Most malware scanners find nothing at all. Malwarebytes has never found anything. I have AVG installed, but of course it did not find anything. I have executed MBRcheck and it does find a fake MBR, but it also does not fix it even when I follow the instructions to do so. It seems it doesn't do much good to have all this protection software if it doesn't find anything! This is the first infection I have ever had on my PC.
I have a data backup from 8/14 before I started having any issues, but I cannot perform another backup via the Vista backup because it thinks that my C and D drives are missing. The 8/14 backup will suffice as I had not done much to add to my PC between 8/14 and the onset of this infection.
SYMPTOMS: BSOD at startup when the desktop comes up - most of the time, but not always - and the message changes, and sometimes there is no message other than that the PC was shut down to prevent damage. Web site redirection - even when I type in the URL. If I retype it, I can get it back. Always redirected on Google searches. As expected, very slow PC response. Microsoft security updates will not install - other updates from Microsoft not related to security will install. I can run in safe mode without getting a BSOD, but the browser redirects still happen. Even if I do get it to boot normally, it will likely experience a BSOD at some point - sooner or later. IE 8 will not install.
I am fairly PC savvy and am the one that my family turns to when they have PC issues and I can usually fix them...but this I cannot fix as it seems it requires deeper knowledge of computers than what I have! I just fixed my granddaughter's PC and was able to get her data reloaded. I am certainly not at the level you guys are, but I can at least speak the language! I have looked at other posts in the forums that seem to be the same infection, but none of them seem to be exactly the same as what I am experiencing. I saw one that seemed to be exactly what I was experiencing - but they executed tdsskiller from Kaspersky and that fixed it - the same software finds nothing on my PC.
I also opened a ticket with Microsoft, which was related to the security updates not installing, and 2 days later I began experiencing the issues noted above. I spent a while on the phone with them yesterday, and they were trying to do the same things that I have already done - so they were of little help. I think they are going to want me to reinstall Vista but I want to avoid this if at all possible.
Please help!!!
DDS log:
DDS (Ver_10-03-17.01) - NTFSx86 NETWORK
Run by Liz at 7:43:47.16 on Thu 08/26/2010
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3573.2375 [GMT -5:00]
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
============== Running Processes ===============
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\Explorer.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\igfxsrvc.exe
C:\Users\Liz\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe
============== Pseudo HJT Report ===============
uDefault_Search_URL = hxxp://www.google.com/ie
uStart Page = hxxp://www.att.net/
mStart Page = hxxp://www.dell4me.com/myway
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1
uRun: [Sony Ericsson PC Suite] "c:\program files\sony ericsson\sony ericsson pc suite\SEPCSuite.exe" /systray /nologon
uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [cdloader] "c:\users\liz\appdata\roaming\mjusbsp\cdloader2.exe" MAGICJACK
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [Logitech Hardware Abstraction Layer] "c:\program files\common files\logitech\khalshared\KHALMNPR.EXE"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRunOnce: [<NO NAME>]
mRunOnce: [GrpConv] grpconv -o
StartupFolder: c:\users\liz\appdata\roaming\micros~1\windows\startm~1\programs\startup\intern~1.lnk - c:\program files\internet explorer\iexplore.exe
StartupFolder: c:\users\liz\appdata\roaming\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\windows\installer\{91120000-0030-0000-0000-0000000ff1ce}\outicon.exe
