
Tidserv Request & Request 2


  • This topic is locked
44 replies to this topic

#1 Cgon

Cgon

  • Members
  • 31 posts
  • OFFLINE
  • Local time:08:40 AM

Posted 18 April 2010 - 11:24 PM

I have run multiple scans with different software, but they don't seem to find anything; my computer does not run slower or crash, at least not yet. I constantly get a message from Norton 360 saying "A recent attack to your computer was blocked", and it refers to Tidserv and Tidserv 2, and whenever I get online to search anything I get redirected to websites that have nothing to do with it. Can someone please help me remove this infection? I have logs from DDS. I have tried running GMER, but it seems to shut down after it's been running for a while; it gives me a blue screen and the computer turns off and restarts to a black screen. If you can help, thanks. I am attaching the logs for further help.




DDS (Ver_10-03-17.01) - NTFSx86
Run by Carlos A. Gonzalez at 19:38:34.89 on Sun 04/18/2010
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_15
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2814.1377 [GMT -5:00]

SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgfws9.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Norton 360\Engine\4.1.0.32\ccSvcHst.exe
C:\Windows\SMINST\BLService.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Norton 360\Engine\4.1.0.32\ccSvcHst.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\System32\alg.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\AVG\AVG9\avgcsrvx.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Carlos A. Gonzalez\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cnnb
uStart Page = hxxp://www.google.com/
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cnnb
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cnnb
uInternet Settings,ProxyOverride = *.local
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\4.1.0.32\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\4.1.0.32\IPSBHO.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\4.1.0.32\coIEPlg.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
AppInit_DLLs: avgrsstx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\users\carlos~1.gon\appdata\roaming\mozilla\firefox\profiles\jkjd44xi.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\coffplgn\components\coFFPlgn.dll
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\ipsffplgn\components\IPSFFPl.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 AVGIDSErHrw7x;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSwx.sys [2010-4-14 25096]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2010-4-14 52872]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0401000.020\symds.sys [2010-4-7 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0401000.020\symefa.sys [2010-4-7 172592]
R1 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwd6x.sys [2010-4-14 24856]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-4-14 216200]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-4-14 29512]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-4-14 242696]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\bashdefs\20100324.001\BHDrvx86.sys [2010-3-24 536112]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0401000.020\cchpx86.sys [2010-4-7 501888]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\ipsdefs\20100415.001\IDSvix86.sys [2010-4-16 343088]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0401000.020\ironx86.sys [2010-4-7 116784]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\n360\0401000.020\symtdiv.sys [2010-4-7 340016]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 avg9emc;AVG E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-4-14 916760]
R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-4-14 308064]
R2 avgfws9;AVG Firewall;c:\program files\avg\avg9\avgfws9.exe [2010-4-14 2325816]
R2 AVGIDSAgent;AVG9IDSAgent;c:\program files\avg\avg9\identity protection\agent\bin\AVGIDSAgent.exe [2010-4-14 5888008]
R2 N360;Norton 360;c:\program files\norton 360\engine\4.1.0.32\ccsvchst.exe [2010-4-7 126392]
R2 Recovery Service for Windows;Recovery Service for Windows;c:\windows\sminst\BLService.exe [2008-8-4 361808]
R3 AVGIDSDriverw7x;AVG9IDSDriver;c:\program files\avg\avg9\identity protection\agent\driver\platform_win7\AVGIDSDriver.sys [2010-4-14 122376]
R3 AVGIDSFilterw7x;AVG9IDSFilter;c:\program files\avg\avg9\identity protection\agent\driver\platform_win7\AVGIDSFilter.sys [2010-4-14 30216]
R3 AVGIDSShimw7x;AVG9IDSShim;c:\program files\avg\avg9\identity protection\agent\driver\platform_win7\AVGIDSShim.sys [2010-4-14 20488]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-4-15 102448]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2008-5-9 43040]
R3 OA004Ufd;Creative Camera OA004 Upper Filter Driver;c:\windows\system32\drivers\OA004Ufd.sys [2008-6-3 144672]
R3 OA004Vid;Creative Camera OA004 Function Driver;c:\windows\system32\drivers\OA004Vid.sys [2008-7-17 269760]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-4-8 1343400]

=============== Created Last 30 ================

2010-04-19 00:30:32 0 ----a-w- c:\users\carlos a. gonzalez\defogger_reenable
2010-04-17 02:23:31 0 d-----w- c:\programdata\SUPERAntiSpyware.com
2010-04-17 02:23:16 0 d-----w- c:\users\carlos~1.gon\appdata\roaming\SUPERAntiSpyware.com
2010-04-17 02:23:16 0 d-----w- c:\program files\SUPERAntiSpyware
2010-04-17 02:21:53 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-04-16 13:22:40 0 d-----w- c:\users\carlos~1.gon\appdata\roaming\AVG9
2010-04-14 12:31:43 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-04-14 12:31:39 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-14 12:31:19 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-04-14 12:30:41 0 d-----w- c:\windows\system32\drivers\Avg
2010-04-14 12:26:18 25096 ----a-w- c:\windows\system32\drivers\AVGIDSwx.sys
2010-04-14 12:26:08 52872 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2010-04-14 12:23:08 24856 ----a-w- c:\windows\system32\drivers\avgfwd6x.sys
2010-04-14 12:19:41 0 d-----w- c:\program files\AVG
2010-04-14 12:17:36 0 d-----w- c:\programdata\avg9
2010-04-14 08:02:27 0 d-sh--w- c:\windows\system32\%APPDATA%
2010-04-13 19:15:46 3899280 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-13 19:15:44 3954568 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-13 19:15:33 427520 ----a-w- c:\windows\system32\vbscript.dll
2010-04-13 19:15:29 95744 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-13 19:15:29 221696 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-13 19:15:29 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-13 19:13:27 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-13 19:13:26 132608 ----a-w- c:\windows\system32\cabview.dll
2010-04-13 12:38:18 0 d-----w- c:\users\carlos~1.gon\appdata\roaming\Malwarebytes
2010-04-13 12:38:03 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-13 12:37:57 0 d-----w- c:\programdata\Malwarebytes
2010-04-13 12:37:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-08 13:08:30 0 d-----w- c:\windows\system32\Wat
2010-04-08 11:54:24 0 d-----w- c:\program files\iPod
2010-04-08 11:54:18 0 d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-08 11:54:17 0 d-----w- c:\program files\iTunes
2010-04-08 11:46:55 0 d-----w- c:\program files\Bonjour
2010-04-08 11:34:45 0 d-----w- c:\windows\system32\appmgmt
2010-04-05 00:20:29 257024 ----a-w- c:\windows\system32\msv1_0.dll
2010-04-05 00:10:52 1328640 ----a-w- c:\windows\system32\quartz.dll
2010-04-02 11:35:38 0 d-----w- c:\windows\Panther
2010-04-02 11:20:10 0 d--h--w- C:\$WINDOWS.~Q
2010-04-02 11:07:08 0 d--h--w- C:\$INPLACE.~TR
2010-04-02 10:56:35 713888 ----a-w- c:\windows\system32\PerfStringBackup.INI
2010-04-02 10:53:02 0 d-----w- c:\windows\system32\wbem\Performance
2010-04-02 10:52:04 20 --sh--w- c:\users\carlos a. gonzalez\ntuser.ini
2010-04-02 10:51:36 0 d-sh--w- C:\Recovery
2010-04-02 09:40:31 21316 ----a-w- c:\windows\system32\emptyregdb.dat
2010-04-02 09:07:16 0 d-sh--w- C:\Boot
2010-04-02 08:43:32 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_SynTP_01000.Wdf
2010-04-02 08:43:23 0 d-----w- c:\program files\Synaptics
2010-04-02 08:42:37 313888 ----a-w- c:\windows\system32\nvexpbar.dll
2010-04-02 08:42:37 1079840 ----a-w- c:\windows\system32\nvcpluir.dll
2010-04-02 08:41:56 0 d-----w- c:\program files\CONEXANT
2010-04-02 08:41:50 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2010-04-02 08:41:33 485920 ----a-w- c:\windows\system32\nvuninst.exe
2010-04-02 08:41:22 9504 ---ha-w- c:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2010-04-02 08:41:22 9504 ---ha-w- c:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2010-04-01 21:54:38 383562 --sha-r- C:\bootmgr
2010-04-01 01:40:01 8192 --sha-r- C:\BOOTSECT.BAK
2010-04-01 00:10:30 0 d-----w- c:\users\carlos~1.gon\appdata\roaming\Tific
2010-03-31 23:49:45 1890 ----a-w- c:\windows\diagwrn.xml
2010-03-31 23:49:45 1890 ----a-w- c:\windows\diagerr.xml
2010-03-27 06:47:55 0 d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor
2010-03-22 06:48:00 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_WinUSB_01007.Wdf
2010-03-21 20:47:38 0 d-----w- C:\AndroidSDK
2010-03-21 20:23:53 0 d-----w- C:\Superboot

==================== Find3M ====================

2010-03-22 06:42:45 581192 ----a-w- c:\windows\system32\WinUSBCoInstaller.dll
2010-03-22 06:42:44 1112288 ----a-w- c:\windows\system32\WdfCoInstaller01007.dll
2010-03-16 18:46:51 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-03-16 18:46:51 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-03-16 18:46:51 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-02-24 15:16:06 181632 ----a-w- c:\windows\system32\MpSigStub.exe
2010-02-23 07:56:00 977920 ----a-w- c:\windows\system32\wininet.dll
2010-02-12 16:46:14 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 16:46:14 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-02-02 07:45:54 2048 ----a-w- c:\windows\system32\tzres.dll
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 19:42:39.13 ===============








#2 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:04:40 PM

Posted 24 April 2010 - 04:53 AM

Hi,

Try to run GMER by deselecting "files" first before clicking scan. Post a fresh DDS log too.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

The malware removal instructions provided are meant to be used in the corresponding user's case only. If you have similar symptoms, please create your own topic instead of following instructions given to someone else.


#3 Cgon

Cgon
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Local time:08:40 AM

Posted 25 April 2010 - 03:10 AM

Here are the DDS logs you asked for, and I ran GMER and it blue-screened again.





DDS (Ver_10-03-17.01) - NTFSx86
Run by Carlos A. Gonzalez at 2:15:27.05 on Sun 04/25/2010
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_15
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2814.1388 [GMT -5:00]

SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Windows\system32\lsm.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgfws9.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Norton 360\Engine\4.1.0.32\ccSvcHst.exe
C:\Windows\SMINST\BLService.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Windows\system32\conhost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Norton 360\Engine\4.1.0.32\ccSvcHst.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\System32\alg.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\system32\wuauclt.exe
C:\Users\Carlos A. Gonzalez\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cnnb
uStart Page = hxxp://www.google.com/
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cnnb
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cnnb
uInternet Settings,ProxyOverride = *.local
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\4.1.0.32\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\4.1.0.32\IPSBHO.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\4.1.0.32\coIEPlg.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
AppInit_DLLs: avgrsstx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\users\carlos~1.gon\appdata\roaming\mozilla\firefox\profiles\jkjd44xi.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\coffplgn\components\coFFPlgn.dll
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\ipsffplgn\components\IPSFFPl.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 AVGIDSErHrw7x;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSwx.sys [2010-4-14 25096]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2010-4-14 52872]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0401000.020\symds.sys [2010-4-7 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0401000.020\symefa.sys [2010-4-7 172592]
R1 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwd6x.sys [2010-4-14 24856]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-4-14 216200]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-4-14 29512]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-4-14 242896]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\bashdefs\20100324.001\BHDrvx86.sys [2010-3-24 536112]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0401000.020\cchpx86.sys [2010-4-7 501888]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\ipsdefs\20100415.001\IDSvix86.sys [2010-4-16 343088]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0401000.020\ironx86.sys [2010-4-7 116784]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\n360\0401000.020\symtdiv.sys [2010-4-7 340016]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 avg9emc;AVG E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-4-14 916760]
R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-4-14 308064]
R2 avgfws9;AVG Firewall;c:\program files\avg\avg9\avgfws9.exe [2010-4-14 2325816]
R2 AVGIDSAgent;AVG9IDSAgent;c:\program files\avg\avg9\identity protection\agent\bin\AVGIDSAgent.exe [2010-4-14 5888008]
R2 N360;Norton 360;c:\program files\norton 360\engine\4.1.0.32\ccsvchst.exe [2010-4-7 126392]
R2 Recovery Service for Windows;Recovery Service for Windows;c:\windows\sminst\BLService.exe [2008-8-4 361808]
R3 AVGIDSDriverw7x;AVG9IDSDriver;c:\program files\avg\avg9\identity protection\agent\driver\platform_win7\AVGIDSDriver.sys [2010-4-14 122376]
R3 AVGIDSFilterw7x;AVG9IDSFilter;c:\program files\avg\avg9\identity protection\agent\driver\platform_win7\AVGIDSFilter.sys [2010-4-14 30216]
R3 AVGIDSShimw7x;AVG9IDSShim;c:\program files\avg\avg9\identity protection\agent\driver\platform_win7\AVGIDSShim.sys [2010-4-14 20488]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-4-15 102448]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2008-5-9 43040]
R3 OA004Ufd;Creative Camera OA004 Upper Filter Driver;c:\windows\system32\drivers\OA004Ufd.sys [2008-6-3 144672]
R3 OA004Vid;Creative Camera OA004 Function Driver;c:\windows\system32\drivers\OA004Vid.sys [2008-7-17 269760]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-4-8 1343400]

=============== Created Last 30 ================

2010-04-19 01:09:13 427194921 ----a-w- c:\windows\MEMORY.DMP
2010-04-19 00:30:32 0 ----a-w- c:\users\carlos a. gonzalez\defogger_reenable
2010-04-17 02:23:31 0 d-----w- c:\programdata\SUPERAntiSpyware.com
2010-04-17 02:23:16 0 d-----w- c:\users\carlos~1.gon\appdata\roaming\SUPERAntiSpyware.com
2010-04-17 02:23:16 0 d-----w- c:\program files\SUPERAntiSpyware
2010-04-17 02:21:53 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-04-16 13:22:40 0 d-----w- c:\users\carlos~1.gon\appdata\roaming\AVG9
2010-04-14 12:31:43 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-04-14 12:31:39 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-14 12:31:19 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-04-14 12:30:41 0 d-----w- c:\windows\system32\drivers\Avg
2010-04-14 12:26:18 25096 ----a-w- c:\windows\system32\drivers\AVGIDSwx.sys
2010-04-14 12:26:08 52872 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2010-04-14 12:23:08 24856 ----a-w- c:\windows\system32\drivers\avgfwd6x.sys
2010-04-14 12:19:41 0 d-----w- c:\program files\AVG
2010-04-14 12:17:36 0 d-----w- c:\programdata\avg9
2010-04-14 08:02:27 0 d-sh--w- c:\windows\system32\%APPDATA%
2010-04-13 19:15:46 3899280 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-13 19:15:44 3954568 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-13 19:15:33 427520 ----a-w- c:\windows\system32\vbscript.dll
2010-04-13 19:15:29 95744 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-13 19:15:29 221696 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-13 19:15:29 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-13 19:13:27 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-13 19:13:26 132608 ----a-w- c:\windows\system32\cabview.dll
2010-04-13 12:38:18 0 d-----w- c:\users\carlos~1.gon\appdata\roaming\Malwarebytes
2010-04-13 12:38:03 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-13 12:37:57 0 d-----w- c:\programdata\Malwarebytes
2010-04-13 12:37:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-08 13:08:30 0 d-----w- c:\windows\system32\Wat
2010-04-08 11:54:24 0 d-----w- c:\program files\iPod
2010-04-08 11:54:18 0 d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-08 11:54:17 0 d-----w- c:\program files\iTunes
2010-04-08 11:46:55 0 d-----w- c:\program files\Bonjour
2010-04-08 11:34:45 0 d-----w- c:\windows\system32\appmgmt
2010-04-05 00:20:29 257024 ----a-w- c:\windows\system32\msv1_0.dll
2010-04-05 00:10:52 1328640 ----a-w- c:\windows\system32\quartz.dll
2010-04-02 11:35:38 0 d-----w- c:\windows\Panther
2010-04-02 11:20:10 0 d--h--w- C:\$WINDOWS.~Q
2010-04-02 11:07:08 0 d--h--w- C:\$INPLACE.~TR
2010-04-02 10:56:35 713888 ----a-w- c:\windows\system32\PerfStringBackup.INI
2010-04-02 10:53:02 0 d-----w- c:\windows\system32\wbem\Performance
2010-04-02 10:52:04 20 --sh--w- c:\users\carlos a. gonzalez\ntuser.ini
2010-04-02 10:51:36 0 d-sh--w- C:\Recovery
2010-04-02 09:40:31 21316 ----a-w- c:\windows\system32\emptyregdb.dat
2010-04-02 09:07:16 0 d-sh--w- C:\Boot
2010-04-02 08:43:32 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_SynTP_01000.Wdf
2010-04-02 08:43:23 0 d-----w- c:\program files\Synaptics
2010-04-02 08:42:37 313888 ----a-w- c:\windows\system32\nvexpbar.dll
2010-04-02 08:42:37 1079840 ----a-w- c:\windows\system32\nvcpluir.dll
2010-04-02 08:41:56 0 d-----w- c:\program files\CONEXANT
2010-04-02 08:41:50 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2010-04-02 08:41:33 485920 ----a-w- c:\windows\system32\nvuninst.exe
2010-04-02 08:41:22 9504 ---ha-w- c:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2010-04-02 08:41:22 9504 ---ha-w- c:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2010-04-01 21:54:38 383562 --sha-r- C:\bootmgr
2010-04-01 01:40:01 8192 --sha-r- C:\BOOTSECT.BAK
2010-04-01 00:10:30 0 d-----w- c:\users\carlos~1.gon\appdata\roaming\Tific
2010-03-31 23:49:45 1890 ----a-w- c:\windows\diagwrn.xml
2010-03-31 23:49:45 1890 ----a-w- c:\windows\diagerr.xml
2010-03-27 06:47:55 0 d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor

==================== Find3M ====================

2010-03-22 06:48:00 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_WinUSB_01007.Wdf
2010-03-22 06:42:45 581192 ----a-w- c:\windows\system32\WinUSBCoInstaller.dll
2010-03-22 06:42:44 1112288 ----a-w- c:\windows\system32\WdfCoInstaller01007.dll
2010-03-16 18:46:51 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-03-16 18:46:51 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-03-16 18:46:51 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-02-24 15:16:06 181632 ----a-w- c:\windows\system32\MpSigStub.exe
2010-02-23 07:56:00 977920 ----a-w- c:\windows\system32\wininet.dll
2010-02-12 16:46:14 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 16:46:14 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-02-02 07:45:54 2048 ----a-w- c:\windows\system32\tzres.dll
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 2:17:27.42 ===============

Attached Files


Edited by Cgon, 25 April 2010 - 03:31 AM.


#4 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:04:40 PM

Posted 25 April 2010 - 05:12 AM

Hi,

Give GMER one more try with nothing other than Sections checked.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the corresponding user's case only. If you have similar symptoms, please create your own topic instead of following instructions given to someone else.


#5 Cgon

Cgon
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Local time:08:40 AM

Posted 25 April 2010 - 05:03 PM

Okay, I ran GMER and it worked. Here's the log:



GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-25 16:59:41
Windows 6.1.7600
Running: gmer.exe; Driver: C:\Users\CARLOS~1.GON\AppData\Local\Temp\kfxiapog.sys


---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!RtlPrefetchMemoryNonTemporal 82E47E88 1 Byte [90]
.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82E4B599 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82E6FF52 1 Byte [E0]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82E6FF52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!KiDispatchInterrupt + 5B7 82E6FF67 1 Byte [D9]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5BF 82E6FF6F 1 Byte [00]
.text ntkrnlpa.exe!RtlSidHashLookup + 224 82E77734 8 Bytes [68, 5D, 39, 86, A8, 70, 89, ...]
.text ntkrnlpa.exe!RtlSidHashLookup + 23C 82E7774C 4 Bytes [98, 4D, 98, 86]
.text ntkrnlpa.exe!RtlSidHashLookup + 248 82E77758 4 Bytes [98, 95, 37, 86]
.text ntkrnlpa.exe!RtlSidHashLookup + 29C 82E777AC 4 Bytes [C0, 16, 3A, 86]
.text ntkrnlpa.exe!RtlSidHashLookup + 318 82E77828 4 Bytes [D0, 57, 39, 86]
.text ...
.text peauth.sys AAE06C9D 28 Bytes [55, 89, FF, F7, AE, 49, 7C, ...]
.text peauth.sys AAE06CC1 28 Bytes [55, 89, FF, F7, AE, 49, 7C, ...]
PAGE peauth.sys AAE0CB9B 8 Bytes [CE, D0, D7, 03, 5A, 80, F1, ...]
PAGE peauth.sys AAE0CBA4 63 Bytes [B9, 72, 23, 4A, C1, 5D, 01, ...]
PAGE peauth.sys AAE0CBEC 111 Bytes [A7, B8, E3, 36, 6D, 54, AD, ...]
PAGE ...

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\taskhost.exe[736] WINMM.dll!waveOutOpen 748045A5 6 Bytes [33, C0, 40, C2, 18, 00] {XOR EAX, EAX; INC EAX; RET 0x18}
.text C:\Program Files\Mozilla Firefox\firefox.exe[1412] ntdll.dll!NtProtectVirtualMemory 77685360 5 Bytes JMP 004A000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[1412] ntdll.dll!NtWriteVirtualMemory 77685EE0 5 Bytes JMP 004B000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[1412] ntdll.dll!KiUserExceptionDispatcher 77686448 5 Bytes JMP 0048000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[1412] ntdll.dll!LdrLoadDll 7769F585 5 Bytes JMP 00E1003A
.text C:\Program Files\Mozilla Firefox\firefox.exe[1412] WINMM.dll!waveOutOpen 748045A5 6 Bytes [33, C0, 40, C2, 18, 00] {XOR EAX, EAX; INC EAX; RET 0x18}
.text C:\Program Files\Mozilla Firefox\firefox.exe[1412] urlmon.dll!FaultInIEFeature + CB7 76F2D2DA 7 Bytes JMP 00E10198
.text C:\Program Files\Mozilla Firefox\firefox.exe[1412] urlmon.dll!URLOpenPullStreamW + 45 76F847C9 7 Bytes JMP 00E10242
.text C:\Program Files\Mozilla Firefox\firefox.exe[1412] urlmon.dll!URLOpenPullStreamA + 98 76F849A3 7 Bytes JMP 00E100EE
.text C:\Program Files\Mozilla Firefox\firefox.exe[1412] urlmon.dll!URLDownloadToFileA + 116 76F84ABE 7 Bytes JMP 00E102EC
.text C:\Program Files\Mozilla Firefox\firefox.exe[1412] mswsock.DLL!s_perror + FFFE1320 74ED2BBC 5 Bytes JMP 0070000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[1412] mswsock.DLL!s_perror + FFFE2C15 74ED44B1 5 Bytes JMP 005E000C
.text C:\Program Files\Mozilla Firefox\firefox.exe[1412] mswsock.DLL!s_perror + FFFE2E1B 74ED46B7 5 Bytes JMP 005F000C
.text C:\Windows\Explorer.EXE[1516] ntdll.dll!NtProtectVirtualMemory 77685360 5 Bytes JMP 001B000A
.text C:\Windows\Explorer.EXE[1516] ntdll.dll!NtWriteVirtualMemory 77685EE0 5 Bytes JMP 001C000A
.text C:\Windows\Explorer.EXE[1516] ntdll.dll!KiUserExceptionDispatcher 77686448 5 Bytes JMP 001A000A
.text C:\Windows\Explorer.EXE[1516] mswsock.DLL!s_perror + FFFE1320 74ED2BBC 5 Bytes JMP 0194000A
.text C:\Windows\Explorer.EXE[1516] mswsock.DLL!s_perror + FFFE2C15 74ED44B1 5 Bytes JMP 0079000C
.text C:\Windows\Explorer.EXE[1516] mswsock.DLL!s_perror + FFFE2E1B 74ED46B7 5 Bytes JMP 0193000C
.text C:\Windows\Explorer.EXE[1516] WINMM.dll!waveOutOpen 748045A5 6 Bytes [33, C0, 40, C2, 18, 00] {XOR EAX, EAX; INC EAX; RET 0x18}
.text C:\Windows\Explorer.EXE[1516] msohevi.dll!DllGetClassObject + FFFFE4AB 704E2FF8 4 Bytes [81, 59, 78, F4]
.itext C:\Windows\Explorer.EXE[1516] C:\PROGRA~1\SPYBOT~1\SDHelper.dll entry point in ".itext" section [0x06E135E0]
.text C:\Windows\system32\svchost.exe[1596] ntdll.dll!NtProtectVirtualMemory 77685360 5 Bytes JMP 0014000A
.text C:\Windows\system32\svchost.exe[1596] ntdll.dll!NtWriteVirtualMemory 77685EE0 5 Bytes JMP 0026000A
.text C:\Windows\system32\svchost.exe[1596] ntdll.dll!KiUserExceptionDispatcher 77686448 5 Bytes JMP 0013000A
.text C:\Windows\system32\svchost.exe[1596] ole32.dll!CoCreateInstance 774B57FC 5 Bytes JMP 00E8000A
.text C:\Windows\system32\svchost.exe[1596] mswsock.DLL!s_perror + FFFE1320 74ED2BBC 5 Bytes JMP 00E7000A
.text C:\Windows\system32\svchost.exe[1596] mswsock.DLL!s_perror + FFFE2C15 74ED44B1 5 Bytes JMP 00E5000C
.text C:\Windows\system32\svchost.exe[1596] mswsock.DLL!s_perror + FFFE2E1B 74ED46B7 5 Bytes JMP 00E6000C
.text C:\Windows\system32\svchost.exe[1596] winmm.dll!waveOutOpen 748045A5 6 Bytes [33, C0, 40, C2, 18, 00] {XOR EAX, EAX; INC EAX; RET 0x18}
.text C:\Windows\system32\nvvsvc.exe[1828] WINMM.dll!waveOutOpen 748045A5 6 Bytes [33, C0, 40, C2, 18, 00] {XOR EAX, EAX; INC EAX; RET 0x18}
.text C:\Windows\system32\svchost.exe[1844] WINMM.dll!waveOutOpen 748045A5 6 Bytes [33, C0, 40, C2, 18, 00] {XOR EAX, EAX; INC EAX; RET 0x18}
.text C:\Windows\System32\spoolsv.exe[2000] msonpmon.dll!InitializePrintMonitor2 + FFFFF09C 70331418 4 Bytes [3F, C6, DB, 82]
.text C:\Windows\System32\spoolsv.exe[2000] msonpppr.dll!EnumPrintProcessorDatatypesW + FFFFCA40 6FE512FC 4 Bytes [6C, 8A, AA, 82]
.text C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe[2040] WINMM.dll!waveOutOpen 748045A5 6 Bytes [33, C0, 40, C2, 18, 00] {XOR EAX, EAX; INC EAX; RET 0x18}
.asdfas C:\Program Files\Norton 360\Engine\4.1.0.32\ccSvcHst.exe[2436] C:\PROGRAM FILES\NORTON 360\ENGINE\4.1.0.32\CLTLMS.DLL entry point in ".asdfas" section [0x6C545000]
.asdfas C:\Program Files\Norton 360\Engine\4.1.0.32\ccSvcHst.exe[2436] C:\PROGRAM FILES\NORTON 360\ENGINE\4.1.0.32\CLTLMS.DLL unknown last code section [0x6C545000, 0x1C000, 0xE0000020]
.text C:\Program Files\Norton 360\Engine\4.1.0.32\ccSvcHst.exe[3888] WINMM.dll!waveOutOpen 748045A5 6 Bytes [33, C0, 40, C2, 18, 00] {XOR EAX, EAX; INC EAX; RET 0x18}
.asdfas C:\Program Files\Norton 360\Engine\4.1.0.32\ccSvcHst.exe[3888] C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\CLT\cltLMSx.dll entry point in ".asdfas" section [0x6C5D3000]
.asdfas C:\Program Files\Norton 360\Engine\4.1.0.32\ccSvcHst.exe[3888] C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\CLT\cltLMSx.dll unknown last code section [0x6C5D3000, 0x55000, 0xE0000020]
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[4184] TeaTimer.exe 0049CC14 4 Bytes [78, 7B, 61, 01]
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[4184] TeaTimer.exe 0049CC1C 4 Bytes [88, 7B, 61, 01]
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[4184] TeaTimer.exe 0049CC24 4 Bytes [98, 7B, 61, 01]
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[4184] TeaTimer.exe 0049CC2C 4 Bytes [50, E0, 61, 01]
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[4184] TeaTimer.exe 0049CC34 4 Bytes [E0, E0, 61, 01]
.text ...
.itext C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[4184] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe entry point in ".itext" section [0x00564624]
.itext C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[4184] C:\Program Files\Spybot - Search & Destroy\advcheck.dll entry point in ".itext" section [0x05E2E7A8]
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[4236] WINMM.dll!waveOutOpen 748045A5 6 Bytes [33, C0, 40, C2, 18, 00] {XOR EAX, EAX; INC EAX; RET 0x18}
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[4396] WINMM.dll!waveOutOpen 748045A5 6 Bytes [33, C0, 40, C2, 18, 00] {XOR EAX, EAX; INC EAX; RET 0x18}
.text C:\Windows\system32\wuauclt.exe[4976] ntdll.dll!NtProtectVirtualMemory 77685360 5 Bytes JMP 0025000A
.text C:\Windows\system32\wuauclt.exe[4976] ntdll.dll!NtWriteVirtualMemory 77685EE0 5 Bytes JMP 0047000A
.text C:\Windows\system32\wuauclt.exe[4976] ntdll.dll!KiUserExceptionDispatcher 77686448 5 Bytes JMP 0024000A
.text C:\Windows\system32\wuauclt.exe[4976] mswsock.DLL!s_perror + FFFE1320 74ED2BBC 5 Bytes JMP 012F000A
.text C:\Windows\system32\wuauclt.exe[4976] mswsock.DLL!s_perror + FFFE2C15 74ED44B1 5 Bytes JMP 012D000C
.text C:\Windows\system32\wuauclt.exe[4976] mswsock.DLL!s_perror + FFFE2E1B 74ED46B7 5 Bytes JMP 012E000C
UPX1 C:\Users\Carlos A. Gonzalez\Desktop\gmer\gmer.exe[5160] C:\Users\Carlos A. Gonzalez\Desktop\gmer\gmer.exe entry point in "UPX1" section [0x004B3F40]
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5728] WINMM.dll!waveOutOpen 748045A5 6 Bytes [33, C0, 40, C2, 18, 00] {XOR EAX, EAX; INC EAX; RET 0x18}
.text C:\Program Files\iTunes\iTunesHelper.exe[5832] WINMM.dll!waveOutOpen 748045A5 6 Bytes [33, C0, 40, C2, 18, 00] {XOR EAX, EAX; INC EAX; RET 0x18}
.text C:\Program Files\AVG\AVG9\avgtray.exe[5952] WINMM.dll!waveOutOpen 748045A5 6 Bytes [33, C0, 40, C2, 18, 00] {XOR EAX, EAX; INC EAX; RET 0x18}

---- EOF - GMER 1.0.15 ----


#6 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:04:40 PM

Posted 25 April 2010 - 11:54 PM

Hello again,

Please visit this webpage for download links and instructions for running the ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.


Please continue as follows:
  1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix (link). Remember to re-enable them afterwards.

  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.



#7 Cgon

Cgon
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Local time:08:40 AM

Posted 26 April 2010 - 05:53 AM

So I have been running ComboFix for the past hour and, well, it found a rootkit and it rebooted. It passed the 50 stages, but afterwards it rebooted again and it's been on a "please wait" for over 50 minutes. Should I continue to wait? BTW, I am on my phone's internet so I could post this.

Edited by Cgon, 26 April 2010 - 06:05 AM.


#8 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:04:40 PM

Posted 26 April 2010 - 08:43 AM

Hi,

If it hasn't progressed by now please reboot.



#9 Cgon

Cgon
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Local time:08:40 AM

Posted 26 April 2010 - 01:04 PM

So I rebooted. Should I continue with the DDS logs?

#10 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:04:40 PM

Posted 26 April 2010 - 01:40 PM

Please do. Did ComboFix generate a log?



#11 Cgon

Cgon
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Local time:08:40 AM

Posted 26 April 2010 - 07:59 PM

No, it did not generate a log. What should I do? Here are the DDS logs you asked for:




DDS (Ver_10-03-17.01) - NTFSx86
Run by Carlos A. Gonzalez at 23:40:23.07 on Mon 04/26/2010
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_15
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2814.1768 [GMT -5:00]

SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgfws9.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Norton 360\Engine\4.1.0.32\ccSvcHst.exe
C:\Windows\SMINST\BLService.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Norton 360\Engine\4.1.0.32\ccSvcHst.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\System32\alg.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Carlos A. Gonzalez\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cnnb
uInternet Settings,ProxyOverride = *.local
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\4.1.0.32\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\4.1.0.32\IPSBHO.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\4.1.0.32\coIEPlg.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
AppInit_DLLs: c:\windows\system32\avgrsstx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\users\carlos~1.gon\appdata\roaming\mozilla\firefox\profiles\jkjd44xi.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\coffplgn\components\coFFPlgn.dll
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\ipsffplgn\components\IPSFFPl.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 AVGIDSErHrw7x;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSwx.sys [2010-4-14 25096]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2010-4-14 52872]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0401000.020\symds.sys [2010-4-7 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0401000.020\symefa.sys [2010-4-7 172592]
R1 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwd6x.sys [2010-4-14 24856]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-4-14 216200]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-4-14 29512]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-4-14 242896]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\bashdefs\20100324.001\BHDrvx86.sys [2010-3-24 536112]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0401000.020\cchpx86.sys [2010-4-7 501888]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\ipsdefs\20100415.001\IDSvix86.sys [2010-4-16 343088]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0401000.020\ironx86.sys [2010-4-7 116784]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\n360\0401000.020\symtdiv.sys [2010-4-7 340016]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 avg9emc;AVG E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-4-14 916760]
R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-4-14 308064]
R2 avgfws9;AVG Firewall;c:\program files\avg\avg9\avgfws9.exe [2010-4-14 2325816]
R2 AVGIDSAgent;AVG9IDSAgent;c:\program files\avg\avg9\identity protection\agent\bin\AVGIDSAgent.exe [2010-4-14 5888008]
R2 N360;Norton 360;c:\program files\norton 360\engine\4.1.0.32\ccsvchst.exe [2010-4-7 126392]
R2 Recovery Service for Windows;Recovery Service for Windows;c:\windows\sminst\BLService.exe [2008-8-4 361808]
R3 AVGIDSDriverw7x;AVG9IDSDriver;c:\program files\avg\avg9\identity protection\agent\driver\platform_win7\AVGIDSDriver.sys [2010-4-14 122376]
R3 AVGIDSFilterw7x;AVG9IDSFilter;c:\program files\avg\avg9\identity protection\agent\driver\platform_win7\AVGIDSFilter.sys [2010-4-14 30216]
R3 AVGIDSShimw7x;AVG9IDSShim;c:\program files\avg\avg9\identity protection\agent\driver\platform_win7\AVGIDSShim.sys [2010-4-14 20488]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-4-15 102448]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2008-5-9 43040]
R3 OA004Ufd;Creative Camera OA004 Upper Filter Driver;c:\windows\system32\drivers\OA004Ufd.sys [2008-6-3 144672]
R3 OA004Vid;Creative Camera OA004 Function Driver;c:\windows\system32\drivers\OA004Vid.sys [2008-7-17 269760]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-4-8 1343400]

=============== Created Last 30 ================

2010-04-26 11:44:16 0 d-s---w- C:\ComboFix
2010-04-26 09:33:11 98816 ----a-w- c:\windows\sed.exe
2010-04-26 09:33:11 77312 ----a-w- c:\windows\MBR.exe
2010-04-26 09:33:11 261632 ----a-w- c:\windows\PEV.exe
2010-04-26 09:33:11 161792 ----a-w- c:\windows\SWREG.exe
2010-04-19 01:09:13 383793572 ----a-w- c:\windows\MEMORY.DMP
2010-04-19 00:30:32 0 ----a-w- c:\users\carlos a. gonzalez\defogger_reenable
2010-04-17 02:23:31 0 d-----w- c:\programdata\SUPERAntiSpyware.com
2010-04-17 02:23:16 0 d-----w- c:\users\carlos~1.gon\appdata\roaming\SUPERAntiSpyware.com
2010-04-17 02:23:16 0 d-----w- c:\program files\SUPERAntiSpyware
2010-04-17 02:21:53 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-04-16 13:22:40 0 d-----w- c:\users\carlos~1.gon\appdata\roaming\AVG9
2010-04-14 12:31:43 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-04-14 12:31:39 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-14 12:31:19 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-04-14 12:30:41 0 d-----w- c:\windows\system32\drivers\Avg
2010-04-14 12:26:18 25096 ----a-w- c:\windows\system32\drivers\AVGIDSwx.sys
2010-04-14 12:26:08 52872 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2010-04-14 12:23:08 24856 ----a-w- c:\windows\system32\drivers\avgfwd6x.sys
2010-04-14 12:19:41 0 d-----w- c:\program files\AVG
2010-04-14 12:17:36 0 d-----w- c:\programdata\avg9
2010-04-13 19:15:46 3899280 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-13 19:15:44 3954568 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-13 19:15:33 427520 ----a-w- c:\windows\system32\vbscript.dll
2010-04-13 19:15:29 95744 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-13 19:15:29 221696 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-13 19:15:29 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-13 19:13:27 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-13 19:13:26 132608 ----a-w- c:\windows\system32\cabview.dll
2010-04-13 12:38:18 0 d-----w- c:\users\carlos~1.gon\appdata\roaming\Malwarebytes
2010-04-13 12:38:03 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-13 12:37:57 0 d-----w- c:\programdata\Malwarebytes
2010-04-13 12:37:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-08 13:08:30 0 d-----w- c:\windows\system32\Wat
2010-04-08 11:54:24 0 d-----w- c:\program files\iPod
2010-04-08 11:54:18 0 d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-08 11:54:17 0 d-----w- c:\program files\iTunes
2010-04-08 11:46:55 0 d-----w- c:\program files\Bonjour
2010-04-08 11:34:45 0 d-----w- c:\windows\system32\appmgmt
2010-04-07 05:54:32 43696 ----a-w- c:\windows\system32\drivers\srtspx.sys
2010-04-07 05:54:32 340016 ----a-r- c:\windows\system32\drivers\symtdiv.sys
2010-04-07 05:54:32 328752 ----a-r- c:\windows\system32\drivers\symds.sys
2010-04-07 05:54:32 172592 ----a-r- c:\windows\system32\drivers\symefa.sys
2010-04-07 05:54:32 116784 ----a-w- c:\windows\system32\drivers\ironx86.sys
2010-04-07 05:54:31 501888 ----a-w- c:\windows\system32\drivers\cchpx86.sys
2010-04-05 00:20:29 257024 ----a-w- c:\windows\system32\msv1_0.dll
2010-04-05 00:10:52 1328640 ----a-w- c:\windows\system32\quartz.dll
2010-04-02 11:35:38 0 d-----w- c:\windows\Panther
2010-04-02 11:20:10 0 d--h--w- C:\$WINDOWS.~Q
2010-04-02 11:07:08 0 d--h--w- C:\$INPLACE.~TR
2010-04-02 10:56:35 713888 ----a-w- c:\windows\system32\PerfStringBackup.INI
2010-04-02 10:53:02 0 d-----w- c:\windows\system32\wbem\Performance
2010-04-02 10:52:04 20 --sh--w- c:\users\carlos a. gonzalez\ntuser.ini
2010-04-02 10:51:36 0 d-sh--w- C:\Recovery
2010-04-02 09:40:31 21316 ----a-w- c:\windows\system32\emptyregdb.dat
2010-04-02 09:07:16 0 d-sh--w- C:\Boot
2010-04-02 08:43:32 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_SynTP_01000.Wdf
2010-04-02 08:43:23 0 d-----w- c:\program files\Synaptics
2010-04-02 08:42:37 313888 ----a-w- c:\windows\system32\nvexpbar.dll
2010-04-02 08:42:37 1079840 ----a-w- c:\windows\system32\nvcpluir.dll
2010-04-02 08:41:56 0 d-----w- c:\program files\CONEXANT
2010-04-02 08:41:50 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2010-04-02 08:41:33 485920 ----a-w- c:\windows\system32\nvuninst.exe
2010-04-02 08:41:22 9504 ---ha-w- c:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2010-04-02 08:41:22 9504 ---ha-w- c:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2010-04-01 21:54:38 383562 --sha-r- C:\bootmgr
2010-04-01 01:40:01 8192 --sha-r- C:\BOOTSECT.BAK
2010-04-01 00:10:30 0 d-----w- c:\users\carlos~1.gon\appdata\roaming\Tific
2010-03-31 23:49:45 1890 ----a-w- c:\windows\diagwrn.xml
2010-03-31 23:49:45 1890 ----a-w- c:\windows\diagerr.xml

==================== Find3M ====================

2010-04-26 09:35:58 6656 ----a-w- c:\windows\system32\drivers\RDPCDD.sys
2010-03-22 06:48:00 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_WinUSB_01007.Wdf
2010-03-22 06:42:45 581192 ----a-w- c:\windows\system32\WinUSBCoInstaller.dll
2010-03-22 06:42:44 1112288 ----a-w- c:\windows\system32\WdfCoInstaller01007.dll
2010-03-16 18:46:51 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-03-16 18:46:51 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-03-16 18:46:51 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-02-24 15:16:06 181632 ----a-w- c:\windows\system32\MpSigStub.exe
2010-02-23 07:56:00 977920 ----a-w- c:\windows\system32\wininet.dll
2010-02-12 16:46:14 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 16:46:14 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-02-02 07:45:54 2048 ----a-w- c:\windows\system32\tzres.dll
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 23:41:36.02 ===============

Attached Files


Edited by Cgon, 26 April 2010 - 11:51 PM.


#12 Blade81 (Malware Response Team, Finland)

Posted 26 April 2010 - 11:56 PM

Please run ComboFix again after disabling protection first.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal instructions are meant to be used in the corresponding user's case only. If you have similar symptoms, please create your own topic instead of following instructions given to someone else.


#13 Cgon (Topic Starter)

Posted 27 April 2010 - 02:42 AM

Okay, so I ran ComboFix and here is the log. Also, while I was on the internet I got a message from Norton 360 telling me that it had detected that the file "rdpcdd.sys.vir" contains the threat Backdoor.Tidserv.I!inf; all it did was quarantine it and tell me to manually remove it. Just keeping you informed. Thanks.

Attached Files



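A triage point worth making explicit here, because it recurs in the Kaspersky report further down the thread: "rdpcdd.sys.vir" is not a live driver. The ".vir" suffix and the C:\Qoobox\Quarantine\ folder are ComboFix's quarantine naming, so a detection on that path is a scanner re-flagging an already-isolated copy. The hit that matters is a same-named RDPCDD.sys that is still in place, and Windows keeps a second copy of system drivers in the winsxs component store, which servicing (sfc /scannow, driver repair) uses as its restore source. The script below is an added example, not code from the thread or from any of the tools it mentions: it parses scanner report lines in the "path Infected: threat count" layout the Kaspersky Online Scanner uses, separates quarantine copies from live files, and hash-compares an installed driver against its component-store copies so a patched copy stands out. The sample report lines are constructed from the format shown in the thread; function names, the quarantine path and suffix lists, and the demo byte strings are this example's own assumptions.

```python
"""Triage AV hits from a cleanup log and compare a driver against its
component-store copies. Added example; not the thread's own tooling."""
import hashlib
import os
import re
from dataclasses import dataclass

# Constructed sample in the layout of a Kaspersky Online Scanner 7 report
# ("File name Infected: Threat count"); mirrors the three hits quoted in the thread.
SAMPLE_REPORT = """\
C:\\Qoobox\\Quarantine\\C\\Windows\\system32\\Drivers\\RDPCDD.sys.vir Infected: Rootkit.Win32.TDSS.ap 1
C:\\Qoobox\\Quarantine\\C\\Windows\\system32\\Drivers\\RDPCDD.sys.vir_ Infected: Rootkit.Win32.TDSS.ap 1
C:\\Windows\\winsxs\\x86_microsoft-windows-t..niportdisplaydriver_31bf3856ad364e35_6.1.7600.16385_none_d4b17a3e9f928d55\\RDPCDD.sys Infected: Rootkit.Win32.TDSS.ap 1
"""

HIT_RE = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)\s*$")
QUARANTINE_DIRS = ("\\qoobox\\quarantine\\",)   # ComboFix quarantine folder (assumption: the only one checked)
QUARANTINE_SUFFIXES = (".vir", ".vir_")         # ComboFix's renamed quarantine copies


@dataclass
class Hit:
    path: str
    threat: str
    quarantined: bool        # already isolated; informational only
    in_component_store: bool  # lives under winsxs, i.e. a servicing/restore source


def parse_report(text: str) -> list:
    """Parse 'path Infected: threat count' lines; other lines are ignored."""
    hits = []
    for line in text.splitlines():
        m = HIT_RE.match(line.strip())
        if not m:
            continue
        path = m.group("path")
        low = path.lower()
        quarantined = any(d in low for d in QUARANTINE_DIRS) or low.endswith(QUARANTINE_SUFFIXES)
        hits.append(Hit(path, m.group("threat"), quarantined, "\\winsxs\\" in low))
    return hits


def live_hits(hits: list) -> list:
    """Detections that still point at a file outside any quarantine."""
    return [h for h in hits if not h.quarantined]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def group_copies(copies: dict) -> dict:
    """{label: bytes} -> {sha256: [labels]}; one group means all copies agree."""
    groups = {}
    for label, data in copies.items():
        groups.setdefault(sha256_hex(data), []).append(label)
    return groups


def odd_ones_out(copies: dict, reference_label: str) -> list:
    """Labels whose bytes differ from the reference copy (e.g. the installed driver)."""
    ref = sha256_hex(copies[reference_label])
    return sorted(label for label, data in copies.items() if sha256_hex(data) != ref)


def collect_driver_copies(driver_name: str, drivers_dir: str, winsxs_dir: str) -> dict:
    """Filesystem front end: the installed driver plus every same-named file under
    the component store. Only meaningful on a Windows volume; not run offline."""
    copies = {}
    installed = os.path.join(drivers_dir, driver_name)
    if os.path.isfile(installed):
        with open(installed, "rb") as f:
            copies[installed] = f.read()
    for root, _dirs, files in os.walk(winsxs_dir):
        for name in files:
            if name.lower() == driver_name.lower():
                full = os.path.join(root, name)
                with open(full, "rb") as f:
                    copies[full] = f.read()
    return copies


if __name__ == "__main__":
    for h in parse_report(SAMPLE_REPORT):
        state = "quarantined copy" if h.quarantined else "LIVE"
        print(f"{state:17} {h.threat}  {h.path}")
    # Constructed stand-ins for driver images; not real RDPCDD.sys bytes.
    demo = {
        "system32\\drivers\\RDPCDD.sys": b"clean image",
        "winsxs\\component-a\\RDPCDD.sys": b"clean image",
        "winsxs\\component-b\\RDPCDD.sys": b"patched image",
    }
    print("differs from installed driver:", odd_ones_out(demo, "system32\\drivers\\RDPCDD.sys"))
```

On a real Windows box the same comparison is `collect_driver_copies("RDPCDD.sys", r"C:\Windows\System32\drivers", r"C:\Windows\winsxs")` fed into `odd_ones_out`; a mismatch is not proof of infection by itself (different servicing versions of a driver legitimately coexist in winsxs), so confirm the suspect copy with a signature check or a scanner before acting on it.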
#14 Blade81 (Malware Response Team, Finland)

Posted 27 April 2010 - 10:17 AM

Thanks for the log & description.


Uninstall old Adobe Reader versions and get the latest one (9.3 + update 9.3.2) here, or get Foxit Reader here. Make sure you don't install the toolbar if you choose Foxit Reader! You may also check the free readers introduced here.


Uninstall vulnerable Flash versions by following instructions here. Fresh version can be obtained here.


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older Java components and update to the latest version...

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 20.
  • Click the Download button to the right.
  • Select Windows in the platform combobox and check the box that says: Accept License Agreement. Click Continue.
  • The page will refresh.
  • Click on the link to download Windows Offline Installation (with or without Multi-language) and save it to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u20-windows-i586-p.exe to install the newest version. Uncheck the Carbonite online backup trial if it's offered there.



Download ATF (Atribune Temp File) Cleaner by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here.


Post back its report & a fresh dds.txt log.




#15 Cgon (Topic Starter)

Posted 28 April 2010 - 06:20 PM

Okay, here are the DDS logs and the Kaspersky report. I started seeing Norton 360 telling me "A recent attempt to attack your computer was blocked", and it's no longer the Tidserv Request that comes up but something called a "portscan".



--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Wednesday, April 28, 2010
Operating system: Microsoft Professional (build 7600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Wednesday, April 28, 2010 09:17:25
Records in database: 3994739
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Objects scanned: 131843
Threats found: 1
Infected objects found: 3
Suspicious objects found: 0
Scan duration: 02:49:23


File name / Threat / Threats count
C:\Qoobox\Quarantine\C\Windows\system32\Drivers\RDPCDD.sys.vir Infected: Rootkit.Win32.TDSS.ap 1
C:\Qoobox\Quarantine\C\Windows\system32\Drivers\RDPCDD.sys.vir_ Infected: Rootkit.Win32.TDSS.ap 1
C:\Windows\winsxs\x86_microsoft-windows-t..niportdisplaydriver_31bf3856ad364e35_6.1.7600.16385_none_d4b17a3e9f928d55\RDPCDD.sys Infected: Rootkit.Win32.TDSS.ap 1

Selected area has been scanned.





DDS (Ver_10-03-17.01) - NTFSx86
Run by Carlos A. Gonzalez at 18:07:10.78 on Wed 04/28/2010
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_20
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2814.1423 [GMT -5:00]

SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgfws9.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Norton 360\Engine\4.1.0.32\ccSvcHst.exe
C:\Windows\SMINST\BLService.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Norton 360\Engine\4.1.0.32\ccSvcHst.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\alg.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Carlos A. Gonzalez\Desktop\dds.scr
C:\Windows\system32\conhost.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cnnb
uInternet Settings,ProxyOverride = *.local
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\4.1.0.32\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\4.1.0.32\IPSBHO.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\4.1.0.32\coIEPlg.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
AppInit_DLLs: c:\windows\system32\avgrsstx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\users\carlos~1.gon\appdata\roaming\mozilla\firefox\profiles\jkjd44xi.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\coffplgn\components\coFFPlgn.dll
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 AVGIDSErHrw7x;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSwx.sys [2010-4-14 25096]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2010-4-14 52872]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0401000.020\symds.sys [2010-4-7 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0401000.020\symefa.sys [2010-4-7 172592]
R1 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwd6x.sys [2010-4-14 24856]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-4-14 216200]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-4-14 29512]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-4-14 242896]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\bashdefs\20100324.001\BHDrvx86.sys [2010-3-24 536112]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0401000.020\cchpx86.sys [2010-4-7 501888]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\ipsdefs\20100422.002\IDSvix86.sys [2010-4-26 343088]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0401000.020\ironx86.sys [2010-4-7 116784]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\n360\0401000.020\symtdiv.sys [2010-4-7 340016]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 avg9emc;AVG E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-4-14 916760]
R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-4-14 308064]
R2 avgfws9;AVG Firewall;c:\program files\avg\avg9\avgfws9.exe [2010-4-14 2325816]
R2 AVGIDSAgent;AVG9IDSAgent;c:\program files\avg\avg9\identity protection\agent\bin\AVGIDSAgent.exe [2010-4-14 5888008]
R2 N360;Norton 360;c:\program files\norton 360\engine\4.1.0.32\ccsvchst.exe [2010-4-7 126392]
R2 Recovery Service for Windows;Recovery Service for Windows;c:\windows\sminst\BLService.exe [2008-8-4 361808]
R3 AVGIDSDriverw7x;AVG9IDSDriver;c:\program files\avg\avg9\identity protection\agent\driver\platform_win7\AVGIDSDriver.sys [2010-4-14 122376]
R3 AVGIDSFilterw7x;AVG9IDSFilter;c:\program files\avg\avg9\identity protection\agent\driver\platform_win7\AVGIDSFilter.sys [2010-4-14 30216]
R3 AVGIDSShimw7x;AVG9IDSShim;c:\program files\avg\avg9\identity protection\agent\driver\platform_win7\AVGIDSShim.sys [2010-4-14 20488]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-4-15 102448]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2008-5-9 43040]
R3 OA004Ufd;Creative Camera OA004 Upper Filter Driver;c:\windows\system32\drivers\OA004Ufd.sys [2008-6-3 144672]
R3 OA004Vid;Creative Camera OA004 Function Driver;c:\windows\system32\drivers\OA004Vid.sys [2008-7-17 269760]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-4-8 1343400]

=============== Created Last 30 ================

2010-04-28 01:00:27 0 d-----w- c:\programdata\Sun
2010-04-28 00:59:34 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-27 07:17:03 0 d-sh--w- C:\$RECYCLE.BIN
2010-04-26 09:33:11 98816 ----a-w- c:\windows\sed.exe
2010-04-26 09:33:11 77312 ----a-w- c:\windows\MBR.exe
2010-04-26 09:33:11 261632 ----a-w- c:\windows\PEV.exe
2010-04-26 09:33:11 161792 ----a-w- c:\windows\SWREG.exe
2010-04-19 01:09:13 383793572 ----a-w- c:\windows\MEMORY.DMP
2010-04-19 00:30:32 0 ----a-w- c:\users\carlos a. gonzalez\defogger_reenable
2010-04-17 02:23:31 0 d-----w- c:\programdata\SUPERAntiSpyware.com
2010-04-17 02:23:16 0 d-----w- c:\users\carlos~1.gon\appdata\roaming\SUPERAntiSpyware.com
2010-04-17 02:23:16 0 d-----w- c:\program files\SUPERAntiSpyware
2010-04-17 02:21:53 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-04-16 13:22:40 0 d-----w- c:\users\carlos~1.gon\appdata\roaming\AVG9
2010-04-14 12:31:43 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-04-14 12:31:39 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-14 12:31:19 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-04-14 12:30:41 0 d-----w- c:\windows\system32\drivers\Avg
2010-04-14 12:26:18 25096 ----a-w- c:\windows\system32\drivers\AVGIDSwx.sys
2010-04-14 12:26:08 52872 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2010-04-14 12:23:08 24856 ----a-w- c:\windows\system32\drivers\avgfwd6x.sys
2010-04-14 12:19:41 0 d-----w- c:\program files\AVG
2010-04-14 12:17:36 0 d-----w- c:\programdata\avg9
2010-04-13 19:15:46 3899280 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-13 19:15:44 3954568 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-13 19:15:33 427520 ----a-w- c:\windows\system32\vbscript.dll
2010-04-13 19:15:29 95744 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-13 19:15:29 221696 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-13 19:15:29 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-13 19:13:27 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-13 19:13:26 132608 ----a-w- c:\windows\system32\cabview.dll
2010-04-13 12:38:18 0 d-----w- c:\users\carlos~1.gon\appdata\roaming\Malwarebytes
2010-04-13 12:38:03 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-13 12:37:57 0 d-----w- c:\programdata\Malwarebytes
2010-04-13 12:37:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-08 13:08:30 0 d-----w- c:\windows\system32\Wat
2010-04-08 11:54:24 0 d-----w- c:\program files\iPod
2010-04-08 11:54:18 0 d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-08 11:54:17 0 d-----w- c:\program files\iTunes
2010-04-08 11:46:55 0 d-----w- c:\program files\Bonjour
2010-04-08 11:34:45 0 d-----w- c:\windows\system32\appmgmt
2010-04-07 05:54:32 43696 ----a-w- c:\windows\system32\drivers\srtspx.sys
2010-04-07 05:54:32 340016 ----a-r- c:\windows\system32\drivers\symtdiv.sys
2010-04-07 05:54:32 328752 ----a-r- c:\windows\system32\drivers\symds.sys
2010-04-07 05:54:32 172592 ----a-r- c:\windows\system32\drivers\symefa.sys
2010-04-07 05:54:32 116784 ----a-w- c:\windows\system32\drivers\ironx86.sys
2010-04-07 05:54:31 501888 ----a-w- c:\windows\system32\drivers\cchpx86.sys
2010-04-05 00:20:29 257024 ----a-w- c:\windows\system32\msv1_0.dll
2010-04-05 00:10:52 1328640 ----a-w- c:\windows\system32\quartz.dll
2010-04-02 11:35:38 0 d-----w- c:\windows\Panther
2010-04-02 11:20:10 0 d-----w- C:\$WINDOWS.~Q
2010-04-02 11:07:08 0 d-----w- C:\$INPLACE.~TR
2010-04-02 10:56:35 713888 ----a-w- c:\windows\system32\PerfStringBackup.INI
2010-04-02 10:53:02 0 d-----w- c:\windows\system32\wbem\Performance
2010-04-02 10:52:04 20 --sh--w- c:\users\carlos a. gonzalez\ntuser.ini
2010-04-02 10:51:36 0 d-----w- C:\Recovery
2010-04-02 09:40:31 21316 ----a-w- c:\windows\system32\emptyregdb.dat
2010-04-02 09:07:16 0 d-----w- C:\Boot
2010-04-02 08:43:32 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_SynTP_01000.Wdf
2010-04-02 08:43:23 0 d-----w- c:\program files\Synaptics
2010-04-02 08:42:37 313888 ----a-w- c:\windows\system32\nvexpbar.dll
2010-04-02 08:42:37 1079840 ----a-w- c:\windows\system32\nvcpluir.dll
2010-04-02 08:41:56 0 d-----w- c:\program files\CONEXANT
2010-04-02 08:41:50 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2010-04-02 08:41:33 485920 ----a-w- c:\windows\system32\nvuninst.exe
2010-04-02 08:41:22 9504 ---ha-w- c:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2010-04-02 08:41:22 9504 ---ha-w- c:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2010-04-01 21:54:38 383562 --sha-r- C:\bootmgr
2010-04-01 01:40:01 8192 --sha-r- C:\BOOTSECT.BAK
2010-04-01 00:10:30 0 d-----w- c:\users\carlos~1.gon\appdata\roaming\Tific
2010-03-31 23:49:45 1890 ----a-w- c:\windows\diagwrn.xml
2010-03-31 23:49:45 1890 ----a-w- c:\windows\diagerr.xml

==================== Find3M ====================

2010-04-26 09:35:58 6656 ----a-w- c:\windows\system32\drivers\RDPCDD.sys
2010-03-22 06:48:00 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_WinUSB_01007.Wdf
2010-03-22 06:42:45 581192 ----a-w- c:\windows\system32\WinUSBCoInstaller.dll
2010-03-22 06:42:44 1112288 ----a-w- c:\windows\system32\WdfCoInstaller01007.dll
2010-03-16 18:46:51 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-03-16 18:46:51 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-03-16 18:46:51 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-02-24 15:16:06 181632 ----a-w- c:\windows\system32\MpSigStub.exe
2010-02-23 07:56:00 977920 ----a-w- c:\windows\system32\wininet.dll
2010-02-12 16:46:14 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 16:46:14 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-02-02 07:45:54 2048 ----a-w- c:\windows\system32\tzres.dll
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 18:08:06.66 ===============
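The DDS output above is raw data, and the usual way a helper works it is by eye: look for driver files written at odd times, and service images living in unexpected directories. The script below is an added example (not part of this thread or of DDS itself) that automates those two passes over an excerpt of the log. Both checks are my own triage heuristics: a file under system32\drivers whose timestamp is shared by no other file and which is not registered as a running driver/service image is a lead worth hashing and comparing against a known-good copy, and a service image outside system32, Program Files or ProgramData is a lead worth identifying. They produce leads, not verdicts; the sample lines are copied from the log above, not the full log.

```python
"""Triage helper for DDS log excerpts (added example, not part of the thread or of DDS)."""
import re
from collections import defaultdict

# Excerpt of lines taken from the DDS log posted above (constructed sample, not the full log).
SAMPLE_LOG = r"""
============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2010-4-14 52872]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-4-14 242896]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 N360;Norton 360;c:\program files\norton 360\engine\4.1.0.32\ccsvchst.exe [2010-4-7 126392]
R2 Recovery Service for Windows;Recovery Service for Windows;c:\windows\sminst\BLService.exe [2008-8-4 361808]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]

=============== Created Last 30 ================

2010-04-26 09:33:11 77312 ----a-w- c:\windows\MBR.exe
2010-04-14 12:31:39 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-13 19:15:29 95744 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-13 19:15:29 221696 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-13 19:15:29 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-07 05:54:32 43696 ----a-w- c:\windows\system32\drivers\srtspx.sys
2010-04-07 05:54:32 328752 ----a-r- c:\windows\system32\drivers\symds.sys

==================== Find3M ====================

2010-04-26 09:35:58 6656 ----a-w- c:\windows\system32\drivers\RDPCDD.sys
2010-03-16 18:46:51 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-03-16 18:46:51 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
"""

# "R1 name;display;path [yyyy-m-d size]" lines from the SERVICES / DRIVERS section.
SERVICE_RE = re.compile(
    r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[(\d{4}-\d{1,2}-\d{1,2})\s+(\d+)\]\s*$")
# "yyyy-mm-dd hh:mm:ss size attrs path" lines from Created Last 30 / Find3M.
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(\S{8})\s+(.+?)\s*$")

DRIVERS_DIR = "c:\\windows\\system32\\drivers\\"
# Heuristic allowlist of directories a service/driver image is expected to live under.
EXPECTED_IMAGE_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\", "c:\\programdata\\")


def parse_dds(text):
    """Split a DDS excerpt into service/driver records and file-listing records."""
    services, files = [], []
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            start, name, display, path, date, size = m.groups()
            services.append({"start": start, "name": name, "display": display,
                             "path": path.lower(), "date": date, "size": int(size)})
            continue
        m = FILE_RE.match(line)
        if m:
            ts, size, attrs, path = m.groups()
            files.append({"ts": ts, "size": int(size), "attrs": attrs, "path": path.lower()})
    return services, files


def lone_driver_writes(services, files):
    """Heuristic: files under system32\\drivers written at a timestamp no other file
    shares (installers and patches write in batches) and not registered as a loaded
    driver/service image. Returns candidate paths to hash and verify."""
    by_ts = defaultdict(list)
    for f in files:
        if f["path"].startswith(DRIVERS_DIR):
            by_ts[f["ts"]].append(f)
    registered = {s["path"] for s in services}
    return [group[0]["path"] for ts, group in sorted(by_ts.items())
            if len(group) == 1 and group[0]["path"] not in registered]


def images_outside_expected_dirs(services):
    """Heuristic: service/driver images whose path is not under an expected directory."""
    return [(s["name"], s["path"]) for s in services
            if not s["path"].startswith(EXPECTED_IMAGE_DIRS)]


if __name__ == "__main__":
    svc, fil = parse_dds(SAMPLE_LOG)
    print("lone driver writes:", lone_driver_writes(svc, fil))
    print("images outside expected dirs:", images_outside_expected_dirs(svc))
```

On the excerpt, the timestamp check leaves the mrxsmb*.sys patch batch and the vendor driver batches alone and surfaces the single RDPCDD.sys write; the location check surfaces the recovery service under c:\windows\sminst. Both are starting points for verification (hash the file, compare it with the copy in a clean install or in winsxs, confirm the publisher), not a diagnosis.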
