Constant Search Re-Direction & Problems With Windows Update.


This topic is locked
13 replies to this topic

#1 intarest


Posted 01 May 2010 - 09:23 AM

A few days ago I got "hit" by one of the dreaded "download anti-virus software bugs" which are unfortunately doing the rounds at present. I got that sorted / removed, and to the very best of my knowledge, no traces remain.
However, since that time I have started to suffer constant difficulties with search-engine re-direction (Google & Bing) whilst using Firefox, and appear to have picked up another problem (quite possibly unrelated & caused by Microsoft) which prevents me from checking for updates on Windows Update - when you check, it returns the error no. 80072EFE, and offers absolutely no direct help / guidance as to how it may be overcome.
I am fully covered by an ESET Smart Security license, and so I contacted their UK technical support team for a resolution. I have a long-standing IT background, and suffice to say I was extremely disappointed by their efforts. I was watching the remote-controlled session, and to be honest it appeared that they hadn't got a clue, as they proceeded to conduct an entirely hit & miss / sporadic series of efforts to employ a range of freeware utilities to identify & correct the problems. I had tried most of these myself, but it was clear that they became increasingly frustrated with their repeated failures, and ended up mistakenly deleting registry keys & references to legitimate secure applications, i.e. Nero MediaHome etc., and removing my fixed IP address (it is there for a very good reason), because they simply did not know what to do next!! After over 6 hours' activity, they actually gave up, and suggested that I should consider re-building my machine environment from scratch - what a bunch of numpties!!!
I have followed all of the (extremely helpful) advice on this site, in terms of running applications / utilities to remove temp files & check for malware using both Malwarebytes & SUPERAntiSpyware, but although they both found & deleted some errors, the re-direction errors still continue unabated, and Windows Update remains almost totally inaccessible - an odd condition: it will work immediately following a fresh re-boot, but then stops again a few minutes later!?!
I am therefore attaching the output files from both GMER & HijackThis, as it seems that there are some helpful & knowledgeable people out there who can interpret the results, and offer advice & guidance. I note that there is a reference in the GMER output to "suspicious" modifications on 2 system files. However, the nvstor32.sys file was submitted to ESET for checking, and they said it was a false positive which did not require attention. I have also submitted the mousewear driver to them for further analysis, but currently await any conclusion / feedback.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 14:50:05, on 01/05/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18904)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\nvraidservice.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\OO Software\Defrag\oodtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\FlashGet\flashget.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Nero\Nero MediaHome 4\NeroMediaHome.exe
C:\Program Files\Belkin\Network USB Hub Control Center\Connect.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HiJack This\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.uk.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.uk.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: (no name) - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [NVRaidService] C:\Windows\system32\nvraidservice.exe
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [OODefragTray] C:\Program Files\OO Software\Defrag\oodtray.exe
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Flashget] C:\Program Files\FlashGet\flashget.exe /min
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Nero MediaHome 4] "C:\Program Files\Nero\Nero MediaHome 4\NeroMediaHome.exe" /AUTORUN
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Nero MediaHome 4] "C:\Program Files\Nero\Nero MediaHome 4\NeroMediaHome.exe" /AUTORUN
O4 - Startup: Belkin Network USB Hub Control Center.lnk = C:\Program Files\Belkin\Network USB Hub Control Center\Connect.exe
O4 - Global Startup: AutorunsDisabled
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O15 - Trusted Zone: http://*.mcafee.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{BC920E49-3E13-4AC8-BC58-6ED7D142691F}: NameServer = 194.72.9.34,194.72.0.114
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Acronis Nonstop Backup service (afcdpsrv) - Acronis - C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Nero MediaHome 4 Service (NeroMediaHomeService.4) - Nero AG - C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\Program Files\OO Software\Defrag\oodag.exe
O23 - Service: Rapport Management Service (RapportMgmtService) - Trusteer Ltd. - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
O23 - Service: NEWTScanner Service (SvcNEWTScanner) - Komodo Laboratories LLC - C:\Windows\System32\NEWTScannerSvc.exe
O23 - Service: Watch Dog for BT Common Client - British Telecommunications Plc. - C:\Program Files\BT Common Client\btomodog.exe

--
End of file - 9685 bytes

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-01 12:35:44
Windows 6.0.6002 Service Pack 2
Running: q7m6dz78.exe; Driver: C:\Users\chrisr\AppData\Local\Temp\fwdyruod.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwAssignProcessToJobObject [0x9064AD92]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwCreateFile [0x9064B49E]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwDeleteFile [0x9064B5EA]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwDeleteKey [0x9064ED58]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwDeleteValueKey [0x9064ED8A]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwOpenFile [0x9064B54E]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwOpenProcess [0x9064AED6]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwOpenThread [0x9064B0C8]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwProtectVirtualMemory [0x9064B1FA]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwQueryValueKey [0x9064EE62]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwRenameKey [0x9064EDCC]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwReplaceKey [0x9064EDFE]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwRestoreKey [0x9064EE30]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwSetContextThread [0x9064AD40]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwSetInformationFile [0x9064B64A]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwSetValueKey [0x9064ECF0]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwSuspendThread [0x9064ACE4]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwTerminateProcess [0x9064AC40]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwTerminateThread [0x9064AC88]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 191 82AF68F4 4 Bytes [92, AD, 64, 90]
.text ntkrnlpa.exe!KeSetEvent + 1D9 82AF693C 4 Bytes [9E, B4, 64, 90] {SAHF ; MOV AH, 0x64; NOP }
.text ntkrnlpa.exe!KeSetEvent + 2D1 82AF6A34 8 Bytes JMP 589064B5
.text ntkrnlpa.exe!KeSetEvent + 2E1 82AF6A44 4 Bytes [8A, ED, 64, 90]
.text ntkrnlpa.exe!KeSetEvent + 3D1 82AF6B34 4 Bytes [4E, B5, 64, 90] {DEC ESI; MOV CH, 0x64; NOP }
.text ...
.rsrc C:\Windows\system32\DRIVERS\mouclass.sys entry point in ".rsrc" section [0x8AB74014]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1624] ntdll.dll!KiUserApcDispatcher 77115D18 5 Bytes JMP 00412220 C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe (RapportMgmtService/Trusteer Ltd.)
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1624] USER32.dll!InSendMessageEx + 3B1 76B9E6B0 6 Bytes JMP 716E001E
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1624] WS2_32.dll!getaddrinfo 7586418A 5 Bytes JMP 71640022
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1624] WS2_32.dll!gethostbyname 758762D4 5 Bytes JMP 71670022
.text C:\Windows\system32\svchost.exe[1800] ntdll.dll!NtProtectVirtualMemory 77114D34 5 Bytes JMP 0014000A
.text C:\Windows\system32\svchost.exe[1800] ntdll.dll!NtWriteVirtualMemory 77115674 5 Bytes JMP 0015000A
.text C:\Windows\system32\svchost.exe[1800] ntdll.dll!KiUserExceptionDispatcher 77115DC8 5 Bytes JMP 0013000A
.text C:\Windows\system32\svchost.exe[1800] ole32.dll!CoCreateInstance 76D59EA6 5 Bytes JMP 020F000A
.text C:\Windows\system32\svchost.exe[1800] USER32.dll!GetCursorPos 76BB0B88 5 Bytes JMP 0212000A
.text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[2412] kernel32.dll!SetUnhandledExceptionFilter 75B5A84F 4 Bytes [C2, 04, 00, 00]
.text C:\Windows\Explorer.EXE[3988] ntdll.dll!NtProtectVirtualMemory 77114D34 5 Bytes JMP 016D000A
.text C:\Windows\Explorer.EXE[3988] ntdll.dll!NtWriteVirtualMemory 77115674 5 Bytes JMP 016E000A
.text C:\Windows\Explorer.EXE[3988] ntdll.dll!KiUserExceptionDispatcher 77115DC8 5 Bytes JMP 016C000A
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[4084] ntdll.dll!KiUserApcDispatcher 77115D18 5 Bytes JMP 00439530 C:\Program Files\Trusteer\Rapport\bin\RapportService.exe (RapportService/Trusteer Ltd.)
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[4084] WS2_32.dll!getaddrinfo 7586418A 5 Bytes JMP 71670022
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[4084] WS2_32.dll!gethostbyname 758762D4 5 Bytes JMP 716E0022

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[3988] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [745A7817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3988] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [745FA86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3988] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [745ABB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3988] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7459F695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3988] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [745A75E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3988] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [7459E7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3988] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [745D8395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3988] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [745ADA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3988] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [7459FFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3988] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [7459FF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3988] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [745971CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3988] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [7462CAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3988] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [745CC8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3988] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [7459D968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3988] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [74596853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3988] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [7459687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3988] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [745A2AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[4128] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [00407650] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[4128] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [00407870] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[4128] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [00407850] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[4128] @ C:\Windows\system32\USER32.dll [ADVAPI32.dll!RegOpenKeyExW] [00408DE0] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[4128] @ C:\Windows\system32\USER32.dll [ADVAPI32.dll!RegCreateKeyExW] [00408AD0] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[4128] @ C:\Windows\system32\USER32.dll [ADVAPI32.dll!RegCloseKey] [004087F0] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[4128] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [00407650] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[4128] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [00407870] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[4128] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [00407850] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[4128] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [00407870] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[4128] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] [00407650] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[4128] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryW] [00407850] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[4128] @ C:\Windows\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [00407870] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[4128] @ C:\Windows\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] [00407850] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[4128] @ C:\Windows\system32\RPCRT4.dll [ADVAPI32.dll!RegCreateKeyExA] [004088F0] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[4128] @ C:\Windows\system32\RPCRT4.dll [ADVAPI32.dll!RegOpenKeyExA] [00408C40] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[4128] @ C:\Windows\system32\RPCRT4.dll [ADVAPI32.dll!RegCloseKey] [004087F0] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[4128] @ C:\Windows\system32\RPCRT4.dll [ADVAPI32.dll!RegOpenKeyExW] [00408DE0] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[4128] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [00407650] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[4128] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [00407850] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[4128] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [00407870] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[4128] @ C:\Windows\system32\SHELL32.dll [ADVAPI32.dll!RegOpenKeyExW] [00408DE0] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[4128] @ C:\Windows\system32\SHELL32.dll [ADVAPI32.dll!RegCreateKeyExW] [00408AD0] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[4128] @ C:\Windows\system32\SHELL32.dll [ADVAPI32.dll!RegOpenKeyExA] [00408C40] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[4128] @ C:\Windows\system32\SHELL32.dll [ADVAPI32.dll!RegCloseKey] [004087F0] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[4128] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryA] [00407870] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[4128] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryW] [00407850] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[4128] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [00407850] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[4128] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [00407650] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[4128] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [00407870] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[4128] @ C:\Windows\system32\SHLWAPI.dll [ADVAPI32.dll!RegCloseKey] [004087F0] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[4128] @ C:\Windows\system32\SHLWAPI.dll [ADVAPI32.dll!RegCreateKeyExA] [004088F0] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[4128] @ C:\Windows\system32\SHLWAPI.dll [ADVAPI32.dll!RegOpenKeyExA] [00408C40] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[4128] @ C:\Windows\system32\SHLWAPI.dll [ADVAPI32.dll!RegCreateKeyExW] [00408AD0] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[4128] @ C:\Windows\system32\SHLWAPI.dll [ADVAPI32.dll!RegOpenKeyExW] [00408DE0] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[4128] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [00407650] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[4128] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] [00407850] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[4128] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [00407870] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[4128] @ C:\Windows\system32\ole32.dll [ADVAPI32.dll!RegOpenUserClassesRoot] [00408590] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[4128] @ C:\Windows\system32\ole32.dll [ADVAPI32.dll!RegCloseKey] [004087F0] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[4128] @ C:\Windows\system32\ole32.dll [ADVAPI32.dll!RegOpenKeyExW] [00408DE0] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[4128] @ C:\Windows\system32\ole32.dll [ADVAPI32.dll!RegCreateKeyExW] [00408AD0] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[4128] @ C:\Windows\system32\ole32.dll [ADVAPI32.dll!RegOpenKeyExA] [00408C40] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[4128] @ C:\Windows\system32\WININET.dll [ADVAPI32.dll!RegCreateKeyExW] [00408AD0] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[4128] @ C:\Windows\system32\WININET.dll [ADVAPI32.dll!RegOpenKeyExW] [00408DE0] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[4128] @ C:\Windows\system32\WININET.dll [ADVAPI32.dll!RegCreateKeyExA] [004088F0] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[4128] @ C:\Windows\system32\WININET.dll [ADVAPI32.dll!RegOpenKeyExA] [00408C40] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[4128] @ C:\Windows\system32\WININET.dll [ADVAPI32.dll!RegCloseKey] [004087F0] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[4128] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!LoadLibraryW] [00407850] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[4128] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!LoadLibraryExW] [00407650] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[4128] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!LoadLibraryA] [00407870] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[4128] @ C:\Windows\system32\IPHLPAPI.DLL [KERNEL32.dll!LoadLibraryA] [00407870] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[4128] @ C:\Windows\system32\IPHLPAPI.DLL [ADVAPI32.dll!RegOpenKeyExA] [00408C40] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[4128] @ C:\Windows\system32\IPHLPAPI.DLL [ADVAPI32.dll!RegCloseKey] [004087F0] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[4128] @ C:\Windows\system32\WS2_32.dll [ADVAPI32.dll!RegCreateKeyExA] [004088F0] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[4128] @ C:\Windows\system32\WS2_32.dll [ADVAPI32.dll!RegCloseKey] [004087F0] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[4128] @ C:\Windows\system32\WS2_32.dll [ADVAPI32.dll!RegOpenKeyExA] [00408C40] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[4128] @ C:\Windows\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryA] [00407870] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[4128] @ C:\Windows\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryExW] [00407650] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[4128] @ C:\Windows\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryW] [00407850] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[4128] @ C:\Windows\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] [00407870] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[4128] @ C:\Windows\system32\Secur32.dll [KERNEL32.dll!LoadLibraryW] [00407850] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[4128] @ C:\Windows\system32\Secur32.dll [ADVAPI32.dll!RegCreateKeyExW] [00408AD0] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[4128] @ C:\Windows\system32\Secur32.dll [ADVAPI32.dll!RegOpenKeyExW] [00408DE0] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[4128] @ C:\Windows\system32\Secur32.dll [ADVAPI32.dll!RegCloseKey] [004087F0] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[4128] @ C:\Windows\system32\USERENV.dll [KERNEL32.dll!LoadLibraryA] [00407870] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[4128] @ C:\Windows\system32\USERENV.dll [ADVAPI32.dll!RegCreateKeyExW] [00408AD0] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[4128] @ C:\Windows\system32\USERENV.dll [ADVAPI32.dll!RegOpenKeyExW] [00408DE0] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[4128] @ C:\Windows\system32\USERENV.dll [ADVAPI32.dll!RegCloseKey] [004087F0] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)

AttachedDevice tdrpm251.sys (Acronis Try&Decide Volume Filter Driver/Acronis)

Device fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy3 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy4 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy5 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy6 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy7 snapman.sys (Acronis Snapshot API/Acronis)

Device usbhub.sys (Default Hub Driver for USB/Microsoft Corporation)

AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy8 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy9 snapman.sys (Acronis Snapshot API/Acronis)

Device volmgr.sys (Volume Manager Driver/Microsoft Corporation)

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy10 snapman.sys (Acronis Snapshot API/Acronis)

Device USBSTOR.SYS (USB Mass Storage Class Driver/Microsoft Corporation)

AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy11 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy12 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy13 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy14 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy15 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy16 snapman.sys (Acronis Snapshot API/Acronis)

Device -> \Driver\nvstor32 \Device\Harddisk0\DR0 87A1BEE4

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG11.00.00.01WORKSTATION
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG12.00.00.01PROFESSIONAL

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\DRIVERS\mouclass.sys suspicious modification
File C:\Windows\system32\nvstor32.sys suspicious modification

---- EOF - GMER 1.0.15 ----

Many thanks in the hope of some informed advice & information.

Best Regards,

Intarest.
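The GMER section above is a wall of IAT lines, and what matters in each one is where the hook lands. The script below is an added example, not part of the thread and not GMER's code: it parses lines in the layout GMER 1.0.15 prints above (process and PID, the importing module, the imported function, the hook address, the module the hook now points to, and GMER's version-info description of that module) and sorts each hook into "self" (the hook lands inside the process's own executable, which is what every Nero MediaHome line above does) or "foreign" (it lands in a different module, which is where an injected DLL would show up). The sample log in the block is constructed: two lines are copied from the log above, the third is a hypothetical foreign hook whose PID 1480 and `hypothetical.dll` path are invented for the demo.

```python
"""Sort GMER 'IAT' hook lines into self-hooks and foreign hooks.

Added example, not part of the thread and not GMER's code. The line layout is the
one GMER 1.0.15 printed in the log above; SAMPLE_LOG is constructed for the demo.
"""
import re
from collections import Counter
from typing import Any, Dict, List

# IAT <process>[<pid>] @ <importing module> [<dll>!<function>] [<hook addr>] <target module> (<version-info description>)
# GMER omits the trailing description when the target file carries no version information.
IAT_LINE = re.compile(
    r"^IAT\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+@\s+(?P<importer>.+?)\s+"
    r"\[(?P<dll>[^!\]]+)!(?P<func>[^\]]+)\]\s+\[(?P<addr>[0-9A-Fa-f]+)\]\s+"
    r"(?P<target>.+?)(?:\s+\((?P<desc>[^)]*)\))?\s*$"
)

# Constructed sample: the first two IAT lines are copied from the log above; the third is a
# hypothetical foreign hook (PID 1480 and hypothetical.dll are invented for this demo).
SAMPLE_LOG = r"""
IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[4128] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] [00407850] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[4128] @ C:\Windows\system32\WS2_32.dll [ADVAPI32.dll!RegOpenKeyExA] [00408C40] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
IAT C:\Windows\Explorer.EXE[1480] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!LoadLibraryA] [10001F20] C:\Users\example\AppData\Roaming\hypothetical.dll

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
"""


def parse_iat_lines(text: str) -> List[Dict[str, Any]]:
    """One dict per IAT line; header, Device and blank lines are skipped."""
    entries: List[Dict[str, Any]] = []
    for raw in text.splitlines():
        m = IAT_LINE.match(raw.strip())
        if m:
            e: Dict[str, Any] = m.groupdict()
            e["pid"] = int(e["pid"])
            e["addr"] = int(e["addr"], 16)
            entries.append(e)
    return entries


def classify(entry: Dict[str, Any]) -> str:
    """'self': the import now points into the process's own executable, as every Nero
    MediaHome line above does (an application wrapping its own imports).
    'foreign': it points into some other module; that module is the next thing to inspect."""
    return "self" if entry["target"].lower() == entry["process"].lower() else "foreign"


def summarize(entries: List[Dict[str, Any]]) -> Counter:
    """Hook count per (process image, target module, verdict)."""
    return Counter((e["process"], e["target"], classify(e)) for e in entries)


def suspicious(entries: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Foreign hooks whose target has no version-info description: a nameless DLL
    hooking LoadLibrary* or networking imports deserves a look before anything else."""
    return [e for e in entries if classify(e) == "foreign" and not e["desc"]]


if __name__ == "__main__":
    found = parse_iat_lines(SAMPLE_LOG)
    for (proc, target, verdict), n in sorted(summarize(found).items()):
        print(f"{verdict:8} {n:3}  {proc}  ->  {target}")
    for e in suspicious(found):
        print(f"LOOK AT: {e['target']} hooks {e['dll']}!{e['func']} in {e['process']} (pid {e['pid']})")
```

A "foreign" verdict is a prompt to look, not a conviction: security products and shell extensions hook imports legitimately, so the vendor description and the file's signature are the next check. Every line in the section above classifies as "self", so this part of the log does not show an injected module.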



#2 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:11:50 AM

Posted 01 May 2010 - 10:28 AM

Hello intarest,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • Finally, please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.

1.
We need to disable Spybot S&D's "TeaTimer"
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half finished fix, we need to disable TeaTimer. We can reenable it when we're done if you like.
  1. Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  2. If prompted with a legal dialog, accept the warning.
  3. Click and then on "Advanced Mode"
  4. You may be presented with a warning dialog. If so, press
  5. Click on
  6. Click on
  7. Uncheck this checkbox:
  8. Close/Exit Spybot Search and Destroy


2.
Run HijackThis.
Click on Do a system scan only.
Place a checkmark next to these lines (if still present).

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: (no name) - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - (no file)
O4 - Global Startup: AutorunsDisabled
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)


Then close all windows except HijackThis and click Fix Checked.

Restart

3.
Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.
More information, with a screenshot, can be found here.


4.
Download and Run RKill
    Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

    Link 1
    Link 2
    Link 3
    Link 4

  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply

5.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.


Things to include in your next reply:
HiJackThis log
Uninstall-list.txt
Combofix.txt
How is your machine running now?


" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!
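Step 2 above asks HijackThis to fix several `O2 - BHO` lines that end in `(no file)`. That suffix means the CLSID is still listed under Internet Explorer's Browser Helper Objects key but no longer resolves to a DLL on disk, and the `AutorunsDisabled` entries are the holding subkey Sysinternals Autoruns creates when an item is unchecked. Both keys live under HKLM, which is why removing them needs an elevated process under Vista's UAC. The script below is an added example, not code from the thread or from HijackThis: it audits BHO registrations the way an O2 line reports them and renders the result in the same layout. `SAMPLE_SNAPSHOT` and `sample_exists` are constructed from entries that appear in this thread's logs so the logic runs on any platform; `snapshot_from_registry()` reads the live hive read-only and only works on Windows.

```python
"""Audit Internet Explorer BHO registrations and render them as HijackThis O2 lines.

Added example, not code from the thread or from HijackThis. BHO_KEY and the CLSID lookup
are the real registry locations; SAMPLE_SNAPSHOT is constructed from entries in this
thread's logs so the logic runs anywhere. snapshot_from_registry() is Windows only.
"""
import os
import re
from typing import Callable, Dict, List, Tuple

try:
    import winreg  # Windows only
except ImportError:  # elsewhere only the constructed snapshot is usable
    winreg = None

BHO_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
GUID = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

# Constructed snapshot: one live BHO (the Adobe entry from the DDS log later in the thread),
# one CLSID from the HijackThis list above whose CLSID key no longer exists, and the
# "AutorunsDisabled" subkey Sysinternals Autoruns leaves behind when an entry is unchecked.
SAMPLE_SNAPSHOT: Dict = {
    "bho": [
        "{18df081c-e8ad-4283-a596-fa578c2ebdc3}",
        "{02478D38-C3F9-4efb-9B51-7695ECA05670}",
        "AutorunsDisabled",
    ],
    "clsid": {
        "{18df081c-e8ad-4283-a596-fa578c2ebdc3}": {
            "name": "Adobe PDF Link Helper",
            "inproc": r"c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll",
        },
    },
}


def sample_exists(path: str) -> bool:
    """Stand-in for os.path.isfile over the constructed snapshot."""
    return path.lower() == r"c:\program files\common files\adobe\acrobat\activex\acroiehelpershim.dll"


def audit(snapshot: Dict, exists: Callable[[str], bool] = os.path.isfile) -> List[Tuple[str, str, str]]:
    """(subkey, display name, verdict) for each registration under BHO_KEY.
    'ok'          : CLSID resolves to an InProcServer32 DLL that is present on disk
    'no file'     : no CLSID key, no InProcServer32, or the DLL is gone (HijackThis prints '(no file)')
    'not a clsid' : the subkey is not a GUID at all, e.g. Autoruns' holding key"""
    results: List[Tuple[str, str, str]] = []
    for sub in snapshot["bho"]:
        if not GUID.match(sub):
            results.append((sub, "(no name)", "not a clsid"))
            continue
        info = snapshot["clsid"].get(sub, {})
        name = info.get("name") or "(no name)"
        dll = info.get("inproc")
        verdict = "ok" if dll and exists(os.path.expandvars(dll.strip('"'))) else "no file"
        results.append((sub, name, verdict))
    return results


def to_o2_lines(results: List[Tuple[str, str, str]], snapshot: Dict) -> List[str]:
    """Render in the HijackThis O2 layout used in the list above."""
    lines = []
    for sub, name, verdict in results:
        dll = snapshot["clsid"][sub]["inproc"] if verdict == "ok" else "(no file)"
        lines.append(f"O2 - BHO: {name} - {sub} - {dll}")
    return lines


def snapshot_from_registry() -> Dict:
    """Windows only: enumerate BHO_KEY and each CLSID's default name and InProcServer32 path."""
    if winreg is None:
        raise RuntimeError("winreg unavailable: not running on Windows")
    snap: Dict = {"bho": [], "clsid": {}}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, BHO_KEY) as key:
        i = 0
        while True:
            try:
                snap["bho"].append(winreg.EnumKey(key, i))
            except OSError:
                break
            i += 1
    for sub in snap["bho"]:
        try:
            with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, r"CLSID\%s" % sub) as ck:
                entry = {"name": winreg.QueryValue(ck, None) or None, "inproc": None}
                try:
                    entry["inproc"] = winreg.QueryValue(ck, "InProcServer32") or None
                except OSError:
                    pass  # CLSID key exists but has no server: audit() reports 'no file'
                snap["clsid"][sub] = entry
        except OSError:
            pass  # no CLSID key at all: audit() reports 'no file'
    return snap


if __name__ == "__main__":
    for line in to_o2_lines(audit(SAMPLE_SNAPSHOT, exists=sample_exists), SAMPLE_SNAPSHOT):
        print(line)
```

The poster's machine is 32-bit Vista, so the key above is the whole story; on 64-bit Windows the 32-bit IE BHO list sits under Wow6432Node and `winreg.OpenKey` needs `KEY_WOW64_32KEY` to see it.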


#3 intarest

intarest
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:11:50 AM

Posted 01 May 2010 - 11:24 AM

Many, many thanks for such a quick reply, and so much great information.

OK, so I am working through the list of instructions, but thought it wise to check with you if something doesn't appear to have worked properly, before moving on to further steps.

Spybot fixed, no problem.

However, HijackThis doesn't seem to be doing everything it should do. I followed your instructions to the letter, but although it has successfully removed the 3 R0 entries, it has not removed the remainder of the list, ie the O2s, O4 & O18. I did make sure that all other windows & applications were closed, & temporarily disabled Eset protection, but even after a re-start it still shows those entries when I re-scan my system.

Any clues / something to worry about ?

I will "hold my foot up" until I hear back further from you.

Very best regards,

Intarest.

#4 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:11:50 AM

Posted 01 May 2010 - 01:04 PM

Hello,

QUOTE
Any clues / something to worry about ?

No need to worry, just go on to the next steps.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#5 intarest

intarest
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:11:50 AM

Posted 01 May 2010 - 03:12 PM

Hi again. Mixed fortunes I'm afraid, so I guess I will require some further suggestions.

I had another go at HijackThis, but this time with UAC turned off temporarily. This time it succeeded in deleting / correcting all but the last item on your original list.

The report from the uninstall manager follows :-

AC3Filter 1.63b
Acer ScreenSaver
Acronis True Image Home
Adobe AIR
Adobe AIR
Adobe Download Manager
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.3.2
Adobe Shockwave Player 11.5
Advertising Center
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Ashampoo Music Studio 3 3.51
Audacity 1.3.7 (Unicode)
BBC iPlayer Desktop
BBC iPlayer Desktop
Belkin Network USB Hub Control Center
BlackBerry Desktop Software 5.0.1
BlackBerry Desktop Software 5.0.1
BT Connection Manager
CanoScan Toolbox Ver4.1
CCleaner
CleanMem
CleanMyPC - Registry Cleaner
ConvertXtoDVD 3.8.0.193f
CrackUtil
DHTML Editing Component
DirectVobSub (remove only)
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Web Player
DolbyFiles
DriverMax 5
Duplicate Cleaner 1.4.4
DVD Shrink 3.2
EASEUS Partition Master 3.5 Home Edition
ESET Online Scanner v3
Extension Renamer
ffdshow [rev 1723] [2007-12-24]
File Splitter and Joiner (FFSJ v3.3)
FlashGet 1.9.6.1073
GIMP 2.6.7
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
ieSpell
ImageMixer for HDD Camcorder
Intel® Processor ID Utility
iTunes
Java™ 6 Update 20
Junk Mail filter update
Karen's Directory Printer
LAME v3.98.2 for Audacity
Macallan Convert Srt To Ssa
Malwarebytes' Anti-Malware
Menu Templates - Starter Kit
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Choice Guard
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Live Add-in 1.3
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook Connector
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Ultimate 2007
Microsoft Office Ultimate 2007
Microsoft Office Visio Standard 2003
Microsoft Office Word MUI (English) 2007
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable
Movie Templates - Starter Kit
Mozilla Firefox (3.6.3)
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nero 9
Nero BurnRights
Nero ControlCenter
Nero ControlCenter
Nero CoverDesigner
Nero Disc Copy Gadget
Nero DiscSpeed
Nero DriveSpeed
Nero InfoTool
Nero Installer
Nero MediaHome 4
Nero MediaHome 4
Nero MediaHome 4 Help
Nero PhotoSnap
Nero Recode
Nero Rescue Agent
Nero ShowTime
Nero StartSmart
Nero Vision
Nero WaveEditor
NeroBurningROM
NeroExpress
NeroLiveGadget
neroxml
NEWT Professional 2.5.154
NTI Backup NOW! 4.7
NTI CD & DVD-Maker
NVIDIA Display Control Panel
NVIDIA Drivers
O&O Defrag Professional
OGA Notifier 2.0.0048.0
PDFCreator
PhotoScape
PixiePack Codec Pack
PVSonyDll
QuickTime
QuickTime Alternative 3.0.1
Rapport
Rapport
Realtek High Definition Audio Driver
Revo Uninstaller 1.83
Roxio Media Manager
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB978380)
Security Update for Microsoft Office Excel 2007 (KB978382)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB980470)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Some PDF Image Extractr 1.5
Sonic MyDVD-VR
SopCast 3.2.4
Sophos Anti-Rootkit 1.5.0
SoundTrax
Spelling Dictionaries Support For Adobe Reader 9
Spybot - Search & Destroy
SUPERAntiSpyware Free Edition
System Requirements Lab
Tag&Rename 3.5.2
Tunebite
TVersity Codec Pack 1.2
TVUPlayer 2.5.0.1
Update for 2007 Microsoft Office System (KB967642)
Update for 2007 Microsoft Office System (KB981715)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office InfoPath 2007 (KB976416)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 (KB974561)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (kb981433)
VC80CRTRedist - 8.0.50727.4053
Virus Effect Remover©
Windows Installer Clean Up
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Movie Maker
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Toolbar
Windows Live Upload Tool
Windows Live Writer
Windows Media Player Firefox Plugin
WinRAR archiver
Xvid 1.2.1 final uninstall
ZSoft Uninstaller 2.4.1

RKill ran successfully. Output report attached.

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as chrisr on 01/05/2010 at 19:44:59.


Processes terminated by Rkill or while it was running:


C:\Users\chrisr\Desktop\rkill.exe


Rkill completed on 01/05/2010 at 19:45:04.

However, despite following your complete directions, ComboFix just starts up and opens a blue command screen and then does absolutely nothing further. I left it for at least an hour, but checking via Task Manager I could easily confirm that it wasn't actually processing at all. I tried running it "normally" and as Administrator but unfortunately had the same result on both occasions.

Do you have any further advice please, as to how to get it running ?

Many thanks & best regards,

Intarest.

#6 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:11:50 AM

Posted 01 May 2010 - 04:35 PM

Hello,

Delete the copy of ComboFix you have on your desktop. Now download a fresh copy to your desktop and try to run it in Safe Mode with Networking.

Now reboot into Safe Mode.
This can be done tapping the F8 key as soon as you start your computer
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option with networking support.
Please see here for additional details.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#7 intarest

intarest
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:11:50 AM

Posted 01 May 2010 - 06:28 PM

It took a little time to get the ComboFix utility working (said it needed an actual Admin to run it, although I was logged on with Admin privileges), but I eventually got it going. The first time it ran, it got so far & then said that it had identified rootkit activity & needed to reboot the machine. That seemed to work, but there was no report generated, so I downloaded it again and re-ran. This time it "chugged along" for quite a while, reached the end & I re-booted the machine.

The report generated follows (although it does not say anything about the rootkit - any idea where this information could be stored ?)

ComboFix 10-05-01.02 - chrisr 01/05/2010 23:45:26.1.4 - x86 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2814.2354 [GMT 1:00]
Running from: C:\Users\chrisr\Desktop\Malware & Security Tools\ComboFix.exe
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Users\chrisr\AppData\Roaming\.#
C:\Users\chrisr\AppData\Roaming\inst.exe
C:\Windows\system32\gotomon.log

I'm not really sure what any of the above actually means, but at present it certainly seems that Windows Update is working again, and the search engine re-directs seem to have abated - breathes huge sigh of relief !!!!

Final question - how do I now remove the directories / installation which ComboFix appears to have created, as there does not appear to be any sign of an uninstaller routine? Apart from ComboFix I seem to have acquired a new directory called Qoobox?

Anyway, many, many, many thanks, as you seem to have achieved everything that the idiots at Eset couldn't even begin to figure out.

Is there anything else that I need to do ?

Very best regards,

Intarest.

#8 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:11:50 AM

Posted 01 May 2010 - 06:54 PM

Hello,

Just because your machine is running better doesn't mean it is clean.

QUOTE
Final question - how do I now remove the directories / installation which ComboFix appears to have created, as there does not appear to be any sign of an uninstaller routine ? Apart from CombiFix I seem to acquired a new directory called Qoobox ?

When we are done I will give you instruction for the removal and clean up of our tools. Qoobox is Combofix's quarantine. Don't mess with it.

There should be more to the ComboFix log. It should be located at C:\Combofix.txt. If there is one there please post it here.

If there is no log, please post a DDS log.

Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.

* When done, DDS will open two (2) logs:

1. DDS.txt
2. Attach.txt

Save both reports to your desktop and post the contents of the DDS.txt log. Save the other report in case I need to look at it later.

Things to include in your next reply:
Combofix.txt or DDS.txt
Is your machine still running ok?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#9 intarest

intarest
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:11:50 AM

Posted 01 May 2010 - 07:08 PM

ComboFix did not post a file in the root directory as was originally suggested. It only seems to have created the file I copied into my last message in its own (ComboFix) directory.

The DDS information is as follows :-

DDS (Ver_10-03-17.01) - NTFSx86
Run by chrisr at 1:01:56.48 on 02/05/2010
Internet Explorer: 8.0.6001.18904 BrowserJavaVersion: 1.6.0_20
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2814.1873 [GMT 1:00]

SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\OO Software\Defrag\oodag.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\NEWTScannerSvc.exe
C:\Program Files\BT Common Client\btomodog.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\Windows\System32\nvraidservice.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\OO Software\Defrag\oodtray.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\FlashGet\flashget.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Nero\Nero MediaHome 4\NeroMediaHome.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Belkin\Network USB Hub Control Center\Connect.exe
C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\chrisr\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.bbc.co.uk/
mStart Page = hxxp://en.uk.acer.yahoo.com
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - c:\program files\flashget\jccatch.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: FlashGet GetFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - c:\program files\flashget\getflash.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Nero MediaHome 4] "c:\program files\nero\nero mediahome 4\NeroMediaHome.exe" /AUTORUN
mRun: [NVRaidService] c:\windows\system32\nvraidservice.exe
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [OODefragTray] c:\program files\oo software\defrag\oodtray.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Flashget] c:\program files\flashget\flashget.exe /min
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mRun: [Nero MediaHome 4] "c:\program files\nero\nero mediahome 4\NeroMediaHome.exe" /AUTORUN
StartupFolder: c:\users\chrisr\appdata\roaming\micros~1\windows\startm~1\programs\startup\belkin~1.lnk - c:\program files\belkin\network usb hub control center\Connect.exe
uPolicies-explorer: NoFileUrl = 0 (0x0)
uPolicies-explorer: NoUpdateCheck = 0 (0x0)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &Download All with FlashGet - c:\program files\flashget\jc_all.htm
IE: &Download with FlashGet - c:\program files\flashget\jc_link.htm
IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashget\FlashGet.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: microsoft.com\update
Trusted Zone: microsoft.com\windowsupdate
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
TCP: {BC920E49-3E13-4AC8-BC58-6ED7D142691F} = 194.72.9.34,194.72.0.114
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {B2C3BB6B-E005-4246-B8E5-DF0A4D073CDC} - c:\program files\pixiepack codec pack\InstallerHelper.exe

================= FIREFOX ===================

FF - ProfilePath - c:\users\chrisr\appdata\roaming\mozilla\firefox\profiles\granpnki.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.bbc.co.uk/
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 tdrpman251;Acronis Try&Decide and Restore Points filter (build 251);c:\windows\system32\drivers\tdrpm251.sys [2009-10-13 902432]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2010-3-24 114984]
R1 RapportKELL;RapportKELL;c:\program files\trusteer\rapport\bin\RapportKELL.sys [2010-3-23 58984]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2010-3-23 125160]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2010-1-5 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-1-5 61440]
R2 BTWSp50;BTWSp50 NDIS Protocol Driver;c:\windows\system32\drivers\btwsp50.sys [2007-4-20 24560]
R2 eamonm;eamonm;c:\windows\system32\drivers\eamonm.sys [2010-3-24 133512]
R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2010-3-24 810120]
R2 epfwwfp;epfwwfp;c:\windows\system32\drivers\epfwwfp.sys [2010-3-24 41312]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2010-3-23 779496]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2009-8-21 66592]
R3 PGR1394b;HS 3d Sensor IEEE 1394 Bus host controllers;c:\windows\system32\drivers\HS3dSensor1394.sys [2009-12-8 72704]
R3 sxuptp;SXUPTP Driver;c:\windows\system32\drivers\sxuptp.sys [2009-5-4 58880]
S3 afcdp;afcdp;c:\windows\system32\drivers\afcdp.sys [2009-10-13 159168]
S3 afcdpsrv;Acronis Nonstop Backup service;c:\program files\common files\acronis\cdp\afcdpsrv.exe [2009-10-13 2326920]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-1-5 12872]
S3 WSVD;WSVD;c:\windows\system32\drivers\WSVD.sys [2009-5-3 75776]
S4 BT Common Client;BT Common Client;c:\program files\bt common client\btomosrv.exe [2007-7-3 61440]

=============== Created Last 30 ================

2010-05-01 22:54:15 0 d-sh--w- C:\$RECYCLE.BIN
2010-05-01 22:44:19 0 d-----w- C:\ComboFix
2010-05-01 22:24:00 98816 ----a-w- c:\windows\sed.exe
2010-05-01 22:24:00 77312 ----a-w- c:\windows\MBR.exe
2010-05-01 22:24:00 256512 ----a-w- c:\windows\PEV.exe
2010-05-01 22:24:00 161792 ----a-w- c:\windows\SWREG.exe
2010-05-01 00:09:01 213024 ----a-w- c:\windows\system32\drivers\nvstor32.sys
2010-05-01 00:06:05 0 d-----w- c:\programdata\Spybot - Search & Destroy
2010-04-30 15:43:00 202784 ----a-w- c:\windows\system32\NvRaidServeresm.dll
2010-04-30 15:42:59 538 ----a-w- c:\windows\system32\RegRaidSedona.bat
2010-04-30 15:42:58 7052 ----a-w- c:\windows\system32\nvide.nvu
2010-04-30 15:42:58 62496 ----a-w- c:\windows\system32\NvRaidSvesm.dll
2010-04-30 15:42:58 173088 ----a-w- c:\windows\system32\NvRaidWizardesm.dll
2010-04-30 15:42:12 0 d-----w- c:\users\chrisr\{97576326-f2de-4910-be85-fc478036ec7f}
2010-04-30 15:41:58 0 d-----w- c:\users\chrisr\{8d7d0039-baa4-40f6-b71f-b6cb5c80e8fc}
2010-04-30 15:31:56 705536 ----a-w- c:\windows\system32\cohelper.dll
2010-04-30 15:31:56 6136 ----a-w- c:\windows\system32\drivers\nvphy.bin
2010-04-30 13:59:27 942832 ----a-w- c:\windows\system32\NEWT.dll
2010-04-30 13:59:17 82672 ----a-w- c:\windows\system32\NEWTScannerCOM.exe
2010-04-30 13:59:17 177904 ----a-w- c:\windows\system32\NEWTScan.exe
2010-04-30 13:59:16 78576 ----a-w- c:\windows\system32\NEWTScannerSvc.exe
2010-04-30 13:58:23 241664 ----a-w- c:\windows\system32\ThreadFactoryLib_RUNTIME.dll
2010-04-30 13:58:23 172032 ----a-w- c:\windows\system32\ThreadFactoryOCX_RUNTIME.ocx
2010-04-30 13:58:22 90112 ----a-w- c:\windows\system32\sGraph.ocx
2010-04-30 13:58:22 749568 ----a-w- c:\windows\system32\iGrid300_10Tec.ocx
2010-04-30 13:58:22 267080 ----a-w- c:\windows\system32\tssProgressBarXP.ocx
2010-04-30 13:58:22 143360 ----a-w- c:\windows\system32\vbalIml201_75B4A91C.ocx
2010-04-30 13:58:22 127808 ----a-w- c:\windows\system32\MSWINSCK.OCX
2010-04-30 13:58:21 0 d-----w- c:\program files\Komodo Labs
2010-04-30 13:49:07 140832 ----a-w- c:\windows\nvstor32.sys
2010-04-30 13:21:59 140832 ----a-w- c:\windows\system32\nvstor32.sys
2010-04-30 13:02:03 132128 ----a-w- C:\nvrd32.sys
2010-04-30 12:19:11 75728 ----a-w- c:\program files\isl_cad32.exe
2010-04-30 11:51:35 2 --shatr- c:\windows\winstart.bat
2010-04-30 11:50:55 0 d-----w- c:\program files\UnHackMe
2010-04-30 11:25:55 0 d-----w- c:\programdata\ISL Online Cache
2010-04-30 00:00:57 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-04-29 10:32:18 261094406 ----a-w- c:\windows\MEMORY.DMP
2010-04-29 09:18:57 0 d-----w- c:\program files\HiJack This
2010-04-28 23:59:51 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-28 23:59:18 0 d-----w- c:\programdata\Hitman Pro
2010-04-28 23:59:17 0 d-----w- c:\program files\Hitman Pro 3.5
2010-04-28 11:32:02 0 d-----w- c:\program files\ISL Online
2010-04-28 00:50:02 0 d-----w- c:\program files\Sophos
2010-04-27 15:12:34 0 d-----w- c:\programdata\ESET
2010-04-27 15:12:34 0 d-----w- c:\program files\ESET
2010-04-27 10:26:16 0 d-----w- c:\program files\Virus Secure Lab
2010-04-26 21:49:10 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-22 09:06:42 0 d-----w- c:\users\chrisr\appdata\roaming\Malwarebytes
2010-04-22 09:06:19 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-22 09:06:17 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-22 09:06:17 0 d-----w- c:\programdata\Malwarebytes
2010-04-22 09:06:15 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-14 02:27:30 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-14 02:27:29 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-14 02:27:28 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-14 02:27:21 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-14 02:27:20 3600776 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-14 02:27:18 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-04-14 02:27:13 62464 ----a-w- c:\windows\system32\l3codeca.acm
2010-04-14 02:27:13 220672 ----a-w- c:\windows\system32\l3codecp.acm
2010-04-14 02:27:03 904576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-14 02:27:02 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-04-14 02:27:01 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-04-13 17:56:34 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-13 17:56:31 98304 ----a-w- c:\windows\system32\cabview.dll
2010-04-12 11:14:48 215656 ----a-w- c:\windows\system32\nvcod1910.dll
2010-04-03 17:27:00 985704 ----a-w- c:\windows\system32\nvsvc.dll
2010-04-03 17:27:00 13683816 ----a-w- c:\windows\system32\nvcpl.dll
2010-04-03 17:27:00 129640 ----a-w- c:\windows\system32\nvvsvc.exe
2010-04-03 17:27:00 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-04-03 17:26:56 66714 ----a-w- c:\windows\system32\NvwsApps.xml
2010-04-03 17:26:56 276196 ----a-w- c:\windows\system32\NvApps.xml

==================== Find3M ====================

2010-05-01 22:54:23 34997 ----a-w- c:\programdata\nvModes.dat
2010-05-01 13:18:47 51200 ----a-w- c:\windows\inf\infpub.dat
2010-05-01 13:18:47 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-05-01 13:18:47 143360 ----a-w- c:\windows\inf\infstor.dat
2010-04-03 17:55:32 9386600 ----a-w- c:\windows\system32\nvd3dum.dll
2010-03-24 19:33:54 41312 ----a-w- c:\windows\system32\drivers\epfwwfp.sys
2010-03-24 19:33:50 32584 ----a-w- c:\windows\system32\drivers\epfwndis.sys
2010-03-24 19:33:46 134488 ----a-w- c:\windows\system32\drivers\epfw.sys
2010-03-24 19:31:06 114984 ----a-w- c:\windows\system32\drivers\ehdrv.sys
2010-03-24 19:23:54 133512 ----a-w- c:\windows\system32\drivers\eamonm.sys
2010-03-22 16:12:14 4156 ----a-w- c:\windows\unins000.dat
2010-03-22 16:11:51 794906 ----a-w- c:\windows\unins000.exe
2010-03-17 15:53:36 57888 ----a-w- c:\windows\system32\RtkCoInst.dll
2010-03-17 15:53:36 371232 ----a-w- c:\windows\system32\RtkApoApi.dll
2010-03-17 15:53:36 2649120 ----a-w- c:\windows\system32\RtkAPO.dll
2010-03-17 15:53:30 1749536 ----a-w- c:\windows\system32\RtkPgExt.dll
2010-03-17 15:46:14 3041568 ----a-w- c:\windows\system32\drivers\RTKVHDA.sys
2010-03-17 11:08:32 307616 ----a-w- c:\windows\system32\FMAPO.dll
2010-02-23 06:39:13 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33:45 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 06:33:45 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 04:55:36 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-20 23:06:41 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:05:14 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-02-12 10:32:56 293376 ----a-w- c:\windows\system32\browserchoice.exe
2009-10-28 12:20:02 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-05-03 18:29:05 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2009-05-03 18:29:05 32768 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2009-05-03 18:29:05 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat
2009-05-03 18:29:05 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat

============= FINISH: 1:03:07.84 ===============

Once again, many thanks (so far). Please let me know what I need to do next.

Very best regards,

Intarest.

#10 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:11:50 AM

Posted 01 May 2010 - 07:14 PM

Hello,

Your logs look good! Let's do a little more checking to make sure.

1.
Please download Malwarebytes Anti-Malware (v1.44) and save it to your desktop. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

2.
Please run a BitDefender Online Scan
  • Click I Agree to agree to the EULA.
  • Allow the ActiveX control to install when prompted.
  • Click Click here to scan to begin the scan.
  • Please refrain from using the computer until the scan is finished. This might take a while to run, but it is important that nothing else is running while you scan.
  • When the scan is finished, click on Click here to export the scan results.
  • Save the report to your desktop so you can post it in your next reply.

Things to include in your next reply:
MBAM log
ESet log
A new DDS log
How is your machine running?

"Extinguishing Malware from the world"



#11 intarest

intarest
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:11:50 AM

Posted 02 May 2010 - 06:17 AM

Good morning. I left my machine to run all its overnight routines, and there were no errors. I have tried Windows Update a couple of times today, and it runs through to completion without any difficulties. As regards the browser re-directs, Firefox hasn't encountered any at all so far - so fingers crossed, everything has been resolved.

The logs you requested are as follows :-

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4058

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18904

02/05/2010 11:59:11
mbam-log-2010-05-02 (11-59-11).txt

Scan type: Quick scan
Objects scanned: 158622
Time elapsed: 5 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

QuickScan Beta 32-bit v0.9.9.19
-------------------------------
Scan date: Sun May 02 12:01:31 2010
Machine ID: 58F66F2A



No infection found.
-------------------



Processes
---------
<unsigned> Belkin Network USB Hub Control Center 3104 C:\Program Files\Belkin\Network USB Hub Control Center\Connect.exe
<unsigned> FlashGet 2652 C:\Program Files\FlashGet\flashget.exe
<unsigned> UT1.6.1.exe 5520 C:\Users\chrisr\Downloads\UT1.6.1.exe

<verified> Acronis Scheduler Helper 1628 C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
<verified> Acronis True Image 1236 C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
<verified> ESET Smart Security 1412 C:\Program Files\ESET\ESET Smart Security\egui.exe
<verified> Firefox 1268 C:\Program Files\Mozilla Firefox\firefox.exe
<verified> iTunes 2328 C:\Program Files\iTunes\iTunesHelper.exe
<verified> Microsoft® Windows® Operating System 3140 C:\Windows\ehome\ehmsas.exe
<verified> Microsoft® Windows® Operating System 1920 C:\Windows\ehome\ehtray.exe
<verified> Microsoft® Windows® Operating System 1968 C:\Windows\Explorer.EXE
<verified> Microsoft® Windows® Operating System 3444 C:\Windows\system32\Dwm.exe
<verified> Microsoft® Windows® Operating System 3080 C:\Windows\system32\taskeng.exe
<verified> Microsoft® Windows® Operating System 3608 C:\Windows\system32\wbem\unsecapp.exe
<verified> Nero MediaHome 132 C:\Program Files\Nero\Nero MediaHome 4\NeroMediaHome.exe
<verified> NVIDIA® NVRAID 1948 C:\Windows\System32\nvraidservice.exe
<verified> O&O Defrag 212 C:\Program Files\OO Software\Defrag\oodtray.exe


Network activity
----------------
Process firefox.exe (1268) connected on port 80 (HTTP) --> wy-in-f102.1e100.net
Process firefox.exe (1268) connected on port 80 (HTTP) --> *.112.2o7.net
Process firefox.exe (1268) connected on port 80 (HTTP) --> wy-in-f102.1e100.net
Process firefox.exe (1268) connected on port 80 (HTTP) --> a88-221-181-115.deploy.akamaitechnologies.com
Process UT1.6.1.exe (5520) connected on port 54920 --> d114-78-34-32.rdl801.qld.optusnet.com.au
Process UT1.6.1.exe (5520) connected on port 22423 --> cpc5-stkp8-2-0-cust575.know.cable.virginmedia.com

Process flashget.exe (2652) listens on ports: 24248
Process UT1.6.1.exe (5520) listens on ports: 55641


Autoruns and critical files
---------------------------
<unsigned> Belkin Network USB Hub Control Center C:\Program Files\Belkin\Network USB Hub Control Center\Connect.exe
<unsigned> FlashGet C:\Program Files\FlashGet\flashget.exe
<unsigned> SuperAntiSpyware c:\program files\superantispyware\sasseh.dll
<unsigned> SUPERAntiSpyware WinLogon Processor C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

<verified> Acronis Scheduler Helper C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
<verified> Acronis True Image C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
<verified> Adobe Acrobat C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
<verified> Adobe Reader and Acrobat Manager C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
<verified> ESET Smart Security C:\Program Files\ESET\ESET Smart Security\egui.exe
<verified> iTunes C:\Program Files\iTunes\iTunesHelper.exe
<verified> Microsoft® Windows® Operating System C:\Windows\ehome\ehtray.exe
<verified> Microsoft® Windows® Operating System C:\Windows\System32\browseui.dll
<verified> Microsoft® Windows® Operating System c:\windows\system32\userinit.exe
<verified> Nero MediaHome C:\Program Files\Nero\Nero MediaHome 4\NeroMediaHome.exe
<verified> NVIDIA® NVRAID C:\Windows\System32\nvraidservice.exe
<verified> O&O Defrag C:\Program Files\OO Software\Defrag\oodtray.exe
<verified> Windows® Internet Explorer C:\Windows\System32\webcheck.dll


Browser plugins
---------------
<unsigned> DivX Player Netscape Plugin C:\Program Files\DivX\DivX Player\npDivxPlayerPlugin.dll
<unsigned> FlashGet C:\Program Files\FlashGet\flashget.exe
<unsigned> getflash Module c:\program files\flashget\getflash.dll
<unsigned> JCCATCH Module c:\program files\flashget\jccatch.dll
<unsigned> McAfee Virtual Technician C:\Windows\Downloaded Program Files\Uploader.exe
<unsigned> QuickTime Plug-in 7.6.5 C:\Program Files\Internet Explorer\plugins\npqtplugin.dll
<unsigned> QuickTime Plug-in 7.6.5 C:\Program Files\Internet Explorer\plugins\npqtplugin2.dll
<unsigned> QuickTime Plug-in 7.6.5 C:\Program Files\Internet Explorer\plugins\npqtplugin3.dll
<unsigned> QuickTime Plug-in 7.6.5 C:\Program Files\Internet Explorer\plugins\npqtplugin4.dll
<unsigned> QuickTime Plug-in 7.6.5 C:\Program Files\Internet Explorer\plugins\npqtplugin5.dll
<unsigned> QuickTime Plug-in 7.6.5 C:\Program Files\Internet Explorer\plugins\npqtplugin6.dll
<unsigned> QuickTime Plug-in 7.6.5 C:\Program Files\Internet Explorer\plugins\npqtplugin7.dll
<unsigned> Shockwave for Director C:\Windows\system32\Adobe\Director\np32dsw.dll

<verified> AcroIEHelperShim Library c:\program files\common files\adobe\acrobat\activex\acroiehelpershim.dll
<verified> Adobe Acrobat C:\Program Files\Internet Explorer\plugins\nppdf32.dll
<verified> BitDefender QuickScan C:\Users\chrisr\AppData\Roaming\Mozilla\Firefox\Profiles\granpnki.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
<verified> BitDefender QuickScan C:\Users\chrisr\AppData\Roaming\Mozilla\Firefox\Profiles\granpnki.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
<verified> DivX Web Player C:\Program Files\DivX\DivX Web Player\npdivx32.dll
<verified> FlashGot.exe C:\Users\chrisr\AppData\Roaming\Mozilla\Firefox\Profiles\granpnki.default\FlashGot.exe
<verified> InstallShield Update Service C:\Windows\Downloaded Program Files\dwusplay.dll
<verified> InstallShield Update Service C:\Windows\Downloaded Program Files\dwusplay.exe
<verified> Java™ Platform SE 6 U20 c:\program files\java\jre6\bin\jp2ssv.dll
<verified> McAfee Virtual Technician C:\Windows\Downloaded Program Files\McContentMgr.dll
<verified> McAfee Virtual Technician C:\Windows\Downloaded Program Files\McHealthCheck.dll
<verified> McAfee Virtual Technician C:\Windows\Downloaded Program Files\McLogMgr.dll
<verified> McAfee Virtual Technician C:\Windows\Downloaded Program Files\McPlugins.dll
<verified> McAfee Virtual Technician C:\Windows\Downloaded Program Files\McProdMgr.dll
<verified> McAfee Virtual Technician C:\Windows\Downloaded Program Files\MVT.dll
<verified> Microsoft Office Live Plug-in for Firef C:\Program Files\Microsoft\Office Live\npOLW.dll
<verified> Microsoft Search Enhancement Pack c:\program files\microsoft\search enhancement pack\search helper\sepsearchhelperie.dll
<verified> Microsoft® Windows Live Login Helper c:\program files\common files\microsoft shared\windows live\windowslivelogin.dll
<verified> Microsoft® Windows® Operating System C:\Windows\System32\mswsock.dll
<verified> Microsoft® Windows® Operating System C:\Windows\System32\NapiNSP.dll
<verified> Microsoft® Windows® Operating System C:\Windows\System32\nlaapi.dll
<verified> Microsoft® Windows® Operating System C:\Windows\System32\pnrpnsp.dll
<verified> Microsoft® Windows® Operating System C:\Windows\System32\winrnr.dll
<verified> Mozilla Default Plug-in C:\Program Files\Mozilla Firefox\plugins\npnul32.dll
<verified> npitunes.dll C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
<verified> NPSWF32.dll C:\Windows\system32\Macromed\Flash\NPSWF32.dll
<verified> NPWebSLLauncher.dll C:\Program Files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
<verified> Silverlight Plug-In C:\Program Files\Microsoft Silverlight\3.0.50106.0\npctrl.dll
<verified> Software Manager C:\Windows\Downloaded Program Files\isusweb.dll
<verified> Windows Live Toolbar c:\program files\windows live\toolbar\wltcore.dll
<verified> Windows Live® Photo Gallery C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll
<verified> Windows Presentation Foundation C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
<verified> Windows® Internet Explorer C:\Windows\System32\ieframe.dll


Missing files
-------------
File not found: C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
referenced in: HKLM\System\ControlSet001\services\stllssvr\"ImagePath"

File not found: C:\Users\chrisr\AppData\Local\Temp\catchme.sys
referenced in: HKLM\System\ControlSet001\services\catchme\"ImagePath"

File not found: C:\Windows\System32\appmgmts.dll
referenced in: HKLM\System\ControlSet001\services\AppMgmt\Parameters\"ServiceDll"

File not found: system32\DRIVERS\ipinip.sys
referenced in: HKLM\System\ControlSet001\services\IpInIp\"ImagePath"

File not found: system32\DRIVERS\nwlnkflt.sys
referenced in: HKLM\System\ControlSet001\services\NwlnkFlt\"ImagePath"

File not found: system32\DRIVERS\nwlnkfwd.sys
referenced in: HKLM\System\ControlSet001\services\NwlnkFwd\"ImagePath"


Scan
----
<unsigned> MD5: 59fccaf915ba89dd98cadf08da91afee C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
<unsigned> MD5: b54ac9ac20a049656656a9dae5f602ed C:\Program Files\Belkin\Network USB Hub Control Center\Connect.exe
<unsigned> MD5: 02bc8a19f7d5861e88ac0d95d405867e C:\Program Files\BT Common Client\btomodog.exe
<unsigned> MD5: 9944c0be9f57c6a2a2b49b56ce7c909e C:\Program Files\BT Common Client\btomosrv.exe
<unsigned> MD5: 6f95324909b502e2651442c1548ab12f C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
<unsigned> MD5: 793ff718477345cd5d232c50bed1e452 C:\Program Files\Common Files\LightScribe\LSSrvc.exe
<unsigned> MD5: e93467c5327c2760fcab2b4670847496 C:\Program Files\DivX\DivX Player\npDivxPlayerPlugin.dll
<unsigned> MD5: 9b6e3839264be555239dcade39bad097 C:\Program Files\FlashGet\debugrpt.dll
<unsigned> MD5: 582c5124b58bca330a58a058f7654bca C:\Program Files\FlashGet\FGBTCORE.dll
<unsigned> MD5: 3c16f503b7fafdca583cbcc6a2e9e781 C:\Program Files\FlashGet\FGEMCORE.dll
<unsigned> MD5: 7afdc73df85cba039cfedb389b6c9ef6 C:\Program Files\FlashGet\fgmgr.dll
<unsigned> MD5: 464be3c739e8392655913a6916a63fb0 C:\Program Files\FlashGet\fgupdate.dll
<unsigned> MD5: ca19fcdf31b68abca046ac091143ce6b C:\Program Files\FlashGet\flashget.exe
<unsigned> MD5: 42cb9a71788338483537f36a00318d00 c:\program files\flashget\getflash.dll
<unsigned> MD5: f75511a4e8c213d088ba7e53ba0cc4da c:\program files\flashget\jccatch.dll
<unsigned> MD5: da548872c3126b09d7832b4abeb54116 C:\Program Files\Internet Explorer\plugins\npqtplugin.dll
<unsigned> MD5: da548872c3126b09d7832b4abeb54116 C:\Program Files\Internet Explorer\plugins\npqtplugin2.dll
<unsigned> MD5: da548872c3126b09d7832b4abeb54116 C:\Program Files\Internet Explorer\plugins\npqtplugin3.dll
<unsigned> MD5: da548872c3126b09d7832b4abeb54116 C:\Program Files\Internet Explorer\plugins\npqtplugin4.dll
<unsigned> MD5: da548872c3126b09d7832b4abeb54116 C:\Program Files\Internet Explorer\plugins\npqtplugin5.dll
<unsigned> MD5: da548872c3126b09d7832b4abeb54116 C:\Program Files\Internet Explorer\plugins\npqtplugin6.dll
<unsigned> MD5: da548872c3126b09d7832b4abeb54116 C:\Program Files\Internet Explorer\plugins\npqtplugin7.dll
<unsigned> MD5: 26b018758226a5dc06de45496c394d40 C:\Program Files\Mozilla Firefox\freebl3.dll
<unsigned> MD5: 9dfb30f203999a3ae0f258a33fa598f9 C:\Program Files\Mozilla Firefox\nssdbm3.dll
<unsigned> MD5: 1fd6c03c0001a5e1eaf61596c2502f0c C:\Program Files\Mozilla Firefox\softokn3.dll
<unsigned> MD5: 84f6b3ae2bbbfc146a27ede853eccb6b C:\Program Files\QuickTime Alternative\QTSystem\QTCF.dll
<unsigned> MD5: 86d32bb043c88fd79194ff7ab2ab3434 C:\Program Files\QuickTime Alternative\QTSystem\QuickTime.qts
<unsigned> MD5: eadfcaf6888b10183a0ef881453fa0ba C:\Program Files\QuickTime Alternative\QTSystem\QuickTime.Resources\en.lproj\QuickTimeLocalized.dll
<unsigned> MD5: 239eadd6b5ab68051c3dad1e9403b33d C:\Program Files\QuickTime Alternative\QTSystem\QuickTime.Resources\QuickTime.dll
<unsigned> MD5: d617404d119b1db10366692447d8a648 C:\Program Files\SUPERAntiSpyware\SASCTXMN.DLL
<unsigned> MD5: f81ea209a3e43c33f99ff89ebab82d93 C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
<unsigned> MD5: ecd5517a6633826057d4f050927ddf56 c:\program files\superantispyware\sasseh.dll
<unsigned> MD5: 482e8f6fd557d5a0df7363f72df145fe C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
<unsigned> MD5: 323e124d88b48d60b92dfd0962a91398 C:\Program Files\WinRar\RarExt.dll
<unsigned> MD5: e3013175d75cb6abbb55f61fdfef7f50 C:\Users\chrisr\Downloads\UT1.6.1.exe
<unsigned> MD5: 9deb8c5bf6aeca9db194cace96ff0d71 C:\Windows\Downloaded Program Files\Uploader.exe
<unsigned> MD5: 8ddf0253e783e740bf053e0fe7d8b6fe C:\Windows\system32\Adobe\Director\np32dsw.dll
<unsigned> MD5: 7f1c1f78d709c4a54cbb46ede7e0b48d C:\Windows\system32\DRIVERS\NTIDrvr.sys
<unsigned> MD5: 0d0367919d12143739cd7ec67a65b6eb C:\Windows\system32\drivers\WSVD.sys
<unsigned> MD5: bb102f92a20d06f26f876c443c07e65b C:\Windows\System32\nvshext.dll
<unsigned> MD5: 3e9a33113d663d8bd5ed38858e669652 C:\Windows\winsxs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.4053_none_d1c738ec43578ea1\ATL80.dll
<unsigned> MD5: 686b224b4987c22b153fbb545fee9657 C:\Windows\winsxs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.4053_none_cbf21254470d8752\mfc80u.dll
<unsigned> MD5: d8584c7fb9a1ba8480f9000c1ca1b415 C:\Windows\winsxs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.4053_none_03ca5532205cb096\mfc80ENU.dll


No file uploaded.

Scan finished - communication took 6 sec
Total traffic - 0.07 MB sent, 2.66 KB recvd
Scanned 1064 files and modules - 104 seconds

DDS (Ver_10-03-17.01) - NTFSx86
Run by chrisr at 12:05:50.73 on 02/05/2010
Internet Explorer: 8.0.6001.18904 BrowserJavaVersion: 1.6.0_20
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2814.1984 [GMT 1:00]

SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\OO Software\Defrag\oodag.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\NEWTScannerSvc.exe
C:\Program Files\BT Common Client\btomodog.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\Windows\System32\nvraidservice.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\OO Software\Defrag\oodtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\FlashGet\flashget.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Nero\Nero MediaHome 4\NeroMediaHome.exe
C:\Program Files\Belkin\Network USB Hub Control Center\Connect.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Users\chrisr\Downloads\UT1.6.1.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\chrisr\Desktop\Malware & Security Tools\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.bbc.co.uk/
mStart Page = hxxp://en.uk.acer.yahoo.com
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - c:\program files\flashget\jccatch.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: FlashGet GetFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - c:\program files\flashget\getflash.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Nero MediaHome 4] "c:\program files\nero\nero mediahome 4\NeroMediaHome.exe" /AUTORUN
mRun: [NVRaidService] c:\windows\system32\nvraidservice.exe
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [OODefragTray] c:\program files\oo software\defrag\oodtray.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Flashget] c:\program files\flashget\flashget.exe /min
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mRun: [Nero MediaHome 4] "c:\program files\nero\nero mediahome 4\NeroMediaHome.exe" /AUTORUN
StartupFolder: c:\users\chrisr\appdata\roaming\micros~1\windows\startm~1\programs\startup\belkin~1.lnk - c:\program files\belkin\network usb hub control center\Connect.exe
uPolicies-explorer: NoFileUrl = 0 (0x0)
uPolicies-explorer: NoUpdateCheck = 0 (0x0)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &Download All with FlashGet - c:\program files\flashget\jc_all.htm
IE: &Download with FlashGet - c:\program files\flashget\jc_link.htm
IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashget\FlashGet.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: microsoft.com\update
Trusted Zone: microsoft.com\windowsupdate
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
TCP: {BC920E49-3E13-4AC8-BC58-6ED7D142691F} = 194.72.9.34,194.72.0.114
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {B2C3BB6B-E005-4246-B8E5-DF0A4D073CDC} - c:\program files\pixiepack codec pack\InstallerHelper.exe

================= FIREFOX ===================

FF - ProfilePath - c:\users\chrisr\appdata\roaming\mozilla\firefox\profiles\granpnki.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.bbc.co.uk/
FF - component: c:\users\chrisr\appdata\roaming\mozilla\firefox\profiles\granpnki.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\chrisr\appdata\roaming\mozilla\firefox\profiles\granpnki.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 tdrpman251;Acronis Try&Decide and Restore Points filter (build 251);c:\windows\system32\drivers\tdrpm251.sys [2009-10-13 902432]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2010-3-24 114984]
R1 RapportKELL;RapportKELL;c:\program files\trusteer\rapport\bin\RapportKELL.sys [2010-3-23 58984]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2010-3-23 125160]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2010-1-5 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-1-5 61440]
R2 BTWSp50;BTWSp50 NDIS Protocol Driver;c:\windows\system32\drivers\btwsp50.sys [2007-4-20 24560]
R2 eamonm;eamonm;c:\windows\system32\drivers\eamonm.sys [2010-3-24 133512]
R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2010-3-24 810120]
R2 epfwwfp;epfwwfp;c:\windows\system32\drivers\epfwwfp.sys [2010-3-24 41312]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2010-3-23 779496]
R2 SvcNEWTScanner;NEWTScanner Service;c:\windows\system32\NEWTScannerSvc.exe [2010-4-30 78576]
R2 Watch Dog for BT Common Client;Watch Dog for BT Common Client;c:\program files\bt common client\btomodog.exe [2007-6-22 24576]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2009-8-21 66592]
R3 PGR1394b;HS 3d Sensor IEEE 1394 Bus host controllers;c:\windows\system32\drivers\HS3dSensor1394.sys [2009-12-8 72704]
R3 sxuptp;SXUPTP Driver;c:\windows\system32\drivers\sxuptp.sys [2009-5-4 58880]
S3 afcdp;afcdp;c:\windows\system32\drivers\afcdp.sys [2009-10-13 159168]
S3 afcdpsrv;Acronis Nonstop Backup service;c:\program files\common files\acronis\cdp\afcdpsrv.exe [2009-10-13 2326920]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-1-5 12872]
S3 WSVD;WSVD;c:\windows\system32\drivers\WSVD.sys [2009-5-3 75776]
S4 BT Common Client;BT Common Client;c:\program files\bt common client\btomosrv.exe [2007-7-3 61440]

=============== Created Last 30 ================

2010-05-02 11:01:18 0 d-----w- c:\users\chrisr\appdata\roaming\QuickScan
2010-05-01 22:54:15 0 d-sh--w- C:\$RECYCLE.BIN
2010-05-01 22:44:19 0 d-----w- C:\ComboFix
2010-05-01 22:24:00 98816 ----a-w- c:\windows\sed.exe
2010-05-01 22:24:00 77312 ----a-w- c:\windows\MBR.exe
2010-05-01 22:24:00 256512 ----a-w- c:\windows\PEV.exe
2010-05-01 22:24:00 161792 ----a-w- c:\windows\SWREG.exe
2010-05-01 00:09:01 213024 ----a-w- c:\windows\system32\drivers\nvstor32.sys
2010-05-01 00:06:05 0 d-----w- c:\programdata\Spybot - Search & Destroy
2010-04-30 15:43:00 202784 ----a-w- c:\windows\system32\NvRaidServeresm.dll
2010-04-30 15:42:59 538 ----a-w- c:\windows\system32\RegRaidSedona.bat
2010-04-30 15:42:58 7052 ----a-w- c:\windows\system32\nvide.nvu
2010-04-30 15:42:58 62496 ----a-w- c:\windows\system32\NvRaidSvesm.dll
2010-04-30 15:42:58 173088 ----a-w- c:\windows\system32\NvRaidWizardesm.dll
2010-04-30 15:42:12 0 d-----w- c:\users\chrisr\{97576326-f2de-4910-be85-fc478036ec7f}
2010-04-30 15:41:58 0 d-----w- c:\users\chrisr\{8d7d0039-baa4-40f6-b71f-b6cb5c80e8fc}
2010-04-30 15:31:56 705536 ----a-w- c:\windows\system32\cohelper.dll
2010-04-30 15:31:56 6136 ----a-w- c:\windows\system32\drivers\nvphy.bin
2010-04-30 13:59:27 942832 ----a-w- c:\windows\system32\NEWT.dll
2010-04-30 13:59:17 82672 ----a-w- c:\windows\system32\NEWTScannerCOM.exe
2010-04-30 13:59:17 177904 ----a-w- c:\windows\system32\NEWTScan.exe
2010-04-30 13:59:16 78576 ----a-w- c:\windows\system32\NEWTScannerSvc.exe
2010-04-30 13:58:23 241664 ----a-w- c:\windows\system32\ThreadFactoryLib_RUNTIME.dll
2010-04-30 13:58:23 172032 ----a-w- c:\windows\system32\ThreadFactoryOCX_RUNTIME.ocx
2010-04-30 13:58:22 90112 ----a-w- c:\windows\system32\sGraph.ocx
2010-04-30 13:58:22 749568 ----a-w- c:\windows\system32\iGrid300_10Tec.ocx
2010-04-30 13:58:22 267080 ----a-w- c:\windows\system32\tssProgressBarXP.ocx
2010-04-30 13:58:22 143360 ----a-w- c:\windows\system32\vbalIml201_75B4A91C.ocx
2010-04-30 13:58:22 127808 ----a-w- c:\windows\system32\MSWINSCK.OCX
2010-04-30 13:58:21 0 d-----w- c:\program files\Komodo Labs
2010-04-30 13:49:07 140832 ----a-w- c:\windows\nvstor32.sys
2010-04-30 13:21:59 140832 ----a-w- c:\windows\system32\nvstor32.sys
2010-04-30 13:02:03 132128 ----a-w- C:\nvrd32.sys
2010-04-30 12:19:11 75728 ----a-w- c:\program files\isl_cad32.exe
2010-04-30 11:51:35 2 --shatr- c:\windows\winstart.bat
2010-04-30 11:50:55 0 d-----w- c:\program files\UnHackMe
2010-04-30 11:25:55 0 d-----w- c:\programdata\ISL Online Cache
2010-04-30 00:00:57 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-04-29 10:32:18 261094406 ----a-w- c:\windows\MEMORY.DMP
2010-04-29 09:18:57 0 d-----w- c:\program files\HiJack This
2010-04-28 23:59:51 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-28 23:59:18 0 d-----w- c:\programdata\Hitman Pro
2010-04-28 23:59:17 0 d-----w- c:\program files\Hitman Pro 3.5
2010-04-28 11:32:02 0 d-----w- c:\program files\ISL Online
2010-04-28 00:50:02 0 d-----w- c:\program files\Sophos
2010-04-27 15:12:34 0 d-----w- c:\programdata\ESET
2010-04-27 15:12:34 0 d-----w- c:\program files\ESET
2010-04-27 10:26:16 0 d-----w- c:\program files\Virus Secure Lab
2010-04-26 21:49:10 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-22 09:06:42 0 d-----w- c:\users\chrisr\appdata\roaming\Malwarebytes
2010-04-22 09:06:19 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-22 09:06:17 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-22 09:06:17 0 d-----w- c:\programdata\Malwarebytes
2010-04-22 09:06:15 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-14 02:27:30 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-14 02:27:29 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-14 02:27:28 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-14 02:27:21 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-14 02:27:20 3600776 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-14 02:27:18 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-04-14 02:27:13 62464 ----a-w- c:\windows\system32\l3codeca.acm
2010-04-14 02:27:13 220672 ----a-w- c:\windows\system32\l3codecp.acm
2010-04-14 02:27:03 904576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-14 02:27:02 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-04-14 02:27:01 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-04-13 17:56:34 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-13 17:56:31 98304 ----a-w- c:\windows\system32\cabview.dll
2010-04-12 11:14:48 215656 ----a-w- c:\windows\system32\nvcod1910.dll
2010-04-03 17:27:00 985704 ----a-w- c:\windows\system32\nvsvc.dll
2010-04-03 17:27:00 13683816 ----a-w- c:\windows\system32\nvcpl.dll
2010-04-03 17:27:00 129640 ----a-w- c:\windows\system32\nvvsvc.exe
2010-04-03 17:27:00 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-04-03 17:26:56 66714 ----a-w- c:\windows\system32\NvwsApps.xml
2010-04-03 17:26:56 276196 ----a-w- c:\windows\system32\NvApps.xml

==================== Find3M ====================

2010-05-02 00:13:40 34997 ----a-w- c:\programdata\nvModes.dat
2010-05-01 13:18:47 51200 ----a-w- c:\windows\inf\infpub.dat
2010-05-01 13:18:47 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-05-01 13:18:47 143360 ----a-w- c:\windows\inf\infstor.dat
2010-04-03 17:55:32 9386600 ----a-w- c:\windows\system32\nvd3dum.dll
2010-03-24 19:33:54 41312 ----a-w- c:\windows\system32\drivers\epfwwfp.sys
2010-03-24 19:33:50 32584 ----a-w- c:\windows\system32\drivers\epfwndis.sys
2010-03-24 19:33:46 134488 ----a-w- c:\windows\system32\drivers\epfw.sys
2010-03-24 19:31:06 114984 ----a-w- c:\windows\system32\drivers\ehdrv.sys
2010-03-24 19:23:54 133512 ----a-w- c:\windows\system32\drivers\eamonm.sys
2010-03-22 16:12:14 4156 ----a-w- c:\windows\unins000.dat
2010-03-22 16:11:51 794906 ----a-w- c:\windows\unins000.exe
2010-03-17 15:53:36 57888 ----a-w- c:\windows\system32\RtkCoInst.dll
2010-03-17 15:53:36 371232 ----a-w- c:\windows\system32\RtkApoApi.dll
2010-03-17 15:53:36 2649120 ----a-w- c:\windows\system32\RtkAPO.dll
2010-03-17 15:53:30 1749536 ----a-w- c:\windows\system32\RtkPgExt.dll
2010-03-17 15:46:14 3041568 ----a-w- c:\windows\system32\drivers\RTKVHDA.sys
2010-03-17 11:08:32 307616 ----a-w- c:\windows\system32\FMAPO.dll
2010-02-23 06:39:13 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33:45 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 06:33:45 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 04:55:36 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-20 23:06:41 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:05:14 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-02-12 10:32:56 293376 ----a-w- c:\windows\system32\browserchoice.exe
2009-10-28 12:20:02 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-05-03 18:29:05 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2009-05-03 18:29:05 32768 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2009-05-03 18:29:05 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat
2009-05-03 18:29:05 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat

============= FINISH: 12:06:30.36 ===============

I hope everything looks good to you, and I will await your conclusions.

Many thanks & very best regards,

Intarest.
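The DDS sections above ("Missing files" and "SERVICES / DRIVERS") can be triaged mechanically before a human reads them. The following is an added example, not DDS's own code nor anything posted in this thread: it parses those two sections from a constructed sample laid out like the log above and flags any service, driver or dangling registry reference whose image sits in a user-writable location (a heuristic chosen for this example, not a DDS rule).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the DDS layout shown above: a few lines from the
# "Missing files" and "SERVICES / DRIVERS" sections.
SAMPLE_LOG = r"""
Missing files
-------------
File not found: C:\Users\chrisr\AppData\Local\Temp\catchme.sys
referenced in: HKLM\System\ControlSet001\services\catchme\"ImagePath"

File not found: system32\DRIVERS\ipinip.sys
referenced in: HKLM\System\ControlSet001\services\IpInIp\"ImagePath"

============= SERVICES / DRIVERS ===============

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2010-3-24 114984]
R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2010-3-24 810120]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
R2 Watch Dog for BT Common Client;Watch Dog for BT Common Client;c:\program files\bt common client\btomodog.exe [2007-6-22 24576]
"""


@dataclass
class ServiceEntry:
    state: str            # "R0".."R3" running, "S0".."S4" stopped (DDS start-type code)
    name: str             # service key name
    display: str          # display name
    path: str             # image path; may carry arguments such as "-k netsvcs"
    date: Optional[str]   # file date as printed, e.g. "2010-3-24"
    size: Optional[int]   # file size in bytes


@dataclass
class MissingFile:
    path: str             # file DDS could not find on disk
    key: str              # registry value that still points at it


# "R2 ekrn;ESET Service;c:\...\ekrn.exe [2010-3-24 810120]"
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)"
    r"(?:\s+\[(?P<date>\d{4}-\d{1,2}-\d{1,2})\s+(?P<size>\d+)\])?\s*$"
)
MISSING_RE = re.compile(r"^File not found:\s*(?P<path>.+?)\s*$")
REF_RE = re.compile(r"^referenced in:\s*(?P<key>.+?)\s*$")


def parse_services(text: str) -> List[ServiceEntry]:
    """Return every SERVICES / DRIVERS line as a structured record."""
    entries = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            entries.append(ServiceEntry(
                m["state"], m["name"].strip(), m["display"].strip(),
                m["path"].strip(), m["date"],
                int(m["size"]) if m["size"] else None))
    return entries


def parse_missing_files(text: str) -> List[MissingFile]:
    """Pair each 'File not found:' line with the 'referenced in:' line below it."""
    missing, pending = [], None
    for line in text.splitlines():
        line = line.strip()
        m = MISSING_RE.match(line)
        if m:
            pending = m["path"]          # hold until its registry reference arrives
            continue
        r = REF_RE.match(line)
        if r and pending is not None:
            missing.append(MissingFile(pending, r["key"]))
            pending = None
    return missing


# Directories an unprivileged user can write to. A service or driver image
# there is worth a second look; this is a triage heuristic for the example.
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\")


def from_user_writable(path: str) -> bool:
    """True if the image path (arguments stripped) lies under a user-writable directory."""
    image = path.lower().split(" -", 1)[0]   # drop "-k ..." style service arguments
    return any(marker in image for marker in USER_WRITABLE_MARKERS)


def triage(text: str) -> Dict[str, list]:
    """Parse both sections and collect the entries a reviewer should inspect first."""
    services = parse_services(text)
    missing = parse_missing_files(text)
    flagged = [s for s in services if from_user_writable(s.path)]
    flagged += [m for m in missing if from_user_writable(m.path)]
    return {"services": services, "missing": missing, "flagged": flagged}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"{len(result['services'])} service/driver entries, "
          f"{len(result['missing'])} dangling registry references")
    for item in result["flagged"]:
        print("review:", item.path)
```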

#12 fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 02 May 2010 - 11:08 AM

Hello, intarest.
Congratulations! You now appear clean!

Uninstall Combofix
  • Make sure that Combofix.exe that you downloaded is on your Desktop but Do not run it!
    o *If it is not on your Desktop, the below will not work.
  • Click on then Run....
  • Now copy & paste the green bolded text in the run-box and click OK.

    ComboFix /Uninstall

    <Notice the space between the "x" and "/".> <--- It needs to be there
    Windows Vista users: Press the Windows Key + R to bring up the Run... command, and from there you can add in the ComboFix /Uninstall


  • Please advise if this step is missed for any reason as it performs some important actions:
    "This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.
    It also makes a clean Restore Point and flashes all the old restore points in order to prevent possible reinfection from an old one through system restore".

Are things running okay? Do you have any more questions?

System Still Slow?
You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve performance.
If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware.

We Need to Clean Up Our Mess
  • Download OTC by OldTimer and save it to your desktop.
  • Double click icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.


Recommendations
Below are some recommendations to lower your chances of (re)infection.
  1. Install and maintain an outbound firewall
  2. Install Spyware Blaster and update it regularly
    If you wish, the commercial version provides automatic updating.
  3. Install the MVPs hosts file, and update it regularly
    You can use the HostMan host file manager to do this automatically if you wish.
    For more information on the hosts file, and what it can do for you, you can view the Tutorial on the Hosts file
  4. Install an Anti-Spyware program, and update it regularly
    Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
    SUPERAntiSpyware is another good scanner with high detection and removal rates.
    Both programs are free for non-commercial home use, but provide a resident scanner and do not nag if you purchase the paid versions.
  5. Keep Windows (and your other Microsoft software) up to date!
    I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

    If you are using Windows XP or earlier
    Visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

    If you are using Windows Vista
    1. Click the "Start Menu" (or Windows Orb)
    2. Click "All Programs"
    3. Click "Windows Update"
    4. On the left, choose "Change Settings"
    5. Ensure that the checkbox "Use Microsoft Update" at the bottom of the window is checked.
    6. Press OK and accept the UAC prompt.
      Note: You shouldn't need to check this checkbox every single time you update, only the first time.
    7. Click "Check for Updates" in the upper left corner.
    8. Follow the instructions to install the latest updates.
    9. Reboot and repeat the "Check for Updates" until there are no more critical updates to install
  6. Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software Inspector occasionally to help you check for out-of-date software on your machine.
  7. Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.

"Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware!
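
Recommendation 3 above relies on the hosts file only ever pointing names at a sinkhole address. Malware that causes search redirection or blocks Windows Update often edits the very same file, so a quick audit of it is worth having. The script below is an added example for this thread, not code from the post or from BleepingComputer: it parses a hosts file in the standard format, counts ordinary MVPS-style blocking entries, and reports any name mapped to a non-sinkhole address or any update/search/security-vendor name mapped to a sinkhole. The watch list of domains and the sample hosts content are assumptions constructed for the example; the Windows path is the stock location.

```python
"""Audit a Windows hosts file for hijack entries.

Added example for this thread, not code from the post or from BleepingComputer.
It checks that an MVPS-style blocking hosts file contains only sinkhole entries
(0.0.0.0 / 127.0.0.1 / ::1) and that no search-engine, Windows Update or
security-vendor name has been pointed somewhere else. The watch list and the
sample file below are assumptions constructed for the example.
"""
import ipaddress
import sys
from typing import Dict, List

# Stock location of the hosts file on Windows.
WINDOWS_HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"

# Names that legitimately map to loopback in an untouched hosts file.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Domains a hijacker typically targets (assumed list for this example).
WATCHED_SUFFIXES = (
    "google.com", "bing.com", "windowsupdate.com", "update.microsoft.com",
    "malwarebytes.org", "superantispyware.com", "eset.com",
)


def parse_hosts(text: str) -> List[Dict]:
    """Return one record per (address, hostname) pair; comments and junk skipped."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop whole-line and inline comments
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                          # first token is not an address
        for name in parts[1:]:                # one line may carry several names
            records.append({"line": lineno, "ip": addr, "host": name.lower()})
    return records


def is_sinkhole(addr) -> bool:
    """True for 0.0.0.0, 127.x.x.x and ::1, the only safe blocking targets."""
    return addr.is_unspecified or addr.is_loopback


def is_watched(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)


def audit_hosts(text: str) -> Dict:
    """Classify every mapping as a benign block or a finding with a reason."""
    blocked = 0
    findings = []
    for rec in parse_hosts(text):
        host, addr = rec["host"], rec["ip"]
        if host in LOCAL_NAMES or host.startswith("ip6-"):
            continue                          # stock localhost lines
        if is_sinkhole(addr):
            if is_watched(host):              # update/search domain blocked
                findings.append({**rec, "severity": "high",
                                 "reason": "update/search/AV domain sinkholed"})
            else:
                blocked += 1                  # ordinary MVPS-style block
        else:                                 # a real redirect, never legitimate here
            findings.append({**rec,
                             "severity": "high" if is_watched(host) else "medium",
                             "reason": "hostname redirected to %s" % addr})
    return {"blocked": blocked, "findings": findings}


def audit_file(path: str) -> Dict:
    with open(path, "r", encoding="utf-8-sig", errors="replace") as fh:
        return audit_hosts(fh.read())


# Constructed sample: stock lines, two MVPS-style blocks, then three lines of the
# kind a hijacker adds (203.0.113.0/24 is the TEST-NET-3 documentation range).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0 ads.example.net   # MVPS-style block
0.0.0.0 tracker.example.org
203.0.113.5     www.google.com google.com
203.0.113.5     www.bing.com
127.0.0.1       www.update.microsoft.com download.windowsupdate.com
"""

if __name__ == "__main__":
    report = audit_file(sys.argv[1]) if len(sys.argv) > 1 else audit_hosts(SAMPLE_HOSTS)
    print("benign blocking entries:", report["blocked"])
    for f in report["findings"]:
        print("line %d [%s] %s -> %s: %s"
              % (f["line"], f["severity"], f["host"], f["ip"], f["reason"]))
```

Run it with no arguments to see the sample classified, or pass the path to a real hosts file (on Windows, the `WINDOWS_HOSTS_PATH` above). A clean MVPS install should report only benign blocking entries and no findings; any "redirected" finding for a search engine or update server is exactly the symptom this thread opened with and means the file has been tampered with.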


#13 intarest

intarest
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:11:50 AM

Posted 02 May 2010 - 01:04 PM

Very many thanks for all your help & assistance. All of the uninstallation routines worked correctly, & my machine seems "happy" once again. I have also followed all of the additional advice you offered at the end of your last message.

Very best regards,

Intarest.

#14 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:11:50 AM

Posted 02 May 2010 - 03:29 PM

You are most welcome!



This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send a Private Message to any one of the moderating team members or myself. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.