StartupFolder: c:\users\liz\appdata\roaming\microsoft\windows\start menu\programs\startup\OneNote Table Of Contents.onetoc2
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: comodo.com\secure
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} - hxxp://support.dell.com/systemprofiler/SysProExe.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {ADACAA8F-3595-47FE-9C31-9C7471B9BEC7} - hxxp://67.33.42.5/cab/OCXChecker_8198.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {FEC048AB-277A-460C-BF50-1A4193AEF148} - hxxp://67.33.42.5/cab/DownloadCenter_8200.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\avgrsstx.dll c:\progra~1\google\google~2\googledesktopnetwork3.dll c:\progra~1\google\google~2\GoogleDesktopNetwork3.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
============= SERVICES / DRIVERS ===============
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-6-21 243024]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [2010-2-6 27632]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-6-21 216400]
S1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-6-21 29584]
S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\AEstSrv.exe [2008-4-22 73728]
S2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-15 308136]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-30 135664]
S2 OMSI download service;Sony Ericsson OMSI download service;c:\program files\sony ericsson\sony ericsson pc suite\SupServ.exe [2010-2-6 90112]
S2 USBHSB;GeneLink File Transfer Driver;c:\windows\system32\drivers\usbhsb.sys [2008-10-19 18690]
S3 CSRBC01;CSRBC01.Sys CSR test driver;c:\windows\system32\drivers\csrbc01.sys [2008-5-29 83124]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-4-22 30192]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
=============== Created Last 30 ================
2010-08-26 02:41:45 34560 ----a-w- c:\windows\system32\drivers\Normandy.sys
2010-08-25 05:47:36 0 d-----w- C:\$RECYCLE.BIN
2010-08-25 01:41:57 0 d-----w- C:\_OTL
2010-08-23 03:45:34 0 d-----w- c:\users\liz\DoctorWeb
2010-08-22 14:49:50 65536 --sha-w- c:\users\liz\ntuser.dat{149ad336-adef-11df-a5ff-e24a27efb690}.TM.blf
2010-08-22 14:49:50 524288 --sha-w- c:\users\liz\ntuser.dat{149ad336-adef-11df-a5ff-e24a27efb690}.TMContainer00000000000000000002.regtrans-ms
2010-08-22 14:49:50 524288 --sha-w- c:\users\liz\ntuser.dat{149ad336-adef-11df-a5ff-e24a27efb690}.TMContainer00000000000000000001.regtrans-ms
2010-08-22 05:34:54 0 d-----w- c:\users\liz\appdata\roaming\DataSafeOnline
2010-08-22 03:51:21 0 d-----w- c:\program files\UnHackMe
2010-08-22 03:30:47 65536 --sha-w- c:\users\liz\ntuser.dat{0ecf1a7d-ad98-11df-81cc-001d09c7b142}.TM.blf
2010-08-22 03:30:47 524288 --sha-w- c:\users\liz\ntuser.dat{0ecf1a7d-ad98-11df-81cc-001d09c7b142}.TMContainer00000000000000000002.regtrans-ms
2010-08-22 03:30:47 524288 --sha-w- c:\users\liz\ntuser.dat{0ecf1a7d-ad98-11df-81cc-001d09c7b142}.TMContainer00000000000000000001.regtrans-ms
2010-08-22 00:47:27 0 d-----w- C:\ComboFix
2010-08-21 19:33:58 377635 ----a-w- C:\MGlogs.zip
2010-08-21 19:21:16 0 d-----w- C:\MGtools
2010-08-21 15:25:33 0 ----a-w- c:\users\liz\defogger_reenable
2010-08-21 14:27:56 0 d-----w- c:\program files\common files\Java(4)
2010-08-20 15:00:35 65536 --sha-w- c:\users\liz\ntuser.dat{bc9019bc-ac69-11df-ba2b-001d09c7b142}.TM.blf
2010-08-20 15:00:35 524288 --sha-w- c:\users\liz\ntuser.dat{bc9019bc-ac69-11df-ba2b-001d09c7b142}.TMContainer00000000000000000002.regtrans-ms
2010-08-20 15:00:35 524288 --sha-w- c:\users\liz\ntuser.dat{bc9019bc-ac69-11df-ba2b-001d09c7b142}.TMContainer00000000000000000001.regtrans-ms
2010-08-16 15:19:04 0 d-----w- C:\Mount
2010-08-16 15:16:19 0 d-----w- c:\program files\Windows Imaging
2010-08-16 03:40:41 0 d-----w- c:\program files\Windows AIK
2010-08-14 19:54:26 0 d-----w- c:\program files\WinImage
2010-08-14 16:21:58 0 d-----w- c:\program files\Yahoo!
