
Computer is slow, internet redirects or drops pages


29 replies to this topic

#1 Kyle Evans

Posted 30 March 2010 - 10:35 PM

Hey guys, my computer (Vista laptop, 32-bit) has been extremely slow lately. It cannot connect to Spybot or Trend Micro to download updates for their various programs (Spybot and the Trend Micro online scan). It occasionally redirects me somewhere random when I Google stuff. Sometimes the Google links do not even work, and other times it redirects me to Facebook. I have included my HijackThis log file as a starting point. If anyone has any ideas, can you please help me out!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:27:05 PM, on 30/03/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18882)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\taskmgr.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Kyle\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O13 - Gopher Prefix:
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1C45EAE9-C132-418D-9E37-9081A5F81423}: NameServer = 93.188.163.40,93.188.166.14
O17 - HKLM\System\CCS\Services\Tcpip\..\{B7CC9AD7-C4DC-47FF-AC64-56F5C83A936B}: NameServer = 93.188.163.40,93.188.166.14
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.163.40,93.188.166.14
O17 - HKLM\System\CS1\Services\Tcpip\..\{1C45EAE9-C132-418D-9E37-9081A5F81423}: NameServer = 93.188.163.40,93.188.166.14
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.163.40,93.188.166.14
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\system32\aestsrv.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 5280 bytes
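An added example (not code from the thread, from HijackThis or from the helpers): a Python script that parses O17 NameServer entries in the format shown in the log above and reports resolvers pinned outside an allow-list of networks the administrator supplies. The allow-list (RFC 1918 ranges), the router entry and the empty NameServer entry in the sample are constructed assumptions; the other two sample O17 lines reproduce entries from the log.

```python
"""Audit HijackThis O17 (NameServer) entries.

Added example for this thread; it is not code from HijackThis or from the
BleepingComputer helpers. It parses O17 lines in the format shown in the log
above and reports resolvers pinned outside an administrator-supplied allow-list.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample. The first two O17 lines reproduce entries from the log
# above; the router entry and the empty NameServer entry are made up to
# exercise the allow-list and the DHCP-assigned (empty) case.
SAMPLE_LOG = r"""
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1C45EAE9-C132-418D-9E37-9081A5F81423}: NameServer = 93.188.163.40,93.188.166.14
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.163.40,93.188.166.14
O17 - HKLM\System\CCS\Services\Tcpip\..\{B7CC9AD7-C4DC-47FF-AC64-56F5C83A936B}: NameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer =
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
"""

# Assumption: on a home laptop DNS normally comes from DHCP, so the only
# resolvers expected to be pinned are on the local network (RFC 1918 ranges).
ALLOWED_NETWORKS = ["192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12"]

# HijackThis prints the control set (CCS = CurrentControlSet, CS1 = ControlSet001)
# and either an adapter GUID or the global Tcpip\Parameters key.
O17_RE = re.compile(
    r"^O17 - (?P<key>HKLM\\System\\(?P<cs>CCS|CS\d+)\\Services\\Tcpip\\"
    r"(?:\.\.\\(?P<iface>\{[0-9A-Fa-f-]+\})|Parameters)): NameServer = ?(?P<servers>.*)$"
)


@dataclass
class O17Entry:
    key: str          # registry path as printed by HijackThis
    control_set: str  # "CCS", "CS1", ...
    interface: str    # adapter GUID, or "global" for Tcpip\Parameters
    servers: list     # resolver strings in listed order; empty means DHCP-assigned


def parse_o17(log_text):
    """Return one O17Entry per O17 line; other HijackThis sections are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        # Windows accepts comma- or space-separated resolver lists.
        servers = [s for s in re.split(r"[,\s]+", m.group("servers").strip()) if s]
        entries.append(O17Entry(m.group("key"), m.group("cs"),
                                m.group("iface") or "global", servers))
    return entries


def classify_servers(servers, allowed_networks):
    """Split resolver strings into (allowed, unexpected, unparsable) lists."""
    nets = [ip_network(n) for n in allowed_networks]
    allowed, unexpected, unparsable = [], [], []
    for s in servers:
        try:
            ip = ip_address(s)
        except ValueError:
            unparsable.append(s)   # garbage in NameServer is itself worth a look
            continue
        (allowed if any(ip in n for n in nets) else unexpected).append(s)
    return allowed, unexpected, unparsable


def audit_o17(log_text, allowed_networks):
    """Return a finding for every O17 entry that pins a resolver outside the allow-list."""
    findings = []
    for e in parse_o17(log_text):
        _, unexpected, unparsable = classify_servers(e.servers, allowed_networks)
        if unexpected or unparsable:
            findings.append({"key": e.key, "control_set": e.control_set,
                             "interface": e.interface,
                             "unexpected": unexpected, "unparsable": unparsable})
    return findings


def resolver_footprint(entries):
    """Map each resolver to the (control set, interface) pairs that pin it.

    A resolver present in both CCS and CS1 survives a boot from
    'Last Known Good', which is why both control sets are worth checking.
    """
    footprint = {}
    for e in entries:
        for s in e.servers:
            footprint.setdefault(s, set()).add((e.control_set, e.interface))
    return footprint


if __name__ == "__main__":
    for f in audit_o17(SAMPLE_LOG, ALLOWED_NETWORKS):
        print(f"{f['control_set']:>4} {f['interface']:<40} unexpected={f['unexpected']} "
              f"unparsable={f['unparsable']}")
    for server, where in sorted(resolver_footprint(parse_o17(SAMPLE_LOG)).items()):
        print(f"{server:<16} pinned in {sorted(where)}")
```

Run against the full log above, the footprint shows the same resolver pair pinned on both adapters and on the global key in both CCS and CS1, which is the detail a responder compares against what the router actually hands out.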



#2 thewall (Malware Response Team)

Posted 04 April 2010 - 09:51 AM

Hello Kyle Evans, welcome to the BC HijackThis Log and Analysis forum. I will be assisting you in cleaning up your system.

I ask that you refrain from running tools other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

In the upper right hand corner of the topic you will see a button called Options. If you click on this, in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Please keep in mind that we have a large backlog of users just like yourself waiting to be helped, so try to be as timely as possible in your replies. Since we do this on a part-time voluntary basis we are limited on how many logs we can respond to and keep open due to time restraints. If you have to be away or can't answer for some other reason just let me know. Thank you for your understanding.

After 5 days, if a topic is not replied to, we assume it has been abandoned and it is closed.

In order to better assist you I will need the following:

Download DDS and save it to your desktop from here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop, post the DDS.txt in the reply window and attach the Attach.txt
  • If you have any CD emulation software such as Daemon or Alcohol, please run the following before you run GMER. If you do not, skip DeFogger and go right on to GMER. If you do use it, let me know so we can re-enable it when we finish up.

Disable:

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers.
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

Disable your antivirus along with other security programs such as Windows Defender or TeaTimer before running the following. Instructions can be found Here.

Download GMER Rootkit Scanner from here to your desktop.
  • Double click the exe file.
  • If it gives you a warning about rootkit activity and asks if you want to run a scan, click on NO, then use the following settings for a more complete scan.

  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
Save it where you can easily find it, such as your desktop, and post it in reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

If GMER does not want to run, add the following to those that you unchecked and try it again:

  • Registry
  • Files

Note: Please make only the Attach.txt from DDS an attachment, post the other logs directly into the reply window.

Thanks,

thewall

If I have helped you then please consider donating so I can continue the fight against malware
All donations go directly to the helper

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#3 Kyle Evans (Topic Starter)

Posted 04 April 2010 - 11:49 PM

    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Kyle at 22:21:59.07 on 04/04/2010
    Internet Explorer: 8.0.6001.18904 BrowserJavaVersion: 1.6.0_18
    Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.2.1033.18.2037.962 [GMT -6:00]

    SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\bcmwltry.exe
    C:\Windows\system32\WLANExt.exe
    C:\Windows\System32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\aestsrv.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\STacSV.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\System32\WLTRAY.EXE
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\Explorer.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Common Files\Java\Java Update\jucheck.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\Windows Live\Contacts\wlcomm.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Users\Kyle\Downloads\dds.scr
    C:\Windows\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
    mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: igfxcui - igfxdev.dll
    Hosts: 127.0.0.1 www.spywareinfo.com

    ================= FIREFOX ===================

    FF - ProfilePath - c:\users\kyle\appdata\roaming\mozilla\firefox\profiles\segrcm9u.default\
    FF - prefs.js: browser.startup.homepage - www.google.ca
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

    ============= SERVICES / DRIVERS ===============

    R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-1-18 11608]
    R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\AEstSrv.exe [2010-1-18 73728]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-1-18 108289]
    R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-1-18 185089]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-1-18 56816]
    R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-1-18 1153368]
    R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2010-1-18 111616]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-1 136176]
    S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-1-18 38224]

    =============== Created Last 30 ================

    2010-04-01 00:36:38 0 d-sh--w- C:\$RECYCLE.BIN
    2010-04-01 00:26:23 0 d-----w- C:\ComboFix
    2010-03-31 03:49:48 77312 ----a-w- c:\windows\MBR.exe
    2010-03-31 03:49:48 261632 ----a-w- c:\windows\PEV.exe
    2010-03-31 03:49:48 161792 ----a-w- c:\windows\SWREG.exe
    2010-03-31 03:49:47 98816 ----a-w- c:\windows\sed.exe
    2010-03-28 21:57:01 0 d-----w- c:\users\kyle\appdata\roaming\CreeperWorld.BA6B793AB2C9FDD744493F22666C1F8DFA806A5E.1
    2010-03-28 21:46:42 0 d-----w- c:\users\kyle\appdata\roaming\CreeperMap.BA6B793AB2C9FDD744493F22666C1F8DFA806A5E.1
    2010-03-28 21:46:42 0 d-----w- c:\users\kyle\appdata\roaming\CreeperMap
    2010-03-22 02:08:18 330264 ----a-w- c:\windows\system32\drivers\iaStor.sys
    2010-03-10 03:11:07 0 ----a-w- c:\users\kyle\jagex__preferences3.dat
    2010-03-10 03:07:58 69 ----a-w- c:\users\kyle\jagex_runescape_preferences2.dat
    2010-03-10 03:07:01 41 ----a-w- c:\users\kyle\jagex_runescape_preferences.dat
    2010-03-10 03:06:46 0 d-----w- C:\.jagex_cache_32
    2010-03-08 01:55:18 0 d-----w- c:\programdata\NOS

    ==================== Find3M ====================

    2010-03-22 02:09:45 86016 ----a-w- c:\windows\inf\infstrng.dat
    2010-03-22 02:09:45 51200 ----a-w- c:\windows\inf\infpub.dat
    2010-03-22 02:09:39 86016 ----a-w- c:\windows\inf\infstor.dat
    2010-02-23 06:39:13 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-02-23 06:33:45 71680 ----a-w- c:\windows\system32\iesetup.dll
    2010-02-23 06:33:45 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2010-02-23 04:55:36 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2010-02-01 03:14:13 411368 ----a-w- c:\windows\system32\deploytk.dll
    2010-01-25 12:00:35 471552 ----a-w- c:\windows\system32\secproc_isv.dll
    2010-01-25 12:00:35 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
    2010-01-25 12:00:35 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
    2010-01-25 12:00:22 471552 ----a-w- c:\windows\system32\secproc.dll
    2010-01-25 11:58:52 332288 ----a-w- c:\windows\system32\msdrm.dll
    2010-01-25 08:21:20 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
    2010-01-25 08:21:20 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
    2010-01-25 08:21:18 518144 ----a-w- c:\windows\system32\RMActivate.exe
    2010-01-25 08:21:18 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
    2010-01-24 00:40:18 56 ---ha-w- c:\programdata\ezsidmv.dat
    2010-01-23 09:26:13 2048 ----a-w- c:\windows\system32\tzres.dll
    2010-01-23 08:19:53 665600 ----a-w- c:\windows\inf\drvindex.dat
    2010-01-19 17:27:57 37665 ----a-w- c:\windows\fonts\GlobalUserInterface.CompositeFont
    2010-01-14 18:12:06 181120 ------w- c:\windows\system32\MpSigStub.exe
    2010-01-06 15:39:38 1696256 ----a-w- c:\windows\system32\gameux.dll
    2010-01-06 15:38:47 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
    2010-01-06 13:30:41 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
    2008-01-21 02:57:01 174 --sha-w- c:\program files\desktop.ini
    2006-11-02 12:39:34 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
    2006-11-02 12:39:34 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
    2006-11-02 12:39:34 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
    2006-11-02 12:39:34 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
    2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
    2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
    2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
    2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat

    ============= FINISH: 22:23:32.09 ===============



    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-04-04 22:48:45
    Windows 6.0.6002 Service Pack 2
    Running: ylc5637v.exe; Driver: C:\Users\Kyle\AppData\Local\Temp\kwlyrpow.sys


    ---- System - GMER 1.0.15 ----

    SSDT A42D976C ZwCreateThread
    SSDT A42D9758 ZwOpenProcess
    SSDT A42D975D ZwOpenThread
    SSDT A42D9767 ZwTerminateProcess

    INT 0x01 ? A68072A4

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- EOF - GMER 1.0.15 ----


#4 thewall (Malware Response Team)

Posted 05 April 2010 - 12:08 AM

Your log shows you have installed ComboFix. I will need the log it produced, which is located at C:\ComboFix.txt

#5 Kyle Evans (Topic Starter)

Posted 05 April 2010 - 07:27 AM

Yeah, sorry, I ran this a few days ago or so...

    ComboFix 10-03-29.04 - Kyle 31/03/2010 18:27:41.2.2 - x86
    Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.2.1033.18.2037.1184 [GMT -6:00]
    Running from: c:\users\Kyle\Desktop\ComboFix.exe
    SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    .

    ((((((((((((((((((((((((( Files Created from 2010-03-01 to 2010-04-01 )))))))))))))))))))))))))))))))
    .

    2010-04-01 00:34 . 2010-04-01 00:34 -------- d-----w- c:\users\Kyle\AppData\Local\temp
    2010-04-01 00:34 . 2010-04-01 00:34 -------- d-----w- c:\users\Public\AppData\Local\temp
    2010-04-01 00:34 . 2010-04-01 00:34 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-04-01 00:25 . 2010-04-01 00:26 -------- d-----w- C:\32788R22FWJFW
    2010-03-31 04:06 . 2010-03-31 04:06 -------- d-----w- c:\windows\Sun
    2010-03-28 21:57 . 2010-03-28 21:57 -------- d-----w- c:\users\Kyle\AppData\Roaming\CreeperWorld.BA6B793AB2C9FDD744493F22666C1F8DFA806A5E.1
    2010-03-28 21:46 . 2010-03-28 21:46 -------- d-----w- c:\users\Kyle\AppData\Roaming\CreeperMap
    2010-03-28 21:46 . 2010-03-28 21:46 -------- d-----w- c:\users\Kyle\AppData\Roaming\CreeperMap.BA6B793AB2C9FDD744493F22666C1F8DFA806A5E.1
    2010-03-22 02:08 . 2009-06-05 00:43 330264 ----a-w- c:\windows\system32\drivers\iaStor.sys
    2010-03-10 03:11 . 2010-03-10 03:11 0 ----a-w- c:\users\Kyle\jagex__preferences3.dat
    2010-03-10 03:07 . 2010-03-17 12:40 69 ----a-w- c:\users\Kyle\jagex_runescape_preferences2.dat
    2010-03-10 03:07 . 2010-03-17 12:38 41 ----a-w- c:\users\Kyle\jagex_runescape_preferences.dat
    2010-03-10 03:06 . 2010-03-10 05:04 -------- d-----w- C:\.jagex_cache_32
    2010-03-08 01:57 . 2010-03-08 01:57 -------- d-----w- c:\program files\Common Files\Adobe
    2010-03-08 01:55 . 2010-03-08 01:59 -------- d-----w- c:\users\Kyle\AppData\Local\Adobe
    2010-03-08 01:55 . 2010-03-08 01:55 86016 ----a-w- c:\programdata\NOS\Adobe_Downloads\arh.exe
    2010-03-08 01:55 . 2010-03-10 03:35 -------- d-----w- c:\programdata\NOS

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-03-31 04:47 . 2010-01-19 04:17 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2010-03-31 04:15 . 2010-01-19 04:17 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-03-31 01:49 . 2010-01-19 23:15 -------- d-----w- c:\program files\CCleaner
    2010-03-31 01:48 . 2010-01-24 00:07 -------- d-----r- c:\program files\Skype
    2010-03-31 01:32 . 2010-02-25 05:42 -------- d-----w- c:\program files\KnuckleCracker
    2010-03-28 21:52 . 2010-02-25 05:42 -------- d-----w- c:\users\Kyle\AppData\Roaming\CreeperWorld
    2010-03-24 09:02 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
    2010-03-22 02:07 . 2010-01-19 01:31 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-03-15 03:12 . 2010-01-19 04:15 -------- d-----w- c:\users\Kyle\AppData\Roaming\vlc
    2010-03-14 06:24 . 2010-01-20 04:46 -------- d-----w- c:\users\Kyle\AppData\Roaming\dvdcss
    2010-03-12 13:20 . 2010-01-19 01:18 680 ----a-w- c:\users\Kyle\AppData\Local\d3d9caps.dat
    2010-02-25 05:42 . 2010-02-25 05:42 -------- d-----w- c:\users\Kyle\AppData\Roaming\CreeperWorldDEMO.BA6B793AB2C9FDD744493F22666C1F8DFA806A5E.1
    2010-02-25 05:40 . 2010-02-25 05:40 -------- d-----w- c:\program files\Common Files\Adobe AIR
    2010-02-25 05:40 . 2010-02-25 05:41 38784 ----a-w- c:\users\Kyle\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
    2010-02-25 05:40 . 2010-02-25 05:40 38784 ----a-w- c:\users\Default\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
    2010-02-24 10:20 . 2010-01-19 01:18 52272 ----a-w- c:\users\Kyle\AppData\Local\GDIPFONTCACHEV1.DAT
    2010-02-24 05:07 . 2010-01-19 04:53 -------- d-----w- c:\users\Kyle\AppData\Roaming\Ventrilo
    2010-02-23 06:39 . 2010-03-31 04:41 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-02-23 06:33 . 2010-03-31 04:41 71680 ----a-w- c:\windows\system32\iesetup.dll
    2010-02-23 06:33 . 2010-03-31 04:41 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2010-02-23 04:55 . 2010-03-31 04:41 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2010-02-23 02:40 . 2010-01-24 00:08 -------- d-----w- c:\users\Kyle\AppData\Roaming\Skype
    2010-02-23 02:39 . 2010-01-24 00:40 -------- d-----w- c:\users\Kyle\AppData\Roaming\skypePM
    2010-02-01 03:15 . 2010-02-01 03:15 -------- d-----w- c:\program files\Common Files\Java
    2010-02-01 03:14 . 2010-02-01 03:14 411368 ----a-w- c:\windows\system32\deploytk.dll
    2010-02-01 03:14 . 2010-02-01 03:14 -------- d-----w- c:\program files\Java
    2010-01-25 12:00 . 2010-02-24 00:45 471552 ----a-w- c:\windows\system32\secproc_isv.dll
    2010-01-25 12:00 . 2010-02-24 00:45 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
    2010-01-25 12:00 . 2010-02-24 00:45 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
    2010-01-25 12:00 . 2010-02-24 00:45 471552 ----a-w- c:\windows\system32\secproc.dll
    2010-01-25 11:58 . 2010-02-24 00:45 332288 ----a-w- c:\windows\system32\msdrm.dll
    2010-01-25 08:21 . 2010-02-24 00:45 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
    2010-01-25 08:21 . 2010-02-24 00:45 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
    2010-01-25 08:21 . 2010-02-24 00:45 518144 ----a-w- c:\windows\system32\RMActivate.exe
    2010-01-25 08:21 . 2010-02-24 00:45 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
    2010-01-24 00:40 . 2010-01-24 00:40 56 ---ha-w- c:\programdata\ezsidmv.dat
    2010-01-23 09:26 . 2010-02-24 00:46 2048 ----a-w- c:\windows\system32\tzres.dll
    2010-01-23 08:19 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
    2010-01-20 03:54 . 2010-01-19 03:54 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2010-01-19 01:20 . 2010-01-19 01:20 45056 ----a-r- c:\users\Kyle\AppData\Roaming\Microsoft\Installer\{42929F0F-CE14-47AF-9FC7-FF297A603021}\NewShortcut1_42929F0FCE1447AF9FC7FF297A603021_1.exe
    2010-01-19 01:20 . 2010-01-19 01:20 10134 ----a-r- c:\users\Kyle\AppData\Roaming\Microsoft\Installer\{42929F0F-CE14-47AF-9FC7-FF297A603021}\ARPPRODUCTICON.exe
    2010-01-14 18:12 . 2010-01-19 07:02 181120 ------w- c:\windows\system32\MpSigStub.exe
    2010-01-07 21:07 . 2010-01-19 04:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-01-07 21:07 . 2010-01-19 04:42 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-01-06 15:39 . 2010-02-24 00:44 1696256 ----a-w- c:\windows\system32\gameux.dll
    2010-01-06 15:38 . 2010-02-24 00:44 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
    2010-01-06 15:38 . 2010-02-24 00:44 173056 ----a-w- c:\windows\AppPatch\AcXtrnal.dll
    2010-01-06 15:38 . 2010-02-24 00:44 542720 ----a-w- c:\windows\AppPatch\AcLayers.dll
    2010-01-06 15:38 . 2010-02-24 00:44 458752 ----a-w- c:\windows\AppPatch\AcSpecfc.dll
    2010-01-06 15:38 . 2010-02-24 00:44 2159616 ----a-w- c:\windows\AppPatch\AcGenral.dll
    2010-01-06 13:30 . 2010-02-24 00:44 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-03-31_03.58.34 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-03-31 04:41 . 2010-02-23 15:00 71680 c:\windows\winsxs\x86_microsoft-windows-ie-setup-support_31bf3856ad364e35_8.0.6001.22995_none_a8e727c18da89e3a\iesetup.dll
    + 2010-03-31 04:41 . 2010-02-23 15:00 55808 c:\windows\winsxs\x86_microsoft-windows-ie-setup-support_31bf3856ad364e35_8.0.6001.22995_none_a8e727c18da89e3a\iernonce.dll
    + 2010-03-31 04:41 . 2010-02-23 06:33 71680 c:\windows\winsxs\x86_microsoft-windows-ie-setup-support_31bf3856ad364e35_8.0.6001.18904_none_a8bddbde7442e6c7\iesetup.dll
    + 2010-03-31 04:41 . 2010-02-23 06:33 55808 c:\windows\winsxs\x86_microsoft-windows-ie-setup-support_31bf3856ad364e35_8.0.6001.18904_none_a8bddbde7442e6c7\iernonce.dll
    + 2010-03-31 04:41 . 2010-02-23 13:25 13312 c:\windows\winsxs\x86_microsoft-windows-ie-feedsbs_31bf3856ad364e35_8.0.6001.22995_none_df6461a709f15891\msfeedssync.exe
    + 2010-03-31 04:41 . 2010-02-23 15:01 55296 c:\windows\winsxs\x86_microsoft-windows-ie-feedsbs_31bf3856ad364e35_8.0.6001.22995_none_df6461a709f15891\msfeedsbs.dll
    + 2010-03-31 04:41 . 2010-02-23 04:54 13312 c:\windows\winsxs\x86_microsoft-windows-ie-feedsbs_31bf3856ad364e35_8.0.6001.18904_none_df3b15c3f08ba11e\msfeedssync.exe
    + 2010-03-31 04:41 . 2010-02-23 06:34 55296 c:\windows\winsxs\x86_microsoft-windows-ie-feedsbs_31bf3856ad364e35_8.0.6001.18904_none_df3b15c3f08ba11e\msfeedsbs.dll
    + 2010-03-31 04:41 . 2010-02-23 15:06 64512 c:\windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_8.0.6001.22995_none_e4ff661ad10266b2\WininetPlugin.dll
    + 2010-03-31 04:41 . 2010-02-23 15:01 25600 c:\windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_8.0.6001.22995_none_e4ff661ad10266b2\jsproxy.dll
    + 2010-03-31 04:41 . 2010-02-23 06:39 64512 c:\windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_8.0.6001.18904_none_e4d61a37b79caf3f\WininetPlugin.dll
    + 2010-03-31 04:41 . 2010-02-23 06:34 25600 c:\windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_8.0.6001.18904_none_e4d61a37b79caf3f\jsproxy.dll
    + 2008-01-21 01:58 . 2010-03-31 09:19 30364 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2006-11-02 13:02 . 2010-03-31 09:19 66286 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
    - 2010-01-23 03:28 . 2010-01-02 04:56 13312 c:\windows\System32\msfeedssync.exe
    + 2010-03-31 04:41 . 2010-02-23 04:54 13312 c:\windows\System32\msfeedssync.exe
    - 2010-01-23 03:28 . 2010-01-02 06:33 55296 c:\windows\System32\msfeedsbs.dll
    + 2010-03-31 04:41 . 2010-02-23 06:34 55296 c:\windows\System32\msfeedsbs.dll
    - 2010-01-23 03:28 . 2010-01-02 06:38 64512 c:\windows\System32\migration\WininetPlugin.dll
    + 2010-03-31 04:41 . 2010-02-23 06:39 64512 c:\windows\System32\migration\WininetPlugin.dll
    - 2010-01-23 03:28 . 2010-01-02 06:32 25600 c:\windows\System32\jsproxy.dll
    + 2010-03-31 04:41 . 2010-02-23 06:34 25600 c:\windows\System32\jsproxy.dll
    - 2010-01-23 03:28 . 2010-01-02 06:32 55808 c:\windows\System32\iernonce.dll
    + 2010-03-31 04:41 . 2010-02-23 06:33 55808 c:\windows\System32\iernonce.dll
    - 2010-01-19 01:18 . 2010-03-31 03:26 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2010-01-19 01:18 . 2010-03-31 09:00 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2010-01-19 01:18 . 2010-03-31 09:00 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2010-01-19 01:18 . 2010-03-31 03:26 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2010-01-19 01:18 . 2010-03-31 09:00 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2010-01-19 01:18 . 2010-03-31 03:26 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2010-01-19 01:20 . 2010-03-31 09:19 7058 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1038915227-125854108-3104878646-1000_UserData.bin
    - 2010-03-31 02:49 . 2010-03-31 03:15 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2010-03-31 09:17 . 2010-03-31 09:17 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2010-03-31 09:17 . 2010-03-31 09:17 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    - 2010-03-31 02:49 . 2010-03-31 03:15 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2010-03-31 04:41 . 2010-02-23 15:00 164352 c:\windows\winsxs\x86_microsoft-windows-ieframe_31bf3856ad364e35_8.0.6001.22995_none_47b8df3cdd4e5e15\ieui.dll
    + 2010-03-31 04:41 . 2010-02-23 06:33 164352 c:\windows\winsxs\x86_microsoft-windows-ieframe_31bf3856ad364e35_8.0.6001.18904_none_478f9359c3e8a6a2\ieui.dll
    + 2010-03-31 04:41 . 2010-02-23 15:00 109056 c:\windows\winsxs\x86_microsoft-windows-ie-sysprep_31bf3856ad364e35_8.0.6001.22995_none_fea88c6de92bdaff\iesysprep.dll
    + 2010-03-31 04:41 . 2010-02-23 06:33 109056 c:\windows\winsxs\x86_microsoft-windows-ie-sysprep_31bf3856ad364e35_8.0.6001.18904_none_fe7f408acfc6238c\iesysprep.dll
    + 2010-03-31 04:41 . 2010-02-23 13:25 173056 c:\windows\winsxs\x86_microsoft-windows-ie-setup-support_31bf3856ad364e35_8.0.6001.22995_none_a8e727c18da89e3a\ie4uinit.exe
    + 2010-03-31 04:41 . 2010-02-23 04:55 173056 c:\windows\winsxs\x86_microsoft-windows-ie-setup-support_31bf3856ad364e35_8.0.6001.18904_none_a8bddbde7442e6c7\ie4uinit.exe
    + 2010-03-31 04:41 . 2010-02-23 15:05 129536 c:\windows\winsxs\x86_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_8.0.6001.22995_none_2aba1cf6bbb3850f\sqmapi.dll
    + 2010-03-31 04:41 . 2010-02-23 06:38 129536 c:\windows\winsxs\x86_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_8.0.6001.18904_none_2a90d113a24dcd9c\sqmapi.dll
    + 2010-03-31 04:41 . 2010-02-23 15:04 206848 c:\windows\winsxs\x86_microsoft-windows-ie-objectcontrolviewer_31bf3856ad364e35_8.0.6001.22995_none_1a3cdac943526a7d\occache.dll
    + 2010-03-31 04:41 . 2010-02-23 06:37 206848 c:\windows\winsxs\x86_microsoft-windows-ie-objectcontrolviewer_31bf3856ad364e35_8.0.6001.18904_none_1a138ee629ecb30a\occache.dll
    + 2010-03-31 04:41 . 2010-02-23 15:06 638232 c:\windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.22995_none_127872a6492dd595\iexplore.exe
    + 2010-03-31 04:41 . 2010-02-23 13:26 133632 c:\windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.22995_none_127872a6492dd595\ieUnatt.exe
    + 2010-03-31 04:41 . 2010-02-23 06:39 638232 c:\windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.18904_none_124f26c32fc81e22\iexplore.exe
    + 2010-03-31 04:41 . 2010-02-23 04:55 133632 c:\windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.18904_none_124f26c32fc81e22\ieUnatt.exe
    + 2010-03-31 04:41 . 2010-02-23 15:00 197632 c:\windows\winsxs\x86_microsoft-windows-ie-ieshims_31bf3856ad364e35_8.0.6001.22995_none_2aa3a292c968579f\IEShims.dll
    + 2010-03-31 04:41 . 2010-02-23 06:33 197632 c:\windows\winsxs\x86_microsoft-windows-ie-ieshims_31bf3856ad364e35_8.0.6001.18904_none_2a7a56afb002a02c\IEShims.dll
    + 2010-03-31 04:41 . 2010-02-23 15:00 247808 c:\windows\winsxs\x86_microsoft-windows-ie-ieproxy_31bf3856ad364e35_8.0.6001.22995_none_734556fc79bff131\ieproxy.dll
    + 2010-03-31 04:41 . 2010-02-23 06:33 247808 c:\windows\winsxs\x86_microsoft-windows-ie-ieproxy_31bf3856ad364e35_8.0.6001.18904_none_731c0b19605a39be\ieproxy.dll
    + 2010-03-31 04:41 . 2010-02-23 15:01 594432 c:\windows\winsxs\x86_microsoft-windows-ie-feeds-platform_31bf3856ad364e35_8.0.6001.22995_none_42fcfce969a5b96a\msfeeds.dll
    + 2010-03-31 04:41 . 2010-02-23 06:34 594432 c:\windows\winsxs\x86_microsoft-windows-ie-feeds-platform_31bf3856ad364e35_8.0.6001.18904_none_42d3b106504001f7\msfeeds.dll
    + 2010-03-31 04:41 . 2010-02-23 15:00 184320 c:\windows\winsxs\x86_microsoft-windows-ie-behaviors_31bf3856ad364e35_8.0.6001.22995_none_1fd9f74c213d2f14\iepeers.dll
    + 2010-03-31 04:41 . 2010-02-23 06:33 184320 c:\windows\winsxs\x86_microsoft-windows-ie-behaviors_31bf3856ad364e35_8.0.6001.18904_none_1fb0ab6907d777a1\iepeers.dll
    + 2010-03-31 04:41 . 2010-02-23 15:00 387584 c:\windows\winsxs\x86_microsoft-windows-ie-adminkitbranding_31bf3856ad364e35_8.0.6001.22995_none_5766df1686ac8779\iedkcs32.dll
    + 2010-03-31 04:41 . 2010-02-23 06:33 387584 c:\windows\winsxs\x86_microsoft-windows-ie-adminkitbranding_31bf3856ad364e35_8.0.6001.18904_none_573d93336d46d006\iedkcs32.dll
    + 2010-03-31 04:41 . 2010-02-23 15:06 919040 c:\windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_8.0.6001.22995_none_e4ff661ad10266b2\wininet.dll
    + 2010-03-31 04:41 . 2010-02-23 06:39 916480 c:\windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_8.0.6001.18904_none_e4d61a37b79caf3f\wininet.dll
    + 2010-03-31 04:41 . 2010-02-23 15:02 611840 c:\windows\winsxs\x86_microsoft-windows-i..mlrenderingadvanced_31bf3856ad364e35_8.0.6001.22995_none_c3dc1941aba1ff8e\mstime.dll
    + 2010-03-31 04:41 . 2010-02-23 06:35 611840 c:\windows\winsxs\x86_microsoft-windows-i..mlrenderingadvanced_31bf3856ad364e35_8.0.6001.18904_none_c3b2cd5e923c481b\mstime.dll
    + 2010-01-19 16:50 . 2010-04-01 00:19 240062 c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
    + 2006-11-02 10:33 . 2010-04-01 00:20 600378 c:\windows\System32\perfh009.dat
    - 2006-11-02 10:33 . 2010-03-31 03:21 600378 c:\windows\System32\perfh009.dat
    - 2006-11-02 10:33 . 2010-03-31 03:21 105852 c:\windows\System32\perfc009.dat
    + 2006-11-02 10:33 . 2010-04-01 00:20 105852 c:\windows\System32\perfc009.dat
    - 2010-01-23 03:28 . 2010-01-02 06:36 206848 c:\windows\System32\occache.dll
    + 2010-03-31 04:41 . 2010-02-23 06:37 206848 c:\windows\System32\occache.dll
    + 2010-03-31 04:41 . 2010-02-23 06:35 611840 c:\windows\System32\mstime.dll
    - 2010-01-19 07:37 . 2009-03-08 11:32 611840 c:\windows\System32\mstime.dll
    - 2010-01-23 03:28 . 2010-01-02 06:33 594432 c:\windows\System32\msfeeds.dll
    + 2010-03-31 04:41 . 2010-02-23 06:34 594432 c:\windows\System32\msfeeds.dll
    - 2010-01-23 03:28 . 2010-01-02 06:32 164352 c:\windows\System32\ieui.dll
    + 2010-03-31 04:41 . 2010-02-23 06:33 164352 c:\windows\System32\ieui.dll
    + 2010-03-31 04:41 . 2010-02-23 06:33 184320 c:\windows\System32\iepeers.dll
    - 2010-01-23 03:28 . 2010-01-02 06:32 184320 c:\windows\System32\iepeers.dll
    + 2010-03-31 04:41 . 2010-02-23 06:33 387584 c:\windows\System32\iedkcs32.dll
    - 2010-01-23 03:28 . 2010-01-02 06:32 387584 c:\windows\System32\iedkcs32.dll
    - 2010-01-23 03:28 . 2010-01-02 04:56 173056 c:\windows\System32\ie4uinit.exe
    + 2010-03-31 04:41 . 2010-02-23 04:55 173056 c:\windows\System32\ie4uinit.exe
    + 2010-03-31 04:41 . 2010-02-23 15:00 1986048 c:\windows\winsxs\x86_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_8.0.6001.22995_none_2aba1cf6bbb3850f\iertutil.dll
    + 2010-03-31 04:41 . 2010-02-23 06:33 1985536 c:\windows\winsxs\x86_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_8.0.6001.18904_none_2a90d113a24dcd9c\iertutil.dll
    + 2010-03-31 04:41 . 2010-02-23 15:01 5946880 c:\windows\winsxs\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_8.0.6001.22995_none_f65985395158cfe8\mshtml.dll
    + 2010-03-31 04:41 . 2010-02-23 06:34 5944832 c:\windows\winsxs\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_8.0.6001.18904_none_f630395637f31875\mshtml.dll
    + 2010-03-31 04:41 . 2010-02-23 15:05 1209856 c:\windows\winsxs\x86_microsoft-windows-i..ersandsecurityzones_31bf3856ad364e35_8.0.6001.22995_none_97f98a7905f9401f\urlmon.dll
    + 2010-03-31 04:41 . 2010-02-23 06:39 1209344 c:\windows\winsxs\x86_microsoft-windows-i..ersandsecurityzones_31bf3856ad364e35_8.0.6001.18904_none_97d03e95ec9388ac\urlmon.dll
    + 2010-03-31 04:41 . 2010-02-23 06:39 1209344 c:\windows\System32\urlmon.dll
    - 2006-11-02 10:22 . 2010-03-28 19:35 6291456 c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
    + 2006-11-02 10:22 . 2010-03-31 09:16 6291456 c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
    + 2010-03-31 04:41 . 2010-02-23 06:34 5944832 c:\windows\System32\mshtml.dll
    + 2010-03-31 04:41 . 2010-02-23 06:33 1985536 c:\windows\System32\iertutil.dll
    - 2010-01-23 03:28 . 2010-01-02 06:32 1985536 c:\windows\System32\iertutil.dll
    + 2010-03-31 04:41 . 2010-02-23 15:00 11073024 c:\windows\winsxs\x86_microsoft-windows-ieframe_31bf3856ad364e35_8.0.6001.22995_none_47b8df3cdd4e5e15\ieframe.dll
    + 2010-03-31 04:41 . 2010-02-23 06:33 11070976 c:\windows\winsxs\x86_microsoft-windows-ieframe_31bf3856ad364e35_8.0.6001.18904_none_478f9359c3e8a6a2\ieframe.dll
    + 2010-03-31 04:41 . 2010-02-23 06:33 11070976 c:\windows\System32\ieframe.dll
    + 2010-01-19 16:53 . 2010-03-31 04:39 150521269 c:\windows\winsxs\ManifestCache\6.0.6002.18005_001c11ba_blobs.bin
    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
    "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-12-08 3444736]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-05 186904]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-15 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-15 166424]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-15 133656]
    "SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-09-13 405504]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "mixer1"=wdmaud.drv

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
    "VistaSp2"=hex(cool.gif:7f,b2,c9,7e,2e,99,ca,01

    R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-01-07 38224]
    S2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\aestsrv.exe [2007-09-20 73728]
    S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-05-13 108289]
    S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
    S3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2007-06-07 111616]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    Contents of the 'Scheduled Tasks' folder

    2010-03-31 c:\windows\Tasks\User_Feed_Synchronization-{91AD4971-AF2C-4735-89D6-0A74757D0C0B}.job
    - c:\windows\system32\msfeedssync.exe [2010-03-31 04:54]
    .
    .
    ------- Supplementary Scan -------
    .
    FF - ProfilePath - c:\users\Kyle\AppData\Roaming\Mozilla\Firefox\Profiles\segrcm9u.default\
    FF - prefs.js: browser.startup.homepage - www.google.ca
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-03-31 18:34
    Windows 6.0.6002 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    Completion time: 2010-03-31 18:38:02
    ComboFix-quarantined-files.txt 2010-04-01 00:37
    ComboFix2.txt 2010-03-31 04:02

    Pre-Run: 116,046,008,320 bytes free
    Post-Run: 116,064,763,904 bytes free

    - - End Of File - - AF8C033F24D3CA79CFE5EB7121810F14


    #6 thewall

    thewall

    • Malware Response Team
    • 6,425 posts
    • Gender:Male
    • Location:Florida

    Posted 05 April 2010 - 09:24 AM

    First let's delete the version of ComboFix you have on your desktop and then download another one from the link below. Run CF again. Be sure to disable Windows Defender on this run along with Avira. Instructions can be found HERE.


    Post the log it produces.




    Please download ComboFix from one of these locations:

    Link 1
    Link 2

    * IMPORTANT !!! Save ComboFix.exe to your Desktop
    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instructions can be found HERE
    • Double click on ComboFix.exe & follow the prompts.


    When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.
    If I have helped you then please consider donating so I can continue the fight against malware.
    All donations go directly to the helper.

    Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

    #7 Kyle Evans

    Kyle Evans
    • Topic Starter

    • Members
    • 13 posts

    Posted 05 April 2010 - 07:30 PM

    Here is the new ComboFix log.

    ComboFix 10-04-04.01 - Kyle 05/04/2010 18:19:39.3.2 - x86
    Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.2.1033.18.2037.1260 [GMT -6:00]
    Running from: c:\users\Kyle\Desktop\ComboFix.exe
    SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    .

    ((((((((((((((((((((((((( Files Created from 2010-03-06 to 2010-04-06 )))))))))))))))))))))))))))))))
    .

    2010-04-06 00:26 . 2010-04-06 00:26 -------- d-----w- c:\users\Kyle\AppData\Local\temp
    2010-04-06 00:26 . 2010-04-06 00:26 -------- d-----w- c:\users\Public\AppData\Local\temp
    2010-04-06 00:26 . 2010-04-06 00:26 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-04-01 23:37 . 2010-04-01 23:39 -------- d-----w- c:\program files\Google
    2010-04-01 23:37 . 2010-04-01 23:40 -------- d-----w- c:\users\Kyle\AppData\Local\Google
    2010-03-31 04:06 . 2010-03-31 04:06 -------- d-----w- c:\windows\Sun
    2010-03-28 21:57 . 2010-03-28 21:57 -------- d-----w- c:\users\Kyle\AppData\Roaming\CreeperWorld.BA6B793AB2C9FDD744493F22666C1F8DFA806A5E.1
    2010-03-28 21:46 . 2010-03-28 21:46 -------- d-----w- c:\users\Kyle\AppData\Roaming\CreeperMap
    2010-03-28 21:46 . 2010-03-28 21:46 -------- d-----w- c:\users\Kyle\AppData\Roaming\CreeperMap.BA6B793AB2C9FDD744493F22666C1F8DFA806A5E.1
    2010-03-22 02:08 . 2009-06-05 00:43 330264 ----a-w- c:\windows\system32\drivers\iaStor.sys
    2010-03-10 03:11 . 2010-03-10 03:11 0 ----a-w- c:\users\Kyle\jagex__preferences3.dat
    2010-03-10 03:07 . 2010-03-17 12:40 69 ----a-w- c:\users\Kyle\jagex_runescape_preferences2.dat
    2010-03-10 03:07 . 2010-03-17 12:38 41 ----a-w- c:\users\Kyle\jagex_runescape_preferences.dat
    2010-03-10 03:06 . 2010-03-10 05:04 -------- d-----w- C:\.jagex_cache_32
    2010-03-08 01:57 . 2010-03-08 01:57 -------- d-----w- c:\program files\Common Files\Adobe
    2010-03-08 01:55 . 2010-03-08 01:59 -------- d-----w- c:\users\Kyle\AppData\Local\Adobe
    2010-03-08 01:55 . 2010-03-08 01:55 86016 ----a-w- c:\programdata\NOS\Adobe_Downloads\arh.exe
    2010-03-08 01:55 . 2010-03-10 03:35 -------- d-----w- c:\programdata\NOS

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-04-05 02:54 . 2010-01-19 04:15 -------- d-----w- c:\users\Kyle\AppData\Roaming\vlc
    2010-04-04 22:58 . 2010-01-19 01:18 680 ----a-w- c:\users\Kyle\AppData\Local\d3d9caps.dat
    2010-04-04 04:42 . 2010-01-20 04:46 -------- d-----w- c:\users\Kyle\AppData\Roaming\dvdcss
    2010-04-02 00:21 . 2010-01-19 04:17 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2010-03-31 04:15 . 2010-01-19 04:17 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-03-31 01:49 . 2010-01-19 23:15 -------- d-----w- c:\program files\CCleaner
    2010-03-31 01:48 . 2010-01-24 00:07 -------- d-----r- c:\program files\Skype
    2010-03-31 01:32 . 2010-02-25 05:42 -------- d-----w- c:\program files\KnuckleCracker
    2010-03-28 21:52 . 2010-02-25 05:42 -------- d-----w- c:\users\Kyle\AppData\Roaming\CreeperWorld
    2010-03-24 09:02 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
    2010-03-22 02:07 . 2010-01-19 01:31 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-02-25 05:42 . 2010-02-25 05:42 -------- d-----w- c:\users\Kyle\AppData\Roaming\CreeperWorldDEMO.BA6B793AB2C9FDD744493F22666C1F8DFA806A5E.1
    2010-02-25 05:40 . 2010-02-25 05:40 -------- d-----w- c:\program files\Common Files\Adobe AIR
    2010-02-25 05:40 . 2010-02-25 05:41 38784 ----a-w- c:\users\Kyle\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
    2010-02-25 05:40 . 2010-02-25 05:40 38784 ----a-w- c:\users\Default\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
    2010-02-24 10:20 . 2010-01-19 01:18 52272 ----a-w- c:\users\Kyle\AppData\Local\GDIPFONTCACHEV1.DAT
    2010-02-24 05:07 . 2010-01-19 04:53 -------- d-----w- c:\users\Kyle\AppData\Roaming\Ventrilo
    2010-02-23 06:39 . 2010-03-31 04:41 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-02-23 06:33 . 2010-03-31 04:41 71680 ----a-w- c:\windows\system32\iesetup.dll
    2010-02-23 06:33 . 2010-03-31 04:41 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2010-02-23 04:55 . 2010-03-31 04:41 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2010-02-23 02:40 . 2010-01-24 00:08 -------- d-----w- c:\users\Kyle\AppData\Roaming\Skype
    2010-02-23 02:39 . 2010-01-24 00:40 -------- d-----w- c:\users\Kyle\AppData\Roaming\skypePM
    2010-02-01 03:14 . 2010-02-01 03:14 411368 ----a-w- c:\windows\system32\deploytk.dll
    2010-01-25 12:00 . 2010-02-24 00:45 471552 ----a-w- c:\windows\system32\secproc_isv.dll
    2010-01-25 12:00 . 2010-02-24 00:45 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
    2010-01-25 12:00 . 2010-02-24 00:45 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
    2010-01-25 12:00 . 2010-02-24 00:45 471552 ----a-w- c:\windows\system32\secproc.dll
    2010-01-25 11:58 . 2010-02-24 00:45 332288 ----a-w- c:\windows\system32\msdrm.dll
    2010-01-25 08:21 . 2010-02-24 00:45 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
    2010-01-25 08:21 . 2010-02-24 00:45 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
    2010-01-25 08:21 . 2010-02-24 00:45 518144 ----a-w- c:\windows\system32\RMActivate.exe
    2010-01-25 08:21 . 2010-02-24 00:45 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
    2010-01-24 00:40 . 2010-01-24 00:40 56 ---ha-w- c:\programdata\ezsidmv.dat
    2010-01-23 09:26 . 2010-02-24 00:46 2048 ----a-w- c:\windows\system32\tzres.dll
    2010-01-23 08:19 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
    2010-01-20 03:54 . 2010-01-19 03:54 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2010-01-19 01:20 . 2010-01-19 01:20 45056 ----a-r- c:\users\Kyle\AppData\Roaming\Microsoft\Installer\{42929F0F-CE14-47AF-9FC7-FF297A603021}\NewShortcut1_42929F0FCE1447AF9FC7FF297A603021_1.exe
    2010-01-19 01:20 . 2010-01-19 01:20 10134 ----a-r- c:\users\Kyle\AppData\Roaming\Microsoft\Installer\{42929F0F-CE14-47AF-9FC7-FF297A603021}\ARPPRODUCTICON.exe
    2010-01-14 18:12 . 2010-01-19 07:02 181120 ------w- c:\windows\system32\MpSigStub.exe
    2010-01-07 21:07 . 2010-01-19 04:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-01-07 21:07 . 2010-01-19 04:42 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-01-06 15:39 . 2010-02-24 00:44 1696256 ----a-w- c:\windows\system32\gameux.dll
    2010-01-06 15:38 . 2010-02-24 00:44 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
    2010-01-06 15:38 . 2010-02-24 00:44 173056 ----a-w- c:\windows\AppPatch\AcXtrnal.dll
    2010-01-06 15:38 . 2010-02-24 00:44 542720 ----a-w- c:\windows\AppPatch\AcLayers.dll
    2010-01-06 15:38 . 2010-02-24 00:44 458752 ----a-w- c:\windows\AppPatch\AcSpecfc.dll
    2010-01-06 15:38 . 2010-02-24 00:44 2159616 ----a-w- c:\windows\AppPatch\AcGenral.dll
    2010-01-06 13:30 . 2010-02-24 00:44 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
    .

    ((((((((((((((((((((((((((((( SnapShot_2010-04-01_00.34.37 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2010-01-19 01:18 . 2010-03-31 09:00 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2010-01-19 01:18 . 2010-04-06 00:11 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2010-01-19 01:18 . 2010-04-06 00:11 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2010-01-19 01:18 . 2010-03-31 09:00 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2010-01-19 01:18 . 2010-04-06 00:11 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2010-01-19 01:18 . 2010-03-31 09:00 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2010-04-01 23:38 . 2010-04-01 23:38 22528 c:\windows\Installer\83acba7.msi
    + 2010-04-01 23:40 . 2010-04-01 23:40 25214 c:\windows\Installer\{656C0E21-331E-11DF-81CE-005056806466}\UNINST_Uninstall_G_F6A848FB884248E6A4CDCBDCF41F6A74_1.exe
    + 2010-04-01 23:40 . 2010-04-01 23:40 25214 c:\windows\Installer\{656C0E21-331E-11DF-81CE-005056806466}\UNINST_Uninstall_G_F6A848FB884248E6A4CDCBDCF41F6A74.exe
    + 2010-04-01 23:40 . 2010-04-01 23:40 25214 c:\windows\Installer\{656C0E21-331E-11DF-81CE-005056806466}\ShortcutOGL_EB071909B9884F8CBF3D6115D4ADEE5E.exe
    + 2010-04-01 23:40 . 2010-04-01 23:40 25214 c:\windows\Installer\{656C0E21-331E-11DF-81CE-005056806466}\ShortcutDX_EB071909B9884F8CBF3D6115D4ADEE5E.exe
    + 2010-04-01 23:40 . 2010-04-01 23:40 25214 c:\windows\Installer\{656C0E21-331E-11DF-81CE-005056806466}\googleearth.exe1_F6A848FB884248E6A4CDCBDCF41F6A74.exe
    + 2010-04-01 23:40 . 2010-04-01 23:40 25214 c:\windows\Installer\{656C0E21-331E-11DF-81CE-005056806466}\googleearth.exe_F6A848FB884248E6A4CDCBDCF41F6A74.exe
    + 2010-04-01 23:40 . 2010-04-01 23:40 25214 c:\windows\Installer\{656C0E21-331E-11DF-81CE-005056806466}\ARPPRODUCTICON.exe
    - 2010-01-19 01:20 . 2010-03-31 09:19 7058 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1038915227-125854108-3104878646-1000_UserData.bin
    + 2010-01-19 01:20 . 2010-04-06 00:09 7058 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1038915227-125854108-3104878646-1000_UserData.bin
    + 2010-03-31 09:17 . 2010-04-06 00:07 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    - 2010-03-31 09:17 . 2010-03-31 09:17 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    - 2010-03-31 09:17 . 2010-03-31 09:17 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2010-03-31 09:17 . 2010-04-06 00:07 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2010-01-19 16:50 . 2010-04-05 12:21 244164 c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
    + 2010-04-01 23:40 . 2010-04-01 23:40 1234944 c:\windows\Installer\83acbae.msi
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
    "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-12-08 3444736]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-05 186904]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-15 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-15 166424]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-15 133656]
    "SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-09-13 405504]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "mixer1"=wdmaud.drv

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
    "VistaSp2"=hex(b):7f,b2,c9,7e,2e,99,ca,01

    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-04-01 136176]
    R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-01-07 38224]
    S2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\aestsrv.exe [2007-09-20 73728]
    S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-05-13 108289]
    S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
    S3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2007-06-07 111616]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    Contents of the 'Scheduled Tasks' folder

    2010-04-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-04-01 23:37]

    2010-04-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-04-01 23:37]

    2010-04-05 c:\windows\Tasks\User_Feed_Synchronization-{91AD4971-AF2C-4735-89D6-0A74757D0C0B}.job
    - c:\windows\system32\msfeedssync.exe [2010-03-31 04:54]
    .
    .
    ------- Supplementary Scan -------
    .
    FF - ProfilePath - c:\users\Kyle\AppData\Roaming\Mozilla\Firefox\Profiles\segrcm9u.default\
    FF - prefs.js: browser.startup.homepage - www.google.ca
    FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
    .
    - - - - ORPHANS REMOVED - - - -

    AddRemove-HijackThis - c:\users\Kyle\Downloads\HijackThis.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-04-05 18:26
    Windows 6.0.6002 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    Completion time: 2010-04-05 18:29:37
    ComboFix-quarantined-files.txt 2010-04-06 00:29
    ComboFix2.txt 2010-04-01 00:38
    ComboFix3.txt 2010-03-31 04:02

    Pre-Run: 113,390,915,584 bytes free
    Post-Run: 113,353,793,536 bytes free

    - - End Of File - - 779FAC71DDF734CB12B74AA77E7517D1


    #8 thewall

    • Malware Response Team
    • 6,425 posts
    • Gender:Male
    • Location:Florida

    Posted 05 April 2010 - 09:16 PM

    Run HijackThis.
    Click on Do a system scan only.
    Place a checkmark next to these lines (if still present).

    O17 - HKLM\System\CCS\Services\Tcpip\..\{1C45EAE9-C132-418D-9E37-9081A5F81423}: NameServer = 93.188.163.40,93.188.166.14
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B7CC9AD7-C4DC-47FF-AC64-56F5C83A936B}: NameServer = 93.188.163.40,93.188.166.14
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.163.40,93.188.166.14
    O17 - HKLM\System\CS1\Services\Tcpip\..\{1C45EAE9-C132-418D-9E37-9081A5F81423}: NameServer = 93.188.163.40,93.188.166.14
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.163.40,93.188.166.14


    Then close all windows except HijackThis and click Fix Checked.

    Restart your computer





    Let me know if the redirection problem is still there.
    If I have helped you then please consider donating so I can continue the fight against malware
    All donations go directly to the helper

    Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you
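Added example, not part of this thread and not HijackThis's own code: the O17 entries thewall asks to fix are DNS settings, one per network interface GUID plus the global `Tcpip\Parameters` key, each pointing every lookup at the same two resolvers. The Python below parses O17 lines in the HijackThis format, flags any NameServer address outside an allowlist of expected resolver ranges, and reports which control sets (CCS, CS1, ...) carry the setting. The allowlist (RFC 1918 private ranges standing in for a home router) and the final benign interface line are assumptions constructed for the example; the five flagged lines are the ones quoted in the post above.

```python
import ipaddress
import re
from dataclasses import dataclass

# Matches a HijackThis "O17" line: HKLM\System\<control set>\Services\Tcpip\
# followed by either an interface GUID ({...}) or the global Parameters key,
# then the comma-separated NameServer list.
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<cs>CCS|CS\d+)\\Services\\Tcpip\\"
    r"(?:\.\.\\\{(?P<guid>[0-9A-Fa-f-]+)\}|Parameters): NameServer = (?P<servers>.+)$"
)

# Expected resolver ranges. Assumption for this example: a home network whose
# router (an RFC 1918 address) hands out DNS; adjust to the real environment.
TRUSTED_NETWORKS = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

# The first five lines are the O17 entries from the post above; the last one is
# a constructed benign interface pointing at a router, included so the audit has
# something it should NOT flag.
SAMPLE_LINES = [
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{1C45EAE9-C132-418D-9E37-9081A5F81423}: NameServer = 93.188.163.40,93.188.166.14",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{B7CC9AD7-C4DC-47FF-AC64-56F5C83A936B}: NameServer = 93.188.163.40,93.188.166.14",
    r"O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.163.40,93.188.166.14",
    r"O17 - HKLM\System\CS1\Services\Tcpip\..\{1C45EAE9-C132-418D-9E37-9081A5F81423}: NameServer = 93.188.163.40,93.188.166.14",
    r"O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.163.40,93.188.166.14",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000001}: NameServer = 192.168.1.1",  # constructed
]


@dataclass(frozen=True)
class DnsSetting:
    control_set: str   # "CCS" (CurrentControlSet) or "CS1", "CS2", ... (ControlSet00N)
    scope: str         # interface GUID, or "global" for the Tcpip\Parameters key
    servers: tuple     # NameServer addresses in the order listed


def parse_o17(line):
    """Return a DnsSetting for an O17 line, or None if the line is not one."""
    m = O17_RE.match(line.strip())
    if m is None:
        return None
    servers = tuple(s.strip() for s in m.group("servers").split(","))
    for s in servers:
        ipaddress.ip_address(s)  # reject anything that is not a literal IP address
    return DnsSetting(m.group("cs"), m.group("guid") or "global", servers)


def audit_o17(lines, trusted_networks=TRUSTED_NETWORKS):
    """Return (setting, untrusted_servers) pairs for every O17 line whose
    NameServer list contains an address outside the trusted ranges."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    findings = []
    for line in lines:
        setting = parse_o17(line)
        if setting is None:
            continue
        untrusted = tuple(
            s for s in setting.servers
            if not any(ipaddress.ip_address(s) in net for net in nets)
        )
        if untrusted:
            findings.append((setting, untrusted))
    return findings


def control_sets_affected(findings):
    """Sorted tuple of the control sets that carry an untrusted resolver.
    HijackThis lists the live CurrentControlSet (CCS) separately from the
    numbered ControlSet00N keys, so one setting can appear under both."""
    return tuple(sorted({setting.control_set for setting, _ in findings}))


if __name__ == "__main__":
    results = audit_o17(SAMPLE_LINES)
    for setting, bad in results:
        print(f"{setting.control_set:4} {setting.scope:40} -> {', '.join(bad)}")
    print("control sets affected:", control_sets_affected(results))
```

Run against the sample, the checker flags all five lines from the post and nothing for the constructed router line; a resolver that appears on every interface and in both control sets is the pattern worth checking for again after the fix and a reboot, which is what thewall's follow-up question about redirects is getting at.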

    #9 Kyle Evans

    • Topic Starter

    • Members
    • 13 posts

    Posted 06 April 2010 - 08:01 AM

    Hey there, none of the O17 items were in the HijackThis window, so I assume all is good with that. The internet browser no longer redirects, and actually does load pages now. Spybot/Trend Micro (etc.). The computer is still quite slow at booting, and if I am playing a game that is basically the only program I can run. I used to be able to do 2 games and Firefox windows (etc.).

    If that was all, thank you very much, but if you have any more ideas I would be more than happy to try them.

    Thanks!

    #10 thewall

    • Malware Response Team
    • 6,425 posts
    • Gender:Male
    • Location:Florida

    Posted 06 April 2010 - 10:58 AM

    When you open your Task Manager, do you see any processes that seem to be using a lot of system resources? Things like Firefox will always be high, but I would look at others to see if something doesn't look right. If you don't see anything, go ahead and run another DDS log so we can take a look at it.

    #11 Kyle Evans

    • Topic Starter

    • Members
    • 13 posts

    Posted 06 April 2010 - 07:20 PM

    Yeah, I did not notice anything too out of the ordinary, except one svchost.exe taking up quite a chunk of memory, around 70k, but that is about it. Here are the new DDS log files.

    Thanks


    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Kyle at 18:17:28.41 on 06/04/2010
    Internet Explorer: 8.0.6001.18904 BrowserJavaVersion: 1.6.0_18
    Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.2.1033.18.2037.1070 [GMT -6:00]

    SP: Spybot - Search and Destroy *enabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\bcmwltry.exe
    C:\Windows\system32\WLANExt.exe
    C:\Windows\System32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\aestsrv.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\STacSV.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\System32\WLTRAY.EXE
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\Explorer.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\Windows Live\Contacts\wlcomm.exe
    C:\Program Files\Common Files\Java\Java Update\jucheck.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Google\Update\GoogleUpdate.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Users\Kyle\Desktop\dds.scr
    C:\Windows\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
    mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: igfxcui - igfxdev.dll
    Hosts: 127.0.0.1 www.spywareinfo.com

    ================= FIREFOX ===================

    FF - ProfilePath - c:\users\kyle\appdata\roaming\mozilla\firefox\profiles\segrcm9u.default\
    FF - prefs.js: browser.startup.homepage - www.google.ca
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

    ============= SERVICES / DRIVERS ===============

    R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-1-18 11608]
    R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\AEstSrv.exe [2010-1-18 73728]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-1-18 108289]
    R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-1-18 185089]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-1-18 56816]
    R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-1-18 1153368]
    R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2010-1-18 111616]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-1 136176]
    S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-1-18 38224]

    =============== Created Last 30 ================

    2010-04-06 00:28:24 0 d-sh--w- C:\$RECYCLE.BIN
    2010-04-06 00:18:13 0 d-----w- C:\ComboFix
    2010-03-31 03:49:48 77312 ----a-w- c:\windows\MBR.exe
    2010-03-31 03:49:48 261632 ----a-w- c:\windows\PEV.exe
    2010-03-31 03:49:48 161792 ----a-w- c:\windows\SWREG.exe
    2010-03-31 03:49:47 98816 ----a-w- c:\windows\sed.exe
    2010-03-28 21:57:01 0 d-----w- c:\users\kyle\appdata\roaming\CreeperWorld.BA6B793AB2C9FDD744493F22666C1F8DFA806A5E.1
    2010-03-28 21:46:42 0 d-----w- c:\users\kyle\appdata\roaming\CreeperMap.BA6B793AB2C9FDD744493F22666C1F8DFA806A5E.1
    2010-03-28 21:46:42 0 d-----w- c:\users\kyle\appdata\roaming\CreeperMap
    2010-03-22 02:08:18 330264 ----a-w- c:\windows\system32\drivers\iaStor.sys
    2010-03-10 03:11:07 0 ----a-w- c:\users\kyle\jagex__preferences3.dat
    2010-03-10 03:07:58 69 ----a-w- c:\users\kyle\jagex_runescape_preferences2.dat
    2010-03-10 03:07:01 41 ----a-w- c:\users\kyle\jagex_runescape_preferences.dat
    2010-03-10 03:06:46 0 d-----w- C:\.jagex_cache_32
    2010-03-08 01:55:18 0 d-----w- c:\programdata\NOS

    ==================== Find3M ====================

    2010-03-22 02:09:45 86016 ----a-w- c:\windows\inf\infstrng.dat
    2010-03-22 02:09:45 51200 ----a-w- c:\windows\inf\infpub.dat
    2010-03-22 02:09:39 86016 ----a-w- c:\windows\inf\infstor.dat
    2010-02-23 06:39:13 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-02-23 06:33:45 71680 ----a-w- c:\windows\system32\iesetup.dll
    2010-02-23 06:33:45 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2010-02-23 04:55:36 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2010-02-01 03:14:13 411368 ----a-w- c:\windows\system32\deploytk.dll
    2010-01-25 12:00:35 471552 ----a-w- c:\windows\system32\secproc_isv.dll
    2010-01-25 12:00:35 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
    2010-01-25 12:00:35 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
    2010-01-25 12:00:22 471552 ----a-w- c:\windows\system32\secproc.dll
    2010-01-25 11:58:52 332288 ----a-w- c:\windows\system32\msdrm.dll
    2010-01-25 08:21:20 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
    2010-01-25 08:21:20 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
    2010-01-25 08:21:18 518144 ----a-w- c:\windows\system32\RMActivate.exe
    2010-01-25 08:21:18 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
    2010-01-24 00:40:18 56 ---ha-w- c:\programdata\ezsidmv.dat
    2010-01-23 09:26:13 2048 ----a-w- c:\windows\system32\tzres.dll
    2010-01-23 08:19:53 665600 ----a-w- c:\windows\inf\drvindex.dat
    2010-01-19 17:27:57 37665 ----a-w- c:\windows\fonts\GlobalUserInterface.CompositeFont
    2010-01-14 18:12:06 181120 ------w- c:\windows\system32\MpSigStub.exe
    2008-01-21 02:57:01 174 --sha-w- c:\program files\desktop.ini
    2006-11-02 12:39:34 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
    2006-11-02 12:39:34 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
    2006-11-02 12:39:34 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
    2006-11-02 12:39:34 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
    2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
    2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
    2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
    2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat

    ============= FINISH: 18:18:29.60 ===============




    #12 thewall

    thewall

    • Malware Response Team
    • 6,425 posts
    • OFFLINE
    •  
    • Gender:Male
    • Location:Florida
    • Local time:11:47 PM

    Posted 06 April 2010 - 09:07 PM

    I am going to look this over some more, but in the meantime I would think about removing Spybot. It is showing up as outdated in your log, and at times I have seen conflicts between TeaTimer, which is part of Spybot, and Windows Defender. You can always reinstall a newer, updated version if you choose to at a later date.

    Edited by thewall, 06 April 2010 - 09:07 PM.

    If I have helped you then please consider donating so I can continue the fight against malware
    All donations go directly to the helper

    Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

    #13 thewall

    thewall

    • Malware Response Team
    • 6,425 posts
    • OFFLINE
    •  
    • Gender:Male
    • Location:Florida
    • Local time:11:47 PM

    Posted 08 April 2010 - 11:29 AM

    Sorry for not getting back Kyle, are you still with me?

    #14 Kyle Evans

    Kyle Evans
    • Topic Starter

    • Members
    • 13 posts
    • OFFLINE
    •  
    • Local time:11:47 PM

    Posted 08 April 2010 - 04:13 PM

    10-4 man, still here, and still some random slowness but the redirect is gone. Bootup, games, etc.

    Edited by Kyle Evans, 08 April 2010 - 04:14 PM.


    #15 thewall

    thewall

    • Malware Response Team
    • 6,425 posts
    • OFFLINE
    •  
    • Gender:Male
    • Location:Florida
    • Local time:11:47 PM

    Posted 08 April 2010 - 05:26 PM

    Good that it's running OK. I am not seeing anything else that would cause you troubles, but I am going to give you a link below to our Startup Programs forum. If you go to the first topic that is pinned, it will explain how to use Autoruns, which is a program you can use to control various programs and how they start. Often through the use of this you can help the performance of your computer by changing the startup nature of things you have which don't necessarily need to run right off the bat.

    http://www.bleepingcomputer.com/forums/f/85/windows-startup-programs-database/


    Other than that we should be finished.




    Uninstall Combofix
    • Press the Windows Key + R on your keyboard.
    • Now copy & paste the green bolded text in the run-box and click OK.

      ComboFix /Uninstall

      (Notice the space between "x" and "/".)

    • The following will implement some very important cleanup procedures as well as reset System Restore points.




    You can go ahead and delete GMER and DDS now if they are still on your desktop.





    Below are some steps to follow in order to dramatically lower the chances of reinfection
    You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented
    1. Make sure you install all the security updates for Windows, Internet explorer & Microsoft Office
      Whenever a security problem in its software is found, Microsoft will usually create a patch for it so that, after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC, so keeping up with these patches will help to prevent malicious software being installed on your PC
      Go here to check for & install updates to Microsoft applications
      Note: The update process uses ActiveX, so you will need to use Internet Explorer for it, and allow the ActiveX control that it wants to install
    2. Keep your non-Microsoft applications updated as well
      Microsoft isn't the only company whose products can contain security vulnerabilities, to check for other vulnerable programs running on your PC that are in need of an update, you can use the Secunia Software Inspector - I suggest that you run it at least once a month
    3. Make Internet Explorer more secure
      Click Start > Run
      Type Inetcpl.cpl & click OK
      Click on the Security tab
      Click Reset all zones to default level
      Make sure the Internet Zone is selected & Click Custom level
      In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
      Next Click OK, then Apply button and then OK to exit the Internet Properties page.
    4. Install SpywareBlaster & make sure to update it regularly
      SpywareBlaster sets killbits in the registry to prevent known malicious ActiveX controls from installing themselves on your computer.
      If you don't know what ActiveX controls are, see here
      You can download SpywareBlaster from here
    5. Finally, this is very important. It is absolutely essential to keep all of your security programs up to date
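    An added, read-only PowerShell check (not from thewall's post) that verifies the three Internet-zone ActiveX settings from step 3 and counts the ActiveX killbits step 4 talks about. It assumes the standard per-user zone layout (Zone 3 is the Internet zone) and the standard URL-action codes 1001, 1004 and 1201 for those three settings; it changes nothing.

```powershell
# Added example, not part of the forum post: audit the Internet zone ActiveX
# settings that step 3 sets by hand, and list any killbits (step 4).
# Assumption: default per-user zone layout, where Zone 3 is the Internet zone.
$zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# URL action codes for the three settings in step 3. Values: 0 = Enable, 1 = Prompt, 3 = Disable.
$expected = @{
    '1001' = @{ Name = 'Download signed ActiveX controls';                         Want = 1 }
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                       Want = 1 }
    '1201' = @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 }
}
$labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

$zone = Get-ItemProperty -Path $zonePath -ErrorAction Stop
foreach ($code in ($expected.Keys | Sort-Object)) {
    $current = $zone.$code
    if ($null -eq $current) {
        $label  = 'not set (zone default)'
        $status = 'CHECK'
    } else {
        $label  = if ($labels.ContainsKey([int]$current)) { $labels[[int]$current] } else { "unknown ($current)" }
        $status = if ([int]$current -eq $expected[$code].Want) { 'OK' } else { 'CHANGE' }
    }
    '{0,-7} {1,-64} is {2,-22} want {3}' -f $status, $expected[$code].Name, $label, $labels[$expected[$code].Want]
}

# Killbits: a CLSID key under "ActiveX Compatibility" whose "Compatibility Flags"
# DWORD has bit 0x400 set is blocked from loading in Internet Explorer.
$killbitPath = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$blocked = Get-ChildItem -Path $killbitPath -ErrorAction SilentlyContinue |
    Where-Object { ((Get-ItemProperty -Path $_.PSPath).'Compatibility Flags' -band 0x400) -ne 0 }
"Killbits set: $(@($blocked).Count) CLSIDs"
```

    A line marked CHANGE means the Internet zone is looser than step 3 recommends; a killbit count of 0 means nothing like SpywareBlaster has populated the blocklist yet.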




    If you have any other questions or issues feel free to ask as I will be checking back on this topic.



    I wish you good luck in the future and thank you for using our forum.


    thewall



