
Recurring infection of vista antivirus 2010/av.exe


1 reply to this topic

#1 lamblaw


  • Members
  • 1 posts

Posted 25 February 2010 - 11:13 AM

Hello, so I have been dealing with a recurring infection of viruses for over a month now. The trouble started with a full "Vista Antispyware 2010" attack that included all the fake notification-of-infection screens, limited access to my computer's resources and difficulty starting up. I then used the recommendation from myantispyware.com that included "repairing the running of .exe files" by creating the following registry entry:
Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\Software\Classes\.exe]
[-HKEY_CURRENT_USER\Software\Classes\secfile]
[-HKEY_CLASSES_ROOT\secfile]
[-HKEY_CLASSES_ROOT\.exe\shell\open\command]

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

I then used Malwarebytes. It found several entries and successfully deleted them all. I then installed Kaspersky and scanned the computer: it still showed av.exe and indeed several other trojans such as TrojanScriptIframer, Trojan Win32 Generic, Win32 Fraud Pack alip among several others. In each instance the particular trojan is successfully deleted, but because the viruses recur so often, it seems like I may have something more serious. As a final note, when I ran gmer.exe I was not able to select all the options that were shown in the preparation guide because the boxes were not active. I am not sure what difference this makes. Thank you for your help!


DDS (Ver_09-12-01.01) - NTFSX64
Run by LHardcastle at 3:49:59.69 on Thu 02/25/2010
Internet Explorer: 8.0.6001.18882
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.4062.1724 [GMT -5:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_86727c20\STacSV64.exe
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Hpservice.exe
C:\Windows\system32\vfsFPService.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\ngvpnmgr.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\DigitalPersona\Bin\DpHostW.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_86727c20\AESTSr64.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\SysWOW64\svchost.exe -k hpdevmgmt
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Windows\system32\lxcccoms.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files (x86)\Common Files\PC Tools\sMonitor\StartManSvc.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVCapSvc.exe
C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVSched.exe
C:\Windows\SMINST\BLService.exe
C:\Program Files (x86)\Cyberlink\Shared files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Viewpoint\Common\ViewpointService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
C:\Program Files\IDT\WDM\sttray64.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files (x86)\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files (x86)\Registry Mechanic\RMTray.exe
C:\Program Files (x86)\HP Bluetooth Laser Mobile Mouse\MulMouse.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files (x86)\DigitalPersona\Bin\DpAgent.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCtrl.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\HpqSRmon.exe
C:\Program Files\DigitalPersona\Bin\DPAgent.exe
C:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe
C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe
C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
C:\Program Files (x86)\Hewlett-Packard\Media\TV\TVAgent.exe
C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files (x86)\Java\jre6\bin\jusched.exe
C:\Program Files (x86)\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files (x86)\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Common Files\PC Tools\sMonitor\SSDMonitor.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\hpqToaster.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
c:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Users\LHardcastle\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\LHardcastle\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\LHardcastle\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\LHardcastle\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\LHardcastle\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\LHardcastle\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\LHardcastle\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe
C:\Users\LHardcastle\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\mcbuilder.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\LHardcastle\Documents\Downloads\Defogger.exe
C:\Users\LHardcastle\Documents\Downloads\dds.scr
C:\Users\LHardcastle\AppData\Local\Temp\A39E.tmp\evP.exe
C:\Users\LHardcastle\Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=84&bd=Pavilion&pf=cnnb
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=84&bd=Pavilion&pf=cnnb
mLocal Page = c:\windows\syswow64\blank.htm
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files (x86)\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files (x86)\kaspersky lab\kaspersky internet security 2010\ievkbd.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files (x86)\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files (x86)\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files (x86)\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files (x86)\java\jre6\bin\jp2ssv.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files (x86)\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files (x86)\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} -
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files (x86)\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Google Update] "c:\users\lhardcastle\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [ISUSPM] "c:\program files (x86)\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [RegistryMechanic] c:\program files (x86)\registry mechanic\RMTray.exe /H
mRun: [DpAgent] c:\program files (x86)\digitalpersona\bin\dpagent.exe
mRun: [QlbCtrl.exe] "c:\program files (x86)\hewlett-packard\hp quick launch buttons\QlbCtrl.exe" /Start
mRun: [hpqSRMon] c:\program files (x86)\hp\digital imaging\bin\hpqSRMon.exe
mRun: [DVDAgent] "c:\program files (x86)\hewlett-packard\media\dvd\DVDAgent.exe"
mRun: [TSMAgent] "c:\program files (x86)\hewlett-packard\touchsmart\media\TSMAgent.exe"
mRun: [CLMLServer for HP TouchSmart] "c:\program files (x86)\hewlett-packard\touchsmart\media\kernel\clml\CLMLSvc.exe"
mRun: [TVAgent] "c:\program files (x86)\hewlett-packard\media\tv\TVAgent.exe"
mRun: [hpWirelessAssistant] c:\program files (x86)\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [GrooveMonitor] "c:\program files (x86)\microsoft office\office12\GrooveMonitor.exe"
mRun: [HP Software Update] c:\program files (x86)\hp\hp software update\HPWuSchd2.exe
mRun: [UCam_Menu] "c:\program files (x86)\cyberlink\youcam\muitransfer\muistartmenu.exe" "c:\program files (x86)\cyberlink\youcam" updatewithcreateonce "software\cyberlink\youcam\2.0"
mRun: [SunJavaUpdateSched] "c:\program files (x86)\java\jre6\bin\jusched.exe"
mRun: [HP Health Check Scheduler] c:\program files (x86)\hewlett-packard\hp health check\HPHC_Scheduler.exe
mRun: [BlackBerryAutoUpdate] c:\program files (x86)\common files\research in motion\auto update\RIMAutoUpdate.exe /background
mRun: [<NO NAME>]
mRun: [RoxWatchTray] "c:\program files (x86)\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [AVP] "c:\program files (x86)\kaspersky lab\kaspersky internet security 2010\avp.exe"
mRun: [UpdatePSTShortCut] "c:\program files (x86)\cyberlink\dvd suite\muitransfer\muistartmenu.exe" "c:\program files (x86)\cyberlink\dvd suite" updatewithcreateonce "software\cyberlink\PowerStarter"
mRun: [QuickTime Task] "c:\program files (x86)\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files (x86)\itunes\iTunesHelper.exe"
mRun: [SSDMonitor] "c:\program files (x86)\common files\pc tools\smonitor\SSDMonitor.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files (x86)\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files (x86)\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\progra~3\micros~1\windows\startm~1\programs\startup\hpblue~1.lnk - c:\program files (x86)\hp bluetooth laser mobile mouse\MulMouse.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: HideFastUserSwitching = 0 (0x0)
IE: Add to Anti-Banner - c:\program files (x86)\kaspersky lab\kaspersky internet security 2010\ie_banner_deny.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~2\micros~1\office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~2\micros~1\office12\ONBttnIE.dll
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files (x86)\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~2\micros~1\office12\REFIEBAR.DLL
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files (x86)\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files (x86)\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files (x86)\microsoft office\office12\GrooveSystemServices.dll
AppInit_DLLs: c:\progra~2\kasper~1\kasper~1\mzvkbd3.dll,c:\progra~2\kasper~1\kasper~1\sbhook.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files (x86)\microsoft office\office12\GrooveShellExtensions.dll
LSA: Notification Packages = scecli DPPWDFLT
BHO-X64: IEVkbdBHO Class: {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - c:\program files (x86)\kaspersky lab\kaspersky internet security 2010\x64\ievkbd.dll
BHO-X64: IEVkbdBHO - No File
BHO-X64: FilterBHO Class: {E33CF602-D945-461A-83F0-819F76A199F8} - c:\program files (x86)\kaspersky lab\kaspersky internet security 2010\x64\klwtbbho.dll
BHO-X64: link filter bho - No File
EB-X64: {555D4D79-4BD2-4094-A395-CFC534424A05} - No File
mRun-x64: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun-x64: [IAAnotif] "c:\program files (x86)\intel\intel matrix storage manager\iaanotif.exe"
mRun-x64: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun-x64: [SmartMenu] %ProgramFiles%\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
mRun-x64: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray64.exe
mRun-x64: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun-x64: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun-x64: [LXCCCATS] rundll32 c:\windows\system32\spool\drivers\x64\3\LXCCtime.dll,RunDLLEntry
IE-X64: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
AppInit_DLLs-X64: c:\progra~2\kasper~1\kasper~1\x64\sbhook64.dll,c:\progra~2\kasper~1\kasper~1\x64\kloehk.dll
STS-X64: Windows DreamScene: {E31004D1-A431-41B8-826F-E902F9D95C81} - %SystemRoot%\System32\DreamScene.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\lhardc~1\appdata\roaming\mozilla\firefox\profiles\k1lvll2a.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 2
FF - component: c:\program files (x86)\hp\digital imaging\smart web printing\mozillaaddon3\components\hpClipBook.dll
FF - component: c:\program files (x86)\hp\digital imaging\smart web printing\mozillaaddon3\components\hpClipBookDB.dll
FF - component: c:\program files (x86)\hp\digital imaging\smart web printing\mozillaaddon3\components\hpNeoLogger.dll
FF - component: c:\program files (x86)\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSaturn.dll
FF - component: c:\program files (x86)\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSmartSelect.dll
FF - component: c:\program files (x86)\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSmartWebPrinting.dll
FF - component: c:\program files (x86)\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSWPOperation.dll
FF - component: c:\program files (x86)\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPLogging.dll
FF - component: c:\program files (x86)\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPMTC.dll
FF - component: c:\program files (x86)\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPMTL.dll
FF - component: c:\program files (x86)\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXREStub.dll
FF - component: c:\program files (x86)\mozilla firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - plugin: c:\program files (x86)\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files (x86)\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files (x86)\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files (x86)\hp\digital imaging\smart web printing\mozillaaddon3\plugins\nphpclipbook.dll
FF - plugin: c:\program files (x86)\microsoft research\hdview for firefox\nphdview.dll
FF - plugin: c:\program files (x86)\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\program files (x86)\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\lhardcastle\appdata\local\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\users\lhardcastle\appdata\roaming\mozilla\firefox\profiles\k1lvll2a.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\users\lhardcastle\appdata\roaming\mozilla\plugins\npgoogletalk.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 KLBG;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-10-14 40464]
R0 PxHlpa64;PxHlpa64;c:\windows\system32\drivers\PxHlpa64.sys [2009-8-11 52856]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\drivers\klim6.sys [2009-9-14 27152]
R1 pfmfs_27B;pfmfs_27B;c:\windows\system32\drivers\pfmfs_27B.sys [2009-8-10 234168]
R2 {55662437-DA8C-40c0-AADA-2C816A897A49};{55662437-DA8C-40c0-AADA-2C816A897A49};c:\program files (x86)\hewlett-packard\media\dvd\000.fcl [2008-7-23 27632]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\driverstore\filerepository\stwrt64.inf_86727c20\AESTSr64.exe [2008-10-8 89088]
R2 AVP;Kaspersky Internet Security;c:\program files (x86)\kaspersky lab\kaspersky internet security 2010\avp.exe [2009-10-20 340456]
R2 hpsrv;HP Service;c:\windows\system32\hpservice.exe [2008-3-18 23040]
R2 NgVpnMgr;Aventail VPN Client;c:\windows\system32\ngvpnmgr.exe [2009-9-10 429080]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files (x86)\common files\pc tools\smonitor\StartManSvc.exe [2010-2-14 583640]
R2 Recovery Service for Windows;Recovery Service for Windows;c:\windows\sminst\BLService.exe [2008-9-10 361808]
R2 vfsFPService;Validity Fingerprint Service;c:\windows\system32\vfsFPService.exe [2008-5-26 719152]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files (x86)\viewpoint\common\ViewpointService.exe [2008-10-13 24652]
R3 AVerBDA6x_x64;AVerMedia SAA716x BDA Service;c:\windows\system32\drivers\AVerBDA716x_x64.sys [2008-10-8 1217792]
R3 Com4QLBEx;Com4QLBEx;c:\program files (x86)\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2008-9-9 228408]
R3 enecir;ENE CIR Receiver;c:\windows\system32\drivers\enecir.sys [2008-9-4 64000]
R3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [2009-4-17 138592]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-10-2 21008]
R3 NETw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\drivers\NETw5v64.sys [2008-11-17 4751360]
R3 NgLog;Aventail VPN Logging;c:\windows\system32\drivers\nglog.sys [2009-9-10 31256]
R3 NgVpn;Aventail VPN Adapter;c:\windows\system32\drivers\ngvpn.sys [2009-9-10 102936]
R3 NgWfp;Aventail VPN Callout;c:\windows\system32\drivers\ngwfp.sys [2009-9-10 28696]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [2008-6-25 56352]
R3 vfs101a;vfs101a;c:\windows\system32\drivers\vfs101a.sys [2008-5-26 49968]
S3 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe [2009-9-16 89920]
S3 DIRECTIO;DIRECTIO;c:\program files (x86)\performancetest\DirectIo.sys [2010-2-14 16896]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 27648]
S3 NETw3v64;Intel® PRO/Wireless 3945ABG Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\drivers\NETw3v64.sys [2008-1-20 3154432]
S3 NgFilter;Aventail VPN Filter;c:\windows\system32\drivers\ngfilter.sys [2009-9-10 25624]
S3 PerfHost;Performance Counter DLL Host;c:\windows\syswow64\perfhost.exe [2008-1-20 19968]
S3 rcmirror;rcmirror;c:\windows\system32\drivers\rcmirror.sys [2008-10-9 5120]
S3 Sockblkd;Sockblkd;c:\program files\extegrity\exam4\Sockblkd.sys [2008-12-1 6784]
S3 yukonx64;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk60x64.sys [2006-11-2 273408]

============== File Associations ===============

JSEFile=c:\windows\syswow64\WScript.exe "%1" %*

=============== Created Last 30 ================

2010-02-25 08:48:25 0 ----a-w- c:\users\lhardcastle\defogger_reenable
2010-02-25 07:51:00 726528 ----a-w- c:\windows\syswow64\jscript.dll
2010-02-25 07:49:53 2048 ----a-w- c:\windows\syswow64\tzres.dll
2010-02-25 07:49:29 2048 ----a-w- c:\windows\system32\tzres.dll
2010-02-25 07:48:13 471552 ----a-w- c:\windows\syswow64\secproc.dll
2010-02-25 07:48:12 518144 ----a-w- c:\windows\syswow64\RMActivate.exe
2010-02-25 07:48:06 347136 ----a-w- c:\windows\syswow64\RMActivate_ssp.exe
2010-02-25 07:48:06 152064 ----a-w- c:\windows\syswow64\secproc_ssp.dll
2010-02-25 07:48:03 526336 ----a-w- c:\windows\syswow64\RMActivate_isv.exe
2010-02-25 07:48:03 471552 ----a-w- c:\windows\syswow64\secproc_isv.dll
2010-02-25 07:48:02 346624 ----a-w- c:\windows\syswow64\RMActivate_ssp_isv.exe
2010-02-25 07:48:02 152576 ----a-w- c:\windows\syswow64\secproc_ssp_isv.dll
2010-02-25 07:48:00 332288 ----a-w- c:\windows\syswow64\msdrm.dll
2010-02-25 07:47:58 599552 ----a-w- c:\windows\system32\RMActivate.exe
2010-02-25 07:47:58 539136 ----a-w- c:\windows\system32\secproc.dll
2010-02-25 07:47:56 409600 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-02-25 07:47:56 160768 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-02-25 07:47:55 600576 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-02-25 07:47:55 538624 ----a-w- c:\windows\system32\secproc_isv.dll
2010-02-25 07:47:55 413696 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-02-25 07:47:55 160768 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-02-25 07:47:54 460288 ----a-w- c:\windows\system32\msdrm.dll
2010-02-25 07:41:52 0 d-----w- c:\program files (x86)\Trend Micro
2010-02-25 07:41:42 28672 ----a-w- c:\windows\syswow64\Apphlpdm.dll
2010-02-25 07:41:36 4240384 ----a-w- c:\windows\syswow64\GameUXLegacyGDFs.dll
2010-02-25 07:41:36 1696256 ----a-w- c:\windows\syswow64\gameux.dll
2010-02-25 07:41:32 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-02-25 07:41:31 1927680 ----a-w- c:\windows\system32\gameux.dll
2010-02-25 07:41:29 32256 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-02-25 07:17:55 65536 --sha-w- c:\users\lhardcastle\ntuser.dat{a86dc860-21dd-11df-bde3-f5eb85509606}.TM.blf
2010-02-25 07:17:55 524288 --sha-w- c:\users\lhardcastle\ntuser.dat{a86dc860-21dd-11df-bde3-f5eb85509606}.TMContainer00000000000000000002.regtrans-ms
2010-02-25 07:17:55 524288 --sha-w- c:\users\lhardcastle\ntuser.dat{a86dc860-21dd-11df-bde3-f5eb85509606}.TMContainer00000000000000000001.regtrans-ms
2010-02-17 02:00:50 0 d-----w- c:\programdata\NOS
2010-02-15 00:33:35 0 d-----w- c:\program files (x86)\uTorrent
2010-02-14 23:59:47 467984 ----a-w- c:\windows\syswow64\d3dx10_39.dll
2010-02-14 23:59:47 1493528 ----a-w- c:\windows\syswow64\D3DCompiler_39.dll
2010-02-14 23:59:46 3851784 ----a-w- c:\windows\syswow64\D3DX9_39.dll
2010-02-14 23:59:45 2414360 ----a-w- c:\windows\syswow64\d3dx9_31.dll
2010-02-14 23:58:38 0 d-----w- c:\programdata\PassMark
2010-02-14 23:58:38 0 d-----w- c:\program files (x86)\PerformanceTest
2010-02-14 23:46:08 0 d-----w- c:\users\lhardc~1\appdata\roaming\ConsumerSoft
2010-02-14 23:46:05 0 d-----w- c:\program files (x86)\ConsumerSoft
2010-02-14 20:33:21 65536 --sha-w- c:\users\lhardcastle\NTUSER.DAT{2af04d3a-18e6-11df-bbbb-002186ba7e97}.TM.blf
2010-02-14 20:33:21 524288 --sha-w- c:\users\lhardcastle\NTUSER.DAT{2af04d3a-18e6-11df-bbbb-002186ba7e97}.TMContainer00000000000000000002.regtrans-ms
2010-02-14 20:33:21 524288 --sha-w- c:\users\lhardcastle\NTUSER.DAT{2af04d3a-18e6-11df-bbbb-002186ba7e97}.TMContainer00000000000000000001.regtrans-ms
2010-02-14 20:25:05 0 d-----w- c:\users\lhardc~1\appdata\roaming\Registry Mechanic
2010-02-14 20:20:07 880640 ----a-w- c:\windows\syswow64\UniBox10.ocx
2010-02-14 20:20:07 506368 ----a-w- c:\windows\syswow64\msxml.dll
2010-02-14 20:20:07 212992 ----a-w- c:\windows\syswow64\UniBoxVB12.ocx
2010-02-14 20:20:07 1101824 ----a-w- c:\windows\syswow64\UniBox210.ocx
2010-02-14 20:20:06 0 d-----w- c:\program files (x86)\common files\PC Tools
2010-02-14 17:58:41 0 d-----w- c:\program files\iPod
2010-02-14 17:58:40 0 d-----w- c:\program files\iTunes
2010-02-14 17:58:40 0 d-----w- c:\program files (x86)\iTunes
2010-02-10 19:31:48 0 d-----w- c:\users\lhardc~1\appdata\roaming\Malwarebytes
2010-02-10 19:31:42 0 d-----w- c:\programdata\Malwarebytes
2010-02-10 19:31:41 22104 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-10 16:24:11 1570816 ----a-w- c:\windows\system32\quartz.dll
2010-02-10 16:24:11 1314816 ----a-w- c:\windows\syswow64\quartz.dll
2010-02-10 16:24:10 54272 ----a-w- c:\windows\system32\iyuv_32.dll
2010-02-10 16:24:10 38400 ----a-w- c:\windows\system32\msvidc32.dll
2010-02-10 16:24:10 25600 ----a-w- c:\windows\system32\msyuv.dll
2010-02-10 16:24:10 14848 ----a-w- c:\windows\system32\tsbyuv.dll
2010-02-10 16:24:08 31744 ----a-w- c:\windows\syswow64\msvidc32.dll
2010-02-10 16:24:08 22528 ----a-w- c:\windows\syswow64\msyuv.dll
2010-02-10 16:24:08 15872 ----a-w- c:\windows\system32\msrle32.dll
2010-02-10 16:24:08 13312 ----a-w- c:\windows\syswow64\msrle32.dll
2010-02-10 16:24:08 12288 ----a-w- c:\windows\syswow64\tsbyuv.dll
2010-02-10 16:24:00 50176 ----a-w- c:\windows\syswow64\iyuv_32.dll
2010-02-10 16:23:59 91136 ----a-w- c:\windows\syswow64\avifil32.dll
2010-02-10 16:23:59 82944 ----a-w- c:\windows\syswow64\mciavi32.dll
2010-02-10 16:23:59 123904 ----a-w- c:\windows\syswow64\msvfw32.dll
2010-02-10 16:23:52 453632 ----a-w- c:\windows\system32\drivers\srv.sys
2010-02-10 16:23:52 142336 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-02-10 16:23:51 273408 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-02-10 16:23:51 135168 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-10 16:23:48 1425480 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-02-10 16:23:47 40448 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2010-02-10 16:23:41 4698184 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-02 18:37:44 0 d-----w- c:\users\lhardc~1\appdata\roaming\hpqLog
2010-01-30 19:10:55 23145 ----a-w- c:\windows\hpqins15.dat
2010-01-30 19:09:24 0 d-----w- c:\programdata\HP Product Assistant
2010-01-30 19:08:23 77381 ----a-w- c:\windows\hpqins05.dat
2010-01-29 22:02:55 143387 ----a-w- c:\windows\system32\drivers\klin.dat
2010-01-29 22:02:54 104987 ----a-w- c:\windows\system32\drivers\klick.dat
2010-01-29 21:07:34 0 d-----w- c:\programdata\Kaspersky Lab Setup Files
2010-01-29 20:34:54 524288 --sha-w- c:\users\lhardcastle\NTUSER.DAT{622a8a0e-0d11-11df-9b22-002186ba7e97}.TMContainer00000000000000000002.regtrans-ms
2010-01-29 20:34:53 65536 --sha-w- c:\users\lhardcastle\NTUSER.DAT{622a8a0e-0d11-11df-9b22-002186ba7e97}.TM.blf
2010-01-29 20:34:53 524288 --sha-w- c:\users\lhardcastle\NTUSER.DAT{622a8a0e-0d11-11df-9b22-002186ba7e97}.TMContainer00000000000000000001.regtrans-ms
2010-01-29 07:44:33 524288 --sha-w- c:\users\lhardcastle\NTUSER.DAT{88f7e54d-0ca0-11df-b600-002186ba7e97}.TMContainer00000000000000000002.regtrans-ms
2010-01-29 07:44:32 65536 --sha-w- c:\users\lhardcastle\NTUSER.DAT{88f7e54d-0ca0-11df-b600-002186ba7e97}.TM.blf
2010-01-29 07:44:32 524288 --sha-w- c:\users\lhardcastle\NTUSER.DAT{88f7e54d-0ca0-11df-b600-002186ba7e97}.TMContainer00000000000000000001.regtrans-ms
2010-01-28 20:01:07 0 d-----w- c:\programdata\Kaspersky Lab
2010-01-28 20:01:06 0 d-----w- c:\program files (x86)\Kaspersky Lab
2010-01-28 19:56:30 0 d-----w- c:\programdata\{34474EFD-D329-4A99-A967-410E40B3419A}(108)

==================== Find3M ====================

2010-02-25 08:28:06 4969 ----a-w- c:\windows\bthservsdp.dat
2010-02-25 08:25:47 86016 ----a-w- c:\windows\inf\infstor.dat
2010-02-25 08:25:47 51200 ----a-w- c:\windows\inf\infpub.dat
2010-02-25 08:25:47 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-02-25 07:00:54 97365 ----a-w- c:\programdata\nvModes.dat
2010-02-24 14:16:06 212864 ------w- c:\windows\system32\MpSigStub.exe
2010-02-15 04:15:04 665158 ----a-w- c:\windows\system32\perfh013.dat
2010-02-15 04:15:04 126364 ----a-w- c:\windows\system32\perfc013.dat
2010-01-14 23:08:34 59880 ----a-w- c:\windows\system32\drivers\TfSysMon.sys
2010-01-14 23:08:33 41888 ----a-w- c:\windows\system32\drivers\TfNetMon.sys
2010-01-14 23:08:31 65072 ----a-w- c:\windows\system32\drivers\TfFsMon.sys
2010-01-02 07:08:29 1147904 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 07:03:21 77312 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 07:03:21 132096 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 06:38:20 916480 ----a-w- c:\windows\syswow64\wininet.dll
2010-01-02 06:38:04 1208832 ----a-w- c:\windows\syswow64\urlmon.dll
2010-01-02 06:36:10 206848 ----a-w- c:\windows\syswow64\occache.dll
2010-01-02 06:33:34 5942784 ----a-w- c:\windows\syswow64\mshtml.dll
2010-01-02 06:33:32 594432 ----a-w- c:\windows\syswow64\msfeeds.dll
2010-01-02 06:33:32 55296 ----a-w- c:\windows\syswow64\msfeedsbs.dll
2010-01-02 06:32:51 25600 ----a-w- c:\windows\syswow64\jsproxy.dll
2010-01-02 06:32:33 71680 ----a-w- c:\windows\syswow64\iesetup.dll
2010-01-02 06:32:33 1985536 ----a-w- c:\windows\syswow64\iertutil.dll
2010-01-02 06:32:33 164352 ----a-w- c:\windows\syswow64\ieui.dll
2010-01-02 06:32:33 109056 ----a-w- c:\windows\syswow64\iesysprep.dll
2010-01-02 06:32:32 55808 ----a-w- c:\windows\syswow64\iernonce.dll
2010-01-02 06:32:32 184320 ----a-w- c:\windows\syswow64\iepeers.dll
2010-01-02 06:32:32 11070464 ----a-w- c:\windows\syswow64\ieframe.dll
2010-01-02 06:32:26 387584 ----a-w- c:\windows\syswow64\iedkcs32.dll
2010-01-02 05:25:39 162816 ----a-w- c:\windows\system32\ieUnatt.exe
2010-01-02 04:57:00 133632 ----a-w- c:\windows\syswow64\ieUnatt.exe
2010-01-02 04:56:50 173056 ----a-w- c:\windows\syswow64\ie4uinit.exe
2010-01-02 04:56:14 13312 ----a-w- c:\windows\syswow64\msfeedssync.exe
2009-12-14 19:15:14 2146304 ----a-w- c:\windows\syswow64\GPhotos.scr
2009-12-09 03:55:59 148956 ----a-w- c:\windows\hpoins19.dat
2009-11-17 15:06:32 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-05-12 15:51:58 41976 ----a-w- c:\windows\inf\perflib\0413\perfd.dat
2009-05-12 15:51:58 41976 ----a-w- c:\windows\inf\perflib\0413\perfc.dat
2009-05-12 15:51:58 336440 ----a-w- c:\windows\inf\perflib\0413\perfi.dat
2009-05-12 15:51:58 336440 ----a-w- c:\windows\inf\perflib\0413\perfh.dat
2008-01-21 03:21:14 174 --sha-w- c:\program files\desktop.ini
2008-01-21 03:21:14 174 --sha-w- c:\program files (x86)\desktop.ini
2006-11-02 15:14:32 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 15:14:32 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 15:14:32 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 15:14:32 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 10:52:12 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 10:52:12 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 10:52:10 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 10:52:10 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-10-17 17:28:46 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-06-12 07:32:03 245760 --sha-w- c:\windows\syswow64\config\systemprofile\appdata\roaming\microsoft\windows\ietldcache\index.dat
2008-09-10 04:41:20 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 3:51:35.22 ===============
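The .reg file in the post above deletes a per-user ".exe" override and a "secfile" ProgID, removes any "shell\open\command" placed directly under ".exe", and restores the stock "exefile" mapping whose open command is "%1" %*. The following read-only audit script is an added example, not part of the original post and not from myantispyware.com or BleepingComputer; it checks exactly those keys and reports deviations, so a responder can confirm whether the association is still clean after a fix like the one posted. It assumes it is run in an elevated PowerShell session on the affected machine; the helper name Get-DefaultValue and the $findings list are this example's own.

```powershell
# Added audit script (not from the forum post): inspects the .exe file-association
# keys that a rogue-AV hijack rewrites and that the posted .reg file repairs.
# Read-only: it reports findings and changes nothing.
# Assumption: elevated PowerShell on the machine being checked.

$expectedCommand = '"%1" %*'   # stock value of HKCR\exefile\shell\open\command
$findings = @()

# HKCR is not mounted as a PSDrive by default; map it for this session.
if (-not (Test-Path 'HKCR:')) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

function Get-DefaultValue {
    param([string]$Path)
    if (-not (Test-Path $Path)) { return $null }
    # The key's "(default)" value is exposed as a property of that name.
    return (Get-ItemProperty -Path $Path).'(default)'
}

# 1. Per-user overrides. A normal profile has no HKCU\Software\Classes\.exe key;
#    anything there shadows the machine-wide mapping for this user only.
foreach ($key in 'HKCU:\Software\Classes\.exe', 'HKCU:\Software\Classes\secfile') {
    if (Test-Path $key) {
        $findings += "Per-user override present: $key (default = '$(Get-DefaultValue $key)')"
    }
}

# 2. The "secfile" ProgID the rogue registers should not exist at all.
if (Test-Path 'HKCR:\secfile') {
    $cmd = Get-DefaultValue 'HKCR:\secfile\shell\open\command'
    $findings += "Unexpected ProgID HKCR\secfile (open command = '$cmd')"
}

# 3. .exe must map to the "exefile" ProgID ...
$exeProgId = Get-DefaultValue 'HKCR:\.exe'
if ($exeProgId -ne 'exefile') {
    $findings += ".exe is mapped to '$exeProgId' instead of 'exefile'"
}

# 4. ... and must not carry its own shell\open\command, which is where the
#    hijack inserts a launcher that runs before every executable.
if (Test-Path 'HKCR:\.exe\shell\open\command') {
    $cmd = Get-DefaultValue 'HKCR:\.exe\shell\open\command'
    $findings += "HKCR\.exe\shell\open\command exists (value = '$cmd')"
}

# 5. The exefile open command must be exactly "%1" %* so the target runs untouched.
$openCmd = Get-DefaultValue 'HKCR:\exefile\shell\open\command'
if ($openCmd -ne $expectedCommand) {
    $findings += "exefile open command is '$openCmd', expected '$expectedCommand'"
}

if ($findings.Count -eq 0) {
    Write-Output 'OK: .exe association matches the stock exefile mapping.'
} else {
    Write-Output 'WARNING: .exe association deviates from stock:'
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

HKEY_CLASSES_ROOT is a merged view of HKLM\Software\Classes and HKCU\Software\Classes, with the per-user branch taking precedence, so check 3 already reflects any HKCU override; check 1 is kept separately because it tells the responder which hive the fix has to target. Run the script before applying a .reg repair to record the hijacked state, and again afterwards to confirm the restore took effect.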

#2 Jintan


  • Malware Response Team
  • 531 posts

Posted 27 February 2010 - 08:58 PM

Welcome to Bleeping Computer lamblaw,

Not seeing any infection in these logs so far. Were these scans run during some period where you had just removed the infection (and before it recurred)? If you would, go to the Logs tab in Malwarebytes and post back here the log from whatever recent scan was run first - one that reflects the gist of the infection issues.
Ad eundum quo no duck ante iit