2010-08-14 01:45:49 0 d-----w- c:\program files\View22
2010-08-12 19:15:56 81920 ----a-w- c:\windows\system32\iccvid.dll
2010-08-12 19:15:54 274432 ----a-w- c:\windows\system32\schannel.dll
2010-08-12 19:13:13 2036736 ----a-w- c:\windows\system32\win32k.sys
2010-08-12 19:13:11 36352 ----a-w- c:\windows\system32\rtutils.dll
2010-08-12 19:13:09 3598216 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-08-12 19:13:09 3545992 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-08-12 19:13:04 1257472 ----a-w- c:\windows\system32\msxml3.dll
2010-08-12 19:13:01 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-12 19:13:01 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-08-12 19:12:59 898952 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-07-28 15:16:15 140392 ----a-w- c:\windows\system32\drivers\pci.sys
2010-07-28 15:11:04 98816 ----a-w- c:\windows\sed.exe
2010-07-28 15:11:04 77312 ----a-w- c:\windows\MBR.exe
2010-07-28 15:11:04 256512 ----a-w- c:\windows\PEV.exe
2010-07-28 15:11:04 161792 ----a-w- c:\windows\SWREG.exe
2010-07-28 14:09:14 0 d-----w- c:\users\liz\appdata\roaming\Malwarebytes
2010-07-28 14:08:50 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-28 14:08:49 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-28 14:08:49 0 d-----w- c:\programdata\Malwarebytes
2010-07-28 14:08:49 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-27 15:00:53 0 d-----w- c:\users\liz\appdata\roaming\SUPERAntiSpyware.com
2010-07-27 15:00:53 0 d-----w- c:\programdata\SUPERAntiSpyware.com
2010-07-27 15:00:33 0 d-----w- c:\program files\SUPERAntiSpyware(62)
2010-07-27 15:00:33 0 d-----w- c:\program files\SUPERAntiSpyware
==================== Find3M ====================
2010-08-25 04:29:42 6604 ----a-w- c:\windows\bthservsdp.dat
2010-07-25 15:32:55 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-15 13:52:27 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-15 13:52:22 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-15 13:51:26 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-05-06 02:50:28 86016 ----a-w- c:\windows\inf\infpub.dat
2010-05-06 02:50:27 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-05-06 02:45:14 143360 ----a-w- c:\windows\inf\infstor.dat
2009-01-21 01:27:30 174 --sha-w- c:\program files\desktop.ini
2009-01-21 01:11:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-03-16 02:29:46 2048 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\lastalive0.dat
2009-03-16 02:29:46 2048 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\lastalive1.dat
2010-05-25 14:16:41 16384 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\feeds cache\index.dat
2010-05-25 14:18:47 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012010052520100526\index.dat
2008-04-23 05:38:16 8192 --sha-w- c:\windows\users\default\NTUSER.DAT
2006-09-18 21:43:37 10 --sha-w- c:\windows\winsxs\x86_microsoft-windows-ntvdm-system32_31bf3856ad364e35_6.0.6000.16386_none_fbd6b71e75a2c6c8\config.sys
2006-09-18 21:43:37 10 --sha-w- c:\windows\winsxs\x86_microsoft-windows-ntvdm-system32_31bf3856ad364e35_6.0.6001.18000_none_fe0d791a728dd79c\config.sys
============= FINISH: 7:44:03.45 ===============
GMER log:
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-08-26 07:43:28
Windows 6.0.6001 Service Pack 1
Running: rkmyrjkh-gmer.exe; Driver: C:\Users\Liz\AppData\Local\Temp\pwldapow.sys
---- User code sections - GMER 1.0.15 ----
.text C:\Windows\system32\svchost.exe[964] ntdll.dll!NtProtectVirtualMemory 772F8968 5 Bytes JMP 0064000A
.text C:\Windows\system32\svchost.exe[964] ntdll.dll!NtWriteVirtualMemory 772F92A8 5 Bytes JMP 0065000A
.text C:\Windows\system32\svchost.exe[964] ntdll.dll!KiUserExceptionDispatcher 772F99E8 5 Bytes JMP 0063000A
.text C:\Windows\system32\svchost.exe[964] ole32.dll!CoCreateInstance 76F0E188 5 Bytes JMP 009F000A
.text C:\Windows\system32\svchost.exe[964] USER32.dll!GetCursorPos 76E30F5E 5 Bytes JMP 00EF000A
.text C:\Program Files\Internet Explorer\iexplore.exe[1080] ntdll.dll!NtProtectVirtualMemory 772F8968 5 Bytes JMP 0024000A
.text C:\Program Files\Internet Explorer\iexplore.exe[1080] ntdll.dll!NtWriteVirtualMemory 772F92A8 5 Bytes JMP 0025000A
