
Trojan.Agent/Gen-PEC


  • This topic is locked
14 replies to this topic

#1 Daddys_Jewel

  • Members
  • 61 posts

Posted 23 March 2010 - 11:42 AM

Hello,

I think I might have a recurring infection. Yesterday I ran a partial scan (in safe mode) on my laptop (Windows XP) and got the following log (I had to stop early because I had to leave and didn't realize it would take so long to scan):

SUPERAntiSpyware Scan Log

Generated 03/22/2010 at 01:07 PM

Application Version : 4.34.1000

Core Rules Database Version : 4709
Trace Rules Database Version: 2521

Scan type : Complete Scan
Total Scan Time : 00:25:00

Memory items scanned : 254
Memory threats detected : 0
Registry items scanned : 9758
Registry threats detected : 0
File items scanned : 1247
File threats detected : 2

Trojan.Agent/Gen
C:\Program Files\DRV

Trojan.Agent/Gen-PEC
C:\32788R22FWJFW\PEV.EXE

*****************************************************************************

So I ran the full scan overnight and got this log:

SUPERAntiSpyware Scan Log

Generated 03/23/2010 at 02:38 AM

Application Version : 4.34.1000

Core Rules Database Version : 4709
Trace Rules Database Version: 2521

Scan type : Complete Scan
Total Scan Time : 02:56:06

Memory items scanned : 253
Memory threats detected : 0
Registry items scanned : 9747
Registry threats detected : 0
File items scanned : 35067
File threats detected : 4

Trojan.Agent/Gen-PEC
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP437\A0127363.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP437\A0127437.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP437\A0127464.EXE

C:\WINDOWS\PEV.EXE

*******************************************************************

I'm not sure if the same virus repropagated after I rebooted last night, or if I just didn't scan long enough the first time to find the items in the second scan.

I should also mention that I ran my McAfee scan a few days ago and it found some items that look like they could be the same problem. I can't for the life of me figure out how to get a log from McAfee, so here is a screenshot of some of the recent items that were quarantined:



A little more from the McAfee scan that didn't fit in the first screenshot:



I'm concerned because it looks like I'm not getting rid of the problem. I may be paranoid, but I just used a secure computer to change my passwords at my online financial institutions in case this is a password stealing virus.

Thanks in advance for your help.

Julie

Edited by Daddys_Jewel, 23 March 2010 - 11:46 AM.
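The question the post raises (did the file come back, or did the longer scan just reach more copies?) can be answered mechanically from the two scan logs. The script below is an added example, not a BleepingComputer or SUPERAntiSpyware tool: it parses the threat list of a SUPERAntiSpyware log, separates live files from copies held in System Restore snapshots (the _RESTORE{GUID}\RPnnn paths), and lists which live paths are new since the earlier scan. The two logs from the post are embedded as sample input; the only outside fact it relies on is that the folder name 32788R22FWJFW and the file PEV.EXE are names used by the ComboFix cleanup tool (the DDS log later in this thread shows a C:\ComboFix folder), which the script reports as "verify" rather than "ignore".

```python
"""Triage helper for SUPERAntiSpyware scan logs (added example, not a tool from this thread)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample input: the two scan logs quoted in the post, trimmed to the lines this parser uses.
SCAN_1 = r"""
SUPERAntiSpyware Scan Log
Generated 03/22/2010 at 01:07 PM
File items scanned : 1247
File threats detected : 2

Trojan.Agent/Gen
C:\Program Files\DRV

Trojan.Agent/Gen-PEC
C:\32788R22FWJFW\PEV.EXE
"""

SCAN_2 = r"""
SUPERAntiSpyware Scan Log
Generated 03/23/2010 at 02:38 AM
File items scanned : 35067
File threats detected : 4

Trojan.Agent/Gen-PEC
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP437\A0127363.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP437\A0127437.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP437\A0127464.EXE

C:\WINDOWS\PEV.EXE
"""

DRIVE_PATH = re.compile(r"^[a-z]:\\", re.IGNORECASE)
# System Restore keeps snapshots under _restore{GUID}\RPnnn; a hit there is a
# copy of an earlier file, not proof that the file is still live on the system.
RESTORE_POINT = re.compile(
    r"^[a-z]:\\system volume information\\_restore\{[0-9a-f-]+\}\\rp(\d+)\\",
    re.IGNORECASE,
)
# Names used by the ComboFix cleanup tool (the DDS log in this thread shows a
# C:\ComboFix folder). A match means "verify before treating as an infection".
COMBOFIX_NAMES = {"32788r22fwjfw", "pev.exe"}


@dataclass(frozen=True)
class Detection:
    name: str   # detection name as printed by the scanner
    path: str   # file or folder the scanner flagged

    @property
    def restore_point(self) -> Optional[int]:
        m = RESTORE_POINT.match(self.path)
        return int(m.group(1)) if m else None

    @property
    def is_live(self) -> bool:
        return self.restore_point is None


def parse_sas_log(text: str) -> List[Detection]:
    r"""Detections listed after the 'File threats detected' counter.

    Assumption taken from the logs on the page: a name line is followed by one
    or more path lines, and a path block with no new name line (the
    C:\WINDOWS\PEV.EXE entry) belongs to the most recent name.
    """
    detections: List[Detection] = []
    current_name: Optional[str] = None
    in_threat_list = False
    for raw in text.splitlines():
        line = raw.strip()
        if not in_threat_list:
            in_threat_list = line.lower().startswith("file threats detected")
            continue
        if not line or line.startswith("*"):
            continue
        if DRIVE_PATH.match(line):
            if current_name is None:
                raise ValueError(f"path without a preceding detection name: {line}")
            detections.append(Detection(current_name, line))
        else:
            current_name = line
    return detections


def looks_like_combofix_component(path: str) -> bool:
    parts = path.lower().replace("/", "\\").split("\\")
    return any(part in COMBOFIX_NAMES for part in parts)


def compare_scans(earlier: List[Detection], later: List[Detection]) -> Dict[str, List[Detection]]:
    """Split the later scan into live files and restore-point copies, and list
    live paths the earlier scan did not report."""
    seen = {d.path.lower() for d in earlier}
    live = [d for d in later if d.is_live]
    return {
        "live": live,
        "snapshots": [d for d in later if not d.is_live],
        "new_live": [d for d in live if d.path.lower() not in seen],
    }


if __name__ == "__main__":
    result = compare_scans(parse_sas_log(SCAN_1), parse_sas_log(SCAN_2))
    for label, items in result.items():
        print(f"{label}: {len(items)}")
        for d in items:
            flag = "  (ComboFix component name, verify)" if looks_like_combofix_component(d.path) else ""
            rp = f"  [restore point RP{d.restore_point}]" if d.restore_point else ""
            print(f"  {d.name}  {d.path}{rp}{flag}")
```

Run against the two logs, three of the four second-scan hits are RP437 snapshot copies and only C:\WINDOWS\PEV.EXE is a live file that the first (shorter) scan did not report, so the longer scan explains most of the difference on its own; whether PEV.EXE is a real infection or a leftover of a cleanup tool is a separate check.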



#2 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 26 March 2010 - 05:27 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below I will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


And

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.


Then

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
m0le is a proud member of UNITE

#3 Daddys_Jewel
  • Topic Starter

  • Members
  • 61 posts

Posted 26 March 2010 - 09:27 PM

Hello,

The only thing that has changed since my first post is that I dumped McAfee and installed Kaspersky. Kaspersky found a trojan and deleted it. Now I would like peace of mind that I'm actually clean.

Here is the DDS log:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Julie Pickett at 17:59:26.31 on Fri 03/26/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.597 [GMT -6:00]

AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Wave Systems Corp\Common\DataServer.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\hphmon03.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Alltel\QuickLink Mobile\QuickLink Mobile.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtblfs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Julie Pickett\Desktop\dds.pif

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.yahoo.com/p/2.html
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
mURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2010\ievkbd.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} -
TB: {965B54B0-71E0-4611-8DE7-F73FA0B20E26} - No File
uRun: [ModemOnHold] c:\program files\netwaiting\netWaiting.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Apoint] "c:\program files\apoint\Apoint.exe"
mRun: [NvCplDaemon] "RUNDLL32.EXE" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Document Manager] "c:\program files\wave systems corp\services manager\docmgr\bin\docmgr.exe"
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
mRun: [hpppta] "c:\program files\hewlett-packard\hp precisionscan\precisionscan pro\hpppta.exe" /ICON
mRun: [HPHmon03] c:\windows\system32\hphmon03.exe
mRun: [hpqSRMon] "c:\program files\hp\digital imaging\bin\hpqSRMon.exe"
mRun: [AppleSyncNotifier] "c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [CoolSwitch] c:\windows\system32\taskswitch.exe
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [NVHotkey] "rundll32.exe" nvHotkey.dll,Start
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2010\avp.exe"
StartupFolder: c:\docume~1\juliep~1\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\totalm~1.lnk - c:\program files\arcsoft\totalmedia backup & record\uBBMonitor.exe
IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
Trusted Zone: davidrumsey.com\www
Trusted Zone: //about.htm/
Trusted Zone: //Exclude.htm/
Trusted Zone: //FWEvent.htm/
Trusted Zone: //LanguageSelection.htm/
Trusted Zone: //Message.htm/
Trusted Zone: //MyAgttryCmd.htm/
Trusted Zone: //MyAgttryNag.htm/
Trusted Zone: //MyNotification.htm/
Trusted Zone: //NOCLessUpdate.htm/
Trusted Zone: //quarantine.htm/
Trusted Zone: //ScanNow.htm/
Trusted Zone: //strings.vbs/
Trusted Zone: //Template.htm/
Trusted Zone: //Update.htm/
Trusted Zone: //VirFound.htm/
Trusted Zone: mcafee.com\*
Trusted Zone: mcafeeasap.com\betavscan
Trusted Zone: mcafeeasap.com\vs
Trusted Zone: mcafeeasap.com\www
DPF: {00120000-B1BA-11CE-ABC6-F5B2E79D9E3F} - file://d:\julie\health\ltocx12n.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file://c:\program files\super mah jong solitaire\images\stg_drm.ocx
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {32505657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www2.snapfish.com/SnapfishActivia.cab
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1215548044421
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file://c:\program files\super mah jong solitaire\images\armhelper.ocx
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll,c:\progra~1\kasper~1\kasper~1\kloehk.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Authentication Packages = msv1_0 wvauth

================= FIREFOX ===================

FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-10-14 36880]
R1 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2009-9-1 128016]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2010-3-23 315408]
R2 ppsio2;PPDevice;c:\windows\system32\drivers\ppsio2.sys [2007-3-9 23200]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2009-9-14 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-10-2 19472]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S2 AVP;Kaspersky Internet Security;c:\program files\kaspersky lab\kaspersky internet security 2010\avp.exe [2009-10-20 340456]
S3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [2007-3-13 18864]
S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [2010-3-11 100992]

============== File Associations ===============

.txt=

=============== Created Last 30 ================

2010-03-23 19:55:57 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2010-03-23 19:55:57 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2010-03-23 19:54:16 0 d-----w- c:\program files\Kaspersky Lab
2010-03-23 19:54:16 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab
2010-03-23 19:23:18 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2010-03-23 19:01:47 0 d-s---w- C:\ComboFix
2010-03-22 15:54:11 0 d-----w- C:\Autoruns
2010-03-11 21:46:13 0 d-----w- c:\docume~1\juliep~1\applic~1\Smith Micro
2010-03-11 21:31:10 621056 ----a-w- c:\windows\system32\drivers\mod7700.sys
2010-03-11 21:31:10 24448 ----a-w- c:\windows\system32\drivers\ewdcsc.sys
2010-03-11 21:31:10 103168 ----a-w- c:\windows\system32\drivers\ewusbfake.sys
2010-03-11 21:31:10 101120 ----a-w- c:\windows\system32\drivers\ewusbmdm.sys
2010-03-11 21:31:10 100992 ----a-w- c:\windows\system32\drivers\ewusbnet.sys
2010-03-11 21:30:33 0 d-----w- c:\program files\Alltel
2010-03-09 07:19:07 601 ----a-w- C:\MFW6.xml
2010-03-04 01:37:08 601 ----a-w- C:\MFW5.xml
2010-02-25 06:11:54 0 d-----w- c:\docume~1\juliep~1\applic~1\Office Genuine Advantage

==================== Find3M ====================

2010-03-21 02:51:18 76173 ----a-w- c:\windows\system32\nvModes.dat
2009-12-31 16:50:03 353792 ------w- c:\windows\system32\dllcache\srv.sys
2009-12-31 15:33:06 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-12-31 15:33:06 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2009-08-12 13:00:12 7649344 -c--a-w- c:\program files\TOPSBDM.exe
2009-05-13 03:18:29 621151 -c--a-w- c:\program files\Belkin.zip
2009-05-10 13:52:55 545936 -c--a-w- c:\program files\TaskswitchPowertoySetup.exe
2009-05-10 13:50:24 526448 -c--a-w- c:\program files\MagnifierPowertoySetup.exe
2009-05-10 13:39:43 532616 -c--a-w- c:\program files\ImageResizerPowertoySetup.exe
2009-03-21 06:31:13 37452296 -c--a-w- c:\program files\Ad-AwareAE.exe
2009-03-01 14:48:58 26404188 -c--a-w- c:\program files\FSIndexing_Setup.exe
2009-02-03 16:42:26 2058849 -c--a-w- c:\program files\ieSpellSetup251106.exe
2008-11-28 12:47:26 7508624 -c--a-w- c:\program files\Firefox Setup 3.0.4.exe
2008-09-13 20:34:30 76576104 -c--a-w- c:\program files\Zoombrowser 6.1.exe
2008-09-13 02:47:29 20989952 ----a-w- c:\program files\Family archive viewer.exe
2008-08-21 15:23:59 299294000 -c--a-w- c:\program files\ADBEDRWVCS3_WWE.exe
2008-08-21 06:17:05 7281152 -c--a-w- c:\program files\irfanview_plugins_420_setup.exe
2008-08-21 06:05:54 1305600 -c--a-w- c:\program files\iview420_setup.exe
2008-08-20 02:40:13 17950304 -c--a-w- c:\program files\gimp-2.4.6-i686-setup.exe
2008-08-17 02:30:54 9132408 -c--a-w- c:\program files\bookcollectorsetup_10077703.exe
2008-08-09 20:21:40 9627504 -c--a-w- c:\program files\yahoo_bejeweled2_tm6-2.exe
2008-08-09 17:14:47 9627504 -c--a-w- c:\program files\yahoo_bejeweled2_tm6-2b.exe
2008-08-08 06:17:21 63530280 -c--a-w- c:\program files\iTunesSetup.exe
2008-07-22 05:34:47 39910 -c--a-w- c:\program files\gzip.exe
2008-07-12 03:56:30 34130184 -c--a-w- c:\program files\GoogleSketchUpWEN.exe
2008-06-11 22:45:35 10091750 -c--a-w- c:\program files\PAF5EnglishSetup.exe
2008-06-07 06:05:37 6039048 -c--a-w- c:\program files\Firefox Setup 2.0.0.14.exe
2008-05-11 06:02:34 23510720 -c--a-w- c:\program files\dotnetfx.exe
2008-05-11 04:58:05 33364256 -c--a-w- c:\program files\ArcGISExplorerDownload.exe
2008-02-13 03:00:16 25685128 ----a-w- c:\program files\wordview_en-us.exe
2007-10-28 01:58:22 779312 -c--a-w- c:\program files\MoveMediaPlayer_07074039.exe
2007-10-25 03:01:51 13411824 -c--a-w- c:\program files\Google_Earth_BZXV.exe
2007-03-21 21:36:20 10857 -c--a-w- c:\program files\Dreamweaver CS3 Read Me.html
2005-05-26 21:35:42 1422 -c--a-w- c:\program files\ReadMe.txt
2009-10-31 19:50:41 16384 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2009-02-27 13:48:49 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009022720090228\index.dat

============= FINISH: 17:59:54.73 ===============



Here is the gmer log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-26 20:09:20
Windows 5.1.2600 Service Pack 3
Running: ddq7ci50.exe; Driver: C:\DOCUME~1\JULIEP~1\LOCALS~1\Temp\pxdyyaod.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwAdjustPrivilegesToken [0xF40B358C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwClose [0xF40B3E0C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwConnectPort [0xF40B4922]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateEvent [0xF40B4E94]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateFile [0xF40B40EE]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateKey [0xF40B2436]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateMutant [0xF40B4D6C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateNamedPipeFile [0xF40B3192]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreatePort [0xF40B4C28]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateSection [0xF40B334E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateSemaphore [0xF40B4FC6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateSymbolicLinkObject [0xF40B6C08]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateThread [0xF40B3AAA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateWaitablePort [0xF40B4CCA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDebugActiveProcess [0xF40B65FA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDeleteKey [0xF40B29FA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDeleteValueKey [0xF40B2D88]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDeviceIoControlFile [0xF40B4576]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDuplicateObject [0xF40B75CA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwEnumerateKey [0xF40B2ECA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwEnumerateValueKey [0xF40B2F74]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwFsControlFile [0xF40B4382]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwLoadDriver [0xF40B668C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwLoadKey [0xF40B2412]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwLoadKey2 [0xF40B2424]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwMapViewOfSection [0xF40B6CBC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwNotifyChangeKey [0xF40B30C0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenEvent [0xF40B4F36]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenFile [0xF40B3E8E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenKey [0xF40B25DC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenMutant [0xF40B4E04]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenProcess [0xF40B3792]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenSection [0xF40B6C32]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenSemaphore [0xF40B5068]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenThread [0xF40B36B6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueryKey [0xF40B301E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueryMultipleValueKey [0xF40B2C46]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQuerySection [0xF40B6FD4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueryValueKey [0xF40B2896]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueueApcThread [0xF40B6922]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwRenameKey [0xF40B2B0E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwReplaceKey [0xF40B22B0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwReplyPort [0xF40B53F2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwReplyWaitReceivePort [0xF40B52B8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwRequestWaitReplyPort [0xF40B639A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwRestoreKey [0xF40B9E2C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwResumeThread [0xF40B74AC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSaveKey [0xF40B2248]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSecureConnectPort [0xF40B465C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetContextThread [0xF40B3CC8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetInformationToken [0xF40B5C4A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetSecurityObject [0xF40B6786]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetSystemInformation [0xF40B7114]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetValueKey [0xF40B271E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSuspendProcess [0xF40B71F8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSuspendThread [0xF40B7320]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSystemDebugControl [0xF40B6526]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwTerminateProcess [0xF40B390A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwTerminateThread [0xF40B3860]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwUnmapViewOfSection [0xF40B6E8A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwWriteVirtualMemory [0xF40B39EA]

Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) FsRtlCheckLockForReadAccess
Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) IoIsOperationSynchronous

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!FsRtlCheckLockForReadAccess 804EAF84 5 Bytes JMP F40A84DC \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)
.text ntkrnlpa.exe!IoIsOperationSynchronous 804EF912 5 Bytes JMP F40A88B6 \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)
.text ntkrnlpa.exe!ZwCallbackReturn + 2C98 80504534 16 Bytes [4E, 33, 0B, F4, C6, 4F, 0B, ...]
.text ntkrnlpa.exe!ZwCallbackReturn + 2D54 805045F0 12 Bytes [8C, 66, 0B, F4, 12, 24, 0B, ...] {MOV WORD [ESI+0xb], FS; HLT ; ADC AH, [EBX+ECX]; HLT ; AND AL, 0x24; OR ESI, ESP}
.text ntkrnlpa.exe!ZwCallbackReturn + 2ED0 8050476C 16 Bytes [0E, 2B, 0B, F4, B0, 22, 0B, ...]
.text ntkrnlpa.exe!ZwCallbackReturn + 2FC4 80504860 12 Bytes [F8, 71, 0B, F4, 20, 73, 0B, ...]
.text ntkrnlpa.exe!ZwCallbackReturn + 3024 805048C0 4 Bytes JMP F4F40B39
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF6666360, 0x212B5D, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[2820] ntdll.dll!NtFlushVirtualMemory 7C90D35E 5 Bytes JMP 00346DCE C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[2820] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 003472BA C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[2820] ntdll.dll!NtReadFile 7C90D9CE 5 Bytes JMP 00345BBB C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[2820] ntdll.dll!NtUnmapViewOfSection 7C90DF0E 5 Bytes JMP 0034737D C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[2820] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 0034724D C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[2820] kernel32.dll!ReadFile 7C801812 7 Bytes JMP 00345AF1 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[2820] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 003473E3 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[2820] kernel32.dll!CreateFileMappingW 7C80943C 5 Bytes JMP 00346C79 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[2820] kernel32.dll!CloseHandle 7C809BE7 5 Bytes JMP 0034595F C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[2820] kernel32.dll!GetDriveTypeW 7C80B370 5 Bytes JMP 003461DA C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[2820] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 003465B6 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[2820] kernel32.dll!DuplicateHandle 7C80DE9E 7 Bytes JMP 00346AEA C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[2820] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 0034633F C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[2820] kernel32.dll!FindClose 7C80EE77 7 Bytes JMP 00346261 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[2820] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 003462BB C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[2820] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00346035 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[2820] kernel32.dll!GetFileSizeEx 7C810AA9 1 Byte [E9]
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[2820] kernel32.dll!GetFileSizeEx 7C810AA9 5 Bytes JMP 003466AD C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[2820] kernel32.dll!GetFileInformationByHandle 7C810D0D 5 Bytes JMP 00346A54 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[2820] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 003459B9 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[2820] kernel32.dll!GetFileAttributesExW 7C811195 5 Bytes JMP 003464E4 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[2820] kernel32.dll!GetLongPathNameW 7C8133F3 5 Bytes JMP 00346EA5 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[2820] kernel32.dll!GetShortPathNameW 7C81F26E 5 Bytes JMP 00346F53 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[2820] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 00346725 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[2820] kernel32.dll!SetFilePointerEx 7C821057 5 Bytes JMP 00347202 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[2820] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 00345C61 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[2820] kernel32.dll!ReadFileEx 7C82BD0B 5 Bytes JMP 00345BDA C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[2820] kernel32.dll!WriteFileGather 7C82DDB5 7 Bytes JMP 0034718A C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[2820] kernel32.dll!ReadFileScatter 7C82DE61 7 Bytes JMP 00346BE5 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[2820] kernel32.dll!SetFileAttributesW 7C8314DD 5 Bytes JMP 0034644C C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[2820] kernel32.dll!GetOverlappedResult 7C8315CC 1 Byte [E9]
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[2820] kernel32.dll!GetOverlappedResult 7C8315CC 5 Bytes JMP 003469D0 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[2820] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 00346135 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[2820] kernel32.dll!SetEndOfFile 7C832076 5 Bytes JMP 00347001 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[2820] kernel32.dll!FlushViewOfFile 7C8359A1 5 Bytes JMP 00346D63 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[2820] kernel32.dll!RemoveDirectoryW 7C836F8B 5 Bytes JMP 00345E5A C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[2820] kernel32.dll!BackupRead 7C85725A 5 Bytes JMP 00346E31 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[2820] kernel32.dll!CreateDirectoryExW 7C85B5CA 5 Bytes JMP 00345F4C C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[2820] kernel32.dll!WriteFileEx 7C85D6D9 5 Bytes JMP 00345A83 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[2820] kernel32.dll!GetCompressedFileSizeW 7C85E349 5 Bytes JMP 00347108 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[2820] kernel32.dll!CreateHardLinkW 7C86C5AC 7 Bytes JMP 00347236 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[2820] USER32.dll!ExitWindowsEx 7E45A275 5 Bytes JMP 003471E7 C:\WINDOWS\system32\wxvault.dll

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\tcpip.sys[TDI.SYS!TdiRegisterDeviceObject] [F3B66820] \??\C:\WINDOWS\system32\drivers\kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\netbt.sys[TDI.SYS!TdiRegisterDeviceObject] [F3B66820] \??\C:\WINDOWS\system32\drivers\kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- EOF - GMER 1.0.15 ----


Thank you!!

Julie

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:01:35 PM

Posted 27 March 2010 - 06:39 AM

It looks like the scans have slowly removed, quarantined and deleted the threats.

Vundo is present and that's a stubborn infection, so please run the following scans.

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.


Then

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
NOTE: If no malware is found there will be no option to export the text file as no log will be produced. Let me know if this is the case.

Let's see if anything is staying put. Also, please let me know if there are any problems that you can identify on the PC now.

Thanks
m0le is a proud member of UNITE

#5 Daddys_Jewel

Daddys_Jewel
  • Topic Starter

  • Members
  • 61 posts
  • OFFLINE
  • Local time:06:35 AM

Posted 27 March 2010 - 05:26 PM

Hello,
Malwarebytes didn't find anything, but here's the log anyway.

Malwarebytes' Anti-Malware 1.44
Database version: 3921
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

3/27/2010 11:24:40 AM
mbam-log-2010-03-27 (11-24-40).txt

Scan type: Full Scan (C:\|)
Objects scanned: 267207
Time elapsed: 1 hour(s), 24 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

*************************************************************

Eset found one thing. Here's the log:

C:\Documents and Settings\Julie Pickett\Desktop\My Documents3\Julie\Genealogy\Sattelberg\Photos from Stanley\SetupPlaySushi.exe probably a variant of Win32/Adware.Gamevance.AE application cleaned by deleting - quarantined

*************************************************************

As far as noticing anything - before my scans last week I was having some sort of window pop up for a nanosecond a short time after booting up my computer, like something was launching. But I could never tell what it was as it never fully appeared on my screen - just blipped quickly. Since all of the scans and cleaning, that hasn't happened the last few days (that I've noticed). So maybe I'm clean now???

I was also having problems with being redirected when clicking a result link after using a search engine, but that ONLY happens when I use a dial up connection at work, not on my wireless connection at home. I won't know if that's better until I go to the office on Monday.

What do you think? Is the item that Eset found a real threat?

Thanks for your help!

Julie




#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:01:35 PM

Posted 27 March 2010 - 07:48 PM

QUOTE
I was also having problems with being redirected when clicking a result link after using a search engine, but that ONLY happens when I use a dial up connection at work, not on my wireless connection at home. I won't know if that's better until I go to the office on Monday.


Is the work PC networked to your home PC?

If not, then you must have an infected PC at work - a separate problem.


The ESET found an executable file which it's flagged as adware. This isn't a massive threat at all and this computer looks ready to roll.

Is there anything on the machine that is still concerning you?
m0le is a proud member of UNITE

#7 Daddys_Jewel

Daddys_Jewel
  • Topic Starter

  • Members
  • 61 posts
  • OFFLINE
  • Local time:06:35 AM

Posted 27 March 2010 - 08:59 PM

Sorry I wasn't more clear - this is a laptop that I use both at home and work. At home I use a wireless Internet connection. At work, I connect via modem and dial up. The redirecting happens only when I use this same laptop on the dial up connection.

If I have time tomorrow, I'll stop at the office and see if it still happens now that I appear to be clean and will report back here. If not tomorrow, then Monday.

Thanks,

Julie

#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:01:35 PM

Posted 27 March 2010 - 09:09 PM

Oh right, got you.

I'll wait for your report
m0le is a proud member of UNITE

#9 Daddys_Jewel

Daddys_Jewel
  • Topic Starter

  • Members
  • 61 posts
  • OFFLINE
  • Local time:06:35 AM

Posted 28 March 2010 - 03:41 PM

Okay, I stopped by the office and did some searches using Yahoo and Google. I kept getting hijacked/redirected while using the dial up connection, so something is still in my computer that shouldn't be. While on the dial up connection, I ran a 'Hijack This' scan and got a report. I hope this was okay as I wanted to get you some information to work with as I will not be back on the dial up until later tomorrow.

I had virus problems last year, and worked with somebody here on the forums and we got the major trojans dealt with, but I knew that I still had this redirecting problem. But then I went on an extended vacation and got busy, so I never finished dealing with this last nagging hijack problem. Before closing my topic last year, the person helping me said something about 'DNS' (I think). Perhaps that doesn't have anything to do with this, but I thought you might want this information.

Here's today's log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:29:03 PM, on 3/28/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
C:\Program Files\Wave Systems Corp\Common\DataServer.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Apoint\HidFind.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\system32\hphmon03.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtblfs.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Alltel\QuickLink Mobile\QuickLink Mobile.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6070223
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ievkbd.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint\Apoint.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Document Manager] "C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [hpppta] "C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hpppta.exe" /ICON
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\system32\hphmon03.exe
O4 - HKLM\..\Run: [hpqSRMon] "C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [NVHotkey] "rundll32.exe" nvHotkey.dll,Start
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe"
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: TotalMedia Backup Monitor.lnk = C:\Program Files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: &Virtual keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.davidrumsey.com
O15 - Trusted Zone: http://*.mcafee.com (HKLM)
O15 - Trusted Zone: http://betavscan.mcafeeasap.com (HKLM)
O15 - Trusted Zone: http://vs.mcafeeasap.com (HKLM)
O15 - Trusted Zone: http://www.mcafeeasap.com (HKLM)
O15 - ESC Trusted Zone: http://*.mcafee.com (HKLM)
O15 - ESC Trusted Zone: http://betavscan.mcafeeasap.com (HKLM)
O15 - ESC Trusted Zone: http://vs.mcafeeasap.com (HKLM)
O15 - ESC Trusted Zone: http://www.mcafeeasap.com (HKLM)
O16 - DPF: {00120000-B1BA-11CE-ABC6-F5B2E79D9E3F} (LEAD Main Control (12.1)) - file://D:\Julie\Health\ltocx12n.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Super Mah Jong Solitaire\Images\stg_drm.ocx
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8942.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1215548044421
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Super Mah Jong Solitaire\Images\armhelper.ocx
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A3038A4F-26C2-4A1C-814E-59A98464F304}: NameServer = 85.255.115.157 85.255.112.14
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DataSvr2 - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Common\DataServer.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: NTRU Hybrid TSS v2.0.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 12314 bytes

Thanks again for your help.

Julie
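The O17 line in the log above is the one entry that concerns name resolution: a NameServer value stored statically on a network interface key, which is exactly the setting that "Obtain DNS server address automatically" clears. The following is an added example, not part of this thread or of HijackThis, that parses O17 lines from a log and flags any resolver that is not on an allowlist the owner controls. The sample log lines are constructed (one copies the O17 entry posted above, the other uses a made-up interface GUID), and the allowlist of expected resolvers is an assumption standing in for the ISP's or home router's address.

```python
"""Audit HijackThis O17 (NameServer) entries against an allowlist of resolvers.

Added example for this thread; it is not HijackThis code. The sample log and the
EXPECTED_RESOLVERS set are constructed for the demonstration.
"""
import ipaddress
import re

# HijackThis prints O17 entries as:
#   O17 - HKLM\System\CCS\Services\Tcpip\..\{<interface GUID>}: NameServer = a.b.c.d e.f.g.h
# The GUID identifies the interface key under Tcpip\Parameters\Interfaces.
O17_RE = re.compile(
    r"^O17 - (?P<key>.*?\{(?P<guid>[0-9A-Fa-f-]+)\}): NameServer = (?P<servers>.+?)\s*$"
)

# Constructed sample: the O17 line from the posted log plus a second, made-up
# interface whose resolver is the home router.
SAMPLE_LOG = "\n".join([
    r"O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{A3038A4F-26C2-4A1C-814E-59A98464F304}: NameServer = 85.255.115.157 85.255.112.14",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000001}: NameServer = 192.168.1.1",
    r"O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll",
])

# Assumption: the resolvers the owner expects (home router / ISP). Anything else
# configured statically on an interface deserves a look.
EXPECTED_RESOLVERS = {"192.168.1.1"}


def parse_o17(log_text):
    """Return [(interface_guid, [server, ...]), ...] for every O17 line in the log."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line)
        if not m:
            continue
        servers = [s for s in re.split(r"[\s,]+", m.group("servers")) if s]
        entries.append((m.group("guid"), servers))
    return entries


def audit_nameservers(log_text, expected=EXPECTED_RESOLVERS):
    """Return (interface_guid, server, reason) for each resolver outside the allowlist.

    Static NameServer values override what DHCP hands out, so a public address
    here that the owner did not configure is a redirection risk.
    """
    findings = []
    for guid, servers in parse_o17(log_text):
        for server in servers:
            try:
                ip = ipaddress.ip_address(server)
            except ValueError:
                findings.append((guid, server, "not an IP address"))
                continue
            if server in expected:
                continue
            if ip.is_private:
                findings.append((guid, server, "private address not in allowlist"))
            else:
                findings.append((guid, server, "public resolver hard-coded on interface"))
    return findings


if __name__ == "__main__":
    for guid, server, reason in audit_nameservers(SAMPLE_LOG):
        print(f"interface {{{guid}}}: {server} -> {reason}")
```

The check is deliberately allowlist-based rather than blocklist-based: the owner knows which resolvers the router or ISP should be handing out, whereas a list of "bad" DNS servers goes stale. Because it reads a log rather than the live registry, re-run HijackThis after the DNS setting has been changed and the connection re-established before trusting a clean result.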


#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:01:35 PM

Posted 28 March 2010 - 03:51 PM

A clean PC and a redirection usually means that we need to flush the DNS and reset the Hosts file. The HijackThis log doesn't give me quite enough to work out which so please follow these instructions when you next connect to the dial-up.
  • Open Control Panel and navigate to "Network and Internet Connections"
  • Then click Network and Internet Connections
  • Now select your active Internet connection and right-click on it. For example, if you are using a wireless connection, right-click on "Wireless Network Connection"
  • Select the TCP/IP service in the list and then click properties
  • Change DNS to "Obtain DNS server address automatically"

Please open the command prompt:
Start > Run > type cmd and then ‘OK’. Then type the following into the black window:
CODE
C:\>ipconfig /flushdns

Then tap the enter button on your keyboard.
You should see the following confirmation:
QUOTE
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.


Please download HostsXpert 4.3
  • Extract (unzip) HostsXpert.zip to a permanent folder on your hard drive such as C:\HostsXpert
  • Double-click HostsXpert.exe to run the program.
  • Click "Restore MS Hosts File".
  • Click OK at the confirmation box.
  • Click "Make Read Only".
  • Click the X to exit the program.
-- Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

Now give it a try. If there is still an issue then please run DDS and post the log.
m0le is a proud member of UNITE
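A defender-side check that goes with the Hosts file reset above, added here as an example and not part of the original thread or of HostsXpert: it parses Windows HOSTS content and flags every entry that is not a loopback mapping, which is the kind of entry a hosts-based search redirect relies on. The sample HOSTS text and the example.com/example.net names are constructed for illustration.

```python
"""Audit a Windows HOSTS file for redirect-style entries (added example).

Stock Windows XP ships a HOSTS file containing only the loopback entry
below; a custom file may add more loopback entries, but a mapping that
sends a well-known name to some other address, or blackholes it, is what
a hosts-based redirect looks like."""
import ipaddress

DEFAULT_HOSTS = "127.0.0.1       localhost\n"   # what "Restore MS Hosts File" writes

# Constructed sample: one stock entry, one benign custom entry, and two
# entries of the kind a search-redirect hijacker adds.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       mymachine.local          # benign custom entry
203.0.113.7     search.example.com       # search traffic sent elsewhere
0.0.0.0         antivirus.example.net    # vendor site blackholed
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name


def audit_hosts(text):
    """Return (ip, name, reason) for every entry that is not a loopback mapping."""
    suspicious = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            suspicious.append((ip, name, "unparseable address"))
            continue
        if addr.is_loopback:          # 127.0.0.0/8 or ::1: normal
            continue
        reason = "blackholed" if addr.is_unspecified else "redirected to " + ip
        suspicious.append((ip, name, reason))
    return suspicious


if __name__ == "__main__":
    for ip, name, reason in audit_hosts(SAMPLE_HOSTS):
        print("%-16s %-26s %s" % (ip, name, reason))
```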

#11 Daddys_Jewel

  • Topic Starter

  • Members
  • 61 posts

Posted 29 March 2010 - 02:44 PM

It seems to have worked. I followed all of your instructions and ran a dozen searches and never got redirected when I clicked on the results links.

Thought I should add - At first I didn't think it worked as I went right from your instructions to running a search and I got redirected right away. But then I thought that maybe I needed to disconnect and then reconnect for the changes to take effect. Sure enough, the problem was gone after I reconnected. Maybe that should be added to the instructions??

Thank you very much for all of your help! Bravo to m0le!

Have a fantastic week!!

Julie

#12 m0le


    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 29 March 2010 - 03:49 PM

QUOTE
Sure enough, the problem was gone after I reconnected. Maybe that should be added to the instructions??


You may be right there. I shall check that out.

Thanks, glad that you are free of malware. Read and action the following instructions to complete the fix.


You're clean. Good stuff!

Let's do some clearing up

Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.

Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

------------------------------------------------------------------------------------------------------------------------

Here's some advice on how you can keep your PC clean


Update your AntiVirus Software

It is imperative that you update your Antivirus software at least once a week (even more often if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.


Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version or the Pro version for a 15 day trial period.

Installing this or another recommended program will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis, just as you would with antivirus software.


Finally, here's a treasure trove of antivirus, antimalware and antispyware resources


That's it Daddys_Jewel, happy surfing!

Cheers.

m0le
m0le is a proud member of UNITE

#13 Daddys_Jewel

  • Topic Starter

  • Members
  • 61 posts

Posted 29 March 2010 - 10:15 PM

Followed your final instructions to the letter. Thanks!

An unexpected bonus is that my Microsoft Office products load so much faster than before all of this cleaning. I always thought they took a bit long to open up and I might have to reinstall, but now they open very quickly. My computer boots up so much faster, too.

I'm very grateful for your help!

Julie



#14 m0le


    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 30 March 2010 - 01:52 PM

You're welcome, I'm glad I could help.
m0le is a proud member of UNITE

#15 m0le


    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 03 April 2010 - 07:48 PM

Since this issue appears to be resolved ... this topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE
