
Rootkit or Spam Mailer - Help!?


  • This topic is locked
16 replies to this topic

#1 thm22


Posted 23 April 2010 - 08:42 PM

Hi,

My PC started to behave oddly: Internet connection dropping, sluggish keyboard and mouse action, bluescreens, etc.
I scanned with Malwarebytes and found a few problems, one of them a trojan, which I removed.
Then I increased the logging on McAfee and I see these attempts to send e-mail to random SMTP servers.

It looks/feels like a spam mailer or rootkit.

Here are some lines from the McAfee log:
4/23/2010 2:51:24 PM Blocked by port blocking rule C:\Windows\system32\services.exe Anti-virus Standard Protection:Prevent mass mailing worms from sending mail 194.179.124.229:25
4/23/2010 2:52:25 PM Blocked by port blocking rule C:\Windows\system32\services.exe Anti-virus Standard Protection:Prevent mass mailing worms from sending mail 216.104.161.4:25
4/23/2010 2:53:29 PM Blocked by port blocking rule C:\Windows\system32\services.exe Anti-virus Standard Protection:Prevent mass mailing worms from sending mail 200.185.119.149:25
4/23/2010 2:55:06 PM Blocked by port blocking rule C:\Windows\system32\services.exe Anti-virus Standard Protection:Prevent mass mailing worms from sending mail 69.17.26.163:25
4/23/2010 2:56:27 PM Blocked by port blocking rule C:\Windows\system32\services.exe Anti-virus Standard Protection:Prevent mass mailing worms from sending mail 74.216.237.227:25
4/23/2010 2:57:44 PM Blocked by port blocking rule C:\Windows\system32\services.exe Anti-virus Standard Protection:Prevent mass mailing worms from sending mail 219.118.231.11:25
4/23/2010 2:58:53 PM Blocked by port blocking rule C:\Windows\system32\services.exe Anti-virus Standard Protection:Prevent mass mailing worms from sending mail 163.21.249.141:25
4/2

Here is my DDS:


DDS (Ver_10-03-17.01) - NTFSx86
Run by tmuehlherr at 16:13:03.55 on Fri 04/23/2010
Internet Explorer: 8.0.6001.18904
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.1.1033.18.3581.1865 [GMT -7:00]

AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: VirusScan Enterprise + AntiSpyware Enterprise *enabled* (Updated) {24E45799-D058-4314-AC5D-1B2EE5C3151F}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Iron Mountain\Connected BackupPC\AgentService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CSR\Vista Profile Pack\BthFilterHelper.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Windows\system32\mfevtps.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Windows\System32\rpcnet.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\STacSV.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe
C:\Windows\system32\vmnat.exe
C:\Program Files\VMware\VMware vCenter Converter Standalone\vmware-converter-a.exe
C:\Program Files\VMware\VMware vCenter Converter Standalone\vmware-converter.exe
C:\Windows\system32\dllhost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\VMware\VMware Player\vmware-authd.exe
C:\Windows\system32\vmnetdhcp.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Windows\System32\msdtc.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\UnHackMe\hackmon.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Passlogix\v-GO SSO\ssoshell.exe
C:\Program Files\Passlogix\v-GO SSO\Helper\Moz\ssomozho.exe
C:\Program Files\Passlogix\v-GO SSO\Helper\IE\ssobho.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\McAfee\VirusScan Enterprise\ShStat.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\WavXDocMgr.exe
C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\V0470Mon.exe
C:\Program Files\Iron Mountain\Connected BackupPC\Agent.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Program Files\VMware\VMware Player\hqtray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Windows\V0250Mon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Plaxo\3.23.0.18\PlaxoHelper_en.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\HidFind.exe
C:\Users\tmuehlherr.thomasmd630\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\Explorer.exe
C:\Archive-New\HiJack\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uStart Page = hxxp://my.yahoo.com/
uWindow Title = Internet Explorer provided by Dell
uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3081231
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3081231
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mWinlogon: Userinit=c:\windows\system32\userinit.exe,"c:\program files\passlogix\v-go sso\wts\ssolauncher.exe" /startsso,
BHO: HelperObject Class: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 7\SnagItBHO.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: CDelHotkeys Object: {78875f5c-a685-4405-8dc5-d48dc65452b0} - c:\program files\delicious add-on for internet explorer\DeliciousExtension.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Delicious Toolbar: {61d1c847-df80-423a-8c6d-dc03b97e6ebe} - c:\program files\delicious add-on for internet explorer\DeliciousExtension.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 7\SnagItIEAddin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
EB: Delicious Sidebar: {9d19c405-ba93-461b-871f-97992cc45972} - c:\program files\delicious add-on for internet explorer\DeliciousExtension.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [PlaxoUpdate] c:\program files\plaxo\3.23.0.18\PlaxoHelper_en.exe -a
uRun: [PlaxoSysTray] c:\program files\plaxo\3.23.0.18\PlaxoSysTray.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [<NO NAME>]
mRun: [WavXMgr] c:\program files\wave systems corp\services manager\docmgr\bin\WavXDocMgr.exe
mRun: [SecureUpgrade] c:\program files\wave systems corp\SecureUpgrade.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NVHotkey] rundll32.exe c:\windows\system32\nvHotkey.dll,Start
mRun: [TrayServer] c:\program files\magix\video_deluxe_2007_2008_plus\TrayServer.exe
mRun: [V0470Mon.exe] c:\windows\V0470Mon.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [AgentUiRunKey] "c:\program files\iron mountain\connected backuppc\Agent.exe" -ni -sss -e http://localhost:16386/
mRun: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [VMware hqtray] "c:\program files\vmware\vmware player\hqtray.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [V0250Mon.exe] c:\windows\V0250Mon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\users\tmuehl~1.tho\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\tmuehlherr.thomasmd630\appdata\roaming\dropbox\bin\Dropbox.exe
StartupFolder: c:\users\tmuehl~1.tho\appdata\roaming\micros~1\windows\startm~1\programs\startup\pictur~1.lnk - c:\program files\sony\sony picture utility\pmbcore\SPUVolumeWatcher.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\program files\dell\quickset\quickset.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{ccbaa1f7-e5e1-48b2-9ed9-a79c6a37ce78}\Icon3E5562ED7.ico
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {2C887991-08F0-11DC-A9B2-0012F0B227DD} - {B8D8B1D0-83AF-451B-8CD9-8F1BF4ED8FEA} - c:\program files\delicious add-on for internet explorer\DeliciousExtension.dll
IE: {2C887992-08F0-11DC-A9B2-0012F0B227DD} - {9D19C405-BA93-461b-871F-97992CC45972} - c:\program files\delicious add-on for internet explorer\DeliciousExtension.dll
IE: {2C887993-08F0-11DC-A9B2-0012F0B227DD} - {4D3D441F-9543-4941-B664-2EDCF9FC1B56} - c:\program files\delicious add-on for internet explorer\DeliciousExtension.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
LSP: c:\program files\vmware\vmware player\vsocklib.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://groupintelligence.webex.com/client/T26L/training/ieatgpc1.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\skype\toolbars\shared\Skype4ComAPI.dll
Notify: gemsafe - c:\program files\gemplus\gemsafe libraries\bin\WLEventNotify.dll
AppInit_DLLs: c:\progra~1\google\google~3\GOEC62~1.DLL
LSA: Authentication Packages = msv1_0 wvauth
Hosts: 66.194.249.64 w.sharethis.com

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-1-19 340592]
R2 ACEDRV09;ACEDRV09;c:\windows\system32\drivers\ACEDRV09.sys [2009-2-1 110304]
R2 AgentService;AgentService;c:\program files\iron mountain\connected backuppc\AgentService.exe [2008-11-9 6608192]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\broadcom\asfipmon\AsfIpMon.exe [2006-12-19 79432]
R2 BthFilterHelper;Bluetooth Feature Support;c:\program files\csr\vista profile pack\BthFilterHelper.exe [2006-11-7 127488]
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\mcafee\virusscan enterprise\EngineServer.exe [2008-9-29 19456]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2008-3-14 103744]
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2008-9-29 143088]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2008-9-29 62800]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2009-1-19 67904]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [2009-10-22 70704]
R2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\common files\vmware\usb\vmware-usbarbitrator.exe [2009-10-22 563760]
R2 vmware-converter-agent;VMware vCenter Converter Agent;c:\program files\vmware\vmware vcenter converter standalone\vmware-converter-a.exe [2009-4-17 428592]
R2 vmware-converter-server;VMware vCenter Converter Server;c:\program files\vmware\vmware vcenter converter standalone\vmware-converter.exe [2009-4-17 428592]
R2 vstor2-mntapi10;Vstor2 MntApi 1.0 Driver;c:\program files\vmware\vmware vcenter converter standalone\vstor2-mntapi10.sys [2009-4-17 22448]
R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [2006-11-2 7168]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2008-12-31 179712]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-1-19 90360]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-1-19 42424]
R3 V0250Dev;Live! Cam Notebook Pro;c:\windows\system32\drivers\V0250Dev.sys [2010-3-6 169696]
R3 V0250Vfx;V0250Vfx;c:\windows\system32\drivers\V0250Vfx.sys [2010-3-6 6272]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-8 135664]
S3 bmdrvr;Modified Clusters Tracking Driver;c:\windows\system32\drivers\bmdrvr.sys [2009-4-17 27312]
S3 BroadCamService;BroadCam Video Streaming Server;c:\program files\nch software\broadcam\broadcam.exe [2009-8-6 684036]
S3 BTHFILT;Bluetooth Command Filter;c:\windows\system32\drivers\BthFilt.sys [2008-12-31 13824]
S3 EyelineService;Eyeline Service;c:\program files\nch software\eyeline\eyeline.exe [2009-8-6 425988]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-12-31 30192]
S3 LV_Tracker;LV_Tracker;c:\windows\system32\drivers\LV_Tracker.sys [2008-11-9 45384]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2009-1-19 64432]
S3 UPnPService;UPnPService;c:\program files\common files\magix shared\upnpservice\UPnPService.exe [2009-2-1 544768]
S3 VF0470Vid;Live! Cam Notebook (VF0470);c:\windows\system32\drivers\V0470Vid.sys [2009-2-22 146720]

=============== Created Last 30 ================

2010-04-23 23:11:18 0 ----a-w- c:\users\tmuehlherr.thomasmd630\defogger_reenable
2010-04-23 22:41:50 2 --shatr- c:\windows\winstart.bat
2010-04-23 22:41:26 12752 ----a-w- c:\windows\system32\drivers\UnHackMeDrv.sys
2010-04-23 22:41:22 0 d-----w- c:\program files\UnHackMe
2010-04-23 16:09:24 0 d-----w- c:\program files\Trend Micro
2010-04-21 03:38:21 22872 ----a-r- c:\windows\system32\AdobePDFUI.dll
2010-04-20 21:43:44 859648 ----a-w- c:\windows\system32\drivers\pwhxsivp.sys
2010-04-20 21:43:31 43520 ---ha-w- c:\windows\system32\MdReions.dll
2010-04-20 21:43:29 20 ----a-w- c:\users\tmuehl~1.tho\appdata\roaming\kcmdte.dat
2010-04-14 05:38:11 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-14 05:38:11 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-14 05:38:11 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-14 05:38:08 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-14 05:38:06 3600776 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-14 05:37:59 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-04-14 05:37:30 62464 ----a-w- c:\windows\system32\l3codeca.acm
2010-04-14 05:37:30 220672 ----a-w- c:\windows\system32\l3codecp.acm
2010-04-14 05:37:27 904576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-14 05:37:26 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-04-14 05:37:26 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-04-14 05:26:36 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-14 05:26:33 98304 ----a-w- c:\windows\system32\cabview.dll
2010-04-09 05:38:38 1315 ----a-w- C:\xcopybackup.cmd
2010-04-09 05:25:20 589 ----a-w- c:\users\tmuehlherr.thomasmd630\Application Data.lnk
2010-04-09 05:23:56 447 ----a-w- c:\users\tmuehlherr.thomasmd630\My Documents.lnk
2010-04-06 04:14:03 710 ----a-w- c:\windows\system32\notepad.exe - Shortcut.lnk
2010-04-05 18:03:01 0 d-----w- c:\temp\testexport
2010-04-05 07:26:40 0 d-----w- c:\users\tmuehlherr.thomasmd630\.thumbnails
2010-04-05 04:58:55 0 d-----w- c:\users\tmuehl~1.tho\appdata\roaming\.marble
2010-04-05 04:54:40 0 d-----w- c:\users\tmuehl~1.tho\appdata\roaming\.kde
2010-04-05 04:28:24 0 d-----w- c:\users\tmuehl~1.tho\appdata\roaming\KDE
2010-04-05 04:26:49 0 d-----w- c:\program files\KDE
2010-04-04 19:54:43 0 d-----w- c:\users\tmuehl~1.tho\appdata\roaming\BOXEE
2010-04-04 19:53:16 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll
2010-04-04 19:53:16 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2010-04-04 19:52:30 0 d-----w- c:\program files\Boxee
2010-04-04 19:36:07 0 d-----w- c:\program files\iPod
2010-04-04 19:35:56 0 d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-04 19:35:56 0 d-----w- c:\program files\iTunes
2010-04-04 19:28:27 0 d-----w- c:\program files\Bonjour

==================== Find3M ====================

2010-04-23 22:50:18 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2010-04-23 22:50:16 56680 ----a-w- c:\windows\system32\rpcnet.dll
2010-04-23 22:48:47 2140 ----a-w- c:\windows\bthservsdp.dat
2010-04-22 16:49:27 292274 ----a-w- c:\users\tmuehl~1.tho\appdata\roaming\nvModes.dat
2010-04-21 03:48:04 17408 ----a-w- c:\windows\system32\rpcnetp.dll
2010-04-04 19:29:16 51200 ----a-w- c:\windows\inf\infpub.dat
2010-04-04 19:29:16 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-04-04 19:29:16 143360 ----a-w- c:\windows\inf\infstor.dat
2010-03-30 07:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 07:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-25 22:48:43 60744 ----a-w- c:\users\tmuehlherr.thomasmd630\g2mdlhlpx.exe
2010-03-22 18:38:00 3600384 ----a-w- c:\windows\system32\GPhotos.scr
2010-02-24 17:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-23 06:39:13 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33:45 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 06:33:45 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 04:55:36 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-20 23:06:41 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:05:14 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-02-13 05:17:06 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-12 18:46:14 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 18:46:14 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-01-25 12:00:35 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-01-25 12:00:35 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-01-25 12:00:35 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-01-25 12:00:22 471552 ----a-w- c:\windows\system32\secproc.dll
2010-01-25 11:58:52 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-01-25 08:21:20 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-01-25 08:21:20 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-25 08:21:18 518144 ----a-w- c:\windows\system32\RMActivate.exe
2010-01-25 08:21:18 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2009-11-17 11:17:49 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-01-21 02:43:58 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:07 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:07 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:07 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:07 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-10-16 16:32:40 245760 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-10-16 20:14:36 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-09-14 14:26:09 16384 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\low\history.ie5\index.dat
2009-09-14 14:26:09 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\temporary internet files\low\content.ie5\index.dat
2009-09-14 14:26:09 16384 --sha-w- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\cookies\low\index.dat
2009-10-16 18:00:37 245760 --sha-w- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-01-19 21:05:19 16384 --sha-w- c:\windows\temp\cookies\index.dat
2009-01-19 21:05:19 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2009-01-19 21:05:19 32768 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat
2008-12-31 11:50:53 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 16:14:30.05 ===============

Any help identifying the problem would be greatly appreciated.
Thanks.
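The McAfee lines quoted in this post, as an added example that is not part of the original post: a small Python triage script for VirusScan Enterprise "Blocked by port blocking rule" entries. The sample lines are constructed in the same format as the log above but use documentation-range addresses, and the SYSTEM_IMAGES list and the thresholds are assumptions.

```python
"""Triage McAfee VirusScan Enterprise "Blocked by port blocking rule" lines.

Added example, not code from the original post. The line format follows the
entries pasted in the post; SAMPLE_LINES are constructed with
documentation-range addresses, and SYSTEM_IMAGES and the thresholds are
assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"Blocked by port blocking rule "
    r"(?P<proc>.+?\.exe) "       # image path, non-greedy so spaces are allowed
    r"(?P<rule>.+?) "            # rule name; contains spaces and a colon
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)$"
)

# Windows binaries that never originate SMTP on their own.  A port-25
# attempt attributed to one of them means foreign code is executing inside
# that process (injection or a rootkit), not a misconfigured mail client.
SYSTEM_IMAGES = {"services.exe", "svchost.exe", "lsass.exe", "winlogon.exe",
                 "csrss.exe", "smss.exe", "wininit.exe", "explorer.exe"}

# Constructed sample in the same format as the McAfee log quoted in the post.
SAMPLE_LINES = r"""
4/23/2010 2:51:24 PM Blocked by port blocking rule C:\Windows\system32\services.exe Anti-virus Standard Protection:Prevent mass mailing worms from sending mail 192.0.2.10:25
4/23/2010 2:52:25 PM Blocked by port blocking rule C:\Windows\system32\services.exe Anti-virus Standard Protection:Prevent mass mailing worms from sending mail 198.51.100.7:25
4/23/2010 2:53:29 PM Blocked by port blocking rule C:\Windows\system32\services.exe Anti-virus Standard Protection:Prevent mass mailing worms from sending mail 203.0.113.44:25
4/23/2010 2:55:06 PM Blocked by port blocking rule C:\Program Files\Mail Client\mailer.exe Anti-virus Standard Protection:Prevent mass mailing worms from sending mail 192.0.2.25:25
""".strip().splitlines()


def parse_line(line):
    """Return a dict for one port-blocking entry, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p"),
        "proc": m["proc"],
        "image": m["proc"].rsplit("\\", 1)[-1].lower(),
        "rule": m["rule"],
        "ip": m["ip"],
        "port": int(m["port"]),
    }


def triage(lines, min_distinct=3, window_minutes=10):
    """Map image name -> finding for processes whose blocked SMTP attempts look
    like a spam bot rather than a legitimate mail client."""
    per_image = defaultdict(list)
    for ev in filter(None, map(parse_line, lines)):
        if ev["port"] == 25:
            per_image[ev["image"]].append(ev)

    findings = {}
    for image, evs in per_image.items():
        evs.sort(key=lambda e: e["ts"])
        distinct = {e["ip"] for e in evs}
        span_min = (evs[-1]["ts"] - evs[0]["ts"]).total_seconds() / 60
        reasons = []
        if image in SYSTEM_IMAGES:
            reasons.append("core Windows binary originating SMTP")
        if len(distinct) >= min_distinct and span_min <= window_minutes:
            reasons.append(f"{len(distinct)} distinct SMTP servers within {span_min:.0f} min")
        if reasons:
            findings[image] = {"attempts": len(evs), "distinct_servers": len(distinct),
                               "reasons": reasons}
    return findings


def triage_sample():
    return triage(SAMPLE_LINES)


if __name__ == "__main__":
    for image, f in triage_sample().items():
        print(f"{image}: {f['attempts']} attempts, {f['distinct_servers']} servers; "
              + "; ".join(f["reasons"]))
```

The single mailer.exe entry is not reported, which is the intended distinction: a mail client hitting one server is a policy matter, while services.exe fanning out to several SMTP servers in a couple of minutes is the pattern to chase.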


#2 thm22


Posted 24 April 2010 - 03:15 PM

I think I detected and removed the virus.
I ran McAfee with the newest DAT file and scanned everything; nothing found.
Then I ran GMER and scanned everything, and it did not show anything.
I also used UnHackMe and it did not show anything.

I followed the instructions on BleepingComputer (thank you Jason!) to prepare for a post and ran GMER, Defogger, and DDS and posted the log files.
Then I ran GMER again and noticed a hidden service running pwhxsivp.sys, but could not find any info on it or remove it.
Then I ran the SuperAntiSpyware scanner and it detected MDREIONS.DLL and quarantined it, supposedly a Trojan.Agent gen-fake Alert. At this point, SMTP servers were still being contacted.

Checking the log again, I saw three files all installed at the same time!? So they need to be connected somehow.
2010-04-20 21:43:44 859648 ----a-w- c:\windows\system32\drivers\pwhxsivp.sys
2010-04-20 21:43:31 43520 ---ha-w- c:\windows\system32\MdReions.dll
2010-04-20 21:43:29 20 ----a-w- c:\users\tmuehl~1.tho\appdata\roaming\kcmdte.dat

So I renamed KCMDTE.dat; MDREIONS.DLL was already quarantined by SAS, but PWHXSIVP could not be deleted or removed, not even in Safe Mode. However, GMER allowed me to delete the service entry. After rebooting, I was able to rename it, at which point McAfee finally detected the thing as a generic.dx!rso Trojan and removed it.

Hm…
This took me the better part of Friday afternoon, night and Saturday morning!
Now I will spend a few hours changing passwords!

Hope it helps someone else.
Let me know if you find anything else that is suspicious or needs to be removed.

T.

Edited by thm22, 24 April 2010 - 03:19 PM.
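The three files the poster spotted by eye because they were created within seconds of each other, as an added example that is not part of the original post: a Python script that clusters DDS "Created Last 30" entries by creation time. The entries in it are copied from the DDS log posted earlier in the thread; the 60-second window and the two scoring rules are assumptions.

```python
"""Find files that were dropped together by clustering DDS "Created Last 30"
entries on their creation time.

Added example, not code from the original post. It automates the check the
poster did by eye: the entry format is the DDS format from the log above,
SAMPLE_ENTRIES are copied from that log, and the 60-second window and the
scoring rules are assumptions.
"""
import re
from datetime import datetime, timedelta

DDS_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<size>\d+) "
    r"(?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)

# Entries taken from the DDS log in this thread: the UnHackMe install, the
# three-file drop from 2010-04-20, and a batch of Windows Update files.
SAMPLE_ENTRIES = r"""
2010-04-23 22:41:50 2 --shatr- c:\windows\winstart.bat
2010-04-23 22:41:26 12752 ----a-w- c:\windows\system32\drivers\UnHackMeDrv.sys
2010-04-23 22:41:22 0 d-----w- c:\program files\UnHackMe
2010-04-20 21:43:44 859648 ----a-w- c:\windows\system32\drivers\pwhxsivp.sys
2010-04-20 21:43:31 43520 ---ha-w- c:\windows\system32\MdReions.dll
2010-04-20 21:43:29 20 ----a-w- c:\users\tmuehl~1.tho\appdata\roaming\kcmdte.dat
2010-04-14 05:38:11 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-14 05:38:11 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-14 05:38:08 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-14 05:37:59 420352 ----a-w- c:\windows\system32\vbscript.dll
""".strip().splitlines()


def parse_entry(line):
    """Parse one DDS file entry: timestamp, size, attribute flags, path."""
    m = DDS_RE.match(line.strip())
    if not m:
        return None
    attrs = m["attrs"]
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "size": int(m["size"]),
        "attrs": attrs,
        "path": m["path"].lower(),
        "hidden": "h" in attrs,          # DDS shows the hidden bit as 'h'
        "is_dir": attrs.startswith("d"),
    }


def cluster_by_time(entries, window_seconds=60):
    """Split time-sorted entries wherever the gap to the previous entry
    exceeds window_seconds; each resulting group was created 'together'."""
    gap = timedelta(seconds=window_seconds)
    clusters, current = [], []
    for e in sorted(entries, key=lambda x: x["ts"]):
        if current and e["ts"] - current[-1]["ts"] > gap:
            clusters.append(current)
            current = []
        current.append(e)
    if current:
        clusters.append(current)
    return clusters


def suspicious_clusters(lines, window_seconds=60):
    """Return clusters of two or more files with a reason to look closer.
    A burst of files created at once is normal for installers and Windows
    Update, so a cluster is only reported when it carries a hidden file or
    mixes a kernel driver with a per-user data file."""
    entries = [e for e in map(parse_entry, lines) if e]
    report = []
    for c in cluster_by_time(entries, window_seconds):
        files = [e for e in c if not e["is_dir"]]
        if len(files) < 2:
            continue
        reasons = []
        if any(e["hidden"] for e in files):
            reasons.append("hidden file in the drop")
        has_driver = any("\\drivers\\" in e["path"] for e in files)
        has_user = any("\\appdata\\" in e["path"] for e in files)
        if has_driver and has_user:
            reasons.append("kernel driver dropped together with a per-user data file")
        if reasons:
            report.append({"first": files[0]["ts"], "files": [e["path"] for e in files],
                           "reasons": reasons})
    return report


def triage_sample():
    return suspicious_clusters(SAMPLE_ENTRIES)
```

The Windows Update batch is silently skipped, but the UnHackMe pair is reported alongside the pwhxsivp.sys drop: the script only narrows the log to a few groups worth researching, and it is that research which separates a tool the user installed from a drop they did not.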


#3 Elise


Posted 28 April 2010 - 03:34 PM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues; this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------
In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • GMER log

Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft


#4 thm22 (Topic Starter, Members, 9 posts)

Posted 02 May 2010 - 10:54 PM

Hi elise025,
Here are the OTL and Extra files.
T.

Attached Files



#5 Elise (Malware Study Hall Admin)

Posted 03 May 2010 - 02:11 AM

Could you please also run GMER?

regards, Elise



#6 thm22 (Topic Starter)

Posted 03 May 2010 - 05:38 PM

Hi,


So I ran that gmer.exe for the second time already, and it takes a long time to scan my system. Then it reboots my machine. Where does it store the log file? It's not in the location where I start the exe.

T.

#7 Elise (Malware Study Hall Admin)

Posted 04 May 2010 - 03:16 AM

Hi, as you can see in my instructions, GMER has a Save button when it is done; it does not auto-save the log. However, rerun the scan with only the Sections option checked. This should make the scan a lot shorter (a few minutes, most likely). Save the resulting log and post it in your next reply.

regards, Elise



#8 thm22 (Topic Starter)

Posted 04 May 2010 - 11:57 AM

Hi,

This time it worked in safe mode. See attached.

T.

Attached Files



#9 Elise (Malware Study Hall Admin)

Posted 04 May 2010 - 12:25 PM

Hello again,

COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

regards, Elise



#10 thm22 (Topic Starter)

Posted 04 May 2010 - 10:57 PM

Hi,

I think, according to the log, it found one infected file and exchanged it.

T.

-----------------------

ComboFix 10-05-04.04 - tmuehlherr 05/04/2010 20:24:34.1.2 - x86
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.1.1033.18.3581.1959 [GMT -7:00]
Running from: c:\archive-new\Otl\ComboFix.exe
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning disabled* (Outdated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
SP: VirusScan Enterprise + AntiSpyware Enterprise *disabled* (Outdated) {24E45799-D058-4314-AC5D-1B2EE5C3151F}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-1926026124-797753282-3819704201-500
C:\Install.exe
c:\users\tmuehlherr.thomasmd630\AppData\Local\{28373ED6-68C7-4EAA-B77C-18336E5C14D7}
c:\users\tmuehlherr.thomasmd630\AppData\Local\{28373ED6-68C7-4EAA-B77C-18336E5C14D7}\chrome.manifest
c:\users\tmuehlherr.thomasmd630\AppData\Local\{28373ED6-68C7-4EAA-B77C-18336E5C14D7}\chrome\content\_cfg.js
c:\users\tmuehlherr.thomasmd630\AppData\Local\{28373ED6-68C7-4EAA-B77C-18336E5C14D7}\chrome\content\overlay.xul
c:\users\tmuehlherr.thomasmd630\AppData\Local\{28373ED6-68C7-4EAA-B77C-18336E5C14D7}\install.rdf
c:\users\tmuehlherr.thomasmd630\Documents\Backups\Windows\Windows_security_backup files
c:\users\tmuehlherr.thomasmd630\Documents\Backups\Windows\Windows_security_backup files\Log_tmuehlherr_THOMASMD630.txt
c:\users\tmuehlherr.thomasmd630\Documents\runningdog.txt
c:\windows\system32\vmnat.exe

Infected copy of c:\windows\System32\autochk.exe was found and disinfected
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-autochk_31bf3856ad364e35_6.0.6001.18000_none_e1f3ed49c1c122ef\autochk.exe

.
((((((((((((((((((((((((( Files Created from 2010-04-05 to 2010-05-05 )))))))))))))))))))))))))))))))
.

2010-05-05 03:34 . 2010-05-05 03:34 -------- d-----w- c:\users\tmuehlherr\AppData\Local\temp
2010-05-05 03:34 . 2010-05-05 03:34 -------- d-----w- c:\users\kking\AppData\Local\temp
2010-05-05 03:34 . 2010-05-05 03:34 -------- d-----w- c:\users\iriseuser\AppData\Local\temp
2010-05-05 03:34 . 2010-05-05 03:34 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-05-05 03:34 . 2010-05-05 03:34 -------- d-----w- c:\users\administrator\AppData\Local\temp
2010-05-05 03:34 . 2010-05-05 03:34 -------- d-----w- c:\users\Administrator.thomasmd630\AppData\Local\temp
2010-05-04 15:25 . 2010-05-04 15:25 -------- d-----w- c:\programdata\Cobian
2010-05-04 15:25 . 2010-05-04 15:27 -------- d-----w- c:\program files\Cobian Backup 9
2010-05-02 03:42 . 2010-05-02 03:42 -------- d-----w- c:\program files\iPod
2010-05-02 03:42 . 2010-05-02 03:42 -------- d-----w- c:\program files\iTunes
2010-05-02 03:39 . 2010-05-02 03:39 -------- d-----w- c:\program files\Bonjour
2010-04-24 19:29 . 2010-04-13 00:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-24 02:34 . 2010-04-24 02:34 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-04-24 02:34 . 2010-04-24 02:34 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-24 02:34 . 2010-04-24 02:34 -------- d-----w- c:\users\tmuehlherr.thomasmd630\AppData\Roaming\SUPERAntiSpyware.com
2010-04-23 22:41 . 2010-04-23 22:41 2 --shatr- c:\windows\winstart.bat
2010-04-23 16:09 . 2010-04-23 16:09 -------- d-----w- c:\program files\Trend Micro
2010-04-21 03:38 . 2009-08-20 06:50 22872 ----a-r- c:\windows\system32\AdobePDFUI.dll
2010-04-20 21:45 . 2010-04-22 14:48 120 ----a-w- c:\users\tmuehlherr.thomasmd630\AppData\Local\Skafequ.dat
2010-04-20 21:45 . 2010-04-22 14:48 0 ----a-w- c:\users\tmuehlherr.thomasmd630\AppData\Local\Imifidaci.bin
2010-04-14 05:38 . 2010-02-23 11:10 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-14 05:38 . 2010-02-23 11:10 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-14 05:38 . 2010-02-23 11:10 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-14 05:38 . 2010-02-18 14:07 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-14 05:38 . 2010-02-18 14:07 3600776 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-14 05:37 . 2010-03-05 14:01 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-04-14 05:37 . 2010-02-18 14:07 904576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-14 05:37 . 2010-02-18 13:30 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-04-14 05:37 . 2010-02-18 11:28 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-04-14 05:26 . 2009-12-23 11:33 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-14 05:26 . 2010-01-13 17:34 98304 ----a-w- c:\windows\system32\cabview.dll
2010-04-09 05:38 . 2010-04-11 23:59 1315 ----a-w- C:\xcopybackup.cmd
2010-04-08 20:20 . 2010-04-08 20:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 20:20 . 2010-04-08 20:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-04-05 18:03 . 2010-04-05 19:22 -------- d-----w- c:\temp\testexport
2010-04-05 07:26 . 2010-04-05 07:26 -------- d-----w- c:\users\tmuehlherr.thomasmd630\.thumbnails
2010-04-05 04:58 . 2010-04-05 04:58 -------- d-----w- c:\users\tmuehlherr.thomasmd630\AppData\Roaming\.marble
2010-04-05 04:54 . 2010-04-05 18:14 -------- d-----w- c:\users\tmuehlherr.thomasmd630\AppData\Roaming\.kde
2010-04-05 04:28 . 2010-04-05 04:28 -------- d-----w- c:\users\tmuehlherr.thomasmd630\AppData\Roaming\KDE
2010-04-05 04:26 . 2010-04-05 04:51 -------- d-----w- c:\program files\KDE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-05 03:42 . 2010-01-09 20:03 -------- d-----w- c:\users\tmuehlherr.thomasmd630\AppData\Roaming\Dropbox
2010-05-05 03:41 . 2009-10-13 14:44 -------- d-----w- c:\program files\Plaxo
2010-05-05 03:41 . 2009-01-20 03:25 0 ----a-w- c:\users\tmuehlherr.thomasmd630\AppData\Local\WavXMapDrive.bat
2010-05-05 03:35 . 2009-05-08 19:27 -------- d-----w- c:\programdata\VMware
2010-05-05 03:35 . 2009-01-26 20:38 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2010-05-05 03:35 . 2009-01-19 21:05 56680 ----a-w- c:\windows\system32\rpcnet.dll
2010-05-05 03:34 . 2008-12-31 10:29 2140 ----a-w- c:\windows\bthservsdp.dat
2010-05-05 02:31 . 2009-01-26 20:39 17408 ----a-w- c:\windows\system32\rpcnetp.dll
2010-05-04 01:21 . 2009-01-20 18:30 -------- d-----w- c:\program files\Trillian
2010-05-03 02:02 . 2009-01-26 20:50 292274 ----a-w- c:\users\tmuehlherr.thomasmd630\AppData\Roaming\nvModes.dat
2010-05-02 03:42 . 2009-01-20 05:59 -------- d-----w- c:\program files\Common Files\Apple
2010-05-02 03:36 . 2010-05-02 03:36 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2010-04-24 19:31 . 2008-12-31 10:18 -------- d-----w- c:\program files\Common Files\Java
2010-04-24 19:29 . 2008-12-31 10:18 -------- d-----w- c:\program files\Java
2010-04-24 02:36 . 2010-04-24 02:36 52224 ----a-w- c:\users\tmuehlherr.thomasmd630\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-24 02:36 . 2010-04-24 02:36 117760 ----a-w- c:\users\tmuehlherr.thomasmd630\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-24 02:33 . 2009-06-02 17:02 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-23 21:57 . 2009-05-04 17:26 -------- d-----w- c:\users\tmuehlherr.thomasmd630\AppData\Roaming\Delicious IE Extension
2010-04-22 18:15 . 2008-12-31 10:18 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-22 04:51 . 2009-10-05 21:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-19 15:31 . 2009-01-26 20:49 -------- d-----w- c:\users\tmuehlherr.thomasmd630\AppData\Roaming\Skype
2010-04-19 15:09 . 2009-02-04 04:21 -------- d-----w- c:\users\tmuehlherr.thomasmd630\AppData\Roaming\skypePM
2010-04-14 10:19 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-04-14 10:04 . 2008-12-31 10:41 -------- d-----w- c:\programdata\Microsoft Help
2010-04-13 17:14 . 2009-02-02 17:53 1356 ----a-w- c:\users\tmuehlherr.thomasmd630\AppData\Local\d3d9caps.dat
2010-04-04 19:54 . 2010-04-04 19:54 -------- d-----w- c:\users\tmuehlherr.thomasmd630\AppData\Roaming\BOXEE
2010-04-04 19:52 . 2010-04-04 19:52 -------- d-----w- c:\program files\Boxee
2010-04-04 19:36 . 2010-04-04 19:35 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-04 19:32 . 2010-04-04 19:32 -------- d-----w- c:\program files\QuickTime
2010-03-31 22:31 . 2009-01-27 06:26 -------- d-----w- c:\users\tmuehlherr.thomasmd630\AppData\Roaming\Passlogix
2010-03-30 07:46 . 2009-10-05 21:26 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 07:45 . 2009-10-05 21:26 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-25 22:48 . 2009-01-20 18:49 60744 ----a-w- c:\users\tmuehlherr.thomasmd630\g2mdlhlpx.exe
2010-03-22 18:38 . 2010-03-22 18:38 3600384 ----a-w- c:\windows\system32\GPhotos.scr
2010-03-02 17:00 . 2010-01-09 20:03 91696 ----a-w- c:\users\tmuehlherr.thomasmd630\AppData\Roaming\Dropbox\bin\Uninstall.exe
2010-03-02 17:00 . 2010-03-02 17:00 13264416 ----a-w- c:\users\tmuehlherr.thomasmd630\AppData\Roaming\Dropbox\cache\Dropbox-update-0.7.110.exe
2010-02-26 05:10 . 2010-02-26 05:10 21979992 ----a-w- c:\users\tmuehlherr.thomasmd630\AppData\Roaming\Dropbox\bin\Dropbox.exe
2010-02-24 17:16 . 2009-10-03 01:47 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-24 16:17 . 2009-01-20 03:25 114952 ----a-w- c:\users\tmuehlherr.thomasmd630\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-23 06:39 . 2010-03-30 20:48 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33 . 2010-03-30 20:48 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 06:33 . 2010-03-30 20:48 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 04:55 . 2010-03-30 20:48 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-20 23:06 . 2010-03-11 18:06 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:05 . 2010-03-11 18:06 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 20:53 . 2010-03-11 18:06 411648 ----a-w- c:\windows\system32\drivers\http.sys
2008-12-31 11:50 . 2008-12-31 11:49 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\users\tmuehlherr.thomasmd630\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\users\tmuehlherr.thomasmd630\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\users\tmuehlherr.thomasmd630\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-31 39408]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"PlaxoUpdate"="c:\program files\Plaxo\3.23.0.18\PlaxoHelper_en.exe" [2009-12-23 403015]
"PlaxoSysTray"="c:\program files\Plaxo\3.23.0.18\PlaxoSysTray.exe" [2009-12-23 25928]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2007-01-26 159744]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-02-12 174872]
"WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2007-09-10 85504]
"SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2007-09-14 218424]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-11-20 30192]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2010-04-04 38840]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2010-04-03 640440]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-05-23 128296]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2008-03-14 136512]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-09-29 124240]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-10-05 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-10-05 8497696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-10-05 81920]
"NVHotkey"="c:\windows\system32\nvHotkey.dll" [2007-10-05 86016]
"V0470Mon.exe"="c:\windows\V0470Mon.exe" [2007-06-04 32768]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
"AgentUiRunKey"="c:\program files\Iron Mountain\Connected BackupPC\Agent.exe" [2008-11-10 244536]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2008-01-03 405504]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"VMware hqtray"="c:\program files\VMware\VMware Player\hqtray.exe" [2009-10-22 64048]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"V0250Mon.exe"="c:\windows\V0250Mon.exe" [2006-06-08 32768]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"Cobian Backup 9"="c:\program files\Cobian Backup 9\Cobian.exe" [2009-01-22 579584]

c:\users\tmuehlherr.thomasmd630\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\tmuehlherr.thomasmd630\AppData\Roaming\Dropbox\bin\Dropbox.exe [2010-2-25 21979992]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-12-31 50688]
QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2008-2-22 1193240]
VPN Client.lnk - c:\windows\Installer\{CCBAA1F7-E5E1-48B2-9ED9-A79C6A37CE78}\Icon3E5562ED7.ico [2009-6-12 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gemsafe]
2006-11-16 21:20 73728 ----a-w- c:\program files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~3\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
iscsinst REG_SZ c:\windows\system32\MdReions.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):e8,19,f9,0c,05,43,ca,01

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-09 135664]
R3 bmdrvr;Modified Clusters Tracking Driver;c:\windows\system32\drivers\bmdrvr.sys [2009-04-18 27312]
R3 BroadCamService;BroadCam Video Streaming Server;c:\program files\NCH Software\BroadCam\broadcam.exe [2009-08-06 684036]
R3 BTHFILT;Bluetooth Command Filter;c:\windows\system32\DRIVERS\BthFilt.sys [2007-05-05 13824]
R3 EyelineService;Eyeline Service;c:\program files\NCH Software\Eyeline\eyeline.exe [2009-08-06 425988]
R3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2009-11-20 30192]
R3 LV_Tracker;LV_Tracker;c:\windows\system32\DRIVERS\LV_Tracker.sys [2008-11-10 45384]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2008-09-29 64432]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2010-02-17 12872]
R3 UPnPService;UPnPService;c:\program files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe [2006-12-15 544768]
R3 VF0470Vid;Live! Cam Notebook (VF0470);c:\windows\system32\DRIVERS\V0470Vid.sys [2007-05-09 146720]
R4 pwhxsivp;pwhxsivp; [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-02-17 66632]
S2 ACEDRV09;ACEDRV09;c:\windows\system32\drivers\ACEDRV09.sys [2009-02-02 110304]
S2 AgentService;AgentService;c:\program files\Iron Mountain\Connected BackupPC\AgentService.exe [2008-11-10 6608192]
S2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [2006-12-19 79432]
S2 BthFilterHelper;Bluetooth Feature Support;c:\program files\CSR\Vista Profile Pack\BthFilterHelper.exe [2006-11-08 127488]
S2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\EngineServer.exe [2008-09-29 19456]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2008-09-29 67904]
S2 vmci;VMware vmci;c:\windows\system32\Drivers\vmci.sys [2009-10-22 70704]
S2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\Common Files\VMware\USB\vmware-usbarbitrator.exe [2009-10-22 563760]
S2 vmware-converter-agent;VMware vCenter Converter Agent;c:\program files\VMware\VMware vCenter Converter Standalone\vmware-converter-a.exe [2009-04-18 428592]
S2 vmware-converter-server;VMware vCenter Converter Server;c:\program files\VMware\VMware vCenter Converter Standalone\vmware-converter.exe [2009-04-18 428592]
S2 vstor2-mntapi10;Vstor2 MntApi 1.0 Driver;c:\program files\VMware\VMware vCenter Converter Standalone\vstor2-mntapi10.sys [2009-04-18 22448]
S2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [2006-11-02 7168]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2007-03-13 179712]
S3 V0250Dev;Live! Cam Notebook Pro;c:\windows\system32\DRIVERS\V0250Dev.sys [2007-08-30 169696]
S3 V0250Vfx;V0250Vfx;c:\windows\system32\DRIVERS\V0250Vfx.sys [2006-03-25 6272]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-05-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-09 00:49]

2010-05-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-09 00:49]

2010-05-04 c:\windows\Tasks\User_Feed_Synchronization-{7F76D3C9-69B8-4462-B962-6890B1EBCF0A}.job
- c:\windows\system32\msfeedssync.exe [2010-03-30 04:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
LSP: c:\program files\VMware\VMware Player\vsocklib.dll
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
HKLM-Run-TrayServer - c:\program files\MAGIX\Video_deluxe_2007_2008_PLUS\TrayServer.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-04 20:42
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\TEMP\TMP000000616A3BE5AD98D3A7E1 524288 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(728)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'lsass.exe'(644)
c:\windows\system32\wvauth.dll
c:\windows\system32\biolsp.dll

- - - - - - - > 'Explorer.exe'(4888)
c:\users\tmuehlherr.thomasmd630\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll
c:\program files\Plaxo\3.23.0.18\plx_hook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLANExt.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\System32\rpcnet.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\STacSV.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\program files\Dell\QuickSet\NicConfigSvc.exe
c:\program files\McAfee\VirusScan Enterprise\mfeann.exe
c:\program files\VMware\VMware Player\vmware-authd.exe
c:\windows\system32\vmnetdhcp.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\windows\System32\msdtc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Apoint\ApMsgFwd.exe
c:\program files\Apoint\Apntex.exe
c:\program files\Apoint\HidFind.exe
c:\windows\System32\rundll32.exe
c:\windows\System32\rundll32.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-05-04 20:50:07 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-05 03:50

Pre-Run: 953,982,976 bytes free
Post-Run: 4,026,208,256 bytes free

- - End Of File - - A7541484308FEA4537EFFB1561C0FA4A
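A small triage helper for the ComboFix/catchme log format pasted above, added here as an example; it is not code from this thread, from ComboFix, or from Gmer. It pulls out the three sections a helper usually reads first (the catchme hidden-file summary, the locked registry keys, and the per-process DLL list) and flags DLLs loaded into sensitive processes such as winlogon.exe and lsass.exe from outside the Windows directory. The sample log is constructed from a few lines of the report above, with the user profile path replaced by a placeholder; the "sensitive process" set and the outside-Windows-directory rule are this example's own review heuristics, not a verdict on any particular file.

```python
"""Triage helper for a ComboFix / catchme log (added example, not ComboFix's own code)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: a few lines taken from the log in the thread, with the
# user profile directory replaced by a placeholder ("example").
SAMPLE_LOG = """\
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-04 20:42

scanning hidden files ...

c:\\windows\\TEMP\\TMP000000616A3BE5AD98D3A7E1 524288 bytes

scan completed successfully
hidden files: 1

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\\SOFTWARE\\DeterministicNetworks\\DNE\\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00

[HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Class\\{4D36E96D-E325-11CE-BFC1-08002BE10318}\\0000\\AllUserSettings]
@Denied: (A) (Users)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(728)
c:\\program files\\Common Files\\Adobe\\Adobe Drive CS4\\AdobeDriveCS4_NP.dll

- - - - - - - > 'lsass.exe'(644)
c:\\windows\\system32\\wvauth.dll
c:\\windows\\system32\\biolsp.dll

- - - - - - - > 'Explorer.exe'(4888)
c:\\users\\example\\AppData\\Roaming\\Dropbox\\bin\\DropboxExt.13.dll
.
------------------------ Other Running Processes ------------------------
"""

HIDDEN_FILE_RE = re.compile(r"^([a-z]:\\.+?)\s+(\d+) bytes$", re.IGNORECASE)
HIDDEN_COUNT_RE = re.compile(r"^hidden files:\s*(\d+)$", re.IGNORECASE)
REG_KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
PROC_HDR_RE = re.compile(r"^(?:- )+> '([^']+)'\((\d+)\)$")

# Heuristic choices of this example (assumption): processes whose loaded DLLs
# deserve a second look, and the directory prefix treated as "part of Windows".
SENSITIVE_PROCESSES = {"winlogon.exe", "lsass.exe", "services.exe", "csrss.exe"}
WINDOWS_PREFIX = "c:\\windows\\"


@dataclass
class Triage:
    hidden_files: List[Tuple[str, int]] = field(default_factory=list)
    hidden_count_reported: Optional[int] = None
    locked_keys: List[str] = field(default_factory=list)
    # (process name, pid) -> list of DLL paths listed under that process
    dlls_by_process: Dict[Tuple[str, int], List[str]] = field(default_factory=dict)


def parse_combofix(text: str) -> Triage:
    """Walk the log line by line, switching sections on the banner lines."""
    t = Triage()
    section = "catchme"
    current: Optional[Tuple[str, int]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if "LOCKED REGISTRY KEYS" in line:
            section = "locked"
            continue
        if "DLLs Loaded Under Running Processes" in line:
            section = "dlls"
            continue
        if "Other Running Processes" in line:
            section = "procs"
            continue
        if not line or line == ".":
            continue
        if section == "catchme":
            m = HIDDEN_FILE_RE.match(line)
            if m:
                t.hidden_files.append((m.group(1), int(m.group(2))))
            m = HIDDEN_COUNT_RE.match(line)
            if m:
                t.hidden_count_reported = int(m.group(1))
        elif section == "locked":
            m = REG_KEY_RE.match(line)
            if m:
                t.locked_keys.append(m.group(1))
        elif section == "dlls":
            m = PROC_HDR_RE.match(line)
            if m:
                current = (m.group(1), int(m.group(2)))
                t.dlls_by_process[current] = []
            elif current is not None:
                t.dlls_by_process[current].append(line)
    return t


def findings(t: Triage) -> List[str]:
    """Items a helper would review first; a flag here is a prompt to look, not a verdict."""
    out = []
    if t.hidden_count_reported is not None and len(t.hidden_files) != t.hidden_count_reported:
        out.append(f"catchme reported {t.hidden_count_reported} hidden files, parsed {len(t.hidden_files)}")
    for path, size in t.hidden_files:
        out.append(f"hidden file: {path} ({size} bytes)")
    for (proc, pid), dlls in t.dlls_by_process.items():
        if proc.lower() in SENSITIVE_PROCESSES:
            for dll in dlls:
                if not dll.lower().startswith(WINDOWS_PREFIX):
                    out.append(f"non-Windows DLL in {proc}({pid}): {dll}")
    return out


if __name__ == "__main__":
    for item in findings(parse_combofix(SAMPLE_LOG)):
        print(item)
```

On the sample this reports the hidden file in c:\windows\TEMP and the Adobe Drive DLL loaded into winlogon.exe; the lsass.exe DLLs are under system32 and are not flagged. The locked-key list is parsed but not flagged, since locked keys with "@Denied" entries also occur on clean machines and need case-by-case review.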


#11 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,080 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:05:17 PM

Posted 05 May 2010 - 05:30 AM

Hello again,

Could you please let me know how things are running now? What problems do you still have left?

Also, please launch Malwarebytes Antimalware, update it first and run a full scan. Post me the log when done.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#12 thm22

thm22
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:17 AM

Posted 09 May 2010 - 11:57 AM

Hi,

It seems to be running fine now. The system appears to be much faster.
Thank you so much!

To me it seems it was that file that was removed (autochk.exe).
Do you know what it was?

Thanks,
T.





Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18904

5/8/2010 11:34:46 PM
mbam-log-2010-05-08 (23-34-46).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 519929
Time elapsed: 3 hour(s), 25 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#13 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,080 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:05:17 PM

Posted 10 May 2010 - 01:39 AM

Hello again, looks fine indeed

It's hard to say what that autochk.exe copy did; it was patched by malware most likely and replaced by Combofix with a clean copy. Besides that, you also had a Firefox/Google Chrome add-on that could cause trouble.



ESET ONLINE SCANNER
----------------------------
I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    Note - when ESET doesn't find any threats, no report will be created.
  12. Push the button.
  13. Push

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft


#14 thm22

thm22
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:17 AM

Posted 12 May 2010 - 09:39 AM

Elise,

ESET found another one. Some trojan.
Here is the log. The file got quarantined.

C:\Users\tmuehlherr.thomasmd630\Desktop\fjhdyfhsn.bat BAT/KillFiles.NCB trojan cleaned by deleting - quarantined

T.

#15 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,080 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:05:17 PM

Posted 12 May 2010 - 09:50 AM

Hello again!

ALL CLEAN
--------------
Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it clean.

Please do the following to remove the remaining programs from your PC:
  • Delete the tools used during the disinfection:
    • Click start > run and type combofix /uninstall, press enter. This will remove Combofix from your computer.
    • Delete DDS, GMER (this is a random named file) and OTL.
Please read this advice, in order to prevent reinfecting your PC:
  1. Install and update the following programs regularly:
    • an outbound firewall
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malware Byte's Anti Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non-commercial home use but provide a resident and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.
    • MVPs hosts file
      A tutorial for MVPs hosts file can be found here. If you would like automatic updates you might want to take a look at HostMan host file manager. For more information on the hosts file, and what it can do for you, please consult the Tutorial on the Hosts file.
  2. Keep Windows (and your other Microsoft software) up to date!
    I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.
    Therefore, please, visit the Microsoft Update Website and follow the on-screen instructions to set up Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
  3. Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.
  4. Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.
Some more links you might find of interest:

Please reply to this topic if you have read the above information. If your computer is working fine, this topic will be closed afterwards.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft

