Redirects and System changes


6 replies to this topic

#1 Jlegion

Jlegion

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:10:15 AM

Posted 07 June 2010 - 01:02 AM

For a week or two I have been getting redirected when I click on any search engine results, and I get new tabs that open up at random to random sites. It also started to change the themes my computer was running and took the "Vista" theme out of the list. I have BitDefender installed and up to date. I have run CCleaner, Registry Mechanic, BitDefender, Malwarebytes, Hitman Pro 3.5, and all of them say clean. I used Process Explorer to do extensive examinations of the processes and programs running. I did find a DLL file in my system32 folder running under rundll32.exe. The file name was jbwonjm.dll; after examining this file I knew to delete it. After doing so I was able to change my themes back to normal and the "Vista" theme option returned on my account but not the other user accounts. I had copied the contents of the file into a text file and this is what it contained.
StartVersion=1
File=jbwonjm.dll
Name=jbwonjm.dll
Rating=266
Description=plf (Browser Extension)
Company_Product=-
Service={BB4BB6B0-B32A-407C-B97F-4796536F30BB}
Type=6
Visible=0
Win=0
M=1004
T=32
Ports=
DelDate=40334
DelDateTime=6/5/2010 6:44:03 AM
[Service]
Service=

I also get a Windows pop-up all the time now saying a host process has stopped working, and then the Windows Error Reporting directions pop up after clicking OK. My display settings also change here and there. And sometimes only the admin account can log in; the other accounts say that a group policy won't let them log in or that it can't reach the server to log in or something like that. A reboot usually clears it up. Here is the DDS log.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 20:59:45.97 on Sun 06/06/2010
Internet Explorer: 8.0.6001.18904 BrowserJavaVersion: 1.6.0_20
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2046.1049 [GMT -5:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2010\vsserv.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\BitDefender\BitDefender 2010\bdagent.exe
C:\Windows\system32\consent.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Windows\System32\wpcumi.exe
C:\Program Files\Common Files\PC Tools\sMonitor\SSDMonitor.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\nvvsvc.exe
C:\Program Files\BitDefender\BitDefender 2010\bdagent.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\BitDefender\BitDefender 2010\seccenter.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Windows\System32\wpcumi.exe
C:\Program Files\Common Files\PC Tools\sMonitor\SSDMonitor.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
C:\Program Files\Registry Mechanic\RMTray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\consent.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\regedit.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\Administrator\Documents\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: BitDefender Toolbar: {381ffde8-2394-4f90-b10d-fc6124a40f8c} - c:\program files\bitdefender\bitdefender 2010\IEToolbar.dll
TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [RegistryMechanic] c:\program files\registry mechanic\rmtray.exe /H
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [<NO NAME>]
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [BDAgent] "c:\program files\bitdefender\bitdefender 2010\bdagent.exe"
mRun: [BitDefender Antiphishing Helper] "c:\program files\bitdefender\bitdefender 2010\IEShow.exe"
mRun: [WPCUMI] c:\windows\system32\WpcUmi.exe
mRun: [SSDMonitor] c:\program files\common files\pc tools\smonitor\SSDMonitor.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~2\micros~2\office12\ONBttnIE.dll
LSP: c:\windows\system32\wpclsp.dll
DPF: {7A0D1738-10EA-47FF-92BE-4E137B5BE1A4} - hxxps://mpsnare.iesnare.com/StmOCX.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {A3256902-51FA-45A0-8A97-FC1143C169D9} - hxxp://support.microsoft.com/mats/DiagWebControl.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://games.pogo.com/online2/pogo/chuzzle/popcaploader_v6.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/su2/ocx/15109/CTPID.cab
AppInit_DLLs: acaptuser32.dll
mASetup: {31D9B4A9-6FCC-4698-A092-C4C28D017B36} - rundll32 jbwonjm.dll,laspi
IFEO: taskmgr.exe - "c:\users\administrator\documents\processexplorer\PROCEXP.EXE"

================= FIREFOX ===================

FF - ProfilePath - c:\users\admini~1\appdata\roaming\mozilla\firefox\profiles\lxjkc682.default\
FF - prefs.js: browser.startup.homepage - www.google.com/firefox
FF - prefs.js: keyword.URL - hxxp://tmq.bingstart.com/s/?src=FF-Address&site=Bing&cfg=2-168-0-1dGRU&q=
FF - component: c:\program files\bitdefender\bitdefender 2010\bdaphffext\components\bdaphff2.dll
FF - component: c:\program files\bitdefender\bitdefender 2010\bdaphffext\components\bdaphff3.6.dll
FF - component: c:\program files\bitdefender\bitdefender 2010\bdaphffext\components\bdaphff3.dll
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\administrator\appdata\roaming\move networks\plugins\npqmp071701000002.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 BdfNdisf;BitDefender Firewall NDIS 6 Filter Driver;c:\windows\system32\drivers\BdfNdisf6.sys [2009-10-19 72784]
R2 BDVEDISK;BDVEDISK;c:\program files\bitdefender\bitdefender 2010\bdvedisk.sys [2009-9-22 85128]
R2 MSSQL$CSSQL05;SQL Server (CSSQL05);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2009-5-27 29262680]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\common files\pc tools\smonitor\StartManSvc.exe [2010-6-5 632792]
R3 BDFM;BDFM;c:\windows\system32\drivers\bdfm.sys [2009-12-7 153448]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-5 135664]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\common files\bitdefender\bitdefender arrakis server\bin\arrakis3.exe [2009-10-19 183880]
S3 c65013264;C-Media CM6501 Like Sound UDAX Interface;c:\windows\system32\drivers\c6501.sys [2009-1-10 1298944]
S3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files\common files\creative labs shared\service\AL6Licensing.exe [2009-9-22 79360]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2009-9-22 79360]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2009-4-18 55280]
S3 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2009-2-6 533360]
S3 MRV6X32U;Marvell TOPDOG 802.11n WLAN Driver for Vista x86 (USB8x);c:\windows\system32\drivers\MRVW24B.sys [2008-3-19 310016]

============== File Associations ===============

.txt=

=============== Created Last 30 ================

2010-06-05 17:46:32 0 d-----w- c:\programdata\Sun
2010-06-05 17:46:02 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-05 12:40:40 0 d-----w- c:\users\admini~1\appdata\roaming\Hermetic Systems
2010-06-05 12:40:40 0 d-----w- c:\program files\Hermetic Systems
2010-06-05 12:31:32 65536 --sha-w- c:\users\administrator\NTUSER.DAT{75f6fa63-705f-11df-841f-001e8ca42222}.TM.blf
2010-06-05 12:31:32 524288 --sha-w- c:\users\administrator\NTUSER.DAT{75f6fa63-705f-11df-841f-001e8ca42222}.TMContainer00000000000000000002.regtrans-ms
2010-06-05 12:31:32 524288 --sha-w- c:\users\administrator\NTUSER.DAT{75f6fa63-705f-11df-841f-001e8ca42222}.TMContainer00000000000000000001.regtrans-ms
2010-06-05 12:28:51 0 d-----w- c:\users\admini~1\appdata\roaming\Registry Mechanic
2010-06-05 12:28:40 262144 ---ha-w- c:\users\administrator\S-1-5-21-807732661-2489122625-1132618089-500.rrr.LOG1
2010-06-05 12:28:40 0 ---ha-w- c:\users\administrator\S-1-5-21-807732661-2489122625-1132618089-500.rrr.LOG2
2010-06-05 12:06:41 880640 ----a-w- c:\windows\system32\UniBox10.ocx
2010-06-05 12:06:41 506368 ----a-w- c:\windows\system32\msxml.dll
2010-06-05 12:06:41 212992 ----a-w- c:\windows\system32\UniBoxVB12.ocx
2010-06-05 12:06:41 1101824 ----a-w- c:\windows\system32\UniBox210.ocx
2010-06-05 12:06:38 0 d-----w- c:\program files\common files\PC Tools
2010-06-05 11:52:11 0 d-----w- c:\program files\Perfect Optimizer
2010-06-05 11:39:45 0 d-----w- c:\programdata\SecTaskMan
2010-06-05 11:39:40 0 d-----w- c:\program files\Security Task Manager
2010-06-03 19:57:01 0 d-----w- c:\program files\NifTools
2010-06-03 19:54:40 0 d-----w- c:\users\admini~1\appdata\roaming\ScripterRon
2010-06-03 19:27:34 0 d-----w- c:\program files\GIMP-2.0
2010-06-03 19:12:10 0 d-----w- C:\Python26
2010-06-03 19:03:43 0 d-----w- c:\users\admini~1\appdata\roaming\Blender Foundation
2010-06-03 19:03:39 0 d-----w- c:\program files\Blender Foundation
2010-06-01 20:26:49 7106 ----a-w- c:\windows\system32\thqvmk
2010-06-01 20:26:49 64512 ----a-w- c:\windows\system32\klgd.bmp
2010-05-30 23:52:41 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2010-05-30 23:52:05 0 d-----w- c:\program files\Microsoft Games for Windows - LIVE
2010-05-30 17:55:59 182272 ----a-w- c:\windows\patchw32.dll
2010-05-30 16:38:55 0 d-----w- c:\program files\Bethesda Softworks
2010-05-30 16:35:51 0 d-----w- c:\windows\system32\xlive
2010-05-30 04:21:08 0 d-----w- c:\program files\Lionhead Studios Ltd
2010-05-27 15:11:35 0 d-----w- c:\program files\Mind Quiz
2010-05-27 03:56:07 2810 ----a-w- c:\windows\system32\ealregsnapshot1.reg
2010-05-26 16:07:59 0 d-----w- c:\program files\NVIDIA Corporation
2010-05-26 15:49:48 0 d-----w- c:\users\admini~1\appdata\roaming\Dark Sector
2010-05-25 17:51:35 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-24 03:26:27 0 d-----w- c:\users\admini~1\appdata\roaming\Plane9
2010-05-24 03:14:12 51745 ----a-w- c:\windows\system32\TTACodecs-uninstall.exe
2010-05-22 09:31:38 0 d-----w- c:\program files\UnH Solutions
2010-05-18 01:25:24 116736 ----a-w- c:\windows\system32\drivers\mcdbus.sys
2010-05-18 01:25:23 0 d-----w- c:\program files\MagicDisc
2010-05-17 21:07:19 0 d-----w- c:\program files\Shiny
2010-05-11 22:44:48 738816 ----a-w- c:\windows\system32\inetcomm.dll
2010-05-08 07:47:28 0 d-----w- c:\programdata\Real

==================== Find3M ====================

2010-06-06 20:44:28 130471 ----a-w- c:\programdata\nvModes.dat
2010-05-27 15:00:03 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-05-18 01:25:59 51200 ----a-w- c:\windows\inf\infpub.dat
2010-05-18 01:25:59 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-05-18 01:25:58 86016 ----a-w- c:\windows\inf\infstor.dat
2010-05-04 10:17:35 72784 ----a-w- c:\windows\system32\drivers\BdfNdisf6.sys
2010-04-27 19:45:56 72856 ----a-w- c:\windows\system32\xliveinstallhost.exe
2010-04-27 19:45:56 187544 ----a-w- c:\windows\system32\xliveinstall.dll
2010-04-24 15:46:46 98304 ----a-w- c:\windows\system32\qttask.exe
2010-04-16 04:52:42 3082 ----a-w- c:\windows\system32\affv300053706p4now.sys
2010-04-08 19:00:42 87608 ----a-w- c:\users\admini~1\appdata\roaming\inst.exe
2010-04-08 19:00:42 47360 ----a-w- c:\users\admini~1\appdata\roaming\pcouffin.sys
2010-04-02 22:17:52 15426200 ----a-w- c:\windows\system32\xlive.dll
2010-04-02 22:17:52 13642904 ----a-w- c:\windows\system32\xlivefnt.dll
2010-03-20 02:52:08 2145280 ----a-w- c:\windows\system32\python26.dll
2009-11-10 05:17:48 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-10-16 07:09:08 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2008-05-29 17:39:07 8 --sha-r- c:\windows\system32\5B02780D30.sys
2008-05-29 17:39:08 5018 --sha-w- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 21:01:37.11 ===============

#2 Jlegion

Jlegion
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:10:15 AM

Posted 08 June 2010 - 06:00 PM

It has now started to try and make changes to my security and updating settings. It also made entries in my hosts file, which I corrected. I also cannot browse to any Microsoft websites.

Edited by Jlegion, 09 June 2010 - 08:33 AM.


#3 pwgib

pwgib

  • Malware Response Team
  • 2,956 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:God's Country
  • Local time:11:15 AM

Posted 10 June 2010 - 06:14 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log

PW

#4 Jlegion

Jlegion
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:10:15 AM

Posted 10 June 2010 - 06:08 PM

Still an issue. Still getting redirects from search engine results, but now it is starting to affect other web links as well. I can no longer update Windows. Sometimes when the non-admin users try to log on it won't let them, saying that a group policy service won't let them or failed to run, or that it was unable to connect to Windows services. I am still getting host process crash errors, more and more frequently I might add. The virus has been making minor but annoying system changes, which for the most part I have been able to fix or prevent future instances of something being changed. I have run Malwarebytes, BitDefender Internet Security 2010, Hitman Pro 3.5, CCleaner, GMER, HijackThis, and Advanced System Optimizer, all of which come out clean. I have also used Process Explorer to examine as many of the running programs and processes as possible. As I stated before, I did find a jbwonjm.dll file that proved to be malicious and removed it, which did fix the theme changes on the admin account. Here are the DDS logs. It said the GMER log was too big to fit, so I will attach it to the next response.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 11:52:27.25 on Thu 06/10/2010
Internet Explorer: 8.0.6001.18904 BrowserJavaVersion: 1.6.0_20
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2046.1131 [GMT -5:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2010\vsserv.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\LogonUI.exe
C:\Windows\System32\svchost.exe -k netsvcs
C:\Windows\system32\nvvsvc.exe
C:\Program Files\BitDefender\BitDefender 2010\bdagent.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\BitDefender\BitDefender 2010\seccenter.exe
C:\Program Files\ASUS\AASP\1.00.33\aaCenter.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Windows\System32\wpcumi.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Users\Administrator\Documents\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {3Wcb8624-WWWW1216-WWWW9b47-WWWWWW7cWWWWWW3W-WWWWWW3aWWWWWW18WWWWWW3eWWWWWW7dWWWWWWeWWWWWWWc7} - No File
BHO: {8591f749-WWWW1154-WWWW84ca-WWWWWW99WWWWWWbd-WWWWWW95WWWWWWf1WWWWWW24WWWWWWe3WWWWWWWcWWWWWW1W} - No File
BHO: {8c68e98a-WWWW5ceb-WWWWe38c-WWWWWWd8WWWWWWfd-WWWWWWb4WWWWWW88WWWWWWdWWWWWWW9cWWWWWW81WWWWWW69} - No File
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: {ccfWd379-WWWW6f9W-WWWWacc1-WWWWWW37WWWWWWe4-WWWWWW6WWWWWWW19WWWWWW58WWWWWW8bWWWWWW91WWWWWW51} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: BitDefender Toolbar: {381ffde8-2394-4f90-b10d-fc6124a40f8c} - c:\program files\bitdefender\bitdefender 2010\IEToolbar.dll
TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [BDAgent] "c:\program files\bitdefender\bitdefender 2010\bdagent.exe"
mRun: [BitDefender Antiphishing Helper] "c:\program files\bitdefender\bitdefender 2010\IEShow.exe"
mRun: [WPCUMI] c:\windows\system32\WpcUmi.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~2\micros~2\office12\ONBttnIE.dll
LSP: c:\windows\system32\wpclsp.dll
DPF: {7A0D1738-10EA-47FF-92BE-4E137B5BE1A4} - hxxps://mpsnare.iesnare.com/StmOCX.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {A3256902-51FA-45A0-8A97-FC1143C169D9} - hxxp://support.microsoft.com/mats/DiagWebControl.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://games.pogo.com/online2/pogo/chuzzle/popcaploader_v6.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/su2/ocx/15109/CTPID.cab
mASetup: {31D9B4A9-6FCC-4698-A092-C4C28D017B36} - rundll32 jbwonjm.dll,laspi

================= FIREFOX ===================

FF - ProfilePath - c:\users\admini~1\appdata\roaming\mozilla\firefox\profiles\lxjkc682.default\
FF - prefs.js: browser.startup.homepage - www.google.com/firefox
FF - prefs.js: keyword.URL - hxxp://tmq.bingstart.com/s/?src=FF-Address&site=Bing&cfg=2-168-0-1dGRU&q=
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 BdfNdisf;BitDefender Firewall NDIS 6 Filter Driver;c:\windows\system32\drivers\BdfNdisf6.sys [2009-10-19 72784]
R2 BDVEDISK;BDVEDISK;c:\program files\bitdefender\bitdefender 2010\bdvedisk.sys [2009-9-22 85128]
R2 MSSQL$CSSQL05;SQL Server (CSSQL05);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2009-5-27 29262680]
R3 ADASPROT;SYSTWEAKASO;c:\program files\advanced system optimizer 3\adasprot32.sys [2010-6-9 6656]
R3 BDFM;BDFM;c:\windows\system32\drivers\bdfm.sys [2009-12-7 153448]
S2 ASO3DiskOptimizer;ASO3DiskOptimizer;c:\program files\advanced system optimizer 3\ASO3DefragSrv.exe [2010-6-9 238824]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-5 135664]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\common files\bitdefender\bitdefender arrakis server\bin\arrakis3.exe [2009-10-19 183880]
S3 c65013264;C-Media CM6501 Like Sound UDAX Interface;c:\windows\system32\drivers\c6501.sys [2009-1-10 1298944]
S3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files\common files\creative labs shared\service\AL6Licensing.exe [2009-9-22 79360]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2009-9-22 79360]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2009-4-18 55280]
S3 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2009-2-6 533360]
S3 MRV6X32U;Marvell TOPDOG 802.11n WLAN Driver for Vista x86 (USB8x);c:\windows\system32\drivers\MRVW24B.sys [2008-3-19 310016]

============== File Associations ===============

.txt=

=============== Created Last 30 ================

2010-06-09 17:26:24 524288 --sha-w- c:\users\administrator\NTUSER.DAT{6ec9225a-73eb-11df-9849-806e6f6e6963}.TMContainer00000000000000000002.regtrans-ms
2010-06-09 17:26:23 65536 --sha-w- c:\users\administrator\NTUSER.DAT{6ec9225a-73eb-11df-9849-806e6f6e6963}.TM.blf
2010-06-09 17:26:23 524288 --sha-w- c:\users\administrator\NTUSER.DAT{6ec9225a-73eb-11df-9849-806e6f6e6963}.TMContainer00000000000000000001.regtrans-ms
2010-06-09 17:23:53 0 ---ha-w- c:\users\administrator\NTUSER.DAT.sav.LOG2
2010-06-09 17:23:53 0 ---ha-w- c:\users\administrator\NTUSER.DAT.sav.LOG1
2010-06-09 15:05:51 0 d-----w- c:\programdata\Systweak
2010-06-09 15:05:31 1856 ----a-w- c:\windows\system32\ASOROSet.bin
2010-06-09 15:05:31 15080 ----a-w- c:\windows\system32\ROBoot.exe
2010-06-09 14:07:02 0 d-----w- c:\windows\Repair
2010-06-09 14:06:50 17136 ----a-w- c:\windows\system32\sasnative32.exe
2010-06-09 14:06:42 0 d-----w- c:\program files\Advanced System Optimizer 3
2010-06-09 14:05:44 0 d-----w- c:\users\admini~1\appdata\roaming\Systweak
2010-06-09 08:53:20 0 d-----w- c:\windows\system32\catroot2
2010-06-08 20:49:45 0 d-----w- c:\program files\Lionhead Studios
2010-06-08 06:25:05 1506 ----a-w- c:\windows\system32\.crusader
2010-06-07 18:15:44 0 d-----r- c:\program files\TypingMaster2
2010-06-07 17:40:21 0 ---ha-w- c:\windows\system32\xauzarupqx.tmp
2010-06-07 17:15:10 0 d-----w- C:\CPKHOME
2010-06-07 17:15:10 0 d-----w- C:\CPKDATA
2010-06-07 10:07:15 65143 ----a-w- c:\programdata\nvModes.dat
2010-06-07 02:36:25 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-06-07 02:35:31 0 d-----w- c:\programdata\Hitman Pro
2010-06-07 02:35:31 0 d-----w- c:\program files\Hitman Pro 3.5
2010-06-07 02:02:57 20 ----a-w- c:\users\administrator\defogger_reenable
2010-06-05 17:46:32 0 d-----w- c:\programdata\Sun
2010-06-05 17:46:02 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-05 12:40:40 0 d-----w- c:\users\admini~1\appdata\roaming\Hermetic Systems
2010-06-05 12:40:40 0 d-----w- c:\program files\Hermetic Systems
2010-06-05 12:31:32 65536 --sha-w- c:\users\administrator\NTUSER.DAT{75f6fa63-705f-11df-841f-001e8ca42222}.TM.blf
2010-06-05 12:31:32 524288 --sha-w- c:\users\administrator\NTUSER.DAT{75f6fa63-705f-11df-841f-001e8ca42222}.TMContainer00000000000000000002.regtrans-ms
2010-06-05 12:31:32 524288 --sha-w- c:\users\administrator\NTUSER.DAT{75f6fa63-705f-11df-841f-001e8ca42222}.TMContainer00000000000000000001.regtrans-ms
2010-06-05 12:28:51 0 d-----w- c:\users\admini~1\appdata\roaming\Registry Mechanic
2010-06-05 12:28:40 262144 ---ha-w- c:\users\administrator\S-1-5-21-807732661-2489122625-1132618089-500.rrr.LOG1
2010-06-05 12:28:40 0 ---ha-w- c:\users\administrator\S-1-5-21-807732661-2489122625-1132618089-500.rrr.LOG2
2010-06-05 11:52:11 0 d-----w- c:\program files\Perfect Optimizer
2010-06-05 11:39:45 0 d-----w- c:\programdata\SecTaskMan
2010-06-05 11:39:40 0 d-----w- c:\program files\Security Task Manager
2010-06-03 19:57:01 0 d-----w- c:\program files\NifTools
2010-06-03 19:54:40 0 d-----w- c:\users\admini~1\appdata\roaming\ScripterRon
2010-06-03 19:27:34 0 d-----w- c:\program files\GIMP-2.0
2010-06-03 19:12:10 0 d-----w- C:\Python26
2010-06-03 19:03:43 0 d-----w- c:\users\admini~1\appdata\roaming\Blender Foundation
2010-06-03 19:03:39 0 d-----w- c:\program files\Blender Foundation
2010-06-01 20:26:49 7106 ----a-w- c:\windows\system32\thqvmk
2010-06-01 20:26:49 64512 ----a-w- c:\windows\system32\klgd.bmp
2010-05-30 23:52:41 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2010-05-30 23:52:05 0 d-----w- c:\program files\Microsoft Games for Windows - LIVE
2010-05-30 17:55:59 182272 ----a-w- c:\windows\patchw32.dll
2010-05-30 16:38:55 0 d-----w- c:\program files\Bethesda Softworks
2010-05-30 16:35:51 0 d-----w- c:\windows\system32\xlive
2010-05-30 04:21:08 0 d-----w- c:\program files\Lionhead Studios Ltd
2010-05-27 15:11:35 0 d-----w- c:\program files\Mind Quiz
2010-05-27 03:56:07 2810 ----a-w- c:\windows\system32\ealregsnapshot1.reg
2010-05-26 16:07:59 0 d-----w- c:\program files\NVIDIA Corporation
2010-05-26 15:49:48 0 d-----w- c:\users\admini~1\appdata\roaming\Dark Sector
2010-05-25 17:51:35 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-24 03:26:27 0 d-----w- c:\users\admini~1\appdata\roaming\Plane9
2010-05-22 09:31:38 0 d-----w- c:\program files\UnH Solutions
2010-05-18 01:25:24 116736 ----a-w- c:\windows\system32\drivers\mcdbus.sys
2010-05-18 01:25:23 0 d-----w- c:\program files\MagicDisc
2010-05-17 21:07:19 0 d-----w- c:\program files\Shiny
2010-05-11 22:44:48 738816 ----a-w- c:\windows\system32\inetcomm.dll

==================== Find3M ====================

2010-05-27 15:00:03 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-05-18 01:25:59 51200 ----a-w- c:\windows\inf\infpub.dat
2010-05-18 01:25:59 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-05-18 01:25:58 86016 ----a-w- c:\windows\inf\infstor.dat
2010-05-04 10:17:35 72784 ----a-w- c:\windows\system32\drivers\BdfNdisf6.sys
2010-04-27 19:45:56 72856 ----a-w- c:\windows\system32\xliveinstallhost.exe
2010-04-27 19:45:56 187544 ----a-w- c:\windows\system32\xliveinstall.dll
2010-04-16 04:52:42 3082 ----a-w- c:\windows\system32\affv300053706p4now.sys
2010-04-08 19:00:42 87608 ----a-w- c:\users\admini~1\appdata\roaming\inst.exe
2010-04-08 19:00:42 47360 ----a-w- c:\users\admini~1\appdata\roaming\pcouffin.sys
2010-04-02 22:17:52 15426200 ----a-w- c:\windows\system32\xlive.dll
2010-04-02 22:17:52 13642904 ----a-w- c:\windows\system32\xlivefnt.dll
2010-03-20 02:52:08 2145280 ----a-w- c:\windows\system32\python26.dll
2009-11-10 05:17:48 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-10-16 07:09:08 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2008-05-29 17:39:07 8 --sha-r- c:\windows\system32\5B02780D30.sys
2008-05-29 17:39:08 5018 --sha-w- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 11:53:41.48 ===============


Here is the gmer log

Attached Files
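As an added example (this is not code from the original post, from DDS, or from the BleepingComputer helpers), the checks a responder applies by eye to a log like the one above can be written down and run over the log text. Three rules are shown: a BHO or toolbar registration whose DLL is gone ("No File"), a rundll32 entry that names its DLL without a path so it is found through the DLL search path rather than a fixed location (for an mASetup entry, i.e. Active Setup, the StubPath is run once per user account at logon, so it should be checked from every account), and a Firefox keyword.URL that points anywhere other than the expected search host. The sample lines are copied from the log above; the expected-host allowlist, the rule names and the severity labels are this example's own assumptions, not anything DDS or the thread defines.

```python
import re
from typing import List, NamedTuple

# Lines copied from the DDS log posted above (a handful, not the whole log).
SAMPLE_LOG = """\
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\\program files\\common files\\microsoft shared\\windows live\\WindowsLiveLogin.dll
BHO: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [DW6] "c:\\program files\\the weather channel fw\\desktop\\DesktopWeather.exe"
mRun: [WPCUMI] c:\\windows\\system32\\WpcUmi.exe
mASetup: {31D9B4A9-6FCC-4698-A092-C4C28D017B36} - rundll32 jbwonjm.dll,laspi
FF - prefs.js: browser.startup.homepage - www.google.com/firefox
FF - prefs.js: keyword.URL - hxxp://tmq.bingstart.com/s/?src=FF-Address&site=Bing&cfg=2-168-0-1dGRU&q=
"""


class Finding(NamedTuple):
    rule: str       # rule name (this example's own naming)
    severity: str   # "low" / "medium" / "high" (this example's own scale)
    line: str       # the log line that triggered the rule


# Assumption: the only host Firefox is expected to use for address-bar keyword
# search here is Google. Anything else is flagged for review, not declared malicious.
EXPECTED_SEARCH_HOSTS = {"www.google.com", "google.com"}

# rundll32 [.exe] ["]<dll>[",]... -> capture the DLL argument.
_RUNDLL = re.compile(r"rundll32(?:\.exe)?\s+\"?([^\s\",]+)", re.IGNORECASE)
# DDS defangs URLs as hxxp://; accept both spellings and capture the host.
_URL = re.compile(r"h(?:xx|tt)ps?://([^/\s]+)", re.IGNORECASE)


def check_line(line: str) -> List[Finding]:
    """Apply every rule to one DDS log line and return the findings."""
    out: List[Finding] = []
    kind, _, rest = line.partition(":")
    kind, rest = kind.strip(), rest.strip()

    # Rule 1: orphaned BHO/TB registration. The CLSID is still in the registry
    # but the DLL it points to is missing, usually a leftover from a removal.
    if kind in ("BHO", "TB") and rest.endswith("- No File"):
        out.append(Finding("orphan_registration", "low", line))

    # Rule 2: rundll32 loading a DLL given only by bare file name. With no
    # directory the loader resolves it via the DLL search path. In mASetup
    # (Active Setup) the StubPath runs once per user at next logon.
    m = _RUNDLL.search(line)
    if m:
        dll = m.group(1)
        if "\\" not in dll and "/" not in dll:
            severity = "high" if kind == "mASetup" else "medium"
            out.append(Finding("rundll32_bare_dll", severity, line))

    # Rule 3: Firefox keyword.URL overridden to a host outside the allowlist.
    if kind.startswith("FF") and "keyword.URL" in rest:
        u = _URL.search(rest)
        host = u.group(1).lower() if u else ""
        if host not in EXPECTED_SEARCH_HOSTS:
            out.append(Finding("search_keyword_override", "medium", line))

    return out


def triage(log_text: str) -> List[Finding]:
    """Run check_line over every non-empty line of a DDS-style log."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        if raw.strip():
            findings.extend(check_line(raw.strip()))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.rule:24} {f.line}")
```

Run against the sample, the script reports the two "No File" registrations as low, the mASetup rundll32 entry as high, and the keyword.URL line as medium; the Windows Live BHO, the two Run entries and the homepage line produce nothing. The rules are deliberately narrow so they can be extended line by line as a responder learns what a given log format carries.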



#5 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:15 PM

Posted 11 June 2010 - 05:05 PM

Hello there,

I'm Extremeboy, and I will continue to help you here.

Let's get one more scan done.

We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. Under "Extra Registry" please check "Use Safelist" and also check "LOP Check" and "Purity Check" as pictured.
  6. Copy and Paste the following code into the textbox. Do not include the word "Code"

    CODE
    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %ALLUSERSPROFILE%\Application Data\*.
    %ALLUSERSPROFILE%\Application Data\*.exe /s
    %APPDATA%\*.
    %APPDATA%\*.exe /s
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    CREATERESTOREPOINT

  7. Push
  8. Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#6 Jlegion

Jlegion
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:10:15 AM

Posted 17 June 2010 - 12:05 AM

I am no longer having problems, because my boot management and a few other things got screwed up somehow, so I had to get a recovery disc from my vendor and do a system recovery, but I thank you for the help.

#7 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:15 PM

Posted 17 June 2010 - 08:40 PM

Glad you solved it.

Below are some prevention tips, now assuming you're clean.

Now that you are clean, please follow and read some of the prevention tips >over here<. Is your system a bit slow? If so, try some of the points and things suggested here.

If you would like, visit my http://computermalwaresecurity.blogspot.com/ and Subscribe/Follow along.


If you have no more questions, comments or problems please tell us, so we can close off the topic.

Thanks.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.