.text C:\Program Files\Internet Explorer\iexplore.exe[1080] ntdll.dll!KiUserExceptionDispatcher 772F99E8 5 Bytes JMP 001F000A
.text C:\Program Files\Internet Explorer\iexplore.exe[1080] USER32.dll!DialogBoxIndirectParamW 76E1BD25 5 Bytes JMP 71A15BD3 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1080] USER32.dll!DialogBoxParamW 76E31FD5 5 Bytes JMP 71A15B5D C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1080] USER32.dll!DialogBoxParamA 76E580B2 5 Bytes JMP 71A15B98 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1080] USER32.dll!DialogBoxIndirectParamA 76E583DD 5 Bytes JMP 71A15C0E C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1080] USER32.dll!MessageBoxIndirectA 76E6D471 5 Bytes JMP 71A15B19 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1080] USER32.dll!MessageBoxIndirectW 76E6D56B 5 Bytes JMP 71A15AD5 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1080] USER32.dll!MessageBoxExA 76E6D5D1 5 Bytes JMP 71A15A9B C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1080] USER32.dll!MessageBoxExW 76E6D5F5 5 Bytes JMP 71A15A61 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Windows\Explorer.EXE[1632] ntdll.dll!NtProtectVirtualMemory 772F8968 5 Bytes JMP 008D000A
.text C:\Windows\Explorer.EXE[1632] ntdll.dll!NtWriteVirtualMemory 772F92A8 5 Bytes JMP 008F000A
.text C:\Windows\Explorer.EXE[1632] ntdll.dll!KiUserExceptionDispatcher 772F99E8 5 Bytes JMP 008C000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2548] ntdll.dll!NtProtectVirtualMemory 772F8968 5 Bytes JMP 0021000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2548] ntdll.dll!NtWriteVirtualMemory 772F92A8 5 Bytes JMP 0022000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2548] ntdll.dll!KiUserExceptionDispatcher 772F99E8 5 Bytes JMP 0020000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2548] USER32.dll!DialogBoxIndirectParamW 76E1BD25 5 Bytes JMP 71A15BD3 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2548] USER32.dll!DialogBoxParamW 76E31FD5 5 Bytes JMP 71A15B5D C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2548] USER32.dll!DialogBoxParamA 76E580B2 5 Bytes JMP 71A15B98 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2548] USER32.dll!DialogBoxIndirectParamA 76E583DD 5 Bytes JMP 71A15C0E C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2548] USER32.dll!MessageBoxIndirectA 76E6D471 5 Bytes JMP 71A15B19 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2548] USER32.dll!MessageBoxIndirectW 76E6D56B 5 Bytes JMP 71A15AD5 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2548] USER32.dll!MessageBoxExA 76E6D5D1 5 Bytes JMP 71A15A9B C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2548] USER32.dll!MessageBoxExW 76E6D5F5 5 Bytes JMP 71A15A61 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \FileSystem\fastfat \Fat 9BA87A7A
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001cd8015bdd
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001f3ae46f43
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001f3ae46f43@001bafd6294f 0x5A 0xA7 0x9B 0x72 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001f3ae46f43@001adca2ed8e 0xEA 0x44 0x5D 0xC0 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001f3ae46f43@001cd48fe620 0xBE 0x2B 0x12 0xC0 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001f3ae46f43@00197f4b8f1e 0xE3 0xD8 0xB3 0xD6 ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001cd8015bdd (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001f3ae46f43 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001f3ae46f43@001bafd6294f 0x5A 0xA7 0x9B 0x72 ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001f3ae46f43@001adca2ed8e 0xEA 0x44 0x5D 0xC0 ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001f3ae46f43@001cd48fe620 0xBE 0x2B 0x12 0xC0 ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001f3ae46f43@00197f4b8f1e 0xE3 0xD8 0xB3 0xD6 ...
---- EOF - GMER 1.0.15 ----
COMBOFIX log:
ComboFix 10-08-24.0A - Liz 08/25/2010 0:28.5.2 - x86 MINIMAL
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3573.3187 [GMT -5:00]
Running from: c:\users\Liz\Downloads\Combo.exe
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\wininit.exe . . . is infected!!
