
Desktop Security 2010 Infection


6 replies to this topic

#1 Brent L

Posted 08 May 2010 - 09:19 PM

I turned off System Restore, ran rkill then Malwarebytes. Malwarebytes detected Desktop Security 2010 and removed it, but upon reboot, it reinstalls itself. I even tried running just Malwarebytes in safe mode, no success.


Edited by Brent L, 08 May 2010 - 09:49 PM.
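The DDS log posted in this thread shows the usual rogue-AV persistence pattern: HKCU Run values pointing at executables under the user's Temp and Application Data folders, a randomly named Run value, RunServices values, and a per-user Internet Explorer proxy pointing at an external address. The script below is an added example (not code from BleepingComputer, DDS, or the poster) that applies those heuristics to the "Pseudo HJT Report" lines. The sample lines are copied from the log in this thread; the heuristics and thresholds are my own assumptions about what rogue-AV infections typically leave behind, not a signature for Desktop Security 2010.

```python
"""Triage heuristics for the "Pseudo HJT Report" section of a DDS log.

Added example, not code from the thread, DDS or BleepingComputer.  The
heuristics are assumptions about what rogue-AV infections typically leave in
the autorun keys; every hit still needs a human look.
"""
import ipaddress
import re
from collections import namedtuple

Finding = namedtuple("Finding", "kind line")

# Constructed sample: a subset of the Pseudo HJT Report lines from the log
# posted in this thread, verbatim.
SAMPLE_LOG = r"""
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = 174.142.24.201:3128
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [vcdcq9usdd4u] c:\documents and settings\tyler\local settings\temp\m.29.tmp.exe
uRun: [Desktop Security 2010] "c:\documents and settings\tyler\application data\desktop security 2010\Desktop Security 2010.exe" /STARTUP
uRun: [SecurityCenter] c:\documents and settings\tyler\application data\desktop security 2010\securitycenter.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRunServices: [sFAe] c:\docume~1\tyler\locals~1\temp\sFAe.exe
mRunServices: [resourceMobileMe] c:\program files\common files\apple\mobile device support\bin\syncuicore.resources\es.lproj\syncuicoremobileme.exe
"""

# DDS prefixes: u = HKCU, m = HKLM; Run / RunOnce / RunServices are the key names.
AUTORUN_RE = re.compile(r"^(?P<key>[um]Run(?:Services|Once)?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer = (?P<proxy>\S+)")
# Executing from a per-user Temp or Application Data folder is the most common
# rogue-AV persistence pattern on XP (assumption: legitimate startup items
# live under Program Files or the Windows directory).
TEMP_RE = re.compile(r"\\temp\\", re.I)
APPDATA_RE = re.compile(r"\\(?:application data|applic~1)\\", re.I)
# A value name that is one run of lowercase letters and digits with no
# separators (e.g. vcdcq9usdd4u) is very likely machine-generated.
RANDOM_NAME_RE = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{8,}$")


def command_path(cmd):
    """Return the executable path from an autorun command line."""
    quoted = re.match(r'"([^"]+)"', cmd)
    if quoted:
        return quoted.group(1)
    # Unquoted paths with spaces: take everything up to the first PE extension.
    ext = re.match(r"(.*?\.(?:exe|dll|scr|pif))(?:\s|$)", cmd, re.I)
    return ext.group(1) if ext else cmd.split()[0]


def proxy_is_external(proxy):
    """True when the proxy host is a public IP (not RFC 1918 / loopback)."""
    host = proxy.rsplit(":", 1)[0]
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return True  # a hostname: treat as external until resolved and checked


def triage(log_text):
    """Scan Pseudo HJT lines and return one Finding per suspicious property."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = PROXY_RE.match(line)
        if m:
            # A per-user IE proxy silently routes the browser's traffic
            # through that host; an external one the user did not set is a red flag.
            kind = "proxy-external" if proxy_is_external(m.group("proxy")) else "proxy-internal"
            findings.append(Finding(kind, line))
            continue
        m = AUTORUN_RE.match(line)
        if not m:
            continue
        key, name, cmd = m.group("key", "name", "cmd")
        path = command_path(cmd)
        if key.endswith("RunServices"):
            # Windows 9x-era key; XP's own startup items never live here, so
            # anything present was written by a third party (assumption).
            findings.append(Finding("runservices", line))
        if TEMP_RE.search(path):
            findings.append(Finding("temp-path", line))
        if APPDATA_RE.search(path):
            findings.append(Finding("appdata-path", line))
        if RANDOM_NAME_RE.match(name):
            findings.append(Finding("random-name", line))
    return findings


def kinds_for(findings, needle):
    """Set of finding kinds whose line contains `needle` (review helper)."""
    return {f.kind for f in findings if needle in f.line}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:15} {f.line}")
```

Run it against the full Pseudo HJT Report rather than the sample and the legitimate entries (ctfmon, the Avira guard, the NVIDIA tray items) come back clean while every line the ComboFix run later deleted is flagged at least once. The RunServices hits pointing under Apple and QuickTime resource folders deserve a look too: those paths are unusual for a startup item even if no file is present.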


#2 teacup61 (Malware Response Team)

Posted 08 May 2010 - 10:06 PM

Hello Brent L,



!!Most important!! Turn System Restore back on, please! As of this time you have nothing at all to go back to if you should need it. Better a dirty restore point than none at all.

I'm going to delete all your other topics as well. I know there is a glitch sometimes, but I wanted to let you know.

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

Thanks,
tea

#3 Brent L (Topic Starter)

Posted 08 May 2010 - 11:15 PM

I noticed that my DDS log was cut off from my last post. Here is that same log:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Tyler at 21:01:50.73 on Sat 05/08/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1451 [GMT -4:00]

AV: AntiVir Desktop *On-access scanning enabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Pando Networks\Media Booster\PMB.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Documents and Settings\Tyler\Local Settings\Temp\m.29.tmp.exe
C:\Documents and Settings\Tyler\Application Data\Desktop Security 2010\Desktop Security 2010.exe
C:\Documents and Settings\Tyler\Application Data\Desktop Security 2010\securitycenter.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Documents and Settings\Tyler\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.showcase.ca/video/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = 174.142.24.201:3128
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [Pando Media Booster] c:\program files\pando networks\media booster\PMB.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [vcdcq9usdd4u] c:\documents and settings\tyler\local settings\temp\m.29.tmp.exe
uRun: [Desktop Security 2010] "c:\documents and settings\tyler\application data\desktop security 2010\Desktop Security 2010.exe" /STARTUP
uRun: [SecurityCenter] c:\documents and settings\tyler\application data\desktop security 2010\securitycenter.exe
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimagehome\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRunServices: [sFAe] c:\docume~1\tyler\locals~1\temp\sFAe.exe
mRunServices: [resourceMobileMe] c:\program files\common files\apple\mobile device support\bin\syncuicore.resources\es.lproj\syncuicoremobileme.exe
mRunServices: [FormatterFormatter] c:\program files\common files\apple\mobile device support\bin\yahoosync.app\contents\resources\formatter.bundle\contents\windows\formatterformatter.exe
mRunServices: [NVIDIAWindow6.14.10.12537] c:\program files\nvidia corporation\nview\managernvidia.exe
mRunServices: [QuickTimeQuickTimeResources] c:\program files\quicktime\propertypanels\panelhelperbase.resources\pt_pt.lproj\quicktimequicktimeresources.exe
mRunServices: [PictureViewerQuickTime] c:\program files\quicktime\pictureviewer.resources\ja.lproj\pictureviewerquicktime7.6.51327.79.exe
mRunServices: [PhysXCookingFC5Link] c:\program files\ageia technologies\v2.5.1\librarynxcooking.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1260155937890
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1269393621578
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {A19B63C4-33CC-4D32-9183-C11E2B47540F} = 192.168.254.254
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 relog_ap

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\tyler\applic~1\mozilla\firefox\profiles\qdhgrb7b.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\tyler\local settings\application data\yahoo!\browserplus\2.4.21\plugins\npybrowserplus_2.4.21.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-2-18 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-2-18 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-2-18 267432]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-2-18 60936]
S3 pbfilter;pbfilter;c:\program files\peerblock\pbfilter.sys [2010-3-26 14424]

=============== Created Last 30 ================

2010-05-08 05:15:14 0 d-----w- c:\docume~1\tyler\applic~1\Desktop Security 2010
2010-05-07 01:27:16 0 d-----w- c:\windows\system32\NtmsData
2010-05-06 20:43:43 0 d-----w- c:\program files\Trend Micro
2010-05-03 07:29:19 0 d-----w- c:\program files\JungleFlasher v0.1.73 Beta (108)
2010-05-03 05:12:56 0 d-----w- c:\program files\360FW-Toolbox-v4.8
2010-04-09 04:02:56 34908 ----a-w- c:\windows\DIIUnin.dat
2010-04-09 04:02:53 94208 ----a-w- c:\windows\DIIUnin.exe
2010-04-09 04:02:53 2829 ----a-w- c:\windows\DIIUnin.pif
2010-04-09 03:55:51 0 d-----w- c:\program files\Diablo II

==================== Find3M ====================

2010-04-29 19:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-09 04:10:28 21840 ----atw- c:\windows\system32\SIntfNT.dll
2010-04-09 04:10:28 17212 ----atw- c:\windows\system32\SIntf32.dll
2010-04-09 04:10:28 12067 ----atw- c:\windows\system32\SIntf16.dll
2010-03-18 04:05:10 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-19 18:08:23 32738 ----a-w- c:\windows\scunin.dat
2010-02-19 18:08:22 94208 ----a-w- c:\windows\ScUnin.exe
2010-02-19 01:41:27 1885464 ----a-w- c:\windows\system32\AutoPartNt.exe
2010-02-16 14:08:49 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25:04 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-15 05:02:03 12736 ---ha-w- c:\windows\system32\mlfcache.dat
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 03:16:10 41872 ----a-w- c:\windows\system32\xfcodec.dll

============= FINISH: 21:02:49.73 ===============

I tried to prepare an Ark.txt log with the GMER program, but the computer became unresponsive when I tried to save the log. The first time, however, I got a BSOD saying something like "page fault in non paged area". The third time I tried it, with rkill, I got a BSOD but it was too quick to read what it was about; the computer restarted automatically.

ComboFix 10-05-08.02 - Tyler 05/08/2010 23:41:11.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1660 [GMT -4:00]
Running from: c:\documents and settings\Tyler\My Documents\Downloads\ComboFix.exe
AV: AntiVir Desktop *On-access scanning enabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Tyler\Application Data\Desktop Security 2010
c:\documents and settings\Tyler\Application Data\Desktop Security 2010\Desktop Security 2010.exe
c:\documents and settings\Tyler\Application Data\Desktop Security 2010\mfc71.dll
c:\documents and settings\Tyler\Application Data\Desktop Security 2010\MFC71ENU.DLL
c:\documents and settings\Tyler\Application Data\Desktop Security 2010\msvcp71.dll
c:\documents and settings\Tyler\Application Data\Desktop Security 2010\msvcr71.dll
c:\documents and settings\Tyler\Application Data\Desktop Security 2010\securitycenter.exe
c:\documents and settings\Tyler\Application Data\Desktop Security 2010\securityhelper.exe
c:\documents and settings\Tyler\Application Data\Desktop Security 2010\taskmgr.dll
c:\documents and settings\Tyler\Application Data\Microsoft\Internet Explorer\Quick Launch\Desktop Security 2010.lnk
c:\documents and settings\Tyler\Start Menu\Programs\Desktop Security 2010
c:\documents and settings\Tyler\Start Menu\Programs\Desktop Security 2010.lnk
c:\documents and settings\Tyler\Start Menu\Programs\Desktop Security 2010\Activate Desktop Security 2010.lnk
c:\documents and settings\Tyler\Start Menu\Programs\Desktop Security 2010\Desktop Security 2010.lnk
c:\documents and settings\Tyler\Start Menu\Programs\Desktop Security 2010\Help Desktop Security 2010.lnk
c:\documents and settings\Tyler\Start Menu\Programs\Desktop Security 2010\How to Activate Desktop Security 2010.lnk

Infected copy of c:\windows\system32\drivers\redbook.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-04-09 to 2010-05-09 )))))))))))))))))))))))))))))))
.

2010-05-07 01:27 . 2010-05-07 17:37 -------- d-----w- c:\windows\system32\NtmsData
2010-05-06 20:43 . 2010-05-06 20:43 388096 ----a-r- c:\documents and settings\Tyler\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-05-06 20:43 . 2010-05-06 20:43 -------- d-----w- c:\program files\Trend Micro
2010-05-06 19:51 . 2010-05-06 19:51 -------- d-----w- c:\documents and settings\Tyler\Local Settings\Application Data\Threat Expert
2010-05-06 19:46 . 2010-05-06 19:46 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Mozilla
2010-05-06 19:26 . 2010-05-06 19:59 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-03 07:29 . 2010-05-03 07:30 -------- d-----w- c:\program files\JungleFlasher v0.1.73 Beta (108)
2010-05-03 05:12 . 2010-05-03 07:23 -------- d-----w- c:\program files\360FW-Toolbox-v4.8
2010-05-03 05:12 . 2010-05-09 01:14 -------- d-----w- c:\documents and settings\Tyler\Local Settings\Application Data\WinZip
2010-04-09 04:02 . 2010-04-09 04:11 34908 ----a-w- c:\windows\DIIUnin.dat
2010-04-09 04:02 . 2010-04-09 04:02 94208 ----a-w- c:\windows\DIIUnin.exe
2010-04-09 04:02 . 2010-04-09 04:02 2829 ----a-w- c:\windows\DIIUnin.pif
2010-04-09 03:55 . 2010-04-15 00:39 -------- d-----w- c:\program files\Diablo II

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-07 01:21 . 2009-12-03 07:00 -------- d-----w- c:\program files\CCleaner
2010-05-06 20:44 . 2010-03-26 18:35 -------- d-----w- c:\program files\PeerBlock
2010-05-06 19:08 . 2010-02-19 03:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-03 09:11 . 2010-02-23 17:28 -------- d-----w- c:\program files\Runes of Magic
2010-04-30 18:43 . 2010-03-27 14:04 439816 ----a-w- c:\documents and settings\Tyler\Application Data\Real\Update\setup3.10\setup.exe
2010-04-29 19:39 . 2010-02-19 03:22 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2010-02-19 03:22 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-23 17:11 . 2010-02-05 20:58 -------- d-----w- c:\program files\World of Warcraft
2010-04-09 04:10 . 2009-12-03 04:31 21840 ----atw- c:\windows\system32\SIntfNT.dll
2010-04-09 04:10 . 2009-12-03 04:31 17212 ----atw- c:\windows\system32\SIntf32.dll
2010-04-09 04:10 . 2009-12-03 04:31 12067 ----atw- c:\windows\system32\SIntf16.dll
2010-04-08 16:59 . 2010-02-19 18:06 -------- d-----w- c:\program files\Starcraft
2010-04-06 21:23 . 2010-04-06 20:41 -------- d-----w- c:\program files\RocketDock
2010-04-06 20:39 . 2010-04-06 20:39 -------- d-----w- c:\program files\Defraggler
2010-04-06 20:37 . 2010-04-06 19:25 -------- d-----w- c:\program files\Rainmeter
2010-03-26 20:40 . 2010-01-15 00:41 -------- d-----w- c:\documents and settings\Tyler\Application Data\uTorrent
2010-03-26 20:01 . 2010-03-26 20:01 -------- d-----w- c:\documents and settings\Tyler\Application Data\Avira
2010-03-26 18:33 . 2010-01-15 00:45 -------- d-----w- c:\program files\PeerGuardian2
2010-03-18 04:05 . 2010-03-18 04:05 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-18 04:05 . 2010-03-18 04:05 -------- d-----w- c:\program files\Java
2010-03-18 04:04 . 2010-03-18 04:04 152576 ----a-w- c:\documents and settings\Tyler\Application Data\Sun\Java\jre1.6.0_16\lzma.dll
2010-03-13 20:37 . 2010-01-11 05:42 -------- d-----w- c:\program files\Tribes
2010-03-10 06:15 . 2008-04-14 09:42 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-01 13:05 . 2010-02-19 02:25 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-02-25 06:24 . 2008-04-14 09:42 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2008-04-14 04:47 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-19 18:08 . 2010-02-19 18:07 32738 ----a-w- c:\windows\scunin.dat
2010-02-19 18:08 . 2010-02-19 18:07 967 ----a-w- c:\windows\ScUnin.pif
2010-02-19 18:08 . 2010-02-19 18:07 94208 ----a-w- c:\windows\ScUnin.exe
2010-02-19 01:41 . 2010-02-19 01:41 1885464 ----a-w- c:\windows\system32\AutoPartNt.exe
2010-02-19 01:30 . 2010-02-19 01:30 44384 ----a-w- c:\windows\system32\drivers\tifsfilt.sys
2010-02-19 01:30 . 2010-02-19 01:30 441760 ----a-w- c:\windows\system32\drivers\timntr.sys
2010-02-19 01:30 . 2010-02-19 01:30 132480 ----a-w- c:\windows\system32\drivers\snapman.sys
2010-02-19 01:30 . 2010-02-19 01:30 368480 ----a-w- c:\windows\system32\drivers\tdrpman.sys
2010-02-16 17:24 . 2010-02-19 02:25 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-02-16 14:08 . 2008-04-14 04:54 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2008-04-14 04:01 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-15 05:02 . 2010-02-15 05:02 12736 ---ha-w- c:\windows\system32\mlfcache.dat
2010-02-12 04:33 . 2008-04-14 09:41 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2008-04-14 04:30 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2010-02-11 03:16 . 2010-02-11 03:16 41872 ----a-w- c:\windows\system32\xfcodec.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2010-02-03 2937528]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-11-21 110184]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-11-21 12669544]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-12-31 198160]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2009-06-10 1326080]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2009-06-10 904840]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2009-06-10 136472]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-03-18 149280]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"58850:TCP"= 58850:TCP:*:Disabled:Pando Media Booster
"58850:UDP"= 58850:UDP:*:Disabled:Pando Media Booster

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2/18/2010 10:25 PM 135336]
S3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [3/26/2010 2:35 PM 14424]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.showcase.ca/video/
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = 174.142.24.201:3128
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
TCP: {A19B63C4-33CC-4D32-9183-C11E2B47540F} = 192.168.254.254
FF - ProfilePath - c:\documents and settings\Tyler\Application Data\Mozilla\Firefox\Profiles\qdhgrb7b.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\program files\Real\RealPlayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\Tyler\Local Settings\Application Data\Yahoo!\BrowserPlus\2.4.21\Plugins\npybrowserplus_2.4.21.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-SecurityCenter - c:\documents and settings\Tyler\Application Data\Desktop Security 2010\securitycenter.exe
HKLM-Run-nwiz - nwiz.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-08 23:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(800)
c:\windows\system32\relog_ap.dll
.
Completion time: 2010-05-08 23:46:04
ComboFix-quarantined-files.txt 2010-05-09 03:46

Pre-Run: 276,957,224,960 bytes free
Post-Run: 277,178,478,592 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 7ACE8D6C1E733455D310F72FFA757952

ComboFix told me my computer needed to be restarted because there was rootkit activity. Well, I had my Avira Guard disabled at the moment, but when my computer was restarted, I heard Avira beep twice (it sounds like a detected virus). So here is another ComboFix log with Avira disabled again. This time, it didn't detect any rootkit activity, so it went through with no restart needed.

ComboFix 10-05-08.02 - Tyler 05/08/2010 23:55:42.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1661 [GMT -4:00]
Running from: c:\documents and settings\Tyler\My Documents\Downloads\ComboFix.exe
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((( Files Created from 2010-04-09 to 2010-05-09 )))))))))))))))))))))))))))))))
.

2010-05-07 01:27 . 2010-05-07 17:37 -------- d-----w- c:\windows\system32\NtmsData
2010-05-06 20:43 . 2010-05-06 20:43 388096 ----a-r- c:\documents and settings\Tyler\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-05-06 20:43 . 2010-05-06 20:43 -------- d-----w- c:\program files\Trend Micro
2010-05-06 19:51 . 2010-05-06 19:51 -------- d-----w- c:\documents and settings\Tyler\Local Settings\Application Data\Threat Expert
2010-05-06 19:46 . 2010-05-06 19:46 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Mozilla
2010-05-06 19:26 . 2010-05-06 19:59 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-03 07:29 . 2010-05-03 07:30 -------- d-----w- c:\program files\JungleFlasher v0.1.73 Beta (108)
2010-05-03 05:12 . 2010-05-03 07:23 -------- d-----w- c:\program files\360FW-Toolbox-v4.8
2010-05-03 05:12 . 2010-05-09 01:14 -------- d-----w- c:\documents and settings\Tyler\Local Settings\Application Data\WinZip
2010-04-09 04:02 . 2010-04-09 04:11 34908 ----a-w- c:\windows\DIIUnin.dat
2010-04-09 04:02 . 2010-04-09 04:02 94208 ----a-w- c:\windows\DIIUnin.exe
2010-04-09 04:02 . 2010-04-09 04:02 2829 ----a-w- c:\windows\DIIUnin.pif

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-07 01:21 . 2009-12-03 07:00 -------- d-----w- c:\program files\CCleaner
2010-05-06 20:44 . 2010-03-26 18:35 -------- d-----w- c:\program files\PeerBlock
2010-05-06 19:08 . 2010-02-19 03:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-03 09:11 . 2010-02-23 17:28 -------- d-----w- c:\program files\Runes of Magic
2010-04-30 18:43 . 2010-03-27 14:04 439816 ----a-w- c:\documents and settings\Tyler\Application Data\Real\Update\setup3.10\setup.exe
2010-04-29 19:39 . 2010-02-19 03:22 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2010-02-19 03:22 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-23 17:11 . 2010-02-05 20:58 -------- d-----w- c:\program files\World of Warcraft
2010-04-15 00:39 . 2010-04-09 03:55 -------- d-----w- c:\program files\Diablo II
2010-04-09 04:10 . 2009-12-03 04:31 21840 ----atw- c:\windows\system32\SIntfNT.dll
2010-04-09 04:10 . 2009-12-03 04:31 17212 ----atw- c:\windows\system32\SIntf32.dll
2010-04-09 04:10 . 2009-12-03 04:31 12067 ----atw- c:\windows\system32\SIntf16.dll
2010-04-08 16:59 . 2010-02-19 18:06 -------- d-----w- c:\program files\Starcraft
2010-04-06 21:23 . 2010-04-06 20:41 -------- d-----w- c:\program files\RocketDock
2010-04-06 20:39 . 2010-04-06 20:39 -------- d-----w- c:\program files\Defraggler
2010-04-06 20:37 . 2010-04-06 19:25 -------- d-----w- c:\program files\Rainmeter
2010-03-26 20:40 . 2010-01-15 00:41 -------- d-----w- c:\documents and settings\Tyler\Application Data\uTorrent
2010-03-26 20:01 . 2010-03-26 20:01 -------- d-----w- c:\documents and settings\Tyler\Application Data\Avira
2010-03-26 18:33 . 2010-01-15 00:45 -------- d-----w- c:\program files\PeerGuardian2
2010-03-18 04:05 . 2010-03-18 04:05 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-18 04:05 . 2010-03-18 04:05 -------- d-----w- c:\program files\Java
2010-03-18 04:04 . 2010-03-18 04:04 152576 ----a-w- c:\documents and settings\Tyler\Application Data\Sun\Java\jre1.6.0_16\lzma.dll
2010-03-13 20:37 . 2010-01-11 05:42 -------- d-----w- c:\program files\Tribes
2010-03-10 06:15 . 2008-04-14 09:42 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-01 13:05 . 2010-02-19 02:25 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-02-25 06:24 . 2008-04-14 09:42 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2008-04-14 04:47 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-19 18:08 . 2010-02-19 18:07 32738 ----a-w- c:\windows\scunin.dat
2010-02-19 18:08 . 2010-02-19 18:07 967 ----a-w- c:\windows\ScUnin.pif
2010-02-19 18:08 . 2010-02-19 18:07 94208 ----a-w- c:\windows\ScUnin.exe
2010-02-19 01:41 . 2010-02-19 01:41 1885464 ----a-w- c:\windows\system32\AutoPartNt.exe
2010-02-19 01:30 . 2010-02-19 01:30 44384 ----a-w- c:\windows\system32\drivers\tifsfilt.sys
2010-02-19 01:30 . 2010-02-19 01:30 441760 ----a-w- c:\windows\system32\drivers\timntr.sys
2010-02-19 01:30 . 2010-02-19 01:30 132480 ----a-w- c:\windows\system32\drivers\snapman.sys
2010-02-19 01:30 . 2010-02-19 01:30 368480 ----a-w- c:\windows\system32\drivers\tdrpman.sys
2010-02-16 17:24 . 2010-02-19 02:25 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-02-16 14:08 . 2008-04-14 04:54 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2008-04-14 04:01 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-15 05:02 . 2010-02-15 05:02 12736 ---ha-w- c:\windows\system32\mlfcache.dat
2010-02-12 04:33 . 2008-04-14 09:41 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2008-04-14 04:30 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2010-02-11 03:16 . 2010-02-11 03:16 41872 ----a-w- c:\windows\system32\xfcodec.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-05-09_03.45.07 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-05-09 03:48 . 2010-05-09 03:48 16384 c:\windows\Temp\Perflib_Perfdata_768.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2010-02-03 2937528]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-11-21 110184]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-11-21 12669544]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-12-31 198160]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2009-06-10 1326080]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2009-06-10 904840]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2009-06-10 136472]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-03-18 149280]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
2010-03-02 14:28 282792 ----a-w- c:\program files\Avira\AntiVir Desktop\avgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AntiVirService"=2 (0x2)
"AntiVirSchedulerService"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"58850:TCP"= 58850:TCP:*:Disabled:Pando Media Booster
"58850:UDP"= 58850:UDP:*:Disabled:Pando Media Booster

S3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [3/26/2010 2:35 PM 14424]
S4 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2/18/2010 10:25 PM 135336]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.showcase.ca/video/
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = 174.142.24.201:3128
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
TCP: {A19B63C4-33CC-4D32-9183-C11E2B47540F} = 192.168.254.254
FF - ProfilePath - c:\documents and settings\Tyler\Application Data\Mozilla\Firefox\Profiles\qdhgrb7b.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\program files\Real\RealPlayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-08 23:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(800)
c:\windows\system32\relog_ap.dll

- - - - - - - > 'explorer.exe'(2960)
c:\windows\system32\WININET.dll
c:\program files\Windows Media Player\wmpband.dll
c:\program files\iTunes\iTunesMiniPlayer.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-05-08 23:59:18
ComboFix-quarantined-files.txt 2010-05-09 03:59

Pre-Run: 277,323,018,240 bytes free
Post-Run: 277,290,012,672 bytes free

- - End Of File - - 406AD391310537C66DDFB43BDEF5CB64


#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:08:30 AM

Posted 08 May 2010 - 11:47 PM

Hi there,

ComboFix removed a lot of the Desktop Security 2010 muck... how is it running now, please? See if you can have a scan with MBAM in normal mode and post the report, please. Don't worry about gmer. This malware tends to mess with it. If we need to get a log we'll have to change the settings a bit and try it.

tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#5 Brent L

Brent L
  • Topic Starter

  • Members
  • 8 posts
  • Location:Georgia
  • Local time:08:30 AM

Posted 09 May 2010 - 10:00 PM

It doesn't reinstall itself. Thank you. During the Malwarebytes scan, Avira reported two infections: redbook.sys.vir in the ComboFix quarantine and a .sys file in the System Volume Information folder. Everything appeared fine, so I deleted that ComboFix backup folder in the root of drive C: and replaced those dirty system restore points with a clean restore point.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4084

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/9/2010 10:41:58 PM
mbam-log-2010-05-09 (22-41-58).txt

Scan type: Full scan (C:\|)
Objects scanned: 150491
Time elapsed: 20 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#6 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:08:30 AM

Posted 09 May 2010 - 11:35 PM

Great! You're most welcome. Go ahead and delete ComboFix and its folder Qoobox as well. Looks like you already did the housekeeping part.

If everything seems to be in order I think we're done here.

Regards,
tea

#7 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:08:30 AM

Posted 16 May 2010 - 02:24 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.