
pwtyapob.sys infection


  • This topic is locked
41 replies to this topic

#1 jigglestick

  • Members
  • 32 posts

Posted 16 April 2010 - 12:55 PM

this is where i will start the new thread

Edited by elise025, 16 April 2010 - 02:04 PM.
Please leave this thread in log forum ~ Elise



#2 jigglestick

  • Topic Starter
  • Members
  • 32 posts

Posted 16 April 2010 - 01:05 PM

as asked in the other thread,
what do they mean "disable script blocking programs"?

I just want to make sure I don't make any mistakes that will screw up the process.

#3 jigglestick

  • Topic Starter
  • Members
  • 32 posts

Posted 16 April 2010 - 02:53 PM

the dds log

DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 14:35:28.89 on Fri 04/16/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.424 [GMT -5:00]

AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\Program Files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\SymcPCCULaunchSvc.exe
C:\Program Files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\ccSvcHst.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\ccSvcHst.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Arima Hotkey\arima_hotkey.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\McAfee\MSM\McSmtFwk.exe
C:\PROGRA~1\COMMON~1\McAfee\MSC\McUICnt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://www.google.com
uWindow Title = Windows Internet Explorer provided by Yahoo!
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mDefault_Page_URL = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
uInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/g/startpage.html?Ch=Consumer&Br=GTW&Loc=ENG_US&Sys=PTB&M=NX100X
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: CitiUSBrowserHelper Class: {387edf53-1cf2-4523-bc2f-13462651be8c} - c:\windows\system32\BhoCitUS.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\windows\system32\BAE.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [Power2GoExpress] NA
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Pardo] rundll32.exe "c:\documents and settings\administrator\application data\adobe\update\widwnd.dat""
uRun: [Getdo] rundll32.exe "c:\documents and settings\administrator\application data\adobe\update\flacor.dat""
uRun: [Helper] c:\documents and settings\administrator\application data\helper\bin\liveu.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~2.EXE -Update -1103470 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GTB5; .NET CLR 1.1.4322; .NET CLR 2.0.50727; IEMB3; IEMB3)" -"http://media.pearsoncmg.com/aw/bc_marieb_humananphy_5/hap_place_media/chapter28/medialib/learning/ch28ae1.html"
mRun: [<NO NAME>]
mRun: [Gateway Extended Warranty] "c:\program files\gateway\gwcares\GWCares.exe"
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Reminder] %WINDIR%\Creator\Remind_XP.exe
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [arima hotkey] c:\program files\arima hotkey\arima_hotkey.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Mahjong%20Escape%20-%20Ancient%20Japan/Images/stg_drm.ocx
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Mahjong%20Escape%20-%20Ancient%20Japan/Images/armhelper.ocx
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-4-3 162640]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-4-3 19024]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-3 40384]
R2 Norton PC Checkup Application Launcher;Norton PC Checkup Application Launcher;c:\program files\norton pc checkup\norton pc checkup\engine\2.0.2.506\SymcPCCULaunchSvc.exe [2010-1-2 103280]
R2 PCCUJobMgr;Common Client Job Manager Service;c:\program files\norton pc checkup\norton pc checkup\engine\2.0.2.506\ccSvcHst.exe [2010-1-2 126392]
R3 ArHotKey;ArHotKey;c:\windows\system32\drivers\ArHotKey.SYS [2006-9-25 5632]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-3 40384]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-31 135664]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-3 40384]

=============== Created Last 30 ================

2010-04-16 18:44:32 0 d-----w- c:\windows\system32\appmgmt
2010-04-16 17:19:33 0 ----a-w- c:\documents and settings\administrator\defogger_reenable
2010-04-05 18:24:18 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-04-05 18:24:00 0 d-----w- c:\program files\SUPERAntiSpyware
2010-04-05 18:24:00 0 d-----w- c:\docume~1\admini~1\applic~1\SUPERAntiSpyware.com
2010-04-05 18:23:15 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-04-04 16:46:39 0 d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2010-04-04 16:46:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-04 16:46:11 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-04-04 16:46:10 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-04 16:46:10 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-04 04:41:59 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-04-04 04:00:18 0 d-----w- c:\docume~1\admini~1\applic~1\Helper

==================== Find3M ====================

2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-01 21:55:02 578560 ----a-w- c:\windows\system32\user32.DLL
2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11:07 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-23 22:08:23 28846 ----a-w- c:\docume~1\admini~1\applic~1\wklnhst.dat
2010-02-17 14:10:28 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25:04 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll
2008-09-23 23:35:07 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092320080924\index.dat

============= FINISH: 14:36:36.51 ===============



#4 jigglestick

  • Topic Starter
  • Members
  • 32 posts

Posted 16 April 2010 - 02:55 PM

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 9/28/2006 2:49:14 PM
System Uptime: 4/16/2010 12:04:19 PM (2 hours ago)

Motherboard: Gateway | |
Processor: Genuine Intel® CPU U1400 @ 1.20GHz | U2E1 | 1196/mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 71 GiB total, 59.719 GiB free.
D: is FIXED (FAT32) - 4 GiB total, 2.728 GiB free.

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP320: 1/17/2010 1:08:37 PM - System Checkpoint
RP321: 1/18/2010 6:47:50 PM - System Checkpoint
RP322: 1/19/2010 9:07:22 PM - System Checkpoint
RP323: 1/20/2010 9:50:01 PM - System Checkpoint
RP324: 1/21/2010 10:17:06 PM - Software Distribution Service 3.0
RP325: 1/23/2010 1:33:51 PM - System Checkpoint
RP326: 1/25/2010 11:24:01 AM - System Checkpoint
RP327: 1/27/2010 9:06:08 AM - System Checkpoint
RP328: 1/28/2010 3:56:36 PM - System Checkpoint
RP329: 1/29/2010 5:58:24 PM - System Checkpoint
RP330: 2/4/2010 7:24:35 PM - System Checkpoint
RP331: 2/7/2010 11:27:38 AM - System Checkpoint
RP332: 2/9/2010 1:17:19 PM - System Checkpoint
RP333: 2/9/2010 5:44:31 PM - Software Distribution Service 3.0
RP334: 2/10/2010 8:21:05 PM - System Checkpoint
RP335: 2/15/2010 1:03:33 PM - System Checkpoint
RP336: 2/16/2010 1:36:01 PM - System Checkpoint
RP337: 2/17/2010 7:51:49 PM - System Checkpoint
RP338: 2/19/2010 5:43:09 PM - System Checkpoint
RP339: 2/20/2010 6:40:37 PM - System Checkpoint
RP340: 2/22/2010 7:57:27 PM - System Checkpoint
RP341: 2/24/2010 9:27:34 PM - Software Distribution Service 3.0
RP342: 2/27/2010 6:00:59 PM - System Checkpoint
RP343: 2/28/2010 6:56:58 PM - System Checkpoint
RP344: 3/1/2010 6:52:41 PM - Removed Adobe Reader 8.1.2
RP345: 3/1/2010 6:53:16 PM - Installed Adobe Reader 9.3.
RP346: 3/4/2010 6:36:11 PM - System Checkpoint
RP347: 3/5/2010 7:55:57 PM - System Checkpoint
RP348: 3/7/2010 8:10:30 PM - System Checkpoint
RP349: 4/3/2010 11:41:59 PM - avast! Free Antivirus Setup
RP350: 4/4/2010 9:35:06 AM - Software Distribution Service 3.0
RP351: 4/4/2010 4:55:32 PM - Restore Operation
RP352: 4/5/2010 1:24:00 PM - Installed SUPERAntiSpyware Free Edition
RP353: 4/14/2010 3:06:30 PM - System Checkpoint
RP354: 4/15/2010 11:07:06 AM - Software Distribution Service 3.0
RP355: 4/16/2010 12:49:59 PM - System Checkpoint

==== Installed Programs ======================

1400
1400_Help
1400Trb
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player Plugin
Adobe Reader 9.3
Adobe Shockwave Player 11
Adobe® Photoshop® Album Starter Edition 3.2
Agere Systems HDA Modem
AiO_Scan
AiOSoftware
Ask Toolbar
avast! Free Antivirus
Browser Address Error Redirector
BufferChm
CP_Package_Variety1
CP_Package_Variety2
CP_Package_Variety3
CustomerResearchQFolder
Destinations
DeviceManagementQFolder
Digital Photo Navigator 1.5
DocProc
eSupportQFolder
Fax
Google Toolbar for Internet Explorer
Google Update Helper
gtw_logo
GWCares
High Definition Audio Driver Package - KB888111
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
HP Extended Capabilities 5.3
HP Image Zone Express
HP Imaging Device Functions 5.3
HP Product Assistant
HP PSC & OfficeJet 5.3.B
HP Solution Center & Imaging Support Tools 5.3
HP Update
HPProductAssistant
Intel Matrix Storage Manager
Intel® Graphics Media Accelerator Driver
Intel® PRO Network Connections Drivers
Intel® PROSet/Wireless Software
Java 2 Runtime Environment, SE v1.4.2
LiveUpdate 3.1 (Symantec Corporation)
Malwarebytes' Anti-Malware
MarketResearch
McAfee SecurityCenter
mCore
mDriver
mDrWiFi
mHelp
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Silverlight
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Works
mIWA
mLogView
mMHouse
mPfMgr
mPfWiz
mProSafe
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
mWlsSafe
mXML
mZConfig
Napster
Napster Burn Engine
NewCopy
Norton PC Checkup
PL-2303 USB-to-Serial
Power2Go 4.0
PowerDVD
ProductContext
QuickTime
Readme
RealPlayer Basic
Recovery Software Suite Gateway
Scan
ScannerCopy
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB913433)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980232)
SigmaTel Audio
SolutionCenter
Status
SUPERAntiSpyware Free Edition
Synaptics Pointing Device Driver
Texas Instruments PCIxx21/x515/xx12 drivers.
The Weather Channel Desktop 6
TIPCI
TrayApp
Unload
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB971180)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Viewpoint Media Player
WebFldrs XP
WebReg
WIDCOMM Bluetooth Software
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format Runtime
Windows Media Player 10
Windows XP Service Pack 3
WinPhlash
Yahoo! Toolbar
Yahoo! Toolbar for Internet Explorer

==== End Of File ===========================


#5 Elise

  • Bleepin' Blonde
  • Malware Study Hall Admin
  • 60,820 posts
  • Gender:Female
  • Location:Romania

Posted 16 April 2010 - 02:56 PM


Welcome to the Bleeping Computer Malware Removal Forum. My name is Elise. I'll be glad to help you with your computer problems.


I will be working on your malware issues; this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------
Please be patient and I'd be grateful if you would note the following:
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem.


COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Edited by elise025, 16 April 2010 - 02:58 PM.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft


#6 jigglestick

  • Topic Starter
  • Members
  • 32 posts

Posted 16 April 2010 - 03:05 PM

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-15 16:26:51
Windows 5.1.2600 Service Pack 3
Running: g8qj1bnr.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pwtyapoc.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xA3255C56]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xA3255B12]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteKey [0xA32560C6]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xA3255FF0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xA32556E8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xA3255BEC]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xA3255628]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xA325568C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xA3255D0C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRenameKey [0xA3256194]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xA3255CCC]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xA3255E4C]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xA3F12320]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0xA32624FE]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0xA3262322]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0xA326245C]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 247C 80501CB4 4 Bytes CALL 62F3420F
PAGE ntkrnlpa.exe!ZwLoadDriver 805795FA 7 Bytes JMP A3262460 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!NtCreateSection 805A075C 7 Bytes JMP A3262326 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 805B1CE0 5 Bytes JMP A325E4BA \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ObInsertObject 805B8B58 5 Bytes JMP A325F972 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805C73EA 7 Bytes JMP A3262502 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
? C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pwtyapob.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[1720] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00EE0000
.text C:\WINDOWS\Explorer.EXE[1720] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F20000
.text C:\WINDOWS\Explorer.EXE[1720] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 00F00000
.text C:\WINDOWS\AGRSMMSG.exe[2320] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 01000000
.text C:\WINDOWS\AGRSMMSG.exe[2320] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01040000
.text C:\WINDOWS\AGRSMMSG.exe[2320] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 01020000
.text C:\WINDOWS\AGRSMMSG.exe[2320] ADVAPI32.dll!CryptDeriveKey 77DE9FFD 5 Bytes JMP 01650000
.text C:\WINDOWS\AGRSMMSG.exe[2320] ADVAPI32.dll!CryptImportKey 77DEA1F1 5 Bytes JMP 01610000
.text C:\WINDOWS\AGRSMMSG.exe[2320] ADVAPI32.dll!CryptGenKey 77E11849 5 Bytes JMP 01630000
.text C:\WINDOWS\AGRSMMSG.exe[2320] WS2_32.dll!send 71AB4C27 5 Bytes JMP 015D0000
.text C:\WINDOWS\AGRSMMSG.exe[2320] wininet.dll!CommitUrlCacheEntryA 3D940F78 5 Bytes JMP 01550000
.text C:\WINDOWS\AGRSMMSG.exe[2320] wininet.dll!InternetReadFile 3D94654B 5 Bytes JMP 01060000
.text C:\WINDOWS\AGRSMMSG.exe[2320] wininet.dll!InternetQueryDataAvailable 3D94BF7F 5 Bytes JMP 014F0000
.text C:\WINDOWS\AGRSMMSG.exe[2320] wininet.dll!HttpAddRequestHeadersA 3D94CF46 5 Bytes JMP 01590000
.text C:\WINDOWS\AGRSMMSG.exe[2320] wininet.dll!InternetConnectA 3D94DEAE 5 Bytes JMP 014D0000
.text C:\WINDOWS\AGRSMMSG.exe[2320] wininet.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 01530000
.text C:\WINDOWS\AGRSMMSG.exe[2320] wininet.dll!HttpAddRequestHeadersW 3D94FE49 5 Bytes JMP 015B0000
.text C:\WINDOWS\AGRSMMSG.exe[2320] wininet.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 01510000
.text C:\WINDOWS\AGRSMMSG.exe[2320] wininet.dll!CommitUrlCacheEntryW 3D963085 5 Bytes JMP 01570000
.text C:\WINDOWS\AGRSMMSG.exe[2320] wininet.dll!InternetReadFileExW 3D963349 5 Bytes JMP 014B0000
.text C:\WINDOWS\AGRSMMSG.exe[2320] wininet.dll!InternetReadFileExA 3D963381 5 Bytes JMP 01080000
.text C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[2420] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 01060000
.text C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[2420] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 010A0000
.text C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[2420] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 01080000
.text C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[2420] ADVAPI32.dll!CryptDeriveKey 77DE9FFD 5 Bytes JMP 01600000
.text C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[2420] ADVAPI32.dll!CryptImportKey 77DEA1F1 5 Bytes JMP 015C0000
.text C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[2420] ADVAPI32.dll!CryptGenKey 77E11849 5 Bytes JMP 015E0000
.text C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[2420] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01580000
.text C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[2420] wininet.dll!CommitUrlCacheEntryA 3D940F78 5 Bytes JMP 01500000
.text C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[2420] wininet.dll!InternetReadFile 3D94654B 5 Bytes JMP 01420000
.text C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[2420] wininet.dll!InternetQueryDataAvailable 3D94BF7F 5 Bytes JMP 014A0000
.text C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[2420] wininet.dll!HttpAddRequestHeadersA 3D94CF46 5 Bytes JMP 01540000
.text C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[2420] wininet.dll!InternetConnectA 3D94DEAE 5 Bytes JMP 01480000
.text C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[2420] wininet.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 014E0000
.text C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[2420] wininet.dll!HttpAddRequestHeadersW 3D94FE49 5 Bytes JMP 01560000
.text C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[2420] wininet.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 014C0000
.text C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[2420] wininet.dll!CommitUrlCacheEntryW 3D963085 5 Bytes JMP 01520000
.text C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[2420] wininet.dll!InternetReadFileExW 3D963349 5 Bytes JMP 01460000
.text C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[2420] wininet.dll!InternetReadFileExA 3D963381 5 Bytes JMP 01440000
.text C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe[2624] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00990000
.text C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe[2624] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 009D0000
.text C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe[2624] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 009B0000
.text C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe[2624] ADVAPI32.dll!CryptDeriveKey 77DE9FFD 5 Bytes JMP 00B90000
.text C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe[2624] ADVAPI32.dll!CryptImportKey 77DEA1F1 5 Bytes JMP 00B50000
.text C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe[2624] ADVAPI32.dll!CryptGenKey 77E11849 5 Bytes JMP 00B70000
.text C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe[2624] WS2_32.dll!send 71AB4C27 5 Bytes JMP 009F0000
.text C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe[2736] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 01620000
.text C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe[2736] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01660000
.text C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe[2736] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 01640000
.text C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe[2736] WS2_32.dll!send 71AB4C27 5 Bytes JMP 017E0000
.text C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe[2736] ADVAPI32.dll!CryptDeriveKey 77DE9FFD 5 Bytes JMP 01860000
.text C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe[2736] ADVAPI32.dll!CryptImportKey 77DEA1F1 5 Bytes JMP 01820000
.text C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe[2736] ADVAPI32.dll!CryptGenKey 77E11849 5 Bytes JMP 01840000
.text C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe[2736] WININET.dll!CommitUrlCacheEntryA 3D940F78 5 Bytes JMP 01760000
.text C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe[2736] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 01680000
.text C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe[2736] WININET.dll!InternetQueryDataAvailable 3D94BF7F 5 Bytes JMP 01700000
.text C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe[2736] WININET.dll!HttpAddRequestHeadersA 3D94CF46 5 Bytes JMP 017A0000
.text C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe[2736] WININET.dll!InternetConnectA 3D94DEAE 5 Bytes JMP 016E0000
.text C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe[2736] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 01740000
.text C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe[2736] WININET.dll!HttpAddRequestHeadersW 3D94FE49 5 Bytes JMP 017C0000
.text C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe[2736] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 01720000
.text C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe[2736] WININET.dll!CommitUrlCacheEntryW 3D963085 5 Bytes JMP 01780000
.text C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe[2736] WININET.dll!InternetReadFileExW 3D963349 5 Bytes JMP 016C0000
.text C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe[2736] WININET.dll!InternetReadFileExA 3D963381 5 Bytes JMP 016A0000
.text C:\Program Files\Messenger\msmsgs.exe[2792] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00FA0000
.text C:\Program Files\Messenger\msmsgs.exe[2792] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FE0000
.text C:\Program Files\Messenger\msmsgs.exe[2792] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 00FC0000
.text C:\Program Files\Messenger\msmsgs.exe[2792] ADVAPI32.dll!CryptDeriveKey 77DE9FFD 5 Bytes JMP 01500000
.text C:\Program Files\Messenger\msmsgs.exe[2792] ADVAPI32.dll!CryptImportKey 77DEA1F1 5 Bytes JMP 01450000
.text C:\Program Files\Messenger\msmsgs.exe[2792] ADVAPI32.dll!CryptGenKey 77E11849 5 Bytes JMP 01470000
.text C:\Program Files\Messenger\msmsgs.exe[2792] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01410000
.text C:\Program Files\Messenger\msmsgs.exe[2792] WININET.dll!CommitUrlCacheEntryA 3D940F78 5 Bytes JMP 01390000
.text C:\Program Files\Messenger\msmsgs.exe[2792] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 012B0000
.text C:\Program Files\Messenger\msmsgs.exe[2792] WININET.dll!InternetQueryDataAvailable 3D94BF7F 5 Bytes JMP 01330000
.text C:\Program Files\Messenger\msmsgs.exe[2792] WININET.dll!HttpAddRequestHeadersA 3D94CF46 5 Bytes JMP 013D0000
.text C:\Program Files\Messenger\msmsgs.exe[2792] WININET.dll!InternetConnectA 3D94DEAE 5 Bytes JMP 01310000
.text C:\Program Files\Messenger\msmsgs.exe[2792] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 01370000
.text C:\Program Files\Messenger\msmsgs.exe[2792] WININET.dll!HttpAddRequestHeadersW 3D94FE49 5 Bytes JMP 013F0000
.text C:\Program Files\Messenger\msmsgs.exe[2792] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 01350000
.text C:\Program Files\Messenger\msmsgs.exe[2792] WININET.dll!CommitUrlCacheEntryW 3D963085 5 Bytes JMP 013B0000
.text C:\Program Files\Messenger\msmsgs.exe[2792] WININET.dll!InternetReadFileExW 3D963349 5 Bytes JMP 012F0000
.text C:\Program Files\Messenger\msmsgs.exe[2792] WININET.dll!InternetReadFileExA 3D963381 5 Bytes JMP 012D0000
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2848] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 01330000
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2848] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01370000
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2848] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 01350000
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2848] ADVAPI32.dll!CryptDeriveKey 77DE9FFD 5 Bytes JMP 01570000
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2848] ADVAPI32.dll!CryptImportKey 77DEA1F1 5 Bytes JMP 01530000
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2848] ADVAPI32.dll!CryptGenKey 77E11849 5 Bytes JMP 01550000
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2848] WS2_32.dll!send 71AB4C27 5 Bytes JMP 014F0000
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2848] WININET.dll!CommitUrlCacheEntryA 3D940F78 5 Bytes JMP 01470000
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2848] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 01390000
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2848] WININET.dll!InternetQueryDataAvailable 3D94BF7F 5 Bytes JMP 01410000
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2848] WININET.dll!HttpAddRequestHeadersA 3D94CF46 5 Bytes JMP 014B0000
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2848] WININET.dll!InternetConnectA 3D94DEAE 5 Bytes JMP 013F0000
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2848] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 01450000
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2848] WININET.dll!HttpAddRequestHeadersW 3D94FE49 5 Bytes JMP 014D0000
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2848] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 01430000
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2848] WININET.dll!CommitUrlCacheEntryW 3D963085 5 Bytes JMP 01490000
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2848] WININET.dll!InternetReadFileExW 3D963349 5 Bytes JMP 013D0000
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2848] WININET.dll!InternetReadFileExA 3D963381 5 Bytes JMP 013B0000
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3360] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 01820000
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3360] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01860000
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3360] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 01840000
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3360] ADVAPI32.dll!CryptDeriveKey 77DE9FFD 5 Bytes JMP 01A60000
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3360] ADVAPI32.dll!CryptImportKey 77DEA1F1 5 Bytes JMP 01A20000
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3360] ADVAPI32.dll!CryptGenKey 77E11849 5 Bytes JMP 01A40000
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3360] WS2_32.dll!send 71AB4C27 5 Bytes JMP 019E0000
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3360] wininet.dll!CommitUrlCacheEntryA 3D940F78 5 Bytes JMP 01960000
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3360] wininet.dll!InternetReadFile 3D94654B 5 Bytes JMP 01880000
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3360] wininet.dll!InternetQueryDataAvailable 3D94BF7F 5 Bytes JMP 01900000
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3360] wininet.dll!HttpAddRequestHeadersA 3D94CF46 5 Bytes JMP 019A0000
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3360] wininet.dll!InternetConnectA 3D94DEAE 5 Bytes JMP 018E0000
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3360] wininet.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 01940000
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3360] wininet.dll!HttpAddRequestHeadersW 3D94FE49 5 Bytes JMP 019C0000
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3360] wininet.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 01920000
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3360] wininet.dll!CommitUrlCacheEntryW 3D963085 5 Bytes JMP 01980000
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3360] wininet.dll!InternetReadFileExW 3D963349 5 Bytes JMP 018C0000
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3360] wininet.dll!InternetReadFileExA 3D963381 5 Bytes JMP 018A0000
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3468] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 012B0000
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3468] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 012F0000
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3468] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 012D0000
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3468] ADVAPI32.dll!CryptDeriveKey 77DE9FFD 5 Bytes JMP 01BA0000
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3468] ADVAPI32.dll!CryptImportKey 77DEA1F1 5 Bytes JMP 01B60000
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3468] ADVAPI32.dll!CryptGenKey 77E11849 5 Bytes JMP 01B80000
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3468] ws2_32.dll!send 71AB4C27 5 Bytes JMP 01B20000
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3468] wininet.dll!CommitUrlCacheEntryA 3D940F78 5 Bytes JMP 01AA0000
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3468] wininet.dll!InternetReadFile 3D94654B 5 Bytes JMP 019C0000
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3468] wininet.dll!InternetQueryDataAvailable 3D94BF7F 5 Bytes JMP 01A40000
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3468] wininet.dll!HttpAddRequestHeadersA 3D94CF46 5 Bytes JMP 01AE0000
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3468] wininet.dll!InternetConnectA 3D94DEAE 5 Bytes JMP 01A20000
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3468] wininet.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 01A80000
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3468] wininet.dll!HttpAddRequestHeadersW 3D94FE49 5 Bytes JMP 01B00000
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3468] wininet.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 01A60000
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3468] wininet.dll!CommitUrlCacheEntryW 3D963085 5 Bytes JMP 01AC0000
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3468] wininet.dll!InternetReadFileExW 3D963349 5 Bytes JMP 01A00000
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3468] wininet.dll!InternetReadFileExA 3D963381 5 Bytes JMP 019E0000
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3900] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00EB0000
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3900] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01500000
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3900] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 014E0000
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3900] ADVAPI32.dll!CryptDeriveKey 77DE9FFD 5 Bytes JMP 01700000
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3900] ADVAPI32.dll!CryptImportKey 77DEA1F1 5 Bytes JMP 016C0000
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3900] ADVAPI32.dll!CryptGenKey 77E11849 5 Bytes JMP 016E0000
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3900] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01680000
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3900] wininet.dll!CommitUrlCacheEntryA 3D940F78 5 Bytes JMP 01600000
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3900] wininet.dll!InternetReadFile 3D94654B 5 Bytes JMP 01520000
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3900] wininet.dll!InternetQueryDataAvailable 3D94BF7F 5 Bytes JMP 015A0000
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3900] wininet.dll!HttpAddRequestHeadersA 3D94CF46 5 Bytes JMP 01640000
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3900] wininet.dll!InternetConnectA 3D94DEAE 5 Bytes JMP 01580000
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3900] wininet.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 015E0000
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3900] wininet.dll!HttpAddRequestHeadersW 3D94FE49 5 Bytes JMP 01660000
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3900] wininet.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 015C0000
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3900] wininet.dll!CommitUrlCacheEntryW 3D963085 5 Bytes JMP 01620000
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3900] wininet.dll!InternetReadFileExW 3D963349 5 Bytes JMP 01560000
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3900] wininet.dll!InternetReadFileExA 3D963381 5 Bytes JMP 01540000

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[996] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00380002
IAT C:\WINDOWS\system32\services.exe[996] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00380000

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device \FileSystem\Fastfat \FatCdrom aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \FileSystem\Fastfat \Fat aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

---- EOF - GMER 1.0.15 ----


#7 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 60,820 posts
  • Gender:Female
  • Location:Romania
  • Local time:04:23 AM

Posted 16 April 2010 - 03:07 PM

Yes, I had seen the GMER log already in your previous topic, so I edited in new instructions.

Please see my last post.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft


#8 jigglestick
  • Topic Starter

  • Members
  • 32 posts
  • Local time:08:23 PM

Posted 16 April 2010 - 03:36 PM

ComboFix 10-04-15.05 - Administrator 04/16/2010 15:21:11.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.533 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\ADMINI~1\LOCALS~1\Temp\23631764.nls
c:\documents and settings\Administrator\Application Data\Helper\bin\liveu.exe
c:\documents and settings\Administrator\Local Settings\Temp\23631764.nls
c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
c:\recycler\NPROTECT
c:\recycler\S-1-5-21-1519457148-2354007888-860844326-1006
c:\recycler\S-1-5-21-1519457148-2354007888-860844326-1007
c:\recycler\S-1-5-21-883442045-3819892516-1351318258-500
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\explorer(2).exe
c:\windows\system32\jjkzr
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2010-03-16 to 2010-04-16 )))))))))))))))))))))))))))))))
.

2010-04-05 18:24 . 2010-04-05 18:24 52224 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-05 18:24 . 2010-04-05 18:24 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-05 18:24 . 2010-04-05 18:24 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-04-05 18:24 . 2010-04-05 18:24 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-05 18:24 . 2010-04-05 18:24 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-04-05 18:23 . 2010-04-05 18:23 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-04 16:46 . 2010-04-04 16:46 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-04-04 16:46 . 2010-03-29 20:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-04 16:46 . 2010-04-04 16:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-04 16:46 . 2010-04-04 21:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-04 16:46 . 2010-03-29 20:24 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-04 04:42 . 2010-03-09 10:12 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-04-04 04:42 . 2010-03-09 10:12 162640 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-04-04 04:42 . 2010-03-09 10:09 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-04-04 04:42 . 2010-03-09 10:08 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-04-04 04:42 . 2010-03-09 10:08 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-04-04 04:42 . 2010-03-09 10:08 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-04-04 04:42 . 2010-03-09 10:08 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-04-04 04:42 . 2010-03-09 10:24 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-04-04 04:42 . 2010-03-09 10:24 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-04-04 04:41 . 2010-04-04 04:41 -------- d-----w- c:\program files\Alwil Software
2010-04-04 04:41 . 2010-04-04 04:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-04-04 04:00 . 2010-04-04 04:00 -------- d-----w- c:\documents and settings\Administrator\Application Data\Helper

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-16 20:24 . 2006-06-01 03:17 578560 ----a-w- c:\windows\system32\user32.dll
2010-04-14 19:34 . 2007-01-06 20:27 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-04-04 22:00 . 2009-01-16 06:42 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-04 22:00 . 2009-01-16 06:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-10 06:15 . 2006-06-01 03:17 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-03 01:25 . 2009-08-05 03:12 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-03-02 00:54 . 2006-09-25 21:45 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-02 00:50 . 2010-03-02 00:50 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-03-02 00:50 . 2010-03-02 00:51 38784 ----a-w- c:\documents and settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-03-02 00:49 . 2010-03-02 00:49 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-02-25 06:24 . 2006-06-01 03:17 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2006-06-01 03:16 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-23 22:08 . 2007-12-18 02:48 28846 ----a-w- c:\documents and settings\Administrator\Application Data\wklnhst.dat
2010-02-18 01:36 . 2006-09-25 22:00 -------- d-----w- c:\program files\McAfee
2010-02-17 14:10 . 2006-06-01 03:16 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-04 05:59 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2006-06-01 03:16 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2006-06-01 03:17 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
.
Infected c:\windows\system32\user32.dll hex repaired


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-17 39408]
"Pardo"="c:\documents and settings\Administrator\Application Data\Adobe\Update\widwnd.dat" [2010-04-04 99840]
"Getdo"="c:\documents and settings\Administrator\Application Data\Adobe\Update\flacor.dat" [2010-04-04 99840]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-04-01 2010864]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gateway Extended Warranty"="c:\program files\Gateway\GWCares\GWCares.exe" [2004-02-08 73728]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-10-07 737370]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-12 139264]
"AGRSMMSG"="AGRSMMSG.exe" [2005-12-12 88204]
"arima hotkey"="c:\program files\Arima Hotkey\arima_hotkey.exe" [2006-04-28 753664]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 602182]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-25 98304]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-03-09 2769336]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/3/2010 11:42 PM 162640]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 66632]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/3/2010 11:42 PM 19024]
R2 Norton PC Checkup Application Launcher;Norton PC Checkup Application Launcher;c:\program files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\SymcPCCULaunchSvc.exe [1/2/2010 12:35 PM 103280]
R2 PCCUJobMgr;Common Client Job Manager Service;c:\program files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\ccSvcHst.exe [1/2/2010 12:35 PM 126392]
R3 ArHotKey;ArHotKey;c:\windows\system32\drivers\ArHotKey.SYS [9/25/2006 4:51 PM 5632]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/31/2010 10:25 PM 135664]
.
Contents of the 'Scheduled Tasks' folder

2010-04-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 03:25]

2010-04-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 03:25]

2006-09-28 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-06-01 00:12]

2008-10-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-01-13 17:22]

2009-01-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-01-13 17:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.yahoo.com
uInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/g/startpage.html?Ch=Consumer&Br=GTW&Loc=ENG_US&Sys=PTB&M=NX100X
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Helper - c:\documents and settings\Administrator\Application Data\Helper\bin\liveu.exe
HKLM-Run-McENUI - c:\progra~1\McAfee\MHN\McENUI.exe
SafeBoot-MCODS



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-16 15:27
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCCUJobMgr]
"ImagePath"="\"c:\program files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\ccSvcHst.exe\" /s \"PCCUJobMgr\" /m \"c:\program files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1519457148-2354007888-860844326-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,08,6e,18,1a,96,5c,44,4d,83,e4,84,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,08,6e,18,1a,96,5c,44,4d,83,e4,84,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(916)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3368)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Intel\Intel Matrix Storage Manager\iaantmon.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\wdfmgr.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\AGRSMMSG.exe
c:\windows\system32\igfxsrvc.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
.
**************************************************************************
.
Completion time: 2010-04-16 15:33:09 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-16 20:33

Pre-Run: 64,039,690,240 bytes free
Post-Run: 64,024,875,008 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 63A7CFC1B3F7EFC50567D56891AB5D42


#9 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,820 posts
  • Gender:Female
  • Location:Romania
  • Local time:04:23 AM

Posted 16 April 2010 - 03:41 PM

Hello again,

UNINSTALL PROGRAMS
--------------------------------
Go to Start > Control Panel > Add or Remove Programs.

Remove the following programs, if they are present.

  • Ask Toolbar
If you are unsure of how to use Add or Remove Programs, then please see this tutorial:
How To Remove An Installed Program From Your Computer


TWO ANTIVIRUS PROGRAMS
---------------------------------------
I do not recommend that you have more than one antivirus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other antivirus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
  • False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
  • System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove either McAfee or Avast.


UPDATE JAVA
------------------
Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 20 (JDK or JRE)".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u20-windows-i586.exe to install the newest version.
  • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.


MALWAREBYTES ANTIMALWARE
-------------------------------------------
Please launch MBAM and update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft
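The Java step above is done by hand in Add/Remove Programs. As an added example (not part of Elise's instructions), the following PowerShell script reads the same Add/Remove Programs data from the registry, lists every Java runtime entry, flags the ones older than the newest install, and reports the state of the Java Quick Starter service mentioned in the note. It assumes 32-bit Windows XP with PowerShell 2.0, the setup in this thread, and assumes the JQS service name is JavaQuickStarterService.

```powershell
# Added example, not part of the original post: inventory the Java runtimes
# registered under Add/Remove Programs so that leftover older JRE/J2SE entries
# (which the Java 6u10+ installer does not remove) can be spotted before
# uninstalling them by hand. Written for 32-bit Windows XP / PowerShell 2.0;
# 64-bit systems would also need the Wow6432Node Uninstall key.

$uninstallKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'

# Display names used by Sun Java runtimes over the years, for example
# "Java(TM) 6 Update 20", "J2SE Runtime Environment 5.0 Update 6" and
# "Java 2 Runtime Environment, SE v1.4.2" (the first and last appear in this thread).
$javaPattern = '^(Java\(TM\) \d+ Update \d+|Java\(TM\) SE Runtime Environment|J2SE Runtime Environment|Java 2 Runtime Environment)'

function Get-JavaRuntimes {
    Get-ChildItem $uninstallKey | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        if ($p.DisplayName -match $javaPattern) {
            # DisplayVersion is "6.0.200" for 6 Update 20; very old entries may not parse.
            $ver = $null
            try { $ver = [version]$p.DisplayVersion } catch { }
            New-Object PSObject -Property @{
                DisplayName     = $p.DisplayName
                DisplayVersion  = $p.DisplayVersion
                Version         = $ver
                UninstallString = $p.UninstallString
            }
        }
    }
}

# Newest runtime first; everything after it is a stale install.
$runtimes = @(Get-JavaRuntimes | Sort-Object -Property Version -Descending)

if ($runtimes.Count -eq 0) {
    Write-Host 'No Java runtime entries found in Add/Remove Programs.'
} else {
    $newest = $runtimes[0]
    Write-Host ('Newest installed: {0} (version {1})' -f $newest.DisplayName, $newest.DisplayVersion)
    foreach ($rt in ($runtimes | Select-Object -Skip 1)) {
        # Older runtimes keep their own browser plug-in and its known vulnerabilities,
        # so each one should be removed through Add/Remove Programs.
        Write-Host ('OLDER - remove: {0} (version {1})' -f $rt.DisplayName, $rt.DisplayVersion)
        Write-Host ('    uninstall command: {0}' -f $rt.UninstallString)
    }
}

# Java Quick Starter (JQS.exe) runs as a service; the service name below is assumed.
$jqs = Get-Service -Name 'JavaQuickStarterService' -ErrorAction SilentlyContinue
if ($jqs) {
    Write-Host ('Java Quick Starter service is {0}; disable it under Control Panel > Java > Advanced if not wanted.' -f $jqs.Status)
}
```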


#10 jigglestick

jigglestick
  • Topic Starter

  • Members
  • 32 posts
  • Local time:08:23 PM

Posted 16 April 2010 - 09:11 PM

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3999

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/16/2010 8:58:43 PM
mbam-log-2010-04-16 (20-58-43).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 176420
Time elapsed: 31 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\getdo (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Administrator\Application Data\Adobe\Update\flacor.dat (Trojan.Agent) -> Quarantined and deleted successfully.






#11 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,820 posts
  • Gender:Female
  • Location:Romania
  • Local time:04:23 AM

Posted 17 April 2010 - 01:48 AM

Can you please let me know how things are running now?

Please post me also a new DDS log.

regards, Elise




#12 jigglestick

jigglestick
  • Topic Starter

  • Members
  • 32 posts
  • Local time:08:23 PM

Posted 17 April 2010 - 09:43 AM

The system seems to be working ok, but I have to spend a little more time starting up and browsing to see that it's not doing the things it was doing before.

I still get a warning box at start up with a RUNDLL header that says "Error in c:\Documents and settings\Administrator\Application Data\Adobe\Update\widwnd.dat missing entry."

I still cannot remove McAfee. I get a pop up that says "Legacy Programs must be removed first".
What to do about that?

DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 9:16:04.10 on Sat 04/17/2010

Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.608 [GMT -5:00]

AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\Program Files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\SymcPCCULaunchSvc.exe
C:\Program Files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\ccSvcHst.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\ccSvcHst.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Arima Hotkey\arima_hotkey.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.yahoo.com
uInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/g/startpage.html?Ch=Consumer&Br=GTW&Loc=ENG_US&Sys=PTB&M=NX100X
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: CitiUSBrowserHelper Class: {387edf53-1cf2-4523-bc2f-13462651be8c} - c:\windows\system32\BhoCitUS.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\windows\system32\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [Power2GoExpress] NA
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Pardo] rundll32.exe "c:\documents and settings\administrator\application data\adobe\update\widwnd.dat""
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Getdo] rundll32.exe "c:\documents and settings\administrator\application data\adobe\update\flacor.dat""
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~2.EXE -Update -1103470 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GTB5; .NET CLR 1.1.4322; .NET CLR 2.0.50727; IEMB3; IEMB3)" -"http://media.pearsoncmg.com/aw/bc_marieb_humananphy_5/hap_place_media/chapter28/medialib/learning/ch28ae1.html"
mRun: [Gateway Extended Warranty] "c:\program files\gateway\gwcares\GWCares.exe"
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Reminder] %WINDIR%\Creator\Remind_XP.exe
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [arima hotkey] c:\program files\arima hotkey\arima_hotkey.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Mahjong%20Escape%20-%20Ancient%20Japan/Images/stg_drm.ocx
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Mahjong%20Escape%20-%20Ancient%20Japan/Images/armhelper.ocx
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-4-3 162768]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-4-3 19024]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-3 40384]
R2 Norton PC Checkup Application Launcher;Norton PC Checkup Application Launcher;c:\program files\norton pc checkup\norton pc checkup\engine\2.0.2.506\SymcPCCULaunchSvc.exe [2010-1-2 103280]
R2 PCCUJobMgr;Common Client Job Manager Service;c:\program files\norton pc checkup\norton pc checkup\engine\2.0.2.506\ccSvcHst.exe [2010-1-2 126392]
R3 ArHotKey;ArHotKey;c:\windows\system32\drivers\ArHotKey.SYS [2006-9-25 5632]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-31 135664]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-3 40384]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-3 40384]

=============== Created Last 30 ================

2010-04-16 22:25:55 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-04-16 22:25:55 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-16 20:20:15 0 d-sha-r- C:\cmdcons
2010-04-16 20:18:51 98816 ----a-w- c:\windows\sed.exe
2010-04-16 20:18:51 77312 ----a-w- c:\windows\MBR.exe
2010-04-16 20:18:51 261632 ----a-w- c:\windows\PEV.exe
2010-04-16 20:18:51 161792 ----a-w- c:\windows\SWREG.exe
2010-04-16 18:44:32 0 d-----w- c:\windows\system32\appmgmt
2010-04-16 17:19:33 0 ----a-w- c:\documents and settings\administrator\defogger_reenable
2010-04-05 18:24:18 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-04-05 18:24:00 0 d-----w- c:\program files\SUPERAntiSpyware
2010-04-05 18:24:00 0 d-----w- c:\docume~1\admini~1\applic~1\SUPERAntiSpyware.com
2010-04-05 18:23:15 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-04-04 16:46:39 0 d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2010-04-04 16:46:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-04 16:46:11 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-04-04 16:46:10 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-04 16:46:10 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-04 04:41:59 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-04-04 04:00:18 0 d-----w- c:\docume~1\admini~1\applic~1\Helper

==================== Find3M ====================

2010-04-16 20:24:05 578560 ----a-w- c:\windows\system32\user32.dll
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11:07 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-23 22:08:23 28846 ----a-w- c:\docume~1\admini~1\applic~1\wklnhst.dat
2010-02-17 14:10:28 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25:04 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll
2008-09-23 23:35:07 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092320080924\index.dat

============= FINISH: 9:16:48.85 ===============


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 9/28/2006 2:49:14 PM
System Uptime: 4/17/2010 8:54:03 AM (1 hours ago)

Motherboard: Gateway | |
Processor: Genuine Intel® CPU U1400 @ 1.20GHz | U2E1 | 1197/mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 71 GiB total, 59.525 GiB free.
D: is FIXED (FAT32) - 4 GiB total, 2.728 GiB free.

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP320: 1/17/2010 1:08:37 PM - System Checkpoint
RP321: 1/18/2010 6:47:50 PM - System Checkpoint
RP322: 1/19/2010 9:07:22 PM - System Checkpoint
RP323: 1/20/2010 9:50:01 PM - System Checkpoint
RP324: 1/21/2010 10:17:06 PM - Software Distribution Service 3.0
RP325: 1/23/2010 1:33:51 PM - System Checkpoint
RP326: 1/25/2010 11:24:01 AM - System Checkpoint
RP327: 1/27/2010 9:06:08 AM - System Checkpoint
RP328: 1/28/2010 3:56:36 PM - System Checkpoint
RP329: 1/29/2010 5:58:24 PM - System Checkpoint
RP330: 2/4/2010 7:24:35 PM - System Checkpoint
RP331: 2/7/2010 11:27:38 AM - System Checkpoint
RP332: 2/9/2010 1:17:19 PM - System Checkpoint
RP333: 2/9/2010 5:44:31 PM - Software Distribution Service 3.0
RP334: 2/10/2010 8:21:05 PM - System Checkpoint
RP335: 2/15/2010 1:03:33 PM - System Checkpoint
RP336: 2/16/2010 1:36:01 PM - System Checkpoint
RP337: 2/17/2010 7:51:49 PM - System Checkpoint
RP338: 2/19/2010 5:43:09 PM - System Checkpoint
RP339: 2/20/2010 6:40:37 PM - System Checkpoint
RP340: 2/22/2010 7:57:27 PM - System Checkpoint
RP341: 2/24/2010 9:27:34 PM - Software Distribution Service 3.0
RP342: 2/27/2010 6:00:59 PM - System Checkpoint
RP343: 2/28/2010 6:56:58 PM - System Checkpoint
RP344: 3/1/2010 6:52:41 PM - Removed Adobe Reader 8.1.2
RP345: 3/1/2010 6:53:16 PM - Installed Adobe Reader 9.3.
RP346: 3/4/2010 6:36:11 PM - System Checkpoint
RP347: 3/5/2010 7:55:57 PM - System Checkpoint
RP348: 3/7/2010 8:10:30 PM - System Checkpoint
RP349: 4/3/2010 11:41:59 PM - avast! Free Antivirus Setup
RP350: 4/4/2010 9:35:06 AM - Software Distribution Service 3.0
RP351: 4/4/2010 4:55:32 PM - Restore Operation
RP352: 4/5/2010 1:24:00 PM - Installed SUPERAntiSpyware Free Edition
RP353: 4/14/2010 3:06:30 PM - System Checkpoint
RP354: 4/15/2010 11:07:06 AM - Software Distribution Service 3.0
RP355: 4/16/2010 12:49:59 PM - System Checkpoint
RP356: 4/16/2010 5:21:07 PM - Removed Java 2 Runtime Environment, SE v1.4.2
RP357: 4/16/2010 5:25:28 PM - Installed Java™ 6 Update 20

==== Installed Programs ======================

1400
1400_Help
1400Trb
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player Plugin
Adobe Reader 9.3
Adobe Shockwave Player 11
Adobe® Photoshop® Album Starter Edition 3.2
Agere Systems HDA Modem
AiO_Scan
AiOSoftware
avast! Free Antivirus
Browser Address Error Redirector
BufferChm
CP_Package_Variety1
CP_Package_Variety2
CP_Package_Variety3
CustomerResearchQFolder
Destinations
DeviceManagementQFolder
Digital Photo Navigator 1.5
DocProc
eSupportQFolder
Fax
Google Toolbar for Internet Explorer
Google Update Helper
gtw_logo
GWCares
High Definition Audio Driver Package - KB888111
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
HP Extended Capabilities 5.3
HP Image Zone Express
HP Imaging Device Functions 5.3
HP Product Assistant
HP PSC & OfficeJet 5.3.B
HP Solution Center & Imaging Support Tools 5.3
HP Update
HPProductAssistant
Intel Matrix Storage Manager
Intel® Graphics Media Accelerator Driver
Intel® PRO Network Connections Drivers
Intel® PROSet/Wireless Software
Java Auto Updater
Java™ 6 Update 20
LiveUpdate 3.1 (Symantec Corporation)
Malwarebytes' Anti-Malware
MarketResearch
McAfee SecurityCenter
mCore
mDriver
mDrWiFi
mHelp
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Silverlight
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Works
mIWA
mLogView
mMHouse
mPfMgr
mPfWiz
mProSafe
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
mWlsSafe
mXML
mZConfig
Napster
Napster Burn Engine
NewCopy
Norton PC Checkup
PL-2303 USB-to-Serial
Power2Go 4.0
PowerDVD
ProductContext
QuickTime
Readme
RealPlayer Basic
Recovery Software Suite Gateway
Scan
ScannerCopy
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB913433)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980232)
SigmaTel Audio
SolutionCenter
Status
SUPERAntiSpyware Free Edition
Synaptics Pointing Device Driver
Texas Instruments PCIxx21/x515/xx12 drivers.
The Weather Channel Desktop 6
TIPCI
TrayApp
Unload
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB971180)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Viewpoint Media Player
WebFldrs XP
WebReg
WIDCOMM Bluetooth Software
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format Runtime
Windows Media Player 10
Windows XP Service Pack 3
WinPhlash
Yahoo! Toolbar
Yahoo! Toolbar for Internet Explorer

==== Event Viewer Messages From Past Week ========

4/16/2010 9:04:18 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: abp480n5 adpu160m agp440 agpCPQ Aha154x aic78u2 aic78xx AliIde alim1541 amdagp amsint asc asc3350p asc3550 atapi cbidf cd20xrnt CmdIde Cpqarray dac2w2k dac960nt dpti2o hpn i2omp ini910u IntelIde mraid35x PCIIde perc2 perc2hib ql1080 Ql10wnt ql12160 ql1240 ql1280 sisagp Sparrow symc810 symc8xx sym_hi sym_u3 TosIde ultra viaagp ViaIde
4/16/2010 9:04:15 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.

==== End Of File ===========================
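
An added helper, written here as an example and not part of the thread or of DDS itself, for the "Event Viewer Messages" section of a DDS log like the one above. It parses each entry into date, level, source, event ID and message, and expands Service Control Manager event 7026 into the list of driver service names that failed to load, which is the list you want to compare against the machine's driver services when hunting a randomly named driver like the pwtyapob.sys in this thread's title. The sample text is the two entries copied from the log above; the function and field names are my own.

```python
import re
from dataclasses import dataclass
from typing import List

# Sample input: the Event Viewer section copied from the DDS log above.
SAMPLE = """==== Event Viewer Messages From Past Week ========

4/16/2010 9:04:18 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: abp480n5 adpu160m agp440 agpCPQ Aha154x aic78u2 aic78xx AliIde alim1541 amdagp amsint asc asc3350p asc3550 atapi cbidf cd20xrnt CmdIde Cpqarray dac2w2k dac960nt dpti2o hpn i2omp ini910u IntelIde mraid35x PCIIde perc2 perc2hib ql1080 Ql10wnt ql12160 ql1240 ql1280 sisagp Sparrow symc810 symc8xx sym_hi sym_u3 TosIde ultra viaagp ViaIde
4/16/2010 9:04:15 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.

==== End Of File ===========================
"""

# One DDS event line: "<date> <time> <AM/PM>, <level>: <source> [<id>] - <message>"
ENTRY_RE = re.compile(
    r"^(?P<when>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>.+?) \[(?P<event_id>\d+)\] - (?P<message>.*)$"
)

# Text that Service Control Manager event 7026 puts in front of the driver names.
FAILED_DRIVERS_PREFIX = (
    "The following boot-start or system-start driver(s) failed to load:"
)


@dataclass
class Event:
    when: str
    level: str
    source: str
    event_id: int
    message: str


def parse_event_section(text: str) -> List[Event]:
    """Return the entries between the Event Viewer header and End Of File."""
    events: List[Event] = []
    in_section = False
    for line in text.splitlines():
        if line.startswith("==== Event Viewer Messages"):
            in_section = True
            continue
        if line.startswith("==== End Of File"):
            break
        if not in_section or not line.strip():
            continue
        m = ENTRY_RE.match(line)
        if m:
            events.append(
                Event(m["when"], m["level"], m["source"],
                      int(m["event_id"]), m["message"])
            )
    return events


def failed_boot_drivers(events: List[Event]) -> List[str]:
    """Driver service names from every SCM 7026 entry, in log order."""
    names: List[str] = []
    for ev in events:
        if (ev.source == "Service Control Manager"
                and ev.event_id == 7026
                and ev.message.startswith(FAILED_DRIVERS_PREFIX)):
            names.extend(ev.message[len(FAILED_DRIVERS_PREFIX):].split())
    return names


def lines_mentioning(text: str, needle: str) -> List[str]:
    """Case-insensitive grep over the whole log, e.g. for a driver name."""
    n = needle.lower()
    return [ln for ln in text.splitlines() if n in ln.lower()]


if __name__ == "__main__":
    evs = parse_event_section(SAMPLE)
    for ev in evs:
        print(f"{ev.when} {ev.level} {ev.source} [{ev.event_id}]")
    drivers = failed_boot_drivers(evs)
    print(f"{len(drivers)} boot/system-start drivers failed to load")
    print("atapi failed:", "atapi" in drivers)
    print("pwtyapob in this section:", lines_mentioning(SAMPLE, "pwtyapob"))
```

Run it against a whole DDS log rather than just this section and the `lines_mentioning` call is a quick way to confirm whether the driver you are chasing shows up anywhere in the text at all.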


#13 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 60,820 posts
  • Gender:Female
  • Location:Romania
  • Local time:04:23 AM

Posted 17 April 2010 - 11:10 AM

Hello again,

The simplest way to resolve the Adobe problem is to reinstall the application (you can download it from the Adobe site).

As for McAfee, let's get rid of that first.
Download and save the McAfee Removal Tool to your desktop.

Run it to remove McAfee. After this, please restart your computer.


ESET ONLINE SCANNER
----------------------------
I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    Note - when ESET doesn't find any threats, no report will be created.
  12. Push the button.
  13. Push

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#14 jigglestick

  • Topic Starter
  • Members
  • 32 posts
  • Local time:08:23 PM

Posted 17 April 2010 - 09:41 PM

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeatr1.zip Win32/Bagle.gen.zip worm

#15 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 60,820 posts
  • Gender:Female
  • Location:Romania
  • Local time:04:23 AM

Posted 18 April 2010 - 03:38 AM

How are the other problems now (with Adobe and McAfee)?


regards, Elise
