
google is hijacked


28 replies to this topic

#1 truefan999

Posted 02 October 2010 - 05:25 PM

Hello

I have a virus which means that Google is hijacked. When I click on links it sends me elsewhere.

Also sometimes normal webpages won't work. They often do if I press refresh.

MBAM and SAS won't run.


Please help I am desperate



Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 23:25:31, on 02/10/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17080)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Documents and Settings\Shane\Application Data\Microsoft\Windows\shell.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Documents and Settings\Shane\Application Data\Microsoft\svchost.exe
C:\DOCUME~1\Shane\LOCALS~1\Temp\dwm.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Virgin Broadband Wireless\AffinegyService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WinPcap\rpcapd.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe
C:\Program Files\Cyberlink\Shared Files\brs.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Sony\Reader\Data\bin\launcher\Reader Library Launcher.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://exchange.shu.ac.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nixat.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:50370
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F3 - REG:win.ini: load=C:\DOCUME~1\Shane\LOCALS~1\Temp\dwm.exe
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"
O4 - HKLM\..\Run: [RemoteControl9] "C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe"
O4 - HKLM\..\Run: [PDVD9LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD9\Language\Language.exe"
O4 - HKLM\..\Run: [BDRegion] C:\Program Files\Cyberlink\Shared Files\brs.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Wireless Manager] "C:\Program Files\Virgin Broadband Wireless\Wireless Manager.exe" startup
O4 - HKLM\..\Run: [eBook Library Launcher] C:\Program Files\Sony\Reader\Data\bin\launcher\Reader Library Launcher.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [nnmjhgaudio] rundll32.exe "byywut.dll",s
O4 - HKLM\..\Run: [Acronis Toolbar Helper] rundll32.exe "C:\Documents and Settings\Shane\Local Settings\Application Data\Desktop Cleanup Wizard\dskclnwiz.dll", StartProt
O4 - HKLM\..\Run: [rqpmjkaudio] rundll32.exe "cbbxvu.dll",s
O4 - HKLM\..\Run: [opolkjsys] rundll32.exe "yaawtr.dll",s
O4 - HKLM\..\Run: [Crayapiqiyo] rundll32.exe "C:\WINDOWS\igohudusibo.dll",Startup
O4 - HKLM\..\Run: [svchost] C:\Documents and Settings\Shane\Application Data\Microsoft\svchost.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PPAP] C:\Documents and Settings\All Users\Application Data\PPLiveVA\Application\PPAP.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [iiihgdaudio] rundll32.exe "byywut.dll",s
O4 - HKCU\..\Run: [efffccsys] rundll32.exe "wvwtss.dll",s
O4 - HKCU\..\Run: [hggfghsys] rundll32.exe "jkjgec.dll",s
O4 - HKCU\..\Run: [Desktop Cleanup Wizard] rundll32.exe "C:\Documents and Settings\Shane\Local Settings\Application Data\Desktop Cleanup Wizard\dskclnwiz.dll", StartProt
O4 - HKCU\..\Run: [cbyyxvaudio] rundll32.exe "cbbxvu.dll",s
O4 - HKCU\..\Run: [fcbcabsys] rundll32.exe "yaawtr.dll",s
O4 - HKCU\..\Run: [Tcegezonu] rundll32.exe "C:\WINDOWS\kevdinat.dll",Startup
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo...sreqlab_nvd.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www3.truprint.co.uk/TruprintActivia.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx2.hotmail.com/mail/w4/pr01/photo...ol/MSNPUpld.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F2DD42DE-1AC6-442D-9000-37906729CFAD}: NameServer = 93.188.163.73,93.188.166.108
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.163.73,93.188.166.108
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 93.188.163.73,93.188.166.108
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.163.73,93.188.166.108
O20 - AppInit_DLLs: C:\WINDOWS\system32\winamnc.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: AffinegyService - Affinegy, Inc. - C:\Program Files\Virgin Broadband Wireless\AffinegyService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Sony SCSI Helper Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\Fsk\SonySCSIHelperService.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: Windows System Backup Dumper (winbackupdumper-id19x6EquCWjwY) - Unknown owner - C:\WINDOWS\system32\winbudump.exe (file missing)

--
End of file - 13231 bytes






#2 fireman4it (Malware Response Team)

Posted 02 October 2010 - 05:38 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log

"Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



#3 fireman4it (Malware Response Team)

Posted 05 October 2010 - 08:39 PM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 2-3 days the topic will need to be closed.

Thanks for understanding

With Regards,
fireman4it


#4 truefan999 (Topic Starter)

Posted 06 October 2010 - 04:12 AM


DDS (Ver_10-03-17.01) - NTFSx86
Run by Shane at 10:01:05.20 on 06/10/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2558.1521 [GMT 1:00]

AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virgin Broadband Wireless\AffinegyService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\WinPcap\rpcapd.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe
C:\Program Files\Cyberlink\Shared Files\brs.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Sony\Reader\Data\bin\launcher\Reader Library Launcher.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Program Files\Common Files\Symantec Shared\COH\coh32.exe
"C:\Documents and Settings\Shane\Application Data\Microsoft\svchost.exe" i
C:\DOCUME~1\Shane\LOCALS~1\Temp\dwm.exe
C:\Documents and Settings\Shane\Application Data\Microsoft\Windows\shell.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = https://exchange.shu.ac.uk/
mStart Page = hxxp://www.nixat.com/
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:50370
uWinlogon: Shell=explorer.exe,c:\documents and settings\shane\application data\microsoft\windows\shell.exe
uWindows: Load=c:\docume~1\shane\locals~1\temp\dwm.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [PPAP] c:\documents and settings\all users\application data\ppliveva\application\PPAP.exe
uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
uRun: [gedaxwaudio] rundll32.exe "byywut.dll",s
uRun: [wvwvtusys] rundll32.exe "yaawtr.dll",s
uRun: [Tcegezonu] rundll32.exe "c:\windows\kevdinat.dll",Startup
uRun: [Desktop Cleanup Wizard] rundll32.exe "c:\documents and settings\shane\local settings\application data\desktop cleanup wizard\dskclnwiz.dll", StartProt
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop elements 6.0\apdproxy.exe"
mRun: [RemoteControl9] "c:\program files\cyberlink\powerdvd9\PDVD9Serv.exe"
mRun: [PDVD9LanguageShortcut] "c:\program files\cyberlink\powerdvd9\language\Language.exe"
mRun: [BDRegion] c:\program files\cyberlink\shared files\brs.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Wireless Manager] "c:\program files\virgin broadband wireless\Wireless Manager.exe" startup
mRun: [eBook Library Launcher] c:\program files\sony\reader\data\bin\launcher\Reader Library Launcher.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [ssqrppsys] rundll32.exe "yaawtr.dll",s
mRun: [pmllliaudio] rundll32.exe "byywut.dll",s
mRun: [Crayapiqiyo] rundll32.exe "c:\windows\igohudusibo.dll",Startup
mRun: [Acronis Toolbar Helper] rundll32.exe "c:\documents and settings\shane\local settings\application data\desktop cleanup wizard\dskclnwiz.dll", StartProt
mRun: [svchost] c:\documents and settings\shane\application data\microsoft\svchost.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
dRun: [urpnonaudio] rundll32.exe "byywut.dll",s
dRun: [ssttutsys] rundll32.exe "yaawtr.dll",s
dRunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32
dRunOnce: [<NO NAME>]
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office11\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www3.truprint.co.uk/TruprintActivia.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
AppInit_DLLs: c:\windows\system32\winamnc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
LSA: Authentication Packages = msv1_0 yaawtr.dll

============= SERVICES / DRIVERS ===============

R2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2009/11/08 12:08:56];c:\program files\cyberlink\powerdvd9\000.fcl [2009-9-1 87536]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-2-12 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-2-12 108392]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-1-4 32512]
R3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-11-18 23888]
R3 DsAudioDevice_310;DsAudioDevice_310;c:\windows\system32\drivers\DsAudioDevice_310.sys [2010-9-25 16640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-6-7 102448]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20101003.002\NAVENG.SYS [2010-10-3 86064]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20101003.002\NAVEX15.SYS [2010-10-3 1371184]
R3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);c:\windows\system32\drivers\WsAudio_DeviceS(1).sys [2010-9-25 25704]
R3 WsAudio_DeviceS(2);WsAudio_DeviceS(2);c:\windows\system32\drivers\WsAudio_DeviceS(2).sys [2010-9-25 25704]
R3 WsAudio_DeviceS(3);WsAudio_DeviceS(3);c:\windows\system32\drivers\WsAudio_DeviceS(3).sys [2010-9-25 25704]
R3 WsAudio_DeviceS(4);WsAudio_DeviceS(4);c:\windows\system32\drivers\WsAudio_DeviceS(4).sys [2010-9-25 25704]
R3 WsAudio_DeviceS(5);WsAudio_DeviceS(5);c:\windows\system32\drivers\WsAudio_DeviceS(5).sys [2010-9-25 25704]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-9-12 38224]
S3 wsvad_driver;WS Audio Device;c:\windows\system32\drivers\VirtualAudio.sys [2010-9-25 16896]

=============== Created Last 30 ================

2010-10-03 18:01:15 58880 ------w- c:\windows\system32\dllcache\spoolsv.exe
2010-10-03 18:01:12 293376 ------w- c:\windows\system32\dllcache\winsrv.dll
2010-10-03 18:01:08 406016 ------w- c:\windows\system32\dllcache\usp10.dll
2010-10-03 16:43:54 0 d-----w- c:\windows\system32\xircom
2010-10-03 16:43:54 0 d-----w- c:\windows\system32\wbem\snmp
2010-10-02 22:18:52 0 d-----w- c:\program files\Trend Micro
2010-09-25 14:25:04 0 d-----w- c:\docume~1\alluse~1\applic~1\xml_param
2010-09-25 12:55:45 25704 ----a-w- c:\windows\system32\drivers\WsAudio_DeviceS(5).sys
2010-09-25 12:55:17 25704 ----a-w- c:\windows\system32\drivers\WsAudio_DeviceS(4).sys
2010-09-25 12:54:45 25704 ----a-w- c:\windows\system32\drivers\WsAudio_DeviceS(3).sys
2010-09-25 12:54:19 25704 ----a-w- c:\windows\system32\drivers\WsAudio_DeviceS(2).sys
2010-09-25 12:53:47 25704 ----a-w- c:\windows\system32\drivers\WsAudio_DeviceS(1).sys
2010-09-25 12:53:34 0 d-----w- c:\program files\Daniusoft
2010-09-25 12:12:49 16640 ----a-w- c:\windows\system32\drivers\DsAudioDevice_310.sys
2010-09-25 12:12:34 16896 ----a-w- c:\windows\system32\drivers\VirtualAudio.sys
2010-09-19 13:00:35 87040 ---ha-w- c:\windows\system32\yaawtr.dll
2010-09-18 09:44:25 0 d-----w- c:\docume~1\shane\applic~1\BBCiPlayerDesktop.61DB7A798358575D6A969CCD73DDBBD723A6DA9D.1
2010-09-18 09:44:00 0 d-----w- c:\program files\BBC iPlayer Desktop
2010-09-12 13:48:57 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-12 13:48:56 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-11 13:38:16 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-10 16:22:10 77824 ---ha-w- c:\windows\system32\byywut.dll
2010-09-10 16:17:03 140288 ----a-w- c:\windows\system32\pcre3.dll
2010-09-07 23:22:21 46640 ----a-w- c:\windows\system32\msln.exe

==================== Find3M ====================

2010-09-10 21:32:20 167936 ----a-w- c:\windows\system32\drivers\WpsHelper.sys
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-07-27 06:28:54 8463360 ------w- c:\windows\system32\dllcache\shell32.dll
2010-07-22 15:49:15 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 15:49:15 590848 ------w- c:\windows\system32\dllcache\rpcrt4.dll
2010-07-22 05:57:20 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2002-11-24 02:18:46 1399 -c--a-w- c:\program files\PPF.NFO
2010-02-09 23:59:26 32768 -csha-w- c:\windows\system32\config\systemprofile\application data\microsoft\internet explorer\userdata\index.dat
2010-02-01 17:40:39 49152 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012010012520100201\index.dat
2010-02-09 21:29:46 49152 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012010020120100208\index.dat
2010-02-09 23:59:26 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012010020920100210\index.dat
2010-02-09 23:59:26 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012010021020100211\index.dat
2010-01-14 09:09:29 16384 --sha-w- c:\windows\temp\cookies\index.dat
2010-01-14 09:09:29 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2010-01-14 09:09:29 32768 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 10:04:08.67 ===============
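As an added illustration for this thread (my own script, not HijackThis, DDS or BleepingComputer code, and not something the helpers posted), the triage below applies the checks a malware-response volunteer makes by eye to lines taken from the two logs above: the loopback proxy, the win.ini load= autostart, rundll32 loading a DLL by bare name, hard-coded DNS servers, AppInit_DLLs, the extra Winlogon shell, the extra LSA authentication package, and binaries running from user-writable folders or masquerading as system processes. The mapping of DDS "Pseudo HJT Report" prefixes onto HJT sections and the severity labels are my own heuristics.

```python
import re

# Lines copied from the two logs posted in this thread (HJT entries, a process-list
# path and DDS "Pseudo HJT Report" lines) plus a benign iTunes entry; constructed input.
SAMPLE_LOG = r"""
C:\Documents and Settings\Shane\Application Data\Microsoft\Windows\shell.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:50370
F3 - REG:win.ini: load=C:\DOCUME~1\Shane\LOCALS~1\Temp\dwm.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [nnmjhgaudio] rundll32.exe "byywut.dll",s
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.163.73,93.188.166.108
O20 - AppInit_DLLs: C:\WINDOWS\system32\winamnc.dll
uWinlogon: Shell=explorer.exe,c:\documents and settings\shane\application data\microsoft\windows\shell.exe
mRun: [svchost] c:\documents and settings\shane\application data\microsoft\svchost.exe
LSA: Authentication Packages = msv1_0 yaawtr.dll
"""

SYSTEM_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                "lsass.exe", "svchost.exe", "explorer.exe", "dwm.exe"}
USER_WRITABLE = re.compile(
    r"\\(?:documents and settings|docume~1|temp|application data|local settings)\\", re.I)
ENTRY = re.compile(r"^(R[0-3]|F[0-3]|O\d+) - (.*)$")          # HijackThis section code
PATH = re.compile(r"[a-z]:\\.+?\.(?:exe|dll|sys)\b", re.I)     # first Windows path in a line
RUNDLL = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+)"?\s*,\s*(\S+)', re.I)
# DDS pseudo-HJT prefixes mapped onto the HJT section they correspond to (my own mapping).
DDS_MAP = [
    (re.compile(r"^[umd]Run(?:Once)?: (.*)$"), "O4"),
    (re.compile(r"^uInternet Settings,(ProxyServer = .*)$"), "R1"),
    (re.compile(r"^(AppInit_DLLs: .*)$"), "O20"),
    (re.compile(r"^uWindows: (Load=.*)$", re.I), "F3"),
    (re.compile(r"^uWinlogon: (Shell=.*)$"), "WINLOGON"),
    (re.compile(r"^LSA: Authentication Packages = (.*)$"), "LSA"),
]

def parse(line):
    """Return (section, body) for an HJT or DDS line, or None for anything else."""
    m = ENTRY.match(line)
    if m:
        return m.groups()
    for rx, kind in DDS_MAP:
        m = rx.match(line)
        if m:
            return kind, m.group(1)
    return None

def check_path(path):
    """Findings that depend only on where a binary lives and what it is called."""
    out, low = [], path.lower()
    name = low.rsplit("\\", 1)[-1]
    if USER_WRITABLE.search(low):
        out.append(("medium", f"binary runs from a user-writable location: {path}"))
    if name in SYSTEM_NAMES and not low.startswith("c:\\windows\\"):
        out.append(("high", f"'{name}' outside the Windows directory is a masquerading copy: {path}"))
    return out

def check_entry(kind, body):
    """Findings specific to the section the entry belongs to."""
    out = []
    if kind in ("R0", "R1") and "ProxyServer" in body:
        m = re.search(r"=\s*(?:http=)?(?:127\.0\.0\.1|localhost):(\d+)", body)
        if m:
            out.append(("high", f"IE proxy points at a loopback listener on port {m.group(1)}: browser traffic is relayed through a local process"))
    if kind == "F3" and "load=" in body.lower():
        out.append(("high", "win.ini load= autostart is almost never used by legitimate software"))
    if kind == "O4":
        m = RUNDLL.search(body)
        if m and "\\" not in m.group(1):
            out.append(("high", f"rundll32 loads DLL by bare name '{m.group(1)}' (export '{m.group(2)}'): resolved through the DLL search path, no vendor path"))
    if kind == "O17":
        m = re.search(r"NameServer\s*=\s*([\d.,\s]+)", body)
        if m:
            out.append(("medium", f"DNS servers hard-coded in the registry ({m.group(1).strip()}): confirm they belong to the ISP rather than a DNS changer"))
    if kind == "O20" and body.split(":", 1)[-1].strip():
        out.append(("high", "AppInit_DLLs injects this DLL into every user-mode process; the value is empty on a clean XP install"))
    if kind == "WINLOGON":
        extra = [s for s in body[len("Shell="):].split(",") if s.strip().lower() != "explorer.exe"]
        if extra:
            out.append(("high", f"Winlogon Shell also launches {', '.join(extra)} at logon"))
    if kind == "LSA":
        extra = [p for p in body.split() if p.lower() != "msv1_0"]
        if extra:
            out.append(("high", f"extra LSA authentication package {' '.join(extra)} is loaded into lsass.exe"))
    return out

def triage(log_text):
    """Return a list of {'line', 'severity', 'reason'} dicts, one per finding."""
    findings = []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        parsed = parse(line)
        hits = check_entry(*parsed) if parsed else []
        p = PATH.search(parsed[1] if parsed else line)   # also covers bare process-list paths
        if p:
            hits += check_path(p.group(0))
        findings += [{"line": line, "severity": s, "reason": r} for s, r in hits]
    return findings
```

Run against the full logs, the benign vendor entries (iTunes, NVIDIA, Symantec) produce no findings while every entry the helpers would query is listed with a reason.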


#5 fireman4it (Malware Response Team)

Posted 06 October 2010 - 06:07 PM

Hello,

Thanks for the DDS log. Please run Gmer and post its log as requested in my previous post. If you have trouble running Gmer, then run RKUnhooker and post its log.


Scan With RKUnHooker
  • Please download Rootkit Unhooker and save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (tick) Drivers and Stealth, uncheck the rest, then click OK.
  • Wait till the scanner has finished, then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note** You may get this warning; it is ok, just ignore it:

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#6 fireman4it (Bleepin' Fireman, Malware Response Team)

Posted 08 October 2010 - 09:39 AM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 2-3 days the topic will need to be closed.

Thanks for understanding :)

With Regards,
fireman4it


#7 truefan999 (Topic Starter)

Posted 09 October 2010 - 06:50 AM

GMER log.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-10-09 12:49:19
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Shane\LOCALS~1\Temp\kwldqpow.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation) ZwAllocateVirtualMemory [0xB08BC580]
SSDT 89E4A228 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation) ZwProtectVirtualMemory [0xB08BC6B0]
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation) ZwWriteVirtualMemory [0xB08BC7E0]

Code 8A650530 pIofCallDriver

---- Kernel code sections - GMER 1.0.15 ----

.reloc C:\WINDOWS\system32\drivers\NDIS.sys section is executable [0x8A623200, 0x32AAA, 0xE0000060]
? C:\WINDOWS\system32\drivers\NDIS.sys Access is denied.
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB31B6380, 0x3DF545, 0xE8000020]
.text C:\Program Files\CyberLink\PowerDVD9\000.fcl section is writeable [0xA523D000, 0x2892, 0xE8000020]
.vmp2 C:\Program Files\CyberLink\PowerDVD9\000.fcl entry point in ".vmp2" section [0xA5260050]

---- User code sections - GMER 1.0.15 ----

? C:\Documents and Settings\Shane\Application Data\Microsoft\svchost.exe[624] image checksum mismatch; number of sections mismatch; time/date stamp mismatch; unknown module: OLEAUT32.dll
? C:\WINDOWS\System32\svchost.exe[4380] image checksum mismatch; number of sections mismatch; time/date stamp mismatch;
? C:\WINDOWS\System32\svchost.exe[4388] image checksum mismatch; number of sections mismatch; time/date stamp mismatch;
? C:\WINDOWS\System32\svchost.exe[4396] image checksum mismatch; number of sections mismatch; time/date stamp mismatch;
? C:\WINDOWS\System32\svchost.exe[6084] image checksum mismatch; number of sections mismatch; time/date stamp mismatch; unknown module: gdiplus.dllunknown module: OLEAUT32.dllunknown module: urlmon.dll
.text C:\WINDOWS\System32\svchost.exe[6084] USER32.dll!SetForegroundWindow 7E4242ED 8 Bytes [B8, 01, 00, 00, 00, C2, 04, ...] {MOV EAX, 0x1; RET 0x4}
? C:\WINDOWS\System32\svchost.exe[6092] image checksum mismatch; number of sections mismatch; time/date stamp mismatch; unknown module: gdiplus.dllunknown module: OLEAUT32.dllunknown module: urlmon.dll
.text C:\WINDOWS\System32\svchost.exe[6092] USER32.dll!SetForegroundWindow 7E4242ED 8 Bytes [B8, 01, 00, 00, 00, C2, 04, ...] {MOV EAX, 0x1; RET 0x4}

---- Devices - GMER 1.0.15 ----

Device \Driver\NDIS \Device\Ndis [8A62A984] NDIS.sys[.reloc]
Device \Driver\Tcpip \Device\Ip wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\Tcpip \Device\Tcp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\Tcpip \Device\Udp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\Tcpip \Device\RawIp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\Tcpip \Device\IPMULTICAST wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs C:\WINDOWS\system32\winamnc.dll

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\Shane\Local Settings\Temporary Internet Files\Content.IE5\EAC0104E\background_gradient[2] 453 bytes
File C:\Documents and Settings\Shane\Local Settings\Temporary Internet Files\Content.IE5\EAC0104E\tools[1] 3560 bytes
File C:\Documents and Settings\Shane\Local Settings\Temporary Internet Files\Content.IE5\EAC0104E\Common[1].js 3159 bytes
File C:\Documents and Settings\Shane\Local Settings\Temporary Internet Files\Content.IE5\EAC0104E\httpErrorPagesScripts[2] 7579 bytes
File C:\Documents and Settings\Shane\Local Settings\Temporary Internet Files\Content.IE5\EAC0104E\NavBar[1].xml 2513 bytes
File C:\WINDOWS\system32\dllcache\ndis.sys (size mismatch) 212224/182656 bytes executable
File C:\WINDOWS\system32\drivers\symndis.sys (size mismatch) 35120/182656 bytes executable
File C:\WINDOWS\system32\drivers\ndis.sys (size mismatch) 212224/182656 bytes executable

---- EOF - GMER 1.0.15 ----
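The GMER log above is the kind of output a helper reads by eye: an SSDT entry that points at a bare address instead of a named driver, a driver whose .reloc section has become executable, a device dispatch routine living in a non-code section, a svchost.exe running from a user profile, an in-process API patch, a populated AppInit_DLLs value, and a system file whose two reported sizes disagree. As an added example (not GMER's code and not part of the original thread), here is a small Python triage script that applies those checks to log lines constructed to mirror the format above. The sample text, the severity labels and the function names are my own construction.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample, modelled on the layout of the GMER log posted in this thread
# (section headers, SSDT, code-section, device, registry and file lines). Not the original file.
SAMPLE_GMER_LOG = r"""
---- System - GMER 1.0.15 ----
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation) ZwAllocateVirtualMemory [0xB08BC580]
SSDT 89E4A228 ZwConnectPort
---- Kernel code sections - GMER 1.0.15 ----
.reloc C:\WINDOWS\system32\drivers\NDIS.sys section is executable [0x8A623200, 0x32AAA, 0xE0000060]
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB31B6380, 0x3DF545, 0xE8000020]
---- User code sections - GMER 1.0.15 ----
? C:\Documents and Settings\Shane\Application Data\Microsoft\svchost.exe[624] image checksum mismatch; number of sections mismatch; unknown module: OLEAUT32.dll
? C:\WINDOWS\System32\svchost.exe[4380] image checksum mismatch; number of sections mismatch;
.text C:\WINDOWS\System32\svchost.exe[6084] USER32.dll!SetForegroundWindow 7E4242ED 8 Bytes [B8, 01, 00, 00, 00, C2, 04, ...] {MOV EAX, 0x1; RET 0x4}
---- Devices - GMER 1.0.15 ----
Device \Driver\NDIS \Device\Ndis [8A62A984] NDIS.sys[.reloc]
Device \Driver\Tcpip \Device\Ip wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
---- Registry - GMER 1.0.15 ----
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs C:\WINDOWS\system32\winamnc.dll
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\system32\drivers\ndis.sys (size mismatch) 212224/182656 bytes executable
"""

@dataclass
class Finding:
    severity: str  # HIGH, MEDIUM, LOW or INFO (my own labels, not GMER's)
    category: str
    detail: str

HEADER_RE = re.compile(r"^---- (?P<name>.+?) - GMER")
SSDT_RE = re.compile(r"^SSDT\s+(?P<target>.+?)\s+(?P<func>Zw\w+)(?:\s+\[0x[0-9A-Fa-f]+\])?$")
KSECTION_RE = re.compile(r"^(?P<section>\.\w+)\s+(?P<path>\S+)\s+section is (?P<attr>executable|writeable)")
QMARK_RE = re.compile(r"^\?\s+(?P<path>.+?)\[(?P<pid>\d+)\]\s+(?P<issues>.+)$")
UPATCH_RE = re.compile(r"^\.text\s+(?P<path>.+?)\[(?P<pid>\d+)\]\s+(?P<module>\S+)!(?P<api>\w+)\s+"
                       r"[0-9A-Fa-f]+\s+\d+ Bytes \[(?P<bytes>[^\]]*)\](?:\s*\{(?P<disasm>[^}]*)\})?")
DEVICE_RE = re.compile(r"^Device\s+\\Driver\\\S+\s+(?P<device>\\Device\\\S+)\s+(?:\[[0-9A-Fa-f]+\]\s+)?(?P<handler>\S+)")
REG_RE = re.compile(r"^Reg\s+(?P<key>.+?)@(?P<value>\S+)\s*(?P<data>.*)$")
FILE_RE = re.compile(r"^File\s+(?P<path>.+?) \(size mismatch\) (?P<a>\d+)/(?P<b>\d+) bytes")

def triage_gmer(text: str) -> list[Finding]:
    """Walk the log section by section and turn anomalous lines into findings."""
    out: list[Finding] = []
    section = ""
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if (m := HEADER_RE.match(line)):
            section = m.group("name")
        elif section == "System" and (m := SSDT_RE.match(line)):
            target, func = m.group("target"), m.group("func")
            if re.fullmatch(r"[0-9A-Fa-f]{8}", target):
                # Handler is a raw address not inside any named driver image: a classic rootkit sign.
                out.append(Finding("HIGH", "ssdt-hook-unattributed", f"{func} -> {target}"))
            else:
                out.append(Finding("INFO", "ssdt-hook", f"{func} hooked by {target.split()[0]}"))
        elif section == "Kernel code sections" and (m := KSECTION_RE.match(line)):
            sec, path, attr = m.group("section", "path", "attr")
            bad = sec == ".reloc" and attr == "executable"  # code living in a non-code section
            out.append(Finding("HIGH" if bad else "LOW", "kernel-section", f"{path}: {sec} is {attr}"))
        elif section == "User code sections" and (m := QMARK_RE.match(line)):
            path, pid = m.group("path"), m.group("pid")
            in_system32 = path.lower().startswith("c:\\windows\\system32\\")
            if path.lower().endswith("\\svchost.exe") and not in_system32:
                out.append(Finding("HIGH", "masquerade", f"{path} (pid {pid}) uses a system binary name outside System32"))
            else:
                out.append(Finding("LOW", "image-mismatch", f"{path} (pid {pid}): {m.group('issues')}"))
        elif section == "User code sections" and (m := UPATCH_RE.match(line)):
            out.append(Finding("MEDIUM", "api-patch", f"{m.group('path')} (pid {m.group('pid')}): "
                               f"{m.group('module')}!{m.group('api')} = {m.group('disasm') or m.group('bytes')}"))
        elif section == "Devices" and (m := DEVICE_RE.match(line)):
            sec = re.search(r"\[(\.\w+)\]$", m.group("handler"))  # e.g. NDIS.sys[.reloc]
            if sec and sec.group(1) != ".text":
                out.append(Finding("HIGH", "device-dispatch", f"{m.group('device')} dispatched from {m.group('handler')}"))
        elif section == "Registry" and (m := REG_RE.match(line)):
            if m.group("value") == "AppInit_DLLs" and m.group("data").strip():
                out.append(Finding("HIGH", "appinit-dlls", f"AppInit_DLLs = {m.group('data').strip()}"))
        elif section == "Files" and (m := FILE_RE.match(line)):
            out.append(Finding("HIGH", "file-size-mismatch", f"{m.group('path')}: {m.group('a')} vs {m.group('b')} bytes"))
    return out

def summarize(findings: list[Finding]) -> dict[str, int]:
    return dict(Counter(f.severity for f in findings))

if __name__ == "__main__":
    for f in triage_gmer(SAMPLE_GMER_LOG):
        print(f"{f.severity:6} {f.category:24} {f.detail}")
    print(summarize(triage_gmer(SAMPLE_GMER_LOG)))
```

Run it as a script to print the table; in real use you would feed it the file GMER saved rather than the embedded sample. The INFO entries exist so that a vendor hook (here the Symantec firewall driver) stays visible without being alarming; only a handler that GMER cannot attribute to any module is scored high.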


#8 fireman4it (Bleepin' Fireman, Malware Response Team)

Posted 10 October 2010 - 09:26 PM

Hello,

Thanks for the logs. Let's get to cleaning your machine now.


1.
Download and Run RKill
    Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

    Link 1
    Link 2
    Link 3
    Link 4

  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator.)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply.

2.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double-click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.

Things to include in your next reply:
Combofix.txt
How is your machine running now?


#9 truefan999 (Topic Starter)

Posted 12 October 2010 - 01:31 AM

Thanks. I downloaded combofix. It would not run so I changed its name to myapp.exe and it ran.

However, it went to the blue screen stating that it was running but just stayed there and did nothing.

I even ran it and left it overnight and it was still like that in the morning.

#10 fireman4it (Bleepin' Fireman, Malware Response Team)

Posted 12 October 2010 - 09:35 PM

Hello,

Go ahead and reboot your machine and run ComboFix again.


#11 fireman4it (Bleepin' Fireman, Malware Response Team)

Posted 14 October 2010 - 06:25 PM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days the topic will need to be closed.

Thanks for understanding :)

With Regards,
fireman4it


#12 truefan999 (Topic Starter)

Posted 15 October 2010 - 03:03 AM

OK, here is the ComboFix log.

ComboFix 10-10-10.02 - Shane 14/10/2010 12:04:35.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2558.2214 [GMT 1:00]
Running from: c:\downloads\myapp.exe
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Shane\Application Data\avdrn.dat
c:\documents and settings\Shane\Application Data\Microsoft\stor.cfg
c:\documents and settings\Shane\Application Data\Microsoft\svchost.exe
c:\documents and settings\Shane\Application Data\Microsoft\Windows\shell.exe
c:\documents and settings\Shane\Local Settings\Application Data\Desktop Cleanup Wizard
c:\program files\WinPCap
c:\program files\WinPCap\daemon_mgm.exe
c:\program files\WinPCap\npf_mgm.exe
c:\program files\WinPCap\rpcapd.exe
C:\Thumbs.db
c:\windows\system32\26500.exe
c:\windows\system32\6334.exe
c:\windows\system32\drivers\npf.sys
c:\windows\system32\efdecb.dll
c:\windows\system32\Packet.dll
c:\windows\system32\pcre3.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\spool\prtprocs\w32x86\K3yW9u179.dll
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll
c:\windows\system32\yaawtr.dll
E:\Autorun.inf

Infected copy of c:\windows\system32\drivers\ndis.sys was found and disinfected
Restored copy from - c:\windows\system32\drivers\ndis(2).sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2010-09-14 to 2010-10-14 )))))))))))))))))))))))))))))))
.

2010-10-14 02:05 . 2008-04-14 04:42 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-10-13 16:54 . 2010-08-27 06:05 99840 ------w- c:\windows\system32\dllcache\srvsvc.dll
2010-10-13 16:53 . 2010-07-16 12:04 1289216 ------w- c:\windows\system32\dllcache\ole32.dll
2010-10-13 16:53 . 2010-09-18 06:53 954368 ------w- c:\windows\system32\dllcache\mfc40.dll
2010-10-13 16:53 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-13 16:53 . 2010-09-18 06:53 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
2010-10-13 16:53 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
2010-10-03 18:01 . 2010-08-17 13:17 58880 ------w- c:\windows\system32\dllcache\spoolsv.exe
2010-10-03 18:01 . 2010-06-18 17:43 293376 ------w- c:\windows\system32\dllcache\winsrv.dll
2010-10-03 18:01 . 2010-04-16 15:36 406016 ------w- c:\windows\system32\dllcache\usp10.dll
2010-10-03 16:49 . 2010-10-03 16:49 -------- d-----w- C:\rsit
2010-10-03 16:43 . 2010-10-03 16:43 -------- d-----w- c:\windows\system32\xircom
2010-10-03 16:43 . 2010-10-03 16:43 -------- d-----w- c:\windows\system32\wbem\snmp
2010-10-03 16:43 . 2010-10-03 16:43 -------- d-----w- c:\program files\microsoft frontpage
2010-10-02 22:18 . 2010-10-02 22:18 388096 ----a-r- c:\documents and settings\Shane\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-10-02 22:18 . 2010-10-02 22:18 -------- d-----w- c:\program files\Trend Micro
2010-09-25 14:25 . 2010-09-25 14:25 -------- d-----w- c:\documents and settings\All Users\Application Data\xml_param
2010-09-25 12:55 . 2009-09-01 09:40 25704 ----a-w- c:\windows\system32\drivers\WsAudio_DeviceS(5).sys
2010-09-25 12:55 . 2009-09-01 09:40 25704 ----a-w- c:\windows\system32\drivers\WsAudio_DeviceS(4).sys
2010-09-25 12:54 . 2009-09-01 09:40 25704 ----a-w- c:\windows\system32\drivers\WsAudio_DeviceS(3).sys
2010-09-25 12:54 . 2009-09-01 09:40 25704 ----a-w- c:\windows\system32\drivers\WsAudio_DeviceS(2).sys
2010-09-25 12:53 . 2009-09-01 09:40 25704 ----a-w- c:\windows\system32\drivers\WsAudio_DeviceS(1).sys
2010-09-25 12:53 . 2010-09-25 12:53 -------- d-----w- c:\program files\Daniusoft
2010-09-25 12:12 . 2009-01-08 17:00 16640 ----a-w- c:\windows\system32\drivers\DsAudioDevice_310.sys
2010-09-25 12:12 . 2008-08-12 20:08 16896 ----a-w- c:\windows\system32\drivers\VirtualAudio.sys
2010-09-19 13:00 . 2010-10-14 11:20 87040 ---ha-w- c:\windows\system32\yaawtr.dll
2010-09-19 09:07 . 2010-09-19 09:07 -------- d-----w- c:\documents and settings\Shane\Local Settings\Application Data\{3E7F74DC-5B6E-4DC4-9891-B4A11F91F5E4}
2010-09-18 11:23 . 2010-09-18 11:23 974848 ------w- c:\windows\system32\dllcache\mfc42u.dll
2010-09-18 09:44 . 2010-09-18 09:44 -------- d-----w- c:\documents and settings\Shane\Application Data\BBCiPlayerDesktop.61DB7A798358575D6A969CCD73DDBBD723A6DA9D.1

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

------- Sigcheck -------

[-] 2009-01-08 . 5AE1C2695F6523AD98B948F2887D8C5E . 361600 . . [5.1.2600.5649] . . c:\windows\system32\drivers\tcpip.sys

[-] 2009-01-08 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-05-09 288048]
"xxxuvvsys"="yaawtr.dll" [2010-10-14 87040]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-06-21 90112]
"AlcWzrd"="ALCWZRD.EXE" [2005-06-29 2806272]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-08-12 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-08-17 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-17 13877248]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 49152]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 6.0\apdproxy.exe" [2007-09-11 67488]
"RemoteControl9"="c:\program files\CyberLink\PowerDVD9\PDVD9Serv.exe" [2009-07-06 87336]
"PDVD9LanguageShortcut"="c:\program files\CyberLink\PowerDVD9\Language\Language.exe" [2009-04-27 50472]
"BDRegion"="c:\program files\Cyberlink\Shared Files\brs.exe" [2009-09-01 75048]
"Wireless Manager"="c:\program files\Virgin Broadband Wireless\Wireless Manager.exe" [2008-05-26 585728]
"eBook Library Launcher"="c:\program files\Sony\Reader\Data\bin\launcher\Reader Library Launcher.exe" [2010-01-25 906640]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"iihfedsys"="yaawtr.dll" [2010-10-14 87040]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"cbbawxsys"="yaawtr.dll" [2010-10-14 87040]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_2"="shell32" [X]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 yaawtr.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\Shane\\My Documents\\Utilis\\utorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD9\\PowerDVD9.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

R2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2009/11/08 12:08];c:\program files\CyberLink\PowerDVD9\000.fcl [01/09/2009 17:59 87536]
R3 DsAudioDevice_310;DsAudioDevice_310;c:\windows\system32\drivers\DsAudioDevice_310.sys [25/09/2010 13:12 16640]
R3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);c:\windows\system32\drivers\WsAudio_DeviceS(1).sys [25/09/2010 13:53 25704]
R3 WsAudio_DeviceS(2);WsAudio_DeviceS(2);c:\windows\system32\drivers\WsAudio_DeviceS(2).sys [25/09/2010 13:54 25704]
R3 WsAudio_DeviceS(3);WsAudio_DeviceS(3);c:\windows\system32\drivers\WsAudio_DeviceS(3).sys [25/09/2010 13:54 25704]
R3 WsAudio_DeviceS(4);WsAudio_DeviceS(4);c:\windows\system32\drivers\WsAudio_DeviceS(4).sys [25/09/2010 13:55 25704]
R3 WsAudio_DeviceS(5);WsAudio_DeviceS(5);c:\windows\system32\drivers\WsAudio_DeviceS(5).sys [25/09/2010 13:55 25704]
S2 winbackupdumper-id19x6EquCWjwY;Windows System Backup Dumper;c:\windows\system32\winbudump.exe --> c:\windows\system32\winbudump.exe [?]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [18/11/2008 19:17 23888]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [12/09/2010 14:48 38224]
S3 wsvad_driver;WS Audio Device;c:\windows\system32\drivers\VirtualAudio.sys [25/09/2010 13:12 16896]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
------- Supplementary Scan -------
.
uStart Page = https://exchange.shu.ac.uk/
mStart Page = hxxp://www.nixat.com/
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:50370
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-PPAP - c:\documents and settings\All Users\Application Data\PPLiveVA\Application\PPAP.exe
HKCU-Run-Tcegezonu - c:\windows\kevdinat.dll
HKCU-Run-Desktop Cleanup Wizard - c:\documents and settings\Shane\Local Settings\Application Data\Desktop Cleanup Wizard\dskclnwiz.dll
HKCU-Run-yaawuraudio - efdecb.dll
HKLM-Run-Crayapiqiyo - c:\windows\igohudusibo.dll
HKLM-Run-Acronis Toolbar Helper - c:\documents and settings\Shane\Local Settings\Application Data\Desktop Cleanup Wizard\dskclnwiz.dll
HKLM-Run-iihijhaudio - efdecb.dll
HKU-Default-Run-cbyvsqaudio - efdecb.dll
SafeBoot-ccEvtMgr
SafeBoot-ccSetMgr
SafeBoot-Symantec Antivirus
SafeBoot-Symantec Antvirus
AddRemove-HijackThis - c:\program files\HijackThis\HijackThis.exe



[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{B154377D-700F-42cc-9474-23858FBDF4BD}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD9\000.fcl"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(564)
c:\windows\system32\yaawtr.dll

- - - - - - - > 'explorer.exe'(2236)
c:\windows\system32\WININET.dll
c:\windows\system32\yaawtr.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
c:\program files\Virgin Broadband Wireless\AffinegyService.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\bgsvcgen.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wscntfy.exe
c:\windows\SOUNDMAN.EXE
c:\windows\ALCWZRD.EXE
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-10-14 12:26:11 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-14 11:26

Pre-Run: 10,448,216,064 bytes free
Post-Run: 11,467,788,288 bytes free

- - End Of File - - 01F55B71358CE4797955376BC6B42167


#13 fireman4it (Bleepin' Fireman, Malware Response Team)

Posted 16 October 2010 - 10:23 AM

Hello,


1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
http://www.bleepingcomputer.com/forums/topic351198.html

Killall::

Collect::
c:\windows\system32\yaawtr.dll

Folder::
c:\documents and settings\Shane\Local Settings\Application Data\{3E7F74DC-5B6E-4DC4-9891-B4A11F91F5E4}

DDS::
uStart Page = https://exchange.shu.ac.uk/
mStart Page = hxxp://www.nixat.com/
uInternet Settings,ProxyServer = http=127.0.0.1:50370

Driver::
winbackupdumper-id19x6EquCWjwY

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"xxxuvvsys"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iihfedsys"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"cbbawxsys"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_2"=-
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.




Upload Samples by ComboFix

When Combofix finishes running, the ComboFix log will open along with a message box. With the above script, ComboFix captured some files to submit for analysis.
  • Important: Ensure you are connected to the internet before clicking OK on the message box.
  • A blue-screen would appear auto-uploading the zipped file I requested.
  • After the uploading is done you should see a message near the bottom saying "Upload was Successful".

**NOTE**
=================
  • IF for some reason ComboFix fails to upload anything, please do the following:
  • Go to Start >> My Computer > C:\
  • Then Navigate to the C:\Qoobox\Quarantine folder.
  • Find the archive zip file called "[68]-Submit_Date_Time.zip"
  • Simply go to THIS CHANNEL and upload the submit.zip archive file to me.
  • Follow the instructions on that page to copy/paste/send the requested file.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif
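The ComboFix log and the CFScript above together show the persistence this infection used (one DLL registered under random Run value names in three hives, an extra LSA authentication package next to msv1_0, the firewall switched off, browser traffic sent through a proxy on 127.0.0.1) and the REGEDIT4 syntax ComboFix's Registry:: section uses to undo it. As an added example, not ComboFix's code and not from the thread, the Python below parses a constructed excerpt in the "Reg Loading Points" format, raises the corresponding findings, builds the matching Registry:: block, and encodes/decodes the hex(7) REG_MULTI_SZ value so you can confirm that 6d,73,76,31,5f,30,00,00 is exactly msv1_0 followed by the list terminator. The function names, the LoadingPoints class, the severity labels and the sample excerpt are my own assumptions.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Tuple

# Constructed excerpt in the format of ComboFix's "Reg Loading Points" and "Supplementary Scan"
# sections, modelled on the log posted in this thread. Not the original file.
SAMPLE_COMBOFIX_EXCERPT = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"xxxuvvsys"="yaawtr.dll" [2010-10-14 87040]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-06-21 90112]
"iihfedsys"="yaawtr.dll" [2010-10-14 87040]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"cbbawxsys"="yaawtr.dll" [2010-10-14 87040]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 yaawtr.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
uInternet Settings,ProxyServer = http=127.0.0.1:50370
"""

Finding = Tuple[str, str, str]  # (severity, category, detail); severities are my own labels

@dataclass
class LoadingPoints:
    run: list[tuple[str, str, str]] = field(default_factory=list)  # (key, value name, data)
    lsa_key: str = ""
    auth_packages: list[str] = field(default_factory=list)
    firewall_key: str = ""
    firewall_enabled: bool | None = None
    proxy: str | None = None

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<rest>.*)$')
MULTI_RE = re.compile(r"^(?P<name>[A-Za-z][A-Za-z ]*?)\s+REG_MULTI_SZ\s+(?P<items>.*)$")
PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(?P<val>\S+)")

def parse_loading_points(text: str) -> LoadingPoints:
    lp, key = LoadingPoints(), ""
    for line in filter(None, (raw.strip() for raw in text.splitlines())):
        if (m := KEY_RE.match(line)):
            key = m.group("key")
        elif (m := VALUE_RE.match(line)):
            rest = m.group("rest").strip()  # '"data" [date size]' or '0 (0x0)'
            data = rest[1:rest.find('"', 1)] if rest.startswith('"') else rest.split()[0]
            if key.lower().endswith("\\run"):
                lp.run.append((key, m.group("name"), data))
            elif m.group("name") == "EnableFirewall":
                lp.firewall_key, lp.firewall_enabled = key, data != "0"
        elif (m := MULTI_RE.match(line)) and m.group("name") == "Authentication Packages":
            lp.lsa_key, lp.auth_packages = key, m.group("items").split()
        elif (m := PROXY_RE.match(line)):
            lp.proxy = m.group("val")
    return lp

def triage(lp: LoadingPoints) -> list[Finding]:
    out: list[Finding] = []
    by_image: dict[str, list[str]] = defaultdict(list)
    for _key, name, data in lp.run:
        by_image[data.lower()].append(name)
    for image, names in by_image.items():
        if image.rsplit("\\", 1)[-1].endswith(".dll"):
            # The same DLL under several random value names across hives is the tell-tale correlation.
            sev = "HIGH" if len(names) > 1 else "MEDIUM"
            out.append((sev, "run-dll", f"{image} registered as Run value(s) {', '.join(sorted(names))}"))
    rogue = [p for p in lp.auth_packages if p.lower() != "msv1_0"]
    if rogue:
        out.append(("HIGH", "lsa-auth-package", f"{lp.lsa_key}: {', '.join(rogue)} loaded into lsass.exe at boot"))
    if lp.firewall_enabled is False:
        out.append(("MEDIUM", "firewall-disabled", f"{lp.firewall_key}: EnableFirewall = 0"))
    if lp.proxy and re.search(r"127\.0\.0\.1|localhost", lp.proxy):
        out.append(("HIGH", "local-proxy", f"browser traffic routed through {lp.proxy}, a listener on this machine"))
    return out

def multi_sz_to_hex7(items: list[str]) -> str:
    """REGEDIT4 (ANSI) hex(7): each string NUL-terminated, then one more NUL ends the list."""
    raw = b"".join(s.encode("ascii") + b"\x00" for s in items) + b"\x00"
    return "hex(7):" + ",".join(f"{b:02x}" for b in raw)

def hex7_to_multi_sz(text: str) -> list[str]:
    raw = bytes(int(h, 16) for h in text.removeprefix("hex(7):").split(","))
    return [s.decode("ascii") for s in raw.split(b"\x00") if s]

def build_cfscript_registry(lp: LoadingPoints) -> str:
    """Emit a Registry:: block in the REGEDIT4 syntax the helper used: '"name"=-' deletes a value."""
    lines = ["Registry::"]
    for key, name, data in lp.run:
        if data.lower().rsplit("\\", 1)[-1].endswith(".dll"):
            lines += [f"[{key}]", f'"{name}"=-']
    if lp.lsa_key:  # rewrite the list rather than delete it: lsass needs msv1_0 to log anyone on
        keep = [p for p in lp.auth_packages if p.lower() == "msv1_0"] or ["msv1_0"]
        lines += [f"[{lp.lsa_key}]", f'"Authentication Packages"={multi_sz_to_hex7(keep)}']
    if lp.firewall_enabled is False:
        lines += [f"[{lp.firewall_key}]", '"EnableFirewall"=-']
    return "\n".join(lines)

if __name__ == "__main__":
    parsed = parse_loading_points(SAMPLE_COMBOFIX_EXCERPT)
    for f in triage(parsed):
        print(f"{f[0]:6} {f[1]:18} {f[2]}")
    print(build_cfscript_registry(parsed))
```

The generated block has the same shape as the helper's CFScript. Note that the narrow, one-byte-per-character form of hex(7) matches the REGEDIT4 header ComboFix prints in its log; a modern Regedit export ("Windows Registry Editor Version 5.00") encodes the same value as UTF-16LE, so the two are not interchangeable.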


#14 fireman4it (Bleepin' Fireman, Malware Response Team)

Posted 18 October 2010 - 04:56 PM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days the topic will need to be closed.

Thanks for understanding :)

With Regards,
fireman4it


#15 truefan999 (Topic Starter)

Posted 22 October 2010 - 10:58 AM

ComboFix 10-10-21.08 - Shane 22/10/2010 16:33:58.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2558.2204 [GMT 1:00]
Running from: c:\downloads\1979\myapp.exe
Command switches used :: c:\downloads\1979\CFScript.txt
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

file zipped: c:\windows\system32\yaawtr.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Shane\Application Data\Microsoft\stor.cfg
c:\documents and settings\Shane\Application Data\Microsoft\svchost.exe
c:\documents and settings\Shane\Application Data\Microsoft\Windows\shell.exe
c:\documents and settings\Shane\Local Settings\Application Data\{3E7F74DC-5B6E-4DC4-9891-B4A11F91F5E4}
c:\documents and settings\Shane\Local Settings\Application Data\{3E7F74DC-5B6E-4DC4-9891-B4A11F91F5E4}\chrome.manifest
c:\documents and settings\Shane\Local Settings\Application Data\{3E7F74DC-5B6E-4DC4-9891-B4A11F91F5E4}\chrome\content\_cfg.js
c:\documents and settings\Shane\Local Settings\Application Data\{3E7F74DC-5B6E-4DC4-9891-B4A11F91F5E4}\chrome\content\overlay.xul
c:\documents and settings\Shane\Local Settings\Application Data\{3E7F74DC-5B6E-4DC4-9891-B4A11F91F5E4}\install.rdf
c:\documents and settings\Shane\Local Settings\Application Data\Desktop Cleanup Wizard
c:\program files\WinPCap
c:\program files\WinPCap\daemon_mgm.exe
c:\program files\WinPCap\npf_mgm.exe
c:\program files\WinPCap\rpcapd.exe
C:\Thumbs.db
c:\windows\system32\26500.exe
c:\windows\system32\6334.exe
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\pcre3.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\spool\prtprocs\w32x86\K3yW9u179.dll
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll
c:\windows\system32\yaawtr.dll
c:\windows\system32\yaxyvv.dll
D:\install.exe
E:\Autorun.inf

Infected copy of c:\windows\system32\drivers\ndis.sys was found and disinfected
Restored copy from - c:\system volume information\_restore{3C642349-E65B-4E71-9B16-C2C2C41999CA}\RP409\A0068115.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Legacy_WINBACKUPDUMPER-ID19X6EQUCWJWY
-------\Service_NPF
-------\Service_winbackupdumper-id19x6EquCWjwY


((((((((((((((((((((((((( Files Created from 2010-09-22 to 2010-10-22 )))))))))))))))))))))))))))))))
.

2010-10-22 04:37 . 2010-10-22 15:47 100864 ---ha-w- c:\windows\system32\yaxyvv.dll
2010-10-17 16:52 . 2010-10-17 16:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-10-17 16:52 . 2010-10-17 16:52 -------- d-----w- c:\documents and settings\Shane\Application Data\Office Genuine Advantage
2010-10-15 02:04 . 2008-04-14 04:42 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-10-14 15:01 . 2010-10-14 15:01 -------- d-----w- C:\myapp
2010-10-14 15:01 . 2010-10-14 15:01 -------- d-----w- c:\program files\BBC iPlayer Desktop
2010-10-14 13:27 . 2010-10-14 13:27 -------- d-----w- c:\windows\system32\wbem\Repository
2010-10-14 11:40 . 2010-10-14 13:24 -------- d-----w- C:\RECYCLER(2)
2010-10-13 16:54 . 2010-08-27 06:05 99840 ------w- c:\windows\system32\dllcache\srvsvc.dll
2010-10-13 16:53 . 2010-07-16 12:04 1289216 ------w- c:\windows\system32\dllcache\ole32.dll
2010-10-13 16:53 . 2010-09-18 06:53 954368 ------w- c:\windows\system32\dllcache\mfc40.dll
2010-10-13 16:53 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-13 16:53 . 2010-09-18 06:53 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
2010-10-13 16:53 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
2010-10-12 17:19 . 2010-10-15 10:41 -------- d--h--w- c:\windows\msdownld.tmp
2010-10-03 18:01 . 2010-08-17 13:17 58880 ------w- c:\windows\system32\dllcache\spoolsv.exe
2010-10-03 18:01 . 2010-06-18 17:43 293376 ------w- c:\windows\system32\dllcache\winsrv.dll
2010-10-03 18:01 . 2010-04-16 15:36 406016 ------w- c:\windows\system32\dllcache\usp10.dll
2010-10-03 16:49 . 2010-10-03 16:49 -------- d-----w- C:\rsit
2010-10-03 16:43 . 2010-10-03 16:43 -------- d-----w- c:\windows\system32\xircom
2010-10-03 16:43 . 2010-10-03 16:43 -------- d-----w- c:\windows\system32\wbem\snmp
2010-10-03 16:43 . 2010-10-03 16:43 -------- d-----w- c:\program files\microsoft frontpage
2010-10-02 22:18 . 2010-10-02 22:18 388096 ----a-r- c:\documents and settings\Shane\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-10-02 22:18 . 2010-10-02 22:18 -------- d-----w- c:\program files\Trend Micro
2010-09-25 14:25 . 2010-09-25 14:25 -------- d-----w- c:\documents and settings\All Users\Application Data\xml_param
2010-09-25 12:55 . 2009-09-01 09:40 25704 ----a-w- c:\windows\system32\drivers\WsAudio_DeviceS(5).sys
2010-09-25 12:55 . 2009-09-01 09:40 25704 ----a-w- c:\windows\system32\drivers\WsAudio_DeviceS(4).sys
2010-09-25 12:54 . 2009-09-01 09:40 25704 ----a-w- c:\windows\system32\drivers\WsAudio_DeviceS(3).sys
2010-09-25 12:54 . 2009-09-01 09:40 25704 ----a-w- c:\windows\system32\drivers\WsAudio_DeviceS(2).sys
2010-09-25 12:53 . 2009-09-01 09:40 25704 ----a-w- c:\windows\system32\drivers\WsAudio_DeviceS(1).sys
2010-09-25 12:53 . 2010-09-25 12:53 -------- d-----w- c:\program files\Daniusoft
2010-09-25 12:12 . 2009-01-08 17:00 16640 ----a-w- c:\windows\system32\drivers\DsAudioDevice_310.sys
2010-09-25 12:12 . 2008-08-12 20:08 16896 ----a-w- c:\windows\system32\drivers\VirtualAudio.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-22 15:47 . 2010-09-19 13:00 87040 ---ha-w- c:\windows\system32\yaawtr.dll
2010-10-14 11:20 . 2010-09-19 13:00 87040 ---ha-w- c:\windows\system32\yaawtr(2).dll
2010-09-18 11:23 . 2007-04-03 07:44 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2008-04-14 04:41 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2008-04-14 04:41 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-18 06:53 . 2001-08-23 11:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-10 21:32 . 2009-03-09 20:18 167936 ----a-w- c:\windows\system32\drivers\WpsHelper.sys
2010-09-09 13:38 . 2008-10-16 19:38 832512 ----a-w- c:\windows\system32\wininet.dll
2010-09-09 13:38 . 2008-10-16 19:38 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-09 13:38 . 2009-01-08 19:20 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-09-09 13:38 . 2009-01-08 19:20 17408 ----a-w- c:\windows\system32\corpol.dll
2010-09-08 06:13 . 2010-09-07 23:22 46640 ----a-w- c:\windows\system32\msln.exe
2010-09-01 11:51 . 2008-04-14 04:39 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:38 . 2009-01-08 19:14 1861888 ----a-w- c:\windows\system32\win32k.sys
2010-08-31 12:10 . 2009-01-08 19:20 389120 ----a-w- c:\windows\system32\html.iec
2010-08-27 08:02 . 2008-04-14 04:42 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 06:05 . 2008-04-14 04:42 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:37 . 2009-01-08 19:12 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2009-10-03 11:53 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2008-04-14 04:41 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17 . 2008-04-14 04:42 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45 . 2008-04-14 04:42 590848 ----a-w- c:\windows\system32\rpcrt4.dll
.

------- Sigcheck -------

[-] 2009-01-08 . 5AE1C2695F6523AD98B948F2887D8C5E . 361600 . . [5.1.2600.5649] . . c:\windows\system32\drivers\tcpip.sys

[-] 2009-01-08 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PPAP"="c:\documents and settings\All Users\Application Data\PPLiveVA\Application\PPAP.exe" [BU]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"wvwvtusys"="yaawtr.dll" [2010-10-22 87040]
"Tcegezonu"="c:\windows\kevdinat.dll" [BU]
"Desktop Cleanup Wizard"="c:\documents and settings\Shane\Local Settings\Application Data\Desktop Cleanup Wizard\dskclnwiz.dll" [BU]
"khecabaudio"="yaxyvv.dll" [2010-10-22 100864]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-06-21 90112]
"AlcWzrd"="ALCWZRD.EXE" [2005-06-29 2806272]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-08-12 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-08-17 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-17 13877248]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 49152]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 6.0\apdproxy.exe" [2007-09-11 67488]
"RemoteControl9"="c:\program files\CyberLink\PowerDVD9\PDVD9Serv.exe" [2009-07-06 87336]
"PDVD9LanguageShortcut"="c:\program files\CyberLink\PowerDVD9\Language\Language.exe" [2009-04-27 50472]
"BDRegion"="c:\program files\Cyberlink\Shared Files\brs.exe" [2009-09-01 75048]
"Wireless Manager"="c:\program files\Virgin Broadband Wireless\Wireless Manager.exe" [2008-05-26 585728]
"eBook Library Launcher"="c:\program files\Sony\Reader\Data\bin\launcher\Reader Library Launcher.exe" [2010-01-25 906640]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"ssqrppsys"="yaawtr.dll" [2010-10-22 87040]
"Crayapiqiyo"="c:\windows\igohudusibo.dll" [BU]
"Acronis Toolbar Helper"="c:\documents and settings\Shane\Local Settings\Application Data\Desktop Cleanup Wizard\dskclnwiz.dll" [BU]
"yaaxxyaudio"="yaxyvv.dll" [2010-10-22 100864]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"ssttutsys"="yaawtr.dll" [2010-10-22 87040]
"nnmmmlaudio"="yaxyvv.dll" [2010-10-22 100864]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 yaawtr.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\Shane\\My Documents\\Utilis\\utorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD9\\PowerDVD9.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

R2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2009/11/08 12:08];c:\program files\CyberLink\PowerDVD9\000.fcl [01/09/2009 17:59 87536]
R3 DsAudioDevice_310;DsAudioDevice_310;c:\windows\system32\drivers\DsAudioDevice_310.sys [25/09/2010 13:12 16640]
R3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);c:\windows\system32\drivers\WsAudio_DeviceS(1).sys [25/09/2010 13:53 25704]
R3 WsAudio_DeviceS(2);WsAudio_DeviceS(2);c:\windows\system32\drivers\WsAudio_DeviceS(2).sys [25/09/2010 13:54 25704]
R3 WsAudio_DeviceS(3);WsAudio_DeviceS(3);c:\windows\system32\drivers\WsAudio_DeviceS(3).sys [25/09/2010 13:54 25704]
R3 WsAudio_DeviceS(4);WsAudio_DeviceS(4);c:\windows\system32\drivers\WsAudio_DeviceS(4).sys [25/09/2010 13:55 25704]
R3 WsAudio_DeviceS(5);WsAudio_DeviceS(5);c:\windows\system32\drivers\WsAudio_DeviceS(5).sys [25/09/2010 13:55 25704]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [18/11/2008 19:17 23888]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [12/09/2010 14:48 38224]
S3 wsvad_driver;WS Audio Device;c:\windows\system32\drivers\VirtualAudio.sys [25/09/2010 13:12 16896]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-10-22 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 14:07]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
DPF: {E6F480FC-BD44-4CBA-B74A-89AF7842937D} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.3.1.0.cab
.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{B154377D-700F-42cc-9474-23858FBDF4BD}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD9\000.fcl"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(736)
c:\windows\system32\yaawtr.dll
c:\windows\system32\ssqqpp.dll

- - - - - - - > 'explorer.exe'(2368)
c:\windows\system32\WININET.dll
c:\windows\system32\yaawtr.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
c:\program files\Bonjour\mdnsNSP.dll
c:\windows\system32\ssqqpp.dll
c:\docume~1\Shane\LOCALS~1\Temp\catchme.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
c:\program files\Virgin Broadband Wireless\AffinegyService.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\bgsvcgen.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\windows\SOUNDMAN.EXE
c:\windows\ALCWZRD.EXE
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\rundll32.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Virgin Broadband Wireless\ndis_events.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2010-10-22 16:52:43 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-22 15:52
ComboFix2.txt 2010-10-14 11:26

Pre-Run: 9,046,020,096 bytes free
Post-Run: 9,307,803,648 bytes free

- - End Of File - - 895806BD64E897FD680DA75F4D15A4F3



