
Infected with unknown virus "Type Vundo"?


23 replies to this topic

#1 nbtech_2001

nbtech_2001

  • Members
  • 31 posts
  • OFFLINE
  • Local time:07:45 AM

Posted 27 June 2010 - 12:46 AM

Hi and thank you for your time spent on this,

This new post was recommended by moderator "boopme", who had started helping me in another section of this forum.

referenced original post

I followed the steps and did exactly as he asked, except for one problem: the "gmer.exe" scan. It crashed my computer several times, so I decided I had to leave that out of the logs posted below.



DDS (Ver_10-03-17.01) - NTFSx86
Run by Compaq_Owner at 20:49:52.76 on Sat 06/26/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3327.2643 [GMT -7:00]

FW: PC Tools Firewall Plus *enabled* {ABBD5028-5A95-4B6D-996E-98D64AE88D52}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k Akamai
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\MAFWTray.exe
C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\PROGRA~1\MICROS~2\wcescomm.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
F:\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: StumbleUpon Launcher: {145b29f4-a56b-4b90-bbac-45784ebebbb7} - c:\program files\stumbleupon\StumbleUponIEBar.dll
BHO: : {a88d4168-1919-4d6f-9754-492073d3f88d} - c:\windows\system32\ovhlsda.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: StumbleUpon Toolbar: {5093eb4c-3e93-40ab-9266-b607ba87bdc8} - c:\program files\stumbleupon\StumbleUponIEBar.dll
TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - c:\program files\daemon tools toolbar\DTToolbar.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [H/PC Connection Agent] "c:\progra~1\micros~2\wcescomm.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [UpdatePDRShortCut] "c:\program files\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\7.0"
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [nwiz] nwiz.exe /install
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [M-Audio Taskbar Icon] c:\windows\system32\MAFWTray.exe
mRun: [00PCTFW] "c:\program files\pc tools firewall plus\FirewallGUI.exe" -s
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
dRunOnce: []
mExplorerRun: [] 1 (0x1)
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: StumbleUpon PhotoBlog It! - StumbleUponIEBar.dll/blogimage
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~2\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~2\INetRepl.dll
Trusted Zone: com.tw\asia.msi
Trusted Zone: com.tw\global.msi
Trusted Zone: com.tw\www.msi
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.9.113.cab
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1232744791234
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer =
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: AutorunsDisabled - ovhlsda.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 setuid
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 192.168.1.131 HP0017A42D62B6

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\compaq~1\applic~1\mozilla\firefox\profiles\bl6kojr1.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.daemon-search.com/startpage|yahoo.com
FF - prefs.js: keyword.URL -
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\documents and settings\compaq_owner\application data\facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\compaq_owner\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\mozilla plugins\npitunes.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 uspsiwog;uspsiwog;c:\windows\system32\drivers\uspsiwog.sys [2005-10-24 23424]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2009-10-19 233136]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-9-4 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-9-4 67656]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2010-3-29 95024]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2005-10-24 14336]
R2 MarxDev1;MarxDev1;c:\windows\system32\drivers\MARXDEV1.SYS [2006-3-8 8864]
R2 MarxDev2;MarxDev2;c:\windows\system32\drivers\MARXDEV2.SYS [2006-3-8 8864]
R2 MarxDev3;MarxDev3;c:\windows\system32\drivers\MARXDEV3.SYS [2006-3-8 8864]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-15 34064]
R2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [2009-10-19 88040]
R2 PCToolsFirewallPlus;PC Tools Firewall Plus;c:\program files\pc tools firewall plus\FWService.exe [2009-10-19 818432]
R2 Seagate Sync Service;Seagate Sync Service;c:\program files\seagate\sync\SeaSyncServices.exe [2007-1-18 24120]
R3 MAFW;Service for M-Audio FireWire;c:\windows\system32\drivers\mafw.sys [2010-1-8 192392]
R3 PCTFW-PacketFilter;PCTools Firewall - Packet filter driver;c:\windows\system32\drivers\pctNdis-PacketFilter.sys [2009-10-19 70664]
R3 pctNDIS;PC Tools Driver;c:\windows\system32\drivers\pctNdis.sys [2009-10-19 58816]
R3 pctplfw;pctplfw;c:\windows\system32\drivers\pctplfw.sys [2009-10-19 115216]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S2 qhleytqg;NDIS System Monitor;c:\windows\system32\svchost.exe -k netsvcs [2005-10-24 14336]
S3 MA763010;M-Audio Fast Track;c:\windows\system32\drivers\ma763010.sys --> c:\windows\system32\drivers\MA763010.sys [?]
S3 PCTFW-DNS;PCTools Firewall - DNS driver;c:\windows\system32\drivers\pctNdis-DNS.sys [2009-10-19 32680]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-9-4 12872]
S3 StumbleUponUpdateService;StumbleUponUpdateService;c:\program files\stumbleupon\StumbleUponUpdateService.exe [2009-6-3 120168]

=============== Created Last 30 ================

2010-06-27 03:43:55 20 ----a-w- c:\documents and settings\compaq_owner\defogger_reenable
2010-06-26 03:37:06 32824 ----a-w- c:\windows\system32\rrMon.sys
2010-06-26 03:36:54 0 d-----w- c:\program files\Registrar Registry Manager
2010-06-26 02:59:19 0 d-----w- c:\program files\Trend Micro
2010-06-26 02:58:00 0 d-----w- c:\program files\Unlocker
2010-06-25 20:11:29 0 d-----w- c:\program files\KellySoftware
2010-06-25 05:45:18 0 d-----w- c:\program files\Free Window Registry Repair
2010-06-25 02:39:04 0 d-----w- c:\docume~1\alluse~1\applic~1\FileCure
2010-06-25 01:30:57 35871 ----a-w- c:\windows\system32\dllcache\wbfirdma.sys
2010-06-25 01:29:58 28160 ----a-w- c:\windows\system32\dllcache\umaxu40.dll
2010-06-25 01:28:58 123995 ----a-w- c:\windows\system32\dllcache\tjisdn.sys
2010-06-25 01:27:58 48736 ----a-w- c:\windows\system32\dllcache\srwlnd5.sys
2010-06-25 01:26:58 94698 ----a-w- c:\windows\system32\dllcache\sk98xwin.sys
2010-06-25 01:25:58 77824 ----a-w- c:\windows\system32\dllcache\s3sav4m.sys
2010-06-25 01:24:57 49024 ----a-w- c:\windows\system32\dllcache\ql1280.sys
2010-06-25 01:23:59 35328 ----a-w- c:\windows\system32\dllcache\pcntpci5.sys
2010-06-25 01:22:59 28672 ----a-w- c:\windows\system32\dllcache\nscirda.sys
2010-06-25 01:21:59 2944 ----a-w- c:\windows\system32\dllcache\msmpu401.sys
2010-06-25 01:20:57 70730 ----a-w- c:\windows\system32\dllcache\lne100tx.sys
2010-06-25 01:19:58 471102 ----a-w- c:\windows\system32\dllcache\imskdic.dll
2010-06-25 01:18:57 150239 ----a-w- c:\windows\system32\dllcache\hsf_amos.sys
2010-06-25 01:17:57 27165 ----a-w- c:\windows\system32\dllcache\fetnd5.sys
2010-06-25 01:16:59 117760 ----a-w- c:\windows\system32\dllcache\e100b325.sys
2010-06-25 01:15:59 3072 ----a-w- c:\windows\system32\dllcache\cwbase.sys
2010-06-25 01:14:59 39552 ----a-w- c:\windows\system32\dllcache\brparwdm.sys
2010-06-25 01:13:54 66048 ----a-w- c:\windows\system32\dllcache\s3legacy.dll
2010-06-12 04:58:05 0 d-----w- c:\program files\ClickWhen
2010-06-09 00:35:19 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll

==================== Find3M ====================

2010-06-23 07:46:11 5322 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2010-05-05 13:30:57 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\dllcache\win32k.sys
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\dllcache\atmfd.dll
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-06 11:52:46 2462720 ----a-w- c:\windows\system32\dllcache\wmvcore.dll
2010-03-31 07:16:34 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-03-31 07:10:40 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2009-10-07 04:08:43 2207 ----a-w- c:\program files\unins000.dat
2003-06-16 22:23:22 131072 ----a-w- c:\program files\T2DXi.dll
2003-06-16 22:17:50 4317184 ----a-w- c:\program files\Triangle II.dll
2003-06-03 19:33:38 90112 ----a-w- c:\program files\Triangle II.exe
2002-12-17 10:00:00 82253 ----a-w- c:\program files\unins000.exe
2009-06-09 02:45:15 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009060820090609\index.dat

============= FINISH: 20:51:08.32 ===============



I was also told to post my MBytes log:

Malwarebytes' Anti-Malware 1.41
Database version: 3177
Windows 5.1.2600 Service Pack 3 (Safe Mode)

6/25/2010 8:58:37 Western Sun
mbam-log-2010-06-25 (20-58-33).txt

Scan type: Quick Scan
Objects scanned: 17863
Time elapsed: 2 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a88d4168-1919-4d6f-9754-492073d3f88d} (Trojan.BHO.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{a88d4168-1919-4d6f-9754-492073d3f88d} (Trojan.BHO.H) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\windows\system32\ovhlsda.dll (Trojan.BHO.H) -> No action taken.

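The DDS and Malwarebytes entries above lend themselves to a mechanical cross-check. The following Python script is an added example, not a tool from this thread or from BleepingComputer: it parses the DDS "Pseudo HJT Report" line format, flags browser objects that have no display name, matches CLSIDs against what Malwarebytes reported, and catches a DLL that is registered both as a BHO and as a Winlogon Notify package. The sample input is constructed from the log lines posted in this thread.

```python
"""Cross-check a DDS 'Pseudo HJT Report' against a Malwarebytes log.

Two things worth pulling out of the logs in this thread: a browser object with no
display name, and a DLL that is registered both as a BHO and as a Winlogon Notify
package (two persistence points for one file).
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample: a few lines lifted from the DDS and Malwarebytes logs in this thread.
SAMPLE_DDS = r"""
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: : {a88d4168-1919-4d6f-9754-492073d3f88d} - c:\windows\system32\ovhlsda.dll
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: AutorunsDisabled - ovhlsda.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
"""
SAMPLE_MBAM = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a88d4168-1919-4d6f-9754-492073d3f88d} (Trojan.BHO.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{a88d4168-1919-4d6f-9754-492073d3f88d} (Trojan.BHO.H) -> No action taken.
c:\windows\system32\ovhlsda.dll (Trojan.BHO.H) -> No action taken.
"""

CLSID = r"\{[0-9A-Fa-f-]{36}\}"
# BHO/TB/SEH lines look like 'KIND: [name: ]{clsid} - path'. The name field is absent
# for orphans ("BHO: {clsid} - No File") and empty for the unnamed entry ("BHO: : {clsid} - dll").
COM_RE = re.compile(rf"^(?P<kind>BHO|TB|SEH): (?:(?P<name>.*?): )?(?P<clsid>{CLSID}) - (?P<path>.*)$")
NOTIFY_RE = re.compile(r"^Notify: (?P<name>.+?) - (?P<dll>.+)$")
MBAM_RE = re.compile(rf"(?P<clsid>{CLSID}) \((?P<det>[^)]+)\)")


def basename(path):
    """Lower-cased file name; DDS prints bare DLL names for Notify entries."""
    return PureWindowsPath(path.strip()).name.lower()


def mbam_detections(text):
    """Map each CLSID Malwarebytes flagged to its detection name."""
    return {m["clsid"].lower(): m["det"] for m in MBAM_RE.finditer(text)}


def parse_dds(text):
    """Split the report into COM object entries and Winlogon Notify entries."""
    com, notify = [], []
    for line in text.splitlines():
        m = COM_RE.match(line)
        if m:
            com.append(m.groupdict())
        elif (m := NOTIFY_RE.match(line)):
            notify.append({"name": m["name"], "dll": basename(m["dll"])})
    return com, notify


def review(dds_text, detections=None):
    """Return (severity, message) findings; severities are 'alert', 'warn', 'info'."""
    detections = detections or {}
    com, notify = parse_dds(dds_text)
    findings, by_dll = [], defaultdict(list)
    for e in com:
        tag = f"{e['kind']} {e['clsid']}"
        if e["path"].strip().lower() == "no file":
            findings.append(("info", f"{tag} is an orphan (No File): leftover, not malicious by itself"))
            continue
        by_dll[basename(e["path"])].append(e)
        if not e["name"]:  # None (no name field) or "" (empty name field)
            findings.append(("warn", f"{tag} has no display name -> {e['path']}"))
        det = detections.get(e["clsid"].lower())
        if det:
            findings.append(("alert", f"{tag} matches Malwarebytes detection {det} -> {e['path']}"))
    # A Winlogon Notify DLL that is also a browser object persists in two places at once.
    for n in notify:
        if n["dll"] in by_dll:
            findings.append(("alert", f"Winlogon Notify '{n['name']}' loads {n['dll']}, "
                                      "which is also registered as a browser object"))
    return findings


if __name__ == "__main__":
    for sev, msg in review(SAMPLE_DDS, mbam_detections(SAMPLE_MBAM)):
        print(f"[{sev}] {msg}")
```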

#2 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  • Gender:Female
  • Local time:06:45 PM

Posted 02 July 2010 - 03:52 AM

Hello and welcome to Bleeping Computer!

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log





Elle
Can you hear it? It's all around!

Tomar ki manè acchè?
Yadi thakè, tahalè
Ki kshama kartè paro?



If I haven't replied in 48 hours, please feel free to send me a PM.


#3 nbtech_2001

nbtech_2001
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Local time:07:45 AM

Posted 08 July 2010 - 08:27 PM

Hi thanks for the reply,

Nothing has really changed, and the weird reg entry and associated file names still lurk inside my computer. The startup is a little faster since my first reply, but that could be because I disabled startup programs. Here are the logs you required to have posted. I was not able to complete my gmer scan due to it freezing midway through a scan. I was not able to post the gmer scan in the past posts as well, due to crashes that it caused. I followed the exact instructions on the gmer.exe program and I have disabled my cd emulation software. I should also mention I have no anti virus software running on my computer to possibly block a scan.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Compaq_Owner at 18:10:10.52 on Thu 07/08/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3327.2788 [GMT -7:00]

FW: PC Tools Firewall Plus *enabled* {ABBD5028-5A95-4B6D-996E-98D64AE88D52}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k Akamai
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\MAFWTray.exe
C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\MICROS~2\wcescomm.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Mozilla Firefox\firefox.exe
F:\Downloads\dds(2).scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: StumbleUpon Launcher: {145b29f4-a56b-4b90-bbac-45784ebebbb7} - c:\program files\stumbleupon\StumbleUponIEBar.dll
BHO: : {a88d4168-1919-4d6f-9754-492073d3f88d} - c:\windows\system32\ovhlsda.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: StumbleUpon Toolbar: {5093eb4c-3e93-40ab-9266-b607ba87bdc8} - c:\program files\stumbleupon\StumbleUponIEBar.dll
TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - c:\program files\daemon tools toolbar\DTToolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [H/PC Connection Agent] "c:\progra~1\micros~2\wcescomm.exe"
mRun: [UpdatePDRShortCut] "c:\program files\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\7.0"
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [nwiz] nwiz.exe /install
mRun: [M-Audio Taskbar Icon] c:\windows\system32\MAFWTray.exe
mRun: [00PCTFW] "c:\program files\pc tools firewall plus\FirewallGUI.exe" -s
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRunOnce: [<NO NAME>]
mExplorerRun: [<NO NAME>] 1 (0x1)
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: StumbleUpon PhotoBlog It! - StumbleUponIEBar.dll/blogimage
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~2\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~2\INetRepl.dll
Trusted Zone: com.tw\asia.msi
Trusted Zone: com.tw\global.msi
Trusted Zone: com.tw\www.msi
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.9.113.cab
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1232744791234
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer =
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: AutorunsDisabled - ovhlsda.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 setuid
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 192.168.1.131 HP0017A42D62B6

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\compaq~1\applic~1\mozilla\firefox\profiles\bl6kojr1.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.daemon-search.com/startpage|yahoo.com
FF - prefs.js: keyword.URL -
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\documents and settings\compaq_owner\application data\facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\compaq_owner\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\mozilla plugins\npitunes.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
============= SERVICES / DRIVERS ===============

R0 uspsiwog;uspsiwog;c:\windows\system32\drivers\uspsiwog.sys [2005-10-24 23424]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2009-10-19 233136]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-9-4 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-9-4 67656]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2010-3-29 95024]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2005-10-24 14336]
R2 MarxDev1;MarxDev1;c:\windows\system32\drivers\MARXDEV1.SYS [2006-3-8 8864]
R2 MarxDev2;MarxDev2;c:\windows\system32\drivers\MARXDEV2.SYS [2006-3-8 8864]
R2 MarxDev3;MarxDev3;c:\windows\system32\drivers\MARXDEV3.SYS [2006-3-8 8864]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-15 34064]
R2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [2009-10-19 88040]
R2 PCToolsFirewallPlus;PC Tools Firewall Plus;c:\program files\pc tools firewall plus\FWService.exe [2009-10-19 818432]
R2 Seagate Sync Service;Seagate Sync Service;c:\program files\seagate\sync\SeaSyncServices.exe [2007-1-18 24120]
R3 MAFW;Service for M-Audio FireWire;c:\windows\system32\drivers\mafw.sys [2010-1-8 192392]
R3 PCTFW-PacketFilter;PCTools Firewall - Packet filter driver;c:\windows\system32\drivers\pctNdis-PacketFilter.sys [2009-10-19 70664]
R3 pctNDIS;PC Tools Driver;c:\windows\system32\drivers\pctNdis.sys [2009-10-19 58816]
R3 pctplfw;pctplfw;c:\windows\system32\drivers\pctplfw.sys [2009-10-19 115216]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S2 qhleytqg;NDIS System Monitor;c:\windows\system32\svchost.exe -k netsvcs [2005-10-24 14336]
S3 MA763010;M-Audio Fast Track;c:\windows\system32\drivers\ma763010.sys --> c:\windows\system32\drivers\MA763010.sys [?]
S3 PCTFW-DNS;PCTools Firewall - DNS driver;c:\windows\system32\drivers\pctNdis-DNS.sys [2009-10-19 32680]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-9-4 12872]
S3 StumbleUponUpdateService;StumbleUponUpdateService;c:\program files\stumbleupon\StumbleUponUpdateService.exe [2009-6-3 120168]

=============== Created Last 30 ================

2010-06-29 23:11:08 0 d-----w- c:\docume~1\compaq~1\applic~1\uTorrent
2010-06-28 20:30:41 0 d-----w- c:\program files\VirtualDJ
2010-06-27 03:43:55 20 ----a-w- c:\documents and settings\compaq_owner\defogger_reenable
2010-06-26 03:37:06 32824 ----a-w- c:\windows\system32\rrMon.sys
2010-06-26 03:36:54 0 d-----w- c:\program files\Registrar Registry Manager
2010-06-26 02:59:19 0 d-----w- c:\program files\Trend Micro
2010-06-26 02:58:00 0 d-----w- c:\program files\Unlocker
2010-06-25 20:11:29 0 d-----w- c:\program files\KellySoftware
2010-06-25 05:45:18 0 d-----w- c:\program files\Free Window Registry Repair
2010-06-25 02:39:04 0 d-----w- c:\docume~1\alluse~1\applic~1\FileCure
2010-06-25 01:30:57 35871 ----a-w- c:\windows\system32\dllcache\wbfirdma.sys
2010-06-25 01:29:58 28160 ----a-w- c:\windows\system32\dllcache\umaxu40.dll
2010-06-25 01:28:58 123995 ----a-w- c:\windows\system32\dllcache\tjisdn.sys
2010-06-25 01:27:58 48736 ----a-w- c:\windows\system32\dllcache\srwlnd5.sys
2010-06-25 01:26:58 94698 ----a-w- c:\windows\system32\dllcache\sk98xwin.sys
2010-06-25 01:25:58 77824 ----a-w- c:\windows\system32\dllcache\s3sav4m.sys
2010-06-25 01:24:57 49024 ----a-w- c:\windows\system32\dllcache\ql1280.sys
2010-06-25 01:23:59 35328 ----a-w- c:\windows\system32\dllcache\pcntpci5.sys
2010-06-25 01:22:59 28672 ----a-w- c:\windows\system32\dllcache\nscirda.sys
2010-06-25 01:21:59 2944 ----a-w- c:\windows\system32\dllcache\msmpu401.sys
2010-06-25 01:20:57 70730 ----a-w- c:\windows\system32\dllcache\lne100tx.sys
2010-06-25 01:19:58 471102 ----a-w- c:\windows\system32\dllcache\imskdic.dll
2010-06-25 01:18:57 150239 ----a-w- c:\windows\system32\dllcache\hsf_amos.sys
2010-06-25 01:17:57 27165 ----a-w- c:\windows\system32\dllcache\fetnd5.sys
2010-06-25 01:16:59 117760 ----a-w- c:\windows\system32\dllcache\e100b325.sys
2010-06-25 01:15:59 3072 ----a-w- c:\windows\system32\dllcache\cwbase.sys
2010-06-25 01:14:59 39552 ----a-w- c:\windows\system32\dllcache\brparwdm.sys
2010-06-25 01:13:54 66048 ----a-w- c:\windows\system32\dllcache\s3legacy.dll
2010-06-12 04:58:05 0 d-----w- c:\program files\ClickWhen

==================== Find3M ====================

2010-06-23 07:46:11 5322 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2010-05-05 13:30:57 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\dllcache\win32k.sys
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\dllcache\atmfd.dll
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
2009-10-07 04:08:43 2207 ----a-w- c:\program files\unins000.dat
2003-06-16 22:23:22 131072 ----a-w- c:\program files\T2DXi.dll
2003-06-16 22:17:50 4317184 ----a-w- c:\program files\Triangle II.dll
2003-06-03 19:33:38 90112 ----a-w- c:\program files\Triangle II.exe
2002-12-17 10:00:00 82253 ----a-w- c:\program files\unins000.exe
2009-06-09 02:45:15 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009060820090609\index.dat

============= FINISH: 18:11:02.85 ===============

Edited by nbtech_2001, 08 July 2010 - 08:28 PM.


#4 etavares
  • Bleepin' Remover
  • Malware Response Team
  • 15,514 posts

Posted 11 July 2010 - 02:39 PM

Hello, nbtech_2001.
My name is etavares and I will be helping you with this log.

Here are some guidelines to ensure we are able to get your machine back under your control.
  • Please do not run any unsupervised scans, fixes, etc. We can work against each other and end up in a worse place.
  • Please subscribe to this topic if you have not already done so. Please check back just in case, as the email system can fail at times.
  • Just because your machine is running better does not mean it is completely cleaned. Please wait for the 'all clear' from me to say when we are done.
  • Please reply within 3 days to be fair to other people asking for help.
  • When in doubt, please stop and ask first. There's no harm in asking questions!
P2P Warning and Request
The log shows that you have been using so-called peer-to-peer or file-sharing programmes (in your case uTorrent). These programmes allow files to be shared between users, as the name suggests. In today's world, cyber crime has come a long way, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, so they should be used with intense care. I recommend that you uninstall this program. That is optional, however. If you decide not to uninstall, please refrain from using it until I let you know your computer is clean.

Trusted Zone Warning

Having trusted sites may not be a good idea. The reason why I say it's not a good idea is because the security settings for the Internet zone are not extremely high, and once you put a site in your trusted zone, basically almost anyone or anything, including hackers or other malicious software, has full access to that site, which can lead to hijacking that site and may even give access to your computer. Are you sure you trust a site to that degree?

It is recommended NOT to have ANY sites in your Trusted Zone unless the site requires it to function properly and you trust it very well. Other than that, it is not necessary for you to add any sites into the trusted zone. If you're not sure, and/or you do not need these in your trusted zone to facilitate access, or you did not knowingly permit this access yourself, then please remove those sites from your trusted zone.

They can be accessed in Internet Explorer via Tools>>Internet Options>>Security>>Trusted Zone>>Sites. Remove any that are there.

Step 1

I don't see an antivirus program running on your machine. Before we continue, we need to install one; otherwise all our work will be wasted, as you'll get infected while we work.
  • Download and install an antivirus program, and make sure that you keep it updated.
    New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
    Two good antivirus programs free for non-commercial home use are Avast! and Antivir.
    Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
Step 2

After installing the antivirus, please try GMER again. This time, run it without checking devices. If that crashes or hangs, then try it in Safe Mode without checking devices. If that doesn't work, try again in Safe Mode, but only check files and sections.

etavares

Edited by etavares, 11 July 2010 - 02:40 PM.
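
For anyone who wants to audit the Trusted Sites zone without clicking through the Internet Options dialog, the following is an added Python example (not code from this thread or from BleepingComputer) that walks Internet Explorer's ZoneMap registry tree and rebuilds the hostnames. The sample entries are constructed to mirror the `Trusted Zone: com.tw\asia.msi` lines that ComboFix reports later in this thread, with one https-only and one Restricted Sites entry invented to exercise the filtering.

```python
r"""Audit Internet Explorer's Trusted Sites zone from the ZoneMap registry tree.

Added example for this thread, not code from BleepingComputer or from the thread.
IE keeps per-site zone assignments under
  HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains
as Domains\<domain>\<subdomain> keys; each key holds DWORD values named "*",
"http", "https" or "ftp" whose data is the zone number (2 = Trusted Sites,
4 = Restricted Sites). ComboFix reports such keys as "Trusted Zone: <domain>\<sub>".
Machine-wide (HKLM) entries and the IP-range "Ranges" key are not covered here.
"""
import sys
from typing import Iterable, List, Tuple

ZONE_TRUSTED = 2
ZONE_RESTRICTED = 4

# A flattened registry entry: (key path relative to Domains, value name, zone number).
ZoneEntry = Tuple[str, str, int]

# Constructed sample: the three entries the ComboFix log in this thread reports,
# plus an https-only entry and a Restricted Sites entry (both invented) so the
# value-name and zone filtering are exercised.
SAMPLE_ENTRIES: List[ZoneEntry] = [
    (r"com.tw\asia.msi", "*", ZONE_TRUSTED),
    (r"com.tw\global.msi", "*", ZONE_TRUSTED),
    (r"com.tw\www.msi", "*", ZONE_TRUSTED),
    (r"example.com\www", "https", ZONE_TRUSTED),     # constructed
    (r"example.net\bad", "*", ZONE_RESTRICTED),      # constructed, must not be listed
]


def hostname_from_key(rel_key: str) -> str:
    """Rebuild a hostname from a Domains-relative key path.

    'com.tw\\asia.msi' -> 'asia.msi.com.tw': the first key component is the
    domain, deeper sub-keys are the more specific labels placed in front of it.
    """
    parts = rel_key.split("\\")
    domain, subs = parts[0], parts[1:]
    return ".".join(list(reversed(subs)) + [domain])


def trusted_sites(entries: Iterable[ZoneEntry]) -> List[Tuple[str, str]]:
    """Return sorted (hostname, scheme) pairs mapped to the Trusted Sites zone."""
    return sorted(
        (hostname_from_key(rel_key), scheme)
        for rel_key, scheme, zone in entries
        if zone == ZONE_TRUSTED
    )


def combofix_style(entries: Iterable[ZoneEntry]) -> List[str]:
    """Render Trusted Sites entries the way ComboFix prints them in its log."""
    return ["Trusted Zone: " + rel_key for rel_key, _, zone in entries if zone == ZONE_TRUSTED]


def collect_zone_entries() -> List[ZoneEntry]:
    """Walk the live HKCU ZoneMap\\Domains tree (Windows only) into ZoneEntry tuples."""
    import winreg  # standard library, but only importable on Windows

    base = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
    entries: List[ZoneEntry] = []

    def walk(rel_key: str) -> None:
        full = base + ("\\" + rel_key if rel_key else "")
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, full) as key:
            n_sub, n_val, _ = winreg.QueryInfoKey(key)
            for i in range(n_val):
                name, data, kind = winreg.EnumValue(key, i)
                # Values directly under Domains carry no hostname; skip them.
                if rel_key and kind == winreg.REG_DWORD:
                    entries.append((rel_key, name, int(data)))
            for i in range(n_sub):
                sub = winreg.EnumKey(key, i)
                walk(rel_key + "\\" + sub if rel_key else sub)

    walk("")
    return entries


if __name__ == "__main__":
    # Pass --live on Windows to read the real registry; otherwise use the sample.
    live = sys.platform == "win32" and "--live" in sys.argv
    entries = collect_zone_entries() if live else SAMPLE_ENTRIES
    for host, scheme in trusted_sites(entries):
        print(f"Trusted Sites: {host} ({scheme})")
```

Any hostname the script lists that you did not add yourself is a candidate for removal through the Internet Options dialog described above.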


#5 nbtech_2001
  • Topic Starter
  • Members
  • 31 posts

Posted 13 July 2010 - 09:19 PM

I have removed my p2p program, removed all trusted sites from internet explorer (Does it matter if I only use Firefox?) and am currently downloading the recommended anti virus program. My next post will be of the gmer log that I will try in safe mode.

#6 etavares
  • Bleepin' Remover
  • Malware Response Team
  • 15,514 posts

Posted 14 July 2010 - 05:30 PM

Ok, any luck with GMER? As for the IE/FF...it only matters if you opened IE for anything. If you're using FF, those trusted sites don't get that access to FF. Did the A/V program installation go well?


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators


#7 nbtech_2001
  • Topic Starter
  • Members
  • 31 posts

Posted 15 July 2010 - 09:19 PM

Ok, the avast A/V program installed just fine and I have run no scans yet. I ran the gmer program in safe mode and was only able to come up with the following log. It froze my computer towards the end and it looked as though I could not complete the scan. I saved the log quickly and produced this...I can't even open this gmer program without it freezing my computer??

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-14 02:11:47
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\pgldypog.sys


---- Kernel code sections - GMER 1.0.15 ----

PAGE ntoskrnl.exe!ExAcquireRundownProtection + 1AF 80570108 7 Bytes JMP 8B246090

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x27 0xFF 0xBC 0x19 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xA2 0xEE 0xD1 0x79 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x74 0xB5 0xC0 0xB2 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x27 0xFF 0xBC 0x19 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xA2 0xEE 0xD1 0x79 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x74 0xB5 0xC0 0xB2 ...


#8 etavares
  • Bleepin' Remover
  • Malware Response Team
  • 15,514 posts

Posted 16 July 2010 - 05:39 PM

Hello, nbtech_2001.
Ok, let's get to work. The good news is that it's likely not a rootkit based on the GMER log. Let's take care of that file. It's persistent based on your other thread, so we may need to try more than one approach.

Next, please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop as etavaresCF.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.) (Don't forget both your antivirus and Spybot's TeaTimer.)
  • Double click on etavaresCF.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply, along with any symptoms that are present after it runs.

etavares

Edited by etavares, 16 July 2010 - 05:40 PM.


#9 nbtech_2001
  • Topic Starter
  • Members
  • 31 posts

Posted 19 July 2010 - 09:35 PM

Please excuse the delay. Here is my combo fix log. There doesn't seem to be any issues with my machine at this moment.


ComboFix 10-07-19.01 - Compaq_Owner 07/19/2010 18:37:07.1.2 - x86
Running from: c:\documents and settings\Compaq_Owner\Desktop\etavaresCF.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\program files\WinPCap
c:\program files\WinPCap\rpcapd.exe
c:\windows\system32\Data
c:\windows\system32\drivers\npf.sys
c:\windows\system32\drivers\uspsiwog.sys
c:\windows\system32\drivers\vfcfadag.sys
c:\windows\system32\eigxdpd.dll
c:\windows\system32\inf
c:\windows\system32\inf\MA_CMIDI.INF
c:\windows\system32\ovhlsda.dll
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\Thumbs.db
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll
D:\Autorun.inf
F:\autorun.inf
G:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://download.yimg.com
c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\system32\dllcache\proquota.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Legacy_QHLEYTQG
-------\Legacy_USPSIWOG
-------\Service_npf
-------\Service_qhleytqg
-------\Service_uspsiwog


((((((((((((((((((((((((( Files Created from 2010-06-20 to 2010-07-20 )))))))))))))))))))))))))))))))
.

2010-07-20 01:41 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2010-07-16 08:49 . 2010-07-19 08:24 312000 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-07-16 00:26 . 2010-07-16 00:26 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Publish Providers
2010-07-16 00:24 . 2010-07-16 00:24 -------- d-----w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Sony
2010-07-16 00:16 . 2010-07-16 00:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Sony
2010-07-16 00:16 . 2010-07-16 00:16 -------- d-----w- c:\program files\Sony
2010-07-16 00:13 . 2010-07-19 01:19 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Sony
2010-07-14 03:04 . 2010-06-28 20:32 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-07-14 03:04 . 2010-06-28 20:37 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-07-14 03:04 . 2010-06-28 20:33 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-07-14 03:04 . 2010-06-28 20:37 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-07-14 03:04 . 2010-06-28 20:32 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-07-14 03:04 . 2010-06-28 20:32 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-07-14 03:04 . 2010-06-28 20:32 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-07-14 03:04 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr
2010-07-14 03:04 . 2010-06-28 20:57 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-07-14 03:03 . 2010-07-14 03:03 -------- d-----w- c:\program files\Alwil Software
2010-07-14 03:03 . 2010-07-14 03:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-07-03 23:47 . 2010-07-14 02:14 -------- d-----w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Yahoo
2010-07-03 23:42 . 2010-07-14 02:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-06-29 23:11 . 2010-07-09 00:55 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\uTorrent
2010-06-28 20:30 . 2010-06-28 20:30 -------- d-----w- c:\program files\VirtualDJ
2010-06-26 03:37 . 2009-11-13 19:23 32824 ----a-w- c:\windows\system32\rrMon.sys
2010-06-26 03:36 . 2010-06-26 03:37 -------- d-----w- c:\program files\Registrar Registry Manager
2010-06-26 02:59 . 2010-06-26 02:59 -------- d-----w- c:\program files\Trend Micro
2010-06-26 02:58 . 2010-06-26 02:58 -------- d-----w- c:\program files\Unlocker
2010-06-25 20:11 . 2010-06-25 20:11 -------- d-----w- c:\program files\KellySoftware
2010-06-25 06:01 . 2010-06-25 06:01 439816 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\Real\Update\setup3.10\setup.exe
2010-06-25 05:45 . 2010-06-25 06:12 -------- d-----w- c:\program files\Free Window Registry Repair
2010-06-25 02:39 . 2010-06-25 02:39 -------- d-----w- c:\documents and settings\All Users\Application Data\FileCure
2010-06-25 02:17 . 2010-06-25 02:17 89 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_819F77349C6EACE47A5F57B413B0E78D.dll
2010-06-25 01:31 . 2008-04-14 00:12 116224 ----a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2010-06-25 01:30 . 2001-08-17 19:10 35871 ----a-w- c:\windows\system32\dllcache\wbfirdma.sys
2010-06-25 01:29 . 2001-08-18 05:36 28160 ----a-w- c:\windows\system32\dllcache\umaxu40.dll
2010-06-25 01:28 . 2001-08-17 19:14 123995 ----a-w- c:\windows\system32\dllcache\tjisdn.sys
2010-06-25 01:27 . 2001-08-17 19:11 48736 ----a-w- c:\windows\system32\dllcache\srwlnd5.sys
2010-06-25 01:26 . 2001-08-17 19:12 94698 ----a-w- c:\windows\system32\dllcache\sk98xwin.sys
2010-06-25 01:25 . 2001-08-17 19:50 77824 ----a-w- c:\windows\system32\dllcache\s3sav4m.sys
2010-06-25 01:24 . 2001-08-17 20:52 49024 ----a-w- c:\windows\system32\dllcache\ql1280.sys
2010-06-25 01:23 . 2001-08-17 19:11 35328 ----a-w- c:\windows\system32\dllcache\pcntpci5.sys
2010-06-25 01:22 . 2008-04-13 18:54 28672 ----a-w- c:\windows\system32\dllcache\nscirda.sys
2010-06-25 01:21 . 2001-08-17 21:00 2944 ----a-w- c:\windows\system32\dllcache\msmpu401.sys
2010-06-25 01:20 . 2001-08-17 19:12 70730 ----a-w- c:\windows\system32\dllcache\lne100tx.sys
2010-06-25 01:19 . 2004-08-04 05:00 471102 ----a-w- c:\windows\system32\dllcache\imskdic.dll
2010-06-25 01:18 . 2001-08-17 20:28 150239 ----a-w- c:\windows\system32\dllcache\hsf_amos.sys
2010-06-25 01:17 . 2001-08-17 19:13 27165 ----a-w- c:\windows\system32\dllcache\fetnd5.sys
2010-06-25 01:16 . 2001-08-17 19:12 117760 ----a-w- c:\windows\system32\dllcache\e100b325.sys
2010-06-25 01:15 . 2001-08-17 19:19 3072 ----a-w- c:\windows\system32\dllcache\cwbase.sys
2010-06-25 01:14 . 2001-08-17 20:12 3168 ----a-w- c:\windows\system32\dllcache\brparimg.sys
2010-06-25 01:13 . 2001-08-17 21:56 66048 ----a-w- c:\windows\system32\dllcache\s3legacy.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-20 02:04 . 2007-06-30 22:45 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-07-20 01:45 . 2010-03-15 01:07 -------- d-----w- c:\program files\Common Files\Akamai
2010-07-19 23:53 . 2009-07-19 04:00 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\vlc
2010-07-18 21:47 . 2007-04-20 02:34 61136 -c--a-w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-18 16:25 . 2009-02-20 20:32 8 ----a-w- c:\windows\system32\nvModes.dat
2010-07-16 02:40 . 2009-07-14 22:36 -------- d-----w- c:\documents and settings\All Users\Application Data\SmartSound Software Inc
2010-07-10 02:30 . 2010-04-09 01:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-07-09 00:57 . 2006-07-27 02:56 -------- d-----w- c:\program files\Yahoo!
2010-07-09 00:57 . 2009-03-22 04:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2010-07-03 23:47 . 2009-03-22 04:29 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Yahoo!
2010-07-03 18:47 . 2009-09-05 00:10 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-06-26 01:57 . 2009-03-26 01:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-06-26 01:54 . 2005-12-01 07:57 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-06-26 01:53 . 2005-12-01 05:27 -------- d-----w- c:\program files\Google
2010-06-26 01:51 . 2009-07-06 07:02 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\IGN_DLM
2010-06-25 02:25 . 2009-09-04 23:59 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan
2010-06-25 02:21 . 2009-09-04 23:59 -------- d-----w- c:\program files\Security Task Manager
2010-06-25 02:17 . 2010-06-25 02:17 482 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_81E90534E670EF04FA83ACE54D005A9A.dll
2010-06-23 07:46 . 2009-03-26 05:19 5322 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2010-06-14 14:31 . 2005-10-25 00:54 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-12 04:58 . 2010-06-12 04:58 -------- d-----w- c:\program files\ClickWhen
2010-06-09 22:13 . 2009-12-27 02:15 -------- d-----w- c:\program files\Spectrasonics
2010-06-04 21:08 . 2009-03-21 02:58 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-02 07:13 . 2010-02-10 07:25 50354 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\Facebook\uninstall.exe
2010-06-02 07:13 . 2010-02-10 07:25 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Facebook
2010-05-15 01:14 . 2009-09-05 00:11 117760 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-06 10:41 . 2005-10-25 00:59 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2005-10-25 00:59 1851264 ----a-w- c:\windows\system32\win32k.sys
2009-10-07 04:08 . 2009-10-07 04:08 2207 ----a-w- c:\program files\unins000.dat
2003-06-16 22:23 . 2003-06-16 22:23 131072 ----a-w- c:\program files\T2DXi.dll
2003-06-16 22:17 . 2003-06-16 22:17 4317184 ----a-w- c:\program files\Triangle II.dll
2003-06-03 19:33 . 2003-06-03 19:33 90112 ----a-w- c:\program files\Triangle II.exe
2002-12-17 10:00 . 2002-12-17 10:00 82253 ----a-w- c:\program files\unins000.exe
2009-03-03 06:43 . 2009-03-03 06:43 110592 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdatePDRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-01-04 222504]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-12-01 180269]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-27 413696]
"nwiz"="nwiz.exe" [2009-03-28 1657376]
"M-Audio Taskbar Icon"="c:\windows\system32\MAFWTray.exe" [2009-07-29 252424]
"00PCTFW"="c:\program files\PC Tools Firewall Plus\FirewallGUI.exe" [2010-01-29 3168216]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2010-03-09 15872]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"Midi1"=ma_cmidn.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 setuid

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2008-08-14 14:58 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast5]
2010-06-28 20:57 2837864 ----a-w- c:\progra~1\ALWILS~1\Avast5\AvastUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2009-09-10 22:53 1312080 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2009-03-28 07:03 13684736 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 23:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"HP Software Update"=c:\program files\Hp\HP Software Update\HPWuSchd2.exe
"Picasa Media Detector"=c:\program files\Picasa2\PicasaMediaDetector.exe
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"YMailAdvisor"="c:\program files\Yahoo!\Common\YMailAdvisor.exe"
"iTunesHelper"="C:\iTunesHelper.exe"
"StxTrayMenu"="c:\program files\Seagate\SystemTray\StxMenuMgr.exe"
"UpdatePDRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "c:\program files\CyberLink\PowerDirector" UpdateWithCreateOnce "Software\CyberLink\PowerDirector\7.0"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\iTunes.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"f:\\Project apollo\\orbiter.exe"=
"f:\\Adobe CS4 trial\\Adobe After Effects CS4\\Support Files\\AfterFX.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:*:Disabled:Adobe CSI CS4
"1034:TCP"= 1034:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface

R0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [x]
R3 MA763010;M-Audio Fast Track;c:\windows\system32\drivers\MA763010.sys [x]
R3 PCTFW-DNS;PCTools Firewall - DNS driver;c:\windows\system32\drivers\pctNdis-DNS.sys [2010-01-29 32680]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2010-06-24 12872]
R3 StumbleUponUpdateService;StumbleUponUpdateService;c:\program files\StumbleUpon\StumbleUponUpdateService.exe [2009-06-03 120168]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-04-01 691696]
S1 aswSP;aswSP; [x]
S1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2010-01-29 233136]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-06-24 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2010-06-24 67656]
S1 SBRE;SBRE;c:\windows\system32\drivers\SBREdrv.sys [2010-03-30 95024]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2008-04-14 14336]
S2 aswFsBlk;aswFsBlk; [x]
S2 MarxDev1;MarxDev1; [x]
S2 MarxDev2;MarxDev2; [x]
S2 MarxDev3;MarxDev3; [x]
S2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [2010-01-29 88040]
S2 Seagate Sync Service;Seagate Sync Service;c:\program files\Seagate\Sync\SeaSyncServices.exe [2007-01-18 24120]
S3 MAFW;Service for M-Audio FireWire;c:\windows\system32\DRIVERS\mafw.sys [2009-07-29 192392]
S3 PCTFW-PacketFilter;PCTools Firewall - Packet filter driver;c:\windows\system32\drivers\pctNdis-PacketFilter.sys [2010-01-29 70664]
S3 pctNDIS;PC Tools Driver;c:\windows\system32\DRIVERS\pctNdis.sys [2010-01-29 58816]
S3 pctplfw;pctplfw;c:\windows\system32\drivers\pctplfw.sys [2010-01-29 115216]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - USPSIWOG
*Deregistered* - uspsiwog

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder

2010-07-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: StumbleUpon PhotoBlog It! - StumbleUponIEBar.dll/blogimage
Trusted Zone: com.tw\asia.msi
Trusted Zone: com.tw\global.msi
Trusted Zone: com.tw\www.msi
DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab
FF - ProfilePath - c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\bl6kojr1.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.daemon-search.com/startpage|yahoo.com
FF - prefs.js: keyword.URL -
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\documents and settings\Compaq_Owner\Application Data\Facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\Compaq_Owner\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\mozilla plugins\npitunes.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
Notify-AutorunsDisabled - ovhlsda.dll
MSConfigStartUp-Messenger (Yahoo!) - c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
AddRemove-Registrar Registry Manager 6.50 (Lite Edition) - c:\program files\Registrar Registry Manager\unwise.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-19 19:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ccEvtMgr]
"ImagePath"="-"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SAVRT]
"ImagePath"="-"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SNDSrvc]
"ImagePath"="-"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1338794714-3880524513-31511235-1009\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\ActiveSync]
"Name"="ActiveSync"
"DisplayName"="Microsoft ActiveSync"
"Param1"="ActiveSync"
"Type"="wellknown"
"Order"=dword:00000001
"State"=dword:0000000b

[HKEY_USERS\S-1-5-21-1338794714-3880524513-31511235-1009\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\IESettings]
"Name"="IESettings"
"Type"="IESettings"
"Order"=dword:00000004
"State"=dword:0000000b

[HKEY_USERS\S-1-5-21-1338794714-3880524513-31511235-1009\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\MediaFiles]
"Name"="MediaFiles"
"Type"="MediaFiles"
"Order"=dword:00000003
"State"=dword:0000000b

[HKEY_USERS\S-1-5-21-1338794714-3880524513-31511235-1009\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\NPW]
"Name"="NPW"
"Param1"="NPW"
"Type"="wellknown"
"Order"=dword:00000002
"State"=dword:0000000b

[HKEY_USERS\S-1-5-21-1338794714-3880524513-31511235-1009\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\Outlook]
"Name"="Outlook"
"DisplayName"="Microsoft Outlook"
"Param1"="Outlook"
"Type"="wellknown"
"Order"=dword:00000000
"State"=dword:00000002

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1292)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\CLBCATQ.DLL

- - - - - - - > 'lsass.exe'(1352)
c:\windows\system32\setuid.dll

- - - - - - - > 'explorer.exe'(4580)
c:\windows\system32\WININET.dll
c:\program files\Unlocker\UnlockerHook.dll
c:\windows\system32\nview.dll
f:\tortoisecvs\TortoiseShell.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\nvwddi.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\PC Tools Firewall Plus\FWService.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\progra~1\MICROS~2\wcescomm.exe
c:\progra~1\MICROS~2\rapimgr.exe
.
**************************************************************************
.
Completion time: 2010-07-19 19:31:17 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-20 02:19

Pre-Run: 8,870,100,992 bytes free
Post-Run: 8,783,720,448 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /usepmtimer

- - End Of File - - D73973F5E74713A1D9BCE86351BEFAB4

Edited by nbtech_2001, 19 July 2010 - 09:36 PM.


#10 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:45 AM

Posted 20 July 2010 - 07:54 PM

Hello, nbtech_2001.

Ok, let's install an antivirus, then we can continue to remove the orphans.

I don't see an antivirus program running on your machine.
  • Download and install an antivirus program, and make sure that you keep it updated
    New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
    Two good antivirus programs free for non-commercial home use are Avast! and Antivir
    Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#11 nbtech_2001

nbtech_2001
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Local time:07:45 AM

Posted 23 July 2010 - 07:21 PM

I have downloaded Avast and I will give it a run then report back with the results.

#12 nbtech_2001

nbtech_2001
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Local time:07:45 AM

Posted 24 July 2010 - 01:59 AM

The Avast scan has found some files I downloaded in the past and quarantined them. There is no longer a "greyed out" box where my file restore option is located (this used to be disabled due to a group policy change, which I believe happened because of the malware or a virus). This change, I believe, happened after the ComboFix scan. If the Avast scan only found a few songs I downloaded a while ago, what does that mean? I would also like to mention that Malwarebytes no longer detects the "ovhlsda" and associated suspicious files anymore, so they must be gone?

So far this has been tremendously successful, and I have noticed system performance improving while also noticing that group policy options are no longer blocked.

#13 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:45 AM

Posted 24 July 2010 - 06:34 AM

Hello, nbtech_2001.

Great! Nothing major if it's picking up MP3s...it's doing its job. Yes, not detecting that is a good thing. We still have a few things left to do, but we're making progress.

Please delete your copy of Combofix and download again as below.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

etavares


 


#14 nbtech_2001

nbtech_2001
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Local time:07:45 AM

Posted 25 July 2010 - 04:21 PM

Here you are..



ComboFix 10-07-19.01 - Compaq_Owner 07/25/2010 13:47:41.2.2 - x86
Running from: c:\documents and settings\Compaq_Owner\Desktop\etavaresCF.exe
Command switches used :: c:\documents and settings\Compaq_Owner\Desktop\CFScript.txt
* Created a new restore point
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((( Files Created from 2010-06-25 to 2010-07-25 )))))))))))))))))))))))))))))))
.

2010-07-20 01:41 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2010-07-20 01:41 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2010-07-16 08:49 . 2010-07-19 08:24 312000 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-07-16 00:26 . 2010-07-16 00:26 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Publish Providers
2010-07-16 00:24 . 2010-07-16 00:24 -------- d-----w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Sony
2010-07-16 00:16 . 2010-07-16 00:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Sony
2010-07-16 00:16 . 2010-07-16 00:16 -------- d-----w- c:\program files\Sony
2010-07-16 00:13 . 2010-07-19 01:19 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Sony
2010-07-14 03:04 . 2010-06-28 20:32 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-07-14 03:04 . 2010-06-28 20:37 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-07-14 03:04 . 2010-06-28 20:33 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-07-14 03:04 . 2010-06-28 20:37 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-07-14 03:04 . 2010-06-28 20:32 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-07-14 03:04 . 2010-06-28 20:32 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-07-14 03:04 . 2010-06-28 20:32 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-07-14 03:04 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr
2010-07-14 03:04 . 2010-06-28 20:57 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-07-14 03:03 . 2010-07-14 03:03 -------- d-----w- c:\program files\Alwil Software
2010-07-14 03:03 . 2010-07-14 03:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-07-03 23:47 . 2010-07-14 02:14 -------- d-----w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Yahoo
2010-07-03 23:42 . 2010-07-14 02:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-06-28 20:30 . 2010-06-28 20:30 -------- d-----w- c:\program files\VirtualDJ
2010-06-26 03:37 . 2009-11-13 19:23 32824 ----a-w- c:\windows\system32\rrMon.sys
2010-06-26 03:36 . 2010-06-26 03:37 -------- d-----w- c:\program files\Registrar Registry Manager
2010-06-26 02:59 . 2010-06-26 02:59 -------- d-----w- c:\program files\Trend Micro
2010-06-26 02:58 . 2010-06-26 02:58 -------- d-----w- c:\program files\Unlocker

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-25 20:40 . 2010-03-15 01:07 -------- d-----w- c:\program files\Common Files\Akamai
2010-07-25 19:05 . 2007-06-30 22:45 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-07-24 06:48 . 2009-07-19 04:00 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\vlc
2010-07-23 22:20 . 2009-09-05 00:10 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-07-18 21:47 . 2007-04-20 02:34 61136 -c--a-w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-18 16:25 . 2009-02-20 20:32 8 ----a-w- c:\windows\system32\nvModes.dat
2010-07-16 02:40 . 2009-07-14 22:36 -------- d-----w- c:\documents and settings\All Users\Application Data\SmartSound Software Inc
2010-07-10 02:30 . 2010-04-09 01:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-07-09 00:57 . 2006-07-27 02:56 -------- d-----w- c:\program files\Yahoo!
2010-07-09 00:57 . 2009-03-22 04:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2010-07-03 23:47 . 2009-03-22 04:29 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Yahoo!
2010-06-26 01:57 . 2009-03-26 01:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-06-26 01:54 . 2005-12-01 07:57 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-06-26 01:53 . 2005-12-01 05:27 -------- d-----w- c:\program files\Google
2010-06-26 01:51 . 2009-07-06 07:02 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\IGN_DLM
2010-06-25 20:11 . 2010-06-25 20:11 -------- d-----w- c:\program files\KellySoftware
2010-06-25 06:12 . 2010-06-25 05:45 -------- d-----w- c:\program files\Free Window Registry Repair
2010-06-25 06:01 . 2010-06-25 06:01 439816 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\Real\Update\setup3.10\setup.exe
2010-06-25 02:39 . 2010-06-25 02:39 -------- d-----w- c:\documents and settings\All Users\Application Data\FileCure
2010-06-25 02:25 . 2009-09-04 23:59 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan
2010-06-25 02:21 . 2009-09-04 23:59 -------- d-----w- c:\program files\Security Task Manager
2010-06-25 02:17 . 2010-06-25 02:17 89 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_819F77349C6EACE47A5F57B413B0E78D.dll
2010-06-23 07:46 . 2009-03-26 05:19 5322 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2010-06-14 14:31 . 2005-10-25 00:54 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-12 04:58 . 2010-06-12 04:58 -------- d-----w- c:\program files\ClickWhen
2010-06-09 22:13 . 2009-12-27 02:15 -------- d-----w- c:\program files\Spectrasonics
2010-06-04 21:08 . 2009-03-21 02:58 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-02 07:13 . 2010-02-10 07:25 50354 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\Facebook\uninstall.exe
2010-06-02 07:13 . 2010-02-10 07:25 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Facebook
2010-05-15 01:14 . 2009-09-05 00:11 117760 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-06 10:41 . 2005-10-25 00:59 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2005-10-25 00:59 1851264 ----a-w- c:\windows\system32\win32k.sys
2009-10-07 04:08 . 2009-10-07 04:08 2207 ----a-w- c:\program files\unins000.dat
2003-06-16 22:23 . 2003-06-16 22:23 131072 ----a-w- c:\program files\T2DXi.dll
2003-06-16 22:17 . 2003-06-16 22:17 4317184 ----a-w- c:\program files\Triangle II.dll
2003-06-03 19:33 . 2003-06-03 19:33 90112 ----a-w- c:\program files\Triangle II.exe
2002-12-17 10:00 . 2002-12-17 10:00 82253 ----a-w- c:\program files\unins000.exe
2009-03-03 06:43 . 2009-03-03 06:43 110592 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdatePDRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-01-04 222504]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-12-01 180269]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-27 413696]
"nwiz"="nwiz.exe" [2009-03-28 1657376]
"M-Audio Taskbar Icon"="c:\windows\system32\MAFWTray.exe" [2009-07-29 252424]
"00PCTFW"="c:\program files\PC Tools Firewall Plus\FirewallGUI.exe" [2010-01-29 3168216]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2010-03-09 15872]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"Midi1"=ma_cmidn.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 setuid

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2008-08-14 14:58 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast5]
2010-06-28 20:57 2837864 ----a-w- c:\progra~1\ALWILS~1\Avast5\AvastUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2009-09-10 22:53 1312080 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2009-03-28 07:03 13684736 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 23:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"HP Software Update"=c:\program files\Hp\HP Software Update\HPWuSchd2.exe
"Picasa Media Detector"=c:\program files\Picasa2\PicasaMediaDetector.exe
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"YMailAdvisor"="c:\program files\Yahoo!\Common\YMailAdvisor.exe"
"iTunesHelper"="C:\iTunesHelper.exe"
"StxTrayMenu"="c:\program files\Seagate\SystemTray\StxMenuMgr.exe"
"UpdatePDRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "c:\program files\CyberLink\PowerDirector" UpdateWithCreateOnce "Software\CyberLink\PowerDirector\7.0"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\iTunes.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"f:\\Project apollo\\orbiter.exe"=
"f:\\Adobe CS4 trial\\Adobe After Effects CS4\\Support Files\\AfterFX.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:*:Disabled:Adobe CSI CS4

R0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [x]
R3 MA763010;M-Audio Fast Track;c:\windows\system32\drivers\MA763010.sys [x]
R3 PCTFW-DNS;PCTools Firewall - DNS driver;c:\windows\system32\drivers\pctNdis-DNS.sys [2010-01-29 32680]
R3 pctplfw;pctplfw;c:\windows\system32\drivers\pctplfw.sys [2010-01-29 115216]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2010-06-24 12872]
R3 StumbleUponUpdateService;StumbleUponUpdateService;c:\program files\StumbleUpon\StumbleUponUpdateService.exe [2009-06-03 120168]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-04-01 691696]
S1 aswSP;aswSP; [x]
S1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2010-01-29 233136]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-06-24 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2010-06-24 67656]
S1 SBRE;SBRE;c:\windows\system32\drivers\SBREdrv.sys [2010-03-30 95024]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2008-04-14 14336]
S2 aswFsBlk;aswFsBlk; [x]
S2 MarxDev1;MarxDev1; [x]
S2 MarxDev2;MarxDev2; [x]
S2 MarxDev3;MarxDev3; [x]
S2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [2010-01-29 88040]
S2 Seagate Sync Service;Seagate Sync Service;c:\program files\Seagate\Sync\SeaSyncServices.exe [2007-01-18 24120]
S3 MAFW;Service for M-Audio FireWire;c:\windows\system32\DRIVERS\mafw.sys [2009-07-29 192392]
S3 PCTFW-PacketFilter;PCTools Firewall - Packet filter driver;c:\windows\system32\drivers\pctNdis-PacketFilter.sys [2010-01-29 70664]
S3 pctNDIS;PC Tools Driver;c:\windows\system32\DRIVERS\pctNdis.sys [2010-01-29 58816]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder

2010-07-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: StumbleUpon PhotoBlog It! - StumbleUponIEBar.dll/blogimage
Trusted Zone: com.tw\asia.msi
Trusted Zone: com.tw\global.msi
Trusted Zone: com.tw\www.msi
DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab
FF - ProfilePath - c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\bl6kojr1.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.daemon-search.com/startpage|yahoo.com
FF - prefs.js: keyword.URL -
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\documents and settings\Compaq_Owner\Application Data\Facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\Compaq_Owner\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\mozilla plugins\npitunes.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-25 13:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ccEvtMgr]
"ImagePath"="-"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SAVRT]
"ImagePath"="-"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SNDSrvc]
"ImagePath"="-"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1338794714-3880524513-31511235-1009\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\ActiveSync]
"Name"="ActiveSync"
"DisplayName"="Microsoft ActiveSync"
"Param1"="ActiveSync"
"Type"="wellknown"
"Order"=dword:00000001
"State"=dword:0000000b

[HKEY_USERS\S-1-5-21-1338794714-3880524513-31511235-1009\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\IESettings]
"Name"="IESettings"
"Type"="IESettings"
"Order"=dword:00000004
"State"=dword:0000000b

[HKEY_USERS\S-1-5-21-1338794714-3880524513-31511235-1009\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\MediaFiles]
"Name"="MediaFiles"
"Type"="MediaFiles"
"Order"=dword:00000003
"State"=dword:0000000b

[HKEY_USERS\S-1-5-21-1338794714-3880524513-31511235-1009\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\NPW]
"Name"="NPW"
"Param1"="NPW"
"Type"="wellknown"
"Order"=dword:00000002
"State"=dword:0000000b

[HKEY_USERS\S-1-5-21-1338794714-3880524513-31511235-1009\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\Outlook]
"Name"="Outlook"
"DisplayName"="Microsoft Outlook"
"Param1"="Outlook"
"Type"="wellknown"
"Order"=dword:00000000
"State"=dword:00000002
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1292)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(1352)
c:\windows\system32\setuid.dll

- - - - - - - > 'explorer.exe'(1052)
c:\windows\system32\WININET.dll
c:\windows\system32\nview.dll
f:\tortoisecvs\TortoiseShell.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\nvwddi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
Completion time: 2010-07-25 13:55:15
ComboFix-quarantined-files.txt 2010-07-25 20:54
ComboFix2.txt 2010-07-20 02:31

Pre-Run: 8,796,459,008 bytes free
Post-Run: 8,790,757,376 bytes free

- - End Of File - - 43ECFBA8B62CB3D6D66E2EA73AFA87DC
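The log above carries the settings a responder actually reads before writing the next script: the Security Center override values, the Windows Firewall profile state, the LSA "Authentication Packages" list, and the R#/S# service lines whose image file is marked "[x]". The following is an added example, not code from ComboFix, BleepingComputer or either poster: a small Python triage helper that parses those line shapes and returns the entries worth a second look. The flagging rules are this example's own heuristics (noted in the comments), and the sample input is a constructed excerpt modelled on the lines posted in the thread.

```python
# Added example: triage helper for ComboFix-style log excerpts.
# Not ComboFix code; the flagging rules below are this example's assumptions.
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample input modelled on the log format posted in the thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 setuid

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [x]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2010-06-24 12872]
S1 aswSP;aswSP; [x]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2008-04-14 14336]
"""

KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")                       # [HKEY_...]
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')  # "Name"=value
MULTI_RE = re.compile(r"^(?P<name>.+?)\s+REG_MULTI_SZ\s+(?P<value>.*)$")
# "R0 name;display;path [date size]", or "[x]" when the image file is missing
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>[^\[]*)\[(?P<info>[^\]]*)\]$"
)
DEFAULT_AUTH_PACKAGES = {"msv1_0"}  # assumption: the stock XP LSA package list


@dataclass
class Finding:
    severity: str  # "warn" (almost always worth acting on) or "review"
    where: str
    detail: str


@dataclass
class ParsedLog:
    keys: Dict[str, Dict[str, str]]      # registry key -> {value name: value}
    services: List[Dict[str, object]]    # one record per R#/S# line


def parse_log(text: str) -> ParsedLog:
    """Collect registry values per key and one record per service line."""
    keys: Dict[str, Dict[str, str]] = {}
    services: List[Dict[str, object]] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        m = SERVICE_RE.match(line)
        if m:
            services.append({"start": m.group("start"), "name": m.group("name").strip(),
                             "path": m.group("path").strip(),
                             "missing": m.group("info").strip() == "x"})
            continue
        if current is None:
            continue
        m = VALUE_RE.match(line) or MULTI_RE.match(line)
        if m:
            keys[current][m.group("name").strip()] = m.group("value").strip()
    return ParsedLog(keys, services)


def triage(log: ParsedLog) -> List[Finding]:
    """Apply the review heuristics (this example's assumptions) to a parsed log."""
    findings: List[Finding] = []
    for key, values in log.keys.items():
        lowered = key.lower()
        for name, value in values.items():
            where = f"{key}\\{name}"
            if ("security center" in lowered and value.lower() == "dword:00000001"
                    and (name.endswith("Override") or name == "DisableMonitoring")):
                findings.append(Finding("warn", where, "Security Center alerting for AV/firewall "
                                        "state is suppressed; confirm a security product set this deliberately"))
            elif (lowered.endswith(r"firewallpolicy\standardprofile")
                    and name == "EnableFirewall" and value.split()[:1] == ["0"]):
                findings.append(Finding("review", where, "Windows Firewall is off for the standard "
                                        "profile; acceptable only if a third-party firewall is running"))
            elif lowered.endswith(r"\control\lsa") and name == "Authentication Packages":
                for pkg in value.split():
                    if pkg.lower() not in DEFAULT_AUTH_PACKAGES:
                        findings.append(Finding("review", where, f"non-default LSA authentication "
                                                f"package '{pkg}' loads into lsass.exe; verify its DLL"))
    for svc in log.services:
        if svc["missing"]:  # "[x]": registered service/driver whose file is gone
            findings.append(Finding("review", f"service {svc['name']}", "image file missing; "
                                    "usually a leftover of uninstalled software and a cleanup candidate"))
    return findings


if __name__ == "__main__":
    for f in triage(parse_log(SAMPLE_LOG)):
        print(f"[{f.severity}] {f.where}: {f.detail}")
```

Run against the constructed excerpt it reports three "warn" findings for the Security Center overrides, and "review" findings for the disabled firewall profile, the extra "setuid" authentication package, and the two "[x]" service entries. A parsed `ParsedLog` can also be diffed between two ComboFix runs to confirm that a CFScript removed exactly the entries it was written for and nothing else.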


#15 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:45 AM

Posted 25 July 2010 - 07:39 PM

Hello, nbtech_2001.


Step 1

Next, we need to update Java.
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 21 and save it to your desktop.
  • Scroll down to where it says "JDK 6 Update 21 (JDK or JRE)...allows end-users to run Java applications".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) or Java™ in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u21-windows-i586-p.exe to install the newest version.



Step 2

You are using an outdated version of Adobe Reader. Adobe Reader has since been updated, and the update closes many security holes and provides new features.

First, uninstall earlier versions of Adobe Reader.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all versions of Adobe Reader.
  • Check (highlight) any item with Adobe Reader in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Adobe Reader version.

Please download the latest version from:
http://get.adobe.com/reader/

And install it. Once installed, launch it, select Help --> Check for Updates and install any updates.


You may also try the free Foxit PDF reader if you prefer:
http://www.foxitsoftware.com/pdf/reader/



Step 3

Please pull anything out of the recycle bin that you want to save. Part of this fix will empty temp files, and that does include the recycle bin.

Please download TFC by OldTimer and save it to your desktop.
alternate download link

  • Save any unsaved work. TFC will close ALL open programs including your browser!
  • Double-click on TFC.exe to run it. If you are using Vista or Windows 7, right-click on the file and choose Run As Administrator.
  • Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
  • Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.




Step 4

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push



Step 5


After all the above, please let me know how your computer is running and please post a fresh DDS log.

etavares


 




