Infected with many things (hijacker, Win32/Alureon, and others?)


  • This topic is locked
21 replies to this topic

#1 SteveBDH

  • Members
  • 9 posts

Posted 15 August 2010 - 08:04 AM

This all started when I visited a legitimate site which had been hacked. I noticed I had been infected with something when my browser (both IE and Firefox) started opening tabs at will and redirecting me every time I clicked on a Google search result. Most of the time I would be redirected to pages with ads on them, but sometimes I was redirected to pages that dealt with telling me my machine was infected and that I needed to clean the registry or run anti-malware programs at that site. I killed these pages right away, but something happened because I lost the use of Folder Options and the Registry tool (regedit).

I booted into Safe Mode and ran some anti-malware tools (PC Tools SpyDoctor, Malwarebytes' Anti-Malware, Microsoft Security Essentials). Certain viruses and trojans were found, but after I had them cleaned I still had the same symptoms. The strange thing is that when I ran the anti-malware tools again they didn't find any problems. I have been very careful using the computer. I use my firewall (Zone Alarm Pro) to deny Internet access to anything I am not sure about, and I never let anything act as a server.

Still, certain strange things are happening. Every time I boot, I get a Generic Host Process for Win32 Services error. If I click to make it go away, then my computer grinds to a halt and nothing functions properly. I have found that if I leave the error message open, and move it out of the way, then the computer runs fine for a very long time, and everything seems to function correctly. Another thing that happens is that strange programs ask for Internet access, such as Adobe when I haven't opened a PDF file, Windows Script processor when I have no script to run, and others. I deny access to all of them. I ran the Microsoft Malicious Software Removal Tool (KB890830), which reported it found the Win32/Alureon virus, but it only partially removed it after a reboot.
In preparing for getting help at this forum, the GMER.exe program failed 3 times, once by hanging the machine and twice by blue screening and rebooting. I then disabled the installed anti-malware programs I had running and tried again. I rebooted, ran the DDS program again, and then tried GMER again. This time, GMER just went away after about 3 minutes of scanning. Also, after it disappeared, the machine was non-responsive again. Therefore, there is no GMER log attached.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Steve at 0:42:08.76 on Sat 08/14/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1492 [GMT -4:00]

AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
AV: AVG Anti-Virus *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Microsoft Security Essentials *On-access scanning disabled* (Outdated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: ZoneAlarm Pro Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Belkin\F5D8053\v6\WifiSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Sony\SmartWi Connection Utility\SmartWiService.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Sony\SmartWi Connection Utility\WCULauncher.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\Protector Suite QL\menusw.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Steve\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Belkin\F5D8053\v6\BelkinWCUI.exe
C:\Program Files\Sony\SmartWi Connection Utility\SmartWi.exe
C:\Program Files\Sony\SmartWi Connection Utility\SmartWiTogglet.exe
C:\Program Files\Apoint\Apntex.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\iPod\bin\iPodService.exe
G:\Utilities\DDS\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = about:
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://www.sony.com/vaiopeople
mSearchAssistant = hxxp://www.google.com
uURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol\aol toolbar 3.0\aoltb.dll
uURLSearchHooks: AOLSearchHook Class: {54eb34ea-e6be-4cfd-9f4f-c4a0c2eafa22} - c:\program files\aol\aol search enhancement\AOLSearch.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aol toolbar 3.0\aoltb.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avgant~1\AVGTOO~1.DLL
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1
uRun: [sdr8gdrgdrgke49orkgsjkjfjhsd] c:\docume~1\steve\locals~1\temp\win.exe
uRun: [hsehf98u34i9tjioaugy987iuegdsg] c:\docume~1\steve\locals~1\temp\win16.exe
uRun: [hsef87ehf3jishfs87fhuishfsgggfdgs4g] c:\docume~1\steve\locals~1\temp\x4cmpww.exe
uRun: [Google Update] "c:\documents and settings\steve\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [Zone Labs Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [WCULauncher] c:\program files\sony\smartwi connection utility\WCULauncher.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SonyPowerCfg] "c:\program files\sony\vaio power management\SPMgr.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [ISBMgr.exe] c:\program files\sony\isb utility\ISBMgr.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [EOUApp] "c:\program files\intel\wireless\bin\EOUWiz.exe"
mRun: [Biomenu] "c:\program files\protector suite ql\menusw.exe"
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [VAIO Recovery] c:\windows\sonysys\vaio recovery\PartSeal.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [oamsxobj] c:\documents and settings\steve\local settings\application data\ljbmxvphs\klcjjbytssd.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [eahthumn] c:\documents and settings\steve\local settings\application data\xmgbrypvk\nwfjjsgtssd.exe
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRun: [oamsxobj] c:\documents and settings\steve\local settings\application data\ljbmxvphs\klcjjbytssd.exe
dRunOnce: [RealUpgradeHelper] "c:\program files\common files\real\update_ob\upgrdhlp.exe" "RealNetworks|RealPlayer|12.0"
StartupFolder: c:\docume~1\steve\startm~1\programs\startup\window~1.lnk - c:\windows\explorer.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\belkin~1.lnk - c:\program files\belkin\f5d8053\v6\BelkinWCUI.exe
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aol toolbar 3.0\aoltb.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
Trusted Zone: trymedia.com
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} - hxxp://asp.mathxl.com/wizmodules/testgen/installers/TestGenXInstall.cab
DPF: {556EEC63-31E2-47C3-BF29-DFF799D2FE04} - hxxps://secure.logmein.com/activex/RACtrl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {95D88B35-A521-472B-A182-BB1A98356421} - hxxp://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
DPF: {9BB24AD9-982D-4FE6-96D4-8689EDA8728D} - hxxp://www.mathxl.com/books/_Players/MEBPlayer.cab
DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://geosec.webex.com/client/T23L/webex/ieatgpc.cab
DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} - hxxp://asp.mathxl.com/books/_Players/MathPlayer.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
Notify: PCANotify - PCANotify.dll
Notify: psfus - fusstub.dll
Notify: VESWinlogon - VESWinlogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Trend Micro Anti-Spyware Shell Extension: {03a80b1d-5c6a-42c2-9dfb-81b6005d8023} - c:\program files\trend micro\tmas\sshook.dll
LSA: Notification Packages = scecli fusstub

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\steve\applic~1\mozilla\firefox\profiles\it8u8c4m.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.ieeecommunities.org/iswg
FF - component: c:\documents and settings\steve\application data\mozilla\firefox\profiles\it8u8c4m.default\extensions\{0b457caa-602d-484a-8fe7-c1d894a011ba}\platform\winnt_x86-msvc\components\SSSLauncher.dll
FF - component: c:\documents and settings\steve\application data\mozilla\firefox\profiles\it8u8c4m.default\extensions\{3b56bcc7-54e5-44a2-9b44-66c3ef58c13e}\components\nstidy.dll
FF - component: c:\documents and settings\steve\application data\mozilla\firefox\profiles\it8u8c4m.default\extensions\{6ac85730-7d0f-4de0-b3fa-21142dd85326}\platform\winnt\components\ColorZilla.dll
FF - component: c:\documents and settings\steve\application data\mozilla\firefox\profiles\it8u8c4m.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc.dll
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\steve\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\steve\application data\move networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\steve\application data\move networks\plugins\npqmp071701000002.dll
FF - plugin: c:\documents and settings\steve\application data\mozilla\plugins\npatgpc.dll
FF - plugin: c:\documents and settings\steve\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\dimdim\plugin\application\npDimDimControl.dll
FF - plugin: c:\program files\firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\firefox\plugins\npRACtrl.dll
FF - plugin: c:\program files\firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [2010-8-8 40560]
R0 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2008-11-16 42376]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-6-20 207280]
R0 shpf;Sony HDD Protection Filter Driver;c:\windows\system32\drivers\shpf.sys [2006-7-22 9216]
R1 AW_HOST;AW_HOST;c:\windows\system32\drivers\AW_HOST5.sys [2001-10-22 33496]
R1 awlegacy;awlegacy;c:\windows\system32\drivers\AWLEGACY.sys [2000-9-11 10816]
R1 hwinterface;hwinterface;c:\windows\system32\drivers\hwinterface.sys [2007-5-14 3026]
R1 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2008-11-16 66952]
R1 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2008-11-16 81288]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 151216]
R2 Belkin Wifi Service;Belkin Wifi Service;c:\program files\belkin\f5d8053\v6\WifiSvc.exe [2010-2-20 274432]
R2 FdRedir;FdRedir;c:\program files\common files\protector suite ql\drivers\FdRedir.sys [2006-2-22 13440]
R2 FileDisk2;FileDisk Protector Kernel Driver;c:\program files\common files\protector suite ql\drivers\filedisk.sys [2006-2-22 33024]
R2 Ias;Network Security;c:\windows\system32\svchost.exe -k netsvcs [2006-7-22 14336]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-8-24 1119888]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [2009-3-28 31896]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2006-7-22 36352]
R3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\drivers\SonyImgF.sys [2006-7-22 30080]
R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [2006-7-22 71961]
R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2006-7-22 226304]
R3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-1-12 279264]
S1 Bsefebps;Bsefebps; [x]
S1 MpKslb90d56be;MpKslb90d56be;\??\c:\windows\system32\mpenginestore\mpkslb90d56be.sys --> c:\windows\system32\mpenginestore\MpKslb90d56be.sys [?]
S2 navapsvc;Norton AntiVirus Auto-Protect Service;"c:\program files\norton internet security\norton antivirus\navapsvc.exe" --> c:\program files\norton internet security\norton antivirus\navapsvc.exe [?]
S3 awhost32;pcAnywhere Host Service;c:\program files\pcanywhere\awhost32.exe [2001-11-2 114749]
S3 DLPortIO;DriverLINX Port I/O Driver;c:\windows\system32\drivers\DLPORTIO.sys [2007-5-14 3584]
S3 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-6 135664]
S3 hpoius07;USB to IEEE-1284.4 Translation Driver;c:\windows\system32\drivers\hpoius07.sys --> c:\windows\system32\drivers\hpoius07.sys [?]
S3 RTL8192su;Realtek RTL8192SU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8192su.sys [2010-2-20 584832]
S3 SEMWModem;Sony Ericsson SEMWModem;c:\windows\system32\drivers\GCXX.sys [2006-7-22 114944]
S3 SEMWWNIC;Sony Ericsson SEMWWNIC;c:\windows\system32\drivers\GCXXNet.sys [2006-7-22 53248]
S4 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\common files\pc tools\smonitor\StartManSvc.exe [2010-8-7 583640]
S4 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2008-11-16 358600]
S4 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2008-11-16 1141200]
S4 XoftSpyService;XoftSpyService;c:\program files\common files\xoftspyse\6\xoftspyservice.exe [2009-10-23 582424]

============== File Associations ===============

.txt=UltraEdit.txt

=============== Created Last 30 ================

2010-08-13 06:55:26 1619 ----a-w- C:\Malware.txt.bak
2010-08-13 06:52:46 0 ----a-w- c:\documents and settings\steve\defogger_reenable
2010-08-12 13:15:30 53248 ----a-w- c:\windows\system32\Iasv32.dll
2010-08-11 02:22:05 0 d-----w- c:\program files\ISTool
2010-08-11 02:22:05 0 d-----w- c:\docume~1\steve\applic~1\ISTool
2010-08-11 02:18:51 0 d-----w- c:\program files\Inno Setup
2010-08-11 01:04:17 385 ----a-w- c:\documents and settings\steve\catmdedit.properties
2010-08-11 00:51:56 0 d-----w- c:\program files\CatMDEdit
2010-08-09 20:03:00 0 ----a-w- C:\~.exe
2010-08-08 13:51:22 0 d-----w- c:\program files\DriveImage XML
2010-08-08 13:50:00 0 d-----w- C:\archive_db
2010-08-08 13:35:40 0 d-----w- c:\docume~1\alluse~1\applic~1\Paragon
2010-08-08 13:31:26 40560 ----a-w- c:\windows\system32\drivers\hotcore3.sys
2010-08-08 13:30:03 0 d-----w- c:\program files\Paragon Software
2010-08-07 20:24:42 37336 ----a-w- c:\windows\system32\CleanMFT32.exe
2010-08-07 20:24:42 1101824 ----a-w- c:\windows\system32\UniBox210.ocx
2010-08-07 20:24:41 880640 ----a-w- c:\windows\system32\UniBox10.ocx
2010-08-07 20:24:41 212992 ----a-w- c:\windows\system32\UniBoxVB12.ocx
2010-08-04 01:12:43 0 d-----w- c:\program files\common files\ParetoLogic
2010-08-04 01:12:43 0 d-----w- c:\docume~1\alluse~1\applic~1\ParetoLogic
2010-08-04 01:12:39 0 d-----w- c:\program files\common files\XoftSpySE
2010-08-04 01:12:39 0 d-----w- c:\docume~1\alluse~1\applic~1\XoftSpySE
2010-08-04 01:12:20 0 d-----w- c:\program files\XoftSpySE6
2010-08-04 01:11:16 0 dc----w- c:\docume~1\alluse~1\applic~1\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
2010-08-03 14:43:40 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-08-03 14:43:40 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-07-23 10:32:08 0 d-----w- c:\temp\Hacks
2010-07-23 10:25:53 0 d-----w- c:\program files\HTTrack
2010-07-19 14:15:27 0 d-----w- c:\program files\Palladium Technologies, Inc
2010-07-15 11:35:05 0 d-----w- c:\program files\FirefoxPortable

==================== Find3M ====================

2010-06-02 14:40:35 72080 ----a-w- c:\documents and settings\steve\g2mdlhlpx.exe

============= FINISH: 0:44:10.92 ===============

Attached Files
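The Run section of the DDS log above contains the kind of entries a responder triages first: user-level uRun values with long letter/digit names pointing at executables in the user's temp directory, and mRun/dRun values launching executables from randomly named folders under Local Settings\Application Data. The script below, added here as an illustration and not a DDS, BleepingComputer or Malware Response Team tool, parses those uRun/mRun/dRun lines and scores each one on where the target runs from and whether the value name or path looks machine-generated. The sample input is copied from the log posted above; the scoring rules, the "random name" heuristic and the threshold of 4 are assumptions of this example, and a high score is a reason to look, not proof of infection.

```python
"""Triage the uRun/mRun/dRun autostart entries of a DDS 'Pseudo HJT Report'.

Added example (not a DDS or BleepingComputer tool). Scoring is heuristic:
  * location: temp and per-user application data are writable without admin
    rights, so droppers favour them;
  * names: no vowels, long consonant runs or letter/digit soup read like
    generator output rather than a product name.
A high score orders what to inspect first; it is not proof of infection.
"""
import re
from dataclasses import dataclass, field

# Sample lines copied from the Run section of the DDS log posted above.
SAMPLE_LINES = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [sdr8gdrgdrgke49orkgsjkjfjhsd] c:\docume~1\steve\locals~1\temp\win.exe
uRun: [hsehf98u34i9tjioaugy987iuegdsg] c:\docume~1\steve\locals~1\temp\win16.exe
uRun: [hsef87ehf3jishfs87fhuishfsgggfdgs4g] c:\docume~1\steve\locals~1\temp\x4cmpww.exe
uRun: [Google Update] "c:\documents and settings\steve\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [oamsxobj] c:\documents and settings\steve\local settings\application data\ljbmxvphs\klcjjbytssd.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [eahthumn] c:\documents and settings\steve\local settings\application data\xmgbrypvk\nwfjjsgtssd.exe
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
dRun: [oamsxobj] c:\documents and settings\steve\local settings\application data\ljbmxvphs\klcjjbytssd.exe
""".strip().splitlines()

RUN_LINE = re.compile(r"^([udm]Run(?:Once)?):\s*\[([^\]]*)\]\s*(.*)$")
# First absolute path in the command. Loaders such as RUNDLL32.EXE are printed
# by DDS without a drive letter, so the DLL they load is what gets scored.
PATH_IN_CMD = re.compile(r"[a-z]:\\.+?\.(?:exe|dll|scr|com|bat|cmd|vbs|js)\b", re.IGNORECASE)
# 8.3 short names DDS leaves in place, expanded so one marker matches both forms.
SHORT_NAMES = {"docume~1": "documents and settings", "locals~1": "local settings",
               "applic~1": "application data"}
# (marker, points, reason); the first matching marker wins. Assumed weights.
LOCATION_RULES = [
    ("\\temp\\", 3, "executes from a temp directory"),
    ("\\application data\\", 2, "executes from per-user application data"),
]
FLAG_THRESHOLD = 4  # assumed cut-off for "look at this first"


@dataclass
class Finding:
    entry: str            # uRun / mRun / dRun / ...Once
    name: str             # registry value name in [brackets]
    path: str             # executable or DLL the entry launches
    score: int = 0
    reasons: list = field(default_factory=list)


def normalize(path: str) -> str:
    p = path.lower()
    for short, full in SHORT_NAMES.items():
        p = p.replace(short, full)
    return p


def looks_random(token: str) -> bool:
    """True for names that read like generator output rather than a product name."""
    t = re.sub(r"[^a-z0-9]", "", token.lower())
    letters = [c for c in t if c.isalpha()]
    if len(t) < 6 or not letters:
        return False
    vowel_ratio = sum(c in "aeiou" for c in letters) / len(letters)
    longest_run = max((len(r) for r in re.findall(r"[b-df-hj-np-tv-z]+", t)), default=0)
    digit_soup = len(t) >= 16 and any(c.isdigit() for c in t)
    return vowel_ratio < 0.2 or longest_run >= 5 or digit_soup


def parse_run_line(line: str):
    m = RUN_LINE.match(line.strip())
    if not m:
        return None
    entry, name, cmd = m.groups()
    p = PATH_IN_CMD.search(cmd)
    return Finding(entry, name, p.group(0) if p else cmd)


def score_entry(f: Finding) -> Finding:
    norm = normalize(f.path)
    for marker, pts, why in LOCATION_RULES:
        if marker in norm:
            f.score += pts
            f.reasons.append(why)
            # Only judge path components below a suspicious root: names under
            # system32 or Program Files (igfxhkcmd, NvCpl) are legitimately terse.
            tail = norm.split(marker, 1)[1]
            if any(looks_random(c) for c in tail.split("\\") if c):
                f.score += 2
                f.reasons.append("directory or file name looks machine-generated")
            break
    if looks_random(f.name):
        f.score += 2
        f.reasons.append("registry value name looks machine-generated")
    return f


def triage(lines):
    """Score every Run entry; returns all findings in log order."""
    return [score_entry(f) for f in map(parse_run_line, lines) if f]


def flag_autoruns(lines):
    return [f for f in triage(lines) if f.score >= FLAG_THRESHOLD]


if __name__ == "__main__":
    for f in flag_autoruns(SAMPLE_LINES):
        print(f"{f.entry:5} [{f.name}] {f.path}\n      score={f.score}: {'; '.join(f.reasons)}")
```

Run against the sample, the six flagged entries are exactly the three temp\*.exe uRun values and the oamsxobj/eahthumn values, while terse but legitimate names such as ctfmon.exe, MSMSGS, NvCplDaemon and igfxhkcmd stay below the threshold because they live under system32 or Program Files. Randomness alone is deliberately not enough to flag an entry; location plus a generated-looking name is what separates the two groups in this log.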




#2 Blind Faith

  • Malware Response Team
  • 4,101 posts
  • Gender:Female

Posted 21 August 2010 - 02:35 PM

Hello and welcome to Bleeping Computer!

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log





Elle

If I haven't replied in 48 hours, please feel free to send me a PM.

#3 SteveBDH

  • Topic Starter
  • Members
  • 9 posts

Posted 22 August 2010 - 03:27 AM

Hi Blind Faith:

My situation has not changed since I originally posted here. So, please read my details from my first post. I have included a recent DDS log here, along with the associated attach.txt attached, but GMER will not successfully run (please read details in my first post).

DDS (Ver_10-03-17.01) - NTFSx86
Run by Steve at 4:12:50.84 on Sun 08/22/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1133 [GMT -4:00]

AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
AV: AVG Anti-Virus *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Microsoft Security Essentials *On-access scanning disabled* (Outdated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: ZoneAlarm Pro Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Belkin\F5D8053\v6\WifiSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Sony\SmartWi Connection Utility\SmartWiService.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Sony\SmartWi Connection Utility\WCULauncher.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\Protector Suite QL\menusw.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Steve\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Belkin\F5D8053\v6\BelkinWCUI.exe
C:\Program Files\Sony\SmartWi Connection Utility\SmartWiTogglet.exe
C:\Program Files\Apoint\Apntex.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Outlook Express\msimn.exe
G:\Portable Apps\Firefox\FirefoxPortable\FirefoxPortable.exe
G:\Portable Apps\Firefox\FirefoxPortable\App\firefox\firefox.exe
G:\Portable Apps\Firefox\FirefoxPortable\App\firefox\plugin-container.exe
G:\Utilities\DDS\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = about:
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://www.sony.com/vaiopeople
mSearchAssistant = hxxp://www.google.com
uURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol\aol toolbar 3.0\aoltb.dll
uURLSearchHooks: AOLSearchHook Class: {54eb34ea-e6be-4cfd-9f4f-c4a0c2eafa22} - c:\program files\aol\aol search enhancement\AOLSearch.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aol toolbar 3.0\aoltb.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avgant~1\AVGTOO~1.DLL
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1
uRun: [sdr8gdrgdrgke49orkgsjkjfjhsd] c:\docume~1\steve\locals~1\temp\win.exe
uRun: [hsehf98u34i9tjioaugy987iuegdsg] c:\docume~1\steve\locals~1\temp\win16.exe
uRun: [hsef87ehf3jishfs87fhuishfsgggfdgs4g] c:\docume~1\steve\locals~1\temp\x4cmpww.exe
uRun: [Google Update] "c:\documents and settings\steve\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [Zone Labs Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [WCULauncher] c:\program files\sony\smartwi connection utility\WCULauncher.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SonyPowerCfg] "c:\program files\sony\vaio power management\SPMgr.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [ISBMgr.exe] c:\program files\sony\isb utility\ISBMgr.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [EOUApp] "c:\program files\intel\wireless\bin\EOUWiz.exe"
mRun: [Biomenu] "c:\program files\protector suite ql\menusw.exe"
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [VAIO Recovery] c:\windows\sonysys\vaio recovery\PartSeal.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [oamsxobj] c:\documents and settings\steve\local settings\application data\ljbmxvphs\klcjjbytssd.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [eahthumn] c:\documents and settings\steve\local settings\application data\xmgbrypvk\nwfjjsgtssd.exe
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRun: [oamsxobj] c:\documents and settings\steve\local settings\application data\ljbmxvphs\klcjjbytssd.exe
dRunOnce: [RealUpgradeHelper] "c:\program files\common files\real\update_ob\upgrdhlp.exe" "RealNetworks|RealPlayer|12.0"
StartupFolder: c:\docume~1\steve\startm~1\programs\startup\window~1.lnk - c:\windows\explorer.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\belkin~1.lnk - c:\program files\belkin\f5d8053\v6\BelkinWCUI.exe
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aol toolbar 3.0\aoltb.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
Trusted Zone: trymedia.com
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} - hxxp://asp.mathxl.com/wizmodules/testgen/installers/TestGenXInstall.cab
DPF: {556EEC63-31E2-47C3-BF29-DFF799D2FE04} - hxxps://secure.logmein.com/activex/RACtrl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {95D88B35-A521-472B-A182-BB1A98356421} - hxxp://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
DPF: {9BB24AD9-982D-4FE6-96D4-8689EDA8728D} - hxxp://www.mathxl.com/books/_Players/MEBPlayer.cab
DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://geosec.webex.com/client/T23L/webex/ieatgpc.cab
DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} - hxxp://asp.mathxl.com/books/_Players/MathPlayer.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
Notify: PCANotify - PCANotify.dll
Notify: psfus - fusstub.dll
Notify: VESWinlogon - VESWinlogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Trend Micro Anti-Spyware Shell Extension: {03a80b1d-5c6a-42c2-9dfb-81b6005d8023} - c:\program files\trend micro\tmas\sshook.dll
LSA: Notification Packages = scecli fusstub

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\steve\applic~1\mozilla\firefox\profiles\it8u8c4m.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.ieeecommunities.org/iswg
FF - component: c:\documents and settings\steve\application data\mozilla\firefox\profiles\it8u8c4m.default\extensions\{0b457caa-602d-484a-8fe7-c1d894a011ba}\platform\winnt_x86-msvc\components\SSSLauncher.dll
FF - component: c:\documents and settings\steve\application data\mozilla\firefox\profiles\it8u8c4m.default\extensions\{3b56bcc7-54e5-44a2-9b44-66c3ef58c13e}\components\nstidy.dll
FF - component: c:\documents and settings\steve\application data\mozilla\firefox\profiles\it8u8c4m.default\extensions\{6ac85730-7d0f-4de0-b3fa-21142dd85326}\platform\winnt\components\ColorZilla.dll
FF - component: c:\documents and settings\steve\application data\mozilla\firefox\profiles\it8u8c4m.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc.dll
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\steve\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\steve\application data\move networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\steve\application data\move networks\plugins\npqmp071701000002.dll
FF - plugin: c:\documents and settings\steve\application data\mozilla\plugins\npatgpc.dll
FF - plugin: c:\documents and settings\steve\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\dimdim\plugin\application\npDimDimControl.dll
FF - plugin: c:\program files\firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\firefox\plugins\npRACtrl.dll
FF - plugin: c:\program files\firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [2010-8-8 40560]
R0 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2008-11-16 42376]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-6-20 207280]
R0 shpf;Sony HDD Protection Filter Driver;c:\windows\system32\drivers\shpf.sys [2006-7-22 9216]
R1 AW_HOST;AW_HOST;c:\windows\system32\drivers\AW_HOST5.sys [2001-10-22 33496]
R1 awlegacy;awlegacy;c:\windows\system32\drivers\AWLEGACY.sys [2000-9-11 10816]
R1 hwinterface;hwinterface;c:\windows\system32\drivers\hwinterface.sys [2007-5-14 3026]
R1 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2008-11-16 66952]
R1 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2008-11-16 81288]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 151216]
R2 Belkin Wifi Service;Belkin Wifi Service;c:\program files\belkin\f5d8053\v6\WifiSvc.exe [2010-2-20 274432]
R2 FdRedir;FdRedir;c:\program files\common files\protector suite ql\drivers\FdRedir.sys [2006-2-22 13440]
R2 FileDisk2;FileDisk Protector Kernel Driver;c:\program files\common files\protector suite ql\drivers\filedisk.sys [2006-2-22 33024]
R2 Ias;Network Security;c:\windows\system32\svchost.exe -k netsvcs [2006-7-22 14336]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-8-24 1119888]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [2009-3-28 31896]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2006-7-22 36352]
R3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\drivers\SonyImgF.sys [2006-7-22 30080]
R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [2006-7-22 71961]
R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2006-7-22 226304]
R3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-1-12 279264]
S1 Bsefebps;Bsefebps; [x]
S1 MpKslb90d56be;MpKslb90d56be;\??\c:\windows\system32\mpenginestore\mpkslb90d56be.sys --> c:\windows\system32\mpenginestore\MpKslb90d56be.sys [?]
S2 navapsvc;Norton AntiVirus Auto-Protect Service;"c:\program files\norton internet security\norton antivirus\navapsvc.exe" --> c:\program files\norton internet security\norton antivirus\navapsvc.exe [?]
S3 awhost32;pcAnywhere Host Service;c:\program files\pcanywhere\awhost32.exe [2001-11-2 114749]
S3 DLPortIO;DriverLINX Port I/O Driver;c:\windows\system32\drivers\DLPORTIO.sys [2007-5-14 3584]
S3 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-6 135664]
S3 hpoius07;USB to IEEE-1284.4 Translation Driver;c:\windows\system32\drivers\hpoius07.sys --> c:\windows\system32\drivers\hpoius07.sys [?]
S3 RTL8192su;Realtek RTL8192SU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8192su.sys [2010-2-20 584832]
S3 SEMWModem;Sony Ericsson SEMWModem;c:\windows\system32\drivers\GCXX.sys [2006-7-22 114944]
S3 SEMWWNIC;Sony Ericsson SEMWWNIC;c:\windows\system32\drivers\GCXXNet.sys [2006-7-22 53248]
S4 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\common files\pc tools\smonitor\StartManSvc.exe [2010-8-7 583640]
S4 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2008-11-16 358600]
S4 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2008-11-16 1141200]
S4 XoftSpyService;XoftSpyService;c:\program files\common files\xoftspyse\6\xoftspyservice.exe [2009-10-23 582424]

============== File Associations ===============

.txt=UltraEdit.txt

=============== Created Last 30 ================

2010-08-18 12:47:02 0 d-----w- C:\SK_Metadata
2010-08-13 06:55:26 1970 ----a-w- C:\Malware.txt.bak
2010-08-13 06:52:46 0 ----a-w- c:\documents and settings\steve\defogger_reenable
2010-08-12 13:15:30 53248 ----a-w- c:\windows\system32\Iasv32.dll
2010-08-11 02:22:05 0 d-----w- c:\program files\ISTool
2010-08-11 02:22:05 0 d-----w- c:\docume~1\steve\applic~1\ISTool
2010-08-11 02:18:51 0 d-----w- c:\program files\Inno Setup
2010-08-11 01:04:17 385 ----a-w- c:\documents and settings\steve\catmdedit.properties
2010-08-11 00:51:56 0 d-----w- c:\program files\CatMDEdit
2010-08-09 20:03:00 0 ----a-w- C:\~.exe
2010-08-08 13:51:22 0 d-----w- c:\program files\DriveImage XML
2010-08-08 13:50:00 0 d-----w- C:\archive_db
2010-08-08 13:35:40 0 d-----w- c:\docume~1\alluse~1\applic~1\Paragon
2010-08-08 13:31:26 40560 ----a-w- c:\windows\system32\drivers\hotcore3.sys
2010-08-08 13:30:03 0 d-----w- c:\program files\Paragon Software
2010-08-07 20:24:42 37336 ----a-w- c:\windows\system32\CleanMFT32.exe
2010-08-07 20:24:42 1101824 ----a-w- c:\windows\system32\UniBox210.ocx
2010-08-07 20:24:41 880640 ----a-w- c:\windows\system32\UniBox10.ocx
2010-08-07 20:24:41 212992 ----a-w- c:\windows\system32\UniBoxVB12.ocx
2010-08-04 01:12:43 0 d-----w- c:\program files\common files\ParetoLogic
2010-08-04 01:12:43 0 d-----w- c:\docume~1\alluse~1\applic~1\ParetoLogic
2010-08-04 01:12:39 0 d-----w- c:\program files\common files\XoftSpySE
2010-08-04 01:12:39 0 d-----w- c:\docume~1\alluse~1\applic~1\XoftSpySE
2010-08-04 01:12:20 0 d-----w- c:\program files\XoftSpySE6
2010-08-04 01:11:16 0 dc----w- c:\docume~1\alluse~1\applic~1\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
2010-08-03 14:43:40 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-08-03 14:43:40 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-07-23 10:32:08 0 d-----w- c:\temp\Hacks
2010-07-23 10:25:53 0 d-----w- c:\program files\HTTrack

==================== Find3M ====================

2010-06-02 14:40:35 72080 ----a-w- c:\documents and settings\steve\g2mdlhlpx.exe

============= FINISH: 4:14:55.48 ===============
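A small triage script for the autostart section of a DDS log like the one above, added here as an example; it is not part of DDS, ComboFix or any post in this thread. It parses the uRun/mRun/dRun and StartupFolder lines and scores each entry on whether it runs from a temp or profile directory and whether its value name, folder or file name looks machine-generated; the sample lines are copied from the posted log, while the scoring thresholds and the `looks_random` heuristic are this example's own assumptions.

```python
"""Triage of the autostart entries in a DDS-style log (uRun/mRun/dRun/StartupFolder)."""
import re
from dataclasses import dataclass

# Autostart lines copied from the DDS log posted above (a subset, so the example
# runs offline). Everything else in this file is the example's own assumption.
SAMPLE_LOG = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [sdr8gdrgdrgke49orkgsjkjfjhsd] c:\docume~1\steve\locals~1\temp\win.exe
uRun: [hsehf98u34i9tjioaugy987iuegdsg] c:\docume~1\steve\locals~1\temp\win16.exe
uRun: [Google Update] "c:\documents and settings\steve\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [Zone Labs Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [oamsxobj] c:\documents and settings\steve\local settings\application data\ljbmxvphs\klcjjbytssd.exe
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
dRun: [oamsxobj] c:\documents and settings\steve\local settings\application data\ljbmxvphs\klcjjbytssd.exe
StartupFolder: c:\docume~1\steve\startm~1\programs\startup\window~1.lnk - c:\windows\explorer.exe
"""

RUN_RE = re.compile(r"^(?P<kind>[umd]Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^(?P<kind>StartupFolder): (?P<lnk>.+?\.lnk) - (?P<cmd>.+)$", re.I)
# First executable-looking token of a command line, quoted or not.
EXE_RE = re.compile(r'^"?(?P<exe>[^"]+?\.(?:exe|dll|com|scr|bat|cmd|pif))"?(?=\s|$)', re.I)
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxz]{5,}")
DIGITS_INSIDE = re.compile(r"[a-z]\d+[a-z]")

# Directory markers (8.3 and long forms) that an unprivileged user can write to.
USER_WRITABLE = ("\\documents and settings\\", "\\docume~1\\", "\\application data\\",
                 "\\applic~1\\", "\\local settings\\", "\\locals~1\\")
TEMP_MARKERS = ("\\temp\\", "\\temp~1\\", "\\tmp\\")


@dataclass
class Finding:
    kind: str
    name: str
    path: str
    score: int
    reasons: list


def looks_random(token: str) -> bool:
    """Heuristic (assumption): a long alphanumeric token with a run of five or more
    consonants, or digits embedded between letters, reads as machine-generated."""
    t = token.lower()
    if not re.fullmatch(r"[a-z0-9]{7,}", t):
        return False
    return bool(CONSONANT_RUN.search(t)) or (len(t) >= 12 and bool(DIGITS_INSIDE.search(t)))


def extract_exe(cmd: str) -> str:
    m = EXE_RE.match(cmd.strip())
    return m.group("exe") if m else cmd.strip()


def score_entry(kind: str, name: str, path: str) -> Finding:
    p = path.lower()
    score, reasons = 0, []
    if any(marker in p for marker in USER_WRITABLE):
        score += 1
        reasons.append("runs from a user-writable profile directory")
    if any(marker in p for marker in TEMP_MARKERS):
        score += 1
        reasons.append("runs from a temp directory")
    parts = p.split("\\")
    stem = parts[-1].rsplit(".", 1)[0]
    parent = parts[-2] if len(parts) > 1 else ""
    for label, token in (("value name", name), ("folder", parent), ("file name", stem)):
        if looks_random(token):
            score += 1
            reasons.append(f"random-looking {label} '{token}'")
            break  # one point for naming, however many tokens trigger
    return Finding(kind, name, path, score, reasons)


def parse(log_text: str):
    """Yield (kind, name, executable path) for each autostart line."""
    for line in log_text.splitlines():
        line = line.strip()
        m = RUN_RE.match(line)
        if m:
            yield m["kind"], m["name"], extract_exe(m["cmd"])
            continue
        m = STARTUP_RE.match(line)
        if m:
            yield m["kind"], m["lnk"].split("\\")[-1], extract_exe(m["cmd"])


def triage(log_text: str, threshold: int = 2) -> list:
    """Return entries scoring at or above the threshold, highest score first."""
    findings = [score_entry(k, n, p) for k, n, p in parse(log_text)]
    findings.sort(key=lambda f: f.score, reverse=True)
    return [f for f in findings if f.score >= threshold]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.score}] {f.kind} {f.name}: {f.path}")
        print("     " + "; ".join(f.reasons))
```

On the sample above it flags the three temp and AppData entries (win.exe, win16.exe and klcjjbytssd.exe) and leaves GoogleUpdate.exe, which also lives under the profile but has a meaningful name, below the threshold.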


#4 Blind Faith
  • Malware Response Team

Posted 24 August 2010 - 06:48 AM

Hello!

I am Blind Faith or Elle (it's easier to remember, I think) and I will help you with your malware related problems.
As you can see I am still a trainee and that means my work is revised by a coach.
Therefore, it will take a bit longer for me to reply.
So don't be impatient because I won't leave your case suspended in the air, waiting forever.

NOTE: Do not make any type of changes to your system during the cleaning process. The steps you are following are based on strict information from your system. So changes which I did not give instructions for are not recommended.

I will need some time to research the files on your system so please click the Options button at the top bar of this topic and Track this Topic, where you should choose email notifications to know when I replied.



During the cleaning process many files may be hidden so please unhide them by following the instructions listed here: How to show hidden files and folders.

Remember to check your topic for new replies.

Probably, it will take a couple of days until the next reply but after that everything will go faster.

Also please let me know if you still need help after you have read this.



Elle
Can you hear it? It's all around!

Do you remember? If you do, then can you forgive?

If I haven't replied in 48 hours, please feel free to send me a PM.

#5 thcbytes
  • Malware Response Team

Posted 29 August 2010 - 07:34 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#6 thcbytes
  • Malware Response Team

Posted 30 August 2010 - 12:01 PM

Re-opened per the user's request.

#7 Blind Faith
  • Malware Response Team

Posted 30 August 2010 - 12:25 PM

Hello SteveBDH,


Are you still with us?


Elle

#8 SteveBDH
  • Topic Starter
  • Members

Posted 30 August 2010 - 03:26 PM

Hi Elle:

Yes, I am still with you. Thanks for reopening my case. I await the next step.

SteveBDH

#9 Blind Faith
  • Malware Response Team

Posted 01 September 2010 - 09:34 AM


Hello,



One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.




If you decide to continue:



I do not recommend that you have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove either Spyware Doctor or AVG Anti-Virus.


I also see 2 firewall programs installed: Norton Internet Worm Protection and ZoneAlarm Pro Firewall, please uninstall one of them due to the problems they might cause to the system.





After you've uninstalled the programs and temporarily disabled the online protection of the remaining ones, please try running GMER once more.


If GMER doesn't work this time either please:

  1. Download RootRepeal from the following location and save it to your desktop.
  2. Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  3. Open on your desktop.
  4. Click the tab.
  5. Click the button.
  6. Check all seven boxes:
  7. Push Ok
  8. Check the box for your main system drive (Usually C:), and press Ok.
  9. Allow RootRepeal to run a scan of your system. This may take some time.
  10. Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.




Elle

#10 Blind Faith
  • Malware Response Team

Posted 04 September 2010 - 03:18 PM

Do you still need help?


Have you resolved the problem? Please let me know.



Elle

#11 SteveBDH
  • Topic Starter
  • Members

Posted 07 September 2010 - 06:57 AM

Yes, I still need help. I was traveling, and just returned. I will post what I have based upon your last set of instructions today. Thanks.

#12 SteveBDH
  • Topic Starter
  • Members

Posted 07 September 2010 - 01:49 PM

Hi Elle:

GMER still would not run successfully. I downloaded and ran RootRepeal. The first time it ran it bombed on Stealth Objects, but I ran it again and it seemed to work fine. The log is below.

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/09/07 14:04
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0x8ADD3000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Steve\Local Settings\Apps\2.0\EJE61GON.3Q2\5QMQJW5Z.PE0\manifests\clickonce_bootstrap.exe.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Steve\Local Settings\Apps\2.0\EJE61GON.3Q2\5QMQJW5Z.PE0\manifests\clickonce_bootstrap.exe.manifest
Status: Locked to the Windows API!

SSDT
-------------------
#: 031 Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0x8b9f25cd

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0x8ba06110

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0x8ba06070

#: 098 Function Name: NtLoadKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0x8ba06190

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0x8ba05ab0

#: 193 Function Name: NtReplaceKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0x8ba06240

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0x8ba062c0

#: 210 Function Name: NtSecureConnectPort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0x8b9f26f5

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0x8ba05fc0

Shadow SSDT
-------------------
#: 460 Function Name: NtUserMessageCall
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0x8b9f1f80

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0x8b9f1fd0

#: 502 Function Name: NtUserSendInput
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0x8b9f21b0

==EOF==

#13 Blind Faith
  • Malware Response Team

Posted 09 September 2010 - 03:02 AM

Hello,



1. Please Download ComboFix
Here is a Tutorial on using ComboFix: A guide and tutorial on using ComboFix
  • Save it to your Desktop
  • Do NOT run ComboFix yet
  • Here is an alternative link to download ComboFix, if the above one is not working for you:

2. Disable Your AntiVirus and AntiSpyware Programs
  • You should be able to Right-Click on the program's icon in the System Tray and get an option to shut-down/disable each program.
  • These programs may interfere with our fix. We will re-enable them when we are done.

3. Double click on ComboFix.exe that you just saved to your Desktop
  • Follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. The Recovery Console will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • It is strongly recommended to have the Recovery Console installed on your machine before doing any malware removal.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


NOTE: If the Microsoft Windows Recovery Console is already installed, you will not receive a prompt from ComboFix regarding the Recovery Console.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

4. Re-enable Your AntiVirus and AntiSpyware Programs That You Disabled in Step 2.

5. What I need in Your Next Reply:
  • ComboFix.txt



Elle

#14 SteveBDH
  • Topic Starter
  • Members

Posted 09 September 2010 - 09:57 AM

Hi Elle:

ComboFix ran fine. Below is the report.



ComboFix 10-09-08.03 - Steve 09/09/2010 10:03:20.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1605 [GMT -4:00]
Running from: c:\documents and settings\Steve\Desktop\ComboFix.exe
AV: AVG Anti-Virus *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Microsoft Security Essentials *On-access scanning disabled* (Outdated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: ZoneAlarm Pro Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\~.exe
c:\documents and settings\Steve\g2mdlhlpx.exe
C:\Thumbs.db
c:\windows\system32\certstore.dat
c:\windows\system32\drivers\hwinterface.sys
c:\windows\system32\Iasv32.dll
c:\windows\system32\Settings
c:\windows\system32\Settings\Settings.ini
c:\windows\system32\Temp
c:\windows\system32\Temp\eReader_Install\eReader.ico
c:\windows\system32\Thumbs.db
F:\autorun.inf

Infected copy of c:\windows\system32\drivers\pciide.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_HWINTERFACE
-------\Legacy_IAS
-------\Service_6to4
-------\Service_hwinterface
-------\Service_Ias


((((((((((((((((((((((((( Files Created from 2010-08-09 to 2010-09-09 )))))))))))))))))))))))))))))))
.

2010-08-18 12:47 . 2010-08-18 12:47 -------- d-----w- C:\SK_Metadata
2010-08-11 02:22 . 2010-08-11 02:22 -------- d-----w- c:\program files\ISTool
2010-08-11 02:22 . 2010-08-11 02:22 -------- d-----w- c:\documents and settings\Steve\Application Data\ISTool
2010-08-11 02:22 . 2010-08-11 02:22 -------- d-----w- c:\documents and settings\Steve\Local Settings\Application Data\ISTool
2010-08-11 02:18 . 2010-08-11 02:22 -------- d-----w- c:\program files\Inno Setup
2010-08-11 00:51 . 2010-08-11 01:04 -------- d-----w- c:\program files\CatMDEdit

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-09 13:52 . 2010-03-01 00:12 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-09-09 11:52 . 2008-11-17 00:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-09-08 16:26 . 2008-11-16 18:14 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-09-08 10:36 . 2010-09-08 10:40 316416 ----a-w- c:\windows\Internet Logs\xDBDB.tmp
2010-09-08 10:36 . 2010-09-08 10:40 4641792 ----a-w- c:\windows\Internet Logs\xDBDA.tmp
2010-09-07 15:56 . 2010-09-07 16:02 80384 ----a-w- c:\windows\Internet Logs\xDBD9.tmp
2010-09-07 15:11 . 2010-09-07 16:02 4634624 ----a-w- c:\windows\Internet Logs\xDBD8.tmp
2010-09-07 12:40 . 2010-09-07 12:47 4634624 ----a-w- c:\windows\Internet Logs\xDBD6.tmp
2010-09-07 12:40 . 2010-09-07 12:47 2750464 ----a-w- c:\windows\Internet Logs\xDBD7.tmp
2010-09-07 12:24 . 2009-06-20 13:50 -------- d-----w- c:\program files\Common Files\PC Tools
2010-09-03 05:21 . 2007-11-06 19:51 -------- d-----w- c:\documents and settings\Steve\Application Data\Skype
2010-08-30 06:27 . 2010-08-30 07:39 2647040 ----a-w- c:\windows\Internet Logs\xDBD5.tmp
2010-08-30 06:26 . 2010-08-30 07:39 4596736 ----a-w- c:\windows\Internet Logs\xDBD4.tmp
2010-08-28 14:12 . 2007-07-07 14:19 -------- d-----w- c:\program files\Google
2010-08-28 02:45 . 2010-08-28 02:47 3730432 ----a-w- c:\windows\Internet Logs\xDBD3.tmp
2010-08-28 02:44 . 2010-08-28 02:47 4589056 ----a-w- c:\windows\Internet Logs\xDBD2.tmp
2010-08-25 15:59 . 2007-01-28 08:43 -------- d-----w- c:\program files\Firefox
2010-08-14 16:05 . 2010-08-15 11:38 122880 ----a-w- c:\windows\Internet Logs\xDBD1.tmp
2010-08-14 16:03 . 2010-08-15 11:37 4528640 ----a-w- c:\windows\Internet Logs\xDBD0.tmp
2010-08-14 02:52 . 2010-08-14 02:56 21504 ----a-w- c:\windows\Internet Logs\xDBCF.tmp
2010-08-14 02:44 . 2010-08-14 02:55 4524032 ----a-w- c:\windows\Internet Logs\xDBCE.tmp
2010-08-13 10:47 . 2010-08-14 02:38 4524032 ----a-w- c:\windows\Internet Logs\xDBCC.tmp
2010-08-13 10:47 . 2010-08-14 02:38 32768 ----a-w- c:\windows\Internet Logs\xDBCD.tmp
2010-08-13 08:22 . 2010-08-13 10:30 4520960 ----a-w- c:\windows\Internet Logs\xDBCA.tmp
2010-08-13 08:22 . 2010-08-13 10:30 13312 ----a-w- c:\windows\Internet Logs\xDBCB.tmp
2010-08-13 08:14 . 2010-08-13 08:22 4526592 ----a-w- c:\windows\Internet Logs\xDBC8.tmp
2010-08-13 08:14 . 2010-08-13 08:22 58880 ----a-w- c:\windows\Internet Logs\xDBC9.tmp
2010-08-13 07:17 . 2010-08-13 07:33 4520960 ----a-w- c:\windows\Internet Logs\xDBC6.tmp
2010-08-13 07:16 . 2010-08-13 07:34 85504 ----a-w- c:\windows\Internet Logs\xDBC7.tmp
2010-08-12 18:56 . 2010-08-12 19:00 22528 ----a-w- c:\windows\Internet Logs\xDBC5.tmp
2010-08-12 18:40 . 2010-08-12 19:00 4493312 ----a-w- c:\windows\Internet Logs\xDBC4.tmp
2010-08-12 16:57 . 2010-08-12 18:24 77312 ----a-w- c:\windows\Internet Logs\xDBC3.tmp
2010-08-12 16:51 . 2010-08-12 18:24 4519424 ----a-w- c:\windows\Internet Logs\xDBC2.tmp
2010-08-12 12:49 . 2010-08-12 13:12 4523008 ----a-w- c:\windows\Internet Logs\xDBC0.tmp
2010-08-12 12:38 . 2010-08-12 13:12 32768 ----a-w- c:\windows\Internet Logs\xDBC1.tmp
2010-08-11 16:40 . 2010-08-12 11:37 148992 ----a-w- c:\windows\Internet Logs\xDBBF.tmp
2010-08-11 16:26 . 2010-08-12 11:36 4531200 ----a-w- c:\windows\Internet Logs\xDBBE.tmp
2010-08-10 14:04 . 2010-08-10 14:23 181760 ----a-w- c:\windows\Internet Logs\xDBBD.tmp
2010-08-10 13:53 . 2010-08-10 14:23 4521984 ----a-w- c:\windows\Internet Logs\xDBBC.tmp
2010-08-09 20:14 . 2010-08-10 13:09 182656 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
2010-08-09 16:59 . 2010-08-09 19:47 4568576 ----a-w- c:\windows\Internet Logs\xDBBA.tmp
2010-08-09 16:58 . 2010-08-09 19:47 156160 ----a-w- c:\windows\Internet Logs\xDBBB.tmp
2010-08-09 11:10 . 2010-08-09 11:20 79872 ----a-w- c:\windows\Internet Logs\xDBB9.tmp
2010-08-09 11:09 . 2010-08-09 11:19 4532224 ----a-w- c:\windows\Internet Logs\xDBB8.tmp
2010-08-09 10:58 . 2007-03-15 12:10 -------- d-----w- c:\program files\TurboTax
2010-08-09 01:34 . 2010-08-09 01:39 48640 ----a-w- c:\windows\Internet Logs\xDBB7.tmp
2010-08-09 01:34 . 2010-08-09 01:38 4495872 ----a-w- c:\windows\Internet Logs\xDBB6.tmp
2010-08-08 18:59 . 2010-08-08 13:51 -------- d-----w- c:\program files\DriveImage XML
2010-08-08 16:40 . 2010-08-08 18:49 173056 ----a-w- c:\windows\Internet Logs\xDBB5.tmp
2010-08-08 16:39 . 2010-08-08 18:49 4511232 ----a-w- c:\windows\Internet Logs\xDBB4.tmp
2010-08-08 13:35 . 2010-08-08 13:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Paragon
2010-08-08 13:30 . 2010-08-08 13:30 -------- d-----w- c:\program files\Paragon Software
2010-08-07 20:12 . 2010-08-07 20:22 93696 ----a-w- c:\windows\Internet Logs\xDBB3.tmp
2010-08-07 20:01 . 2010-08-07 20:22 4500480 ----a-w- c:\windows\Internet Logs\xDBB2.tmp
2010-08-06 22:04 . 2010-08-07 14:52 247296 ----a-w- c:\windows\Internet Logs\xDBB1.tmp
2010-08-06 22:00 . 2010-08-07 14:52 4530688 ----a-w- c:\windows\Internet Logs\xDBB0.tmp
2010-08-05 20:43 . 2010-08-06 12:29 142336 ----a-w- c:\windows\Internet Logs\xDBAF.tmp
2010-08-05 20:42 . 2010-08-06 12:28 4486656 ----a-w- c:\windows\Internet Logs\xDBAE.tmp
2010-08-05 12:46 . 2010-08-07 20:24 37336 ----a-w- c:\windows\system32\CleanMFT32.exe
2010-08-04 20:40 . 2010-08-05 11:47 4489216 ----a-w- c:\windows\Internet Logs\xDBAC.tmp
2010-08-04 20:40 . 2010-08-05 11:47 159232 ----a-w- c:\windows\Internet Logs\xDBAD.tmp
2010-08-04 01:12 . 2010-08-04 01:12 -------- d-----w- c:\program files\XoftSpySE6
2010-08-04 01:12 . 2010-08-04 01:12 -------- d-----w- c:\program files\Common Files\ParetoLogic
2010-08-04 01:12 . 2010-08-04 01:12 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2010-08-04 01:12 . 2010-08-04 01:12 -------- d-----w- c:\program files\Common Files\XoftSpySE
2010-08-04 01:12 . 2010-08-04 01:12 -------- d-----w- c:\documents and settings\All Users\Application Data\XoftSpySE
2010-08-04 01:11 . 2010-08-04 01:11 -------- dc----w- c:\documents and settings\All Users\Application Data\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
2010-08-03 22:29 . 2010-08-04 01:15 17920 ----a-w- c:\windows\Internet Logs\xDBAB.tmp
2010-08-03 22:29 . 2010-08-04 01:15 4485120 ----a-w- c:\windows\Internet Logs\xDBAA.tmp
2010-08-03 21:12 . 2010-08-03 21:19 4485120 ----a-w- c:\windows\Internet Logs\xDBA8.tmp
2010-08-03 21:12 . 2010-08-03 21:19 29696 ----a-w- c:\windows\Internet Logs\xDBA9.tmp
2010-08-03 21:07 . 2010-08-03 21:10 4487680 ----a-w- c:\windows\Internet Logs\xDBA6.tmp
2010-08-03 21:07 . 2010-08-03 21:10 39424 ----a-w- c:\windows\Internet Logs\xDBA7.tmp
2010-08-03 21:03 . 2010-08-03 21:05 50176 ----a-w- c:\windows\Internet Logs\xDBA5.tmp
2010-08-03 21:03 . 2010-08-03 21:05 4485120 ----a-w- c:\windows\Internet Logs\xDBA4.tmp
2010-08-03 20:53 . 2010-08-03 20:57 36864 ----a-w- c:\windows\Internet Logs\xDBA3.tmp
2010-08-03 20:53 . 2010-08-03 20:57 4485120 ----a-w- c:\windows\Internet Logs\xDBA2.tmp
2010-08-03 20:48 . 2010-08-03 20:50 40960 ----a-w- c:\windows\Internet Logs\xDBA1.tmp
2010-08-03 20:48 . 2010-08-03 20:50 4487680 ----a-w- c:\windows\Internet Logs\xDBA0.tmp
2010-08-03 20:42 . 2010-08-03 20:44 64512 ----a-w- c:\windows\Internet Logs\xDB9F.tmp
2010-08-03 20:42 . 2010-08-03 20:44 4487168 ----a-w- c:\windows\Internet Logs\xDB9E.tmp
2010-08-03 20:03 . 2010-08-03 14:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-08-03 19:59 . 2010-08-03 20:01 193024 ----a-w- c:\windows\Internet Logs\xDB9D.tmp
2010-08-03 18:41 . 2010-08-03 20:01 4485632 ----a-w- c:\windows\Internet Logs\xDB9C.tmp
2010-08-03 15:48 . 2010-08-03 17:17 4499456 ----a-w- c:\windows\Internet Logs\xDB9A.tmp
2010-08-03 15:48 . 2010-08-03 17:17 38400 ----a-w- c:\windows\Internet Logs\xDB9B.tmp
2010-08-03 14:50 . 2010-08-03 14:43 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-08-03 14:36 . 2010-08-03 14:37 34304 ----a-w- c:\windows\Internet Logs\xDB99.tmp
2010-08-03 14:14 . 2010-08-03 14:37 4485120 ----a-w- c:\windows\Internet Logs\xDB98.tmp
2010-08-03 13:11 . 2010-08-03 13:16 63488 ----a-w- c:\windows\Internet Logs\xDB97.tmp
2010-08-03 13:04 . 2010-08-03 13:16 4485120 ----a-w- c:\windows\Internet Logs\xDB96.tmp
2010-08-03 12:33 . 2010-08-03 12:44 3507712 ----a-w- c:\windows\Internet Logs\xDB95.tmp
2010-08-03 12:33 . 2010-08-03 12:44 4486656 ----a-w- c:\windows\Internet Logs\xDB94.tmp
2010-07-29 05:25 . 2010-07-29 05:54 4464128 ----a-w- c:\windows\Internet Logs\xDB92.tmp
2010-07-29 05:25 . 2010-07-29 05:54 3411968 ----a-w- c:\windows\Internet Logs\xDB93.tmp
2010-07-28 08:43 . 2010-07-28 10:01 4462592 ----a-w- c:\windows\Internet Logs\xDB90.tmp
2010-07-28 08:42 . 2010-07-28 10:01 14848 ----a-w- c:\windows\Internet Logs\xDB91.tmp
2010-07-28 08:11 . 2010-07-28 08:42 3830784 ----a-w- c:\windows\Internet Logs\xDB8F.tmp
2010-07-28 08:10 . 2010-07-28 08:42 4464640 ----a-w- c:\windows\Internet Logs\xDB8E.tmp
2010-07-24 12:16 . 2010-07-24 15:08 88064 ----a-w- c:\windows\Internet Logs\xDB8D.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2008-09-07 07:20 143360 ----a-w- c:\program files\Dropbox\DropboxExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2008-09-07 07:20 143360 ----a-w- c:\program files\Dropbox\DropboxExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2008-09-07 07:20 143360 ----a-w- c:\program files\Dropbox\DropboxExt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"Google Update"="c:\documents and settings\Steve\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-04-21 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Zone Labs Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2004-11-28 902432]
"WCULauncher"="c:\program files\Sony\SmartWi Connection Utility\WCULauncher.exe" [2006-02-08 73728]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-02-01 198160]
"SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2006-06-13 217088]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-21 7561216]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 32768]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-02-28 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-02-28 602182]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-17 98304]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-17 118784]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-17 77824]
"EOUApp"="c:\program files\Intel\Wireless\Bin\EOUWiz.exe" [2006-02-28 569413]
"Biomenu"="c:\program files\Protector Suite QL\menusw.exe" [2006-02-23 1354240]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-11-18 118784]
"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RealUpgradeHelper"="c:\program files\Common Files\Real\Update_OB\upgrdhlp.exe" [2010-02-01 136744]

c:\documents and settings\Steve\Start Menu\Programs\Startup\
Windows Explorer.lnk - c:\windows\explorer.exe [2006-7-22 1033728]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Belkin Wireless Networking Utility.lnk - c:\program files\Belkin\F5D8053\v6\BelkinWCUI.exe [2010-2-20 1232896]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{03A80B1D-5C6A-42c2-9DFB-81B6005D8023}"= "c:\program files\Trend Micro\Tmas\sshook.dll" [2006-08-24 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2002-02-15 15:51 24638 ----a-w- c:\windows\system32\Pcanotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-02-23 01:11 39936 ----a-w- c:\windows\system32\fusstub.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2006-03-09 21:51 73728 ----a-w- c:\windows\system32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli fusstub

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSSE]
2010-06-01 18:53 1093208 ----a-w- c:\program files\Microsoft Security Essentials\msseces.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 20:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XoftSpySE]
2009-10-23 21:58 4854040 ----a-w- c:\program files\XoftSpySE6\XoftSpySE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"XoftSpyService"=3 (0x3)
"sdCoreService"=3 (0x3)
"sdAuxService"=3 (0x3)
"PCToolsSSDMonitorSvc"=2 (0x2)
"MsMpSvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\pcAnywhere\\awhost32.exe"=
"c:\\Program Files\\pcAnywhere\\awrem32.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Gizmo\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Dimdim\\Plugin\\Application\\Dimdim.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Dimdim\\Updater\\next.exe"=
"c:\\Program Files\\Dimdim\\Plugin\\Application\\myScreen.exe"=
"c:\\Documents and Settings\\Steve\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [8/8/2010 9:31 AM 40560]
R0 shpf;Sony HDD Protection Filter Driver;c:\windows\system32\drivers\shpf.sys [7/22/2006 2:31 PM 9216]
R2 Belkin Wifi Service;Belkin Wifi Service;c:\program files\Belkin\F5D8053\v6\WifiSvc.exe [2/20/2010 9:47 AM 274432]
R2 FdRedir;FdRedir;c:\program files\Common Files\Protector Suite QL\Drivers\FdRedir.sys [2/22/2006 9:13 PM 13440]
R2 FileDisk2;FileDisk Protector Kernel Driver;c:\program files\Common Files\Protector Suite QL\Drivers\filedisk.sys [2/22/2006 9:13 PM 33024]
R3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [3/28/2009 9:38 AM 31896]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [7/22/2006 2:31 PM 36352]
R3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\drivers\SonyImgF.sys [7/22/2006 2:31 PM 30080]
R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [7/22/2006 2:31 PM 71961]
R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [7/22/2006 2:31 PM 226304]
S1 Bsefebps;Bsefebps; [x]
S1 MpKslb90d56be;MpKslb90d56be;\??\c:\windows\system32\MpEngineStore\MpKslb90d56be.sys --> c:\windows\system32\MpEngineStore\MpKslb90d56be.sys [?]
S3 DLPortIO;DriverLINX Port I/O Driver;c:\windows\system32\drivers\DLPORTIO.sys [5/14/2007 10:13 PM 3584]
S3 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/6/2010 11:46 AM 135664]
S3 hpoius07;USB to IEEE-1284.4 Translation Driver;c:\windows\system32\DRIVERS\hpoius07.sys --> c:\windows\system32\DRIVERS\hpoius07.sys [?]
S3 RTL8192su;Realtek RTL8192SU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8192su.sys [2/20/2010 9:47 AM 584832]
S3 SEMWModem;Sony Ericsson SEMWModem;c:\windows\system32\drivers\GCXX.sys [7/22/2006 3:46 PM 114944]
S3 SEMWWNIC;Sony Ericsson SEMWWNIC;c:\windows\system32\drivers\GCXXNet.sys [7/22/2006 3:46 PM 53248]
S4 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [8/7/2010 4:24 PM 583640]
S4 XoftSpyService;XoftSpyService;c:\program files\Common Files\XoftSpySE\6\xoftspyservice.exe [10/23/2009 5:58 PM 582424]
.
Contents of the 'Scheduled Tasks' folder

2010-09-09 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-11-17 14:57]

2010-09-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 15:46]

2010-09-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 15:46]

2010-09-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3999800018-375985611-3862066182-1006Core.job
- c:\documents and settings\Steve\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-21 13:29]

2010-09-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3999800018-375985611-3862066182-1006UA.job
- c:\documents and settings\Steve\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-21 13:29]

2010-08-14 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-26 01:40]

2010-09-09 c:\windows\Tasks\MpIdleTask.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-26 01:40]

2010-09-02 c:\windows\Tasks\next.job
- c:\documents and settings\All Users\Application Data\Dimdim\Updater\next.exe [2010-04-01 10:14]

2010-09-02 c:\windows\Tasks\ParetoLogic Registration3.job
- c:\program files\Common Files\ParetoLogic\UUS3\UUS3.dll [2009-10-23 21:58]

2010-08-24 c:\windows\Tasks\ParetoLogic Update Version3.job
- c:\program files\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe [2009-10-23 21:58]

2010-09-08 c:\windows\Tasks\RMSmartUpdate.job
- c:\program files\Registry Mechanic\Update.exe [2010-08-07 12:46]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://www.sony.com/vaiopeople
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
Trusted Zone: trymedia.com
DPF: {9BB24AD9-982D-4FE6-96D4-8689EDA8728D} - hxxp://www.mathxl.com/books/_Players/MEBPlayer.cab
FF - ProfilePath - c:\documents and settings\Steve\Application Data\Mozilla\Firefox\Profiles\it8u8c4m.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.ieeecommunities.org/iswg
FF - component: c:\documents and settings\Steve\Application Data\Mozilla\Firefox\Profiles\it8u8c4m.default\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\platform\WINNT_x86-msvc\components\SSSLauncher.dll
FF - component: c:\documents and settings\Steve\Application Data\Mozilla\Firefox\Profiles\it8u8c4m.default\extensions\{3b56bcc7-54e5-44a2-9b44-66c3ef58c13e}\components\nstidy.dll
FF - component: c:\documents and settings\Steve\Application Data\Mozilla\Firefox\Profiles\it8u8c4m.default\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}\platform\WINNT\components\ColorZilla.dll
FF - component: c:\documents and settings\Steve\Application Data\Mozilla\Firefox\Profiles\it8u8c4m.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\Steve\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\Steve\Application Data\Move Networks\plugins\npqmp071701000002.dll
FF - plugin: c:\documents and settings\Steve\Application Data\Mozilla\plugins\npatgpc.dll
FF - plugin: c:\documents and settings\Steve\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Dimdim\Plugin\Application\npDimDimControl.dll
FF - plugin: c:\program files\Firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Firefox\plugins\npRACtrl.dll
FF - plugin: c:\program files\Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
.
.
------- File Associations -------
.
.txt=UltraEdit.txt
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-oamsxobj - c:\documents and settings\Steve\Local Settings\Application Data\ljbmxvphs\klcjjbytssd.exe
MSConfigStartUp-eahthumn - c:\documents and settings\Steve\Local Settings\Application Data\xmgbrypvk\nwfjjsgtssd.exe
MSConfigStartUp-hsef87ehf3jishfs87fhuishfsgggfdgs4g - c:\docume~1\Steve\LOCALS~1\Temp\x4cmpww.exe
MSConfigStartUp-hsehf98u34i9tjioaugy987iuegdsg - c:\docume~1\Steve\LOCALS~1\Temp\win16.exe
MSConfigStartUp-oamsxobj - c:\documents and settings\Steve\Local Settings\Application Data\ljbmxvphs\klcjjbytssd.exe
MSConfigStartUp-sdr8gdrgdrgke49orkgsjkjfjhsd - c:\docume~1\Steve\LOCALS~1\Temp\win.exe
AddRemove-Repair Tool for Outlook Express_is1 - c:\program files\Outlook Express Repair Tool\Repair Tool for OE\unins000.exe
AddRemove-Uniblue RegistryBooster 2009 - c:\documents and settings\All Users\Application Data\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}\Uniblue RegistryBooster.exe
AddRemove-WebMeeting Plug-in - c:\documents and settings\All Users\Application Data\{AC4F4F81-FEAF-4CD9-9B40-6B859D0CC31C}\WebMeeting.exe
AddRemove-{1E2A10BE-8577-473E-9D5B-F2F566EAFD24}_is1 - c:\program files\Palladium Technologies
AddRemove-{30AF2740-9497-4EB9-9BDE-FC17B5921385}_is1 - c:\program files\Palladium Technologies
AddRemove-{C9C641B6-DB5C-4C84-B6C9-9540388DA0DA} - c:\documents and settings\All Users\Application Data\{AC4F4F81-FEAF-4CD9-9B40-6B859D0CC31C}\WebMeeting.exe
AddRemove-{E63E34A7-E552-412B-9E40-FD6FC5227ABA} - c:\documents and settings\All Users\Application Data\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}\Uniblue RegistryBooster.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-09 10:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3999800018-375985611-3862066182-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{623DB4F4-66DC-0DF3-3A0F-CF7D99F713ED}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1744)
c:\windows\system32\fusstub.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homefus.dll
c:\windows\system32\biologon.dll
c:\program files\Protector Suite QL\homepass.dll
c:\program files\Protector Suite QL\passport.dll
c:\program files\Protector Suite QL\BhTcAll.dll
c:\program files\Protector Suite QL\BhDevTfm.dll
c:\program files\Protector Suite QL\AlgVer.dll
c:\program files\Protector Suite QL\TCBioLib.dll
c:\program files\Protector Suite QL\remote.dll
c:\windows\system32\VESWinlogon.dll
c:\program files\Protector Suite QL\mysafe.dll

- - - - - - - > 'lsass.exe'(1800)
c:\windows\system32\fusstub.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homefus.dll

- - - - - - - > 'explorer.exe'(2980)
c:\program files\Dropbox\DropboxExt.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Protector Suite QL\mysafe.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\WinSCP\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\program files\Sony\VAIO Event Service\VESMgr.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
c:\windows\system32\ZoneLabs\vsmon.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\program files\Sony\SmartWi Connection Utility\SmartWiService.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
c:\windows\system32\wscntfy.exe
c:\program files\Apoint\Apntex.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-09-09 10:43:02 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-09 14:42

Pre-Run: 24,860,909,568 bytes free
Post-Run: 25,593,626,624 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 1485424E21E25E13BE57E7A56F5FE77B
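The "ORPHANS REMOVED" section of the log above is the most telling part of it: autostart entries pointing at executables with machine-generated names under the user's Temp and Local Settings\Application Data folders, which is where a drive-by dropper that cannot write to Program Files or System32 typically lands. The following script is an added example, not something from this thread or from ComboFix itself. It pulls Run values and orphan lines out of a ComboFix-style log and scores each one with two assumed heuristics: whether the binary runs from a Temp directory, and whether the value name or any path component looks random (almost no vowels, or a long letter/digit mixture). A per-user location on its own is only recorded as a weak signal, because legitimate per-user updaters such as Google Update live there too. The sample input is constructed for the example from entries of the kind shown in the log above; the thresholds (vowel ratio, name length) are assumptions, not a published rule.

```python
import re
import sys
from typing import Dict, List

# Sample input constructed for this example from Run values and orphan
# lines of the kind that appear in a ComboFix log. Assumed format only.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"Google Update"="c:\documents and settings\Steve\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-04-21 133104]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Zone Labs Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2004-11-28 902432]
- - - - ORPHANS REMOVED - - - -
HKU-Default-Run-oamsxobj - c:\documents and settings\Steve\Local Settings\Application Data\ljbmxvphs\klcjjbytssd.exe
MSConfigStartUp-hsef87ehf3jishfs87fhuishfsgggfdgs4g - c:\docume~1\Steve\LOCALS~1\Temp\x4cmpww.exe
MSConfigStartUp-hsehf98u34i9tjioaugy987iuegdsg - c:\docume~1\Steve\LOCALS~1\Temp\win16.exe
AddRemove-Repair Tool for Outlook Express_is1 - c:\program files\Outlook Express Repair Tool\Repair Tool for OE\unins000.exe
"""

# "name"="path" [date size]  (Run / RunOnce values)
RUN_VALUE = re.compile(r'^"([^"]+)"="([^"]+)"')
# Prefix-Name - c:\path  (ORPHANS REMOVED lines)
ORPHAN = re.compile(r'^([A-Za-z]+-.+?) - ([a-z]:\\.+)$', re.IGNORECASE)
ORPHAN_PREFIX = re.compile(
    r'^(?:HKU-[^-]+-Run-|HKLM-Run-|HKCU-Run-|MSConfigStartUp-|AddRemove-)', re.IGNORECASE)


def looks_random(token: str) -> bool:
    """Assumed heuristic for generated names: a word of 6+ letters with
    (almost) no vowels, or a 16+ character letter/digit mixture."""
    t = token.lower()
    letters = [c for c in t if c.isalpha()]
    if len(letters) < 6:
        return False
    vowels = sum(c in "aeiouy" for c in letters)
    if vowels / len(letters) <= 0.15:
        return True
    return len(t) >= 16 and re.search(r"[a-z]\d+[a-z]", t) is not None


def path_components(path: str) -> List[str]:
    """Directory names plus the file stem, without the drive letter."""
    parts = [p for p in path.lower().strip('"').split("\\")[1:] if p]
    if parts and "." in parts[-1]:
        parts[-1] = parts[-1].rsplit(".", 1)[0]
    return parts


def assess(name: str, path: str) -> Dict:
    """Score one autostart entry. Temp location and random names are strong
    signals; a per-user profile location alone is only a weak one."""
    strong, weak = [], []
    low = path.lower()
    if "\\temp\\" in low:
        strong.append("runs from a Temp directory")
    if "\\application data\\" in low or "\\local settings\\" in low:
        weak.append("lives in the user profile, not Program Files")
    for token in [name] + path_components(path):
        if looks_random(token):
            strong.append(f"random-looking name {token!r}")
    return {"name": name, "path": path, "reasons": strong + weak,
            "suspicious": bool(strong)}


def triage(log_text: str) -> List[Dict]:
    """Extract Run values and orphan entries from ComboFix-style text."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = RUN_VALUE.match(line)
        if m:
            name, path, source = m.group(1), m.group(2), "Run value"
        else:
            m = ORPHAN.match(line)
            if not m:
                continue
            name, path, source = ORPHAN_PREFIX.sub("", m.group(1)), m.group(2), "orphan"
        entry = assess(name, path)
        entry["source"] = source
        findings.append(entry)
    return findings


def suspicious_names(log_text: str) -> List[str]:
    return [f["name"] for f in triage(log_text) if f["suspicious"]]


if __name__ == "__main__":
    # Pass a saved ComboFix.txt as the first argument, or run on the sample.
    text = (open(sys.argv[1], encoding="utf-8", errors="replace").read()
            if len(sys.argv) > 1 else SAMPLE_LOG)
    for f in triage(text):
        print(("!! " if f["suspicious"] else "   ") + f"[{f['source']}] {f['name']} -> {f['path']}")
        for r in f["reasons"]:
            print("      - " + r)
```

On the sample, the three orphan entries under Temp and the random-named Application Data folder are flagged, while the Adobe, Zone Labs and Google Update values are not, even though the last one also lives under Local Settings. Treat the output as a shortlist for manual review (check the file's signer, hash and creation time), not as a verdict; a loader with a plausible English name and a Program Files path would slip past these heuristics.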


#15 Blind Faith

  • Malware Response Team
  • 4,101 posts
  • Gender:Female

Posted 11 September 2010 - 06:16 PM

Hi,


1. Please try running GMER again and post the log into your next reply.

----------------------------------------------------------------------------------

2. Also, you haven't uninstalled one antivirus and firewall program; please do so, as you are overwhelming your system.



---------------------------------------------------------------------------------
3. How is your system working?



---------------------------------------------------------



Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.





Elle
Can you hear it?It's all around!

Tomar ki manè acchè?
Yadi thakè, tahalè
Ki kshama kartè paro
?



If I haven't replied in 48 hours, please feel free to send me a PM.






