
tabletPC probs: URL hijack, Search results redirect, atapi, alureon, strange appinit dlls, phantom SSODLs, rootkit, tewetopi/ranusanu, sec update fail


  • This topic is locked
6 replies to this topic

#1 reflex on life

reflex on life

  • Members
  • 5 posts
  • OFFLINE
  • Local time:10:04 AM

Posted 09 April 2010 - 05:42 PM

Hello,

Thanks in advance for your help. FYI I've written a bit about myself in the "Introductions" forum. My tablet PC is an Acer TravelMate C310, purchased mid-2005. It runs Win XP v2002 SP3, Tablet PC Ed 2005. I mainly use Firefox 3.6.3, which I've stripped to its barebones. But sometimes I run IE 8, though the Acer doesn't have enough RAM for IE8, which slows to a crawl and often seems to usher new viruses/trojans onto the machine. I auto-run Microsoft Security Essentials nightly, but I also have Malwarebytes Anti-Malware installed. Finally, I have 2 machines (this tablet PC and a Shuttle PC) both hooked up via wireless router to a Comcast broadband modem.

Here are some of the problems I typically experience:
- when I type in a URL, my browser often yields 2 tabs, 1 with the intended URL, the other an unwanted site.
- e.g. I typed in "bleepingcomputer.com" and I got your site in 1 tab and "registrydefender.com" in a 2nd tab.
- when I type search criteria into the search box of the browser, regardless of whether it is set to use Bing, Google, or Yahoo, if I click on a result in the search results page, it brings me to an unwanted site instead.
- e.g. I typed in "bleeping computer", then clicked on the result link for the Wikipedia Bleeping Computer page, and it yielded "consumerreview.com" instead.
- MS Security Essentials tells me 2-3x/day that I have "Virus:Win32/Alureon.B", and then it either disinfects or quarantines it.
- it also warns "rootkit:Alureon->c:\windows\system3\drivers\atapi.sys"
- oftentimes MS Security Essentials fails to install updates, saying "Error code: 0x80070422: MSE can't start the update service because it's been disabled by the local admin or a result of a problem in the registry data."
- if I re-enable it in the registry, the problem goes away for a while, but recurs in a day or two.
- in the past month, I can no longer use the letters q,t,u,p,j,1,3. I don't know if this is a software interrupt (virus) or a hardware issue. It also happened 1 year ago, lasted 1-2 months, and automagically cleared itself up. I've tried cleaning the computer internals and keyboard, so far to no avail.
- my HJT log shows suspicious AppInit DLLs: tewetopi and ranusanu dlls
- my HJT log also shows many random/suspicious SSODLs and ShareTaskSchedulers.

Below is my dds log, and attached are my ark/gmer and attach.txt. FWIW gmer took 2 hours to run.
Again, thank you for any help you can provide!


DDS (Ver_10-03-17.01) - NTFSx86
Run by yadams at 11:06:28.73 on Fri 04/09/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.76 [GMT -7:00]

AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Acer\eManager\anbmServ.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\System32\tabbtnu.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Explorer.exe
svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\PowerKey.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\OSDCtrl.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\acer\epm\epm-dm.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Autoruns\Autoruns\autoruns.exe
C:\Documents and Settings\yadams\Desktop\dds.scr
svchost.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
mWinlogon: Shell=Explorer.exe
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\Scriptcl.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\yadams\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [TabletWizard] c:\windows\help\SplshWrp.exe
mRun: [TabletTip] "c:\program files\common files\microsoft shared\ink\tabtip.exe" /resume
mRun: [LaunchAp] c:\program files\launch manager\LaunchAp.exe
mRun: [PowerKey] "c:\program files\launch manager\PowerKey.exe"
mRun: [LManager] c:\program files\launch manager\HotkeyApp.exe
mRun: [CtrlVol] c:\program files\launch manager\CtrlVol.exe
mRun: [LMgrOSD] c:\program files\launch manager\OSDCtrl.exe
mRun: [Wbutton] "c:\program files\launch manager\Wbutton.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [EPM-DM] c:\acer\epm\epm-dm.exe
mRun: [ePowerManagement] c:\acer\epm\ePM.exe boot
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [Snippet] "c:\program files\microsoft experience pack\snipping tool\SnippingTool.exe" /i
mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\yadams\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: microsoft.com\update
Trusted Zone: microsoft.com\windowsupdate
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1179264270097
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1179264218848
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: loginkey - c:\program files\common files\microsoft shared\ink\loginkey.dll
Notify: TabBtnWL - TabBtnWL.dll
Notify: tpgwlnotify - tpgwlnot.dll
AppInit_DLLs: tewetopi.dll,ranusanu.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: kayuwajor - {96f27034-05b0-4987-8b87-ad2e999597fe} - No File
SSODL: leyokuzaw - {e407f68b-7a71-4e7f-9bf7-5cb7a6db0c66} - No File
SSODL: rulozahir - {689abee0-4af4-4b65-b506-92311b28520c} - No File
SSODL: tigegonev - {d736b896-c674-4675-af16-e65fe0e369d0} - No File
SSODL: buzudones - {142b65b4-7439-47b5-b9b6-101b77591375} - No File
SSODL: patutayew - {6d80570b-5246-499b-b9c0-f87d5fff0523} - No File
SSODL: deyuvagid - {23aa2356-354f-4db3-a402-4d523998c32c} - No File
STS: {96f27034-05b0-4987-8b87-ad2e999597fe} - No File
STS: {e407f68b-7a71-4e7f-9bf7-5cb7a6db0c66} - No File
STS: {689abee0-4af4-4b65-b506-92311b28520c} - No File
STS: {d736b896-c674-4675-af16-e65fe0e369d0} - No File
STS: {142b65b4-7439-47b5-b9b6-101b77591375} - No File
STS: {6d80570b-5246-499b-b9c0-f87d5fff0523} - No File
STS: {23aa2356-354f-4db3-a402-4d523998c32c} - No File
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Notification Packages = scecli mowukiwe.dll yenuhaja.dll husosaza.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\yadams\applic~1\mozilla\firefox\profiles\mvrksxh5.default\
FF - plugin: c:\documents and settings\yadams\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\yadams\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2006-11-30 31944]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 149040]
R1 MpKsl032d080d;MpKsl032d080d;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6a642a97-ae51-4eb7-9fba-cadc0d55312d}\MpKsl032d080d.sys [2010-4-9 28880]
R1 MpKsl646dedf8;MpKsl646dedf8;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6a642a97-ae51-4eb7-9fba-cadc0d55312d}\MpKsl646dedf8.sys [2010-4-7 28880]
R1 MpKslb3de5d0b;MpKslb3de5d0b;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6a642a97-ae51-4eb7-9fba-cadc0d55312d}\MpKslb3de5d0b.sys [2010-4-9 28880]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-4-5 55152]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2007-5-23 72264]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2007-5-23 34152]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2007-5-23 170408]
R3 POWERKEY;POWERKEY;c:\program files\launch manager\POWERKEY.SYS [2006-4-11 2343]
R3 WacomPen;Wacom Serial Pen HID Driver;c:\windows\system32\drivers\wacompen.sys [2006-4-10 14208]
S1 mailKmd;mailKmd; [x]
S1 MpKsl202d3b31;MpKsl202d3b31;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{1ea2a8e7-d3fc-4c32-817f-06c313af383a}\mpksl202d3b31.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{1ea2a8e7-d3fc-4c32-817f-06c313af383a}\MpKsl202d3b31.sys [?]
S1 MpKsl2779cf21;MpKsl2779cf21;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{1dd6b198-006f-4e5a-9105-3f7edc7cac38}\mpksl2779cf21.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{1dd6b198-006f-4e5a-9105-3f7edc7cac38}\MpKsl2779cf21.sys [?]
S1 MpKsl45c6e1a1;MpKsl45c6e1a1;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{1df01578-91f3-4a63-be86-3ccb3521b934}\mpksl45c6e1a1.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{1df01578-91f3-4a63-be86-3ccb3521b934}\MpKsl45c6e1a1.sys [?]
S1 MpKsl4ac37a0b;MpKsl4ac37a0b;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{1ea2a8e7-d3fc-4c32-817f-06c313af383a}\mpksl4ac37a0b.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{1ea2a8e7-d3fc-4c32-817f-06c313af383a}\MpKsl4ac37a0b.sys [?]
S1 MpKsl53276875;MpKsl53276875;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{1dd6b198-006f-4e5a-9105-3f7edc7cac38}\mpksl53276875.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{1dd6b198-006f-4e5a-9105-3f7edc7cac38}\MpKsl53276875.sys [?]
S1 MpKsl702e8767;MpKsl702e8767;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{1ea2a8e7-d3fc-4c32-817f-06c313af383a}\mpksl702e8767.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{1ea2a8e7-d3fc-4c32-817f-06c313af383a}\MpKsl702e8767.sys [?]
S1 MpKsla56dca0e;MpKsla56dca0e;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{1ea2a8e7-d3fc-4c32-817f-06c313af383a}\mpksla56dca0e.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{1ea2a8e7-d3fc-4c32-817f-06c313af383a}\MpKsla56dca0e.sys [?]
S1 MpKsldeecf9b5;MpKsldeecf9b5;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{1dd6b198-006f-4e5a-9105-3f7edc7cac38}\mpksldeecf9b5.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{1dd6b198-006f-4e5a-9105-3f7edc7cac38}\MpKsldeecf9b5.sys [?]

=============== Created Last 30 ================

2010-04-09 18:02:13 0 ----a-w- c:\documents and settings\yadams\defogger_reenable
2010-04-09 17:00:25 0 d-----w- c:\program files\Autoruns
2010-04-05 06:05:03 0 d-----w- c:\program files\Trend Micro
2010-04-05 04:04:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-05 04:04:17 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-05 04:04:15 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-05 03:44:47 0 d-----w- c:\program files\CCleaner
2010-03-28 15:04:53 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-03-28 15:04:53 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2010-03-28 15:02:09 0 d-----w- c:\program files\iPod
2010-03-28 15:01:00 0 d-----w- c:\program files\iTunes
2010-03-28 15:01:00 0 d-----w- c:\docume~1\alluse~1\applic~1\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-03-28 14:59:33 0 d-----w- c:\program files\Bonjour
2010-03-20 18:58:23 30784 ----a-w- c:\windows\system32\drivers\ikdephir.sys
2010-03-20 18:51:07 30784 ----a-w- c:\windows\system32\drivers\jyfnqfck.sys
2010-03-20 18:47:11 30784 ----a-w- c:\windows\system32\drivers\oummuzwd.sys
2010-03-20 18:40:35 30784 ----a-w- c:\windows\system32\drivers\kbugdfoq.sys
2010-03-20 18:34:21 30784 ----a-w- c:\windows\system32\drivers\zuscwydh.sys
2010-03-20 18:25:37 30784 ----a-w- c:\windows\system32\drivers\wbnbamwt.sys
2010-03-20 18:22:32 30784 ----a-w- c:\windows\system32\drivers\ewxpiopv.sys
2010-03-20 18:17:51 30784 ----a-w- c:\windows\system32\drivers\syoeawbt.sys
2010-03-20 18:14:53 30784 ----a-w- c:\windows\system32\drivers\cjmoxboa.sys
2010-03-20 17:59:52 30784 ----a-w- c:\windows\system32\drivers\xrsnaens.sys
2010-03-20 17:45:37 30784 ----a-w- c:\windows\system32\drivers\lawmuntt.sys
2010-03-20 17:30:38 30784 ----a-w- c:\windows\system32\drivers\bxjgjnnw.sys
2010-03-20 17:27:19 30784 ----a-w- c:\windows\system32\drivers\gkgljoed.sys
2010-03-20 17:24:56 30784 ----a-w- c:\windows\system32\drivers\vlyggztc.sys
2010-03-20 17:21:51 30784 ----a-w- c:\windows\system32\drivers\lylrfjdh.sys
2010-03-20 17:18:11 30784 ----a-w- c:\windows\system32\drivers\jypqmjwa.sys
2010-03-20 17:13:31 30784 ----a-w- c:\windows\system32\drivers\hbvfbhhd.sys
2010-03-20 17:12:44 30784 ----a-w- c:\windows\system32\drivers\qojfqnqs.sys
2010-03-20 17:10:04 30784 ----a-w- c:\windows\system32\drivers\knrlpzon.sys
2010-03-20 17:05:49 30784 ----a-w- c:\windows\system32\drivers\mwsonnqm.sys
2010-03-20 17:01:42 30784 ----a-w- c:\windows\system32\drivers\lbbvoncq.sys
2010-03-20 16:55:01 30784 ----a-w- c:\windows\system32\drivers\uzvdhphh.sys
2010-03-20 16:41:31 30784 ----a-w- c:\windows\system32\drivers\wyktdjgn.sys
2010-03-20 16:36:23 30784 ----a-w- c:\windows\system32\drivers\zayxuvvn.sys
2010-03-20 16:00:22 30784 ----a-w- c:\windows\system32\drivers\olvduecr.sys
2010-03-20 15:54:51 30784 ----a-w- c:\windows\system32\drivers\quazeess.sys
2010-03-20 15:48:19 30784 ----a-w- c:\windows\system32\drivers\iptjfspw.sys
2010-03-20 15:45:12 30784 ----a-w- c:\windows\system32\drivers\ggvoxloa.sys
2010-03-20 15:40:52 30784 ----a-w- c:\windows\system32\drivers\gqnhoflf.sys
2010-03-20 15:37:34 30784 ----a-w- c:\windows\system32\drivers\ccoleemq.sys
2010-03-20 15:23:31 30784 ----a-w- c:\windows\system32\drivers\exjbydlq.sys
2010-03-20 15:08:59 30784 ----a-w- c:\windows\system32\drivers\unabimde.sys
2010-03-20 14:53:50 30784 ----a-w- c:\windows\system32\drivers\szrgbqhd.sys
2010-03-20 14:29:52 30784 ----a-w- c:\windows\system32\drivers\orraedjv.sys
2010-03-20 10:15:17 30784 ----a-w- c:\windows\system32\drivers\yawlhhlg.sys
2010-03-20 10:00:03 30784 ----a-w- c:\windows\system32\drivers\iezukkqj.sys
2010-03-20 09:45:23 30784 ----a-w- c:\windows\system32\drivers\zxuptqcq.sys
2010-03-20 09:30:32 30784 ----a-w- c:\windows\system32\drivers\ejngavnd.sys
2010-03-20 09:14:55 30784 ----a-w- c:\windows\system32\drivers\qxlccldz.sys
2010-03-20 08:56:31 30784 ----a-w- c:\windows\system32\drivers\xrmywsmi.sys
2010-03-20 08:48:19 30784 ----a-w- c:\windows\system32\drivers\hiwddzfh.sys
2010-03-20 08:30:59 30784 ----a-w- c:\windows\system32\drivers\mqcjqfez.sys
2010-03-20 08:24:58 30784 ----a-w- c:\windows\system32\drivers\bwghpueg.sys
2010-03-20 08:21:51 30784 ----a-w- c:\windows\system32\drivers\gfxpxoeg.sys
2010-03-20 08:20:11 30784 ----a-w- c:\windows\system32\drivers\jtzgskqq.sys
2010-03-20 08:19:03 30784 ----a-w- c:\windows\system32\drivers\pletihjx.sys
2010-03-20 08:17:39 30784 ----a-w- c:\windows\system32\drivers\rjdwxphy.sys

==================== Find3M ====================

2010-01-14 19:12:06 181120 ------w- c:\windows\system32\MpSigStub.exe
2009-12-17 11:55:02 2713 --sh--w- c:\windows\system32\pagifali.exe
2009-12-14 18:24:02 2713 --sh--w- c:\windows\system32\ronigofu.exe
2009-12-19 11:00:29 2713 --sh--w- c:\windows\system32\tobuvuzi.exe
2009-12-17 11:55:02 2713 --sh--w- c:\windows\system32\zorotahi.exe
2009-12-19 11:00:29 2713 --sh--w- c:\windows\system32\zuragiwu.exe
2010-01-05 08:36:11 32768 --sha-w- c:\windows\system32\config\systemprofile\application data\microsoft\internet explorer\userdata\index.dat
2010-01-03 19:37:32 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009121420091221\index.dat
2010-01-04 16:04:43 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009122820100104\index.dat
2010-01-04 16:04:43 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012010010420100105\index.dat
2010-01-05 16:01:02 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012010010520100106\index.dat
2010-01-08 06:06:01 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012010010720100108\index.dat

============= FINISH: 11:09:49.89 ===============



-- Reflections On Life

Cya in anotha lifetime, Brotha!
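The DDS "Pseudo HJT Report" and "Created Last 30" sections above carry the indicators a responder would act on: DLLs listed in AppInit_DLLs (loaded into every user-mode process that links user32.dll), SSODL/STS CLSIDs that resolve to "No File", LSA Notification Packages beyond the Windows default scecli, and a run of same-size, randomly named drivers written to system32\drivers within hours of each other. The following Python script is an added example for triaging such a log automatically; it is not part of the thread and not a BleepingComputer or DDS tool. The sample log lines are constructed in the DDS format (modelled on the entries posted above), and the burst threshold and the "scecli only" baseline are assumptions a responder would tune.

```python
"""Triage a DDS-style pseudo-HJT log for common persistence abuse.

Added example (not from the thread). Flags:
  * any AppInit_DLLs entry
  * SSODL / STS entries that resolve to "No File" (orphaned CLSIDs)
  * LSA Notification Packages other than the Windows default "scecli"
  * bursts of same-size drivers created in system32\\drivers on one day
"""
import re
from collections import defaultdict

# Constructed sample in DDS format, modelled on the log in the thread.
SAMPLE_LOG = r"""
AppInit_DLLs: tewetopi.dll,ranusanu.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: kayuwajor - {96f27034-05b0-4987-8b87-ad2e999597fe} - No File
STS: {96f27034-05b0-4987-8b87-ad2e999597fe} - No File
LSA: Notification Packages = scecli mowukiwe.dll yenuhaja.dll husosaza.dll
2010-03-20 18:58:23 30784 ----a-w- c:\windows\system32\drivers\ikdephir.sys
2010-03-20 18:51:07 30784 ----a-w- c:\windows\system32\drivers\jyfnqfck.sys
2010-03-20 18:47:11 30784 ----a-w- c:\windows\system32\drivers\oummuzwd.sys
2010-04-05 04:04:17 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
"""

# Assumed baseline: a stock Windows XP box lists only scecli here.
DEFAULT_LSA_PACKAGES = {"scecli"}

# "<date> <time> <size> <attrs> <path ending in \drivers\name.sys>"
DRIVER_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \S+ (?P<size>\d+) \S+ "
    r"(?P<path>.+\\drivers\\(?P<name>[^\\]+\.sys))$",
    re.IGNORECASE,
)


def triage(log_text, driver_burst_threshold=3):
    """Return a list of (category, detail) findings for the given log text."""
    findings = []
    drivers = defaultdict(list)  # (date, size) -> [driver names]

    for raw in log_text.strip().splitlines():
        line = raw.strip()
        if line.lower().startswith("appinit_dlls:"):
            # Anything here is injected into every GUI process; always report.
            for dll in line.split(":", 1)[1].split(","):
                if dll.strip():
                    findings.append(("AppInit_DLLs", dll.strip()))
        elif line.startswith(("SSODL:", "STS:")) and line.endswith("- No File"):
            # Shell object / scheduler CLSID registered but its DLL is gone or hidden.
            kind, rest = line.split(":", 1)
            findings.append((f"{kind} orphan", rest.strip()))
        elif line.startswith("LSA: Notification Packages ="):
            # Extra packages are loaded by lsass at boot and see password changes.
            for pkg in line.split("=", 1)[1].split():
                if pkg.lower() not in DEFAULT_LSA_PACKAGES:
                    findings.append(("LSA Notification Package", pkg))
        else:
            m = DRIVER_LINE.match(line)
            if m:
                drivers[(m.group("date"), int(m.group("size")))].append(m.group("name"))

    # Many identical-size drivers on one day is the dropper pattern seen above.
    for (date, size), names in sorted(drivers.items()):
        if len(names) >= driver_burst_threshold:
            findings.append(
                ("driver burst", f"{len(names)} drivers of {size} bytes created {date}")
            )
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"[{category}] {detail}")
```

The rules are deliberately conservative: a legitimate SSODL entry with a real path (WPDShServiceObj) and a known driver of a different size (mbam.sys) are not flagged, while every line that matches one of the four patterns is, so the output is a short worklist rather than a verdict.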



#2 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  • Gender:Male
  • Location:Munich,Germany
  • Local time:06:04 PM

Posted 12 April 2010 - 11:22 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE



Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#3 reflex on life
  • Topic Starter
  • Members
  • 5 posts
  • OFFLINE
  • Local time:10:04 AM

Posted 13 April 2010 - 01:17 PM

Hi Schrauber,

Thanks for your reply. Since my original submission 5 days ago, I installed and ran
1) F-Secure Blacklight Rootkit Eliminator
- yielded no obvious results
2) Spyware Doctor
- caught & removed 5 items, including Virtuomode.A & .B

I have rerun DDS and GMER. See log for DDS below, attach.txt.zip attached, and gmer rootkit quickscan log (from before pressing SCAN button). GMER Scan is currently running, so once it is finished I will reply with that log.

===== DDS =============


DDS (Ver_10-03-17.01) - NTFSx86
Run by yadams at 10:29:05.75 on Tue 04/13/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.131 [GMT -7:00]

AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Acer\eManager\anbmServ.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\PowerKey.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\OSDCtrl.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\acer\epm\epm-dm.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\yadams\Desktop\dds.scr
C:\Documents and Settings\yadams\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = about:blank
mCustomizeSearch = about:blank
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
mWinlogon: Shell=Explorer.exe
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\yadams\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [TabletWizard] c:\windows\help\SplshWrp.exe
mRun: [TabletTip] "c:\program files\common files\microsoft shared\ink\tabtip.exe" /resume
mRun: [LaunchAp] c:\program files\launch manager\LaunchAp.exe
mRun: [PowerKey] "c:\program files\launch manager\PowerKey.exe"
mRun: [LManager] c:\program files\launch manager\HotkeyApp.exe
mRun: [CtrlVol] c:\program files\launch manager\CtrlVol.exe
mRun: [LMgrOSD] c:\program files\launch manager\OSDCtrl.exe
mRun: [Wbutton] "c:\program files\launch manager\Wbutton.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [EPM-DM] c:\acer\epm\epm-dm.exe
mRun: [ePowerManagement] c:\acer\epm\ePM.exe boot
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [Snippet] "c:\program files\microsoft experience pack\snipping tool\SnippingTool.exe" /i
mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\yadams\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: microsoft.com\update
Trusted Zone: microsoft.com\windowsupdate
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1179264270097
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1179264218848
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: loginkey - c:\program files\common files\microsoft shared\ink\loginkey.dll
Notify: TabBtnWL - TabBtnWL.dll
Notify: tpgwlnotify - tpgwlnot.dll
AppInit_DLLs: tewetopi.dll,ranusanu.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: kayuwajor - {96f27034-05b0-4987-8b87-ad2e999597fe} - No File
SSODL: leyokuzaw - {e407f68b-7a71-4e7f-9bf7-5cb7a6db0c66} - No File
SSODL: rulozahir - {689abee0-4af4-4b65-b506-92311b28520c} - No File
SSODL: tigegonev - {d736b896-c674-4675-af16-e65fe0e369d0} - No File
SSODL: buzudones - {142b65b4-7439-47b5-b9b6-101b77591375} - No File
SSODL: patutayew - {6d80570b-5246-499b-b9c0-f87d5fff0523} - No File
SSODL: deyuvagid - {23aa2356-354f-4db3-a402-4d523998c32c} - No File
STS: {96f27034-05b0-4987-8b87-ad2e999597fe} - No File
STS: {e407f68b-7a71-4e7f-9bf7-5cb7a6db0c66} - No File
STS: {689abee0-4af4-4b65-b506-92311b28520c} - No File
STS: {d736b896-c674-4675-af16-e65fe0e369d0} - No File
STS: {142b65b4-7439-47b5-b9b6-101b77591375} - No File
STS: {6d80570b-5246-499b-b9c0-f87d5fff0523} - No File
STS: {23aa2356-354f-4db3-a402-4d523998c32c} - No File
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Notification Packages = scecli mowukiwe.dll yenuhaja.dll husosaza.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\yadams\applic~1\mozilla\firefox\profiles\mvrksxh5.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: c:\documents and settings\yadams\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\yadams\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

P2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2007-2-22 144960]
R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2006-11-30 31944]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 149040]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-4-5 55152]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2006-5-30 104000]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2007-2-22 54872]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2007-5-23 72264]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2007-5-23 34152]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2007-5-23 170408]
R3 POWERKEY;POWERKEY;c:\program files\launch manager\POWERKEY.SYS [2006-4-11 2343]
R3 WacomPen;Wacom Serial Pen HID Driver;c:\windows\system32\drivers\wacompen.sys [2006-4-10 14208]
S1 mailKmd;mailKmd; [x]
S1 MpKsl202d3b31;MpKsl202d3b31;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{1ea2a8e7-d3fc-4c32-817f-06c313af383a}\mpksl202d3b31.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{1ea2a8e7-d3fc-4c32-817f-06c313af383a}\MpKsl202d3b31.sys [?]
S1 MpKsl2779cf21;MpKsl2779cf21;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{1dd6b198-006f-4e5a-9105-3f7edc7cac38}\mpksl2779cf21.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{1dd6b198-006f-4e5a-9105-3f7edc7cac38}\MpKsl2779cf21.sys [?]
S1 MpKsl45c6e1a1;MpKsl45c6e1a1;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{1df01578-91f3-4a63-be86-3ccb3521b934}\mpksl45c6e1a1.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{1df01578-91f3-4a63-be86-3ccb3521b934}\MpKsl45c6e1a1.sys [?]
S1 MpKsl4ac37a0b;MpKsl4ac37a0b;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{1ea2a8e7-d3fc-4c32-817f-06c313af383a}\mpksl4ac37a0b.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{1ea2a8e7-d3fc-4c32-817f-06c313af383a}\MpKsl4ac37a0b.sys [?]
S1 MpKsl53276875;MpKsl53276875;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{1dd6b198-006f-4e5a-9105-3f7edc7cac38}\mpksl53276875.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{1dd6b198-006f-4e5a-9105-3f7edc7cac38}\MpKsl53276875.sys [?]
S1 MpKsl702e8767;MpKsl702e8767;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{1ea2a8e7-d3fc-4c32-817f-06c313af383a}\mpksl702e8767.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{1ea2a8e7-d3fc-4c32-817f-06c313af383a}\MpKsl702e8767.sys [?]
S1 MpKsla56dca0e;MpKsla56dca0e;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{1ea2a8e7-d3fc-4c32-817f-06c313af383a}\mpksla56dca0e.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{1ea2a8e7-d3fc-4c32-817f-06c313af383a}\MpKsla56dca0e.sys [?]
S1 MpKsldeecf9b5;MpKsldeecf9b5;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{1dd6b198-006f-4e5a-9105-3f7edc7cac38}\mpksldeecf9b5.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{1dd6b198-006f-4e5a-9105-3f7edc7cac38}\MpKsldeecf9b5.sys [?]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2009-2-6 533360]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-4-4 38224]

=============== Created Last 30 ================

2010-04-10 13:38:45 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-04-10 13:38:45 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-04-10 12:35:59 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-04-09 18:02:13 0 ----a-w- c:\documents and settings\yadams\defogger_reenable
2010-04-09 17:59:52 4194379 ----a-w- c:\windows\pfirewall.log.old
2010-04-09 17:00:25 0 d-----w- c:\program files\Autoruns
2010-04-05 06:05:03 0 d-----w- c:\program files\Trend Micro
2010-04-05 04:04:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-05 04:04:17 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-05 04:04:15 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-05 03:44:47 0 d-----w- c:\program files\CCleaner
2010-03-28 15:04:53 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-03-28 15:04:53 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2010-03-28 15:02:09 0 d-----w- c:\program files\iPod
2010-03-28 15:01:00 0 d-----w- c:\program files\iTunes
2010-03-28 15:01:00 0 d-----w- c:\docume~1\alluse~1\applic~1\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-03-28 14:59:33 0 d-----w- c:\program files\Bonjour
2010-03-20 18:58:23 30784 ----a-w- c:\windows\system32\drivers\ikdephir.sys
2010-03-20 18:51:07 30784 ----a-w- c:\windows\system32\drivers\jyfnqfck.sys
2010-03-20 18:47:11 30784 ----a-w- c:\windows\system32\drivers\oummuzwd.sys
2010-03-20 18:40:35 30784 ----a-w- c:\windows\system32\drivers\kbugdfoq.sys
2010-03-20 18:34:21 30784 ----a-w- c:\windows\system32\drivers\zuscwydh.sys
2010-03-20 18:25:37 30784 ----a-w- c:\windows\system32\drivers\wbnbamwt.sys
2010-03-20 18:22:32 30784 ----a-w- c:\windows\system32\drivers\ewxpiopv.sys
2010-03-20 18:17:51 30784 ----a-w- c:\windows\system32\drivers\syoeawbt.sys
2010-03-20 18:14:53 30784 ----a-w- c:\windows\system32\drivers\cjmoxboa.sys
2010-03-20 17:59:52 30784 ----a-w- c:\windows\system32\drivers\xrsnaens.sys
2010-03-20 17:45:37 30784 ----a-w- c:\windows\system32\drivers\lawmuntt.sys
2010-03-20 17:30:38 30784 ----a-w- c:\windows\system32\drivers\bxjgjnnw.sys
2010-03-20 17:27:19 30784 ----a-w- c:\windows\system32\drivers\gkgljoed.sys
2010-03-20 17:24:56 30784 ----a-w- c:\windows\system32\drivers\vlyggztc.sys
2010-03-20 17:21:51 30784 ----a-w- c:\windows\system32\drivers\lylrfjdh.sys
2010-03-20 17:18:11 30784 ----a-w- c:\windows\system32\drivers\jypqmjwa.sys
2010-03-20 17:13:31 30784 ----a-w- c:\windows\system32\drivers\hbvfbhhd.sys
2010-03-20 17:12:44 30784 ----a-w- c:\windows\system32\drivers\qojfqnqs.sys
2010-03-20 17:10:04 30784 ----a-w- c:\windows\system32\drivers\knrlpzon.sys
2010-03-20 17:05:49 30784 ----a-w- c:\windows\system32\drivers\mwsonnqm.sys
2010-03-20 17:01:42 30784 ----a-w- c:\windows\system32\drivers\lbbvoncq.sys
2010-03-20 16:55:01 30784 ----a-w- c:\windows\system32\drivers\uzvdhphh.sys
2010-03-20 16:41:31 30784 ----a-w- c:\windows\system32\drivers\wyktdjgn.sys
2010-03-20 16:36:23 30784 ----a-w- c:\windows\system32\drivers\zayxuvvn.sys
2010-03-20 16:00:22 30784 ----a-w- c:\windows\system32\drivers\olvduecr.sys
2010-03-20 15:54:51 30784 ----a-w- c:\windows\system32\drivers\quazeess.sys
2010-03-20 15:48:19 30784 ----a-w- c:\windows\system32\drivers\iptjfspw.sys
2010-03-20 15:45:12 30784 ----a-w- c:\windows\system32\drivers\ggvoxloa.sys
2010-03-20 15:40:52 30784 ----a-w- c:\windows\system32\drivers\gqnhoflf.sys
2010-03-20 15:37:34 30784 ----a-w- c:\windows\system32\drivers\ccoleemq.sys
2010-03-20 15:23:31 30784 ----a-w- c:\windows\system32\drivers\exjbydlq.sys
2010-03-20 15:08:59 30784 ----a-w- c:\windows\system32\drivers\unabimde.sys
2010-03-20 14:53:50 30784 ----a-w- c:\windows\system32\drivers\szrgbqhd.sys
2010-03-20 14:29:52 30784 ----a-w- c:\windows\system32\drivers\orraedjv.sys
2010-03-20 10:15:17 30784 ----a-w- c:\windows\system32\drivers\yawlhhlg.sys
2010-03-20 10:00:03 30784 ----a-w- c:\windows\system32\drivers\iezukkqj.sys
2010-03-20 09:45:23 30784 ----a-w- c:\windows\system32\drivers\zxuptqcq.sys
2010-03-20 09:30:32 30784 ----a-w- c:\windows\system32\drivers\ejngavnd.sys
2010-03-20 09:14:55 30784 ----a-w- c:\windows\system32\drivers\qxlccldz.sys
2010-03-20 08:56:31 30784 ----a-w- c:\windows\system32\drivers\xrmywsmi.sys
2010-03-20 08:48:19 30784 ----a-w- c:\windows\system32\drivers\hiwddzfh.sys
2010-03-20 08:30:59 30784 ----a-w- c:\windows\system32\drivers\mqcjqfez.sys
2010-03-20 08:24:58 30784 ----a-w- c:\windows\system32\drivers\bwghpueg.sys
2010-03-20 08:21:51 30784 ----a-w- c:\windows\system32\drivers\gfxpxoeg.sys
2010-03-20 08:20:11 30784 ----a-w- c:\windows\system32\drivers\jtzgskqq.sys
2010-03-20 08:19:03 30784 ----a-w- c:\windows\system32\drivers\pletihjx.sys
2010-03-20 08:17:39 30784 ----a-w- c:\windows\system32\drivers\rjdwxphy.sys

==================== Find3M ====================

2010-01-14 19:12:06 181120 ------w- c:\windows\system32\MpSigStub.exe
2009-12-17 11:55:02 2713 --sh--w- c:\windows\system32\pagifali.exe
2009-12-14 18:24:02 2713 --sh--w- c:\windows\system32\ronigofu.exe
2009-12-19 11:00:29 2713 --sh--w- c:\windows\system32\tobuvuzi.exe
2009-12-17 11:55:02 2713 --sh--w- c:\windows\system32\zorotahi.exe
2009-12-19 11:00:29 2713 --sh--w- c:\windows\system32\zuragiwu.exe
2010-01-05 08:36:11 32768 --sha-w- c:\windows\system32\config\systemprofile\application data\microsoft\internet explorer\userdata\index.dat
2010-01-10 11:35:06 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\internet explorer\domstore\index.dat
2010-01-03 19:37:32 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009121420091221\index.dat
2010-01-04 16:04:43 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009122820100104\index.dat
2010-01-04 16:04:43 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012010010420100105\index.dat
2010-01-05 16:01:02 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012010010520100106\index.dat
2010-01-08 06:06:01 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012010010720100108\index.dat
2010-01-10 00:53:28 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012010010920100110\index.dat

============= FINISH: 10:31:20.15 ===============

===== GMER rootkit quick-scan =========

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-04-13 10:45:06
Windows 5.1.2600 Service Pack 3
Running: l4cdnm1o.exe; Driver: C:\DOCUME~1\yadams\LOCALS~1\Temp\pwddqpow.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xF16CF4FB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xF16CF50F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF16CF53B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xF16CF4E7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xF16CF525]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xF16CF551]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF16CF567]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \Driver\00001363 -> \Driver\atapi \Device\Harddisk0\DR0 830A450C

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

===== end gmer ============



-- Reflections On Life

Cya in anotha lifetime, Brotha!


#4 reflex on life
  • Topic Starter
  • Members
  • 5 posts
  • OFFLINE
  • Local time:10:04 AM

Posted 13 April 2010 - 02:08 PM

GMER after full scan =====

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-13 11:56:04
Windows 5.1.2600 Service Pack 3
Running: l4cdnm1o.exe; Driver: C:\DOCUME~1\yadams\LOCALS~1\Temp\pwddqpow.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xF16CF4FB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xF16CF50F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF16CF53B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xF16CF4E7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xF16CF525]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xF16CF551]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF16CF567]

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntkrnlpa.exe!ZwTerminateProcess 805C8CB8 5 Bytes JMP F16CF56B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 806188B8 7 Bytes JMP F16CF555 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 80619D54 7 Bytes JMP F16CF529 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 8061A332 5 Bytes JMP F16CF4FF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 8061A7C2 7 Bytes JMP F16CF513 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 8061A992 7 Bytes JMP F16CF53F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 8061B704 5 Bytes JMP F16CF4EB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
.rsrc C:\WINDOWS\system32\drivers\atapi.sys entry point in ".rsrc" section [0xF84C17AC]
init C:\WINDOWS\system32\drivers\tifm21.sys entry point in "init" section [0xF71FDDBF]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1336] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 006F000A
.text C:\WINDOWS\System32\svchost.exe[1336] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0070000A
.text C:\WINDOWS\System32\svchost.exe[1336] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 006E000C
.text C:\WINDOWS\System32\svchost.exe[1336] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 0283000A
.text C:\WINDOWS\System32\svchost.exe[1336] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 0282000A
.text C:\WINDOWS\Explorer.exe[2436] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
.text C:\WINDOWS\Explorer.exe[2436] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BD000A
.text C:\WINDOWS\Explorer.exe[2436] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \Driver\00001363 -> \Driver\atapi \Device\Harddisk0\DR0 830A450C

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000b6b5c3ac6
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\000b6b5c3ac6 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\BTHPORT\Parameters\Keys\000b6b5c3ac6 (not active ControlSet)

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


-- Reflections On Life

Cya in anotha lifetime, Brotha!
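
The two GMER logs above repeat the same three indicators against atapi.sys: an entry point inside the ".rsrc" section, a generated driver object (\Driver\00001363) fronting \Driver\atapi for Harddisk0\DR0, and the file itself flagged as modified, while the other hooks listed belong to the McAfee driver. As an added example that is not part of the thread and not GMER's own code, here is a small triage script that parses those line formats, keeps the vendor hooks as review items, and reports which driver the high-severity findings converge on; the sample lines are constructed from the formats quoted in the thread, and the severity rules are the author's assumptions.

```python
import ntpath
import re
from collections import Counter

# Constructed sample in the GMER 1.0.15 line format quoted in this thread.
SAMPLE_LOG = r"""---- Kernel code sections - GMER 1.0.15 ----
PAGE ntkrnlpa.exe!ZwOpenKey 8061B704 5 Bytes JMP F16CF4EB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
.rsrc C:\WINDOWS\system32\drivers\atapi.sys entry point in ".rsrc" section [0xF84C17AC]
init C:\WINDOWS\system32\drivers\tifm21.sys entry point in "init" section [0xF71FDDBF]
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
Device \Driver\00001363 -> \Driver\atapi \Device\Harddisk0\DR0 830A450C
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
"""

ENTRY_RE = re.compile(r'^\S+ (\S+\.sys) entry point in "(\S+)" section')
HOOK_RE = re.compile(r"^PAGE (\S+) \S+ \d+ Bytes JMP \S+ (\S+) \((.+)\)$")
DEVICE_RE = re.compile(r"^Device (\\Driver\\\S+) -> \\Driver\\(\S+) (\S+)")
FILE_RE = re.compile(r"^File (\S+) suspicious modification")

def _drv(path):
    return ntpath.basename(path).lower().removesuffix(".sys")  # e.g. 'atapi'

def triage(log_text):
    """Return (severity, kind, driver, detail) for the GMER lines that matter."""
    findings = []
    for line in log_text.splitlines():
        if m := ENTRY_RE.match(line):
            path, section = m.groups()
            # Assumption: an entry point in INIT is normal for a driver; one
            # inside a resource section is not and matches a patched-driver pattern.
            sev = "info" if section.lower() == "init" else "high"
            findings.append((sev, "entrypoint", _drv(path), section))
        elif m := HOOK_RE.match(line):
            api, module, owner = m.groups()
            findings.append(("review", "hook", _drv(module), f"{api} -> {owner}"))
        elif m := DEVICE_RE.match(line):
            fake, real, dev = m.groups()
            # A generated driver object in front of the disk driver hides what is on disk.
            findings.append(("high", "device", real.lower(), f"{dev} via {fake}"))
        elif m := FILE_RE.match(line):
            findings.append(("high", "file", _drv(m.group(1)), m.group(1)))
    return findings

def correlated_drivers(findings):
    """Drivers named in more than one high-severity finding: act on these first."""
    hits = Counter(drv for sev, _, drv, _ in findings if sev == "high")
    return sorted(d for d, n in hits.items() if n > 1)
```

Run against a real GMER log, the hook entries still need a manual check of the owning module; the script only separates them from the disk-driver indicators it can score on its own.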


#5 schrauber


Posted 14 April 2010 - 01:02 PM

Hello, reflex on life
Welcome to the Bleeping Computer Forums. My name is Thomas (Tom is fine), and I will be helping you fix your problems.

If you do not make a reply in 5 days, we will have to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.
  • Please set your system to show all files.
    Click Start, open My Computer, select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.




Please go here and have a look how you can disable your security software.

Download Combofix from any of the links below but rename it to before saving it to your desktop.

Link 1
Link 2



--------------------------------------------------------------------

Double click on the renamed Combofix.exe & follow the prompts.
    When finished, it will produce a report for you.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#6 reflex on life


Posted 15 April 2010 - 12:01 PM

Hello,

It's been an entire week since I first posted my request for help. During that time my problems with it have gone from bad to worse. Now it will no longer boot up at all, nor will it read its CD/DVD drive so I cannot boot from windows externally.

I have since donated the computer to charity, so you can close this topic.

Thank you.
-- Reflections On Life

Cya in anotha lifetime, Brotha!


#7 schrauber


Posted 17 April 2010 - 02:21 AM

Thanks for letting me know.

Since this issue appears to be resolved ... this Topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
regards,
schrauber

