
Mebroot/ google redirect issues


  • This topic is locked
10 replies to this topic

#1 Dunecat

Posted 25 June 2010 - 10:44 AM

Greetings,

I picked up this nasty bug and have been unable to remove it thus far. Some preliminary info. Initially F-Secure and MBAM were picking up loads of additional garbage that I managed to get rid of, with the exception of Mebroot. F-Secure BlackLight was still detecting it, so I entered the Recovery Console and issued a fixmbr on the primary drive in question. Neither F-Secure nor Malwarebytes seems to find it anymore. However, randomly named executables keep attempting to access the system from either my Temp or Application Data folders. F-Secure's DeepGuard prevents them from doing anything, but I can't seem to nip the root problem.

Per your suggestion, I have posted the GMER and DDS logs.

A word of note: the last two times I ran GMER, it took 8 hours to run and locked up my machine completely at the end. I got lucky enough to save the log file this time.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 5/25/2008 7:53:17 AM
System Uptime: 6/24/2010 12:32:04 PM (1 hours ago)

Motherboard: Gigabyte Technology Co., Ltd. | | P35-DS3L
Processor: Intel® Pentium® D CPU 3.00GHz | Socket 775 | 3000/200mhz
Processor: Intel® Pentium® D CPU 3.00GHz | Socket 775 | 3000/200mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 466 GiB total, 276.706 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

Acrobat.com
Ad-Aware
Ad-Aware Email Scanner for Outlook
Adobe AIR
Adobe Download Manager
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9
AOL Instant Messenger
Auslogics Disk Defrag
Aveyond - Lord of Twilight (remove only)
Batman: Arkham Asylum
Batman: Arkham Asylum Demo
Battlefield Heroes
BioShock
Black & White® 2
Burger Shop 2 (remove only)
CCScore
Cinema Tycoon 2 - Movie Mania (remove only)
Cisco Packet Tracer 5.2
Command & Conquer 3
Command & Conquer Generals
Command & Conquer™ 3: Kane's Wrath
Command and ConquerTM Generals Zero Hour
Company of Heroes
Company of Heroes - FAKEMSI
Dawn of War - Dark Crusade
Dawn of War - Soulstorm
Diablo II
Dinos & Aliens (remove only)
East India Company Demo
Empire: Total War
ESSBrwr
ESSCDBK
ESScore
ESSgui
ESSini
ESSPCD
ESSPDock
ESSSONIC
ESSTOOLS
essvatgt
EVGA Display Driver
F-Secure Anti-Virus 2010
F-Secure PSC Prerequisites
F.E.A.R. 2: Project Origin
Fallout Tactics
Fallout2
Google Chrome
Google Update Helper
Groove Games\Land Of The Dead
Heroes of Might and Magic V
Hitman Blood Money
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB935448)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
Intel® PROSet
J2SE Runtime Environment 5.0 Update 6
Jetfighter IV
Jing
kgcbase
Kodak EasyShare software
Left 4 Dead 2
Left 4 Dead 2 Add-on Support
LEGO Star Wars
Malwarebytes' Anti-Malware
McAfee Security Scan Plus
Medal of Honor Allied Assault
Medal of Honor Pacific Assault™
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Games for Windows - LIVE
Microsoft Games for Windows - LIVE Redistributable
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft MechCommander 2
Microsoft National Language Support Downlevel APIs
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Mozilla Firefox (3.0.19)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB973686)
My Tribe (remove only)
Napoleon: Total War
netbrdg
NVIDIA Drivers
NVIDIA nView Desktop Manager
NVIDIA PhysX
OfotoXMI
Panda ActiveScan 2.0
PGIII Scorched Earth
Plants vs. Zombies
PunkBuster Services
RealPlayer
Realtek High Definition Audio Driver
Rome: Total War Alexander
Rome: Total War Gold
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338-v2)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971032)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981349)
SFR
SHASTA
Sid Meier's Pirates!
SimTheme Park
skin0001
SKINXSDK
SPORE™ Creature Creator
Spybot - Search & Destroy
Star Wars Empire at War
Star Wars Empire at War Forces of Corruption
StarCraft
StarTopia (remove only)
staticcr
Steam
System Requirements Lab
Tasty Planet (remove only)
TechSkills TestPrep
The Battle for Middle-earth ™
The Battle for Middle-earth ™ II
The Lord of the Rings, The Rise of the Witch-king
Theme Park World Fix
tooltips
Trillian
Turbo Combo (remove only)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911164)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VDMSound
Viewpoint Media Player
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VPRINTOL
Warhammer 40,000: Dawn of War II
WebEx
WebEx Support Manager for Internet Explorer
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live installer
Windows Live Sign-in Assistant
Windows Presentation Foundation
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR archiver
WIRELESS
XML Paper Specification Shared Components Pack 1.0
Xvid 1.1.3 final uninstall
Yahoo! Messenger
Yahoo! Toolbar
Zombie Bowl-O-Rama (remove only)

==== Event Viewer Messages From Past Week ========

6/24/2010 9:58:00 AM, error: Schedule [7901] - The At10.job command failed to start due to the following error: %%2147942402
6/24/2010 7:58:00 AM, error: Schedule [7901] - The At8.job command failed to start due to the following error: %%2147942402
6/24/2010 6:58:00 AM, error: Schedule [7901] - The At7.job command failed to start due to the following error: %%2147942402
6/24/2010 5:58:00 AM, error: Schedule [7901] - The At6.job command failed to start due to the following error: %%2147942402
6/24/2010 4:58:00 AM, error: Schedule [7901] - The At5.job command failed to start due to the following error: %%2147942402
6/24/2010 3:58:00 AM, error: Schedule [7901] - The At4.job command failed to start due to the following error: %%2147942402
6/24/2010 2:58:00 AM, error: Schedule [7901] - The At3.job command failed to start due to the following error: %%2147942402
6/24/2010 12:58:00 PM, error: Schedule [7901] - The At13.job command failed to start due to the following error: %%2147942402
6/24/2010 12:58:00 AM, error: Schedule [7901] - The At1.job command failed to start due to the following error: %%2147942402
6/24/2010 11:58:00 AM, error: Schedule [7901] - The At12.job command failed to start due to the following error: %%2147942402
6/24/2010 10:58:00 AM, error: Schedule [7901] - The At11.job command failed to start due to the following error: %%2147942402
6/24/2010 1:58:00 AM, error: Schedule [7901] - The At2.job command failed to start due to the following error: %%2147942402
6/23/2010 9:58:00 PM, error: Schedule [7901] - The At22.job command failed to start due to the following error: %%2147942402
6/23/2010 9:00:00 AM, error: Schedule [7901] - The At82.job command failed to start due to the following error: %%2147942402
6/23/2010 9:00:00 AM, error: Schedule [7901] - The At58.job command failed to start due to the following error: %%2147942402
6/23/2010 9:00:00 AM, error: Schedule [7901] - The At34.job command failed to start due to the following error: %%2147942402
6/23/2010 9:00:00 AM, error: Schedule [7901] - The At178.job command failed to start due to the following error: %%2147942402
6/23/2010 9:00:00 AM, error: Schedule [7901] - The At154.job command failed to start due to the following error: %%2147942402
6/23/2010 9:00:00 AM, error: Schedule [7901] - The At130.job command failed to start due to the following error: %%2147942402
6/23/2010 9:00:00 AM, error: Schedule [7901] - The At106.job command failed to start due to the following error: %%2147942402
6/23/2010 8:58:00 PM, error: Schedule [7901] - The At21.job command failed to start due to the following error: %%2147942402
6/23/2010 8:00:00 AM, error: Schedule [7901] - The At81.job command failed to start due to the following error: %%2147942402
6/23/2010 8:00:00 AM, error: Schedule [7901] - The At57.job command failed to start due to the following error: %%2147942402
6/23/2010 8:00:00 AM, error: Schedule [7901] - The At33.job command failed to start due to the following error: %%2147942402
6/23/2010 8:00:00 AM, error: Schedule [7901] - The At177.job command failed to start due to the following error: %%2147942402
6/23/2010 8:00:00 AM, error: Schedule [7901] - The At153.job command failed to start due to the following error: %%2147942402
6/23/2010 8:00:00 AM, error: Schedule [7901] - The At129.job command failed to start due to the following error: %%2147942402
6/23/2010 8:00:00 AM, error: Schedule [7901] - The At105.job command failed to start due to the following error: %%2147942402
6/23/2010 7:58:00 PM, error: Schedule [7901] - The At20.job command failed to start due to the following error: %%2147942402
6/23/2010 7:00:00 AM, error: Schedule [7901] - The At80.job command failed to start due to the following error: %%2147942402
6/23/2010 7:00:00 AM, error: Schedule [7901] - The At56.job command failed to start due to the following error: %%2147942402
6/23/2010 7:00:00 AM, error: Schedule [7901] - The At32.job command failed to start due to the following error: %%2147942402
6/23/2010 7:00:00 AM, error: Schedule [7901] - The At176.job command failed to start due to the following error: %%2147942402
6/23/2010 7:00:00 AM, error: Schedule [7901] - The At152.job command failed to start due to the following error: %%2147942402
6/23/2010 7:00:00 AM, error: Schedule [7901] - The At128.job command failed to start due to the following error: %%2147942402
6/23/2010 7:00:00 AM, error: Schedule [7901] - The At104.job command failed to start due to the following error: %%2147942402
6/23/2010 6:58:00 PM, error: Schedule [7901] - The At19.job command failed to start due to the following error: %%2147942402
6/23/2010 6:00:02 AM, error: Schedule [7901] - The At79.job command failed to start due to the following error: %%2147942402
6/23/2010 6:00:02 AM, error: Schedule [7901] - The At55.job command failed to start due to the following error: %%2147942402
6/23/2010 6:00:02 AM, error: Schedule [7901] - The At31.job command failed to start due to the following error: %%2147942402
6/23/2010 6:00:02 AM, error: Schedule [7901] - The At175.job command failed to start due to the following error: %%2147942402
6/23/2010 6:00:01 AM, error: Schedule [7901] - The At151.job command failed to start due to the following error: %%2147942402
6/23/2010 6:00:01 AM, error: Schedule [7901] - The At127.job command failed to start due to the following error: %%2147942402
6/23/2010 6:00:00 AM, error: Schedule [7901] - The At103.job command failed to start due to the following error: %%2147942402
6/23/2010 5:00:00 AM, error: Schedule [7901] - The At78.job command failed to start due to the following error: %%2147942402
6/23/2010 5:00:00 AM, error: Schedule [7901] - The At54.job command failed to start due to the following error: %%2147942402
6/23/2010 5:00:00 AM, error: Schedule [7901] - The At30.job command failed to start due to the following error: %%2147942402
6/23/2010 5:00:00 AM, error: Schedule [7901] - The At174.job command failed to start due to the following error: %%2147942402
6/23/2010 5:00:00 AM, error: Schedule [7901] - The At150.job command failed to start due to the following error: %%2147942402
6/23/2010 5:00:00 AM, error: Schedule [7901] - The At126.job command failed to start due to the following error: %%2147942402
6/23/2010 5:00:00 AM, error: Schedule [7901] - The At102.job command failed to start due to the following error: %%2147942402
6/23/2010 4:56:33 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
6/23/2010 4:00:00 PM, error: Schedule [7901] - The At89.job command failed to start due to the following error: %%2147942402
6/23/2010 4:00:00 PM, error: Schedule [7901] - The At65.job command failed to start due to the following error: %%2147942402
6/23/2010 4:00:00 PM, error: Schedule [7901] - The At41.job command failed to start due to the following error: %%2147942402
6/23/2010 4:00:00 PM, error: Schedule [7901] - The At185.job command failed to start due to the following error: %%2147942402
6/23/2010 4:00:00 PM, error: Schedule [7901] - The At161.job command failed to start due to the following error: %%2147942402
6/23/2010 4:00:00 PM, error: Schedule [7901] - The At137.job command failed to start due to the following error: %%2147942402
6/23/2010 4:00:00 PM, error: Schedule [7901] - The At113.job command failed to start due to the following error: %%2147942402
6/23/2010 4:00:00 AM, error: Schedule [7901] - The At77.job command failed to start due to the following error: %%2147942402
6/23/2010 4:00:00 AM, error: Schedule [7901] - The At53.job command failed to start due to the following error: %%2147942402
6/23/2010 4:00:00 AM, error: Schedule [7901] - The At29.job command failed to start due to the following error: %%2147942402
6/23/2010 4:00:00 AM, error: Schedule [7901] - The At173.job command failed to start due to the following error: %%2147942402
6/23/2010 4:00:00 AM, error: Schedule [7901] - The At149.job command failed to start due to the following error: %%2147942402
6/23/2010 4:00:00 AM, error: Schedule [7901] - The At125.job command failed to start due to the following error: %%2147942402
6/23/2010 4:00:00 AM, error: Schedule [7901] - The At101.job command failed to start due to the following error: %%2147942402
6/23/2010 3:00:00 PM, error: Schedule [7901] - The At184.job command failed to start due to the following error: %%2147942402
6/23/2010 3:00:00 PM, error: Schedule [7901] - The At160.job command failed to start due to the following error: %%2147942402
6/23/2010 3:00:00 AM, error: Schedule [7901] - The At76.job command failed to start due to the following error: %%2147942402
6/23/2010 3:00:00 AM, error: Schedule [7901] - The At52.job command failed to start due to the following error: %%2147942402
6/23/2010 3:00:00 AM, error: Schedule [7901] - The At28.job command failed to start due to the following error: %%2147942402
6/23/2010 3:00:00 AM, error: Schedule [7901] - The At172.job command failed to start due to the following error: %%2147942402
6/23/2010 3:00:00 AM, error: Schedule [7901] - The At148.job command failed to start due to the following error: %%2147942402
6/23/2010 3:00:00 AM, error: Schedule [7901] - The At124.job command failed to start due to the following error: %%2147942402
6/23/2010 3:00:00 AM, error: Schedule [7901] - The At100.job command failed to start due to the following error: %%2147942402
6/23/2010 2:00:00 PM, error: Schedule [7901] - The At183.job command failed to start due to the following error: %%2147942402
6/23/2010 2:00:00 PM, error: Schedule [7901] - The At159.job command failed to start due to the following error: %%2147942402
6/23/2010 2:00:00 AM, error: Schedule [7901] - The At99.job command failed to start due to the following error: %%2147942402
6/23/2010 2:00:00 AM, error: Schedule [7901] - The At75.job command failed to start due to the following error: %%2147942402
6/23/2010 2:00:00 AM, error: Schedule [7901] - The At51.job command failed to start due to the following error: %%2147942402
6/23/2010 2:00:00 AM, error: Schedule [7901] - The At27.job command failed to start due to the following error: %%2147942402
6/23/2010 2:00:00 AM, error: Schedule [7901] - The At171.job command failed to start due to the following error: %%2147942402
6/23/2010 2:00:00 AM, error: Schedule [7901] - The At147.job command failed to start due to the following error: %%2147942402
6/23/2010 2:00:00 AM, error: Schedule [7901] - The At123.job command failed to start due to the following error: %%2147942402
6/23/2010 12:53:00 AM, error: Schedule [7901] - The At25.job command failed to start due to the following error: %%2147942402
6/23/2010 12:52:00 AM, error: Schedule [7901] - The At49.job command failed to start due to the following error: %%2147942402
6/23/2010 12:48:00 AM, error: Schedule [7901] - The At73.job command failed to start due to the following error: %%2147942402
6/23/2010 12:47:00 AM, error: Schedule [7901] - The At169.job command failed to start due to the following error: %%2147942402
6/23/2010 12:34:00 AM, error: Schedule [7901] - The At97.job command failed to start due to the following error: %%2147942402
6/23/2010 12:34:00 AM, error: Schedule [7901] - The At121.job command failed to start due to the following error: %%2147942402
6/23/2010 12:28:00 AM, error: Schedule [7901] - The At145.job command failed to start due to the following error: %%2147942402
6/23/2010 12:00:00 PM, error: Schedule [7901] - The At85.job command failed to start due to the following error: %%2147942402
6/23/2010 12:00:00 PM, error: Schedule [7901] - The At61.job command failed to start due to the following error: %%2147942402
6/23/2010 12:00:00 PM, error: Schedule [7901] - The At37.job command failed to start due to the following error: %%2147942402
6/23/2010 12:00:00 PM, error: Schedule [7901] - The At181.job command failed to start due to the following error: %%2147942402
6/23/2010 12:00:00 PM, error: Schedule [7901] - The At157.job command failed to start due to the following error: %%2147942402
6/23/2010 12:00:00 PM, error: Schedule [7901] - The At133.job command failed to start due to the following error: %%2147942402
6/23/2010 12:00:00 PM, error: Schedule [7901] - The At109.job command failed to start due to the following error: %%2147942402
6/23/2010 11:58:00 PM, error: Schedule [7901] - The At24.job command failed to start due to the following error: %%2147942402
6/23/2010 11:00:00 AM, error: Schedule [7901] - The At84.job command failed to start due to the following error: %%2147942402
6/23/2010 11:00:00 AM, error: Schedule [7901] - The At60.job command failed to start due to the following error: %%2147942402
6/23/2010 11:00:00 AM, error: Schedule [7901] - The At36.job command failed to start due to the following error: %%2147942402
6/23/2010 11:00:00 AM, error: Schedule [7901] - The At180.job command failed to start due to the following error: %%2147942402
6/23/2010 11:00:00 AM, error: Schedule [7901] - The At156.job command failed to start due to the following error: %%2147942402
6/23/2010 11:00:00 AM, error: Schedule [7901] - The At132.job command failed to start due to the following error: %%2147942402
6/23/2010 11:00:00 AM, error: Schedule [7901] - The At108.job command failed to start due to the following error: %%2147942402
6/23/2010 10:58:00 PM, error: Schedule [7901] - The At23.job command failed to start due to the following error: %%2147942402
6/23/2010 10:00:00 AM, error: Schedule [7901] - The At83.job command failed to start due to the following error: %%2147942402
6/23/2010 10:00:00 AM, error: Schedule [7901] - The At59.job command failed to start due to the following error: %%2147942402
6/23/2010 10:00:00 AM, error: Schedule [7901] - The At35.job command failed to start due to the following error: %%2147942402
6/23/2010 10:00:00 AM, error: Schedule [7901] - The At179.job command failed to start due to the following error: %%2147942402
6/23/2010 10:00:00 AM, error: Schedule [7901] - The At155.job command failed to start due to the following error: %%2147942402
6/23/2010 10:00:00 AM, error: Schedule [7901] - The At131.job command failed to start due to the following error: %%2147942402
6/23/2010 10:00:00 AM, error: Schedule [7901] - The At107.job command failed to start due to the following error: %%2147942402
6/23/2010 1:00:00 PM, error: Schedule [7901] - The At86.job command failed to start due to the following error: %%2147942402
6/23/2010 1:00:00 PM, error: Schedule [7901] - The At62.job command failed to start due to the following error: %%2147942402
6/23/2010 1:00:00 PM, error: Schedule [7901] - The At38.job command failed to start due to the following error: %%2147942402
6/23/2010 1:00:00 PM, error: Schedule [7901] - The At182.job command failed to start due to the following error: %%2147942402
6/23/2010 1:00:00 PM, error: Schedule [7901] - The At158.job command failed to start due to the following error: %%2147942402
6/23/2010 1:00:00 PM, error: Schedule [7901] - The At134.job command failed to start due to the following error: %%2147942402
6/23/2010 1:00:00 PM, error: Schedule [7901] - The At110.job command failed to start due to the following error: %%2147942402
6/23/2010 1:00:00 AM, error: Schedule [7901] - The At98.job command failed to start due to the following error: %%2147942402
6/23/2010 1:00:00 AM, error: Schedule [7901] - The At74.job command failed to start due to the following error: %%2147942402
6/23/2010 1:00:00 AM, error: Schedule [7901] - The At50.job command failed to start due to the following error: %%2147942402
6/23/2010 1:00:00 AM, error: Schedule [7901] - The At26.job command failed to start due to the following error: %%2147942402
6/23/2010 1:00:00 AM, error: Schedule [7901] - The At170.job command failed to start due to the following error: %%2147942402
6/23/2010 1:00:00 AM, error: Schedule [7901] - The At146.job command failed to start due to the following error: %%2147942402
6/23/2010 1:00:00 AM, error: Schedule [7901] - The At122.job command failed to start due to the following error: %%2147942402
6/22/2010 9:00:00 PM, error: Schedule [7901] - The At94.job command failed to start due to the following error: %%2147942402
6/22/2010 9:00:00 PM, error: Schedule [7901] - The At70.job command failed to start due to the following error: %%2147942402
6/22/2010 9:00:00 PM, error: Schedule [7901] - The At46.job command failed to start due to the following error: %%2147942402
6/22/2010 9:00:00 PM, error: Schedule [7901] - The At190.job command failed to start due to the following error: %%2147942402
6/22/2010 9:00:00 PM, error: Schedule [7901] - The At166.job command failed to start due to the following error: %%2147942402
6/22/2010 9:00:00 PM, error: Schedule [7901] - The At142.job command failed to start due to the following error: %%2147942402
6/22/2010 9:00:00 PM, error: Schedule [7901] - The At118.job command failed to start due to the following error: %%2147942402
6/22/2010 8:00:03 PM, error: Schedule [7901] - The At93.job command failed to start due to the following error: %%2147942402
6/22/2010 8:00:03 PM, error: Schedule [7901] - The At69.job command failed to start due to the following error: %%2147942402
6/22/2010 8:00:03 PM, error: Schedule [7901] - The At45.job command failed to start due to the following error: %%2147942402
6/22/2010 8:00:03 PM, error: Schedule [7901] - The At189.job command failed to start due to the following error: %%2147942402
6/22/2010 8:00:01 PM, error: Schedule [7901] - The At165.job command failed to start due to the following error: %%2147942402
6/22/2010 8:00:01 PM, error: Schedule [7901] - The At141.job command failed to start due to the following error: %%2147942402
6/22/2010 8:00:00 PM, error: Schedule [7901] - The At117.job command failed to start due to the following error: %%2147942402
6/22/2010 7:39:17 PM, error: Service Control Manager [7001] - The ClipBook service depends on the Network DDE service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
6/22/2010 7:39:17 PM, error: Service Control Manager [7000] - The LogMeIn Kernel Information Provider service failed to start due to the following error: The system cannot find the file specified.
6/22/2010 7:00:00 PM, error: Schedule [7901] - The At92.job command failed to start due to the following error: %%2147942402
6/22/2010 7:00:00 PM, error: Schedule [7901] - The At68.job command failed to start due to the following error: %%2147942402
6/22/2010 7:00:00 PM, error: Schedule [7901] - The At44.job command failed to start due to the following error: %%2147942402
6/22/2010 7:00:00 PM, error: Schedule [7901] - The At188.job command failed to start due to the following error: %%2147942402
6/22/2010 7:00:00 PM, error: Schedule [7901] - The At164.job command failed to start due to the following error: %%2147942402
6/22/2010 7:00:00 PM, error: Schedule [7901] - The At140.job command failed to start due to the following error: %%2147942402
6/22/2010 7:00:00 PM, error: Schedule [7901] - The At116.job command failed to start due to the following error: %%2147942402
6/22/2010 6:00:00 PM, error: Schedule [7901] - The At91.job command failed to start due to the following error: %%2147942402
6/22/2010 6:00:00 PM, error: Schedule [7901] - The At67.job command failed to start due to the following error: %%2147942402
6/22/2010 6:00:00 PM, error: Schedule [7901] - The At43.job command failed to start due to the following error: %%2147942402
6/22/2010 6:00:00 PM, error: Schedule [7901] - The At187.job command failed to start due to the following error: %%2147942402
6/22/2010 6:00:00 PM, error: Schedule [7901] - The At163.job command failed to start due to the following error: %%2147942402
6/22/2010 6:00:00 PM, error: Schedule [7901] - The At139.job command failed to start due to the following error: %%2147942402
6/22/2010 6:00:00 PM, error: Schedule [7901] - The At115.job command failed to start due to the following error: %%2147942402
6/22/2010 5:51:28 PM, error: Service Control Manager [7034] - The Telnet service terminated unexpectedly. It has done this 1 time(s).
6/22/2010 5:50:27 PM, error: nv [14] - Unknown error on CMDre 00000000 00000640 00000102 00000004 00000084
6/22/2010 5:50:27 PM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
6/22/2010 5:50:27 PM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
6/22/2010 5:49:08 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
6/22/2010 5:37:45 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
6/22/2010 5:29:04 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm pavboot
6/22/2010 3:29:56 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 30 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
6/22/2010 3:14:56 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
6/22/2010 3:04:23 AM, error: N100 [27] - Adapter Compaq NC3121 Fast Ethernet NIC: Adapter Link Down
6/22/2010 3:00:00 PM, error: Schedule [7901] - The At88.job command failed to start due to the following error: %%2147942402
6/22/2010 3:00:00 PM, error: Schedule [7901] - The At64.job command failed to start due to the following error: %%2147942402
6/22/2010 3:00:00 PM, error: Schedule [7901] - The At40.job command failed to start due to the following error: %%2147942402
6/22/2010 3:00:00 PM, error: Schedule [7901] - The At136.job command failed to start due to the following error: %%2147942402
6/22/2010 3:00:00 PM, error: Schedule [7901] - The At112.job command failed to start due to the following error: %%2147942402
6/22/2010 2:00:00 PM, error: Schedule [7901] - The At87.job command failed to start due to the following error: %%2147942402
6/22/2010 2:00:00 PM, error: Schedule [7901] - The At63.job command failed to start due to the following error: %%2147942402
6/22/2010 2:00:00 PM, error: Schedule [7901] - The At39.job command failed to start due to the following error: %%2147942402
6/22/2010 2:00:00 PM, error: Schedule [7901] - The At135.job command failed to start due to the following error: %%2147942402
6/22/2010 2:00:00 PM, error: Schedule [7901] - The At111.job command failed to start due to the following error: %%2147942402
6/22/2010 11:00:00 PM, error: Schedule [7901] - The At96.job command failed to start due to the following error: %%2147942402
6/22/2010 11:00:00 PM, error: Schedule [7901] - The At72.job command failed to start due to the following error: %%2147942402
6/22/2010 11:00:00 PM, error: Schedule [7901] - The At48.job command failed to start due to the following error: %%2147942402
6/22/2010 11:00:00 PM, error: Schedule [7901] - The At192.job command failed to start due to the following error: %%2147942402
6/22/2010 11:00:00 PM, error: Schedule [7901] - The At168.job command failed to start due to the following error: %%2147942402
6/22/2010 11:00:00 PM, error: Schedule [7901] - The At144.job command failed to start due to the following error: %%2147942402
6/22/2010 11:00:00 PM, error: Schedule [7901] - The At120.job command failed to start due to the following error: %%2147942402
6/22/2010 10:00:01 PM, error: Schedule [7901] - The At95.job command failed to start due to the following error: %%2147942402
6/22/2010 10:00:01 PM, error: Schedule [7901] - The At71.job command failed to start due to the following error: %%2147942402
6/22/2010 10:00:01 PM, error: Schedule [7901] - The At47.job command failed to start due to the following error: %%2147942402
6/22/2010 10:00:00 PM, error: Schedule [7901] - The At191.job command failed to start due to the following error: %%2147942402
6/22/2010 10:00:00 PM, error: Schedule [7901] - The At167.job command failed to start due to the following error: %%2147942402
6/22/2010 10:00:00 PM, error: Schedule [7901] - The At143.job command failed to start due to the following error: %%2147942402
6/22/2010 10:00:00 PM, error: Schedule [7901] - The At119.job command failed to start due to the following error: %%2147942402
6/21/2010 9:54:59 AM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.

==== End Of File ===========================

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-25 08:22:21
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\fwgiafow.sys


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xB80F887E]
SSDT \??\C:\Program Files\F-Secure\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwCreateProcess [0xB81EACD6]
SSDT \??\C:\Program Files\F-Secure\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwCreateProcessEx [0xB81EACF0]
SSDT \??\C:\Program Files\F-Secure\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwCreateThread [0xB81E9E8C]
SSDT sptd.sys ZwEnumerateKey [0xB7EC5E2C]
SSDT sptd.sys ZwEnumerateValueKey [0xB7EC61BA]
SSDT \??\C:\Program Files\F-Secure\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwLoadDriver [0xB81EA1BC]
SSDT \??\C:\Program Files\F-Secure\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwMapViewOfSection [0xB81E9BCC]
SSDT sptd.sys ZwOpenKey [0xB7EC00B0]
SSDT \??\C:\Program Files\F-Secure\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwOpenSection [0xB81EA5EE]
SSDT sptd.sys ZwQueryKey [0xB7EC6292]
SSDT sptd.sys ZwQueryValueKey [0xB7EC6112]
SSDT \??\C:\Program Files\F-Secure\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwRenameKey [0xB81EB88C]
SSDT \??\C:\Program Files\F-Secure\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwSetSystemInformation [0xB81EA43E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xB80F8BFE]
SSDT \??\C:\Program Files\F-Secure\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwSuspendProcess [0xB81E9A4C]
SSDT \??\C:\Program Files\F-Secure\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwSuspendThread [0xB81E9EC0]
SSDT \??\C:\Program Files\F-Secure\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwSystemDebugControl [0xB81EA042]
SSDT \??\C:\Program Files\F-Secure\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwTerminateProcess [0xB81E99A6]
SSDT \??\C:\Program Files\F-Secure\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwTerminateThread [0xB81E9B06]
SSDT \??\C:\Program Files\F-Secure\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwWriteVirtualMemory [0xB81E9F86]

Code fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation) IoCreateDevice

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2F8C 80503D60 12 Bytes [4C, 9A, 1E, B8, C0, 9E, 1E, ...]
PAGE ntkrnlpa.exe!IoCreateDevice 8057476E 5 Bytes JMP B7D3FFFA fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB70C7360, 0x3E57A5, 0xE8000020]
.text USBPORT.SYS!DllUnload B70A862C 5 Bytes JMP 8A50C1C8

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\rundll32.exe[320] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00B9000C
.text C:\WINDOWS\system32\rundll32.exe[320] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 00B9100C
.text C:\WINDOWS\system32\rundll32.exe[320] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00B9200C
.text C:\WINDOWS\system32\rundll32.exe[320] kernel32.dll!TerminateThread 7C81CE13 5 Bytes JMP 00B9300C
.text C:\WINDOWS\system32\rundll32.exe[320] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 00B9400C
.text C:\WINDOWS\system32\rundll32.exe[320] USER32.dll!DdeConnect 7E457F93 5 Bytes JMP 00B9A00C
.text C:\WINDOWS\system32\rundll32.exe[320] ADVAPI32.dll!CloseServiceHandle 77DE5BED 5 Bytes JMP 00B9700C
.text C:\WINDOWS\system32\rundll32.exe[320] ADVAPI32.dll!OpenServiceW 77DE5F05 5 Bytes JMP 00B9500C
.text C:\WINDOWS\system32\rundll32.exe[320] ADVAPI32.dll!ControlService 77DEE055 5 Bytes JMP 00B9600C
.text C:\WINDOWS\system32\rundll32.exe[320] ADVAPI32.dll!CreateServiceW 77E37251 5 Bytes JMP 00B9800C
.text C:\WINDOWS\system32\rundll32.exe[320] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 00B9900C
.text C:\WINDOWS\Explorer.EXE[584] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00C0000C
.text C:\WINDOWS\Explorer.EXE[584] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 00C0100C
.text C:\WINDOWS\Explorer.EXE[584] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00C0200C
.text C:\WINDOWS\Explorer.EXE[584] kernel32.dll!TerminateThread 7C81CE13 5 Bytes JMP 00C0300C
.text C:\WINDOWS\Explorer.EXE[584] ADVAPI32.dll!CloseServiceHandle 77DE5BED 5 Bytes JMP 00C0700C
.text C:\WINDOWS\Explorer.EXE[584] ADVAPI32.dll!OpenServiceW 77DE5F05 5 Bytes JMP 00C0500C
.text C:\WINDOWS\Explorer.EXE[584] ADVAPI32.dll!ControlService 77DEE055 5 Bytes JMP 00C0600C
.text C:\WINDOWS\Explorer.EXE[584] ADVAPI32.dll!CreateServiceW 77E37251 5 Bytes JMP 00C0800C
.text C:\WINDOWS\Explorer.EXE[584] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 00C0400C
.text C:\WINDOWS\Explorer.EXE[584] USER32.dll!DdeConnect 7E457F93 5 Bytes JMP 00C0A00C
.text C:\WINDOWS\Explorer.EXE[584] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 00C0900C
.text C:\WINDOWS\RTHDCPL.EXE[932] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 05A4000C
.text C:\WINDOWS\RTHDCPL.EXE[932] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 05A4100C
.text C:\WINDOWS\RTHDCPL.EXE[932] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 05A4200C
.text C:\WINDOWS\RTHDCPL.EXE[932] kernel32.dll!TerminateThread 7C81CE13 5 Bytes JMP 05A4300C
.text C:\WINDOWS\RTHDCPL.EXE[932] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 05A4400C
.text C:\WINDOWS\RTHDCPL.EXE[932] USER32.dll!DdeConnect 7E457F93 5 Bytes JMP 05A4A00C
.text C:\WINDOWS\RTHDCPL.EXE[932] ADVAPI32.dll!CloseServiceHandle 77DE5BED 5 Bytes JMP 05A4700C
.text C:\WINDOWS\RTHDCPL.EXE[932] ADVAPI32.dll!OpenServiceW 77DE5F05 5 Bytes JMP 05A4500C
.text C:\WINDOWS\RTHDCPL.EXE[932] ADVAPI32.dll!ControlService 77DEE055 5 Bytes JMP 05A4600C
.text C:\WINDOWS\RTHDCPL.EXE[932] ADVAPI32.dll!CreateServiceW 77E37251 5 Bytes JMP 05A4800C
.text C:\WINDOWS\RTHDCPL.EXE[932] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 05A4900C
.text C:\WINDOWS\system32\RUNDLL32.EXE[968] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 009E000C
.text C:\WINDOWS\system32\RUNDLL32.EXE[968] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 009E100C
.text C:\WINDOWS\system32\RUNDLL32.EXE[968] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 009E200C
.text C:\WINDOWS\system32\RUNDLL32.EXE[968] kernel32.dll!TerminateThread 7C81CE13 5 Bytes JMP 009E300C
.text C:\WINDOWS\system32\RUNDLL32.EXE[968] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 009E400C
.text C:\WINDOWS\system32\RUNDLL32.EXE[968] USER32.dll!DdeConnect 7E457F93 5 Bytes JMP 009EA00C
.text C:\WINDOWS\system32\RUNDLL32.EXE[968] ADVAPI32.dll!CloseServiceHandle 77DE5BED 5 Bytes JMP 009E700C
.text C:\WINDOWS\system32\RUNDLL32.EXE[968] ADVAPI32.dll!OpenServiceW 77DE5F05 5 Bytes JMP 009E500C
.text C:\WINDOWS\system32\RUNDLL32.EXE[968] ADVAPI32.dll!ControlService 77DEE055 5 Bytes JMP 009E600C
.text C:\WINDOWS\system32\RUNDLL32.EXE[968] ADVAPI32.dll!CreateServiceW 77E37251 5 Bytes JMP 009E800C
.text C:\WINDOWS\system32\RUNDLL32.EXE[968] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 009E900C
.text C:\program files\steam\steam.exe[1028] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0241000C
.text C:\program files\steam\steam.exe[1028] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 0241100C
.text C:\program files\steam\steam.exe[1028] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 0241200C
.text C:\program files\steam\steam.exe[1028] kernel32.dll!TerminateThread 7C81CE13 5 Bytes JMP 0241300C
.text C:\program files\steam\steam.exe[1028] ADVAPI32.dll!CloseServiceHandle 77DE5BED 5 Bytes JMP 0241700C
.text C:\program files\steam\steam.exe[1028] ADVAPI32.dll!OpenServiceW 77DE5F05 5 Bytes JMP 0241500C
.text C:\program files\steam\steam.exe[1028] ADVAPI32.dll!ControlService 77DEE055 5 Bytes JMP 0241600C
.text C:\program files\steam\steam.exe[1028] ADVAPI32.dll!CreateServiceW 77E37251 5 Bytes JMP 0241800C
.text C:\program files\steam\steam.exe[1028] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 0241400C
.text C:\program files\steam\steam.exe[1028] USER32.dll!DdeConnect 7E457F93 5 Bytes JMP 0241A00C
.text C:\program files\steam\steam.exe[1028] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 0241900C
.text C:\WINDOWS\system32\winlogon.exe[1048] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 013F000C
.text C:\WINDOWS\system32\winlogon.exe[1048] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 013F100C
.text C:\WINDOWS\system32\winlogon.exe[1048] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 013F200C
.text C:\WINDOWS\system32\winlogon.exe[1048] kernel32.dll!TerminateThread 7C81CE13 5 Bytes JMP 013F300C
.text C:\WINDOWS\system32\winlogon.exe[1048] ADVAPI32.dll!CloseServiceHandle 77DE5BED 5 Bytes JMP 013F700C
.text C:\WINDOWS\system32\winlogon.exe[1048] ADVAPI32.dll!OpenServiceW 77DE5F05 5 Bytes JMP 013F500C
.text C:\WINDOWS\system32\winlogon.exe[1048] ADVAPI32.dll!ControlService 77DEE055 5 Bytes JMP 013F600C
.text C:\WINDOWS\system32\winlogon.exe[1048] ADVAPI32.dll!CreateServiceW 77E37251 5 Bytes JMP 013F800C
.text C:\WINDOWS\system32\winlogon.exe[1048] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 013F400C
.text C:\WINDOWS\system32\winlogon.exe[1048] USER32.dll!DdeConnect 7E457F93 5 Bytes JMP 013FA00C
.text C:\WINDOWS\system32\winlogon.exe[1048] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 013F900C
.text C:\WINDOWS\system32\lsass.exe[1104] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 01FD000C
.text C:\WINDOWS\system32\lsass.exe[1104] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 01FD100C
.text C:\WINDOWS\system32\lsass.exe[1104] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 01FD200C
.text C:\WINDOWS\system32\lsass.exe[1104] kernel32.dll!TerminateThread 7C81CE13 5 Bytes JMP 01FD300C
.text C:\WINDOWS\system32\lsass.exe[1104] ADVAPI32.dll!CloseServiceHandle 77DE5BED 5 Bytes JMP 01FD700C
.text C:\WINDOWS\system32\lsass.exe[1104] ADVAPI32.dll!OpenServiceW 77DE5F05 5 Bytes JMP 01FD500C
.text C:\WINDOWS\system32\lsass.exe[1104] ADVAPI32.dll!ControlService 77DEE055 5 Bytes JMP 01FD600C
.text C:\WINDOWS\system32\lsass.exe[1104] ADVAPI32.dll!CreateServiceW 77E37251 5 Bytes JMP 01FD800C
.text C:\WINDOWS\system32\lsass.exe[1104] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 01FD400C
.text C:\WINDOWS\system32\lsass.exe[1104] USER32.dll!DdeConnect 7E457F93 5 Bytes JMP 01FDA00C
.text C:\WINDOWS\system32\lsass.exe[1104] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 01FD900C
.text C:\WINDOWS\system32\PnkBstrA.exe[1240] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0069000C
.text C:\WINDOWS\system32\PnkBstrA.exe[1240] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 0069100C
.text C:\WINDOWS\system32\PnkBstrA.exe[1240] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 0069200C
.text C:\WINDOWS\system32\PnkBstrA.exe[1240] kernel32.dll!TerminateThread 7C81CE13 5 Bytes JMP 0069300C
.text C:\WINDOWS\system32\PnkBstrA.exe[1240] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 0069400C
.text C:\WINDOWS\system32\PnkBstrA.exe[1240] USER32.dll!DdeConnect 7E457F93 5 Bytes JMP 0069900C
.text C:\WINDOWS\system32\PnkBstrA.exe[1240] ADVAPI32.dll!CloseServiceHandle 77DE5BED 5 Bytes JMP 0069700C
.text C:\WINDOWS\system32\PnkBstrA.exe[1240] ADVAPI32.dll!OpenServiceW 77DE5F05 5 Bytes JMP 0069500C
.text C:\WINDOWS\system32\PnkBstrA.exe[1240] ADVAPI32.dll!ControlService 77DEE055 5 Bytes JMP 0069600C
.text C:\WINDOWS\system32\PnkBstrA.exe[1240] ADVAPI32.dll!CreateServiceW 77E37251 5 Bytes JMP 0069800C
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[1244] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 02B1000C
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[1244] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 02B1100C
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[1244] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 02B1200C
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[1244] kernel32.dll!TerminateThread 7C81CE13 5 Bytes JMP 02B1300C
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[1244] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 02B1400C
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[1244] USER32.dll!DdeConnect 7E457F93 5 Bytes JMP 02B1A00C
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[1244] ADVAPI32.dll!CloseServiceHandle 77DE5BED 5 Bytes JMP 02B1700C
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[1244] ADVAPI32.dll!OpenServiceW 77DE5F05 5 Bytes JMP 02B1500C
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[1244] ADVAPI32.dll!ControlService 77DEE055 5 Bytes JMP 02B1600C
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[1244] ADVAPI32.dll!CreateServiceW 77E37251 5 Bytes JMP 02B1800C
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[1244] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 02B1900C
.text C:\WINDOWS\system32\nvsvc32.exe[1292] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 008C000C
.text C:\WINDOWS\system32\nvsvc32.exe[1292] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 008C100C
.text C:\WINDOWS\system32\nvsvc32.exe[1292] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 008C200C
.text C:\WINDOWS\system32\nvsvc32.exe[1292] kernel32.dll!TerminateThread 7C81CE13 5 Bytes JMP 008C300C
.text C:\WINDOWS\system32\nvsvc32.exe[1292] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 008C400C
.text C:\WINDOWS\system32\nvsvc32.exe[1292] USER32.dll!DdeConnect 7E457F93 5 Bytes JMP 008CA00C
.text C:\WINDOWS\system32\nvsvc32.exe[1292] ADVAPI32.dll!CloseServiceHandle 77DE5BED 5 Bytes JMP 008C700C
.text C:\WINDOWS\system32\nvsvc32.exe[1292] ADVAPI32.dll!OpenServiceW 77DE5F05 5 Bytes JMP 008C500C
.text C:\WINDOWS\system32\nvsvc32.exe[1292] ADVAPI32.dll!ControlService 77DEE055 5 Bytes JMP 008C600C
.text C:\WINDOWS\system32\nvsvc32.exe[1292] ADVAPI32.dll!CreateServiceW 77E37251 5 Bytes JMP 008C800C
.text C:\WINDOWS\system32\nvsvc32.exe[1292] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 008C900C
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[1808] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 03F3000C
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[1808] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 03F3100C
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[1808] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 03F3200C
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[1808] kernel32.dll!TerminateThread 7C81CE13 5 Bytes JMP 03F3300C
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[1808] ADVAPI32.dll!CloseServiceHandle 77DE5BED 5 Bytes JMP 03F3700C
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[1808] ADVAPI32.dll!OpenServiceW 77DE5F05 5 Bytes JMP 03F3500C
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[1808] ADVAPI32.dll!ControlService 77DEE055 5 Bytes JMP 03F3600C
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[1808] ADVAPI32.dll!CreateServiceW 77E37251 5 Bytes JMP 03F3800C
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[1808] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 03F3400C
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[1808] USER32.dll!DdeConnect 7E457F93 5 Bytes JMP 03F3A00C
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[1808] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 03F3900C
.text C:\Program Files\Common Files\Real\Update_OB\realsched .exe[2156] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 003F000C
.text C:\Program Files\Common Files\Real\Update_OB\realsched .exe[2156] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 003F100C
.text C:\Program Files\Common Files\Real\Update_OB\realsched .exe[2156] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 003F200C
.text C:\Program Files\Common Files\Real\Update_OB\realsched .exe[2156] kernel32.dll!TerminateThread 7C81CE13 5 Bytes JMP 003F300C
.text C:\Program Files\Common Files\Real\Update_OB\realsched .exe[2156] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 003F900C
.text C:\Program Files\Common Files\Real\Update_OB\realsched .exe[2156] ADVAPI32.dll!CloseServiceHandle 77DE5BED 5 Bytes JMP 003F700C
.text C:\Program Files\Common Files\Real\Update_OB\realsched .exe[2156] ADVAPI32.dll!OpenServiceW 77DE5F05 5 Bytes JMP 003F500C
.text C:\Program Files\Common Files\Real\Update_OB\realsched .exe[2156] ADVAPI32.dll!ControlService 77DEE055 5 Bytes JMP 003F600C
.text C:\Program Files\Common Files\Real\Update_OB\realsched .exe[2156] ADVAPI32.dll!CreateServiceW 77E37251 5 Bytes JMP 003F800C
.text C:\Program Files\Common Files\Real\Update_OB\realsched .exe[2156] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 003F400C
.text C:\Program Files\Common Files\Real\Update_OB\realsched .exe[2156] USER32.dll!DdeConnect 7E457F93 5 Bytes JMP 003FA00C
.text C:\Program Files\Intel\NCS\PROSet\PRONoMgr .exe[2184] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00CD000C
.text C:\Program Files\Intel\NCS\PROSet\PRONoMgr .exe[2184] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 00CD100C
.text C:\Program Files\Intel\NCS\PROSet\PRONoMgr .exe[2184] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00CD200C
.text C:\Program Files\Intel\NCS\PROSet\PRONoMgr .exe[2184] kernel32.dll!TerminateThread 7C81CE13 5 Bytes JMP 00CD300C
.text C:\Program Files\Intel\NCS\PROSet\PRONoMgr .exe[2184] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 00CD400C
.text C:\Program Files\Intel\NCS\PROSet\PRONoMgr .exe[2184] USER32.dll!DdeConnect 7E457F93 5 Bytes JMP 00CDA00C
.text C:\Program Files\Intel\NCS\PROSet\PRONoMgr .exe[2184] ADVAPI32.dll!CloseServiceHandle 77DE5BED 5 Bytes JMP 00CD700C
.text C:\Program Files\Intel\NCS\PROSet\PRONoMgr .exe[2184] ADVAPI32.dll!OpenServiceW 77DE5F05 5 Bytes JMP 00CD500C
.text C:\Program Files\Intel\NCS\PROSet\PRONoMgr .exe[2184] ADVAPI32.dll!ControlService 77DEE055 5 Bytes JMP 00CD600C
.text C:\Program Files\Intel\NCS\PROSet\PRONoMgr .exe[2184] ADVAPI32.dll!CreateServiceW 77E37251 5 Bytes JMP 00CD800C
.text C:\Program Files\Intel\NCS\PROSet\PRONoMgr .exe[2184] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 00CD900C
.text C:\WINDOWS\system32\wuauclt.exe[2612] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00A7000C
.text C:\WINDOWS\system32\wuauclt.exe[2612] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 00A7100C
.text C:\WINDOWS\system32\wuauclt.exe[2612] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00A7200C
.text C:\WINDOWS\system32\wuauclt.exe[2612] kernel32.dll!TerminateThread 7C81CE13 5 Bytes JMP 00A7300C
.text C:\WINDOWS\system32\wuauclt.exe[2612] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 00A7900C
.text C:\WINDOWS\system32\wuauclt.exe[2612] ADVAPI32.dll!CloseServiceHandle 77DE5BED 5 Bytes JMP 00A7700C
.text C:\WINDOWS\system32\wuauclt.exe[2612] ADVAPI32.dll!OpenServiceW 77DE5F05 5 Bytes JMP 00A7500C
.text C:\WINDOWS\system32\wuauclt.exe[2612] ADVAPI32.dll!ControlService 77DEE055 5 Bytes JMP 00A7600C
.text C:\WINDOWS\system32\wuauclt.exe[2612] ADVAPI32.dll!CreateServiceW 77E37251 5 Bytes JMP 00A7800C
.text C:\WINDOWS\system32\wuauclt.exe[2612] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 00A7400C
.text C:\WINDOWS\system32\wuauclt.exe[2612] USER32.dll!DdeConnect 7E457F93 5 Bytes JMP 00A7A00C
.text C:\WINDOWS\system32\wbem\unsecapp.exe[3196] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00DC000C
.text C:\WINDOWS\system32\wbem\unsecapp.exe[3196] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 00DC100C
.text C:\WINDOWS\system32\wbem\unsecapp.exe[3196] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00DC200C
.text C:\WINDOWS\system32\wbem\unsecapp.exe[3196] kernel32.dll!TerminateThread 7C81CE13 5 Bytes JMP 00DC300C
.text C:\WINDOWS\system32\wbem\unsecapp.exe[3196] ADVAPI32.dll!CloseServiceHandle 77DE5BED 5 Bytes JMP 00DC700C
.text C:\WINDOWS\system32\wbem\unsecapp.exe[3196] ADVAPI32.dll!OpenServiceW 77DE5F05 5 Bytes JMP 00DC500C
.text C:\WINDOWS\system32\wbem\unsecapp.exe[3196] ADVAPI32.dll!ControlService 77DEE055 5 Bytes JMP 00DC600C
.text C:\WINDOWS\system32\wbem\unsecapp.exe[3196] ADVAPI32.dll!CreateServiceW 77E37251 5 Bytes JMP 00DC800C
.text C:\WINDOWS\system32\wbem\unsecapp.exe[3196] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 00DC400C
.text C:\WINDOWS\system32\wbem\unsecapp.exe[3196] USER32.dll!DdeConnect 7E457F93 5 Bytes JMP 00DCA00C
.text C:\WINDOWS\system32\wbem\unsecapp.exe[3196] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 00DC900C
.text C:\WINDOWS\System32\alg.exe[3688] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0086000C
.text C:\WINDOWS\System32\alg.exe[3688] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 0086100C
.text C:\WINDOWS\System32\alg.exe[3688] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 0086200C
.text C:\WINDOWS\System32\alg.exe[3688] kernel32.dll!TerminateThread 7C81CE13 5 Bytes JMP 0086300C
.text C:\WINDOWS\System32\alg.exe[3688] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 0086400C
.text C:\WINDOWS\System32\alg.exe[3688] USER32.dll!DdeConnect 7E457F93 5 Bytes JMP 0086A00C
.text C:\WINDOWS\System32\alg.exe[3688] ADVAPI32.dll!CloseServiceHandle 77DE5BED 5 Bytes JMP 0086700C
.text C:\WINDOWS\System32\alg.exe[3688] ADVAPI32.dll!OpenServiceW 77DE5F05 5 Bytes JMP 0086500C
.text C:\WINDOWS\System32\alg.exe[3688] ADVAPI32.dll!ControlService 77DEE055 5 Bytes JMP 0086600C
.text C:\WINDOWS\System32\alg.exe[3688] ADVAPI32.dll!CreateServiceW 77E37251 5 Bytes JMP 0086800C
.text C:\WINDOWS\System32\alg.exe[3688] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 0086900C
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3804] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 007D000C
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3804] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 007D100C
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3804] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 007D200C
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3804] kernel32.dll!TerminateThread 7C81CE13 5 Bytes JMP 007D300C
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3804] ADVAPI32.dll!CloseServiceHandle 77DE5BED 5 Bytes JMP 007D700C
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3804] ADVAPI32.dll!OpenServiceW 77DE5F05 5 Bytes JMP 007D500C
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3804] ADVAPI32.dll!ControlService 77DEE055 5 Bytes JMP 007D600C
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3804] ADVAPI32.dll!CreateServiceW 77E37251 5 Bytes JMP 007D800C
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3804] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 007D400C
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3804] USER32.dll!DdeConnect 7E457F93 5 Bytes JMP 007DA00C
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3804] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 007D900C

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8A7011E8
Device \FileSystem\Fastfat \FatCdrom 89F631E8
Device \Driver\Tcpip \Device\Ip fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
Device \Driver\usbuhci \Device\USBPDO-0 8A4FE1E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A6931E8
Device \Driver\dmio \Device\DmControl\DmConfig 8A6931E8
Device \Driver\dmio \Device\DmControl\DmPnP 8A6931E8
Device \Driver\dmio \Device\DmControl\DmInfo 8A6931E8
Device \Driver\usbuhci \Device\USBPDO-1 8A4FE1E8
Device \Driver\usbuhci \Device\USBPDO-2 8A4FE1E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{A665FE68-C676-4FAB-8A1E-32DCFA06421A} 89E13498
Device \Driver\usbehci \Device\USBPDO-3 8A4691E8
Device \Driver\usbuhci \Device\USBPDO-4 8A4FE1E8
Device \Driver\Tcpip \Device\Tcp fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)

AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)

Device \Driver\usbuhci \Device\USBPDO-5 8A4FE1E8
Device \Driver\usbuhci \Device\USBPDO-6 8A4FE1E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 8A7031E8
Device \Driver\usbehci \Device\USBPDO-7 8A4691E8
Device \Driver\Cdrom \Device\CdRom0 8A451420
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 8A7021E8
Device \Driver\atapi \Device\Ide\IdePort0 8A7021E8
Device \Driver\atapi \Device\Ide\IdePort1 8A7021E8
Device \Driver\atapi \Device\Ide\IdePort2 8A7021E8
Device \Driver\atapi \Device\Ide\IdePort3 8A7021E8
Device \Driver\atapi \Device\Ide\IdePort4 8A7021E8
Device \Driver\atapi \Device\Ide\IdePort5 8A7021E8
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-16 8A7021E8
Device \Driver\NetBT \Device\NetBt_Wins_Export 89E13498
Device \Driver\NetBT \Device\NetbiosSmb 89E13498
Device \Driver\Tcpip \Device\Udp fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
Device \Driver\Tcpip \Device\RawIp fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
Device \Driver\usbuhci \Device\USBFDO-0 8A4FE1E8
Device \Driver\usbuhci \Device\USBFDO-1 8A4FE1E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 89E3F5E8
Device \Driver\Tcpip \Device\IPMULTICAST fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
Device \Driver\usbuhci \Device\USBFDO-2 8A4FE1E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 89E3F5E8
Device \Driver\usbehci \Device\USBFDO-3 8A4691E8
Device \Driver\usbuhci \Device\USBFDO-4 8A4FE1E8
Device \Driver\Ftdisk \Device\FtControl 8A7031E8
Device \Driver\usbuhci \Device\USBFDO-5 8A4FE1E8
Device \Driver\usbuhci \Device\USBFDO-6 8A4FE1E8
Device \Driver\usbehci \Device\USBFDO-7 8A4691E8
Device \FileSystem\Fastfat \Fat 89F631E8

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs 89DCB7A0

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xB1 0xFB 0xF5 0x5B ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x46 0x2F 0x72 0xD2 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@d0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x64 0x53 0x19 0xF6 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xB1 0xFB 0xF5 0x5B ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x46 0x2F 0x72 0xD2 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@d0 1
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x64 0x53 0x19 0xF6 ...

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 61: malicious code @ sector 0x3a380d80 size 0x1fd
Disk \Device\Harddisk0\DR0 sector 62: copy of MBR

---- EOF - GMER 1.0.15 ----



Edited by Dunecat, 25 June 2010 - 10:48 AM.




#2 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 25 June 2010 - 06:15 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  1. Do not run any other tool until instructed to do so!
  2. Do not Attach logs unless I ask you to.
  3. Tell me about any problems that have occurred during the fix.
  4. Tell me of any other symptoms you may be having as these can help also.
  5. Do not run anything while running a fix.
  6. Do not run any other tool until instructed to do so!


In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Note: If you are having problems posting the complete log into this thread, upload them here: http://www.rapidshare.com/ and post the links in this thread.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.


:run combofix:
    Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Please ensure you read this guide carefully and install the Recovery Console first.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
    This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
    It is a simple procedure that will only take a few moments of your time.


    Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    Please continue as follows:
    • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Click Yes to allow ComboFix to continue scanning for malware.

    When the tool is finished, it will produce a report for you.

    Please include the report in your next post:

    C:\ComboFix.txt

"information and logs"
    In your next post I need the following
    1. Log From Combofix
    2. let me know of any problems you may have had
    3. How is the computer doing now?

Gringo


I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 Dunecat (Topic Starter)

Posted 26 June 2010 - 11:40 AM

Hi Gringo.


I ran ComboFix; it blue-screened on me a couple of times, but it did eventually complete and run all the way through. So far so good. It has sometimes taken several hours for the infected files to repopulate with this; there isn't really any rhyme or reason to it. I will give it a few hours and report back. In the meantime, here is the ComboFix log.

ComboFix 10-06-25.04 - Michael Gates 06/26/2010 9:15.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3326.2836 [GMT -7:00]
Running from: c:\documents and settings\Michael Gates\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\4wE7q447.exe
c:\documents and settings\LocalService\Application Data\Street-Ads
c:\documents and settings\Michael Gates\Favorites\Download programs.url
c:\documents and settings\Michael Gates\Favorites\Games.url
c:\documents and settings\Michael Gates\Favorites\Translator.url
c:\documents and settings\Michael Gates\Favorites\Videos.url
c:\documents and settings\Michael Gates\Recent\Thumbs.db
c:\documents and settings\Michael Gates\Start Menu\Programs\Download programs.url
c:\documents and settings\Michael Gates\Start Menu\Programs\Games.url
c:\documents and settings\Michael Gates\Start Menu\Programs\Translator.url
c:\documents and settings\Michael Gates\Start Menu\Programs\Videos.url
C:\Install.exe
c:\program files\Common Files\Real\Update_OB\realsched.exe
c:\program files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Thumbs.db
c:\windows\system32\ctvisio.dll
c:\windows\system32\ernel32.dll
c:\windows\system32\spool\prtprocs\w32x86\55yW5.dll
c:\windows\system32\spool\prtprocs\w32x86\EIQ9317m.dll
c:\windows\Tasks\At100.job
c:\windows\Tasks\At101.job
c:\windows\Tasks\At103.job

c:\program files\Common Files\Real\Update_OB\realsched .exe ---^> c:\program files\Common Files\Real\Update_OB\realsched.exe
c:\program files\Intel\NCS\PROSet\PRONoMgr .exe ---^> c:\program files\Intel\NCS\PROSet\PRONoMgr.exe

.
Infected copy of c:\windows\system32\autoconv.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\autoconv.exe

.
((((((((((((((((((((((((( Files Created from 2010-05-26 to 2010-06-26 )))))))))))))))))))))))))))))))
.

2010-06-25 03:08 . 2006-11-30 15:56 74371580 ----a-w- C:\metfatigue.zip
2010-06-25 03:06 . 2010-06-25 03:23 -------- d-----w- C:\metfatigue
2010-06-24 19:57 . 2010-06-24 19:30 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-06-24 19:31 . 2010-06-24 19:31 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-06-24 19:30 . 2010-06-24 19:30 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-06-24 19:30 . 2010-06-24 19:30 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-06-24 19:26 . 2010-06-24 19:26 -------- d-----w- c:\documents and settings\Michael Gates\Local Settings\Application Data\Temp
2010-06-24 19:26 . 2010-06-24 19:26 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-06-24 19:26 . 2010-06-24 19:27 -------- d-----w- c:\program files\Google
2010-06-24 19:26 . 2010-06-24 19:26 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-06-24 19:26 . 2010-02-04 15:53 2954656 -c--a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-06-24 19:25 . 2010-06-24 19:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-06-24 19:25 . 2010-06-24 19:26 -------- d-----w- c:\program files\Lavasoft
2010-06-24 16:53 . 2010-06-24 19:32 -------- d-----w- c:\documents and settings\Michael Gates\Local Settings\Application Data\Google
2010-06-24 16:53 . 2010-04-08 09:50 1496064 ----a-w- c:\documents and settings\Michael Gates\Application Data\Mozilla\Firefox\Profiles\7bnyokmm.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-06-24 16:53 . 2010-04-08 09:50 43008 ----a-w- c:\documents and settings\Michael Gates\Application Data\Mozilla\Firefox\Profiles\7bnyokmm.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-06-24 16:53 . 2010-04-08 09:50 338944 ----a-w- c:\documents and settings\Michael Gates\Application Data\Mozilla\Firefox\Profiles\7bnyokmm.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-06-24 16:53 . 2010-04-08 09:50 346112 ----a-w- c:\documents and settings\Michael Gates\Application Data\Mozilla\Firefox\Profiles\7bnyokmm.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-06-24 15:37 . 2010-06-26 16:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-06-24 15:37 . 2010-06-26 16:06 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-06-23 02:41 . 2010-06-23 02:41 -------- d-----w- c:\documents and settings\Michael Gates\Application Data\F-Secure
2010-06-23 00:30 . 2010-06-23 00:30 363520 ----a-w- C:\rkill.com
2010-06-23 00:28 . 2010-06-23 00:28 50176 ----a-w- c:\documents and settings\Administrator\Application Data\b757f5e4.exe
2010-06-23 00:28 . 2010-06-23 00:28 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-06-22 17:02 . 2010-06-22 17:02 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-06-22 13:54 . 2010-06-22 13:54 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Yahoo!
2010-06-07 05:36 . 2009-05-07 07:04 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-06-06 22:37 . 2010-06-06 22:37 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\F-Secure
2010-06-06 22:35 . 2010-06-26 16:12 -------- d-----w- c:\program files\F-Secure
2010-06-06 22:32 . 2010-06-06 22:32 -------- d-----w- c:\documents and settings\LocalService\Application Data\Yahoo!
2010-06-06 22:32 . 2010-06-06 22:32 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\AskToolbar
2010-06-06 22:16 . 2010-06-06 22:16 -------- d-----w- c:\documents and settings\All Users\Application Data\fssg
2010-06-06 22:14 . 2010-06-26 16:07 -------- d-----w- c:\documents and settings\All Users\Application Data\f-secure
2010-06-06 15:42 . 2010-06-06 15:42 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Identities
2010-06-04 22:25 . 2010-06-04 22:25 -------- d-----w- C:\ProcessExplorer
2010-06-03 20:36 . 2010-06-24 15:40 -------- d-----w- c:\program files\Spyware Doctor
2010-06-03 20:35 . 2010-06-24 15:38 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-06-03 16:37 . 2010-06-02 18:01 76040 ----a-w- c:\documents and settings\All Users\Application Data\Avg8\update\backup\avgtdix.sys
2010-06-03 16:37 . 2010-06-02 18:01 10520 ----a-w- c:\documents and settings\All Users\Application Data\Avg8\update\backup\avgrsstx.dll
2010-06-03 16:37 . 2010-06-02 18:01 97928 ----a-w- c:\documents and settings\All Users\Application Data\Avg8\update\backup\avgldx86.sys
2010-06-03 16:37 . 2010-06-02 18:01 26824 ----a-w- c:\documents and settings\All Users\Application Data\Avg8\update\backup\avgmfx86.sys
2010-06-03 16:37 . 2010-06-02 18:01 287000 ----a-w- c:\documents and settings\All Users\Application Data\Avg8\update\backup\avgrsx.exe
2010-06-03 16:36 . 2010-06-02 18:01 443672 ----a-w- c:\documents and settings\All Users\Application Data\Avg8\update\backup\avgiproxy.exe
2010-06-03 16:36 . 2010-06-02 18:01 641304 ----a-w- c:\documents and settings\All Users\Application Data\Avg8\update\backup\avgupd.exe
2010-06-03 16:36 . 2010-06-02 18:01 1082624 ----a-w- c:\documents and settings\All Users\Application Data\Avg8\update\backup\avgupd.dll
2010-06-03 16:36 . 2010-06-02 18:01 583960 ----a-w- c:\documents and settings\All Users\Application Data\Avg8\update\backup\avginet.dll
2010-06-02 20:27 . 2010-06-02 20:27 10752 ----a-w- c:\windows\DCEBoot.exe
2010-06-02 18:04 . 2010-06-06 19:16 -------- d-----w- C:\$AVG8.VAULT$
2010-06-02 15:30 . 2009-06-30 16:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-06-02 15:30 . 2010-06-02 15:30 -------- d-----w- c:\program files\Panda Security
2010-06-02 15:18 . 2010-06-02 15:18 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee
2010-06-02 15:09 . 2010-06-02 15:09 1870688 ----a-w- C:\HousecallLauncher.exe
2010-06-02 02:42 . 2010-06-02 02:42 85504 --sha-r- c:\windows\system32\mf3216C.dll
2010-06-02 02:41 . 2010-06-02 02:41 -------- d-----w- c:\documents and settings\Michael Gates\Application Data\EA395D4F762F58DDE91F5E52333F7B2E

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-26 16:25 . 2009-02-14 01:15 -------- d-----w- c:\program files\Steam
2010-06-26 16:14 . 2010-06-24 20:29 112 ----a-w- c:\documents and settings\All Users\Application Data\HM3R6PI.dat
2010-06-24 10:27 . 2010-05-14 04:28 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-23 05:23 . 2008-05-25 15:17 -------- d-----w- c:\program files\City of Heroes
2010-06-23 00:11 . 2010-02-26 03:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-19 22:11 . 2009-05-24 04:37 63 ---h--w- c:\windows\popcreg.dat
2010-06-19 22:11 . 2009-05-24 03:34 25 ----a-w- c:\windows\popcinfot.dat
2010-06-06 22:32 . 2008-11-17 22:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Avg8
2010-06-05 23:32 . 2010-03-10 16:42 439816 ----a-w- c:\documents and settings\Michael Gates\Application Data\Real\Update\setup3.10\setup.exe
2010-06-02 15:18 . 2010-05-09 20:11 -------- d-----w- c:\program files\McAfee Security Scan
2010-05-17 23:26 . 2009-01-30 22:26 -------- d-----w- c:\documents and settings\Michael Gates\Application Data\webex
2010-05-09 20:11 . 2010-05-09 20:11 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-05-09 20:11 . 2010-05-09 20:11 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
2010-05-09 20:11 . 2008-11-13 19:14 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-05-07 21:30 . 2008-11-13 19:14 -------- d-----w- c:\program files\NOS
2010-05-04 17:20 . 2007-07-27 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20 . 2007-07-27 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20 . 2007-07-27 12:00 17408 ------w- c:\windows\system32\corpol.dll
2010-05-02 05:56 . 2007-07-27 12:00 1850880 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 22:39 . 2010-02-26 03:23 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 22:39 . 2010-02-26 03:23 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-20 05:51 . 2007-07-27 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-09 16:01 . 2010-04-06 03:29 139456 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-04-09 16:01 . 2010-04-06 03:29 190160 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-04-06 03:29 . 2010-04-06 03:29 138056 ----a-w- c:\documents and settings\Michael Gates\Application Data\PnkBstrK.sys
2010-04-06 03:29 . 2010-04-06 03:29 138056 ----a-w- c:\documents and settings\Michael Gates\Application Data\PnkBstrK.sys
2010-04-06 03:29 . 2010-04-06 03:29 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-04-06 03:29 . 2010-04-06 03:29 2407792 ----a-w- c:\windows\system32\pbsvc_heroes.exe
2010-03-31 07:16 . 2010-03-31 07:16 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-03-31 07:10 . 2010-03-31 07:10 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2010-03-29 15:53 . 2010-05-07 21:29 32576 ----a-w- c:\documents and settings\Michael Gates\Application Data\Mozilla\Firefox\Profiles\7bnyokmm.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2010-03-29 15:53 . 2010-05-07 21:29 29984 ----a-w- c:\documents and settings\Michael Gates\Application Data\Mozilla\Firefox\Profiles\7bnyokmm.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
2010-05-13 16:09 . 2009-01-30 22:26 28472 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2010-05-13 16:09 . 2009-01-30 22:26 185224 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2010-05-13 16:09 . 2009-01-30 22:26 46392 ----a-w- c:\program files\mozilla firefox\plugins\atmccli.dll
2009-01-30 22:26 . 2009-01-30 22:26 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-01-09 4363504]
"Steam"="c:\program files\steam\steam.exe" [2010-05-07 1238352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-03-11 86016]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-08-24 185896]
"RTHDCPL"="RTHDCPL.EXE" [2007-09-19 16844800]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-09-28 13918208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-09-28 86016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10e.exe" [2010-01-27 256280]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-17 03:35 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\LucasArts\\Star Wars Empire at War\\GameData\\sweaw.exe"=
"c:\\Program Files\\LucasArts\\Star Wars Empire at War Forces of Corruption\\swfoc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Electronic Arts\\The Battle for Middle-earth ™ II\\game.dat"=
"c:\\Program Files\\Electronic Arts\\The Lord of the Rings, The Rise of the Witch-king\\game.dat"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\fear2\\FEAR2.exe"=
"c:\\Program Files\\EA Games\\The Battle for Middle-earth ™\\game.dat"=
"c:\\Program Files\\EA Games\\Medal of Honor Pacific Assault™\\mohpa.exe"=
"c:\\Program Files\\THQ\\Company of Heroes\\RelicDownloader\\RelicDownloader.exe"=
"c:\\Program Files\\Paradox Interactive\\East India Company Demo\\eastindia.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\rome total war gold\\RomeTW.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\rome total war gold\\RomeTW-BI.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\empire total war\\Empire.exe"=
"c:\\Program Files\\Eidos\\Batman Arkham Asylum\\Binaries\\ShippingPC-BmGame.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\dawn of war 2\\DOW2.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\napoleon total war\\Napoleon.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\left 4 dead 2\\left4dead2.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [6/24/2010 12:30 PM 64288]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [6/2/2010 8:30 AM 28552]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 8:52 AM 1352832]
R3 N100;Compaq Ethernet or Fast Ethernet NIC Driver;c:\windows\system32\drivers\n100325.sys [5/24/2008 12:11 PM 128000]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/24/2010 12:26 PM 135664]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [5/10/2009 3:01 PM 1684736]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 5:49 AM 227232]
S3 RTL8192su;%RTL8192su.DeviceDesc.DispName%;c:\windows\system32\drivers\RTL8192su.sys [2/21/2010 2:03 PM 588032]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [7/16/2008 7:26 PM 682232]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-06-26 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 19:30]

2010-06-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-24 19:26]

2010-06-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-24 19:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://sportsillustrated.cnn.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ptec/defaults/su/*http://www.yahoo.com
TCP: {A665FE68-C676-4FAB-8A1E-32DCFA06421A} = 4.2.2.2
DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} - hxxps://www.battlefieldheroes.com/static/updater/BFHUpdater_4.0.53.0.cab
FF - ProfilePath - c:\documents and settings\Michael Gates\Application Data\Mozilla\Firefox\Profiles\7bnyokmm.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-msgr&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.search.selectedengine - Search the Web
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=en&q=
FF - component: c:\documents and settings\Michael Gates\Application Data\Mozilla\Firefox\Profiles\7bnyokmm.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\documents and settings\Michael Gates\Application Data\Mozilla\Firefox\Profiles\7bnyokmm.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-MsnMsgr - c:\program files\Windows Live\Messenger\MsnMsgr.Exe
AddRemove-NVIDIA nView Desktop Manager - c:\program files\NVIDIA Corporation\nView\nViewSetup.exe
AddRemove-{8BCAFB73-49AE-4AC4-00A1-70E4EC38BD4E} - c:\program files\Electronic Arts\The Lord of the Rings



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-26 09:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1390067357-630328440-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:57,7c,b2,02,07,8e,33,8d,24,81,26,41,03,f4,6c,ee,eb,c1,3e,9f,87,d2,aa,
cf,4d,c4,b1,ec,74,4e,c1,3a,99,3b,27,9f,91,53,c7,4a,99,bd,80,ac,cf,51,df,8c,\
"??"=hex:cf,55,c7,95,2b,14,4d,f8,66,7b,0c,1b,19,52,fe,22

[HKEY_USERS\S-1-5-21-1390067357-630328440-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:9a,75,2e,7e,28,48,5f,75,49,93,13,93,be,1a,f6,68,88,5e,86,8d,09,
63,af,94,f1,4e,4a,2d,13,98,7d,f8,36,fe,37,f6,25,17,7f,cb,19,76,9e,15,4d,5d,\
"rkeysecu"=hex:d0,08,4c,e9,47,3c,1d,68,2f,93,29,57,71,e5,34,71
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(988)
c:\windows\system32\LMIinit.dll

- - - - - - - > 'explorer.exe'(784)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\windows\system32\rundll32.exe
c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\UAService7.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\RUNDLL32.EXE
c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2010-06-26 09:32:45 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-26 16:32

Pre-Run: 297,349,242,880 bytes free
Post-Run: 297,419,780,096 bytes free

- - End Of File - - 583B4CA898468313A29CFB4176DDFB2E

Regards,

Mike
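An added example for readers triaging logs like the two above (it is not part of this thread and not GMER's or ComboFix's own code): a small Python script that parses the "Disk sectors" section of the GMER log from the first post and runs a few simple checks over the ComboFix "Other Deletions" list. The sample strings are copied from the logs in this thread. The pairing it looks for on the disk side (reported code in one sector plus a "copy of MBR" in a neighbouring one) is the layout GMER reports for an MBR rootkit, which is why the scan still showed something after fixmbr rewrote sector 0. The file-name heuristics (a name one edit away from a core system DLL, such as ernel32.dll next to kernel32.dll; short mixed letter/digit names under Application Data or the print-processor directory; At*.job scheduled tasks) are my own assumptions, not rules from either tool.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# Constructed sample input: the "Disk sectors" section as GMER printed it in post #1.
GMER_SAMPLE = r"""---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 61: malicious code @ sector 0x3a380d80 size 0x1fd
Disk \Device\Harddisk0\DR0 sector 62: copy of MBR

---- EOF - GMER 1.0.15 ----
"""

# Constructed sample input: a subset of the ComboFix "Other Deletions" list in post #3.
COMBOFIX_DELETIONS = [
    r"c:\documents and settings\All Users\Application Data\4wE7q447.exe",
    r"c:\documents and settings\Michael Gates\Favorites\Games.url",
    r"c:\program files\Common Files\Real\Update_OB\realsched.exe",
    r"c:\windows\system32\ernel32.dll",
    r"c:\windows\system32\spool\prtprocs\w32x86\55yW5.dll",
    r"c:\windows\system32\spool\prtprocs\w32x86\EIQ9317m.dll",
    r"c:\windows\Tasks\At100.job",
]

SECTOR_RE = re.compile(r"^Disk\s+(?P<device>\\\S+)\s+sector\s+(?P<sector>\d+):\s+(?P<desc>.+?)\s*$")
CODE_RE = re.compile(r"malicious code @ sector (?P<at>0x[0-9a-fA-F]+) size (?P<size>0x[0-9a-fA-F]+)")


@dataclass
class SectorFinding:
    device: str
    sector: int
    description: str
    code_at: Optional[int] = None    # absolute sector holding the reported code
    code_size: Optional[int] = None  # its size in bytes


def parse_gmer_disk_sectors(text: str) -> List[SectorFinding]:
    """Parse the 'Disk sectors' section of a GMER log into structured findings."""
    findings, in_section = [], False
    for line in text.splitlines():
        if line.startswith("---- Disk sectors"):
            in_section = True
            continue
        if in_section and line.startswith("----"):
            break  # next section or EOF marker
        m = SECTOR_RE.match(line) if in_section else None
        if not m:
            continue
        f = SectorFinding(m["device"], int(m["sector"]), m["desc"])
        c = CODE_RE.search(f.description)
        if c:
            f.code_at, f.code_size = int(c["at"], 16), int(c["size"], 16)
        findings.append(f)
    return findings


def mbr_rootkit_pattern(findings: List[SectorFinding]) -> List[str]:
    """Devices where GMER reports both injected code and a stashed copy of the MBR.

    The original MBR parked in a spare sector next to loader code is the MBR-rootkit
    layout; rewriting sector 0 alone (fixmbr) leaves these sectors as they are.
    """
    seen = {}
    for f in findings:
        d = seen.setdefault(f.device, {"code": False, "mbr_copy": False})
        d["code"] |= f.code_at is not None
        d["mbr_copy"] |= "copy of MBR" in f.description
    return sorted(dev for dev, d in seen.items() if d["code"] and d["mbr_copy"])


# Assumed heuristics (mine, not ComboFix rules).
KNOWN_SYSTEM_NAMES = ("kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll", "ole32.dll")
WATCHED_DIRS = ("application data", "local settings\\temp", "spool\\prtprocs")
RANDOM_NAME_RE = re.compile(r"^(?=.*[a-z])(?=.*\d)[a-z0-9]{4,8}$", re.IGNORECASE)


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, used to catch look-alike names such as ernel32.dll."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage_deletions(paths: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (path, reasons) for deletions that look like malware rather than clutter."""
    flagged = []
    for p in paths:
        low, name, stem = p.lower(), PureWindowsPath(p).name, PureWindowsPath(p).stem
        reasons = []
        for known in KNOWN_SYSTEM_NAMES:
            if name.lower() != known and levenshtein(name.lower(), known) == 1:
                reasons.append(f"name is one edit away from {known}")
        if RANDOM_NAME_RE.match(stem) and any(d in low for d in WATCHED_DIRS):
            reasons.append("random-looking name in a user-writable or loader-searched directory")
        if "\\tasks\\" in low and re.fullmatch(r"at\d+\.job", name.lower()):
            reasons.append("at.exe scheduled task (common persistence)")
        if reasons:
            flagged.append((p, reasons))
    return flagged


def flagged_names(paths: List[str]) -> List[str]:
    """Just the file names that triage_deletions flagged, in input order."""
    return [PureWindowsPath(p).name for p, _ in triage_deletions(paths)]


if __name__ == "__main__":
    findings = parse_gmer_disk_sectors(GMER_SAMPLE)
    for f in findings:
        print(f)
    print("MBR-rootkit pattern on:", mbr_rootkit_pattern(findings))
    for path, why in triage_deletions(COMBOFIX_DELETIONS):
        print(path, "->", "; ".join(why))
```

On the sample data the disk check reports \Device\Harddisk0\DR0, and the deletion triage flags the two randomly named executables under Application Data and the print-processor directory, ernel32.dll, and At100.job, while leaving the Favorites shortcuts and the RealPlayer scheduler alone. The heuristics are deliberately narrow; they are a reading aid for a log like this one, not a replacement for the tools that produced it.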



#4 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 26 June 2010 - 03:14 PM

Greetings

Good. That cleaned up some bad guys, but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

CODE
File::
c:\windows\system32\mf3216C.dll


Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe

This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

"information and logs"
    In your next post I need the following
    1. report from Combofix
    2. let me know of any problems you may have had
    3. How is the computer doing now after running the script?

Gringo



#5 Dunecat (Topic Starter)

Posted 27 June 2010 - 10:48 AM

Done.

Here are the logs.

ComboFix 10-06-25.04 - Michael Gates 06/27/2010 8:16.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3326.2557 [GMT -7:00]
Running from: c:\documents and settings\Michael Gates\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Michael Gates\Desktop\CFScript.txt
.

((((((((((((((((((((((((( Files Created from 2010-05-27 to 2010-06-27 )))))))))))))))))))))))))))))))
.

2010-06-25 03:08 . 2006-11-30 15:56 74371580 ----a-w- C:\metfatigue.zip
2010-06-25 03:06 . 2010-06-25 03:23 -------- d-----w- C:\metfatigue
2010-06-24 19:57 . 2010-06-24 19:30 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-06-24 19:31 . 2010-06-24 19:31 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-06-24 19:30 . 2010-06-24 19:30 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-06-24 19:30 . 2010-06-24 19:30 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-06-24 19:26 . 2010-06-24 19:26 -------- d-----w- c:\documents and settings\Michael Gates\Local Settings\Application Data\Temp
2010-06-24 19:26 . 2010-06-24 19:26 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-06-24 19:26 . 2010-06-24 19:27 -------- d-----w- c:\program files\Google
2010-06-24 19:26 . 2010-06-24 19:26 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-06-24 19:26 . 2010-02-04 15:53 2954656 -c--a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-06-24 19:25 . 2010-06-24 19:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-06-24 19:25 . 2010-06-24 19:26 -------- d-----w- c:\program files\Lavasoft
2010-06-24 16:53 . 2010-06-24 19:32 -------- d-----w- c:\documents and settings\Michael Gates\Local Settings\Application Data\Google
2010-06-24 16:53 . 2010-04-08 09:50 1496064 ----a-w- c:\documents and settings\Michael Gates\Application Data\Mozilla\Firefox\Profiles\7bnyokmm.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-06-24 16:53 . 2010-04-08 09:50 43008 ----a-w- c:\documents and settings\Michael Gates\Application Data\Mozilla\Firefox\Profiles\7bnyokmm.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-06-24 16:53 . 2010-04-08 09:50 338944 ----a-w- c:\documents and settings\Michael Gates\Application Data\Mozilla\Firefox\Profiles\7bnyokmm.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-06-24 16:53 . 2010-04-08 09:50 346112 ----a-w- c:\documents and settings\Michael Gates\Application Data\Mozilla\Firefox\Profiles\7bnyokmm.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-06-24 15:37 . 2010-06-26 16:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-06-24 15:37 . 2010-06-26 16:06 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-06-23 02:41 . 2010-06-23 02:41 -------- d-----w- c:\documents and settings\Michael Gates\Application Data\F-Secure
2010-06-23 00:30 . 2010-06-23 00:30 363520 ----a-w- C:\rkill.com
2010-06-23 00:28 . 2010-06-23 00:28 50176 ----a-w- c:\documents and settings\Administrator\Application Data\b757f5e4.exe
2010-06-23 00:28 . 2010-06-23 00:28 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-06-22 17:02 . 2010-06-22 17:02 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-06-22 13:54 . 2010-06-22 13:54 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Yahoo!
2010-06-07 05:36 . 2009-05-07 07:04 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-06-06 22:37 . 2010-06-06 22:37 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\F-Secure
2010-06-06 22:35 . 2010-06-26 16:12 -------- d-----w- c:\program files\F-Secure
2010-06-06 22:32 . 2010-06-06 22:32 -------- d-----w- c:\documents and settings\LocalService\Application Data\Yahoo!
2010-06-06 22:32 . 2010-06-06 22:32 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\AskToolbar
2010-06-06 22:16 . 2010-06-06 22:16 -------- d-----w- c:\documents and settings\All Users\Application Data\fssg
2010-06-06 22:14 . 2010-06-26 16:07 -------- d-----w- c:\documents and settings\All Users\Application Data\f-secure
2010-06-06 15:42 . 2010-06-06 15:42 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Identities
2010-06-04 22:25 . 2010-06-04 22:25 -------- d-----w- C:\ProcessExplorer
2010-06-03 20:36 . 2010-06-24 15:40 -------- d-----w- c:\program files\Spyware Doctor
2010-06-03 20:35 . 2010-06-24 15:38 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-06-03 16:37 . 2010-06-02 18:01 76040 ----a-w- c:\documents and settings\All Users\Application Data\Avg8\update\backup\avgtdix.sys
2010-06-03 16:37 . 2010-06-02 18:01 10520 ----a-w- c:\documents and settings\All Users\Application Data\Avg8\update\backup\avgrsstx.dll
2010-06-03 16:37 . 2010-06-02 18:01 97928 ----a-w- c:\documents and settings\All Users\Application Data\Avg8\update\backup\avgldx86.sys
2010-06-03 16:37 . 2010-06-02 18:01 26824 ----a-w- c:\documents and settings\All Users\Application Data\Avg8\update\backup\avgmfx86.sys
2010-06-03 16:37 . 2010-06-02 18:01 287000 ----a-w- c:\documents and settings\All Users\Application Data\Avg8\update\backup\avgrsx.exe
2010-06-03 16:36 . 2010-06-02 18:01 443672 ----a-w- c:\documents and settings\All Users\Application Data\Avg8\update\backup\avgiproxy.exe
2010-06-03 16:36 . 2010-06-02 18:01 641304 ----a-w- c:\documents and settings\All Users\Application Data\Avg8\update\backup\avgupd.exe
2010-06-03 16:36 . 2010-06-02 18:01 1082624 ----a-w- c:\documents and settings\All Users\Application Data\Avg8\update\backup\avgupd.dll
2010-06-03 16:36 . 2010-06-02 18:01 583960 ----a-w- c:\documents and settings\All Users\Application Data\Avg8\update\backup\avginet.dll
2010-06-02 20:27 . 2010-06-02 20:27 10752 ----a-w- c:\windows\DCEBoot.exe
2010-06-02 18:04 . 2010-06-06 19:16 -------- d-----w- C:\$AVG8.VAULT$
2010-06-02 15:30 . 2009-06-30 16:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-06-02 15:30 . 2010-06-02 15:30 -------- d-----w- c:\program files\Panda Security
2010-06-02 15:18 . 2010-06-02 15:18 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee
2010-06-02 15:09 . 2010-06-02 15:09 1870688 ----a-w- C:\HousecallLauncher.exe
2010-06-02 02:42 . 2010-06-02 02:42 85504 --sha-r- c:\windows\system32\mf3216C.dll
2010-06-02 02:41 . 2010-06-02 02:41 -------- d-----w- c:\documents and settings\Michael Gates\Application Data\EA395D4F762F58DDE91F5E52333F7B2E

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-27 00:39 . 2010-03-10 16:42 439816 ----a-w- c:\documents and settings\Michael Gates\Application Data\Real\Update\setup3.10\setup.exe
2010-06-26 18:39 . 2009-02-14 01:15 -------- d-----w- c:\program files\Steam
2010-06-26 16:14 . 2010-06-24 20:29 112 ----a-w- c:\documents and settings\All Users\Application Data\HM3R6PI.dat
2010-06-24 10:27 . 2010-05-14 04:28 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-23 05:23 . 2008-05-25 15:17 -------- d-----w- c:\program files\City of Heroes
2010-06-23 00:11 . 2010-02-26 03:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-19 22:11 . 2009-05-24 04:37 63 ---h--w- c:\windows\popcreg.dat
2010-06-19 22:11 . 2009-05-24 03:34 25 ----a-w- c:\windows\popcinfot.dat
2010-06-06 22:32 . 2008-11-17 22:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Avg8
2010-06-02 15:18 . 2010-05-09 20:11 -------- d-----w- c:\program files\McAfee Security Scan
2010-05-17 23:26 . 2009-01-30 22:26 -------- d-----w- c:\documents and settings\Michael Gates\Application Data\webex
2010-05-09 20:11 . 2010-05-09 20:11 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-05-09 20:11 . 2010-05-09 20:11 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
2010-05-09 20:11 . 2008-11-13 19:14 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-05-07 21:30 . 2008-11-13 19:14 -------- d-----w- c:\program files\NOS
2010-05-04 17:20 . 2007-07-27 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20 . 2007-07-27 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20 . 2007-07-27 12:00 17408 ------w- c:\windows\system32\corpol.dll
2010-05-02 05:56 . 2007-07-27 12:00 1850880 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 22:39 . 2010-02-26 03:23 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 22:39 . 2010-02-26 03:23 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-20 05:51 . 2007-07-27 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-09 16:01 . 2010-04-06 03:29 139456 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-04-09 16:01 . 2010-04-06 03:29 190160 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-04-06 03:29 . 2010-04-06 03:29 138056 ----a-w- c:\documents and settings\Michael Gates\Application Data\PnkBstrK.sys
2010-04-06 03:29 . 2010-04-06 03:29 138056 ----a-w- c:\documents and settings\Michael Gates\Application Data\PnkBstrK.sys
2010-04-06 03:29 . 2010-04-06 03:29 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-04-06 03:29 . 2010-04-06 03:29 2407792 ----a-w- c:\windows\system32\pbsvc_heroes.exe
2010-03-31 07:16 . 2010-03-31 07:16 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-03-31 07:10 . 2010-03-31 07:10 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2010-03-29 15:53 . 2010-05-07 21:29 32576 ----a-w- c:\documents and settings\Michael Gates\Application Data\Mozilla\Firefox\Profiles\7bnyokmm.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2010-03-29 15:53 . 2010-05-07 21:29 29984 ----a-w- c:\documents and settings\Michael Gates\Application Data\Mozilla\Firefox\Profiles\7bnyokmm.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
2010-05-13 16:09 . 2009-01-30 22:26 28472 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2010-05-13 16:09 . 2009-01-30 22:26 185224 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2010-05-13 16:09 . 2009-01-30 22:26 46392 ----a-w- c:\program files\mozilla firefox\plugins\atmccli.dll
2009-01-30 22:26 . 2009-01-30 22:26 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-01-09 4363504]
"Steam"="c:\program files\steam\steam.exe" [2010-05-07 1238352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-03-11 86016]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-08-24 185896]
"RTHDCPL"="RTHDCPL.EXE" [2007-09-19 16844800]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-09-28 13918208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-09-28 86016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10e.exe" [2010-01-27 256280]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-17 03:35 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\LucasArts\\Star Wars Empire at War\\GameData\\sweaw.exe"=
"c:\\Program Files\\LucasArts\\Star Wars Empire at War Forces of Corruption\\swfoc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Electronic Arts\\The Battle for Middle-earth ™ II\\game.dat"=
"c:\\Program Files\\Electronic Arts\\The Lord of the Rings, The Rise of the Witch-king\\game.dat"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\fear2\\FEAR2.exe"=
"c:\\Program Files\\EA Games\\The Battle for Middle-earth ™\\game.dat"=
"c:\\Program Files\\EA Games\\Medal of Honor Pacific Assault™\\mohpa.exe"=
"c:\\Program Files\\THQ\\Company of Heroes\\RelicDownloader\\RelicDownloader.exe"=
"c:\\Program Files\\Paradox Interactive\\East India Company Demo\\eastindia.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\rome total war gold\\RomeTW.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\rome total war gold\\RomeTW-BI.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\empire total war\\Empire.exe"=
"c:\\Program Files\\Eidos\\Batman Arkham Asylum\\Binaries\\ShippingPC-BmGame.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\dawn of war 2\\DOW2.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\napoleon total war\\Napoleon.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\left 4 dead 2\\left4dead2.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [6/24/2010 12:30 PM 64288]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [6/2/2010 8:30 AM 28552]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 8:52 AM 1352832]
R3 N100;Compaq Ethernet or Fast Ethernet NIC Driver;c:\windows\system32\drivers\n100325.sys [5/24/2008 12:11 PM 128000]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [7/16/2008 7:26 PM 682232]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/24/2010 12:26 PM 135664]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [5/10/2009 3:01 PM 1684736]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 5:49 AM 227232]
S3 RTL8192su;%RTL8192su.DeviceDesc.DispName%;c:\windows\system32\drivers\RTL8192su.sys [2/21/2010 2:03 PM 588032]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-06-27 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 19:30]

2010-06-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-24 19:26]

2010-06-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-24 19:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://sportsillustrated.cnn.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ptec/defaults/su/*http://www.yahoo.com
TCP: {A665FE68-C676-4FAB-8A1E-32DCFA06421A} = 4.2.2.2
DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} - hxxps://www.battlefieldheroes.com/static/updater/BFHUpdater_4.0.53.0.cab
FF - ProfilePath - c:\documents and settings\Michael Gates\Application Data\Mozilla\Firefox\Profiles\7bnyokmm.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-msgr&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.search.selectedengine - Search the Web
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=en&q=
FF - component: c:\documents and settings\Michael Gates\Application Data\Mozilla\Firefox\Profiles\7bnyokmm.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\documents and settings\Michael Gates\Application Data\Mozilla\Firefox\Profiles\7bnyokmm.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-27 08:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1390067357-630328440-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:57,7c,b2,02,07,8e,33,8d,24,81,26,41,03,f4,6c,ee,eb,c1,3e,9f,87,d2,aa,
cf,4d,c4,b1,ec,74,4e,c1,3a,99,3b,27,9f,91,53,c7,4a,99,bd,80,ac,cf,51,df,8c,\
"??"=hex:cf,55,c7,95,2b,14,4d,f8,66,7b,0c,1b,19,52,fe,22

[HKEY_USERS\S-1-5-21-1390067357-630328440-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:9a,75,2e,7e,28,48,5f,75,49,93,13,93,be,1a,f6,68,88,5e,86,8d,09,
63,af,94,f1,4e,4a,2d,13,98,7d,f8,36,fe,37,f6,25,17,7f,cb,19,76,9e,15,4d,5d,\
"rkeysecu"=hex:d0,08,4c,e9,47,3c,1d,68,2f,93,29,57,71,e5,34,71
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(988)
c:\windows\system32\LMIinit.dll

- - - - - - - > 'explorer.exe'(1160)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
.
Completion time: 2010-06-27 08:24:47
ComboFix-quarantined-files.txt 2010-06-27 15:24
ComboFix2.txt 2010-06-26 16:32

Pre-Run: 297,396,850,688 bytes free
Post-Run: 297,386,688,512 bytes free

- - End Of File - - 340F69519021FD43B84C5762359C9FB6


Mike
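A triage pass over the ComboFix listing above, as an added example (it is not ComboFix code and not part of the helper's procedure in this thread). It parses the per-file lines ComboFix prints under "Files Created", "Find3M Report" and "Other Deletions", flags entries with three heuristics drawn from what was targeted here (the `--sha-r-` DLL in system32, the 32-hex-character folder and 8-hex-character .exe under user profiles, and executables dropped straight into an Application Data folder), and then reads a later log's "Other Deletions" block to report which flagged paths were removed. The sample lines are copied from this log and from the follow-up ComboFix log posted later in the thread; the attribute-letter meanings (leading `d` for directory, `s`/`h` for system/hidden) and the heuristic thresholds are assumptions of mine. PnkBstrK.sys gets flagged too, which is deliberate: it belongs to the PunkBuster anti-cheat whose PnkBstrA.exe/PnkBstrB.exe appear in the firewall exceptions, so the output is a list of things to review, not verdicts.

```python
"""Triage pass over ComboFix file listings (added example for this thread;
not ComboFix code and not the helper's own procedure)."""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Lines copied from the two ComboFix logs in this thread (real lines, trimmed).
LOG_BEFORE = r"""
((((((((((((((((((((((((( Files Created from 2010-05-27 to 2010-06-27 )))))))))))))))))))))))))))))))
.
2010-06-24 19:57 . 2010-06-24 19:30 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-06-24 19:26 . 2010-06-24 19:26 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-06-23 00:28 . 2010-06-23 00:28 50176 ----a-w- c:\documents and settings\Administrator\Application Data\b757f5e4.exe
2010-06-02 02:42 . 2010-06-02 02:42 85504 --sha-r- c:\windows\system32\mf3216C.dll
2010-06-02 02:41 . 2010-06-02 02:41 -------- d-----w- c:\documents and settings\Michael Gates\Application Data\EA395D4F762F58DDE91F5E52333F7B2E
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-19 22:11 . 2009-05-24 04:37 63 ---h--w- c:\windows\popcreg.dat
2010-04-06 03:29 . 2010-04-06 03:29 138056 ----a-w- c:\documents and settings\Michael Gates\Application Data\PnkBstrK.sys
"""
LOG_AFTER = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\mf3216C.dll
.
((((((((((((((((((((((((( Files Created from 2010-05-28 to 2010-06-29 )))))))))))))))))))))))))))))))
.
2010-06-23 00:28 . 2010-06-23 00:28 50176 ----a-w- c:\documents and settings\Administrator\Application Data\b757f5e4.exe
2010-06-02 02:41 . 2010-06-02 02:41 -------- d-----w- c:\documents and settings\Michael Gates\Application Data\EA395D4F762F58DDE91F5E52333F7B2E
"""

BANNER_RE = re.compile(r"^\(+\s*(?P<title>.*?)\s*\)+$")
# <date> . <date> <size|--------> <attrs> <path>. ComboFix orders the two dates
# differently per section, so they are matched but not interpreted here.
LINE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
    r"(?P<size>\d+|-{8}) (?P<attrs>[\w-]{8}) (?P<path>.+)$"
)


@dataclass
class Entry:
    attrs: str   # assumed: leading 'd' = directory, 's' = system, 'h' = hidden
    size: int    # 0 where ComboFix prints dashes (directories)
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"


def parse_log(text: str) -> Tuple[List[Entry], List[str]]:
    """Return (file entries, bare paths listed under the 'Other Deletions' banner)."""
    entries, deleted, section = [], [], ""
    for raw in text.splitlines():
        line = raw.strip()
        banner = BANNER_RE.match(line)
        if banner:
            section = banner["title"]
        elif not line or line == ".":
            continue
        elif section == "Other Deletions":
            deleted.append(line)
        else:
            m = LINE_RE.match(line)
            if m:
                size = 0 if m["size"].startswith("-") else int(m["size"])
                entries.append(Entry(m["attrs"], size, m["path"]))
    return entries, deleted


R_SYS32_HIDDEN = "hidden+system file inside system32"
R_HEX_NAME = "random hex name under a user profile"
R_DROPPED_EXE = "executable dropped directly into Application Data or Temp"
HEX_STEM_RE = re.compile(r"^(?:[0-9a-f]{8}|[0-9a-f]{32})$", re.I)
EXEC_EXT = (".exe", ".dll", ".sys", ".com", ".scr")


def triage(entries: List[Entry]) -> Dict[str, List[str]]:
    """Map each flagged path to the heuristics it tripped (review hints, not verdicts)."""
    hits: Dict[str, List[str]] = {}
    for e in entries:
        low = e.path.lower()
        parent = ntpath.dirname(low)
        stem, ext = ntpath.splitext(ntpath.basename(e.path))
        reasons = []
        if not e.is_dir and "\\windows\\system32\\" in low and "s" in e.attrs and "h" in e.attrs:
            reasons.append(R_SYS32_HIDDEN)
        if "\\documents and settings\\" in low and HEX_STEM_RE.match(stem):
            reasons.append(R_HEX_NAME)
        if not e.is_dir and ext.lower() in EXEC_EXT and parent.endswith(("\\application data", "\\temp")):
            reasons.append(R_DROPPED_EXE)
        if reasons:
            hits[e.path] = reasons
    return hits


def follow_up(flagged: Dict[str, List[str]], later_log: str) -> Dict[str, str]:
    """'deleted' if the later log lists the path under Other Deletions, 'still listed'
    if it reappears in a file listing, else 'not seen' (absent from the excerpt only)."""
    entries, deleted = parse_log(later_log)
    gone = {p.lower() for p in deleted}
    listed = {e.path.lower() for e in entries}
    status = {}
    for path in flagged:
        key = path.lower()
        status[path] = "deleted" if key in gone else "still listed" if key in listed else "not seen"
    return status


if __name__ == "__main__":
    flagged = triage(parse_log(LOG_BEFORE)[0])
    for path, reasons in flagged.items():
        print(path, "->", "; ".join(reasons))
    for path, state in follow_up(flagged, LOG_AFTER).items():
        print(f"{state:13} {path}")
```

Feed it a full ComboFix log instead of the excerpts and the same two functions work unchanged; the "Reg Loading Points" and service lines simply fail `LINE_RE` and are skipped. The `follow_up` result is the check worth doing after any CFScript run: a path that was asked for in `File::` or `Folder::` and is neither under "Other Deletions" nor gone from the listing needs another look.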

#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 27 June 2010 - 06:01 PM

Greetings Dunecat

Good. That cleaned up some bad guys, but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

CODE
Folder::
c:\documents and settings\Michael Gates\Application Data\EA395D4F762F58DDE91F5E52333F7B2E

File::
c:\windows\system32\mf3216C.dll


Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe

This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

"information and logs"
    In your next post I need the following
    1. report from Combofix
    2. let me know of any problems you may have had
    3. How is the computer doing now after running the script?

Gringo



#7 Dunecat

Dunecat
  • Topic Starter

  • Members
  • 5 posts

Posted 29 June 2010 - 11:43 AM

Here is the new log.


ComboFix 10-06-25.04 - Michael Gates 06/29/2010 1:35.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3326.2598 [GMT -7:00]
Running from: c:\documents and settings\Michael Gates\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Michael Gates\Desktop\CFScript.txt

FILE ::
"c:\windows\system32\mf3216C.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\mf3216C.dll

.
((((((((((((((((((((((((( Files Created from 2010-05-28 to 2010-06-29 )))))))))))))))))))))))))))))))
.

2010-06-25 03:08 . 2006-11-30 15:56 74371580 ----a-w- C:\metfatigue.zip
2010-06-25 03:06 . 2010-06-25 03:23 -------- d-----w- C:\metfatigue
2010-06-24 19:57 . 2010-06-24 19:30 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-06-24 19:31 . 2010-06-24 19:31 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-06-24 19:30 . 2010-06-24 19:30 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-06-24 19:30 . 2010-06-24 19:30 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-06-24 19:26 . 2010-06-24 19:26 -------- d-----w- c:\documents and settings\Michael Gates\Local Settings\Application Data\Temp
2010-06-24 19:26 . 2010-06-24 19:26 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-06-24 19:26 . 2010-06-24 19:27 -------- d-----w- c:\program files\Google
2010-06-24 19:26 . 2010-06-24 19:26 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-06-24 19:26 . 2010-02-04 15:53 2954656 -c--a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-06-24 19:25 . 2010-06-24 19:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-06-24 19:25 . 2010-06-24 19:26 -------- d-----w- c:\program files\Lavasoft
2010-06-24 16:53 . 2010-06-24 19:32 -------- d-----w- c:\documents and settings\Michael Gates\Local Settings\Application Data\Google
2010-06-24 16:53 . 2010-04-08 09:50 1496064 ----a-w- c:\documents and settings\Michael Gates\Application Data\Mozilla\Firefox\Profiles\7bnyokmm.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-06-24 16:53 . 2010-04-08 09:50 43008 ----a-w- c:\documents and settings\Michael Gates\Application Data\Mozilla\Firefox\Profiles\7bnyokmm.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-06-24 16:53 . 2010-04-08 09:50 338944 ----a-w- c:\documents and settings\Michael Gates\Application Data\Mozilla\Firefox\Profiles\7bnyokmm.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-06-24 16:53 . 2010-04-08 09:50 346112 ----a-w- c:\documents and settings\Michael Gates\Application Data\Mozilla\Firefox\Profiles\7bnyokmm.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-06-24 15:37 . 2010-06-26 16:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-06-24 15:37 . 2010-06-26 16:06 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-06-23 02:41 . 2010-06-23 02:41 -------- d-----w- c:\documents and settings\Michael Gates\Application Data\F-Secure
2010-06-23 00:30 . 2010-06-23 00:30 363520 ----a-w- C:\rkill.com
2010-06-23 00:28 . 2010-06-23 00:28 50176 ----a-w- c:\documents and settings\Administrator\Application Data\b757f5e4.exe
2010-06-23 00:28 . 2010-06-23 00:28 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-06-22 17:02 . 2010-06-22 17:02 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-06-22 13:54 . 2010-06-22 13:54 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Yahoo!
2010-06-07 05:36 . 2009-05-07 07:04 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-06-06 22:37 . 2010-06-06 22:37 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\F-Secure
2010-06-06 22:35 . 2010-06-26 16:12 -------- d-----w- c:\program files\F-Secure
2010-06-06 22:32 . 2010-06-06 22:32 -------- d-----w- c:\documents and settings\LocalService\Application Data\Yahoo!
2010-06-06 22:32 . 2010-06-06 22:32 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\AskToolbar
2010-06-06 22:16 . 2010-06-06 22:16 -------- d-----w- c:\documents and settings\All Users\Application Data\fssg
2010-06-06 22:14 . 2010-06-26 16:07 -------- d-----w- c:\documents and settings\All Users\Application Data\f-secure
2010-06-06 15:42 . 2010-06-06 15:42 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Identities
2010-06-04 22:25 . 2010-06-04 22:25 -------- d-----w- C:\ProcessExplorer
2010-06-03 20:36 . 2010-06-24 15:40 -------- d-----w- c:\program files\Spyware Doctor
2010-06-03 20:35 . 2010-06-24 15:38 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-06-03 16:37 . 2010-06-02 18:01 76040 ----a-w- c:\documents and settings\All Users\Application Data\Avg8\update\backup\avgtdix.sys
2010-06-03 16:37 . 2010-06-02 18:01 10520 ----a-w- c:\documents and settings\All Users\Application Data\Avg8\update\backup\avgrsstx.dll
2010-06-03 16:37 . 2010-06-02 18:01 97928 ----a-w- c:\documents and settings\All Users\Application Data\Avg8\update\backup\avgldx86.sys
2010-06-03 16:37 . 2010-06-02 18:01 26824 ----a-w- c:\documents and settings\All Users\Application Data\Avg8\update\backup\avgmfx86.sys
2010-06-03 16:37 . 2010-06-02 18:01 287000 ----a-w- c:\documents and settings\All Users\Application Data\Avg8\update\backup\avgrsx.exe
2010-06-03 16:36 . 2010-06-02 18:01 443672 ----a-w- c:\documents and settings\All Users\Application Data\Avg8\update\backup\avgiproxy.exe
2010-06-03 16:36 . 2010-06-02 18:01 641304 ----a-w- c:\documents and settings\All Users\Application Data\Avg8\update\backup\avgupd.exe
2010-06-03 16:36 . 2010-06-02 18:01 1082624 ----a-w- c:\documents and settings\All Users\Application Data\Avg8\update\backup\avgupd.dll
2010-06-03 16:36 . 2010-06-02 18:01 583960 ----a-w- c:\documents and settings\All Users\Application Data\Avg8\update\backup\avginet.dll
2010-06-02 20:27 . 2010-06-02 20:27 10752 ----a-w- c:\windows\DCEBoot.exe
2010-06-02 18:04 . 2010-06-06 19:16 -------- d-----w- C:\$AVG8.VAULT$
2010-06-02 15:30 . 2009-06-30 16:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-06-02 15:30 . 2010-06-02 15:30 -------- d-----w- c:\program files\Panda Security
2010-06-02 15:18 . 2010-06-02 15:18 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee
2010-06-02 15:09 . 2010-06-02 15:09 1870688 ----a-w- C:\HousecallLauncher.exe
2010-06-02 02:41 . 2010-06-02 02:41 -------- d-----w- c:\documents and settings\Michael Gates\Application Data\EA395D4F762F58DDE91F5E52333F7B2E

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-27 23:10 . 2008-11-04 23:40 -------- d-----w- c:\documents and settings\Michael Gates\Application Data\My The Lord of the Rings, The Rise of the Witch-king Files
2010-06-27 00:39 . 2010-03-10 16:42 439816 ----a-w- c:\documents and settings\Michael Gates\Application Data\Real\Update\setup3.10\setup.exe
2010-06-26 18:39 . 2009-02-14 01:15 -------- d-----w- c:\program files\Steam
2010-06-26 16:14 . 2010-06-24 20:29 112 ----a-w- c:\documents and settings\All Users\Application Data\HM3R6PI.dat
2010-06-24 10:27 . 2010-05-14 04:28 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-23 05:23 . 2008-05-25 15:17 -------- d-----w- c:\program files\City of Heroes
2010-06-23 00:11 . 2010-02-26 03:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-19 22:11 . 2009-05-24 04:37 63 ---h--w- c:\windows\popcreg.dat
2010-06-19 22:11 . 2009-05-24 03:34 25 ----a-w- c:\windows\popcinfot.dat
2010-06-06 22:32 . 2008-11-17 22:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Avg8
2010-06-02 15:18 . 2010-05-09 20:11 -------- d-----w- c:\program files\McAfee Security Scan
2010-05-17 23:26 . 2009-01-30 22:26 -------- d-----w- c:\documents and settings\Michael Gates\Application Data\webex
2010-05-09 20:11 . 2010-05-09 20:11 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-05-09 20:11 . 2010-05-09 20:11 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
2010-05-09 20:11 . 2008-11-13 19:14 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-05-07 21:30 . 2008-11-13 19:14 -------- d-----w- c:\program files\NOS
2010-05-04 17:20 . 2007-07-27 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20 . 2007-07-27 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20 . 2007-07-27 12:00 17408 ------w- c:\windows\system32\corpol.dll
2010-05-02 05:56 . 2007-07-27 12:00 1850880 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 22:39 . 2010-02-26 03:23 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 22:39 . 2010-02-26 03:23 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-20 05:51 . 2007-07-27 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-09 16:01 . 2010-04-06 03:29 139456 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-04-09 16:01 . 2010-04-06 03:29 190160 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-04-06 03:29 . 2010-04-06 03:29 138056 ----a-w- c:\documents and settings\Michael Gates\Application Data\PnkBstrK.sys
2010-04-06 03:29 . 2010-04-06 03:29 138056 ----a-w- c:\documents and settings\Michael Gates\Application Data\PnkBstrK.sys
2010-04-06 03:29 . 2010-04-06 03:29 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-04-06 03:29 . 2010-04-06 03:29 2407792 ----a-w- c:\windows\system32\pbsvc_heroes.exe
2010-05-13 16:09 . 2009-01-30 22:26 28472 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2010-05-13 16:09 . 2009-01-30 22:26 185224 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2010-05-13 16:09 . 2009-01-30 22:26 46392 ----a-w- c:\program files\mozilla firefox\plugins\atmccli.dll
2009-01-30 22:26 . 2009-01-30 22:26 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-06-27_15.23.07 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-06-28 21:57 . 2010-06-28 21:57 16384 c:\windows\temp\Perflib_Perfdata_ef8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-01-09 4363504]
"Steam"="c:\program files\steam\steam.exe" [2010-05-07 1238352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-03-11 86016]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-08-24 185896]
"RTHDCPL"="RTHDCPL.EXE" [2007-09-19 16844800]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-09-28 13918208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-09-28 86016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10e.exe" [2010-01-27 256280]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-17 03:35 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\LucasArts\\Star Wars Empire at War\\GameData\\sweaw.exe"=
"c:\\Program Files\\LucasArts\\Star Wars Empire at War Forces of Corruption\\swfoc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Electronic Arts\\The Battle for Middle-earth ™ II\\game.dat"=
"c:\\Program Files\\Electronic Arts\\The Lord of the Rings, The Rise of the Witch-king\\game.dat"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\fear2\\FEAR2.exe"=
"c:\\Program Files\\EA Games\\The Battle for Middle-earth ™\\game.dat"=
"c:\\Program Files\\EA Games\\Medal of Honor Pacific Assault™\\mohpa.exe"=
"c:\\Program Files\\THQ\\Company of Heroes\\RelicDownloader\\RelicDownloader.exe"=
"c:\\Program Files\\Paradox Interactive\\East India Company Demo\\eastindia.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\rome total war gold\\RomeTW.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\rome total war gold\\RomeTW-BI.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\empire total war\\Empire.exe"=
"c:\\Program Files\\Eidos\\Batman Arkham Asylum\\Binaries\\ShippingPC-BmGame.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\dawn of war 2\\DOW2.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\napoleon total war\\Napoleon.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\left 4 dead 2\\left4dead2.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [6/24/2010 12:30 PM 64288]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [6/2/2010 8:30 AM 28552]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 8:52 AM 1352832]
R3 N100;Compaq Ethernet or Fast Ethernet NIC Driver;c:\windows\system32\drivers\n100325.sys [5/24/2008 12:11 PM 128000]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [7/16/2008 7:26 PM 682232]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/24/2010 12:26 PM 135664]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [5/10/2009 3:01 PM 1684736]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 5:49 AM 227232]
S3 RTL8192su;%RTL8192su.DeviceDesc.DispName%;c:\windows\system32\drivers\RTL8192su.sys [2/21/2010 2:03 PM 588032]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-06-27 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 19:30]

2010-06-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-24 19:26]

2010-06-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-24 19:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://sportsillustrated.cnn.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ptec/defaults/su/*http://www.yahoo.com
TCP: {A665FE68-C676-4FAB-8A1E-32DCFA06421A} = 4.2.2.2
DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} - hxxps://www.battlefieldheroes.com/static/updater/BFHUpdater_4.0.53.0.cab
FF - ProfilePath - c:\documents and settings\Michael Gates\Application Data\Mozilla\Firefox\Profiles\7bnyokmm.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-msgr&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.search.selectedengine - Search the Web
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=en&q=
FF - component: c:\documents and settings\Michael Gates\Application Data\Mozilla\Firefox\Profiles\7bnyokmm.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\documents and settings\Michael Gates\Application Data\Mozilla\Firefox\Profiles\7bnyokmm.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-29 01:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1390067357-630328440-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:57,7c,b2,02,07,8e,33,8d,24,81,26,41,03,f4,6c,ee,eb,c1,3e,9f,87,d2,aa,
cf,4d,c4,b1,ec,74,4e,c1,3a,99,3b,27,9f,91,53,c7,4a,99,bd,80,ac,cf,51,df,8c,\
"??"=hex:cf,55,c7,95,2b,14,4d,f8,66,7b,0c,1b,19,52,fe,22

[HKEY_USERS\S-1-5-21-1390067357-630328440-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:9a,75,2e,7e,28,48,5f,75,49,93,13,93,be,1a,f6,68,88,5e,86,8d,09,
63,af,94,f1,4e,4a,2d,13,98,7d,f8,36,fe,37,f6,25,17,7f,cb,19,76,9e,15,4d,5d,\
"rkeysecu"=hex:d0,08,4c,e9,47,3c,1d,68,2f,93,29,57,71,e5,34,71
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(988)
c:\windows\system32\LMIinit.dll
.
Completion time: 2010-06-29 01:45:27
ComboFix-quarantined-files.txt 2010-06-29 08:45
ComboFix2.txt 2010-06-27 15:24
ComboFix3.txt 2010-06-26 16:32

Pre-Run: 297,302,331,392 bytes free
Post-Run: 297,302,945,792 bytes free

- - End Of File - - B62FD9177DE098332BE8503BDFB941D5
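The log above lists this machine's autostart points the way ComboFix prints them: Run-key values with the image's date and size in brackets, and R/S service lines with a `[?]` where the tool could not find the image on disk. As an added example, not part of the original post and not ComboFix's own code, the Python below parses lines in that shape and pulls out the entries a responder would review first: images missing from disk, bare filenames resolved through the search path, images under user-writable folders such as Application Data or Temp (where the poster reports random executables launching from), and boot-start drivers outside system32\drivers. The regular expressions and the thresholds are this example's own; the sample lines are constructed in the log's format, and the names `sysupd` and `bootfltr` are invented for illustration, not entries from the machine in this thread.

```python
import re
from dataclasses import dataclass, field

# Line shapes mirrored from ComboFix's "Reg Loading Points" section as shown in
# the log above; the regular expressions themselves are this example's own.
#   "Name"="image path" [YYYY-MM-DD size]                     Run-key value
#   R0 name;display;image path [M/D/YYYY h:mm AM size]         service / driver
#   S2 name;display;\??\nt path --> win32 path [?]             image not found
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<meta>[^\]]*)\]')
SVC_RE = re.compile(
    r'^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);'
    r'(?P<path>.*?)\s*\[(?P<meta>[^\]]*)\]\s*$'
)

# Folders a limited user can write to. The poster reports random executables
# starting from Temp and Application Data, so an autostart pointing here is
# the first thing to look at.
USER_WRITABLE = (
    "\\application data\\",
    "\\local settings\\temp\\",
    "\\local settings\\temporary internet files\\",
    "\\windows\\temp\\",
)
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"


@dataclass
class Finding:
    kind: str            # "run" or "service"
    name: str
    path: str
    reasons: list = field(default_factory=list)


def _clean_path(raw: str) -> str:
    """Normalise an image path: keep the Win32 half of 'nt --> win32' pairs,
    drop the \\??\\ prefix, lower-case for matching."""
    if " --> " in raw:
        raw = raw.split(" --> ", 1)[1]
    if raw.startswith("\\??\\"):
        raw = raw[4:]
    return raw.strip().lower()


def _path_reasons(path: str, meta: str) -> list:
    reasons = []
    if meta.strip() == "?":
        reasons.append("image file not found on disk (orphaned or hidden)")
    if "\\" not in path and "/" not in path:
        reasons.append("bare filename, resolved through the search path")
    if any(marker in path for marker in USER_WRITABLE):
        reasons.append("image lives in a user-writable folder")
    return reasons


def triage_line(line: str):
    """Return a Finding for a loading-point line worth reviewing, else None."""
    m = RUN_RE.match(line)
    if m:
        path = _clean_path(m.group("path"))
        reasons = _path_reasons(path, m.group("meta"))
        return Finding("run", m.group("name"), path, reasons) if reasons else None
    m = SVC_RE.match(line)
    if m:
        path = _clean_path(m.group("path"))
        reasons = _path_reasons(path, m.group("meta"))
        # Boot-start drivers (R0 running, S0 stopped) normally live in system32\drivers.
        if m.group("start") in ("R0", "S0") and not path.startswith(DRIVER_DIR):
            reasons.append("boot-start driver outside system32\\drivers")
        return Finding("service", m.group("name").strip(), path, reasons) if reasons else None
    return None


def triage(log_text: str) -> list:
    """Run triage_line over a whole log; lines from other sections are ignored."""
    findings = []
    for line in log_text.splitlines():
        f = triage_line(line.strip())
        if f:
            findings.append(f)
    return findings


# Constructed sample in the log's format. "sysupd" and "bootfltr" are invented
# names for illustration, not entries from the machine in this thread.
SAMPLE = r'''
"Steam"="c:\program files\steam\steam.exe" [2010-05-07 1238352]
"RTHDCPL"="RTHDCPL.EXE" [2007-09-19 16844800]
"sysupd"="c:\documents and settings\user\Application Data\x7f2kq.exe" [2010-06-24 45056]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [6/24/2010 12:30 PM 64288]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]
S0 bootfltr;;\??\c:\windows\temp\bootfltr.sys --> c:\windows\temp\bootfltr.sys [?]
'''

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f.kind:8} {f.name:10} {f.path}")
        for r in f.reasons:
            print(f"           - {r}")
```

A flagged entry is a review item, not a verdict: RTHDCPL.EXE is the Realtek audio control panel and is flagged only because it is registered without a directory, and the LogMeIn `[?]` entry in the real log is a known leftover of that product. The point of the script is ordering, so that the handful of entries worth a closer look are separated from the dozens of game and driver entries a log like this carries. It reads only what ComboFix wrote, so it cannot see an MBR-resident loader; that is why the poster's fixmbr step and the GMER scan are separate from this review.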


#8 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts, Puerto Rico)

Posted 29 June 2010 - 02:16 PM

Hello

These logs are looking a lot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs
    1. click on start
    2. then go to settings
    3. after that you need control panel
    4. look for the icon add/remove programs
    click on the following programs

    Adobe Reader 9
    J2SE Runtime Environment 5.0 Update 6
    Viewpoint Media Player


    and click on remove

Update Adobe Reader
    Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

    You can download it from http://www.adobe.com/products/acrobat/readstep2.html
    After installing the latest Adobe Reader, uninstall all previous versions.
    If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.
      If you don't like Adobe Reader (33.5 MB), you can download Foxit PDF Reader (3.5 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

      Note: When installing FoxitReader, be careful not to install anything to do with AskBar.

Your Java is out of date.

Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 20 and save it to your desktop.
  • Scroll down to where it says JDK 6 Update 20 (JDK or JRE)
  • Click the Download JRE button to the right
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6u20 with JavaFX 1 License Agreement". Click on Continue.The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java™ 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u20-windows-i586.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
        Applications and Applets
        Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.


TFC(Temp File Cleaner):
  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :
    I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Eset Online Scanner

**Note** You will need to use Internet explorer for this scan

Go to the Eset web page to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the activex control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
      Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
Copy and paste that log as a reply to this topic

"information and logs"
    In your next post I need the following
    1. Log From MBAM
    2. Log From ESET Online Scanner
    3. let me know of any problems you may have had
    4. How is the computer doing now?

Gringo


I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#9 Dunecat (Topic Starter, Members, 5 posts)

Posted 30 June 2010 - 09:22 AM

Here are the logs from mbam and eset.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4259

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13

6/29/2010 5:39:51 PM
mbam-log-2010-06-29 (17-39-51).txt

Scan type: Quick scan
Objects scanned: 127859
Time elapsed: 4 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\ca.cab (Trojan.SearchRedir.M) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ca.cab.1 (Trojan.SearchRedir.M) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{84c3c236-f588-4c93-84f4-147b2abbe67b} (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{7b6a2552-e65b-4a9e-add4-c45577ffd8fd} (Adware.EZLife) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c6a91056-83e0-4c6e-8dcc-43fc0dfe7a0a} (Trojan.SearchRedir.M) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\adgj.aghlp (Adware.EZLife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\adgj.aghlp.1 (Adware.EZLife) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=7.00.6000.17055 (vista_gdr.100414-0533)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=62443c8971944841af15579f7846369e
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-06-30 02:13:47
# local_time=2010-06-29 07:13:47 (-0700, US Mountain Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1024 16777215 100 0 0 0 0 0
# compatibility_mode=2304 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=172886
# found=1
# cleaned=0
# scan_time=5375
C:\Documents and Settings\Michael Gates\Desktop\backups\backup-20100607-095857-996.dll Win32/Adware.Lifze.J application 00000000000000000000000000000000 I




#10 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts, Puerto Rico)

Posted 30 June 2010 - 01:35 PM

Hello

Very well done!! This is my general post for when your logs show no more signs of malware ;) Please let me know if you still are having problems with your computer and what these problems are.

The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points and create a new restore point.

:DeFogger:
    To re-enable your Emulation drivers, double click DeFogger to run the tool.
    • The application window will appear
    • Click the Re-enable button to re-enable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger will now ask to reboot the machine - click OK
    Your Emulation drivers are now re-enabled.
:Uninstall ComboFix:
  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and paste the following into the box ComboFix /Uninstall and click OK.
  • Note the space between the X and the /Uninstall, it needs to be there.
:remove tools:

Please download OTCleanIt and save it to desktop. This tool will remove all the tools we used to clean your pc.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.
Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

:clear system restore points:

This is a good time to clear your existing system restore points and establish a new clean restore point:
  • Go to Start > All Programs > Accessories > System Tools > System Restore
  • Select Create a restore point, and Ok it.
  • Next, go to Start > Run and type in cleanmgr
  • choose your root drive (normally C:)
  • after it calculates how much space you will save it will open up a new window
  • Select the More options tab at the top of the window
  • Choose the option to clean up system restore and OK it.
  • go back to the disk clean up tab
  • put a checkmark in all - except compress old files (leave this unchecked)
  • click Ok then click yes
This will remove all restore points except the new one you just created and clean unneeded files

:Make your Internet Explorer more secure:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialise and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    Next press the Apply button and then the OK to exit the Internet Properties page.
:Make Firefox more secure:
:Turn On Automatic Updates:
    1. Click Start, click Run, type sysdm.cpl, and then press ENTER.
    2. Click the Automatic Updates tab, and then click to select one of the following options. We recommend that you select the Automatic (recommended) Automatically download recommended updates for my computer and install them

    If you click this setting, click to select the day and time for scheduled updates to occur. You can schedule Automatic Updates for any time of day. Remember, your computer must be on at the scheduled time for updates to be installed. After you set this option, Windows recognizes when you are online and uses your Internet connection to find updates on the Windows Update Web site or on the Microsoft Update Web site that apply to your computer. Updates are downloaded automatically in the background, and you are not notified or interrupted during this process. An icon appears in the notification area of your taskbar when the updates are being downloaded. You can point to the icon to view the download status. To pause or to resume the download, right-click the icon, and then click Pause or Resume. When the download is completed, another message appears in the notification area so that you can review the updates that are scheduled for installation. If you choose not to install at that time, Windows starts the installation on your set schedule.

    or visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
:antispyware programs:

I would recommend the download and installation of some or all of the following programs (all free), and the updating of them regularly:
  • WinPatrol As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
  • Spyware Blaster - By altering your registry, this program stops harmful sites from installing things like ActiveX Controls on your machines.
  • Malwarebytes' Anti-Malware Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is totally free but for real-time protection you will have to pay a small one-time fee. We used this to help clean your computer and recommend keeping it and using it often.
please read this great article by miekiemoes How to prevent Malware:
and
this great article by Tony Klein So How Did I Get Infected In First Place

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here:

Gringo

Edited by gringo_pr, 30 June 2010 - 01:35 PM.

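The Internet-zone changes in the post above are made by hand in the Internet Options dialog. As an added example, not from the post and not Microsoft's code, the Python below checks a `reg export` of the Internet zone key against those five settings and writes the hardened values out as a .reg file, so the weak configuration and the corrected one sit side by side. The registry key and the numeric URL-action IDs (1001, 1004, 1201, 1800, 1804) are IE's own zone-settings scheme, which the post does not mention; the value meaning is 0 = Enable, 1 = Prompt, 3 = Disable. The weak export is constructed for the example.

```python
import re

# Internet zone (zone 3) of the current user. The key and the URL-action IDs are
# IE's own, not from the post; value meaning: 0 = Enable, 1 = Prompt, 3 = Disable.
ZONE_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
            r"\Internet Settings\Zones\3")
ENABLE, PROMPT, DISABLE = 0, 1, 3

# The five settings changed in the post, with the value it asks for.
RECOMMENDED = {
    "1001": (PROMPT,  "Download signed ActiveX controls"),
    "1004": (DISABLE, "Download unsigned ActiveX controls"),
    "1201": (DISABLE, "Initialize and script ActiveX controls not marked as safe"),
    "1800": (PROMPT,  "Installation of desktop items"),
    "1804": (PROMPT,  "Launching programs and files in an IFRAME"),
}

KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg_export(text: str) -> dict:
    """Parse the subset of .reg syntax that `reg export` writes for this key:
    [key] headers and "name"=dword:xxxxxxxx values. Returns {key: {name: int}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = DWORD_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = int(m.group(2), 16)
    return keys


def audit_internet_zone(reg_text: str) -> list:
    """Return (action_id, description, current, wanted) for each setting that is
    more permissive than the post asks for. A missing value means IE falls back
    to its built-in zone default, which this check does not know, so it is
    reported as well rather than assumed safe."""
    values = parse_reg_export(reg_text).get(ZONE_KEY, {})
    problems = []
    for action, (wanted, desc) in RECOMMENDED.items():
        current = values.get(action)
        if current is None or current < wanted:      # lower value = more permissive
            problems.append((action, desc, current, wanted))
    return problems


def hardened_reg() -> str:
    """The corrected settings as a .reg file (apply with `reg import file.reg`)."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{ZONE_KEY}]"]
    lines += [f'"{action}"=dword:{value:08x}' for action, (value, _) in RECOMMENDED.items()]
    return "\n".join(lines) + "\n"


# Constructed export of a weak configuration: signed ActiveX downloads enabled,
# unsafe-ActiveX scripting only at Prompt, and the IFRAME setting absent.
WEAK_EXPORT = f"""Windows Registry Editor Version 5.00

[{ZONE_KEY}]
"1001"=dword:00000000
"1004"=dword:00000003
"1201"=dword:00000001
"1800"=dword:00000001
"""

if __name__ == "__main__":
    for action, desc, current, wanted in audit_internet_zone(WEAK_EXPORT):
        print(f"{action} {desc}: current={current} wanted={wanted}")
    print(hardened_reg())
```

To run it against a real machine, export the key first (`reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" zone3.reg`); reg.exe writes that file as UTF-16, so read it with `open("zone3.reg", encoding="utf-16")` before passing the text in. The audit only flags values looser than the post asks for, so a user who has already set a control to Disable where Prompt was suggested is not reported.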

#11 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts, Puerto Rico)

Posted 03 July 2010 - 04:41 AM

Since the issue is resolved, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

The fixes and advice in this thread are for this machine only.
Do not apply the instructions from this thread to your own machine.
Please start a new thread describing your issue and someone will be along to assist you.


With Regards,
Gringo




