adobe Setup
Adobe Type Support CS4
Adobe Update Manager CS4
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS4
AdobeColorCommonSetCMYK
AdobeColorCommonSetRGB
Advanced Archive Password Recovery
Advertising Center
Anki
Anonymity 1.1
pPbgʐMœKc[
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Ashampoo Burning Studio 9.20
ASIO4ALL
Ask Toolbar
au W53CA Software
AusLogics Emergency Recovery
Avira AntiVir Personal - Free Antivirus
BigFix
BioShock Demo
Bonjour
Borderlands
BPD_HPSU
BPD_Scan
BPDSoftware
BPDSoftware_Ini
BufferChm
Cakewalk VST Adapter 4.4.4.0
Camera Assistant Software for Gateway
Camera RAW Plug-In for EPSON Creativity Suite
Camtasia Studio 6
CCleaner
CDDRV_Installer
Cisco Systems VPN Client 5.0.04.0300
Collab
Connect
Counter-Strike
CreepSmash.com
Crysis®
CyberLink PowerDVD 9
Dead Space
Destinations
DeviceManagementQFolder
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Web Player
DriverAgent by eSupport.com
DriverMax 5
DVD Suite
EPSON Attach To Email
EPSON Easy Photo Print
EPSON File Manager
EPSON Scan
EPSON Scan Assistant
EPSON Stylus SX200_SX400_TX200_TX400 Handbuch
EPSON Stylus SX400 Series Printer Uninstall
erLT
eSupportQFolder
Exact Audio Copy 0.99pb4
Fallout 3
Fallout 3 - Complete DLC Pack
Fallout Mod Manager 0.9.14
Fax
ffdshow [rev 2975] [2009-05-28]
FL Studio 8
foobar2000 v1.0
Free Audio CD Burner version 1.2
Free PDF to Word Doc Converter v1.1
Free Studio version 4.2
Free YouTube to MP3 Converter version 3.2
FreeZ Online TV v1.20
GameCenter
Gateway Recovery Center Installer
getPlus® for Adobe
Google Earth
Google Earth Pro
Google Update Helper
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Imaging Device Functions 8.0
HP Officejet Pro All-In-One Series
HP Solution Center 8.0
HPProductAssistant
IDT Audio
IL Download Manager
iTunes
Japanese Fonts Support For Adobe Reader 9
Java™ 6 Update 13
Java™ 6 Update 4
Java™ 6 Update 5
JDownloader
K-Lite Mega Codec Pack 2.01
KhalInstallWrapper
kuler
L7500
LimeWire PRO 4.16.2
Logitech SetPoint
Magic DVD Ripper V5.4.2
Magic ISO Maker v5.5 (build 0276)
Magic Workstation 0.94f
Malwarebytes' Anti-Malware
Media Convert Master 8.4.1.202
Microsoft .NET Framework 3.5 Language Pack SP1 - ???
Microsoft .NET Framework 3.5 Language Pack SP1 - jpn
Microsoft .NET Framework 3.5 SP1
Microsoft Games for Windows - LIVE
Microsoft Games for Windows - LIVE Redistributable
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Mozilla Firefox (3.6)
Mozilla Thunderbird (3.0.1)
MSXML 4.0 SP2 (KB954430)
MTG Full Card Scans (up to Eventide)
MTG GamePack for Magic Workstation
My Web Search (My Web Face)
Nero 6 Demo
Nero BackItUp
Nero BackItUp 4 Essentials
Nero ControlCenter
Nero Installer
Nero Online Upgrade
NetDeviceManager
NVIDIA Drivers
NVIDIA PhysX
OpenOffice.org 3.1
PDF Settings CS4
Photoshop Camera Raw
PoiZone
Power2Go 5.0
PowerArchiver 2010
PowerDVD
ProductContext
PunkBuster Services
QuickTime
RAR Password Cracker 4.12
RAR Password Finder
Real Alternative 1.9.0
Realtek 8169 PCI, 8168 and 8101E PCIe Ethernet Network Card Driver for Windows Vista
Realtek USB 2.0 Card Reader
RegCure 2.0.0.0
RUBICon
Scan
SCR33xx USB Smartcard Reader
Skype 3.8
SolutionCenter
SONAR 5 Producer Edition
Status
Steam
Suite Shared Configuration CS4
Synaptics Pointing Device Driver
System Requirements Lab
TallStick TS-AudioToMIDI 3.30 (remove only)
TeamSpeak 2 RC2
The Owner Free File System 0.19.31
Toolbox
Toxic Biohazard
TrayApp
TuneUp Utilities
TuneUp Utilities Language Pack (de-DE)
UltraISO Premium V9.2
Uninstall 1.0.0.1
UnloadSupport
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
USB Multi-Channel Audio Device
VC 9.0 Runtime
VC80CRTRedist - 8.0.50727.762
Veoh Player
Veoh Web Player
VLC media player 1.0.1
Vuze
WBFS Manager 3.0
WebReg
WIDCOMM Bluetooth Software 6.0.1.5400
Windows Live installer
Windows Live Messenger
Windows Live Photo Gallery
Windows Media Player Firefox Plugin
WinRAR
WinSCP 4.2.5
ZoneAlarm

==== End Of File ===========================


#7 schrauber (Mr.Mechanic, Malware Response Team, Munich, Germany)

Posted 03 February 2010 - 12:07 PM

Hello, misterklos
Welcome to the Bleeping Computer Forums. My name is Thomas (Tom is fine), and I will be helping you fix your problems.

If you do not make a reply in 5 days, we will have to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.
  • Please set your system to show all files.
    Click Start, open My Computer, select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.




Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
regards,
schrauber

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.

#8 misterklos (Topic Starter)

Posted 03 February 2010 - 02:20 PM

I ran GMER but it froze at some point, so I ran it in Safe Mode and it went all the way.
Here is the text file:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-03 20:01:08
Windows 6.0.6001 Service Pack 1
Running: bxdz7iju.exe; Driver: C:\Users\Fox\AppData\Local\Temp\kfldypog.sys


---- System - GMER 1.0.15 ----

INT 0x51 ? 86113BF8
INT 0x62 ? 86113BF8
INT 0x72 ? 84B6ABF8
INT 0x82 ? 84B6ABF8
INT 0x92 ? 86113BF8
INT 0xA2 ? 84B6ABF8
INT 0xA2 ? 84B6ABF8
INT 0xA2 ? 86113BF8
INT 0xA2 ? 86113BF8
INT 0xA2 ? 84B6ABF8
INT 0xB2 ? 84B69BF8
INT 0xB3 ? 86113BF8

---- Kernel code sections - GMER 1.0.15 ----

? System32\Drivers\sphj.sys ???????????????? !
.text USBPORT.SYS!DllUnload 8A93B46F 5 Bytes JMP 861131D8
.text a9grgmoq.SYS 8A771000 22 Bytes [26, 52, 5C, 82, 10, 51, 5C, ...]
.text a9grgmoq.SYS 8A771017 159 Bytes [00, 32, B7, D9, 82, 3D, B5, ...]
.text a9grgmoq.SYS 8A7710B7 22 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text a9grgmoq.SYS 8A7710CE 80 Bytes [00, 00, 26, 00, 00, 00, E0, ...]
.text a9grgmoq.SYS 8A77111F 194 Bytes [7E, 38, 40, 39, 82, 3B, C4, ...]
.text ...
.text C:\Windows\system32\drivers\ACEDRV05.sys section is writeable [0x8E6DD000, 0x30A4A, 0xE8000020]
.pklstb C:\Windows\system32\drivers\ACEDRV05.sys entry point in ".pklstb" section [0x8E71F000]
.relo2 C:\Windows\system32\drivers\ACEDRV05.sys unknown last section [0x8E73A000, 0x8E, 0x42000040]

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[600] ole32.dll!CoCreateInstance 757FE188 5 Bytes JMP 008E000A

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [82C926D2] \SystemRoot\System32\Drivers\sphj.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [82C92040] \SystemRoot\System32\Drivers\sphj.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [82C927FC] \SystemRoot\System32\Drivers\sphj.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUshort] [82C920BE] \SystemRoot\System32\Drivers\sphj.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [82C9213C] \SystemRoot\System32\Drivers\sphj.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [82CA2048] \SystemRoot\System32\Drivers\sphj.sys
IAT \SystemRoot\System32\Drivers\a9grgmoq.SYS[ataport.SYS!AtaPortNotification] F73BFF33
IAT \SystemRoot\System32\Drivers\a9grgmoq.SYS[ataport.SYS!AtaPortWritePortUchar] B85F0B75
IAT \SystemRoot\System32\Drivers\a9grgmoq.SYS[ataport.SYS!AtaPortWritePortUlong] FFFFFFFE
IAT \SystemRoot\System32\Drivers\a9grgmoq.SYS[ataport.SYS!AtaPortGetPhysicalAddress] 08C25D5E
IAT \SystemRoot\System32\Drivers\a9grgmoq.SYS[ataport.SYS!AtaPortConvertPhysicalAddressToUlong] 5D8B5300
IAT \SystemRoot\System32\Drivers\a9grgmoq.SYS[ataport.SYS!AtaPortGetScatterGatherList] 74DF3B0C
IAT \SystemRoot\System32\Drivers\a9grgmoq.SYS[ataport.SYS!AtaPortReadPortUchar] 01FB8311
IAT \SystemRoot\System32\Drivers\a9grgmoq.SYS[ataport.SYS!AtaPortStallExecution] 5F5B0C74
IAT \SystemRoot\System32\Drivers\a9grgmoq.SYS[ataport.SYS!AtaPortGetParentBusType] FFFFFEB8
IAT \SystemRoot\System32\Drivers\a9grgmoq.SYS[ataport.SYS!AtaPortRequestCallback] C25D5EFF
IAT \SystemRoot\System32\Drivers\a9grgmoq.SYS[ataport.SYS!AtaPortWritePortBufferUshort] 7E390008
IAT \SystemRoot\System32\Drivers\a9grgmoq.SYS[ataport.SYS!AtaPortGetUnCachedExtension] C7077524
IAT \SystemRoot\System32\Drivers\a9grgmoq.SYS[ataport.SYS!AtaPortCompleteRequest] F1642446
IAT \SystemRoot\System32\Drivers\a9grgmoq.SYS[ataport.SYS!AtaPortMoveMemory] 7E398A77
IAT \SystemRoot\System32\Drivers\a9grgmoq.SYS[ataport.SYS!AtaPortCompleteAllActiveRequests] C7077528
IAT \SystemRoot\System32\Drivers\a9grgmoq.SYS[ataport.SYS!AtaPortReleaseRequestSenseIrb] F1902846
IAT \SystemRoot\System32\Drivers\a9grgmoq.SYS[ataport.SYS!AtaPortBuildRequestSenseIrb] 468B8A77
IAT \SystemRoot\System32\Drivers\a9grgmoq.SYS[ataport.SYS!AtaPortReadPortUshort] 244E8B2C
IAT \SystemRoot\System32\Drivers\a9grgmoq.SYS[ataport.SYS!AtaPortReadPortBufferUshort] 7468016A
IAT \SystemRoot\System32\Drivers\a9grgmoq.SYS[ataport.SYS!AtaPortInitialize] 500000FA
IAT \SystemRoot\System32\Drivers\a9grgmoq.SYS[ataport.SYS!AtaPortGetDeviceBase] C73BD1FF
IAT \SystemRoot\System32\Drivers\a9grgmoq.SYS[ataport.SYS!AtaPortDeviceStateChange] 5F5B0C75

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[1244] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74127BA4] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1244] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [741698C5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1244] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7412D3C8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1244] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7411F527] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1244] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [74127599] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1244] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [7411E43D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1244] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [7415B33D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1244] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [7412D68A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1244] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [7412012E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1244] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [74120095] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1244] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [741171F3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1244] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [741AD802] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1244] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [741475E1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1244] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [7411DAE1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1244] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [7411668F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1244] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [741166BA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1244] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74121E45] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8592C1F8

AttachedDevice \FileSystem\Ntfs \Ntfs SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc.)

Device \Driver\sptd \Device\2332169084 sphj.sys
Device \Driver\volmgr \Device\VolMgrControl 84B6C1F8
Device \Driver\usbuhci \Device\USBPDO-0 85FEA500
Device \Driver\usbuhci \Device\USBPDO-1 85FEA500
Device \Driver\usbehci \Device\USBPDO-2 86007500
Device \Driver\usbuhci \Device\USBPDO-3 85FEA500
Device \Driver\usbuhci \Device\USBPDO-4 85FEA500
Device \Driver\usbuhci \Device\USBPDO-5 85FEA500
Device \Driver\usbehci \Device\USBPDO-6 86007500
Device \Driver\volmgr \Device\HarddiskVolume1 84B6C1F8
Device \Driver\volmgr \Device\HarddiskVolume2 84B6C1F8
Device \Driver\cdrom \Device\CdRom0 8609A1F8
Device \Driver\cdrom \Device\CdRom1 8609A1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 8592A1F8
Device \Driver\atapi \Device\Ide\IdePort0 8592A1F8
Device \Driver\atapi \Device\Ide\IdePort1 8592A1F8
Device \Driver\atapi \Device\Ide\IdePort2 8592A1F8
Device \Driver\atapi \Device\Ide\IdePort3 8592A1F8
Device \Driver\iScsiPrt \Device\RaidPort0 8609F1F8
Device \Driver\PCI_PNP5070 \Device\0000005e sphj.sys
Device \Driver\usbuhci \Device\USBFDO-0 85FEA500
Device \Driver\usbuhci \Device\USBFDO-1 85FEA500
Device \Driver\usbehci \Device\USBFDO-2 86007500
Device \Driver\usbuhci \Device\USBFDO-3 85FEA500
Device \Driver\usbuhci \Device\USBFDO-4 85FEA500
Device \Driver\usbuhci \Device\USBFDO-5 85FEA500
Device \Driver\usbehci \Device\USBFDO-6 86007500
Device \Driver\Si3531 \Device\Scsi\Si35311 8592B1F8
Device \Driver\a9grgmoq \Device\Scsi\a9grgmoq1Port6Path0Target0Lun0 8609E1F8
Device \Driver\a9grgmoq \Device\Scsi\a9grgmoq1 8609E1F8
Device \Driver\Si3531 \Device\Scsi\Si35311Port4Path0Target1fLun0 8592B1F8
Device \FileSystem\cdfs \Cdfs 86373500
Device -> \Driver\atapi \Device\Harddisk0\DR0 85A41856

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@Bluetooth \x30c7\x30d0\x30a4\x30b9 (RFCOMM \x30d7\x30ed\x30c8\x30b3\x30eb TDI) 1?2?
Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@Bluetooth \x30c7\x30d0\x30a4\x30b9 (\x30d1\x30fc\x30bd\x30ca\x30eb \x30a8\x30ea\x30a2 \x30cd\x30c3\x30c8\x30ef\x30fc\x30af) 1?2?
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001e4cd631ac
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001f3aead861
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xE8 0xAF 0x65 0xCF ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xD3 0xEA 0xF5 0xD2 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xB6 0x5D 0xA1 0x8E ...
Reg HKLM\SYSTEM\ControlSet014\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@Bluetooth \x30c7\x30d0\x30a4\x30b9 (RFCOMM \x30d7\x30ed\x30c8\x30b3\x30eb TDI) 1?2?
Reg HKLM\SYSTEM\ControlSet014\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@Bluetooth \x30c7\x30d0\x30a4\x30b9 (\x30d1\x30fc\x30bd\x30ca\x30eb \x30a8\x30ea\x30a2 \x30cd\x30c3\x30c8\x30ef\x30fc\x30af) 1?2?
Reg HKLM\SYSTEM\ControlSet014\Services\BTHPORT\Parameters\Keys\001e4cd631ac (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet014\Services\BTHPORT\Parameters\Keys\001f3aead861 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet014\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet014\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet014\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xE8 0xAF 0x65 0xCF ...
Reg HKLM\SYSTEM\ControlSet014\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet014\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet014\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xD3 0xEA 0xF5 0xD2 ...
Reg HKLM\SYSTEM\ControlSet014\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet014\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet014\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xB6 0x5D 0xA1 0x8E ...
Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Users\Fox\Desktop\ 1
Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Users\Fox\Desktop\ 1

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 61: copy of MBR
Disk \Device\Harddisk0\DR0 sector 62: copy of MBR

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----



The gmer.log file as requested is saved!

I just have to say it again. Thank you! Tom, thank you!

Edited by misterklos, 03 February 2010 - 02:21 PM.


#9 schrauber (Mr.Mechanic, Malware Response Team, Munich, Germany)

Posted 03 February 2010 - 02:59 PM

Hi,

Please go here and have a look how you can disable your security software.

Download Combofix from any of the links below but rename it to before saving it to your desktop.

Link 1
Link 2



--------------------------------------------------------------------

Double click on the renamed Combofix.exe & follow the prompts.
    When finished, it will produce a report for you.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
regards,
schrauber


#10 misterklos (Topic Starter)

Posted 03 February 2010 - 07:03 PM

Ok, so here is what happened. Downloaded combofix.exe and renamed it to schrauber.exe.
I ran it after I closed ZoneAlarm and disabled AntiVir. Still, ComboFix said ZoneAlarm is running. I couldn't find the process, having enabled the task manager to show me all.
I ran ComboFix after all. System got rebooted and ComboFix popped up. Soon after, AntiVir popped up (autostart is enabled) and showed me some Trojan named PatchedGen. I chose to ignore it as I didn't want to have AntiVir interfere with ComboFix. ComboFix found trouble in the rootkit and had to restart again.
It went all the way down and set me back to my desktop and created a log file:

ComboFix 10-02-03.04 - Fox 04.02.2010 0:23.1.2 - x86
Microsoft Windows Vista Home Premium 6.0.6001.1.1252.1.1041.18.3070.2098 [GMT 1:00]
Running from: c:\users\Fox\Desktop\schrauber.exe
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: ZoneAlarm Anti-Spyware *enabled* (Outdated) {F245A209-1085-48B4-B927-35D56015EC60}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-996301808-105016373-1665267237-500
c:\program files\FunWebProducts
c:\program files\MyWebSearch
c:\program files\MyWebSearch\bar\1.bin\CHROME.MANIFEST
c:\program files\MyWebSearch\bar\1.bin\chrome\M3FFXTBR.JAR
c:\program files\MyWebSearch\bar\1.bin\F3BKGERR.JPG
c:\program files\MyWebSearch\bar\1.bin\F3CJPEG.DLL
c:\program files\MyWebSearch\bar\1.bin\F3DTACTL.DLL
c:\program files\MyWebSearch\bar\1.bin\F3HISTSW.DLL
c:\program files\MyWebSearch\bar\1.bin\F3HKSTUB.DLL
c:\program files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL
c:\program files\MyWebSearch\bar\1.bin\F3HTTPCT.DLL
c:\program files\MyWebSearch\bar\1.bin\F3POPSWT.DLL
c:\program files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR
c:\program files\MyWebSearch\bar\1.bin\F3REGHK.DLL
c:\program files\MyWebSearch\bar\1.bin\F3REPROX.DLL
c:\program files\MyWebSearch\bar\1.bin\F3RESTUB.DLL
c:\program files\MyWebSearch\bar\1.bin\F3SCHMON.EXE
c:\program files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL
c:\program files\MyWebSearch\bar\1.bin\F3SPACER.WMV
c:\program files\MyWebSearch\bar\1.bin\F3WALLPP.DAT
c:\program files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL
c:\program files\MyWebSearch\bar\1.bin\FWPBUDDY.PNG
c:\program files\MyWebSearch\bar\1.bin\INSTALL.RDF
c:\program files\MyWebSearch\bar\1.bin\M3AUXSTB.DLL
c:\program files\MyWebSearch\bar\1.bin\M3DLGHK.DLL
c:\program files\MyWebSearch\bar\1.bin\M3HIGHIN.EXE
c:\program files\MyWebSearch\bar\1.bin\M3HTml.dll
c:\program files\MyWebSearch\bar\1.bin\M3IDLE.DLL
c:\program files\MyWebSearch\bar\1.bin\M3IMPIPE.EXE
c:\program files\MyWebSearch\bar\1.bin\M3MEDINT.EXE
c:\program files\MyWebSearch\bar\1.bin\M3MSG.DLL
c:\program files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL
c:\program files\MyWebSearch\bar\1.bin\M3PLUGIN.DLL
c:\program files\MyWebSearch\bar\1.bin\M3SKIN.DLL
c:\program files\MyWebSearch\bar\1.bin\M3SKPLAY.EXE
c:\program files\MyWebSearch\bar\1.bin\M3SLSRCH.EXE
c:\program files\MyWebSearch\bar\1.bin\M3SRCHMN.EXE
c:\program files\MyWebSearch\bar\1.bin\MWSBAR.DLL
c:\program files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
c:\program files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL
c:\program files\MyWebSearch\bar\1.bin\MWSOESTB.DLL
c:\program files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL
c:\program files\MyWebSearch\bar\1.bin\MWSSVC.EXE
c:\program files\MyWebSearch\bar\1.bin\NPMYWEBS.DLL
c:\program files\MyWebSearch\bar\Avatar\COMMON.F3S
c:\program files\MyWebSearch\bar\Game\CHECKERS.F3S
c:\program files\MyWebSearch\bar\Game\CHESS.F3S
c:\program files\MyWebSearch\bar\Game\REVERSI.F3S
c:\program files\MyWebSearch\bar\icons\CM.ICO
c:\program files\MyWebSearch\bar\icons\MFC.ICO
c:\program files\MyWebSearch\bar\icons\PSS.ICO
c:\program files\MyWebSearch\bar\icons\SMILEY.ICO
c:\program files\MyWebSearch\bar\icons\WB.ICO
c:\program files\MyWebSearch\bar\icons\ZWINKY.ICO
c:\program files\MyWebSearch\bar\Message\COMMON.F3S
c:\program files\MyWebSearch\bar\Notifier\COMMON.F3S
c:\program files\MyWebSearch\bar\Notifier\DOG.F3S
c:\program files\MyWebSearch\bar\Notifier\FISH.F3S
c:\program files\MyWebSearch\bar\Notifier\KUNGFU.F3S
c:\program files\MyWebSearch\bar\Notifier\LIFEGARD.F3S
c:\program files\MyWebSearch\bar\Notifier\MAID.F3S
c:\program files\MyWebSearch\bar\Notifier\MAILBOX.F3S
c:\program files\MyWebSearch\bar\Notifier\OPERA.F3S
c:\program files\MyWebSearch\bar\Notifier\ROBOT.F3S
c:\program files\MyWebSearch\bar\Notifier\SEDUCT.F3S
c:\program files\MyWebSearch\bar\Notifier\SURFER.F3S
c:\program files\MyWebSearch\bar\Settings\s_pid.dat
c:\users\Fox\AppData\Roaming\inst.exe
c:\windows\system32\f3PSSavr.scr
c:\windows\system32\stacsv.exe
D:\Autorun.inf

Infected copy of c:\windows\system32\drivers\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
c:\windows\System32\autochk.exe . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_MyWebSearchService
-------\Service_STacSV


((((((((((((((((((((((((( Files Created from 2010-01-03 to 2010-02-03 )))))))))))))))))))))))))))))))
.

2010-02-03 23:35 . 2010-02-03 23:38 -------- d-----w- c:\users\Fox\AppData\Local\temp
2010-02-03 23:35 . 2010-02-03 23:35 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-02-03 22:55 . 2010-02-03 23:07 -------- dc----w- C:\32788R22FWJFW
2010-01-26 10:02 . 2010-01-26 10:02 -------- d-----w- c:\program files\Trend Micro
2010-01-21 17:40 . 2010-01-21 17:40 -------- d-----w- c:\users\Fox\AppData\Roaming\Malwarebytes
2010-01-21 17:40 . 2010-01-07 15:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-21 17:40 . 2010-01-21 17:40 -------- d-----w- c:\programdata\Malwarebytes
2010-01-21 17:40 . 2010-01-07 15:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-21 17:40 . 2010-01-21 17:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-14 09:49 . 2010-01-14 09:49 -------- dc-h--w- c:\programdata\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-01-12 12:28 . 2010-01-12 12:28 -------- d-----w- c:\program files\WinSCP
2010-01-11 20:03 . 2010-01-11 20:03 -------- d-----w- c:\program files\ElcomSoft
2010-01-11 19:52 . 2010-01-11 19:52 -------- d-----w- c:\program files\Information Packaging
2010-01-11 19:38 . 2010-01-11 19:38 -------- d-----w- c:\program files\RAR Password Cracker
2010-01-11 09:59 . 2010-01-11 10:00 -------- d-----w- c:\program files\PowerArchiver
2010-01-08 23:00 . 2010-01-08 23:00 -------- d-----w- c:\program files\CCleaner
2010-01-06 20:04 . 2010-01-28 22:15 -------- d-----w- c:\program files\JDownloader

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-03 23:37 . 2008-10-30 14:03 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2010-02-03 23:37 . 2008-10-30 14:03 17408 ----a-w- c:\windows\system32\rpcnetp.dll
2010-02-03 23:37 . 2008-11-10 20:41 56680 ----a-w- c:\windows\system32\rpcnet.dll
2010-02-03 23:36 . 2009-06-11 15:10 422050 ----a-w- c:\programdata\nvModes.dat
2010-02-03 23:35 . 2008-04-15 06:15 12 ----a-w- c:\windows\bthservsdp.dat
2010-02-03 22:41 . 2008-06-05 12:36 -------- d-----w- c:\users\Fox\AppData\Roaming\foobar2000
2010-02-03 18:46 . 2008-06-26 16:58 1356 ----a-w- c:\users\Fox\AppData\Local\d3d9caps.dat
2010-02-02 20:34 . 2009-06-11 12:38 1 ----a-w- c:\users\Fox\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-01-29 14:10 . 2008-06-05 15:19 -------- d-----w- c:\users\Fox\AppData\Roaming\Azureus
2010-01-29 00:22 . 2008-06-05 15:19 -------- d-----w- c:\program files\Azureus
2010-01-28 00:20 . 2008-11-19 15:50 40356051 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2010-01-27 23:45 . 2010-01-27 23:45 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2010-01-27 21:37 . 2008-06-05 14:15 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-01-27 21:30 . 2008-06-05 14:17 -------- d-----w- c:\users\Fox\AppData\Roaming\Thunderbird
2010-01-24 18:23 . 2008-04-15 06:36 -------- d-----w- c:\program files\Google
2010-01-22 19:41 . 2010-01-22 19:43 2850816 ----a-w- c:\windows\Internet Logs\xDBFB02.tmp
2010-01-21 19:26 . 2009-11-14 17:36 -------- d-----w- c:\programdata\FLEXnet
2010-01-20 17:39 . 2008-10-23 21:30 -------- d-----w- c:\program files\Steam
2010-01-20 17:37 . 2008-10-23 21:30 -------- d-----w- c:\program files\Common Files\Steam
2010-01-15 01:22 . 2008-01-21 07:26 376442 ----a-w- c:\windows\system32\perfh011.dat
2010-01-15 01:22 . 2008-01-21 07:26 101350 ----a-w- c:\windows\system32\perfc011.dat
2010-01-14 12:36 . 2009-09-19 21:27 -------- d-----w- c:\users\Fox\AppData\Roaming\vlc
2010-01-14 09:50 . 2009-10-03 23:39 3695616 ----a-w- c:\programdata\Lavasoft\Ad-Aware\update\AutoLaunch.exe
2010-01-14 09:50 . 2009-10-03 23:39 2353992 ----a-w- c:\programdata\Lavasoft\Ad-Aware\update\Ad-Aware.exe
2010-01-13 20:12 . 2008-06-05 12:36 -------- d-----w- c:\program files\foobar2000
2010-01-12 20:00 . 2009-09-19 22:10 -------- d-----w- c:\users\Fox\AppData\Roaming\dvdcss
2010-01-11 09:09 . 2009-12-10 12:23 -------- d-----w- c:\program files\MagicDVDRipper
2010-01-11 08:45 . 2009-05-11 08:12 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
2010-01-11 08:45 . 2009-05-11 08:12 -------- d-----w- c:\program files\DVDVideoSoft
2010-01-10 14:23 . 2008-09-15 11:33 -------- d-----w- c:\users\Fox\AppData\Roaming\Skype
2010-01-10 12:49 . 2008-09-15 11:40 -------- d-----w- c:\users\Fox\AppData\Roaming\skypePM
2010-01-06 16:53 . 2008-06-09 01:21 -------- d-----w- c:\users\Fox\AppData\Roaming\Apple Computer
2010-01-06 16:44 . 2008-06-09 01:17 -------- d-----w- c:\programdata\Apple
2010-01-05 20:23 . 2008-06-05 12:45 -------- d-----w- c:\programdata\Media Center Programs
2010-01-05 20:17 . 2009-12-12 20:32 -------- d-----w- c:\program files\RegCure
2009-12-31 15:27 . 2009-12-31 15:27 -------- d-----w- c:\users\Fox\AppData\Roaming\Logitech
2009-12-31 15:25 . 2009-12-31 15:25 -------- d-----w- c:\users\Fox\AppData\Roaming\Leadertech
2009-12-31 15:25 . 2008-09-18 13:44 -------- d-----w- c:\program files\Common Files\Logishrd
2009-12-31 15:25 . 2008-06-06 14:00 -------- d-----w- c:\programdata\LogiShrd
2009-12-31 15:25 . 2009-12-31 15:25 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
2009-12-31 15:23 . 2008-06-06 14:03 -------- d-----w- c:\programdata\Logitech
2009-12-31 15:22 . 2008-04-15 06:23 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-31 15:14 . 2009-12-12 20:32 -------- d-----w- c:\programdata\RegCure
2009-12-31 15:12 . 2008-06-06 14:01 -------- d-----w- c:\program files\Common Files\Logicool
2009-12-31 14:05 . 2009-12-31 14:05 604488 ----a-w- c:\windows\system32\TUProgSt.exe
2009-12-31 14:04 . 2009-12-31 14:04 361288 ----a-w- c:\windows\system32\TuneUpDefragService.exe
2009-12-31 14:03 . 2009-10-01 15:02 -------- d-sh--w- c:\programdata\{55A29068-F2CE-456C-9148-C869879E2357}
2009-12-31 13:25 . 2009-12-31 13:25 -------- d-----w- c:\program files\TuneUp Utilities 2010
2009-12-30 19:31 . 2009-05-13 18:42 -------- d-----w- c:\program files\Common Files\Adobe
2009-12-21 23:31 . 2009-12-21 23:29 -------- d-----w- c:\programdata\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-12-21 23:31 . 2009-12-21 23:29 -------- d-----w- c:\program files\iTunes
2009-12-21 23:29 . 2009-12-21 23:29 -------- d-----w- c:\program files\iPod
2009-12-21 23:29 . 2008-06-09 01:17 -------- d-----w- c:\program files\Common Files\Apple
2009-12-21 23:27 . 2009-12-21 23:27 -------- d-----w- c:\program files\Bonjour
2009-12-21 23:20 . 2009-12-21 23:20 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-12-21 23:18 . 2009-12-21 23:18 -------- d-----w- c:\program files\Apple Software Update
2009-12-14 12:11 . 2008-06-09 02:44 -------- d-----w- c:\program files\Magic Workstation
2009-12-10 14:56 . 2009-12-10 14:56 -------- d-----w- c:\program files\Common Files\TechSmith Shared
2009-12-10 14:56 . 2009-12-10 14:56 -------- d-----w- c:\program files\TechSmith
2009-12-09 12:45 . 2009-12-31 13:26 30536 ----a-w- c:\windows\system32\TURegOpt.exe
2009-12-07 19:45 . 2009-10-01 18:45 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-11-23 08:33 . 2009-11-23 19:25 3024896 ----a-w- c:\windows\Internet Logs\xDBB4A1.tmp
2009-11-15 23:16 . 2009-11-16 06:47 1624576 ----a-w- c:\windows\Internet Logs\xDB29E0.tmp
2009-11-15 20:42 . 2009-11-15 20:42 177024 ----a-w- c:\users\Fox\AppData\Roaming\Mozilla\Firefox\Profiles\uqpcp3rt.default\FlashGot.exe
2009-11-14 17:37 . 2008-06-05 12:24 52776 ----a-w- c:\users\Fox\AppData\Local\GDIPFONTCACHEV1.DAT
2009-11-14 16:43 . 2009-11-14 16:43 81920 ----a-w- c:\users\Fox\AppData\Roaming\ezpinst.exe
2009-11-14 16:43 . 2009-11-14 16:43 81920 ----a-w- c:\users\Fox\AppData\Roaming\ezpinst.exe
2009-11-14 16:43 . 2008-09-13 18:44 47360 ----a-w- c:\users\Fox\AppData\Roaming\pcouffin.sys
2009-11-14 16:43 . 2008-09-13 18:44 47360 ----a-w- c:\users\Fox\AppData\Roaming\pcouffin.sys
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-08-26 08:32 279944 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-08-26 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-08-26 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-04-01 486856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2007-11-09 409600]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-15 981384]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-19 13793824]
"GDI Manager"="c:\program files\MFP Server\App\Common\MFPAgent.exe" [2008-05-06 741376]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-01-18 1033512]
"Server Application"="c:\windows\system32\ServoApp.exe" [2007-05-20 417792]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
BTTray.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-8-14 727592]
Logitech SetPoint.lnk - c:\program files\Logicool\SetPoint\SetPoint.exe [2009-12-31 813584]
VPN Client.lnk - c:\windows\Installer\{51FB15F4-AD27-43BC-AD4B-DD0354FB6BBD}\Icon3E5562ED7.ico [2009-7-15 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer7"=wdmaud.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /r \??\c:\0autocheck autochk /r \??\c:\0autocheck autochk /p \??\c:\0autocheck autochk *\0lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Users^Fox^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Logitech . Produktregistrierung.lnk]
backup=c:\windows\pss\Logitech . Produktregistrierung.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-09-04 11:08 935288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DriverMax]
2009-09-30 13:48 7924056 ----a-w- c:\program files\Innovative Solutions\DriverMax\devices.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VeohPlugin]
2009-12-23 19:18 2642168 ----a-w- c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-21 02:25 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Skype"="c:\program files\Skype\Phone\Skype.exe" /nosplash /minimized
"WMPNSCFG"=c:\program files\Windows Media Player\WMPNSCFG.exe
"PowerArchiver Tray"=c:\program files\PowerArchiver\PASTARTER.EXE
"Veoh"="c:\program files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
"ehTray.exe"=c:\windows\ehome\ehTray.exe
"msnmsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" /background
"WindowsWelcomeCenter"=rundll32.exe oobefldr.dll,ShowWelcomeCenter
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" -autorun
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe"
"DriverMax"="c:\program files\Innovative Solutions\DriverMax\devices.exe" -agent
"Steam"="c:\program files\Steam\Steam.exe" -silent
"DriverMax_RESTART"="c:\program files\Innovative Solutions\DriverMax\devices.exe" -RESTART
"EPSON Stylus SX400 Series (1 ???)"=c:\windows\system32\spool\DRIVERS\W32X86\3\E_FATIEGE.EXE /FU "c:\windows\TEMP\E_S7ACC.tmp" /EF "HKCU"
"EPSON Stylus SX400 Series (2 ???)"=c:\windows\system32\spool\DRIVERS\W32X86\3\E_FATIEGE.EXE /FU "c:\windows\TEMP\E_S4108.tmp" /EF "HKCU"
"EPSON Stylus SX400 Series (3 ???)"=c:\windows\system32\spool\DRIVERS\W32X86\3\E_FATIEGE.EXE /FU "c:\windows\TEMP\E_S28D4.tmp" /EF "HKCU"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"NeroFilterCheck"=c:\windows\system32\NeroCheck.exe
"QuickTime Task"="c:\program files\K-Lite Codec Pack\QuickTime\QTTask.exe" -atboottime
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Gateway\traybar.exe"
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe"
"HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe"
"PDVD9LanguageShortcut"="c:\program files\CyberLink\PowerDVD9\Language\Language.exe"
"RemoteControl9"="c:\program files\CyberLink\PowerDVD9\PDVD9Serv.exe"
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"NBKeyScan"="c:\program files\Nero\Nero BackItUp 4\NBKeyScan.exe"
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [04.10.2009 00:40 64160]
R0 Si3531;SiI-3531 SATA Controller;c:\windows\System32\drivers\Si3531.sys [05.02.2009 17:38 212520]
R2 ALIWEHCD;MFP Server Enhanced Controller;c:\windows\System32\drivers\mfpec.sys [13.05.2009 18:06 34944]
R2 AntiVirSchedulerService;Avira AntiVir Planer;c:\program files\Avira\AntiVir Desktop\sched.exe [01.10.2009 19:45 108289]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [03.07.2009 15:49 1028432]
R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe [09.12.2009 13:42 1044808]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\System32\drivers\NETw5v32.sys [04.10.2009 00:28 4233728]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys [14.10.2009 07:24 10064]
R3 WUSBVBus;MFP Server Detector;c:\windows\System32\drivers\mfpvbus.sys [13.05.2009 18:06 10240]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10.10.2009 15:55 133104]
S3 AliWGP;Composite Device;c:\windows\System32\drivers\mfpcomp.sys [13.05.2009 18:06 10880]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\System32\drivers\b57nd60x.sys [21.01.2008 03:23 179712]
S3 SCR33x USB Smart Card Reader;SCR33x USB Smart Card Reader;c:\windows\System32\drivers\SCR33X2K.sys [25.08.2005 15:00 45568]
S3 STC2DFU;STCII DFU Adapter;c:\windows\System32\drivers\Stc2Dfu.sys [15.09.2008 14:43 7796]
S3 USBMULCD;USB Multi-Channel Audio Device Interface;c:\windows\System32\drivers\CM106.sys [19.09.2009 21:01 1501696]
S4 sptd;sptd;c:\windows\System32\drivers\sptd.sys [05.06.2008 16:15 717296]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-01-31 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 23:39]

2010-02-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-10 14:55]

2010-02-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-10 14:55]

2010-02-01 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2009-09-21 20:13]

2010-02-03 c:\windows\Tasks\RegCure Startup.job
- c:\program files\RegCure\RegCure.exe [2009-09-21 20:13]

2010-01-24 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2009-09-21 20:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=JPN_JP&Sys=PTB&M=P-6861jFX
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=JPN_JP&Sys=PTB&M=P-6861jFX
uInternet Settings,ProxyOverride = *.local
IE: &Search - http://edits.mywebsearch.com/toolbaredits/...html?p=GRfox000
IE: ????? Bluetooth ???????(&B)... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: ???? Bluetooth ???????(&B)... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\users\Fox\AppData\Roaming\Mozilla\Firefox\Profiles\uqpcp3rt.default\
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Media Convert Master\codec\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\Media Convert Master\codec\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.notify.interval - 600000
FF - user.js: content.switch.threshold - 600000
FF - user.js: nglayout.initialpaint.delay - 600
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Cm106Sound - cm106.cpl
HKLM-Run-My Web Search Bar Search Scope Monitor - c:\progra~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe
SafeBoot-dmboot.sys
SafeBoot-dmio.sys
SafeBoot-dmload.sys
SafeBoot-dmadmin
SafeBoot-dmserver
SafeBoot-SRService



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-996301808-105016373-1665267237-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\00000\0000 *000]
"Order"=hex:08,00,00,00,02,00,00,00,d0,08,00,00,01,00,00,00,0b,00,00,00,fc,00,
00,00,00,00,00,00,ee,00,00,00,41,75,67,4d,04,00,00,00,01,00,00,00,00,00,00,\

[HKEY_USERS\S-1-5-21-996301808-105016373-1665267237-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:6d,e5,07,7d,64,3a,39,d4,77,58,d1,20,e3,6b,88,50,b2,2b,07,c5,e2,8c,b4,
a1,ce,57,19,ad,38,61,f1,e0,b6,a5,a9,ef,de,84,6e,a0,8c,27,43,0e,e5,e4,a3,9a,\
"??"=hex:5d,2e,bc,00,9b,07,bc,9c,34,34,87,88,c9,ab,ca,0d

[HKEY_USERS\S-1-5-21-996301808-105016373-1665267237-1000\Software\SecuROM\License information*]
@Allowed: (Read) (RestrictedCode)
"datasecu"=hex:c8,14,73,14,94,f2,68,47,9f,14,ce,33,3a,10,a3,f4,3d,4b,0e,0b,51,
44,f3,de,3c,5a,0b,39,14,42,68,c9,cd,35,6c,93,60,17,e3,69,67,31,e7,f3,9a,6b,\
"rkeysecu"=hex:d4,8a,f5,b9,4d,24,5c,2f,31,ea,f5,e2,dd,d5,a8,ad

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{036fe380-ae2f-4664-92c7-78b17f4570c6}]
@DACL=(02 0000)
"Dhcpv6Iaid"=dword:11001f3c
"Dhcpv6State"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{144c8dd9-f6a7-4d18-b287-ea97f5188521}]
@DACL=(02 0000)
"Dhcpv6Iaid"=dword:24000000
"Dhcpv6State"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{1ddb7728-f019-4b03-bade-fb9165eb11b2}]
@DACL=(02 0000)
"Dhcpv6Iaid"=dword:16000000
"Dhcpv6State"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{283e9c71-cce6-4a93-ac18-df2380feb561}]
@DACL=(02 0000)
"Dhcpv6Iaid"=dword:1e005056
"Dhcpv6State"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{2a276d6d-a9a9-4053-a646-431f84a205e2}]
@DACL=(02 0000)
"Dhcpv6Iaid"=dword:19005056
"Dhcpv6State"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{4209b82c-d3bc-487a-af8e-3e9b437d0c60}]
@DACL=(02 0000)
"Dhcpv6Iaid"=dword:17005056
"Dhcpv6State"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{4ac0f757-b52d-4a28-8d1a-164f092dd790}]
@DACL=(02 0000)
"Dhcpv6Iaid"=dword:1d020054
"Dhcpv6State"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{605c9b06-aa5c-4f88-a683-d312dae4ef60}]
@DACL=(02 0000)
"Dhcpv6Iaid"=dword:0f000325
"Dhcpv6State"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{783c9233-7dda-4100-8934-b4d771af363c}]
@DACL=(02 0000)
"Dhcpv6Iaid"=dword:0f001d72
"Dhcpv6State"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{9c642153-bfe0-4511-a0b6-e778ddd5ea9e}]
@DACL=(02 0000)
"Dhcpv6Iaid"=dword:07001422
"Dhcpv6State"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{ae32e40c-5940-40fd-9b01-66c1038d747d}]
@DACL=(02 0000)
"Dhcpv6Iaid"=dword:1c000000
"Dhcpv6State"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{ba32a50a-3d27-4fae-8591-5916311409be}]
@DACL=(02 0000)
"Dhcpv6Iaid"=dword:0c001422
"Dhcpv6State"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{bec76a45-051f-41ef-9f2e-ee2dd922e031}]
@DACL=(02 0000)
"Dhcpv6Iaid"=dword:20005056
"Dhcpv6State"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{d9269bb3-3c6f-42d4-ae02-0bb53c3e88f6}]
@DACL=(02 0000)
"Dhcpv6Iaid"=dword:25000000
"Dhcpv6State"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{e3150b27-57ff-4158-ab3a-0dfa4dc8aff0}]
@DACL=(02 0000)
"Dhcpv6Iaid"=dword:1c001f3a
"Dhcpv6State"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{f50c0996-5b4a-4c6a-a322-6e991d4caa0e}]
@DACL=(02 0000)
"Dhcpv6Iaid"=dword:06001422
"Dhcpv6State"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{f70a361f-6437-4fcc-91a4-cd88d468d91b}]
@DACL=(02 0000)
"Dhcpv6Iaid"=dword:0e001422
"Dhcpv6State"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{fa37d369-76bc-4649-b87c-f7e4b2816db7}]
@DACL=(02 0000)
"Dhcpv6Iaid"=dword:15001e4c
"Dhcpv6State"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{fdf6bc3b-0dfe-4565-80ce-22e40c7e2b72}]
@DACL=(02 0000)
"Dhcpv6Iaid"=dword:1c000000
"Dhcpv6State"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(1788)
c:\program files\Logicool\SetPoint\lgscroll.dll
c:\windows\system32\btmmhook.dll
c:\windows\system32\btncopy.dll
c:\program files\WinSCP\DragExt.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\nvvsvc.exe
c:\windows\System32\ZoneLabs\vsmon.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\program files\Nero\Nero BackItUp 4\IoctlSvc.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\windows\system32\rpcnet.exe
c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\conime.exe
c:\windows\System32\rundll32.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2010-02-04 00:46:41 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-03 23:46

Pre-Run: 9.263.874.048 ????????
Post-Run: 9.223.700.480 bytes free

- - End Of File - - C001ED3DAE7B5C730DA87596D4C75A43


ComboFix created two files, actually: log.txt and ComboFix.txt. I looked roughly through the files and they should be identical.
Maybe it's just normal. It's my first experience with ComboFix after all.

Staying tuned
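The log above is the kind of thing a helper reads by eye, line by line. The script below is an added example (not part of this thread, not ComboFix's own logic) that does the same first pass programmatically over a ComboFix log: it walks the paren-delimited section headers and the `[HKEY_...]` keys, and pulls out the items an analyst reads first: files ComboFix reports as infected or repaired, executables dropped under AppData\Roaming, an Autorun.inf at a drive root, Security Center monitoring switched off, non-default BootExecute entries, and Run values that give a bare file name instead of a full path. The SAMPLE_LOG is constructed and trimmed from the log posted above; the heuristics are ordinary triage rules of thumb, and each hit is a prompt to look, not a verdict (the unqualified KHALMNPR.EXE, for instance, is matched by the Logitech SetPoint entry elsewhere in the log).

```python
"""First-pass triage of a ComboFix log (added example, not ComboFix's own code)."""
import re
from dataclasses import dataclass

# Constructed sample, trimmed from the log posted in this thread.
SAMPLE_LOG = r"""
((((((((((((((( Other Deletions )))))))))))))))
.

c:\program files\MyWebSearch\bar\1.bin\MWSBAR.DLL
c:\users\Fox\AppData\Roaming\inst.exe
c:\windows\system32\f3PSSavr.scr
D:\Autorun.inf

Infected copy of c:\windows\system32\drivers\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
c:\windows\System32\autochk.exe . . . is infected!!

.
((((((((((((((( Reg Loading Points )))))))))))))))
.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /r \??\c:\0autocheck autochk *\0lsdelete

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
"""


@dataclass(frozen=True)
class Finding:
    kind: str      # short tag, e.g. "infected_file"
    subject: str   # path, registry key or value the finding is about
    note: str      # why an analyst should look at it


SECTION_RE = re.compile(r"^\(+\s*(.*?)\s*\)+$")        # "((( Other Deletions )))"
KEY_RE = re.compile(r"^\[(.+)\]$")                       # "[HKEY_...]"
INFECTED_RE = re.compile(r"^(.+?)(?: \.)+ is infected!!$")
DISINFECTED_RE = re.compile(r"^Infected copy of (.+?) was found and disinfected$")
BOOT_EXEC_PREFIX = "BootExecute REG_MULTI_SZ"


def _image_path(value: str) -> str:
    """Best-effort extraction of the executable from a Run-key value string."""
    value = re.sub(r"\s*\[[^\]]*\]\s*$", "", value)      # drop ComboFix's "[date size]" suffix
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split(" -")[0].split(" /")[0]           # unquoted: cut at the first switch


def triage(log_text: str) -> list:
    """Return Findings in log order; section and key context is tracked as we go."""
    findings, section, key = [], "", ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if (m := SECTION_RE.match(line)):
            section, key = m.group(1), ""
            continue
        if (m := KEY_RE.match(line)):
            key = m.group(1)
            continue
        if (m := INFECTED_RE.match(line)):
            findings.append(Finding("infected_file", m.group(1),
                                    "flagged but not replaced; needs a clean copy"))
            continue
        if (m := DISINFECTED_RE.match(line)):
            findings.append(Finding("infected_driver_repaired", m.group(1),
                                    "patched driver restored; verify the restored copy"))
            continue
        if section == "Other Deletions":
            if re.search(r"\\AppData\\Roaming\\[^\\]+\.exe$", line, re.I):
                findings.append(Finding("exe_in_roaming_profile", line,
                                        "executable dropped in the user profile; common staging spot"))
            elif re.match(r"^[a-z]:\\Autorun\.inf$", line, re.I):
                findings.append(Finding("autorun_inf_root", line,
                                        "Autorun.inf at a drive root; check the media it launches from"))
        elif section == "Reg Loading Points":
            if re.search(r"security center\\monitoring", key, re.I) and \
                    re.match(r'^"DisableMonitoring"=dword:0*1$', line, re.I):
                findings.append(Finding("security_center_monitoring_disabled", key,
                                        "Security Center alerts suppressed; confirm a real product set this"))
            elif line.startswith(BOOT_EXEC_PREFIX):
                for entry in line[len(BOOT_EXEC_PREFIX):].strip().split("\\0"):
                    if entry and entry != "autocheck autochk *":   # the Windows default
                        findings.append(Finding("boot_execute_entry", entry,
                                                "non-default boot-time native program; identify its owner"))
            elif key.lower().endswith(("\\run", "\\run-")):
                if (m := re.match(r'^"([^"]+)"=(.*)$', line)):
                    image = _image_path(m.group(2))
                    if "\\" not in image and ":" not in image:
                        findings.append(Finding("run_entry_unqualified_path", f"{m.group(1)} -> {image}",
                                                "no directory given; resolved through the PATH search order"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:36} {f.subject}\n{'':36}   {f.note}")
```

Run it as-is to see the nine findings the sample yields; point `triage()` at the text of a real ComboFix.txt to use it on a fresh log. The parser keys on ComboFix's layout only (section banners, bracketed keys, the "is infected!!" and "was found and disinfected" markers), so it tolerates the localized lines ("????????", Japanese strings) that appear elsewhere in the log without choking on them.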

#11 schrauber (Mr.Mechanic)

  • Malware Response Team
  • 24,794 posts
  • Gender: Male
  • Location: Munich, Germany

Posted 05 February 2010 - 12:21 PM

Hi,




Ask Toolbar is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This has changed from what we know, as stated in the following articles:

http://www.benedelman.org/spyware/ask-toolbars/
http://vil.nai.com/vil/content/v_185490.htm


I suggest you remove the program now. Click on Start > Run, then paste the following into the "Open" field: appwiz.cpl and press OK. From within Add or Remove Programs, uninstall the following if it exists: Ask Toolbar.




1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
MIA::
c:\windows\System32\autochk.exe


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
regards,
schrauber

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware
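The uninstall step above goes through Add or Remove Programs, which is a view over the registry's Uninstall keys. The following is an added example, not part of the original thread and not a ComboFix or BleepingComputer tool: it reads those same keys (machine-wide, 32-bit-on-64-bit, and per-user) and prints the entry for a product name pattern together with the UninstallString Windows would run, so you can see what the "Remove" button actually executes before pressing it. The default pattern 'Ask Toolbar' is the product named in the post; the function and variable names are this example's own.

```powershell
# Added example, not from the original thread: enumerate the Uninstall registry
# keys behind appwiz.cpl and show the entries matching a product name pattern.
function Get-InstalledProgram {
    param([string]$NamePattern = 'Ask Toolbar')   # default taken from the post

    $uninstallRoots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall',  # 32-bit apps on 64-bit Windows
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'              # per-user installs
    )

    foreach ($root in $uninstallRoots) {
        if (-not (Test-Path -Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root) {
            $props = Get-ItemProperty -Path $key.PSPath
            if ($props.DisplayName -like "*$NamePattern*") {
                # New-Object instead of [pscustomobject] so this also runs on PowerShell 2.0
                New-Object PSObject -Property @{
                    DisplayName     = $props.DisplayName
                    Publisher       = $props.Publisher
                    InstallLocation = $props.InstallLocation
                    UninstallString = $props.UninstallString   # the command Add/Remove Programs runs
                    RegistryKey     = $key.Name
                }
            }
        }
    }
}

$found = @(Get-InstalledProgram -NamePattern 'Ask Toolbar')
if ($found.Count -eq 0) {
    'No installed program matches "Ask Toolbar".'
} else {
    $found | Format-List DisplayName, Publisher, InstallLocation, UninstallString, RegistryKey
}
```

A toolbar that registers itself as an Internet Explorer browser helper object but ships no Uninstall entry will not appear here; for that case check the CLSIDs listed under HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects as well.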

#12 misterklos (Topic Starter, Members)

Posted 05 February 2010 - 01:54 PM

Hey Tom!

ComboFix ran on my desktop and finished the process. No rebooting whatsoever. However, I couldn't open any programs, so I had to reboot the machine.
Hope that's just normal.
And something new happened yesterday night. The browser redirects me to an eBay site. Don't think it's the real one. It happens when I search with Google and then click on one of the links!

Here is my new Combofix log :

ComboFix 10-02-03.04 - Fox 05.02.2010 19:31:41.2.2 - x86
Microsoft Windows Vista™ Home Premium 6.0.6001.1.1252.1.1041.18.3070.2247 [GMT 1:00]
Running from: c:\users\Fox\Desktop\schrauber.exe
Command switches used :: c:\users\Fox\Desktop\CFScript.txt
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: ZoneAlarm Anti-Spyware *enabled* (Outdated) {F245A209-1085-48B4-B927-35D56015EC60}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\System32\autochk.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2010-01-05 to 2010-02-05 )))))))))))))))))))))))))))))))
.

2010-02-05 18:41 . 2010-02-05 18:41 -------- d-----w- c:\users\Fox\AppData\Local\temp
2010-02-05 18:41 . 2010-02-05 18:41 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-02-05 18:41 . 2010-02-05 18:41 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-02-05 18:29 . 2010-02-05 18:30 -------- dc----w- C:\32788R22FWJFW
2010-02-04 15:20 . 2010-02-04 15:20 -------- dc----w- C:\VIDS
2010-01-26 10:02 . 2010-01-26 10:02 -------- d-----w- c:\program files\Trend Micro
2010-01-21 17:40 . 2010-01-21 17:40 -------- d-----w- c:\users\Fox\AppData\Roaming\Malwarebytes
2010-01-21 17:40 . 2010-01-07 15:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-21 17:40 . 2010-01-21 17:40 -------- d-----w- c:\programdata\Malwarebytes
2010-01-21 17:40 . 2010-01-07 15:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-21 17:40 . 2010-01-21 17:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-14 09:49 . 2010-01-14 09:49 -------- dc-h--w- c:\programdata\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-01-12 12:28 . 2010-01-12 12:28 -------- d-----w- c:\program files\WinSCP
2010-01-11 20:03 . 2010-01-11 20:03 -------- d-----w- c:\program files\ElcomSoft
2010-01-11 19:52 . 2010-01-11 19:52 -------- d-----w- c:\program files\Information Packaging
2010-01-11 19:38 . 2010-01-11 19:38 -------- d-----w- c:\program files\RAR Password Cracker
2010-01-11 09:59 . 2010-01-11 10:00 -------- d-----w- c:\program files\PowerArchiver
2010-01-08 23:00 . 2010-01-08 23:00 -------- d-----w- c:\program files\CCleaner
2010-01-06 20:04 . 2010-01-28 22:15 -------- d-----w- c:\program files\JDownloader

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-05 18:14 . 2008-10-30 14:03 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2010-02-05 18:14 . 2008-10-30 14:03 17408 ----a-w- c:\windows\system32\rpcnetp.dll
2010-02-05 18:14 . 2008-11-10 20:41 56680 ----a-w- c:\windows\system32\rpcnet.dll
2010-02-05 18:13 . 2009-06-11 15:10 422050 ----a-w- c:\programdata\nvModes.dat
2010-02-05 09:57 . 2008-04-15 06:15 12 ----a-w- c:\windows\bthservsdp.dat
2010-02-05 07:57 . 2008-11-19 15:50 42672288 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2010-02-05 00:18 . 2008-06-05 12:36 -------- d-----w- c:\users\Fox\AppData\Roaming\foobar2000
2010-02-04 23:34 . 2009-06-11 12:38 1 ----a-w- c:\users\Fox\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-02-04 21:09 . 2008-04-15 06:36 -------- d-----w- c:\program files\Google
2010-02-04 20:16 . 2008-06-05 15:19 -------- d-----w- c:\users\Fox\AppData\Roaming\Azureus
2010-02-04 14:34 . 2008-06-05 15:19 -------- d-----w- c:\program files\Azureus
2010-02-03 18:46 . 2008-06-26 16:58 1356 ----a-w- c:\users\Fox\AppData\Local\d3d9caps.dat
2010-01-27 23:45 . 2010-01-27 23:45 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2010-01-27 21:37 . 2008-06-05 14:15 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-01-27 21:30 . 2008-06-05 14:17 -------- d-----w- c:\users\Fox\AppData\Roaming\Thunderbird
2010-01-22 19:41 . 2010-01-22 19:43 2850816 ----a-w- c:\windows\Internet Logs\xDBFB02.tmp
2010-01-21 19:26 . 2009-11-14 17:36 -------- d-----w- c:\programdata\FLEXnet
2010-01-20 17:39 . 2008-10-23 21:30 -------- d-----w- c:\program files\Steam
2010-01-20 17:37 . 2008-10-23 21:30 -------- d-----w- c:\program files\Common Files\Steam
2010-01-15 01:22 . 2008-01-21 07:26 376442 ----a-w- c:\windows\system32\perfh011.dat
2010-01-15 01:22 . 2008-01-21 07:26 101350 ----a-w- c:\windows\system32\perfc011.dat
2010-01-14 12:36 . 2009-09-19 21:27 -------- d-----w- c:\users\Fox\AppData\Roaming\vlc
2010-01-14 09:50 . 2009-10-03 23:39 3695616 ----a-w- c:\programdata\Lavasoft\Ad-Aware\update\AutoLaunch.exe
2010-01-14 09:50 . 2009-10-03 23:39 2353992 ----a-w- c:\programdata\Lavasoft\Ad-Aware\update\Ad-Aware.exe
2010-01-13 20:12 . 2008-06-05 12:36 -------- d-----w- c:\program files\foobar2000
2010-01-12 20:00 . 2009-09-19 22:10 -------- d-----w- c:\users\Fox\AppData\Roaming\dvdcss
2010-01-11 09:09 . 2009-12-10 12:23 -------- d-----w- c:\program files\MagicDVDRipper
2010-01-11 08:45 . 2009-05-11 08:12 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
2010-01-11 08:45 . 2009-05-11 08:12 -------- d-----w- c:\program files\DVDVideoSoft
2010-01-10 14:23 . 2008-09-15 11:33 -------- d-----w- c:\users\Fox\AppData\Roaming\Skype
2010-01-10 12:49 . 2008-09-15 11:40 -------- d-----w- c:\users\Fox\AppData\Roaming\skypePM
2010-01-06 16:53 . 2008-06-09 01:21 -------- d-----w- c:\users\Fox\AppData\Roaming\Apple Computer
2010-01-06 16:44 . 2008-06-09 01:17 -------- d-----w- c:\programdata\Apple
2010-01-05 20:23 . 2008-06-05 12:45 -------- d-----w- c:\programdata\Media Center Programs
2010-01-05 20:17 . 2009-12-12 20:32 -------- d-----w- c:\program files\RegCure
2009-12-31 15:27 . 2009-12-31 15:27 -------- d-----w- c:\users\Fox\AppData\Roaming\Logitech
2009-12-31 15:25 . 2009-12-31 15:25 -------- d-----w- c:\users\Fox\AppData\Roaming\Leadertech
2009-12-31 15:25 . 2008-09-18 13:44 -------- d-----w- c:\program files\Common Files\Logishrd
2009-12-31 15:25 . 2008-06-06 14:00 -------- d-----w- c:\programdata\LogiShrd
2009-12-31 15:25 . 2009-12-31 15:25 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
2009-12-31 15:23 . 2008-06-06 14:03 -------- d-----w- c:\programdata\Logitech
2009-12-31 15:22 . 2008-04-15 06:23 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-31 15:14 . 2009-12-12 20:32 -------- d-----w- c:\programdata\RegCure
2009-12-31 15:12 . 2008-06-06 14:01 -------- d-----w- c:\program files\Common Files\Logicool
2009-12-31 14:05 . 2009-12-31 14:05 604488 ----a-w- c:\windows\system32\TUProgSt.exe
2009-12-31 14:04 . 2009-12-31 14:04 361288 ----a-w- c:\windows\system32\TuneUpDefragService.exe
2009-12-31 14:03 . 2009-10-01 15:02 -------- d-sh--w- c:\programdata\{55A29068-F2CE-456C-9148-C869879E2357}
2009-12-31 13:25 . 2009-12-31 13:25 -------- d-----w- c:\program files\TuneUp Utilities 2010
2009-12-30 19:31 . 2009-05-13 18:42 -------- d-----w- c:\program files\Common Files\Adobe
2009-12-21 23:31 . 2009-12-21 23:29 -------- d-----w- c:\programdata\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-12-21 23:31 . 2009-12-21 23:29 -------- d-----w- c:\program files\iTunes
2009-12-21 23:29 . 2009-12-21 23:29 -------- d-----w- c:\program files\iPod
2009-12-21 23:29 . 2008-06-09 01:17 -------- d-----w- c:\program files\Common Files\Apple
2009-12-21 23:27 . 2009-12-21 23:27 -------- d-----w- c:\program files\Bonjour
2009-12-21 23:20 . 2009-12-21 23:20 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-12-21 23:18 . 2009-12-21 23:18 -------- d-----w- c:\program files\Apple Software Update
2009-12-14 12:11 . 2008-06-09 02:44 -------- d-----w- c:\program files\Magic Workstation
2009-12-10 14:56 . 2009-12-10 14:56 -------- d-----w- c:\program files\Common Files\TechSmith Shared
2009-12-10 14:56 . 2009-12-10 14:56 -------- d-----w- c:\program files\TechSmith
2009-12-09 12:45 . 2009-12-31 13:26 30536 ----a-w- c:\windows\system32\TURegOpt.exe
2009-12-07 19:45 . 2009-10-01 18:45 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-11-23 08:33 . 2009-11-23 19:25 3024896 ----a-w- c:\windows\Internet Logs\xDBB4A1.tmp
2009-11-15 23:16 . 2009-11-16 06:47 1624576 ----a-w- c:\windows\Internet Logs\xDB29E0.tmp
2009-11-15 20:42 . 2009-11-15 20:42 177024 ----a-w- c:\users\Fox\AppData\Roaming\Mozilla\Firefox\Profiles\uqpcp3rt.default\FlashGot.exe
2009-11-14 17:37 . 2008-06-05 12:24 52776 ----a-w- c:\users\Fox\AppData\Local\GDIPFONTCACHEV1.DAT
2009-11-14 16:43 . 2009-11-14 16:43 81920 ----a-w- c:\users\Fox\AppData\Roaming\ezpinst.exe
2009-11-14 16:43 . 2009-11-14 16:43 81920 ----a-w- c:\users\Fox\AppData\Roaming\ezpinst.exe
2009-11-14 16:43 . 2008-09-13 18:44 47360 ----a-w- c:\users\Fox\AppData\Roaming\pcouffin.sys
2009-11-14 16:43 . 2008-09-13 18:44 47360 ----a-w- c:\users\Fox\AppData\Roaming\pcouffin.sys
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-04-01 486856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2007-11-09 409600]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-15 981384]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-19 13793824]
"GDI Manager"="c:\program files\MFP Server\App\Common\MFPAgent.exe" [2008-05-06 741376]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-01-18 1033512]
"Server Application"="c:\windows\system32\ServoApp.exe" [2007-05-20 417792]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
BTTray.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-8-14 727592]
Logitech SetPoint.lnk - c:\program files\Logicool\SetPoint\SetPoint.exe [2009-12-31 813584]
VPN Client.lnk - c:\windows\Installer\{51FB15F4-AD27-43BC-AD4B-DD0354FB6BBD}\Icon3E5562ED7.ico [2009-7-15 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer7"=wdmaud.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /r \??\c:\0autocheck autochk /r \??\c:\0autocheck autochk /p \??\c:\0autocheck autochk *\0lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Users^Fox^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Logitech . Produktregistrierung.lnk]
backup=c:\windows\pss\Logitech . Produktregistrierung.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-09-04 11:08 935288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DriverMax]
2009-09-30 13:48 7924056 ----a-w- c:\program files\Innovative Solutions\DriverMax\devices.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VeohPlugin]
2009-12-23 19:18 2642168 ----a-w- c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-21 02:25 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Skype"="c:\program files\Skype\Phone\Skype.exe" /nosplash /minimized
"WMPNSCFG"=c:\program files\Windows Media Player\WMPNSCFG.exe
"PowerArchiver Tray"=c:\program files\PowerArchiver\PASTARTER.EXE
"Veoh"="c:\program files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
"ehTray.exe"=c:\windows\ehome\ehTray.exe
"msnmsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" /background
"WindowsWelcomeCenter"=rundll32.exe oobefldr.dll,ShowWelcomeCenter
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" -autorun
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe"
"DriverMax"="c:\program files\Innovative Solutions\DriverMax\devices.exe" -agent
"Steam"="c:\program files\Steam\Steam.exe" -silent
"DriverMax_RESTART"="c:\program files\Innovative Solutions\DriverMax\devices.exe" -RESTART
"EPSON Stylus SX400 Series (1 ???)"=c:\windows\system32\spool\DRIVERS\W32X86\3\E_FATIEGE.EXE /FU "c:\windows\TEMP\E_S7ACC.tmp" /EF "HKCU"
"EPSON Stylus SX400 Series (2 ???)"=c:\windows\system32\spool\DRIVERS\W32X86\3\E_FATIEGE.EXE /FU "c:\windows\TEMP\E_S4108.tmp" /EF "HKCU"
"EPSON Stylus SX400 Series (3 ???)"=c:\windows\system32\spool\DRIVERS\W32X86\3\E_FATIEGE.EXE /FU "c:\windows\TEMP\E_S28D4.tmp" /EF "HKCU"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"NeroFilterCheck"=c:\windows\system32\NeroCheck.exe
"QuickTime Task"="c:\program files\K-Lite Codec Pack\QuickTime\QTTask.exe" -atboottime
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Gateway\traybar.exe"
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe"
"HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe"
"PDVD9LanguageShortcut"="c:\program files\CyberLink\PowerDVD9\Language\Language.exe"
"RemoteControl9"="c:\program files\CyberLink\PowerDVD9\PDVD9Serv.exe"
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"NBKeyScan"="c:\program files\Nero\Nero BackItUp 4\NBKeyScan.exe"
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [04.10.2009 00:40 64160]
R0 Si3531;SiI-3531 SATA Controller;c:\windows\System32\drivers\Si3531.sys [05.02.2009 17:38 212520]
R2 ALIWEHCD;MFP Server Enhanced Controller;c:\windows\System32\drivers\mfpec.sys [13.05.2009 18:06 34944]
R2 AntiVirSchedulerService;Avira AntiVir Planer;c:\program files\Avira\AntiVir Desktop\sched.exe [01.10.2009 19:45 108289]
R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe [09.12.2009 13:42 1044808]
R3 NETw5v32;Intel Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\System32\drivers\NETw5v32.sys [04.10.2009 00:28 4233728]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys [14.10.2009 07:24 10064]
R3 WUSBVBus;MFP Server Detector;c:\windows\System32\drivers\mfpvbus.sys [13.05.2009 18:06 10240]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10.10.2009 15:55 133104]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [03.07.2009 15:49 1028432]
S3 AliWGP;Composite Device;c:\windows\System32\drivers\mfpcomp.sys [13.05.2009 18:06 10880]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\System32\drivers\b57nd60x.sys [21.01.2008 03:23 179712]
S3 SCR33x USB Smart Card Reader;SCR33x USB Smart Card Reader;c:\windows\System32\drivers\SCR33X2K.sys [25.08.2005 15:00 45568]
S3 STC2DFU;STCII DFU Adapter;c:\windows\System32\drivers\Stc2Dfu.sys [15.09.2008 14:43 7796]
S3 USBMULCD;USB Multi-Channel Audio Device Interface;c:\windows\System32\drivers\CM106.sys [19.09.2009 21:01 1501696]
S4 sptd;sptd;c:\windows\System32\drivers\sptd.sys [05.06.2008 16:15 717296]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-01-31 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 23:39]

2010-02-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-10 14:55]

2010-02-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-10 14:55]

2010-02-04 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2009-09-21 20:13]

2010-02-05 c:\windows\Tasks\RegCure Startup.job
- c:\program files\RegCure\RegCure.exe [2009-09-21 20:13]

2010-01-24 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2009-09-21 20:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=JPN_JP&Sys=PTB&M=P-6861jFX
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=JPN_JP&Sys=PTB&M=P-6861jFX
uInternet Settings,ProxyOverride = *.local
IE: &Search - http://edits.mywebsearch.com/toolbaredits/...html?p=GRfox000
IE: ????? Bluetooth ???????(&B)... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: ???? Bluetooth ???????(&B)... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\users\Fox\AppData\Roaming\Mozilla\Firefox\Profiles\uqpcp3rt.default\
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Media Convert Master\codec\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\Media Convert Master\codec\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.notify.interval - 600000
FF - user.js: content.switch.threshold - 600000
FF - user.js: nglayout.initialpaint.delay - 600
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-05 19:41
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-996301808-105016373-1665267237-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\00000\0000 *000]
"Order"=hex:08,00,00,00,02,00,00,00,d0,08,00,00,01,00,00,00,0b,00,00,00,fc,00,
00,00,00,00,00,00,ee,00,00,00,41,75,67,4d,04,00,00,00,01,00,00,00,00,00,00,\

[HKEY_USERS\S-1-5-21-996301808-105016373-1665267237-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:6d,e5,07,7d,64,3a,39,d4,77,58,d1,20,e3,6b,88,50,b2,2b,07,c5,e2,8c,b4,
a1,ce,57,19,ad,38,61,f1,e0,b6,a5,a9,ef,de,84,6e,a0,8c,27,43,0e,e5,e4,a3,9a,\
"??"=hex:5d,2e,bc,00,9b,07,bc,9c,34,34,87,88,c9,ab,ca,0d

[HKEY_USERS\S-1-5-21-996301808-105016373-1665267237-1000\Software\SecuROM\License information*]
@Allowed: (Read) (RestrictedCode)
"datasecu"=hex:c8,14,73,14,94,f2,68,47,9f,14,ce,33,3a,10,a3,f4,3d,4b,0e,0b,51,
44,f3,de,3c,5a,0b,39,14,42,68,c9,cd,35,6c,93,60,17,e3,69,67,31,e7,f3,9a,6b,\
"rkeysecu"=hex:d4,8a,f5,b9,4d,24,5c,2f,31,ea,f5,e2,dd,d5,a8,ad

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(4028)
c:\program files\Logicool\SetPoint\lgscroll.dll
c:\windows\system32\btmmhook.dll
.
Completion time: 2010-02-05 19:43:51
ComboFix-quarantined-files.txt 2010-02-05 18:43
ComboFix2.txt 2010-02-03 23:46

Pre-Run: 6.345.101.312 bytes free
Post-Run: 6.333.022.208 bytes free

- - End Of File - - 34A4F0138B9D83B1E1A052271F255643


Again, thanks a lot for helping me out!

Edited by misterklos, 05 February 2010 - 02:05 PM.


#13 schrauber (Mr.Mechanic, Malware Response Team, Munich, Germany)

Posted 05 February 2010 - 02:08 PM

Hi,



Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    CODE
    :filefind
    c:\windows\System32\autochk.exe

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt


Do you have a Windows CD?
regards,
schrauber


#14 misterklos (Topic Starter, Members)

Posted 05 February 2010 - 03:34 PM

Hi Tom!

Here's the log file:

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 21:30 on 05/02/2010 by Fox (Administrator - Elevation successful)

========== filefind ==========

Searching for "c:\windows\System32\autochk.exe"
No files found.

-=End Of File=-

Hope this is good.

I only have a Recovery CD for Vista

Regards

-misterklos

#15 schrauber (Mr.Mechanic, Malware Response Team, Munich, Germany)

Posted 06 February 2010 - 07:06 AM

My bad, please run systemlook again, now with this script:

:filefind
autochk*
regards,
schrauber

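The SystemLook search above (:filefind autochk*) looks for every file whose name starts with autochk, because the ComboFix log reported c:\windows\System32\autochk.exe as infected while a search for that exact path found nothing, and the same log's BootExecute value shows several "autocheck autochk" entries plus an extra "lsdelete" entry. The following is an added example, not part of the original thread and not SystemLook or ComboFix code: it does that inventory in PowerShell, finds every autochk*.exe under the Windows directory (the System32 copy and any WinSxS component-store copies), hashes each one so the copies can be compared, reports the Authenticode status, and reads the Session Manager BootExecute value. REG_MULTI_SZ shows up as an array here where ComboFix printed the strings joined with \0. Function names and the use of $env:SystemRoot are this example's own assumptions.

```powershell
# Added example, not from the original thread: inventory autochk*.exe copies,
# compare them by SHA-256, check signatures, and list BootExecute entries.

# .NET hashing so this also works on PowerShell 2.0 (Get-FileHash needs 4.0+)
function Get-Sha256Hex {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try   { ([System.BitConverter]::ToString($sha.ComputeHash($stream))) -replace '-', '' }
    finally { $stream.Close() }
}

function Get-AutochkInventory {
    param([string]$WinDir = $env:SystemRoot)   # assumption: inspect the running Windows installation

    # 1. Every autochk*.exe: the System32 copy plus component-store copies in WinSxS.
    $files = @(Get-ChildItem -Path $WinDir -Filter 'autochk*.exe' -Recurse -Force -ErrorAction SilentlyContinue)

    $fileInfo = @(foreach ($f in $files) {
        $sig = Get-AuthenticodeSignature -FilePath $f.FullName
        New-Object PSObject -Property @{
            Path      = $f.FullName
            Size      = $f.Length
            Modified  = $f.LastWriteTime
            SHA256    = Get-Sha256Hex -Path $f.FullName
            # Many Windows system binaries are signed only through catalog (.cat)
            # files, so NotSigned here is not by itself evidence of tampering;
            # a System32 copy whose hash differs from every WinSxS copy is.
            Signature = $sig.Status
            Signer    = $(if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null })
        }
    })

    # 2. BootExecute: the default is a single 'autocheck autochk *'. Scheduled
    #    chkdsk runs and third-party cleaners appear as additional strings.
    $sm = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $bootExecute = @($sm.BootExecute)

    New-Object PSObject -Property @{
        Files                 = $fileInfo
        DistinctHashes        = @($fileInfo | Select-Object -ExpandProperty SHA256 -Unique)
        BootExecute           = $bootExecute
        NonDefaultBootExecute = @($bootExecute | Where-Object { $_ -ne 'autocheck autochk *' })
    }
}

$inv = Get-AutochkInventory
if ($inv.Files.Count -eq 0) { "No autochk*.exe found under $env:SystemRoot" }
$inv.Files | Format-Table Path, Size, Modified, Signature -AutoSize
"Distinct SHA-256 values among the copies: $($inv.DistinctHashes.Count)"   # more than one means the copies differ
$inv.BootExecute | ForEach-Object { "BootExecute: $_" }
$inv.NonDefaultBootExecute | ForEach-Object { "Non-default BootExecute entry: $_" }
```

Run it from an elevated PowerShell prompt, since WinSxS and the Session Manager key are not fully readable otherwise. autochk.exe is a native application started by smss.exe before the Win32 subsystem is up, which is why a bad or missing copy shows itself at boot rather than as a normal process.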
