
Rootkit.TDSS found in malwarebytes results


This topic is locked
27 replies to this topic

#1 rivers2tomlinson
Members, 14 posts

Posted 16 February 2010 - 09:56 PM

Ran a Malwarebytes check on my computer earlier since it had been a while. After rebooting, I ran another scan and got a warning that I had 7 infected objects, all of which are Rootkit.TDSS. 6 are under the "file" category and one is under the "registry key" category.


Here is my DDS log:

DDS (Ver_09-12-01.01) - NTFSx86
Run by Ken at 18:34:02.20 on Tue 02/09/2010
Internet Explorer: 7.0.6001.18000
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============


============== Pseudo HJT Report ===============

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cndt
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cndt
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cndt
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cndt
uInternet Settings,ProxyOverride = *.local
BHO: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
uRun: [Orb] "c:\program files\orb networks\orb\bin\OrbTray.exe" /background
uRun: [PeerBlock] c:\program files\peerblock\peerblock.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [lxdnmon.exe] "c:\program files\lexmark 2600 series\lxdnmon.exe"
mRun: [EzPrint] "c:\program files\lexmark 2600 series\ezprint.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\PVT0y7g47.exe" /runcleanupscript
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111v3\WG111v3.exe
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\programs\partygaming\partypoker\RunApp.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\progra~1\java\jre16~1.0_0\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

================= FIREFOX ===================

FF - ProfilePath - c:\users\ken\appdata\roaming\mozilla\firefox\profiles\vkg9kdgb.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.espn.com
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\users\ken\appdata\local\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\users\ken\appdata\roaming\mozilla\firefox\profiles\vkg9kdgb.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2010-02-15 16:46:31 0 d-----w- c:\program files\PeerBlock
2010-02-15 07:12:59 0 d-----w- c:\programdata\Lx_cats
2010-02-15 07:11:26 0 d-----w- C:\logs
2010-02-15 07:10:16 77304 ----a-w- c:\windows\system32\lxdnprpr.chm
2010-02-15 07:10:16 348160 ----a-w- c:\windows\system32\lxdncoin.dll
2010-02-15 07:08:53 0 d-----w- c:\programdata\Ezprint
2010-02-15 07:08:46 0 d-----w- c:\program files\Lexmark Toolbar
2010-02-15 07:08:23 0 d-----w- c:\program files\Lexmark 2600 Series
2010-02-15 04:31:43 0 d-----w- c:\program files\PeerGuardian2
2010-02-15 03:01:23 0 d-----w- C:\OEMSettings
2010-02-15 03:01:11 289280 ----a-w- c:\windows\system32\drivers\wg111v3.sys
2010-02-15 03:01:01 0 d-----w- c:\program files\NETGEAR
2010-02-15 02:59:48 0 d-----w- c:\windows\Downloaded Installations
2010-02-10 00:38:45 0 d-----w- c:\users\ken\appdata\roaming\Malwarebytes
2010-02-10 00:36:12 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-10 00:36:10 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-10 00:36:10 0 d-----w- c:\programdata\Malwarebytes
2010-02-10 00:36:10 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-10 00:16:16 45056 ----a-w- c:\windows\system32\_VOIDbrtytkitsc.dll
2010-02-10 00:16:15 32256 ----a-w- c:\windows\system32\_VOIDyfysnpwnqa.dll
2010-02-10 00:16:12 26624 ----a-w- c:\windows\system32\_VOIDqqroxwqqmy.dll
2010-02-10 00:16:12 233 ----a-w- c:\windows\system32\_VOIDepttweeixq.dat
2010-02-10 00:16:11 42496 ----a-w- c:\windows\system32\drivers\_VOIDyxokrcmcrj.sys
2010-01-15 01:32:26 295 ----a-w- c:\windows\system32\InstallUtil.InstallLog

==================== Find3M ====================

2010-02-15 07:11:15 51200 ----a-w- c:\windows\inf\infpub.dat
2010-02-15 07:11:15 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-02-15 07:10:57 86016 ----a-w- c:\windows\inf\infstor.dat
2010-02-15 03:00:19 17638912 ----a-w- c:\program files\NETGEAR WG111v3 wireless USB 2.0 adapter.msi
2010-02-15 03:00:10 6129 ----a-w- c:\program files\0x0409.ini
2010-01-14 19:12:06 181120 ------w- c:\windows\system32\MpSigStub.exe
2008-11-07 09:02:52 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
2007-12-28 22:59:30 342528 ----a-w- c:\windows\inf\wg111v3\vista64\wg111v3.sys
2007-12-28 22:58:30 289280 ----a-w- c:\windows\inf\wg111v3\WG111v3.sys
2007-12-28 22:58:30 289280 ----a-w- c:\windows\inf\wg111v3\vista\wg111v3.sys
2007-11-28 01:53:58 63488 ----a-w- c:\windows\inf\wg111v3\SetDrv64.exe
2007-11-28 01:52:44 32768 ----a-w- c:\windows\inf\wg111v3\SetDrv.exe
2007-04-23 21:15:48 31016 ----a-w- c:\windows\inf\wg111v3\vista64\RtlProt.sys
2007-04-23 18:50:50 25896 ----a-w- c:\windows\inf\wg111v3\vista\RtlProt.sys
2007-04-20 05:22:44 75264 ----a-w- c:\windows\inf\wg111v3\vista64\rtkbind.exe
2007-04-20 05:22:28 74752 ----a-w- c:\windows\inf\wg111v3\vista\rtkbind.exe
2006-12-15 19:30:36 98304 ----a-w- c:\windows\inf\wg111v3\UScanM.exe
2006-12-15 19:30:36 315392 ----a-w- c:\windows\inf\wg111v3\InstallDriver.exe
2006-12-15 19:30:36 212992 ----a-w- c:\windows\inf\wg111v3\CopyWHQLDriver.exe
2006-12-15 19:30:36 20480 ----a-w- c:\windows\inf\wg111v3\RTWUPath.exe
2006-12-15 19:30:36 19968 ----a-w- c:\windows\inf\wg111v3\RTWREFU.EXE
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2008-11-07 09:04:31 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 18:34:12.03 ===============




Here is my Attach log:


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)


==== Disk Partitions =========================


==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

µTorrent
Absolute Poker
Acrobat.com
Activation Assistant for the 2007 Microsoft Office suites
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9
Apple Mobile Device Support
Apple Software Update
Bonjour
Cake Poker
CCleaner (remove only)
Compatibility Pack for the 2007 Office system
DiskAid 3.1
Full Tilt Poker
Google Chrome
Hardware Diagnostic Tools
Holdem Manager
HP Recovery Manager RSS
ImgBurn
iTunes
Java™ 6 Update 7
K-Lite Codec Pack 4.4.5 (Full)
Lexmark 2600 Series
Malwarebytes' Anti-Malware
Microsoft .NET Framework 3.5
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Works
Mozilla Firefox (3.0.5)
NETGEAR WG111v3 wireless USB 2.0 adapter
Norton Internet Security
NVIDIA Drivers
Orb
PeerBlock 1.0.0 (r181)
PeerGuardian 2.0
PokerStars
PokerStove version 1.21
PostgreSQL 8.3
Python 2.5.2
QuickTime
Realtek High Definition Audio Driver
Skype™ 4.0
Spybot - Search & Destroy
UltimateBet
Update for Office 2007 (KB934528)
Update for Office System 2007 Setup (KB929722)
Viewpoint Media Player (Remove Only)
Visual Install Pack
Windows Media Player Firefox Plugin
WinRAR archiver
Wise Registry Cleaner 4 Free 4.22

==== End Of File ===========================



Lastly, here is my GMER log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-09 18:51:00
Windows 6.0.6001 Service Pack 1
Running: gmer.exe; Driver: C:\Users\Ken\AppData\Local\Temp\kfldqpow.sys


---- Services - GMER 1.0.15 ----

Service system32\drivers\_VOIDmilfpgrbtt.sys (*** hidden *** ) [SYSTEM] _VOIDd.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\_VOIDd.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\_VOIDd.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\_VOIDd.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\_VOIDd.sys@imagepath \systemroot\system32\drivers\_VOIDmilfpgrbtt.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\_VOIDd.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\_VOIDd.sys\modules@_VOIDd \\?\globalroot\systemroot\system32\drivers\_VOIDmilfpgrbtt.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\_VOIDd.sys\modules@_VOIDc \\?\globalroot\systemroot\system32\_VOIDqusgbgbppv.dll
Reg HKLM\SYSTEM\ControlSet002\Services\_VOIDd.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\_VOIDd.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\_VOIDd.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\_VOIDd.sys@imagepath \systemroot\system32\drivers\_VOIDmilfpgrbtt.sys
Reg HKLM\SYSTEM\ControlSet002\Services\_VOIDd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\_VOIDd.sys\modules@_VOIDd \\?\globalroot\systemroot\system32\drivers\_VOIDmilfpgrbtt.sys
Reg HKLM\SYSTEM\ControlSet002\Services\_VOIDd.sys\modules@_VOIDc \\?\globalroot\systemroot\system32\_VOIDqusgbgbppv.dll

---- EOF - GMER 1.0.15 ----



Thank you for the help.





#2 aommaster
Malware Response Team, 5,289 posts, Dubai

Posted 18 February 2010 - 07:43 PM

Hello, rivers2tomlinson.
My name is aommaster and I will be helping you with your log.

I apologize for the delay in response we get overwhelmed at times but we are trying our best to keep up.
If you have since resolved the original problem you were having, I would appreciate you letting us know. If not please perform the following below so I can have a look at the current condition of your machine.

Thanks

We need to run RSIT
  1. Download random's system information tool (RSIT) by random/random and save it to your desktop.
  2. Double click on RSIT.exe.
  3. Click Continue at the disclaimer screen.
  4. Once it has finished, two logs will open. Please post the contents of both logs: log.txt (<<will be maximized) and info.txt (<<will be minimized)

NEXT:
We need to run a GMER scan
  1. Download GMER and save to your desktop. Note that the file will be randomly named to prevent active malware from stopping the download.
  2. Close all other open programs as there is a slight chance your computer will crash.
  3. Double click the GMER program ******.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  4. You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  5. Leaving the settings at default, click Scan.
  6. When the scan is complete, click Save and save the log onto your desktop.

In your next reply, please include the following:
  • Log.txt
  • info.txt
  • gmer.txt

My website: http://aommaster.com
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#3 aommaster
Malware Response Team, 5,289 posts, Dubai

Posted 21 February 2010 - 06:15 AM

Hello rivers2tomlinson
Are you still with us?



#4 rivers2tomlinson (Topic Starter)
Members, 14 posts

Posted 21 February 2010 - 08:55 PM

Tried running RSIT and after I hit "continue," I got a message stating


Line -1:

Error: Variable used without being declared

Edited by rivers2tomlinson, 21 February 2010 - 09:01 PM.


#5 aommaster
Malware Response Team, 5,289 posts, Dubai

Posted 21 February 2010 - 09:48 PM

Hi!

In that case, please run a DDS scan instead. We'll work from that.



#6 rivers2tomlinson (Topic Starter)
Members, 14 posts

Posted 21 February 2010 - 10:01 PM

DDS:


DDS (Ver_09-12-01.01) - NTFSx86
Run by Ken at 18:59:03.58 on Sun 02/21/2010
Internet Explorer: 8.0.6001.18702
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============


============== Pseudo HJT Report ===============

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cndt
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cndt
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cndt
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cndt
uInternet Settings,ProxyOverride = *.local
BHO: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
uRun: [Orb] "c:\program files\orb networks\orb\bin\OrbTray.exe" /background
uRun: [PeerBlock] c:\program files\peerblock\peerblock.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [lxdnmon.exe] "c:\program files\lexmark 2600 series\lxdnmon.exe"
mRun: [EzPrint] "c:\program files\lexmark 2600 series\ezprint.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111v3\WG111v3.exe
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

================= FIREFOX ===================

FF - ProfilePath - c:\users\ken\appdata\roaming\mozilla\firefox\profiles\vkg9kdgb.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.espn.com
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\users\ken\appdata\local\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\users\ken\appdata\roaming\mozilla\firefox\profiles\vkg9kdgb.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2010-02-18 22:43:40 0 d-----w- c:\users\ken\appdata\roaming\UB
2010-02-15 16:46:31 0 d-----w- c:\program files\PeerBlock
2010-02-15 07:12:59 0 d-----w- c:\programdata\Lx_cats
2010-02-15 07:11:26 0 d-----w- C:\logs
2010-02-15 07:10:16 77304 ----a-w- c:\windows\system32\lxdnprpr.chm
2010-02-15 07:10:16 348160 ----a-w- c:\windows\system32\lxdncoin.dll
2010-02-15 07:08:53 0 d-----w- c:\programdata\Ezprint
2010-02-15 07:08:46 0 d-----w- c:\program files\Lexmark Toolbar
2010-02-15 07:08:23 0 d-----w- c:\program files\Lexmark 2600 Series
2010-02-15 04:31:43 0 d-----w- c:\program files\PeerGuardian2
2010-02-15 03:01:23 0 d-----w- C:\OEMSettings
2010-02-15 03:01:01 0 d-----w- c:\program files\NETGEAR
2010-02-15 02:59:48 0 d-----w- c:\windows\Downloaded Installations
2010-02-10 04:05:43 54016 ----a-w- c:\windows\system32\drivers\pcdhcgtq.sys
2010-02-10 00:38:45 0 d-----w- c:\users\ken\appdata\roaming\Malwarebytes
2010-02-10 00:36:12 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-10 00:36:10 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-10 00:36:10 0 d-----w- c:\programdata\Malwarebytes
2010-02-10 00:36:10 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================

2010-02-18 23:50:01 51200 ----a-w- c:\windows\inf\infpub.dat
2010-02-18 23:50:01 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-02-18 23:50:00 86016 ----a-w- c:\windows\inf\infstor.dat
2010-02-15 03:00:19 17638912 ----a-w- c:\program files\NETGEAR WG111v3 wireless USB 2.0 adapter.msi
2010-02-15 03:00:10 6129 ----a-w- c:\program files\0x0409.ini
2010-01-14 19:12:06 181120 ------w- c:\windows\system32\MpSigStub.exe
2008-11-07 09:02:52 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
2007-12-28 22:59:30 342528 ----a-w- c:\windows\inf\wg111v3\vista64\wg111v3.sys
2007-12-28 22:58:30 289280 ----a-w- c:\windows\inf\wg111v3\WG111v3.sys
2007-12-28 22:58:30 289280 ----a-w- c:\windows\inf\wg111v3\vista\wg111v3.sys
2007-11-28 01:53:58 63488 ----a-w- c:\windows\inf\wg111v3\SetDrv64.exe
2007-11-28 01:52:44 32768 ----a-w- c:\windows\inf\wg111v3\SetDrv.exe
2007-04-23 21:15:48 31016 ----a-w- c:\windows\inf\wg111v3\vista64\RtlProt.sys
2007-04-23 18:50:50 25896 ----a-w- c:\windows\inf\wg111v3\vista\RtlProt.sys
2007-04-20 05:22:44 75264 ----a-w- c:\windows\inf\wg111v3\vista64\rtkbind.exe
2007-04-20 05:22:28 74752 ----a-w- c:\windows\inf\wg111v3\vista\rtkbind.exe
2006-12-15 19:30:36 98304 ----a-w- c:\windows\inf\wg111v3\UScanM.exe
2006-12-15 19:30:36 315392 ----a-w- c:\windows\inf\wg111v3\InstallDriver.exe
2006-12-15 19:30:36 212992 ----a-w- c:\windows\inf\wg111v3\CopyWHQLDriver.exe
2006-12-15 19:30:36 20480 ----a-w- c:\windows\inf\wg111v3\RTWUPath.exe
2006-12-15 19:30:36 19968 ----a-w- c:\windows\inf\wg111v3\RTWREFU.EXE
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2008-11-07 09:04:31 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 18:59:20.37 ===============



Attach:

DDS (Ver_09-12-01.01)


==== Disk Partitions =========================


==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

µTorrent
Absolute Poker
Acrobat.com
Activation Assistant for the 2007 Microsoft Office suites
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9
Apple Mobile Device Support
Apple Software Update
Bonjour
Cake Poker
CCleaner (remove only)
Compatibility Pack for the 2007 Office system
DiskAid 3.1
Full Tilt Poker
Google Chrome
Hardware Diagnostic Tools
Holdem Manager
HP Recovery Manager RSS
ImgBurn
iTunes
Java™ 6 Update 7
K-Lite Codec Pack 4.4.5 (Full)
Lexmark 2600 Series
Malwarebytes' Anti-Malware
Microsoft .NET Framework 3.5
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Works
Mozilla Firefox (3.0.5)
NETGEAR WG111v3 wireless USB 2.0 adapter
Norton Internet Security
NVIDIA Drivers
Orb
PeerBlock 1.0.0 (r181)
PeerGuardian 2.0
PokerStars
PokerStove version 1.21
PostgreSQL 8.3
Python 2.5.2
QuickTime
Realtek High Definition Audio Driver
Skype™ 4.0
Spybot - Search & Destroy
UB
Update for Office 2007 (KB934528)
Update for Office System 2007 Setup (KB929722)
Viewpoint Media Player (Remove Only)
Visual Install Pack
Windows Media Player Firefox Plugin
WinRAR archiver
Wise Registry Cleaner 4 Free 4.22

==== End Of File ===========================
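The two DDS logs and the first GMER log in this thread (posts #1 and #6) carry the indicators a helper reads off by eye: a service GMER marks as hidden, registry "modules" values that reach the driver through the \\?\globalroot namespace, a burst of _VOID-prefixed files written within the same minute, a later driver with an eight-letter random-looking name (pcdhcgtq.sys) and UAC switched off (EnableLUA = 0). The script below is an added example for this thread, not a tool from the DDS, GMER or Malwarebytes authors and not something the helper asked the poster to run. The sample input is copied from the logs in posts #1 and #6; the eight-letter-driver rule and the three-files-per-minute burst threshold are assumptions of the example, not rules used by GMER or DDS.

```python
r"""Triage DDS and GMER log excerpts for the TDSS/TDL3 indicators seen in this thread.

Added example for this thread; not a tool written by the DDS, GMER or
Malwarebytes authors. What it flags:
  * a GMER "Service ... (*** hidden ***)" entry (a driver hidden from the API)
  * service "modules" registry values that reach the file via \\?\globalroot
  * files carrying the _VOID prefix GMER tied to the rootkit, grouped by the
    minute they were written (a dropper writes its files in one burst)
  * a driver in system32\drivers named with eight digit-free lower-case
    letters (assumed heuristic, not a GMER/DDS rule)
  * mPolicies-system: EnableLUA = 0, i.e. UAC turned off
"""
import re
from collections import defaultdict

# Constructed input: lines copied verbatim from the logs in posts #1 and #6.
SAMPLE_LOG = r"""
Service system32\drivers\_VOIDmilfpgrbtt.sys (*** hidden *** ) [SYSTEM] _VOIDd.sys <-- ROOTKIT !!!
Reg HKLM\SYSTEM\CurrentControlSet\Services\_VOIDd.sys@imagepath \systemroot\system32\drivers\_VOIDmilfpgrbtt.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\_VOIDd.sys\modules@_VOIDd \\?\globalroot\systemroot\system32\drivers\_VOIDmilfpgrbtt.sys
2010-02-10 00:38:45 0 d-----w- c:\users\ken\appdata\roaming\Malwarebytes
2010-02-10 00:36:10 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-10 00:16:16 45056 ----a-w- c:\windows\system32\_VOIDbrtytkitsc.dll
2010-02-10 00:16:15 32256 ----a-w- c:\windows\system32\_VOIDyfysnpwnqa.dll
2010-02-10 00:16:12 26624 ----a-w- c:\windows\system32\_VOIDqqroxwqqmy.dll
2010-02-10 00:16:12 233 ----a-w- c:\windows\system32\_VOIDepttweeixq.dat
2010-02-10 00:16:11 42496 ----a-w- c:\windows\system32\drivers\_VOIDyxokrcmcrj.sys
2010-02-10 04:05:43 54016 ----a-w- c:\windows\system32\drivers\pcdhcgtq.sys
2010-02-15 03:01:11 289280 ----a-w- c:\windows\system32\drivers\wg111v3.sys
mPolicies-system: EnableLUA = 0 (0x0)
"""

HIDDEN_SERVICE = re.compile(r"^Service\s+(\S+)\s+\(\*\*\* hidden \*\*\*")
# DDS "Created Last 30" line: timestamp, size, attribute string, path.
CREATED = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(\S+)\s+(.+)$")
# Assumed heuristic: an eight-letter, digit-free driver name in system32\drivers.
RANDOM_SYS = re.compile(r"\\system32\\drivers\\([a-z]{8})\.sys$")
BURST_MIN_FILES = 3  # assumption: three or more _VOID files in one minute is a burst


def triage(log_text):
    """Return (findings, bursts): a list of (kind, detail) and {minute: [paths]}."""
    findings = []
    void_by_minute = defaultdict(list)
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HIDDEN_SERVICE.match(line)
        if m:
            findings.append(("hidden_service", m.group(1)))
            continue
        if line.startswith("Reg ") and "globalroot" in line.lower():
            findings.append(("globalroot_module", line.split("@", 1)[1]))
            continue
        m = CREATED.match(line)
        if m:
            ts, _size, attrs, path = m.groups()
            if attrs.startswith("d"):  # directories are not of interest here
                continue
            name = path.rsplit("\\", 1)[-1]
            if name.startswith("_VOID"):
                findings.append(("void_prefix", path))
                void_by_minute[ts[:16]].append(path)  # key is "YYYY-MM-DD HH:MM"
            elif RANDOM_SYS.search(path):
                findings.append(("random_driver", path))
            continue
        if line.startswith("mPolicies-system:") and "EnableLUA = 0" in line:
            findings.append(("uac_disabled", line))
    bursts = {minute: paths for minute, paths in void_by_minute.items()
              if len(paths) >= BURST_MIN_FILES}
    return findings, bursts


if __name__ == "__main__":
    found, burst = triage(SAMPLE_LOG)
    for kind, detail in found:
        print(f"{kind:18} {detail}")
    for minute, paths in burst.items():
        print(f"burst at {minute}: {len(paths)} _VOID files written together")
```

Run against the sample it reports one hidden service, one globalroot module reference, five _VOID files forming a single burst at 2010-02-10 00:16, the eight-letter pcdhcgtq.sys driver, and the disabled-UAC policy line, while leaving mbam.sys and wg111v3.sys alone. The burst grouping is the part worth keeping for other logs: a legitimate installer also writes many files at once, so the grouping only narrows the search, and the file names, the service entry and the hidden flag are what tie the burst to a rootkit.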


#7 aommaster
Malware Response Team, 5,289 posts, Dubai

Posted 21 February 2010 - 10:07 PM

Hi!

Hello, rivers2tomlinson.
P2P Program Warning!

uTorrent

P2P programs form a direct conduit onto your computer, their security measures are easily circumvented, and malware writers are increasingly exploiting them to spread their wares onto your computer. Further to that, if your P2P programme is not configured correctly you may be sharing more files than you realise. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to the file sharing network by a badly configured programme.

This article from InfoWorld illustrates perfectly the dangers of a poorly configured P2P program.
Here

Many of the programs come bundled with other unwanted programs, but even the ones free of any bundled software are not safe to use.
When you use them you are downloading software from an unknown source directly onto your computer, bypassing your Firewall and Anti-Virus software. Hardly surprising then that many of these Downloads are being targeted to carry infections.

Note: It is pretty much certain that if you continue to use P2P programs, then you will get infected again.
I would recommend that you uninstall the programs listed above, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.




Poker Program Warning!

Absolute Poker, Cake Poker, Full Tilt Poker, PokerStars, PokerStove version 1.21

Your logs show that you have been visiting online poker sites with applets installed on your computer. I know that you may use this game on a regular basis, but I think it's important to note that often these kinds of programs are installed with other unwanted software, namely spyware or adware. Due to this I strongly suggest that you uninstall these programmes if you do not use them anymore or did not install these programs yourself on purpose.
There are so many online poker games out there these days that it is close to impossible to keep track of whether a program is infected or not. Should you have installed this online poker game on purpose and wish to continue using this, you may ignore this. Should you decide to uninstall the program, then you can do so by following the below steps:

Please uninstall the programs listed above. You can do so via Control Panel >> Add or Remove Programs.
If you are unsure of how to use Add or Remove Programs, then please see this tutorial




Viewpoint Warning!

The logs also show Viewpoint Manager installed. Viewpoint Manager is considered foistware rather than malware since it is installed without the user's approval but doesn't spy or do anything "bad". This changed from what we knew in 2006; read this article:

Viewpoint to Plunge Into Adware

I suggest you remove the program now. Go to Start > Control Panel > Add or Remove Programs. From within Add or Remove Programs uninstall the following if they exist:
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player




Registry Cleaner Program Warning!

Wise Registry Cleaner 4 Free 4.22

Please be aware that bleepingcomputer staff do not recommend the usage of registry cleaners / tools due to the following facts:
  • Registry tools can cause irreparable damage to your Operating System
  • Registry tools can, as a result of the above, render your PC inoperable.
This is done assuming that the majority of the audience here at this board may be inexperienced users, and is thus a suggested safeguard from our side.
If you feel you have the need for a registry cleaner, then you are just as welcome to keep it. This is what we refer to as an "optional fix" and is up to the user, so just take this as a recommendation from my side.




We need to run a GMER scan
  1. Download GMER and save to your desktop. Note that the file will be randomly named to prevent active malware from stopping the download.
  2. Close all other open programs as there is a slight chance your computer will crash.
  3. Double click the GMER program ******.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  4. You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  5. Make sure all options are checked except:
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive, which is typically C:\
    • Show All (This is important, so do not miss it.)
    Note: If GMER crashes or hangs, please retry running a scan. Only this time, in addition to the options mentioned above, uncheck Devices as well.
  6. When the scan is complete, click Save and save the log onto your desktop.

In your next reply, please include the following:
  • gmer.txt



#8 rivers2tomlinson (Topic Starter)
Members, 14 posts

Posted 21 February 2010 - 11:14 PM

GMER log should be done in the next few minutes

#9 aommaster
Malware Response Team, 5,289 posts, Dubai

Posted 21 February 2010 - 11:20 PM

Okay



#10 rivers2tomlinson (Topic Starter)
Members, 14 posts

Posted 21 February 2010 - 11:21 PM

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-21 20:19:01
Windows 6.0.6001 Service Pack 1
Running: ppc3z1c2.exe; Driver: C:\Users\Ken\AppData\Local\Temp\kfldqpow.sys


---- Devices - GMER 1.0.15 ----

Device \FileSystem\cdfs \Cdfs 99F6B05C

---- EOF - GMER 1.0.15 ----

#11 aommaster
Malware Response Team, 5,289 posts, Dubai

Posted 21 February 2010 - 11:56 PM

Hello, rivers2tomlinson.
We need to download and run ComboFix (by sUBs)
  1. Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
    They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". For more details, please check this thread
  2. Please download ComboFix from one of these locations:
    Link 1
    Link 2
    ** IMPORTANT !!! Save ComboFix.exe to your Desktop
  3. Double click on ComboFix.exe & follow the prompts.
  4. When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a new HijackThis log.
**A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
**This tool is not a toy and not for everyday use.
**ComboFix SHOULD NOT be used unless requested by a forum helper


In your next reply, please include the following:
  • ComboFix.txt
  • Fresh HijackThis Log



#12 rivers2tomlinson

  • Topic Starter
  • Members
  • 14 posts

Posted 22 February 2010 - 12:16 AM

ComboFix deleted a file, and now Firefox won't open. Is that normal? Anyway, here are the logs:



ComboFix 10-02-21.02 - Ken 02/21/2010 21:01:18.1.2 - x86
Running from: c:\users\Ken\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-3111819155-4270058277-1591444449-500
c:\$recycle.bin\S-1-5-21-3240346748-4036201183-4289981945-1000
c:\$recycle.bin\S-1-5-21-617803501-2362016699-3706508713-500
c:\program files\Mozilla Firefox\plc4.dll
c:\program files\temp
c:\program files\temp\HideWin.exe
c:\windows\system32\Drivers\pcdhcgtq.sys

.
((((((((((((((((((((((((( Files Created from 2010-01-22 to 2010-02-22 )))))))))))))))))))))))))))))))
.

2010-02-22 05:05 . 2010-02-22 05:05 -------- d-----w- c:\users\postgres\AppData\Local\temp
2010-02-22 05:05 . 2010-02-22 05:05 -------- d-----w- c:\users\holdemmanager\AppData\Local\temp
2010-02-22 05:05 . 2010-02-22 05:05 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-02-22 04:37 . 2010-02-11 18:42 162512 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-02-22 04:37 . 2010-02-11 18:39 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-02-22 04:37 . 2010-02-11 18:38 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-02-22 04:37 . 2010-02-11 18:42 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-02-22 04:37 . 2010-02-11 18:38 51792 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-02-22 04:36 . 2010-02-11 18:53 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-02-22 04:36 . 2010-02-11 18:53 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-02-22 04:36 . 2010-02-22 04:36 -------- d-----w- c:\programdata\Alwil Software
2010-02-22 04:36 . 2010-02-22 04:36 -------- d-----w- c:\program files\Alwil Software
2010-02-22 01:55 . 2010-02-22 01:55 -------- d-----w- C:\rsit
2010-02-18 22:57 . 2010-02-19 00:43 159744 ----a-w- c:\users\Ken\AppData\Roaming\UB\DownLoadInst\liveupdate.exe
2010-02-18 22:43 . 2010-02-19 00:37 -------- d-----w- c:\users\Ken\AppData\Roaming\UB
2010-02-15 16:46 . 2010-02-22 05:06 -------- d-----w- c:\program files\PeerBlock
2010-02-15 07:12 . 2010-02-19 17:23 -------- d-----w- c:\programdata\Lx_cats
2010-02-15 07:11 . 2010-02-15 07:11 -------- d-----w- C:\logs
2010-02-15 07:11 . 2008-02-27 11:05 115200 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\lxdndrpp.dll
2010-02-15 07:10 . 2008-02-15 04:52 348160 ----a-w- c:\windows\system32\lxdncoin.dll
2010-02-15 04:31 . 2010-02-15 07:16 -------- d-----w- c:\program files\PeerGuardian2
2010-02-15 03:01 . 2010-02-15 03:15 -------- d-----w- C:\OEMSettings
2010-02-15 03:01 . 2010-02-15 03:01 -------- d-----w- c:\program files\NETGEAR
2010-02-15 03:00 . 2010-02-15 03:00 17638912 ----a-w- c:\program files\NETGEAR WG111v3 wireless USB 2.0 adapter.msi
2010-02-15 02:59 . 2010-02-15 02:59 -------- d-----w- c:\windows\Downloaded Installations
2010-02-10 00:38 . 2010-02-10 00:38 -------- d-----w- c:\users\Ken\AppData\Roaming\Malwarebytes
2010-02-10 00:36 . 2010-01-08 00:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-10 00:36 . 2010-02-10 00:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-10 00:36 . 2010-02-10 00:36 -------- d-----w- c:\programdata\Malwarebytes
2010-02-10 00:36 . 2010-01-08 00:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-04 17:17 . 2010-02-04 17:20 -------- d-----w- c:\users\Ken\AppData\Local\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-21 20:16 . 2009-02-05 06:47 -------- d-----w- c:\program files\Full Tilt Poker
2010-02-19 00:42 . 2009-06-14 14:40 -------- d---a-w- c:\program files\Cake Poker
2010-02-15 07:13 . 2010-02-15 07:08 -------- d-----w- c:\program files\Lexmark 2600 Series
2010-02-15 07:08 . 2010-02-15 07:08 -------- d-----w- c:\programdata\Ezprint
2010-02-15 07:08 . 2010-02-15 07:08 -------- d-----w- c:\program files\Lexmark Toolbar
2010-02-15 06:49 . 2009-03-31 20:51 -------- d-----w- c:\program files\Executor
2010-02-15 05:50 . 2008-11-07 09:25 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-15 05:42 . 2009-03-31 13:17 -------- d-----w- c:\program files\TeamViewer
2010-02-15 05:33 . 2009-01-08 21:56 139272 ----a-w- c:\users\Ken\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-15 04:59 . 2008-11-07 09:29 -------- d-----w- c:\program files\Cyberlink
2010-02-15 04:58 . 2008-11-07 09:36 53319 ----a-w- c:\programdata\Temp\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}\PostBuild.exe
2010-02-15 03:00 . 2010-02-15 03:00 6129 ----a-w- c:\program files\0x0409.ini
2010-02-10 02:14 . 2009-01-08 22:35 -------- d-----w- c:\users\Ken\AppData\Roaming\uTorrent
2010-01-22 01:02 . 2009-01-09 20:13 -------- d-----w- c:\program files\Common Files\AOL
2010-01-22 01:02 . 2008-11-07 09:52 -------- d-----w- c:\programdata\Norton
2010-01-22 01:02 . 2009-04-01 04:52 -------- d-----w- c:\program files\Conduit
2010-01-15 01:52 . 2008-11-07 09:28 -------- d-----w- c:\program files\Hewlett-Packard
2010-01-15 01:51 . 2008-11-07 09:44 -------- d-----w- c:\programdata\WildTangent
2010-01-15 01:49 . 2008-11-07 09:30 53319 ----a-w- c:\programdata\Temp\{C59C179C-668D-49A9-B6EA-0121CCFC1243}\PostBuild.exe
2010-01-15 01:48 . 2008-11-07 09:36 -------- d---a-w- c:\program files\Common Files\LightScribe
2010-01-15 01:42 . 2008-11-07 09:32 36864 ----a-w- c:\programdata\Temp\{CB099890-1D5F-11D5-9EA9-0050BAE317E1}\PostBuild.exe
2010-01-15 01:40 . 2008-11-07 09:29 36864 ----a-w- c:\programdata\Temp\{40BF1E83-20EB-11D8-97C5-0009C5020658}\PostBuild.exe
2010-01-15 01:35 . 2009-09-04 01:57 -------- d-----w- c:\users\Ken\AppData\Roaming\SUPERAntiSpyware.com
2010-01-15 01:35 . 2009-09-04 01:57 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-01-15 01:35 . 2009-07-29 16:50 -------- d-----w- c:\program files\Yahoo!
2010-01-15 01:34 . 2008-11-07 09:25 -------- d-----w- c:\program files\Common Files\InstallShield
2010-01-14 19:12 . 2009-11-28 17:53 181120 ------w- c:\windows\system32\MpSigStub.exe
2008-11-07 09:04 . 2008-11-07 09:02 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Orb"="c:\program files\Orb Networks\Orb\bin\OrbTray.exe" [2009-07-14 510416]
"PeerBlock"="c:\program files\PeerBlock\peerblock.exe" [2009-09-28 1529432]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-27 13539872]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-27 92704]
"lxdnmon.exe"="c:\program files\Lexmark 2600 Series\lxdnmon.exe" [2008-03-27 660136]
"EzPrint"="c:\program files\Lexmark 2600 Series\ezprint.exe" [2008-03-27 107176]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
NETGEAR WG111v3 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v3\WG111v3.exe [2008-6-13 2498560]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^PictureMover.lnk]
backup=c:\windows\pss\PictureMover.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-06-12 10:38 34672 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-02-04 17:17 135664 ----atw- c:\users\Ken\AppData\Local\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
2007-04-18 15:01 65536 ----a-w- c:\hp\support\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-05-30 19:30 292136 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PeerGuardian]
2007-06-02 23:59 1457152 ----a-w- c:\program files\PeerGuardian2\pg2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-27 00:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-08-25 11:57 144784 ----a-w- c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-21 02:23 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe

R2 lxdnCATSCustConnectService;lxdnCATSCustConnectService;c:\windows\system32\spool\DRIVERS\W32X86\3\\lxdnserv.exe [2008-02-27 98984]
R2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [2008-09-19 65536]
R3 PCD5SRVC{BD6912E3-AC9D80E8-05040000};PCD5SRVC{BD6912E3-AC9D80E8-05040000} - PCDR Kernel Mode Service Helper Driver;c:\progra~1\PC-DOC~1\PCD5SRVC.pkms [2008-09-10 20640]
S1 aswSP;aswSP; [x]
S1 RtlProt;Realtke RtlProt WLAN Utility Protocol Driver;c:\windows\system32\DRIVERS\rtlprot.sys [2007-04-23 25896]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-02-11 51792]
S2 lxdn_device;lxdn_device;c:\windows\system32\lxdncoms.exe [2008-02-27 594600]
S3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [2009-09-28 16472]
S3 RTL8187B;NETGEAR WG111v3 Wireless-G USB Adapter Vista Driver;c:\windows\system32\DRIVERS\wg111v3.sys [2009-10-14 348160]
S3 VST_DPV;VST_DPV;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2008-01-21 987648]
S3 VSTHWBS2;VSTHWBS2;c:\windows\system32\DRIVERS\VSTBS23.SYS [2008-01-21 251904]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - ASWFSBLK
*NewlyCreated* - ASWMONFLT
*NewlyCreated* - ASWRDR
*NewlyCreated* - ASWSP
*NewlyCreated* - ASWTDI
.
Contents of the 'Scheduled Tasks' folder

2010-02-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3111819155-4270058277-1591444449-1000Core.job
- c:\users\Ken\AppData\Local\Google\Update\GoogleUpdate.exe [2010-02-04 17:17]

2010-02-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3111819155-4270058277-1591444449-1000UA.job
- c:\users\Ken\AppData\Local\Google\Update\GoogleUpdate.exe [2010-02-04 17:17]

2010-01-28 c:\windows\Tasks\PCDRScheduledMaintenance.job
- c:\program files\PC-Doctor for Windows\pcdr5cuiw32.exe [2008-09-10 14:43]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cndt
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cndt
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Ken\AppData\Roaming\Mozilla\Firefox\Profiles\vkg9kdgb.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.espn.com
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\users\Ken\AppData\Local\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\users\Ken\AppData\Roaming\Mozilla\Firefox\Profiles\vkg9kdgb.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
.
- - - - ORPHANS REMOVED - - - -

BHO-{1392b8d2-5c05-419f-a8f6-b9f15a596612} - (no file)
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
MSConfigStartUp-AVG8_TRAY - c:\progra~1\AVG\AVG8\avgtray.exe
MSConfigStartUp-HP Health Check Scheduler - c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
MSConfigStartUp-HP Software Update - c:\program files\HP\HP Software Update\HPWuSchd2.exe
MSConfigStartUp-HPAdvisor - c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
MSConfigStartUp-UpdateP2GoShortCut - c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe
MSConfigStartUp-UpdatePDIRShortCut - c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe
MSConfigStartUp-UpdatePSTShortCut - c:\program files\CyberLink\CyberLink DVD Suite Deluxe\MUITransfer\MUIStartMenu.exe
MSConfigStartUp-WinampAgent - c:\program files\Winamp\winampa.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-21 21:06
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\TEMP\TMP000000465BCBF1C6367EA326 524288 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCD5SRVC{BD6912E3-AC9D80E8-05040000}]
"ImagePath"="\??\c:\progra~1\PC-DOC~1\PCD5SRVC.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\RNG*]
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-02-21 21:07:44
ComboFix-quarantined-files.txt 2010-02-22 05:07

Pre-Run: 155,583,221,760 bytes free
Post-Run: 155,708,567,552 bytes free

- - End Of File - - F0D78BFB704055F3E2B73EB0C7AD796A

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:14:05 PM, on 2/21/2010
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe
C:\Program Files\Lexmark 2600 Series\lxdnmon.exe
C:\Program Files\PeerBlock\peerblock.exe
C:\Program Files\Orb Networks\Orb\bin\Orb.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\notepad.exe
C:\Windows\explorer.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Ken\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Ken\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Ken\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Ken\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Ken\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Ken\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Ken\Documents\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...rio&pf=cndt
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...rio&pf=cndt
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [lxdnmon.exe] "C:\Program Files\Lexmark 2600 Series\lxdnmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2600 Series\ezprint.exe"
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [PeerBlock] C:\Program Files\PeerBlock\peerblock.exe
O4 - HKUS\S-1-5-21-3111819155-4270058277-1591444449-1000\..\Run: [Orb] "C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe" /background (User '?')
O4 - HKUS\S-1-5-21-3111819155-4270058277-1591444449-1000\..\Run: [PeerBlock] C:\Program Files\PeerBlock\peerblock.exe (User '?')
O4 - Global Startup: NETGEAR WG111v3 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Users\Ken\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Users\Ken\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing) (HKCU)
O9 - Extra button: UB - {1FBA04EE-3024-11d2-8F1F-0000F87ABD16} - C:\Users\Ken\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\UB\UB.lnk (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: UB - {1FBA04EE-3024-11d2-8F1F-0000F87ABD16} - C:\Users\Ken\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\UB\UB.lnk (file missing) (HKCU)
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxdnCATSCustConnectService - Lexmark International, Inc. - C:\Windows\system32\spool\DRIVERS\W32X86\3\\lxdnserv.exe
O23 - Service: lxdn_device - - C:\Windows\system32\lxdncoms.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: OrbMediaService - Orb Networks - C:\Program Files\Orb Networks\Orb\bin\OrbMediaService.exe
O23 - Service: PostgreSQL Database Server 8.3 (pgsql-8.3) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe

--
End of file - 5358 bytes
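Added example (an editor's addition, not part of this thread, and not code from ComboFix, GMER or any of the tools named here): a small Python triage helper for the file entries in the ComboFix log posted above. ComboFix prints each "Files Created" and "Find3M" entry as `<created> . <modified> <size or dashes> <attribute flags> <path>`; the script parses that shape and lists what a responder would look at first: freshly created kernel drivers under system32\drivers, executables sitting in user-writable staging directories (AppData, Temp), and executables carrying the hidden or system attribute. The attribute-flag layout (directory, system, hidden, archive, temporary, writable) is an assumption inferred from the flag strings that appear in this log, the path markers and extensions are the example's own choices, and the sample input is an excerpt of the posted log. The output is a review list, not a verdict: the avast! and Malwarebytes drivers in the excerpt trip the same rule as a malicious driver would.

```python
"""Triage helper for the file entries in a ComboFix log (added example).

Entry format handled:
    <created> . <modified> <size or dashes> <attribute flags> <path>
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Set, Tuple

ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)

# Flag slots as inferred from the strings seen in this log
# (d-----w-, --sha-w-, ----atw-, d--h--w-). Slots 1 and 7 never vary
# in the posted log, so they are left undecoded rather than guessed.
FLAG_SLOTS = {0: "directory", 2: "system", 3: "hidden",
              4: "archive", 5: "temporary", 6: "writable"}

EXEC_EXT = (".exe", ".sys", ".dll", ".scr")          # example's own list
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"
STAGING_MARKERS = ("\\appdata\\", "\\temp\\")        # user-writable drop spots


@dataclass
class Entry:
    created: datetime
    modified: datetime
    size: Optional[int]      # None for directories (ComboFix prints dashes)
    flags: Set[str]
    path: str                # lower-cased, backslash separated


def decode_attrs(attrs: str) -> Set[str]:
    """Turn an 8-character flag field such as '--sha-w-' into a set of names."""
    return {name for slot, name in FLAG_SLOTS.items() if attrs[slot] != "-"}


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one log line; returns None for headers and unrelated lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    size = None if m["size"].startswith("-") else int(m["size"])
    return Entry(
        created=datetime.strptime(m["created"], "%Y-%m-%d %H:%M"),
        modified=datetime.strptime(m["modified"], "%Y-%m-%d %H:%M"),
        size=size,
        flags=decode_attrs(m["attrs"]),
        path=m["path"].lower(),
    )


def parse_log(text: str) -> List[Entry]:
    entries = [parse_entry(ln) for ln in text.splitlines()]
    return [e for e in entries if e is not None]


def triage(entries: List[Entry]) -> List[Tuple[str, Entry]]:
    """Return (reason, entry) pairs for the entries worth a closer look."""
    findings = []
    for e in entries:
        if "directory" in e.flags or not e.path.endswith(EXEC_EXT):
            continue
        if e.path.startswith(DRIVER_DIR) and e.path.endswith(".sys"):
            findings.append(("new kernel driver", e))
        if any(marker in e.path for marker in STAGING_MARKERS):
            findings.append(("executable in user-writable location", e))
        if e.flags & {"hidden", "system"}:
            findings.append(("hidden/system executable", e))
    return findings


# Excerpt of the ComboFix log posted above: six entries, one of them a directory.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2010-01-22 to 2010-02-22 )))))))))))))))))))))))))))))))
2010-02-22 04:37 . 2010-02-11 18:42 162512 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-02-18 22:57 . 2010-02-19 00:43 159744 ----a-w- c:\users\Ken\AppData\Roaming\UB\DownLoadInst\liveupdate.exe
2010-02-15 07:11 . 2010-02-15 07:11 -------- d-----w- C:\logs
2010-02-10 00:36 . 2010-01-08 00:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-15 04:58 . 2008-11-07 09:36 53319 ----a-w- c:\programdata\Temp\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}\PostBuild.exe
2008-11-07 09:04 . 2008-11-07 09:02 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
"""

if __name__ == "__main__":
    for reason, entry in triage(parse_log(SAMPLE_LOG)):
        print(f"{reason:38s} {entry.created:%Y-%m-%d %H:%M} {entry.path}")
```

Run against the excerpt it reports the two avast!/Malwarebytes drivers as new kernel drivers and the two executables under AppData and ProgramData\Temp as user-writable drops; NTUSER.DAT is hidden+system but not an executable, so it is left out. To use it on a full log, feed the whole ComboFix.txt to parse_log: the section banners and the service lines do not match the entry pattern and are skipped.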


#13 aommaster

    I !<3 malware
  • Malware Response Team
  • 5,289 posts
  • Gender:Male
  • Location:Dubai

Posted 22 February 2010 - 01:07 AM

Hello, rivers2tomlinson.
Not too sure why it did that. We'll restore the file on this run. Let me know if this fixes your problem. Also, do you seem to be experiencing any other problems?

We need to run a Combofix script
  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the codebox below into it. Do not copy the word "code".
    CODE
    Dequarantine::
    C:\Qoobox\Quarantine\C\program files\Mozilla Firefox\plc4.dll
    Quit::
  4. Save this as CFScript.txt, in the same location as ComboFix.exe
  5. Now, drag and drop CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

NEXT:

We need to update your version of Java

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  1. Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  2. Look for "JDK 6 Update 18 (JDK or JRE)".
  3. Click the Download JRE button to the right.
  4. Select your Platform: "Windows".
  5. Select your Language: "Multi-language".
  6. Read the License Agreement, and then check the box that says: "Accept License Agreement".
  7. Click Continue and the page will refresh.
  8. Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  9. Close any programs you may have running - especially your web browser.
  10. Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  11. Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  12. Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  13. Repeat as many times as necessary to remove each Java version.
  14. Reboot your computer once all Java components are removed.
  15. Then from your desktop double-click on jre-6u18-windows-i586-p.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

Please make sure you turn on the Java Automatic Update Feature

Then you will not have to remember to update it when Java introduces a new version.
Java is updated very frequently, and the old versions are malware magnets.

Note: This feature is available only on Windows XP, 2003, 2000 (SP2 or higher) and set by default for these operating systems.

NEXT:

We need to run a Panda Active Scan
  1. Please go here to run Panda's ActiveScan
  2. Once you are on the Panda site click the Scan your PC button
  3. Click the big Scan Now button
  4. If it wants to install an ActiveX component allow it
  5. It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  6. When download is complete, click on My Computer to start the scan
  7. When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

In your next reply, please include the following:
  • ComboFix.txt
  • Description of any remaining problems
  • ActiveScan Report



#14 rivers2tomlinson

  • Topic Starter
  • Members
  • 14 posts

Posted 22 February 2010 - 01:25 AM

Ran the ComboFix script, but when I tried to open any browser (IE, Chrome, or Firefox), I got a message saying "illegal operation attempted on a registry key that has been marked for deletion." I am posting this from my iPhone.

#15 aommaster

    I !<3 malware
  • Malware Response Team
  • 5,289 posts
  • Gender:Male
  • Location:Dubai

Posted 22 February 2010 - 01:27 AM

Hi!

Please restart your computer. Combofix probably has a few reg keys it would like to delete. We can restore them if need-be.
