
Rootkit? - Google searches redirect to searchfindsite.com


This topic is locked
32 replies to this topic

#1 bassbloke (Members, 16 posts)

Posted 21 February 2010 - 02:33 PM

Hello -

I am running:
Dell e1505 notebook
1.83 GHz Core Duo (T2400)
1 GB RAM
100 GB HDD
XP Pro SP3
Symantec Endpoint Protection (SEP) v11.0.4014.26

The first problem was that the Auto-Protect feature of SEP was blocking malicious activity from certain IP addresses and deleting rootkits and trojans. I have attached that log so you can see what it looks like. I believe that Firefox may have been deleted, because when it cleaned these infections by deletion, Firefox mysteriously disappeared.

One day after I started having the outside activity/rootkits/trojans problem, I was running Mozilla Firefox (v3.6, I believe), and some of my Google searches started redirecting to "searchfindsite.com." The browser never actually traveled to the link I clicked on in the Google search, which I know because when I pressed the "back" button, the link in the Google search was still blue. I searched for "searchfindsite" and discovered this was probably a rootkit problem.

So, I have run full system scans with the most updated virus/malware definitions using both SEP and Malwarebytes. I have also run several Malwarebytes scans in safe mode, and they all come back with 3 "Disabled.SecurityCenter" infections (AntiVirusDisableNotify, FirewallDisableNotify, UpdatesDisableNotify). I have attached a log of that full scan as well.

DDS ran fine, but gmer is crashing my computer (blue screen of death) each time I have run it. Windows has no idea what the problem is, and the latest error appeared like this:

PAGE_FAULT_IN_NONPAGED_AREA

Stop: 0x00000050 (0xF98CC000, 0x00000000, 0xB6DCAFEC, 0x00000000)
fxldypow.sys - Address B6DCAFEC base at B6DCA000, Datestamp 4b274f8d

I would greatly appreciate it if you could help me get gmer working, as well as the other obvious problem I have!

Thanks!!!!!!!!!!!!!!!!!!!


Here is the DDS log:

DDS (Ver_09-12-01.01) - NTFSx86
Run by Scott at 20:08:11.01 on Thu 02/18/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_03
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.425 [GMT -6:00]

AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Symantec AntiVirus\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
svchost.exe
C:\Program Files\LSoft Technologies Inc\Active@ Hard Disk Monitor\DiskMonitorService.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Creative\Shared Files\CTDevSrv.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Symantec AntiVirus\SmcGui.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\Rundll32.exe
C:\DOCUME~1\Scott\LOCALS~1\Temp\clclean.0001
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: EWPBrowseObject Class: {68f9551e-0411-48e4-9aaf-4bc42a6a46be} - c:\program files\canon\easy-webprint\EWPBrowseLoader.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: EndNote Web: {82d2e569-25a7-4e4d-9fa3-c5025b4b7912} - c:\program files\endnote web\ENWIEPlug.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.33.0\gears.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: EndNote Web: {945c8270-a848-11d5-a805-00b0d092f45b} - c:\program files\endnote web\ENWIEPlug.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [SetDefaultMIDI] MIDIDef.exe
uRun: [Rainlendar2] c:\program files\rainlendar2\Rainlendar2.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [type32] "c:\program files\microsoft intellitype pro\type32.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [MBMon] Rundll32 CTMBHA.DLL,MBMon
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -startup
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [CTSysVol] c:\program files\creative\sbaudigy\surround mixer\CTSysVol.exe /r
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_Print.html
IE: Lookup on CD - c:\ahd4withthesaurus\ahd.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.33.0\gears.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} - hxxp://www.creative.com/su/ocx/15030/CTSUEng.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1187747829875
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1232428580968
DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} - hxxp://www.creative.com/softwareupdate/su/ocx/15101/CTSUEng.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1232428516625
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/softwareupdate/su/ocx/15106/CTPID.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Notification Packages = scecli uscl32.dll

============= SERVICES / DRIVERS ===============

R0 phmcd;phmcd;c:\windows\system32\drivers\phmcd.sys [2008-4-8 44696]
R2 Active@ Disk Monitor;Active@ Disk Monitor;c:\program files\lsoft technologies inc\active@ hard disk monitor\DiskMonitorService.exe [2009-8-4 1123784]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-5-7 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-5-7 108392]
R2 portD;CMS PortIO Service;c:\windows\system32\drivers\portd2k.sys [2006-8-16 14976]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec antivirus\Rtvscan.exe [2009-5-7 2440120]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-11-28 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-1-17 102448]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100218.016\NAVENG.SYS [2010-2-18 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100218.016\NAVEX15.SYS [2010-2-18 1324720]
S1 SysTool;SysTool Overclocking Utility;c:\windows\system32\drivers\systool.sys [2006-11-10 24064]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-8-4 133104]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\coh_mon.sys [2008-8-11 23888]
S3 iMSPCLOj;iMSPCLOj;\??\c:\docume~1\scott\locals~1\temp\imspcloj.sys --> c:\docume~1\scott\locals~1\temp\iMSPCLOj.sys [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-11 14336]

=============== Created Last 30 ================

2010-02-19 01:02:43 0 d-sha-r- C:\cmdcons
2010-02-19 00:59:54 77312 ----a-w- c:\windows\MBR.exe
2010-02-19 00:59:53 98816 ----a-w- c:\windows\sed.exe
2010-02-19 00:59:53 261632 ----a-w- c:\windows\PEV.exe
2010-02-19 00:59:53 161792 ----a-w- c:\windows\SWREG.exe
2010-02-18 04:20:35 0 d-sh--w- c:\documents and settings\scott\PrivacIE
2010-02-18 02:10:16 120 ----a-w- c:\windows\Gpamez.dat
2010-02-18 02:10:16 0 ----a-w- c:\windows\Ydutum.bin
2010-02-18 02:08:11 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-02-18 02:08:11 34688 ----a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-02-18 02:08:07 8192 ----a-w- c:\windows\system32\drivers\Changer.sys
2010-02-18 02:08:07 8192 ----a-w- c:\windows\system32\dllcache\changer.sys
2010-02-11 19:10:46 33280 ------w- c:\windows\system32\dllcache\csrsrv.dll
2010-02-11 19:10:43 17920 ------w- c:\windows\system32\dllcache\msyuv.dll
2010-02-11 19:10:37 8704 ------w- c:\windows\system32\dllcache\tsbyuv.dll
2010-02-11 19:10:37 11264 ------w- c:\windows\system32\dllcache\msrle32.dll
2010-02-11 19:10:36 48128 ------w- c:\windows\system32\dllcache\iyuv_32.dll
2010-02-11 19:10:36 28672 ------w- c:\windows\system32\dllcache\msvidc32.dll
2010-02-11 19:10:35 343040 ------w- c:\windows\system32\dllcache\mspaint.exe

==================== Find3M ====================

2010-01-19 05:02:08 123677 ----a-w- c:\windows\system32\nvModes.dat
2010-01-07 22:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 22:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-31 16:50:03 353792 ------w- c:\windows\system32\drivers\srv.sys
2009-12-31 16:50:03 353792 ------w- c:\windows\system32\dllcache\srv.sys
2009-12-21 13:19:18 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-12-16 18:43:27 343040 ------w- c:\windows\system32\mspaint.exe
2009-12-14 07:08:23 33280 ------w- c:\windows\system32\csrsrv.dll
2009-12-08 19:27:51 2189184 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-12-08 19:26:15 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 19:26:15 2145280 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-12-08 18:43:51 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-08 18:43:51 2023936 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-12-08 18:43:50 2066048 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-12-08 09:23:28 474112 ------w- c:\windows\system32\dllcache\shlwapi.dll
2009-12-04 18:22:22 455424 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2009-11-27 17:11:44 17920 ------w- c:\windows\system32\msyuv.dll
2009-11-27 17:11:44 1291776 ------w- c:\windows\system32\quartz.dll
2009-11-27 17:11:44 1291776 ------w- c:\windows\system32\dllcache\quartz.dll
2009-11-27 16:07:35 8704 ------w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07:35 28672 ------w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07:34 84992 ------w- c:\windows\system32\dllcache\avifil32.dll
2009-11-27 16:07:34 84992 ------w- c:\windows\system32\avifil32.dll
2009-11-27 16:07:34 48128 ------w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:07:34 11264 ------w- c:\windows\system32\msrle32.dll
2009-11-21 15:51:04 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2005-06-29 23:54:30 30720 --shatr- c:\windows\$hf_mig$\kb899588\update\arpidfix.exe
2007-03-06 01:22:33 14048 --shatr- c:\windows\$hf_mig$\kb943485\spmsg.dll
2007-03-06 01:22:56 716000 --shatr- c:\windows\$hf_mig$\kb946026\update\update.exe
2008-06-13 11:27:43 272128 --shatr- c:\windows\$hf_mig$\kb951376-v2\sp3qfe\bthport.sys
2008-08-26 09:08:35 124928 --shatr- c:\windows\$hf_mig$\kb956390-ie7\sp2qfe\advpack.dll
2009-02-09 10:56:35 473600 --shatr- c:\windows\$hf_mig$\kb956572\sp3qfe\fastprox.dll
2009-02-20 18:09:51 124928 --shatr- c:\windows\$hf_mig$\kb963027-ie7\sp3qfe\advpack.dll
2009-06-25 08:41:10 301568 --shatr- c:\windows\$hf_mig$\kb968389\sp3qfe\kerberos.dll
2009-08-28 10:07:35 173056 --shatr- c:\windows\$hf_mig$\kb974455-ie8\sp3qfe\ie4uinit.exe
2009-10-28 14:10:10 173056 --shatr- c:\windows\$hf_mig$\kb976325-ie8\sp3qfe\ie4uinit.exe
2004-08-04 04:10:08 53248 -csh-tr- c:\windows\$ntservicepackuninstall$\1394bus.sys
2006-09-21 20:24:24 56 --sh--r- c:\windows\system32\8696641427.sys
2006-09-21 20:24:24 3766 --sh--w- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 20:09:04.35 ===============

Attached Files
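The first post carries two pieces of evidence a responder would pull apart before running anything else: the STOP 0x50 transcript (which names a driver, its load address and its build stamp) and the DDS log (which lists where every running process and driver is loaded from). The script below is an added example written for this page; it is not part of the thread and not code from DDS, GMER or Symantec. It parses the bugcheck line into module plus module-relative offset and decodes the "Datestamp" (XP prints the driver's PE TimeDateStamp, a Unix time), then walks DDS-style lines and raises review items for images executing out of a Temp folder and for LSA Notification Packages beyond the stock "scecli". The sample lines are copied from the post's own log; the checks produce items for a human to look at, not verdicts.

```python
"""Triage helpers for the evidence in the post above: the STOP 0x50 transcript
and a few lines of the DDS log. Added example; not part of the thread and not
code from the DDS or GMER tools. The sample lines below are copied from the
post, and the checks only raise items for a human to review, not verdicts."""
import re
from datetime import datetime, timezone

# "Stop: 0x00000050 (p1, p2, p3, p4)" followed by
# "<module> - Address X base at Y, Datestamp Z" on the next line.
STOP_RE = re.compile(
    r"Stop:\s*0x([0-9A-Fa-f]{8})\s*\(([^)]*)\)\s*(\S+)\s*-\s*Address\s+([0-9A-Fa-f]+)"
    r"\s+base at\s+([0-9A-Fa-f]+),\s*Datestamp\s+([0-9A-Fa-f]+)"
)

def parse_stop(text):
    """Return bugcheck code, parameters, faulting module, the module-relative
    offset of the faulting address, and the module's build time. XP prints the
    driver's PE TimeDateStamp as 'Datestamp', so it decodes as a Unix time."""
    m = STOP_RE.search(text)
    if m is None:
        return None
    code, params, module, addr, base, stamp = m.groups()
    built = datetime.fromtimestamp(int(stamp, 16), tz=timezone.utc)
    return {
        "code": int(code, 16),
        "params": [int(p.strip(), 16) for p in params.split(",")],
        "module": module,
        "offset": int(addr, 16) - int(base, 16),
        "built": built.strftime("%Y-%m-%d %H:%M:%S"),
    }

# DDS service/driver line: "S3 name;description;path [date size]"
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*?)(?:\s+\[[^\]]*\])?$")
TEMP_RE = re.compile(r"\\temp\\", re.I)   # image path passes through a Temp folder
LSA_DEFAULT_PACKAGES = {"scecli"}         # the only Notification Package on a stock XP box

def triage_dds(lines):
    """Walk DDS log lines and collect review items: processes or drivers whose
    image lives under a Temp directory, and LSA Notification Packages beyond
    the default. Returns a list of (kind, detail) tuples in log order."""
    findings, section = [], None
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("=") and line.endswith("="):
            section = line.strip("= ").lower()   # e.g. "running processes"
            continue
        if section == "running processes" and TEMP_RE.search(line):
            findings.append(("process-from-temp", line))
        elif section == "services / drivers":
            m = SERVICE_RE.match(line)
            if m and TEMP_RE.search(m.group(4)):
                findings.append(("driver-from-temp", m.group(2)))
        elif line.startswith("LSA: Notification Packages"):
            packages = line.split("=", 1)[1].split()
            extra = [p for p in packages if p.lower() not in LSA_DEFAULT_PACKAGES]
            if extra:
                findings.append(("lsa-notification-package", " ".join(extra)))
    return findings

# Sample input copied from the post's transcript and DDS log.
STOP_TEXT = """PAGE_FAULT_IN_NONPAGED_AREA
Stop: 0x00000050 (0xF98CC000, 0x00000000, 0xB6DCAFEC, 0x00000000)
fxldypow.sys - Address B6DCAFEC base at B6DCA000, Datestamp 4b274f8d"""

DDS_SAMPLE = [
    "============== Running Processes ===============",
    r"C:\WINDOWS\system32\svchost -k DcomLaunch",
    r"C:\Program Files\Symantec AntiVirus\Rtvscan.exe",
    r"C:\DOCUME~1\Scott\LOCALS~1\Temp\clclean.0001",
    "============== Pseudo HJT Report ===============",
    "LSA: Notification Packages = scecli uscl32.dll",
    "============= SERVICES / DRIVERS ===============",
    r"R0 phmcd;phmcd;c:\windows\system32\drivers\phmcd.sys [2008-4-8 44696]",
    r"S3 iMSPCLOj;iMSPCLOj;\??\c:\docume~1\scott\locals~1\temp\imspcloj.sys --> c:\docume~1\scott\locals~1\temp\iMSPCLOj.sys [?]",
]

if __name__ == "__main__":
    crash = parse_stop(STOP_TEXT)
    print(f"{crash['module']} faulted at +0x{crash['offset']:x}, built {crash['built']} UTC")
    for kind, detail in triage_dds(DDS_SAMPLE):
        print(f"[{kind}] {detail}")
```

Run stand-alone it prints the faulting module with its offset and build time and then the three review items. The Temp-folder and Notification Packages rules are deliberately narrow: they point the helper at lines worth asking about, which is exactly what the log request in the next reply is for.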





#2 thcbytes (Malware Response Team, 14,790 posts)

Posted 21 February 2010 - 05:05 PM

Hi and welcome to the HijackThis Logs and Virus/Trojan/Spyware/Malware Removal forum,

I am thcbytes and I am here to help you!

I ask that you refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Please perform all steps in the order received and do not proceed if you need clarification.

Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems please stop and tell me about it. When your computer is clean I will alert you of such. I will also provide you with detailed suggestions for prevention.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days, if your topic has not been replied to, I will assume it has been abandoned and I will close it.

I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please be courteous and appreciative for the assistance provided!

Again I would like to remind you to make no further changes to your computer unless I direct you to do so. Your computer fix will be based on the current condition of your computer! Any changes might delay my ability to help you.

==========

RKill by Grinler
Link #1
Link #2
Link #3
Link #4
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Download Link #1.
  • Save it to your Desktop.
  • Double click the RKill desktop icon.
    If you are using Vista please right click and run as Admin!
  • A black screen will briefly flash indicating a successful run.
  • If this does not occur please delete that application and download Link #2.
  • Continue process until the tool runs.
  • If the tool does not run from any of the links tell me about it.

==========

Download and Run ComboFix (by sUBs)

You must rename it before saving it.





Please download ComboFix from one of these locations:

Link 1
Link 2

Save thcbytes.exe to your Desktop <-- Important!!!
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.

  • Double click on thcbytes.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply

A word of warning: Neither I nor sUBs is responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


==========

With your next post please provide:

* RKill log
* Combofix.txt
Kind regards,
~t

Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#3 bassbloke (Topic Starter, Members, 16 posts)

Posted 21 February 2010 - 05:48 PM

Here ya go!

Attached Files



#4 bassbloke (Topic Starter, Members, 16 posts)

Posted 21 February 2010 - 06:11 PM

I would like to add that when this first started happening, I backed up my computer to my external hard drive while in safe mode. I don't know if this complicates things or if I bleeped up all of the data on my external hard drive, but I would like to know if the external needs to be fixed as well. It has not been connected to my computer since I backed up and I will not connect it again until you advise me to.

Thanks a million!

#5 thcbytes (Malware Response Team, 14,790 posts)

Posted 21 February 2010 - 08:58 PM

Hello,

Please read and follow my instructions...

From the intro
QUOTE
Please copy and paste all logs into your post unless directed otherwise.


==========

I see you have run Combofix unsupervised. This is ill advised!!

This is a complex and powerful tool that should not be used except under the supervision and direction of a malware expert. It can and will render your computer unbootable permanently!! Also realize that in most circumstances a single run of Combofix is ineffective. Specialized scripts will be written specifically directing this program to clean up based on your logs!!

I would like to see your first CF log. You will find it @ C:\ComboFix.txt

==========
  • Click on Start, then Run.
  • Copy and Paste the green bold text below in to the Run Box:

cmd /c dir /a /s C:\QooBox >log.txt&start log.txt

  • Then click on OK.
  • A Text File will open up, please Copy and Paste the contents in your next reply.

==========

Please go to start => Run => Copy and paste the bold line in the run-box and click OK:

"C:\Qoobox\Add-Remove Programs.txt"

A text file opens up, copy and paste the content to your reply.

==========

QUOTE
I backed up my computer to my external hard drive


Thanks for telling me. Please connect all external and flash drives that might be infected and leave them connected till I give you the all clear. In addition, with the drives connected, please do this:

Right click and delete your current copy of Combofix.

Re-run RKill


Download and Run ComboFix (by sUBs)

You must rename it before saving it.





Please download ComboFix from one of these locations:

Link 1
Link 2

Save thcbytes.exe to your Desktop <-- Important!!!
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.

  • Double click on thcbytes.exe & follow the prompts.

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply

==========

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

QUOTE
To re-enable your Emulation drivers, double click DeFogger to run the tool.
  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

Your Emulation drivers are now re-enabled.


==========

Try to re-run Gmer
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

==========

Please download MBR.EXE by GMER. Save the file in your root directory. (C:\)
  • Open Notepad and copy and paste the text in the codebox below (excluding the word Code) into Notepad.
    CODE
    @echo off
    cd\
    mbr.exe -t
    start mbr.log
  • Next, select File --> Save As, change file type to All Files (*.*), and save it as fixme.bat in your c:\ folder.
  • Open your c:\ folder, right-click on fixme.bat and select Run as Administrator. A logfile will open (C:\mbr.log). Please paste the contents in your next reply.

==========

With your next post please provide:

* 1st Combofix.txt log
* Qoobox.txt
* Add/Remove.txt
* Combofix.txt
* Gmer log (if able)
* Mbr log

Kind regards,
~t
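The last step in the reply above runs mbr.exe -t, which tests the disk's master boot record for tampering; the redirect symptom in this thread is one of the reasons a helper asks for that log. The script below is an added example written for this page, not part of the thread and not mbr.exe's own code: it parses a 512-byte MBR sector (boot code, disk signature area, four partition entries, the 0x55AA signature) and compares two images region by region, which is the simplest form of the consistency check such a tool performs. The sectors it works on are constructed in the script, not read from any disk.

```python
"""Parse and compare 512-byte MBR sectors. Added example, not part of the
thread and not the mbr.exe tool's code; it shows what a 'test the MBR' step
is looking at. The sectors below are constructed, not read from any disk."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440          # bytes 0..439: boot code; 440..445: disk signature + 2 reserved bytes
PART_TABLE_OFFSET = 446      # four 16-byte partition entries
ENTRY_FMT = "<B3sB3sII"      # status, CHS start, type, CHS end, LBA start, sector count
SIGNATURE = b"\x55\xaa"      # bytes 510..511

def parse_mbr(sector):
    """Return the boot-code digest, signature check and non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(
            ENTRY_FMT, sector, PART_TABLE_OFFSET + i * struct.calcsize(ENTRY_FMT))
        if ptype == 0:
            continue                                   # unused slot
        partitions.append({"index": i, "bootable": status == 0x80,
                           "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "signature_ok": sector[510:512] == SIGNATURE,
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }

def mbr_diff(reference, observed):
    """Name the regions in which two MBR images differ; an empty list means
    they match. Comparing a sector read now against a trusted earlier copy
    (or the same sector read through two different paths) is the basic test
    for boot-code tampering."""
    regions = []
    if reference[:BOOT_CODE_LEN] != observed[:BOOT_CODE_LEN]:
        regions.append("boot_code")
    if reference[BOOT_CODE_LEN:PART_TABLE_OFFSET] != observed[BOOT_CODE_LEN:PART_TABLE_OFFSET]:
        regions.append("disk_signature_area")
    if reference[PART_TABLE_OFFSET:510] != observed[PART_TABLE_OFFSET:510]:
        regions.append("partition_table")
    if reference[510:] != observed[510:]:
        regions.append("signature")
    return regions

def build_sample_mbr():
    """Constructed sector: placeholder boot code, one bootable NTFS-type (0x07)
    partition starting at LBA 63, a disk signature and a valid 0x55AA trailer."""
    sector = bytearray(SECTOR_SIZE)
    sector[:3] = b"\xfa\x33\xc0"                        # cli; xor ax,ax: typical opening bytes
    struct.pack_into("<I", sector, BOOT_CODE_LEN, 0x1234ABCD)
    struct.pack_into(ENTRY_FMT, sector, PART_TABLE_OFFSET,
                     0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 195358140)
    sector[510:512] = SIGNATURE
    return bytes(sector)

SAMPLE_MBR = build_sample_mbr()
# Constructed "tampered" copy: one byte of boot code changed, table and signature intact.
TAMPERED_MBR = SAMPLE_MBR[:3] + b"\xe9" + SAMPLE_MBR[4:]

if __name__ == "__main__":
    info = parse_mbr(SAMPLE_MBR)
    print("signature ok:", info["signature_ok"], "partitions:", info["partitions"])
    print("tampered regions:", mbr_diff(SAMPLE_MBR, TAMPERED_MBR))
```

The point of splitting the comparison by region is diagnostic: a changed partition table usually means a legitimate repartition, while changed boot code with an untouched table and signature is the pattern worth escalating, since the partition layout still looks normal to the operating system.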

#6 bassbloke (Topic Starter, Members, 16 posts)

Posted 25 February 2010 - 12:58 AM

Here is the whole enchilada. In case it matters, I had to forcibly shut my computer down after the GMER lock-up. The lock-up was characterized by the lsass process taking up ~50% of my processor power and another process or combination of processes (NOT the system idle process) taking up the other 50% of processing power. I would terminate a process that was taking up a significant portion of processor power for no significant reason, and the processing load would shift to another process that was previously taking 0% of processor power. I realized then that there was no way to fix my system by deleting running processes, and I had to hold the power button down. Below are the logs you requested.

__________________________________________________

Volume in drive C has no label.
Volume Serial Number is 70BE-15F8

Directory of C:\QooBox

02/21/2010 04:41 PM <DIR> .
02/21/2010 04:41 PM <DIR> ..
02/21/2010 04:40 PM 10,630 Add-Remove Programs.txt
02/21/2010 04:24 PM <DIR> BackEnv
02/21/2010 04:41 PM 4,189 ComboFix-quarantined-files.txt
02/18/2010 07:19 PM 19,664 ComboFix2.txt
02/18/2010 07:04 PM <DIR> Quarantine
02/21/2010 04:40 PM 0 SnapShot@2010-02-21_22.34.48.dat
4 File(s) 34,483 bytes

Directory of C:\QooBox\BackEnv

02/21/2010 04:24 PM <DIR> .
02/21/2010 04:24 PM <DIR> ..
02/21/2010 04:24 PM 349 appdata.folder.dat
02/21/2010 04:24 PM 324 cache.folder.dat
02/21/2010 04:24 PM 196 Cookies.folder.dat
02/21/2010 04:24 PM 141 desktop.folder.dat
02/21/2010 04:24 PM 199 favorites.folder.dat
02/21/2010 04:24 PM 292 localappdata.folder.dat
02/21/2010 04:24 PM 283 localsettings.folder.dat
02/21/2010 04:24 PM 153 mypictures.folder.dat
02/21/2010 04:24 PM 117 personal.folder.dat
02/21/2010 04:24 PM 307 Profiles.Folder.dat
02/21/2010 04:24 PM 473 Profiles.Folder.folder.dat
02/21/2010 04:24 PM 177 programs.folder.dat
02/21/2010 04:24 PM 5,331 SetPath.bat
02/21/2010 04:24 PM 150 startmenu.folder.dat
02/21/2010 04:24 PM 201 startup.folder.dat
02/21/2010 04:24 PM 1,806 SysPath.dat
02/21/2010 04:24 PM 147 templates.folder.dat
17 File(s) 10,646 bytes

Directory of C:\QooBox\Quarantine

02/18/2010 07:04 PM <DIR> .
02/18/2010 07:04 PM <DIR> ..
02/18/2010 07:08 PM <DIR> C
02/21/2010 04:35 PM 723 catchme.log
02/21/2010 04:40 PM <DIR> Registry_backups
1 File(s) 723 bytes

Directory of C:\QooBox\Quarantine\C

02/18/2010 07:08 PM <DIR> .
02/18/2010 07:08 PM <DIR> ..
02/18/2010 07:08 PM <DIR> Documents and Settings
02/18/2010 07:08 PM <DIR> DOCUME~1
02/18/2010 07:08 PM <DIR> WINDOWS
0 File(s) 0 bytes

Directory of C:\QooBox\Quarantine\C\Documents and Settings

02/18/2010 07:08 PM <DIR> .
02/18/2010 07:08 PM <DIR> ..
02/18/2010 07:08 PM <DIR> All Users
02/18/2010 07:08 PM <DIR> Scott
0 File(s) 0 bytes

Directory of C:\QooBox\Quarantine\C\Documents and Settings\All Users

02/18/2010 07:08 PM <DIR> .
02/18/2010 07:08 PM <DIR> ..
02/18/2010 07:08 PM <DIR> Application Data
02/18/2010 07:08 PM <DIR> Start Menu
0 File(s) 0 bytes

Directory of C:\QooBox\Quarantine\C\Documents and Settings\All Users\Application Data

02/18/2010 07:08 PM <DIR> .
02/18/2010 07:08 PM <DIR> ..
02/18/2010 07:08 PM <DIR> Microsoft
0 File(s) 0 bytes

Directory of C:\QooBox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft

02/18/2010 07:08 PM <DIR> .
02/18/2010 07:08 PM <DIR> ..
02/18/2010 07:08 PM <DIR> Network
0 File(s) 0 bytes

Directory of C:\QooBox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\Network

02/18/2010 07:08 PM <DIR> .
02/18/2010 07:08 PM <DIR> ..
02/18/2010 07:08 PM <DIR> Downloader
0 File(s) 0 bytes

Directory of C:\QooBox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader

02/18/2010 07:08 PM <DIR> .
02/18/2010 07:08 PM <DIR> ..
02/18/2010 06:27 PM 5,479 qmgr0.dat.vir
02/18/2010 06:27 PM 7,043 qmgr1.dat.vir
2 File(s) 12,522 bytes

Directory of C:\QooBox\Quarantine\C\Documents and Settings\All Users\Start Menu

02/18/2010 07:08 PM <DIR> .
02/18/2010 07:08 PM <DIR> ..
02/18/2010 07:08 PM <DIR> Programs
0 File(s) 0 bytes

Directory of C:\QooBox\Quarantine\C\Documents and Settings\All Users\Start Menu\Programs

02/18/2010 07:08 PM <DIR> .
02/18/2010 07:08 PM <DIR> ..
02/18/2010 07:08 PM <DIR> Stop MotionMaker
02/18/2010 07:08 PM <DIR> Stop MotionMaker
0 File(s) 0 bytes

Directory of C:\QooBox\Quarantine\C\Documents and Settings\All Users\Start Menu\Programs\Stop MotionMaker

02/18/2010 07:08 PM <DIR> .
02/18/2010 07:08 PM <DIR> ..
0 File(s) 0 bytes

Directory of C:\QooBox\Quarantine\C\Documents and Settings\All Users\Start Menu\Programs\Stop MotionMaker

02/18/2010 07:08 PM <DIR> .
02/18/2010 07:08 PM <DIR> ..
10/17/2006 10:26 PM 1,539 StopMotionMakerFull.lnk.vir
10/17/2006 10:26 PM 1,577 Uninstall Stop MotionMaker .lnk.vir
2 File(s) 3,116 bytes

Directory of C:\QooBox\Quarantine\C\Documents and Settings\Scott

02/18/2010 07:08 PM <DIR> .
02/18/2010 07:08 PM <DIR> ..
02/18/2010 07:08 PM <DIR> Local Settings
02/18/2010 07:08 PM <DIR> Start Menu
0 File(s) 0 bytes

Directory of C:\QooBox\Quarantine\C\Documents and Settings\Scott\Local Settings

02/18/2010 07:08 PM <DIR> .
02/18/2010 07:08 PM <DIR> ..
02/18/2010 07:08 PM <DIR> Application Data
0 File(s) 0 bytes

Directory of C:\QooBox\Quarantine\C\Documents and Settings\Scott\Local Settings\Application Data

02/18/2010 07:08 PM <DIR> .
02/18/2010 07:08 PM <DIR> ..
02/18/2010 07:08 PM <DIR> {B2B91BE1-25F7-4E64-B905-F66D18DDC519}
0 File(s) 0 bytes

Directory of C:\QooBox\Quarantine\C\Documents and Settings\Scott\Local Settings\Application Data\{B2B91BE1-25F7-4E64-B905-F66D18DDC519}

02/18/2010 07:08 PM <DIR> .
02/18/2010 07:08 PM <DIR> ..
02/18/2010 07:08 PM <DIR> chrome
02/17/2010 08:10 PM 122 chrome.manifest.vir
02/17/2010 08:10 PM 764 install.rdf.vir
2 File(s) 886 bytes

Directory of C:\QooBox\Quarantine\C\Documents and Settings\Scott\Local Settings\Application Data\{B2B91BE1-25F7-4E64-B905-F66D18DDC519}\chrome

02/18/2010 07:08 PM <DIR> .
02/18/2010 07:08 PM <DIR> ..
02/18/2010 07:08 PM <DIR> content
0 File(s) 0 bytes

Directory of C:\QooBox\Quarantine\C\Documents and Settings\Scott\Local Settings\Application Data\{B2B91BE1-25F7-4E64-B905-F66D18DDC519}\chrome\content

02/18/2010 07:08 PM <DIR> .
02/18/2010 07:08 PM <DIR> ..
02/17/2010 08:10 PM 6,778 overlay.xul.vir
02/17/2010 08:10 PM 2,014 _cfg.js.vir
2 File(s) 8,792 bytes

Directory of C:\QooBox\Quarantine\C\Documents and Settings\Scott\Start Menu

02/18/2010 07:08 PM <DIR> .
02/18/2010 07:08 PM <DIR> ..
02/18/2010 07:08 PM <DIR> Programs
0 File(s) 0 bytes

Directory of C:\QooBox\Quarantine\C\Documents and Settings\Scott\Start Menu\Programs

02/18/2010 07:08 PM <DIR> .
02/18/2010 07:08 PM <DIR> ..
02/18/2010 07:10 PM <DIR> Startup
0 File(s) 0 bytes

Directory of C:\QooBox\Quarantine\C\Documents and Settings\Scott\Start Menu\Programs\Startup

02/18/2010 07:10 PM <DIR> .
02/18/2010 07:10 PM <DIR> ..
04/14/2008 04:42 AM 28,160 monnid32.exe.vir
02/18/2010 07:08 PM 20,421 _monnid32_.exe.zip
2 File(s) 48,581 bytes

Directory of C:\QooBox\Quarantine\C\DOCUME~1

02/18/2010 07:08 PM <DIR> .
02/18/2010 07:08 PM <DIR> ..
02/18/2010 07:08 PM <DIR> Scott
0 File(s) 0 bytes

Directory of C:\QooBox\Quarantine\C\DOCUME~1\Scott

02/18/2010 07:08 PM <DIR> .
02/18/2010 07:08 PM <DIR> ..
02/18/2010 07:08 PM <DIR> LOCALS~1
0 File(s) 0 bytes

Directory of C:\QooBox\Quarantine\C\DOCUME~1\Scott\LOCALS~1

02/18/2010 07:08 PM <DIR> .
02/18/2010 07:08 PM <DIR> ..
02/18/2010 07:08 PM <DIR> Temp
0 File(s) 0 bytes

Directory of C:\QooBox\Quarantine\C\DOCUME~1\Scott\LOCALS~1\Temp

02/18/2010 07:08 PM <DIR> .
02/18/2010 07:08 PM <DIR> ..
02/18/2010 07:08 PM <DIR> clclean.0001.dir.0004
0 File(s) 0 bytes

Directory of C:\QooBox\Quarantine\C\DOCUME~1\Scott\LOCALS~1\Temp\clclean.0001.dir.0004

02/18/2010 07:08 PM <DIR> .
02/18/2010 07:08 PM <DIR> ..
02/18/2010 06:27 PM 697,884 ~df394b.tmp.vir
1 File(s) 697,884 bytes

Directory of C:\QooBox\Quarantine\C\WINDOWS

02/18/2010 07:08 PM <DIR> .
02/18/2010 07:08 PM <DIR> ..
04/14/2008 04:42 AM 163,840 iqetamuxudipota.dll.vir
02/18/2010 07:08 PM <DIR> Stop MotionMaker
02/18/2010 07:08 PM <DIR> system32
02/18/2010 07:08 PM <DIR> Temp
1 File(s) 163,840 bytes

Directory of C:\QooBox\Quarantine\C\WINDOWS\Stop MotionMaker

02/18/2010 07:08 PM <DIR> .
02/18/2010 07:08 PM <DIR> ..
10/17/2006 10:26 PM 451,072 uninstall.exe.vir
1 File(s) 451,072 bytes

Directory of C:\QooBox\Quarantine\C\WINDOWS\system32

02/18/2010 07:08 PM <DIR> .
02/18/2010 07:08 PM <DIR> ..
02/18/2010 07:08 PM <DIR> drivers
11/28/2009 06:34 PM 100 prsgrc.dll.vir
02/18/2010 07:08 PM <DIR> Settings
1 File(s) 100 bytes

Directory of C:\QooBox\Quarantine\C\WINDOWS\system32\drivers

02/18/2010 07:08 PM <DIR> .
02/18/2010 07:08 PM <DIR> ..
11/28/2008 10:04 PM 5 1028_DELL_XPS_MM061 .MRK.vir
11/28/2008 10:04 PM 5 DELL_XPS_MM061 .MRK.vir
2 File(s) 10 bytes

Directory of C:\QooBox\Quarantine\C\WINDOWS\system32\Settings

02/18/2010 07:08 PM <DIR> .
02/18/2010 07:08 PM <DIR> ..
12/05/2006 01:24 AM 0 Settings.ini.vir
1 File(s) 0 bytes

Directory of C:\QooBox\Quarantine\C\WINDOWS\Temp

02/18/2010 07:08 PM <DIR> .
02/18/2010 07:08 PM <DIR> ..
02/21/2010 04:35 PM <DIR> logishrd
0 File(s) 0 bytes

Directory of C:\QooBox\Quarantine\C\WINDOWS\Temp\logishrd

02/21/2010 04:35 PM <DIR> .
02/21/2010 04:35 PM <DIR> ..
02/05/2008 06:20 PM 109,080 LVPrcInj01.dll.vir
02/21/2010 04:35 PM 107,900 _LVPrcInj01_.dll.zip
2 File(s) 216,980 bytes

Directory of C:\QooBox\Quarantine\Registry_backups

02/21/2010 04:40 PM <DIR> .
02/21/2010 04:40 PM <DIR> ..
02/18/2010 07:18 PM 1,260 AddRemove-Stop MotionMaker 1.41.reg.dat
02/18/2010 07:18 PM 912 AddRemove-WebCyberCoach_wtrb.reg.dat
02/18/2010 07:18 PM 158 HKLM-Run-Uvudiziresoxiw.reg.dat
02/18/2010 07:18 PM 306 Notify-NavLogon.reg.dat
02/18/2010 07:18 PM 582 SafeBoot-Symantec Antvirus.reg.dat
02/21/2010 04:30 PM 10,039 tcpip.reg
6 File(s) 13,257 bytes

Total Files Listed:
47 File(s) 1,662,892 bytes
107 Dir(s) 27,453,198,336 bytes free

______________________________________________________________________________________________________________________________________________________________________________

2d3 SteadyMove for Adobe Premiere Pro
2d3 SteadyMove for Adobe Premiere Pro 2.0
32 Bit HP CIO Components Installer
ACD/Labs Software in C:\Program Files\ACDFREE12\
Active@ Hard Disk Monitor
Adobe Acrobat 7.0 Professional
Adobe Acrobat 7.1.0 Professional
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Audition 2.0
Adobe Audition 2.0 Loopology Content
Adobe Bridge 1.0
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Common File Installer
Adobe Default Language CS3
Adobe ExtendScript Toolkit 2
Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Fonts All
Adobe Help Center 2.0
Adobe Help Viewer CS3
Adobe Illustrator 10
Adobe InDesign CS3
Adobe InDesign CS3 Icon Handler
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop CS
Adobe Photoshop Elements 4.0
Adobe Premiere Elements 4.0
Adobe Premiere Elements 4.0 Templates
Adobe Premiere Pro 2.0
Adobe Reader 9.3
Adobe Setup
Adobe Shockwave Player
Adobe SING CS3
Adobe Stock Photos 1.0
Adobe Stock Photos CS3
Adobe SVG Viewer 3.0
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
AIM 6
Amazon MP3 Downloader 1.0.3
American Heritage Dictionary, 4th Ed.
Andrea VoiceCenter
AOLIcon
AutoHotkey 1.0.47.06
AutoUpdate
Backup Chunker 2.2 Free Edition
BitTorrent 4.22.1
BounceBack Express
Broadcom Management Programs
Camera Support Core Library
Camera Window DS
Camera Window DVC
Camera Window MC
Canon Camera Support Core Library
Canon Camera WIA Driver
Canon Camera Window DS for ZoomBrowser EX
Canon Camera Window DVC for ZoomBrowser EX
Canon Camera Window for ZoomBrowser EX
Canon MovieEdit Task for ZoomBrowser EX
Canon MP Navigator 3.0
Canon MP460
Canon MP460 User Registration
Canon My Printer
Canon PhotoRecord
Canon PowerShot G3 WIA Driver
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities Easy-PhotoPrint
Canon Utilities PhotoStitch 3.1
Canon ZoomBrowser EX
CCleaner
Compatibility Pack for the 2007 Office system
Conexant HDA D110 MDC V.92 Modem
Consumer Complete Care Services Agreement
Creative Media Lite
Creative MediaSource
Creative Removable Disk Manager
Creative System Information
Creative ZEN Stone Plus User's Guide
Creative Zen Vision M
Dell Digital Jukebox Driver
Dell ResourceCD
Dell Support 3.1
Dell System Restore
Digital Content Portal
Digital Line Detect
DivX Converter
DivX Player
DivX Web Player
Documentation & Support Launcher
DVD Decrypter (Remove Only)
Easy-WebPrint
EasyCleaner
EducateU
ELIcon
eMusic - 50 Free MP3 offer
EndNote Web 2.5
Finale NotePad 2008
Google Chrome
Google Earth
Google Gears
Google Update Helper
GoToAssist 8.0.0.514
Grapher 6
Hotfix for Microsoft .NET Framework 3.0 (KB932471)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB954550-v5)
ImgBurn
Intel® PROSet/Wireless Software
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 8
J2SE Runtime Environment 5.0 Update 9
Java 2 Runtime Environment, SE v1.4.2_03
Java™ 6 Update 2
Java™ 6 Update 3
Java™ SE Runtime Environment 6 Update 1
Joystick 2 Mouse 3
KhalSetup
KoolMoves 5.5
Lexmark 730 Series
LiveUpdate 3.3 (Symantec Corporation)
Logitech Audio Echo Cancellation Component
Logitech Legacy USB Camera Driver Package
Logitech QuickCam
Logitech QuickCam Driver Package
Logitech SetPoint
Logitech Updater
Logitech Video Enumerator
LucasArts' TIE Fighter
LucasArts' X-Wing
LucasArts' X-Wing vs. TIE Fighter
Magic ISO Maker v5.5 (build 0273)
MagicDisc 2.7.106
Malwarebytes' Anti-Malware
mCore
MCU
mDrWiFi
mHlpDell
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Encarta Encyclopedia Standard 2006
Microsoft IntelliType Pro 5.3
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Live Add-in 1.3
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Works Suite 2006 Setup Launcher
mIWA
mLogView
mMHouse
Move Media Player
MovieEdit Task
MOViewer
MP3 Player Recovery Tool
mPfMgr
mPfWiz
mProSafe
mSSO
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
MSXML 6.0 Parser (KB933579)
mWlsSafe
mWMI
mXML
mZConfig
NCH Toolbox
NVIDIA Drivers
NVIDIA nTune
PDF Settings
PeakSimple 3.29
PhotoStitch
POV-Ray for Windows v3.6.1c
PowerDVD 5.7
Qualxserve Service Agreement
QuickSet
QuickTime
Rainlendar2 (remove only)
RAW Image Task 1.2
RealPlayer
RemoteCapture Task 1.1
ResearchSoft Direct Export Helper
Roxio DLA
ScanSoft OmniPage SE 4.0
Search Assist
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB973704)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB973593)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB969693)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923689)
SigmaPlot 11.0
Skype 3.8
Sonic Copy Module
Sonic Express Labeler
Sonic MyDVD Plus
Sonic RecordNow Audio
Sonic RecordNow Data
Sonic Update Manager
Sound Blaster ADVANCED MB Drivers
Sound Blaster Audigy ADVANCED MB
Sound Blaster Audigy ADVANCED MB Product Registration
Spybot - Search & Destroy 1.4
Star Wars Jedi Knight Jedi Academy
Symantec Endpoint Protection
Synaptics Pointing Device Driver
System Requirements Lab
TempoPerfect
UMVPLStandalone
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office InfoPath 2007 (KB976416)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 (KB974561)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (kb977719)
Update for Windows Internet Explorer 8 (KB973874)
Update for Windows Internet Explorer 8 (KB975364)
Update for Windows Internet Explorer 8 (KB976749)
URL Assistant
VideoLAN VLC media player 0.8.6a
Viewpoint Media Player
WebFldrs XP
Winamp (remove only)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live Sign-in Assistant
Windows Management Framework Core
Windows Media Format 11 runtime
Windows Media Player 11
Windows Presentation Foundation
Windows XP Service Pack 3
WinRAR archiver
WinSCP 4.1.8
X-Wing & TIE Fighter 95 Compatibility Fix
XML Paper Specification Shared Components Pack 1.0
xRC 1.1
Yahoo! Internet Mail
Yahoo! Toolbar
ZENcast Organizer

______________________________________________________________________________________________________________________________________________________________________________


ComboFix 10-02-21.02 - Scott 02/22/2010 20:56:48.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.594 [GMT -6:00]
Running from: c:\documents and settings\Scott\Desktop\thcbytes.exe
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.
The following files were disabled during the run:
c:\windows\TEMP\logishrd\LVPrcInj01.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2010-01-23 to 2010-02-23 )))))))))))))))))))))))))))))))
.

2010-02-21 22:10 . 2010-02-21 22:10 -------- d--h--w- c:\windows\PIF
2010-02-21 20:27 . 2010-02-21 20:27 -------- d-----w- C:\spoolerlogs
2010-02-18 04:20 . 2010-02-18 04:20 -------- d-sh--w- c:\documents and settings\Scott\PrivacIE
2010-02-18 02:10 . 2010-02-18 19:57 0 ------w- c:\windows\Ydutum.bin
2010-02-18 02:10 . 2010-02-18 02:10 120 ------w- c:\windows\Gpamez.dat
2010-02-18 02:08 . 2008-04-14 06:10 34688 ------w- c:\windows\system32\drivers\lbrtfdc.sys
2010-02-18 02:08 . 2008-04-14 06:10 34688 ------w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-02-18 02:08 . 2008-04-14 06:11 8192 ------w- c:\windows\system32\drivers\Changer.sys
2010-02-18 02:08 . 2008-04-14 06:11 8192 ------w- c:\windows\system32\dllcache\changer.sys
2010-02-11 19:10 . 2009-12-14 07:08 33280 ------w- c:\windows\system32\dllcache\csrsrv.dll
2010-02-11 19:10 . 2009-11-27 17:11 17920 ------w- c:\windows\system32\dllcache\msyuv.dll
2010-02-11 19:10 . 2009-11-27 16:07 8704 ------w- c:\windows\system32\dllcache\tsbyuv.dll
2010-02-11 19:10 . 2009-11-27 16:07 11264 ------w- c:\windows\system32\dllcache\msrle32.dll
2010-02-11 19:10 . 2009-11-27 16:07 28672 ------w- c:\windows\system32\dllcache\msvidc32.dll
2010-02-11 19:10 . 2009-11-27 16:07 48128 ------w- c:\windows\system32\dllcache\iyuv_32.dll
2010-02-11 19:10 . 2009-12-16 18:43 343040 ------w- c:\windows\system32\dllcache\mspaint.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-23 01:31 . 2009-02-13 04:39 -------- d-----w- c:\documents and settings\Scott\Application Data\EndNote
2010-02-21 21:01 . 2006-08-04 03:10 -------- d-----w- c:\program files\Common Files\Adobe
2010-02-20 00:41 . 2008-10-08 21:04 -------- d-----w- c:\documents and settings\Scott\Application Data\U3
2010-02-19 00:30 . 2010-02-19 00:30 24 ------w- c:\documents and settings\LocalService\Application Data\cqfyto.dat
2010-02-18 02:04 . 2010-02-18 02:04 24 ------w- c:\windows\system32\config\systemprofile\Application Data\cqfyto.dat
2010-02-14 21:41 . 2009-05-09 21:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-01-19 05:02 . 2006-07-31 15:23 123677 ----a-w- c:\windows\system32\nvModes.dat
2010-01-18 05:13 . 2010-01-17 18:17 -------- d-----w- c:\program files\PeakSimple 3.29
2010-01-18 03:47 . 2009-09-12 18:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-18 03:47 . 2010-01-18 03:47 5115824 ------w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-13 04:35 . 2010-01-13 04:06 -------- d-----w- c:\program files\Lexmark 730 Series
2010-01-07 22:07 . 2009-09-12 18:42 38224 ------w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 22:07 . 2009-09-12 18:42 19160 ------w- c:\windows\system32\drivers\mbam.sys
2010-01-01 18:15 . 2006-09-03 05:05 -------- d-----w- c:\program files\Symantec AntiVirus
2010-01-01 16:50 . 2010-01-01 08:50 -------- d-----w- c:\program files\Backup Chunker
2009-12-31 16:50 . 2006-07-31 15:11 353792 ------w- c:\windows\system32\drivers\srv.sys
2009-12-29 20:25 . 2007-05-22 03:52 -------- d-----w- c:\program files\Joystick 2 Mouse 3
2009-12-26 23:32 . 2006-07-31 16:00 -------- d-----w- c:\program files\Google
2009-12-21 19:14 . 2004-08-11 22:00 916480 ------w- c:\windows\system32\wininet.dll
2009-12-16 18:43 . 2004-08-11 22:11 343040 ------w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2004-08-11 22:00 33280 ------w- c:\windows\system32\csrsrv.dll
2009-12-08 19:26 . 2004-08-11 22:00 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2004-08-04 03:59 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 18:22 . 2006-07-31 15:11 455424 ------w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-27 17:11 . 2004-08-11 22:00 1291776 ------w- c:\windows\system32\quartz.dll
2009-11-27 17:11 . 2004-08-04 05:56 17920 ------w- c:\windows\system32\msyuv.dll
2009-11-27 16:07 . 2004-08-11 22:00 28672 ------w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07 . 2001-08-18 03:36 8704 ------w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07 . 2004-08-11 22:00 11264 ------w- c:\windows\system32\msrle32.dll
2009-11-27 16:07 . 2004-08-11 22:00 84992 ------w- c:\windows\system32\avifil32.dll
2009-11-27 16:07 . 2004-08-04 05:56 48128 ------w- c:\windows\system32\iyuv_32.dll
2005-06-29 23:54 . 2006-07-31 15:35 30720 --sh-tr- c:\windows\$hf_mig$\KB899588\update\arpidfix.exe
2007-03-06 01:22 . 2008-01-19 18:39 14048 --sh-tr- c:\windows\$hf_mig$\KB943485\spmsg.dll
2007-03-06 01:22 . 2008-05-09 03:19 716000 --sh-tr- c:\windows\$hf_mig$\KB946026\update\update.exe
2008-06-13 11:27 . 2008-06-24 21:14 272128 --sh-tr- c:\windows\$hf_mig$\KB951376-v2\SP3QFE\bthport.sys
2008-08-26 09:08 . 2008-10-22 04:31 124928 --sh-tr- c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\advpack.dll
2009-02-09 10:56 . 2009-04-16 05:23 473600 --sh-tr- c:\windows\$hf_mig$\KB956572\SP3QFE\fastprox.dll
2009-02-20 18:09 . 2009-04-16 05:24 124928 --sh-tr- c:\windows\$hf_mig$\KB963027-IE7\SP3QFE\advpack.dll
2009-06-25 08:41 . 2009-08-18 23:52 301568 --sh-tr- c:\windows\$hf_mig$\KB968389\SP3QFE\kerberos.dll
2009-08-28 10:07 . 2009-10-23 01:10 173056 --sh-tr- c:\windows\$hf_mig$\KB974455-IE8\SP3QFE\ie4uinit.exe
2009-10-28 14:10 . 2009-12-25 06:09 173056 --sh-tr- c:\windows\$hf_mig$\KB976325-IE8\SP3QFE\ie4uinit.exe
2004-08-04 04:10 . 2008-06-08 03:59 53248 -csh-tr- c:\windows\$NtServicePackUninstall$\1394bus.sys
2006-09-21 20:24 . 2006-09-21 18:13 56 --sh--r- c:\windows\system32\8696641427.sys
2006-09-21 20:24 . 2006-09-21 20:24 3766 --sh--w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 24576]
"Rainlendar2"="c:\program files\Rainlendar2\Rainlendar2.exe" [2007-12-30 1365504]
"Google Update"="c:\documents and settings\Scott\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-11-01 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2005-03-15 196608]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-25 282624]
"nwiz"="nwiz.exe" [2006-05-01 1519616]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-01 7561216]
"MBMon"="CTMBHA.DLL" [2006-03-03 1355938]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-06-10 249856]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 602182]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-11-07 122940]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-05-07 115560]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-11-29 03:49 10536 ------w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AllAlertsDisabled"=dword:00000001
"TermService"=dword:00000001
"DisableMonitoring"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Symantec AntiVirus\\Rtvscan.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\LucasArts\\Star Wars Jedi Knight Jedi Academy\\GameData\\jamp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Symantec AntiVirus\\Smc.exe"=
"c:\\Program Files\\Symantec AntiVirus\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\mmc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 phmcd;phmcd;c:\windows\system32\drivers\phmcd.sys [4/8/2008 12:41 PM 44696]
R2 Active@ Disk Monitor;Active@ Disk Monitor;c:\program files\LSoft Technologies Inc\Active@ Hard Disk Monitor\DiskMonitorService.exe [8/4/2009 2:10 PM 1123784]
R2 portD;CMS PortIO Service;c:\windows\system32\drivers\portd2k.sys [8/16/2006 8:10 PM 14976]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [11/28/2008 8:39 PM 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [1/17/2010 12:53 PM 102448]
S1 SysTool;SysTool Overclocking Utility;c:\windows\system32\drivers\systool.sys [11/10/2006 7:08 AM 24064]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [8/4/2009 9:35 AM 133104]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\coh_mon.sys [8/11/2008 8:01 AM 23888]
S3 iMSPCLOj;iMSPCLOj;\??\c:\docume~1\Scott\LOCALS~1\Temp\iMSPCLOj.sys --> c:\docume~1\Scott\LOCALS~1\Temp\iMSPCLOj.sys [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/11/2004 4:00 PM 14336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder

2010-02-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-04 15:35]

2010-02-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-04 15:35]

2010-02-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-561761137-4247001159-1847809302-1005Core.job
- c:\documents and settings\Scott\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-02-21 02:06]

2010-02-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-561761137-4247001159-1847809302-1005UA.job
- c:\documents and settings\Scott\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-02-21 02:06]

2009-05-09 c:\windows\Tasks\HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job
- c:\program files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe [2005-02-22 07:00]
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
uInternet Settings,ProxyOverride = *.local
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
IE: Lookup on CD - c:\ahd4withthesaurus\ahd.htm
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-22 21:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:35,49,87,94,a9,22,37,7f,6b,aa,e2,a8,e6,8c,60,20,c9,0a,4a,ca,4d,
21,4a,65,69,ae,48,e8,6e,c5,32,5a,6e,cd,af,02,2a,3d,47,7d,31,cf,a9,d3,3c,ad,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\|"|w*]
"5E7CEC10DF0760D4F8DAFB12FDC06CCD"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{01CEC7E5-70FD-4D06-8FAD-BF21DF0CC6DC}\\Registered"

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:35,49,87,94,a9,22,37,7f,6b,aa,e2,a8,e6,8c,60,20,c9,0a,4a,ca,4d,
21,4a,65,69,ae,48,e8,6e,c5,32,5a,6e,cd,af,02,2a,3d,47,7d,31,cf,a9,d3,3c,ad,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(956)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll

- - - - - - - > 'explorer.exe'(8632)
c:\windows\system32\WININET.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\hnetcfg.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\WinSCP\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\program files\Symantec AntiVirus\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
c:\windows\system32\CTsvcCDA.exe
c:\program files\Creative\Shared Files\CTDevSrv.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Symantec AntiVirus\SmcGui.exe
c:\windows\stsystra.exe
c:\windows\system32\Rundll32.exe
c:\docume~1\Scott\LOCALS~1\Temp\clclean.0001
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
c:\documents and settings\Scott\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe
.
**************************************************************************
.
Completion time: 2010-02-22 21:11:45 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-23 03:11
ComboFix2.txt 2010-02-21 22:41
ComboFix3.txt 2010-02-19 01:19

Pre-Run: 27,451,867,136 bytes free
Post-Run: 27,412,799,488 bytes free

- - End Of File - - 13689816CB9AD63FE65C4DD6D3F4D9C3

______________________________________________________________________________________________________________________________________________________________________________


Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK

______________________________________________________________________________________________________________________________________________________________________________
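The ComboFix service table and "Other Running Processes" list above are the raw material a helper reads through for loaders that do not belong. As an added example (not part of the original post and not ComboFix's own code), the Python script below applies a few practitioner heuristics to the posted lines: an image path under a Temp directory, a .sys file outside system32\drivers, an executable with an odd extension, and a service whose file ComboFix could not find (the "[?]" marker). The heuristics are assumptions, not anything the log itself asserts; the sample lines are copied from the log.

```python
"""Triage of ComboFix service/driver and running-process lines.

Added example: not part of the original post and not ComboFix's own code.
The sample lines are copied from the ComboFix log posted above; the
suspicion rules are a practitioner's assumptions, not anything the log
itself asserts.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample input: a handful of lines taken from the posted log.
SAMPLE_LOG = r"""
R0 phmcd;phmcd;c:\windows\system32\drivers\phmcd.sys [4/8/2008 12:41 PM 44696]
R2 portD;CMS PortIO Service;c:\windows\system32\drivers\portd2k.sys [8/16/2006 8:10 PM 14976]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\coh_mon.sys [8/11/2008 8:01 AM 23888]
S3 iMSPCLOj;iMSPCLOj;\??\c:\docume~1\Scott\LOCALS~1\Temp\iMSPCLOj.sys --> c:\docume~1\Scott\LOCALS~1\Temp\iMSPCLOj.sys [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/11/2004 4:00 PM 14336]
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\docume~1\Scott\LOCALS~1\Temp\clclean.0001
c:\windows\system32\Rundll32.exe
"""

# Service line: "<R|S><start> name;display;image [date time size]".
# R = running, S = stopped; "[?]" in the bracket means the file was not found.
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<image>.+?)\s+\[(?P<meta>[^\]]*)\]\s*$"
)
PROCESS_RE = re.compile(r"^[a-zA-Z]:\\")   # "Other Running Processes" lines are bare paths


@dataclass
class Finding:
    kind: str                 # "service" or "process"
    name: str
    path: str
    reasons: List[str] = field(default_factory=list)

    @property
    def severity(self) -> str:
        return "high" if len(self.reasons) >= 2 else "medium"


def _normalize(path: str) -> str:
    """Drop the NT object-manager prefix and lower-case for matching."""
    path = path.strip()
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.lower()


def _path_reasons(path: str) -> List[str]:
    """Heuristics (assumptions) for an image path that deserves a second look."""
    p = _normalize(path)
    base = p.rsplit("\\", 1)[-1]
    reasons = []
    if "\\temp\\" in p:
        reasons.append("image lives in a Temp directory")
    if base.endswith(".sys") and "\\windows\\system32\\drivers\\" not in p:
        reasons.append("kernel driver outside system32\\drivers")
    if "." in base and not base.endswith((".exe", ".sys", ".dll")):
        reasons.append("unusual image extension for something that executes")
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Return the service and process entries that trip at least one heuristic."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SERVICE_RE.match(line)
        if m:
            # Keep the registry ImagePath (left of "-->") and drop service
            # arguments such as "-k WINRM" before looking at the path.
            image = m.group("image").split(" --> ", 1)[0].split(" -", 1)[0]
            reasons = _path_reasons(image)
            if m.group("meta").strip() == "?":
                reasons.append("file not present on disk when ComboFix ran")
            if reasons:
                findings.append(Finding("service", m.group("name"), image, reasons))
        elif PROCESS_RE.match(line):
            reasons = _path_reasons(line)
            if reasons:
                findings.append(Finding("process", line.rsplit("\\", 1)[-1], line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.kind} {f.name}: {f.path}")
        for r in f.reasons:
            print("    -", r)
```

Two caveats a practitioner would attach to the output. GMER, which the poster had just run, is known to load its own helper driver from the user's Temp directory under a random name and remove it again, so a finding like iMSPCLOj.sys right after a GMER run has to be correlated with when that scan happened before it is called a rootkit. And a hit is a lead, not a verdict: hash the file, check whether it is signed, and compare its timestamp with the scan before acting on it.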

#7 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • Gender:Male

Posted 25 February 2010 - 12:51 PM

Hello,

Thanks for the detailed info in regards to Gmer.

Please note...

P2P Warning

Your log indicates that you have BitTorrent 4.22.1 installed.

Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.

- They are a security risk which can make your computer susceptible to a smorgasbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.

- Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.

- The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.

Note: It is pretty much certain that if you continue to use P2P programs, then you will get infected again.
I would recommend that you uninstall BitTorrent 4.22.1; however, that choice is up to you. If you choose to remove these programs, you can do so via Control Panel>> Add / Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.

==========

Click "start" on the taskbar and then click on the "Control Panel" icon.
Please doubleclick the "Add or Remove Programs" icon
A list of programs installed will be "populated" this may take a bit of time.
If they exist, uninstall the following by clicking on the following entries and selecting "remove":

Viewpoint

Additional instructions can be found here if needed.

==========

We need to disable Spybot S&D's "TeaTimer"
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half finished fix, we need to disable TeaTimer. We can reenable it when we're done if you like.
  1. Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  2. If prompted with a legal dialog, accept the warning.
  3. Click and then on "Advanced Mode"
  4. You may be presented with a warning dialog. If so, press
  5. Click on
  6. Click on
  7. Uncheck this checkbox:
  8. Close/Exit Spybot Search and Destroy

==========

Remote Control Program WARNING
You appear to have a Remote Control application installed. In your case, this is referring to GoToAssist 8.0.0.514.
Remote Control programs allow complete control of your machine as if you are sitting in front of it, even if you are in some distant location. While this can be a good thing, we need to make sure that this software was installed for a benign purpose, and not for a malicious one. If an attacker installed one of these programs, it would allow them to remotely control your computer, steal critical system information and download and execute files.

If you have this application installed on purpose, then you can safely ignore this warning, but you may wish to uninstall it, as it is a risk. If you didn't install this application, please remove (uninstall) it from Add or Remove Programs now.

==========

Warning: This script was specifically written and designed for this user only. Unsupervised use of this tool could render your computer unbootable permanently!!

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]

RegNull::
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\|"|w*]

File::
c:\windows\Ydutum.bin
c:\windows\Gpamez.dat
c:\documents and settings\LocalService\Application Data\cqfyto.dat
c:\windows\system32\config\systemprofile\Application Data\cqfyto.dat


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

==========

Please re-open Gmer and uncheck "Devices". Now try to run it again and let me know if you have problems.

==========

With your next post please provide:

* Was GoToAssist installed purposely?
* Combofix.txt
* Gmer log (if able)
* What problems remain?

Kind regards,
~t



Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#8 bassbloke

bassbloke
  • Topic Starter
  • Members
  • 16 posts

Posted 25 February 2010 - 08:47 PM

So I have a slight emergency...

I pulled up Gmer, and although I was not planning to run the scan at the moment, I wanted to see which box was the "devices" box that I should uncheck. I'm pretty sure that I closed out of the program, although I am not totally sure, and I walked away for a minute and came back to the stop error blue screen of death. Since then, my computer will boot all the way until when my icons should show up on my desktop, and then it gets no further, just showing my desktop background.

Thanks!

#9 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • Gender:Male

Posted 25 February 2010 - 10:16 PM

Hi,
  1. Please press Ctrl/Shift/Esc
  2. This will open Task Manager
  3. Press File
  4. Run
  5. Type explorer.exe
  6. Repeat the steps and type..
    firefox.exe

Success??


#10 bassbloke

bassbloke
  • Topic Starter
  • Members
  • 16 posts

Posted 25 February 2010 - 11:00 PM

I had to type chrome.exe because I removed Firefox from my computer, but I have the browser running. I tried to access my wireless application from chrome and get it running, but so far I only can access the intranet of my undergraduate institution. Explorer does not seem to work either, even though it is running.

#11 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • Gender:Male

Posted 26 February 2010 - 01:53 PM

Quick question before we proceed. Did you carry out the steps I outlined here before Gmer crashed?

#12 bassbloke

bassbloke
  • Topic Starter
  • Members
  • 16 posts

Posted 26 February 2010 - 02:13 PM

Yes. I uninstalled BitTorrent, Viewpoint, and GoToAssist (which I believe was installed legitimately but I haven't used it in over a year), and TeaTimer was already disabled. I didn't even start a gmer scan - it just crashed. I had run combofix using the script you gave me.

#13 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • Gender:Male

Posted 26 February 2010 - 05:28 PM

Please do this....

Please save the following instructions into Notepad and print them out, as this webpage will not be available while you're carrying out the process.

To open notepad open the task manager again and type notepad

Restart your computer
Before Windows loads, you will be prompted to choose which Operating System to start.
Use the up and down arrow key to select Microsoft Windows Recovery Console.
You must enter which Windows installation to log onto. Type 1 and press enter.
At the C:\Windows prompt, type the following bolded text, and press Enter:

cd erdnt\hiv-backup

At the next prompt, type the following bolded text, and press Enter:

batch erdnt.con

The erunt backups will begin copying.
At the next prompt, type the following bolded text, and press Enter:

exit

Windows will now begin loading.
Success?


#14 bassbloke

bassbloke
  • Topic Starter
  • Members
  • 16 posts

Posted 26 February 2010 - 08:23 PM

Not so much...I got to the same screen as before, but my hard drive is being accessed a lot more than before. Unless the recovery process needs to take more than 10 minutes when loading windows, I think we should try something else. I will provide an update in a few hours.

Thanks!

#15 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • Gender:Male

Posted 26 February 2010 - 09:54 PM

Do you have a clean computer that you could burn a cd on?

So you do not have any desktop icons or task bar. Correct?

Can you boot into Safe Mode?

This can be done tapping the F8 key as soon as you start your computer
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option with networking support.
Please see here for additional details.

Please try this....

Reboot into Safe Mode.

==========
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.

  • Double click on thcbytes.exe & follow the prompts


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply

==========

Then this...

We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. Under "Extra Registry" please check "Use Safelist" and also check "LOP Check" and "Purity Check" as pictured.
  6. Copy and Paste the following code into the textbox. Do not include the word "Code"

    CODE
    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %ALLUSERSPROFILE%\Application Data\*.
    %ALLUSERSPROFILE%\Application Data\*.exe /s
    %APPDATA%\*.
    %APPDATA%\*.exe /s
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    CREATERESTOREPOINT

  7. Push
  8. A report will open. Copy and Paste that report in your next reply.
  9. Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

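The /md5start ... /md5stop block in the OTL script above asks OTL to report MD5 hashes of the listed storage and logon drivers, because a driver patched in place is one of the ways a rootkit of that period hid. As an added example (not OTL's code and not the helper's), the Python script below shows the comparison that makes those hashes useful on XP: the live copy under system32\drivers is hashed alongside the reference copies Windows keeps in system32\dllcache and ServicePackFiles\i386, and any disagreement is flagged. The two cache locations are XP's real ones; the driver bytes and the temporary %SystemRoot% tree are constructed so the script runs offline, and the chosen driver names are taken from the list above.

```python
r"""Cross-copy driver integrity check (added example; not OTL's code).

Windows XP keeps reference copies of protected system files under
system32\dllcache and ServicePackFiles\i386. A rootkit that patches a
driver in place changes the live copy under system32\drivers but not the
cached copies, so hashing every copy and comparing them is a cheap way to
surface the patch. The tree below is constructed in a temp directory so
the script runs offline; on a real system call check_drivers() with
%SystemRoot%.
"""
import hashlib
import os
import tempfile
from typing import Dict, List

LIVE_DIR = os.path.join("system32", "drivers")
# Where XP keeps reference copies (real XP locations, assumed present).
CACHE_DIRS = [os.path.join("system32", "dllcache"),
              os.path.join("ServicePackFiles", "i386")]
# A few names from the OTL /md5start list.
DRIVERS = ["atapi.sys", "iaStor.sys", "nvstor.sys", "AGP440.sys"]


def md5_of(path: str) -> str:
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_drivers(system_root: str, names: List[str] = DRIVERS) -> Dict[str, dict]:
    """Hash the live driver and every reference copy; flag disagreement.

    status: "match", "MISMATCH", "no-reference" (nothing to compare with)
    or "no-live-copy" (driver not installed on this machine).
    """
    report: Dict[str, dict] = {}
    for name in names:
        entry = {"live": None, "cache": {}, "status": "no-live-copy"}
        live = os.path.join(system_root, LIVE_DIR, name)
        if os.path.isfile(live):
            entry["live"] = md5_of(live)
        for rel in CACHE_DIRS:
            ref = os.path.join(system_root, rel, name)
            if os.path.isfile(ref):
                entry["cache"][rel] = md5_of(ref)
        if entry["live"] is not None:
            if not entry["cache"]:
                entry["status"] = "no-reference"
            elif all(h == entry["live"] for h in entry["cache"].values()):
                entry["status"] = "match"
            else:
                entry["status"] = "MISMATCH"
        report[name] = entry
    return report


def build_demo_tree() -> str:
    """Constructed sample: fake %SystemRoot% with one driver patched in place."""
    root = tempfile.mkdtemp(prefix="xp-root-")
    all_dirs = [LIVE_DIR] + CACHE_DIRS
    for rel in all_dirs:
        os.makedirs(os.path.join(root, rel))
    for name in DRIVERS:
        fake_driver = b"MZ" + name.encode() + b"\x00" * 64   # stand-in bytes, not a real PE
        for rel in all_dirs:
            with open(os.path.join(root, rel, name), "wb") as fh:
                fh.write(fake_driver)
    # In-place patch of the live atapi.sys: same size, tail bytes overwritten.
    live_atapi = os.path.join(root, LIVE_DIR, "atapi.sys")
    with open(live_atapi, "r+b") as fh:
        fh.seek(-8, os.SEEK_END)
        fh.write(b"PATCHED!")
    # nvstor.sys has no reference copies; AGP440.sys is not installed at all.
    for rel in CACHE_DIRS:
        os.remove(os.path.join(root, rel, "nvstor.sys"))
    os.remove(os.path.join(root, LIVE_DIR, "AGP440.sys"))
    return root


if __name__ == "__main__":
    for name, e in check_drivers(build_demo_tree()).items():
        print(f"{name:12} {e['status']:13} live={e['live']}")
        for rel, h in e["cache"].items():
            print(f"{'':12} {rel}: {h}")
```

Two things to keep in mind when reading a MISMATCH. A hotfix installed after the service pack legitimately leaves ServicePackFiles\i386 behind, while dllcache is kept in step with the live file, so live-versus-dllcache disagreement is the stronger signal and the file version and timestamp should be checked before drawing a conclusion. And a rootkit that filters disk reads can hand a user-mode hash routine the clean bytes while the patched driver is what actually runs; when the live result looks clean but the redirects continue, take the hashes from an offline boot (the recovery console or a boot CD) rather than from the running system.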



