
Firefox randomly redirects


  • This topic is locked
9 replies to this topic

#1 Nyght

  • Members
  • 4 posts

Posted 27 June 2010 - 02:32 PM

Recently my Firefox browser has been redirecting me to random ad/scam sites when I click Google links. Also most of my programs have been losing their settings and defaulting as though I had just installed them. I am using Windows 7 and I have three accounts on this computer, all of them keep screwing up in odd ways, like whenever I change the background on my account the background changes for all of them. I have scanned the computer with Avast!, Malwarebytes, and Spybot.

I tried attaching the logs like the preparation thread told me to, but it wouldn't upload.


Here is the DDS log:


DDS (Ver_09-09-29.01) - NTFSx86
Run by Kevin at 14:13:37.87 on Sun 06/27/2010
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_17
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3071.1485 [GMT -5:00]

SP: Spybot - Search and Destroy *enabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\Installer\MSI6ECF.tmp
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\System32\svchost.exe -k secsvcs
C:\Users\Public\Public Games\Pidgin\pidgin.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Windows\system32\ctfmon.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\explorer.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Kevin\Desktop\dds.com
C:\Windows\system32\conhost.exe

============== Pseudo HJT Report ===============

mStart Page = hxxp://www.yahoo.com
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride = <local>
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\program files\soluto\soluto.exe /userinit,
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - c:\program files\daemon tools toolbar\DTToolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\12.0\sharedcom\RoxWatchTray12.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [<NO NAME>]
mRun: [CPMonitor] "c:\program files\roxio 2010\5.0\CPMonitor.exe"
StartupFolder: c:\users\kevin\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\1.0.150\SSScheduler.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\brad\appdata\roaming\mozilla\firefox\profiles\ju3trz2t.default\
FF - prefs.js: browser.startup.homepage - hxxp://m.www.yahoo.com/
FF - prefs.js: network.proxy.type - 0
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dv.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 10);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 SahdIa32;HDD Filter Driver;c:\windows\system32\drivers\SahdIa32.sys [2010-1-14 21488]
R0 SaibIa32;Volume Filter Driver;c:\windows\system32\drivers\SaibIa32.sys [2010-1-14 15856]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-1-14 164048]
R1 c2scsi;c2scsi;c:\windows\system32\drivers\C2SCSI.SYS [2009-7-24 251248]
R1 SaibVd32;Virtual Disk Driver;c:\windows\system32\drivers\SaibVd32.sys [2010-1-14 25584]
R2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;c:\program files\roxio\backontrack\disaster recovery\SaibSVC.exe [2009-6-2 457200]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-1-14 19024]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-1-14 51792]
R2 HyperDeskCustomThemeEnabler;HyperDesk's Custom Theme Enabler;c:\windows\installer\MSI6ECF.tmp [2010-3-20 86016]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-1-21 1153368]
R2 TeamViewer5;TeamViewer 5;c:\program files\teamviewer\version5\TeamViewer_Service.exe [2010-3-18 172328]
R2 YahooAUService;Yahoo! Updater;c:\program files\yahoo!\softwareupdate\YahooAUService.exe [2008-11-9 602392]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-6-1 38224]
R3 NVNET;NVIDIA nForce 10/100 Mbps Ethernet ;c:\windows\system32\drivers\nvmf6232.sys [2010-1-15 287008]
S2 HdThemeEnabler;Hyperdesk Theme Enabler;"c:\program files\the skins factory\hyperdesk\common\hdthemeenabler.exe" -service --> c:\program files\the skins factory\hyperdesk\common\HDThemeEnabler.exe [?]
S2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files\common files\roxio shared\12.0\sharedcom\RoxWatch12.exe [2009-7-24 219632]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvscpapisvr.exe --> c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [?]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\dragon age\bin_ship\daupdatersvc.service.exe --> c:\program files\dragon age\bin_ship\DAUpdaterSvc.Service.exe [?]
S3 getPlusHelper;getPlus® Helper;c:\windows\system32\svchost.exe -k getPlusHelper [2009-7-13 20992]
S3 RoxMediaDB12;RoxMediaDB12;c:\program files\common files\roxio shared\12.0\sharedcom\RoxMediaDB12.exe [2009-7-24 1116656]
S3 STVqx5;Digital Blue QX5™ Microscope;c:\windows\system32\drivers\STVqx5.sys [2010-1-16 64512]
S3 STVqx5m;Digital Blue QX5™ Microscopem;c:\windows\system32\drivers\STVqx5m.sys [2010-1-16 6144]

=============== Created Last 30 ================

2010-06-27 14:10 <DIR> --d----- c:\users\brad\appdata\roaming\DAEMON Tools Lite
2010-06-27 01:35 <DIR> --dsh--- C:\$RECYCLE.BIN
2010-06-27 01:33 <DIR> --dsh--- c:\windows\system32\%APPDATA%
2010-06-27 01:05 256,512 a------- c:\windows\PEV.exe
2010-06-27 01:05 161,792 a------- c:\windows\SWREG.exe
2010-06-27 01:05 98,816 a------- c:\windows\sed.exe
2010-06-27 01:05 77,312 a------- c:\windows\MBR.exe
2010-06-27 01:02 <DIR> --d----- C:\%APPDATA%
2010-06-26 19:02 <DIR> --d----- c:\users\brad\appdata\roaming\Outertech
2010-06-26 19:01 <DIR> --d----- c:\users\brad\appdata\roaming\uTorrent
2010-06-22 19:28 <DIR> --d----- c:\program files\GetDiz
2010-06-22 14:15 <DIR> --d----- c:\windows\pss
2010-06-21 11:07 <DIR> --d----- c:\program files\Spore
2010-06-20 15:43 <DIR> --d----- c:\program files\EasyMod
2010-06-19 21:51 <DIR> --d----- c:\users\kevin\.minecraft
2010-06-18 16:11 <DIR> --d----- c:\windows\system32\appmgmt
2010-06-18 10:08 <DIR> --d----- c:\users\brad\appdata\roaming\Malwarebytes
2010-06-17 17:15 <DIR> --d----- c:\users\brad\appdata\roaming\NVIDIA
2010-06-16 18:46 <DIR> --d----- c:\users\brad\appdata\roaming\Vara Software
2010-06-16 18:46 <DIR> --d----- c:\users\brad\appdata\roaming\Wirecast
2010-06-16 18:46 <DIR> --d----- c:\programdata\Telestream
2010-06-16 18:46 <DIR> --d----- c:\program files\common files\eSellerate
2010-06-16 18:46 <DIR> --d----- c:\progra~2\Telestream
2010-06-16 18:45 <DIR> --d----- c:\program files\Ustream
2010-06-16 18:42 <DIR> --d----- c:\programdata\Apple Computer
2010-06-16 10:00 <DIR> --d----- c:\users\brad\appdata\roaming\Skinux
2010-06-16 08:48 <DIR> --d----- c:\users\brad\appdata\roaming\.minecraft
2010-06-16 08:39 <DIR> --d----- c:\users\brad\appdata\roaming\.purple
2010-06-10 09:58 <DIR> --d----- c:\users\kevin\.jogl_ext
2010-06-09 10:05 1,970,176 a------- c:\windows\system32\d3dx9.dll
2010-06-09 10:05 679,936 a------- c:\windows\system32\D3DX81ab.dll
2010-06-04 12:12 <DIR> --d----- c:\programdata\Soluto
2010-06-04 12:12 <DIR> --d----- c:\progra~2\Soluto
2010-06-01 10:57 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-01 10:57 20,952 a------- c:\windows\system32\drivers\mbam.sys
2010-06-01 10:57 <DIR> --d----- c:\programdata\Malwarebytes
2010-06-01 10:57 <DIR> --d----- c:\progra~2\Malwarebytes
2010-06-01 10:57 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2010-06-01 10:51 <DIR> a-d----- c:\programdata\TEMP
2010-05-28 19:05 <DIR> --d----- c:\windows\C5C1C0F0D62F4DBF81D4D7EF397C228B.TMP
2010-05-28 18:51 <DIR> --d----- c:\program files\Mass Effect 2

==================== Find3M ====================

2010-06-21 12:48 107,888 a------- c:\windows\system32\CmdLineExt.dll
2010-05-22 19:04 139,672 a------- c:\windows\system32\drivers\PnkBstrK.sys
2010-05-22 19:04 218,056 a------- c:\windows\system32\PnkBstrB.exe
2010-05-21 14:14 221,568 -------- c:\windows\system32\MpSigStub.exe
2010-05-13 07:06 2,359,592 a------- c:\windows\system32\pbsvc_apb.exe
2010-05-13 07:06 75,064 a------- c:\windows\system32\PnkBstrA.exe
2010-05-06 15:34 51,792 a------- c:\windows\system32\drivers\aswMonFlt.sys
2010-01-22 12:52 1,372 a------- c:\users\brad\appdata\roaming\ttYk8entG0Jjt.vbs
2010-01-19 17:59 1,372 a------- c:\users\brad\appdata\roaming\ED4F7w3kVirHW.vbs
2010-01-19 17:59 1,372 a------- c:\users\brad\appdata\roaming\f4CBDE4.vbs
2010-01-16 23:45 1,372 a------- c:\users\brad\appdata\roaming\c03LZ06.vbs
2010-01-16 23:28 1,372 a------- c:\users\brad\appdata\roaming\Dv6yx3l7xE6bR.vbs
2010-01-16 11:34 1,372 a------- c:\users\brad\appdata\roaming\iNuUGmxqtjLvE.vbs
2010-01-16 11:15 1,372 a------- c:\users\brad\appdata\roaming\nn632oVn1weHi.vbs
2010-01-16 10:48 1,372 a------- c:\users\brad\appdata\roaming\pbtNBDB.vbs
2010-01-16 09:48 1,372 a------- c:\users\brad\appdata\roaming\baBtz2jklxkhZXz.vbs
2010-01-16 09:46 1,372 a------- c:\users\brad\appdata\roaming\zC0j8Vv4ep3ZbQH.vbs
2009-07-13 23:56 291,294 a------- c:\windows\inf\perflib\0409\perfi.dat
2009-07-13 23:56 291,294 a------- c:\windows\inf\perflib\0409\perfh.dat
2009-07-13 23:56 31,548 a------- c:\windows\inf\perflib\0409\perfd.dat
2009-07-13 23:56 31,548 a------- c:\windows\inf\perflib\0409\perfc.dat
2009-07-13 23:41 174 a--sh--- c:\program files\desktop.ini
2009-07-13 19:34 291,294 a------- c:\windows\inf\perflib\0000\perfi.dat
2009-07-13 19:34 291,294 a------- c:\windows\inf\perflib\0000\perfh.dat
2009-07-13 19:34 31,548 a------- c:\windows\inf\perflib\0000\perfd.dat
2009-07-13 19:34 31,548 a------- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 16:26 9,633,792 a--shr-- c:\windows\fonts\StaticCache.dat
2010-01-22 20:03 245,760 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-07-13 20:14 396,800 a--sh--- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 14:14:22.99 ===============

And the GMER scan:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-27 14:25:51
Windows 6.1.7600
Running: gmer.exe; Driver: C:\Users\Kevin\AppData\Local\Temp\pxloqkoc.sys


---- System - GMER 1.0.15 ----

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E45AF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E45104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E453F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E2D634
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E2D898
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E451DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E45958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E456F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E45F2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E461A8

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0x8AE15AC6]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0x8AE158EA]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0x8AE15A24]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13BD 82A5E5C9 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82A83052 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
PAGE ntkrnlpa.exe!ZwLoadDriver 82BBC279 7 Bytes JMP 8AE15A28 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 82C23F59 5 Bytes JMP 8AE11536 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ObInsertObject + 27 82C3DC5F 5 Bytes JMP 8AE12F28 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!NtCreateSection 82C4BCE3 7 Bytes JMP 8AE158EE \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 82CF5E12 7 Bytes JMP 8AE15ACA \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
? System32\Drivers\spjn.sys The system cannot find the path specified. !
.text USBPORT.SYS!DllUnload 91ABBCA0 5 Bytes JMP 86C171D8
.text a6n0ba3o.SYS 91B8F000 12 Bytes [44, 08, E3, 82, EE, 06, E3, ...]
.text a6n0ba3o.SYS 91B8F00D 9 Bytes [E7, E2, 82, 48, 0B, E3, 82, ...] {OUT 0xe2, EAX; OR BYTE [EAX+0xb], -0x1d; ADD BYTE [EAX], 0x0}
.text a6n0ba3o.SYS 91B8F017 20 Bytes [00, DE, C7, 13, 8B, E6, C5, ...]
.text a6n0ba3o.SYS 91B8F02C 149 Bytes [00, 00, 00, 00, 00, 92, A5, ...]
.text a6n0ba3o.SYS 91B8F0C3 8 Bytes [00, 00, 00, 00, 00, 00, 00, ...] {ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL}
.text ...
.text C:\Windows\system32\DRIVERS\atksgt.sys section is writeable [0x9C58A300, 0x3B6D8, 0xE8000020]
.text C:\Windows\system32\DRIVERS\lirsgt.sys section is writeable [0x9C5CD300, 0x1BEE, 0xE8000020]
.text peauth.sys A2621C9D 28 Bytes [44, 09, 94, 21, 49, 90, 85, ...]
.text peauth.sys A2621CC1 28 Bytes [44, 09, 94, 21, 49, 90, 85, ...]
PAGE peauth.sys A2627B9B 72 Bytes [20, 3A, 8A, B9, 87, CD, 6B, ...]
PAGE peauth.sys A2627BEC 111 Bytes [AE, 8C, AB, A6, BA, 53, A3, ...]
PAGE peauth.sys A2627E20 101 Bytes [49, 08, CE, 6A, 74, 0F, 9A, ...]
PAGE ...

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\Explorer.EXE[376] ntdll.dll!NtProtectVirtualMemory 770A5360 5 Bytes JMP 002C000A
.text C:\Windows\Explorer.EXE[376] ntdll.dll!NtWriteVirtualMemory 770A5EE0 5 Bytes JMP 0178000A
.text C:\Windows\Explorer.EXE[376] ntdll.dll!KiUserExceptionDispatcher 770A6448 5 Bytes JMP 002B000A
.text C:\Windows\system32\svchost.exe[984] ntdll.dll!NtProtectVirtualMemory 770A5360 5 Bytes JMP 002D000A
.text C:\Windows\system32\svchost.exe[984] ntdll.dll!NtWriteVirtualMemory 770A5EE0 5 Bytes JMP 002E000A
.text C:\Windows\system32\svchost.exe[984] ntdll.dll!KiUserExceptionDispatcher 770A6448 5 Bytes JMP 002C000A
.text C:\Windows\system32\svchost.exe[984] ole32.dll!CoCreateInstance 76E557FC 5 Bytes JMP 0035000A
.text C:\Windows\system32\svchost.exe[984] USER32.dll!GetCursorPos 75A1C198 5 Bytes JMP 00DB000A
.text C:\Windows\Explorer.EXE[1772] ntdll.dll!NtProtectVirtualMemory 770A5360 5 Bytes JMP 0028000A
.text C:\Windows\Explorer.EXE[1772] ntdll.dll!NtWriteVirtualMemory 770A5EE0 5 Bytes JMP 0067000A
.text C:\Windows\Explorer.EXE[1772] ntdll.dll!KiUserExceptionDispatcher 770A6448 5 Bytes JMP 0027000A
.text C:\Windows\system32\wuauclt.exe[3016] ntdll.dll!NtProtectVirtualMemory 770A5360 5 Bytes JMP 0020000A
.text C:\Windows\system32\wuauclt.exe[3016] ntdll.dll!NtWriteVirtualMemory 770A5EE0 5 Bytes JMP 0036000A
.text C:\Windows\system32\wuauclt.exe[3016] ntdll.dll!KiUserExceptionDispatcher 770A6448 5 Bytes JMP 001F000A
.text C:\Windows\explorer.exe[3288] ntdll.dll!NtProtectVirtualMemory 770A5360 5 Bytes JMP 001B000A
.text C:\Windows\explorer.exe[3288] ntdll.dll!NtWriteVirtualMemory 770A5EE0 5 Bytes JMP 001C000A
.text C:\Windows\explorer.exe[3288] ntdll.dll!KiUserExceptionDispatcher 770A6448 5 Bytes JMP 000D000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[4192] ntdll.dll!NtProtectVirtualMemory 770A5360 5 Bytes JMP 004B000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[4192] ntdll.dll!NtWriteVirtualMemory 770A5EE0 5 Bytes JMP 004D000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[4192] ntdll.dll!KiUserExceptionDispatcher 770A6448 5 Bytes JMP 0049000A
.text C:\Windows\explorer.exe[4476] ntdll.dll!NtProtectVirtualMemory 770A5360 5 Bytes JMP 0029000A
.text C:\Windows\explorer.exe[4476] ntdll.dll!NtWriteVirtualMemory 770A5EE0 5 Bytes JMP 002A000A
.text C:\Windows\explorer.exe[4476] ntdll.dll!KiUserExceptionDispatcher 770A6448 5 Bytes JMP 0028000A
.text C:\Windows\Explorer.EXE[5124] ntdll.dll!NtProtectVirtualMemory 770A5360 5 Bytes JMP 001B000A
.text C:\Windows\Explorer.EXE[5124] ntdll.dll!NtWriteVirtualMemory 770A5EE0 5 Bytes JMP 001C000A
.text C:\Windows\Explorer.EXE[5124] ntdll.dll!KiUserExceptionDispatcher 770A6448 5 Bytes JMP 000D000A
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[5620] USER32.dll!TrackPopupMenu 75A44B3B 5 Bytes JMP 64400501 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 860381F8
Device \Driver\volmgr \Device\VolMgrControl 853B91F8
Device \Driver\usbohci \Device\USBPDO-0 86C191F8
Device \Driver\usbehci \Device\USBPDO-1 86C1A1F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{C2B537C1-DCC3-4F1F-9F33-B07427A66028} 86A9B1F8

AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\PCI_PNP3760 \Device\00000056 spjn.sys
Device \Driver\volmgr \Device\HarddiskVolume1 853B91F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 SaibIa32.sys (Disk Filter Driver/Sonic Solutions)

Device \Driver\volmgr \Device\HarddiskVolume2 853B91F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 SaibIa32.sys (Disk Filter Driver/Sonic Solutions)

Device \Driver\cdrom \Device\CdRom0 864FA1F8
Device \Driver\cdrom \Device\CdRom1 864FA1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 853BB1F8
Device \Driver\atapi \Device\Ide\IdePort0 853BB1F8
Device \Driver\atapi \Device\Ide\IdePort1 853BB1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-3 853BB1F8
Device \Driver\cdrom \Device\CdRom2 864FA1F8
Device \Driver\cdrom \Device\CdRom3 864FA1F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 86A9B1F8
Device \Driver\sptd \Device\1564461760 spjn.sys
Device \Driver\ACPI_HAL \Device\0000004e halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
Device \Driver\nvstor \Device\RaidPort0 853BC1F8

AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\usbohci \Device\USBFDO-0 86C191F8
Device \Driver\usbehci \Device\USBFDO-1 86C1A1F8
Device \Driver\a6n0ba3o \Device\Scsi\a6n0ba3o1Port3Path0Target0Lun0 8609B1F8
Device \Driver\c2scsi \Device\Scsi\c2scsi1Port4Path0Target0Lun0 8608F1F8
Device \Driver\c2scsi \Device\Scsi\c2scsi1 8608F1F8
Device \Driver\a6n0ba3o \Device\Scsi\a6n0ba3o1Port3Path0Target1Lun0 8609B1F8
Device \Driver\a6n0ba3o \Device\Scsi\a6n0ba3o1 8609B1F8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xD6 0xC9 0x70 0x2C ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xAD 0x7B 0x70 0x33 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xC1 0x65 0x41 0x85 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0x13 0xB7 0x3B 0x1E ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xD6 0xC9 0x70 0x2C ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xAD 0x7B 0x70 0x33 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xC1 0x65 0x41 0x85 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0x13 0xB7 0x3B 0x1E ...
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System
Reg HKLM\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Servers\94F0AA72-8CEB-47A2-A540-A8484EE8823E@IPAddress 127.0.0.1
Reg HKLM\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Servers\9B73C93B-F7F9-4653-B5EC-84637EBCBB8B@IPAddress 127.0.0.1

---- EOF - GMER 1.0.15 ----

#2 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  • Gender:Male
  • Location:Munich,Germany
  • Local time:09:24 AM

Posted 02 July 2010 - 11:30 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE



Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
Regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.

#3 Nyght

Nyght
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:03:24 AM

Posted 02 July 2010 - 03:22 PM

Thank you, I was starting to wonder if I was going to have to reformat.

Here is the DDS log:

DDS (Ver_09-09-29.01) - NTFSx86
Run by Kevin at 14:56:36.62 on Fri 07/02/2010
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_17
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3071.1720 [GMT -5:00]

SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\Installer\MSI6ECF.tmp
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\PnkBstrA.exe
C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\DAEMON Tools Lite\DTLite.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Java\jre6\bin\javaw.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Windows\system32\svchost.exe -k netsvcs
c:\program files\windows defender\MpCmdRun.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\explorer.exe
C:\Users\Kevin\Desktop\dds.com
C:\Windows\system32\conhost.exe

============== Pseudo HJT Report ===============

uStart Page = www.ijji.com
mStart Page = hxxp://www.yahoo.com
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride = <local>
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\program files\soluto\soluto.exe /userinit,
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - c:\program files\daemon tools toolbar\DTToolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\12.0\sharedcom\RoxWatchTray12.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [<NO NAME>]
mRun: [CPMonitor] "c:\program files\roxio 2010\5.0\CPMonitor.exe"
StartupFolder: c:\users\kevin\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\1.0.150\SSScheduler.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\pandy\appdata\roaming\mozilla\firefox\profiles\qr9plkoi.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npijjiautoinstallpluginff.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dv.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 SahdIa32;HDD Filter Driver;c:\windows\system32\drivers\SahdIa32.sys [2010-1-14 21488]
R0 SaibIa32;Volume Filter Driver;c:\windows\system32\drivers\SaibIa32.sys [2010-1-14 15856]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-1-14 164048]
R1 c2scsi;c2scsi;c:\windows\system32\drivers\C2SCSI.SYS [2009-7-24 251248]
R1 SaibVd32;Virtual Disk Driver;c:\windows\system32\drivers\SaibVd32.sys [2010-1-14 25584]
R2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;c:\program files\roxio\backontrack\disaster recovery\SaibSVC.exe [2009-6-2 457200]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-1-14 19024]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-1-14 51792]
R2 HyperDeskCustomThemeEnabler;HyperDesk's Custom Theme Enabler;c:\windows\installer\MSI6ECF.tmp [2010-3-20 86016]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-1-21 1153368]
R2 TeamViewer5;TeamViewer 5;c:\program files\teamviewer\version5\TeamViewer_Service.exe [2010-3-18 172328]
R2 YahooAUService;Yahoo! Updater;c:\program files\yahoo!\softwareupdate\YahooAUService.exe [2008-11-9 602392]
R3 NVNET;NVIDIA nForce 10/100 Mbps Ethernet ;c:\windows\system32\drivers\nvmf6232.sys [2010-1-15 287008]
S2 HdThemeEnabler;Hyperdesk Theme Enabler;"c:\program files\the skins factory\hyperdesk\common\hdthemeenabler.exe" -service --> c:\program files\the skins factory\hyperdesk\common\HDThemeEnabler.exe [?]
S2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files\common files\roxio shared\12.0\sharedcom\RoxWatch12.exe [2009-7-24 219632]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvscpapisvr.exe --> c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [?]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\dragon age\bin_ship\daupdatersvc.service.exe --> c:\program files\dragon age\bin_ship\DAUpdaterSvc.Service.exe [?]
S3 getPlusHelper;getPlus® Helper;c:\windows\system32\svchost.exe -k getPlusHelper [2009-7-13 20992]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-6-1 38224]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 RoxMediaDB12;RoxMediaDB12;c:\program files\common files\roxio shared\12.0\sharedcom\RoxMediaDB12.exe [2009-7-24 1116656]
S3 STVqx5;Digital Blue QX5™ Microscope;c:\windows\system32\drivers\STVqx5.sys [2010-1-16 64512]
S3 STVqx5m;Digital Blue QX5™ Microscopem;c:\windows\system32\drivers\STVqx5m.sys [2010-1-16 6144]

=============== Created Last 30 ================

2010-07-01 02:17 <DIR> --d----- c:\program files\StarCraft II Beta
2010-06-30 21:41 <DIR> --d----- c:\windows\system32\%LocalAppData%
2010-06-30 00:32 3,552,208 a------- c:\windows\system32\GameMon.des
2010-06-30 00:31 5,174 a------- c:\windows\system32\nppt9x.vxd
2010-06-30 00:31 4,682 a------- c:\windows\system32\npptNT2.sys
2010-06-30 00:31 <DIR> --d----- c:\program files\common files\INCA Shared
2010-06-29 23:30 <DIR> --d----- C:\ijji
2010-06-29 23:07 427,008 a------- c:\windows\system32\uc_wepic_launching.dll
2010-06-29 23:07 713,312 a------- c:\windows\system32\ijjiSetup.exe
2010-06-29 23:07 208,384 a------- c:\windows\system32\uc_rohan_launching.dll
2010-06-29 23:07 147,456 a------- c:\windows\system32\uc_neosteam_launching.dll
2010-06-29 23:07 86,624 a------- c:\windows\system32\ijjiChannelingPlugin.dll
2010-06-29 23:07 75,264 a------- c:\windows\system32\uc_holybeast_launching.dll
2010-06-29 23:07 64,000 a------- c:\windows\system32\uc_sfighters_launching.dll
2010-06-29 23:07 62,048 a------- c:\windows\system32\ijjiProcessRestarter.exe
2010-06-29 23:07 61,440 a------- c:\windows\system32\uc_atlantica_launching.dll
2010-06-29 23:07 57,952 a------- c:\windows\system32\ijjiPlugin2.dll
2010-06-29 23:07 53,248 a------- c:\windows\system32\uc_luminary_launching.dll
2010-06-29 23:07 9,728 a------- c:\windows\system32\uc_karos_launching.dll
2010-06-29 23:07 <DIR> --d----- c:\program files\ijji
2010-06-28 22:59 <DIR> --d----- c:\program files\EE1
2010-06-27 01:35 <DIR> --dsh--- C:\$RECYCLE.BIN
2010-06-27 01:33 <DIR> --dsh--- c:\windows\system32\%APPDATA%
2010-06-27 01:05 256,512 a------- c:\windows\PEV.exe
2010-06-27 01:05 161,792 a------- c:\windows\SWREG.exe
2010-06-27 01:05 98,816 a------- c:\windows\sed.exe
2010-06-27 01:05 77,312 a------- c:\windows\MBR.exe
2010-06-27 01:02 <DIR> --d----- C:\%APPDATA%
2010-06-22 19:28 <DIR> --d----- c:\program files\GetDiz
2010-06-22 14:15 <DIR> --d----- c:\windows\pss
2010-06-21 11:07 <DIR> --d----- c:\program files\Spore
2010-06-20 15:43 <DIR> --d----- c:\program files\EasyMod
2010-06-19 21:51 <DIR> --d----- c:\users\kevin\.minecraft
2010-06-18 16:11 <DIR> --d----- c:\windows\system32\appmgmt
2010-06-16 18:46 <DIR> --d----- c:\programdata\Telestream
2010-06-16 18:46 <DIR> --d----- c:\program files\common files\eSellerate
2010-06-16 18:46 <DIR> --d----- c:\progra~2\Telestream
2010-06-16 18:45 <DIR> --d----- c:\program files\Ustream
2010-06-16 18:42 <DIR> --d----- c:\programdata\Apple Computer
2010-06-10 09:58 <DIR> --d----- c:\users\kevin\.jogl_ext
2010-06-09 10:05 1,970,176 a------- c:\windows\system32\d3dx9.dll
2010-06-09 10:05 679,936 a------- c:\windows\system32\D3DX81ab.dll
2010-06-04 12:12 <DIR> --d----- c:\programdata\Soluto
2010-06-04 12:12 <DIR> --d----- c:\progra~2\Soluto

==================== Find3M ====================

2010-06-21 12:48 107,888 a------- c:\windows\system32\CmdLineExt.dll
2010-05-22 19:04 139,672 a------- c:\windows\system32\drivers\PnkBstrK.sys
2010-05-22 19:04 218,056 a------- c:\windows\system32\PnkBstrB.exe
2010-05-21 14:14 221,568 -------- c:\windows\system32\MpSigStub.exe
2010-05-13 07:06 2,359,592 a------- c:\windows\system32\pbsvc_apb.exe
2010-05-13 07:06 75,064 a------- c:\windows\system32\PnkBstrA.exe
2010-05-06 15:34 51,792 a------- c:\windows\system32\drivers\aswMonFlt.sys
2010-01-22 11:49 1,372 a------- c:\users\pandy\appdata\roaming\VGH6w.vbs
2010-01-21 11:28 1,372 a------- c:\users\pandy\appdata\roaming\NoJwh.vbs
2010-01-21 11:28 1,372 a------- c:\users\pandy\appdata\roaming\ZliCq.vbs
2009-07-13 23:56 291,294 a------- c:\windows\inf\perflib\0409\perfi.dat
2009-07-13 23:56 291,294 a------- c:\windows\inf\perflib\0409\perfh.dat
2009-07-13 23:56 31,548 a------- c:\windows\inf\perflib\0409\perfd.dat
2009-07-13 23:56 31,548 a------- c:\windows\inf\perflib\0409\perfc.dat
2009-07-13 23:41 174 a--sh--- c:\program files\desktop.ini
2009-07-13 19:34 291,294 a------- c:\windows\inf\perflib\0000\perfi.dat
2009-07-13 19:34 291,294 a------- c:\windows\inf\perflib\0000\perfh.dat
2009-07-13 19:34 31,548 a------- c:\windows\inf\perflib\0000\perfd.dat
2009-07-13 19:34 31,548 a------- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 16:26 9,633,792 a--shr-- c:\windows\fonts\StaticCache.dat
2010-01-22 20:03 245,760 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-07-13 20:14 396,800 a--sh--- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 14:57:12.95 ===============
And here is the GMER log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-02 15:21:42
Windows 6.1.7600
Running: gmer.exe; Driver: C:\Users\Kevin\AppData\Local\Temp\pxloqkoc.sys


---- System - GMER 1.0.15 ----

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E3FAF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E3F104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E3F3F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E282D8
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E27898
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E3F1DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E3F958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E3F6F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E3FF2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E401A8

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0x8B215AC6]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0x8B2158EA]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0x8B215A24]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13BD 82A585C9 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82A7D052 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
PAGE ntkrnlpa.exe!ZwLoadDriver 82BB6279 7 Bytes JMP 8B215A28 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 82C1DF59 5 Bytes JMP 8B211536 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ObInsertObject + 27 82C37C5F 5 Bytes JMP 8B212F28 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!NtCreateSection 82C45CE3 4 Bytes JMP 8B2158EE \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!NtCreateSection + 5 82C45CE8 2 Bytes [CC, CC] {INT 3 ; INT 3 }
PAGE ntkrnlpa.exe!ZwCreateProcessEx 82CEFE12 7 Bytes JMP 8B215ACA \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
? System32\Drivers\spgs.sys The system cannot find the path specified. !
.text USBPORT.SYS!DllUnload 912BBCA0 5 Bytes JMP 867BF1D8
.text abl6o3nq.SYS 9138F000 12 Bytes [44, A8, E2, 82, EE, A6, E2, ...]
.text abl6o3nq.SYS 9138F00D 9 Bytes [87, E2, 82, 48, AB, E2, 82, ...] {XCHG EDX, ESP; OR BYTE [EAX-0x55], -0x1e; ADD BYTE [EAX], 0x0}
.text abl6o3nq.SYS 9138F017 20 Bytes [00, DE, 97, 13, 8B, E6, 95, ...]
.text abl6o3nq.SYS 9138F02C 149 Bytes [00, 00, 00, 00, 00, 32, A5, ...]
.text abl6o3nq.SYS 9138F0C3 8 Bytes [00, 00, 00, 00, 00, 00, 00, ...] {ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL}
.text ...
.text C:\Windows\system32\DRIVERS\atksgt.sys section is writeable [0x9BD68300, 0x3B6D8, 0xE8000020]
.text C:\Windows\system32\DRIVERS\lirsgt.sys section is writeable [0x9BDAB300, 0x1BEE, 0xE8000020]
.text peauth.sys 9E21AC9D 28 Bytes [1E, A6, 71, FC, B8, 65, 24, ...]
.text peauth.sys 9E21ACC1 28 Bytes [1E, A6, 71, FC, B8, 65, 24, ...]
PAGE peauth.sys 9E220B9B 72 Bytes [67, 4F, 90, 8D, EF, 1D, 62, ...]
PAGE peauth.sys 9E220BEC 78 Bytes [50, 7C, 4C, C1, 74, 66, C9, ...]
PAGE peauth.sys 9E220C3F 28 Bytes [E4, BE, DB, 93, 75, EF, C1, ...]
PAGE ...

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\Explorer.EXE[1096] ntdll.dll!NtProtectVirtualMemory 77535360 5 Bytes JMP 007A000A
.text C:\Windows\Explorer.EXE[1096] ntdll.dll!NtWriteVirtualMemory 77535EE0 5 Bytes JMP 007F000A
.text C:\Windows\Explorer.EXE[1096] ntdll.dll!KiUserExceptionDispatcher 77536448 5 Bytes JMP 0079000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2544] ntdll.dll!NtProtectVirtualMemory 77535360 5 Bytes JMP 0037000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2544] ntdll.dll!NtWriteVirtualMemory 77535EE0 5 Bytes JMP 0038000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2544] ntdll.dll!KiUserExceptionDispatcher 77536448 5 Bytes JMP 0034000A
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3096] USER32.dll!TrackPopupMenu 76A64B3B 4 Bytes JMP 631F05FE C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Windows\Explorer.EXE[3552] ntdll.dll!NtProtectVirtualMemory 77535360 5 Bytes JMP 002D000A
.text C:\Windows\Explorer.EXE[3552] ntdll.dll!NtWriteVirtualMemory 77535EE0 5 Bytes JMP 002E000A
.text C:\Windows\Explorer.EXE[3552] ntdll.dll!KiUserExceptionDispatcher 77536448 5 Bytes JMP 0014000A
.text C:\Windows\explorer.exe[5016] ntdll.dll!NtProtectVirtualMemory 77535360 5 Bytes JMP 001B000A
.text C:\Windows\explorer.exe[5016] ntdll.dll!NtWriteVirtualMemory 77535EE0 5 Bytes JMP 0020000A
.text C:\Windows\explorer.exe[5016] ntdll.dll!KiUserExceptionDispatcher 77536448 5 Bytes JMP 001A000A
.text C:\Windows\system32\svchost.exe[5620] ntdll.dll!NtProtectVirtualMemory 77535360 5 Bytes JMP 0014000A
.text C:\Windows\system32\svchost.exe[5620] ntdll.dll!NtWriteVirtualMemory 77535EE0 5 Bytes JMP 001E000A
.text C:\Windows\system32\svchost.exe[5620] ntdll.dll!KiUserExceptionDispatcher 77536448 5 Bytes JMP 0013000A
.text C:\Windows\system32\svchost.exe[5620] ole32.dll!CoCreateInstance 765E57FC 5 Bytes JMP 0070000A
.text C:\Windows\system32\svchost.exe[5620] USER32.dll!GetCursorPos 76A3C198 5 Bytes JMP 0083000A

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 853C11F8

AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy1 SaibIa32.sys (Disk Filter Driver/Sonic Solutions)

Device \Driver\volmgr \Device\VolMgrControl 853BC1F8
Device \Driver\usbohci \Device\USBPDO-0 867A51F8
Device \Driver\usbehci \Device\USBPDO-1 867A61F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{C2B537C1-DCC3-4F1F-9F33-B07427A66028} 86586500

AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\PCI_PNP7152 \Device\00000057 spgs.sys
Device \Driver\volmgr \Device\HarddiskVolume1 853BC1F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 SaibIa32.sys (Disk Filter Driver/Sonic Solutions)

Device \Driver\volmgr \Device\HarddiskVolume2 853BC1F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 SaibIa32.sys (Disk Filter Driver/Sonic Solutions)

Device \Driver\cdrom \Device\CdRom0 8658B1F8
Device \Driver\cdrom \Device\CdRom1 8658B1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 853BE1F8
Device \Driver\atapi \Device\Ide\IdePort0 853BE1F8
Device \Driver\atapi \Device\Ide\IdePort1 853BE1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-3 853BE1F8
Device \Driver\cdrom \Device\CdRom2 8658B1F8
Device \Driver\cdrom \Device\CdRom3 8658B1F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 86586500
Device \Driver\ACPI_HAL \Device\0000004f halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
Device \Driver\nvstor \Device\RaidPort0 853BF1F8

AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\usbohci \Device\USBFDO-0 867A51F8
Device \Driver\usbehci \Device\USBFDO-1 867A61F8
Device \Driver\sptd \Device\3975465152 spgs.sys
Device \Driver\c2scsi \Device\Scsi\c2scsi1Port4Path0Target0Lun0 865E41F8
Device \Driver\abl6o3nq \Device\Scsi\abl6o3nq1Port3Path0Target0Lun0 865361F8
Device \Driver\c2scsi \Device\Scsi\c2scsi1 865E41F8
Device \Driver\abl6o3nq \Device\Scsi\abl6o3nq1Port3Path0Target1Lun0 865361F8
Device \Driver\abl6o3nq \Device\Scsi\abl6o3nq1 865361F8
Device \FileSystem\cdfs \Cdfs 857F61F8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x5B 0xA8 0x92 0xAB ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xAD 0x7B 0x70 0x33 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xC1 0x65 0x41 0x85 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0x13 0xB7 0x3B 0x1E ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x48 0x2A 0xDA 0x46 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xAD 0x7B 0x70 0x33 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xC1 0x65 0x41 0x85 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0x13 0xB7 0x3B 0x1E ...
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System

---- EOF - GMER 1.0.15 ----

#4 schrauber
    Mr.Mechanic

  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany
  • Local time:09:24 AM

Posted 03 July 2010 - 07:17 AM

Hello, Nyght
Welcome to the Bleeping Computer Forums. My name is Thomas (Tom is fine), and I will be helping you fix your problems.

If you do not make a reply in 4-5 days, we will have to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.
  • Please set your system to show all files.
    Click Start, open My Computer, select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.





Please go here and have a look how you can disable your security software.

Download Combofix from any of the links below but rename it to before saving it to your desktop.

Link 1
Link 2



--------------------------------------------------------------------

Double click on the renamed Combofix.exe & follow the prompts.
    When finished, it will produce a report for you.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
regards,
schrauber

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.

#5 Nyght
  • Topic Starter
  • Members
  • 4 posts
  • Local time:03:24 AM

Posted 03 July 2010 - 01:30 PM

I followed your instructions; however, when I ran ComboFix it notified me that it had to disable my disc emulation software. I clicked OK, then it restarted the computer; I logged in and it began to scan. After reaching Stage_50 the scan froze along with the rest of my computer. I figured it was just "thinking", yet after close to two hours of waiting no progress had been made and I was forced to restart my computer. Should I run it again?

#6 schrauber
    Mr.Mechanic

  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany
  • Local time:09:24 AM

Posted 05 July 2010 - 04:24 PM

Just have a look if you can find C:\Combofix.txt and post back with the content of the logfile.


  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (or you can hold down your Windows key and press R) and copy and paste the following into the text field (make sure you include the quote marks), then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.

regards,
schrauber

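
The driver listing that the command above writes to C:\TDSSKiller.txt carries, per driver, the service name, the MD5 of the image file and the path it loads from, which is exactly what a helper checks against known-good hashes and expected locations. The parser below is an added example and is not part of the thread or of TDSSKiller itself. The line layout it assumes is read off the log posted later in this thread (timestamp, process id, service name, MD5 in parentheses, image path); the sample lines are copied from that log, while the `example_svc` line and the small allow-list are constructed for illustration and are not real data.

```python
"""Parse the 'Scanning Drivers' section of a TDSSKiller 2.3.x text log.

Added example (not TDSSKiller code, not from the thread). Line layout assumed
from the log posted in this thread:
    <HH:MM:SS:mmm> <pid> <service name> (<md5>) <image path>
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Sequence, Set

DRIVER_LINE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}:\d{3})\s+(?P<pid>\d+)\s+"
    r"(?P<service>\S+)\s+\((?P<md5>[0-9a-fA-F]{32})\)\s+(?P<path>.+?)\s*$"
)

# Lines copied from the TDSSKiller log posted in this thread; the header and
# status lines are included so the parser is shown skipping them.
PAGE_LOG = r"""16:38:47:678 1284 TDSS rootkit removing tool 2.3.2.2 Jun 30 2010 17:23:49
16:38:47:944 1284 Initialize success
16:38:48:786 1284 Scanning Drivers ...
16:38:49:784 1284 1394ohci (6d2aca41739bfe8cb86ee8e85f29697d) C:\Windows\system32\DRIVERS\1394ohci.sys
16:38:49:816 1284 ACPI (f0e07d144c8685b8774bc32fc8da4df0) C:\Windows\system32\DRIVERS\ACPI.sys
16:38:50:206 1284 aic78xx (8b30250d573a8f6b4bd23195160d8707) C:\Windows\system32\DRIVERS\djsvs.sys
16:38:50:689 1284 aswSP (d78b644816db540e103d0b0766fd9967) C:\Windows\system32\drivers\aswSP.sys
16:38:51:438 1284 CLFS (635181e0e9bbf16871bf5380d71db02d) C:\Windows\system32\CLFS.sys
16:38:53:435 1284 MBAMSwissArmy (c7dd7d9739785bd3a6b8499eec1dee7e) C:\Windows\system32\drivers\mbamswissarmy.sys
"""

# Constructed line (NOT from the thread): a driver image sitting in a user
# directory, so the path check below has something to report.
CONSTRUCTED_LINE = (
    "16:38:57:000 1284 example_svc (" + "0" * 32 + ") "
    + r"C:\Users\Public\example_driver.sys"
)


@dataclass(frozen=True)
class DriverRecord:
    time: str
    pid: int
    service: str
    md5: str
    path: str

    @property
    def file_name(self) -> str:
        # Service name and file name often differ (aic78xx -> djsvs.sys above),
        # so keep both available for hash lookups.
        return self.path.rsplit("\\", 1)[-1]


def parse_driver_lines(log_text: str) -> List[DriverRecord]:
    """Return one DriverRecord per driver line; header/status lines are skipped."""
    records: List[DriverRecord] = []
    for line in log_text.splitlines():
        m = DRIVER_LINE.match(line.strip())
        if m:
            records.append(DriverRecord(
                time=m["time"], pid=int(m["pid"]), service=m["service"],
                md5=m["md5"].lower(), path=m["path"]))
    return records


def unknown_hashes(records: Iterable[DriverRecord], allowlist: Set[str]) -> List[DriverRecord]:
    """Drivers whose MD5 is not in a known-good set: candidates for a hash lookup."""
    return [r for r in records if r.md5 not in allowlist]


def outside_driver_dirs(records: Iterable[DriverRecord],
                        roots: Sequence[str] = ("c:\\windows\\system32\\",)) -> List[DriverRecord]:
    """Drivers whose image is not under an expected system directory."""
    lowered = tuple(root.lower() for root in roots)
    return [r for r in records if not r.path.lower().startswith(lowered)]


def main() -> None:
    records = parse_driver_lines(PAGE_LOG + CONSTRUCTED_LINE + "\n")
    print(f"{len(records)} driver entries parsed")
    for r in outside_driver_dirs(records):
        print(f"[path outside system32] {r.service:<16} {r.path}")
    for r in records:
        print(f"{r.md5}  {r.file_name}")


if __name__ == "__main__":
    main()
```

Run against a full log, the MD5 column is what you would feed to a vendor hash lookup, and any entry reported by `outside_driver_dirs` is worth a closer look before assuming it is a benign third-party driver.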

#7 Nyght
  • Topic Starter
  • Members
  • 4 posts
  • Local time:03:24 AM

Posted 06 July 2010 - 05:00 PM

I could not get ComboFix to procure a log for me; however, I did go ahead and download TDSSKiller. After running it, it said that it had found a rootkit and would cure it on my next reboot. As of now Firefox is not redirecting me anymore.



Here's the log file from TDSSKiller....

16:38:47:678 1284 TDSS rootkit removing tool 2.3.2.2 Jun 30 2010 17:23:49
16:38:47:678 1284 ================================================================================
16:38:47:678 1284 SystemInfo:

16:38:47:678 1284 OS Version: 6.1.7600 ServicePack: 0.0
16:38:47:678 1284 Product type: Workstation
16:38:47:678 1284 ComputerName: DARB1968-PC
16:38:47:678 1284 UserName: Kevin
16:38:47:678 1284 Windows directory: C:\Windows
16:38:47:678 1284 System windows directory: C:\Windows
16:38:47:678 1284 Processor architecture: Intel x86
16:38:47:678 1284 Number of processors: 2
16:38:47:678 1284 Page size: 0x1000
16:38:47:678 1284 Boot type: Normal boot
16:38:47:678 1284 ================================================================================
16:38:47:944 1284 Initialize success
16:38:47:944 1284
16:38:47:944 1284 Scanning Services ...
16:38:48:786 1284 Raw services enum returned 471 services
16:38:48:786 1284
16:38:48:786 1284 Scanning Drivers ...
16:38:49:784 1284 1394ohci (6d2aca41739bfe8cb86ee8e85f29697d) C:\Windows\system32\DRIVERS\1394ohci.sys
16:38:49:816 1284 ACPI (f0e07d144c8685b8774bc32fc8da4df0) C:\Windows\system32\DRIVERS\ACPI.sys
16:38:49:862 1284 AcpiPmi (98d81ca942d19f7d9153b095162ac013) C:\Windows\system32\DRIVERS\acpipmi.sys
16:38:49:909 1284 adp94xx (21e785ebd7dc90a06391141aac7892fb) C:\Windows\system32\DRIVERS\adp94xx.sys
16:38:49:987 1284 adpahci (0c676bc278d5b59ff5abd57bbe9123f2) C:\Windows\system32\DRIVERS\adpahci.sys
16:38:50:018 1284 adpu320 (7c7b5ee4b7b822ec85321fe23a27db33) C:\Windows\system32\DRIVERS\adpu320.sys
16:38:50:096 1284 AFD (ddc040fdb01ef1712a6b13e52afb104c) C:\Windows\system32\drivers\afd.sys
16:38:50:143 1284 agp440 (507812c3054c21cef746b6ee3d04dd6e) C:\Windows\system32\DRIVERS\agp440.sys
16:38:50:206 1284 aic78xx (8b30250d573a8f6b4bd23195160d8707) C:\Windows\system32\DRIVERS\djsvs.sys
16:38:50:237 1284 aliide (0d40bcf52ea90fc7df2aeab6503dea44) C:\Windows\system32\DRIVERS\aliide.sys
16:38:50:268 1284 amdagp (3c6600a0696e90a463771c7422e23ab5) C:\Windows\system32\DRIVERS\amdagp.sys
16:38:50:299 1284 amdide (cd5914170297126b6266860198d1d4f0) C:\Windows\system32\DRIVERS\amdide.sys
16:38:50:408 1284 AmdK8 (00dda200d71bac534bf56a9db5dfd666) C:\Windows\system32\DRIVERS\amdk8.sys
16:38:50:471 1284 AmdPPM (3cbf30f5370fda40dd3e87df38ea53b6) C:\Windows\system32\DRIVERS\amdppm.sys
16:38:50:486 1284 amdsata (2101a86c25c154f8314b24ef49d7fbc2) C:\Windows\system32\DRIVERS\amdsata.sys
16:38:50:502 1284 amdsbs (ea43af0c423ff267355f74e7a53bdaba) C:\Windows\system32\DRIVERS\amdsbs.sys
16:38:50:533 1284 amdxata (b81c2b5616f6420a9941ea093a92b150) C:\Windows\system32\DRIVERS\amdxata.sys
16:38:50:549 1284 AppID (feb834c02ce1e84b6a38f953ca067706) C:\Windows\system32\drivers\appid.sys
16:38:50:564 1284 arc (2932004f49677bd84dbc72edb754ffb3) C:\Windows\system32\DRIVERS\arc.sys
16:38:50:580 1284 arcsas (5d6f36c46fd283ae1b57bd2e9feb0bc7) C:\Windows\system32\DRIVERS\arcsas.sys
16:38:50:627 1284 AsIO (2b4e66fac6503494a2c6f32bb6ab3826) C:\Windows\system32\drivers\AsIO.sys
16:38:50:642 1284 aswFsBlk (1b6ed99291ddf5d2501554cc5757aab6) C:\Windows\system32\drivers\aswFsBlk.sys
16:38:50:658 1284 aswMonFlt (58254e06b36b984e33ae314c0ea8f1a5) C:\Windows\system32\drivers\aswMonFlt.sys
16:38:50:674 1284 aswRdr (3e2b6112d2766f87eda8466fde86a986) C:\Windows\system32\drivers\aswRdr.sys
16:38:50:689 1284 aswSP (d78b644816db540e103d0b0766fd9967) C:\Windows\system32\drivers\aswSP.sys
16:38:50:720 1284 aswTdi (606d731008d98b6ef946730c597c1642) C:\Windows\system32\drivers\aswTdi.sys
16:38:50:736 1284 AsyncMac (add2ade1c2b285ab8378d2daaf991481) C:\Windows\system32\DRIVERS\asyncmac.sys
16:38:50:752 1284 atapi (338c86357871c167a96ab976519bf59e) C:\Windows\system32\DRIVERS\atapi.sys
16:38:50:767 1284 atksgt (f0d933b42cd0594048e4d5200ae9e417) C:\Windows\system32\DRIVERS\atksgt.sys
16:38:50:798 1284 b06bdrv (1a231abec60fd316ec54c66715543cec) C:\Windows\system32\DRIVERS\bxvbdx.sys
16:38:50:892 1284 b57nd60x (bd8869eb9cde6bbe4508d869929869ee) C:\Windows\system32\DRIVERS\b57nd60x.sys
16:38:50:923 1284 Beep (505506526a9d467307b3c393dedaf858) C:\Windows\system32\drivers\Beep.sys
16:38:50:954 1284 blbdrive (2287078ed48fcfc477b05b20cf38f36f) C:\Windows\system32\DRIVERS\blbdrive.sys
16:38:51:001 1284 bowser (fcafaef6798d7b51ff029f99a9898961) C:\Windows\system32\DRIVERS\bowser.sys
16:38:51:032 1284 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\DRIVERS\BrFiltLo.sys
16:38:51:095 1284 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\DRIVERS\BrFiltUp.sys
16:38:51:126 1284 Brserid (845b8ce732e67f3b4133164868c666ea) C:\Windows\System32\Drivers\Brserid.sys
16:38:51:157 1284 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\System32\Drivers\BrSerWdm.sys
16:38:51:173 1284 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\System32\Drivers\BrUsbMdm.sys
16:38:51:188 1284 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\System32\Drivers\BrUsbSer.sys
16:38:51:220 1284 BTHMODEM (ed3df7c56ce0084eb2034432fc56565a) C:\Windows\system32\DRIVERS\bthmodem.sys
16:38:51:251 1284 c2scsi (0b1689474415c400c75a7046e88ca68e) C:\Windows\system32\DRIVERS\c2scsi.sys
16:38:51:344 1284 cdfs (77ea11b065e0a8ab902d78145ca51e10) C:\Windows\system32\DRIVERS\cdfs.sys
16:38:51:376 1284 cdrom (ba6e70aa0e6091bc39de29477d866a77) C:\Windows\system32\DRIVERS\cdrom.sys
16:38:51:407 1284 circlass (3fe3fe94a34df6fb06e6418d0f6a0060) C:\Windows\system32\DRIVERS\circlass.sys
16:38:51:438 1284 CLFS (635181e0e9bbf16871bf5380d71db02d) C:\Windows\system32\CLFS.sys
16:38:51:469 1284 CmBatt (dea805815e587dad1dd2c502220b5616) C:\Windows\system32\DRIVERS\CmBatt.sys
16:38:51:485 1284 cmdide (c537b1db64d495b9b4717b4d6d9edbf2) C:\Windows\system32\DRIVERS\cmdide.sys
16:38:51:516 1284 CNG (1b675691ed940766149c93e8f4488d68) C:\Windows\system32\Drivers\cng.sys
16:38:51:532 1284 Compbatt (a6023d3823c37043986713f118a89bee) C:\Windows\system32\DRIVERS\compbatt.sys
16:38:51:563 1284 CompositeBus (f1724ba27e97d627f808fb0ba77a28a6) C:\Windows\system32\DRIVERS\CompositeBus.sys
16:38:51:578 1284 crcdisk (2c4ebcfc84a9b44f209dff6c6e6c61d1) C:\Windows\system32\DRIVERS\crcdisk.sys
16:38:51:610 1284 CSC (27c9490bdd0ae48911ab8cf1932591ed) C:\Windows\system32\drivers\csc.sys
16:38:51:625 1284 DfsC (8e09e52ee2e3ceb199ef3dd99cf9e3fb) C:\Windows\system32\Drivers\dfsc.sys
16:38:51:641 1284 discache (1a050b0274bfb3890703d490f330c0da) C:\Windows\system32\drivers\discache.sys
16:38:51:656 1284 Disk (565003f326f99802e68ca78f2a68e9ff) C:\Windows\system32\DRIVERS\disk.sys
16:38:51:688 1284 dot4 (b5e479eb83707dd698f66953e922042c) C:\Windows\system32\DRIVERS\Dot4.sys
16:38:51:703 1284 Dot4Print (c25fea07a8e7767e8b89ab96a3b96519) C:\Windows\system32\DRIVERS\Dot4Prt.sys
16:38:51:734 1284 dot4usb (cf491ff38d62143203c065260567e2f7) C:\Windows\system32\DRIVERS\dot4usb.sys
16:38:51:766 1284 drmkaud (b918e7c5f9bf77202f89e1a9539f2eb4) C:\Windows\system32\drivers\drmkaud.sys
16:38:51:812 1284 DXGKrnl (8b6c3464d7fac176500061dbfff42ad4) C:\Windows\System32\drivers\dxgkrnl.sys
16:38:51:922 1284 ebdrv (024e1b5cac09731e4d868e64dbfb4ab0) C:\Windows\system32\DRIVERS\evbdx.sys
16:38:52:046 1284 elxstor (0ed67910c8c326796faa00b2bf6d9d3c) C:\Windows\system32\DRIVERS\elxstor.sys
16:38:52:124 1284 ErrDev (8fc3208352dd3912c94367a206ab3f11) C:\Windows\system32\DRIVERS\errdev.sys
16:38:52:171 1284 exfat (2dc9108d74081149cc8b651d3a26207f) C:\Windows\system32\drivers\exfat.sys
16:38:52:265 1284 fastfat (7e0ab74553476622fb6ae36f73d97d35) C:\Windows\system32\drivers\fastfat.sys
16:38:52:296 1284 fdc (e817a017f82df2a1f8cfdbda29388b29) C:\Windows\system32\DRIVERS\fdc.sys
16:38:52:343 1284 FileInfo (6cf00369c97f3cf563be99be983d13d8) C:\Windows\system32\drivers\fileinfo.sys
16:38:52:390 1284 Filetrace (42c51dc94c91da21cb9196eb64c45db9) C:\Windows\system32\drivers\filetrace.sys
16:38:52:421 1284 flpydisk (87907aa70cb3c56600f1c2fb8841579b) C:\Windows\system32\DRIVERS\flpydisk.sys
16:38:52:452 1284 FltMgr (7520ec808e0c35e0ee6f841294316653) C:\Windows\system32\drivers\fltmgr.sys
16:38:52:483 1284 FsDepends (1a16b57943853e598cff37fe2b8cbf1d) C:\Windows\system32\drivers\FsDepends.sys
16:38:52:514 1284 Fs_Rec (a574b4360e438977038aae4bf60d79a2) C:\Windows\system32\drivers\Fs_Rec.sys
16:38:52:546 1284 fvevol (5592f5dba26282d24d2b080eb438a4d7) C:\Windows\system32\DRIVERS\fvevol.sys
16:38:52:577 1284 gagp30kx (65ee0c7a58b65e74ae05637418153938) C:\Windows\system32\DRIVERS\gagp30kx.sys
16:38:52:592 1284 hcw85cir (c44e3c2bab6837db337ddee7544736db) C:\Windows\system32\drivers\hcw85cir.sys
16:38:52:639 1284 HdAudAddService (3530cad25deba7dc7de8bb51632cbc5f) C:\Windows\system32\drivers\HdAudio.sys
16:38:52:655 1284 HDAudBus (717a2207fd6f13ad3e664c7d5a43c7bf) C:\Windows\system32\DRIVERS\HDAudBus.sys
16:38:52:686 1284 HidBatt (1d58a7f3e11a9731d0eaaaa8405acc36) C:\Windows\system32\DRIVERS\HidBatt.sys
16:38:52:702 1284 HidBth (89448f40e6df260c206a193a4683ba78) C:\Windows\system32\DRIVERS\hidbth.sys
16:38:52:733 1284 HidIr (cf50b4cf4a4f229b9f3c08351f99ca5e) C:\Windows\system32\DRIVERS\hidir.sys
16:38:52:780 1284 HidUsb (25072fb35ac90b25f9e4e3bacf774102) C:\Windows\system32\DRIVERS\hidusb.sys
16:38:52:811 1284 HpSAMD (295fdc419039090eb8b49ffdbb374549) C:\Windows\system32\DRIVERS\HpSAMD.sys
16:38:52:842 1284 HTTP (c531c7fd9e8b62021112787c4e2c5a5a) C:\Windows\system32\drivers\HTTP.sys
16:38:52:873 1284 hwpolicy (8305f33cde89ad6c7a0763ed0b5a8d42) C:\Windows\system32\drivers\hwpolicy.sys
16:38:52:904 1284 i8042prt (f151f0bdc47f4a28b1b20a0818ea36d6) C:\Windows\system32\DRIVERS\i8042prt.sys
16:38:52:920 1284 iaStorV (934af4d7c5f457b9f0743f4299b77b67) C:\Windows\system32\DRIVERS\iaStorV.sys
16:38:52:951 1284 iirsp (4173ff5708f3236cf25195fecd742915) C:\Windows\system32\DRIVERS\iirsp.sys
16:38:52:967 1284 intelide (a0f12f2c9ba6c72f3987ce780e77c130) C:\Windows\system32\DRIVERS\intelide.sys
16:38:52:998 1284 intelppm (3b514d27bfc4accb4037bc6685f766e0) C:\Windows\system32\DRIVERS\intelppm.sys
16:38:53:014 1284 IpFilterDriver (709d1761d3b19a932ff0238ea6d50200) C:\Windows\system32\DRIVERS\ipfltdrv.sys
16:38:53:045 1284 IPMIDRV (e4454b6c37d7ffd5649611f6496308a7) C:\Windows\system32\DRIVERS\IPMIDrv.sys
16:38:53:076 1284 IPNAT (a5fa468d67abcdaa36264e463a7bb0cd) C:\Windows\system32\drivers\ipnat.sys
16:38:53:107 1284 IRENUM (42996cff20a3084a56017b7902307e9f) C:\Windows\system32\drivers\irenum.sys
16:38:53:123 1284 isapnp (1f32bb6b38f62f7df1a7ab7292638a35) C:\Windows\system32\DRIVERS\isapnp.sys
16:38:53:154 1284 iScsiPrt (ed46c223ae46c6866ab77cdc41c404b7) C:\Windows\system32\DRIVERS\msiscsi.sys
16:38:53:170 1284 kbdclass (adef52ca1aeae82b50df86b56413107e) C:\Windows\system32\DRIVERS\kbdclass.sys
16:38:53:185 1284 kbdhid (3d9f0ebf350edcfd6498057301455964) C:\Windows\system32\DRIVERS\kbdhid.sys
16:38:53:216 1284 klmd23 (316353165feba3d0538eaa9c2f60c5b7) C:\Windows\system32\drivers\klmd.sys
16:38:53:248 1284 KSecDD (e36a061ec11b373826905b21be10948f) C:\Windows\system32\Drivers\ksecdd.sys
16:38:53:263 1284 KSecPkg (26c046977e85b95036453d7b88ba1820) C:\Windows\system32\Drivers\ksecpkg.sys
16:38:53:294 1284 lirsgt (f8a7212d0864ef5e9185fb95e6623f4d) C:\Windows\system32\DRIVERS\lirsgt.sys
16:38:53:310 1284 lltdio (f7611ec07349979da9b0ae1f18ccc7a6) C:\Windows\system32\DRIVERS\lltdio.sys
16:38:53:341 1284 LSI_FC (eb119a53ccf2acc000ac71b065b78fef) C:\Windows\system32\DRIVERS\lsi_fc.sys
16:38:53:357 1284 LSI_SAS (8ade1c877256a22e49b75d1cc9161f9c) C:\Windows\system32\DRIVERS\lsi_sas.sys
16:38:53:388 1284 LSI_SAS2 (dc9dc3d3daa0e276fd2ec262e38b11e9) C:\Windows\system32\DRIVERS\lsi_sas2.sys
16:38:53:404 1284 LSI_SCSI (0a036c7d7cab643a7f07135ac47e0524) C:\Windows\system32\DRIVERS\lsi_scsi.sys
16:38:53:419 1284 luafv (6703e366cc18d3b6e534f5cf7df39cee) C:\Windows\system32\drivers\luafv.sys
16:38:53:435 1284 MBAMSwissArmy (c7dd7d9739785bd3a6b8499eec1dee7e) C:\Windows\system32\drivers\mbamswissarmy.sys
16:38:53:466 1284 megasas (0fff5b045293002ab38eb1fd1fc2fb74) C:\Windows\system32\DRIVERS\megasas.sys
16:38:53:482 1284 MegaSR (dcbab2920c75f390caf1d29f675d03d6) C:\Windows\system32\DRIVERS\MegaSR.sys
16:38:53:497 1284 Modem (f001861e5700ee84e2d4e52c712f4964) C:\Windows\system32\drivers\modem.sys
16:38:53:528 1284 monitor (79d10964de86b292320e9dfe02282a23) C:\Windows\system32\DRIVERS\monitor.sys
16:38:53:544 1284 mouclass (fb18cc1d4c2e716b6b903b0ac0cc0609) C:\Windows\system32\DRIVERS\mouclass.sys
16:38:53:560 1284 mouhid (2c388d2cd01c9042596cf3c8f3c7b24d) C:\Windows\system32\DRIVERS\mouhid.sys
16:38:53:591 1284 mountmgr (921c18727c5920d6c0300736646931c2) C:\Windows\system32\drivers\mountmgr.sys
16:38:53:622 1284 mpio (2af5997438c55fb79d33d015c30e1974) C:\Windows\system32\DRIVERS\mpio.sys
16:38:53:638 1284 mpsdrv (ad2723a7b53dd1aacae6ad8c0bfbf4d0) C:\Windows\system32\drivers\mpsdrv.sys
16:38:53:669 1284 MRxDAV (b1be47008d20e43da3adc37c24cdb89d) C:\Windows\system32\drivers\mrxdav.sys
16:38:53:700 1284 mrxsmb (9e5dd4ef01aed723abf5342ef23ff012) C:\Windows\system32\DRIVERS\mrxsmb.sys
16:38:53:747 1284 mrxsmb10 (6532acbf612a8d340ef9e25e4fef21ee) C:\Windows\system32\DRIVERS\mrxsmb10.sys
16:38:53:794 1284 mrxsmb20 (24d76abe5dcad22f19d105f76fdf0ce1) C:\Windows\system32\DRIVERS\mrxsmb20.sys
16:38:53:903 1284 msahci (4326d168944123f38dd3b2d9c37a0b12) C:\Windows\system32\DRIVERS\msahci.sys
16:38:53:981 1284 msdsm (455029c7174a2dbb03dba8a0d8bddd9a) C:\Windows\system32\DRIVERS\msdsm.sys
16:38:54:121 1284 Msfs (daefb28e3af5a76abcc2c3078c07327f) C:\Windows\system32\drivers\Msfs.sys
16:38:54:152 1284 mshidkmdf (3e1e5767043c5af9367f0056295e9f84) C:\Windows\System32\drivers\mshidkmdf.sys
16:38:54:152 1284 msisadrv (0a4e5757ae09fa9622e3158cc1aef114) C:\Windows\system32\DRIVERS\msisadrv.sys
16:38:54:184 1284 MSKSSRV (8c0860d6366aaffb6c5bb9df9448e631) C:\Windows\system32\drivers\MSKSSRV.sys
16:38:54:199 1284 MSPCLOCK (3ea8b949f963562cedbb549eac0c11ce) C:\Windows\system32\drivers\MSPCLOCK.sys
16:38:54:215 1284 MSPQM (f456e973590d663b1073e9c463b40932) C:\Windows\system32\drivers\MSPQM.sys
16:38:54:246 1284 MsRPC (0e008fc4819d238c51d7c93e7b41e560) C:\Windows\system32\drivers\MsRPC.sys
16:38:54:277 1284 mssmbios (fc6b9ff600cc585ea38b12589bd4e246) C:\Windows\system32\DRIVERS\mssmbios.sys
16:38:54:293 1284 MSTEE (b42c6b921f61a6e55159b8be6cd54a36) C:\Windows\system32\drivers\MSTEE.sys
16:38:54:308 1284 MTConfig (33599130f44e1f34631cea241de8ac84) C:\Windows\system32\DRIVERS\MTConfig.sys
16:38:54:355 1284 MTsensor (0f24624106d8042e7f27882d9d6ff5c0) C:\Windows\system32\DRIVERS\ASACPI.sys
16:38:54:402 1284 Mup (159fad02f64e6381758c990f753bcc80) C:\Windows\system32\Drivers\mup.sys
16:38:54:433 1284 NativeWifiP (26384429fcd85d83746f63e798ab1480) C:\Windows\system32\DRIVERS\nwifi.sys
16:38:54:480 1284 NDIS (23759d175a0a9baaf04d05047bc135a8) C:\Windows\system32\drivers\ndis.sys
16:38:54:511 1284 NdisCap (0e1787aa6c9191d3d319e8bafe86f80c) C:\Windows\system32\DRIVERS\ndiscap.sys
16:38:54:542 1284 NdisTapi (e4a8aec125a2e43a9e32afeea7c9c888) C:\Windows\system32\DRIVERS\ndistapi.sys
16:38:54:558 1284 Ndisuio (b30ae7f2b6d7e343b0df32e6c08fce75) C:\Windows\system32\DRIVERS\ndisuio.sys
16:38:54:574 1284 NdisWan (267c415eadcbe53c9ca873dee39cf3a4) C:\Windows\system32\DRIVERS\ndiswan.sys
16:38:54:605 1284 NDProxy (af7e7c63dcef3f8772726f86039d6eb4) C:\Windows\system32\drivers\NDProxy.sys
16:38:54:620 1284 NetBIOS (80b275b1ce3b0e79909db7b39af74d51) C:\Windows\system32\DRIVERS\netbios.sys
16:38:54:636 1284 NetBT (dd52a733bf4ca5af84562a5e2f963b91) C:\Windows\system32\DRIVERS\netbt.sys
16:38:54:652 1284 nfrd960 (1d85c4b390b0ee09c7a46b91efb2c097) C:\Windows\system32\DRIVERS\nfrd960.sys
16:38:54:683 1284 Npfs (1db262a9f8c087e8153d89bef3d2235f) C:\Windows\system32\drivers\Npfs.sys
16:38:54:683 1284 nsiproxy (e9a0a4d07e53d8fea2bb8387a3293c58) C:\Windows\system32\drivers\nsiproxy.sys
16:38:54:730 1284 Ntfs (3795dcd21f740ee799fb7223234215af) C:\Windows\system32\drivers\Ntfs.sys
16:38:54:839 1284 Null (f9756a98d69098dca8945d62858a812c) C:\Windows\system32\drivers\Null.sys
16:38:54:901 1284 NVENETFD (b5e37e31c053bc9950455a257526514b) C:\Windows\system32\DRIVERS\nvm62x32.sys
16:38:55:182 1284 nvlddmkm (dbc71cb5f25eaac174a54e8c4c648aa1) C:\Windows\system32\DRIVERS\nvlddmkm.sys
16:38:55:322 1284 NVNET (d22e432e402499ac264a113d7168b91f) C:\Windows\system32\DRIVERS\nvmf6232.sys
16:38:55:369 1284 nvraid (3f3d04b1d08d43c16ea7963954ec768d) C:\Windows\system32\DRIVERS\nvraid.sys
16:38:55:400 1284 nvstor (c99f251a5de63c6f129cf71933aced0f) C:\Windows\system32\DRIVERS\nvstor.sys
16:38:55:447 1284 nv_agp (5a0983915f02bae73267cc2a041f717d) C:\Windows\system32\DRIVERS\nv_agp.sys
16:38:55:525 1284 ohci1394 (08a70a1f2cdde9bb49b885cb817a66eb) C:\Windows\system32\DRIVERS\ohci1394.sys
16:38:55:572 1284 Parport (2ea877ed5dd9713c5ac74e8ea7348d14) C:\Windows\system32\DRIVERS\parport.sys
16:38:55:603 1284 partmgr (ff4218952b51de44fe910953a3e686b9) C:\Windows\system32\drivers\partmgr.sys
16:38:55:650 1284 Parvdm (eb0a59f29c19b86479d36b35983daadc) C:\Windows\system32\DRIVERS\parvdm.sys
16:38:55:681 1284 pci (c858cb77c577780ecc456a892e7e7d0f) C:\Windows\system32\DRIVERS\pci.sys
16:38:55:759 1284 pciide (afe86f419014db4e5593f69ffe26ce0a) C:\Windows\system32\DRIVERS\pciide.sys
16:38:55:806 1284 pcmcia (f396431b31693e71e8a80687ef523506) C:\Windows\system32\DRIVERS\pcmcia.sys
16:38:55:853 1284 pcw (250f6b43d2b613172035c6747aeeb19f) C:\Windows\system32\drivers\pcw.sys
16:38:55:884 1284 PEAUTH (9e0104ba49f4e6973749a02bf41344ed) C:\Windows\system32\drivers\peauth.sys
16:38:55:993 1284 PptpMiniport (631e3e205ad6d86f2aed6a4a8e69f2db) C:\Windows\system32\DRIVERS\raspptp.sys
16:38:56:024 1284 Processor (85b1e3a0c7585bc4aae6899ec6fcf011) C:\Windows\system32\DRIVERS\processr.sys
16:38:56:071 1284 Psched (6270ccae2a86de6d146529fe55b3246a) C:\Windows\system32\DRIVERS\pacer.sys
16:38:56:118 1284 PxHelp20 (40fedd328f98245ad201cf5f9f311724) C:\Windows\system32\Drivers\PxHelp20.sys
16:38:56:196 1284 ql2300 (ab95ecf1f6659a60ddc166d8315b0751) C:\Windows\system32\DRIVERS\ql2300.sys
16:38:56:243 1284 ql40xx (b4dd51dd25182244b86737dc51af2270) C:\Windows\system32\DRIVERS\ql40xx.sys
16:38:56:274 1284 QWAVEdrv (584078ca1b95ca72df2a27c336f9719d) C:\Windows\system32\drivers\qwavedrv.sys
16:38:56:290 1284 RasAcd (30a81b53c766d0133bb86d234e5556ab) C:\Windows\system32\DRIVERS\rasacd.sys
16:38:56:321 1284 RasAgileVpn (57ec4aef73660166074d8f7f31c0d4fd) C:\Windows\system32\DRIVERS\AgileVpn.sys
16:38:56:336 1284 Rasl2tp (d9f91eafec2815365cbe6d167e4e332a) C:\Windows\system32\DRIVERS\rasl2tp.sys
16:38:56:352 1284 RasPppoe (0fe8b15916307a6ac12bfb6a63e45507) C:\Windows\system32\DRIVERS\raspppoe.sys
16:38:56:368 1284 RasSstp (44101f495a83ea6401d886e7fd70096b) C:\Windows\system32\DRIVERS\rassstp.sys
16:38:56:383 1284 rdbss (835d7e81bf517a3b72384bdcc85e1ce6) C:\Windows\system32\DRIVERS\rdbss.sys
16:38:56:399 1284 rdpbus (0d8f05481cb76e70e1da06ee9f0da9df) C:\Windows\system32\DRIVERS\rdpbus.sys
16:38:56:414 1284 RDPCDD (1e016846895b15a99f9a176a05029075) C:\Windows\system32\DRIVERS\RDPCDD.sys
16:38:56:446 1284 RDPDR (c5ff95883ffef704d50c40d21cfb3ab5) C:\Windows\system32\drivers\rdpdr.sys
16:38:56:492 1284 RDPENCDD (5a53ca1598dd4156d44196d200c94b8a) C:\Windows\system32\drivers\rdpencdd.sys
16:38:56:508 1284 RDPREFMP (44b0a53cd4f27d50ed461dae0c0b4e1f) C:\Windows\system32\drivers\rdprefmp.sys
16:38:56:524 1284 RDPWD (801371ba9782282892d00aadb08ee367) C:\Windows\system32\drivers\RDPWD.sys
16:38:56:555 1284 rdyboost (4ea225bf1cf05e158853f30a99ca29a7) C:\Windows\system32\drivers\rdyboost.sys
16:38:56:570 1284 rspndr (032b0d36ad92b582d869879f5af5b928) C:\Windows\system32\DRIVERS\rspndr.sys
16:38:56:602 1284 s3cap (5423d8437051e89dd34749f242c98648) C:\Windows\system32\DRIVERS\vms3cap.sys
16:38:56:617 1284 SahdIa32 (0b2d5d2341437d7d7e1a6c7bbce3786a) C:\Windows\system32\Drivers\SahdIa32.sys
16:38:56:633 1284 SaibIa32 (7a5f65b16249af2bc9d18d815f5d7172) C:\Windows\system32\Drivers\SaibIa32.sys
16:38:56:664 1284 SaibVd32 (e333c9515822de586a3ff759a0c9b7bf) C:\Windows\system32\Drivers\SaibVd32.sys
16:38:56:680 1284 sbp2port (34ee0c44b724e3e4ce2eff29126de5b5) C:\Windows\system32\DRIVERS\sbp2port.sys
16:38:56:711 1284 scfilter (a95c54b2ac3cc9c73fcdf9e51a1d6b51) C:\Windows\system32\DRIVERS\scfilter.sys
16:38:56:726 1284 secdrv (c71394d99a04ca76484492f590c9cba5) C:\Windows\system32\drivers\secdrv.sys
16:38:56:758 1284 Serenum (9ad8b8b515e3df6acd4212ef465de2d1) C:\Windows\system32\DRIVERS\serenum.sys
16:38:56:773 1284 Serial (5fb7fcea0490d821f26f39cc5ea3d1e2) C:\Windows\system32\DRIVERS\serial.sys
16:38:56:789 1284 sermouse (79bffb520327ff916a582dfea17aa813) C:\Windows\system32\DRIVERS\sermouse.sys
16:38:56:867 1284 sffdisk (9f976e1eb233df46fce808d9dea3eb9c) C:\Windows\system32\DRIVERS\sffdisk.sys
16:38:56:882 1284 sffp_mmc (932a68ee27833cfd57c1639d375f2731) C:\Windows\system32\DRIVERS\sffp_mmc.sys
16:38:56:898 1284 sffp_sd (4f1e5b0fe7c8050668dbfade8999aefb) C:\Windows\system32\DRIVERS\sffp_sd.sys
16:38:56:914 1284 sfloppy (db96666cc8312ebc45032f30b007a547) C:\Windows\system32\DRIVERS\sfloppy.sys
16:38:56:929 1284 sisagp (2565cac0dc9fe0371bdce60832582b2e) C:\Windows\system32\DRIVERS\sisagp.sys
16:38:56:960 1284 SiSRaid2 (a9f0486851becb6dda1d89d381e71055) C:\Windows\system32\DRIVERS\SiSRaid2.sys
16:38:56:976 1284 SiSRaid4 (3727097b55738e2f554972c3be5bc1aa) C:\Windows\system32\DRIVERS\sisraid4.sys
16:38:56:992 1284 Smb (3e21c083b8a01cb70ba1f09303010fce) C:\Windows\system32\DRIVERS\smb.sys
16:38:57:023 1284 spldr (95cf1ae7527fb70f7816563cbc09d942) C:\Windows\system32\drivers\spldr.sys
16:38:57:070 1284 sptd (cdddec541bc3c96f91ecb48759673505) C:\Windows\system32\Drivers\sptd.sys
16:38:57:148 1284 srv (50a83ca406c808bd35ac9141a0c7618f) C:\Windows\system32\DRIVERS\srv.sys
16:38:57:179 1284 srv2 (dce7e10feaabd4cae95948b3de5340bb) C:\Windows\system32\DRIVERS\srv2.sys
16:38:57:194 1284 srvnet (bd1433a32792fd0dc450479094fc435a) C:\Windows\system32\DRIVERS\srvnet.sys
16:38:57:210 1284 stexstor (db32d325c192b801df274bfd12a7e72b) C:\Windows\system32\DRIVERS\stexstor.sys
16:38:57:226 1284 storflt (957e346ca948668f2496a6ccf6ff82cc) C:\Windows\system32\DRIVERS\vmstorfl.sys
16:38:57:226 1284 storvsc (d5751969dc3e4b88bf482ac8ec9fe019) C:\Windows\system32\DRIVERS\storvsc.sys
16:38:57:257 1284 STVqx5 (b978e124cc4609d8080bcd20094e196b) C:\Windows\system32\drivers\STVqx5.sys
16:38:57:272 1284 STVqx5m (53412e0c961fa3bbce5c30bb6275f87e) C:\Windows\system32\drivers\STVqx5m.sys
16:38:57:304 1284 swenum (e58c78a848add9610a4db6d214af5224) C:\Windows\system32\DRIVERS\swenum.sys
16:38:57:335 1284 Tcpip (2cc3d75488abd3ec628bbb9a4fc84efc) C:\Windows\system32\drivers\tcpip.sys
16:38:57:460 1284 TCPIP6 (2cc3d75488abd3ec628bbb9a4fc84efc) C:\Windows\system32\DRIVERS\tcpip.sys
16:38:57:491 1284 tcpipreg (e64444523add154f86567c469bc0b17f) C:\Windows\system32\drivers\tcpipreg.sys
16:38:57:538 1284 TDPIPE (1875c1490d99e70e449e3afae9fcbadf) C:\Windows\system32\drivers\tdpipe.sys
16:38:57:584 1284 TDTCP (7551e91ea999ee9a8e9c331d5a9c31f3) C:\Windows\system32\drivers\tdtcp.sys
16:38:57:616 1284 tdx (cb39e896a2a83702d1737bfd402b3542) C:\Windows\system32\DRIVERS\tdx.sys
16:38:57:709 1284 TermDD (c36f41ee20e6999dbf4b0425963268a5) C:\Windows\system32\DRIVERS\termdd.sys
16:38:57:740 1284 tssecsrv (98ae6fa07d12cb4ec5cf4a9bfa5f4242) C:\Windows\system32\DRIVERS\tssecsrv.sys
16:38:57:772 1284 tunnel (3e461d890a97f9d4c168f5fda36e1d00) C:\Windows\system32\DRIVERS\tunnel.sys
16:38:57:818 1284 uagp35 (750fbcb269f4d7dd2e420c56b795db6d) C:\Windows\system32\DRIVERS\uagp35.sys
16:38:57:865 1284 udfs (09cc3e16f8e5ee7168e01cf8fcbe061a) C:\Windows\system32\DRIVERS\udfs.sys
16:38:57:943 1284 uliagpkx (44e8048ace47befbfdc2e9be4cbc8880) C:\Windows\system32\DRIVERS\uliagpkx.sys
16:38:57:990 1284 umbus (049b3a50b3d646baeeee9eec9b0668dc) C:\Windows\system32\DRIVERS\umbus.sys
16:38:58:021 1284 UmPass (7550ad0c6998ba1cb4843e920ee0feac) C:\Windows\system32\DRIVERS\umpass.sys
16:38:58:084 1284 usbaudio (2436a42aab4ad48a9b714e5b0f344627) C:\Windows\system32\drivers\usbaudio.sys
16:38:58:130 1284 usbccgp (8455c4ed038efd09e99327f9d2d48ffa) C:\Windows\system32\DRIVERS\usbccgp.sys
16:38:58:224 1284 usbcir (04ec7cec62ec3b6d9354eee93327fc82) C:\Windows\system32\DRIVERS\usbcir.sys
16:38:58:286 1284 usbehci (ff32d4f3ec3c68b2ca61782c7964f54e) C:\Windows\system32\DRIVERS\usbehci.sys
16:38:58:318 1284 usbhub (b0dfc7b484e0ca0c27bda5433b82d94a) C:\Windows\system32\DRIVERS\usbhub.sys
16:38:58:364 1284 usbohci (a6fb7957ea7afb1165991e54ce934b74) C:\Windows\system32\DRIVERS\usbohci.sys
16:38:58:442 1284 usbprint (797d862fe0875e75c7cc4c1ad7b30252) C:\Windows\system32\DRIVERS\usbprint.sys
16:38:58:442 1284 USBSTOR (d8889d56e0d27e57ed4591837fe71d27) C:\Windows\system32\DRIVERS\USBSTOR.SYS
16:38:58:474 1284 usbuhci (78780c3ebce17405b1ccd07a3a8a7d72) C:\Windows\system32\DRIVERS\usbuhci.sys
16:38:58:505 1284 VClone (94d73b62e458fb56c9ce60aa96d914f9) C:\Windows\system32\DRIVERS\VClone.sys
16:38:58:536 1284 vdrvroot (a059c4c3edb09e07d21a8e5c0aabd3cb) C:\Windows\system32\DRIVERS\vdrvroot.sys
16:38:58:552 1284 vga (17c408214ea61696cec9c66e388b14f3) C:\Windows\system32\DRIVERS\vgapnp.sys
16:38:58:583 1284 VgaSave (8e38096ad5c8570a6f1570a61e251561) C:\Windows\System32\drivers\vga.sys
16:38:58:598 1284 vhdmp (3be6e1f3a4f1afec8cee0d7883f93583) C:\Windows\system32\DRIVERS\vhdmp.sys
16:38:58:614 1284 viaagp (c829317a37b4bea8f39735d4b076e923) C:\Windows\system32\DRIVERS\viaagp.sys
16:38:58:630 1284 ViaC7 (e02f079a6aa107f06b16549c6e5c7b74) C:\Windows\system32\DRIVERS\viac7.sys
16:38:58:661 1284 viaide (e43574f6a56a0ee11809b48c09e4fd3c) C:\Windows\system32\DRIVERS\viaide.sys
16:38:58:676 1284 vmbus (379b349f65f453d2a6e75ea6b7448e49) C:\Windows\system32\DRIVERS\vmbus.sys
16:38:58:708 1284 VMBusHID (ec2bbab4b84d0738c6c83d2234dc36fe) C:\Windows\system32\DRIVERS\VMBusHID.sys
16:38:58:786 1284 volmgr (384e5a2aa49934295171e499f86ba6f3) C:\Windows\system32\DRIVERS\volmgr.sys
16:38:58:832 1284 volmgrx (b5bb72067ddddbbfb04b2f89ff8c3c87) C:\Windows\system32\drivers\volmgrx.sys
16:38:58:864 1284 volsnap (dd1e3faf79c02c699c6308cb3335351e) C:\Windows\system32\DRIVERS\volsnap.sys
16:38:58:864 1284 Suspicious file (Forged): C:\Windows\system32\DRIVERS\volsnap.sys. Real md5: dd1e3faf79c02c699c6308cb3335351e, Fake md5: 58df9d2481a56edde167e51b334d44fd
16:38:58:864 1284 File "C:\Windows\system32\DRIVERS\volsnap.sys" infected by TDSS rootkit ... 16:38:59:020 1284 Backup copy found, using it..
16:38:59:035 1284 will be cured on next reboot
16:38:59:082 1284 vsmraid (9dfa0cc2f8855a04816729651175b631) C:\Windows\system32\DRIVERS\vsmraid.sys
16:38:59:113 1284 vwifibus (90567b1e658001e79d7c8bbd3dde5aa6) C:\Windows\System32\drivers\vwifibus.sys
16:38:59:207 1284 WacomPen (de3721e89c653aa281428c8a69745d90) C:\Windows\system32\DRIVERS\wacompen.sys
16:38:59:363 1284 WANARP (692a712062146e96d28ba0b7d75de31b) C:\Windows\system32\DRIVERS\wanarp.sys
16:38:59:378 1284 Wanarpv6 (692a712062146e96d28ba0b7d75de31b) C:\Windows\system32\DRIVERS\wanarp.sys
16:38:59:378 1284 Wd (1112a9badacb47b7c0bb0392e3158dff) C:\Windows\system32\DRIVERS\wd.sys
16:38:59:410 1284 Wdf01000 (9950e3d0f08141c7e89e64456ae7dc73) C:\Windows\system32\drivers\Wdf01000.sys
16:38:59:425 1284 WfpLwf (8b9a943f3b53861f2bfaf6c186168f79) C:\Windows\system32\DRIVERS\wfplwf.sys
16:38:59:456 1284 WIMMount (5cf95b35e59e2a38023836fff31be64c) C:\Windows\system32\drivers\wimmount.sys
16:38:59:488 1284 WmiAcpi (0217679b8fca58714c3bf2726d2ca84e) C:\Windows\system32\DRIVERS\wmiacpi.sys
16:38:59:503 1284 ws2ifsl (6db3276587b853bf886b69528fdb048c) C:\Windows\system32\drivers\ws2ifsl.sys
16:38:59:519 1284 WudfPf (6f9b6c0c93232cff47d0f72d6db1d21e) C:\Windows\system32\drivers\WudfPf.sys
16:38:59:550 1284 WUDFRd (f91ff1e51fca30b3c3981db7d5924252) C:\Windows\system32\DRIVERS\WUDFRd.sys
16:38:59:550 1284 Reboot required for cure complete..
16:38:59:800 1284 Cure on reboot scheduled successfully
16:38:59:800 1284
16:38:59:815 1284 Completed
16:38:59:815 1284
16:38:59:815 1284 Results:
16:38:59:815 1284 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
16:38:59:815 1284 File objects infected / cured / cured on reboot: 1 / 0 / 1
16:38:59:815 1284
16:38:59:815 1284 KLMD(ARK) unloaded successfully

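The line to focus on in that log is the one marked "Suspicious file (Forged)": the scanner reports two different MD5 hashes for the same driver file, and that disagreement (not the driver name itself) is what identifies a file a kernel-mode rootkit is presenting differently from its genuine contents. As an added example, not code from this thread or from the TDSSKiller tool, here is a small Python triage parser for log lines of the shape shown above. It pulls out the driver table, any forged-file findings with both hashes, the threat name from the "infected by" line, the cure status, and the closing counts, then cross-checks that the driver table's hash agrees with the "Real md5" of each finding. The sample log is a constructed, shortened copy of the lines in the post; function and class names are my own.

```python
"""Triage helper for TDSSKiller-style log output (added example, not the tool's own code)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: a shortened copy of the lines from the log posted above.
SAMPLE_LOG = r"""
16:38:58:864 1284 volsnap (dd1e3faf79c02c699c6308cb3335351e) C:\Windows\system32\DRIVERS\volsnap.sys
16:38:58:864 1284 Suspicious file (Forged): C:\Windows\system32\DRIVERS\volsnap.sys. Real md5: dd1e3faf79c02c699c6308cb3335351e, Fake md5: 58df9d2481a56edde167e51b334d44fd
16:38:58:864 1284 File "C:\Windows\system32\DRIVERS\volsnap.sys" infected by TDSS rootkit ... 16:38:59:020 1284 Backup copy found, using it..
16:38:59:035 1284 will be cured on next reboot
16:38:59:082 1284 vsmraid (9dfa0cc2f8855a04816729651175b631) C:\Windows\system32\DRIVERS\vsmraid.sys
16:38:59:550 1284 Reboot required for cure complete..
16:38:59:800 1284 Cure on reboot scheduled successfully
16:38:59:815 1284 File objects infected / cured / cured on reboot: 1 / 0 / 1
"""

# Line shapes taken from the log format above: "hh:mm:ss:ms pid name (md5) path"
DRIVER_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}:\d{3})\s+(\d+)\s+(\S+)\s+\(([0-9a-f]{32})\)\s+(.+?)\s*$")
FORGED_RE = re.compile(r"Suspicious file \(Forged\): (.+?)\. Real md5: ([0-9a-f]{32}), Fake md5: ([0-9a-f]{32})")
INFECTED_RE = re.compile(r'File "([^"]+)" infected by (.+?) \.\.\.')
RESULTS_RE = re.compile(r"File objects infected / cured / cured on reboot: (\d+) / (\d+) / (\d+)")
CURE_SCHEDULED = "Cure on reboot scheduled successfully"


@dataclass
class DriverEntry:
    name: str
    md5: str
    path: str


@dataclass
class ForgedFile:
    path: str
    real_md5: str
    fake_md5: str
    threat: Optional[str] = None  # filled from the "infected by ..." line when present


@dataclass
class Report:
    drivers: Dict[str, DriverEntry] = field(default_factory=dict)
    forged: List[ForgedFile] = field(default_factory=list)
    cure_scheduled: bool = False
    counts: Optional[Tuple[int, int, int]] = None  # infected / cured / cured on reboot


def parse_log(text: str) -> Report:
    """Walk the log once and collect the pieces that matter for triage."""
    rep = Report()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DRIVER_RE.match(line)
        if m:
            _ts, _pid, name, md5, path = m.groups()
            rep.drivers[name] = DriverEntry(name, md5, path)
            continue
        m = FORGED_RE.search(line)
        if m:
            rep.forged.append(ForgedFile(*m.groups()))
            continue
        m = INFECTED_RE.search(line)
        if m:
            path, threat = m.groups()
            for f in rep.forged:
                if f.path.lower() == path.lower():
                    f.threat = threat
            continue
        if CURE_SCHEDULED in line:
            rep.cure_scheduled = True
            continue
        m = RESULTS_RE.search(line)
        if m:
            rep.counts = tuple(int(x) for x in m.groups())  # type: ignore[assignment]
    return rep


def cross_check(rep: Report) -> List[str]:
    """Triage notes: does the driver table agree with each forged finding, and was a cure scheduled?"""
    notes: List[str] = []
    by_path = {d.path.lower(): d for d in rep.drivers.values()}
    for f in rep.forged:
        d = by_path.get(f.path.lower())
        if d is None:
            notes.append(f"{f.path}: flagged as forged but has no driver-table entry")
        elif d.md5 == f.real_md5:
            notes.append(f"{f.path}: driver table shows real md5 {d.md5}; "
                         f"scanner also saw fake md5 {f.fake_md5} ({f.threat or 'threat not named'})")
        else:
            notes.append(f"{f.path}: driver-table md5 {d.md5} matches neither reported hash")
    if rep.forged and not rep.cure_scheduled:
        notes.append("forged files were found but no cure was scheduled")
    return notes


if __name__ == "__main__":
    for note in cross_check(parse_log(SAMPLE_LOG)):
        print(note)
```

The point of the cross-check is the mismatch itself: two hashes for one path means the file as presented is not the file as stored, which is exactly why a signature scan of the "visible" driver can come back clean while the machine keeps redirecting.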

#8 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany

Posted 10 July 2010 - 05:49 AM

Hi,

  1. Please download MBR.exe and save it to your windows directory (usually C:\windows).
  2. Now click Start > Run and copy/paste the following text in the box that opens. Do not copy the word "code".
    CODE
    cmd /c mbr.exe -t >log.txt&start log.txt
  3. Press enter.
  4. An mbr.log should open. Please post its contents in your next reply.





Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.




I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the icon on your desktop.
  • Check
  • Click the button.
  • Accept any security warnings from your browser.
  • Check
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push
  • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the button.
  • Push
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt




  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Under the Custom Scan box paste this in
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemdrive%\*.sys /90 /md5
  5. Push the Quick Scan button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#9 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany

Posted 13 July 2010 - 11:14 AM

Still with me?
regards,
schrauber


#10 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany

Posted 16 July 2010 - 11:28 AM

Due to the lack of feedback, this topic is now closed.
If you need this topic reopened, please PM a staff member and we will reopen it for you (include the address of this thread in your request). This applies to the original topic starter only. Everyone else with similar problems, please start a new topic.
regards,
schrauber
