
Infected with Adware.EZlife or unknown


  • This topic is locked
2 replies to this topic

#1 Kyle.xf

  • Members
  • 1 posts
  • OFFLINE
  • Local time:08:29 PM

Posted 31 July 2010 - 01:56 PM

Hi all,

I'm having a lot of difficulty with my computer as of the last two or so days. I've run Ad-Aware and Malwarebytes until they no longer find any infections but am still unable to connect to any web pages (I am able to connect to the internet, just not web pages). When I tried to create a GMER log my computer blue-screened, twice, and as such I am unable to provide that log data. The first time the computer bluescreened, it was due to an error by the file kwriikoc.sys. The second time the only technical information provided is:

***STOP: 0x000000F4 (0x00000003 , 0x8838CD90 , 0x8838CEDC , 0x82466710)

When I attempt to open a web page, the tab in the browser (Firefox; other browsers either do something similar or show "unable to find server" pages) flashes briefly, but won't even acknowledge that I am attempting to load a page. Not sure if it helps, or if it is related, but the fingerprint reader built into my laptop also seems to be disabled, and that started at the same time my connection problems did.

What follows is log data from Malwarebytes regarding the viruses that were cleaned:

Registry Keys Infected:
HKEY_CLASSES_ROOT\cscrptxt.cscrptxt (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\cscrptxt.cscrptxt.1.0 (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{38061edc-40bb-4618-a8da-e56353347e6d} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e0ec6fba-f009-3535-95d6-b6390db27da1} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\adshothlpr.adshothlpr (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\adshothlpr.adshothlpr.1.0 (Adware.Adrotator) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\ELWELL_KEVI\AppData\Local\Temp\dssknt.exe (Virus.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Security Tool.LNK (Rogue.SecurityTool) -> Quarantined and deleted successfully.

What follows is the DDS information:

DDS (Ver_10-03-17.01) - NTFSx86
Run by ELWELL_KEVI at 11:40:29.54 on Sat 07/31/2010
Internet Explorer: 8.0.6001.18928
Microsoft® Windows Vista™ Enterprise 6.0.6002.2.1252.1.1033.18.3035.1623 [GMT -4:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files\Fingerprint Sensor\AtService.exe
C:\Windows\system32\svchost.exe -k rpcss
c:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Hpservice.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\vfsFPService.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\system32\WLANExt.exe
C:\Program Files\DigitalPersona\Bin\DpHostW.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\AEADISRV.EXE
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Microsoft Forefront\Client Security\Client\SSA\FcsSas.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\WD\WD Anywhere Backup\MemeoBackgroundService.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\CCM\CcmExec.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Microsoft Forefront\Client Security\Client\Microsoft Operations Manager 2005\MOMService.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Microsoft Forefront\Client Security\Client\Microsoft Operations Manager 2005\MOMHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCtrl.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\DigitalPersona\Bin\DpAgent.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\Hewlett-Packard\Shared\hpqToaster.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\VolCtrl.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\WD\WD Anywhere Backup\MemeoBackup.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\ELWELL_KEVI\Desktop\dds.scr
\\?\C:\Windows\system32\wbem\WMIADAP.EXE

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.bentley.edu
uDefault_Page_URL = hxxp://www.bentley.edu
uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DigitalPersona Personal Extension: {395610ae-c624-4f58-b89e-23733ea00f9a} - c:\program files\digitalpersona\bin\DpOtsPluginIe8.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
BHO: moigh Object: {d81ac929-1645-4110-9407-3fb1122cc7e8} - c:\windows\system32\rlzcp.dll
BHO: adShotHlpr Object: {f5dfacbb-a1e1-408d-925c-369344fb7df9} - c:\windows\system32\vlzcp.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
uRun: [Google Update] "c:\users\elwell_kevi\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [WatchDog] c:\program files\intervideo\dvd check\DVDCheck.exe
mRun: [SoundMAX] c:\program files\analog devices\soundmax\soundmax.exe /tray
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [DpAgent] c:\program files\digitalpersona\bin\dpagent.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Microsoft Forefront Client Security Antimalware Service] "c:\program files\microsoft forefront\client security\client\antimalware\MSASCui.exe" -hide
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin
mRun: [WD Anywhere Backup] c:\program files\wd\wd anywhere backup\MemeoLauncher2.exe --silent
dRun: [Cxiwaludejem] rundll32.exe "c:\windows\system32\config\systemprofile\appdata\local\CO1425.dll",Startup
StartupFolder: c:\users\elwell_kevi\appdata\roaming\microsoft\windows\start menu\programs\startup\OneNote Table Of Contents.onetoc2
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\dvdche~1.lnk - c:\program files\intervideo\dvd check\DVDCheck.exe
uPolicies-explorer: DisallowRun = 1 (0x1)
uPolicies-disallowrun: 1 = b95702b.exe
uPolicies-disallowrun: 2 = bla.exe
uPolicies-disallowrun: 3 = complaint.scr
uPolicies-disallowrun: 4 = complaint.zip
uPolicies-disallowrun: 5 = fbtre6.exe
uPolicies-disallowrun: 6 = flash_update.exe
uPolicies-disallowrun: 7 = Ipssvc.exe
uPolicies-disallowrun: 8 = kjzna1562565.exe
uPolicies-disallowrun: 9 = klnxv19819115.exe
uPolicies-disallowrun: 10 = mstre6.exe
uPolicies-disallowrun: 11 = TrendAV.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: EnableLinkedConnections = 1 (0x1)
mPolicies-system: disablecad = 1 (0x1)
mPolicies-system: HideFastUserSwitching = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
LSP: c:\windows\system32\dgxrrem.dll
Trusted Zone: bentley.edu\owa
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: x-excid - {9D6CC632-1337-4a33-9214-2DA092E776F4} - c:\windows\downloaded program files\mimectl.dll
Notify: igfxcui - igfxdev.dll
LSA: Notification Packages = scecli DPPWDFLT

================= FIREFOX ===================

FF - ProfilePath - c:\users\elwell~1\appdata\roaming\mozilla\firefox\profiles\usnfrut2.default\
FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/aol/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us&tb_uuid=100000000000000002&tb_oid=08-07-2010&tb_mrud=08-07-2010
FF - prefs.js: browser.startup.homepage - hxxp://www.bentley.edu/
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/redirector/sredir?sredir=2706&invocationType=tb50-ff-aim-ab-en-us&tb_uuid=100000000000000002&tb_oid=08-07-2010&tb_mrud=08-07-2010&query=
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\users\elwell_kevi\appdata\local\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\users\elwell_kevi\appdata\roaming\mozilla\firefox\profiles\usnfrut2.default\extensions\gametapplayer@gametap.com\plugins\npGameTapWebPlayer.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
FF - user.js: browser.sessionstore.resume_from_crash - false
c:\program files\mozilla firefox\defaults\profile\prefs.js - user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1245067913);
c:\program files\mozilla firefox\defaults\profile\prefs.js - user_pref("app.update.lastUpdateTime.background-update-timer", 1245067913);
c:\program files\mozilla firefox\defaults\profile\prefs.js - user_pref("app.update.lastUpdateTime.blocklist-background-update-timer", 1245067913);
c:\program files\mozilla firefox\defaults\profile\prefs.js - user_pref("app.update.lastUpdateTime.microsummary-generator-update-timer", 1244729379);
c:\program files\mozilla firefox\defaults\profile\prefs.js - user_pref("app.update.lastUpdateTime.search-engine-update-timer", 1245067913);
c:\program files\mozilla firefox\defaults\profile\prefs.js - user_pref("browser.migration.version", 1);
c:\program files\mozilla firefox\defaults\profile\prefs.js - user_pref("browser.places.importBookmarksHTML", false);
c:\program files\mozilla firefox\defaults\profile\prefs.js - user_pref("browser.places.importDefaults", false);
c:\program files\mozilla firefox\defaults\profile\prefs.js - user_pref("browser.places.leftPaneFolderId", -1);
c:\program files\mozilla firefox\defaults\profile\prefs.js - user_pref("browser.places.smartBookmarksVersion", 1);
c:\program files\mozilla firefox\defaults\profile\prefs.js - user_pref("browser.preferences.advanced.selectedTabIndex", 2);
c:\program files\mozilla firefox\defaults\profile\prefs.js - user_pref("browser.startup.homepage", "http://www.bentley.edu/");
c:\program files\mozilla firefox\defaults\profile\prefs.js - user_pref("browser.startup.homepage_override.mstone", "rv:1.9.0.10");
c:\program files\mozilla firefox\defaults\profile\prefs.js - user_pref("extensions.enabledItems", "firebug@software.joehewitt.com:1.2.0b7,{972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.10");
c:\program files\mozilla firefox\defaults\profile\prefs.js - user_pref("extensions.lastAppVersion", "3.0.10");
c:\program files\mozilla firefox\defaults\profile\prefs.js - user_pref("extensions.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\profile\prefs.js - user_pref("network.cookie.prefsMigrated", true);
c:\program files\mozilla firefox\defaults\profile\prefs.js - user_pref("urlclassifier.keyupdatetime.https://sb-ssl.google.com/safebrowsing/newkey", 1247659318);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-7-8 64288]
R2 ATService;AuthenTec Fingerprint Service;c:\program files\fingerprint sensor\AtService.exe [2008-10-3 1185016]
R2 FCSAM;Microsoft Forefront Client Security Antimalware Service;c:\program files\microsoft forefront\client security\client\antimalware\MsMpEng.exe [2010-1-19 16880]
R2 FcsSas;Microsoft Forefront Client Security State Assessment Service;c:\program files\microsoft forefront\client security\client\ssa\FcsSas.exe [2007-4-6 73120]
R2 hpsrv;HP Service;c:\windows\system32\hpservice.exe [2008-7-7 24880]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-7-6 1352832]
R2 MemeoBackgroundService;MemeoBackgroundService;c:\program files\wd\wd anywhere backup\MemeoBackgroundService.exe [2008-11-7 25824]
R2 MOM;MOM;c:\program files\microsoft forefront\client security\client\microsoft operations manager 2005\MOMService.exe [2005-7-21 134656]
R2 vfsFPService;Validity Fingerprint Service;c:\windows\system32\vfsFPService.exe [2008-9-25 599344]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2010-3-18 24652]
R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [2008-10-3 479488]
R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2008-7-21 228408]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y6032.sys [2009-11-23 220152]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-7-31 38224]
R3 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-17 69616]
R3 rismc32;RICOH Smart Card Reader;c:\windows\system32\drivers\rismc32.sys [2009-11-23 49152]
S2 TCPIP Pass-through Filter;TCPIP Pass-through Filter;c:\windows\system32\svchost.exe -k netsvcs [2008-1-20 21504]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
S3 PeerDistSvc;BranchCache;c:\windows\system32\svchost.exe -k PeerDist [2008-1-20 21504]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]

=============== Created Last 30 ================

2010-07-31 15:16:30 0 d-----w- c:\users\elwell~1\appdata\roaming\Malwarebytes
2010-07-31 15:16:21 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-31 15:16:20 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-31 15:16:20 0 d-----w- c:\programdata\Malwarebytes
2010-07-31 15:16:20 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-30 01:48:03 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-07-29 00:14:14 738816 ----a-w- c:\windows\system32\inetcomm.dll
2010-07-29 00:13:46 67072 ----a-w- c:\windows\system32\asycfilt.dll
2010-07-29 00:13:02 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-07-29 00:12:59 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-07-29 00:12:28 2048 ----a-w- c:\windows\system32\tzres.dll
2010-07-29 00:11:45 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-07-29 00:11:45 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-07-29 00:10:41 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-07-29 00:10:40 49472 ----a-w- c:\windows\system32\netfxperf.dll
2010-07-29 00:10:40 297808 ----a-w- c:\windows\system32\mscoree.dll
2010-07-29 00:10:40 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2010-07-29 00:10:40 1130824 ----a-w- c:\windows\system32\dfshim.dll
2010-07-29 00:08:21 2037248 ----a-w- c:\windows\system32\win32k.sys
2010-07-28 05:25:11 0 d-----w- c:\program files\4Videosoft Studio
2010-07-27 14:11:02 0 d-----w- c:\program files\StarCraft II
2010-07-24 19:21:08 0 d-----w- c:\programdata\MemeoCommon
2010-07-24 19:20:01 0 d-----w- c:\users\elwell~1\appdata\roaming\WD
2010-07-24 19:19:43 0 d-----w- c:\program files\common files\eSellerate
2010-07-24 19:19:41 0 d-----w- c:\program files\WD
2010-07-24 19:08:50 0 d-----w- c:\program files\Western Digital
2010-07-24 19:08:44 20992 ----a-w- c:\windows\jestertb.dll
2010-07-12 15:13:38 0 d-----w- c:\program files\Hero Editor
2010-07-12 15:13:33 249856 ------w- c:\windows\Setup1.exe
2010-07-12 15:13:31 73216 ----a-w- c:\windows\ST6UNST.EXE
2010-07-12 13:17:05 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-07-11 18:41:47 0 d-----w- c:\program files\Diablo II
2010-07-08 21:50:45 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-07-08 21:45:21 0 dc-h--w- c:\programdata\{65893B95-F47B-4483-B883-86BA181E9B54}
2010-07-08 21:44:56 0 d-----w- c:\programdata\Lavasoft
2010-07-08 21:44:56 0 d-----w- c:\program files\Lavasoft
2010-07-08 16:33:19 0 d-----w- c:\programdata\AIM Toolbar
2010-07-08 16:33:19 0 d-----w- c:\program files\AIM Toolbar
2010-07-08 16:33:16 0 d-----w- c:\program files\common files\Software Update Utility
2010-07-08 16:32:57 0 d-----w- c:\programdata\AIM
2010-07-08 16:32:44 0 d-----w- c:\program files\AIM
2010-07-08 16:32:08 0 d-----w- c:\programdata\AOL Downloads

==================== Find3M ====================

2010-06-01 17:37:48 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-04 05:59:21 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 05:55:42 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-05-04 05:55:42 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-05-04 04:31:05 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-03-21 06:10:56 86016 ----a-w- c:\windows\inf\infpub.dat
2010-03-21 06:10:56 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-03-21 06:10:54 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-03-21 06:10:54 143360 ----a-w- c:\windows\inf\infstor.dat
2009-04-09 16:12:58 4104192 ----a-w- c:\windows\inf\settings\wincfgad.exe
2008-08-18 19:05:32 709936 ----a-w- c:\windows\inf\settings\BiosConfigUtility.exe
2008-01-21 02:42:50 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:09 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:09 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:09 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:09 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 11:42:43.90 ===============
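As an added example (not code from this thread or from the DDS tool), a small Python triage script that applies a few of the checks a malware responder would run over the Pseudo HJT Report above before asking for further logs. The heuristics are mine, the sample lines are copied from the posted report, and a flagged entry means "review this", not "confirmed malicious".

```python
"""Triage a DDS 'Pseudo HJT Report' for entries that deserve a closer look.

Heuristics in this file are the author's own and only cover entry types
that appear in the report posted above (Run keys, BHOs, policies, LSP).
"""
import re
from typing import List, Optional, Tuple

# Constructed sample: a subset of lines copied from the DDS report above.
SAMPLE_REPORT = r"""
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: moigh Object: {d81ac929-1645-4110-9407-3fb1122cc7e8} - c:\windows\system32\rlzcp.dll
mRun: [DpAgent] c:\program files\digitalpersona\bin\dpagent.exe
dRun: [Cxiwaludejem] rundll32.exe "c:\windows\system32\config\systemprofile\appdata\local\CO1425.dll",Startup
uPolicies-explorer: DisallowRun = 1 (0x1)
uPolicies-disallowrun: 11 = TrendAV.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
LSP: c:\windows\system32\dgxrrem.dll
Trusted Zone: bentley.edu\owa
""".strip("\n")

# uRun / mRun / dRun: per-user, per-machine and default-profile autostarts.
RUN_RE = re.compile(r"^[umd]Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# BHO lines end with the DLL path, or "No File" when only the CLSID remains.
BHO_RE = re.compile(r"^BHO: .*\{[0-9A-Fa-f-]{36}\} - (?P<path>.+)$")
# Policy lines: <hive>Policies-<key>: <name> = <value>
POLICY_RE = re.compile(
    r"^(?P<hive>[umd])Policies-(?P<key>[\w-]+): (?P<name>.+?) = (?P<value>.+)$"
)


def triage_line(line: str) -> Optional[str]:
    """Return a reason if the DDS line merits a responder's attention, else None."""
    line = line.strip()
    m = RUN_RE.match(line)
    if m:
        cmd = m.group("cmd").lower()
        # Legitimate software rarely autostarts a DLL via rundll32 from AppData.
        if "rundll32" in cmd and "\\appdata\\" in cmd:
            return "startup entry uses rundll32 to load a DLL from an AppData path"
        return None
    m = BHO_RE.match(line)
    if m:
        path = m.group("path").strip().lower()
        if path == "no file":
            return "orphaned BHO: CLSID registered but its DLL is missing"
        # Browser add-ons normally live under Program Files, not system32.
        if path.startswith(r"c:\windows\system32"):
            return "browser helper object loaded directly from system32"
        return None
    m = POLICY_RE.match(line)
    if m:
        key, name, value = m.group("key").lower(), m.group("name"), m.group("value")
        if key == "disallowrun":
            return f"DisallowRun policy blocks '{value}' from executing"
        if key == "explorer" and name == "DisallowRun" and value.startswith("1"):
            return "DisallowRun policy is switched on for this user"
        if name == "ConsentPromptBehaviorAdmin" and value.startswith("0"):
            return "UAC elevation prompt is disabled for administrators"
        return None
    # A Winsock LSP sits in the network path of every application.
    if line.startswith("LSP:"):
        return "third-party Winsock LSP present; verify the DLL and the LSP chain"
    return None


def triage(report: str) -> List[Tuple[str, str]]:
    """Walk a report and return (reason, line) pairs for every flagged entry."""
    findings = []
    for line in report.splitlines():
        reason = triage_line(line)
        if reason:
            findings.append((reason, line.strip()))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_REPORT):
        print(f"[!] {reason}\n    {line}")
```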


#2 PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:29 PM

Posted 09 August 2010 - 09:09 AM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

There are definite signs of infection.

Disable Realtime Protection
Antimalware programs can interfere with ComboFix and other tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

Download and Run ComboFix
Download Combofix by sUBs from any of the links below, and save it to your desktop. If you have already run ComboFix, delete your old copy and download a new one.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.


  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER to your desktop. Note that the file will be randomly named to prevent active malware from stopping the download.
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click the GMER program ******.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.

In your next reply include:
-the ComboFix log
-the GMER scan log

Please also tell me of any changes you have made to your computer since you started your topic.

With Regards,
The Panda

#3 PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:29 PM

Posted 21 August 2010 - 10:25 AM

Hello.

There has been no reply from the topic starter in 5 days. Due to inactivity, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda
