Antimalware Doctor infection + multiple iexplore.exe running in background



#1 PolyOlefin


Posted 15 May 2010 - 08:33 PM

After being infected with "Antimalware Doctor", Java 6 started opening up and going crazy; I could not update Windows Defender, or access the task manager with CTRL+ALT+DEL. I tried many things to correct it, ending with an OS repair using the Vista Home Premium DVD. This seemingly fixed the issue, but now I have multiple instances of iexplore.exe opening in the background, accompanied by pop-up ads every 20 minutes. The "Antimalware Doctor" pop-ups no longer occur, however, and I can access the task manager again.

A scan with SpyBot S&D yielded a few adware fixes, none of which solved the problem. Malwarebytes' Anti-Malware, Windows Defender, and Microsoft Security Essentials detect no problems.

I have the DDS logs as per forum request, but GMER crashes to BSoD every time I scan. Trying to start the OS in Safe Mode also yields a BSoD every time, always crashing when Windows is loading "crcdisk.sys". About ready to pull my hair out! Any help would be greatly appreciated.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Young at 21:27:33.36 on Sat 05/15/2010
Internet Explorer: 8.0.6001.18904 BrowserJavaVersion: 1.6.0_13
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3325.2027 [GMT -4:00]

SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
Executable.exe 4
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k apphost
C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Windows\ehome\ehtray.exe
C:\Users\Young\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Logitech\SetPoint II\SetpointII.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\PnkBstrB.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe
C:\Windows\system32\svchost.exe -k iissvcs
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Motorola\MotoConnectService\MotoConnectService.exe
C:\Program Files\Motorola\MotoConnectService\MotoConnect.exe
C:\Users\Young\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Young\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Young\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Young\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Young\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Young\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Young\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Young\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Young\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = 0.0.0.0:80
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: PodcastBHO Class: {65134fdf-f8a5-4b3d-91d9-cdf273cfd578} - c:\program files\common files\doubletwist\IEPodcastPlugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Google Update] "c:\users\young\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [EasyTuneVI] c:\program files\gigabyte\et6\ETcall.exe
mRun: [UpdatePDRShortCut] "c:\program files\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\8.0"
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
StartupFolder: c:\users\young\appdata\roaming\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\setpoi~1.lnk - c:\program files\logitech\setpoint ii\SetpointII.exe
mPolicies-system: ConsentPromptBehaviorUser = 2 (0x2)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.9.113.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {A3256902-51FA-45A0-8A97-FC1143C169D9} - hxxp://support.microsoft.com/mats/DiagWebControl.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\users\young\appdata\roaming\mozilla\firefox\profiles\ynxk9vxs.default\
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\users\young\appdata\roaming\mozilla\firefox\profiles\ynxk9vxs.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\program files\common files\doubletwist\NPPodcast.dll
FF - plugin: c:\program files\download manager\npfpdlm.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dv.dll
FF - plugin: c:\program files\sony\media go\npmediago.dll
FF - plugin: c:\users\young\appdata\local\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\users\young\appdata\roaming\mozilla\firefox\profiles\ynxk9vxs.default\extensions\battlefieldheroespatcher@ea.com\platform\winnt_x86-msvc\plugins\npBFHUpdater.dll
FF - plugin: c:\users\young\appdata\roaming\mozilla\plugins\npcoolirisplugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 149040]
R2 GEST Service;GEST Service for program management.;c:\program files\gigabyte\energysaver\GSvr.exe [2009-3-5 68136]
R2 iPodDrv;iPodDrv;c:\windows\system32\drivers\iPodDrv.sys [2010-3-10 6656]
R2 MotoConnect Service;MotoConnect Service;c:\program files\motorola\motoconnectservice\MotoConnectService.exe [2010-5-15 91456]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2010-4-3 240232]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2009-12-2 42368]
R3 nvoclock;NVIDIA Enthusiasts Platform KDM;c:\windows\system32\drivers\nvoclock.sys [2009-3-9 38304]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-30 136176]
S2 RoxLiveShare10;LiveShare P2P Server 10;"c:\program files\common files\roxio shared\10.0\sharedcom\roxliveshare10.exe" --> c:\program files\common files\roxio shared\10.0\sharedcom\RoxLiveShare10.exe [?]
S2 SessionLauncher;SessionLauncher;c:\users\young\appdata\local\temp\dx9\sessionlauncher.exe --> c:\users\young\appdata\local\temp\dx9\SessionLauncher.exe [?]
S3 androidusb;ADB Interface Driver;c:\windows\system32\drivers\motoandroid.sys [2009-7-10 25856]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\steam\steamapps\common\dragon age origins\bin_ship\daupdatersvc.service.exe --> c:\program files\steam\steamapps\common\dragon age origins\bin_ship\DAUpdaterSvc.Service.exe [?]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2009-5-8 42752]
S4 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-3-14 30192]
S4 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-7-1 1153368]
SUnknown GVTDrv;GVTDrv; [x]

=============== Created Last 30 ================

2010-05-16 01:09:14 0 d-----w- c:\program files\common files\MSSoap
2010-05-16 01:07:47 0 d-----w- c:\temp\MotoConnectTemp
2010-05-15 15:48:57 0 d-----w- c:\programdata\Office Genuine Advantage
2010-05-15 02:50:22 0 d-----w- c:\users\young\appdata\roaming\NVIDIA
2010-05-15 01:39:20 0 d-----w- c:\program files\METRO 2033
2010-05-14 22:59:30 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motoandroid_01007.Wdf
2010-05-14 18:34:36 0 d-----w- c:\program files\common files\Motorola Shared
2010-05-14 18:33:02 0 d-----w- c:\program files\Motorola
2010-05-14 15:31:25 0 d-----w- c:\program files\Trend Micro
2010-05-13 15:52:10 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-05-13 15:52:09 411136 ----a-w- c:\windows\system32\drivers\http.sys
2010-05-13 15:52:08 31232 ----a-w- c:\windows\system32\httpapi.dll
2010-05-13 13:55:57 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-13 13:55:54 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-13 00:21:59 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-13 00:17:01 171520 ----a-w- c:\windows\system32\wintrust.dll
2010-05-13 00:16:43 98304 ----a-w- c:\windows\system32\cabview.dll
2010-05-13 00:12:23 0 d-----w- c:\program files\Microsoft Security Essentials
2010-05-12 23:56:24 253193512 ----a-w- c:\windows\MEMORY.DMP
2010-05-12 23:35:09 0 d-----w- c:\users\young\appdata\roaming\Malwarebytes
2010-05-12 23:35:01 0 d-----w- c:\programdata\Malwarebytes
2010-05-12 23:35:00 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-12 22:39:34 0 d-----w- c:\users\young\appdata\roaming\ATManager
2010-05-06 04:29:19 0 d-----w- c:\programdata\2DBoy
2010-05-06 04:28:58 0 d-----w- c:\program files\WorldOfGoo
2010-05-05 16:50:01 0 d-----w- c:\users\young\appdata\roaming\Dropbox
2010-04-22 07:59:38 73728 ----a-w- c:\windows\system\vdremote.dll
2010-04-22 07:59:38 65536 ----a-w- c:\windows\system\vdsvrlnk.dll
2010-04-19 16:05:17 0 d-----w- c:\users\young\appdata\roaming\FOG Downloader

==================== Find3M ====================

2010-05-16 01:10:17 86016 ----a-w- c:\windows\inf\infstor.dat
2010-05-16 01:10:17 51200 ----a-w- c:\windows\inf\infpub.dat
2010-05-16 01:10:17 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-05-16 00:37:29 24944 ----a-w- c:\windows\system32\drivers\GVTDrv.sys
2010-05-16 00:37:14 16608 ----a-w- c:\windows\gdrv.sys
2010-05-16 00:37:10 52741 ----a-w- c:\programdata\nvModes.dat
2010-05-06 14:36:38 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-04 23:20:33 137256 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-05-04 23:20:24 218808 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-04-12 15:36:43 37222 ----a-w- c:\windows\DIIUnin.dat
2010-04-12 15:33:33 94208 ----a-w- c:\windows\DIIUnin.exe
2010-04-12 15:33:33 2829 ----a-w- c:\windows\DIIUnin.pif
2010-04-03 22:27:00 985704 ----a-w- c:\windows\system32\nvsvc.dll
2010-04-03 22:27:00 13683816 ----a-w- c:\windows\system32\nvcpl.dll
2010-04-03 22:27:00 129640 ----a-w- c:\windows\system32\nvvsvc.exe
2010-04-03 22:27:00 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-04-02 20:54:38 600680 ----a-w- c:\windows\system32\NVUNINST.EXE
2010-03-05 14:01:02 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-03 00:21:55 138056 ----a-w- c:\users\young\appdata\roaming\PnkBstrK.sys
2010-03-03 00:21:34 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-03-03 00:21:34 2434856 ----a-w- c:\windows\system32\pbsvc_bc2.exe
2010-02-23 06:39:13 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33:45 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 06:33:45 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 04:55:36 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-19 23:47:50 3604480 ----a-w- c:\windows\system32\GPhotos.scr
2010-02-18 14:49:31 3598216 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-18 14:49:31 3545992 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-18 14:11:41 190464 ----a-w- c:\windows\system32\iphlpsvc.dll
2009-03-05 09:34:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2008-01-21 02:23:32 397312 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.0.6001.18000_none_f1582d884fb532fb\WinMail.exe
2008-01-21 02:23:32 397312 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.0.6002.18005_none_f343a6944cd6fe47\WinMail.exe

============= FINISH: 21:28:22.11 ===============



Edited by PolyOlefin, 15 May 2010 - 08:38 PM.




#2 Blade81

  • Malware Response Team

Posted 17 May 2010 - 03:55 AM

Hi,

Download GMER here by clicking the download exe button and then saving it to your desktop:
  • Double-click the .exe that you downloaded.
  • Click the Rootkit tab, uncheck the Files option and then click Scan.
  • Don't check the Show All box while scanning is in progress!
  • When scanning is ready, click Copy. This copies the log to the clipboard.
  • Post the log (if the log is long, archive it into a zip file and attach it instead of posting) in your reply.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

The malware removal instructions provided are meant to be used in the corresponding user's case only. If you have similar symptoms, please create your own topic instead of following instructions given to someone else.


#3 PolyOlefin

  • Topic Starter

Posted 17 May 2010 - 09:01 PM

Blade81,

I have tried running GMER again with the following unchecked:
  • IAT/EAT
  • Files
  • All other drives besides the system drive (C:\)
  • Show All

It still ends with an app crash followed by the BSoD.

I'm not sure if this would help, but I was able to copy/paste the error log:

Problem signature:
Problem Event Name: APPCRASH
Application Name: 4kzq3izj.exe
Application Version: 1.0.15.15281
Application Timestamp: 4b2763f0
Fault Module Name: 4kzq3izj.exe
Fault Module Version: 1.0.15.15281
Fault Module Timestamp: 4b2763f0
Exception Code: c0000005
Exception Offset: 0000c4b1
OS Version: 6.0.6001.2.1.0.768.3
Locale ID: 1033
Additional Information 1: cc8b
Additional Information 2: 20229e9b2c02fae81873822924c31a41
Additional Information 3: 3ce7
Additional Information 4: ae2207411d1eec6ca64a6551eb8f4c62

Edited by PolyOlefin, 17 May 2010 - 09:09 PM.


#4 Blade81

  • Malware Response Team

Posted 18 May 2010 - 12:43 AM

Please try to have sections checked only.



#5 PolyOlefin

  • Topic Starter

Posted 18 May 2010 - 01:04 AM

With "Sections" checked only, I was able to scan successfully. However, the instant I opened my browser (Google Chrome), Windows crashed to BSoD again.


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-18 01:55:07
Windows 6.0.6001 Service Pack 1
Running: 4kzq3izj.exe; Driver: C:\Users\Young\AppData\Local\Temp\pgriqpoc.sys


---- Kernel code sections - GMER 1.0.15 ----

? System32\Drivers\spvs.sys The system cannot find the path specified. !
.text USBPORT.SYS!DllUnload 8B14E46F 5 Bytes JMP 86DAF4E0
.text aatfjbnr.SYS 8AF80000 22 Bytes [26, 22, 5D, 82, 10, 21, 5D, ...]
.text aatfjbnr.SYS 8AF80017 181 Bytes [00, 32, 47, 79, 80, 3D, 45, ...]
.text aatfjbnr.SYS 8AF800CE 10 Bytes [00, 00, 00, 00, 00, 00, C9, ...] {ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; LEAVE ; HLT ; POP ESP; DEC EDX}
.text aatfjbnr.SYS 8AF800DA 12 Bytes [00, 00, 02, 00, 00, 00, 24, ...]
.text aatfjbnr.SYS 8AF800E7 714 Bytes [00, F0, 0E, 00, 00, 00, 00, ...]
.text ...
.text C:\Windows\system32\DRIVERS\atksgt.sys section is writeable [0x9FEFB300, 0x3AF78, 0xE8000020]
.text C:\Windows\system32\DRIVERS\lirsgt.sys section is writeable [0x9FF51300, 0x1BCE, 0xE8000020]

---- EOF - GMER 1.0.15 ----

#6 Blade81

  • Malware Response Team

Posted 18 May 2010 - 02:59 AM


uTorrent
DNA


The ones listed above are P2P file sharing programs. P2P downloads are nowadays one of those things that most likely bring infection into the system. My recommendation is to uninstall these (and others, if present) P2P file sharing programs.



Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.


Please continue as follows:
  1. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
    Remember to re-enable them afterwards.

  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.



#7 PolyOlefin

  • Topic Starter

Posted 18 May 2010 - 10:46 AM

Blade81,

I have uninstalled "uTorrent" and "DNA". After Combofix, I no longer see iexplore.exe in the task manager, but I still get random pop-ups asking me "Do you want to make Internet Explorer your default browser?", and now there is an Internet Explorer icon on my desktop.

Here are the Combofix and DDS logs:


ComboFix 10-05-16.05 - Young 05/18/2010 11:27:24.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3325.2108 [GMT -4:00]
Running from: c:\users\Young\Desktop\ComboFix.exe
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Young\AppData\Roaming\ATManager
c:\users\Young\AppData\Roaming\ATManager\metafiles\e7e2135bcdfc87179deacdb1cdac8b7a.torrent
c:\users\Young\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Antimalware Doctor
c:\windows\system32\Config.ini

.
((((((((((((((((((((((((( Files Created from 2010-04-18 to 2010-05-18 )))))))))))))))))))))))))))))))
.

2010-05-18 03:08 . 2010-05-18 03:31 -------- d-----w- c:\users\Young\AppData\Roaming\Anvil Studio
2010-05-18 03:08 . 2010-05-18 03:08 -------- d-----w- c:\program files\Anvil Studio
2010-05-15 15:48 . 2010-05-15 15:48 -------- d-----w- c:\programdata\Office Genuine Advantage
2010-05-15 05:12 . 2010-05-15 05:12 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-15 04:54 . 2010-05-15 04:54 84992 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\b00000ea9.dll
2010-05-15 02:50 . 2010-05-15 02:50 -------- d-----w- c:\users\Young\AppData\Local\4A Games
2010-05-15 02:50 . 2010-05-15 02:50 -------- d-----w- c:\users\Young\AppData\Roaming\NVIDIA
2010-05-15 01:39 . 2010-05-15 01:47 -------- d-----w- c:\program files\METRO 2033
2010-05-14 18:34 . 2010-05-14 18:34 -------- d-----w- c:\program files\Common Files\Motorola Shared
2010-05-14 18:33 . 2010-05-14 18:34 -------- d-----w- c:\program files\Motorola
2010-05-14 15:31 . 2010-05-14 15:31 388096 ----a-r- c:\users\Young\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-05-14 15:31 . 2010-05-14 15:31 -------- d-----w- c:\program files\Trend Micro
2010-05-13 15:52 . 2010-02-20 23:39 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-05-13 15:52 . 2010-02-20 21:18 411136 ----a-w- c:\windows\system32\drivers\http.sys
2010-05-13 15:52 . 2010-02-20 23:37 31232 ----a-w- c:\windows\system32\httpapi.dll
2010-05-13 13:55 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-13 13:55 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-13 00:21 . 2010-01-23 09:44 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-13 00:17 . 2009-12-23 12:43 171520 ----a-w- c:\windows\system32\wintrust.dll
2010-05-13 00:16 . 2010-01-15 00:04 98304 ----a-w- c:\windows\system32\cabview.dll
2010-05-13 00:12 . 2010-05-13 00:12 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-05-12 23:35 . 2010-05-12 23:35 -------- d-----w- c:\users\Young\AppData\Roaming\Malwarebytes
2010-05-12 23:35 . 2010-05-12 23:35 -------- d-----w- c:\programdata\Malwarebytes
2010-05-12 23:35 . 2010-05-13 13:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-12 16:44 . 2010-05-12 16:44 -------- d-----w- c:\users\Young\AppData\Local\Gas Powered Games
2010-05-07 20:08 . 2010-05-07 20:08 -------- d-----w- c:\users\Young\AppData\Local\storage
2010-05-06 04:29 . 2010-05-06 04:29 -------- d-----w- c:\users\Young\AppData\Local\2DBoy
2010-05-06 04:29 . 2010-05-06 04:29 -------- d-----w- c:\programdata\2DBoy
2010-05-06 04:28 . 2010-05-06 04:29 -------- d-----w- c:\program files\WorldOfGoo
2010-05-05 16:50 . 2010-05-05 16:50 89831 ----a-w- c:\users\Young\AppData\Roaming\Dropbox\bin\Uninstall.exe
2010-05-05 16:50 . 2010-05-08 23:06 -------- d-----w- c:\users\Young\AppData\Roaming\Dropbox
2010-04-27 17:59 . 2010-04-27 17:59 -------- d-----w- c:\users\Young\AppData\Local\LogiShrd
2010-04-27 17:59 . 2010-04-27 17:59 -------- d-----w- c:\users\Young\AppData\Roaming\Leadertech
2010-04-27 17:57 . 2010-04-27 17:57 -------- d-----w- c:\program files\Logitech
2010-04-24 22:50 . 2010-04-24 22:50 -------- d-----w- c:\users\Young\AppData\Local\The Lord of the Rings Online
2010-04-22 07:59 . 2010-04-09 18:35 73728 ----a-w- c:\windows\system\vdremote.dll
2010-04-22 07:59 . 2010-04-09 18:34 65536 ----a-w- c:\windows\system\vdsvrlnk.dll
2010-04-19 16:05 . 2010-04-19 16:05 -------- d-----w- c:\users\Young\AppData\Roaming\FOG Downloader

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-18 15:23 . 2009-03-06 01:04 16608 ----a-w- c:\windows\gdrv.sys
2010-05-18 15:20 . 2009-03-05 09:03 -------- d-----w- c:\users\Young\AppData\Roaming\uTorrent
2010-05-18 14:53 . 2009-03-06 01:22 24944 ----a-w- c:\windows\system32\drivers\GVTDrv.sys
2010-05-18 14:53 . 2009-05-28 12:37 52741 ----a-w- c:\programdata\nvModes.dat
2010-05-18 01:01 . 2009-03-05 07:21 -------- d-----w- c:\programdata\NVIDIA
2010-05-17 14:51 . 2009-04-02 14:13 -------- d-----w- c:\programdata\Soulseek
2010-05-16 21:35 . 2009-03-24 15:30 -------- d-----w- c:\program files\Steam
2010-05-15 02:43 . 2009-09-01 17:55 -------- d-----w- c:\program files\NVIDIA Corporation
2010-05-15 02:42 . 2009-03-11 00:07 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-05-14 22:59 . 2010-05-14 22:59 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motoandroid_01007.Wdf
2010-05-14 15:58 . 2009-07-02 02:53 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-05-14 15:56 . 2009-07-02 02:53 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-05-14 15:27 . 2009-09-12 00:00 -------- d-----w- c:\program files\Bethesda Softworks
2010-05-14 14:51 . 2009-03-05 09:40 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-14 14:34 . 2010-03-01 00:52 -------- d-----w- c:\users\Young\AppData\Roaming\DiskSpaceFan
2010-05-13 16:03 . 2009-03-05 07:06 72184 ----a-w- c:\users\Young\AppData\Local\GDIPFONTCACHEV1.DAT
2010-05-13 15:58 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-05-08 23:11 . 2009-03-14 15:53 -------- d-----w- c:\program files\Google
2010-05-07 20:07 . 2009-03-24 19:30 -------- d-----w- c:\programdata\Ubisoft
2010-05-07 20:06 . 2009-03-06 05:37 -------- d-----w- c:\program files\Ubisoft
2010-05-06 14:36 . 2009-10-05 18:58 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-04 23:20 . 2009-05-28 12:05 137256 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-05-04 23:20 . 2009-05-28 12:04 218808 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-05-01 22:37 . 2009-03-05 20:20 -------- d-----w- c:\program files\Rainmeter
2010-04-27 17:59 . 2009-03-05 09:40 -------- d-----w- c:\program files\Common Files\Logishrd
2010-04-27 17:56 . 2009-03-05 09:41 -------- d-----w- c:\programdata\LogiShrd
2010-04-25 19:34 . 2010-04-12 01:14 -------- d-----w- c:\program files\Pando Networks
2010-04-24 19:48 . 2010-04-12 12:48 -------- d-----w- c:\program files\Turbine
2010-04-16 23:48 . 2009-03-05 10:19 -------- d-----w- c:\program files\Common Files\BioWare
2010-04-16 23:47 . 2009-03-05 10:19 -------- d-----w- c:\programdata\Media Center Programs
2010-04-12 15:46 . 2010-04-12 15:31 -------- d-----w- c:\program files\Diablo II
2010-04-12 15:36 . 2010-04-12 15:33 37222 ----a-w- c:\windows\DIIUnin.dat
2010-04-12 15:33 . 2010-04-12 15:33 94208 ----a-w- c:\windows\DIIUnin.exe
2010-04-12 15:33 . 2010-04-12 15:33 2829 ----a-w- c:\windows\DIIUnin.pif
2010-04-12 14:33 . 2010-04-12 14:33 -------- d-----w- c:\users\Young\AppData\Roaming\Turbine
2010-04-11 23:40 . 2010-04-11 23:40 82726 ----a-r- c:\users\Young\AppData\Roaming\Microsoft\Installer\{1013BBD9-890E-4762-A7FE-9B6E75D5FC45}\_D4518B449D542EE4D07FC1.exe
2010-04-11 23:40 . 2010-04-11 23:40 -------- d-----w- c:\program files\Participatory Culture Foundation
2010-04-09 00:47 . 2009-03-08 07:20 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-06 06:50 . 2010-04-06 06:50 12862 ----a-r- c:\users\Young\AppData\Roaming\Microsoft\Installer\{0E2B767B-EA6A-489B-BF83-8083FE1DB661}\_1EEFFF72773535163E4216.exe
2010-04-06 06:50 . 2010-04-06 06:50 -------- d-----w- c:\program files\Pcsx2
2010-04-06 06:42 . 2010-04-06 06:42 -------- d-----w- c:\users\Young\AppData\Roaming\PlayFirst
2010-04-06 06:42 . 2010-04-06 06:42 -------- d-----w- c:\programdata\PlayFirst
2010-04-05 03:05 . 2010-04-05 03:05 8854 ----a-r- c:\users\Young\AppData\Roaming\Microsoft\Installer\{F20AE04A-3FDC-4A14-A90B-85DEE2812030}\UNINST_Uninstall_Sam_F20AE04A3FDC4A14A90B85DEE2812030.exe
2010-04-05 03:05 . 2010-04-05 03:05 331776 ----a-r- c:\users\Young\AppData\Roaming\Microsoft\Installer\{F20AE04A-3FDC-4A14-A90B-85DEE2812030}\sammax106.exe_F20AE04A3FDC4A14A90B85DEE2812030.exe
2010-04-05 03:05 . 2010-04-05 03:05 331776 ----a-r- c:\users\Young\AppData\Roaming\Microsoft\Installer\{F20AE04A-3FDC-4A14-A90B-85DEE2812030}\sammax105.exe_F20AE04A3FDC4A14A90B85DEE2812030.exe
2010-04-05 03:05 . 2010-04-05 03:05 331776 ----a-r- c:\users\Young\AppData\Roaming\Microsoft\Installer\{F20AE04A-3FDC-4A14-A90B-85DEE2812030}\sammax104.exe_F20AE04A3FDC4A14A90B85DEE2812030.exe
2010-04-05 03:05 . 2010-04-05 03:05 331776 ----a-r- c:\users\Young\AppData\Roaming\Microsoft\Installer\{F20AE04A-3FDC-4A14-A90B-85DEE2812030}\sammax103.exe_F20AE04A3FDC4A14A90B85DEE2812030.exe
2010-04-05 03:05 . 2010-04-05 03:05 331776 ----a-r- c:\users\Young\AppData\Roaming\Microsoft\Installer\{F20AE04A-3FDC-4A14-A90B-85DEE2812030}\sammax102.exe_F20AE04A3FDC4A14A90B85DEE2812030.exe
2010-04-05 03:05 . 2010-04-05 03:05 331776 ----a-r- c:\users\Young\AppData\Roaming\Microsoft\Installer\{F20AE04A-3FDC-4A14-A90B-85DEE2812030}\sammax101.exe_F20AE04A3FDC4A14A90B85DEE2812030.exe
2010-04-05 03:05 . 2010-04-05 03:05 10134 ----a-r- c:\users\Young\AppData\Roaming\Microsoft\Installer\{F20AE04A-3FDC-4A14-A90B-85DEE2812030}\ARPPRODUCTICON.exe
2010-04-05 03:02 . 2010-04-05 03:02 -------- d-----w- c:\program files\Telltale
2010-04-03 22:27 . 2010-04-03 22:27 985704 ----a-w- c:\windows\system32\nvsvc.dll
2010-04-03 22:27 . 2010-04-03 22:27 13683816 ----a-w- c:\windows\system32\nvcpl.dll
2010-04-03 22:27 . 2010-04-03 22:27 129640 ----a-w- c:\windows\system32\nvvsvc.exe
2010-04-03 22:27 . 2010-04-03 22:27 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-04-02 20:54 . 2009-03-10 23:26 600680 ----a-w- c:\windows\system32\NVUNINST.EXE
2010-04-02 03:02 . 2010-04-02 03:02 -------- d-----w- c:\program files\Common Files\doubleTwist
2010-04-02 03:02 . 2010-01-20 05:51 -------- d-----w- c:\program files\doubleTwist 2.0
2010-03-20 03:51 . 2010-03-20 03:51 -------- d-----w- c:\program files\MediaMonkey
2010-03-10 04:00 . 2010-03-10 04:00 6656 ----a-w- c:\windows\system32\drivers\iPodDrv.sys
2010-03-05 14:01 . 2010-05-13 00:22 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-03 00:21 . 2009-05-28 12:05 138056 ----a-w- c:\users\Young\AppData\Roaming\PnkBstrK.sys
2010-03-03 00:21 . 2009-05-28 12:05 138056 ----a-w- c:\users\Young\AppData\Roaming\PnkBstrK.sys
2010-03-03 00:21 . 2010-03-03 00:21 2434856 ----a-w- c:\windows\system32\pbsvc_bc2.exe
2010-03-03 00:21 . 2009-05-28 12:04 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-02-26 05:10 . 2010-02-26 05:10 21979992 ----a-w- c:\users\Young\AppData\Roaming\Dropbox\bin\Dropbox.exe
2010-02-23 11:32 . 2010-05-13 00:22 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-02-23 11:32 . 2010-05-13 00:22 78848 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-02-23 11:32 . 2010-05-13 00:22 105984 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-23 06:39 . 2010-05-13 00:22 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33 . 2010-05-13 00:22 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 06:33 . 2010-05-13 00:22 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 04:55 . 2010-05-13 00:22 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-19 23:47 . 2010-02-19 23:47 3604480 ----a-w- c:\windows\system32\GPhotos.scr
2010-02-18 14:49 . 2010-05-13 00:21 898952 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-02-18 14:49 . 2010-05-13 00:22 3598216 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-18 14:49 . 2010-05-13 00:22 3545992 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-18 14:11 . 2010-05-13 00:21 190464 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-02-18 11:52 . 2010-05-13 00:21 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2009-03-14 15:53 . 2009-03-14 15:53 122880 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2009-03-05 08:20 . 2009-03-05 07:48 24 --sh--w- c:\windows\S2EF6A7AA.tmp
2008-01-21 02:23 . 2008-01-21 02:23 397312 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.0.6001.18000_none_f1582d884fb532fb\WinMail.exe
2008-01-21 02:23 . 2008-01-21 02:23 397312 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.0.6002.18005_none_f343a6944cd6fe47\WinMail.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{65134FDF-F8A5-4B3D-91D9-CDF273CFD578}]
2010-03-31 01:45 68392 ----a-w- c:\program files\Common Files\doubleTwist\IEPodcastPlugin.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\users\Young\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\users\Young\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\users\Young\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"Google Update"="c:\users\Young\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-03-22 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"EasyTuneVI"="c:\program files\GIGABYTE\ET6\ETcall.exe" [2007-07-26 20480]
"UpdatePDRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-12-04 218408]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-08-18 7711264]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208]

c:\users\Young\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 110592]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 110592]
SetPointII.lnk - c:\program files\Logitech\SetPoint II\SetpointII.exe [2009-7-21 323584]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 2 (0x2)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-04 05:42 36272 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EVGAPrecision]
2009-04-28 01:19 44048 ----a-w- c:\program files\EVGA Precision\EVGAPrecisionWrapper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2009-03-14 15:53 30192 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-03-22 06:10 133104 ----atw- c:\users\Young\AppData\Local\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-02-17 12:15 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2006-09-11 08:40 86960 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-06-05 17:39 292136 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 21:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 20:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-03-09 09:19 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1277856495-3008290337-3124170282-1000]
"EnableNotificationsRef"=dword:00000001

R0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-12-14 691696]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-03-18 136176]
R2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [x]
R2 SessionLauncher;SessionLauncher;c:\users\Young\AppData\Local\Temp\DX9\SessionLauncher.exe [x]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x]
R3 androidusb;ADB Interface Driver;c:\windows\system32\Drivers\motoandroid.sys [2009-07-10 25856]
R3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\steam\steamapps\common\dragon age origins\bin_ship\DAUpdaterSvc.Service.exe [x]
R3 MotDev;Motorola Inc. USB Device;c:\windows\system32\DRIVERS\motodrv.sys [2009-05-08 42752]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2009-12-02 42368]
R4 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2009-03-14 30192]
R4 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 GEST Service;GEST Service for program management.;c:\program files\GIGABYTE\EnergySaver\GSvr.exe [2008-09-24 68136]
S2 iPodDrv;iPodDrv;c:\windows\system32\drivers\iPodDrv.sys [2010-03-10 6656]
S2 MotoConnect Service;MotoConnect Service;c:\program files\Motorola\MotoConnectService\MotoConnectService.exe [2010-04-02 91456]
S3 nvoclock;NVIDIA Enthusiasts Platform KDM;c:\windows\system32\DRIVERS\nvoclock.sys [2009-03-09 38304]

.
Contents of the 'Scheduled Tasks' folder

2010-05-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-30 11:08]

2010-05-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-30 11:08]

2010-05-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1277856495-3008290337-3124170282-1000Core.job
- c:\users\Young\AppData\Local\Google\Update\GoogleUpdate.exe [2009-03-22 06:10]

2010-05-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1277856495-3008290337-3124170282-1000UA.job
- c:\users\Young\AppData\Local\Google\Update\GoogleUpdate.exe [2009-03-22 06:10]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = 0.0.0.0:80
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
FF - ProfilePath - c:\users\Young\AppData\Roaming\Mozilla\Firefox\Profiles\ynxk9vxs.default\
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\Common Files\doubleTwist\NPPodcast.dll
FF - plugin: c:\program files\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\NVIDIA Corporation\3D Vision\npnv3dv.dll
FF - plugin: c:\program files\Sony\Media Go\npmediago.dll
FF - plugin: c:\users\Young\AppData\Local\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\users\Young\AppData\Roaming\Mozilla\plugins\npcoolirisplugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-DMXLauncher - c:\program files\Roxio\CinePlayer\DMXLauncher.exe
MSConfigStartUp-RtHDVCpl - RtHDVCpl.exe
AddRemove-uTorrent - c:\program files\uTorrent\uTorrent.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-18 11:33
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,94,31,72,98,4a,89,7a,4f,ad,48,aa,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,94,31,72,98,4a,89,7a,4f,ad,48,aa,\

[HKEY_USERS\S-1-5-21-1277856495-3008290337-3124170282-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:16,38,6a,67,2c,97,72,4a,6e,75,ed,53,f0,a5,60,6e,b3,de,03,58,2b,6f,fb,
f7,84,ce,f5,be,08,9f,e8,4a,b1,47,95,db,18,57,22,b9,01,6e,13,c2,92,48,bb,bc,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50

[HKEY_USERS\S-1-5-21-1277856495-3008290337-3124170282-1000\Software\SecuROM\License information*]
"datasecu"=hex:74,12,44,6d,44,53,46,ad,34,0d,4f,3d,76,c1,4a,bc,38,41,93,a0,d6,
4a,84,a3,63,1c,18,b3,41,2a,9d,52,62,1c,7c,a1,c8,15,e6,2c,f3,b6,55,0a,c9,69,\
"rkeysecu"=hex:a7,a2,f8,d2,a5,39,c3,06,8a,48,9c,a5,6e,98,fd,d1

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:f9,7e,78,b7,71,e6,af,7b,19,4a,e2,ef,6b,f2,ac,8d,db,93,0f,79,1f,
37,59,53,19,cc,08,53,2a,25,93,1b,35,6d,13,c5,fe,3d,52,26,55,82,02,5a,fd,51,\

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:f9,7e,78,b7,71,e6,af,7b,19,4a,e2,ef,6b,f2,ac,8d,db,93,0f,79,1f,
37,59,53,19,cc,08,53,2a,25,93,1b,35,6d,13,c5,fe,3d,52,26,55,82,02,5a,fd,51,\
.
Completion time: 2010-05-18 11:35:44
ComboFix-quarantined-files.txt 2010-05-18 15:35

Pre-Run: 138,692,476,928 bytes free
Post-Run: 138,625,802,240 bytes free

- - End Of File - - ED716AFEC6453BA171FB970688A05C28







DDS log:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Young at 11:43:32.23 on Tue 05/18/2010
Internet Explorer: 8.0.6001.18904 BrowserJavaVersion: 1.6.0_13
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3325.2100 [GMT -4:00]

SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k apphost
C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Motorola\MotoConnectService\MotoConnectService.exe
C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\PnkBstrB.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe
C:\Windows\system32\svchost.exe -k iissvcs
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
Executable.exe 4
C:\Windows\explorer.exe
C:\Program Files\Logitech\SetPoint II\SetpointII.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Motorola\MotoConnectService\MotoConnect.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Windows\system32\taskeng.exe
C:\Users\Young\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Young\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Young\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Young\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Young\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Young\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Young\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Young\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Young\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = 0.0.0.0:80
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: PodcastBHO Class: {65134fdf-f8a5-4b3d-91d9-cdf273cfd578} - c:\program files\common files\doubletwist\IEPodcastPlugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Google Update] "c:\users\young\appdata\local\google\update\GoogleUpdate.exe" /c
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [EasyTuneVI] c:\program files\gigabyte\et6\ETcall.exe
mRun: [UpdatePDRShortCut] "c:\program files\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\8.0"
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
StartupFolder: c:\users\young\appdata\roaming\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\setpoi~1.lnk - c:\program files\logitech\setpoint ii\SetpointII.exe
mPolicies-system: ConsentPromptBehaviorUser = 2 (0x2)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.9.113.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {A3256902-51FA-45A0-8A97-FC1143C169D9} - hxxp://support.microsoft.com/mats/DiagWebControl.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\users\young\appdata\roaming\mozilla\firefox\profiles\ynxk9vxs.default\
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 149040]
R2 GEST Service;GEST Service for program management.;c:\program files\gigabyte\energysaver\GSvr.exe [2009-3-5 68136]
R2 iPodDrv;iPodDrv;c:\windows\system32\drivers\iPodDrv.sys [2010-3-10 6656]
R2 MotoConnect Service;MotoConnect Service;c:\program files\motorola\motoconnectservice\MotoConnectService.exe [2010-5-15 91456]
R3 nvoclock;NVIDIA Enthusiasts Platform KDM;c:\windows\system32\drivers\nvoclock.sys [2009-3-9 38304]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-30 136176]
S2 RoxLiveShare10;LiveShare P2P Server 10;"c:\program files\common files\roxio shared\10.0\sharedcom\roxliveshare10.exe" --> c:\program files\common files\roxio shared\10.0\sharedcom\RoxLiveShare10.exe [?]
S2 SessionLauncher;SessionLauncher;c:\users\young\appdata\local\temp\dx9\sessionlauncher.exe --> c:\users\young\appdata\local\temp\dx9\SessionLauncher.exe [?]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvscpapisvr.exe --> c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [?]
S3 androidusb;ADB Interface Driver;c:\windows\system32\drivers\motoandroid.sys [2009-7-10 25856]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\steam\steamapps\common\dragon age origins\bin_ship\daupdatersvc.service.exe --> c:\program files\steam\steamapps\common\dragon age origins\bin_ship\DAUpdaterSvc.Service.exe [?]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2009-5-8 42752]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2009-12-2 42368]
S4 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-3-14 30192]
S4 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-7-1 1153368]

=============== Created Last 30 ================

2010-05-18 15:35:48 0 d-sh--w- C:\$RECYCLE.BIN
2010-05-18 15:23:49 98816 ----a-w- c:\windows\sed.exe
2010-05-18 15:23:49 77312 ----a-w- c:\windows\MBR.exe
2010-05-18 15:23:49 256512 ----a-w- c:\windows\PEV.exe
2010-05-18 15:23:49 161792 ----a-w- c:\windows\SWREG.exe
2010-05-18 15:21:59 0 d-----w- C:\ComboFix
2010-05-18 03:08:18 0 d-----w- c:\users\young\appdata\roaming\Anvil Studio
2010-05-18 03:08:07 0 d-----w- c:\program files\Anvil Studio
2010-05-16 01:09:14 0 d-----w- c:\program files\common files\MSSoap
2010-05-15 15:48:57 0 d-----w- c:\programdata\Office Genuine Advantage
2010-05-15 02:50:22 0 d-----w- c:\users\young\appdata\roaming\NVIDIA
2010-05-15 01:39:20 0 d-----w- c:\program files\METRO 2033
2010-05-14 22:59:30 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motoandroid_01007.Wdf
2010-05-14 18:34:36 0 d-----w- c:\program files\common files\Motorola Shared
2010-05-14 18:33:02 0 d-----w- c:\program files\Motorola
2010-05-14 15:31:25 0 d-----w- c:\program files\Trend Micro
2010-05-13 15:52:10 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-05-13 15:52:09 411136 ----a-w- c:\windows\system32\drivers\http.sys
2010-05-13 15:52:08 31232 ----a-w- c:\windows\system32\httpapi.dll
2010-05-13 13:55:57 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-13 13:55:54 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-13 00:21:59 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-13 00:17:01 171520 ----a-w- c:\windows\system32\wintrust.dll
2010-05-13 00:16:43 98304 ----a-w- c:\windows\system32\cabview.dll
2010-05-13 00:12:23 0 d-----w- c:\program files\Microsoft Security Essentials
2010-05-12 23:56:24 178801960 ----a-w- c:\windows\MEMORY.DMP
2010-05-12 23:35:09 0 d-----w- c:\users\young\appdata\roaming\Malwarebytes
2010-05-12 23:35:01 0 d-----w- c:\programdata\Malwarebytes
2010-05-12 23:35:00 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-06 04:29:19 0 d-----w- c:\programdata\2DBoy
2010-05-06 04:28:58 0 d-----w- c:\program files\WorldOfGoo
2010-05-05 16:50:01 0 d-----w- c:\users\young\appdata\roaming\Dropbox
2010-04-22 07:59:38 73728 ----a-w- c:\windows\system\vdremote.dll
2010-04-22 07:59:38 65536 ----a-w- c:\windows\system\vdsvrlnk.dll
2010-04-19 16:05:17 0 d-----w- c:\users\young\appdata\roaming\FOG Downloader

==================== Find3M ====================

2010-05-18 15:35:55 52741 ----a-w- c:\programdata\nvModes.dat
2010-05-18 15:23:45 16608 ----a-w- c:\windows\gdrv.sys
2010-05-18 14:53:47 24944 ----a-w- c:\windows\system32\drivers\GVTDrv.sys
2010-05-16 01:10:17 86016 ----a-w- c:\windows\inf\infstor.dat
2010-05-16 01:10:17 51200 ----a-w- c:\windows\inf\infpub.dat
2010-05-16 01:10:17 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-05-06 14:36:38 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-04 23:20:33 137256 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-05-04 23:20:24 218808 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-04-12 15:36:43 37222 ----a-w- c:\windows\DIIUnin.dat
2010-04-12 15:33:33 94208 ----a-w- c:\windows\DIIUnin.exe
2010-04-12 15:33:33 2829 ----a-w- c:\windows\DIIUnin.pif
2010-04-03 22:27:00 985704 ----a-w- c:\windows\system32\nvsvc.dll
2010-04-03 22:27:00 13683816 ----a-w- c:\windows\system32\nvcpl.dll
2010-04-03 22:27:00 129640 ----a-w- c:\windows\system32\nvvsvc.exe
2010-04-03 22:27:00 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-04-02 20:54:38 600680 ----a-w- c:\windows\system32\NVUNINST.EXE
2010-03-05 14:01:02 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-03 00:21:55 138056 ----a-w- c:\users\young\appdata\roaming\PnkBstrK.sys
2010-03-03 00:21:34 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-03-03 00:21:34 2434856 ----a-w- c:\windows\system32\pbsvc_bc2.exe
2010-02-23 06:39:13 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33:45 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 06:33:45 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 04:55:36 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-19 23:47:50 3604480 ----a-w- c:\windows\system32\GPhotos.scr
2010-02-18 14:49:31 3598216 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-18 14:49:31 3545992 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-18 14:11:41 190464 ----a-w- c:\windows\system32\iphlpsvc.dll
2009-03-05 09:34:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2008-01-21 02:23:32 397312 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.0.6001.18000_none_f1582d884fb532fb\WinMail.exe
2008-01-21 02:23:32 397312 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.0.6002.18005_none_f343a6944cd6fe47\WinMail.exe

============= FINISH: 11:43:46.43 ===============


Edited by PolyOlefin, 18 May 2010 - 11:40 AM.
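As an added example (not part of PolyOlefin's post or of the DDS tool), here is a small triage script for lines in the DDS "Pseudo HJT Report" and "SERVICES / DRIVERS" format shown above. It flags the kinds of entries a helper would look at first in this log: a browser proxy setting, UAC turned off, a hosts-file entry that redirects a real site, and a service whose binary lives under a Temp directory or is no longer on disk. The sample lines are constructed from the log above; the rule names and severities are this example's own.

```python
import re

# Constructed sample: a few lines in DDS log style, taken from the log posted above.
SAMPLE_DDS = r"""
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = 0.0.0.0:80
mPolicies-system: ConsentPromptBehaviorUser = 2 (0x2)
mPolicies-system: EnableLUA = 0 (0x0)
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
Hosts: 127.0.0.1 www.spywareinfo.com
R2 iPodDrv;iPodDrv;c:\windows\system32\drivers\iPodDrv.sys [2010-3-10 6656]
S2 SessionLauncher;SessionLauncher;c:\users\young\appdata\local\temp\dx9\sessionlauncher.exe --> c:\users\young\appdata\local\temp\dx9\SessionLauncher.exe [?]
S2 RoxLiveShare10;LiveShare P2P Server 10;"c:\program files\common files\roxio shared\10.0\sharedcom\roxliveshare10.exe" --> c:\program files\common files\roxio shared\10.0\sharedcom\RoxLiveShare10.exe [?]
"""

# DDS service/driver line: "<R|S><n> <name>;<display name>;<path> [date size]" or "... [?]"
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")
# Machine-wide system policy line, e.g. "mPolicies-system: EnableLUA = 0 (0x0)"
POLICY_RE = re.compile(r"^mPolicies-system:\s+(\w+)\s*=\s*(\d+)")
# Per-user IE proxy server setting
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(\S+)")
# Hosts-file entry as DDS prints it: "Hosts: <ip> <hostname>"
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
# A path component named "temp" anywhere in a service binary path
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)


def triage(lines):
    """Return a list of (severity, rule, line) findings for DDS-style log lines.

    Severities are this example's own labels: "high" means look at it first,
    "warn" means a setting worth confirming with the user, "info" is context.
    """
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue

        if PROXY_RE.match(line):
            # Rogue antivirus families commonly plant a proxy so the browser
            # can be redirected; a value like 0.0.0.0:80 mostly just breaks IE.
            findings.append(("warn", "proxy-server", line))
            continue

        m = POLICY_RE.match(line)
        if m and m.group(1) == "EnableLUA" and m.group(2) == "0":
            # UAC disabled: every program runs with the user's full rights.
            findings.append(("warn", "uac-disabled", line))
            continue

        m = HOSTS_RE.match(line)
        if m and m.group(2).lower() not in ("localhost", "localhost.localdomain"):
            # A hosts entry for a real site (here a security forum) pointing at
            # 127.0.0.1 blocks it; malware does this to stop users getting help.
            findings.append(("warn", "hosts-override", line))
            continue

        m = SERVICE_RE.match(line)
        if m:
            path = m.group(4).rstrip()
            if TEMP_DIR_RE.search(path):
                # Services normally install under Program Files or System32;
                # a service binary in a Temp folder is a strong sign of a dropper.
                findings.append(("high", "service-in-temp", line))
            if path.endswith("[?]") or path.endswith("[x]"):
                # DDS/ComboFix mark entries whose binary is not on disk; these
                # are orphans left after an uninstall or a partial cleanup.
                findings.append(("info", "service-binary-missing", line))
    return findings


def summarize(findings):
    """Count findings per severity so the most urgent ones stand out."""
    counts = {"high": 0, "warn": 0, "info": 0}
    for severity, _, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_DDS.splitlines())
    for severity, rule, line in results:
        print(f"[{severity:4}] {rule:24} {line}")
    print(summarize(results))
```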


#8 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 18 May 2010 - 12:46 PM

Hi,

Hello again,

QUOTE
I have uninstalled "uTorrent" and "DNA". After Combofix, I no longer see iexplore.exe in the task manager, but

I missed Soulseek on the previous round. It's recommended to uninstall that too.

QUOTE
I still get random pop-ups asking me "Do you want to make Internet Explorer your default browser?", and now there is an Internet Explorer icon on my desktop.

That's ComboFix's doing. Will be fixed in a bit.


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 20.
  • Click the Download button to the right.
  • Select Windows in the platform combobox and check the box that says Accept License Agreement. Click Continue.
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u20-windows-i586-p.exe to install the newest version. Uncheck Carbonite online backup trial if it's offered there.



Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here.


Post back its report & a fresh dds.txt log.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006
unite_blue.png

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#9 PolyOlefin

PolyOlefin
  • Topic Starter

  • Members
  • 12 posts

Posted 19 May 2010 - 09:49 AM

Blade81,

"Soulseek" has been uninstalled, Java has been uninstalled and updated, and ATF Cleaner has been used.

Here are the appropriate logs:


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Wednesday, May 19, 2010
Operating system: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, May 18, 2010 18:32:34
Records in database: 4125896
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan statistics:
Objects scanned: 346377
Threats found: 4
Infected objects found: 6
Suspicious objects found: 0
Scan duration: 13:26:10


File name / Threat / Threats count
C:\Program Files\WinRAR\SFX-Tools\WinRAR351StandAlone.exe Infected: Trojan-Downloader.Win32.Exchanger.bar 1
C:\Windows\System32\config\systemprofile\AppData\Local\cykxlipid\jbltvfltssd.exe Infected: Trojan.Win32.FraudPack.awnn 1
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GY2O2MT8\b2a2ad[1].exe Infected: Trojan.Win32.FraudPack.awnn 1
C:\Windows\System32\config\systemprofile\AppData\Local\syssvc.exe Infected: Trojan.Win32.FraudPack.awns 1
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12\508ce24c-34acf7bb Infected: Exploit.Java.Agent.f 1
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\61\4b509ffd-18840ec8 Infected: Exploit.Java.Agent.f 1

Selected area has been scanned.


DDS log:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Young at 10:38:52.36 on Wed 05/19/2010
Internet Explorer: 8.0.6001.18904 BrowserJavaVersion: 1.6.0_20
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3325.2360 [GMT -4:00]

SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
Executable.exe 4
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Dwm.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Windows\ehome\ehtray.exe
C:\Users\Young\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\Logitech\SetPoint II\SetpointII.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Windows\system32\svchost.exe -k apphost
C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Motorola\MotoConnectService\MotoConnectService.exe
C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\PnkBstrB.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Motorola\MotoConnectService\MotoConnect.exe
C:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe
C:\Windows\system32\svchost.exe -k iissvcs
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Security Essentials\MpCmdRun.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Young\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = 0.0.0.0:80
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: PodcastBHO Class: {65134fdf-f8a5-4b3d-91d9-cdf273cfd578} - c:\program files\common files\doubletwist\IEPodcastPlugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Google Update] "c:\users\young\appdata\local\google\update\GoogleUpdate.exe" /c
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [EasyTuneVI] c:\program files\gigabyte\et6\ETcall.exe
mRun: [UpdatePDRShortCut] "c:\program files\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\8.0"
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\users\young\appdata\roaming\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\setpoi~1.lnk - c:\program files\logitech\setpoint ii\SetpointII.exe
mPolicies-system: ConsentPromptBehaviorUser = 2 (0x2)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.9.113.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {A3256902-51FA-45A0-8A97-FC1143C169D9} - hxxp://support.microsoft.com/mats/DiagWebControl.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\users\young\appdata\roaming\mozilla\firefox\profiles\ynxk9vxs.default\
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\common files\doubletwist\NPPodcast.dll
FF - plugin: c:\program files\download manager\npfpdlm.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dv.dll
FF - plugin: c:\program files\sony\media go\npmediago.dll
FF - plugin: c:\users\young\appdata\local\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\users\young\appdata\roaming\mozilla\plugins\npcoolirisplugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 149040]
R2 GEST Service;GEST Service for program management.;c:\program files\gigabyte\energysaver\GSvr.exe [2009-3-5 68136]
R2 iPodDrv;iPodDrv;c:\windows\system32\drivers\iPodDrv.sys [2010-3-10 6656]
R2 MotoConnect Service;MotoConnect Service;c:\program files\motorola\motoconnectservice\MotoConnectService.exe [2010-5-15 91456]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2009-12-2 42368]
R3 nvoclock;NVIDIA Enthusiasts Platform KDM;c:\windows\system32\drivers\nvoclock.sys [2009-3-9 38304]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-30 136176]
S2 RoxLiveShare10;LiveShare P2P Server 10;"c:\program files\common files\roxio shared\10.0\sharedcom\roxliveshare10.exe" --> c:\program files\common files\roxio shared\10.0\sharedcom\RoxLiveShare10.exe [?]
S2 SessionLauncher;SessionLauncher;c:\users\young\appdata\local\temp\dx9\sessionlauncher.exe --> c:\users\young\appdata\local\temp\dx9\SessionLauncher.exe [?]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvscpapisvr.exe --> c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [?]
S3 androidusb;ADB Interface Driver;c:\windows\system32\drivers\motoandroid.sys [2009-7-10 25856]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\steam\steamapps\common\dragon age origins\bin_ship\daupdatersvc.service.exe --> c:\program files\steam\steamapps\common\dragon age origins\bin_ship\DAUpdaterSvc.Service.exe [?]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2009-5-8 42752]
S4 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-3-14 30192]
S4 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-7-1 1153368]
SUnknown GVTDrv;GVTDrv; [x]

=============== Created Last 30 ================

2010-05-18 18:52:38 0 d-----w- c:\programdata\Sun
2010-05-18 18:51:56 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-18 15:35:48 0 d-sh--w- C:\$RECYCLE.BIN
2010-05-18 15:23:49 98816 ----a-w- c:\windows\sed.exe
2010-05-18 15:23:49 77312 ----a-w- c:\windows\MBR.exe
2010-05-18 15:23:49 256512 ----a-w- c:\windows\PEV.exe
2010-05-18 15:23:49 161792 ----a-w- c:\windows\SWREG.exe
2010-05-18 15:21:59 0 d-----w- C:\ComboFix
2010-05-18 03:08:18 0 d-----w- c:\users\young\appdata\roaming\Anvil Studio
2010-05-18 03:08:07 0 d-----w- c:\program files\Anvil Studio
2010-05-16 01:09:14 0 d-----w- c:\program files\common files\MSSoap
2010-05-15 15:48:57 0 d-----w- c:\programdata\Office Genuine Advantage
2010-05-15 02:50:22 0 d-----w- c:\users\young\appdata\roaming\NVIDIA
2010-05-15 01:39:20 0 d-----w- c:\program files\METRO 2033
2010-05-14 22:59:30 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motoandroid_01007.Wdf
2010-05-14 18:34:36 0 d-----w- c:\program files\common files\Motorola Shared
2010-05-14 18:33:02 0 d-----w- c:\program files\Motorola
2010-05-14 15:31:25 0 d-----w- c:\program files\Trend Micro
2010-05-13 15:52:10 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-05-13 15:52:09 411136 ----a-w- c:\windows\system32\drivers\http.sys
2010-05-13 15:52:08 31232 ----a-w- c:\windows\system32\httpapi.dll
2010-05-13 13:55:57 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-13 13:55:54 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-13 00:21:59 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-13 00:17:01 171520 ----a-w- c:\windows\system32\wintrust.dll
2010-05-13 00:16:43 98304 ----a-w- c:\windows\system32\cabview.dll
2010-05-13 00:12:23 0 d-----w- c:\program files\Microsoft Security Essentials
2010-05-12 23:56:24 178801960 ----a-w- c:\windows\MEMORY.DMP
2010-05-12 23:35:09 0 d-----w- c:\users\young\appdata\roaming\Malwarebytes
2010-05-12 23:35:01 0 d-----w- c:\programdata\Malwarebytes
2010-05-12 23:35:00 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-06 04:29:19 0 d-----w- c:\programdata\2DBoy
2010-05-06 04:28:58 0 d-----w- c:\program files\WorldOfGoo
2010-05-05 16:50:01 0 d-----w- c:\users\young\appdata\roaming\Dropbox
2010-04-22 07:59:38 73728 ----a-w- c:\windows\system\vdremote.dll
2010-04-22 07:59:38 65536 ----a-w- c:\windows\system\vdsvrlnk.dll
2010-04-19 16:05:17 0 d-----w- c:\users\young\appdata\roaming\FOG Downloader

==================== Find3M ====================

2010-05-18 21:52:41 52741 ----a-w- c:\programdata\nvModes.dat
2010-05-18 18:49:16 24944 ----a-w- c:\windows\system32\drivers\GVTDrv.sys
2010-05-18 18:48:42 16608 ----a-w- c:\windows\gdrv.sys
2010-05-16 01:10:17 86016 ----a-w- c:\windows\inf\infstor.dat
2010-05-16 01:10:17 51200 ----a-w- c:\windows\inf\infpub.dat
2010-05-16 01:10:17 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-05-06 14:36:38 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-04 23:20:33 137256 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-05-04 23:20:24 218808 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-04-12 15:36:43 37222 ----a-w- c:\windows\DIIUnin.dat
2010-04-12 15:33:33 94208 ----a-w- c:\windows\DIIUnin.exe
2010-04-12 15:33:33 2829 ----a-w- c:\windows\DIIUnin.pif
2010-04-03 22:27:00 985704 ----a-w- c:\windows\system32\nvsvc.dll
2010-04-03 22:27:00 13683816 ----a-w- c:\windows\system32\nvcpl.dll
2010-04-03 22:27:00 129640 ----a-w- c:\windows\system32\nvvsvc.exe
2010-04-03 22:27:00 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-04-02 20:54:38 600680 ----a-w- c:\windows\system32\NVUNINST.EXE
2010-03-05 14:01:02 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-03 00:21:55 138056 ----a-w- c:\users\young\appdata\roaming\PnkBstrK.sys
2010-03-03 00:21:34 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-03-03 00:21:34 2434856 ----a-w- c:\windows\system32\pbsvc_bc2.exe
2010-02-23 06:39:13 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33:45 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 06:33:45 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 04:55:36 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-19 23:47:50 3604480 ----a-w- c:\windows\system32\GPhotos.scr
2010-02-18 14:49:31 3598216 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-18 14:49:31 3545992 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-03-05 09:34:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2008-01-21 02:23:32 397312 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.0.6001.18000_none_f1582d884fb532fb\WinMail.exe
2008-01-21 02:23:32 397312 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.0.6002.18005_none_f343a6944cd6fe47\WinMail.exe

============= FINISH: 10:40:09.78 ===============


#10 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 19 May 2010 - 11:38 AM

Hi again,


Open notepad and copy/paste the text in the quotebox below into it:

CODE
Folder::
C:\Windows\System32\config\systemprofile\AppData\Local\cykxlipid
File::
C:\Program Files\WinRAR\SFX-Tools\WinRAR351StandAlone.exe
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GY2O2MT8\b2a2ad[1].exe
C:\Windows\System32\config\systemprofile\AppData\Local\syssvc.exe
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12\508ce24c-34acf7bb
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\61\4b509ffd-18840ec8

Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.



Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe.
Then post the resultant log. How's the system running?

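The step in the post above, turning the Kaspersky findings into ComboFix Folder::/File:: entries, done mechanically in Python as an added example (not code from the thread, from ComboFix or from Kaspersky); the allowlist of expected AppData\Local directories and the rule that promotes an unknown directory there to Folder:: are assumptions made for the example.

```python
"""Build a ComboFix CFScript from a Kaspersky Online Scanner 7.0 report.

Added example for this thread; it is not code from the original posts, from
ComboFix or from Kaspersky. The KNOWN_LOCAL_DIRS allowlist and the Folder::
rule below are assumptions chosen to reproduce the analyst's manual step.
"""
import re
from pathlib import PureWindowsPath
from typing import List, NamedTuple, Optional

# Constructed sample: the findings section of the Kaspersky report posted in
# this thread, in its "File name / Threat / Threats count" layout.
SAMPLE_REPORT = r"""
File name / Threat / Threats count
C:\Program Files\WinRAR\SFX-Tools\WinRAR351StandAlone.exe Infected: Trojan-Downloader.Win32.Exchanger.bar 1
C:\Windows\System32\config\systemprofile\AppData\Local\cykxlipid\jbltvfltssd.exe Infected: Trojan.Win32.FraudPack.awnn 1
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GY2O2MT8\b2a2ad[1].exe Infected: Trojan.Win32.FraudPack.awnn 1
C:\Windows\System32\config\systemprofile\AppData\Local\syssvc.exe Infected: Trojan.Win32.FraudPack.awns 1
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12\508ce24c-34acf7bb Infected: Exploit.Java.Agent.f 1
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\61\4b509ffd-18840ec8 Infected: Exploit.Java.Agent.f 1

Selected area has been scanned.
"""


class Finding(NamedTuple):
    path: str    # full Windows path of the detected object
    status: str  # "Infected" or "Suspicious"
    threat: str  # detection name, e.g. Trojan.Win32.FraudPack.awnn
    count: int   # the "Threats count" column


# One report line: <path> <Infected|Suspicious>: <threat> <count>
# The path may contain spaces and brackets, so it is matched lazily and the
# line is anchored on the fixed trailer instead.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) (?P<status>Infected|Suspicious): "
    r"(?P<threat>\S+) (?P<count>\d+)$"
)

# Directories that legitimately sit directly under AppData\Local. This is an
# assumed allowlist for the example, not a Kaspersky or ComboFix list.
KNOWN_LOCAL_DIRS = {"microsoft", "google", "apple", "apple computer", "temp",
                    "logishrd", "storage"}


def parse_report(text: str) -> List[Finding]:
    """Return the findings in report order; header/footer lines are skipped."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            findings.append(Finding(m["path"], m["status"], m["threat"], int(m["count"])))
    return findings


def folder_to_remove(path: str) -> Optional[str]:
    """Return the parent directory when it is an unknown folder placed directly
    under AppData\\Local (where FraudPack dropped its randomly named
    cykxlipid directory in this report); otherwise None, meaning the file is
    listed on its own under File::."""
    p = PureWindowsPath(path)
    above_parent = tuple(part.lower() for part in p.parent.parent.parts[-2:])
    if above_parent == ("appdata", "local") and p.parent.name.lower() not in KNOWN_LOCAL_DIRS:
        return str(p.parent)
    return None


def build_cfscript(findings: List[Finding]) -> str:
    """Emit Folder:: then File:: sections in report order, without duplicates.
    A file whose folder is already scheduled for removal is not repeated."""
    folders: List[str] = []
    files: List[str] = []
    for f in findings:
        folder = folder_to_remove(f.path)
        if folder is not None:
            if folder not in folders:
                folders.append(folder)
        elif f.path not in files:
            files.append(f.path)
    lines: List[str] = []
    if folders:
        lines.append("Folder::")
        lines.extend(folders)
    if files:
        lines.append("File::")
        lines.extend(files)
    return "\n".join(lines)


def system_profile_hits(findings: List[Finding]) -> List[Finding]:
    """Findings under Windows\\System32\\config\\systemprofile. That directory
    is the profile of the LocalSystem account, so drops there show the
    infection ran with SYSTEM privileges at some point."""
    return [f for f in findings if "\\config\\systemprofile\\" in f.path.lower()]


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    print(f"{len(found)} infected objects, "
          f"{len(system_profile_hits(found))} of them in the SYSTEM profile\n")
    print(build_cfscript(found))
```

Run against the sample it reproduces the Folder::/File:: block from the post above line for line; the SYSTEM-profile count is the detail worth noting when deciding whether a user-level cleanup is enough.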


#11 PolyOlefin

PolyOlefin
  • Topic Starter

  • Members
  • 12 posts

Posted 19 May 2010 - 01:27 PM

Blade81,

Unfortunately, I am still getting the pop-ups asking me to make Internet Explorer my default browser. Here is the Combofix log:


ComboFix 10-05-19.01 - Young 05/19/2010 13:01:37.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3325.2371 [GMT -4:00]
Running from: c:\users\Young\Desktop\ComboFix.exe
Command switches used :: c:\users\Young\Desktop\CFScript.txt
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

FILE ::
"c:\program files\WinRAR\SFX-Tools\WinRAR351StandAlone.exe"
"c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GY2O2MT8\b2a2ad[1].exe"
"c:\windows\System32\config\systemprofile\AppData\Local\syssvc.exe"
"c:\windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12\508ce24c-34acf7bb"
"c:\windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\61\4b509ffd-18840ec8"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\WinRAR\SFX-Tools\WinRAR351StandAlone.exe
c:\system volume information\_restore{d5fffa500b1b}
c:\system volume information\_restore{d5fffa500b1b}\smss.exe
c:\system volume information\_restore{d5fffa500b1b}\svchost.exe
c:\windows\System32\config\systemprofile\AppData\Local\cykxlipid
c:\windows\System32\config\systemprofile\AppData\Local\cykxlipid\jbltvfltssd.exe
c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GY2O2MT8\b2a2ad[1].exe
c:\windows\System32\config\systemprofile\AppData\Local\syssvc.exe
c:\windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12\508ce24c-34acf7bb
c:\windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\61\4b509ffd-18840ec8

.
((((((((((((((((((((((((( Files Created from 2010-04-19 to 2010-05-19 )))))))))))))))))))))))))))))))
.

2010-05-19 17:07 . 2010-05-19 17:09 -------- d-----w- c:\users\Young\AppData\Local\temp
2010-05-19 17:07 . 2010-05-19 17:07 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-05-18 23:56 . 2010-05-18 23:56 -------- d-----w- c:\users\Young\AppData\Local\Apple
2010-05-18 23:56 . 2010-05-18 23:56 -------- d-----w- c:\users\Young\AppData\Local\Apple Computer
2010-05-18 18:52 . 2010-05-18 18:52 -------- d-----w- c:\program files\Common Files\Java
2010-05-18 18:51 . 2010-05-18 18:51 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-18 03:08 . 2010-05-18 03:31 -------- d-----w- c:\users\Young\AppData\Roaming\Anvil Studio
2010-05-18 03:08 . 2010-05-18 03:08 -------- d-----w- c:\program files\Anvil Studio
2010-05-15 15:48 . 2010-05-15 15:48 -------- d-----w- c:\programdata\Office Genuine Advantage
2010-05-15 05:12 . 2010-05-15 05:12 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-15 04:54 . 2010-05-15 04:54 84992 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\b00000ea9.dll
2010-05-15 02:50 . 2010-05-15 02:50 -------- d-----w- c:\users\Young\AppData\Roaming\NVIDIA
2010-05-15 01:39 . 2010-05-15 01:47 -------- d-----w- c:\program files\METRO 2033
2010-05-14 18:34 . 2010-05-14 18:34 -------- d-----w- c:\program files\Common Files\Motorola Shared
2010-05-14 18:33 . 2010-05-14 18:34 -------- d-----w- c:\program files\Motorola
2010-05-14 15:31 . 2010-05-14 15:31 -------- d-----w- c:\program files\Trend Micro
2010-05-13 15:52 . 2010-02-20 23:39 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-05-13 15:52 . 2010-02-20 21:18 411136 ----a-w- c:\windows\system32\drivers\http.sys
2010-05-13 15:52 . 2010-02-20 23:37 31232 ----a-w- c:\windows\system32\httpapi.dll
2010-05-13 13:55 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-13 13:55 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-13 00:21 . 2010-01-23 09:44 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-13 00:17 . 2009-12-23 12:43 171520 ----a-w- c:\windows\system32\wintrust.dll
2010-05-13 00:16 . 2010-01-15 00:04 98304 ----a-w- c:\windows\system32\cabview.dll
2010-05-13 00:12 . 2010-05-13 00:12 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-05-12 23:35 . 2010-05-12 23:35 -------- d-----w- c:\users\Young\AppData\Roaming\Malwarebytes
2010-05-12 23:35 . 2010-05-12 23:35 -------- d-----w- c:\programdata\Malwarebytes
2010-05-12 23:35 . 2010-05-13 13:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-12 16:44 . 2010-05-12 16:44 -------- d-----w- c:\users\Young\AppData\Local\Gas Powered Games
2010-05-07 20:08 . 2010-05-07 20:08 -------- d-----w- c:\users\Young\AppData\Local\storage
2010-05-06 04:29 . 2010-05-06 04:29 -------- d-----w- c:\programdata\2DBoy
2010-05-06 04:28 . 2010-05-06 04:29 -------- d-----w- c:\program files\WorldOfGoo
2010-05-05 16:50 . 2010-05-08 23:06 -------- d-----w- c:\users\Young\AppData\Roaming\Dropbox
2010-04-27 17:59 . 2010-04-27 17:59 -------- d-----w- c:\users\Young\AppData\Local\LogiShrd
2010-04-27 17:59 . 2010-04-27 17:59 -------- d-----w- c:\users\Young\AppData\Roaming\Leadertech
2010-04-27 17:57 . 2010-04-27 17:57 -------- d-----w- c:\program files\Logitech
2010-04-24 22:50 . 2010-04-24 22:50 -------- d-----w- c:\users\Young\AppData\Local\The Lord of the Rings Online
2010-04-22 07:59 . 2010-04-09 18:35 73728 ----a-w- c:\windows\system\vdremote.dll
2010-04-22 07:59 . 2010-04-09 18:34 65536 ----a-w- c:\windows\system\vdsvrlnk.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-19 17:09 . 2009-03-06 01:22 24944 ----a-w- c:\windows\system32\drivers\GVTDrv.sys
2010-05-19 17:09 . 2009-05-28 12:37 52741 ----a-w- c:\programdata\nvModes.dat
2010-05-19 17:09 . 2009-03-06 01:04 16608 ----a-w- c:\windows\gdrv.sys
2010-05-18 21:51 . 2009-03-24 15:30 -------- d-----w- c:\program files\Steam
2010-05-18 15:20 . 2009-03-05 09:03 -------- d-----w- c:\users\Young\AppData\Roaming\uTorrent
2010-05-18 01:01 . 2009-03-05 07:21 -------- d-----w- c:\programdata\NVIDIA
2010-05-17 14:51 . 2009-04-02 14:13 -------- d-----w- c:\programdata\Soulseek
2010-05-15 02:43 . 2009-09-01 17:55 -------- d-----w- c:\program files\NVIDIA Corporation
2010-05-15 02:42 . 2009-03-11 00:07 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-05-14 22:59 . 2010-05-14 22:59 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motoandroid_01007.Wdf
2010-05-14 15:58 . 2009-07-02 02:53 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-05-14 15:56 . 2009-07-02 02:53 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-05-14 15:31 . 2010-05-14 15:31 388096 ----a-r- c:\users\Young\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-05-14 15:27 . 2009-09-12 00:00 -------- d-----w- c:\program files\Bethesda Softworks
2010-05-14 14:51 . 2009-03-05 09:40 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-14 14:34 . 2010-03-01 00:52 -------- d-----w- c:\users\Young\AppData\Roaming\DiskSpaceFan
2010-05-13 16:03 . 2009-03-05 07:06 72184 ----a-w- c:\users\Young\AppData\Local\GDIPFONTCACHEV1.DAT
2010-05-13 15:58 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-05-12 15:21 . 2009-10-05 18:58 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-08 23:11 . 2009-03-14 15:53 -------- d-----w- c:\program files\Google
2010-05-07 20:07 . 2009-03-24 19:30 -------- d-----w- c:\programdata\Ubisoft
2010-05-07 20:06 . 2009-03-06 05:37 -------- d-----w- c:\program files\Ubisoft
2010-05-05 16:50 . 2010-05-05 16:50 89831 ----a-w- c:\users\Young\AppData\Roaming\Dropbox\bin\Uninstall.exe
2010-05-04 23:20 . 2009-05-28 12:05 137256 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-05-04 23:20 . 2009-05-28 12:04 218808 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-05-01 22:37 . 2009-03-05 20:20 -------- d-----w- c:\program files\Rainmeter
2010-04-27 17:59 . 2009-03-05 09:40 -------- d-----w- c:\program files\Common Files\Logishrd
2010-04-27 17:56 . 2009-03-05 09:41 -------- d-----w- c:\programdata\LogiShrd
2010-04-25 19:34 . 2010-04-12 01:14 -------- d-----w- c:\program files\Pando Networks
2010-04-24 19:48 . 2010-04-12 12:48 -------- d-----w- c:\program files\Turbine
2010-04-19 16:05 . 2010-04-19 16:05 -------- d-----w- c:\users\Young\AppData\Roaming\FOG Downloader
2010-04-16 23:48 . 2009-03-05 10:19 -------- d-----w- c:\program files\Common Files\BioWare
2010-04-16 23:47 . 2009-03-05 10:19 -------- d-----w- c:\programdata\Media Center Programs
2010-04-12 15:46 . 2010-04-12 15:31 -------- d-----w- c:\program files\Diablo II
2010-04-12 15:36 . 2010-04-12 15:33 37222 ----a-w- c:\windows\DIIUnin.dat
2010-04-12 15:33 . 2010-04-12 15:33 94208 ----a-w- c:\windows\DIIUnin.exe
2010-04-12 15:33 . 2010-04-12 15:33 2829 ----a-w- c:\windows\DIIUnin.pif
2010-04-12 14:33 . 2010-04-12 14:33 -------- d-----w- c:\users\Young\AppData\Roaming\Turbine
2010-04-11 23:40 . 2010-04-11 23:40 82726 ----a-r- c:\users\Young\AppData\Roaming\Microsoft\Installer\{1013BBD9-890E-4762-A7FE-9B6E75D5FC45}\_D4518B449D542EE4D07FC1.exe
2010-04-11 23:40 . 2010-04-11 23:40 -------- d-----w- c:\program files\Participatory Culture Foundation
2010-04-09 00:47 . 2009-03-08 07:20 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-06 06:50 . 2010-04-06 06:50 12862 ----a-r- c:\users\Young\AppData\Roaming\Microsoft\Installer\{0E2B767B-EA6A-489B-BF83-8083FE1DB661}\_1EEFFF72773535163E4216.exe
2010-04-06 06:50 . 2010-04-06 06:50 -------- d-----w- c:\program files\Pcsx2
2010-04-06 06:42 . 2010-04-06 06:42 -------- d-----w- c:\users\Young\AppData\Roaming\PlayFirst
2010-04-06 06:42 . 2010-04-06 06:42 -------- d-----w- c:\programdata\PlayFirst
2010-04-05 03:05 . 2010-04-05 03:05 8854 ----a-r- c:\users\Young\AppData\Roaming\Microsoft\Installer\{F20AE04A-3FDC-4A14-A90B-85DEE2812030}\UNINST_Uninstall_Sam_F20AE04A3FDC4A14A90B85DEE2812030.exe
2010-04-05 03:05 . 2010-04-05 03:05 331776 ----a-r- c:\users\Young\AppData\Roaming\Microsoft\Installer\{F20AE04A-3FDC-4A14-A90B-85DEE2812030}\sammax106.exe_F20AE04A3FDC4A14A90B85DEE2812030.exe
2010-04-05 03:05 . 2010-04-05 03:05 331776 ----a-r- c:\users\Young\AppData\Roaming\Microsoft\Installer\{F20AE04A-3FDC-4A14-A90B-85DEE2812030}\sammax105.exe_F20AE04A3FDC4A14A90B85DEE2812030.exe
2010-04-05 03:05 . 2010-04-05 03:05 331776 ----a-r- c:\users\Young\AppData\Roaming\Microsoft\Installer\{F20AE04A-3FDC-4A14-A90B-85DEE2812030}\sammax104.exe_F20AE04A3FDC4A14A90B85DEE2812030.exe
2010-04-05 03:05 . 2010-04-05 03:05 331776 ----a-r- c:\users\Young\AppData\Roaming\Microsoft\Installer\{F20AE04A-3FDC-4A14-A90B-85DEE2812030}\sammax103.exe_F20AE04A3FDC4A14A90B85DEE2812030.exe
2010-04-05 03:05 . 2010-04-05 03:05 331776 ----a-r- c:\users\Young\AppData\Roaming\Microsoft\Installer\{F20AE04A-3FDC-4A14-A90B-85DEE2812030}\sammax102.exe_F20AE04A3FDC4A14A90B85DEE2812030.exe
2010-04-05 03:05 . 2010-04-05 03:05 331776 ----a-r- c:\users\Young\AppData\Roaming\Microsoft\Installer\{F20AE04A-3FDC-4A14-A90B-85DEE2812030}\sammax101.exe_F20AE04A3FDC4A14A90B85DEE2812030.exe
2010-04-05 03:05 . 2010-04-05 03:05 10134 ----a-r- c:\users\Young\AppData\Roaming\Microsoft\Installer\{F20AE04A-3FDC-4A14-A90B-85DEE2812030}\ARPPRODUCTICON.exe
2010-04-05 03:02 . 2010-04-05 03:02 -------- d-----w- c:\program files\Telltale
2010-04-03 22:27 . 2010-04-03 22:27 985704 ----a-w- c:\windows\system32\nvsvc.dll
2010-04-03 22:27 . 2010-04-03 22:27 13683816 ----a-w- c:\windows\system32\nvcpl.dll
2010-04-03 22:27 . 2010-04-03 22:27 129640 ----a-w- c:\windows\system32\nvvsvc.exe
2010-04-03 22:27 . 2010-04-03 22:27 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-04-02 20:54 . 2009-03-10 23:26 600680 ----a-w- c:\windows\system32\NVUNINST.EXE
2010-04-02 03:02 . 2010-04-02 03:02 -------- d-----w- c:\program files\Common Files\doubleTwist
2010-04-02 03:02 . 2010-01-20 05:51 -------- d-----w- c:\program files\doubleTwist 2.0
2010-03-10 04:00 . 2010-03-10 04:00 6656 ----a-w- c:\windows\system32\drivers\iPodDrv.sys
2010-03-05 14:01 . 2010-05-13 00:22 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-03 00:21 . 2009-05-28 12:05 138056 ----a-w- c:\users\Young\AppData\Roaming\PnkBstrK.sys
2010-03-03 00:21 . 2009-05-28 12:05 138056 ----a-w- c:\users\Young\AppData\Roaming\PnkBstrK.sys
2010-03-03 00:21 . 2010-03-03 00:21 2434856 ----a-w- c:\windows\system32\pbsvc_bc2.exe
2010-03-03 00:21 . 2009-05-28 12:04 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-02-26 05:10 . 2010-02-26 05:10 21979992 ----a-w- c:\users\Young\AppData\Roaming\Dropbox\bin\Dropbox.exe
2010-02-23 11:32 . 2010-05-13 00:22 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-02-23 11:32 . 2010-05-13 00:22 78848 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-02-23 11:32 . 2010-05-13 00:22 105984 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-23 06:39 . 2010-05-13 00:22 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33 . 2010-05-13 00:22 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 06:33 . 2010-05-13 00:22 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 04:55 . 2010-05-13 00:22 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-19 23:47 . 2010-02-19 23:47 3604480 ----a-w- c:\windows\system32\GPhotos.scr
2009-03-14 15:53 . 2009-03-14 15:53 122880 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2009-03-05 08:20 . 2009-03-05 07:48 24 --sh--w- c:\windows\S2EF6A7AA.tmp
2008-01-21 02:23 . 2008-01-21 02:23 397312 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.0.6001.18000_none_f1582d884fb532fb\WinMail.exe
2008-01-21 02:23 . 2008-01-21 02:23 397312 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.0.6002.18005_none_f343a6944cd6fe47\WinMail.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{65134FDF-F8A5-4B3D-91D9-CDF273CFD578}]
2010-03-31 01:45 68392 ----a-w- c:\program files\Common Files\doubleTwist\IEPodcastPlugin.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\users\Young\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\users\Young\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\users\Young\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"Google Update"="c:\users\Young\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-03-22 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"EasyTuneVI"="c:\program files\GIGABYTE\ET6\ETcall.exe" [2007-07-26 20480]
"UpdatePDRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-12-04 218408]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-08-18 7711264]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

c:\users\Young\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 110592]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 110592]
SetPointII.lnk - c:\program files\Logitech\SetPoint II\SetpointII.exe [2009-7-21 323584]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 2 (0x2)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-04 05:42 36272 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EVGAPrecision]
2009-04-28 01:19 44048 ----a-w- c:\program files\EVGA Precision\EVGAPrecisionWrapper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2009-03-14 15:53 30192 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-03-22 06:10 133104 ----atw- c:\users\Young\AppData\Local\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-02-17 12:15 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2006-09-11 08:40 86960 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-06-05 17:39 292136 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 21:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 20:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1277856495-3008290337-3124170282-1000]
"EnableNotificationsRef"=dword:00000001

R0 GVTDrv;GVTDrv; [x]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-03-18 136176]
R2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [x]
R2 SessionLauncher;SessionLauncher;c:\users\Young\AppData\Local\Temp\DX9\SessionLauncher.exe [x]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x]
R3 androidusb;ADB Interface Driver;c:\windows\system32\Drivers\motoandroid.sys [2009-07-10 25856]
R3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\steam\steamapps\common\dragon age origins\bin_ship\DAUpdaterSvc.Service.exe [x]
R3 MotDev;Motorola Inc. USB Device;c:\windows\system32\DRIVERS\motodrv.sys [2009-05-08 42752]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2009-12-02 42368]
R4 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2009-03-14 30192]
R4 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-12-14 691696]
S2 GEST Service;GEST Service for program management.;c:\program files\GIGABYTE\EnergySaver\GSvr.exe [2008-09-24 68136]
S2 iPodDrv;iPodDrv;c:\windows\system32\drivers\iPodDrv.sys [2010-03-10 6656]
S2 MotoConnect Service;MotoConnect Service;c:\program files\Motorola\MotoConnectService\MotoConnectService.exe [2010-04-02 91456]
S3 nvoclock;NVIDIA Enthusiasts Platform KDM;c:\windows\system32\DRIVERS\nvoclock.sys [2009-03-09 38304]

.
Contents of the 'Scheduled Tasks' folder

2010-05-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-30 11:08]

2010-05-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-30 11:08]

2010-05-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1277856495-3008290337-3124170282-1000Core.job
- c:\users\Young\AppData\Local\Google\Update\GoogleUpdate.exe [2009-03-22 06:10]

2010-05-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1277856495-3008290337-3124170282-1000UA.job
- c:\users\Young\AppData\Local\Google\Update\GoogleUpdate.exe [2009-03-22 06:10]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = 0.0.0.0:80
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
FF - ProfilePath - c:\users\Young\AppData\Roaming\Mozilla\Firefox\Profiles\ynxk9vxs.default\
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\Common Files\doubleTwist\NPPodcast.dll
FF - plugin: c:\program files\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\NVIDIA Corporation\3D Vision\npnv3dv.dll
FF - plugin: c:\program files\Sony\Media Go\npmediago.dll
FF - plugin: c:\users\Young\AppData\Local\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\users\Young\AppData\Roaming\Mozilla\plugins\npcoolirisplugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-19 13:09
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: error reading MBR
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x856E91F8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x8b3aa322
\Driver\ACPI -> acpi.sys @ 0x807bad4c
\Driver\atapi -> 0x856e91f8
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->Warning: possible MBR rootkit infection !

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,94,31,72,98,4a,89,7a,4f,ad,48,aa,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,94,31,72,98,4a,89,7a,4f,ad,48,aa,\

[HKEY_USERS\S-1-5-21-1277856495-3008290337-3124170282-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:16,38,6a,67,2c,97,72,4a,6e,75,ed,53,f0,a5,60,6e,b3,de,03,58,2b,6f,fb,
f7,84,ce,f5,be,08,9f,e8,4a,b1,47,95,db,18,57,22,b9,01,6e,13,c2,92,48,bb,bc,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50

[HKEY_USERS\S-1-5-21-1277856495-3008290337-3124170282-1000\Software\SecuROM\License information*]
"datasecu"=hex:74,12,44,6d,44,53,46,ad,34,0d,4f,3d,76,c1,4a,bc,38,41,93,a0,d6,
4a,84,a3,63,1c,18,b3,41,2a,9d,52,62,1c,7c,a1,c8,15,e6,2c,f3,b6,55,0a,c9,69,\
"rkeysecu"=hex:a7,a2,f8,d2,a5,39,c3,06,8a,48,9c,a5,6e,98,fd,d1

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:f9,7e,78,b7,71,e6,af,7b,19,4a,e2,ef,6b,f2,ac,8d,db,93,0f,79,1f,
37,59,53,19,cc,08,53,2a,25,93,1b,35,6d,13,c5,fe,3d,52,26,55,82,02,5a,fd,51,\

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:f9,7e,78,b7,71,e6,af,7b,19,4a,e2,ef,6b,f2,ac,8d,db,93,0f,79,1f,
37,59,53,19,cc,08,53,2a,25,93,1b,35,6d,13,c5,fe,3d,52,26,55,82,02,5a,fd,51,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(1432)
c:\users\Young\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\system volume information\_restore{d5fffa500b1b}\svchost.exe
c:\windows\system32\nvvsvc.exe
c:\system volume information\_restore{d5fffa500b1b}\smss.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\program files\NVIDIA Corporation\System Update\UpdateCenterService.exe
c:\program files\Motorola\MotoConnectService\MotoConnect.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2010-05-19 13:16:56 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-19 17:16
ComboFix2.txt 2010-05-18 15:35

Pre-Run: 139,974,103,040 bytes free
Post-Run: 140,044,611,584 bytes free

- - End Of File - - 11BD3E6605300287F110AA4179B9F8B4
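Added example, not part of this thread and not something ComboFix or Gmer produce themselves: a small Python triage script that reads ComboFix-style output and pulls out the lines in a log like the one above that deserve a closer look before any cleanup decision is made. The sample input is a handful of lines copied from the log above (plus a few benign ones kept in so the script has something to ignore); the indicator list, the severity labels and the function names are my own choices.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Sample input: lines copied from the ComboFix log above (policy key, proxy settings,
# one service entry, the Gmer MBR detector output and the running-process list),
# with a few benign lines kept in so the script has something to ignore.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 2 (0x2)
"EnableLUA"= 0 (0x0)
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = 0.0.0.0:80
R2 SessionLauncher;SessionLauncher;c:\users\Young\AppData\Local\Temp\DX9\SessionLauncher.exe [x]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2009-12-02 42368]
\Driver\Disk -> CLASSPNP.SYS @ 0x8b3aa322
\Driver\atapi -> 0x856e91f8
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->Warning: possible MBR rootkit infection !
c:\windows\system32\nvvsvc.exe
c:\system volume information\_restore{d5fffa500b1b}\svchost.exe
c:\system volume information\_restore{d5fffa500b1b}\smss.exe
c:\windows\servicing\TrustedInstaller.exe
"""

# Core Windows binaries that legitimately live only in system32.
SYSTEM_BINARIES = {"svchost.exe", "smss.exe", "csrss.exe", "lsass.exe",
                   "services.exe", "winlogon.exe", "wininit.exe"}
SYSTEM32 = "c:\\windows\\system32\\"

REG_VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(\d+)')                  # "Name"= 0 (0x0)
SERVICE_RE = re.compile(r"^[RS]\d\s+([^;]+);([^;]*);(.*)$")            # R2 name;display;path [..]
HOOK_RE = re.compile(r"^\\Driver\\\w+\s*->\s*0x[0-9a-f]+\s*$", re.I)  # hook with no module name
PROCESS_RE = re.compile(r"^c:\\.*\\([^\\]+\.exe)$", re.I)              # bare process path


@dataclass
class Finding:
    severity: str   # "high" or "medium"
    reason: str
    line: str


def triage(log_text):
    """Walk a ComboFix-style log and return the lines worth a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        low = line.lower()

        m = REG_VALUE_RE.match(line)
        if m:
            if m.group(1) == "EnableLUA" and m.group(2) == "0":
                findings.append(Finding("high", "UAC disabled: everything runs elevated without a prompt", line))
            continue
        if low.startswith("uinternet settings,proxyserver"):
            findings.append(Finding("medium", "per-user proxy set in Internet Settings", line))
            continue
        if "possible mbr rootkit infection" in low:
            findings.append(Finding("high", "MBR detector warning", line))
            continue
        if HOOK_RE.match(line):
            findings.append(Finding("high", "driver dispatch points at an address no loaded module owns", line))
            continue
        m = SERVICE_RE.match(line)
        if m:
            if "\\temp\\" in m.group(3).lower():
                findings.append(Finding("high", "service/driver image under a Temp directory", line))
            continue
        m = PROCESS_RE.match(line)
        if m and m.group(1).lower() in SYSTEM_BINARIES and not low.startswith(SYSTEM32):
            findings.append(Finding("high", "core system binary name running outside system32", line))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 6, 'medium': 1}."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```

Each check maps to a line in the log: EnableLUA=0 under policies\system means UAC is off, so anything the user launches runs with full rights and nothing prompts; a ProxyServer value under the user's Internet Settings was written by something, and 0.0.0.0:80 is not a usable proxy; a service whose image sits under a Temp directory has no business starting at boot; the Gmer MBR detector prints a module name for a normal dispatch entry (\Driver\Disk -> CLASSPNP.SYS) and a bare address when the entry points into memory that no loaded module owns, which is what the atapi line shows; and svchost.exe and smss.exe only run from c:\windows\system32, never from a System Restore snapshot directory. None of this is proof on its own, but a script like this turns a 2000-line log into a short list to discuss.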

#12 Blade81 (Bleepin' Rocker, Malware Response Team, 6,465 posts, Finland)

Posted 20 May 2010 - 12:14 AM

QUOTE
Unfortunately, I am still getting the pop-ups asking me to make Internet Explorer my default browser.

Yes, since we're not done with ComboFix yet (we'll uninstall it in the final phase). Any other problems?

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006
unite_blue.png

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#13 PolyOlefin (Topic Starter, Members, 12 posts)

Posted 20 May 2010 - 12:55 AM

Nope, other than the "default browser" pop-ups, everything else seems normal.

It might be my imagination, but those pop-ups occur less frequently now.

#14 Blade81 (Bleepin' Rocker, Malware Response Team, 6,465 posts, Finland)

Posted 20 May 2010 - 02:45 AM

Ok, it's time to secure your system to protect against further intrusions.


THESE STEPS ARE VERY IMPORTANT

Let's reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to clean the restore points.

A. To disable the System Restore feature:

1. Click on the Start button.
2. Hover over the Computer option, right click on it and then click Properties.
3. On the left hand side, click Advanced Settings.
4. If asked to permit the action, click on Allow.
5. Click on the System Protection tab.
6. Uncheck any checkboxes listed for your hard drives.
7. Press OK.


B. Reboot.

C. Turn ON System Restore.
Follow the steps like you did when disabling System Restore, but at step 6 check the checkboxes listed for your hard drives.



Now let's uninstall ComboFix:
  • Click START then RUN
  • Now copy-paste Combofix /uninstall in the runbox and click OK


Please download OTC and save it to desktop.
  • Double-click OTC.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.


UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You need to update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the Windows Update site to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.

Make your Internet Explorer more secure

This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.



The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.
  • hosts file:
    • Every version of Windows has a hosts file as part of it.
    • In a very basic sense, they are used to locate webpages.
    • We can customize a hosts file so that it blocks certain webpages.
    • However, it can slow down certain computers.
    • This is why using a hosts file is optional!!
    Download it here. Make sure you read the instructions on how to install the hosts file. There is a good tutorial here
    If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
    1. Click the start button (at the lower left hand corner of your screen)
    2. Click run
    3. In the dialog box, type services.msc
    4. hit enter, then locate dns client
    5. Highlight it, then double-click it.
    6. On the dropdown box, change the setting from automatic to manual.
    7. Click ok
  • Run Secunia vulnerability check here and fix its findings.


  • Just a final reminder for you. I am trying to stress these two points.
    UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
    Make sure all of your security programs are up to date.
    Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade


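Added example, not part of Blade81's post and not taken from the hosts file it links to: a short Python script showing what the hosts-file blocking described above actually does, and how to tell a blocklist entry from a hostile one. A blocklist works by mapping a name to 0.0.0.0 or 127.0.0.1 so the connection goes nowhere. The same file is consulted before DNS for every lookup, which is why malware likes to edit it too, and why a very large file slows the DNS Client service that caches it. The sample hosts file is constructed (the .example names are reserved for documentation), and the PROTECTED_HOSTS watch-list is my own assumption.

```python
import ipaddress
from collections import Counter

# Targets that make an entry a black hole ("block") rather than a redirect.
BLOCK_TARGETS = {"0.0.0.0", "127.0.0.1", "::1", "::"}

# Hypothetical watch-list (my assumption, not from the post): names for which any
# hosts entry at all deserves a look, because blocking them keeps a machine from updating.
PROTECTED_HOSTS = {"windowsupdate.com", "www.windowsupdate.com",
                   "update.microsoft.com", "www.update.microsoft.com"}

# Constructed hosts file: the stock Windows header, three blocklist-style entries,
# one redirect and one entry that blocks a Windows Update name.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example
0.0.0.0         tracker.example       # added by a blocklist
127.0.0.1       banner.example
10.20.30.40     www.bank.example      # not a block: traffic goes to someone else's box
0.0.0.0         windowsupdate.com
"""


def parse_hosts(text):
    """Return (line_number, ip, hostname) tuples; comments and junk lines are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                              # first column is not an address: ignore
        for hostname in fields[1:]:               # one line may name several hosts
            entries.append((lineno, ip, hostname.lower()))
    return entries


def classify(ip, hostname):
    """localhost, block (black-holed), redirect (sent elsewhere) or tampers_with_protected."""
    if hostname == "localhost":
        return "localhost"
    if hostname in PROTECTED_HOSTS:
        return "tampers_with_protected"
    if ip in BLOCK_TARGETS:
        return "block"
    return "redirect"


def summarize(entries):
    """Count entries per category, e.g. {'localhost': 2, 'block': 3, ...}."""
    return dict(Counter(classify(ip, host) for _, ip, host in entries))


def suspicious(entries):
    """Entries that redirect rather than block, or that touch a protected name."""
    out = []
    for lineno, ip, host in entries:
        cat = classify(ip, host)
        if cat in ("redirect", "tampers_with_protected"):
            out.append((lineno, ip, host, cat))
    return out


def lookup(hostname, entries):
    """Mimic the resolver: the hosts file is consulted before DNS and the first match wins."""
    hostname = hostname.lower()
    for _, ip, host in entries:
        if host == hostname:
            return ip
    return None                                   # fall through to DNS


if __name__ == "__main__":
    entries = parse_hosts(SAMPLE_HOSTS)
    print(summarize(entries))
    for item in suspicious(entries):
        print("line %d: %s -> %s (%s)" % item)
    print("ads.example resolves to", lookup("ads.example", entries))
```

On the sample, summarize() reports two localhost lines, three blocks, one redirect and one entry touching a Windows Update name, and suspicious() returns the last two. An entry that points a real site at an ordinary address redirects rather than blocks, and an entry for an update or security vendor name, even to 0.0.0.0, is what keeps a machine from getting the patches the post asks for. Setting the DNS Client service to Manual, as the post describes, stops the cache from being rebuilt from a huge file; lookups still work, they just go to the hosts file and then to DNS without caching.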

#15 PolyOlefin (Topic Starter, Members, 12 posts)

Posted 20 May 2010 - 09:59 AM

Hello again,

Thank you for all your help so far! I really appreciate your service.

I have reset System Restore, uninstalled ComboFix, and used OTC. I ran the Secunia security check and followed its recommendations. The only thing I haven't done yet is install Vista Service Pack 2 (as requested by Windows Update).

However, I am still getting the pop-ups asking me to make Internet Explorer my default browser. Is this a function of malware, or have I missed a step?



