
qtctof rootkit


  • This topic is locked
34 replies to this topic

#1 Hawthorne2

Hawthorne2

  • Members
  • 18 posts
  • OFFLINE
  • Local time:06:04 AM

Posted 01 August 2010 - 09:37 AM

My browser gets hijacked when I click on my Google search results. Sometimes a new browser tab displays all by itself. Windows restore always fails. The message says no files got changed. Ran MBAM and Spybot, but still get the hijacking. Any help you can give me will be greatly appreciated. I ran GMER and others and have posted the logs as the Preparation guide said to do. Thanks for taking the time to look at them. Regards, Steve



DDS (Ver_10-03-17.01) - NTFSx86 NETWORK
Run by Steven at 17:25:50.73 on Sat 07/31/2010
Internet Explorer: 8.0.6001.18928 BrowserJavaVersion: 1.6.0_17
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2942.2284 [GMT -4:00]

SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\Explorer.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Users\Steven\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Steven\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Steven\Downloads\Defogger (1).exe
C:\Users\Steven\Downloads\dds (1).scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Bar = Preserve
mStart Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&s=1&o=vp32&d=0309&m=et1161-07
mDefault_Page_URL = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&s=1&o=vp32&d=0309&m=et1161-07
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5643
uWinlogon: Shell=explorer.exe,c:\users\steven\appdata\roaming\ogix.exe
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Google Update] "c:\users\steven\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [IJNetworkScanUtility] c:\program files\canon\canon ij network scan utility\CNMNSUT.EXE
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
mRun: [M-Audio Taskbar Icon] c:\windows\system32\M-AudioTaskBarIcon.exe
mRun: [eRecoveryService]
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab

================= FIREFOX ===================

FF - ProfilePath - c:\users\steven\appdata\roaming\mozilla\firefox\profiles\8ck82jaz.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\users\steven\appdata\roaming\mozilla\firefox\profiles\8ck82jaz.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\vistacodecpack\rm\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\users\steven\appdata\local\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\users\steven\appdata\roaming\move networks\plugins\npqmp071503000010.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

============= SERVICES / DRIVERS ===============

S1 d8a4fef9-85c1-448f-a6f9-2570fb195020;d8a4fef9-85c1-448f-a6f9-2570fb195020;c:\windows\iprot\d8a4fef9-85c1-448f-a6f9-2570fb195020\PhysMem.sys [2009-10-10 3584]
S1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 151216]
S2 ETService;Empowering Technology Service;c:\program files\emachines\emachines recovery management\service\ETService.exe [2009-3-9 24576]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-28 135664]
S2 RVIEGVST;VSC VST Engine;c:\program files\roland\virtual sound canvas vst\RVIEg01VST.sys [2009-5-25 188276]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [2009-12-23 84832]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
S3 MAUSBFASTTRACKPRO;Service for M-Audio FastTrack Pro;c:\windows\system32\drivers\MAudioFastTrackPro.sys [2009-11-9 158600]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2009-6-18 42368]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
S3 PLCND532;PLCND532 NDIS Protocol Driver;c:\windows\system32\drivers\PLCND532.sys [2008-3-5 26656]

=============== Created Last 30 ================

2010-07-31 19:59:34 0 ----a-w- c:\users\steven\defogger_reenable
2010-07-21 04:59:18 0 d-----w- c:\programdata\avg9
2010-07-20 20:25:02 0 d-----w- c:\program files\Trend Micro
2010-07-20 10:49:52 0 d-----w- c:\users\steven\appdata\roaming\Malwarebytes
2010-07-20 10:49:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-20 10:49:41 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-20 10:49:41 0 d-----w- c:\programdata\Malwarebytes
2010-07-20 10:49:41 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-20 10:21:01 768000 ----a-w- c:\windows\system32\drivers\qtctof.sys
2010-07-20 10:20:29 0 d-----w- c:\users\steven\appdata\roaming\6C53FCFD9D5085CA0B8673C939E774A8
2010-07-09 00:21:29 0 d-----w- c:\programdata\Spybot - Search & Destroy
2010-07-09 00:21:29 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-07-05 21:11:41 108922 ----a-w- c:\windows\News Rover Uninstaller.exe
2010-07-05 21:11:39 0 d-----w- c:\program files\NewsRover

==================== Find3M ====================

2010-07-31 21:18:00 34990 ----a-w- c:\programdata\nvModes.dat
2010-07-23 13:58:36 51200 ----a-w- c:\windows\inf\infpub.dat
2010-07-23 13:58:36 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-07-23 13:58:35 86016 ----a-w- c:\windows\inf\infstor.dat
2010-05-26 17:06:41 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-26 14:47:41 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-05-21 18:14:28 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-18 20:35:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 20:35:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-04 05:59:21 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 05:55:42 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-05-04 05:55:42 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-05-04 04:31:05 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-17 08:20:09 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-10-23 05:23:30 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2005-07-14 18:31:20 27648 --sha-w- c:\windows\system32\AVSredirect.dll

============= FINISH: 17:27:24.36 ===============

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-31 20:58:04
Windows 6.0.6002 Service Pack 2
Running: gmer.exe; Driver: C:\Users\Steven\AppData\Local\Temp\pxryqpob.sys


---- Kernel code sections - GMER 1.0.15 ----

? System32\Drivers\qtctof.sys A device attached to the system is not functioning. !

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\Explorer.EXE[2868] ntdll.dll!NtProtectVirtualMemory 77964D34 5 Bytes JMP 007D000A
.text C:\Windows\Explorer.EXE[2868] ntdll.dll!NtWriteVirtualMemory 77965674 5 Bytes JMP 007F000A
.text C:\Windows\Explorer.EXE[2868] ntdll.dll!KiUserExceptionDispatcher 77965DC8 5 Bytes JMP 007C000A
.text C:\Windows\System32\svchost.exe[3584] ntdll.dll!NtProtectVirtualMemory 77964D34 5 Bytes JMP 0021000A
.text C:\Windows\System32\svchost.exe[3584] ntdll.dll!NtWriteVirtualMemory 77965674 5 Bytes JMP 0022000A
.text C:\Windows\System32\svchost.exe[3584] ntdll.dll!KiUserExceptionDispatcher 77965DC8 5 Bytes JMP 0020000A
.text C:\Windows\System32\svchost.exe[3584] ole32.dll!CoCreateInstance 76539EA6 5 Bytes JMP 00A1000A
.text C:\Windows\System32\svchost.exe[3584] USER32.dll!GetCursorPos 76460B88 5 Bytes JMP 00AC000A

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 864B3F08

---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) [BOOT] qtctof <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\qtctof@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\qtctof@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\qtctof@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\qtctof@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet002\Services\qtctof@Type 1
Reg HKLM\SYSTEM\ControlSet002\Services\qtctof@Start 0
Reg HKLM\SYSTEM\ControlSet002\Services\qtctof@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\qtctof@Group Boot Bus Extender

---- EOF - GMER 1.0.15 ----


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:30:20 AM, on 8/1/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18928)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE
C:\Windows\WindowsMobile\wmdc.exe
C:\Windows\System32\M-AudioTaskBarIcon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Users\Steven\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Xnews\Xnews.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Windows\system32\taskeng.exe
C:\Users\Steven\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Preserve
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.emachines.com/rdr.aspx?b=A...amp;m=et1161-07
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.emachines.com/rdr.aspx?b=A...amp;m=et1161-07
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5643
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [MSSE] "C:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [IJNetworkScanUtility] C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\Windows\system32\M-AudioTaskBarIcon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Users\Steven\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Empowering Technology Service (ETService) - Unknown owner - C:\Program Files\EMACHINES\eMachines Recovery Management\Service\ETService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Users\Steven\AppData\Local\TVersity\Media Server\MediaServer.exe

--
End of file - 7449 bytes

Edited by Hawthorne2, 01 August 2010 - 10:15 PM.



#2 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:06:04 PM

Posted 07 August 2010 - 06:43 AM

Hello and welcome to Bleeping Computer.

*Please Subscribe to this Thread to get immediate notification of replies. See HERE

*It is important not to make any further changes or run any other tools/updates unless instructed to. This may hinder the cleaning process of your machine.

*Please be patient, all Bleeping Computer helpers are volunteers and have lives outside this forum.

*You must reply within 5 days otherwise this topic will be closed.


=============================


I need to see new sets of logs before we proceed. Please run another scan with DDS and GMER, and post their corresponding logs when you reply. Also attach the attach.txt from DDS. Thanks.


We're so sorry for the delay,
~Semp


~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support; post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#3 Hawthorne2

Hawthorne2
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:06:04 AM

Posted 07 August 2010 - 10:40 AM

Hi Sempai,

I re-ran DDS and GMER and have attached the logs. GMER didn't find the rootkit that it did last time. Not sure why. My Google search results still get redirected. I use Chrome mostly. In-between when I first posted and now, MS Security Essentials said it found something and cleaned it. Thanks so much for your help.

Regards, Steve

DDS (Ver_10-03-17.01) - NTFSx86
Run by Steven at 9:49:50.56 on Sat 08/07/2010
Internet Explorer: 8.0.6001.18928 BrowserJavaVersion: 1.6.0_17
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2942.1168 [GMT -4:00]

SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Users\Steven\AppData\Local\TVersity\Media Server\MediaServer.exe
C:\Program Files\EMACHINES\eMachines Recovery Management\eRecovery\HidChk.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE
C:\Windows\WindowsMobile\wmdc.exe
C:\Windows\System32\M-AudioTaskBarIcon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Windows\System32\mobsync.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\InstallShield Installation Information\{7F811A54-5A09-4579-90E1-C93498E230D9}\setup.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Program Files\EMACHINES\eMachines Recovery Management\Service\ETService.exe
C:\Program Files\EMACHINES\eMachines Recovery Management\eRecovery\HidChk.exe
C:\Program Files\InstallShield Installation Information\{7F811A54-5A09-4579-90E1-C93498E230D9}\setup.exe
C:\Program Files\Java\jre6\bin\javaw.exe
C:\Program Files\Java\jre6\bin\javaw.exe
C:\Users\Steven\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Java\jre6\bin\javaw.exe
C:\Users\Steven\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\taskeng.exe
C:\Users\Steven\Downloads\Defogger.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Steven\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Bar = Preserve
mStart Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&s=1&o=vp32&d=0309&m=et1161-07
mDefault_Page_URL = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&s=1&o=vp32&d=0309&m=et1161-07
uInternet Settings,ProxyOverride = <local>
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Google Update] "c:\users\steven\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10e.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [IJNetworkScanUtility] c:\program files\canon\canon ij network scan utility\CNMNSUT.EXE
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
mRun: [M-Audio Taskbar Icon] c:\windows\system32\M-AudioTaskBarIcon.exe
mRun: [eRecoveryService]
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab

================= FIREFOX ===================

FF - ProfilePath - c:\users\steven\appdata\roaming\mozilla\firefox\profiles\8ck82jaz.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\users\steven\appdata\roaming\mozilla\firefox\profiles\8ck82jaz.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\vistacodecpack\rm\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\users\steven\appdata\local\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\users\steven\appdata\roaming\move networks\plugins\npqmp071503000010.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

============= SERVICES / DRIVERS ===============

R1 d8a4fef9-85c1-448f-a6f9-2570fb195020;d8a4fef9-85c1-448f-a6f9-2570fb195020;c:\windows\iprot\d8a4fef9-85c1-448f-a6f9-2570fb195020\PhysMem.sys [2009-10-10 3584]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 151216]
R2 ETService;Empowering Technology Service;c:\program files\emachines\emachines recovery management\service\ETService.exe [2009-3-9 24576]
R2 RVIEGVST;VSC VST Engine;c:\program files\roland\virtual sound canvas vst\RVIEg01VST.sys [2009-5-25 188276]
R3 MAUSBFASTTRACKPRO;Service for M-Audio FastTrack Pro;c:\windows\system32\drivers\MAudioFastTrackPro.sys [2009-11-9 158600]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2009-6-18 42368]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-28 135664]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [2009-12-23 84832]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
S3 PLCND532;PLCND532 NDIS Protocol Driver;c:\windows\system32\drivers\PLCND532.sys [2008-3-5 26656]

=============== Created Last 30 ================

2010-07-31 19:59:34 0 ----a-w- c:\users\steven\defogger_reenable
2010-07-21 04:59:18 0 d-----w- c:\programdata\avg9
2010-07-20 20:25:02 0 d-----w- c:\program files\Trend Micro
2010-07-20 10:49:52 0 d-----w- c:\users\steven\appdata\roaming\Malwarebytes
2010-07-20 10:49:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-20 10:49:41 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-20 10:49:41 0 d-----w- c:\programdata\Malwarebytes
2010-07-20 10:49:41 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-20 10:20:29 0 d-----w- c:\users\steven\appdata\roaming\6C53FCFD9D5085CA0B8673C939E774A8
2010-07-09 00:21:29 0 d-----w- c:\programdata\Spybot - Search & Destroy
2010-07-09 00:21:29 0 d-----w- c:\program files\Spybot - Search & Destroy

==================== Find3M ====================

2010-08-05 05:35:26 34990 ----a-w- c:\programdata\nvModes.dat
2010-07-23 13:58:36 51200 ----a-w- c:\windows\inf\infpub.dat
2010-07-23 13:58:36 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-07-23 13:58:35 86016 ----a-w- c:\windows\inf\infstor.dat
2010-07-05 21:11:42 108922 ----a-w- c:\windows\News Rover Uninstaller.exe
2010-05-26 17:06:41 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-26 14:47:41 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-05-21 18:14:28 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-18 20:35:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 20:35:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
2009-11-17 08:20:09 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2010-05-03 14:20:15 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\temp\cookies\index.dat
2010-05-03 14:20:15 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\temp\history\history.ie5\index.dat
2010-05-03 14:20:15 32768 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\temp\temporary internet files\content.ie5\index.dat
2009-10-23 05:23:30 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2005-07-14 18:31:20 27648 --sha-w- c:\windows\system32\AVSredirect.dll

============= FINISH: 9:51:14.09 ===============


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-08-07 10:26:40
Windows 6.0.6002 Service Pack 2
Running: gmer.exe; Driver: C:\Users\Steven\AppData\Local\Temp\pxryqpob.sys


---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[1120] ntdll.dll!NtProtectVirtualMemory 775A4D34 5 Bytes JMP 0023000A
.text C:\Windows\system32\svchost.exe[1120] ntdll.dll!NtWriteVirtualMemory 775A5674 5 Bytes JMP 0024000A
.text C:\Windows\system32\svchost.exe[1120] ntdll.dll!KiUserExceptionDispatcher 775A5DC8 5 Bytes JMP 0022000A
.text C:\Windows\system32\svchost.exe[1120] ole32.dll!CoCreateInstance 76A29EA6 5 Bytes JMP 009D000A
.text C:\Windows\system32\svchost.exe[1120] USER32.dll!GetCursorPos 75C10B88 5 Bytes JMP 00AE000A
.text C:\Windows\Explorer.EXE[3160] ntdll.dll!NtProtectVirtualMemory 775A4D34 5 Bytes JMP 0024000A
.text C:\Windows\Explorer.EXE[3160] ntdll.dll!NtWriteVirtualMemory 775A5674 5 Bytes JMP 0025000A
.text C:\Windows\Explorer.EXE[3160] ntdll.dll!KiUserExceptionDispatcher 775A5DC8 5 Bytes JMP 0023000A

---- EOF - GMER 1.0.15 ----

#4 sempai

    noypi

  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:06:04 PM
Posted 07 August 2010 - 11:39 AM

Hi,

GMER is still showing some signs of a TDL rootkit.


One or more of the identified infections is a backdoor trojan/Rootkit.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterward. Let me know what you decide to do.



=====================================


Proceed with this instruction only if you do not wish to reformat.


Download TDSSKiller.zip from Kaspersky and save it to your Desktop.
  1. Extract the zip file to its own folder.
  2. Double click TDSSKiller.exe to run the program (Run as Administrator for Vista/Windows 7).
  3. Click Start scan to start scanning.
  4. If infection is detected, the default setting for "action" is Cure (Please click on it and change it to skip).
  5. Click on Report to generate a log.
  6. Please post that log when you reply.

~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I haven't replied within 48 hours, please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support; post on the forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#5 Hawthorne2

  • Topic Starter
  • Members
  • 18 posts
  • Local time:06:04 AM

Posted 07 August 2010 - 11:55 AM

Thanks! I ran TDSSKILLER as instructed, but it didn't find anything. Below is the report. I may eventually reformat, but I'd have a lot of prep work to do before I do that. For now I'd like to see how it can be cleaned. Regards, Steve


2010/08/07 12:51:02.0948 TDSS rootkit removing tool 2.4.1.0 Aug 4 2010 15:06:41
2010/08/07 12:51:02.0948 ================================================================================
2010/08/07 12:51:02.0948 SystemInfo:
2010/08/07 12:51:02.0948
2010/08/07 12:51:02.0948 OS Version: 6.0.6002 ServicePack: 2.0
2010/08/07 12:51:02.0948 Product type: Workstation
2010/08/07 12:51:02.0948 ComputerName: STUDIO-PC
2010/08/07 12:51:02.0948 UserName: Steven
2010/08/07 12:51:02.0949 Windows directory: C:\Windows
2010/08/07 12:51:02.0949 System windows directory: C:\Windows
2010/08/07 12:51:02.0949 Processor architecture: Intel x86
2010/08/07 12:51:02.0949 Number of processors: 2
2010/08/07 12:51:02.0949 Page size: 0x1000
2010/08/07 12:51:02.0949 Boot type: Normal boot
2010/08/07 12:51:02.0949 ================================================================================
2010/08/07 12:51:03.0838 Initialize success
2010/08/07 12:51:05.0419 ================================================================================
2010/08/07 12:51:05.0419 Scan started
2010/08/07 12:51:05.0419 Mode: Manual;
2010/08/07 12:51:05.0419 ================================================================================
2010/08/07 12:51:05.0710 ACPI (82b296ae1892fe3dbee00c9cf92f8ac7) C:\Windows\system32\drivers\acpi.sys
2010/08/07 12:51:05.0784 adp94xx (04f0fcac69c7c71a3ac4eb97fafc8303) C:\Windows\system32\drivers\adp94xx.sys
2010/08/07 12:51:05.0820 adpahci (60505e0041f7751bdbb80f88bf45c2ce) C:\Windows\system32\drivers\adpahci.sys
2010/08/07 12:51:06.0008 adpu160m (8a42779b02aec986eab64ecfc98f8bd7) C:\Windows\system32\drivers\adpu160m.sys
2010/08/07 12:51:06.0037 adpu320 (241c9e37f8ce45ef51c3de27515ca4e5) C:\Windows\system32\drivers\adpu320.sys
2010/08/07 12:51:06.0122 AFD (a201207363aa900abf1a388468688570) C:\Windows\system32\drivers\afd.sys
2010/08/07 12:51:06.0186 AgereSoftModem (35c391e40471a0b479328fc7b1b5f40f) C:\Windows\system32\DRIVERS\AGRSM.sys
2010/08/07 12:51:06.0263 agp440 (13f9e33747e6b41a3ff305c37db0d360) C:\Windows\system32\drivers\agp440.sys
2010/08/07 12:51:06.0285 aic78xx (ae1fdf7bf7bb6c6a70f67699d880592a) C:\Windows\system32\drivers\djsvs.sys
2010/08/07 12:51:06.0358 aliide (9eaef5fc9b8e351afa7e78a6fae91f91) C:\Windows\system32\drivers\aliide.sys
2010/08/07 12:51:06.0383 amdagp (c47344bc706e5f0b9dce369516661578) C:\Windows\system32\drivers\amdagp.sys
2010/08/07 12:51:06.0463 amdide (9b78a39a4c173fdbc1321e0dd659b34c) C:\Windows\system32\drivers\amdide.sys
2010/08/07 12:51:06.0532 AmdK7 (18f29b49ad23ecee3d2a826c725c8d48) C:\Windows\system32\drivers\amdk7.sys
2010/08/07 12:51:06.0558 AmdK8 (93ae7f7dd54ab986a6f1a1b37be7442d) C:\Windows\system32\DRIVERS\amdk8.sys
2010/08/07 12:51:06.0631 APLMp50 (1bf91f352d746ad7469fa71783b5fae8) C:\Windows\system32\Drivers\APLMp50.sys
2010/08/07 12:51:06.0738 arc (5d2888182fb46632511acee92fdad522) C:\Windows\system32\drivers\arc.sys
2010/08/07 12:51:06.0796 arcsas (5e2a321bd7c8b3624e41fdec3e244945) C:\Windows\system32\drivers\arcsas.sys
2010/08/07 12:51:06.0817 ASPI (e54e27976e2c5a6465d44c10b1d87ac0) C:\Windows\System32\DRIVERS\ASPI32.sys
2010/08/07 12:51:06.0890 AsyncMac (53b202abee6455406254444303e87be1) C:\Windows\system32\DRIVERS\asyncmac.sys
2010/08/07 12:51:06.0920 atapi (1f05b78ab91c9075565a9d8a4b880bc4) C:\Windows\system32\drivers\atapi.sys
2010/08/07 12:51:07.0022 Beep (67e506b75bd5326a3ec7b70bd014dfb6) C:\Windows\system32\drivers\Beep.sys
2010/08/07 12:51:07.0050 blbdrive (d4df28447741fd3d953526e33a617397) C:\Windows\system32\drivers\blbdrive.sys
2010/08/07 12:51:07.0127 bowser (74b442b2be1260b7588c136177ceac66) C:\Windows\system32\DRIVERS\bowser.sys
2010/08/07 12:51:07.0147 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\brfiltlo.sys
2010/08/07 12:51:07.0166 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\brfiltup.sys
2010/08/07 12:51:07.0226 Brserid (b304e75cff293029eddf094246747113) C:\Windows\system32\drivers\brserid.sys
2010/08/07 12:51:07.0260 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\system32\drivers\brserwdm.sys
2010/08/07 12:51:07.0314 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\system32\drivers\brusbmdm.sys
2010/08/07 12:51:07.0344 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\system32\drivers\brusbser.sys
2010/08/07 12:51:07.0396 BTHMODEM (ad07c1ec6665b8b35741ab91200c6b68) C:\Windows\system32\drivers\bthmodem.sys
2010/08/07 12:51:07.0439 cdfs (7add03e75beb9e6dd102c3081d29840a) C:\Windows\system32\DRIVERS\cdfs.sys
2010/08/07 12:51:07.0490 cdrom (6b4bffb9becd728097024276430db314) C:\Windows\system32\DRIVERS\cdrom.sys
2010/08/07 12:51:07.0544 circlass (e5d4133f37219dbcfe102bc61072589d) C:\Windows\system32\drivers\circlass.sys
2010/08/07 12:51:07.0579 CLFS (d7659d3b5b92c31e84e53c1431f35132) C:\Windows\system32\CLFS.sys
2010/08/07 12:51:07.0660 cmdide (0ca25e686a4928484e9fdabd168ab629) C:\Windows\system32\drivers\cmdide.sys
2010/08/07 12:51:07.0685 Compbatt (6afef0b60fa25de07c0968983ee4f60a) C:\Windows\system32\drivers\compbatt.sys
2010/08/07 12:51:07.0772 crcdisk (741e9dff4f42d2d8477d0fc1dc0df871) C:\Windows\system32\drivers\crcdisk.sys
2010/08/07 12:51:07.0799 Crusoe (1f07becdca750766a96cda811ba86410) C:\Windows\system32\drivers\crusoe.sys
2010/08/07 12:51:07.0854 d8a4fef9-85c1-448f-a6f9-2570fb195020 (7f109ab3e0251d73dcb56130bab7826e) C:\Windows\iprot\d8a4fef9-85c1-448f-a6f9-2570fb195020\PhysMem.sys
2010/08/07 12:51:07.0934 DfsC (218d8ae46c88e82014f5d73d0236d9b2) C:\Windows\system32\Drivers\dfsc.sys
2010/08/07 12:51:08.0012 disk (5d4aefc3386920236a548271f8f1af6a) C:\Windows\system32\drivers\disk.sys
2010/08/07 12:51:08.0055 drmkaud (97fef831ab90bee128c9af390e243f80) C:\Windows\system32\drivers\drmkaud.sys
2010/08/07 12:51:08.0097 DXGKrnl (5c7e2097b91d689ded7a6ff90f0f3a25) C:\Windows\System32\drivers\dxgkrnl.sys
2010/08/07 12:51:08.0152 E1G60 (5425f74ac0c1dbd96a1e04f17d63f94c) C:\Windows\system32\DRIVERS\E1G60I32.sys
2010/08/07 12:51:08.0190 Ecache (7f64ea048dcfac7acf8b4d7b4e6fe371) C:\Windows\system32\drivers\ecache.sys
2010/08/07 12:51:08.0276 elxstor (23b62471681a124889978f6295b3f4c6) C:\Windows\system32\drivers\elxstor.sys
2010/08/07 12:51:08.0366 ErrDev (3db974f3935483555d7148663f726c61) C:\Windows\system32\drivers\errdev.sys
2010/08/07 12:51:08.0428 exfat (22b408651f9123527bcee54b4f6c5cae) C:\Windows\system32\drivers\exfat.sys
2010/08/07 12:51:08.0527 fastfat (1e9b9a70d332103c52995e957dc09ef8) C:\Windows\system32\drivers\fastfat.sys
2010/08/07 12:51:08.0563 fdc (afe1e8b9782a0dd7fb46bbd88e43f89a) C:\Windows\system32\DRIVERS\fdc.sys
2010/08/07 12:51:08.0646 FileInfo (a8c0139a884861e3aae9cfe73b208a9f) C:\Windows\system32\drivers\fileinfo.sys
2010/08/07 12:51:08.0665 Filetrace (0ae429a696aecbc5970e3cf2c62635ae) C:\Windows\system32\drivers\filetrace.sys
2010/08/07 12:51:08.0737 flpydisk (85b7cf99d532820495d68d747fda9ebd) C:\Windows\system32\DRIVERS\flpydisk.sys
2010/08/07 12:51:08.0765 FltMgr (01334f9ea68e6877c4ef05d3ea8abb05) C:\Windows\system32\drivers\fltmgr.sys
2010/08/07 12:51:08.0841 Fs_Rec (65ea8b77b5851854f0c55c43fa51a198) C:\Windows\system32\drivers\Fs_Rec.sys
2010/08/07 12:51:08.0857 gagp30kx (34582a6e6573d54a07ece5fe24a126b5) C:\Windows\system32\drivers\gagp30kx.sys
2010/08/07 12:51:08.0932 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\Windows\system32\Drivers\GEARAspiWDM.sys
2010/08/07 12:51:08.0986 HdAudAddService (cb04c744be0a61b1d648faed182c3b59) C:\Windows\system32\drivers\HdAudio.sys
2010/08/07 12:51:09.0061 HDAudBus (062452b7ffd68c8c042a6261fe8dff4a) C:\Windows\system32\DRIVERS\HDAudBus.sys
2010/08/07 12:51:09.0140 HidBth (1338520e78d90154ed6be8f84de5fceb) C:\Windows\system32\drivers\hidbth.sys
2010/08/07 12:51:09.0154 HidIr (ff3160c3a2445128c5a6d9b076da519e) C:\Windows\system32\drivers\hidir.sys
2010/08/07 12:51:09.0231 HidUsb (cca4b519b17e23a00b826c55716809cc) C:\Windows\system32\DRIVERS\hidusb.sys
2010/08/07 12:51:09.0267 HpCISSs (16ee7b23a009e00d835cdb79574a91a6) C:\Windows\system32\drivers\hpcisss.sys
2010/08/07 12:51:09.0349 HTTP (f870aa3e254628ebeafe754108d664de) C:\Windows\system32\drivers\HTTP.sys
2010/08/07 12:51:09.0421 i2omp (c6b032d69650985468160fc9937cf5b4) C:\Windows\system32\drivers\i2omp.sys
2010/08/07 12:51:09.0438 i8042prt (22d56c8184586b7a1f6fa60be5f5a2bd) C:\Windows\system32\DRIVERS\i8042prt.sys
2010/08/07 12:51:09.0519 iaStorV (54155ea1b0df185878e0fc9ec3ac3a14) C:\Windows\system32\drivers\iastorv.sys
2010/08/07 12:51:09.0598 iirsp (2d077bf86e843f901d8db709c95b49a5) C:\Windows\system32\drivers\iirsp.sys
2010/08/07 12:51:09.0649 int15 (c6e5276c00ebdeb096bb5ef4b797d1b6) C:\Windows\system32\drivers\int15.sys
2010/08/07 12:51:09.0758 IntcAzAudAddService (23ebcee9aaa4d6c88728791fab462456) C:\Windows\system32\drivers\RTKVHDA.sys
2010/08/07 12:51:09.0842 intelide (83aa759f3189e6370c30de5dc5590718) C:\Windows\system32\drivers\intelide.sys
2010/08/07 12:51:09.0858 intelppm (224191001e78c89dfa78924c3ea595ff) C:\Windows\system32\DRIVERS\intelppm.sys
2010/08/07 12:51:09.0937 IpFilterDriver (62c265c38769b864cb25b4bcf62df6c3) C:\Windows\system32\DRIVERS\ipfltdrv.sys
2010/08/07 12:51:09.0968 IPMIDRV (b25aaf203552b7b3491139d582b39ad1) C:\Windows\system32\drivers\ipmidrv.sys
2010/08/07 12:51:10.0042 IPNAT (8793643a67b42cec66490b2a0cf92d68) C:\Windows\system32\DRIVERS\ipnat.sys
2010/08/07 12:51:10.0123 IRENUM (109c0dfb82c3632fbd11949b73aeeac9) C:\Windows\system32\drivers\irenum.sys
2010/08/07 12:51:10.0139 isapnp (6c70698a3e5c4376c6ab5c7c17fb0614) C:\Windows\system32\drivers\isapnp.sys
2010/08/07 12:51:10.0216 iScsiPrt (232fa340531d940aac623b121a595034) C:\Windows\system32\DRIVERS\msiscsi.sys
2010/08/07 12:51:10.0290 iteatapi (bced60d16156e428f8df8cf27b0df150) C:\Windows\system32\drivers\iteatapi.sys
2010/08/07 12:51:10.0302 iteraid (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys
2010/08/07 12:51:10.0368 kbdclass (37605e0a8cf00cbba538e753e4344c6e) C:\Windows\system32\DRIVERS\kbdclass.sys
2010/08/07 12:51:10.0393 kbdhid (ede59ec70e25c24581add1fbec7325f7) C:\Windows\system32\DRIVERS\kbdhid.sys
2010/08/07 12:51:10.0481 KSecDD (86165728af9bf72d6442a894fdfb4f8b) C:\Windows\system32\Drivers\ksecdd.sys
2010/08/07 12:51:10.0560 L8042Kbd (58759156a6918913edd368f995be3e53) C:\Windows\system32\DRIVERS\L8042Kbd.sys
2010/08/07 12:51:10.0578 L8042mou (973f78482aa2f2760323900b3a501c40) C:\Windows\system32\DRIVERS\L8042mou.Sys
2010/08/07 12:51:10.0677 LHidFilt (24e0ddb99aeccf86bb37702611761459) C:\Windows\system32\DRIVERS\LHidFilt.Sys
2010/08/07 12:51:10.0718 lltdio (d1c5883087a0c3f1344d9d55a44901f6) C:\Windows\system32\DRIVERS\lltdio.sys
2010/08/07 12:51:10.0804 LMouFilt (d58b330d318361a66a9fe60d7c9b4951) C:\Windows\system32\DRIVERS\LMouFilt.Sys
2010/08/07 12:51:10.0818 LMouKE (2a3e4db78b20b2cd2c548a48a8e6b1b7) C:\Windows\system32\DRIVERS\LMouKE.Sys
2010/08/07 12:51:10.0894 LSI_FC (c7e15e82879bf3235b559563d4185365) C:\Windows\system32\drivers\lsi_fc.sys
2010/08/07 12:51:10.0904 LSI_SAS (ee01ebae8c9bf0fa072e0ff68718920a) C:\Windows\system32\drivers\lsi_sas.sys
2010/08/07 12:51:10.0915 LSI_SCSI (912a04696e9ca30146a62afa1463dd5c) C:\Windows\system32\drivers\lsi_scsi.sys
2010/08/07 12:51:10.0935 luafv (8f5c7426567798e62a3b3614965d62cc) C:\Windows\system32\drivers\luafv.sys
2010/08/07 12:51:11.0024 MAUSBFASTTRACKPRO (f3131ec724ede4093374110c445e9358) C:\Windows\system32\DRIVERS\MAudioFastTrackPro.sys
2010/08/07 12:51:11.0115 megasas (0001ce609d66632fa17b84705f658879) C:\Windows\system32\drivers\megasas.sys
2010/08/07 12:51:11.0193 MegaSR (c252f32cd9a49dbfc25ecf26ebd51a99) C:\Windows\system32\drivers\megasr.sys
2010/08/07 12:51:11.0268 Modem (e13b5ea0f51ba5b1512ec671393d09ba) C:\Windows\system32\drivers\modem.sys
2010/08/07 12:51:11.0279 monitor (0a9bb33b56e294f686abb7c1e4e2d8a8) C:\Windows\system32\DRIVERS\monitor.sys
2010/08/07 12:51:11.0332 mouclass (5bf6a1326a335c5298477754a506d263) C:\Windows\system32\DRIVERS\mouclass.sys
2010/08/07 12:51:11.0364 mouhid (93b8d4869e12cfbe663915502900876f) C:\Windows\system32\DRIVERS\mouhid.sys
2010/08/07 12:51:11.0438 MountMgr (bdafc88aa6b92f7842416ea6a48e1600) C:\Windows\system32\drivers\mountmgr.sys
2010/08/07 12:51:11.0465 MpFilter (c98301ad8173a2235a9ab828955c32bb) C:\Windows\system32\DRIVERS\MpFilter.sys
2010/08/07 12:51:11.0543 mpio (511d011289755dd9f9a7579fb0b064e6) C:\Windows\system32\drivers\mpio.sys
2010/08/07 12:51:11.0611 MpNWMon (aeb186afff5d9cfed823c15d846aac3b) C:\Windows\system32\DRIVERS\MpNWMon.sys
2010/08/07 12:51:11.0636 mpsdrv (22241feba9b2defa669c8cb0a8dd7d2e) C:\Windows\system32\drivers\mpsdrv.sys
2010/08/07 12:51:11.0702 Mraid35x (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys
2010/08/07 12:51:11.0726 MRxDAV (82cea0395524aacfeb58ba1448e8325c) C:\Windows\system32\drivers\mrxdav.sys
2010/08/07 12:51:11.0803 mrxsmb (454341e652bdf5e01b0f2140232b073e) C:\Windows\system32\DRIVERS\mrxsmb.sys
2010/08/07 12:51:11.0861 mrxsmb10 (2a4901aff069944fa945ed5bbf4dcde3) C:\Windows\system32\DRIVERS\mrxsmb10.sys
2010/08/07 12:51:11.0898 mrxsmb20 (28b3f1ab44bdd4432c041581412f17d9) C:\Windows\system32\DRIVERS\mrxsmb20.sys
2010/08/07 12:51:11.0976 msahci (28023e86f17001f7cd9b15a5bc9ae07d) C:\Windows\system32\drivers\msahci.sys
2010/08/07 12:51:12.0044 msdsm (4468b0f385a86ecddaf8d3ca662ec0e7) C:\Windows\system32\drivers\msdsm.sys
2010/08/07 12:51:12.0072 Msfs (a9927f4a46b816c92f461acb90cf8515) C:\Windows\system32\drivers\Msfs.sys
2010/08/07 12:51:12.0146 msisadrv (0f400e306f385c56317357d6dea56f62) C:\Windows\system32\drivers\msisadrv.sys
2010/08/07 12:51:12.0178 MSKSSRV (d8c63d34d9c9e56c059e24ec7185cc07) C:\Windows\system32\drivers\MSKSSRV.sys
2010/08/07 12:51:12.0262 MSPCLOCK (1d373c90d62ddb641d50e55b9e78d65e) C:\Windows\system32\drivers\MSPCLOCK.sys
2010/08/07 12:51:12.0271 MSPQM (b572da05bf4e098d4bba3a4734fb505b) C:\Windows\system32\drivers\MSPQM.sys
2010/08/07 12:51:12.0350 MsRPC (b49456d70555de905c311bcda6ec6adb) C:\Windows\system32\drivers\MsRPC.sys
2010/08/07 12:51:12.0422 mssmbios (e384487cb84be41d09711c30ca79646c) C:\Windows\system32\DRIVERS\mssmbios.sys
2010/08/07 12:51:12.0438 MSTEE (7199c1eec1e4993caf96b8c0a26bd58a) C:\Windows\system32\drivers\MSTEE.sys
2010/08/07 12:51:12.0502 Mup (6a57b5733d4cb702c8ea4542e836b96c) C:\Windows\system32\Drivers\mup.sys
2010/08/07 12:51:12.0551 NativeWifiP (85c44fdff9cf7e72a40dcb7ec06a4416) C:\Windows\system32\DRIVERS\nwifi.sys
2010/08/07 12:51:12.0622 NDIS (1357274d1883f68300aeadd15d7bbb42) C:\Windows\system32\drivers\ndis.sys
2010/08/07 12:51:12.0666 NdisTapi (0e186e90404980569fb449ba7519ae61) C:\Windows\system32\DRIVERS\ndistapi.sys
2010/08/07 12:51:12.0717 Ndisuio (d6973aa34c4d5d76c0430b181c3cd389) C:\Windows\system32\DRIVERS\ndisuio.sys
2010/08/07 12:51:12.0763 NdisWan (818f648618ae34f729fdb47ec68345c3) C:\Windows\system32\DRIVERS\ndiswan.sys
2010/08/07 12:51:12.0828 NDProxy (71dab552b41936358f3b541ae5997fb3) C:\Windows\system32\drivers\NDProxy.sys
2010/08/07 12:51:12.0844 NetBIOS (bcd093a5a6777cf626434568dc7dba78) C:\Windows\system32\DRIVERS\netbios.sys
2010/08/07 12:51:12.0944 netbt (ecd64230a59cbd93c85f1cd1cab9f3f6) C:\Windows\system32\DRIVERS\netbt.sys
2010/08/07 12:51:13.0036 nfrd960 (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys
2010/08/07 12:51:13.0080 NPF (6623e51595c0076755c29c00846c4eb2) C:\Windows\system32\drivers\npf.sys
2010/08/07 12:51:13.0136 Npfs (d36f239d7cce1931598e8fb90a0dbc26) C:\Windows\system32\drivers\Npfs.sys
2010/08/07 12:51:13.0172 nsiproxy (609773e344a97410ce4ebf74a8914fcf) C:\Windows\system32\drivers\nsiproxy.sys
2010/08/07 12:51:13.0252 Ntfs (6a4a98cee84cf9e99564510dda4baa47) C:\Windows\system32\drivers\Ntfs.sys
2010/08/07 12:51:13.0343 ntrigdigi (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys
2010/08/07 12:51:13.0355 Null (c5dbbcda07d780bda9b685df333bb41e) C:\Windows\system32\drivers\Null.sys
2010/08/07 12:51:13.0452 NVENETFD (d958a2b5f6ad5c3b8ccdc4d7da62466c) C:\Windows\system32\DRIVERS\nvmfdx32.sys
2010/08/07 12:51:13.0710 nvlddmkm (8b75f652726a2ba3197860f300514e3f) C:\Windows\system32\DRIVERS\nvlddmkm.sys
2010/08/07 12:51:13.0920 nvraid (2edf9e7751554b42cbb60116de727101) C:\Windows\system32\drivers\nvraid.sys
2010/08/07 12:51:13.0935 nvstor (abed0c09758d1d97db0042dbb2688177) C:\Windows\system32\drivers\nvstor.sys
2010/08/07 12:51:14.0010 nvstor32 (fa7b8eca6e845b244b7e30a9dcd82c6c) C:\Windows\system32\DRIVERS\nvstor32.sys
2010/08/07 12:51:14.0055 nv_agp (18bbdf913916b71bd54575bdb6eeac0b) C:\Windows\system32\drivers\nv_agp.sys
2010/08/07 12:51:14.0145 ohci1394 (be32da025a0be1878f0ee8d6d9386cd5) C:\Windows\system32\drivers\ohci1394.sys
2010/08/07 12:51:14.0173 Parport (0fa9b5055484649d63c303fe404e5f4d) C:\Windows\system32\drivers\parport.sys
2010/08/07 12:51:14.0247 partmgr (57389fa59a36d96b3eb09d0cb91e9cdc) C:\Windows\system32\drivers\partmgr.sys
2010/08/07 12:51:14.0272 Parvdm (4f9a6a8a31413180d0fcb279ad5d8112) C:\Windows\system32\drivers\parvdm.sys
2010/08/07 12:51:14.0346 pci (941dc1d19e7e8620f40bbc206981efdb) C:\Windows\system32\drivers\pci.sys
2010/08/07 12:51:14.0362 pciide (1636d43f10416aeb483bc6001097b26c) C:\Windows\system32\drivers\pciide.sys
2010/08/07 12:51:14.0440 pcmcia (e6f3fb1b86aa519e7698ad05e58b04e5) C:\Windows\system32\drivers\pcmcia.sys
2010/08/07 12:51:14.0478 PEAUTH (6349f6ed9c623b44b52ea3c63c831a92) C:\Windows\system32\drivers\peauth.sys
2010/08/07 12:51:14.0599 PLCND532 (cf5aa091b8ba5aee3f3adb310b9f73cb) C:\Windows\system32\Drivers\PLCND532.sys
2010/08/07 12:51:14.0665 PptpMiniport (ecfffaec0c1ecd8dbc77f39070ea1db1) C:\Windows\system32\DRIVERS\raspptp.sys
2010/08/07 12:51:14.0740 Processor (2027293619dd0f047c584cf2e7df4ffd) C:\Windows\system32\drivers\processr.sys
2010/08/07 12:51:14.0784 PSched (99514faa8df93d34b5589187db3aa0ba) C:\Windows\system32\DRIVERS\pacer.sys
2010/08/07 12:51:14.0874 ql2300 (0a6db55afb7820c99aa1f3a1d270f4f6) C:\Windows\system32\drivers\ql2300.sys
2010/08/07 12:51:14.0975 ql40xx (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys
2010/08/07 12:51:15.0062 QWAVEdrv (9f5e0e1926014d17486901c88eca2db7) C:\Windows\system32\drivers\qwavedrv.sys
2010/08/07 12:51:15.0100 RasAcd (147d7f9c556d259924351feb0de606c3) C:\Windows\system32\DRIVERS\rasacd.sys
2010/08/07 12:51:15.0183 Rasl2tp (a214adbaf4cb47dd2728859ef31f26b0) C:\Windows\system32\DRIVERS\rasl2tp.sys
2010/08/07 12:51:15.0257 RasPppoe (509a98dd18af4375e1fc40bc175f1def) C:\Windows\system32\DRIVERS\raspppoe.sys
2010/08/07 12:51:15.0285 RasSstp (2005f4a1e05fa09389ac85840f0a9e4d) C:\Windows\system32\DRIVERS\rassstp.sys
2010/08/07 12:51:15.0405 rdbss (b14c9d5b9add2f84f70570bbbfaa7935) C:\Windows\system32\DRIVERS\rdbss.sys
2010/08/07 12:51:15.0480 RDPCDD (89e59be9a564262a3fb6c4f4f1cd9899) C:\Windows\system32\DRIVERS\RDPCDD.sys
2010/08/07 12:51:15.0504 rdpdr (fbc0bacd9c3d7f6956853f64a66e252d) C:\Windows\system32\drivers\rdpdr.sys
2010/08/07 12:51:15.0589 RDPENCDD (9d91fe5286f748862ecffa05f8a0710c) C:\Windows\system32\drivers\rdpencdd.sys
2010/08/07 12:51:15.0679 RDPWD (30bfbdfb7f95559ede971f9ddb9a00ba) C:\Windows\system32\drivers\RDPWD.sys
2010/08/07 12:51:15.0807 rspndr (9c508f4074a39e8b4b31d27198146fad) C:\Windows\system32\DRIVERS\rspndr.sys
2010/08/07 12:51:15.0864 RVIEG01 (93f66faea8bf047d4242ac85aada403d) C:\Program Files\Roland\Virtual Sound Canvas DXi\RVIEg01.sys
2010/08/07 12:51:15.0876 RVIEGVST (3c74d9fdb1d9831ec932e89f3d874f00) C:\Program Files\Roland\Virtual Sound Canvas VST\RVIEg01VST.sys
2010/08/07 12:51:15.0980 sbp2port (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys
2010/08/07 12:51:16.0155 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
2010/08/07 12:51:16.0302 Serenum (68e44e331d46f0fb38f0863a84cd1a31) C:\Windows\system32\drivers\serenum.sys
2010/08/07 12:51:16.0389 Serial (c70d69a918b178d3c3b06339b40c2e1b) C:\Windows\system32\drivers\serial.sys
2010/08/07 12:51:16.0478 sermouse (8af3d28a879bf75db53a0ee7a4289624) C:\Windows\system32\drivers\sermouse.sys
2010/08/07 12:51:16.0587 sffdisk (3efa810bdca87f6ecc24f9832243fe86) C:\Windows\system32\drivers\sffdisk.sys
2010/08/07 12:51:16.0644 sffp_mmc (e95d451f7ea3e583aec75f3b3ee42dc5) C:\Windows\system32\drivers\sffp_mmc.sys
2010/08/07 12:51:16.0687 sffp_sd (3d0ea348784b7ac9ea9bd9f317980979) C:\Windows\system32\drivers\sffp_sd.sys
2010/08/07 12:51:16.0741 sfloppy (46ed8e91793b2e6f848015445a0ac188) C:\Windows\system32\drivers\sfloppy.sys
2010/08/07 12:51:16.0773 sisagp (1d76624a09a054f682d746b924e2dbc3) C:\Windows\system32\drivers\sisagp.sys
2010/08/07 12:51:23.0758 ================================================================================
2010/08/07 12:51:23.0758 Scan finished
2010/08/07 12:51:23.0758 ================================================================================


#6 sempai (noypi), Malware Response Team, 5,288 posts, Location: 3 stars and a sun

Posted 07 August 2010 - 11:58 AM

Download Combofix (by Subs) from any of the links below, make sure that you save it to your desktop.
Link 1
Link 2

  • It's important to temporarily disable your anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. See HERE
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
*It's strongly recommended to have this pre-installed on your machine before doing any malware removal.
*The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
*This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures. If you did not have it installed, you will see the prompt below. Choose YES.


  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Important notes:
  1. Leave your computer alone while ComboFix is running.
  2. ComboFix will restart your computer if malware is found; allow it to do so.
  3. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  4. Please do not mouse-click ComboFix's window while it's running because it may cause it to stall.
  5. ComboFix SHOULD NOT be used unless requested by a forum helper. See HERE.


~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#7 Hawthorne2 (Topic Starter), Members, 18 posts

Posted 07 August 2010 - 12:50 PM

I've run Combofix. It said it found rootkit activity. After it rebooted my system and had completed stage 2, I got a pop-up message that PEV.cfxxe had stopped working. I was prompted to close it, which I did, and then Combofix continued working. Here is its log:

ComboFix 10-08-06.03 - Steven 08/07/2010 13:16:11.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2942.2214 [GMT -4:00]
Running from: c:\users\Steven\Desktop\ComboFix.exe
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
c:\users\Steven\AppData\Roaming\6C53FCFD9D5085CA0B8673C939E774A8
c:\users\Steven\AppData\Roaming\6C53FCFD9D5085CA0B8673C939E774A8\enemies-names.txt
c:\users\Steven\AppData\Roaming\6C53FCFD9D5085CA0B8673C939E774A8\local.ini
c:\users\Steven\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Antimalware Doctor
c:\windows\system32\skinboxer43.dll
c:\windows\TEMP\{0E033168-B7CE-4080-A442-4D5419F17BD1}\{7F811A54-5A09-4579-90E1-C93498E230D9}\_IsRes.dll
c:\windows\TEMP\{0E033168-B7CE-4080-A442-4D5419F17BD1}\{7F811A54-5A09-4579-90E1-C93498E230D9}\_ISUser.dll
c:\windows\TEMP\{0E033168-B7CE-4080-A442-4D5419F17BD1}\{7F811A54-5A09-4579-90E1-C93498E230D9}\isrt.dll
c:\windows\TEMP\{33DBF587-FEC3-4BE4-8B74-C6051B102F7A}\_Setup.dll
c:\windows\TEMP\{B024DC53-5B51-4D81-A278-411F2B4FD419}\_Setup.dll
K:\Autorun.inf . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2010-07-07 to 2010-08-07 )))))))))))))))))))))))))))))))
.

2010-08-07 17:28 . 2010-08-07 17:35 -------- d-----w- c:\users\Steven\AppData\Local\temp
2010-08-07 17:28 . 2010-08-07 17:28 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-07-30 01:16 . 2010-07-30 01:16 21504 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{59198FEF-1402-F09C-94D6-87BAB6DB4214}-svchost.exe
2010-07-30 01:16 . 2010-07-30 01:16 21504 ----a-w- c:\programdata\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{59198FEF-1402-F09C-94D6-87BAB6DB4214}-svchost.exe
2010-07-30 01:16 . 2010-07-30 01:16 21504 ----a-w- c:\programdata\Application Data\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{59198FEF-1402-F09C-94D6-87BAB6DB4214}-svchost.exe
2010-07-30 01:16 . 2010-07-30 01:16 21504 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{59198FEF-1402-F09C-94D6-87BAB6DB4214}-svchost.exe
2010-07-30 01:16 . 2010-07-30 01:16 21504 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{59198FEF-1402-F09C-94D6-87BAB6DB4214}-svchost.exe
2010-07-30 01:16 . 2010-07-30 01:16 21504 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{59198FEF-1402-F09C-94D6-87BAB6DB4214}-svchost.exe
2010-07-30 01:16 . 2010-07-30 01:16 21504 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{59198FEF-1402-F09C-94D6-87BAB6DB4214}-svchost.exe
2010-07-30 01:16 . 2010-07-30 01:16 21504 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{59198FEF-1402-F09C-94D6-87BAB6DB4214}-svchost.exe
2010-07-30 01:16 . 2010-07-30 01:16 21504 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{59198FEF-1402-F09C-94D6-87BAB6DB4214}-svchost.exe
2010-07-27 16:51 . 2010-07-27 16:51 -------- d-----w- c:\users\Steven\AppData\Local\Deployment
2010-07-21 14:29 . 2010-07-21 14:45 -------- d-----w- c:\users\Steven\AppData\Local\ibopasynu
2010-07-21 04:59 . 2010-07-21 14:23 -------- d-----w- c:\programdata\avg9
2010-07-20 20:25 . 2010-07-20 20:25 -------- d-----w- c:\program files\Trend Micro
2010-07-20 10:49 . 2010-07-20 10:49 -------- d-----w- c:\users\Steven\AppData\Roaming\Malwarebytes
2010-07-20 10:49 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-20 10:49 . 2010-07-20 10:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-20 10:49 . 2010-07-20 10:49 -------- d-----w- c:\programdata\Malwarebytes
2010-07-20 10:49 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-20 10:20 . 2010-07-20 10:55 -------- d-----w- c:\users\Steven\AppData\Local\ybiwuepfl
2010-07-09 00:21 . 2010-07-22 01:11 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-07-09 00:21 . 2010-07-09 00:23 -------- d-----w- c:\program files\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-07 17:33 . 2009-12-31 01:30 34990 ----a-w- c:\programdata\nvModes.dat
2010-07-31 22:22 . 2010-02-04 04:34 1356 ----a-w- c:\users\Steven\AppData\Local\d3d9caps.dat
2010-07-31 02:02 . 2010-02-07 01:44 -------- d-----w- c:\program files\Calibre2
2010-07-23 04:47 . 2009-07-07 17:21 -------- d-----w- c:\users\Steven\AppData\Roaming\dvdcss
2010-07-22 01:11 . 2009-05-25 00:15 -------- d-----w- c:\users\Steven\AppData\Roaming\vlc
2010-07-22 01:11 . 2009-05-25 00:12 -------- d-----w- c:\users\Steven\AppData\Roaming\Winamp
2010-07-22 01:11 . 2009-12-13 03:23 -------- d-----w- c:\users\Steven\AppData\Roaming\.BitTornado
2010-07-22 01:11 . 2010-06-21 02:44 -------- d-----w- c:\program files\Bonjour
2010-07-21 04:59 . 2009-09-13 08:33 -------- d-----w- c:\program files\AVG
2010-07-13 03:09 . 2010-02-21 05:34 -------- d-----w- c:\users\Steven\AppData\Roaming\foobar2000
2010-07-08 03:59 . 2009-05-25 00:26 1 ----a-w- c:\users\Steven\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-07-05 21:12 . 2010-07-05 21:11 -------- d-----w- c:\program files\NewsRover
2010-07-05 21:11 . 2010-07-05 21:11 108922 ----a-w- c:\windows\News Rover Uninstaller.exe
2010-06-30 07:02 . 2009-09-30 16:21 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-06-21 02:49 . 2010-06-21 02:48 -------- d-----w- c:\program files\iTunes
2010-06-21 02:48 . 2010-06-21 02:48 -------- d-----w- c:\program files\iPod
2010-06-21 02:48 . 2009-07-13 01:57 -------- d-----w- c:\program files\Common Files\Apple
2010-06-21 02:42 . 2010-06-21 02:42 72504 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2010-06-21 02:42 . 2010-06-21 02:42 72504 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2010-06-21 02:42 . 2010-06-21 02:42 72504 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2010-06-21 02:42 . 2010-06-21 02:42 72504 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2010-06-21 02:42 . 2010-06-21 02:42 72504 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2010-06-21 02:42 . 2010-06-21 02:42 72504 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2010-06-21 02:42 . 2010-06-21 02:42 72504 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2010-06-21 02:42 . 2010-06-21 02:42 72504 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2010-06-21 02:42 . 2010-06-21 02:42 72504 ----a-w- c:\programdata\Application Data\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2010-06-21 02:42 . 2010-06-21 02:42 72504 ----a-w- c:\programdata\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2010-06-21 02:42 . 2010-06-21 02:42 72504 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2010-06-13 04:20 . 2009-10-22 22:47 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-29 23:02 . 2010-05-29 23:02 501872 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtb63BD.tmp.exe
2010-05-29 23:02 . 2010-05-29 23:02 501872 ----a-w- c:\programdata\Application Data\Google\Google Toolbar\Update\gtb63BD.tmp.exe
2010-05-29 23:02 . 2010-05-29 23:02 501872 ----a-w- c:\programdata\Application Data\Application Data\Google\Google Toolbar\Update\gtb63BD.tmp.exe
2010-05-29 23:02 . 2010-05-29 23:02 501872 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb63BD.tmp.exe
2010-05-29 23:02 . 2010-05-29 23:02 501872 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb63BD.tmp.exe
2010-05-29 23:02 . 2010-05-29 23:02 501872 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb63BD.tmp.exe
2010-05-29 23:02 . 2010-05-29 23:02 501872 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb63BD.tmp.exe
2010-05-29 23:02 . 2010-05-29 23:02 501872 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb63BD.tmp.exe
2010-05-29 23:02 . 2010-05-29 23:02 501872 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb63BD.tmp.exe
2010-05-29 23:02 . 2010-05-29 23:02 501872 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb63BD.tmp.exe
2010-05-29 23:02 . 2010-05-29 23:02 501872 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb63BD.tmp.exe
2010-05-29 23:02 . 2010-05-29 23:02 501872 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb63BD.tmp.exe
2010-05-26 17:06 . 2010-06-09 20:35 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-26 14:47 . 2010-06-09 20:35 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-05-21 18:14 . 2009-10-01 16:28 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-18 20:35 . 2010-05-18 20:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 20:35 . 2010-05-18 20:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
2005-07-14 18:31 . 2006-05-24 16:37 27648 --sha-w- c:\windows\System32\AVSredirect.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-05-24 68856]
"Google Update"="c:\users\Steven\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-01-20 135664]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-06-01 1093208]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-11 689488]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2008-03-18 1848648]
"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE" [2007-05-21 124512]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"M-Audio Taskbar Icon"="c:\windows\system32\M-AudioTaskBarIcon.exe" [2009-11-09 643592]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-11-27 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Audible Download Manager.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Audible Download Manager.lnk
backup=c:\windows\pss\Audible Download Manager.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Steven^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
backup=c:\windows\pss\OpenOffice.org 3.1.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-06-15 20:33 141624 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\M-Audio Taskbar Icon]
2009-11-09 17:56 643592 ----a-w- c:\windows\System32\M-AudioTaskBarIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2010-04-29 19:39 1090952 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P2Go_Menu]
2008-06-14 01:11 210216 ------w- c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 01:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2008-07-23 18:25 6183456 ----a-w- c:\windows\RtHDVCpl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skytel]
2008-07-23 18:29 1826816 ----a-w- c:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-10-11 09:17 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-03-25 09:35 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2009-04-10 17:29 37888 ----a-w- c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):b5,46,ac,8b,01,f8,c9,01

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 135664]
R3 APLMp60;APLMp60 NDIS Protocol Driver;c:\windows\system32\Drivers\APLMp60.sys [x]
R3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\System32\DRIVERS\ASPI32.sys [2002-07-17 84832]
R3 MAUSBFTP;Service for M-Audio Fast Track Pro (WDM);c:\windows\system32\DRIVERS\mausb.sys [x]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-03-26 42368]
R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-06-18 34064]
R3 PLCND532;PLCND532 NDIS Protocol Driver;c:\windows\system32\Drivers\PLCND532.sys [2008-03-05 26656]
S1 d8a4fef9-85c1-448f-a6f9-2570fb195020;d8a4fef9-85c1-448f-a6f9-2570fb195020;c:\windows\iprot\d8a4fef9-85c1-448f-a6f9-2570fb195020\PhysMem.sys [2009-10-10 3584]
S2 ETService;Empowering Technology Service;c:\program files\EMACHINES\eMachines Recovery Management\Service\ETService.exe [2008-06-11 24576]
S2 RVIEGVST;VSC VST Engine;c:\program files\Roland\Virtual Sound Canvas VST\RVIEg01VST.sys [2001-04-13 188276]
S3 MAUSBFASTTRACKPRO;Service for M-Audio FastTrack Pro;c:\windows\system32\DRIVERS\MAudioFastTrackPro.sys [2009-11-09 158600]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
.
Contents of the 'Scheduled Tasks' folder

2010-08-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 02:42]

2010-08-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 02:42]

2010-08-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1919873361-1462144464-1778340490-1000Core.job
- c:\users\Steven\AppData\Local\Google\Update\GoogleUpdate.exe [2010-01-20 05:14]

2010-08-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1919873361-1462144464-1778340490-1000UA.job
- c:\users\Steven\AppData\Local\Google\Update\GoogleUpdate.exe [2010-01-20 05:14]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&s=1&o=vp32&d=0309&m=et1161-07
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
FF - ProfilePath - c:\users\Steven\AppData\Roaming\Mozilla\Firefox\Profiles\8ck82jaz.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\users\Steven\AppData\Roaming\Mozilla\Firefox\Profiles\8ck82jaz.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\VistaCodecPack\rm\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\programdata\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: c:\users\Steven\AppData\Local\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\users\Steven\AppData\Roaming\Move Networks\plugins\npqmp071503000010.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKLM-Run-eRecoveryService - (no file)
AddRemove-Cakewalk Music Creator - c:\program files\Cakewalk\Cakewalk Music Creator\CWMC_Uninst.isu
AddRemove-HijackThis - c:\program files\Trend Micro\HijackThis\HijackThis.exe



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(3356)
c:\program files\Logitech\SetPoint\lgscroll.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\windows\system32\nvvsvc.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\EMACHINES\eMachines Recovery Management\eRecovery\HidChk.exe
c:\users\Steven\AppData\Local\TVersity\Media Server\MediaServer.exe
c:\windows\system32\WUDFHost.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
c:\program files\InstallShield Installation Information\{7F811A54-5A09-4579-90E1-C93498E230D9}\setup.exe
c:\windows\system32\vssvc.exe
c:\windows\servicing\TrustedInstaller.exe
c:\program files\EMACHINES\eMachines Recovery Management\eRecovery\HidChk.exe
c:\program files\InstallShield Installation Information\{7F811A54-5A09-4579-90E1-C93498E230D9}\setup.exe
.
**************************************************************************
.
Completion time: 2010-08-07 13:39:52 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-07 17:39

Pre-Run: 94,455,439,360 bytes free
Post-Run: 94,597,484,544 bytes free

- - End Of File - - A73CB76DF9DC4C547F51FF9307684714

#8 sempai (noypi), Malware Response Team, 5,288 posts, Location: 3 stars and a sun

Posted 07 August 2010 - 01:36 PM

We need to execute a ComboFix script. (Tutorials on how to disable your anti-virus and anti-malware programs can be found HERE.)
1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the code box below into it:

CODE
Folder::
c:\users\Steven\AppData\Local\ibopasynu
c:\users\Steven\AppData\Local\ybiwuepfl
c:\programdata\avg9

DDS::
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File


4. Save this as CFScript.txt, in the same location as ComboFix.exe




5. Referring to the picture above, drag CFScript into ComboFix.exe

6. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


~Semp

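As an added triage example (not code from the thread, from ComboFix or from the helper), this Python script parses lines in the "Files Created" format shown in the log above and flags directories in user-writable locations whose leaf names look machine-generated, which is the kind of entry the two AppData\Local folders in the CFScript above are. The sample log lines and the naming heuristic are constructed assumptions, not a ComboFix rule.

```python
import re
from typing import Dict, List

# Constructed sample lines (shaped like the "Files Created" section of the
# ComboFix log above; not the original log). Field order is:
# created . modified size attrs path
SAMPLE_LOG = "\n".join([
    r"2010-08-07 17:28 . 2010-08-07 17:35 -------- d-----w- c:\users\Steven\AppData\Local\temp",
    r"2010-07-27 16:51 . 2010-07-27 16:51 -------- d-----w- c:\users\Steven\AppData\Local\Deployment",
    r"2010-07-21 14:29 . 2010-07-21 14:45 -------- d-----w- c:\users\Steven\AppData\Local\ibopasynu",
    r"2010-07-21 04:59 . 2010-07-21 14:23 -------- d-----w- c:\programdata\avg9",
    r"2010-07-20 10:49 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys",
    r"2010-07-20 10:49 . 2010-07-20 10:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware",
    r"2010-07-20 10:20 . 2010-07-20 10:55 -------- d-----w- c:\users\Steven\AppData\Local\ybiwuepfl",
    r"2010-07-09 00:21 . 2010-07-09 00:23 -------- d-----w- c:\program files\Spybot - Search & Destroy",
])

# One entry: two timestamps separated by " . ", a size (eight dashes for a
# directory), an 8-character attribute field (d-----w-, ----a-w-, ...), the path.
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>-{8}|\d+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)

# Locations a standard user can write without elevation; malware that runs as
# the logged-on user lands here rather than under Program Files.
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\programdata\\")
VOWELS = set("aeiouy")


def parse_files_created(text: str) -> List[Dict[str, str]]:
    """Parse every well-formed entry; section banners, lone dots and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            entries.append(match.groupdict())
    return entries


def looks_machine_generated(name: str) -> bool:
    """Heuristic (assumption) for randomly named dropper folders such as
    'ibopasynu': 7+ letters, all lowercase, no digits or spaces, and a mix of
    vowels and consonants. Vendor folders are normally capitalised
    (Deployment, Malwarebytes) or carry digits (avg9), so they are not flagged."""
    if len(name) < 7 or not name.isalpha() or not name.islower():
        return False
    vowel_count = sum(ch in VOWELS for ch in name)
    return 0 < vowel_count < len(name)


def flag_suspicious_dirs(entries: List[Dict[str, str]]) -> List[str]:
    """Return paths of directories in user-writable locations whose leaf name
    looks generated. A triage aid only: confirm each hit before removing anything."""
    flagged = []
    for entry in entries:
        if not entry["attrs"].startswith("d"):
            continue  # files need different checks (hash lookup, signer)
        path = entry["path"]
        if not any(marker in path.lower() for marker in USER_WRITABLE):
            continue
        leaf = path.rsplit("\\", 1)[-1]  # keep original case for the heuristic
        if looks_machine_generated(leaf):
            flagged.append(path)
    return flagged


if __name__ == "__main__":
    for hit in flag_suspicious_dirs(parse_files_created(SAMPLE_LOG)):
        print("suspicious directory:", hit)
```

Run against the sample it reports only the two AppData\Local folders; a real log should be reviewed entry by entry since the heuristic will miss capitalised or digit-bearing names.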


#9 Hawthorne2 (Topic Starter), Members, 18 posts

Posted 07 August 2010 - 02:14 PM

I created the script and ran it per instructions. Here is the resulting log:


ComboFix 10-08-06.03 - Steven 08/07/2010 14:51:57.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2942.2247 [GMT -4:00]
Running from: c:\users\Steven\Desktop\ComboFix.exe
Command switches used :: c:\users\Steven\Desktop\CFScript.txt
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\avg9
c:\programdata\avg9\Cfg\changecfgreg.cfg
c:\programdata\avg9\Cfg\krnl.cfg
c:\programdata\avg9\Cfg\mail.cfg
c:\programdata\avg9\Cfg\malrep.cfg
c:\programdata\avg9\Cfg\scan.cfg
c:\programdata\avg9\Cfg\sched.cfg
c:\programdata\avg9\Cfg\update.cfg
c:\programdata\avg9\Cfg\user.cfg
c:\programdata\avg9\CfgAll\falsealarm.cfg
c:\programdata\avg9\CfgAll\krnlall.cfg
c:\programdata\avg9\CfgAll\updateall.cfg
c:\programdata\avg9\Log\avgchjw.log
c:\programdata\avg9\Log\avgchjw.log.1
c:\programdata\avg9\Log\avgchjw.log.lock
c:\programdata\avg9\Log\avgchjwsrv.log
c:\programdata\avg9\Log\avgchjwsrv.log.lock
c:\programdata\avg9\Log\avgcore.log
c:\programdata\avg9\Log\avgcore.log.lock
c:\programdata\avg9\Log\avgfrw.log
c:\programdata\avg9\Log\avgfrw.log.lock
c:\programdata\avg9\Log\avgldr.log
c:\programdata\avg9\Log\avgldr.log.lock
c:\programdata\avg9\Log\avglng.log
c:\programdata\avg9\Log\avglng.log.lock
c:\programdata\avg9\Log\avgns.log
c:\programdata\avg9\Log\avgns.log.lock
c:\programdata\avg9\Log\avgrs.log
c:\programdata\avg9\Log\avgrs.log.1
c:\programdata\avg9\Log\avgrs.log.10
c:\programdata\avg9\Log\avgrs.log.2
c:\programdata\avg9\Log\avgrs.log.3
c:\programdata\avg9\Log\avgrs.log.4
c:\programdata\avg9\Log\avgrs.log.5
c:\programdata\avg9\Log\avgrs.log.6
c:\programdata\avg9\Log\avgrs.log.7
c:\programdata\avg9\Log\avgrs.log.8
c:\programdata\avg9\Log\avgrs.log.9
c:\programdata\avg9\Log\avgrs.log.lock
c:\programdata\avg9\Log\avgscan.log
c:\programdata\avg9\Log\avgscan.log.lock
c:\programdata\avg9\Log\avgsched.log
c:\programdata\avg9\Log\avgsched.log.lock
c:\programdata\avg9\Log\avgsrm.log
c:\programdata\avg9\Log\avgsrm.log.lock
c:\programdata\avg9\Log\avgtdi.log
c:\programdata\avg9\Log\avgtdi.log.lock
c:\programdata\avg9\Log\avgui.log
c:\programdata\avg9\Log\avgui.log.lock
c:\programdata\avg9\Log\avgupd.log
c:\programdata\avg9\Log\avgupd.log.lock
c:\programdata\avg9\Log\avgwd.log
c:\programdata\avg9\Log\avgwd.log.lock
c:\programdata\avg9\Log\avgwdsvc.log
c:\programdata\avg9\Log\avgwdsvc.log.lock
c:\programdata\avg9\Log\commonpriv.log
c:\programdata\avg9\Log\commonpriv.log.lock
c:\programdata\avg9\Log\fixcfg.log
c:\programdata\avg9\Log\fixcfg.log.lock
c:\programdata\avg9\Log\history.xml
c:\programdata\avg9\Log\vault.log
c:\programdata\avg9\Log\vault.log.lock
c:\programdata\avg9\scanlogs\I_00000001.log
c:\programdata\avg9\scanlogs\I_00000005.log
c:\programdata\avg9\scanlogs\I_00000006.log
c:\programdata\avg9\scanlogs\srm.idx
c:\programdata\avg9\Temp\d57c05a4-0554-434c-a281-f07079ee557e-120-oopp.tmp
c:\programdata\avg9\Temp\file9514.tmp
c:\programdata\avg9\update\backup\avg9us.lng
c:\programdata\avg9\update\backup\avgcorex.dll
c:\programdata\avg9\update\backup\avgfree_us.mht
c:\programdata\avg9\update\backup\avgssff.dll
c:\programdata\avg9\update\backup\avgssie.dll
c:\programdata\avg9\update\backup\avgxpl.dll
c:\programdata\avg9\update\backup\box_bottom_red.gif
c:\programdata\avg9\update\backup\box_top_red.gif
c:\programdata\avg9\update\backup\incavi.avm
c:\programdata\avg9\update\backup\install.rdf
c:\programdata\avg9\update\backup\sb.dat
c:\programdata\avg9\update\backup\sb.dat.xcd
c:\programdata\avg9\update\backup\sc.dat
c:\programdata\avg9\update\backup\sc.dat.xcd
c:\programdata\avg9\update\backup\searchshield.jar
c:\programdata\avg9\update\prepare\temp\cty.cty
c:\users\Steven\AppData\Local\ibopasynu
c:\users\Steven\AppData\Local\ybiwuepfl
c:\windows\TEMP\{410FABCF-5C57-4F56-83B6-962B9AD47282}\{7F811A54-5A09-4579-90E1-C93498E230D9}\_IsRes.dll
c:\windows\TEMP\{410FABCF-5C57-4F56-83B6-962B9AD47282}\{7F811A54-5A09-4579-90E1-C93498E230D9}\_ISUser.dll
c:\windows\TEMP\{410FABCF-5C57-4F56-83B6-962B9AD47282}\{7F811A54-5A09-4579-90E1-C93498E230D9}\isrt.dll
c:\windows\TEMP\{F2BE74C9-BB72-4253-82CC-A0B65F9BCF16}\_Setup.dll
c:\windows\TEMP\{FA49296C-6B03-446D-894F-A00291EA4DAF}\_Setup.dll
K:\Autorun.inf . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2010-07-07 to 2010-08-07 )))))))))))))))))))))))))))))))
.

2010-08-07 19:00 . 2010-08-07 19:07 -------- d-----w- c:\users\Steven\AppData\Local\temp
2010-08-07 19:00 . 2010-08-07 19:00 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-08-07 19:00 . 2010-08-07 19:00 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-07-30 01:16 . 2010-07-30 01:16 21504 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{59198FEF-1402-F09C-94D6-87BAB6DB4214}-svchost.exe
2010-07-30 01:16 . 2010-07-30 01:16 21504 ----a-w- c:\programdata\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{59198FEF-1402-F09C-94D6-87BAB6DB4214}-svchost.exe
2010-07-30 01:16 . 2010-07-30 01:16 21504 ----a-w- c:\programdata\Application Data\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{59198FEF-1402-F09C-94D6-87BAB6DB4214}-svchost.exe
2010-07-30 01:16 . 2010-07-30 01:16 21504 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{59198FEF-1402-F09C-94D6-87BAB6DB4214}-svchost.exe
2010-07-30 01:16 . 2010-07-30 01:16 21504 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{59198FEF-1402-F09C-94D6-87BAB6DB4214}-svchost.exe
2010-07-30 01:16 . 2010-07-30 01:16 21504 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{59198FEF-1402-F09C-94D6-87BAB6DB4214}-svchost.exe
2010-07-30 01:16 . 2010-07-30 01:16 21504 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{59198FEF-1402-F09C-94D6-87BAB6DB4214}-svchost.exe
2010-07-30 01:16 . 2010-07-30 01:16 21504 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{59198FEF-1402-F09C-94D6-87BAB6DB4214}-svchost.exe
2010-07-30 01:16 . 2010-07-30 01:16 21504 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{59198FEF-1402-F09C-94D6-87BAB6DB4214}-svchost.exe
2010-07-27 16:51 . 2010-07-27 16:51 -------- d-----w- c:\users\Steven\AppData\Local\Deployment
2010-07-20 20:25 . 2010-07-20 20:25 -------- d-----w- c:\program files\Trend Micro
2010-07-20 10:49 . 2010-07-20 10:49 -------- d-----w- c:\users\Steven\AppData\Roaming\Malwarebytes
2010-07-20 10:49 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-20 10:49 . 2010-07-20 10:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-20 10:49 . 2010-07-20 10:49 -------- d-----w- c:\programdata\Malwarebytes
2010-07-20 10:49 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-09 00:21 . 2010-07-22 01:11 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-07-09 00:21 . 2010-07-09 00:23 -------- d-----w- c:\program files\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-07 19:04 . 2009-12-31 01:30 34990 ----a-w- c:\programdata\nvModes.dat
2010-07-31 22:22 . 2010-02-04 04:34 1356 ----a-w- c:\users\Steven\AppData\Local\d3d9caps.dat
2010-07-31 02:02 . 2010-02-07 01:44 -------- d-----w- c:\program files\Calibre2
2010-07-23 04:47 . 2009-07-07 17:21 -------- d-----w- c:\users\Steven\AppData\Roaming\dvdcss
2010-07-22 01:11 . 2009-05-25 00:15 -------- d-----w- c:\users\Steven\AppData\Roaming\vlc
2010-07-22 01:11 . 2009-05-25 00:12 -------- d-----w- c:\users\Steven\AppData\Roaming\Winamp
2010-07-22 01:11 . 2009-12-13 03:23 -------- d-----w- c:\users\Steven\AppData\Roaming\.BitTornado
2010-07-22 01:11 . 2010-06-21 02:44 -------- d-----w- c:\program files\Bonjour
2010-07-21 04:59 . 2009-09-13 08:33 -------- d-----w- c:\program files\AVG
2010-07-13 03:09 . 2010-02-21 05:34 -------- d-----w- c:\users\Steven\AppData\Roaming\foobar2000
2010-07-08 03:59 . 2009-05-25 00:26 1 ----a-w- c:\users\Steven\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-07-05 21:12 . 2010-07-05 21:11 -------- d-----w- c:\program files\NewsRover
2010-07-05 21:11 . 2010-07-05 21:11 108922 ----a-w- c:\windows\News Rover Uninstaller.exe
2010-06-30 07:02 . 2009-09-30 16:21 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-06-21 02:49 . 2010-06-21 02:48 -------- d-----w- c:\program files\iTunes
2010-06-21 02:48 . 2010-06-21 02:48 -------- d-----w- c:\program files\iPod
2010-06-21 02:48 . 2009-07-13 01:57 -------- d-----w- c:\program files\Common Files\Apple
2010-06-21 02:42 . 2010-06-21 02:42 72504 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2010-06-21 02:42 . 2010-06-21 02:42 72504 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2010-06-21 02:42 . 2010-06-21 02:42 72504 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2010-06-21 02:42 . 2010-06-21 02:42 72504 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2010-06-21 02:42 . 2010-06-21 02:42 72504 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2010-06-21 02:42 . 2010-06-21 02:42 72504 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2010-06-21 02:42 . 2010-06-21 02:42 72504 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2010-06-21 02:42 . 2010-06-21 02:42 72504 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2010-06-21 02:42 . 2010-06-21 02:42 72504 ----a-w- c:\programdata\Application Data\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2010-06-21 02:42 . 2010-06-21 02:42 72504 ----a-w- c:\programdata\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2010-06-21 02:42 . 2010-06-21 02:42 72504 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2010-06-13 04:20 . 2009-10-22 22:47 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-29 23:02 . 2010-05-29 23:02 501872 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtb63BD.tmp.exe
2010-05-29 23:02 . 2010-05-29 23:02 501872 ----a-w- c:\programdata\Application Data\Google\Google Toolbar\Update\gtb63BD.tmp.exe
2010-05-29 23:02 . 2010-05-29 23:02 501872 ----a-w- c:\programdata\Application Data\Application Data\Google\Google Toolbar\Update\gtb63BD.tmp.exe
2010-05-29 23:02 . 2010-05-29 23:02 501872 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb63BD.tmp.exe
2010-05-29 23:02 . 2010-05-29 23:02 501872 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb63BD.tmp.exe
2010-05-29 23:02 . 2010-05-29 23:02 501872 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb63BD.tmp.exe
2010-05-29 23:02 . 2010-05-29 23:02 501872 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb63BD.tmp.exe
2010-05-29 23:02 . 2010-05-29 23:02 501872 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb63BD.tmp.exe
2010-05-29 23:02 . 2010-05-29 23:02 501872 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb63BD.tmp.exe
2010-05-29 23:02 . 2010-05-29 23:02 501872 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb63BD.tmp.exe
2010-05-29 23:02 . 2010-05-29 23:02 501872 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb63BD.tmp.exe
2010-05-29 23:02 . 2010-05-29 23:02 501872 ----a-w- c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Toolbar\Update\gtb63BD.tmp.exe
2010-05-26 17:06 . 2010-06-09 20:35 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-26 14:47 . 2010-06-09 20:35 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-05-21 18:14 . 2009-10-01 16:28 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-18 20:35 . 2010-05-18 20:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 20:35 . 2010-05-18 20:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
2005-07-14 18:31 . 2006-05-24 16:37 27648 --sha-w- c:\windows\System32\AVSredirect.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-08-07_17.36.31 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-08-07 19:06 . 2007-04-28 04:06 10704 c:\windows\Temp\{3CEE383F-BBE3-4C24-B523-CA431B84C761}\dotnetinstaller.exe
+ 2010-08-07 19:06 . 2008-03-13 15:35 20480 c:\windows\Temp\{3CEE383F-BBE3-4C24-B523-CA431B84C761}\{7F811A54-5A09-4579-90E1-C93498E230D9}\WMIAcerCheck.exe
+ 2010-08-07 19:06 . 2008-06-26 15:17 12288 c:\windows\Temp\{3CEE383F-BBE3-4C24-B523-CA431B84C761}\{7F811A54-5A09-4579-90E1-C93498E230D9}\_ISUser.dll
+ 2008-01-21 01:58 . 2010-08-07 19:04 58084 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2010-08-07 19:04 89904 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-05-25 02:20 . 2010-08-07 19:04 10246 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1919873361-1462144464-1778340490-1000_UserData.bin
+ 2009-05-25 02:30 . 2010-08-07 18:46 49152 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-05-25 02:30 . 2010-08-07 17:12 49152 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-05-25 02:30 . 2010-08-07 18:46 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-05-25 02:30 . 2010-08-07 17:12 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-17 02:47 . 2010-08-07 17:33 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-17 02:47 . 2010-08-05 05:35 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-17 02:47 . 2010-08-07 17:33 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-17 02:47 . 2010-08-05 05:35 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-17 02:47 . 2010-08-05 05:35 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-17 02:47 . 2010-08-07 17:33 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-05 19:02 . 2010-08-07 17:31 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-05 19:02 . 2010-08-07 19:02 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-05 19:02 . 2010-08-07 19:02 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-05 19:02 . 2010-08-07 17:31 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-05 19:02 . 2010-08-07 19:02 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-05 19:02 . 2010-08-07 17:31 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-08-07 17:31 . 2010-08-07 17:31 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2010-08-07 19:02 . 2010-08-07 19:02 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2010-08-07 19:02 . 2010-08-07 19:02 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2010-08-07 17:31 . 2010-08-07 17:31 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2010-08-07 19:06 . 2010-08-07 19:06 324552 c:\windows\Temp\{6D842F5D-9487-4047-9E72-D83E5A5EEBBE}\_Setup.dll
+ 2010-08-07 19:06 . 2006-11-02 04:34 318464 c:\windows\Temp\{3CEE383F-BBE3-4C24-B523-CA431B84C761}\{7F811A54-5A09-4579-90E1-C93498E230D9}\wimgapi.dll
+ 2010-08-07 19:06 . 2007-04-28 04:10 222144 c:\windows\Temp\{3CEE383F-BBE3-4C24-B523-CA431B84C761}\{7F811A54-5A09-4579-90E1-C93498E230D9}\isrt.dll
+ 2010-08-07 19:06 . 2008-05-06 14:28 311296 c:\windows\Temp\{3CEE383F-BBE3-4C24-B523-CA431B84C761}\{7F811A54-5A09-4579-90E1-C93498E230D9}\HidChk.exe
+ 2010-08-07 19:06 . 2006-06-21 21:38 122947 c:\windows\Temp\{3CEE383F-BBE3-4C24-B523-CA431B84C761}\{7F811A54-5A09-4579-90E1-C93498E230D9}\check_process.dll
+ 2010-08-07 19:06 . 2007-04-28 04:10 108480 c:\windows\Temp\{3CEE383F-BBE3-4C24-B523-CA431B84C761}\{7F811A54-5A09-4579-90E1-C93498E230D9}\_IsRes.dll
+ 2006-11-02 10:33 . 2010-08-07 18:54 595446 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2010-08-07 17:38 595446 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2010-08-07 18:54 101144 c:\windows\System32\perfc009.dat
- 2006-11-02 10:33 . 2010-08-07 17:38 101144 c:\windows\System32\perfc009.dat
- 2009-05-28 04:55 . 2010-08-06 08:15 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2009-05-28 04:55 . 2010-08-07 17:43 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2010-08-07 19:06 . 2007-02-19 01:06 2723264 c:\windows\Temp\{3CEE383F-BBE3-4C24-B523-CA431B84C761}\{7F811A54-5A09-4579-90E1-C93498E230D9}\vcredist_x86.exe
+ 2010-08-07 19:06 . 2008-03-29 00:22 3200960 c:\windows\Temp\{3CEE383F-BBE3-4C24-B523-CA431B84C761}\{7F811A54-5A09-4579-90E1-C93498E230D9}\vcredist_x64_SP1.exe
+ 2009-05-25 02:30 . 2010-08-07 18:46 1867776 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-05-25 02:30 . 2010-08-07 17:12 1867776 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-05-24 68856]
"Google Update"="c:\users\Steven\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-01-20 135664]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-06-01 1093208]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-11 689488]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2008-03-18 1848648]
"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE" [2007-05-21 124512]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"M-Audio Taskbar Icon"="c:\windows\system32\M-AudioTaskBarIcon.exe" [2009-11-09 643592]
"eRecoveryService"="" [BU]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-11-27 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Audible Download Manager.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Audible Download Manager.lnk
backup=c:\windows\pss\Audible Download Manager.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Steven^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
backup=c:\windows\pss\OpenOffice.org 3.1.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-06-15 20:33 141624 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\M-Audio Taskbar Icon]
2009-11-09 17:56 643592 ----a-w- c:\windows\System32\M-AudioTaskBarIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2010-04-29 19:39 1090952 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P2Go_Menu]
2008-06-14 01:11 210216 ------w- c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 01:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2008-07-23 18:25 6183456 ----a-w- c:\windows\RtHDVCpl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skytel]
2008-07-23 18:29 1826816 ----a-w- c:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-10-11 09:17 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-03-25 09:35 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2009-04-10 17:29 37888 ----a-w- c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):b5,46,ac,8b,01,f8,c9,01

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 135664]
R3 APLMp60;APLMp60 NDIS Protocol Driver;c:\windows\system32\Drivers\APLMp60.sys [x]
R3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\System32\DRIVERS\ASPI32.sys [2002-07-17 84832]
R3 MAUSBFTP;Service for M-Audio Fast Track Pro (WDM);c:\windows\system32\DRIVERS\mausb.sys [x]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-03-26 42368]
R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-06-18 34064]
R3 PLCND532;PLCND532 NDIS Protocol Driver;c:\windows\system32\Drivers\PLCND532.sys [2008-03-05 26656]
S1 d8a4fef9-85c1-448f-a6f9-2570fb195020;d8a4fef9-85c1-448f-a6f9-2570fb195020;c:\windows\iprot\d8a4fef9-85c1-448f-a6f9-2570fb195020\PhysMem.sys [2009-10-10 3584]
S2 ETService;Empowering Technology Service;c:\program files\EMACHINES\eMachines Recovery Management\Service\ETService.exe [2008-06-11 24576]
S2 RVIEGVST;VSC VST Engine;c:\program files\Roland\Virtual Sound Canvas VST\RVIEg01VST.sys [2001-04-13 188276]
S3 MAUSBFASTTRACKPRO;Service for M-Audio FastTrack Pro;c:\windows\system32\DRIVERS\MAudioFastTrackPro.sys [2009-11-09 158600]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
.
Contents of the 'Scheduled Tasks' folder

2010-08-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 02:42]

2010-08-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 02:42]

2010-08-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1919873361-1462144464-1778340490-1000Core.job
- c:\users\Steven\AppData\Local\Google\Update\GoogleUpdate.exe [2010-01-20 05:14]

2010-08-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1919873361-1462144464-1778340490-1000UA.job
- c:\users\Steven\AppData\Local\Google\Update\GoogleUpdate.exe [2010-01-20 05:14]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&s=1&o=vp32&d=0309&m=et1161-07
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
FF - ProfilePath - c:\users\Steven\AppData\Roaming\Mozilla\Firefox\Profiles\8ck82jaz.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\users\Steven\AppData\Roaming\Mozilla\Firefox\Profiles\8ck82jaz.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-07 15:07
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(3588)
c:\program files\Logitech\SetPoint\lgscroll.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\windows\system32\nvvsvc.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\EMACHINES\eMachines Recovery Management\eRecovery\HidChk.exe
c:\users\Steven\AppData\Local\TVersity\Media Server\MediaServer.exe
c:\windows\system32\WUDFHost.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
c:\program files\InstallShield Installation Information\{7F811A54-5A09-4579-90E1-C93498E230D9}\setup.exe
c:\windows\system32\vssvc.exe
c:\windows\servicing\TrustedInstaller.exe
c:\program files\EMACHINES\eMachines Recovery Management\eRecovery\HidChk.exe
c:\program files\InstallShield Installation Information\{7F811A54-5A09-4579-90E1-C93498E230D9}\setup.exe
.
**************************************************************************
.
Completion time: 2010-08-07 15:11:13 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-07 19:11
ComboFix2.txt 2010-08-07 17:39

Pre-Run: 95,677,054,976 bytes free
Post-Run: 94,596,739,072 bytes free

- - End Of File - - DFC4BB63C034A00A37FDB246412644B1
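Added example, not from the post or from ComboFix itself: a small Python checker that reads the CFScript's Folder:: section and the "Other Deletions" section of the resulting ComboFix log, so a helper can confirm that each requested folder was actually removed and spot "failed to delete" lines such as the K:\Autorun.inf one in the log above. The embedded script and log excerpt are constructed from the lines in this thread; the directive names (Folder::, DDS::) and the "failed to delete" suffix are taken from the posts as shown.

```python
"""Cross-check a ComboFix CFScript against the log ComboFix produced from it."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the CFScript posted above (three Folder:: entries, one DDS:: line).
CFSCRIPT = r"""Folder::
c:\users\Steven\AppData\Local\ibopasynu
c:\users\Steven\AppData\Local\ybiwuepfl
c:\programdata\avg9

DDS::
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
"""

# Constructed excerpt of the "Other Deletions" section of the resulting ComboFix log.
COMBOFIX_LOG = r"""(((((((((((( Other Deletions ))))))))))))
.

c:\programdata\avg9
c:\programdata\avg9\Cfg\krnl.cfg
c:\users\Steven\AppData\Local\ibopasynu
c:\users\Steven\AppData\Local\ybiwuepfl
K:\Autorun.inf . . . . failed to delete

.
(((((((((((( Files Created from 2010-07-07 to 2010-08-07 ))))))))))))
.
"""

# ComboFix section banners look like "(((( Name ))))"; the name is what we key on.
SECTION_HEADER = re.compile(r"^\(+\s*(.+?)\s*\)+$")
# A deletion ComboFix could not carry out ends with ". . . . failed to delete".
FAILED_SUFFIX = re.compile(r"\s+\.( \.)*\s+failed to delete\s*$", re.IGNORECASE)


def norm(path: str) -> str:
    """Windows paths are case-insensitive; compare them that way and ignore a trailing backslash."""
    return path.strip().rstrip("\\").lower()


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Split a CFScript into its '::' sections (Folder::, DDS::, ...) and their non-empty entries."""
    sections: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_other_deletions(log: str) -> List[Tuple[str, str]]:
    """Return (path, 'deleted' | 'failed') pairs from the log's 'Other Deletions' section."""
    entries: List[Tuple[str, str]] = []
    in_section = False
    for raw in log.splitlines():
        line = raw.rstrip()
        header = SECTION_HEADER.match(line)
        if header:
            in_section = header.group(1).lower() == "other deletions"
            continue
        if not in_section or line in ("", "."):
            continue
        failed = FAILED_SUFFIX.search(line)
        if failed:
            entries.append((line[: failed.start()].strip(), "failed"))
        else:
            entries.append((line.strip(), "deleted"))
    return entries


def reconcile(cfscript: str, log: str) -> Dict[str, str]:
    """For each Folder:: entry, report 'deleted', 'failed', or 'not mentioned' (never acted on)."""
    status_by_path = {norm(p): s for p, s in parse_other_deletions(log)}
    report: Dict[str, str] = {}
    for path in parse_cfscript(cfscript).get("Folder", []):
        report[path] = status_by_path.get(norm(path), "not mentioned")
    return report


def failed_deletions(log: str) -> List[str]:
    """Paths ComboFix reported it could not remove; these need a follow-up in the next reply."""
    return [p for p, s in parse_other_deletions(log) if s == "failed"]


if __name__ == "__main__":
    for path, status in reconcile(CFSCRIPT, COMBOFIX_LOG).items():
        print(f"{status:14} {path}")
    print("failed to delete:", failed_deletions(COMBOFIX_LOG))
```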


#10 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:06:04 PM

Posted 08 August 2010 - 01:01 AM

Hi,

Please download and run this AVG Remover tool to make sure that there are no more AVG remnants. Then make sure that Microsoft Security Essentials is properly running.


====================================


1. Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.



2. I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push

~Semp

You can help me continue the fight against malware by making a donation. Thank you.

If I am helping you and I didn't reply within 48 hours, please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support; post on the forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators)


#11 sempai
  • noypi
  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun

Posted 11 August 2010 - 05:12 AM

Are you still with us?

~Semp



#12 Hawthorne2
  • Topic Starter
  • Members
  • 18 posts

Posted 11 August 2010 - 09:27 AM

Yes, I'm still here, but I've been avoiding my problems. My PC actually wouldn't boot yesterday, but I finally got it to work. Here is the ESET log. My Google searches still get redirected.

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eBay.url Win32/Adware.ADON application cleaned by deleting - quarantined
C:\Users\Steven\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\eBay.url Win32/Adware.ADON application cleaned by deleting - quarantined

#13 sempai
  • noypi
  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun

Posted 11 August 2010 - 09:38 AM

1. Please run another DDS scan and post the new report.


2. Please download MBRCheck to your desktop.
  1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
  2. It will open a black window, please do not fix anything (if it gives you an option).
  3. Exit that window and it will produce a log (MBRCheck_date_time).
  4. Please post that log when you reply.

~Semp



#14 Hawthorne2
  • Topic Starter
  • Members
  • 18 posts

Posted 12 August 2010 - 08:49 PM

Here are the logs. Thanks again for your help!


MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows Vista Home Premium Edition
Windows Information: Service Pack 2 (build 6002), 32-bit
Base Board Manufacturer: eMachines
BIOS Manufacturer: Phoenix Technologies, LTD
System Manufacturer: eMachines
System Product Name: ET1161-07
Logical Drives Mask: 0x000007fe

Kernel Drivers (total 137):
0x81E1C000 \SystemRoot\system32\ntkrnlpa.exe
0x821D5000 \SystemRoot\system32\hal.dll
0x86F51000 \SystemRoot\system32\kdcom.dll
0x80410000 \SystemRoot\system32\PSHED.dll
0x80421000 \SystemRoot\system32\BOOTVID.dll
0x80429000 \SystemRoot\system32\CLFS.SYS
0x8046A000 \SystemRoot\system32\CI.dll
0x8054A000 \SystemRoot\System32\drivers\dajkally.sys
0x80558000 \SystemRoot\system32\drivers\Wdf01000.sys
0x805D4000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x8060F000 \SystemRoot\system32\drivers\acpi.sys
0x80655000 \SystemRoot\system32\drivers\WMILIB.SYS
0x8065E000 \SystemRoot\system32\drivers\msisadrv.sys
0x80666000 \SystemRoot\system32\drivers\pci.sys
0x8068D000 \SystemRoot\System32\drivers\partmgr.sys
0x8069C000 \SystemRoot\system32\drivers\volmgr.sys
0x806AB000 \SystemRoot\System32\drivers\volmgrx.sys
0x806F5000 \SystemRoot\system32\drivers\pciide.sys
0x806FC000 \SystemRoot\system32\drivers\PCIIDEX.SYS
0x8070A000 \SystemRoot\System32\drivers\mountmgr.sys
0x8071A000 \SystemRoot\system32\drivers\atapi.sys
0x80722000 \SystemRoot\system32\drivers\ataport.SYS
0x80740000 \SystemRoot\system32\DRIVERS\nvstor32.sys
0x80764000 \SystemRoot\system32\DRIVERS\storport.sys
0x807A5000 \SystemRoot\system32\drivers\fltmgr.sys
0x807D7000 \SystemRoot\system32\drivers\fileinfo.sys
0x8240F000 \SystemRoot\System32\Drivers\ksecdd.sys
0x82480000 \SystemRoot\system32\drivers\ndis.sys
0x8258B000 \SystemRoot\system32\drivers\msrpc.sys
0x825B6000 \SystemRoot\system32\drivers\NETIO.SYS
0x8260E000 \SystemRoot\System32\drivers\tcpip.sys
0x826F8000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x89C0A000 \SystemRoot\System32\Drivers\Ntfs.sys
0x89D1A000 \SystemRoot\system32\drivers\volsnap.sys
0x89D53000 \SystemRoot\System32\Drivers\spldr.sys
0x89D5B000 \SystemRoot\System32\Drivers\mup.sys
0x89D6A000 \SystemRoot\System32\drivers\ecache.sys
0x89D91000 \SystemRoot\system32\drivers\disk.sys
0x89DA2000 \SystemRoot\system32\drivers\CLASSPNP.SYS
0x89DC3000 \SystemRoot\system32\drivers\crcdisk.sys
0x89DD9000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x89DE4000 \SystemRoot\system32\DRIVERS\tunmp.sys
0x89DED000 \SystemRoot\system32\DRIVERS\amdk8.sys
0x89C00000 \SystemRoot\system32\DRIVERS\usbohci.sys
0x82713000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x82751000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x8E201000 \SystemRoot\system32\DRIVERS\AGRSM.sys
0x8E327000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x8E329000 \SystemRoot\system32\drivers\modem.sys
0x8E336000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0x8E405000 \SystemRoot\system32\DRIVERS\nvmfdx32.sys
0x8E505000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x8E51D000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
0x8EA04000 \SystemRoot\system32\DRIVERS\nvlddmkm.sys
0x8F315000 \SystemRoot\system32\DRIVERS\nvBridge.kmd
0x8F317000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x8F3B8000 \SystemRoot\System32\drivers\watchdog.sys
0x8F3C4000 \SystemRoot\system32\DRIVERS\serscan.sys
0x8F3CC000 \SystemRoot\system32\DRIVERS\msiscsi.sys
0x8E523000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x8E52E000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x8E545000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x8E550000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x8E573000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x8E582000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x8E596000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x8E5AB000 \SystemRoot\system32\DRIVERS\termdd.sys
0x8E5BB000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x8E5C6000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x8F3FB000 \SystemRoot\system32\DRIVERS\swenum.sys
0x8E5D1000 \SystemRoot\system32\DRIVERS\ks.sys
0x8E3C3000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0x8E3CD000 \SystemRoot\system32\DRIVERS\umbus.sys
0x82760000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x8E3DA000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x82795000 \SystemRoot\system32\DRIVERS\MpFilter.sys
0x827B8000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0x8E3EB000 \SystemRoot\system32\DRIVERS\hidusb.sys
0x827CF000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0x8E3F4000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x89DCC000 \SystemRoot\system32\DRIVERS\LHidFilt.Sys
0x827DF000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0x827E8000 \SystemRoot\system32\DRIVERS\mouhid.sys
0x827F0000 \SystemRoot\system32\DRIVERS\LMouFilt.Sys
0x8FA01000 \SystemRoot\system32\DRIVERS\MAudioFastTrackPro.sys
0x8FA27000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0x8FA3C000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0x8FA45000 \SystemRoot\System32\Drivers\Null.SYS
0x8FA4C000 \SystemRoot\System32\Drivers\Beep.SYS
0x8FA66000 \SystemRoot\System32\drivers\vga.sys
0x8FA72000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x8FA93000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x8FA9B000 \SystemRoot\system32\drivers\rdpencdd.sys
0x8FAA3000 \SystemRoot\System32\Drivers\Msfs.SYS
0x8FAAE000 \SystemRoot\System32\Drivers\Npfs.SYS
0x8FABC000 \SystemRoot\System32\DRIVERS\rasacd.sys
0x8FAC5000 \SystemRoot\system32\DRIVERS\tdx.sys
0x8FADB000 \SystemRoot\system32\DRIVERS\smb.sys
0x8FAEF000 \SystemRoot\System32\DRIVERS\netbt.sys
0x8FB21000 \SystemRoot\system32\drivers\afd.sys
0x8FB69000 \SystemRoot\system32\DRIVERS\pacer.sys
0x8FB7F000 \SystemRoot\system32\DRIVERS\netbios.sys
0x8FB8D000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x8FBA0000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x8FBDC000 \SystemRoot\system32\drivers\nsiproxy.sys
0x8FBE6000 \SystemRoot\System32\Drivers\dfsc.sys
0x8FBFD000 \??\C:\Windows\iprot\d8a4fef9-85c1-448f-a6f9-2570fb195020\PhysMem.sys
0x807E7000 \SystemRoot\system32\DRIVERS\cdfs.sys
0x818F0000 \SystemRoot\System32\win32k.sys
0x8FA53000 \SystemRoot\System32\drivers\Dxapi.sys
0x825F1000 \SystemRoot\system32\DRIVERS\monitor.sys
0x81B10000 \SystemRoot\System32\TSDDD.dll
0x81B30000 \SystemRoot\System32\cdd.dll
0x805E1000 \SystemRoot\system32\drivers\luafv.sys
0xA1406000 \SystemRoot\system32\DRIVERS\lltdio.sys
0xA1416000 \SystemRoot\system32\DRIVERS\rspndr.sys
0xA1429000 \SystemRoot\system32\drivers\spsys.sys
0xA14D9000 \SystemRoot\system32\drivers\HTTP.sys
0xA1546000 \SystemRoot\System32\DRIVERS\srvnet.sys
0xA1563000 \SystemRoot\system32\DRIVERS\bowser.sys
0xA157C000 \SystemRoot\System32\drivers\mpsdrv.sys
0xA1591000 \SystemRoot\system32\drivers\mrxdav.sys
0xA15B2000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xA2000000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0xA2039000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0xA2051000 \SystemRoot\System32\DRIVERS\srv2.sys
0xA2078000 \SystemRoot\System32\DRIVERS\srv.sys
0xA20C6000 \SystemRoot\system32\DRIVERS\MpNWMon.sys
0xA20CF000 \??\C:\Windows\system32\drivers\int15.sys
0xA20D6000 \SystemRoot\system32\drivers\peauth.sys
0xA21B4000 \??\C:\Program Files\Roland\Virtual Sound Canvas DXi\RVIEg01.sys
0xA15D1000 \??\C:\Program Files\Roland\Virtual Sound Canvas VST\RVIEg01VST.sys
0xA21DC000 \SystemRoot\System32\Drivers\secdrv.SYS
0xA21E6000 \SystemRoot\System32\drivers\tcpipreg.sys
0xA4802000 \SystemRoot\system32\DRIVERS\WUDFRd.sys
0xA4817000 \SystemRoot\system32\DRIVERS\WUDFPf.sys
0x771B0000 \Windows\System32\ntdll.dll

Processes (total 69):
0 System Idle Process
4 System
388 C:\Windows\System32\smss.exe
476 csrss.exe
520 C:\Windows\System32\wininit.exe
536 csrss.exe
572 C:\Windows\System32\services.exe
584 C:\Windows\System32\lsass.exe
592 C:\Windows\System32\lsm.exe
720 C:\Windows\System32\svchost.exe
772 C:\Windows\System32\nvvsvc.exe
800 C:\Windows\System32\svchost.exe
824 C:\Windows\System32\winlogon.exe
872 C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
996 C:\Windows\System32\svchost.exe
1072 C:\Windows\System32\svchost.exe
1208 C:\Windows\System32\audiodg.exe
1280 C:\Windows\System32\svchost.exe
1296 C:\Windows\System32\SLsvc.exe
1340 C:\Windows\System32\svchost.exe
1424 C:\Windows\System32\svchost.exe
1448 C:\Windows\System32\nvvsvc.exe
1676 C:\Windows\System32\spoolsv.exe
1700 C:\Windows\System32\svchost.exe
296 C:\Windows\System32\agrsmsvc.exe
320 C:\Program Files\Bonjour\mDNSResponder.exe
1572 C:\Windows\System32\svchost.exe
1508 C:\Windows\System32\svchost.exe
964 C:\Program Files\EMACHINES\eMachines Recovery Management\eRecovery\HidChk.exe
1896 C:\Users\Steven\AppData\Local\TVersity\Media Server\MediaServer.exe
2588 WUDFHost.exe
2816 C:\Windows\System32\dwm.exe
2888 C:\Windows\explorer.exe
3192 C:\Program Files\Microsoft Security Essentials\msseces.exe
3216 C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
3240 C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE
3276 C:\Windows\WindowsMobile\wmdc.exe
3292 C:\Windows\System32\M-AudioTaskBarIcon.exe
3408 C:\Program Files\Windows Media Player\wmpnscfg.exe
3556 C:\Program Files\Windows Media Player\wmpnetwk.exe
3584 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
3700 C:\Program Files\Logitech\SetPoint\SetPoint.exe
3908 C:\Windows\System32\svchost.exe
3984 C:\Windows\System32\mobsync.exe
2024 C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
1356 C:\Program Files\InstallShield Installation Information\{7F811A54-5A09-4579-90E1-C93498E230D9}\setup.exe
3804 C:\Windows\System32\VSSVC.exe
2780 C:\Windows\System32\svchost.exe
3684 C:\Program Files\EMACHINES\eMachines Recovery Management\Service\ETService.exe
3504 C:\Program Files\EMACHINES\eMachines Recovery Management\eRecovery\HidChk.exe
1536 C:\Program Files\InstallShield Installation Information\{7F811A54-5A09-4579-90E1-C93498E230D9}\setup.exe
4072 C:\Program Files\Winamp\winamp.exe
3184 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
2468 C:\Program Files\iPod\bin\iPodService.exe
2576 C:\Program Files\iTunes\iTunesHelper.exe
2040 C:\Windows\System32\svchost.exe
5776 C:\Windows\System32\taskeng.exe
2292 C:\Windows\System32\taskeng.exe
4304 C:\Users\Steven\AppData\Local\Google\Chrome\Application\chrome.exe
3008 C:\Users\Steven\AppData\Local\Google\Chrome\Application\chrome.exe
4004 C:\Windows\System32\notepad.exe
2812 C:\Users\Steven\AppData\Local\Google\Chrome\Application\chrome.exe
4184 C:\Users\Steven\AppData\Local\Google\Chrome\Application\chrome.exe
1812 C:\Users\Steven\Downloads\Defogger.exe
3672 MpCmdRun.exe
4068 C:\Windows\System32\dllhost.exe
2996 dllhost.exe


DDS (Ver_10-03-17.01) - NTFSx86
Run by Steven at 21:36:46.77 on Thu 08/12/2010
Internet Explorer: 8.0.6001.18928 BrowserJavaVersion: 1.6.0_17
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2942.1330 [GMT -4:00]

SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\EMACHINES\eMachines Recovery Management\eRecovery\HidChk.exe
C:\Users\Steven\AppData\Local\TVersity\Media Server\MediaServer.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE
C:\Windows\WindowsMobile\wmdc.exe
C:\Windows\System32\M-AudioTaskBarIcon.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Windows\System32\mobsync.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\InstallShield Installation Information\{7F811A54-5A09-4579-90E1-C93498E230D9}\setup.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Program Files\EMACHINES\eMachines Recovery Management\Service\ETService.exe
C:\Program Files\EMACHINES\eMachines Recovery Management\eRecovery\HidChk.exe
C:\Program Files\InstallShield Installation Information\{7F811A54-5A09-4579-90E1-C93498E230D9}\setup.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Users\Steven\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Steven\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Users\Steven\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Steven\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Steven\Downloads\Defogger.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Steven\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&s=1&o=vp32&d=0309&m=et1161-07
uInternet Settings,ProxyOverride = <local>
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Google Update] "c:\users\steven\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [IJNetworkScanUtility] c:\program files\canon\canon ij network scan utility\CNMNSUT.EXE
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
mRun: [M-Audio Taskbar Icon] c:\windows\system32\M-AudioTaskBarIcon.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [neufie] c:\windows\system32\config\systemprofile\neufie.exe /Q
dRun: [Xruwagijobake] rundll32.exe "c:\windows\system32\config\systemprofile\appdata\local\WUINlt.dll",Startup
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab

================= FIREFOX ===================

FF - ProfilePath - c:\users\steven\appdata\roaming\mozilla\firefox\profiles\8ck82jaz.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\users\steven\appdata\roaming\mozilla\firefox\profiles\8ck82jaz.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\users\steven\appdata\local\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\users\steven\appdata\roaming\move networks\plugins\npqmp071503000010.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

============= SERVICES / DRIVERS ===============

R1 d8a4fef9-85c1-448f-a6f9-2570fb195020;d8a4fef9-85c1-448f-a6f9-2570fb195020;c:\windows\iprot\d8a4fef9-85c1-448f-a6f9-2570fb195020\PhysMem.sys [2009-10-10 3584]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 151216]
R2 ETService;Empowering Technology Service;c:\program files\emachines\emachines recovery management\service\ETService.exe [2009-3-9 24576]
R2 RVIEGVST;VSC VST Engine;c:\program files\roland\virtual sound canvas vst\RVIEg01VST.sys [2009-5-25 188276]
R3 MAUSBFASTTRACKPRO;Service for M-Audio FastTrack Pro;c:\windows\system32\drivers\MAudioFastTrackPro.sys [2009-11-9 158600]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2009-6-18 42368]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-28 135664]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [2009-12-23 84832]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
S3 PLCND532;PLCND532 NDIS Protocol Driver;c:\windows\system32\drivers\PLCND532.sys [2008-3-5 26656]

=============== Created Last 30 ================

2010-08-11 04:20:58 0 d-----w- c:\program files\iPod
2010-08-11 00:35:32 0 d-----w- c:\programdata\RegCure
2010-08-09 15:09:22 5 ----a-w- C:\zrpt.xml
2010-08-08 09:44:41 0 d-----w- c:\program files\ESET
2010-08-07 19:10:46 0 d-sh--w- C:\$RECYCLE.BIN
2010-08-07 17:05:48 98816 ----a-w- c:\windows\sed.exe
2010-08-07 17:05:48 77312 ----a-w- c:\windows\MBR.exe
2010-08-07 17:05:48 256512 ----a-w- c:\windows\PEV.exe
2010-08-07 17:05:48 161792 ----a-w- c:\windows\SWREG.exe
2010-07-31 19:59:34 0 ----a-w- c:\users\steven\defogger_reenable
2010-07-20 20:25:02 0 d-----w- c:\program files\Trend Micro
2010-07-20 10:49:52 0 d-----w- c:\users\steven\appdata\roaming\Malwarebytes
2010-07-20 10:49:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-20 10:49:41 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-20 10:49:41 0 d-----w- c:\programdata\Malwarebytes
2010-07-20 10:49:41 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================

2010-08-10 23:00:59 34990 ----a-w- c:\programdata\nvModes.dat
2010-07-23 13:58:36 51200 ----a-w- c:\windows\inf\infpub.dat
2010-07-23 13:58:36 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-07-23 13:58:35 86016 ----a-w- c:\windows\inf\infstor.dat
2010-07-05 21:11:42 108922 ----a-w- c:\windows\News Rover Uninstaller.exe
2010-05-26 17:06:41 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-26 14:47:41 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-05-21 18:14:28 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-18 20:35:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 20:35:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
2009-11-17 08:20:09 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2010-05-03 14:20:15 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\temp\cookies\index.dat
2010-05-03 14:20:15 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\temp\history\history.ie5\index.dat
2010-05-03 14:20:15 32768 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\temp\temporary internet files\content.ie5\index.dat
2009-10-23 05:23:30 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2005-07-14 18:31:20 27648 --sha-w- c:\windows\system32\AVSredirect.dll

============= FINISH: 21:37:53.99 ===============
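The two logs above, read the way a responder reads them. The script below is an added example, not code from this thread, from MBRCheck or from DDS: it parses the "Kernel Drivers" lines of an MBRCheck report and the uRun/mRun/dRun lines of a DDS pseudo-HJT report and flags entries for review. The baseline list of driver file names is constructed for this example and deliberately small, so a flag means "look it up", not "this is malware". The point it makes is that a directory check alone misses dajkally.sys, the driver sempai's OTM script removes in the next post, because it sits in the normal drivers directory; only a comparison against a baseline surfaces it, whereas the two dRun entries stand out by location, since a program launched from config\systemprofile (the LocalSystem profile) is not where legitimate software installs itself. The sample lines are copied from the logs posted in this thread.

```python
"""Triage of MBRCheck / DDS log excerpts (added example, not code from the
thread, from MBRCheck or from DDS).

Kernel drivers are flagged when loaded from outside the standard driver
directories or when the file name is missing from a baseline of expected
names.  Run-key lines (uRun/mRun/dRun) are flagged when the command runs from
the LocalSystem profile (config\\systemprofile), loads a DLL from a profile
folder through rundll32, or names an executable with no directory at all.
"""
import re
from typing import Dict, List

STANDARD_DRIVER_DIRS = (r"\systemroot\system32\drivers", r"\systemroot\system32")

# Constructed baseline: a few inbox Vista drivers plus vendor drivers seen in the
# thread.  A real baseline is taken from a known-clean machine of the same build.
BASELINE_DRIVERS = {
    "ntkrnlpa.exe", "hal.dll", "ci.dll", "wdf01000.sys", "acpi.sys", "ntfs.sys",
    "tcpip.sys", "mpfilter.sys", "nvstor32.sys", "int15.sys", "ntdll.dll",
}

DRIVER_LINE = re.compile(r"^\s*0x[0-9A-Fa-f]+\s+(?P<path>\S.*?)\s*$")
RUN_LINE = re.compile(r"^\s*(?P<hive>[umd]Run):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*?)\s*$")


def normalize_nt_path(path: str) -> str:
    """Lower-case an NT path, strip the \\??\\ prefix and map c:\\windows and
    \\windows onto \\systemroot so that directories compare uniformly."""
    p = path.strip().lower()
    if p.startswith("\\??\\"):
        p = p[4:]
    for prefix in ("c:\\windows", "\\windows"):
        if p.startswith(prefix + "\\"):
            p = "\\systemroot" + p[len(prefix):]
            break
    return p


def triage_drivers(lines: List[str], baseline=BASELINE_DRIVERS) -> Dict[str, List[str]]:
    """Map each MBRCheck driver path that deserves a look to its reasons."""
    findings: Dict[str, List[str]] = {}
    for line in lines:
        m = DRIVER_LINE.match(line)
        if not m:
            continue
        raw = m.group("path")
        directory, _, name = normalize_nt_path(raw).rpartition("\\")
        reasons = []
        if directory not in STANDARD_DRIVER_DIRS:
            reasons.append("loaded from non-standard directory")
        if name not in baseline:
            reasons.append("not in baseline")
        if reasons:
            findings[raw] = reasons
    return findings


def first_image(cmd: str) -> str:
    """Program part of a Run-key command, honouring a quoted path."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage_run_keys(lines: List[str]) -> Dict[str, List[str]]:
    """Map 'hive:name' of each DDS Run-key entry that deserves a look to its reasons."""
    findings: Dict[str, List[str]] = {}
    for line in lines:
        m = RUN_LINE.match(line)
        if not m:
            continue
        cmd = m.group("cmd").lower()
        image = first_image(cmd)
        reasons = []
        if "\\config\\systemprofile\\" in cmd:
            reasons.append("runs from the LocalSystem profile (config\\systemprofile)")
        if image.startswith("rundll32"):
            if "\\appdata\\" in cmd:
                reasons.append("rundll32 loads a DLL from a profile AppData folder")
        elif "\\" not in image and "%" not in image:
            reasons.append("image given without a directory (found by PATH search)")
        if reasons:
            findings[f"{m.group('hive')}:{m.group('name')}"] = reasons
    return findings


# Sample lines copied from the MBRCheck and DDS logs posted in the thread.
MBRCHECK_SAMPLE = r"""
Kernel Drivers (total 137):
0x8046A000 \SystemRoot\system32\CI.dll
0x8054A000 \SystemRoot\System32\drivers\dajkally.sys
0x82795000 \SystemRoot\system32\DRIVERS\MpFilter.sys
0x8FBFD000 \??\C:\Windows\iprot\d8a4fef9-85c1-448f-a6f9-2570fb195020\PhysMem.sys
0xA20CF000 \??\C:\Windows\system32\drivers\int15.sys
0xA21B4000 \??\C:\Program Files\Roland\Virtual Sound Canvas DXi\RVIEg01.sys
0x771B0000 \Windows\System32\ntdll.dll
""".strip().splitlines()

DDS_RUN_SAMPLE = r"""
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
dRun: [neufie] c:\windows\system32\config\systemprofile\neufie.exe /Q
dRun: [Xruwagijobake] rundll32.exe "c:\windows\system32\config\systemprofile\appdata\local\WUINlt.dll",Startup
""".strip().splitlines()

if __name__ == "__main__":
    report = {**triage_drivers(MBRCHECK_SAMPLE), **triage_run_keys(DDS_RUN_SAMPLE)}
    for item, reasons in report.items():
        print(f"{item}\n    " + "; ".join(reasons))
```

Run against the full logs, the same two functions produce the short list a responder then verifies by hand (file dates, digital signature, a lookup of the name); PhysMem.sys and the Roland driver are flagged only because they load from outside the drivers directory, which is also how a signed third-party driver looks, so the flag is a prompt to check, not a verdict.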


#15 sempai
  • noypi
  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun

Posted 13 August 2010 - 10:17 AM

1. We need to execute an OTM script
  1. Please download OTM by OldTimer and save it to your desktop.
  2. Double click the icon on your desktop.
  3. Paste the following code under the area. Do not include the word "Code".

    CODE
    :Files
    c:\windows\System32\drivers\dajkally.sys
    C:\zrpt.xml

    :Commands
    [emptytemp]

  4. Push the large button.
  5. OTM may ask to reboot the machine. Please do so if asked.
  6. Copy/Paste the contents under the line here in your next reply.
  7. If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, enter *.log in the File Name box and press Enter, navigate to the C:\_OTM\MovedFiles folder, open the newest .log file present, and copy/paste its contents back here in your next post.



2. Scan with RKUnhooker
  • Please download Rootkit Unhooker and save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (tick) Drivers and Stealth. Uncheck the rest, then click OK.
  • Wait till the scanner has finished, then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note** you may get this warning it is ok, just ignore

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"

~Semp





