new "HijackThis" log


  • This topic is locked
29 replies to this topic

#1 wright0101
  • Members
  • 24 posts

Posted 27 April 2010 - 07:32 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:30:02 PM, on 4/27/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Compaq\EAB\EABSERVR.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ltmsg.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SRX Utility\lcu.exe
C:\WINDOWS\system32\WGAwatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mma-hd.com/torrents-today.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [UnlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe -H
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EABSERVR.EXE /Start
O4 - HKLM\..\Run: [LidPolicy] c:\Program Files\Hewlett-Packard\LidSwitch Policy\pwrschem.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WGA Watchdog] C:\WINDOWS\system32\WGAwatchLauncher.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /QS
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\AxAutoMntSrv.exe" -automount
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: Wireless-G Notebook Adapter with SRX Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter with SRX Utility\lcu.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1260831343689
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1260831329208
O20 - Winlogon Notify: Antiwpa - antiwpa.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - StarWind Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 6590 bytes

DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 22:21:17.99 on Tue 04/27/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_19
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.120 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Compaq\EAB\EABSERVR.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ltmsg.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\WGAwatch.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\Computer Help\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://mma-hd.com/torrents-today.php
mWinlogon: SfcDisable=-99 (0xffffff9d)
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [PeerGuardian] c:\program files\peerguardian2\pg2.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [UnlockerAssistant] c:\program files\unlocker\UnlockerAssistant.exe -H
mRun: [eabconfg.cpl] c:\program files\compaq\eab\EABSERVR.EXE /Start
mRun: [LidPolicy] c:\program files\hewlett-packard\lidswitch policy\pwrschem.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [WGA Watchdog] c:\windows\system32\WGAwatchLauncher.exe
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [LTWinModem1] ltmsg.exe 9
mRun: [RegistryMechanic] c:\program files\registry mechanic\RegMech.exe /QS
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [TrojanScanner] c:\program files\trojan remover\Trjscan.exe /boot
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\wirele~1.lnk - c:\program files\linksys\wireless-g notebook adapter with srx utility\lcu.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
uPolicies-explorer: NoResolveTrack = 1 (0x1)
uPolicies-explorer: NoInstrumentation = 1 (0x1)
mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
dPolicies-explorer: NoResolveTrack = 1 (0x1)
dPolicies-explorer: NoInstrumentation = 1 (0x1)
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1260831343689
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1260831329208
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
Notify: Antiwpa - antiwpa.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\dq7jwt1i.default\
FF - prefs.js: browser.startup.homepage - hxxp://mma-hd.com/torrents-today.php
FF - plugin: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\dq7jwt1i.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-3-19 107256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2009-3-19 93848]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-12-14 20824]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2010-3-9 40832]

=============== Created Last 30 ================

2010-04-28 03:03:49 204 ----a-w- c:\documents and settings\administrator\defogger_reenable
2010-04-27 03:14:07 97365950 ----a-w- c:\windows\file_3.exe
2010-04-25 21:21:21 4256 ----a-w- c:\windows\wininit.ini
2010-04-25 06:07:43 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-04-25 06:07:42 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-04-25 05:20:14 361600 ----a-w- c:\windows\system32\drivers\tcpip.copy
2010-04-24 21:00:16 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-04-24 21:00:16 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-04-24 21:00:15 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-04-24 21:00:15 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-04-24 21:00:15 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2010-04-24 20:59:03 0 d-----w- c:\program files\Trojan Remover
2010-04-24 20:59:03 0 d-----w- c:\docume~1\alluse~1\applic~1\Simply Super Software
2010-04-24 20:59:03 0 d-----w- c:\docume~1\admini~1\applic~1\Simply Super Software
2010-04-14 19:39:02 178176 ------w- c:\windows\system32\dllcache\wintrust.dll
2010-04-14 19:37:50 100864 ------w- c:\windows\system32\dllcache\6to4svc.dll
2010-04-14 19:37:49 226880 ------w- c:\windows\system32\dllcache\tcpip6.sys
2010-04-14 19:37:12 86016 ------w- c:\windows\system32\dllcache\cabview.dll
2010-04-10 02:10:11 0 d-----w- c:\program files\Cardoza
2010-04-10 02:09:10 0 d-----w- c:\documents and settings\administrator\WINDOWS
2010-04-10 00:43:43 0 d-----w- c:\program files\Jackpot Capital
2010-04-04 20:42:47 0 d-----w- c:\docume~1\alluse~1\applic~1\TomTom
2010-04-04 20:34:39 0 d-----w- c:\docume~1\admini~1\applic~1\TomTom
2010-04-02 03:19:22 0 d-----w- c:\program files\Xvid
2010-04-02 02:29:27 0 d-----w- c:\program files\Phantom EFX
2010-03-31 14:16:11 0 d-----w- c:\docume~1\alluse~1\applic~1\Masque
2010-03-31 14:16:11 0 d-----w- c:\docume~1\admini~1\applic~1\Masque
2010-03-31 14:10:05 0 d-----w- c:\program files\Masque IGT Slots Little Green Men
2010-03-31 01:35:07 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe

==================== Find3M ====================

2010-04-25 05:20:29 361600 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-03-30 05:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 05:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-28 21:50:32 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-10 06:15:52 420352 ------w- c:\windows\system32\dllcache\vbscript.dll
2010-03-09 16:10:20 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2010-03-09 16:10:15 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2010-03-09 15:49:47 25600 ----a-w- c:\documents and settings\administrator\usbsermptxp.sys
2010-03-09 15:49:41 22768 ----a-w- c:\documents and settings\administrator\usbsermpt.sys
2010-03-09 09:28:20 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-28 02:34:55 22768 ----a-w- c:\windows\system32\drivers\usbsermpt.sys
2010-02-25 16:54:36 11070976 ------w- c:\windows\system32\dllcache\ieframe.dll
2010-02-24 11:57:57 457216 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2010-02-24 09:54:25 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-02-16 12:52:12 2190080 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 12:52:12 2190080 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-02-16 12:50:36 2146304 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-02-16 12:12:52 2066944 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-16 12:12:52 2066944 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-02-16 12:12:52 2024448 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-02-16 04:50:23 64000 ------w- c:\windows\system32\dllcache\iecompat.dll
2010-02-12 04:27:58 100864 ----a-w- c:\windows\system32\6to4svc.dll

============= FINISH: 22:24:12.90 ===============

Merged topics then posts. ~ OB

Edited by Orange Blossom, 28 April 2010 - 09:17 PM.
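The HijackThis and DDS output above is a list of load points (IE start pages, BHOs, Run keys, Winlogon Notify packages, services, hosts-file overrides) that a helper triages by hand. As an added example, not part of this thread and not a BleepingComputer, Trend Micro or sUBs tool, the script below applies a few of the usual triage heuristics to lines copied from the posted log: it flags the non-default start page (mma-hd.com), the Run entry `ltmsg.exe 9` that carries no absolute path, the `antiwpa.dll (file missing)` Winlogon hook, `SfcDisable=-99` (Windows File Protection turned off) and the hosts entry that points www.spywareinfo.com at 127.0.0.1. The protected-domain list and the heuristics themselves are the example's own assumptions; a flag is a prompt for an analyst to verify the item, not a malware verdict.

```python
"""Triage heuristics for HijackThis / DDS "pseudo HJT" log lines.

Added example for this thread, not a BleepingComputer, Trend Micro or sUBs
tool. The sample lines are copied from the log posted above; every flag is a
prompt for a human analyst to verify the item, not a malware verdict.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    reason: str
    line: str


# Domains malware often sinkholes in the hosts file to block help and updates
# (the list is an assumption made for this example; extend it for real use).
PROTECTED_HOST_SUFFIXES = (
    "spywareinfo.com", "bleepingcomputer.com", "malwarebytes.org",
    "microsoft.com", "windowsupdate.com", "eset.com",
)
# The only stock value for IE's start/search pages on Windows XP.
STOCK_IE_URL_PREFIX = "http://go.microsoft.com/fwlink/"

HJT_RE = re.compile(r"^(?P<code>[RO]\d{1,2}) - (?P<body>.*)$")
AUTORUN_RE = re.compile(r"^\S*Run(Once|Services)?[^:]*: \[[^\]]*\] (?P<cmd>.*)$")
ABS_PATH_RE = re.compile(r'^(?:"|[A-Za-z]:\\|%\w+%\\|\\\\)')  # "quoted", C:\, %windir%\, \\unc


def triage_line(line):
    """Return a Finding for one log line, or None when no heuristic fires."""
    s = line.strip()
    if not s:
        return None
    if s.endswith("(file missing)"):
        # Registered load point whose target is gone: leftover of an uninstall
        # or of a partial clean-up; either way a dangling hook worth removing.
        return Finding("load point with missing target file", s)

    m = HJT_RE.match(s)
    code, body = (m.group("code"), m.group("body")) if m else ("", s)

    if code in ("R0", "R1") or body.startswith(("uStart Page", "mStart Page")):
        # DDS defangs URLs as hxxp://; undo that before comparing.
        url = body.split("=", 1)[1].strip().replace("hxxp", "http", 1) if "=" in body else ""
        if url and not url.startswith(STOCK_IE_URL_PREFIX):
            return Finding("non-default IE start/search page: " + url, s)

    if code == "O1" or body.startswith("Hosts:"):
        fields = body.split(":", 1)[1].split()
        if len(fields) >= 2 and fields[1].lower().endswith(PROTECTED_HOST_SUFFIXES):
            return Finding("hosts file overrides a security/update domain: " + fields[1], s)

    sfc = re.search(r"SfcDisable=(-?\d+)", body)
    if sfc and sfc.group(1) != "0":
        # Non-zero SfcDisable turns off Windows File Protection, so replaced
        # system files (tcpip.sys, ntoskrnl.exe, ...) are no longer restored.
        return Finding("Windows File Protection disabled (SfcDisable=%s)" % sfc.group(1), s)

    if code == "O20" or body.startswith("Notify:"):
        return Finding("Winlogon notification DLL loads into winlogon.exe; verify publisher", s)

    a = AUTORUN_RE.match(body)
    if a and not ABS_PATH_RE.match(a.group("cmd")):
        # A bare file name is resolved through the PATH search order, so a
        # same-named file planted earlier in that order would run instead.
        return Finding("autorun command without absolute path: " + a.group("cmd"), s)
    return None


def triage(log_text):
    """Run triage_line over a whole log; returns the findings in log order."""
    return [f for f in map(triage_line, log_text.splitlines()) if f is not None]


# Sample constructed from lines of the HijackThis and DDS logs in the first post.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mma-hd.com/torrents-today.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O20 - Winlogon Notify: Antiwpa - antiwpa.dll (file missing)
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
mWinlogon: SfcDisable=-99 (0xffffff9d)
Hosts: 127.0.0.1 www.spywareinfo.com
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%-60s <- %s" % (f.reason, f.line))
```

Run it on a saved HijackThis or DDS log by passing the file contents to `triage()`. Every line that is not flagged is not thereby clean (the script knows nothing about the binaries behind the paths), and a flag such as the torrent-site start page may simply be a setting the user chose; the value of the heuristics is that they surface the handful of lines worth checking first out of a log this long.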



#2 schrauber (Mr.Mechanic)
  • Malware Response Team
  • 24,794 posts
  • Gender: Male
  • Location: Munich, Germany

Posted 02 May 2010 - 08:23 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE



Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.

#3 wright0101 (Topic Starter)
  • Members
  • 24 posts

Posted 02 May 2010 - 12:32 PM


First, thank you for taking the time to review my logs. I keep having multiple popups that open new browsers to my home page, and all my Google search results link to new random search pages.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 11:25:10.97 on Sun 05/02/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_19
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.163 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Administrator\Desktop\Computer Help\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://mma-hd.com/torrents-today.php
mWinlogon: SfcDisable=-99 (0xffffff9d)
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
StartupFolder: c:\documents and settings\administrator\start menu\programs\startup\Wireless-G Notebook Adapter with SRX Utility.lnk.disabled
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Windows Search.lnk.disabled
uPolicies-explorer: NoResolveTrack = 1 (0x1)
uPolicies-explorer: NoInstrumentation = 1 (0x1)
mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
dPolicies-explorer: NoResolveTrack = 1 (0x1)
dPolicies-explorer: NoInstrumentation = 1 (0x1)
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1260831343689
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1260831329208
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\dq7jwt1i.default\
FF - prefs.js: browser.startup.homepage - hxxp://mma-hd.com/torrents-today.php
FF - plugin: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\dq7jwt1i.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-3-19 107256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2009-3-19 93848]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2009-3-19 731840]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-12-14 303952]
R2 StarWindServiceAE;StarWind AE Service;c:\program files\alcohol soft\alcohol 120\starwind\StarWindServiceAE.exe [2009-12-23 370688]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-12-14 20824]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2010-3-9 40832]

=============== Created Last 30 ================

2010-05-01 07:11:32 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-28 18:05:29 0 d-----w- c:\program files\CCleaner
2010-04-28 03:03:49 204 ----a-w- c:\documents and settings\administrator\defogger_reenable
2010-04-27 03:14:07 97365950 ----a-w- c:\windows\file_3.exe
2010-04-25 21:21:21 4256 ----a-w- c:\windows\wininit.ini
2010-04-25 06:07:43 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-04-25 06:07:42 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-04-25 05:20:14 361600 ----a-w- c:\windows\system32\drivers\tcpip.copy
2010-04-24 21:00:16 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-04-24 21:00:16 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-04-24 21:00:15 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-04-24 21:00:15 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-04-24 21:00:15 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2010-04-24 20:59:03 0 d-----w- c:\program files\Trojan Remover
2010-04-24 20:59:03 0 d-----w- c:\docume~1\alluse~1\applic~1\Simply Super Software
2010-04-24 20:59:03 0 d-----w- c:\docume~1\admini~1\applic~1\Simply Super Software
2010-04-14 19:39:02 178176 ------w- c:\windows\system32\dllcache\wintrust.dll
2010-04-14 19:37:50 100864 ------w- c:\windows\system32\dllcache\6to4svc.dll
2010-04-14 19:37:49 226880 ------w- c:\windows\system32\dllcache\tcpip6.sys
2010-04-14 19:37:12 86016 ------w- c:\windows\system32\dllcache\cabview.dll
2010-04-10 02:10:11 0 d-----w- c:\program files\Cardoza
2010-04-10 02:09:10 0 d-----w- c:\documents and settings\administrator\WINDOWS
2010-04-10 00:43:43 0 d-----w- c:\program files\Jackpot Capital
2010-04-04 20:42:47 0 d-----w- c:\docume~1\alluse~1\applic~1\TomTom
2010-04-04 20:34:39 0 d-----w- c:\docume~1\admini~1\applic~1\TomTom

==================== Find3M ====================

2010-04-25 05:20:29 361600 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-03-30 05:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 05:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-28 21:50:32 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-10 06:15:52 420352 ------w- c:\windows\system32\dllcache\vbscript.dll
2010-03-09 16:10:20 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2010-03-09 16:10:15 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2010-03-09 15:49:47 25600 ----a-w- c:\documents and settings\administrator\usbsermptxp.sys
2010-03-09 15:49:41 22768 ----a-w- c:\documents and settings\administrator\usbsermpt.sys
2010-03-09 09:28:20 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-25 16:54:36 11070976 ------w- c:\windows\system32\dllcache\ieframe.dll
2010-02-24 11:57:57 457216 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2010-02-24 09:54:25 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-02-16 12:52:12 2190080 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 12:52:12 2190080 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-02-16 12:50:36 2146304 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-02-16 12:12:52 2066944 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-16 12:12:52 2066944 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-02-16 12:12:52 2024448 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-02-16 04:50:23 64000 ------w- c:\windows\system32\dllcache\iecompat.dll
2010-02-12 04:27:58 100864 ----a-w- c:\windows\system32\6to4svc.dll

============= FINISH: 11:27:34.55 ===============
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-02 12:26:37
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\fgtdqpod.sys


---- System - GMER 1.0.15 ----

SSDT 81CB2580 ZwAssignProcessToJobObject
SSDT 81CB3100 ZwDebugActiveProcess
SSDT 81CB2B30 ZwDuplicateObject
SSDT 81CB1CC0 ZwOpenProcess
SSDT 81CB1FC0 ZwOpenThread
SSDT 81CB29C0 ZwProtectVirtualMemory
SSDT 81CB2860 ZwSetContextThread
SSDT 81CB26E0 ZwSetInformationThread
SSDT 81CAF700 ZwSetSecurityObject
SSDT 81CB2420 ZwSuspendProcess
SSDT 81CB22C0 ZwSuspendThread
SSDT 81CB1E50 ZwTerminateProcess
SSDT 81CB2150 ZwTerminateThread
SSDT 81CB2F50 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 98 804E2704 1 Byte [80]
.rsrc C:\WINDOWS\system32\DRIVERS\ehdrv.sys entry point in ".rsrc" section [0xBAF5E014]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[144] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A3000A
.text C:\Program Files\Internet Explorer\iexplore.exe[144] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D5000A
.text C:\Program Files\Internet Explorer\iexplore.exe[144] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A2000C
.text C:\Program Files\Internet Explorer\iexplore.exe[144] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[144] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDAC4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[144] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E473F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[144] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4671 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[144] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E46DC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[144] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4542 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[144] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E45A4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[144] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E47A2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[144] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4606 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[516] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 00]
.text C:\WINDOWS\System32\svchost.exe[1196] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 3 Bytes JMP 0091000A
.text C:\WINDOWS\System32\svchost.exe[1196] ntdll.dll!NtProtectVirtualMemory + 4 7C90D6F2 1 Byte [84]
.text C:\WINDOWS\System32\svchost.exe[1196] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0092000A
.text C:\WINDOWS\System32\svchost.exe[1196] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0090000C
.text C:\WINDOWS\System32\svchost.exe[1196] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 0338000A
.text C:\WINDOWS\System32\svchost.exe[1196] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 0337000A
.text C:\WINDOWS\system32\SearchIndexer.exe[1428] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\WINDOWS\Explorer.EXE[1608] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B6000A
.text C:\WINDOWS\Explorer.EXE[1608] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BC000A
.text C:\WINDOWS\Explorer.EXE[1608] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B5000C
.text C:\Program Files\Internet Explorer\iexplore.exe[4080] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A3000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4080] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D5000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4080] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A2000C
.text C:\Program Files\Internet Explorer\iexplore.exe[4080] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4080] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4080] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD101 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4080] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDAC4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4080] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25466E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4080] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E473F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4080] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4671 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4080] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E46DC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4080] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4542 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4080] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E45A4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4080] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E47A2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4080] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4606 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4080] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 3E2EDB20 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4080] ole32.dll!OleLoadFromStream 775297D5 5 Bytes JMP 3E3E4AA7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Internet Explorer\iexplore.exe[4080] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 EABFiltr.sys (EAB-II PS/2 Keyboard filter driver/Compaq Computer Corp.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 EABFiltr.sys (EAB-II PS/2 Keyboard filter driver/Compaq Computer Corp.)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys (ESET Antivirus Network Redirector/ESET)

Device -> \Driver\atapi \Device\Harddisk0\DR0 81D80EE4

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x48 0x68 0x1D 0xA3 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x7E 0x8B 0x92 0xDC ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x8E 0xC1 0x82 0x55 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x48 0x68 0x1D 0xA3 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x7E 0x8B 0x92 0xDC ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x8E 0xC1 0x82 0x55 ...

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\DRIVERS\ehdrv.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


#4 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany
  • Local time:04:00 AM

Posted 03 May 2010 - 11:04 PM

Hello, wright0101
Welcome to the Bleeping Computer Forums. My name is Thomas (Tom is fine), and I will be helping you fix your problems.

If you do not make a reply in 5 days, we will have to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.
  • Please set your system to show all files.
    Click Start, open My Computer, select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.

Please go here and have a look at how you can disable your security software.

Download Combofix from any of the links below but rename it to before saving it to your desktop.

Link 1
Link 2



--------------------------------------------------------------------

Double click on the renamed Combofix.exe & follow the prompts.
    When finished, it will produce a report for you.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper.


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#5 wright0101

wright0101
  • Topic Starter

  • Members
  • 24 posts
  • Local time:10:00 PM

Posted 04 May 2010 - 07:02 PM

Thank you again for reviewing my logs, Tom. Is it ok to enable my antivirus software now?

ComboFix 10-05-04.01 - Administrator 05/04/2010 18:09:23.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.237 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\schrauber.exe
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Application Data\chrtmp
c:\documents and settings\All Users\Favorites\_favdata.dat
c:\program files\WindowsUpdate
c:\windows\file_3.exe

.
((((((((((((((((((((((((( Files Created from 2010-04-04 to 2010-05-04 )))))))))))))))))))))))))))))))
.

2010-05-01 07:11 . 2010-05-01 23:32 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-28 18:05 . 2010-04-28 18:06 -------- d-----w- c:\program files\CCleaner
2010-04-28 02:46 . 2010-04-28 03:00 -------- d-----w- c:\windows\BDOSCAN8
2010-04-25 20:07 . 2009-08-02 22:49 3036024 ----a-w- c:\documents and settings\Administrator\Application Data\Simply Super Software\Trojan Remover\cfq36BB.exe
2010-04-25 06:07 . 2010-04-29 03:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-25 06:07 . 2010-04-27 11:55 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-24 21:01 . 2010-04-24 21:01 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-24 21:00 . 2006-05-25 20:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-04-24 21:00 . 2005-08-26 06:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-04-24 21:00 . 2006-06-19 18:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-04-24 21:00 . 2003-02-03 01:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2010-04-24 21:00 . 2002-03-06 06:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-04-24 20:59 . 2010-04-24 21:00 -------- d-----w- c:\program files\Trojan Remover
2010-04-24 20:59 . 2010-04-24 20:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software
2010-04-24 20:59 . 2010-04-24 20:59 -------- d-----w- c:\documents and settings\Administrator\Application Data\Simply Super Software
2010-04-23 20:18 . 2010-04-23 20:18 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-04-14 19:39 . 2009-12-24 06:42 178176 ------w- c:\windows\system32\dllcache\wintrust.dll
2010-04-14 19:37 . 2010-02-12 04:27 100864 ------w- c:\windows\system32\dllcache\6to4svc.dll
2010-04-14 19:37 . 2010-02-11 11:36 226880 ------w- c:\windows\system32\dllcache\tcpip6.sys
2010-04-14 19:37 . 2010-01-13 14:01 86016 ------w- c:\windows\system32\dllcache\cabview.dll
2010-04-10 02:10 . 2010-04-10 02:10 -------- d-----w- c:\program files\Cardoza
2010-04-10 02:09 . 2010-04-10 02:09 -------- d-----w- c:\documents and settings\Administrator\WINDOWS
2010-04-10 00:43 . 2010-04-25 07:18 -------- d-----w- c:\program files\Jackpot Capital

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-04 22:46 . 2009-12-14 22:39 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
2010-05-04 02:33 . 2010-02-19 16:29 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc
2010-04-28 03:57 . 2009-12-14 22:51 -------- d-----w- c:\program files\PeerGuardian2
2010-04-25 08:47 . 2010-01-25 04:07 -------- d-----w- c:\documents and settings\Administrator\Application Data\dvdcss
2010-04-25 05:23 . 2009-12-14 22:39 -------- d-----w- c:\program files\uTorrent
2010-04-25 05:20 . 2008-12-30 04:52 361600 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-24 20:55 . 2009-12-14 21:27 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-24 10:41 . 2009-12-15 04:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-24 10:39 . 2009-12-15 04:08 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-04-22 03:10 . 2010-02-21 02:58 -------- d-----w- c:\program files\Minilyrics
2010-04-04 20:42 . 2010-04-04 20:42 -------- d-----w- c:\documents and settings\All Users\Application Data\TomTom
2010-04-04 20:34 . 2010-04-04 20:34 -------- d-----w- c:\documents and settings\Administrator\Application Data\TomTom
2010-04-03 00:07 . 2010-04-03 00:07 -------- d-----w- c:\documents and settings\Administrator\Application Data\InstallShield
2010-04-02 21:13 . 2009-12-14 21:27 -------- d-----w- c:\program files\Common Files\InstallShield
2010-04-02 03:20 . 2010-04-02 03:19 -------- d-----w- c:\program files\Xvid
2010-04-02 02:29 . 2010-04-02 02:29 -------- d-----w- c:\program files\Phantom EFX
2010-03-31 14:22 . 2010-03-31 14:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\Masque
2010-03-31 14:16 . 2010-03-31 14:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Masque
2010-03-31 14:12 . 2010-03-31 14:10 -------- d-----w- c:\program files\Masque IGT Slots Little Green Men
2010-03-31 01:38 . 2010-03-31 01:38 -------- d-----w- c:\program files\Common Files\Java
2010-03-31 01:35 . 2010-03-31 01:35 503808 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5d249730-n\msvcp71.dll
2010-03-31 01:35 . 2010-03-31 01:35 499712 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5d249730-n\jmc.dll
2010-03-31 01:35 . 2010-03-31 01:35 348160 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5d249730-n\msvcr71.dll
2010-03-31 01:35 . 2010-03-31 01:35 61440 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-7ea1b9c2-n\decora-sse.dll
2010-03-31 01:35 . 2010-03-31 01:35 12800 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-7ea1b9c2-n\decora-d3d.dll
2010-03-31 01:33 . 2009-12-15 01:14 -------- d-----w- c:\program files\Java
2010-03-30 05:46 . 2009-12-15 04:05 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 05:45 . 2009-12-15 04:05 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-28 22:01 . 2010-03-28 22:01 -------- d-----w- c:\program files\Alcohol Soft
2010-03-28 21:50 . 2010-03-28 21:50 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-03-28 05:13 . 2010-03-28 05:13 -------- d-----w- c:\program files\Loaris
2010-03-23 14:55 . 2009-12-31 19:59 -------- d-----w- c:\program files\Winamp Remote
2010-03-14 03:12 . 2010-03-14 03:12 -------- d-----w- c:\documents and settings\All Users\Application Data\TVU Networks
2010-03-14 03:12 . 2009-12-19 20:55 13664 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-14 03:12 . 2009-12-19 20:55 -------- d-----w- c:\program files\TVUPlayer
2010-03-13 04:32 . 2010-03-13 04:32 0 ----a-w- c:\windows\nsreg.dat
2010-03-10 06:15 . 2008-05-09 08:45 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 16:10 . 2010-03-09 16:10 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2010-03-09 16:10 . 2010-03-09 16:10 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2010-03-09 16:06 . 2010-03-09 16:06 -------- d-----w- c:\program files\Common Files\Motorola Shared
2010-03-09 15:49 . 2010-02-28 02:34 25600 ----a-w- c:\documents and settings\Administrator\usbsermptxp.sys
2010-03-09 15:49 . 2010-02-28 02:34 22768 ----a-w- c:\documents and settings\Administrator\usbsermpt.sys
2010-03-09 09:28 . 2009-12-15 01:15 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-06 16:35 . 2009-12-19 21:35 -------- d-----w- c:\program files\Winamp
2010-03-06 16:34 . 2009-12-19 21:36 -------- d-----w- c:\program files\Winamp Detect
2010-02-28 02:34 . 2010-02-28 02:34 22768 ----a-w- c:\windows\system32\drivers\usbsermpt.sys
2010-02-25 06:24 . 2008-10-15 23:04 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 11:57 . 2008-10-24 09:41 457216 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 12:52 . 2008-08-14 18:11 2190080 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 12:12 . 2008-08-14 21:39 2066944 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:27 . 2008-04-14 10:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 11:36 . 2008-07-28 08:35 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2010-02-11 10:09 . 2010-02-11 10:09 2627384 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\dq7jwt1i.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
.

------- Sigcheck -------

[-] 2010-04-25 . 038CA45522FE9B756EFB90DBFA9141EA . 361600 . . [5.1.2600.5649] . . c:\windows\system32\drivers\tcpip.sys
[-] 2009-12-15 . A02BF7E8C036A2A8587F70A038922449 . 361600 . . [5.1.2600.5649] . . c:\windows\system32\dllcache\TCPIP.SYS


c:\windows\System32\wscntfy.exe ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Wireless-G Notebook Adapter with SRX Utility.lnk.disabled [2009-12-14 1995]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk.disabled [2010-2-6 1787]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"PeerGuardian"=c:\program files\PeerGuardian2\pg2.exe
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"eabconfg.cpl"=c:\program files\Compaq\EAB\EABSERVR.EXE /Start
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
"ATIPTA"=c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
"LidPolicy"=c:\program files\Hewlett-Packard\LidSwitch Policy\pwrschem.exe
"LTWinModem1"=ltmsg.exe 9
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
"RegistryMechanic"=c:\program files\Registry Mechanic\RegMech.exe /QS
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
"TrojanScanner"=c:\program files\Trojan Remover\Trjscan.exe /boot
"UnlockerAssistant"=c:\program files\Unlocker\UnlockerAssistant.exe -H
"WGA Watchdog"=c:\windows\system32\WGAwatchLauncher.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\Phantom EFX\\OnlineCasino\\Bin\\Prelauncher.exe"=
"c:\\Program Files\\Phantom EFX\\OnlineCasino\\Launcher\\OLCLauncher.exe"=

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [3/19/2009 12:44 PM 107256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [3/19/2009 12:45 PM 93848]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [3/19/2009 12:44 PM 731840]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/14/2009 11:05 PM 303952]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [12/14/2009 11:05 PM 20824]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [3/9/2010 11:08 AM 40832]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [3/28/2010 4:50 PM 691696]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ASPI32
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://mma-hd.com/torrents-today.php
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\dq7jwt1i.default\
FF - prefs.js: browser.startup.homepage - hxxp://mma-hd.com/torrents-today.php
FF - plugin: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\dq7jwt1i.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-SopCast - c:\program files\SopCast\uninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-04 18:27
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x81D3BEE4]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf857af28
\Driver\ACPI -> ACPI.sys @ 0xf84edcb8
\Driver\atapi -> atapi.sys @ 0xf8487852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0626
ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0626
ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
NDIS: Intel® PRO/100 VE Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf8393bb0
PacketIndicateHandler -> NDIS.sys @ 0xf8382a0d
SendHandler -> NDIS.sys @ 0xf8396b40
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-602162358-484763869-1957994488-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,24,61,fd,26,bb,ca,14,45,80,75,34,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,24,61,fd,26,bb,ca,14,45,80,75,34,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(804)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(864)
c:\windows\system32\WININET.dll
.
Completion time: 2010-05-04 18:35:38
ComboFix-quarantined-files.txt 2010-05-04 23:35

Pre-Run: 2,287,702,016 bytes free
Post-Run: 2,570,235,904 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /noexecute=alwaysoff

- - End Of File - - 59276271589DB004C1D151E8780E95B8


#6 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany
  • Local time:04:00 AM

Posted 06 May 2010 - 12:25 PM

Hi,


1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
TDL::
C:\WINDOWS\system32\DRIVERS\ehdrv.sys


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#7 wright0101

wright0101
  • Topic Starter

  • Members
  • 24 posts
  • Local time:10:00 PM

Posted 06 May 2010 - 06:41 PM

ComboFix 10-05-04.01 - Administrator 05/06/2010 18:07:04.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.232 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\schrauber.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

E:\Autorun.inf

Infected copy of c:\windows\system32\DRIVERS\ehdrv.sys was found and disinfected
Restored copy from - c:\windows\system32\drivers\ehdrv.sys
.
((((((((((((((((((((((((( Files Created from 2010-04-06 to 2010-05-06 )))))))))))))))))))))))))))))))
.

2010-05-05 19:21 . 2010-05-05 19:21 -------- d-----w- c:\program files\Seagate
2010-05-05 19:21 . 2010-05-05 19:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Seagate
2010-05-05 19:19 . 2010-05-06 04:43 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Downloaded Installations
2010-05-05 19:19 . 2010-05-05 19:19 -------- d-sh--w- c:\windows\ftpcache
2010-05-05 19:15 . 2010-05-05 19:15 -------- d-----w- c:\documents and settings\Administrator\Application Data\Leadertech
2010-05-04 23:56 . 2010-05-04 23:56 -------- d-----w- c:\windows\system32\wbem\snmp
2010-05-04 23:56 . 2010-05-04 23:56 -------- d-----w- c:\windows\system32\xircom
2010-05-04 23:56 . 2010-05-04 23:56 -------- d-----w- c:\program files\microsoft frontpage
2010-05-01 07:11 . 2010-05-01 23:32 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-28 18:05 . 2010-04-28 18:06 -------- d-----w- c:\program files\CCleaner
2010-04-28 02:46 . 2010-04-28 03:00 -------- d-----w- c:\windows\BDOSCAN8
2010-04-25 20:07 . 2009-08-02 22:49 3036024 ----a-w- c:\documents and settings\Administrator\Application Data\Simply Super Software\Trojan Remover\cfq36BB.exe
2010-04-25 06:07 . 2010-04-29 03:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-25 06:07 . 2010-04-27 11:55 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-24 21:01 . 2010-04-24 21:01 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-24 21:00 . 2006-05-25 20:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-04-24 21:00 . 2005-08-26 06:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-04-24 21:00 . 2006-06-19 18:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-04-24 21:00 . 2003-02-03 01:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2010-04-24 21:00 . 2002-03-06 06:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-04-24 20:59 . 2010-04-24 21:00 -------- d-----w- c:\program files\Trojan Remover
2010-04-24 20:59 . 2010-04-24 20:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software
2010-04-24 20:59 . 2010-04-24 20:59 -------- d-----w- c:\documents and settings\Administrator\Application Data\Simply Super Software
2010-04-23 20:18 . 2010-04-23 20:18 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-04-14 19:39 . 2009-12-24 06:42 178176 ------w- c:\windows\system32\dllcache\wintrust.dll
2010-04-14 19:37 . 2010-02-12 04:27 100864 ------w- c:\windows\system32\dllcache\6to4svc.dll
2010-04-14 19:37 . 2010-02-11 11:36 226880 ------w- c:\windows\system32\dllcache\tcpip6.sys
2010-04-14 19:37 . 2010-01-13 14:01 86016 ------w- c:\windows\system32\dllcache\cabview.dll
2010-04-10 02:10 . 2010-04-10 02:10 -------- d-----w- c:\program files\Cardoza
2010-04-10 02:09 . 2010-04-10 02:09 -------- d-----w- c:\documents and settings\Administrator\WINDOWS
2010-04-10 00:43 . 2010-04-25 07:18 -------- d-----w- c:\program files\Jackpot Capital

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-06 23:01 . 2009-12-14 22:51 -------- d-----w- c:\program files\PeerGuardian2
2010-05-06 22:42 . 2009-12-14 22:39 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
2010-05-06 04:56 . 2009-12-14 21:27 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-06 01:19 . 2010-02-19 16:29 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc
2010-04-25 08:47 . 2010-01-25 04:07 -------- d-----w- c:\documents and settings\Administrator\Application Data\dvdcss
2010-04-25 05:23 . 2009-12-14 22:39 -------- d-----w- c:\program files\uTorrent
2010-04-25 05:20 . 2008-12-30 04:52 361600 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-24 10:41 . 2009-12-15 04:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-24 10:39 . 2009-12-15 04:08 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-04-22 03:10 . 2010-02-21 02:58 -------- d-----w- c:\program files\Minilyrics
2010-04-04 20:42 . 2010-04-04 20:42 -------- d-----w- c:\documents and settings\All Users\Application Data\TomTom
2010-04-04 20:34 . 2010-04-04 20:34 -------- d-----w- c:\documents and settings\Administrator\Application Data\TomTom
2010-04-03 00:07 . 2010-04-03 00:07 -------- d-----w- c:\documents and settings\Administrator\Application Data\InstallShield
2010-04-02 21:13 . 2009-12-14 21:27 -------- d-----w- c:\program files\Common Files\InstallShield
2010-04-02 03:20 . 2010-04-02 03:19 -------- d-----w- c:\program files\Xvid
2010-04-02 02:29 . 2010-04-02 02:29 -------- d-----w- c:\program files\Phantom EFX
2010-03-31 14:22 . 2010-03-31 14:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\Masque
2010-03-31 14:16 . 2010-03-31 14:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Masque
2010-03-31 14:12 . 2010-03-31 14:10 -------- d-----w- c:\program files\Masque IGT Slots Little Green Men
2010-03-31 01:38 . 2010-03-31 01:38 -------- d-----w- c:\program files\Common Files\Java
2010-03-31 01:35 . 2010-03-31 01:35 503808 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5d249730-n\msvcp71.dll
2010-03-31 01:35 . 2010-03-31 01:35 499712 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5d249730-n\jmc.dll
2010-03-31 01:35 . 2010-03-31 01:35 348160 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5d249730-n\msvcr71.dll
2010-03-31 01:35 . 2010-03-31 01:35 61440 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-7ea1b9c2-n\decora-sse.dll
2010-03-31 01:35 . 2010-03-31 01:35 12800 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-7ea1b9c2-n\decora-d3d.dll
2010-03-31 01:33 . 2009-12-15 01:14 -------- d-----w- c:\program files\Java
2010-03-30 05:46 . 2009-12-15 04:05 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 05:45 . 2009-12-15 04:05 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-28 22:01 . 2010-03-28 22:01 -------- d-----w- c:\program files\Alcohol Soft
2010-03-28 21:50 . 2010-03-28 21:50 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-03-28 05:13 . 2010-03-28 05:13 -------- d-----w- c:\program files\Loaris
2010-03-23 14:55 . 2009-12-31 19:59 -------- d-----w- c:\program files\Winamp Remote
2010-03-14 03:12 . 2010-03-14 03:12 -------- d-----w- c:\documents and settings\All Users\Application Data\TVU Networks
2010-03-14 03:12 . 2009-12-19 20:55 13664 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-14 03:12 . 2009-12-19 20:55 -------- d-----w- c:\program files\TVUPlayer
2010-03-13 04:32 . 2010-03-13 04:32 0 ----a-w- c:\windows\nsreg.dat
2010-03-10 06:15 . 2008-05-09 08:45 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 16:10 . 2010-03-09 16:10 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2010-03-09 16:10 . 2010-03-09 16:10 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2010-03-09 16:06 . 2010-03-09 16:06 -------- d-----w- c:\program files\Common Files\Motorola Shared
2010-03-09 15:49 . 2010-02-28 02:34 25600 ----a-w- c:\documents and settings\Administrator\usbsermptxp.sys
2010-03-09 15:49 . 2010-02-28 02:34 22768 ----a-w- c:\documents and settings\Administrator\usbsermpt.sys
2010-03-09 09:28 . 2009-12-15 01:15 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-28 02:34 . 2010-02-28 02:34 22768 ----a-w- c:\windows\system32\drivers\usbsermpt.sys
2010-02-25 06:24 . 2008-10-15 23:04 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 11:57 . 2008-10-24 09:41 457216 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 12:52 . 2008-08-14 18:11 2190080 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 12:12 . 2008-08-14 21:39 2066944 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:27 . 2008-04-14 10:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 11:36 . 2008-07-28 08:35 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2010-02-11 10:09 . 2010-02-11 10:09 2627384 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\dq7jwt1i.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
.

------- Sigcheck -------

[-] 2010-04-25 . 038CA45522FE9B756EFB90DBFA9141EA . 361600 . . [5.1.2600.5649] . . c:\windows\system32\drivers\tcpip.sys
[-] 2009-12-15 . A02BF7E8C036A2A8587F70A038922449 . 361600 . . [5.1.2600.5649] . . c:\windows\system32\dllcache\TCPIP.SYS


c:\windows\System32\wscntfy.exe ... is missing !!
.
((((((((((((((((((((((((((((( SnapShot@2010-05-04_23.27.44 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-12-02 05:46 . 2006-12-02 05:46 65536 c:\windows\WinSxS\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6c18549a\vcomp.dll
+ 2006-12-02 05:08 . 2006-12-02 05:08 49152 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80KOR.dll
+ 2006-12-02 05:08 . 2006-12-02 05:08 49152 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80JPN.dll
+ 2006-12-02 05:08 . 2006-12-02 05:08 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ITA.dll
+ 2006-12-02 05:08 . 2006-12-02 05:08 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80FRA.dll
+ 2006-12-02 05:08 . 2006-12-02 05:08 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ESP.dll
+ 2006-12-02 05:08 . 2006-12-02 05:08 57344 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ENU.dll
+ 2006-12-02 05:08 . 2006-12-02 05:08 65536 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80DEU.dll
+ 2006-12-02 05:08 . 2006-12-02 05:08 45056 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHT.dll
+ 2006-12-02 05:08 . 2006-12-02 05:08 40960 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHS.dll
+ 2006-12-02 05:26 . 2006-12-02 05:26 57856 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80u.dll
+ 2006-12-02 05:25 . 2006-12-02 05:25 69632 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80.dll
+ 2006-12-02 03:56 . 2006-12-02 03:56 96256 c:\windows\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474\ATL80.dll
+ 2010-05-06 23:19 . 2010-05-06 23:19 16384 c:\windows\Temp\Perflib_Perfdata_768.dat
+ 2010-05-06 04:55 . 2010-05-06 04:55 87376 c:\windows\Installer\{2A30052B-831C-41D3-8044-3C0388066350}\NewShortcut3_3AA20A2C6BEF43A6A3B4F09C5D78D1D4.exe
+ 2010-05-06 04:55 . 2010-05-06 04:55 87376 c:\windows\Installer\{2A30052B-831C-41D3-8044-3C0388066350}\NewShortcut2_B7AA0888E8864144BA725EAA61DC15D5.exe
+ 2010-05-06 04:55 . 2010-05-06 04:55 50512 c:\windows\Installer\{2A30052B-831C-41D3-8044-3C0388066350}\NewShortcut1_68F918D3F91F411B8936985CC2BD4192.exe
+ 2010-05-06 04:55 . 2010-05-06 04:55 87376 c:\windows\Installer\{2A30052B-831C-41D3-8044-3C0388066350}\ARPPRODUCTICON.exe
+ 2006-12-02 03:54 . 2006-12-02 03:54 626688 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll
+ 2006-12-02 03:54 . 2006-12-02 03:54 548864 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcp80.dll
+ 2006-12-02 03:54 . 2006-12-02 03:54 479232 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcm80.dll
+ 2010-05-06 04:42 . 2010-05-06 04:42 331264 c:\windows\Installer\62c24eb.msi
+ 2006-12-02 05:25 . 2006-12-02 05:25 1093120 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80u.dll
+ 2006-12-02 05:25 . 2006-12-02 05:25 1101824 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80.dll
+ 2010-05-06 04:55 . 2010-05-06 04:55 3668992 c:\windows\Installer\62c2746.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-09-26 185640]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Wireless-G Notebook Adapter with SRX Utility.lnk.disabled [2009-12-14 1995]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk.disabled [2010-2-6 1787]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"PeerGuardian"=c:\program files\PeerGuardian2\pg2.exe
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"eabconfg.cpl"=c:\program files\Compaq\EAB\EABSERVR.EXE /Start
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
"ATIPTA"=c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
"LidPolicy"=c:\program files\Hewlett-Packard\LidSwitch Policy\pwrschem.exe
"LTWinModem1"=ltmsg.exe 9
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
"RegistryMechanic"=c:\program files\Registry Mechanic\RegMech.exe /QS
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
"TrojanScanner"=c:\program files\Trojan Remover\Trjscan.exe /boot
"UnlockerAssistant"=c:\program files\Unlocker\UnlockerAssistant.exe -H
"WGA Watchdog"=c:\windows\system32\WGAwatchLauncher.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\Phantom EFX\\OnlineCasino\\Bin\\Prelauncher.exe"=
"c:\\Program Files\\Phantom EFX\\OnlineCasino\\Launcher\\OLCLauncher.exe"=

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [3/19/2009 12:45 PM 93848]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [3/19/2009 12:44 PM 731840]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [9/25/2009 11:32 PM 189736]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/14/2009 11:05 PM 303952]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [12/14/2009 11:05 PM 20824]
S1 ehdrv;ehdrv;c:\windows\system32\Drivers\ehdrv.svs --> c:\windows\system32\Drivers\ehdrv.svs [?]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [3/9/2010 11:08 AM 40832]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [3/28/2010 4:50 PM 691696]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ASPI32
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://mma-hd.com/torrents-today.php
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\dq7jwt1i.default\
FF - prefs.js: browser.startup.homepage - hxxp://mma-hd.com/torrents-today.php
FF - plugin: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\dq7jwt1i.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-06 18:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ehdrv]
"ImagePath"="System32\Drivers\ehdrv.svs"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-602162358-484763869-1957994488-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,24,61,fd,26,bb,ca,14,45,80,75,34,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,24,61,fd,26,bb,ca,14,45,80,75,34,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(628)
c:\windows\system32\WININET.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\windows\system32\SearchIndexer.exe
.
**************************************************************************
.
Completion time: 2010-05-06 18:27:49 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-06 23:27
ComboFix2.txt 2010-05-04 23:35

Pre-Run: 4,133,380,096 bytes free
Post-Run: 4,370,800,640 bytes free

- - End Of File - - EDF000CA5BE83B8D64D0A1F30F579EC4


#8 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender: Male
  • Location: Munich, Germany
  • Local time: 04:00 AM

Posted 08 May 2010 - 06:03 AM

Hi,



Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    wscntfy*

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.

#9 wright0101

wright0101
  • Topic Starter

  • Members
  • 24 posts
  • Local time: 10:00 PM

Posted 08 May 2010 - 12:58 PM

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 12:53 on 08/05/2010 by Administrator (Administrator - Elevation successful)

========== filefind ==========

Searching for "wscntfy*"
No files found.

-=End Of File=-

#10 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender: Male
  • Location: Munich, Germany
  • Local time: 04:00 AM

Posted 08 May 2010 - 11:22 PM

Hi,

Do you have your Windows CD handy?
regards,
schrauber


#11 wright0101

wright0101
  • Topic Starter

  • Members
  • 24 posts
  • Local time: 10:00 PM

Posted 08 May 2010 - 11:44 PM

No, I can probably get one tomorrow.

#12 wright0101

wright0101
  • Topic Starter

  • Members
  • 24 posts
  • Local time: 10:00 PM

Posted 09 May 2010 - 05:43 PM

No luck finding the XP disk. Are there any other options available?

#13 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender: Male
  • Location: Munich, Germany
  • Local time: 04:00 AM

Posted 11 May 2010 - 02:39 PM

Not really. Can you borrow one?
regards,
schrauber


#14 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender: Male
  • Location: Munich, Germany
  • Local time: 04:00 AM

Posted 15 May 2010 - 04:08 AM

Due to the lack of feedback, this topic is now closed.
If you need this topic reopened, please PM a staff member and we will reopen it for you (include the address of this thread in your request). This applies to the original topic starter only. Everyone else with similar problems, please start a new topic.
regards,
schrauber


#15 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender: Male
  • Location: Munich, Germany
  • Local time: 04:00 AM

Posted 20 May 2010 - 02:24 AM

Reopened by user request.
regards,
schrauber
