
Rogue AV Security Suites - Now can't load Windows 7


  • This topic is locked
3 replies to this topic

#1 Peterposer

Peterposer

  • Members
  • 2 posts

Posted 30 June 2010 - 07:10 PM

I have been infected by at least Rogue AV Security Suites. I ran Malwarebytes, Avast, Spybot Search and Destroy, CCleaner, IObit Security 360 and I was and am running the latest full version of Trend Micro 2010. The various malware removal programs each found several files which I deleted. After removal of the suspect files I still get three unwanted web pages: two that say website not found and one page that is blank. This happens almost every time I navigate to a new web page. My intention was to delete the malware and upgrade to Windows 7 with a clean install, which would rid my PC of any remaining infection.

Problem is, when trying to install Windows 7 I get the following message: "Select a device where you want to install Windows." I select C: and then get a message that the driver can't be found. I browse to a thumb drive where the Windows 7 drivers for the BIOS are located and the program loads them, but then I'm back to the same "can't find driver" message screen. Removing the malware would be great, but since I'm installing Windows 7 with a clean install, getting the upgrade disk to load would be the ultimate win.

My HDD doesn't show up under Hardware Manager or Disk Manager.

I am running Windows XP Home Edition 2002 - Service Pack 3
Motherboard - MSI G31M3-F V2
Processor - Intel Core 2 Duo E7500 2.93 GHz
4 gigs of RAM
HDD - Maxtor DiamondMax SATA 320 GB

I have tried to be diligent and download all of the driver and software updates over time.
It may not be relevant, but it took 7 hours to run the GMER scan.
Below are the requested logs and any help would be greatly and sincerely appreciated!! I have been at this every night for the last 5 nights.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Lee at 23:50:32.48 on Tue 06/29/2010
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3071.2204 [GMT -4:00]

AV: Trend Micro Internet Security *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Temp\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.xfinity.com/?cid=xfactiv_eg_self_main
uWindow Title = Windows Internet Explorer provided by Comcast
mStart Page = hxxp://www.xfinity.com/?cid=xfactiv_eg_self_main
mWindow Title = Windows Internet Explorer provided by Comcast
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [OE] "c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [RegistryMechanic] c:\program files\registry mechanic\RegMech.exe /H
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
StartupFolder: c:\docume~1\lee\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\reader 8.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: intuit.com
Trusted Zone: intuit.com\ttlc
Trusted Zone: motive.com\patttbc.att
Trusted Zone: primerica.com\www.desktop
Trusted Zone: turbotax.com
DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - hxxp://www.comcastsupport.com/sdccommon/download/tgctlsr.cab
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://help.bellsouth.net/sdccommon/download/tgctlcm.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://a1540.g.akamai.net/7/1540/52/20070501/qtinstall.info.apple.com/qtactivex/qtplugin.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} - hxxp://go.microsoft.com/fwlink/?LinkId=82580
DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - hxxps://setup.bellsouth.net/wizlet/PWReset/static/controls/WebflowActiveXInstaller_6-1-2.cab
DPF: {474F00F5-3853-492C-AC3A-476512BBC336} - hxxp://picasaweb.google.com/s/v/26.34/uploader2.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1005.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188055871875
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1188055818125
DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - hxxp://mediaplayer.walmart.com/installer/install.cab
DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} - hxxp://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} - hxxp://www.servicehonda.com/TSWeb/msrdp.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://ive1.primerica.com/dana-cached/setup/JuniperSetupSP1.cab
DPF: {EA7F451B-94DD-4009-A8BF-8F977B0B2696} - hxxp://pbells.broadjump.com/wizlet/StandardInstall/static/controls/WebflowActiveXInstaller_4-2-0.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://ive2.primerica.com/dana-cached/sc/JuniperSetupClient.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Authentication Packages = msv1_0 relog_ap
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\lee\applic~1\mozilla\firefox\profiles\802dhcjk.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tb50-ff-dlink-chromesbox-en-us&query=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=tb50-ff-dlink-ab-en-us&query=
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\picasa3\npPicasa2.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 NEOFLTR_550_11711;Juniper Networks TDI Filter Driver (NEOFLTR_550_11711);c:\windows\system32\drivers\NEOFLTR_550_11711.sys [2007-4-10 63264]
R2 IS360service;IS360service;c:\program files\iobit\iobit security 360\is360srv.exe [2010-6-29 312152]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\common files\pc tools\smonitor\StartManSvc.exe [2010-6-29 632792]
R2 SgtSch2Svc;Seagate Scheduler2 Service;c:\program files\common files\seagate\schedule2\schedul2.exe [2009-10-16 431456]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2010-2-22 36368]
R2 UPnPService;UPnPService;c:\program files\common files\magix shared\upnpservice\UPnPService.exe [2009-2-14 544768]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2010-2-22 339984]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S1 aswSP;aswSP; [x]
S2 aswFsBlk;aswFsBlk; [x]
S2 avast! Antivirus;avast! Antivirus;"c:\program files\alwil software\avast5\avastsvc.exe" --> c:\program files\alwil software\avast5\AvastSvc.exe [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-9-22 1691480]
S3 avast! Mail Scanner;avast! Mail Scanner;"c:\program files\alwil software\avast5\avastsvc.exe" --> c:\program files\alwil software\avast5\AvastSvc.exe [?]
S3 avast! Web Scanner;avast! Web Scanner;"c:\program files\alwil software\avast5\avastsvc.exe" --> c:\program files\alwil software\avast5\AvastSvc.exe [?]
S3 DualCoreCenter;DualCoreCenter;\??\c:\program files\msi\dualcorecenter\ntglm7x.sys --> c:\program files\msi\dualcorecenter\NTGLM7X.sys [?]
S3 RushTopDevice2;RushTopDevice2;\??\c:\program files\msi\dualcorecenter\rushtop.sys --> c:\program files\msi\dualcorecenter\RushTop.sys [?]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
S3 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2010-2-22 50704]
S3 TmPfw;Trend Micro Personal Firewall;c:\program files\trend micro\internet security\TmPfw.exe [2010-2-22 497008]
S3 TmProxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2010-2-22 689416]
S3 USBAV192.X86;Instant VideoXpress;c:\windows\system32\drivers\USBAV192.X86.SYS [2008-2-16 320256]
S4 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\magix\common\database\bin\fbserver.exe [2009-2-14 1527900]
S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-9 135664]

=============== Created Last 30 ================

2010-06-30 03:50:19 525824 ----a-w- c:\temp\dds.scr
2010-06-30 03:43:47 0 ----a-w- c:\documents and settings\lee\defogger_reenable
2010-06-30 03:42:36 50477 ----a-w- c:\temp\Defogger.exe
2010-06-30 03:26:49 363520 ----a-w- c:\temp\rkill.com
2010-06-30 03:06:10 812344 ----a-w- c:\temp\HJTInstall.exe
2010-06-30 02:30:58 131 ----a-w- c:\windows\CRC.INI
2010-06-30 02:24:52 0 d-----w- c:\program files\COMODO
2010-06-30 01:03:02 2128476 ----a-w- c:\temp\avg_avwt_stb_all_9_115_internaltesting.exe
2010-06-30 00:49:33 880640 ----a-w- c:\windows\system32\UniBox10.ocx
2010-06-30 00:49:33 212992 ----a-w- c:\windows\system32\UniBoxVB12.ocx
2010-06-30 00:49:33 1101824 ----a-w- c:\windows\system32\UniBox210.ocx
2010-06-30 00:49:32 0 d-----w- c:\program files\common files\PC Tools
2010-06-30 00:48:55 10239072 ----a-w- c:\temp\rminstall.exe
2010-06-30 00:46:51 0 d-----w- c:\program files\FileASSASSIN
2010-06-30 00:46:25 167034 ----a-w- c:\temp\fa-setup.exe
2010-06-30 00:04:25 0 d-----w- c:\docume~1\alluse~1\applic~1\IObit
2010-06-30 00:04:22 0 d-----w- c:\program files\IObit
2010-06-30 00:03:44 9205688 ----a-w- c:\temp\is360setup.exe
2010-06-29 23:44:06 0 d-----w- c:\program files\CCleaner
2010-06-29 23:43:17 3396176 ----a-w- c:\temp\ccsetup233.exe
2010-06-29 12:32:00 0 d-----w- c:\docume~1\alluse~1\applic~1\NortonInstaller
2010-06-29 12:30:14 0 d-----w- c:\docume~1\alluse~1\applic~1\Norton
2010-06-29 12:29:46 408088 ----a-w- c:\temp\Norton_Download_Manager.exe
2010-06-29 03:11:25 0 ----a-w- c:\temp\a2AntiMalwareSetup.exe
2010-06-28 23:18:54 0 d-----w- c:\program files\Windows Easy Transfer 7
2010-06-28 23:16:21 7609104 ----a-w- c:\temp\wet7xp_x86.exe
2010-06-28 06:44:22 529684 ----a-w- c:\temp\Realtek_LAN_PCIE_MB.zip
2010-06-28 03:44:42 319488 ----a-w- c:\windows\HideWin.exe
2010-06-28 02:58:41 0 d-----w- c:\program files\Setup Files
2010-06-28 02:26:24 2518261 ----a-w- c:\temp\LiveUpdate.zip
2010-06-28 02:24:53 550538 ----a-w- c:\temp\7529v14.zip
2010-06-28 02:23:48 578191 ----a-w- c:\temp\7529v17.zip
2010-06-28 02:22:29 5005061 ----a-w- c:\temp\intel_p55_inf_mb.zip
2010-06-28 02:07:30 0 d-----w- c:\temp\Intel_HECI_MB
2010-06-28 02:02:23 34145391 ----a-w- c:\temp\Intel_HECI_MB.zip
2010-06-28 01:58:46 83829610 ----a-w- c:\temp\realtek_hd_all_mb.zip
2010-06-28 01:22:31 14249472 ----a-w- c:\temp\SeaToolsforWindowsSetup-1202.exe
2010-06-28 00:32:26 77312 ----a-w- c:\temp\drivedetect.exe
2010-06-28 00:01:44 0 d-----w- c:\docume~1\alluse~1\applic~1\Seagate
2010-06-28 00:01:32 368480 ----a-w- c:\windows\system32\drivers\tdrpman.sys
2010-06-28 00:01:07 0 d-----w- c:\program files\Seagate
2010-06-28 00:01:07 0 d-----w- c:\program files\common files\Seagate
2010-06-27 23:37:20 160217136 ----a-w- c:\temp\DiscWizardSetup.en.exe
2010-06-27 21:50:25 1908 ----a-w- c:\windows\diagwrn.xml
2010-06-27 21:50:25 1908 ----a-w- c:\windows\diagerr.xml
2010-06-27 21:40:26 0 d-----w- c:\windows\Performance
2010-06-27 21:39:31 0 d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor
2010-06-27 21:37:51 8669472 ----a-w- c:\temp\Windows7UpgradeAdvisorSetup.exe
2010-06-27 18:58:50 0 d-----w- c:\program files\BustedVacuum
2010-06-27 17:41:14 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-06-27 17:41:14 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-06-27 17:37:55 16409960 ----a-w- c:\temp\spybotsd162.exe
2010-06-27 03:47:29 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-06-27 03:43:13 52566928 ----a-w- c:\temp\setup_av_free.exe
2010-06-26 20:00:42 10341832 ----a-w- c:\temp\windows-kb890830-v3.8.exe
2010-06-26 01:36:08 217180 ----a-w- c:\windows\system32\nvdrsdb0.bin
2010-06-26 01:36:05 217180 ----a-w- c:\windows\system32\nvdrsdb1.bin
2010-06-26 01:36:05 1 ----a-w- c:\windows\system32\nvdrssel.bin
2010-06-26 01:36:05 0 ----a-w- c:\windows\system32\nvdrswr.lk
2010-06-25 00:51:45 7982 ----a-w- c:\windows\ComcastSecurity.ico
2010-06-25 00:51:45 16958 ----a-w- c:\windows\x_icon_64.ico
2010-06-25 00:51:45 15086 ----a-w- c:\windows\ComcastEmail.ico
2010-06-25 00:51:45 1150 ----a-w- c:\windows\favicon.ico
2010-06-25 00:51:24 0 d-----w- c:\program files\Comcast
2010-06-25 00:42:10 1232 ----a-w- C:\net_save.dna
2010-06-25 00:41:16 0 d-----w- c:\program files\support.com
2010-06-22 01:35:12 610304 ----a-w- c:\temp\TCPOptimizer.exe
2010-06-11 01:07:02 0 d-----w- c:\docume~1\alluse~1\applic~1\NVIDIA Corporation
2010-06-11 01:06:41 0 d-----w- c:\program files\NVIDIA Corporation
2010-06-11 01:05:43 7959 ----a-w- c:\windows\system32\nvinfo.pb
2010-06-11 01:05:43 61440 ----a-w- c:\windows\system32\OpenCL.dll
2010-06-11 01:05:42 2165352 ----a-w- c:\windows\system32\nvcuvid.dll
2010-06-11 01:05:41 2632296 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-06-11 01:05:41 10256384 ----a-w- c:\windows\system32\nvcompiler.dll
2010-06-11 01:05:40 2186342 ----a-w- c:\windows\system32\nvdata.bin
2010-06-11 01:00:16 82045688 ----a-w- c:\temp\197.45_desktop_winxp_32bit_english_whql.exe
2010-06-07 21:34:52 81920 ----a-w- c:\windows\system32\nvwddi.dll
2010-06-07 21:34:42 277608 ----a-w- c:\windows\system32\nvmccs.dll
2010-06-07 21:34:42 13902440 ----a-w- c:\windows\system32\nvcpl.dll
2010-06-07 21:34:42 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-06-07 21:34:40 154728 ----a-w- c:\windows\system32\nvsvc32.exe
2010-06-07 21:34:40 145000 ----a-w- c:\windows\system32\nvcolor.exe

==================== Find3M ====================

2010-06-28 00:01:41 44384 ----a-w- c:\windows\system32\drivers\tifsfilt.sys
2010-06-28 00:01:41 441760 ----a-w- c:\windows\system32\drivers\timntr.sys
2010-06-28 00:01:36 132224 ----a-w- c:\windows\system32\drivers\snapman.sys
2010-06-07 23:57:00 6300544 ----a-w- c:\windows\system32\nv4_disp.dll
2010-06-07 23:57:00 600680 ----a-w- c:\windows\system32\nvudisp.exe
2010-06-07 23:57:00 4554752 ----a-w- c:\windows\system32\nvcuda.dll
2010-06-07 23:57:00 232040 ----a-w- c:\windows\system32\nvcodins.dll
2010-06-07 23:57:00 232040 ----a-w- c:\windows\system32\nvcod.dll
2010-06-07 23:57:00 15192064 ----a-w- c:\windows\system32\nvoglnt.dll
2010-06-07 23:57:00 1359872 ----a-w- c:\windows\system32\nvapi.dll
2010-06-07 23:57:00 10531200 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2010-05-28 16:58:26 600680 ----a-w- c:\windows\system32\nvuninst.exe
2010-05-04 17:20:39 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20:34 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20:32 17408 ------w- c:\windows\system32\corpol.dll
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
2008-05-24 03:45:57 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008052320080524\index.dat

============= FINISH: 23:51:52.89 ===============


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-30 08:08:15
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Lee\LOCALS~1\Temp\kwldrpog.sys


---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB71343A0, 0x592C35, 0xE8000020]
.rsrc C:\WINDOWS\System32\DRIVERS\serial.sys entry point in ".rsrc" section [0xB7C03094]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[1328] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0124000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[1328] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0125000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[1328] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0123000C
.text C:\WINDOWS\System32\svchost.exe[1580] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0099000A
.text C:\WINDOWS\System32\svchost.exe[1580] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009A000A
.text C:\WINDOWS\System32\svchost.exe[1580] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0098000C
.text C:\WINDOWS\System32\svchost.exe[1580] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 0151000A
.text C:\WINDOWS\System32\svchost.exe[1580] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00E3000A
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2608] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 104505FE C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\WINDOWS\explorer.exe[3416] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
.text C:\WINDOWS\explorer.exe[3416] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C5000A
.text C:\WINDOWS\explorer.exe[3416] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip NEOFLTR_550_11711.SYS (NetBIOS Redirector/Juniper Networks)
AttachedDevice \Driver\Tcpip \Device\Ip tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp NEOFLTR_550_11711.SYS (NetBIOS Redirector/Juniper Networks)
AttachedDevice \Driver\Tcpip \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
AttachedDevice \Driver\Tcpip \Device\Udp NEOFLTR_550_11711.SYS (NetBIOS Redirector/Juniper Networks)
AttachedDevice \Driver\Tcpip \Device\Udp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp NEOFLTR_550_11711.SYS (NetBIOS Redirector/Juniper Networks)
AttachedDevice \Driver\Tcpip \Device\RawIp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0 8B34DEC5

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\System32\DRIVERS\serial.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:09:52 AM

Posted 04 July 2010 - 07:01 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

----------------------------------------------

GMER shows the TDL3 rootkit. Please run ComboFix.

Please download ComboFix from one of these locations:
IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE
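As an added illustration (not part of the thread, and not GMER's or ComboFix's code) of what m0le read in the log above: a small parser for the Devices and Files sections of a GMER report that flags the two entries the TDL3 call rests on, the disk device under \Driver\atapi routed to a bare kernel address instead of a named driver module, and atapi.sys itself reported as modified. The sample log is a constructed excerpt with the same shape as the one posted.

```python
import re

# Constructed excerpt in the shape of the GMER 1.0.15 log posted in this thread.
SAMPLE_LOG = """\
---- Devices - GMER 1.0.15 ----
AttachedDevice \\FileSystem\\Fastfat \\Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
Device -> \\Driver\\atapi \\Device\\Harddisk0\\DR0 8B34DEC5
---- Files - GMER 1.0.15 ----
File C:\\WINDOWS\\System32\\DRIVERS\\serial.sys suspicious modification
File C:\\WINDOWS\\system32\\drivers\\atapi.sys suspicious modification
---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (\w+) - GMER")
DEVICE_RE = re.compile(r"^Device -> (\\\S+) (\\\S+) ([0-9A-F]{8})$")  # driver, device, address
FILE_RE = re.compile(r"^File (\S+) suspicious modification$")

def parse_gmer(text):
    """Return (device_redirections, modified_files) from the Devices and Files sections."""
    section = None
    devices, files = [], []
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)  # "Devices", "Files", "EOF", ...
            continue
        if section == "Devices":
            m = DEVICE_RE.match(line)
            if m:
                devices.append({"driver": m.group(1), "device": m.group(2), "target": m.group(3)})
        elif section == "Files":
            m = FILE_RE.match(line)
            if m:
                files.append(m.group(1))
    return devices, files

def triage(text):
    """Flag the disk-stack pattern from this thread: \\Driver\\atapi handling a hard disk device
    via an address with no module name, plus atapi.sys on disk flagged as modified."""
    devices, files = parse_gmer(text)
    findings = []
    for d in devices:
        if d["driver"].lower() == r"\driver\atapi" and "harddisk" in d["device"].lower():
            findings.append(f"disk device {d['device']} routed through {d['driver']} at {d['target']}")
    for f in files:
        if f.lower().endswith(r"\atapi.sys"):
            findings.append(f"modified disk driver file: {f}")
    return findings
```

Benign AttachedDevice entries (filter drivers such as fltmgr.sys or Trend Micro's tmtdi.sys) are left alone; only the two atapi-related indicators are reported.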

#3 Peterposer

Peterposer
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:05:52 AM

Posted 04 July 2010 - 08:19 PM

m0le,

Thanks so much for your reply, however I have just found the rootkit that was causing me all of the headaches and I have upgraded to Windows 7. I am good to go. Thanks again for your reply.

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:09:52 AM

Posted 05 July 2010 - 01:48 PM

Thanks for letting me know. I will close the topic safe in the knowledge that the rootkit has been banished.

-----------------------------------------------------------

This topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE