
Long Start up


  • This topic is locked
17 replies to this topic

#1 traveler25

  • Members
  • 25 posts
  • Gender:Male
  • Location:San Antonio, TX

Posted 05 October 2010 - 01:35 PM

Hello

My PC takes a long time to start up and everything has gotten slow, from internet connection to basic PC performance. Any help would be greatly appreciated.

http://speccy.piriform.com/results/PlBbOzl27S5Y9U5QDeo1KZR

I have no idea which startup items or BHO's to disable, delete or who know what?

Also attached is Hijackthis log.
Marcos

Attached Files


Edited by hamluis, 05 October 2010 - 02:44 PM.
Merged posts, moved to MRL forum ~ Hamluis.



#2 m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 12 October 2010 - 06:51 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below I will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


And

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.


Then

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
m0le is a proud member of UNITE

#3 traveler25
  • Topic Starter

  • Members
  • 25 posts
  • Gender:Male
  • Location:San Antonio, TX

Posted 14 October 2010 - 07:01 PM

Hello

I have removed some programs and it is booting up a little faster, but I'm still suspicious.
Here are my DDS, DeFogger and GMER files.

DDS (Ver_10-10-10.03) - NTFSx86
Run by HP_Administrator at 18:43:21.80 on Thu 10/14/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2558.1678 [GMT -5:00]

AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\AnalogX\MaxMem\maxmem.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\HP_Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
TB: {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
EB: {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - No File
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\hp_adm~1\startm~1\programs\startup\maxmem.lnk - c:\program files\analogx\maxmem\maxmem.exe
mPolicies-explorer: NoResolveTrack = 1 (0x1)
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: junomsg - {C4D10830-379D-11d4-9B2D-00C04F1579A5} - c:\program files\juno\bin\jmsgpph.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_adm~1\applic~1\mozilla\firefox\profiles\cpxqlop7.default\
FF - prefs.js: browser.search.selectedEngine - Ixquick
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\hp_administrator\application data\move networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\hp_administrator\application data\move networks\plugins\npqmp071505000011.dll
FF - plugin: c:\documents and settings\hp_administrator\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-3-25 64288]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 151216]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-6-23 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-6-23 66632]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-8-12 1357464]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R3 AV88BASE;Cx2388x Base Driver;c:\windows\system32\drivers\av88base.sys [2009-12-7 425472]
S1 czfiaplx;czfiaplx;\??\c:\windows\system32\drivers\czfiaplx.sys --> c:\windows\system32\drivers\czfiaplx.sys [?]
S1 dnmwzuyv;dnmwzuyv;\??\c:\windows\system32\drivers\dnmwzuyv.sys --> c:\windows\system32\drivers\dnmwzuyv.sys [?]
S1 hxswzipm;hxswzipm;\??\c:\windows\system32\drivers\hxswzipm.sys --> c:\windows\system32\drivers\hxswzipm.sys [?]
S1 mifhzhyw;mifhzhyw;\??\c:\windows\system32\drivers\mifhzhyw.sys --> c:\windows\system32\drivers\mifhzhyw.sys [?]
S1 pumkiecg;pumkiecg;\??\c:\windows\system32\drivers\pumkiecg.sys --> c:\windows\system32\drivers\pumkiecg.sys [?]
S1 rqbscmyh;rqbscmyh;\??\c:\windows\system32\drivers\rqbscmyh.sys --> c:\windows\system32\drivers\rqbscmyh.sys [?]
S1 szutpasl;szutpasl;\??\c:\windows\system32\drivers\szutpasl.sys --> c:\windows\system32\drivers\szutpasl.sys [?]
S1 wdxsjdmv;wdxsjdmv;\??\c:\windows\system32\drivers\wdxsjdmv.sys --> c:\windows\system32\drivers\wdxsjdmv.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [2009-6-17 12672]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-8-12 15008]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\35.tmp --> c:\windows\system32\35.tmp [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-6-23 12872]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-10 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 getPlus® Installer;getPlus® Installer;c:\program files\nos\bin\getPlus_HelperSvc.exe [2009-8-12 59552]

=============== Created Last 30 ================

2072-07-31 23:44:42 375808 ----a-w- c:\program files\microsoft games\halo\binkw32.dll
2010-10-14 21:34:32 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-14 21:34:30 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
2010-10-14 21:34:09 6084944 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{5947732e-1503-4231-9ff1-6aa078b6838d}\mpengine.dll
2010-10-14 21:33:42 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
2010-10-08 17:41:57 -------- dc-h--w- c:\docume~1\alluse~1\applic~1\{ECC164E0-3133-4C70-A831-F08DB2940F70}
2010-10-05 20:07:51 -------- d-----w- c:\documents and settings\hp_administrator\New Folder
2010-10-05 19:15:54 -------- d-----w- c:\program files\Speccy
2010-10-05 15:52:05 61440 ----a-w- c:\windows\_detmp.2
2010-10-05 00:39:01 -------- d-----w- C:\~$PVRTmp0$
2010-09-26 18:05:47 -------- d-----w- c:\program files\NetLibrary
2010-09-26 12:51:54 -------- d-----w- c:\program files\OverDrive Media Console
2010-09-25 20:51:44 -------- d-----w- c:\windows\system32\windows media
2010-09-25 20:51:22 -------- d--h--w- c:\windows\msdownld.tmp
2010-09-25 20:51:20 -------- d-----w- c:\program files\Windows Media Components
2010-09-22 23:10:52 103864 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2010-09-22 23:10:52 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
2010-09-18 17:23:26 974848 ------w- c:\windows\system32\dllcache\mfc42u.dll
2010-09-18 15:58:45 -------- d-----w- c:\docume~1\hp_adm~1\applic~1\Ashampoo
2010-09-18 15:58:33 -------- d-----w- c:\docume~1\hp_adm~1\locals~1\applic~1\ashampoo
2010-09-18 15:58:33 -------- d-----w- c:\docume~1\alluse~1\applic~1\ashampoo
2010-09-17 23:46:56 -------- d-----w- c:\program files\Ashampoo
2010-09-15 03:43:56 -------- d-----w- c:\program files\MSECache

==================== Find3M ====================

2010-09-18 17:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ------w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-01 23:52:37 232968 ----a-w- c:\windows\system32\nvdrsdb0.bin
2010-09-01 23:52:37 1 ----a-w- c:\windows\system32\nvdrssel.bin
2010-09-01 23:52:29 232968 ----a-w- c:\windows\system32\nvdrsdb1.bin
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 17:33:14 1728512 ----a-w- c:\program files\LC.exe
2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-25 15:09:35 159843 ----a-w- c:\windows\ScanWiz Uninstaller.exe
2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-08-12 12:15:20 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-08-12 04:07:46 133616 ------w- c:\windows\system32\pxafs.dll
2010-08-12 04:07:46 126448 ------w- c:\windows\system32\pxinsi64.exe

============= FINISH: 18:43:49.75 ===============

GMER 1.0.15.15315 - http://www.gmer.net
Rootkit quick scan 2010-10-14 18:49:48
Windows 5.1.2600 Service Pack 3
Running: npdet4nb.exe; Driver: C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\axldypob.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)

---- EOF - GMER 1.0.15 ----

Thanks for the help.

Attached Files



#4 m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 15 October 2010 - 06:53 PM

Quite a few malware drivers there - they are all marked with a question mark in the log.

Please run TDSSKiller and MBRCheck so we can see if anything else has been invaded.
  • Download TDSSKiller and save it to your Desktop.

  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.

  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l report.txt

  • Now click Start Scan.
  • If Malicious objects are found, ensure Cure is selected then click Continue > Reboot now.
  • Click Close
  • Finally press Report and copy and paste the contents into your next reply. If you've rebooted then the log will be found at C:\


And

Please download MBRCheck to your desktop.

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log when you reply.
m0le is a proud member of UNITE
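m0le's triage above rests on two things visible in the DDS log: the `[?]` marker DDS prints when it cannot find a service's image file, and the eight random lowercase letters used as both service and display name, on drivers set to load at boot/system start. The following Python is an added example, not part of this thread and not code from DDS, that applies those same checks mechanically to the SERVICES / DRIVERS lines copied from the log (three known-good entries are kept in for contrast). The start-type decoding and the tier thresholds are the example's own assumptions; every flag it produces is a prompt for a responder to look the entry up, not a verdict.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: six SERVICES / DRIVERS lines copied from the DDS log in
# this thread; Lbd, MpFilter and cpuz132 are kept in as known-good contrast.
SAMPLE_DDS = r"""
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-3-25 64288]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 151216]
S1 czfiaplx;czfiaplx;\??\c:\windows\system32\drivers\czfiaplx.sys --> c:\windows\system32\drivers\czfiaplx.sys [?]
S1 dnmwzuyv;dnmwzuyv;\??\c:\windows\system32\drivers\dnmwzuyv.sys --> c:\windows\system32\drivers\dnmwzuyv.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\35.tmp --> c:\windows\system32\35.tmp [?]
S3 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [2009-6-17 12672]
"""

# Layout of one DDS line (as observed in the log):
#   <R|S><start type> <service name>;<display name>;<image path> [<date size> | ?]
# R = running, S = stopped; the digit is the Windows start type (assumed here:
# 0 boot, 1 system, 2 auto, 3 manual, 4 disabled). "[?]" means DDS could not
# stat the image file.
LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4])\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<meta>[^\]]*)\]$"
)

RANDOM_NAME_RE = re.compile(r"^[a-z]{8}$")   # eight random lowercase letters


@dataclass
class DriverEntry:
    state: str
    start: str
    name: str
    display: str
    path: str
    meta: str
    flags: list = field(default_factory=list)


def parse_line(line):
    """Return a DriverEntry for one DDS services/drivers line, or None."""
    m = LINE_RE.match(line.strip())
    return DriverEntry(**m.groupdict()) if m else None


def triage(entry):
    """Attach triage flags; each flag is a prompt to verify, not a verdict."""
    if entry.meta == "?":
        entry.flags.append("image-not-found")
    if RANDOM_NAME_RE.match(entry.name) and entry.name == entry.display:
        entry.flags.append("random-8-letter-name")   # no vendor display name either
    if entry.path.lower().endswith(".tmp"):
        entry.flags.append("tmp-image")
    if entry.start in ("0", "1") and entry.flags:
        entry.flags.append("boot-or-system-start")   # loads before user-mode AV
    return entry


def scan_dds(text):
    """Parse and triage every non-blank line of a SERVICES / DRIVERS section."""
    entries = (parse_line(line) for line in text.splitlines() if line.strip())
    return [triage(e) for e in entries if e is not None]


def classify(text):
    """Map service name -> tier.  'suspicious' needs the missing-file marker
    together with a random name; anything else with a flag is 'review'.
    Entries with no flags are omitted.  Thresholds are this example's choice."""
    tiers = {}
    for e in scan_dds(text):
        if not e.flags:
            continue
        strong = {"image-not-found", "random-8-letter-name"} <= set(e.flags)
        tiers[e.name] = "suspicious" if strong else "review"
    return tiers


if __name__ == "__main__":
    for name, tier in classify(SAMPLE_DDS).items():
        print(f"{tier:10s} {name}")
```

Run against the sample, the two eight-letter S1 drivers come out as "suspicious" and the `35.tmp` entry as "review"; the known-good drivers produce no flags at all. Keeping the missing-image and random-name checks separate matters: a legitimate tool that loads a temporary driver can also show `[?]`, so neither signal on its own should drive a removal decision.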

#5 traveler25
  • Topic Starter

  • Members
  • 25 posts
  • Gender:Male
  • Location:San Antonio, TX

Posted 15 October 2010 - 07:44 PM

Hello

Thanks for the reply

P.S. If I post anything incorrectly please let me know. And not to get off the subject, I'm taking a class at a college and my gmail account was hacked from China, I already changed the password, but any ideas of how they were able to access my account? This is the first time this has ever happened to me. I will repost in another forum, just let me know which forum, sorry for bothering you outside this subject.

TDSSKiller.exe did not find anything and I ran MBRCheck.exe also and am posting the log here. Awaiting your reply and Thank you again for helping me.

Marcos

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x000003fc

Kernel Drivers (total 124):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806D0000 \WINDOWS\system32\hal.dll
0xB85A8000 \WINDOWS\system32\KDCOM.DLL
0xB84B8000 \WINDOWS\system32\BOOTVID.dll
0xB7F79000 ACPI.sys
0xB85AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB7F68000 pci.sys
0xB80A8000 isapnp.sys
0xB8670000 pciide.sys
0xB8328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xB80B8000 MountMgr.sys
0xB7F49000 ftdisk.sys
0xB85AC000 dmload.sys
0xB7F23000 dmio.sys
0xB8330000 PartMgr.sys
0xB80C8000 VolSnap.sys
0xB7F0B000 atapi.sys
0xB7EE8000 fasttx2k.sys
0xB7ED0000 \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
0xB80D8000 disk.sys
0xB80E8000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB7EB0000 fltmgr.sys
0xB7E9E000 sr.sys
0xB80F8000 Lbd.sys
0xB8108000 PxHelp20.sys
0xB7E87000 KSecDD.sys
0xB7DFA000 Ntfs.sys
0xB7DCD000 NDIS.sys
0xB8118000 ohci1394.sys
0xB8128000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xB7DB3000 Mup.sys
0xB8168000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xB7634000 \SystemRoot\system32\DRIVERS\AmdK8.sys
0xB6C07000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
0xB6BF3000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xB8448000 \SystemRoot\system32\DRIVERS\usbohci.sys
0xB6BCF000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xB8450000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xB7624000 \SystemRoot\system32\DRIVERS\imapi.sys
0xB8458000 \SystemRoot\system32\drivers\Afc.sys
0xB8158000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xB8178000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB6BAC000 \SystemRoot\system32\DRIVERS\ks.sys
0xB8188000 \SystemRoot\SYSTEM32\DRIVERS\GEARAspiWDM.sys
0xB6B8C000 \SystemRoot\system32\DRIVERS\Rtnicxp.sys
0xB6B24000 \SystemRoot\system32\drivers\av88base.sys
0xB8588000 \SystemRoot\system32\drivers\BdaSup.SYS
0xB6A07000 \SystemRoot\system32\DRIVERS\AGRSM.sys
0xB85E2000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xB8460000 \SystemRoot\System32\Drivers\Modem.SYS
0xB67D1000 \SystemRoot\system32\drivers\ALCXWDM.SYS
0xB67AD000 \SystemRoot\system32\drivers\portcls.sys
0xB8198000 \SystemRoot\system32\drivers\drmk.sys
0xB81A8000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xB8468000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xB8470000 \SystemRoot\system32\DRIVERS\PS2.sys
0xB8478000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xB87B5000 \SystemRoot\system32\DRIVERS\audstub.sys
0xB81B8000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xB8594000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB6796000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xB81C8000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xB81D8000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xB8480000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB6785000 \SystemRoot\system32\DRIVERS\psched.sys
0xB81E8000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xB8488000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xB8490000 \SystemRoot\system32\DRIVERS\raspti.sys
0xB672D000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xB81F8000 \SystemRoot\system32\DRIVERS\termdd.sys
0xB85E4000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB66CF000 \SystemRoot\system32\DRIVERS\update.sys
0xB7D87000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xB8208000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xB8228000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xB2584000 \SystemRoot\system32\DRIVERS\MpFilter.sys
0xB85F0000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xB873A000 \SystemRoot\System32\Drivers\Null.SYS
0xB85F2000 \SystemRoot\System32\Drivers\Beep.SYS
0xB84A8000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xB84B0000 \SystemRoot\System32\drivers\vga.sys
0xB85F4000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xB85F6000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xB8360000 \SystemRoot\System32\Drivers\Msfs.SYS
0xB8390000 \SystemRoot\System32\Drivers\Npfs.SYS
0xB8560000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xB2551000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xB24F8000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xB24D0000 \SystemRoot\system32\DRIVERS\netbt.sys
0xB24AE000 \SystemRoot\System32\drivers\afd.sys
0xB8248000 \SystemRoot\system32\DRIVERS\netbios.sys
0xB248D000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
0xB8368000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
0xB2462000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xB23CA000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xB8268000 \SystemRoot\System32\Drivers\Fips.SYS
0xB23A4000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xB8278000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xB8288000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xB8751000 \SystemRoot\System32\Drivers\BANTExt.sys
0xB82A8000 \SystemRoot\system32\DRIVERS\IrBus.sys
0xB8370000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xB22E0000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xB8378000 \SystemRoot\system32\DRIVERS\hidir.sys
0xB82B8000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xB6779000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xB6775000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xB82C8000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xB6761000 \SystemRoot\System32\drivers\Dxapi.sys
0xB8380000 \SystemRoot\System32\watchdog.sys
0xBD000000 \SystemRoot\System32\drivers\dxg.sys
0xB86BE000 \SystemRoot\System32\drivers\dxgthk.sys
0xBD012000 \SystemRoot\System32\nv4_disp.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xB1FC0000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xB1CF3000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xB1B51000 \SystemRoot\System32\Drivers\HTTP.sys
0xB1F58000 \SystemRoot\system32\DRIVERS\ipfltdrv.sys
0xB1A81000 \SystemRoot\system32\DRIVERS\srv.sys
0xB174C000 \SystemRoot\system32\drivers\wdmaud.sys
0xB19E1000 \SystemRoot\system32\drivers\sysaudio.sys
0xB0995000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 31):
0 System Idle Process
4 System
584 C:\WINDOWS\system32\smss.exe
672 csrss.exe
696 C:\WINDOWS\system32\winlogon.exe
744 C:\WINDOWS\system32\services.exe
756 C:\WINDOWS\system32\lsass.exe
940 C:\WINDOWS\system32\svchost.exe
1020 svchost.exe
1112 C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
1176 C:\WINDOWS\system32\svchost.exe
1276 svchost.exe
1400 svchost.exe
1608 C:\WINDOWS\system32\spoolsv.exe
1748 svchost.exe
1960 sqlbrowser.exe
1988 C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
200 svchost.exe
472 mcrdsvc.exe
1496 alg.exe
1672 C:\WINDOWS\explorer.exe
2496 C:\Program Files\Microsoft Security Essentials\msseces.exe
2560 C:\Program Files\AnalogX\MaxMem\maxmem.exe
1352 C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
2552 unsecapp.exe
3456 wmiprvse.exe
396 C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
4020 C:\Program Files\Mozilla Firefox\firefox.exe
2084 C:\Program Files\DivX\DivX Update\DivXUpdate.exe
3560 C:\Program Files\Mozilla Firefox\plugin-container.exe
2700 C:\Documents and Settings\HP_Administrator\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000002`00d12c00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (FAT32)
\\.\F: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: ST3160023AS, Rev: 3.43
PhysicalDrive1 Model Number: HDS722516VLAT80, Rev: V34OA6MA

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 Legit MBR code detected
SHA1: F75A10171F7488C11BA9A98CEC3D186D7A8D3972
153 GB \\.\PhysicalDrive1 Legit MBR code detected
SHA1: 317A49A9E93F077F2D004734D2A7B6CA7E7B9495
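MBRCheck above maps each drive letter to a byte offset on a physical disk, then hashes the MBR and reports its code as legit. The following Python is an added example, not MBRCheck's code (the thread does not say exactly which bytes MBRCheck hashes, so the 440-byte boot-code region is this example's own choice): it decodes a 512-byte MBR sector, checks the 0x55AA signature, turns the partition entries into the same byte offsets MBRCheck printed for PhysicalDrive0 (0x7e00 and 0x2`00d12c00, built into a constructed sample sector with invented sizes and placeholder boot code), and compares boot-code and whole-sector SHA-1s against a baseline recorded while the machine was known clean. Reading the real sector needs raw disk access (\\.\PhysicalDrive0 on Windows), which the example does not attempt.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440           # bytes 0..439 hold the boot loader code
PART_TABLE_OFF = 446          # four 16-byte partition entries follow the disk signature
PART_ENTRY_LEN = 16
PART_ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count
MBR_SIGNATURE = b"\x55\xAA"   # bytes 510..511

TYPE_NAMES = {0x07: "NTFS", 0x0B: "FAT32", 0x0C: "FAT32"}


def build_sample_mbr():
    """Constructed sector: placeholder boot code plus two partitions whose
    byte offsets equal the D: (0x7e00) and C: (0x2`00d12c00) offsets MBRCheck
    printed for PhysicalDrive0 in this thread.  Sizes are invented."""
    code = b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * (BOOT_CODE_LEN - 5)   # NOT real boot code
    disk_sig = struct.pack("<I", 0x12345678) + b"\x00\x00"            # signature + 2 reserved bytes
    zero_chs = b"\x00" * 3
    table = struct.pack(PART_ENTRY_FMT, 0x00, zero_chs, 0x0C, zero_chs, 63, 16803927)
    table += struct.pack(PART_ENTRY_FMT, 0x80, zero_chs, 0x07, zero_chs, 16803990, 295777818)
    table += b"\x00" * (PART_ENTRY_LEN * 2)                           # two unused slots
    mbr = code + disk_sig + table + MBR_SIGNATURE
    assert len(mbr) == SECTOR
    return mbr


def parse_mbr(mbr):
    """Decode the partition table; raises ValueError on a malformed sector."""
    if len(mbr) != SECTOR or mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("not an MBR: wrong length or missing 0x55AA signature")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, _, ptype, _, lba, count = struct.unpack(PART_ENTRY_FMT, mbr[off:off + PART_ENTRY_LEN])
        if ptype == 0x00:
            continue                                  # empty slot
        if status not in (0x00, 0x80):
            raise ValueError(f"entry {i}: invalid status byte {status:#04x}")
        parts.append({
            "index": i,
            "bootable": status == 0x80,
            "type": TYPE_NAMES.get(ptype, f"{ptype:#04x}"),
            "byte_offset": lba * SECTOR,              # what MBRCheck prints per drive letter
            "sectors": count,
        })
    return parts


def boot_code_sha1(mbr):
    """SHA-1 of the 440 boot-code bytes only (partition edits do not change it)."""
    return hashlib.sha1(mbr[:BOOT_CODE_LEN]).hexdigest().upper()


def sector_sha1(mbr):
    """SHA-1 of the whole 512-byte sector (also catches partition-table edits)."""
    return hashlib.sha1(mbr).hexdigest().upper()


def make_baseline(mbr):
    """Record both hashes while the machine is known clean."""
    return {"code": boot_code_sha1(mbr), "sector": sector_sha1(mbr)}


def check_against_baseline(baseline, mbr):
    """Return the names of the regions whose hash no longer matches the baseline."""
    changed = []
    if boot_code_sha1(mbr) != baseline["code"]:
        changed.append("boot-code")
    if sector_sha1(mbr) != baseline["sector"]:
        changed.append("sector")
    return changed


if __name__ == "__main__":
    clean = build_sample_mbr()
    base = make_baseline(clean)
    for p in parse_mbr(clean):
        print(f"entry {p['index']}: {p['type']:5s} offset {p['byte_offset']:#014x} "
              f"sectors {p['sectors']} {'(active)' if p['bootable'] else ''}")
    print("boot code SHA1:", base["code"])
    tampered = bytearray(clean)
    tampered[0x10] ^= 0xFF                # simulate one overwritten boot-code byte
    print("after tamper:", check_against_baseline(base, bytes(tampered)))
```

Two hashes are kept on purpose: a bootkit that replaces the loader code changes the boot-code hash, while a re-pointed or newly activated partition entry only changes the whole-sector hash, and a responder wants to know which of the two happened. Comparing against a locally recorded baseline is the same idea as MBRCheck's "Legit MBR code detected", except that the reference comes from your own clean snapshot rather than a list of known loaders.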

#6 m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 16 October 2010 - 04:24 AM

A very good read - please note particularly point 5.

Please run MBAM and Superantispyware

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
    If MBAM won't update then download and update MBAM on a clean computer then save the rules.ref folder to a memory stick. This file is found here: 'C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware' then transfer it across to the infected computer.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.


And then

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

m0le is a proud member of UNITE

#7 traveler25

traveler25
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  • Gender:Male
  • Location:San Antonio, TX
  • Local time:08:15 PM

Posted 18 October 2010 - 09:51 PM

Hi

Here are my MBAM and SUPERAntiSpyware logs.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4852

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

10/16/2010 3:42:07 PM
mbam-log-2010-10-16 (15-42-07).txt

Scan type: Full scan (C:\|D:\|F:\|)
Objects scanned: 309687
Time elapsed: 2 hour(s), 7 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/16/2010 at 06:29 PM

Application Version : 4.35.1002

Core Rules Database Version : 5697
Trace Rules Database Version: 3509

Scan type : Complete Scan
Total Scan Time : 02:29:40

Memory items scanned : 438
Memory threats detected : 0
Registry items scanned : 7867
Registry threats detected : 0
File items scanned : 154407
File threats detected : 0

#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:01:15 AM

Posted 19 October 2010 - 04:27 PM

Absolutely clean.

Please finally run the ESET online scanner

  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Leave the top box checked and then check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
m0le is a proud member of UNITE

#9 traveler25

traveler25
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  • Gender:Male
  • Location:San Antonio, TX
  • Local time:08:15 PM

Posted 20 October 2010 - 09:36 AM

Hello

I ran the Eset online scanner and it did find win32/bagel-zip.worm, but the pc went into standby and when I moved the mouse it came back on and powered itself off, so I could not save the list of found threats. I ran it again this morning and it said none found. Should I still worry?

Thanks Marcos

#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:01:15 AM

Posted 20 October 2010 - 12:02 PM

Bagel is a nasty worm, which we need to check has been removed. ESET can't tell us, so we need to run ComboFix; this will also remove the malware if it finds it.

Please download ComboFix from one of these locations:

* IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE

#11 traveler25

traveler25
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  • Gender:Male
  • Location:San Antonio, TX
  • Local time:08:15 PM

Posted 20 October 2010 - 05:55 PM

Hello

Well, I can't make heads or tails out of this, but here is my ComboFix log. Man, I thought I had patience. You guys are the greatest!

ComboFix 10-10-20.01 - HP_Administrator 10/20/2010 17:25:39.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2558.1780 [GMT -5:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\comfix.exe.exe
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.

((((((((((((((((((((((((( Files Created from 2010-09-20 to 2010-10-20 )))))))))))))))))))))))))))))))
.

2072-07-31 23:44 . 2004-08-24 20:27 375808 ----a-w- c:\program files\Microsoft Games\Halo\binkw32.dll
2010-10-20 14:27 . 2010-10-07 23:21 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{00CD5907-25FC-45A3-854A-14F281E3DCD0}\mpengine.dll
2010-10-16 17:23 . 2010-10-16 17:23 -------- d-----w- c:\documents and settings\All Users\Microsoft
2010-10-16 17:11 . 2010-10-16 17:11 -------- d-----w- c:\program files\Microsoft Analysis Services
2010-10-16 17:05 . 2010-10-16 17:25 -------- d-----w- c:\windows\SHELLNEW
2010-10-16 17:01 . 2010-10-16 17:01 -------- d-----r- C:\MSOCache
2010-10-15 21:59 . 2010-10-15 21:59 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\SuperEasy
2010-10-15 21:58 . 2010-10-15 21:58 -------- d-----w- c:\program files\SuperEasy Software
2010-10-14 21:34 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-14 21:34 . 2010-09-18 06:53 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
2010-10-14 21:33 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
2010-10-08 17:41 . 2010-10-08 17:41 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}
2010-10-05 20:07 . 2010-10-05 20:07 -------- d-----w- c:\documents and settings\HP_Administrator\New Folder
2010-10-05 19:15 . 2010-10-05 19:16 -------- d-----w- c:\program files\Speccy
2010-10-05 15:52 . 2001-11-27 16:42 61440 ----a-w- c:\windows\_detmp.2
2010-10-05 00:39 . 2010-10-05 00:39 -------- d-----w- C:\~$PVRTmp0$
2010-09-29 04:27 . 2010-10-07 12:32 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\vlc
2010-09-26 18:05 . 2010-09-26 18:05 -------- d-----w- c:\program files\NetLibrary
2010-09-26 12:51 . 2010-09-26 12:51 -------- d-----w- c:\program files\OverDrive Media Console
2010-09-25 20:51 . 2010-09-25 20:51 -------- d-----w- c:\windows\system32\windows media
2010-09-25 20:51 . 2010-09-25 20:51 -------- d--h--w- c:\windows\msdownld.tmp
2010-09-25 20:51 . 2010-09-25 20:51 -------- d-----w- c:\program files\Windows Media Components
2010-09-22 23:10 . 2010-09-22 23:10 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2010-09-22 23:10 . 2010-09-22 23:10 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

------- Sigcheck -------

[-] 2009-01-18 . CBEEBEB899E31EF52B962CB31FC8CA5C . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\TCPIP.SYS
[-] 2009-01-18 . CBEEBEB899E31EF52B962CB31FC8CA5C . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\TCPIP.SYS
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\TCPIP.SYS
[-] 2004-08-10 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\HP_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-17 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-09-15 1094224]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\
MaxMem.lnk - c:\program files\AnalogX\MaxMem\maxmem.exe [2010-2-15 125424]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"f:\\uTorrent.exe"=
"c:\\Documents and Settings\\HP_Administrator\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Downloads\\Left.4.Dead.Full-Rip.Skullptura\\Left 4 Dead\\left4dead.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"24383:TCP"= 24383:TCP:BitComet 24383 TCP
"24383:UDP"= 24383:UDP:BitComet 24383 UDP
"57061:TCP"= 57061:TCP:Pando Media Booster
"57061:UDP"= 57061:UDP:Pando Media Booster
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/25/2010 2:22 PM 64288]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [6/23/2009 11:01 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 66632]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [8/12/2010 7:15 AM 1357464]
R3 AV88BASE;Cx2388x Base Driver;c:\windows\system32\drivers\av88base.sys [12/7/2009 7:32 PM 425472]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 9:37 PM 4640000]
S1 czfiaplx;czfiaplx;\??\c:\windows\system32\drivers\czfiaplx.sys --> c:\windows\system32\drivers\czfiaplx.sys [?]
S1 dnmwzuyv;dnmwzuyv;\??\c:\windows\system32\drivers\dnmwzuyv.sys --> c:\windows\system32\drivers\dnmwzuyv.sys [?]
S1 hxswzipm;hxswzipm;\??\c:\windows\system32\drivers\hxswzipm.sys --> c:\windows\system32\drivers\hxswzipm.sys [?]
S1 mifhzhyw;mifhzhyw;\??\c:\windows\system32\drivers\mifhzhyw.sys --> c:\windows\system32\drivers\mifhzhyw.sys [?]
S1 pumkiecg;pumkiecg;\??\c:\windows\system32\drivers\pumkiecg.sys --> c:\windows\system32\drivers\pumkiecg.sys [?]
S1 rqbscmyh;rqbscmyh;\??\c:\windows\system32\drivers\rqbscmyh.sys --> c:\windows\system32\drivers\rqbscmyh.sys [?]
S1 szutpasl;szutpasl;\??\c:\windows\system32\drivers\szutpasl.sys --> c:\windows\system32\drivers\szutpasl.sys [?]
S1 wdxsjdmv;wdxsjdmv;\??\c:\windows\system32\drivers\wdxsjdmv.sys --> c:\windows\system32\drivers\wdxsjdmv.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [8/12/2010 7:15 AM 15008]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\35.tmp --> c:\windows\system32\35.tmp [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 12872]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/10/2004 7:00 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
S4 getPlus® Installer;getPlus® Installer;c:\program files\NOS\bin\getPlus_HelperSvc.exe [8/12/2009 9:47 AM 59552]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder

2010-10-20 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-08-12 17:49]

2010-10-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1442792629-1606164383-696859238-1008Core.job
- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-17 03:10]

2010-10-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1442792629-1606164383-696859238-1008UA.job
- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-17 03:10]

2010-10-20 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-26 02:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MI1933~1\Office14\ONBttnIE.dll/105
Trusted Zone: internet
Trusted Zone: mcafee.com
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\cpxqlop7.default\
FF - prefs.js: browser.search.selectedEngine - Ixquick
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\HP_Administrator\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\HP_Administrator\Application Data\Move Networks\plugins\npqmp071505000011.dll
FF - plugin: c:\documents and settings\HP_Administrator\Local Settings\Application Data\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\progra~1\MI1933~1\Office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\MI1933~1\Office14\NPSPWRAP.DLL
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\35.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(700)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3156)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-10-20 17:36:37
ComboFix-quarantined-files.txt 2010-10-20 22:36
ComboFix2.txt 2010-10-04 16:46

Pre-Run: 83,101,327,360 bytes free
Post-Run: 83,161,186,304 bytes free

- - End Of File - - 2FF804927E73E20031610124EAE012DF

#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:01:15 AM

Posted 20 October 2010 - 06:20 PM

There are some drivers that are stopped but may not be helping your startup. Please rerun ComboFix using the instructions below.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the box below into it:

FCopy::
c:\windows\ServicePackFiles\i386\TCPIP.SYS | c:\windows\system32\drivers\TCPIP.SYS
c:\windows\ServicePackFiles\i386\TCPIP.SYS | c:\windows\system32\dllcache\TCPIP.SYS

File::
c:\windows\system32\drivers\czfiaplx.sys
c:\windows\system32\drivers\dnmwzuyv.sys
c:\windows\system32\drivers\hxswzipm.sys
c:\windows\system32\drivers\mifhzhyw.sys
c:\windows\system32\drivers\pumkiecg.sys
c:\windows\system32\drivers\rqbscmyh.sys
c:\windows\system32\drivers\szutpasl.sys
c:\windows\system32\drivers\wdxsjdmv.sys

RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

Driver::
czfiaplx
dnmwzuyv
hxswzipm
mifhzhyw
pumkiecg
rqbscmyh
szutpasl
wdxsjdmv


Save this as CFScript.txt, in the same location as Comfix.exe (called ComboFix.exe in the below graphic)


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe.

If the program requests for you to update Combofix then click Yes.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
m0le is a proud member of UNITE
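
The CFScript in the post above was built by reading two parts of the ComboFix log in #11: the Sigcheck block, where a leading "[-]" marks a copy of TCPIP.SYS whose MD5 matches no known-good ("[7]") copy, and the service list, where eight stopped drivers have eight-letter random-looking names and a missing image file ("[?]"). The script below is an added example (it is not a ComboFix, UNITE or BleepingComputer tool) that parses those two kinds of lines and derives the same FCopy::, File:: and Driver:: sections. The triage rules are my own reading of what the helper did: repair only live copies under system32 from a trusted copy, preferring the ServicePackFiles cache; flag a driver only when its file is missing and its name is eight lowercase letters, so MEMSWEEP2 (missing file, recognisable name) is left alone, as it was in the thread. The RegLock:: section is not derived here, since it comes from the "LOCKED REGISTRY KEYS" block, which the sample omits. The sample input is a constructed excerpt copied from the log in #11.

```python
"""Triage a ComboFix log into a draft CFScript (added example, not a
ComboFix tool). Rules are my own reading of the helper's post in this thread:
  * Sigcheck "[-]" = live system file whose MD5 matches no known-good copy,
    "[7]" = copy ComboFix trusts  ->  FCopy:: trusted copy over the live one;
  * service line with a missing image ("[?]") and an 8-letter random-looking
    name  ->  File:: and Driver:: entries.
RegLock:: is not derived: it comes from the LOCKED REGISTRY KEYS block."""
import re
from collections import defaultdict

# Constructed sample: lines copied from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
------- Sigcheck -------

[-] 2009-01-18 . CBEEBEB899E31EF52B962CB31FC8CA5C . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\TCPIP.SYS
[-] 2009-01-18 . CBEEBEB899E31EF52B962CB31FC8CA5C . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\TCPIP.SYS
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\TCPIP.SYS
[-] 2004-08-10 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\tcpip.sys
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/25/2010 2:22 PM 64288]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [6/23/2009 11:01 AM 12872]
S1 czfiaplx;czfiaplx;\??\c:\windows\system32\drivers\czfiaplx.sys --> c:\windows\system32\drivers\czfiaplx.sys [?]
S1 dnmwzuyv;dnmwzuyv;\??\c:\windows\system32\drivers\dnmwzuyv.sys --> c:\windows\system32\drivers\dnmwzuyv.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\35.tmp --> c:\windows\system32\35.tmp [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/10/2004 7:00 AM 14336]
"""

# "[flag] date . md5 . size . . [version] . . path"
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]+)\] (?P<date>\d{4}-\d{2}-\d{2}) \. (?P<md5>[0-9A-Fa-f]{32}) \. "
    r"(?P<size>\d+) \. \. \[(?P<version>[^\]]*)\] \. \. (?P<path>.+)$")
# "R0 name;display;image [date size]"  or  "S1 name;name;\??\image --> image [?]"
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.+?)\s+"
    r"(?:--> (?P<resolved>.+?)\s+)?\[(?P<info>[^\]]*)\]$")
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}$")  # heuristic, my own choice


def parse_log(text):
    """Split the log into Sigcheck entries and service/driver entries."""
    sigcheck, services = [], []
    for line in text.splitlines():
        line = line.strip()
        m = SIGCHECK_RE.match(line)
        if m:
            sigcheck.append(m.groupdict())
            continue
        m = SERVICE_RE.match(line)
        if m:
            services.append(m.groupdict())
    return sigcheck, services


def sigcheck_repairs(sigcheck):
    """Pair each tampered live copy ('[-]' under system32) with a trusted
    ('[7]') copy of the same file name, preferring the ServicePackFiles cache.
    Returns (source, destination) pairs in FCopy:: order."""
    by_name = defaultdict(list)
    for e in sigcheck:
        by_name[e["path"].rsplit("\\", 1)[-1].lower()].append(e)
    repairs = []
    for group in by_name.values():
        trusted = sorted((e for e in group if e["flag"] == "7"),
                         key=lambda e: "\\servicepackfiles\\" not in e["path"].lower())
        if not trusted:
            continue  # nothing known-good to copy from; leave for manual review
        trusted_hashes = {e["md5"].upper() for e in trusted}
        for e in group:
            if (e["flag"] == "-" and "\\system32\\" in e["path"].lower()
                    and e["md5"].upper() not in trusted_hashes):
                repairs.append((trusted[0]["path"], e["path"]))
    return repairs


def suspicious_drivers(services):
    """Missing image file plus an 8-letter pseudo-random service name.
    MEMSWEEP2 also has a missing file but a recognisable name, so it is kept."""
    return [s for s in services
            if s["info"] == "?" and RANDOM_NAME_RE.match(s["name"])]


def build_cfscript(text):
    """Render the FCopy::, File:: and Driver:: sections of a draft CFScript."""
    sigcheck, services = parse_log(text)
    parts = []
    repairs = sigcheck_repairs(sigcheck)
    if repairs:
        parts.append("FCopy::")
        parts.extend(f"{src} | {dst}" for src, dst in repairs)
        parts.append("")
    bad = suspicious_drivers(services)
    if bad:
        parts.append("File::")
        parts.extend(s["resolved"] or s["image"] for s in bad)
        parts.append("")
        parts.append("Driver::")
        parts.extend(s["name"] for s in bad)
    return "\n".join(parts) + "\n"


if __name__ == "__main__":
    print(build_cfscript(SAMPLE_LOG))
```

Run against the sample, it prints the same FCopy::, File:: and Driver:: lines the helper posted, minus the other six drivers that the excerpt leaves out. The point of the hash check is that both live copies of TCPIP.SYS share one MD5 that none of the trusted copies has, which is why the fix restores them from the service-pack cache rather than deleting anything.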

#13 traveler25

traveler25
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  • Gender:Male
  • Location:San Antonio, TX
  • Local time:08:15 PM

Posted 21 October 2010 - 05:18 PM

Hello

Ran ComboFix with the script, and here is the log. Looks like Greek to me.
Thanks Marcos

ComboFix 10-10-20.04 - HP_Administrator 10/21/2010 16:56:50.3.1 - x86
Running from: c:\documents and settings\HP_Administrator\Desktop\comfix.exe.exe
Command switches used :: c:\documents and settings\HP_Administrator\Desktop\CFScript.txt
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

FILE ::
"c:\windows\system32\drivers\czfiaplx.sys"
"c:\windows\system32\drivers\dnmwzuyv.sys"
"c:\windows\system32\drivers\hxswzipm.sys"
"c:\windows\system32\drivers\mifhzhyw.sys"
"c:\windows\system32\drivers\pumkiecg.sys"
"c:\windows\system32\drivers\rqbscmyh.sys"
"c:\windows\system32\drivers\szutpasl.sys"
"c:\windows\system32\drivers\wdxsjdmv.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\TCPIP.SYS --> c:\windows\system32\drivers\TCPIP.SYS
c:\windows\ServicePackFiles\i386\TCPIP.SYS --> c:\windows\system32\dllcache\TCPIP.SYS
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_czfiaplx
-------\Service_dnmwzuyv
-------\Service_hxswzipm
-------\Service_mifhzhyw
-------\Service_pumkiecg
-------\Service_rqbscmyh
-------\Service_szutpasl
-------\Service_wdxsjdmv


((((((((((((((((((((((((( Files Created from 2010-09-21 to 2010-10-21 )))))))))))))))))))))))))))))))
.

2072-07-31 23:44 . 2004-08-24 20:27 375808 ----a-w- c:\program files\Microsoft Games\Halo\binkw32.dll
2010-10-21 21:25 . 2010-10-07 23:21 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{660A5BB6-11FF-4DBB-93B0-7E840AA13CFD}\mpengine.dll
2010-10-16 17:23 . 2010-10-16 17:23 -------- d-----w- c:\documents and settings\All Users\Microsoft
2010-10-16 17:11 . 2010-10-16 17:11 -------- d-----w- c:\program files\Microsoft Analysis Services
2010-10-16 17:05 . 2010-10-16 17:25 -------- d-----w- c:\windows\SHELLNEW
2010-10-16 17:01 . 2010-10-16 17:01 -------- d-----r- C:\MSOCache
2010-10-15 21:59 . 2010-10-15 21:59 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\SuperEasy
2010-10-15 21:58 . 2010-10-15 21:58 -------- d-----w- c:\program files\SuperEasy Software
2010-10-14 21:34 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-14 21:34 . 2010-09-18 06:53 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
2010-10-14 21:33 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
2010-10-08 17:41 . 2010-10-08 17:41 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}
2010-10-05 20:07 . 2010-10-05 20:07 -------- d-----w- c:\documents and settings\HP_Administrator\New Folder
2010-10-05 19:15 . 2010-10-05 19:16 -------- d-----w- c:\program files\Speccy
2010-10-05 15:52 . 2001-11-27 16:42 61440 ----a-w- c:\windows\_detmp.2
2010-10-05 00:39 . 2010-10-05 00:39 -------- d-----w- C:\~$PVRTmp0$
2010-09-29 04:27 . 2010-10-07 12:32 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\vlc
2010-09-26 18:05 . 2010-09-26 18:05 -------- d-----w- c:\program files\NetLibrary
2010-09-26 12:51 . 2010-09-26 12:51 -------- d-----w- c:\program files\OverDrive Media Console
2010-09-25 20:51 . 2010-09-25 20:51 -------- d-----w- c:\windows\system32\windows media
2010-09-25 20:51 . 2010-09-25 20:51 -------- d--h--w- c:\windows\msdownld.tmp
2010-09-25 20:51 . 2010-09-25 20:51 -------- d-----w- c:\program files\Windows Media Components
2010-09-22 23:10 . 2010-09-22 23:10 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2010-09-22 23:10 . 2010-09-22 23:10 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\HP_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-17 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-09-15 1094224]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\
MaxMem.lnk - c:\program files\AnalogX\MaxMem\maxmem.exe [2010-2-15 125424]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"f:\\uTorrent.exe"=
"c:\\Documents and Settings\\HP_Administrator\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Downloads\\Left.4.Dead.Full-Rip.Skullptura\\Left 4 Dead\\left4dead.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"24383:TCP"= 24383:TCP:BitComet 24383 TCP
"24383:UDP"= 24383:UDP:BitComet 24383 UDP
"57061:TCP"= 57061:TCP:Pando Media Booster
"57061:UDP"= 57061:UDP:Pando Media Booster
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/25/2010 2:22 PM 64288]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [6/23/2009 11:01 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 66632]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [8/12/2010 7:15 AM 1357464]
R3 AV88BASE;Cx2388x Base Driver;c:\windows\system32\drivers\av88base.sys [12/7/2009 7:32 PM 425472]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [8/12/2010 7:15 AM 15008]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\35.tmp --> c:\windows\system32\35.tmp [?]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 9:37 PM 4640000]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 12872]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/10/2004 7:00 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
S4 getPlus® Installer;getPlus® Installer;c:\program files\NOS\bin\getPlus_HelperSvc.exe [8/12/2009 9:47 AM 59552]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder

2010-10-21 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-08-12 17:49]

2010-10-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1442792629-1606164383-696859238-1008Core.job
- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-17 03:10]

2010-10-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1442792629-1606164383-696859238-1008UA.job
- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-17 03:10]

2010-10-21 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-26 02:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MI1933~1\Office14\ONBttnIE.dll/105
Trusted Zone: internet
Trusted Zone: mcafee.com
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\cpxqlop7.default\
FF - prefs.js: browser.search.selectedEngine - Ixquick
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\HP_Administrator\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\HP_Administrator\Application Data\Move Networks\plugins\npqmp071505000011.dll
FF - plugin: c:\documents and settings\HP_Administrator\Local Settings\Application Data\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\progra~1\MI1933~1\Office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\MI1933~1\Office14\NPSPWRAP.DLL
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\35.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(696)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3720)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2010-10-21 17:11:57 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-21 22:11
ComboFix2.txt 2010-10-20 22:36
ComboFix3.txt 2010-10-04 16:46

Pre-Run: 83,048,927,232 bytes free
Post-Run: 82,898,894,848 bytes free

- - End Of File - - 4F669FC5F93897DBDC8F4BE1DBEA276E

#14 m0le (Malware Response Team)

Posted 21 October 2010 - 06:05 PM

That looks better.

Please run ESET's online scanner and then StartupLite

  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Leave the top box checked and then check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.


Then

Please download StartupLite to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve performance.

How is the startup now?
m0le is a proud member of UNITE

#15 traveler25 (Topic Starter)

Posted 24 October 2010 - 10:47 AM

Hello
Ran ESET online scan and nothing was found, ran StartupLite and the only recommendation was to remove an Nvidia driver, but since it was already disabled I left it alone. My PC now boots up fully in less than 2 minutes, whereas before it took over 10 minutes, thanks for all the help.

Will contribute soon.

Thank you Marcos