.
((((((((((((((((((((((((( Files Created from 2010-07-25 to 2010-08-25 )))))))))))))))))))))))))))))))
.
2010-08-25 05:47 . 2010-08-25 05:48 -------- d-----w- c:\users\Liz\AppData\Local\temp
2010-08-25 05:47 . 2010-08-25 05:47 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-08-25 05:47 . 2010-08-25 05:47 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-08-25 05:09 . 2010-08-25 05:10 -------- d-----w- C:\32788R22FWJFW
2010-08-25 01:41 . 2010-08-25 01:41 -------- d-----w- C:\_OTL
2010-08-23 03:45 . 2010-08-23 13:41 -------- d-----w- c:\users\Liz\DoctorWeb
2010-08-22 05:34 . 2010-08-22 05:34 -------- d-----w- c:\users\Liz\AppData\Roaming\DataSafeOnline
2010-08-22 03:51 . 2010-08-22 03:53 -------- d-----w- c:\program files\UnHackMe
2010-08-22 00:47 . 2010-08-25 02:25 -------- d-----w- C:\ComboFix
2010-08-21 19:33 . 2010-08-21 19:50 377635 ----a-w- C:\MGlogs.zip
2010-08-21 19:21 . 2010-08-21 19:50 -------- d-----w- C:\MGtools
2010-08-21 14:27 . 2010-08-21 14:27 -------- d-----w- c:\program files\Common Files\Java(4)
2010-08-16 15:19 . 2010-08-16 15:19 -------- d-----w- C:\Mount
2010-08-16 15:16 . 2010-08-16 15:16 -------- d-----w- c:\program files\Windows Imaging
2010-08-16 03:40 . 2010-08-16 15:16 -------- d-----w- c:\program files\Windows AIK
2010-08-15 20:05 . 2010-08-15 20:55 -------- d-----w- c:\users\Liz\AppData\Roaming\ImgBurn
2010-08-15 19:41 . 2010-08-15 19:41 -------- d-----w- c:\program files\ImgBurn
2010-08-14 19:54 . 2010-08-14 19:54 -------- d-----w- c:\program files\WinImage
2010-08-14 16:22 . 2010-08-14 16:22 -------- d-----w- c:\users\Liz\AppData\Roaming\Yahoo!
2010-08-14 16:21 . 2010-08-16 15:04 -------- d-----w- c:\program files\Yahoo!
2010-08-14 01:46 . 2010-08-14 01:46 -------- d-----w- c:\users\Liz\AppData\Local\view22
2010-08-14 01:45 . 2010-08-14 01:45 -------- d-----w- c:\program files\View22
2010-08-12 19:15 . 2010-05-27 19:16 81920 ----a-w- c:\windows\system32\iccvid.dll
2010-08-12 19:15 . 2010-06-11 15:31 274432 ----a-w- c:\windows\system32\schannel.dll
2010-08-12 19:13 . 2010-06-21 13:18 2036736 ----a-w- c:\windows\system32\win32k.sys
2010-08-12 19:13 . 2010-06-18 16:43 36352 ----a-w- c:\windows\system32\rtutils.dll
2010-08-12 19:13 . 2010-06-08 17:00 3598216 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-08-12 19:13 . 2010-06-08 17:00 3545992 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-08-12 19:13 . 2010-06-11 15:30 1257472 ----a-w- c:\windows\system32\msxml3.dll
2010-08-12 19:13 . 2010-06-18 14:43 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-12 19:13 . 2010-06-18 14:43 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-08-12 19:12 . 2010-06-16 15:59 898952 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-07-28 15:16 . 2006-11-02 09:50 140392 ----a-w- c:\windows\system32\drivers\pci.sys
2010-07-28 14:09 . 2010-07-28 14:09 -------- d-----w- c:\users\Liz\AppData\Roaming\Malwarebytes
2010-07-28 14:08 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-28 14:08 . 2010-07-28 14:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-28 14:08 . 2010-07-28 14:08 -------- d-----w- c:\progra~2\Malwarebytes
2010-07-28 14:08 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-27 15:02 . 2010-07-27 15:02 63488 ----a-w- c:\users\Liz\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-07-27 15:02 . 2010-07-27 15:02 52224 ----a-w- c:\users\Liz\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-07-27 15:01 . 2010-07-27 15:01 117760 ----a-w- c:\users\Liz\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-07-27 15:00 . 2010-07-27 15:00 -------- d-----w- c:\users\Liz\AppData\Roaming\SUPERAntiSpyware.com
2010-07-27 15:00 . 2010-07-27 15:00 -------- d-----w- c:\progra~2\SUPERAntiSpyware.com
2010-07-27 15:00 . 2010-08-22 20:40 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-07-27 15:00 . 2010-08-22 04:43 -------- d-----w- c:\program files\SUPERAntiSpyware(62)
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-25 04:29 . 2008-04-22 21:52 6604 ----a-w- c:\windows\bthservsdp.dat
