
Freezing PC with BSOD, maybe a rootkit infection?


  • This topic is locked
22 replies to this topic

#1 tanishaw

  • Members
  • 18 posts
  • Gender: Female
  • Location: Saint Louis, MO

Posted 15 February 2010 - 08:08 PM

My computer has been freezing quite often. The longest I have had it on without it freezing is an hour. I get a BSOD about once a week, each with a different error. The most recent error was "PAGE_FAULT_IN_NONPAGED_AREA." The associated file with this error was "uwroyfog.sys." It always freezes whenever you try to watch any type of video, be it from YouTube or in Windows Media Player. In fact, all types of media cause it to freeze (i.e. listening to mp3s in any application, playing games, etc.). I have run many virus scans, and they have all come up clean. There has to be something wrong! Please help!

DDS (Ver_09-12-01.01) - NTFSx86
Run by Administrator at 6:46:11.01 on Mon 02/15/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2042.1149 [GMT -6:00]

AV: BitDefender Antivirus *On-access scanning enabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: BitDefender Firewall *enabled* {4055920F-2E99-48A8-A270-4243D2B8F242}

============== Running Processes ===============

C:\WINDOWS\System32\svchost.exe -k Cognizance
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
c:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2010\vsserv.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\Explorer.EXE
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
svchost.exe
c:\Program Files\ActivIdentity\ActivClient\accoca.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTChangeFilterService.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\BitDefender\BitDefender 2010\bdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\BitDefender\BitDefender 2010\seccenter.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msfeedssync.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.bing.com/
uSearch Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 9\SnagitBHO.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AOL Toolbar BHO: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol\aol toolbar 5.0\aoltb.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Credential Manager for HP ProtectTools: {df21f1db-80c6-11d3-9483-b03d0ec10000} - c:\program files\hewlett-packard\iam\bin\ItIEAddIn.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: ChromeFrame BHO: {ecb3c477-1a0a-44bd-bb57-78f9efe34fa7} - c:\program files\google\chrome frame\application\5.0.317.0\npchrome_frame.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aol toolbar 5.0\aoltb.dll
TB: Snagit: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 9\SnagitIEAddin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: BitDefender Toolbar: {381ffde8-2394-4f90-b10d-fc6124a40f8c} - c:\program files\bitdefender\bitdefender 2010\IEToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [Google Update] "c:\documents and settings\administrator\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [BDAgent] "c:\program files\bitdefender\bitdefender 2010\bdagent.exe"
mRun: [BitDefender Antiphishing Helper] "c:\program files\bitdefender\bitdefender 2010\IEShow.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
Trusted Zone: intuit.com\ttlc
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {775879E2-7309-4619-BB02-AADE41F4B690} - hxxp://games.pogo.com/online2/pogo/dream_chronicles/dreamweb.1.0.0.9.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://aolsvc.aol.com/onlinegames/bejeweled2/popcaploader_v10.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: gcf - {9875BFAF-B04D-445E-8A69-BE36838CDE3E} - c:\program files\google\chrome frame\application\5.0.317.0\npchrome_frame.dll
Notify: acunlock - c:\program files\actividentity\activclient\acunlock.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: OneCard - c:\program files\hewlett-packard\iam\bin\ASWLNPkg.dll
AppInit_DLLs: APSHook.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli ASWLNPkg
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\0nd1k4nm.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.bing.com/
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [2008-5-13 108752]
R0 SbAlg;SbAlg;c:\windows\system32\drivers\SbAlg.sys [2008-5-13 51376]
R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [2008-5-13 12928]
R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [2008-3-28 24064]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-5-13 214664]
R1 RsvLock;RsvLock;c:\windows\system32\drivers\rsvlock.sys [2008-5-13 12496]
R2 BDVEDISK;BDVEDISK;c:\program files\bitdefender\bitdefender 2010\bdvedisk.sys [2009-4-1 83208]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [2009-6-29 153448]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [2009-8-6 110984]
R3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\TMPassthru.sys [2010-1-16 206608]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\saskutil.sys --> c:\program files\superantispyware\SASKUTIL.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\13.tmp --> c:\windows\system32\13.tmp [?]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-7-7 79816]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-7-7 35272]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-7-7 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-7-7 40552]
S3 MusCAudio;MusCAudio;c:\windows\system32\drivers\MusCAudio.sys [2009-12-4 23096]
S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\drivers\TMPassthru.sys [2010-1-16 206608]

=============== Created Last 30 ================

2010-02-10 08:42:21 0 d-----w- c:\program files\common files\Real
2010-02-10 08:42:15 0 d-sh--w- c:\documents and settings\all users\DRM
2010-02-10 08:30:40 0 d-----w- c:\program files\V CAST Music with Rhapsody
2010-02-10 08:07:16 8350 ----a-w- c:\documents and settings\administrator\bitpim.csv
2010-02-10 04:59:42 0 d-----w- c:\docume~1\admini~1\applic~1\GetRightToGo
2010-02-10 04:57:48 9256 ----a-w- c:\windows\system32\drivers\sscdwhnt.sys
2010-02-10 04:57:48 9256 ----a-w- c:\windows\system32\drivers\sscdwh.sys
2010-02-10 04:57:48 9256 ----a-w- c:\windows\system32\drivers\sscdcmnt.sys
2010-02-10 04:57:48 9256 ----a-w- c:\windows\system32\drivers\sscdcm.sys
2010-02-10 04:57:48 86824 ----a-w- c:\windows\system32\drivers\sscdserd.sys
2010-02-10 04:57:48 80552 ----a-w- c:\windows\system32\drivers\sscdbus.sys
2010-02-10 04:57:48 11944 ----a-w- c:\windows\system32\drivers\sscdmdfl.sys
2010-02-10 04:57:48 106792 ----a-w- c:\windows\system32\drivers\sscdmdm.sys
2010-02-10 04:57:41 0 d-----w- c:\program files\Samsung
2010-02-09 21:26:48 850 ----a-w- c:\documents and settings\administrator\Application DataProductTweaks.xml
2010-02-09 01:47:54 376 ----a-w- c:\documents and settings\administrator\Application Dataprivacy.xml
2010-02-07 04:54:14 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-02-07 04:53:45 0 d-----w- c:\program files\SUPERAntiSpyware
2010-02-07 04:53:45 0 d-----w- c:\docume~1\admini~1\applic~1\SUPERAntiSpyware.com
2010-02-06 03:04:04 0 d-----w- c:\program files\Sophos
2010-02-04 04:17:26 0 d-----w- c:\docume~1\alluse~1\applic~1\Trymedia
2010-01-31 22:21:25 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2010-01-28 17:05:07 52 ----a-w- c:\windows\system32\ashttpstats.csv
2010-01-28 15:25:29 0 d-----w- C:\Backup
2010-01-28 14:48:48 0 d-----w- c:\docume~1\admini~1\applic~1\Office Genuine Advantage
2010-01-28 12:55:37 0 ----a-w- c:\windows\system32\wsbl.dat
2010-01-28 12:55:37 0 ----a-w- c:\windows\system32\ph_white.dat
2010-01-28 12:55:37 0 ----a-w- c:\windows\system32\ph_summ.dat
2010-01-28 12:55:37 0 ----a-w- c:\windows\system32\ph_spoof.sig
2010-01-28 12:55:37 0 ----a-w- c:\windows\system32\ph_sign.slf
2010-01-28 12:55:37 0 ----a-w- c:\windows\system32\ph_fuzzy.sig
2010-01-28 12:55:37 0 ----a-w- c:\windows\system32\ph_black.dat
2010-01-28 12:55:37 0 ----a-w- c:\windows\system32\pcwords2.dat
2010-01-28 12:55:37 0 ----a-w- c:\windows\system32\pcwords.dat
2010-01-28 12:55:37 0 ----a-w- c:\windows\system32\pc_sign.slf
2010-01-28 12:55:37 0 ----a-w- c:\windows\system32\ab_sbl.sig
2010-01-27 23:10:01 385 ----a-w- c:\documents and settings\administrator\Application Datauser_gensett.xml
2010-01-27 17:19:17 132 ----a-w- c:\windows\system32\rezumatenoi.dat
2010-01-27 17:17:38 850 ----a-w- c:\windows\system32\ProductTweaks.xml
2010-01-27 17:17:38 385 ----a-w- c:\windows\system32\user_gensett.xml
2010-01-27 17:04:21 4 ----a-w- c:\windows\system32\aspdict-en.dat
2010-01-27 17:04:21 16 ----a-w- c:\windows\system32\asdict.dat
2010-01-27 17:04:21 0 ----a-w- c:\windows\system32\ab_bl.sig
2010-01-27 16:32:36 0 d-----w- c:\docume~1\admini~1\applic~1\BitDefender
2010-01-27 16:31:39 0 d-----w- c:\docume~1\alluse~1\applic~1\BitDefender
2010-01-27 16:31:38 0 d-----w- c:\program files\BitDefender
2010-01-27 16:30:02 0 d-----w- c:\program files\common files\BitDefender
2010-01-20 18:56:57 0 d-----w- c:\program files\common files\Config
2010-01-20 18:56:39 0 d-----w- c:\program files\common files\Inet
2010-01-20 18:51:32 4199784 ----a-w- c:\windows\system32\cdintf400.dll
2010-01-20 18:50:26 0 d-----w- c:\program files\Quicken
2010-01-20 18:50:12 120 ----a-w- c:\windows\QUICKEN.INI
2010-01-18 19:53:38 0 d-----w- c:\docume~1\admini~1\applic~1\SBC
2010-01-18 19:52:12 0 d--h--w- c:\program files\selfheal
2010-01-18 19:52:12 0 d-----w- c:\program files\CompApps
2010-01-16 22:03:05 0 d-----w- c:\docume~1\alluse~1\applic~1\JollyBear
2010-01-16 22:02:16 0 d-----w- c:\program files\PopCap Games
2010-01-16 21:02:07 0 d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2010-01-16 21:02:02 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-16 21:02:00 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-16 21:01:59 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-16 21:01:59 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-16 18:19:34 1488125 ----a-w- c:\windows\setupapi.log.2.old
2010-01-16 18:19:24 206608 ----a-w- c:\windows\system32\drivers\TMPassthru.sys
2010-01-16 18:18:59 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys

==================== Find3M ====================

2010-02-09 13:05:43 153448 ----a-w- c:\windows\system32\drivers\bdfm.sys
2010-02-09 13:05:42 106464 ----a-w- c:\windows\system32\drivers\bdhv.sys
2010-01-27 17:13:20 110984 ----a-w- c:\windows\system32\drivers\bdfndisf.sys
2009-12-31 16:50:03 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-31 16:50:03 353792 ------w- c:\windows\system32\dllcache\srv.sys
2009-12-30 14:24:30 156672 ----a-w- c:\windows\system32\rmc_fixasf.exe
2009-12-30 14:24:29 237568 ----a-w- c:\windows\system32\rmc_rtspdl.dll
2009-12-30 14:24:26 323584 ----a-w- c:\windows\system32\AUDIOGENIE2.DLL
2009-12-21 13:19:18 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-16 18:43:27 343040 ------w- c:\windows\system32\dllcache\mspaint.exe
2009-12-16 14:09:30 80008 ----a-w- c:\windows\fonts\linedraw.ttf
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-14 07:08:23 33280 ------w- c:\windows\system32\dllcache\csrsrv.dll
2009-12-08 19:27:51 2189184 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-12-08 19:26:15 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 19:26:15 2145280 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-12-08 18:43:51 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-08 18:43:51 2023936 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-12-08 18:43:50 2066048 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-12-08 09:23:28 474112 ------w- c:\windows\system32\dllcache\shlwapi.dll
2009-12-05 04:27:48 75128 ---ha-w- c:\windows\system32\mlfcache.dat
2009-12-04 18:22:22 455424 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2009-12-02 21:11:59 77377 ----a-w- c:\windows\hpqins05.dat
2009-12-01 15:25:51 172814 ----a-w- c:\windows\hpwins21.dat
2009-11-27 17:11:44 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 17:11:44 17920 ------w- c:\windows\system32\dllcache\msyuv.dll
2009-11-27 17:11:44 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 17:11:44 1291776 ------w- c:\windows\system32\dllcache\quartz.dll
2009-11-27 16:07:35 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07:35 8704 ----a-w- c:\windows\system32\dllcache\tsbyuv.dll
2009-11-27 16:07:35 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07:35 28672 ------w- c:\windows\system32\dllcache\msvidc32.dll
2009-11-27 16:07:34 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07:34 84992 ------w- c:\windows\system32\dllcache\avifil32.dll
2009-11-27 16:07:34 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:07:34 48128 ------w- c:\windows\system32\dllcache\iyuv_32.dll
2009-11-27 16:07:34 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:07:34 11264 ------w- c:\windows\system32\dllcache\msrle32.dll
2009-11-21 15:51:04 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2009-07-14 01:13:30 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009071320090714\index.dat

============= FINISH: 6:48:32.01 ===============
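As an added example (not code from the thread, from DDS or from its author), a small triage helper that parses the SERVICES / DRIVERS section of a DDS log like the one above and flags the entries a helper would look at first: files DDS could not find on disk (the `[?]` marker), temp-named or temp-located drivers, and drivers outside the usual directories. The sample input is constructed from three lines of the log above plus one made-up entry (`examplerk`, an assumed name).

```python
"""Triage helper for the "SERVICES / DRIVERS" section of a DDS log.

DDS prints one driver per line in the shape
    <state> <name>;<display name>;<path> [<date> <size>]
and, when it cannot find the file on disk,
    <state> <name>;<display name>;\??\<path> --> <path> [?]
The flags below are leads a helper would look at first, not verdicts:
anti-rootkit scanners (the thread mentions GMER) also leave temp-named
or already-deleted driver entries behind.
"""
import re
from dataclasses import dataclass, field

# state (R0..R3 = running, S0..S3 = stopped), service name, display name, the rest
LINE_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")


@dataclass
class DriverEntry:
    state: str
    name: str
    display: str
    path: str
    missing: bool            # DDS marked the file "[?]" (not found on disk)
    flags: list = field(default_factory=list)


def parse_line(line):
    """Parse one DDS driver line; return a DriverEntry, or None for non-driver lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest").strip()
    missing = rest.endswith("[?]")
    if "-->" in rest:                      # "\??\path --> path [?]" form
        rest = rest.split("-->", 1)[1]
    path = rest.split(" [", 1)[0].strip()  # drop the trailing "[date size]" or "[?]"
    return DriverEntry(m.group("state"), m.group("name"), m.group("display"), path, missing)


def triage(entry):
    """Attach heuristic flags to an entry and return the flag list."""
    low = entry.path.lower()
    base = low.rsplit("\\", 1)[-1]
    if entry.missing:
        entry.flags.append("file-missing")
    if base.endswith(".tmp") or "\\temp\\" in low or "\\tmp\\" in low:
        entry.flags.append("temp-path")
    # Drivers normally live under system32\drivers or a product's Program Files
    # folder; 8.3 short paths such as c:\progra~1\ are not recognised here.
    if not ("\\windows\\system32\\drivers\\" in low or "\\program files\\" in low):
        entry.flags.append("unusual-location")
    return entry.flags


def triage_log(text):
    """Return the entries of a DDS driver section that received at least one flag."""
    flagged = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is not None and triage(entry):
            flagged.append(entry)
    return flagged


# Constructed sample: three lines copied from the DDS log in this thread plus one
# made-up entry ("examplerk", an assumed name) living in the user's temp folder.
SAMPLE = r"""
============= SERVICES / DRIVERS ===============
R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [2008-5-13 108752]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\saskutil.sys --> c:\program files\superantispyware\SASKUTIL.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\13.tmp --> c:\windows\system32\13.tmp [?]
R3 examplerk;examplerk;c:\docume~1\admini~1\locals~1\temp\examplerk.sys [2010-2-15 12288]
"""

if __name__ == "__main__":
    for e in triage_log(SAMPLE):
        print(f"{e.state} {e.name:<12} {e.path}  <- {', '.join(e.flags)}")
```

Running it lists SASKUTIL, MEMSWEEP2 and the constructed examplerk entry with their flags; SafeBoot, a normally located driver that DDS found on disk, is not reported.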


#2 Farbar

  • Security Developer
  • 21,688 posts
  • Gender: Male
  • Location: The Netherlands

Posted 19 February 2010 - 11:41 AM

Hi tanishaw,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

If the issue is not resolved please update me on the current condition of your computer. If you have installed or uninstalled new software please provide both the DDS logs. No need for GMER log.

#3 tanishaw (Topic Starter)

  • Members
  • 18 posts
  • Gender: Female
  • Location: Saint Louis, MO

Posted 19 February 2010 - 01:52 PM

Thank you so much. I have not made any changes at all since I posted the logs. The problem has not gotten any better.

#4 Farbar

  • Security Developer
  • 21,688 posts
  • Gender: Male
  • Location: The Netherlands

Posted 19 February 2010 - 05:23 PM

> The most recent error was "PAGE_FAULT_IN_NONPAGED_AREA." The associated file with this error was "uwroyfog.sys."

This one is related to running GMER, it has nothing to do with malware.

We are going to dig deeper.
  1. Open your Malwarebytes' Anti-Malware.
    • First update it, to do that under the Update tab press "Check for Updates".
    • Under Scanner tab select "Perform Quick Scan", then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy & Paste the MBAM log.

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


  2. Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools. (Information on A/V control HERE)
    • Double click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.


#5 tanishaw (Topic Starter)

  • Members
  • 18 posts
  • Gender: Female
  • Location: Saint Louis, MO

Posted 19 February 2010 - 06:55 PM

Malwarebytes' Anti-Malware 1.44
Database version: 3764
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/19/2010 5:18:13 PM
mbam-log-2010-02-19 (17-18-13).txt

Scan type: Quick Scan
Objects scanned: 203223
Time elapsed: 37 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


ComboFix 10-02-19.03 - Administrator 02/19/2010 17:31:04.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2042.1146 [GMT -6:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: BitDefender Antivirus *On-access scanning disabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: BitDefender Firewall *enabled* {4055920F-2E99-48A8-A270-4243D2B8F242}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Application Data\inst.exe
c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
c:\recycler\S-1-5-21-1708537768-602609370-725345543-500
c:\recycler\S-1-5-21-3969663122-2054155356-2530352525-500
c:\recycler\S-1-5-21-774274057-3006741432-2922594911-500
c:\windows\Downloaded Program Files\popcaploader.dll
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\system32\Thumbs.db

.
((((((((((((((((((((((((( Files Created from 2010-01-19 to 2010-02-19 )))))))))))))))))))))))))))))))
.

2010-02-19 15:42 . 2010-02-19 15:42 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Yahoo!
2010-02-16 01:26 . 2001-08-17 19:28 576746 ----a-w- c:\windows\system32\dllcache\ltmdmntl.sys
2010-02-16 01:25 . 2001-08-17 19:47 13056 ----a-w- c:\windows\system32\dllcache\inport.sys
2010-02-16 01:24 . 2001-08-17 19:28 488383 ----a-w- c:\windows\system32\dllcache\hsf_v124.sys
2010-02-16 01:23 . 2001-08-18 04:36 89088 ----a-w- c:\windows\system32\dllcache\hpgt33.dll
2010-02-16 01:22 . 2004-08-04 13:00 14848 ----a-w- c:\windows\system32\dllcache\flattemp.exe
2010-02-16 01:21 . 2001-08-17 18:17 629952 ----a-w- c:\windows\system32\dllcache\eqn.sys
2010-02-16 01:20 . 2001-08-17 18:14 952007 ----a-w- c:\windows\system32\dllcache\diwan.sys
2010-02-16 01:19 . 2001-08-17 19:50 14848 ----a-w- c:\windows\system32\dllcache\cyclom-y.sys
2010-02-16 01:18 . 2001-08-18 04:36 74240 ----a-w- c:\windows\system32\dllcache\camexo20.dll
2010-02-16 01:17 . 2001-08-17 18:49 26880 ----a-w- c:\windows\system32\dllcache\atirtsnd.sys
2010-02-16 01:16 . 2004-08-04 13:00 7680 ----a-w- c:\windows\system32\dllcache\inetmgr.exe
2010-02-16 01:16 . 2004-08-04 13:00 19968 ----a-w- c:\windows\system32\dllcache\inetsloc.dll
2010-02-16 01:16 . 2004-08-04 13:00 169984 ----a-w- c:\windows\system32\dllcache\iisui.dll
2010-02-16 01:16 . 2004-08-04 13:00 5632 ----a-w- c:\windows\system32\dllcache\iisrstap.dll
2010-02-16 01:16 . 2004-08-04 13:00 14336 ----a-w- c:\windows\system32\dllcache\iisreset.exe
2010-02-16 01:16 . 2004-08-04 13:00 6144 ----a-w- c:\windows\system32\dllcache\ftpsapi2.dll
2010-02-10 08:42 . 2010-02-10 08:42 -------- d-----w- c:\program files\Common Files\Real
2010-02-10 08:42 . 2010-02-10 08:42 -------- d-sh--w- c:\documents and settings\All Users\DRM
2010-02-10 08:30 . 2010-02-10 08:42 -------- d-----w- c:\program files\V CAST Music with Rhapsody
2010-02-10 04:59 . 2010-02-10 05:01 -------- d-----w- c:\documents and settings\Administrator\Application Data\GetRightToGo
2010-02-10 04:57 . 2007-07-03 22:00 9256 ----a-w- c:\windows\system32\drivers\sscdwhnt.sys
2010-02-10 04:57 . 2007-07-03 22:00 9256 ----a-w- c:\windows\system32\drivers\sscdwh.sys
2010-02-10 04:57 . 2007-07-03 21:59 86824 ----a-w- c:\windows\system32\drivers\sscdserd.sys
2010-02-10 04:57 . 2007-07-03 21:58 106792 ----a-w- c:\windows\system32\drivers\sscdmdm.sys
2010-02-10 04:57 . 2007-07-03 21:57 11944 ----a-w- c:\windows\system32\drivers\sscdmdfl.sys
2010-02-10 04:57 . 2007-07-03 21:56 9256 ----a-w- c:\windows\system32\drivers\sscdcmnt.sys
2010-02-10 04:57 . 2007-07-03 21:56 9256 ----a-w- c:\windows\system32\drivers\sscdcm.sys
2010-02-10 04:57 . 2007-07-03 21:54 80552 ----a-w- c:\windows\system32\drivers\sscdbus.sys
2010-02-10 04:57 . 2010-02-10 04:57 -------- d-----w- c:\program files\Samsung
2010-02-07 04:54 . 2010-02-07 04:54 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-02-07 04:53 . 2010-02-07 06:25 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-02-07 04:53 . 2010-02-07 04:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-02-06 03:04 . 2010-02-06 03:04 -------- d-----w- c:\program files\Sophos
2010-02-04 04:17 . 2010-02-04 04:17 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\LostKing
2010-02-04 04:17 . 2010-02-04 04:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Trymedia
2010-01-29 20:37 . 2010-01-29 20:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-01-28 15:25 . 2010-01-28 15:50 -------- d-----w- C:\Backup
2010-01-28 14:48 . 2010-01-28 14:48 -------- d-----w- c:\documents and settings\Administrator\Application Data\Office Genuine Advantage
2010-01-28 12:55 . 2010-01-28 12:55 0 ----a-w- c:\windows\system32\wsbl.dat
2010-01-28 12:55 . 2010-01-28 12:55 0 ----a-w- c:\windows\system32\ph_white.dat
2010-01-28 12:55 . 2010-01-28 12:55 0 ----a-w- c:\windows\system32\ph_summ.dat
2010-01-28 12:55 . 2010-01-28 12:55 0 ----a-w- c:\windows\system32\ph_black.dat
2010-01-28 12:55 . 2010-01-28 12:55 0 ----a-w- c:\windows\system32\pcwords2.dat
2010-01-28 12:55 . 2010-01-28 12:55 0 ----a-w- c:\windows\system32\pcwords.dat
2010-01-27 17:19 . 2010-01-28 13:37 132 ----a-w- c:\windows\system32\rezumatenoi.dat
2010-01-27 17:04 . 2010-01-27 17:04 4 ----a-w- c:\windows\system32\aspdict-en.dat
2010-01-27 17:04 . 2010-01-27 17:04 16 ----a-w- c:\windows\system32\asdict.dat
2010-01-27 16:32 . 2010-01-27 16:32 -------- d-----w- c:\documents and settings\Administrator\Application Data\BitDefender
2010-01-27 16:31 . 2010-01-27 16:56 -------- d-----w- c:\documents and settings\All Users\Application Data\BitDefender
2010-01-27 16:31 . 2010-01-27 16:31 -------- d-----w- c:\program files\BitDefender
2010-01-27 16:30 . 2010-01-27 16:32 -------- d-----w- c:\program files\Common Files\BitDefender

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-14 15:40 . 2009-07-14 02:19 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
2010-02-10 05:14 . 2008-06-22 04:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-02-10 04:11 . 2009-11-01 16:40 -------- d-----w- c:\program files\BitPim
2010-02-09 13:05 . 2009-06-29 20:12 153448 ----a-w- c:\windows\system32\drivers\bdfm.sys
2010-02-09 13:05 . 2009-06-29 20:12 106464 ----a-w- c:\windows\system32\drivers\bdhv.sys
2010-02-07 06:25 . 2009-07-31 22:35 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-02-07 04:51 . 2009-11-03 13:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-06 03:02 . 2010-01-16 21:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-04 04:15 . 2009-11-10 03:03 -------- d-----w- c:\program files\Games
2010-02-03 23:54 . 2009-07-12 22:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\GrabIt
2010-01-31 22:21 . 2010-01-31 22:21 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2010-01-28 16:38 . 2009-10-18 01:25 -------- d-----w- c:\documents and settings\Administrator\Application Data\Vso
2010-01-28 00:08 . 2009-08-02 14:39 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-01-27 17:13 . 2009-08-06 22:34 110984 ----a-w- c:\windows\system32\drivers\bdfndisf.sys
2010-01-27 16:56 . 2010-01-04 13:06 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-01-25 06:47 . 2010-01-05 05:40 403448 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-01-20 18:57 . 2010-01-20 18:50 -------- d-----w- c:\program files\Quicken
2010-01-20 18:56 . 2010-01-20 18:56 -------- d-----w- c:\program files\Common Files\Config
2010-01-20 18:56 . 2010-01-20 18:56 -------- d-----w- c:\program files\Common Files\Inet
2010-01-20 18:52 . 2010-01-05 03:37 -------- d-----w- c:\program files\Common Files\AnswerWorks 5.0
2010-01-20 18:51 . 2008-06-22 03:41 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-20 18:50 . 2010-01-05 03:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\Intuit
2010-01-20 18:49 . 2010-01-05 03:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Intuit
2010-01-20 18:33 . 2010-01-20 18:33 -------- d-----w- c:\program files\Smart Projects
2010-01-20 18:13 . 2009-07-12 22:51 -------- d-----w- c:\program files\GrabIt
2010-01-20 17:53 . 2010-01-02 00:16 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-18 20:27 . 2009-07-22 07:16 100512 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-18 19:57 . 2010-01-18 19:52 -------- d--h--w- c:\program files\selfheal
2010-01-18 19:53 . 2010-01-18 19:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\SBC
2010-01-18 19:52 . 2010-01-18 19:52 -------- d-----w- c:\program files\CompApps
2010-01-16 22:03 . 2010-01-16 22:03 -------- d-----w- c:\documents and settings\All Users\Application Data\JollyBear
2010-01-16 22:02 . 2010-01-16 22:02 -------- d-----w- c:\program files\PopCap Games
2010-01-16 21:02 . 2010-01-16 21:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-01-16 21:02 . 2010-01-16 21:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-16 18:19 . 2009-10-23 18:18 -------- d-----w- c:\program files\Trend Micro
2010-01-16 18:18 . 2010-01-16 18:18 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-01-13 14:12 . 2009-07-17 14:18 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-09 09:17 . 2009-12-01 19:18 -------- d-----w- c:\documents and settings\Administrator\Application Data\HPAppData
2010-01-07 22:07 . 2010-01-16 21:02 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 22:07 . 2010-01-16 21:01 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-07 11:50 . 2009-12-02 20:48 -------- d-----w- c:\documents and settings\Administrator\Application Data\HpUpdate
2010-01-05 11:39 . 2009-02-03 23:28 -------- d-----w- c:\program files\Microsoft Works
2010-01-05 03:37 . 2010-01-05 03:33 -------- d-----w- c:\program files\Common Files\Intuit
2010-01-05 03:31 . 2010-01-05 03:31 -------- d-----w- c:\program files\TurboTax
2010-01-04 13:06 . 2010-01-04 13:06 -------- d-----w- c:\program files\AVG
2010-01-04 13:04 . 2009-07-07 19:59 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-01-04 12:07 . 2009-07-08 00:48 -------- d-----w- c:\documents and settings\NetworkService\Application Data\SACore
2010-01-04 02:15 . 2009-07-16 16:11 -------- d-----w- c:\program files\Java
2010-01-04 01:07 . 2010-01-04 01:07 95112 ----a-w- c:\documents and settings\NetworkService\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-03 20:45 . 2009-11-03 17:54 -------- d-----w- c:\program files\Replay Media Catcher
2009-12-31 16:50 . 2004-08-04 08:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-30 14:24 . 2009-11-03 17:56 156672 ----a-w- c:\windows\system32\rmc_fixasf.exe
2009-12-30 14:24 . 2009-11-03 17:56 237568 ----a-w- c:\windows\system32\rmc_rtspdl.dll
2009-12-30 14:24 . 2009-11-03 17:56 323584 ----a-w- c:\windows\system32\AUDIOGENIE2.DLL
2009-12-25 16:43 . 2009-12-25 16:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Electronic Arts
2009-12-25 16:42 . 2009-12-25 16:21 -------- d-----w- c:\program files\Electronic Arts
2009-12-25 16:42 . 2009-12-25 16:42 -------- d-----w- c:\program files\Microsoft WSE
2009-12-21 19:14 . 2004-08-04 08:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-16 18:43 . 2004-08-04 08:00 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2004-08-04 08:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:26 . 2004-08-04 08:00 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2004-08-04 08:00 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-05 04:27 . 2009-12-05 04:27 75128 ---ha-w- c:\windows\system32\mlfcache.dat
2009-12-04 18:22 . 2004-08-04 08:00 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-12-02 21:11 . 2009-12-02 21:03 77377 ----a-w- c:\windows\hpqins05.dat
2009-12-01 15:25 . 2009-12-01 15:17 172814 ----a-w- c:\windows\hpwins21.dat
2009-11-27 17:11 . 2004-08-04 08:00 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 17:11 . 2004-08-04 08:00 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 16:07 . 2004-08-04 08:00 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07 . 2004-08-04 08:00 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07 . 2004-08-04 08:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07 . 2004-08-04 08:00 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:07 . 2004-08-04 08:00 11264 ----a-w- c:\windows\system32\msrle32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-07-08 39408]
"Google Update"="c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-10-28 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-04-18 178712]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"BDAgent"="c:\program files\BitDefender\BitDefender 2010\bdagent.exe" [2010-01-28 1120704]
"BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2010\IEShow.exe" [2010-01-27 71152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acunlock]
2007-05-15 23:08 281088 ----a-w- c:\program files\ActivIdentity\ActivClient\acunlock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
2008-05-21 00:42 111888 ----a-w- c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\APSHook.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AccelerometerSysTrayApplet]
2008-06-09 15:10 82224 ----a-w- c:\windows\system32\accelerometerST.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\accrdsub]
2007-05-15 23:08 293168 ----a-w- c:\program files\ActivIdentity\ActivClient\accrdsub.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-12-11 21:57 948672 ------w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 07:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]
2009-10-10 19:32 203264 ----a-w- c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2006-11-17 01:04 139264 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CognizanceTS]
2008-05-21 00:42 24848 ----a-w- c:\progra~1\HEWLET~1\IAM\Bin\ASTSVCC.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]
2008-05-14 19:36 61440 ----a-w- c:\program files\Hewlett-Packard\Default Settings\Cpqset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EA Core]
2009-09-03 21:17 3342336 ----a-w- c:\program files\Electronic Arts\EADM\Core.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
2006-11-13 19:39 1289000 ----a-w- c:\program files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2008-12-08 21:50 54576 ----a-w- c:\program files\HP\HP Software Update\hpwuschd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2004-08-04 13:00 208952 ----a-w- c:\windows\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-09-21 21:36 305440 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsmqIntCert]
2008-04-14 00:11 177152 ----a-w- c:\windows\system32\mqrt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
2004-08-04 13:00 59392 ----a-w- c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 21:40 155648 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
2004-08-04 13:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
2004-08-04 13:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PTHOSTTR]
2008-05-08 00:34 238984 ----a-w- c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\pthosttr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl.exe]
2008-05-14 18:26 177456 ----a-w- c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 06:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
2008-03-24 21:43 884736 ----a-w- c:\program files\Analog Devices\SoundMAX\SMax4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2008-04-04 15:09 1044480 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2008-01-21 20:17 61440 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-07-16 16:11 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-07-08 01:00 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2008-03-27 18:28 1040384 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VeohPlugin]
2009-10-06 00:14 2075384 ----a-w- c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"hpqwmiex"=3 (0x3)
"Com4QLBEx"=3 (0x3)
"MotoConnect Service"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"7136:TCP"= 7136:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"2350:TCP"= 2350:TCP:Services
"7881:TCP"= 7881:TCP:Services
"3246:TCP"= 3246:TCP:Services

R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [5/13/2008 6:36 PM 108752]
R0 SbAlg;SbAlg;c:\windows\system32\drivers\SbAlg.sys [5/13/2008 6:36 PM 51376]
R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [5/13/2008 6:36 PM 12928]
R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [3/28/2008 4:14 AM 24064]
R1 RsvLock;RsvLock;c:\windows\system32\drivers\rsvlock.sys [5/13/2008 6:36 PM 12496]
R2 accoca;ActivClient Middleware Service;c:\program files\ActivIdentity\ActivClient\accoca.exe [5/15/2007 5:08 PM 182576]
R2 ASBroker;Logon Session Broker;c:\windows\System32\svchost.exe -k Cognizance [8/4/2004 2:00 AM 14336]
R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [8/4/2004 2:00 AM 14336]
R2 BDVEDISK;BDVEDISK;c:\program files\BitDefender\BitDefender 2010\bdvedisk.sys [4/1/2009 11:25 AM 83208]
R2 HP ProtectTools Service;HP ProtectTools Service;c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTChangeFilterService.exe [5/14/2008 2:41 PM 34184]
R2 HpFkCryptService;Drive Encryption Service;c:\program files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [5/13/2008 6:35 PM 256512]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [6/29/2009 2:12 PM 153448]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [8/6/2009 4:34 PM 110984]
R3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\TMPassthru.sys [1/16/2010 12:19 PM 206608]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/27/2009 6:33 PM 135664]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\arrakis3.exe [6/25/2009 4:04 PM 183880]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\13.tmp --> c:\windows\system32\13.tmp [?]
S3 MusCAudio;MusCAudio;c:\windows\system32\drivers\MusCAudio.sys [12/4/2009 10:35 PM 23096]
S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\drivers\TMPassthru.sys [1/16/2010 12:19 PM 206608]
S4 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [6/21/2008 10:43 PM 193840]
S4 MotoConnect Service;MotoConnect Service;c:\program files\Motorola\MotoConnectService\MotoConnectService.exe [12/30/2009 8:03 PM 91392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance REG_MULTI_SZ ASBroker ASChannel
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
bdx REG_MULTI_SZ scan
.
Contents of the 'Scheduled Tasks' folder

2010-02-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-02-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-28 00:33]

2010-02-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-28 00:33]

2010-02-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3912795529-913963262-1930933378-500Core.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-01-13 00:33]

2010-02-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3912795529-913963262-1930933378-500UA.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-01-13 00:33]

2010-02-19 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 21:07]

2010-02-19 c:\windows\Tasks\User_Feed_Synchronization-{D6390640-CF1F-4AE2-8F35-A0572635169C}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/
uInternet Settings,ProxyOverride = *.local
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
Trusted Zone: intuit.com\ttlc
DPF: {775879E2-7309-4619-BB02-AADE41F4B690} - hxxp://games.pogo.com/online2/pogo/dream_chronicles/dreamweb.1.0.0.9.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://aolsvc.aol.com/onlinegames/bejeweled2/popcaploader_v10.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\0nd1k4nm.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.bing.com/
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
SafeBoot-WudfPf
SafeBoot-WudfRd
SafeBoot-mcmscsvc
SafeBoot-MCODS



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-19 17:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89D07968]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf74fbf28
\Driver\ACPI -> ACPI.sys @ 0xf735ecb8
\Driver\atapi -> atapi.sys @ 0xf72d2852
\Driver\iaStor -> iaStor.sys @ 0xf723978c
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->NDIS: Marvell Yukon 88E8072 PCI-E Gigabit Ethernet Controller -> SendCompleteHandler -> 0x832f6690
PacketIndicateHandler -> NDIS.sys @ 0xf70a3a0d
SendHandler -> NDIS.sys @ 0xf70b7b40
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\13.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3912795529-913963262-1930933378-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ca,72,c3,1a,38,80,40,41,a5,86,94,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ca,72,c3,1a,38,80,40,41,a5,86,94,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,4b,59,4b,1e,3c,5b,3f,4a,a6,a5,64,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(2044)
c:\windows\system32\Ati2evxx.dll
c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll
c:\program files\Hewlett-Packard\IAM\bin\ItMsg.dll
c:\program files\ActivIdentity\ActivClient\acunlock.dll
c:\windows\system32\ackpbsc.dll
c:\windows\system32\aclog.dll
c:\windows\system32\ACLIBEAY.dll
c:\windows\system32\aipingui.dll
c:\windows\system32\acevtsub.dll
c:\windows\system32\asphat32.dll
c:\windows\system32\acerrmes.dll
c:\windows\system32\aspcom.dll
c:\program files\ActivIdentity\ActivClient\Resources\Merged\acerrmrc.dll
c:\program files\ActivIdentity\ActivClient\Resources\Merged\asphatrc.dll
c:\program files\ActivIdentity\ActivClient\Resources\Merged\aipinguirc.dll
c:\program files\ActivIdentity\ActivClient\resources\acCobAPIrc.dll
c:\program files\ActivIdentity\ActivClient\Resources\Merged\acunlockrc.dll
c:\program files\Hewlett-Packard\IAM\Bin\TrayIcon.dll
c:\program files\Hewlett-Packard\IAM\bin\brand.dll
c:\program files\Hewlett-Packard\IAM\Bin\AsChnl.dll
c:\program files\Hewlett-Packard\IAM\Bin\HPPlugIn.dll
c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTHostServices.dll
c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\Interop.HPQWMIEXLib.dll
c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\Interop.PTHstServsLib.dll
c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTHstServs.dll
c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\BIOSDomain.dll
c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\Interop.PTPluginLib.dll
c:\program files\Hewlett-Packard\Drive Encryption\SbHpFve.dll
c:\program files\Hewlett-Packard\Drive Encryption\SbUILib.dll
c:\windows\system32\WININET.dll
c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\HPjCard.dll
c:\windows\system32\acomx.dll
c:\windows\system32\acbsi21.dll
c:\program files\Hewlett-Packard\IAM\Bin\ItVCClient.dll
c:\program files\Hewlett-Packard\IAM\Bin\ItReports.DLL
c:\program files\Hewlett-Packard\IAM\Bin\ItVCard.dll
c:\program files\Hewlett-Packard\IAM\Bin\NetAdmin.dll

- - - - - - - > 'explorer.exe'(7176)
c:\windows\system32\WININET.dll
c:\windows\system32\APSHook.dll
c:\program files\MediaMonkey\DeskPlayer.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
c:\program files\BitDefender\BitDefender 2010\vsserv.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Hewlett-Packard\IAM\Bin\AsGHost.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
c:\windows\system32\msdtc.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\ZuneBusEnum.exe
c:\windows\system32\mqsvc.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\mqtgsvc.exe
c:\program files\BitDefender\BitDefender 2010\seccenter.exe
.
**************************************************************************
.
Completion time: 2010-02-19 17:50:32 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-19 23:50

Pre-Run: 88,334,245,888 bytes free
Post-Run: 88,493,256,704 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 3F5D7D00E7721CF32D491F4FB820CB87


#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:21 AM

Posted 20 February 2010 - 07:19 AM

There is, and has been, something there.
  1. Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box into a new file:


    CODE
    @ECHO OFF
    REM list all local accounts, then the details of the HelpAssistant account
    net user >log.txt
    net user helpassistant >>log.txt
    REM paths with spaces must be quoted, otherwise dir treats each word as a separate path
    dir /a /b /o "c:\documents and settings" >>log.txt 2>&1
    dir /a /b /o "c:\documents and settings\HelpAssistant" >>log.txt 2>&1
    sc query type= driver group= "SCSI Miniport" >>log.txt
    REM every copy of atapi.* and iastor.* on the drive, sorted by extension
    dir /a /s /oe c:\atapi.* >>log.txt
    dir /a /s /oe c:\iastor.* >>log.txt
    start log.txt

    • Go to the File menu at the top of the Notepad and select Save as.
    • Select Save in: desktop
    • Fill in File name: dirlook.bat
    • Save as type: All file types (*.*)
    • Click save.
    • Close the Notepad.
    • Locate and double-click dirlook.bat on the desktop.
    • A Notepad window opens; copy and paste its content (log.txt) into your reply.

  2. Download noahdfear profiles.exe and run it.
    Copy and paste the content of the log to your reply.


#7 tanishaw

tanishaw
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Saint Louis, MO
  • Local time:05:21 PM

Posted 20 February 2010 - 09:37 AM

User accounts for \\METRO6730S

-------------------------------------------------------------------------------
Administrator ASPNET BitDefenderComm
Guest HelpAssistant SUPPORT_388945a0
The command completed successfully.

User name HelpAssistant
Full Name HelpAssistant
Comment
User's comment
Country code 000 (System Default)
Account active Yes
Account expires Never

Password last set 1/27/2010 9:52 AM
Password expires Never
Password changeable 1/27/2010 9:52 AM
Password required Yes
User may change password Yes

Workstations allowed All
Logon script
User profile
Home directory
Last logon 1/27/2010 9:52 AM

Logon hours allowed All

Local Group Memberships *Administrators
Global Group memberships *None
The command completed successfully.

File Not Found
File Not Found
The system cannot find the file specified.

SERVICE_NAME: atapi
DISPLAY_NAME: Standard IDE/ESDI Hard Disk Controller
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: iaStor
DISPLAY_NAME: Intel AHCI Controller
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
Volume in drive C has no label.
Volume Serial Number is 6A08-6B42

Directory of c:\cmdcons

08/03/2004 10:59 PM 49,558 ATAPI.SY_
1 File(s) 49,558 bytes

Directory of c:\i386

08/04/2004 07:00 AM 49,558 ATAPI.SY_
1 File(s) 49,558 bytes

Directory of c:\WINDOWS\$NtServicePackUninstall$

08/03/2004 06:59 PM 95,360 atapi.sys
1 File(s) 95,360 bytes

Directory of c:\WINDOWS\ERDNT\cache

04/13/2008 12:40 PM 96,512 atapi.sys
1 File(s) 96,512 bytes

Directory of c:\WINDOWS\ServicePackFiles\i386

04/13/2008 12:40 PM 96,512 atapi.sys
1 File(s) 96,512 bytes

Directory of c:\WINDOWS\system32\dllcache

04/13/2008 12:40 PM 96,512 atapi.sys
1 File(s) 96,512 bytes

Directory of c:\WINDOWS\system32\drivers

04/13/2008 12:40 PM 96,512 atapi.sys
1 File(s) 96,512 bytes

Total Files Listed:
7 File(s) 580,524 bytes
0 Dir(s) 88,580,198,400 bytes free
Volume in drive C has no label.
Volume Serial Number is 6A08-6B42

Directory of c:\Program Files\Intel\Intel Matrix Storage Manager\driver

04/17/2008 08:23 PM 11,215 iaStor.cat
04/15/2008 10:53 AM 8,114 iaStor.inf
04/15/2008 11:53 AM 312,344 IaStor.sys
3 File(s) 331,673 bytes

Directory of c:\Program Files\Intel\Intel Matrix Storage Manager\driver64

04/17/2008 08:23 PM 11,215 iaStor.cat
04/15/2008 10:53 AM 8,114 iaStor.inf
04/15/2008 11:54 AM 388,120 IaStor.sys
3 File(s) 407,449 bytes

Directory of c:\SwSetup\HDD

04/17/2008 08:23 PM 11,215 iaStor.cat
04/15/2008 10:53 AM 8,114 iaStor.inf
06/21/2008 09:35 PM 13,516 iaStor.PNF
04/15/2008 11:53 AM 312,344 IaStor.sys
4 File(s) 345,189 bytes

Directory of c:\SwSetup\INTELMSM\Winall\Driver

04/17/2008 08:23 PM 11,215 iaStor.cat
04/15/2008 10:53 AM 8,114 iaStor.inf
04/15/2008 11:53 AM 312,344 IaStor.sys
3 File(s) 331,673 bytes

Directory of c:\SwSetup\INTELMSM\Winall\Driver64

04/17/2008 08:23 PM 11,215 iaStor.cat
04/15/2008 10:53 AM 8,114 iaStor.inf
04/15/2008 11:54 AM 388,120 IaStor.sys
3 File(s) 407,449 bytes

Directory of c:\WINDOWS\system32\drivers

04/15/2008 11:53 AM 312,344 iaStor.sys
1 File(s) 312,344 bytes

Directory of c:\WINDOWS\system32\DRVSTORE\iaAHCI_E7EB69FF3449D216602D0D37A1D73969621673A9

04/15/2008 11:53 AM 312,344 iaStor.sys
1 File(s) 312,344 bytes

Directory of c:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles

04/15/2008 11:53 AM 312,344 iaStor.sys
1 File(s) 312,344 bytes

Total Files Listed:
19 File(s) 2,760,465 bytes
0 Dir(s) 88,573,308,928 bytes free



HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
DefaultUserProfile REG_SZ Default User
AllUsersProfile REG_SZ All Users

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
ProfileImagePath REG_EXPAND_SZ %systemroot%\system32\config\systemprofile

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\LocalService

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\NetworkService

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3912795529-913963262-1930933378-1007
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\HelpAssistant.METRO6730S

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3912795529-913963262-1930933378-500
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\Administrator

SystemRoot REG_SZ C:\WINDOWS


#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:21 AM

Posted 20 February 2010 - 12:24 PM

Yes, there are rootkit and backdoor infections.

One or more of the identified infections is a backdoor trojan.

A backdoor Trojan can allow an attacker to gain control of the system, log keystrokes, steal passwords, access personal data, send malevolent outgoing traffic, and close the security warning messages displayed by some anti-virus and security programs.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Some experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the Operating System. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still try to clean this machine but I can't guarantee that it will be 100% secure afterwards. If you decide to remove the infection please go on with the following steps.


Removal Instructions
  1. Go to start => Control Panel => open "System"
    Select Advanced tab. Under User Profiles section select HelpAssistant.
    Press Delete and confirm.
    Tell me if you get any error and proceed with the next step anyway.

  2. We are going to run this special tool.
    • Please download TDSSKiller.zip and save it to your desktop.
    • Extract the zip file to your desktop.
    • Double-Click TDSSKiller.exe to run it.
    • When it has finished, press any key to continue.
    • Let it reboot if needed, and tell me whether it needed a reboot.

  3. Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box into a new file:

    CODE
    @ECHO OFF
    REM change the start type of the Remote Desktop Help Session Manager service and stop it
    reg add HKLM\SYSTEM\CurrentControlSet\Services\RDSessMgr /v Start /t REG_DWORD /d 0x0 /f
    net stop RDSessMgr
    REM disable the HelpAssistant account and drop it from the Administrators group
    net user HelpAssistant /active:no >nul 2>&1
    net localgroup Administrators HelpAssistant /delete >nul 2>&1
    REM remove both HelpAssistant profile folders (quoted long paths; the 8.3 form would need its ~1 suffix)
    attrib -s -h -r "C:\Documents and Settings\HelpAssistant\*" /s /d
    attrib -s -h -r "C:\Documents and Settings\HelpAssistant.METRO6730S\*" /s /d
    del /a /f /q "C:\Documents and Settings\HelpAssistant\*.*"
    rmdir /s /q "C:\Documents and Settings\HelpAssistant"
    del /a /f /q "C:\Documents and Settings\HelpAssistant.METRO6730S\*.*"
    rmdir /s /q "C:\Documents and Settings\HelpAssistant.METRO6730S"
    REM remove the profile registration that pointed at HelpAssistant.METRO6730S
    reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3912795529-913963262-1930933378-1007" /f
    REM restore the Terminal Services ServiceDll (inside a batch file %% writes a literal %)
    reg add HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters /v ServiceDll /t REG_EXPAND_SZ /d %%systemroot%%\System32\termsrv.dll /f
    REM close the 3389/TCP firewall exception and set TermService back to manual start
    reg delete HKLM\SYSTEM\CurrentControlSet\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List /v 3389:TCP /f
    reg add HKLM\SYSTEM\CurrentControlSet\Services\TermService /v Start /t REG_DWORD /d 0x3 /f
    REM the batch file deletes itself when done
    del %0

    • Go to the File menu at the top of the Notepad and select Save as.
    • Select Save in: desktop
    • Fill in File name: dirlook.bat
    • Save as type: All file types (*.*)
    • Click save.
    • Close the Notepad.
    • Locate and double-click dirlook.bat on the desktop.
    • A command window opens and then closes.

  4. Reboot the computer.

  5. Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box into a new file:


    CODE
    @ECHO OFF
    REM mbr.exe (Gmer's MBR check) writes its result to mbr.log in the current folder
    mbr -t
    REM account state after the cleanup, then what is left of the profile folders
    net user helpassistant >log.txt
    dir /a /b /o "c:\documents and settings" >>log.txt 2>&1
    dir /a /b /o "c:\documents and settings\HelpAssistant.METRO6730S" >>log.txt 2>&1
    type mbr.log >>log.txt
    start log.txt
    del %0

    • Go to the File menu at the top of the Notepad and select Save as.
    • Select Save in: desktop
    • Fill in File name: dirlook.bat
    • Save as type: All file types (*.*)
    • Click save.
    • Close the Notepad.
    • Locate and double-click dirlook.bat on the desktop.
    • A Notepad window opens; copy and paste its content (log.txt) into your reply.

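As an added triage example (not code from this thread or from any of the tools it uses), the Python script below parses saved `net user`, `reg query ... /s` and `dir /a /s` output and flags the same indicators Farbar checked for above: an enabled HelpAssistant account sitting in Administrators, a HelpAssistant profile registered under a machine SID in ProfileList, and the live driver copy in system32\drivers compared with its backups. The sample input is constructed from the log posted earlier in this thread; the size comparison is only a first pass, which is why the script asks for a hash comparison either way.

```python
import re
from collections import defaultdict

# Constructed sample input, modelled on the net user / reg query / dir output posted in this thread.
NET_USER_SAMPLE = """\
User name                    HelpAssistant
Account active               Yes
Local Group Memberships      *Administrators
The command completed successfully.
"""
PROFILE_LIST_SAMPLE = """\
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-18
    ProfileImagePath    REG_EXPAND_SZ    %systemroot%\\system32\\config\\systemprofile

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3912795529-913963262-1930933378-1007
    ProfileImagePath    REG_EXPAND_SZ    %SystemDrive%\\Documents and Settings\\HelpAssistant.METRO6730S
"""
DIR_SAMPLE = """\
 Directory of c:\\WINDOWS\\system32\\dllcache

04/13/2008  12:40 PM            96,512 atapi.sys

 Directory of c:\\WINDOWS\\system32\\drivers

04/13/2008  12:40 PM            96,512 atapi.sys
"""
LIVE_DRIVER_DIR = r"c:\windows\system32\drivers"

def parse_net_user(text):
    """Pick the fields of interest out of `net user <name>` output."""
    fields = ("Account active", "Local Group Memberships")
    return {f: line[len(f):].strip()
            for line in text.splitlines() for f in fields if line.startswith(f)}

def parse_profile_list(text):
    """Map each ProfileList SID to its ProfileImagePath (from `reg query ... /s`)."""
    profiles, sid = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.search(r"\\ProfileList\\(S-[\d-]+)$", line):
            sid = m.group(1)
        elif sid and line.startswith("ProfileImagePath"):
            profiles[sid] = line.split(None, 2)[2]
    return profiles

def parse_dir_listing(text):
    """Group `dir /a /s` rows as {file name (lower-cased): {directory: size in bytes}}."""
    copies, directory = defaultdict(dict), None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("Directory of "):
            directory = line[len("Directory of "):].lower()
        elif directory and (m := re.match(r"\S+\s+\S+\s+(?:AM|PM)\s+([\d,]+)\s+(\S+)$", line)):
            copies[m.group(2).lower()][directory] = int(m.group(1).replace(",", ""))
    return copies

def assess(net_user, profiles, copies):
    """Return the indicators the helper in this thread was checking for."""
    findings = []
    if net_user.get("Account active") == "Yes":
        findings.append("HelpAssistant account is enabled (it is normally disabled)")
    if "Administrators" in net_user.get("Local Group Memberships", ""):
        findings.append("HelpAssistant is a member of the local Administrators group")
    for sid, path in profiles.items():
        # A HelpAssistant profile under a machine S-1-5-21-... SID is not a built-in profile.
        if "helpassistant" in path.lower() and sid.startswith("S-1-5-21-"):
            findings.append(f"ProfileList entry {sid} points at {path}")
    for name, where in copies.items():
        live = where.get(LIVE_DRIVER_DIR)
        backups = [size for d, size in where.items() if d != LIVE_DRIVER_DIR]
        if live is None or not backups:
            continue
        status = "has a different size from" if any(s != live for s in backups) else "has the same size as"
        # Equal size does not prove the driver is clean: an in-place patch keeps the size, so hash it.
        findings.append(f"{name}: live copy {status} the backup copies; compare hashes next")
    return findings
```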

#9 tanishaw

tanishaw
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Saint Louis, MO
  • Local time:05:21 PM

Posted 20 February 2010 - 01:09 PM

After the TDSSKiller it did not need a reboot.

User name HelpAssistant
Full Name HelpAssistant
Comment
User's comment
Country code 000 (System Default)
Account active No
Account expires Never

Password last set 1/27/2010 9:52 AM
Password expires Never
Password changeable 1/27/2010 9:52 AM
Password required Yes
User may change password Yes

Workstations allowed All
Logon script
User profile
Home directory
Last logon 1/27/2010 9:52 AM

Logon hours allowed All

Local Group Memberships
Global Group memberships *None
The command completed successfully.

Administrator
All Users
Default User
HelpAssistant
LocalService
NetworkService
File Not Found
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89BB1C70]<<
kernel: MBR read successfully
user & kernel MBR OK


#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:21 AM

Posted 20 February 2010 - 05:18 PM

  1. Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box into a new file:

    CODE
    @ECHO OFF
    net user HelpAssistant /active:no
    net localgroup Administrators HelpAssistant /delete
    REM stage known-good copies of both drivers in C:\ for The Avenger to move into place
    xcopy /h /y c:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\iaStor.sys c:\ >log.txt
    copy /y c:\WINDOWS\ServicePackFiles\i386\atapi.sys c:\ >>log.txt
    REM open the log so the two "1 file(s) copied" lines can be checked
    start log.txt
    del %0

    • Go to the File menu at the top of the Notepad and select Save as.
    • Select Save in: desktop
    • Fill in File name: copy.bat
    • Save as type: All file types (*.*)
    • Click save.
    • Close the Notepad.
    • Locate and double-click copy.bat on the desktop.
    • A text file (log.txt) opens. Proceed with the next step only if "1 file(s) copied" is listed twice.

  2. Download The Avenger by Swandog46 from here.
    • Unzip/extract it to a folder on your desktop.
    • Double click on avenger.exe to run The Avenger.
    • Click OK.
    • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
    • Copy all of the text in the below code box to the clipboard by highlighting it and then pressing Ctrl+C.
      CODE
      Comment:
      start to process
      Files to move:
      C:\atapi.sys | C:\WINDOWS\system32\drivers\atapi.sys
      C:\iaStor.sys | C:\WINDOWS\system32\drivers\iaStor.sys
      Folders to delete:
      c:\documents and settings\HelpAssistant
    • In the Avenger window, click the Paste Script from Clipboard button.
    • Click the Execute button.
    • You will be asked Are you sure you want to execute the current script?.
    • Click Yes.
    • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot.  Reboot now?.
    • Click Yes.
    • Your PC will now be rebooted.
    • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
    • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
    • Please post this log in your next reply.

  3. Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box into a new file:


    CODE
    @ECHO OFF
    REM mbr.exe writes mbr.log into the current folder; it is appended to log.txt below
    mbr -t
    net user helpassistant >log.txt
    dir /a /b /o "c:\documents and settings" >>log.txt 2>&1
    type mbr.log >>log.txt
    start log.txt

    • Go to the File menu at the top of the Notepad and select Save as.
    • Select Save in: desktop
    • Fill in File name: dirlook.bat
    • Save as type: All file types (*.*)
    • Click save.
    • Close the Notepad.
    • Locate and double-click dirlook.bat on the desktop.
    • A Notepad window opens; copy and paste its content (log.txt) into your reply.

  4. Run profiles.exe once more.
    Copy and paste the content of the log to your reply.


#11 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:21 AM

Posted 20 February 2010 - 06:32 PM

I received your PM about the open command window not completing. It should not take that long unless some of the earlier commands don't get executed. This is a nasty new type of multiple rootkit infection.

Please close the open command window and make a batch file this time just with the following lines, run it and proceed:

CODE
xcopy /h /y c:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\iaStor.sys c:\ >log.txt
copy /y c:\WINDOWS\ServicePackFiles\i386\atapi.sys c:\ >>log.txt
del %0




#12 tanishaw

tanishaw
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Saint Louis, MO
  • Local time:05:21 PM

Posted 20 February 2010 - 06:47 PM

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "C:\atapi.sys|C:\WINDOWS\system32\drivers\atapi.sys" completed successfully.
File move operation "C:\iaStor.sys|C:\WINDOWS\system32\drivers\iaStor.sys" completed successfully.
Folder "c:\documents and settings\HelpAssistant" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


User name HelpAssistant
Full Name HelpAssistant
Comment
User's comment
Country code 000 (System Default)
Account active No
Account expires Never

Password last set 1/27/2010 9:52 AM
Password expires Never
Password changeable 1/27/2010 9:52 AM
Password required Yes
User may change password Yes

Workstations allowed All
Logon script
User profile
Home directory
Last logon 1/27/2010 9:52 AM

Logon hours allowed All

Local Group Memberships
Global Group memberships *None
The command completed successfully.

Administrator
All Users
Default User
LocalService
NetworkService
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89B087A0]<<
kernel: MBR read successfully
user & kernel MBR OK


#13 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:21 AM

Posted 20 February 2010 - 06:59 PM

Please do step 4 too.

#14 tanishaw

tanishaw
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Saint Louis, MO
  • Local time:05:21 PM

Posted 20 February 2010 - 07:02 PM

Sorry!



HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
DefaultUserProfile REG_SZ Default User
AllUsersProfile REG_SZ All Users

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
ProfileImagePath REG_EXPAND_SZ %systemroot%\system32\config\systemprofile

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\LocalService

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\NetworkService

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3912795529-913963262-1930933378-500
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\Administrator

SystemRoot REG_SZ C:\WINDOWS


#15 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:21 AM

Posted 20 February 2010 - 07:15 PM

We got rid of the HelpAssistant fully.

But still there is something we have to research and eventually fix.
  1. Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
    • The application window will appear
    • Click the Disable button to disable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • If DeFogger asks to reboot the machine, click OK
    IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

    Do not re-enable these drivers until otherwise instructed.

  2. Please run GMER with the following settings:
    • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
    • Click on this link to see a list of programs that should be disabled.
    • Disconnect from the Internet and close all running programs.
    • Double click GMER.exe. If asked to allow the gmer.sys driver to load, please consent.
    • If it gives you a warning about rootkit activity and asks if you want to run a scan, click on NO.
    • In the right panel, you will see several boxes that have been checked. Make sure the following are unchecked:
      • Drives/Partition other than C:\ drive (C:\ drive should remain checked)
      • Show All (this one also should be unchecked)
    • Then click the Scan button & wait for it to begin. (Please be patient as it can take some time to complete).
    • When the scan is finished, you will see the Scan button appear again. Click Save to save the scan results to your Desktop.
    • Save the file as gmer.log and copy/paste the contents in your next reply.




