
Browser Redirect resists all attempts to conquer it


  • This topic is locked
10 replies to this topic

#1 jcastro

jcastro

  • Members
  • 5 posts
  • OFFLINE
  • Local time:07:57 PM

Posted 20 April 2010 - 07:49 AM

Hello,

I have a browser redirect problem for Firefox and IE8 that I have not been able to resolve. I have tried MalwareBytes, SuperAntiSpyware, SpyBot, Ad-Aware, CWShredder and Stinger. Initially, many problems were found and fixed, but now those utilities all report a clean system.

But yet, every time I click a results link from a Bing query, I get redirected to an unrelated site. If I'm searching in google, a new tab will spontaneously appear with a redirected website.

Furthermore, I believe that some of the redirected pages cause additional malware to infect my computer. The AVE fake virus alert is a particularly nasty one that keeps coming back.

I am running Windows XP. I am connected to my router via cable (not wireless).
My virus software and software firewall is Panda Antivirus.

The DDS log is below.

I have been unsuccessful at acquiring a GMER log. My last attempt at running GMER crashed the PC after two hours of running. So I'm going to post without it and hope for the best.

I appreciate the help on this. I don't know what else to do.

- Jason


DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 6:56:01.14 on Tue 04/20/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.350 [GMT -4:00]

AV: Panda Global Protection 2010 *On-access scanning disabled* (Updated) {8BF935E7-731F-4115-B7A5-789FF5087595}
FW: Panda Personal Firewall 2010 *disabled* {7B090DC0-8905-4BAF-8040-FD98A41C8FB8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Panda Security\Panda Global Protection 2010\TPSrv.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\a-squared Free\a2service.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\svchost -k Panda
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Panda Security\Panda Global Protection 2010\PsCtrls.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Panda Security\Panda Global Protection 2010\PavFnSvr.exe
C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe
C:\Program Files\Panda Security\Panda Global Protection 2010\pavsrv51.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Panda Security\Panda Global Protection 2010\AVENGINE.EXE
c:\program files\panda security\panda global protection 2010\firewall\PSHOST.EXE
C:\Program Files\Panda Security\Panda Global Protection 2010\psimsvc.exe
C:\Program Files\Panda Security\Panda Global Protection 2010\PskSvc.exe
svchost.exe
C:\Program Files\Panda Security\Panda Global Protection 2010\PavBckPT.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Panda Security\Panda Global Protection 2010\WebProxy.exe
C:\Documents and Settings\Owner.emachine\Desktop\FiXFIX\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://news.google.com/nwshp?hl=en&tab=wn
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\windows\system32\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [Power2GoExpress] NA
uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger .exe" -quiet
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Reminder] %WINDIR%\Creator\Remind_XP.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask .exe" -atboottime
mRun: [APVXDWIN] "c:\program files\panda security\panda global protection 2010\APVXDWIN.EXE" /s
mRun: [SCANINICIO] "c:\program files\panda security\panda global protection 2010\Inicio.exe"
StartupFolder: c:\docume~1\owner~1.ema\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avldr - avldr.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner~1.ema\applic~1\mozilla\firefox\profiles\3yvuiun4.default\
FF - prefs.js: browser.startup.homepage - hxxp://news.google.com/
FF - plugin: c:\documents and settings\all users\application data\realarcade\npraclient.dll
FF - plugin: c:\documents and settings\all users\application data\zylom\zylomgamesplayer\npzylomgamesplayer.dll
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-4-19 64288]
R0 pavboot;Panda boot driver;c:\windows\system32\drivers\pavboot.sys [2009-12-29 28552]
R1 APPFLT;App Filter Plugin;c:\windows\system32\drivers\APPFLT.SYS [2009-12-29 75016]
R1 DSAFLT;DSA Filter Plugin;c:\windows\system32\drivers\dsaflt.sys [2009-12-29 53128]
R1 FNETMON;NetMon Filter Plugin;c:\windows\system32\drivers\fnetmon.sys [2009-12-29 22072]
R1 IDSFLT;Ids Filter Plugin;c:\windows\system32\drivers\idsflt.sys [2009-12-29 193800]
R1 NETFLTDI;Panda Net Driver [TDI Layer];c:\windows\system32\drivers\NETFLTDI.SYS [2009-12-29 159112]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R1 ShldDrv;Panda File Shield Driver;c:\windows\system32\drivers\ShlDrv51.sys [2009-12-29 41144]
R1 WNMFLT;Wifi Monitor Filter Plugin;c:\windows\system32\drivers\wnmflt.sys [2009-12-29 46728]
R2 a2free;a-squared Free Service;c:\program files\a-squared free\a2service.exe [2010-4-9 1858144]
R2 Gwmsrv;Panda Goodware Cache Manager;c:\windows\system32\svchost -k panda --> c:\windows\system32\svchost -k Panda [?]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 Panda Software Controller;Panda Software Controller;c:\program files\panda security\panda global protection 2010\PsCtrlS.exe [2009-12-29 173312]
R2 PAVDRV;pavdrv;c:\windows\system32\drivers\pavdrv51.sys [2009-12-29 84024]
R2 PAVFNSVR;Panda Function Service;c:\program files\panda security\panda global protection 2010\PavFnSvr.exe [2009-12-29 169216]
R2 PavProc;Panda Process Protection Driver;c:\windows\system32\drivers\PavProc.sys [2009-12-29 163336]
R2 PavPrSrv;Panda Process Protection Service;c:\program files\common files\panda security\pavshld\PavPrSrv.exe [2009-12-29 62768]
R2 PAVSRV;Panda anti-virus service;c:\program files\panda security\panda global protection 2010\PAVSRV51.EXE [2009-12-29 291584]
R2 PskSvcRetail;Panda PSK service;c:\program files\panda security\panda global protection 2010\psksvc.exe [2009-12-29 28928]
R3 ComFiltr;Panda Anti-Dialer;c:\windows\system32\drivers\COMFiltr.sys [2010-4-15 13880]
R3 NETIMFLT01060039;PANDA NDIS IM Filter Miniport v1.6.0.39;c:\windows\system32\drivers\neti1639.sys [2009-12-29 199432]
R3 PavTPK.sys;PavTPK.sys;\??\c:\windows\system32\pavtpk.sys --> c:\windows\system32\PavTPK.sys [?]
S2 gupdate1ca4ffcd0de7ecc;Google Update Service (gupdate1ca4ffcd0de7ecc);c:\program files\google\update\GoogleUpdate.exe [2009-10-18 133104]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1228208]
S3 ndsdatamax;ndsdatamax;c:\windows\system32\drivers\ndsdatamax.sys [2008-6-30 29184]
S3 RkPavproc1;RkPavproc1;\??\c:\windows\system32\drivers\rkpavproc1.sys --> c:\windows\system32\drivers\RkPavproc1.sys [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
S3 Steefer;Steefer;\??\c:\docume~1\owner~1.ema\locals~1\temp\steefer.sys --> c:\docume~1\owner~1.ema\locals~1\temp\Steefer.sys [?]

=============== Created Last 30 ================

2010-04-19 22:03:57 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-04-19 21:47:08 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-04-19 21:45:48 0 d-----w- c:\program files\Lavasoft
2010-04-19 01:46:28 0 d-----w- c:\program files\TrendMicro
2010-04-19 00:31:03 98816 ----a-w- c:\windows\sed.exe
2010-04-19 00:31:03 77312 ----a-w- c:\windows\MBR.exe
2010-04-19 00:31:03 261632 ----a-w- c:\windows\PEV.exe
2010-04-19 00:31:03 161792 ----a-w- c:\windows\SWREG.exe
2010-04-19 00:30:08 0 d-----w- C:\ComboFix
2010-04-18 18:24:23 642 ----a-w- c:\windows\wininit.ini
2010-04-16 23:13:40 0 d-----w- c:\program files\CCleaner
2010-04-16 23:12:30 0 d-----w- c:\docume~1\alluse~1\applic~1\ReviverSoft
2010-04-16 10:52:59 262 ----a-w- c:\windows\system32\PavCPL.dat
2010-04-15 11:05:46 13880 ----a-w- c:\windows\system32\drivers\COMFiltr.sys
2010-04-15 10:57:58 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-13 01:26:31 0 d-----w- c:\program files\Windows Installer Clean Up
2010-04-13 01:26:23 0 d-----w- c:\program files\MSECACHE
2010-04-13 00:56:57 112 ----a-w- c:\docume~1\alluse~1\applic~1\QOL0iswi.dat
2010-04-12 21:58:47 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-04-12 21:58:00 0 d-----w- c:\program files\SUPERAntiSpyware
2010-04-12 21:57:59 0 d-----w- c:\docume~1\owner~1.ema\applic~1\SUPERAntiSpyware.com
2010-04-12 21:56:33 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-04-10 00:43:29 0 dc-h--w- c:\windows\ie8
2010-04-10 00:04:14 0 d-----w- c:\program files\a-squared Free
2010-04-09 23:56:36 74121968 ----a-w- c:\temp\a2FreeSetup.exe
2010-04-09 23:02:29 0 d-----w- c:\windows\pss
2010-04-09 09:22:12 0 d-----w- c:\docume~1\owner~1.ema\applic~1\Malwarebytes
2010-04-09 09:21:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-09 09:21:53 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-04-09 09:21:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-09 09:21:52 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-08 23:21:55 0 d-----w- c:\windows\system32\appmgmt
2010-04-07 23:52:51 0 d-----w- c:\temp\ChrisColumbusReport
2010-04-07 23:21:32 360 ----a-w- c:\temp\removevirus.reg
2010-04-06 23:37:40 664 ----a-w- c:\windows\system32\d3d9caps.dat

==================== Find3M ====================

2010-04-20 10:53:35 264336 ----a-w- c:\windows\system32\drivers\APPFCONT.DAT.bck
2010-04-20 10:53:35 264336 ----a-w- c:\windows\system32\drivers\APPFCONT.DAT
2010-04-20 10:53:34 1132 ----a-w- c:\windows\system32\drivers\APPFLTR.CFG.bck
2010-04-20 10:53:34 1132 ----a-w- c:\windows\system32\drivers\APPFLTR.CFG
2010-04-19 07:04:37 4224 ----a-w- c:\windows\system32\drivers\rdpcdd.sys
2010-04-05 23:27:07 1526 ----a-w- c:\docume~1\owner~1.ema\applic~1\wklnhst.dat
2010-03-17 00:57:18 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24:38 819120 ----a-w- c:\windows\system32\aseebxasu.dll
2010-02-25 06:24:38 2614892 ----a-w- c:\windows\system32\andgsheet.dll
2010-02-25 06:24:38 2440883 ----a-w- c:\windows\system32\poshegje.dll
2010-02-25 06:24:38 2323161 ----a-w- c:\windows\system32\ebxexapifo.dll
2010-02-25 06:24:38 1707346 ----a-w- c:\windows\system32\asasuloerr.dll
2010-02-25 06:24:38 1593349 ----a-w- c:\windows\system32\poarascra.dll
2010-02-25 06:24:38 1473030 ----a-w- c:\windows\system32\aspebxor.dll
2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11:07 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 14:08:49 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25:04 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-01-27 23:40:24 47360 ----a-w- c:\docume~1\owner~1.ema\applic~1\pcouffin.sys
2008-05-16 20:14:01 774144 ----a-w- c:\program files\RngInterstitial.dll
2008-03-21 15:06:41 0 ----a-w- c:\program files\temp01
2008-09-13 01:41:49 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091220080913\index.dat

============= FINISH: 6:58:03.04 ===============
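The DDS output above is quoted program output and stays as posted. As an added example (it is not part of the original thread, nor code from the DDS tool), the following Python script parses DDS-style file lines (the "Created Last 30" and "Find3M" sections) and "SERVICES / DRIVERS" lines and flags two patterns a responder usually reviews first: a driver or file whose image lives in a temp directory, and a group of files written into the same directory within the same second. The sample lines are copied from the log above; the regular expressions, the cluster threshold, the temp-directory heuristic and the function names are the example's own assumptions, and a flagged entry is a prompt to look closer, not a verdict.

```python
import re
from collections import defaultdict

# Sample input: lines copied from the DDS log posted above
# ("Created Last 30", "Find3M" and "SERVICES / DRIVERS" sections).
SAMPLE_DDS = r"""
2010-04-19 22:03:57 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-02-25 06:24:38 819120 ----a-w- c:\windows\system32\aseebxasu.dll
2010-02-25 06:24:38 2614892 ----a-w- c:\windows\system32\andgsheet.dll
2010-02-25 06:24:38 2440883 ----a-w- c:\windows\system32\poshegje.dll
2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll
S3 Steefer;Steefer;\??\c:\docume~1\owner~1.ema\locals~1\temp\steefer.sys --> c:\docume~1\owner~1.ema\locals~1\temp\Steefer.sys [?]
R0 pavboot;Panda boot driver;c:\windows\system32\drivers\pavboot.sys [2009-12-29 28552]
"""

# "<date> <time> <size> <attributes> <path>" as printed in the file sections.
FILE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<size>\d+) (?P<attr>\S+) (?P<path>.+)$"
)
# "<R|S><n> <name>;<description>;<image path ...>" as printed in SERVICES / DRIVERS.
SVC_RE = re.compile(r"^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.+)$")
# Assumed heuristic: any path component literally named "temp" (covers the
# 8.3-style "locals~1\temp" form DDS prints).
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)


def parse_dds(text):
    """Split DDS text into file entries and service/driver entries (dicts)."""
    files, services = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = FILE_RE.match(line)
        if m:
            files.append(m.groupdict())
            continue
        m = SVC_RE.match(line)
        if m:
            services.append(m.groupdict())
    return files, services


def triage(text, cluster_min=3):
    """Return a list of findings worth a closer look; each finding is a dict."""
    files, services = parse_dds(text)
    findings = []

    # 1. A service or driver whose image sits in a temp directory.
    for s in services:
        if TEMP_RE.search(s["path"]):
            findings.append({"reason": "driver loaded from temp directory",
                             "name": s["name"], "path": s["path"]})

    # 2. A plain file entry located in a temp directory.
    for f in files:
        if TEMP_RE.search(f["path"]):
            findings.append({"reason": "file in temp directory", "path": f["path"]})

    # 3. Several files dropped into one directory within the same second.
    #    Legitimate installers and updates do this too, so it is a review
    #    prompt, not a verdict; cluster_min is an assumed threshold.
    groups = defaultdict(list)
    for f in files:
        directory, _, base = f["path"].rpartition("\\")
        groups[(f["ts"], directory.lower())].append(base)
    for (ts, directory), names in groups.items():
        if len(names) >= cluster_min:
            findings.append({"reason": "same-second file cluster", "ts": ts,
                             "path": directory, "files": sorted(names)})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_DDS):
        print(finding)
```

Run it as a script to print the findings for the embedded sample, or import `triage` and feed it the full text of a saved DDS log. The `wininet.dll` entry, one second apart from the three-file cluster, is deliberately included to show that the same-second grouping does not sweep in the neighbouring system file.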


#2 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  • Gender:Male
  • Location:Munich,Germany
  • Local time:12:57 AM

Posted 25 April 2010 - 04:15 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE



Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#3 jcastro

jcastro
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:07:57 PM

Posted 26 April 2010 - 06:46 AM

Hello and thanks for the help.

The issue has not yet been resolved.

The requested logs are below. Note that I could not get a GMER full-scan log, as even in safe mode, the GMER scan process would crash hard enough to cause the computer to restart. I did provide the GMER quick-scan log, though.

DDS log:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 15:10:29.86 on Sun 04/25/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.417 [GMT -4:00]

AV: Panda Global Protection 2010 *On-access scanning disabled* (Updated) {8BF935E7-731F-4115-B7A5-789FF5087595}
FW: Panda Personal Firewall 2010 *disabled* {7B090DC0-8905-4BAF-8040-FD98A41C8FB8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Panda Security\Panda Global Protection 2010\TPSrv.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\a-squared Free\a2service.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost -k Panda
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Panda Security\Panda Global Protection 2010\PsCtrls.exe
C:\Program Files\Panda Security\Panda Global Protection 2010\PavFnSvr.exe
C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe
C:\Program Files\Panda Security\Panda Global Protection 2010\pavsrv51.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Panda Security\Panda Global Protection 2010\AVENGINE.EXE
c:\program files\panda security\panda global protection 2010\firewall\PSHOST.EXE
C:\Program Files\Panda Security\Panda Global Protection 2010\psimsvc.exe
C:\Program Files\Panda Security\Panda Global Protection 2010\PskSvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Panda Security\Panda Global Protection 2010\PavBckPT.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Panda Security\Panda Global Protection 2010\WebProxy.exe
C:\Documents and Settings\Owner.emachine\Desktop\FiXFIX\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://news.google.com/nwshp?hl=en&tab=wn
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\windows\system32\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [Power2GoExpress] NA
uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger .exe" -quiet
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Reminder] %WINDIR%\Creator\Remind_XP.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask .exe" -atboottime
mRun: [APVXDWIN] "c:\program files\panda security\panda global protection 2010\APVXDWIN.EXE" /s
mRun: [SCANINICIO] "c:\program files\panda security\panda global protection 2010\Inicio.exe"
StartupFolder: c:\docume~1\owner~1.ema\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avldr - avldr.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner~1.ema\applic~1\mozilla\firefox\profiles\3yvuiun4.default\
FF - prefs.js: browser.startup.homepage - hxxp://news.google.com/
FF - plugin: c:\documents and settings\all users\application data\realarcade\npraclient.dll
FF - plugin: c:\documents and settings\all users\application data\zylom\zylomgamesplayer\npzylomgamesplayer.dll
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 pavboot;Panda boot driver;c:\windows\system32\drivers\pavboot.sys [2009-12-29 28552]
R1 APPFLT;App Filter Plugin;c:\windows\system32\drivers\APPFLT.SYS [2009-12-29 75016]
R1 DSAFLT;DSA Filter Plugin;c:\windows\system32\drivers\dsaflt.sys [2009-12-29 53128]
R1 FNETMON;NetMon Filter Plugin;c:\windows\system32\drivers\fnetmon.sys [2009-12-29 22072]
R1 IDSFLT;Ids Filter Plugin;c:\windows\system32\drivers\idsflt.sys [2009-12-29 193800]
R1 NETFLTDI;Panda Net Driver [TDI Layer];c:\windows\system32\drivers\NETFLTDI.SYS [2009-12-29 159112]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R1 ShldDrv;Panda File Shield Driver;c:\windows\system32\drivers\ShlDrv51.sys [2009-12-29 41144]
R1 WNMFLT;Wifi Monitor Filter Plugin;c:\windows\system32\drivers\wnmflt.sys [2009-12-29 46728]
R2 a2free;a-squared Free Service;c:\program files\a-squared free\a2service.exe [2010-4-9 1858144]
R2 Gwmsrv;Panda Goodware Cache Manager;c:\windows\system32\svchost -k panda --> c:\windows\system32\svchost -k Panda [?]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 Panda Software Controller;Panda Software Controller;c:\program files\panda security\panda global protection 2010\PsCtrlS.exe [2009-12-29 173312]
R2 PAVDRV;pavdrv;c:\windows\system32\drivers\pavdrv51.sys [2009-12-29 84024]
R2 PAVFNSVR;Panda Function Service;c:\program files\panda security\panda global protection 2010\PavFnSvr.exe [2009-12-29 169216]
R2 PavProc;Panda Process Protection Driver;c:\windows\system32\drivers\PavProc.sys [2009-12-29 163336]
R2 PavPrSrv;Panda Process Protection Service;c:\program files\common files\panda security\pavshld\PavPrSrv.exe [2009-12-29 62768]
R2 PAVSRV;Panda anti-virus service;c:\program files\panda security\panda global protection 2010\PAVSRV51.EXE [2009-12-29 291584]
R2 PskSvcRetail;Panda PSK service;c:\program files\panda security\panda global protection 2010\psksvc.exe [2009-12-29 28928]
R3 ComFiltr;Panda Anti-Dialer;c:\windows\system32\drivers\COMFiltr.sys [2010-4-15 13880]
R3 NETIMFLT01060039;PANDA NDIS IM Filter Miniport v1.6.0.39;c:\windows\system32\drivers\neti1639.sys [2009-12-29 199432]
R3 PavTPK.sys;PavTPK.sys;\??\c:\windows\system32\pavtpk.sys --> c:\windows\system32\PavTPK.sys [?]
S2 gupdate1ca4ffcd0de7ecc;Google Update Service (gupdate1ca4ffcd0de7ecc);c:\program files\google\update\GoogleUpdate.exe [2009-10-18 133104]
S3 ndsdatamax;ndsdatamax;c:\windows\system32\drivers\ndsdatamax.sys [2008-6-30 29184]
S3 RkPavproc1;RkPavproc1;\??\c:\windows\system32\drivers\rkpavproc1.sys --> c:\windows\system32\drivers\RkPavproc1.sys [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
S3 Steefer;Steefer;\??\c:\docume~1\owner~1.ema\locals~1\temp\steefer.sys --> c:\docume~1\owner~1.ema\locals~1\temp\Steefer.sys [?]

=============== Created Last 30 ================

2010-04-25 16:27:54 0 d-----w- c:\program files\DVDFab 7
2010-04-23 05:18:37 43520 ----a-w- c:\windows\system32\o.dat
2010-04-22 22:08:23 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-04-19 21:45:48 0 d-----w- c:\program files\Lavasoft
2010-04-19 01:46:28 0 d-----w- c:\program files\TrendMicro
2010-04-19 00:31:03 98816 ----a-w- c:\windows\sed.exe
2010-04-19 00:31:03 77312 ----a-w- c:\windows\MBR.exe
2010-04-19 00:31:03 261632 ----a-w- c:\windows\PEV.exe
2010-04-19 00:31:03 161792 ----a-w- c:\windows\SWREG.exe
2010-04-19 00:30:08 0 d-----w- C:\ComboFix
2010-04-18 18:24:23 642 ----a-w- c:\windows\wininit.ini
2010-04-16 23:13:40 0 d-----w- c:\program files\CCleaner
2010-04-16 23:12:30 0 d-----w- c:\docume~1\alluse~1\applic~1\ReviverSoft
2010-04-16 10:52:59 262 ----a-w- c:\windows\system32\PavCPL.dat
2010-04-15 11:05:46 13880 ----a-w- c:\windows\system32\drivers\COMFiltr.sys
2010-04-15 10:57:58 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-13 01:26:31 0 d-----w- c:\program files\Windows Installer Clean Up
2010-04-13 01:26:23 0 d-----w- c:\program files\MSECACHE
2010-04-13 00:56:57 112 ----a-w- c:\docume~1\alluse~1\applic~1\QOL0iswi.dat
2010-04-12 21:58:47 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-04-12 21:58:00 0 d-----w- c:\program files\SUPERAntiSpyware
2010-04-12 21:57:59 0 d-----w- c:\docume~1\owner~1.ema\applic~1\SUPERAntiSpyware.com
2010-04-12 21:56:33 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-04-10 00:43:29 0 dc-h--w- c:\windows\ie8
2010-04-10 00:04:14 0 d-----w- c:\program files\a-squared Free
2010-04-09 23:56:36 74121968 ----a-w- c:\temp\a2FreeSetup.exe
2010-04-09 23:02:29 0 d-----w- c:\windows\pss
2010-04-09 09:22:12 0 d-----w- c:\docume~1\owner~1.ema\applic~1\Malwarebytes
2010-04-09 09:21:53 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-04-09 09:21:52 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-08 23:21:55 0 d-----w- c:\windows\system32\appmgmt
2010-04-07 23:52:51 0 d-----w- c:\temp\ChrisColumbusReport
2010-04-07 23:21:32 360 ----a-w- c:\temp\removevirus.reg
2010-04-06 23:37:40 664 ----a-w- c:\windows\system32\d3d9caps.dat

==================== Find3M ====================

2010-04-25 15:05:58 266508 ----a-w- c:\windows\system32\drivers\APPFCONT.DAT.bck
2010-04-25 15:05:58 266508 ----a-w- c:\windows\system32\drivers\APPFCONT.DAT
2010-04-25 15:05:57 1132 ----a-w- c:\windows\system32\drivers\APPFLTR.CFG.bck
2010-04-25 15:05:57 1132 ----a-w- c:\windows\system32\drivers\APPFLTR.CFG
2010-04-22 19:58:42 4224 ----a-w- c:\windows\system32\drivers\rdpcdd.sys
2010-04-05 23:27:07 1526 ----a-w- c:\docume~1\owner~1.ema\applic~1\wklnhst.dat
2010-03-17 00:57:18 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-16 14:08:49 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25:04 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-01-27 23:40:24 47360 ----a-w- c:\docume~1\owner~1.ema\applic~1\pcouffin.sys
2008-05-16 20:14:01 774144 ----a-w- c:\program files\RngInterstitial.dll
2008-03-21 15:06:41 0 ----a-w- c:\program files\temp01
2008-09-13 01:41:49 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091220080913\index.dat

============= FINISH: 15:12:29.54 ===============




GMER quick-scan log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-04-25 21:29:43
Windows 5.1.2600 Service Pack 3
Running: gme_jay_r.exe; Driver: C:\DOCUME~1\OWNER~1.EMA\LOCALS~1\Temp\fxlyapob.sys


---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs ShlDrv51.sys (PandaShield driver/Panda Security, S.L.)

AttachedDevice \FileSystem\Ntfs \Ntfs pavboot.sys (Panda Boot Driver/Panda Security, S.L.)
AttachedDevice \FileSystem\Ntfs \Ntfs pavdrv51.sys (Antivirus Filter Driver for Windows XP/2003 x86/Panda Security, S.L.)

Device \FileSystem\Fastfat \Fat ShlDrv51.sys (PandaShield driver/Panda Security, S.L.)

AttachedDevice \FileSystem\Fastfat \Fat pavdrv51.sys (Antivirus Filter Driver for Windows XP/2003 x86/Panda Security, S.L.)
AttachedDevice \Driver\Tcpip \Device\Ip NETFLTDI.SYS (Panda TDI Filter/Panda Security, S.L.)
AttachedDevice \Driver\Tcpip \Device\Tcp NETFLTDI.SYS (Panda TDI Filter/Panda Security, S.L.)
AttachedDevice \Driver\Tcpip \Device\Udp NETFLTDI.SYS (Panda TDI Filter/Panda Security, S.L.)
AttachedDevice \Driver\Tcpip \Device\RawIp NETFLTDI.SYS (Panda TDI Filter/Panda Security, S.L.)

Device -> \Driver\atapi \Device\Harddisk0\DR0 84E91AC8

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----



The attach.txt file is attached.

Thanks again for the help,
JCastro
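To make the DDS, GMER and ComboFix output above easier to triage, here is an added example (my own code, not part of the original post and not a feature of DDS, GMER or ComboFix) that scans log lines for the patterns that stand out in this thread: executable names that differ from a legitimate program only by a space before the extension (YahooMessenger .exe, QTTask .exe, MXOALDR .exe), a driver loading out of a user's temp folder (Steefer.sys), Run entries with no absolute path (RTHDCPL.EXE), and entries DDS could not resolve (marked [?]). The sample input is a constructed subset of lines already in the thread; the rule names and regular expressions are my own heuristics, not DDS categories.

```python
import re

# Constructed sample: a handful of lines copied from the DDS/ComboFix logs in
# this thread, enough to exercise each rule. Not the full log.
SAMPLE_LOG = r"""
uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger .exe" -quiet
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask .exe" -atboottime
mRun: [RTHDCPL] RTHDCPL.EXE
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
S3 Steefer;Steefer;\??\c:\docume~1\owner~1.ema\locals~1\temp\steefer.sys --> c:\docume~1\owner~1.ema\locals~1\temp\Steefer.sys [?]
R3 PavTPK.sys;PavTPK.sys;\??\c:\windows\system32\pavtpk.sys --> c:\windows\system32\PavTPK.sys [?]
c:\windows\MXOALDR .exe
"""

# A drive-letter path ending in a PE or driver extension. Whitespace is allowed
# right before the extension so that companion names like "QTTask .exe" match
# as one path instead of being cut at the space.
PATH_RE = re.compile(r'[a-z]:\\[^"\[\]]*?\s*\.(?:exe|dll|sys)\b', re.I)
# Space (one or more) immediately before the extension: "QTTask .exe".
COMPANION_RE = re.compile(r'\s\.(?:exe|dll|sys)$', re.I)
# Any "\temp\" directory component; DDS shows the 8.3 form "locals~1\temp".
TEMP_DIR_RE = re.compile(r'\\temp\\', re.I)


def extract_paths(line):
    """Return the distinct executable/driver paths mentioned on one log line."""
    seen, paths = set(), []
    for match in PATH_RE.finditer(line):
        path = match.group(0)
        if path.lower() not in seen:
            seen.add(path.lower())
            paths.append(path)
    return paths


def triage(log_text):
    """Scan DDS/ComboFix-style lines and return (rule, evidence) findings.

    Rules (my own heuristics):
      space_before_extension  - file name carries a space before .exe/.dll/.sys
      driver_in_temp          - a .sys loaded from a temp directory
      unqualified_run_target  - uRun/mRun entry that is a bare name, not a path,
                                so it resolves via the search order at logon
      unresolved_file         - DDS could not locate/verify the file ([?])
    """
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        paths = extract_paths(line)
        if line.startswith(("uRun:", "mRun:")) and not paths:
            findings.append(("unqualified_run_target", line))
        if line.endswith("[?]"):
            findings.append(("unresolved_file", line))
        for path in paths:
            if COMPANION_RE.search(path):
                findings.append(("space_before_extension", path))
            if path.lower().endswith(".sys") and TEMP_DIR_RE.search(path):
                findings.append(("driver_in_temp", path))
    return findings


if __name__ == "__main__":
    for rule, evidence in triage(SAMPLE_LOG):
        print(f"{rule:24s} {evidence}")
```

Run it against a full DDS or ComboFix log by reading the file into `triage()`; the Run entries it flags are the ones to compare against the "[X]" lines in ComboFix's Reg Loading Points section, since those point at the companion names rather than the real programs.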

#4 schrauber

schrauber
  • Malware Response Team
  • Gender:Male
  • Location:Munich,Germany

Posted 27 April 2010 - 03:05 PM

Hello, jcastro
Welcome to the Bleeping Computer Forums. My name is Thomas (Tom is fine), and I will be helping you fix your problems.

If you do not make a reply in 5 days, we will have to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.
  • Please set your system to show all files.
    Click Start, open My Computer, select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.

Please go here and have a look at how you can disable your security software.

Download Combofix from any of the links below but rename it to before saving it to your desktop.

Link 1
Link 2

--------------------------------------------------------------------

Double click on the renamed Combofix.exe & follow the prompts.
    When finished, it will produce a report for you.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.

#5 jcastro

jcastro
  • Topic Starter
  • Members

Posted 28 April 2010 - 06:47 AM

Hello Tom,

Thanks so much for taking the time to help me out on this.

I ran ComboFix. I did have to restart once because it detected rootkit activity.

Thanks,
jcastro

The resulting log is below:

ComboFix 10-04-26.05 - Owner 04/27/2010 20:55:21.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.463 [GMT -4:00]
Running from: c:\documents and settings\Owner.emachine\Desktop\schlauber.exe
AV: Panda Global Protection 2010 *On-access scanning disabled* (Updated) {8BF935E7-731F-4115-B7A5-789FF5087595}
FW: Panda Personal Firewall 2010 *disabled* {7B090DC0-8905-4BAF-8040-FD98A41C8FB8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\docume~1\OWNER~1.EMA\LOCALS~1\Temp\tmp2.tmp
c:\program files\Freeze.com Toolbar\basis.xml
c:\program files\Freeze.com Toolbar\freeze.bmp
c:\program files\Freeze.com Toolbar\freeze_us.crc
c:\program files\Freeze.com Toolbar\frzToolbar_logo.bmp
c:\program files\Freeze.com Toolbar\icons.bmp
c:\program files\Freeze.com Toolbar\info.txt
c:\program files\Freeze.com Toolbar\options.html
c:\program files\Freeze.com Toolbar\powered_yahoo_search.bmp
c:\program files\Freeze.com Toolbar\version.txt
c:\windows\jestertb.dll
c:\windows\MXOALDR .exe
H:\Autorun.inf
M:\install.exe

Infected copy of c:\windows\system32\drivers\rdpcdd.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MYWEBSEARCHSERVICE


((((((((((((((((((((((((( Files Created from 2010-03-28 to 2010-04-28 )))))))))))))))))))))))))))))))
.

2010-04-28 00:10 . 2010-04-28 00:11 -------- d-----w- C:\schauber
2010-04-27 04:19 . 2010-04-27 04:19 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
2010-04-27 04:19 . 2010-04-27 04:19 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-04-25 19:14 . 2010-04-26 01:29 -------- d-----w- c:\temp\computerfix
2010-04-25 16:27 . 2010-04-25 16:28 -------- d-----w- c:\program files\DVDFab 7
2010-04-23 05:19 . 2010-04-23 05:19 -------- d-----w- c:\documents and settings\LocalService\Application Data\AdobeUM
2010-04-23 05:18 . 2010-04-24 16:31 43520 ----a-w- c:\windows\system32\o.dat
2010-04-22 22:08 . 2010-04-22 22:08 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-04-19 22:03 . 2010-04-22 22:16 -------- dc----w- c:\windows\system32\DRVSTORE
2010-04-19 21:45 . 2010-04-22 22:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-04-19 21:45 . 2010-04-22 22:15 -------- d-----w- c:\program files\Lavasoft
2010-04-19 01:46 . 2010-04-19 01:46 388096 ----a-r- c:\documents and settings\Owner.emachine\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-04-19 01:46 . 2010-04-19 01:46 -------- d-----w- c:\program files\TrendMicro
2010-04-18 20:07 . 2010-04-18 20:07 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
2010-04-18 20:03 . 2010-04-18 20:03 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-04-16 23:13 . 2010-04-16 23:13 -------- d-----w- c:\program files\CCleaner
2010-04-16 23:12 . 2010-04-16 23:12 -------- d-----w- c:\documents and settings\All Users\Application Data\ReviverSoft
2010-04-16 10:52 . 2010-04-16 10:52 262 ----a-w- c:\windows\system32\PavCPL.dat
2010-04-15 11:05 . 2010-04-28 00:53 13880 ----a-w- c:\windows\system32\drivers\COMFiltr.sys
2010-04-15 10:57 . 2010-04-15 10:57 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-15 00:51 . 2010-04-15 00:51 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-04-14 23:42 . 2010-04-14 23:42 52224 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-14 23:42 . 2010-04-14 23:42 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-14 23:42 . 2010-04-14 23:42 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Panda Security
2010-04-14 23:40 . 2010-04-14 23:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-04-14 22:22 . 2010-04-14 22:22 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-04-14 22:20 . 2010-04-14 22:20 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-04-14 09:17 . 2010-04-14 09:17 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-04-13 01:26 . 2010-04-13 01:26 3584 ----a-r- c:\documents and settings\Owner.emachine\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2010-04-13 01:26 . 2010-04-13 01:26 -------- d-----w- c:\program files\Windows Installer Clean Up
2010-04-13 01:26 . 2010-04-13 01:26 -------- d-----w- c:\program files\MSECACHE
2010-04-12 21:59 . 2010-04-12 21:59 52224 ----a-w- c:\documents and settings\Owner.emachine\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-12 21:59 . 2010-04-22 10:28 117760 ----a-w- c:\documents and settings\Owner.emachine\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-12 21:58 . 2010-04-12 21:58 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-04-12 21:58 . 2010-04-15 22:42 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-12 21:57 . 2010-04-12 21:58 -------- d-----w- c:\documents and settings\Owner.emachine\Application Data\SUPERAntiSpyware.com
2010-04-12 21:56 . 2010-04-12 21:56 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-10 00:43 . 2010-04-10 00:45 -------- dc-h--w- c:\windows\ie8
2010-04-10 00:04 . 2010-04-10 00:12 -------- d-----w- c:\program files\a-squared Free
2010-04-09 23:56 . 2010-04-09 23:52 74121968 ----a-w- c:\temp\a2FreeSetup.exe
2010-04-09 09:22 . 2010-04-09 09:22 -------- d-----w- c:\documents and settings\Owner.emachine\Application Data\Malwarebytes
2010-04-09 09:21 . 2010-04-09 09:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-09 09:21 . 2010-04-25 15:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-08 22:55 . 2010-04-14 09:16 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-07 23:52 . 2010-04-11 15:48 -------- d-----w- c:\temp\ChrisColumbusReport
2010-04-07 23:21 . 2010-04-07 23:21 360 ----a-w- c:\temp\removevirus.reg
2010-04-07 08:44 . 2010-04-23 05:19 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-04-06 23:37 . 2010-04-27 18:28 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-05 21:13 . 2007-10-23 13:27 110592 ----a-w- c:\documents and settings\Owner.emachine\Application Data\U3\temp\cleanup.exe
2010-04-05 21:13 . 2008-05-02 14:41 3493888 ---ha-w- c:\documents and settings\Owner.emachine\Application Data\U3\temp\Launchpad Removal.exe
2010-04-05 21:01 . 2010-04-05 21:13 -------- d-----w- c:\documents and settings\Owner.emachine\Application Data\U3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-28 00:54 . 2009-12-30 02:31 266508 ----a-w- c:\windows\system32\drivers\APPFCONT.DAT.bck
2010-04-28 00:54 . 2009-12-30 02:31 266508 ----a-w- c:\windows\system32\drivers\APPFCONT.DAT
2010-04-28 00:54 . 2009-12-30 02:31 1132 ----a-w- c:\windows\system32\drivers\APPFLTR.CFG.bck
2010-04-28 00:54 . 2009-12-30 02:31 1132 ----a-w- c:\windows\system32\drivers\APPFLTR.CFG
2010-04-28 00:25 . 2006-06-17 09:23 4224 ----a-w- c:\windows\system32\drivers\rdpcdd.sys
2010-04-25 16:28 . 2010-01-27 23:40 -------- d-----w- c:\documents and settings\Owner.emachine\Application Data\Vso
2010-04-25 15:43 . 2007-02-17 02:49 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2010-04-20 10:32 . 2010-01-09 12:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-18 18:25 . 2009-07-19 14:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-18 16:57 . 2009-07-19 14:00 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-17 00:42 . 2009-12-30 03:08 -------- d-----w- c:\program files\QuickTime
2010-04-16 10:55 . 2006-08-01 00:29 -------- d-----w- c:\program files\Google
2010-04-15 22:42 . 2006-08-01 00:33 -------- d-----w- c:\program files\Digital Media Reader
2010-04-15 21:10 . 2007-06-23 00:54 -------- d-----w- c:\program files\iTunes
2010-04-13 07:25 . 2010-04-13 00:56 112 ----a-w- c:\documents and settings\All Users\Application Data\QOL0iswi.dat
2010-04-09 10:17 . 2008-03-20 12:26 -------- d-----w- c:\program files\Coupons
2010-04-08 23:14 . 2007-02-19 12:35 -------- d-----w- c:\documents and settings\Owner.emachine\Application Data\OpenOffice.org2
2010-04-05 23:27 . 2007-07-21 02:28 1526 ----a-w- c:\documents and settings\Owner.emachine\Application Data\wklnhst.dat
2010-03-17 00:57 . 2010-03-17 00:57 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-17 00:57 . 2006-08-01 00:34 -------- d-----w- c:\program files\Java
2010-03-17 00:56 . 2010-03-17 00:56 152576 ----a-w- c:\documents and settings\Owner.emachine\Application Data\Sun\Java\jre1.6.0_16\lzma.dll
2010-03-16 00:14 . 2010-04-09 09:59 203642 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
2010-03-14 04:40 . 2010-01-15 20:29 -------- d-----w- c:\program files\Sallys Salon
2010-03-14 04:39 . 2008-02-12 21:23 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-03-10 06:15 . 2006-06-17 09:23 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24 . 2006-06-17 09:23 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2006-06-17 09:23 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 14:08 . 2006-06-17 09:23 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-04 05:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2006-06-17 09:23 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2006-06-17 09:23 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2008-05-16 20:14 . 2008-05-16 20:14 774144 ----a-w- c:\program files\RngInterstitial.dll
2008-03-21 15:06 . 2008-03-21 15:06 0 ----a-w- c:\program files\temp01
.
c:\program files\Creative\Sync Manager Unicode\CTSyncU .exe
c:\program files\Digital Media Reader\readericon45G .exe
c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
c:\program files\HP\HP Software Update\HPWuSchd2 .exe
c:\program files\iTunes\iTunesHelper .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\Malwarebytes' Anti-Malware\mbam .exe
c:\program files\Maxtor\OneTouch\Utils\OneTouch .exe
c:\program files\Messenger\_msmsgs .exe
c:\program files\Microsoft Office\Office12\GrooveMonitor .exe
c:\program files\Panda Security\Panda Global Protection 2010\APVXDWIN .exe
c:\program files\Panda Security\Panda Global Protection 2010\Inicio .exe
c:\program files\SUPERAntiSpyware\SUPERAntiSpyware .exe
c:\program files\Yahoo!\Messenger\YahooMessenger  .exe
c:\windows\ehome\ehtray .exe
c:\windows\SMINST\RECGUARD .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger .exe -quiet" [X]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [N/A]
"DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [N/A]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\QTTask .exe -atboottime" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [N/A]
"RTHDCPL"="RTHDCPL.EXE" [2006-04-05 16120832]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [N/A]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [N/A]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
"APVXDWIN"="c:\program files\Panda Security\Panda Global Protection 2010\APVXDWIN.EXE" [2009-09-25 906496]
"SCANINICIO"="c:\program files\Panda Security\Panda Global Protection 2010\Inicio.exe" [2009-08-12 56064]

c:\documents and settings\Owner.emachine\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
2008-03-18 20:58 58672 ----a-w- c:\windows\system32\avldr.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PskSvcRetail]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\BitTorrent\\btdownloadgui.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

R0 pavboot;Panda boot driver;c:\windows\system32\drivers\pavboot.sys [12/29/2009 10:24 PM 28552]
R1 APPFLT;App Filter Plugin;c:\windows\system32\drivers\APPFLT.SYS [12/29/2009 10:31 PM 75016]
R1 DSAFLT;DSA Filter Plugin;c:\windows\system32\drivers\dsaflt.sys [12/29/2009 10:31 PM 53128]
R1 FNETMON;NetMon Filter Plugin;c:\windows\system32\drivers\fnetmon.sys [12/29/2009 10:31 PM 22072]
R1 IDSFLT;Ids Filter Plugin;c:\windows\system32\drivers\idsflt.sys [12/29/2009 10:31 PM 193800]
R1 NETFLTDI;Panda Net Driver [TDI Layer];c:\windows\system32\drivers\NETFLTDI.SYS [12/29/2009 10:31 PM 159112]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 66632]
R1 ShldDrv;Panda File Shield Driver;c:\windows\system32\drivers\ShlDrv51.sys [12/29/2009 10:22 PM 41144]
R1 WNMFLT;Wifi Monitor Filter Plugin;c:\windows\system32\drivers\wnmflt.sys [12/29/2009 10:31 PM 46728]
R2 a2free;a-squared Free Service;c:\program files\a-squared Free\a2service.exe [4/9/2010 8:04 PM 1858144]
R2 Gwmsrv;Panda Goodware Cache Manager;c:\windows\system32\svchost -k Panda --> c:\windows\system32\svchost -k Panda [?]
R2 PavProc;Panda Process Protection Driver;c:\windows\system32\drivers\PavProc.sys [12/29/2009 10:22 PM 163336]
R2 PskSvcRetail;Panda PSK service;c:\program files\Panda Security\Panda Global Protection 2010\psksvc.exe [12/29/2009 10:31 PM 28928]
R3 ComFiltr;Panda Anti-Dialer;c:\windows\system32\drivers\COMFiltr.sys [4/15/2010 7:05 AM 13880]
R3 NETIMFLT01060039;PANDA NDIS IM Filter Miniport v1.6.0.39;c:\windows\system32\drivers\neti1639.sys [12/29/2009 10:30 PM 199432]
R3 PavTPK.sys;PavTPK.sys;\??\c:\windows\system32\PavTPK.sys --> c:\windows\system32\PavTPK.sys [?]
S2 gupdate1ca4ffcd0de7ecc;Google Update Service (gupdate1ca4ffcd0de7ecc);c:\program files\Google\Update\GoogleUpdate.exe [10/18/2009 10:10 AM 133104]
S3 ndsdatamax;ndsdatamax;c:\windows\system32\drivers\ndsdatamax.sys [6/30/2008 5:55 PM 29184]
S3 RkPavproc1;RkPavproc1;\??\c:\windows\system32\drivers\RkPavproc1.sys --> c:\windows\system32\drivers\RkPavproc1.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]
S3 Steefer;Steefer;\??\c:\docume~1\OWNER~1.EMA\LOCALS~1\Temp\Steefer.sys --> c:\docume~1\OWNER~1.EMA\LOCALS~1\Temp\Steefer.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
panda REG_MULTI_SZ Gwmsrv
.
Contents of the 'Scheduled Tasks' folder

2010-04-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-04-23 c:\windows\Tasks\At75.job
- c:\program files\Panda Security\Panda Global Protection 2010\PAVJOBS.EXE [2009-12-30 16:51]

2010-04-16 c:\windows\Tasks\Basic clean-up.job
- c:\program files\Panda Security\Panda Global Protection 2010\PlaTasks.exe [2009-12-30 17:46]

2010-04-16 c:\windows\Tasks\Basic clean-up1.job
- c:\program files\Panda Security\Panda Global Protection 2010\PlaTasks.exe [2009-12-30 17:46]

2010-04-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-18 14:10]

2010-04-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-18 14:10]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://news.google.com/nwshp?hl=en&tab=wn
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
FF - ProfilePath - c:\documents and settings\Owner.emachine\Application Data\Mozilla\Firefox\Profiles\3yvuiun4.default\
FF - prefs.js: browser.startup.homepage - hxxp://news.google.com/
FF - plugin: c:\documents and settings\All Users\Application Data\RealArcade\npraclient.dll
FF - plugin: c:\documents and settings\All Users\Application Data\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
.
------- File Associations -------
.
JSEFile=c:\progra~1\PANDAS~1\PANDAG~1\PAVSCRIP.EXE "%1" %*
.
- - - - ORPHANS REMOVED - - - -

AddRemove-Bugdom! - I:\Remove.exe
AddRemove-Coupon Printer for Windows4.0 - c:\program files\Coupons\uninstall.exe
AddRemove-DVDFab Decrypter_is1 - c:\program files\DVDFab Decrypter 3\unins000.exe
AddRemove-Gateway Game Console - c:\program files\WildTangent\Apps\Gateway Game Console\Uninstall.exe
AddRemove-Scooby-Doo™, Activity Challenge™ - c:\program files\The Learning Company\Scooby-Doo™
AddRemove-Scooby-Doo™, Jinx At The Sphinx™ - c:\program files\The Learning Company\Scooby-Doo™
AddRemove-SearchLearnAdventures - c:\cwonders\MADTGD\CWRUN.EXE
AddRemove-Snap n Share - c:\program files\Snap n Share\uninstaller.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-27 21:12
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x84E84AC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf76a6f28
\Driver\ACPI -> ACPI.sys @ 0xf7499cb8
\Driver\atapi -> atapi.sys @ 0xf73f5852
IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Realtek RTL8139/810x Family Fast Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xf72aabd4
PacketIndicateHandler -> NDIS.sys @ 0xf72b6a21
SendHandler -> NDIS.sys @ 0xf72aad44
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(908)
c:\windows\system32\WININET.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\avldr.dll

- - - - - - - > 'lsass.exe'(968)
c:\windows\system32\WININET.dll
.
Completion time: 2010-04-27 21:21:26
ComboFix-quarantined-files.txt 2010-04-28 01:21

Pre-Run: 10,906,726,400 bytes free
Post-Run: 11,090,309,120 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - B08AD6244539959761DC961536908089


#6 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany

Posted 30 April 2010 - 11:47 AM

Hi,


1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

CODE
File::
c:\windows\system32\o.dat
c:\temp\removevirus.reg
c:\program files\temp01
c:\docume~1\OWNER~1.EMA\LOCALS~1\Temp\Steefer.sys
RenV::
c:\program files\Creative\Sync Manager Unicode\CTSyncU .exe
c:\program files\Digital Media Reader\readericon45G .exe
c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
c:\program files\HP\HP Software Update\HPWuSchd2 .exe
c:\program files\iTunes\iTunesHelper .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\Malwarebytes' Anti-Malware\mbam .exe
c:\program files\Maxtor\OneTouch\Utils\OneTouch .exe
c:\program files\Messenger\_msmsgs .exe
c:\program files\Microsoft Office\Office12\GrooveMonitor .exe
c:\program files\Panda Security\Panda Global Protection 2010\APVXDWIN .exe
c:\program files\Panda Security\Panda Global Protection 2010\Inicio .exe
c:\program files\SUPERAntiSpyware\SUPERAntiSpyware .exe
c:\program files\Yahoo!\Messenger\YahooMessenger  .exe
c:\windows\ehome\ehtray .exe
c:\windows\SMINST\RECGUARD .exe
Driver::
Steefer


Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Also please post back with a fresh Gmer logfile.

Regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.
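
The CFScript above was assembled by hand from three things visible in the first ComboFix log: executables whose names now carry a space before ".exe" (the list inside the CODE block, which the RenV:: section renames back), a driver service loading from the user's Temp directory (Steefer, deleted via File:: and Driver::), and Run-key values ComboFix marked [X] because the target they name was not found. The following Python script is an added example of doing that triage programmatically; it is not ComboFix's own code and not part of this thread. The line patterns it matches are assumptions drawn from the log lines posted above, the sample excerpts are constructed from those same lines, and the extra File:: entries (o.dat and friends) are passed in as analyst-chosen paths because nothing in the log text alone identifies them. It also reports the Security Center overrides and the disabled XP firewall that the log shows, and the same checks rerun on the post-run log show what is still left (the two Panda executables and the Yahoo!/QuickTime Run entries).

```python
# Added example: triage a ComboFix log excerpt and emit a CFScript.  Not ComboFix's
# own code; the line patterns below are assumptions drawn from the logs posted above.
import re

# Constructed excerpt: lines copied from the first ComboFix log in this thread.
LOG_BEFORE = r"""
c:\program files\Creative\Sync Manager Unicode\CTSyncU .exe
c:\program files\Yahoo!\Messenger\YahooMessenger  .exe
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger .exe -quiet" [X]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [N/A]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"EnableFirewall"= 0 (0x0)
R3 PavTPK.sys;PavTPK.sys;\??\c:\windows\system32\PavTPK.sys --> c:\windows\system32\PavTPK.sys [?]
S3 Steefer;Steefer;\??\c:\docume~1\OWNER~1.EMA\LOCALS~1\Temp\Steefer.sys --> c:\docume~1\OWNER~1.EMA\LOCALS~1\Temp\Steefer.sys [?]
"""

# Constructed excerpt: lines copied from the log posted after the CFScript ran.
LOG_AFTER = r"""
c:\program files\Panda Security\Panda Global Protection 2010\APVXDWIN .exe
c:\program files\Panda Security\Panda Global Protection 2010\Inicio .exe
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger .exe -quiet" [X]
"QuickTime Task"="c:\program files\QuickTime\QTTask .exe -atboottime" [X]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]
"""

RENAMED_RE = re.compile(r"^[a-z]:\\.+?\s+\.exe$", re.IGNORECASE)  # whitespace before .exe
BROKEN_RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)" \[X\]$')  # ComboFix's [X] mark
# Service line: state, name;display name;image path, then " --> " or " [date size]".
SERVICE_RE = re.compile(r"^[RS][0-4] (?P<svc>[^;]+);[^;]*;(?P<img>.+?)(?: --> | \[|$)")
NT_PREFIX = "\\??\\"  # object-manager prefix ComboFix keeps on some image paths


def renamed_executables(log):
    """Paths to list under RenV:: so ComboFix restores the original names."""
    return [ln.rstrip() for ln in log.splitlines() if RENAMED_RE.match(ln.rstrip())]


def broken_run_entries(log):
    """(value name, command) pairs for Run entries ComboFix marked [X]."""
    found = []
    for ln in log.splitlines():
        m = BROKEN_RUN_RE.match(ln.rstrip())
        if m:
            found.append((m.group("name"), m.group("cmd")))
    return found


def temp_drivers(log):
    """(service name, image path) for drivers/services whose image lives in a Temp dir."""
    found = []
    for ln in log.splitlines():
        m = SERVICE_RE.match(ln)
        if not m:
            continue
        img = m.group("img")
        if img.startswith(NT_PREFIX):
            img = img[len(NT_PREFIX):]
        if "\\temp\\" in img.lower():
            found.append((m.group("svc"), img))
    return found


def security_posture(log):
    """Security Center overrides and XP firewall state, as printed by ComboFix."""
    flags = {}
    for ln in log.splitlines():
        if ln.startswith('"EnableFirewall"='):
            flags["windows_firewall_disabled"] = ln.split("=", 1)[1].strip().startswith("0")
        elif ln.startswith('"AntiVirusOverride"=dword:'):
            flags["av_alert_suppressed"] = ln.endswith("1")
        elif ln.startswith('"FirewallOverride"=dword:'):
            flags["firewall_alert_suppressed"] = ln.endswith("1")
    return flags


def build_cfscript(log, extra_files=()):
    """Assemble File:: / RenV:: / Driver:: sections in the order the helper used.
    extra_files are paths the analyst picked by hand (o.dat, temp01, ...)."""
    drivers = temp_drivers(log)
    sections = [
        ("File::", list(extra_files) + [img for _, img in drivers]),
        ("RenV::", renamed_executables(log)),
        ("Driver::", [svc for svc, _ in drivers]),
    ]
    out = []
    for header, items in sections:
        if items:  # ComboFix sections are only emitted when they have entries
            out.append(header)
            out.extend(items)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(build_cfscript(LOG_BEFORE, extra_files=[r"c:\windows\system32\o.dat"]))
    print("posture:", security_posture(LOG_BEFORE))
    print("still renamed:", renamed_executables(LOG_AFTER))
    print("still broken:", [n for n, _ in broken_run_entries(LOG_AFTER)])
```

Run on the second log it confirms that the Steefer driver is gone but that two Panda executables still carry the space and that the Yahoo! Pager and QuickTime Task Run values still point at renamed names, which is exactly the kind of residue a follow-up CFScript would need to target.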

#7 jcastro

jcastro
  • Topic Starter
  • Members
  • 5 posts

Posted 03 May 2010 - 05:50 AM

OK Tom,

I did as you instructed. The resulting ComboFix log follows. I was again unable to obtain a full GMER log, as a full scan crashes my system. Are there any options I can uncheck that may help me get a full scan?

Thanks much,
Jcastro

The ComboFix log and GMER's rootkit quick-scan log follow:

ComboFix 10-04-26.05 - Owner 04/30/2010 20:42:14.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.482 [GMT -4:00]
Running from: c:\documents and settings\Owner.emachine\Desktop\schlauber.exe
Command switches used :: c:\documents and settings\Owner.emachine\Desktop\CFScript.txt
AV: Panda Global Protection 2010 *On-access scanning disabled* (Updated) {8BF935E7-731F-4115-B7A5-789FF5087595}
FW: Panda Personal Firewall 2010 *disabled* {7B090DC0-8905-4BAF-8040-FD98A41C8FB8}

FILE ::
"c:\docume~1\OWNER~1.EMA\LOCALS~1\Temp\Steefer.sys"
"c:\program files\temp01"
"c:\temp\removevirus.reg"
"c:\windows\system32\o.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\temp01
c:\temp\removevirus.reg
c:\windows\system32\o.dat

Infected copy of c:\windows\system32\drivers\rdpcdd.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_STEEFER
-------\Service_Steefer


((((((((((((((((((((((((( Files Created from 2010-04-01 to 2010-05-01 )))))))))))))))))))))))))))))))
.

2010-04-30 21:58 . 2010-04-30 21:58 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple
2010-04-28 00:10 . 2010-04-28 00:11 -------- d-----w- C:\schauber
2010-04-27 04:19 . 2010-04-27 04:19 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
2010-04-27 04:19 . 2010-04-27 04:19 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-04-25 19:14 . 2010-05-01 00:26 -------- d-----w- c:\temp\computerfix
2010-04-25 16:27 . 2010-04-25 16:28 -------- d-----w- c:\program files\DVDFab 7
2010-04-23 05:19 . 2010-04-23 05:19 -------- d-----w- c:\documents and settings\LocalService\Application Data\AdobeUM
2010-04-22 22:08 . 2010-04-22 22:08 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-04-19 22:03 . 2010-04-22 22:16 -------- dc----w- c:\windows\system32\DRVSTORE
2010-04-19 21:45 . 2010-04-22 22:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-04-19 21:45 . 2010-04-22 22:15 -------- d-----w- c:\program files\Lavasoft
2010-04-19 01:46 . 2010-04-19 01:46 -------- d-----w- c:\program files\TrendMicro
2010-04-18 20:07 . 2010-04-18 20:07 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
2010-04-18 20:03 . 2010-04-18 20:03 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-04-16 23:13 . 2010-04-16 23:13 -------- d-----w- c:\program files\CCleaner
2010-04-16 23:12 . 2010-04-16 23:12 -------- d-----w- c:\documents and settings\All Users\Application Data\ReviverSoft
2010-04-16 10:52 . 2010-04-16 10:52 262 ----a-w- c:\windows\system32\PavCPL.dat
2010-04-15 11:05 . 2010-05-01 01:05 13880 ----a-w- c:\windows\system32\drivers\COMFiltr.sys
2010-04-15 10:57 . 2010-04-15 10:57 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-15 00:51 . 2010-04-15 00:51 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-04-14 23:42 . 2010-04-14 23:42 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Panda Security
2010-04-14 23:40 . 2010-04-14 23:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-04-14 22:22 . 2010-04-14 22:22 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-04-14 22:20 . 2010-04-14 22:20 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-04-14 09:17 . 2010-04-14 09:17 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-04-13 01:26 . 2010-04-13 01:26 -------- d-----w- c:\program files\Windows Installer Clean Up
2010-04-13 01:26 . 2010-04-13 01:26 -------- d-----w- c:\program files\MSECACHE
2010-04-12 21:58 . 2010-04-12 21:58 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-04-12 21:58 . 2010-05-01 00:41 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-12 21:57 . 2010-04-12 21:58 -------- d-----w- c:\documents and settings\Owner.emachine\Application Data\SUPERAntiSpyware.com
2010-04-12 21:56 . 2010-04-12 21:56 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-10 00:43 . 2010-04-10 00:45 -------- dc-h--w- c:\windows\ie8
2010-04-10 00:04 . 2010-04-10 00:12 -------- d-----w- c:\program files\a-squared Free
2010-04-09 23:56 . 2010-04-09 23:52 74121968 ----a-w- c:\temp\a2FreeSetup.exe
2010-04-09 09:22 . 2010-04-09 09:22 -------- d-----w- c:\documents and settings\Owner.emachine\Application Data\Malwarebytes
2010-04-09 09:21 . 2010-04-09 09:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-09 09:21 . 2010-05-01 00:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-08 22:55 . 2010-04-14 09:16 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-07 23:52 . 2010-04-11 15:48 -------- d-----w- c:\temp\ChrisColumbusReport
2010-04-07 08:44 . 2010-04-23 05:19 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-04-06 23:37 . 2010-04-29 11:04 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-05 21:01 . 2010-04-05 21:13 -------- d-----w- c:\documents and settings\Owner.emachine\Application Data\U3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-01 01:08 . 2009-12-30 02:31 264336 ----a-w- c:\windows\system32\drivers\APPFCONT.DAT.bck
2010-05-01 01:08 . 2009-12-30 02:31 264336 ----a-w- c:\windows\system32\drivers\APPFCONT.DAT
2010-05-01 01:08 . 2009-12-30 02:31 1132 ----a-w- c:\windows\system32\drivers\APPFLTR.CFG.bck
2010-05-01 01:08 . 2009-12-30 02:31 1132 ----a-w- c:\windows\system32\drivers\APPFLTR.CFG
2010-05-01 00:41 . 2007-06-23 00:54 -------- d-----w- c:\program files\iTunes
2010-05-01 00:41 . 2006-08-01 00:33 -------- d-----w- c:\program files\Digital Media Reader
2010-05-01 00:33 . 2006-06-17 09:23 4224 ----a-w- c:\windows\system32\drivers\rdpcdd.sys
2010-04-28 23:45 . 2007-02-17 02:49 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2010-04-25 16:28 . 2010-01-27 23:40 -------- d-----w- c:\documents and settings\Owner.emachine\Application Data\Vso
2010-04-20 10:32 . 2010-01-09 12:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-18 18:25 . 2009-07-19 14:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-18 16:57 . 2009-07-19 14:00 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-17 00:42 . 2009-12-30 03:08 -------- d-----w- c:\program files\QuickTime
2010-04-16 10:55 . 2006-08-01 00:29 -------- d-----w- c:\program files\Google
2010-04-13 07:25 . 2010-04-13 00:56 112 ----a-w- c:\documents and settings\All Users\Application Data\QOL0iswi.dat
2010-04-09 10:17 . 2008-03-20 12:26 -------- d-----w- c:\program files\Coupons
2010-04-08 23:14 . 2007-02-19 12:35 -------- d-----w- c:\documents and settings\Owner.emachine\Application Data\OpenOffice.org2
2010-04-05 23:27 . 2007-07-21 02:28 1526 ----a-w- c:\documents and settings\Owner.emachine\Application Data\wklnhst.dat
2010-03-17 00:57 . 2010-03-17 00:57 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-17 00:57 . 2006-08-01 00:34 -------- d-----w- c:\program files\Java
2010-03-16 00:14 . 2010-04-09 09:59 203642 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
2010-03-14 04:40 . 2010-01-15 20:29 -------- d-----w- c:\program files\Sallys Salon
2010-03-14 04:39 . 2008-02-12 21:23 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-03-10 06:15 . 2006-06-17 09:23 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24 . 2006-06-17 09:23 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2006-06-17 09:23 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 14:08 . 2006-06-17 09:23 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-04 05:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2006-06-17 09:23 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2006-06-17 09:23 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2008-05-16 20:14 . 2008-05-16 20:14 774144 ----a-w- c:\program files\RngInterstitial.dll
.
CODE
<pre>
c:\program files\Panda Security\Panda Global Protection 2010\APVXDWIN .exe
c:\program files\Panda Security\Panda Global Protection 2010\Inicio .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger .exe -quiet" [X]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-10 68856]
"DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [N/A]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\QTTask .exe -atboottime" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"RTHDCPL"="RTHDCPL.EXE" [2006-04-05 16120832]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [N/A]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
"APVXDWIN"="c:\program files\Panda Security\Panda Global Protection 2010\APVXDWIN.EXE" [2009-09-25 906496]
"SCANINICIO"="c:\program files\Panda Security\Panda Global Protection 2010\Inicio.exe" [2009-08-12 56064]

c:\documents and settings\Owner.emachine\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
2008-03-18 20:58 58672 ----a-w- c:\windows\system32\avldr.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PskSvcRetail]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\BitTorrent\\btdownloadgui.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

R0 pavboot;Panda boot driver;c:\windows\system32\drivers\pavboot.sys [12/29/2009 10:24 PM 28552]
R1 APPFLT;App Filter Plugin;c:\windows\system32\drivers\APPFLT.SYS [12/29/2009 10:31 PM 75016]
R1 DSAFLT;DSA Filter Plugin;c:\windows\system32\drivers\dsaflt.sys [12/29/2009 10:31 PM 53128]
R1 FNETMON;NetMon Filter Plugin;c:\windows\system32\drivers\fnetmon.sys [12/29/2009 10:31 PM 22072]
R1 IDSFLT;Ids Filter Plugin;c:\windows\system32\drivers\idsflt.sys [12/29/2009 10:31 PM 193800]
R1 NETFLTDI;Panda Net Driver [TDI Layer];c:\windows\system32\drivers\NETFLTDI.SYS [12/29/2009 10:31 PM 159112]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 66632]
R1 ShldDrv;Panda File Shield Driver;c:\windows\system32\drivers\ShlDrv51.sys [12/29/2009 10:22 PM 41144]
R1 WNMFLT;Wifi Monitor Filter Plugin;c:\windows\system32\drivers\wnmflt.sys [12/29/2009 10:31 PM 46728]
R2 a2free;a-squared Free Service;c:\program files\a-squared Free\a2service.exe [4/9/2010 8:04 PM 1858144]
R2 Gwmsrv;Panda Goodware Cache Manager;c:\windows\system32\svchost -k Panda --> c:\windows\system32\svchost -k Panda [?]
R2 PavProc;Panda Process Protection Driver;c:\windows\system32\drivers\PavProc.sys [12/29/2009 10:22 PM 163336]
R2 PskSvcRetail;Panda PSK service;c:\program files\Panda Security\Panda Global Protection 2010\psksvc.exe [12/29/2009 10:31 PM 28928]
R3 ComFiltr;Panda Anti-Dialer;c:\windows\system32\drivers\COMFiltr.sys [4/15/2010 7:05 AM 13880]
R3 NETIMFLT01060039;PANDA NDIS IM Filter Miniport v1.6.0.39;c:\windows\system32\drivers\neti1639.sys [12/29/2009 10:30 PM 199432]
R3 PavTPK.sys;PavTPK.sys;\??\c:\windows\system32\PavTPK.sys --> c:\windows\system32\PavTPK.sys [?]
S2 gupdate1ca4ffcd0de7ecc;Google Update Service (gupdate1ca4ffcd0de7ecc);c:\program files\Google\Update\GoogleUpdate.exe [10/18/2009 10:10 AM 133104]
S3 ndsdatamax;ndsdatamax;c:\windows\system32\drivers\ndsdatamax.sys [6/30/2008 5:55 PM 29184]
S3 RkPavproc1;RkPavproc1;\??\c:\windows\system32\drivers\RkPavproc1.sys --> c:\windows\system32\drivers\RkPavproc1.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
panda REG_MULTI_SZ Gwmsrv
.
Contents of the 'Scheduled Tasks' folder

2010-04-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-04-30 c:\windows\Tasks\At1.job
- c:\program files\Panda Security\Panda Global Protection 2010\PAVJOBS.EXE [2009-12-30 16:51]

2010-04-28 c:\windows\Tasks\Basic clean-up.job
- c:\program files\Panda Security\Panda Global Protection 2010\PlaTasks.exe [2009-12-30 17:46]

2010-04-16 c:\windows\Tasks\Basic clean-up1.job
- c:\program files\Panda Security\Panda Global Protection 2010\PlaTasks.exe [2009-12-30 17:46]

2010-05-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-18 14:10]

2010-04-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-18 14:10]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://news.google.com/nwshp?hl=en&tab=wn
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
FF - ProfilePath - c:\documents and settings\Owner.emachine\Application Data\Mozilla\Firefox\Profiles\3yvuiun4.default\
FF - prefs.js: browser.startup.homepage - hxxp://news.google.com/
FF - plugin: c:\documents and settings\All Users\Application Data\RealArcade\npraclient.dll
FF - plugin: c:\documents and settings\All Users\Application Data\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-30 21:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x84E7AAC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf76c4f28
\Driver\ACPI -> ACPI.sys @ 0xf74b7cb8
\Driver\atapi -> atapi.sys @ 0xf7413852
IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Realtek RTL8139/810x Family Fast Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xf72c8bd4
PacketIndicateHandler -> NDIS.sys @ 0xf72d4a21
SendHandler -> NDIS.sys @ 0xf72c8d44
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(912)
c:\windows\system32\WININET.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\avldr.dll

- - - - - - - > 'lsass.exe'(972)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(416)
c:\windows\system32\WININET.dll
c:\program files\Panda Security\Panda Global Protection 2010\pavoepl.dll
c:\program files\Microsoft Office\Office12\GrooveShellExtensions.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\SUPERAntiSpyware\SASSEH.DLL
c:\program files\Panda Security\Panda Global Protection 2010\PavOLE.dll
c:\progra~1\Creative\SHARED~1\CtCmeCtx.dll
c:\program files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
c:\program files\Spybot - Search & Destroy\SDHelper.dll
c:\program files\Haali\MatroskaSplitter\mmfinfo.dll
c:\program files\Haali\MatroskaSplitter\mkunicode.dll
c:\program files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
c:\program files\Microsoft Office\Office12\1033\GrooveIntlResource.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Panda Security\Panda Global Protection 2010\TPSrv.exe
c:\program files\PANDA SECURITY\PANDA GLOBAL PROTECTION 2010\WebProxy.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\CTsvcCDA.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Panda Security\Panda Global Protection 2010\PsCtrls.exe
c:\program files\Panda Security\Panda Global Protection 2010\PavFnSvr.exe
c:\program files\Common Files\Panda Security\PavShld\pavprsrv.exe
c:\program files\Panda Security\Panda Global Protection 2010\pavsrv51.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Panda Security\Panda Global Protection 2010\AVENGINE.EXE
c:\program files\panda security\panda global protection 2010\firewall\PSHOST.EXE
c:\program files\Panda Security\Panda Global Protection 2010\psimsvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\RTHDCPL.EXE
c:\windows\eHome\ehmsas.exe
c:\program files\Panda Security\Panda Global Protection 2010\SRVLOAD.EXE
c:\program files\Panda Security\Panda Global Protection 2010\PavBckPT.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
.
**************************************************************************
.
Completion time: 2010-04-30 21:25:48 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-01 01:25
ComboFix2.txt 2010-04-28 01:21

Pre-Run: 10,920,402,944 bytes free
Post-Run: 11,018,305,536 bytes free

- - End Of File - - 1691D5CF554B99354437814BFE23A814

Rootkit quick scan GMER log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-05-03 06:16:36
Windows 5.1.2600 Service Pack 3
Running: gme_jay_r.exe; Driver: C:\DOCUME~1\OWNER~1.EMA\LOCALS~1\Temp\fxlyapob.sys


---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs ShlDrv51.sys (PandaShield driver/Panda Security, S.L.)

AttachedDevice \FileSystem\Ntfs \Ntfs pavboot.sys (Panda Boot Driver/Panda Security, S.L.)
AttachedDevice \FileSystem\Ntfs \Ntfs pavdrv51.sys (Antivirus Filter Driver for Windows XP/2003 x86/Panda Security, S.L.)

Device \FileSystem\Fastfat \Fat ShlDrv51.sys (PandaShield driver/Panda Security, S.L.)

AttachedDevice \FileSystem\Fastfat \Fat pavdrv51.sys (Antivirus Filter Driver for Windows XP/2003 x86/Panda Security, S.L.)
AttachedDevice \Driver\Tcpip \Device\Ip NETFLTDI.SYS (Panda TDI Filter/Panda Security, S.L.)
AttachedDevice \Driver\Tcpip \Device\Tcp NETFLTDI.SYS (Panda TDI Filter/Panda Security, S.L.)
AttachedDevice \Driver\Tcpip \Device\Udp NETFLTDI.SYS (Panda TDI Filter/Panda Security, S.L.)
AttachedDevice \Driver\Tcpip \Device\RawIp NETFLTDI.SYS (Panda TDI Filter/Panda Security, S.L.)

Device -> \Driver\atapi \Device\Harddisk0\DR0 84E63AC8

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


#8 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany
  • Local time:12:57 AM

Posted 04 May 2010 - 11:54 AM

Hi,

You must first verify that you can logon to the Windows Recovery Console.
To do so, you must have the Recovery Console installed or use the Windows XP installation cd.

How to install and use the Windows XP Recovery Console


Next, please download maxlook, saving the file to your desktop.
Double click maxlook.exe to run it. Note - you must run it only once!
As instructed when the tool runs, restart the computer and logon to the Recovery Console.
Execute the following bolded command at the x:\windows> prompt <--- the red x represents your operating system drive letter, usually C

batch look.bat

You will see many files copied then return to the x:\windows> prompt.
Type Exit then restart your computer and logon in normal mode.
Please run maxlook.exe again now. Note - you must run it only once!
It will produce looklog.txt on the desktop and open it.
Please post the results here.

NEXT:

Once back in Windows, go to Start > Run, and copy/paste the following then press Enter.

maxlook -sig


Post the log in your next reply
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#9 jcastro

jcastro
  • Topic Starter

  • Members
  • 5 posts
  • Local time:07:57 PM

Posted 05 May 2010 - 06:08 AM

OK, here is log 1:

Run from C:\Documents and Settings\Owner.emachine\Desktop\FiXFIX\maxlook.exe on Tue 05/04/2010 at 21:40:34.12

No infected file found




And log 2:

Run from C:\Documents and Settings\Owner.emachine\Desktop\FiXFIX\maxlook.exe on Tue 05/04/2010 at 21:43:28.42

--------- maxlook unsigned files ---------

c:\windows\maxdriver\asctrm.sys:
    Verified:    Unsigned
    File date:    8:41 PM 7/31/2006
    Publisher:    Windows (R) 2000 DDK provider
    Description:    TR Manager
    Product:    Windows (R) 2000 DDK driver
    Version:    5.00.2195.1
    File version:    5.00.2195.1
c:\windows\maxdriver\cdr4_xp.sys:
    Verified:    Unsigned
    File date:    3:00 AM 8/19/2005
    Publisher:    Sonic Solutions
    Description:    CDR4 CD and DVD Place Holder Driver (see PxHelp)
    Product:    Drag-to-Disc
    Version:    8.0.0.212
    File version:    8.0.0.212
c:\windows\maxdriver\cdralw2k.sys:
    Verified:    Unsigned
    File date:    3:00 AM 8/19/2005
    Publisher:    Sonic Solutions
    Description:    CDRAL Place Holder Driver (see PxHelp)
    Product:    Drag-to-Disc
    Version:    8.0.0.212
    File version:    8.0.0.212
c:\windows\maxdriver\jl2005c.sys:
    Verified:    Unsigned
    File date:    5:01 PM 5/25/2009
    Publisher:    Windows (R) 2000 DDK provider
    Description:    Universal Serial Bus Camera Driver
    Product:    Windows (R) 2000 DDK driver
    Version:    5.00.2195.1
    File version:    5.00.2195.1
c:\windows\maxdriver\mhndrv.sys:
    Verified:    Unsigned
    File date:    1:45 PM 8/10/2004
    Publisher:    Microsoft Corporation
    Description:    Microsoft Multimedia Home Network (MHN) Support Driver
    Product:    Microsoft® Windows® Operating System
    Version:    5.1.2600.2180
    File version:    5.1.2600.2180 (private/xpsp_mce.040810-0205)
c:\windows\maxdriver\ndsdatamax.sys:
    Verified:    Unsigned
    File date:    8:45 AM 2/8/2007
    Publisher:    Thesycon GmbH, Germany
    Description:    USBIO Driver
    Product:    Universal USB Device Driver
    Version:    2.40
    File version:    2.40.0.1315
c:\windows\maxdriver\Pclepci.sys:
    Verified:    Unsigned
    File date:    3:37 PM 8/7/2001
    Publisher:    Pinnacle Systems GmbH
    Description:    PCLEPCI
    Product:    PCLEPCI
    Version:    1.05
    File version:    1.05
c:\windows\maxdriver\pcouffin.sys:
    Verified:    Unsigned
    File date:    7:40 PM 1/27/2010
    Publisher:    VSO Software
    Description:    low level access layer for CD/DVD/BD devices
    Product:    Patin couffin engine
    Version:    1.37
    File version:    1.37
c:\windows\maxdriver\pxhelp20.sys:
    Verified:    Unsigned
    File date:    3:00 AM 8/19/2005
    Publisher:    Sonic Solutions
    Description:    Px Engine Device Driver for Windows 2000/XP
    Product:    PxHelp20
    Version:    n/a
    File version:    3.00.09a
c:\windows\maxdriver\rdpcdd.sys:
    Verified:    Unsigned
    File date:    5:47 PM 5/4/2010
    Publisher:    n/a
    Description:    n/a
    Product:    n/a
    Version:    n/a
    File version:    n/a
c:\windows\maxdriver\StMp3Rec.sys:
    Verified:    Unsigned
    File date:    9:32 PM 12/18/2004
    Publisher:    Generic
    Description:    Generic MP3 Player USB Driver
    Product:    Generic MP3 Player
    Version:    139, 0, 551, 1
    File version:    1, 551, 0, 139
c:\windows\maxdriver\vulfnth.sys:
    Verified:    Unsigned
    File date:    6:02 AM 1/5/2005
    Publisher:    VIA Technologies, Inc.
    Description:    VIA USB Host Controller Lower Filter Driver
    Product:    VIA USB Host Controller Lower Filter Driver
    Version:    2.60
    File version:    2.60
c:\windows\maxdriver\vulfntr.sys:
    Verified:    Unsigned
    File date:    5:51 AM 6/6/2005
    Publisher:    VIA Technologies, Inc.
    Description:    VIA USB Roothub Lower Filter Driver
    Product:    VIA USB Roothub Lower Filter Driver
    Version:    2.64
    File version:    2.64

--------- system32\drivers unsigned files ---------

c:\windows\system32\drivers\asctrm.sys:
    Verified:    Unsigned
    File date:    8:41 PM 7/31/2006
    Publisher:    Windows (R) 2000 DDK provider
    Description:    TR Manager
    Product:    Windows (R) 2000 DDK driver
    Version:    5.00.2195.1
    File version:    5.00.2195.1
c:\windows\system32\drivers\cdr4_xp.sys:
    Verified:    Unsigned
    File date:    3:00 AM 8/19/2005
    Publisher:    Sonic Solutions
    Description:    CDR4 CD and DVD Place Holder Driver (see PxHelp)
    Product:    Drag-to-Disc
    Version:    8.0.0.212
    File version:    8.0.0.212
c:\windows\system32\drivers\cdralw2k.sys:
    Verified:    Unsigned
    File date:    3:00 AM 8/19/2005
    Publisher:    Sonic Solutions
    Description:    CDRAL Place Holder Driver (see PxHelp)
    Product:    Drag-to-Disc
    Version:    8.0.0.212
    File version:    8.0.0.212
c:\windows\system32\drivers\jl2005c.sys:
    Verified:    Unsigned
    File date:    5:01 PM 5/25/2009
    Publisher:    Windows (R) 2000 DDK provider
    Description:    Universal Serial Bus Camera Driver
    Product:    Windows (R) 2000 DDK driver
    Version:    5.00.2195.1
    File version:    5.00.2195.1
c:\windows\system32\drivers\mhndrv.sys:
    Verified:    Unsigned
    File date:    1:45 PM 8/10/2004
    Publisher:    Microsoft Corporation
    Description:    Microsoft Multimedia Home Network (MHN) Support Driver
    Product:    Microsoft® Windows® Operating System
    Version:    5.1.2600.2180
    File version:    5.1.2600.2180 (private/xpsp_mce.040810-0205)
c:\windows\system32\drivers\ndsdatamax.sys:
    Verified:    Unsigned
    File date:    8:45 AM 2/8/2007
    Publisher:    Thesycon GmbH, Germany
    Description:    USBIO Driver
    Product:    Universal USB Device Driver
    Version:    2.40
    File version:    2.40.0.1315
c:\windows\system32\drivers\Pclepci.sys:
    Verified:    Unsigned
    File date:    3:37 PM 8/7/2001
    Publisher:    Pinnacle Systems GmbH
    Description:    PCLEPCI
    Product:    PCLEPCI
    Version:    1.05
    File version:    1.05
c:\windows\system32\drivers\pcouffin.sys:
    Verified:    Unsigned
    File date:    7:40 PM 1/27/2010
    Publisher:    VSO Software
    Description:    low level access layer for CD/DVD/BD devices
    Product:    Patin couffin engine
    Version:    1.37
    File version:    1.37
c:\windows\system32\drivers\pxhelp20.sys:
    Verified:    Unsigned
    File date:    3:00 AM 8/19/2005
    Publisher:    Sonic Solutions
    Description:    Px Engine Device Driver for Windows 2000/XP
    Product:    PxHelp20
    Version:    n/a
    File version:    3.00.09a
c:\windows\system32\drivers\StMp3Rec.sys:
    Verified:    Unsigned
    File date:    9:32 PM 12/18/2004
    Publisher:    Generic
    Description:    Generic MP3 Player USB Driver
    Product:    Generic MP3 Player
    Version:    139, 0, 551, 1
    File version:    1, 551, 0, 139
c:\windows\system32\drivers\vulfnth.sys:
    Verified:    Unsigned
    File date:    6:02 AM 1/5/2005
    Publisher:    VIA Technologies, Inc.
    Description:    VIA USB Host Controller Lower Filter Driver
    Product:    VIA USB Host Controller Lower Filter Driver
    Version:    2.60
    File version:    2.60
c:\windows\system32\drivers\vulfntr.sys:
    Verified:    Unsigned
    File date:    5:51 AM 6/6/2005
    Publisher:    VIA Technologies, Inc.
    Description:    VIA USB Roothub Lower Filter Driver
    Product:    VIA USB Roothub Lower Filter Driver
    Version:    2.64
    File version:    2.64



thanks,
JCastro
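The maxlook -sig step requested above produces the fixed-layout report posted here: a section banner, an unindented path line ending in a colon, then indented "Key:    value" lines. The Python below is an added example, not part of this thread or of the maxlook tool itself: it parses a constructed excerpt in that layout, flags records whose version metadata is entirely n/a or whose file date falls within a month of the scan time taken from the "Run from" header, and lists file names that appear in one directory section but not the other.

```python
# Parse a 'maxlook -sig' unsigned-files report (added example, not maxlook's own code).
import re
from dataclasses import dataclass, field
from datetime import datetime
# Constructed excerpt in the layout of the log posted above, shortened to three records.
SAMPLE_LOG = r"""Run from C:\FiXFIX\maxlook.exe on Tue 05/04/2010 at 21:43:28.42

--------- maxlook unsigned files ---------

c:\windows\maxdriver\mhndrv.sys:
    File date:    1:45 PM 8/10/2004
    Publisher:    Microsoft Corporation
    Version:    5.1.2600.2180
c:\windows\maxdriver\rdpcdd.sys:
    File date:    5:47 PM 5/4/2010
    Publisher:    n/a
    Description:    n/a
    Product:    n/a
    Version:    n/a
    File version:    n/a

--------- system32\drivers unsigned files ---------

c:\windows\system32\drivers\mhndrv.sys:
    File date:    1:45 PM 8/10/2004
    Publisher:    Microsoft Corporation
"""

SECTION_RE = re.compile(r"^-+ (.+?) unsigned files -+$")
PATH_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?):$")   # unindented path ending in ':'
FIELD_RE = re.compile(r"^\s+(?P<key>[A-Za-z ]+):\s+(?P<value>.*)$")
RUN_RE = re.compile(r" on \w{3} (\d{2}/\d{2}/\d{4}) at (\d{2}:\d{2}:\d{2})")
META_KEYS = ("Publisher", "Description", "Product", "Version", "File version")

@dataclass
class Record:
    section: str
    path: str
    name: str                      # lower-cased file name, for cross-section matching
    fields: dict = field(default_factory=dict)

def parse_maxlook(text):
    """One Record per 'path:' block, tagged with the section banner above it."""
    records, section, current = [], None, None
    for line in text.splitlines():
        if m := SECTION_RE.match(line):
            section, current = m.group(1), None
        elif m := PATH_RE.match(line):
            p = m.group("path")
            current = Record(section, p, p.rsplit("\\", 1)[-1].lower())
            records.append(current)
        elif (m := FIELD_RE.match(line)) and current is not None:
            current.fields[m.group("key").strip()] = m.group("value").strip()
    return records

def parse_run_time(text):
    """Scan timestamp from the 'Run from ... on DDD MM/DD/YYYY at HH:MM:SS' header."""
    return datetime.strptime(" ".join(RUN_RE.search(text).groups()), "%m/%d/%Y %H:%M:%S")

def flag_records(records, scan_time, recent_days=30):
    """Reasons to look closer: every metadata field n/a, or a file date near the scan."""
    findings = []
    for r in records:
        reasons = []
        if all(r.fields.get(k, "n/a") == "n/a" for k in META_KEYS):
            reasons.append("no version metadata at all")
        stamp = datetime.strptime(r.fields["File date"], "%I:%M %p %m/%d/%Y")
        if abs((scan_time - stamp).days) <= recent_days:
            reasons.append("file date within %d days of the scan" % recent_days)
        if reasons:
            findings.append((r.section, r.name, reasons))
    return findings

def section_diff(records):
    """Per section: file names present in some other section but not in this one."""
    by_section = {}
    for r in records:
        by_section.setdefault(r.section, set()).add(r.name)
    everything = set().union(*by_section.values()) if by_section else set()
    return {sec: sorted(everything - names) for sec, names in by_section.items()}
```

Run against the full log, the same functions show which copies in c:\windows\maxdriver have no counterpart in the live system32\drivers listing, which is the question the next reply chases with SystemLook.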

#10 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany
  • Local time:12:57 AM

Posted 06 May 2010 - 01:49 PM

Hi,



Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    rdpcdd*

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
regards,
schrauber


#11 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany
  • Local time:12:57 AM

Posted 09 May 2010 - 11:20 PM

Due to the lack of feedback, this topic is now closed.
If you need this topic reopened, please PM a staff member and we will reopen it for you (include the address of this thread in your request). This applies to the original topic starter only. Everyone else with similar problems, please start a new topic.
regards,
schrauber