2010-08-25 03:59 . 2010-06-17 04:00 0 ----a-w- c:\users\Liz\AppData\Local\prvlcl.dat
2010-08-25 02:04 . 2008-05-19 13:19 6540 ----a-w- c:\users\Liz\AppData\Local\d3d9caps.dat
2010-08-24 20:33 . 2009-10-04 16:01 -------- d-----w- c:\program files\honestech VHS to DVD 4.0 Plus
2010-08-22 14:45 . 2008-08-29 17:34 -------- d-----w- c:\program files\iTunes
2010-08-22 14:41 . 2008-04-22 22:00 -------- d-----w- c:\program files\Java
2010-08-22 14:41 . 2009-03-14 01:24 -------- d-----w- c:\program files\EfficientDiary
2010-08-22 14:41 . 2008-09-27 17:05 -------- d-----w- c:\program files\INITIO
2010-08-22 14:41 . 2008-08-29 17:34 -------- d-----w- c:\program files\iPod
2010-08-22 14:41 . 2008-04-22 22:00 -------- d-----w- c:\program files\Common Files\Java
2010-08-21 13:52 . 2008-08-29 17:32 -------- d-----w- c:\progra~2\Apple Computer
2010-08-16 15:06 . 2008-10-23 15:24 -------- d-----w- c:\progra~2\WinZip
2010-08-14 19:39 . 2009-09-06 18:03 -------- d-----w- c:\progra~2\Roxio
2010-08-13 08:05 . 2009-11-27 22:34 -------- d-----w- c:\progra~2\Microsoft Help
2010-08-13 08:04 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-08-05 13:00 . 2008-08-28 17:17 -------- d-----w- c:\progra~2\Avanquest Bluetooth SDK
2010-07-25 15:32 . 2010-07-25 15:33 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-23 20:28 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2010-07-15 13:52 . 2009-06-21 23:11 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-15 13:52 . 2010-07-15 13:52 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-15 13:51 . 2009-06-21 23:11 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-07-01 21:03 . 2008-05-08 14:51 -------- d-----w- c:\users\Liz\AppData\Roaming\ZoomBrowser EX
2010-07-01 21:03 . 2008-04-29 23:24 -------- d-----w- c:\progra~2\ZoomBrowser
2010-06-03 03:21 . 2009-06-21 23:11 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-03-16 02:29 . 2009-03-14 20:04 2048 --sha-w- c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
2009-03-16 02:29 . 2009-03-14 20:04 2048 --sha-w- c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
2008-04-23 05:38 . 2008-04-23 05:25 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
2006-09-18 21:43 . 2006-11-02 06:25 10 --sha-w- c:\windows\winsxs\x86_microsoft-windows-ntvdm-system32_31bf3856ad364e35_6.0.6000.16386_none_fbd6b71e75a2c6c8\config.sys
2006-09-18 21:43 . 2006-11-02 06:25 10 --sha-w- c:\windows\winsxs\x86_microsoft-windows-ntvdm-system32_31bf3856ad364e35_6.0.6001.18000_none_fe0d791a728dd79c\config.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-07 39408]
"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2007-08-29 1347584]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2009-09-24 434176]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"cdloader"="c:\users\Liz\AppData\Roaming\mjusbsp\cdloader2.exe" [2009-12-24 50520]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-12 101136]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-26 141848]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-26 154136]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-08-02 30192]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-02-29 17920]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-21 1548288]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-15 2065760]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-23 116040]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-09-24 159744]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2008-01-02 405504]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-26 129560]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-12-21 184320]
"Logitech Hardware Abstraction Layer"="c:\program files\Common Files\Logitech\khalshared\KHALMNPR.EXE" [2007-01-12 101136]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]
c:\users\Liz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Internet Explorer.lnk - c:\program files\Internet Explorer\iexplore.exe [2009-6-10 634632]
Microsoft Office Outlook 2007.lnk - c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\outicon.exe [2009-11-27 845584]
OneNote Table Of Contents.onetoc2 [2009-12-15 3656]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
@="FSFilter System Recovery"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk]
backup=c:\windows\pss\Bluetooth.lnk.CommonStartup
backupExtension=.CommonStartup
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Button Manager v1.874.lnk]
backup=c:\windows\pss\Button Manager v1.874.lnk.CommonStartup
backupExtension=.CommonStartup
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=c:\windows\pss\Digital Line Detect.lnk.CommonStartup
backupExtension=.CommonStartup
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HD Writer AE 1.0.lnk]
backup=c:\windows\pss\HD Writer AE 1.0.lnk.CommonStartup
backupExtension=.CommonStartup
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Bluetooth Laser Mobile Mouse.lnk]
backup=c:\windows\pss\HP Bluetooth Laser Mobile Mouse.lnk.CommonStartup
backupExtension=.CommonStartup
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickSet.lnk]
backup=c:\windows\pss\QuickSet.lnk.CommonStartup
backupExtension=.CommonStartup
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^SetPoint.lnk]
backup=c:\windows\pss\SetPoint.lnk.CommonStartup
backupExtension=.CommonStartup
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^TotalMedia Backup Monitor.lnk]
backup=c:\windows\pss\TotalMedia Backup Monitor.lnk.CommonStartup
backupExtension=.CommonStartup
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
backup=c:\windows\pss\WinZip Quick Pick.lnk.CommonStartup
backupExtension=.CommonStartup
[HKLM\~\startupfolder\C:^Users^Liz^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^E-mail.lnk]
backup=c:\windows\pss\E-mail.lnk.Startup
backupExtension=.Startup
[HKLM\~\startupfolder\C:^Users^Liz^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2010-07-15 216400]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2010-07-15 243024]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\aestsrv.exe [2008-01-02 73728]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-07-15 308136]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 135664]
R2 OMSI download service;Sony Ericsson OMSI download service;c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe [2009-04-30 90112]
R2 USBHSB;GeneLink File Transfer Driver;c:\windows\system32\Drivers\usbhsb.sys [2001-12-17 18690]
R3 CSRBC01;CSRBC01.Sys CSR test driver;c:\windows\system32\Drivers\CSRBC01.sys [2008-05-29 83124]
R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-08-02 30192]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\DRIVERS\seehcri.sys [2008-01-09 27632]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
2010-08-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 22:04]
2010-08-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 22:04]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uStart Page = hxxp://www.att.net/
mStart Page = hxxp://www.dell4me.com/myway
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
Trusted Zone: comodo.com\secure
DPF: {ADACAA8F-3595-47FE-9C31-9C7471B9BEC7} - hxxp://67.33.42.5/cab/OCXChecker_8198.cab
DPF: {FEC048AB-277A-460C-BF50-1A4193AEF148} - hxxp://67.33.42.5/cab/DownloadCenter_8200.cab
.
- - - - ORPHANS REMOVED - - - -
HKLM-RunOnce-<NO NAME> - (no file)
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-25 00:47
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86F2BACE]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x8c1a0322
\Driver\ACPI -> acpi.sys @ 0x82a9fd4c
\Driver\atapi -> ataport.SYS @ 0x82d6c9a8
\Driver\iaStor -> iastor.sys @ 0x82cabc1a
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->user & kernel MBR OK
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0007\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-08-25 00:50:18
ComboFix-quarantined-files.txt 2010-08-25 05:50
ComboFix2.txt 2010-07-28 16:22
Pre-Run: 60,813,881,344 bytes free
Post-Run: 60,744,015,872 bytes free
- - End Of File - - 99D8469309D18028F4A0D54BB5F72936
Edited by lizzieintn, 27 August 2010 - 10:16 AM.