
I have a mess, I think multiple issues, bluescreen


  • This topic is locked
10 replies to this topic

#1 aprilmofo

aprilmofo

  • Members
  • 5 posts
  • OFFLINE
  • Location:Eugene, OR
  • Local time:05:34 AM

Posted 26 January 2010 - 07:47 PM

Been trying to tackle this on my own for at least a month, found several different viruses over time with different scanners (Housecall, BitDefender, Malwarebytes). Finally learned about rootkits etc. (a little), tried some scanners and so now I am sort of just left wondering where to clean up my loose ends. Not sure what is left on my system or not, but for sure something is alive in there! Lots of slow-mo computer stuff and have had so many different symptoms I can't begin to list. When doing steps for posting this, RootRepeal causes a bluescreen with instant restart, then System Configuration wants to run when Windows loads now. Did some Windows updating. Just stopped messing with it after this as things are acting even weirder and am posting now. Please help! Thank you


Most recent DDS


DDS (Ver_09-12-01.01) - NTFSx86
Run by euser at 18:03:20.21 on Tue 01/26/2010
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.161 [GMT -8:00]

AV: BitDefender Antivirus *On-access scanning enabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: BitDefender Firewall *enabled* {4055920F-2E99-48A8-A270-4243D2B8F242}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2010\vsserv.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Ahead\InCD\InCDsrv.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BitDefender\BitDefender 2010\bdagent.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BitDefender\BitDefender 2010\seccenter.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\euser\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
TB: BitDefender Toolbar: {381ffde8-2394-4f90-b10d-fc6124a40f8c} - c:\program files\bitdefender\bitdefender 2010\IEToolbar.dll
uRun: [PhotoShow Deluxe Media Manager] c:\progra~1\nero\data\xtras\mssysmgr.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim6]
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [InCD] c:\program files\ahead\incd\InCD.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [BDAgent] "c:\program files\bitdefender\bitdefender 2010\bdagent.exe"
mRun: [BitDefender Antiphishing Helper] "c:\program files\bitdefender\bitdefender 2010\IEShow.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
uPolicies-explorer: MaxRecentDocs = 99 (0x63)
mPolicies-system: HideShutdownScripts = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: {01010200-5E80-11D8-9E86-0007E96C65AE} - hxxps://ra.qwest.com/sdccommon/download/tgctlins.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1163575108187
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Notification Packages = scecli fiduzuku.dll
IFEO: MpCmdRun.exe - c:\windows\system32\svchost.exe
IFEO: msseces.exe - c:\windows\system32\svchost.exe

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\euser\applic~1\mozilla\firefox\profiles\sefkhnxe.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\mozilla firefox\components\FFComm.dll
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\euser\application data\mozilla\firefox\profiles\sefkhnxe.default\extensions\{195a3098-0bd5-4e90-ae22-ba1c540afd1e}\plugins\npGarmin.dll
FF - plugin: c:\documents and settings\euser\my documents\netscape6\nppl3260.dll
FF - plugin: c:\documents and settings\euser\my documents\netscape6\nprjplug.dll
FF - plugin: c:\documents and settings\euser\my documents\netscape6\nprpjplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPCIG.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npvirtools.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\program files\virtools\3d life player\npvirtools.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R2 BDVEDISK;BDVEDISK;c:\program files\bitdefender\bitdefender 2010\bdvedisk.sys [2009-9-22 83208]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [2009-12-7 152456]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [2009-10-19 110984]
S0 gimetfsk;gimetfsk;c:\windows\system32\drivers\uwxpq.sys --> c:\windows\system32\drivers\uwxpq.sys [?]
S2 MSSQL$MSDEeVertix;MSSQL$MSDEeVertix;c:\program files\microsoft sql server\mssql$msdeevertix\binn\sqlservr.exe -smsdeevertix --> c:\program files\microsoft sql server\mssql$msdeevertix\binn\sqlservr.exe -sMSDEeVertix [?]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\common files\bitdefender\bitdefender arrakis server\bin\arrakis3.exe [2009-10-19 183880]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]
S3 SQLAgent$MSDEeVertix;SQLAgent$MSDEeVertix;c:\program files\microsoft sql server\mssql$msdeevertix\binn\sqlagent.exe -i msdeevertix --> c:\program files\microsoft sql server\mssql$msdeevertix\binn\sqlagent.EXE -i MSDEeVertix [?]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-12-9 24652]

=============== Created Last 30 ================

2010-01-27 01:52:44 4984 ----a-w- c:\windows\system32\drivers\nvphy.bin
2010-01-27 01:52:15 201050 ----a-w- c:\windows\system32\nvapps.nvb
2010-01-27 01:48:38 0 d-----w- c:\docume~1\euser\applic~1\Windows Desktop Search
2010-01-27 01:48:01 0 d-----w- c:\windows\system32\GroupPolicy
2010-01-27 01:48:01 0 d-----w- c:\program files\Windows Desktop Search
2010-01-27 01:47:15 29696 -c----w- c:\windows\system32\dllcache\mimefilt.dll
2010-01-27 01:47:14 98304 -c----w- c:\windows\system32\dllcache\nlhtml.dll
2010-01-27 01:47:14 192000 -c----w- c:\windows\system32\dllcache\offfilt.dll
2010-01-27 01:45:15 0 d-----w- c:\windows\system32\URTTEMP
2010-01-25 08:25:42 0 ----a-w- c:\windows\system32\wsbl.dat
2010-01-25 08:25:41 0 ----a-w- c:\windows\system32\ph_summ.dat
2010-01-25 08:25:41 0 ----a-w- c:\windows\system32\ph_spoof.sig
2010-01-25 08:25:41 0 ----a-w- c:\windows\system32\ph_sign.slf
2010-01-25 08:25:41 0 ----a-w- c:\windows\system32\ph_fuzzy.sig
2010-01-25 08:25:40 0 ----a-w- c:\windows\system32\ph_white.dat
2010-01-25 08:25:40 0 ----a-w- c:\windows\system32\ph_black.dat
2010-01-25 08:25:39 0 ----a-w- c:\windows\system32\pcwords2.dat
2010-01-25 08:25:39 0 ----a-w- c:\windows\system32\pcwords.dat
2010-01-25 08:25:39 0 ----a-w- c:\windows\system32\pc_sign.slf
2010-01-25 08:25:37 0 ---ha-w- c:\windows\system32\ab_sbl.sig
2010-01-23 07:12:55 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-23 03:31:50 0 ---ha-w- c:\windows\system32\ab_bl.sig
2010-01-23 03:31:49 4 ---ha-w- c:\windows\system32\aspdict-en.dat
2010-01-23 03:31:49 16 ---ha-w- c:\windows\system32\asdict.dat
2010-01-23 02:51:35 132 ----a-w- c:\windows\system32\rezumatenoi.dat
2010-01-23 02:20:53 376 ----a-w- c:\documents and settings\euser\Application Dataprivacy.xml
2010-01-23 01:48:00 0 d-----w- c:\program files\BitDefender
2010-01-23 01:48:00 0 d-----w- c:\docume~1\euser\applic~1\BitDefender
2010-01-23 01:48:00 0 d-----w- c:\docume~1\alluse~1\applic~1\BitDefender
2010-01-23 01:45:49 0 d-----w- c:\program files\common files\BitDefender
2010-01-23 01:24:54 0 d-----w- c:\docume~1\euser\applic~1\QuickScan
2010-01-19 00:04:13 10752 ----a-w- c:\windows\DCEBoot.exe
2010-01-18 23:31:57 46 ----a-w- C:\p2hhr.bat
2010-01-18 23:20:18 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-18 22:02:15 0 d-----w- c:\program files\Trend Micro
2010-01-05 18:36:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-05 18:36:47 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-05 18:36:47 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-05 18:36:47 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-05 18:28:30 0 d-----w- c:\docume~1\euser\applic~1\Malwarebytes
2010-01-05 18:11:46 0 d-----w- c:\docume~1\alluse~1\applic~1\3DVIA
2010-01-05 17:52:23 322089 ----a-w- C:\BdUninstallTool2010.01.05-09.52.21.reg

==================== Find3M ====================

2010-01-18 23:32:19 98432 ----a-w- c:\windows\system32\drivers\nvata.sys
2010-01-05 17:53:04 81984 ---ha-w- c:\windows\system32\bdod.bin
2010-01-05 10:00:29 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00:21 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00:20 17408 ----a-w- c:\windows\system32\corpol.dll
2009-12-11 08:24:05 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-12-08 02:49:08 105736 ----a-w- c:\windows\system32\drivers\bdhv.sys
2009-12-08 02:46:28 152456 ----a-w- c:\windows\system32\drivers\bdfm.sys
2009-11-23 02:08:39 62208 ----a-w- c:\windows\iun1401.exe
2009-11-01 21:06:34 249856 ------w- c:\windows\Setup1.exe
2009-11-01 21:06:30 73216 ----a-w- c:\windows\ST6UNST.EXE
2008-09-21 05:04:49 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092020080921\index.dat

============= FINISH: 18:05:43.56 ===============



Edited by aprilmofo, 26 January 2010 - 09:08 PM.




#2 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:34 AM

Posted 02 February 2010 - 06:21 PM

Hi,

My name is Extremeboy (or EB for short), and I will be helping you with your log.

We apologize for the delay of response.

Do you still require help?

If you still require assistance we would like to see the current condition of your system so please post a new set of DDS Logs as well as a RootRepeal log and a description of any remaining problems or symptoms you may still have please.

If for any reason you did not post a DDS log or RootRepeal log please refer to this page and in step #6 and Step #7 for further instructions on downloading and running DDS & RootRepeal. If you have any problems when running the tools or unable to produce a report for any reason, just let me know in your next reply.


For your next reply I would like to see:
-The DDS logs
---DDS.txt and Attach logs
-RootRepeal logs
-Description of any remaining problems you may still have.


Thanks again and we apologize for the delay.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 aprilmofo

aprilmofo
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Location:Eugene, OR
  • Local time:05:34 AM

Posted 02 February 2010 - 10:12 PM

Thanks a lot for replying back, I'm feeling really stuck as I don't want to set off any more weird things. Ok well I had many symptoms before I even started scanning, had turned off the BitDefender real-time virus shield and sometime during that period it became unavailable to be able to turn back on. I uninstalled BitDefender and didn't think about it for a while. Finally started having fake spyware ads etc. show up, and suddenly my ISP was suspending my web traffic, said reports of malicious emails being sent from my connection, had to confirm I was virus free to reinstate service, etc. etc. Well, used Malwarebytes and Housecall to get rid of a lot of that (had to use the random-named file download for Malwarebytes, it was also not letting me use Housecall til later). Removed several viruses, didn't save names, Vundo and lots of trojan.ad.generic type stuff if I remember right. Anyway got BitDefender back on (man I hate it, though maybe my issues are causing system slowness, not it) and haven't had any more issues with the rogue spyware type messages but continued to have slow performance and odd behaviors. Learned about rootkits and went at it with some of those scanners etc., seemed to set off a lot of new things. Also kept finding rootkits in various scans (be it full scans with Housecall, Malwarebytes or BitDefender), not every time but every once in a while. So something wasn't going away somewhere.

I know that was probably way TMI, sorry, this has all just been so long and drawn out and non-specific. So when I ran DDS the first time for my topic post, that went fine, came to RootRepeal and it gave me a blue screen, tried it in Safe Mode, blue screen also. After that restart I suddenly notice I can only choose to log on as euser, no admin option available. (It still comes up available in Safe Mode however.) It also gives me a message each time I start that the System Configuration Utility has been used, and brings me to a screen about some of that, options to do a normal boot or others. Been x'ing out of those, as I'm nervous things are part of the infection instead of legit programs. Also gives me a delayed start sound sometimes, random error/exclamation Windows sounds, with no error windows or messages. Runs very slow at times still. Laggy stuff with command responses and loading as well. Once in a while get an Adobe Flash update request, seems I allowed it at some point recently so been cancelling that as well. When looking through the system32 folder, seen a lot of questionable files.

After your reply, ran DDS, here is the current scan. Ran RootRepeal, got the error I've received each time, "Error- Invalid PE image found!", froze during scan, clicked stop, stuck on that a while, finally closed the program. Retried RootRepeal, received a new error message: "FOPS Device IO Control Error!" (have more if needed). Clicking scan gave the same error. Closed the program. Restarted the computer since everything was mega slow suddenly, received a blue screen with "STOP: Ocx000000B8" (have more if needed) before it shut down. Reset button for restart.
Reboot to Safe Mode, ran RootRepeal, received the PE error, initialized, blue screen with the same error.


Newest DDS:

DDS (Ver_09-12-01.01) - NTFSx86
Run by euser at 17:53:21.32 on Tue 02/02/2010
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.119 [GMT -8:00]

AV: BitDefender Antivirus *On-access scanning disabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: BitDefender Firewall *enabled* {4055920F-2E99-48A8-A270-4243D2B8F242}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2010\vsserv.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Ahead\InCD\InCDsrv.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\BitDefender\BitDefender 2010\bdagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BitDefender\BitDefender 2010\seccenter.exe
C:\WINDOWS\system32\HDAShCut.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Documents and Settings\euser\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
TB: BitDefender Toolbar: {381ffde8-2394-4f90-b10d-fc6124a40f8c} - c:\program files\bitdefender\bitdefender 2010\IEToolbar.dll
uRun: [PhotoShow Deluxe Media Manager] c:\progra~1\nero\data\xtras\mssysmgr.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim6]
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [InCD] c:\program files\ahead\incd\InCD.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [BDAgent] "c:\program files\bitdefender\bitdefender 2010\bdagent.exe"
mRun: [BitDefender Antiphishing Helper] "c:\program files\bitdefender\bitdefender 2010\IEShow.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
uPolicies-explorer: MaxRecentDocs = 99 (0x63)
mPolicies-system: HideShutdownScripts = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: {01010200-5E80-11D8-9E86-0007E96C65AE} - hxxps://ra.qwest.com/sdccommon/download/tgctlins.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1163575108187
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Notification Packages = scecli fiduzuku.dll
IFEO: MpCmdRun.exe - c:\windows\system32\svchost.exe
IFEO: msseces.exe - c:\windows\system32\svchost.exe

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\euser\applic~1\mozilla\firefox\profiles\sefkhnxe.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\mozilla firefox\components\FFComm.dll
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\euser\application data\mozilla\firefox\profiles\sefkhnxe.default\extensions\{195a3098-0bd5-4e90-ae22-ba1c540afd1e}\plugins\npGarmin.dll
FF - plugin: c:\documents and settings\euser\my documents\netscape6\nppl3260.dll
FF - plugin: c:\documents and settings\euser\my documents\netscape6\nprjplug.dll
FF - plugin: c:\documents and settings\euser\my documents\netscape6\nprpjplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPCIG.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npvirtools.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\program files\virtools\3d life player\npvirtools.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R2 BDVEDISK;BDVEDISK;c:\program files\bitdefender\bitdefender 2010\bdvedisk.sys [2009-9-22 83208]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [2009-12-7 152456]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [2009-10-19 110984]
S0 gimetfsk;gimetfsk;c:\windows\system32\drivers\uwxpq.sys --> c:\windows\system32\drivers\uwxpq.sys [?]
S2 MSSQL$MSDEeVertix;MSSQL$MSDEeVertix;c:\program files\microsoft sql server\mssql$msdeevertix\binn\sqlservr.exe -smsdeevertix --> c:\program files\microsoft sql server\mssql$msdeevertix\binn\sqlservr.exe -sMSDEeVertix [?]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\common files\bitdefender\bitdefender arrakis server\bin\arrakis3.exe [2009-10-19 183880]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]
S3 SQLAgent$MSDEeVertix;SQLAgent$MSDEeVertix;c:\program files\microsoft sql server\mssql$msdeevertix\binn\sqlagent.exe -i msdeevertix --> c:\program files\microsoft sql server\mssql$msdeevertix\binn\sqlagent.EXE -i MSDEeVertix [?]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-12-9 24652]

=============== Created Last 30 ================

2010-02-03 01:47:03 52 ----a-w- c:\windows\system32\ashttpstats.csv
2010-01-27 14:22:15 385 ----a-w- c:\windows\system32\user_gensett.xml
2010-01-27 10:41:57 0 d-----w- c:\docume~1\euser\applic~1\Windows Search
2010-01-27 01:52:44 4984 ----a-w- c:\windows\system32\drivers\nvphy.bin
2010-01-27 01:52:15 201050 ----a-w- c:\windows\system32\nvapps.nvb
2010-01-27 01:48:38 0 d-----w- c:\docume~1\euser\applic~1\Windows Desktop Search
2010-01-27 01:48:01 0 d-----w- c:\windows\system32\GroupPolicy
2010-01-27 01:48:01 0 d-----w- c:\program files\Windows Desktop Search
2010-01-27 01:47:15 29696 -c----w- c:\windows\system32\dllcache\mimefilt.dll
2010-01-27 01:47:14 98304 -c----w- c:\windows\system32\dllcache\nlhtml.dll
2010-01-27 01:47:14 192000 -c----w- c:\windows\system32\dllcache\offfilt.dll
2010-01-27 01:45:15 0 d-----w- c:\windows\system32\URTTEMP
2010-01-25 08:25:42 0 ----a-w- c:\windows\system32\wsbl.dat
2010-01-25 08:25:41 0 ----a-w- c:\windows\system32\ph_summ.dat
2010-01-25 08:25:41 0 ----a-w- c:\windows\system32\ph_spoof.sig
2010-01-25 08:25:41 0 ----a-w- c:\windows\system32\ph_sign.slf
2010-01-25 08:25:41 0 ----a-w- c:\windows\system32\ph_fuzzy.sig
2010-01-25 08:25:40 0 ----a-w- c:\windows\system32\ph_white.dat
2010-01-25 08:25:40 0 ----a-w- c:\windows\system32\ph_black.dat
2010-01-25 08:25:39 0 ----a-w- c:\windows\system32\pcwords2.dat
2010-01-25 08:25:39 0 ----a-w- c:\windows\system32\pcwords.dat
2010-01-25 08:25:39 0 ----a-w- c:\windows\system32\pc_sign.slf
2010-01-25 08:25:37 0 ---ha-w- c:\windows\system32\ab_sbl.sig
2010-01-23 07:12:55 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-23 03:31:50 0 ---ha-w- c:\windows\system32\ab_bl.sig
2010-01-23 03:31:49 4 ---ha-w- c:\windows\system32\aspdict-en.dat
2010-01-23 03:31:49 16 ---ha-w- c:\windows\system32\asdict.dat
2010-01-23 02:20:53 376 ----a-w- c:\documents and settings\euser\Application Dataprivacy.xml
2010-01-23 01:48:00 0 d-----w- c:\program files\BitDefender
2010-01-23 01:48:00 0 d-----w- c:\docume~1\euser\applic~1\BitDefender
2010-01-23 01:48:00 0 d-----w- c:\docume~1\alluse~1\applic~1\BitDefender
2010-01-23 01:45:49 0 d-----w- c:\program files\common files\BitDefender
2010-01-23 01:24:54 0 d-----w- c:\docume~1\euser\applic~1\QuickScan
2010-01-19 00:04:13 10752 ----a-w- c:\windows\DCEBoot.exe
2010-01-18 23:31:57 46 ----a-w- C:\p2hhr.bat
2010-01-18 23:20:18 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-18 22:02:15 0 d-----w- c:\program files\Trend Micro
2010-01-05 18:36:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-05 18:36:47 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-05 18:36:47 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-05 18:36:47 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-05 18:28:30 0 d-----w- c:\docume~1\euser\applic~1\Malwarebytes
2010-01-05 18:11:46 0 d-----w- c:\docume~1\alluse~1\applic~1\3DVIA
2010-01-05 17:52:23 322089 ----a-w- C:\BdUninstallTool2010.01.05-09.52.21.reg

==================== Find3M ====================

2010-01-18 23:32:19 98432 ----a-w- c:\windows\system32\drivers\nvata.sys
2010-01-05 17:53:04 81984 ---ha-w- c:\windows\system32\bdod.bin
2010-01-05 10:00:29 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00:21 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00:20 17408 ----a-w- c:\windows\system32\corpol.dll
2009-12-11 08:24:05 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-12-08 02:49:08 105736 ----a-w- c:\windows\system32\drivers\bdhv.sys
2009-12-08 02:46:28 152456 ----a-w- c:\windows\system32\drivers\bdfm.sys
2009-11-23 02:08:39 62208 ----a-w- c:\windows\iun1401.exe
2008-09-21 05:04:49 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092020080921\index.dat

============= FINISH: 17:53:54.59 ===============


Edited by aprilmofo, 03 February 2010 - 06:12 AM.


#4 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:34 AM

Posted 03 February 2010 - 07:07 PM

Try GMER.

Download and Run GMER

We will use GMER to scan for rootkits.
  • Please download GMER from one of the following locations, and save it to your desktop:
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop. Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)

  • Close any and all open programs, as this process may crash your computer.
  • Double click or on your desktop.
  • When you have done this, close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program. Right-click and select Run As Administrator... if you are using Vista
  • Allow the gmer.sys driver to load if asked.

    If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system... Click NO.
  • In the right panel, you will see several boxes that have been checked. Please UNCHECK the following:
    • Sections
    • Registry
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show all (Don't miss this one!)
  • Click on and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.

If GMER doesn't work in Normal Mode try running it in Safe Mode

Note: Do Not run any program while GMER is running
*Note*: Rootkit scans often produce false positives. Do NOT take any actions on "<--- ROOTKIT" entries
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#5 aprilmofo

aprilmofo
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Location:Eugene, OR
  • Local time:05:34 AM

Posted 04 February 2010 - 04:55 AM

Most recent gmer scan:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-04 01:53:07
Windows 5.1.2600 Service Pack 3
Running: vh0479yc.exe; Driver: C:\DOCUME~1\euser\LOCALS~1\Temp\uxtdqpoc.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwAllocateVirtualMemory [0xECAD1884]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwAssignProcessToJobObject [0xECAD1BF0]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwConnectPort [0xECAD2DA0]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwCreateFile [0xECAD25B6]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwCreateKey [0xECAD320A]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwCreateProcess [0xECAD1D3A]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwCreateProcessEx [0xECAD1DBC]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwCreateSection [0xECAD23DA]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwCreateThread [0xECAD1486]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwDeviceIoControlFile [0xECAD330A]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwDuplicateObject [0xECAD59F4]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwFsControlFile [0xECAD344E]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwLoadDriver [0xECAD3D92]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwOpenFile [0xECAD24CA]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwOpenProcess [0xECAD5746]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwOpenSection [0xECAD22FA]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwOpenThread [0xECAD5874]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwProtectVirtualMemory [0xECAD1782]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwQueueApcThread [0xECAD1C92]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwRequestPort [0xECAD2E30]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwRequestWaitReplyPort [0xECAD2BEC]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwSecureConnectPort [0xECAD2FBA]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwSetContextThread [0xECAD1576]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwSetSystemInformation [0xECAD1988]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwSuspendProcess [0xECAD16E4]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwSuspendThread [0xECAD1646]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwSystemDebugControl [0xECAD1B4E]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwTerminateProcess [0xECAD56B6]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwTerminateThread [0xECAD5B02]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwWriteVirtualMemory [0xECAD1384]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs InCDrec.SYS (InCD File System Recognizer/Nero AG)
AttachedDevice \Driver\Tcpip \Device\Ip bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender LLC)
AttachedDevice \Driver\Tcpip \Device\Tcp bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender LLC)
AttachedDevice \Driver\Tcpip \Device\Udp bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender LLC)
AttachedDevice \Driver\Tcpip \Device\RawIp bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender LLC)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat InCDrec.SYS (InCD File System Recognizer/Nero AG)

---- EOF - GMER 1.0.15 ----
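Every SSDT entry in the log above is owned by BitDefender's bdselfpr.sys, and the attached-device filters belong to BitDefender and Nero, which is exactly the false-positive situation extremeboy's note about "<--- ROOTKIT" entries warns about. The Python script below is an added example for reading such a log; it is not part of the thread and not GMER's own code. It parses lines in the shape GMER prints for its System and Devices sections, groups hooks by the module that owns them, and lists any module GMER could not attribute to a vendor on an expected list. The embedded sample log is constructed from a few lines of the post plus one made-up entry (placeholder_unknown.sys, no vendor annotation) so the unattributed branch is exercised; the expected-vendor list is an assumption about what is installed on this machine.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the shape of GMER 1.0.15 output. The BitDefender, Nero
# and bdftdif lines mirror the post above; placeholder_unknown.sys is made up
# and carries no "(Description/Vendor)" annotation, as GMER prints for a
# module it cannot describe.
SAMPLE_GMER_LOG = r"""
---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwCreateFile [0xECAD25B6]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwOpenProcess [0xECAD5746]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwTerminateProcess [0xECAD56B6]
SSDT \??\C:\WINDOWS\system32\drivers\placeholder_unknown.sys ZwQueryDirectoryFile [0xF7A1C2E0]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs InCDrec.SYS (InCD File System Recognizer/Nero AG)
AttachedDevice \Driver\Tcpip \Device\Tcp bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender LLC)
"""

# Vendors we expect to see hooking this machine (assumption for this example).
EXPECTED_VENDORS = ["BitDefender", "Nero", "Microsoft"]

# The module path may contain spaces, so it is matched lazily up to its extension.
_SSDT_RE = re.compile(
    r"^SSDT\s+(?P<module>.+?\.(?:sys|dll|exe))"
    r"(?:\s+\((?P<desc>[^)]*)\))?"
    r"\s+(?P<func>Zw\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]\s*$",
    re.IGNORECASE,
)
_DEVICE_RE = re.compile(
    r"^AttachedDevice\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+(?P<module>\S+)"
    r"(?:\s+\((?P<desc>[^)]*)\))?\s*$"
)


@dataclass
class Hook:
    kind: str              # "SSDT" or "AttachedDevice"
    module: str            # path or file name GMER reported as the hook owner
    target: str            # hooked Zw* routine, or the device the filter sits on
    vendor: Optional[str]  # vendor part of "(Description/Vendor)", None if absent


def _vendor(desc: Optional[str]) -> Optional[str]:
    """GMER's annotation is 'Description/Vendor'; keep the part after the last slash."""
    if not desc:
        return None
    return desc.rsplit("/", 1)[-1].strip()


def module_name(path: str) -> str:
    """Bare file name, lower-cased, so bdselfpr.sys groups with \\??\\C:\\...\\bdselfpr.sys."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_gmer(text: str):
    """Return a list of Hook records for every SSDT / AttachedDevice line in the log."""
    hooks = []
    for line in text.splitlines():
        m = _SSDT_RE.match(line)
        if m:
            hooks.append(Hook("SSDT", m["module"], m["func"], _vendor(m["desc"])))
            continue
        m = _DEVICE_RE.match(line)
        if m:
            hooks.append(Hook("AttachedDevice", m["module"], m["device"], _vendor(m["desc"])))
    return hooks


def triage(hooks, expected_vendors):
    """Group hook targets by owning module; list modules not attributed to an expected vendor.

    A hook is 'attributed' only when GMER printed a vendor and that vendor contains
    one of the expected names. Hooks from unknown or unannotated modules are the ones
    worth a closer look; hooks from the installed AV are the false positives the
    thread warns about.
    """
    by_module = defaultdict(list)
    unattributed = set()
    expected = [v.lower() for v in expected_vendors]
    for h in hooks:
        name = module_name(h.module)
        by_module[name].append(h.target)
        known = h.vendor is not None and any(e in h.vendor.lower() for e in expected)
        if not known:
            unattributed.add(name)
    return dict(by_module), sorted(unattributed)


if __name__ == "__main__":
    grouped, suspicious = triage(parse_gmer(SAMPLE_GMER_LOG), EXPECTED_VENDORS)
    for mod, targets in grouped.items():
        print(f"{mod}: {len(targets)} hook(s) -> {', '.join(targets)}")
    print("not attributed to an expected vendor:", suspicious or "none")
```

Run against the full log from the post, the script reports one module (bdselfpr.sys) owning all 30 SSDT hooks and nothing unattributed, which is the quick way to confirm that a wall of "SSDT" lines is the installed antivirus protecting itself rather than a rootkit.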


#6 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:34 AM

Posted 05 February 2010 - 07:49 PM

Download and Run Combofix

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page on instructions on doing so.

Please include the C:\ComboFix.txt in your next reply for further review.


#7 aprilmofo

aprilmofo
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Location:Eugene, OR
  • Local time:05:34 AM

Posted 06 February 2010 - 07:05 AM

Quick note: I ran it the first time, and accidentally closed the log.txt that came up before copying. Searched for all files *.txt (also exact filename search) on the computer and didn't get any combofix.txt at all. I'm tired and it's late so ran combofix a second time without fully thinking, to see where it may have tried to put it or at least get a new one to show you. Well it mentioned combofix2.txt in the end of it, and it was there this time in the folder I'd tried before. Got a send/don't send debug thingy on 'n.exe' during all this, also everything slowed so much I reset the computer. Anyway I'm posting my first combofix log (the one that seemed lost) and then the 2nd one I did in panic mode. Sorry if it makes it confusing (or if I do, but that's my usual).




ComboFix 10-01-30.04 - euser 02/06/2010 0:53.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.129 [GMT -8:00]
Running from: c:\documents and settings\euser\Desktop\ComboFix.exe
AV: BitDefender Antivirus *On-access scanning disabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: BitDefender Firewall *enabled* {4055920F-2E99-48A8-A270-4243D2B8F242}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\p2hhr.bat
c:\windows\COUPON~1.OCX
c:\windows\CouponPrinter.ocx
c:\windows\desktop
c:\windows\desktop\Instal~1.lnk
c:\windows\EventSystem.log
c:\windows\run.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_SSHNAS
-------\Service_6to4


((((((((((((((((((((((((( Files Created from 2010-01-06 to 2010-02-06 )))))))))))))))))))))))))))))))
.

2010-01-27 19:56 . 2010-01-27 19:57 -------- d-----w- c:\documents and settings\euser\Local Settings\Application Data\ApplicationHistory
2010-01-27 10:41 . 2010-01-27 10:41 -------- d-----w- c:\documents and settings\euser\Application Data\Windows Search
2010-01-27 03:19 . 2010-01-27 03:19 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2010-01-27 03:11 . 2010-01-27 03:11 -------- d-----w- c:\documents and settings\Administrator\Application Data\BitDefender
2010-01-27 01:52 . 2008-07-08 16:45 4984 ----a-w- c:\windows\system32\drivers\nvphy.bin
2010-01-27 01:48 . 2010-01-27 01:48 -------- d-----w- c:\documents and settings\euser\Application Data\Windows Desktop Search
2010-01-27 01:48 . 2010-01-27 14:21 -------- d-----w- c:\program files\Windows Desktop Search
2010-01-27 01:48 . 2010-01-27 01:48 -------- d-----w- c:\windows\system32\GroupPolicy
2010-01-27 01:47 . 2008-03-07 17:02 29696 -c----w- c:\windows\system32\dllcache\mimefilt.dll
2010-01-27 01:47 . 2008-03-07 17:02 98304 -c----w- c:\windows\system32\dllcache\nlhtml.dll
2010-01-27 01:47 . 2008-03-07 17:02 192000 -c----w- c:\windows\system32\dllcache\offfilt.dll
2010-01-27 01:45 . 2010-01-27 01:45 -------- d-----w- c:\windows\system32\URTTEMP
2010-01-25 08:25 . 2010-01-25 08:25 0 ----a-w- c:\windows\system32\wsbl.dat
2010-01-25 08:25 . 2010-01-25 08:25 0 ----a-w- c:\windows\system32\ph_summ.dat
2010-01-25 08:25 . 2010-01-25 08:25 0 ----a-w- c:\windows\system32\ph_white.dat
2010-01-25 08:25 . 2010-01-25 08:25 0 ----a-w- c:\windows\system32\ph_black.dat
2010-01-25 08:25 . 2010-01-25 08:25 0 ----a-w- c:\windows\system32\pcwords2.dat
2010-01-25 08:25 . 2010-01-25 08:25 0 ----a-w- c:\windows\system32\pcwords.dat
2010-01-23 07:12 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-23 03:31 . 2010-01-23 03:31 4 ---ha-w- c:\windows\system32\aspdict-en.dat
2010-01-23 03:31 . 2010-01-23 03:31 16 ---ha-w- c:\windows\system32\asdict.dat
2010-01-23 01:48 . 2010-01-23 02:20 -------- d-----w- c:\documents and settings\All Users\Application Data\BitDefender
2010-01-23 01:48 . 2010-01-23 01:48 -------- d-----w- c:\documents and settings\euser\Application Data\BitDefender
2010-01-23 01:48 . 2010-01-23 01:48 -------- d-----w- c:\program files\BitDefender
2010-01-23 01:45 . 2010-01-23 01:48 -------- d-----w- c:\program files\Common Files\BitDefender
2010-01-23 01:24 . 2010-01-23 07:27 -------- d-----w- c:\documents and settings\euser\Application Data\QuickScan
2010-01-19 00:04 . 2010-01-19 00:04 10752 ----a-w- c:\windows\DCEBoot.exe
2010-01-18 23:20 . 2010-01-18 23:20 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-18 22:02 . 2010-01-18 22:02 -------- d-----w- c:\program files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-26 05:03 . 2010-01-05 18:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-26 05:02 . 2010-01-09 22:26 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-23 00:19 . 2007-06-07 03:30 -------- d-----w- c:\program files\Microsoft SQL Server
2010-01-18 23:32 . 2005-08-12 22:31 98432 ----a-w- c:\windows\system32\drivers\nvata.sys
2010-01-18 22:52 . 2005-12-09 18:44 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-13 11:37 . 2009-12-24 15:28 -------- d-----w- c:\documents and settings\euser\Application Data\uTorrent
2010-01-12 01:33 . 2010-01-23 01:24 789320 ----a-w- c:\documents and settings\euser\Application Data\Mozilla\Firefox\Profiles\sefkhnxe.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
2010-01-12 01:32 . 2010-01-23 01:24 698184 ----a-w- c:\documents and settings\euser\Application Data\Mozilla\Firefox\Profiles\sefkhnxe.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\bdqscan.dll
2010-01-08 00:07 . 2010-01-05 18:36 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-08 00:07 . 2010-01-05 18:36 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-05 18:36 . 2010-01-05 18:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-05 18:28 . 2010-01-05 18:28 -------- d-----w- c:\documents and settings\euser\Application Data\Malwarebytes
2010-01-05 18:11 . 2010-01-05 18:11 -------- d-----w- c:\documents and settings\All Users\Application Data\3DVIA
2010-01-05 17:56 . 2010-01-05 17:52 322089 ----a-w- C:\BdUninstallTool2010.01.05-09.52.21.reg
2010-01-05 17:53 . 2009-01-15 15:28 81984 ---ha-w- c:\windows\system32\bdod.bin
2010-01-05 10:00 . 2004-08-04 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2004-08-04 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-12-25 07:13 . 2009-12-25 07:10 -------- d-----w- c:\documents and settings\euser\Application Data\ImgBurn
2009-12-25 07:04 . 2009-12-25 07:04 -------- d-----w- c:\program files\ImgBurn
2009-12-25 05:32 . 2009-12-25 05:31 -------- d-----w- c:\program files\Ultra AVI Converter
2009-12-24 15:29 . 2009-12-24 15:29 -------- d-----w- c:\program files\uTorrent
2009-12-14 22:09 . 2009-12-14 22:09 -------- d-----w- c:\program files\Coupons
2009-12-12 22:42 . 2009-12-12 22:42 -------- d-----w- c:\program files\Microsoft Silverlight
2009-12-11 08:57 . 2009-10-28 04:47 -------- d-----w- c:\program files\Google
2009-12-11 08:24 . 2009-12-11 08:24 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-12-08 02:49 . 2009-12-08 02:49 105736 ----a-w- c:\windows\system32\drivers\bdhv.sys
2009-12-08 02:46 . 2009-12-08 02:46 152456 ----a-w- c:\windows\system32\drivers\bdfm.sys
2009-11-23 02:08 . 2009-11-23 02:08 62208 ----a-w- c:\windows\iun1401.exe
2009-11-23 02:07 . 2009-11-23 02:06 283 ----a-w- c:\windows\EReg077.dat
2009-11-21 15:51 . 2004-08-04 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-12 16:27 . 2009-11-12 16:27 152576 ----a-w- c:\documents and settings\euser\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-12 16:27 . 2009-11-12 16:27 79488 ----a-w- c:\documents and settings\euser\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-10-20 02:59 . 2010-01-23 02:20 47104 ----a-w- c:\program files\mozilla firefox\components\FFComm.dll
2008-06-19 09:16 . 2008-06-19 09:16 118784 ----a-w- c:\program files\mozilla firefox\plugins\MyCamera.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PhotoShow Deluxe Media Manager"="c:\progra~1\Nero\data\Xtras\mssysmgr.exe" [2004-11-12 212992]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2004-10-27 61952]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2005-01-27 1381376]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-18 13574144]
"BDAgent"="c:\program files\BitDefender\BitDefender 2010\bdagent.exe" [2010-01-28 1120704]
"BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2010\IEShow.exe" [2009-10-20 71152]
"nwiz"="nwiz.exe" [2008-09-18 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-18 86016]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideShutdownScripts"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"= 99 (0x63)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-10-11 12:17 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-10-29 22:51 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=

R2 BDVEDISK;BDVEDISK;c:\program files\BitDefender\BitDefender 2010\bdvedisk.sys [9/22/2009 8:22 AM 83208]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [12/7/2009 6:46 PM 152456]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [10/19/2009 4:04 PM 110984]
S0 gimetfsk;gimetfsk;c:\windows\system32\drivers\uwxpq.sys --> c:\windows\system32\drivers\uwxpq.sys [?]
S2 MSSQL$MSDEeVertix;MSSQL$MSDEeVertix;c:\program files\Microsoft SQL Server\MSSQL$MSDEeVertix\Binn\sqlservr.exe -sMSDEeVertix --> c:\program files\Microsoft SQL Server\MSSQL$MSDEeVertix\Binn\sqlservr.exe -sMSDEeVertix [?]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\arrakis3.exe [10/19/2009 4:06 PM 183880]
S3 SQLAgent$MSDEeVertix;SQLAgent$MSDEeVertix;c:\program files\Microsoft SQL Server\MSSQL$MSDEeVertix\Binn\sqlagent.EXE -i MSDEeVertix --> c:\program files\Microsoft SQL Server\MSSQL$MSDEeVertix\Binn\sqlagent.EXE -i MSDEeVertix [?]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [12/9/2008 5:44 PM 24652]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
DPF: {01010200-5E80-11D8-9E86-0007E96C65AE} - hxxps://ra.qwest.com/sdccommon/download/tgctlins.cab
FF - ProfilePath - c:\documents and settings\euser\Application Data\Mozilla\Firefox\Profiles\sefkhnxe.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\Mozilla Firefox\components\FFComm.dll
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\euser\Application Data\Mozilla\Firefox\Profiles\sefkhnxe.default\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}\plugins\npGarmin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPCIG.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npvirtools.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\program files\Virtools\3D Life Player\npvirtools.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-06 01:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.EXE'(3148)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Ahead\InCD\InCDsrv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\HDAShCut.exe
.
**************************************************************************
.
Completion time: 2010-02-06 01:17:10 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-06 09:17

Pre-Run: 129,338,966,016 bytes free
Post-Run: 130,272,215,040 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 9111E34713F1900445744A83F64D7E0D



2nd run log:




ComboFix 10-02-05.04 - euser 02/06/2010 3:42.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.129 [GMT -8:00]
Running from: c:\documents and settings\euser\Desktop\April\ComboFix.exe
AV: BitDefender Antivirus *On-access scanning disabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: BitDefender Firewall *disabled* {4055920F-2E99-48A8-A270-4243D2B8F242}
.

((((((((((((((((((((((((( Files Created from 2010-01-06 to 2010-02-06 )))))))))))))))))))))))))))))))
.

2010-01-27 19:56 . 2010-01-27 19:57 -------- d-----w- c:\documents and settings\euser\Local Settings\Application Data\ApplicationHistory
2010-01-27 10:41 . 2010-01-27 10:41 -------- d-----w- c:\documents and settings\euser\Application Data\Windows Search
2010-01-27 03:19 . 2010-01-27 03:19 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2010-01-27 03:11 . 2010-01-27 03:11 -------- d-----w- c:\documents and settings\Administrator\Application Data\BitDefender
2010-01-27 01:52 . 2008-07-08 16:45 4984 ----a-w- c:\windows\system32\drivers\nvphy.bin
2010-01-27 01:48 . 2010-01-27 01:48 -------- d-----w- c:\documents and settings\euser\Application Data\Windows Desktop Search
2010-01-27 01:48 . 2010-01-27 14:21 -------- d-----w- c:\program files\Windows Desktop Search
2010-01-27 01:48 . 2010-01-27 01:48 -------- d-----w- c:\windows\system32\GroupPolicy
2010-01-27 01:47 . 2008-03-07 17:02 29696 -c----w- c:\windows\system32\dllcache\mimefilt.dll
2010-01-27 01:47 . 2008-03-07 17:02 98304 -c----w- c:\windows\system32\dllcache\nlhtml.dll
2010-01-27 01:47 . 2008-03-07 17:02 192000 -c----w- c:\windows\system32\dllcache\offfilt.dll
2010-01-27 01:45 . 2010-01-27 01:45 -------- d-----w- c:\windows\system32\URTTEMP
2010-01-25 08:25 . 2010-01-25 08:25 0 ----a-w- c:\windows\system32\wsbl.dat
2010-01-25 08:25 . 2010-01-25 08:25 0 ----a-w- c:\windows\system32\ph_summ.dat
2010-01-25 08:25 . 2010-01-25 08:25 0 ----a-w- c:\windows\system32\ph_white.dat
2010-01-25 08:25 . 2010-01-25 08:25 0 ----a-w- c:\windows\system32\ph_black.dat
2010-01-25 08:25 . 2010-01-25 08:25 0 ----a-w- c:\windows\system32\pcwords2.dat
2010-01-25 08:25 . 2010-01-25 08:25 0 ----a-w- c:\windows\system32\pcwords.dat
2010-01-23 07:12 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-23 03:31 . 2010-01-23 03:31 4 ---ha-w- c:\windows\system32\aspdict-en.dat
2010-01-23 03:31 . 2010-01-23 03:31 16 ---ha-w- c:\windows\system32\asdict.dat
2010-01-23 01:48 . 2010-01-23 02:20 -------- d-----w- c:\documents and settings\All Users\Application Data\BitDefender
2010-01-23 01:48 . 2010-01-23 01:48 -------- d-----w- c:\documents and settings\euser\Application Data\BitDefender
2010-01-23 01:48 . 2010-01-23 01:48 -------- d-----w- c:\program files\BitDefender
2010-01-23 01:45 . 2010-01-23 01:48 -------- d-----w- c:\program files\Common Files\BitDefender
2010-01-23 01:24 . 2010-01-23 07:27 -------- d-----w- c:\documents and settings\euser\Application Data\QuickScan
2010-01-23 01:24 . 2010-01-12 01:33 789320 ----a-w- c:\documents and settings\euser\Application Data\Mozilla\Firefox\Profiles\sefkhnxe.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
2010-01-23 01:24 . 2010-01-12 01:32 698184 ----a-w- c:\documents and settings\euser\Application Data\Mozilla\Firefox\Profiles\sefkhnxe.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\bdqscan.dll
2010-01-19 00:04 . 2010-01-19 00:04 10752 ----a-w- c:\windows\DCEBoot.exe
2010-01-18 23:20 . 2010-01-18 23:20 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-18 22:02 . 2010-01-18 22:02 -------- d-----w- c:\program files\Trend Micro
2010-01-09 22:26 . 2010-01-26 05:02 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-26 05:03 . 2010-01-05 18:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-23 00:19 . 2007-06-07 03:30 -------- d-----w- c:\program files\Microsoft SQL Server
2010-01-18 23:32 . 2005-08-12 22:31 98432 ----a-w- c:\windows\system32\drivers\nvata.sys
2010-01-18 22:52 . 2005-12-09 18:44 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-13 11:37 . 2009-12-24 15:28 -------- d-----w- c:\documents and settings\euser\Application Data\uTorrent
2010-01-08 00:07 . 2010-01-05 18:36 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-08 00:07 . 2010-01-05 18:36 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-05 18:36 . 2010-01-05 18:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-05 18:28 . 2010-01-05 18:28 -------- d-----w- c:\documents and settings\euser\Application Data\Malwarebytes
2010-01-05 18:11 . 2010-01-05 18:11 -------- d-----w- c:\documents and settings\All Users\Application Data\3DVIA
2010-01-05 17:56 . 2010-01-05 17:52 322089 ----a-w- C:\BdUninstallTool2010.01.05-09.52.21.reg
2010-01-05 17:53 . 2009-01-15 15:28 81984 ---ha-w- c:\windows\system32\bdod.bin
2010-01-05 10:00 . 2004-08-04 12:00 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2004-08-04 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-12-25 07:13 . 2009-12-25 07:10 -------- d-----w- c:\documents and settings\euser\Application Data\ImgBurn
2009-12-25 07:04 . 2009-12-25 07:04 -------- d-----w- c:\program files\ImgBurn
2009-12-25 05:32 . 2009-12-25 05:31 -------- d-----w- c:\program files\Ultra AVI Converter
2009-12-24 15:29 . 2009-12-24 15:29 -------- d-----w- c:\program files\uTorrent
2009-12-14 22:09 . 2009-12-14 22:09 -------- d-----w- c:\program files\Coupons
2009-12-12 22:42 . 2009-12-12 22:42 -------- d-----w- c:\program files\Microsoft Silverlight
2009-12-11 08:57 . 2009-10-28 04:47 -------- d-----w- c:\program files\Google
2009-12-11 08:24 . 2009-12-11 08:24 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-12-08 02:49 . 2009-12-08 02:49 105736 ----a-w- c:\windows\system32\drivers\bdhv.sys
2009-12-08 02:46 . 2009-12-08 02:46 152456 ----a-w- c:\windows\system32\drivers\bdfm.sys
2009-11-23 02:08 . 2009-11-23 02:08 62208 ----a-w- c:\windows\iun1401.exe
2009-11-23 02:07 . 2009-11-23 02:06 283 ----a-w- c:\windows\EReg077.dat
2009-11-21 15:51 . 2004-08-04 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-12 16:27 . 2009-11-12 16:27 152576 ----a-w- c:\documents and settings\euser\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-12 16:27 . 2009-11-12 16:27 79488 ----a-w- c:\documents and settings\euser\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-10-20 02:59 . 2010-01-23 02:20 47104 ----a-w- c:\program files\mozilla firefox\components\FFComm.dll
2008-06-19 09:16 . 2008-06-19 09:16 118784 ----a-w- c:\program files\mozilla firefox\plugins\MyCamera.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PhotoShow Deluxe Media Manager"="c:\progra~1\Nero\data\Xtras\mssysmgr.exe" [2004-11-12 212992]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2004-10-27 61952]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2005-01-27 1381376]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-18 13574144]
"BDAgent"="c:\program files\BitDefender\BitDefender 2010\bdagent.exe" [2010-01-28 1120704]
"BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2010\IEShow.exe" [2009-10-20 71152]
"nwiz"="nwiz.exe" [2008-09-18 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-18 86016]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideShutdownScripts"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"= 99 (0x63)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-10-11 12:17 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-10-29 22:51 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=

R2 BDVEDISK;BDVEDISK;c:\program files\BitDefender\BitDefender 2010\bdvedisk.sys [9/22/2009 8:22 AM 83208]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [12/7/2009 6:46 PM 152456]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [10/19/2009 4:04 PM 110984]
S0 gimetfsk;gimetfsk;c:\windows\system32\drivers\uwxpq.sys --> c:\windows\system32\drivers\uwxpq.sys [?]
S2 MSSQL$MSDEeVertix;MSSQL$MSDEeVertix;c:\program files\Microsoft SQL Server\MSSQL$MSDEeVertix\Binn\sqlservr.exe -sMSDEeVertix --> c:\program files\Microsoft SQL Server\MSSQL$MSDEeVertix\Binn\sqlservr.exe -sMSDEeVertix [?]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\arrakis3.exe [10/19/2009 4:06 PM 183880]
S3 SQLAgent$MSDEeVertix;SQLAgent$MSDEeVertix;c:\program files\Microsoft SQL Server\MSSQL$MSDEeVertix\Binn\sqlagent.EXE -i MSDEeVertix --> c:\program files\Microsoft SQL Server\MSSQL$MSDEeVertix\Binn\sqlagent.EXE -i MSDEeVertix [?]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [12/9/2008 5:44 PM 24652]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
DPF: {01010200-5E80-11D8-9E86-0007E96C65AE} - hxxps://ra.qwest.com/sdccommon/download/tgctlins.cab
FF - ProfilePath - c:\documents and settings\euser\Application Data\Mozilla\Firefox\Profiles\sefkhnxe.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\Mozilla Firefox\components\FFComm.dll
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\euser\Application Data\Mozilla\Firefox\Profiles\sefkhnxe.default\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}\plugins\npGarmin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPCIG.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npvirtools.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\program files\Virtools\3D Life Player\npvirtools.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-06 03:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3732)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-02-06 03:51:06
ComboFix-quarantined-files.txt 2010-02-06 11:51
ComboFix2.txt 2010-02-06 09:17

Pre-Run: 130,182,635,520 bytes free
Post-Run: 130,131,841,024 bytes free

- - End Of File - - D48AA83A92E39BCE978B161DAC9FEF9F

Edited by aprilmofo, 06 February 2010 - 07:09 AM.


#8 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:09:34 AM

Posted 07 February 2010 - 02:12 PM

Hello again.

Okay, thanks for the description. Let's get an online scan done now.

Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires that the Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Open the Kaspersky WebScanner page.
  • Click on the button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the button, if you made any changes.
  • Now under the Scan section on the left, select My Computer.
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis if needed.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#9 aprilmofo

aprilmofo
  • Topic Starter

  • Members
  • 5 posts
  • Location:Eugene, OR
  • Local time:05:34 AM

Posted 10 February 2010 - 02:32 PM

Kaspersky scan (man it took forever)

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Wednesday, February 10, 2010
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Wednesday, February 10, 2010 17:13:42
Records in database: 3468173
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Objects scanned: 80816
Threats found: 1
Infected objects found: 1
Suspicious objects found: 0
Scan duration: 01:50:32


File name / Threat / Threats count
C:\Documents and Settings\euser\.housecall6.6\Quarantine\CMDOW.EXE.bac_a01300 Infected: not-a-virus:RiskTool.Win32.HideWindows 1

Selected area has been scanned.

#10 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:09:34 AM

Posted 11 February 2010 - 08:17 PM

Hi again,

Empty everything out in the following folder:
C:\Documents and Settings\euser\.housecall6.6\Quarantine <- This folder

Then, let's get a new scan. Take a new DDS run afterward and post back with both the DDS and Attach logs in your next reply. Also, let me know how your computer is running and if you have any more problems, issues or symptoms left.

Thanks.

With Regards,
Extremeboy


#11 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:09:34 AM

Posted 19 February 2010 - 05:23 PM

Hello.

Due to lack of feedback, this topic is now closed.

If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
Extremeboy
