
infected? Vista 64


  • This topic is locked
2 replies to this topic

#1 Guest_djchristian_*

Guest_djchristian_*

  • Guests

Posted 30 May 2010 - 06:40 PM

QUOTE
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 01:40:00, on 2010-05-31
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18904)
Boot mode: Normal

Running processes:
C:\Windows\SysWOW64\conime.exe
C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
C:\Users\bajs2\AppData\Roaming\winelwske95\winelwske95.exe
C:\Users\bajs2\AppData\Local\Google\Update\1.2.183.23\GoogleCrashHandler.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files (x86)\MagicDisc\MagicDisc.exe
C:\Program Files (x86)\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\SysWOW64\NOTEPAD.EXE
C:\Users\bajs2\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Windows Live inloggningshjälpen - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files (x86)\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [DelReg] "C:\Program Files (x86)\MSI\DualCoreCenter\DelReg.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Acronis Toolbar Helper] rundll32.exe C:\Users\bajs2\Local Settings\Application Data\Desktop Cleanup Wizard\dskclean.dll, StartProt
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Users\bajs2\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [winelwske95] C:\Users\bajs2\AppData\Roaming\winelwske95\winelwske95.exe
O4 - HKCU\..\Run: [Desktop Cleanup Wizard] rundll32.exe "C:\Users\bajs2\Local Settings\Application Data\Desktop Cleanup Wizard\dskclean.dll", StartProt
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: MagicDisc.lnk = C:\Program Files (x86)\MagicDisc\MagicDisc.exe
O4 - Global Startup: ColorVisionStartup.lnk = C:\Program Files (x86)\ColorVision\ColorVisionStartup\ColorVisionStartup.exe
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O20 - AppInit_DLLs: C:\Windows\system32\syspol32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files (x86)\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Acronis System Backup (acrosysbackup_exUYdkiVzWuT) - Unknown owner - C:\Windows\system32\wirepots.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: Gene6 FTP Server (G6FTPServer) - Gene6 - C:\Program Files (x86)\Gene6 FTP Server\G6FTPSERVER.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Performance Service (nTuneService) - NVIDIA - C:\Program Files (x86)\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: Windows System Backup Dumper (winbackupdumper-id19UYdkiVzWuT) - Unknown owner - C:\Windows\system32\mousenh32.exe
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 8372 bytes



QUOTE
DDS (Ver_10-03-17.01) - NTFSX64
Run by bajs2 at 1:41:55,86 on 2010-05-31
Internet Explorer: 8.0.6001.18904 BrowserJavaVersion: 1.6.0_20
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.46.1033.18.8190.6419 [GMT 2:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\SysWOW64\conime.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files (x86)\Gene6 FTP Server\G6FTPSERVER.EXE
C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files (x86)\NVIDIA Corporation\nTune\nTuneService.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\System32\JulaPAN.exe
C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
C:\Users\bajs2\AppData\Roaming\winelwske95\winelwske95.exe
C:\Windows\System32\rundll32.exe
C:\Users\bajs2\AppData\Local\Google\Update\1.2.183.23\GoogleCrashHandler.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files (x86)\MagicDisc\MagicDisc.exe
C:\Program Files (x86)\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\SysWOW64\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE
C:\Users\bajs2\Downloads\HijackThis.exe
C:\Windows\SysWOW64\NOTEPAD.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\SysWOW64\DllHost.exe
C:\Users\bajs2\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

mLocal Page = c:\windows\syswow64\blank.htm
BHO: Windows Live inloggningshjälpen: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files (x86)\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files (x86)\java\jre6\bin\jp2ssv.dll
uRun: [msnmsgr] "c:\program files (x86)\windows live\messenger\msnmsgr.exe" /background
uRun: [Google Update] "c:\users\bajs2\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [winelwske95] c:\users\bajs2\appdata\roaming\winelwske95\winelwske95.exe
uRun: [Desktop Cleanup Wizard] rundll32.exe "c:\users\bajs2\local settings\application data\desktop cleanup wizard\dskclean.dll", StartProt
uRun: [WMPNSCFG] c:\program files (x86)\windows media player\WMPNSCFG.exe
mRun: [SunJavaUpdateSched] "c:\program files (x86)\common files\java\java update\jusched.exe"
mRun: [TrueImageMonitor.exe] c:\program files (x86)\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files (x86)\acronis\trueimagehome\TimounterMonitor.exe
mRun: [DelReg] "c:\program files (x86)\msi\dualcorecenter\DelReg.exe"
mRun: [avgnt] "c:\program files (x86)\avira\antivir desktop\avgnt.exe" /min
mRun: [Acronis Toolbar Helper] rundll32.exe c:\users\bajs2\local settings\application data\desktop cleanup wizard\dskclean.dll, StartProt
StartupFolder: c:\users\bajs2\appdata\roaming\micros~1\windows\startm~1\programs\startup\magicd~1.lnk - c:\program files (x86)\magicdisc\MagicDisc.exe
StartupFolder: c:\progra~3\micros~1\windows\startm~1\programs\startup\colorv~1.lnk - c:\program files (x86)\colorvision\colorvisionstartup\ColorVisionStartup.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: !SASWinLogon - c:\program files (x86)\superantispyware\SASWINLO.dll
AppInit_DLLs: c:\windows\system32\syspol32.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files (x86)\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 relog_ap
mRun-x64: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun-x64: [Bluetooth Connection Assistant] LBTWIZ.EXE -silent
mRun-x64: [JulaPAN.exe] JulaPAN.exe
mRun-x64: [Acronis Scheduler2 Service] "c:\program files (x86)\common files\acronis\schedule2\schedhlp.exe"
mRun-x64: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\users\bajs2\appdata\roaming\mozilla\firefox\profiles\kw948bf5.default\
FF - prefs.js: browser.startup.homepage - google.se
FF - plugin: c:\program files (x86)\nvidia corporation\3d vision\npnv3dv.dll
FF - plugin: c:\users\bajs2\appdata\local\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.visited_color", "#551A8B");
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".se");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("browser.videoFeeds.handler", "ask");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 Jula.sys;Service for Juli@ Audio Driver EWDM;c:\windows\system32\drivers\Jula.sys [2009-12-17 58400]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files (x86)\avira\antivir desktop\sched.exe [2010-5-30 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files (x86)\avira\antivir desktop\avguard.exe [2010-5-30 267432]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-5-30 81072]
R2 G6FTPServer;Gene6 FTP Server;c:\program files (x86)\gene6 ftp server\G6FTPServer.exe [2007-10-22 470016]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\nvidia corporation\3d vision\nvSCPAPISvr.exe [2010-4-3 240232]
R3 JulaWDM.sys;Service for Juli@ WDM;c:\windows\system32\drivers\JulaWDM.sys [2009-12-17 43552]
R3 nvoclk64;NVIDIA Enthusiasts Platform KDM;c:\windows\system32\drivers\nvoclk64.sys [2009-9-15 42088]
R3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\drivers\point64k.sys [2009-11-11 34160]
S1 SASDIFSV;SASDIFSV;c:\program files (x86)\superantispyware\SASDIFSV.SYS [2010-1-5 12872]
S1 SASKUTIL;SASKUTIL;c:\program files (x86)\superantispyware\SASKUTIL.SYS [2010-1-5 67656]
S2 acrosysbackup_exUYdkiVzWuT;Acronis System Backup;c:\windows\system32\wirepots.exe --> c:\windows\system32\wirepots.exe [?]
S2 winbackupdumper-id19UYdkiVzWuT;Windows System Backup Dumper;c:\windows\system32\mousenh32.exe --> c:\windows\system32\mousenh32.exe [?]
S3 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe [2009-10-10 89920]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 27648]
S3 PerfHost;Performance Counter DLL Host;c:\windows\syswow64\perfhost.exe [2008-1-21 19968]
S3 SASENUM;SASENUM;c:\program files (x86)\superantispyware\SASENUM.SYS [2010-1-5 12872]
S3 Spyder2;ColorVision Spyder2;c:\windows\system32\drivers\Spyder2.sys [2009-3-11 15360]

============== File Associations ===============

JSEFile=c:\windows\syswow64\WScript.exe "%1" %*

=============== Created Last 30 ================

2010-05-30 23:33:30 0 d-----w- c:\program files (x86)\Trend Micro
2010-05-30 23:29:39 0 ----a-w- c:\users\bajs2\defogger_reenable
2010-05-30 20:41:26 0 d-----w- c:\users\bajs2\appdata\roaming\Avira
2010-05-30 20:40:20 81072 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-05-30 20:40:20 0 d-----w- c:\programdata\Avira
2010-05-30 20:40:20 0 d-----w- c:\program files (x86)\Avira
2010-05-29 10:30:59 38912 ----a-w- c:\windows\syswow64\b_syspol32.dll
2010-05-29 10:30:59 140288 ----a-w- c:\windows\syswow64\pcre3.dll
2010-05-29 10:30:58 8704 ----a-w- c:\windows\syswow64\wirepots.exe
2010-05-29 10:30:58 38912 ----a-w- c:\windows\syswow64\wirepots.dll
2010-05-29 10:30:58 38912 ----a-w- c:\windows\syswow64\syspol32.dll
2010-05-29 10:30:58 11776 ----a-w- c:\windows\syswow64\mousenh32.exe
2010-05-28 09:13:42 0 d-----w- c:\users\bajs2\appdata\roaming\TypingMaster7
2010-05-28 09:12:48 0 d-----r- c:\program files (x86)\TypingMaster
2010-05-28 09:12:33 2 ----a-w- c:\users\bajs2\tenmy.ini
2010-05-28 09:12:33 0 d-----w- c:\users\bajs2\appdata\roaming\winelwske95
2010-05-28 09:12:32 371999 ----a-w- c:\users\bajs2\winelwske95.exe
2010-05-28 09:12:32 138752 ----a-w- c:\users\bajs2\pod952.exe
2010-05-26 01:57:31 2048 ----a-w- c:\windows\syswow64\tzres.dll
2010-05-26 01:57:31 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-24 20:35:58 0 d-----w- c:\program files (x86)\VideoLAN
2010-05-21 18:11:28 0 d-----w- c:\users\bajs2\appdata\roaming\dBpoweramp
2010-05-21 17:16:25 0 d-----w- c:\users\bajs2\appdata\roaming\CUE Tools
2010-05-20 14:54:17 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
2010-05-20 14:54:17 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_point64k_01009.Wdf
2010-05-20 14:54:13 654928 ----a-w- c:\windows\system32\drivers\Wdf01000.sys
2010-05-20 14:54:13 42064 ----a-w- c:\windows\system32\drivers\WdfLdr.sys
2010-05-20 14:54:13 4052 ----a-w- c:\windows\system32\wbem\Wdf01000.mof
2010-05-20 14:54:13 3 ----a-w- c:\windows\system32\drivers\MsftWdf_Kernel_01009_Inbox_Critical.Wdf
2010-05-20 14:54:13 118 ----a-w- c:\windows\system32\wbem\Wdf01000Uninstall.mof
2010-05-20 14:54:06 0 d-----w- c:\program files\Microsoft IntelliPoint
2010-05-20 14:50:57 53248 ----a-w- c:\windows\syswow64\CSVer.dll
2010-05-18 11:07:46 0 d-----w- c:\program files (x86)\Iometer.org
2010-05-16 14:35:58 0 d-----w- c:\program files (x86)\Stardock
2010-05-16 10:40:26 0 d-----w- c:\program files (x86)\ColorHCFR
2010-05-15 14:23:26 0 d-----w- c:\program files (x86)\Devolver Digital
2010-05-13 10:40:39 255552 ----a-w- c:\windows\system32\drivers\mcdbus.sys
2010-05-13 10:40:39 0 d-----w- c:\program files (x86)\MagicDisc
2010-05-12 17:57:47 974848 ----a-w- c:\windows\system32\inetcomm.dll
2010-05-12 17:57:47 738816 ----a-w- c:\windows\syswow64\inetcomm.dll
2010-05-10 15:56:23 45 ----a-w- c:\windows\syswow64\initdebug.nfo
2010-05-09 21:09:40 0 d-----w- c:\program files (x86)\MixMeister Fusion
2010-05-09 17:30:06 0 d-----w- c:\programdata\Sun
2010-05-09 17:29:53 411368 ----a-w- c:\windows\syswow64\deployJava1.dll
2010-05-08 13:07:47 8960 ----a-w- c:\windows\system32\drivers\oxusb.sys
2010-05-08 13:07:47 8064 ----a-w- c:\windows\system32\drivers\OxUSBLF.sys
2010-05-08 13:07:47 303104 ----a-w- c:\windows\system32\1394_api.dll
2010-05-08 13:07:47 17792 ----a-w- c:\windows\system32\drivers\OXUDIDRV_X32.sys
2010-05-08 13:07:47 12672 ----a-w- c:\windows\system32\drivers\OxFWLF.sys
2010-05-07 23:44:49 0 d-----w- c:\program files (x86)\Microsoft Games
2010-05-05 07:21:22 2823960 ----a-w- c:\windows\system32\AutoPartNt.exe
2010-05-05 07:21:22 1024 ----a-w- c:\windows\system32\AutoPartNt.let
2010-05-04 21:11:50 11264 ----a-w- c:\windows\system32\relog_ap.dll
2010-05-04 21:11:45 235552 ----a-w- c:\windows\system32\drivers\snapman.sys
2010-05-04 19:52:37 0 d-----w- c:\program files (x86)\Microsoft
2010-05-04 19:52:17 0 d-----w- c:\windows\PCHEALTH
2010-05-01 14:46:06 0 d-----w- c:\program files (x86)\Croteam

==================== Find3M ====================

2010-05-30 23:36:16 110529 ----a-w- c:\programdata\nvModes.dat
2010-05-22 01:19:33 86016 ----a-w- c:\windows\inf\infstor.dat
2010-05-22 01:19:33 51200 ----a-w- c:\windows\inf\infpub.dat
2010-05-22 01:19:33 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-05-21 18:11:51 3494576 ----a-w- c:\windows\syswow64\SpoonUninstall.exe
2010-05-12 14:06:20 136704 ----a-w- c:\windows\system32\ff_vfw.dll
2010-05-04 21:11:50 81952 ----a-w- c:\windows\system32\drivers\tifsfilt.sys
2010-05-04 21:11:50 711712 ----a-w- c:\windows\system32\drivers\timntr.sys
2010-05-04 21:11:45 593952 ----a-w- c:\windows\system32\drivers\tdrpman.sys
2010-04-29 13:39:28 24664 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-12 15:29:27 153376 ----a-w- c:\windows\syswow64\javaws.exe
2010-04-12 15:29:26 145184 ----a-w- c:\windows\syswow64\javaw.exe
2010-04-12 15:29:25 145184 ----a-w- c:\windows\syswow64\java.exe
2010-04-03 16:42:00 159336 ----a-w- c:\windows\system32\nvvsvc.exe
2010-04-03 16:42:00 14828648 ----a-w- c:\windows\system32\nvcpl.dll
2010-04-03 16:42:00 116328 ----a-w- c:\windows\system32\nvmctray.dll
2010-04-03 16:42:00 1067624 ----a-w- c:\windows\system32\nvsvc64.dll
2010-04-02 14:54:44 658536 ----a-w- c:\windows\system32\NVUNINST.EXE
2010-03-31 06:00:46 86016 ----a-w- c:\windows\syswow64\frapsvid.dll
2010-03-31 06:00:44 84992 ----a-w- c:\windows\system32\frapsv64.dll
2010-03-10 08:37:40 368640 ----a-w- c:\windows\syswow64\ReWire.dll
2010-03-05 14:32:42 612864 ----a-w- c:\windows\system32\vbscript.dll
2010-03-05 14:01:02 420352 ----a-w- c:\windows\syswow64\vbscript.dll
2009-10-28 00:32:56 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-01-21 03:21:14 174 --sha-w- c:\program files\desktop.ini
2008-01-21 03:21:14 174 --sha-w- c:\program files (x86)\desktop.ini
2006-11-02 15:14:32 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 15:14:32 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 15:14:32 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 15:14:32 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 10:52:12 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 10:52:12 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 10:52:10 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 10:52:10 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-10-17 10:02:36 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-10-30 20:51:44 245760 --sha-w- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\ietldcache\index.dat
2010-01-19 22:48:48 16384 --sha-w- c:\windows\syswow64\config\systemprofile\appdata\roaming\microsoft\windows\ietldcache\index.dat
2008-04-10 00:57:02 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 1:42:07,16 ===============




Very suspicious about this file

C:\Users\bajs2\AppData\Roaming\winelwske95\winelwske95.exe

Also

O20 - AppInit_DLLs: C:\Windows\system32\syspol32.dll is very suspicious
I am running Vista 64-bit

Thanks in advance!

Edited by djchristian, 30 May 2010 - 07:48 PM.
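The two entries the poster singles out are instances of general triage rules a log reader applies: an autorun whose binary lives in a user-writable profile directory, a non-empty AppInit_DLLs value (a global injection point), and services with no publisher whose short names carry a randomized suffix. Note that in this log every genuine Windows service also reads "(file missing)", so that marker alone is not a signal; what stands out is the pair of "Unknown owner" services whose binaries are present in system32. The script below is an added example written for this page, not code from the poster or from BleepingComputer. It runs those heuristics over lines copied from the HijackThis log above; the regexes, the case-flip threshold in `looks_random` and the reason strings are my own assumptions, not HijackThis logic.

```python
"""Heuristic triage of HijackThis O4 / O20 / O23 lines (added example, not from the post)."""
from __future__ import annotations

import re

# Sample input: lines copied verbatim from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [winelwske95] C:\Users\bajs2\AppData\Roaming\winelwske95\winelwske95.exe
O4 - HKCU\..\Run: [Desktop Cleanup Wizard] rundll32.exe "C:\Users\bajs2\Local Settings\Application Data\Desktop Cleanup Wizard\dskclean.dll", StartProt
O20 - AppInit_DLLs: C:\Windows\system32\syspol32.dll
O23 - Service: Acronis System Backup (acrosysbackup_exUYdkiVzWuT) - Unknown owner - C:\Windows\system32\wirepots.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Windows System Backup Dumper (winbackupdumper-id19UYdkiVzWuT) - Unknown owner - C:\Windows\system32\mousenh32.exe
"""

# Line shapes (assumed from the log format, not an official HijackThis grammar).
RUN_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
SERVICE_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) \((?P<short>[^()]+)\) - (?P<owner>.+?) - (?P<path>.+)$"
)
# Per-user profile locations that any process running as that user can write to.
USER_WRITABLE_RE = re.compile(r"\\users\\[^\\]+\\(appdata|local settings)\\", re.I)
SYSTEM32_RE = re.compile(r"\\windows\\system32\\", re.I)


def looks_random(short_name: str) -> bool:
    """Crude detector for machine-generated service names (my heuristic).

    Take the token after the last '_' or '-' and count lower/upper case flips.
    A hand-written name such as AcrSch2Svc flips a few times; a suffix such as
    exUYdkiVzWuT flips on nearly every letter.
    """
    token = re.split(r"[_-]", short_name)[-1]
    letters = [c for c in token if c.isalpha()]
    flips = sum(1 for a, b in zip(letters, letters[1:]) if a.islower() != b.islower())
    return len(letters) >= 8 and flips >= 6


def triage(log_text: str) -> dict[str, list[str]]:
    """Return {log line: [reasons]} for every line that trips at least one heuristic."""
    findings: dict[str, list[str]] = {}
    for line in log_text.strip().splitlines():
        reasons: list[str] = []
        if m := RUN_RE.match(line):
            cmd = m["cmd"]
            if cmd.lower().startswith("rundll32") and USER_WRITABLE_RE.search(cmd):
                reasons.append("rundll32 loads a DLL from the user profile (proxy execution)")
            elif USER_WRITABLE_RE.search(cmd):
                reasons.append("autorun launches a binary from a user-writable profile path")
        elif line.startswith("O20 - AppInit_DLLs:") and line.split(":", 1)[1].strip():
            reasons.append("AppInit_DLLs is set: the DLL is loaded into every process that maps user32.dll")
        elif m := SERVICE_RE.match(line):
            owner, path, short = m["owner"], m["path"], m["short"]
            present = "(file missing)" not in path
            if owner == "Unknown owner" and present and SYSTEM32_RE.search(path):
                reasons.append("service binary is present in system32 but carries no publisher")
            if looks_random(short):
                reasons.append(f"service short name {short!r} looks machine-generated")
        if reasons:
            findings[line] = reasons
    return findings


if __name__ == "__main__":
    for hit, why in triage(SAMPLE_LOG).items():
        print(hit)
        for reason in why:
            print("    ->", reason)
```

Run against the sample, five lines are flagged: the two HKCU autoruns, the AppInit_DLLs entry and the two randomized-name services; the Avira autorun, the genuine Acronis scheduler service and the Windows ALG entry pass. The heuristics are deliberately loose triage aids for a human reader, not a verdict; a flagged line still needs the file itself checked.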




#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 02 June 2010 - 03:13 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 07 June 2010 - 05:32 PM

This topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE



