Infected with tdl3 alureon rootkit


This topic is locked. 13 replies to this topic

#1 rimmer0910

  • Members
  • 12 posts
  • Local time:07:12 AM

Posted 29 October 2010 - 07:25 AM

Hi there, I'm just looking for some advice on how to get rid of a hidden driver on my computer, which I believe is the reason why, when I try to go to a specific website, I always get redirected. I have run Hitman Pro 3.5.7 and that's when I found this statement:

"the device stack of the hard disk is referencing a hidden driver".

I have been unable to delete it via Hitman Pro; although I know how to find my hidden devices, I just don't know how to delete them or which one it is that is causing the problem.

I am a complete novice to this form of spyware so please help me as much as you can.

I have:-

-enabled my firewall
-disabled CD emulation software
-gained DDS log
-gained GMER log

Here are my logs:-

DDS

DDS (Ver_10-10-21.02) - NTFSx86
Run by Luke at 12:39:16.54 on 29/10/2010
Internet Explorer: 8.0.6001.18975 BrowserJavaVersion: 1.6.0_20
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3032.2002 [GMT 1:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\FsUsbExService.Exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Samsung\EBM\EasyBatteryMgr3.exe
C:\Program Files\Samsung\Samsung Magic Doctor\MagicDoctorKbdHk.exe
C:\Windows\system32\igfxext.exe
C:\Program Files\SAMSUNG\EasySpeedUpManager\EasySpeedUpManager.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Samsung\Samsung New PC Studio\NPSAgent.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\conime.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\explorer.exe
C:\Program Files\Samsung\Samsung Update Plus\SLUTrayNotifier.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Luke\Desktop\dds(2).scr

============== Pseudo HJT Report ===============

uSearch Page =
uStart Page = hxxp://www.google.co.uk/
uSearch Bar =
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.4.6.22.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {EEE6C35B-6118-11DC-9C72-001320C79847} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Power2GoExpress] NA
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [AutoStartNPSAgent] c:\program files\samsung\samsung new pc studio\NPSAgent.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [NPSStartup]
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\users\luke\appdata\roaming\micros~1\windows\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\bitcomet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\program files\bitcomet\tools\BitCometBHO_1.4.6.22.dll/206
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\users\luke\appdata\roaming\mozilla\firefox\profiles\u1gezq5k.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.sweetim.com/search.asp?src=2&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://search.sweetim.com/search.asp?src=2&q=
FF - prefs.js: network.proxy.type - 0
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - component: c:\users\luke\appdata\roaming\mozilla\firefox\profiles\u1gezq5k.default\extensions\{b042753d-f57e-4e8e-a01b-7379a6d4cefb}\components\IBitCometExtension.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

============= SERVICES / DRIVERS ===============

R2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2010-9-17 233472]
R2 KMDFMEMIO;SAMSUNG Kernel Driver;c:\windows\system32\drivers\KMDFMEMIO.sys [2010-8-15 13312]
R3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2010-9-17 36608]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2010-8-14 112128]
R3 VMC326;Vimicro Camera Service VMC326;c:\windows\system32\drivers\VMC326.sys [2010-8-15 238464]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-9-25 135664]

=============== Created Last 30 ================

2010-10-29 01:29:17 231936 ----a-w- c:\windows\system32\msshsq.dll
2010-10-28 18:28:51 -------- d-----w- c:\progra~2\Hitman Pro
2010-10-28 18:27:48 6146896 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{87570f32-b9d6-43b9-8868-18dc66cb469b}\mpengine.dll
2010-10-28 18:27:31 866816 ----a-w- c:\windows\system32\wmpmde.dll
2010-10-28 18:26:29 531968 ----a-w- c:\windows\system32\comctl32.dll
2010-10-27 22:52:28 -------- d-----w- c:\program files\common files\Java(12)
2010-10-20 17:08:33 -------- d-----w- C:\Uninstall
2010-10-20 17:08:33 -------- d-----w- C:\src
2010-10-09 23:36:35 -------- d-----w- c:\program files\iPod
2010-10-09 23:36:34 -------- d-----w- c:\program files\iTunes
2010-10-09 23:35:32 -------- d-----w- c:\program files\QuickTime(174)
2010-10-09 23:35:32 -------- d-----w- c:\progra~2\Apple Computer(181)
2010-10-09 23:33:01 -------- d-----w- c:\program files\Bonjour
2010-10-06 21:26:51 -------- d-----w- C:\.jagex_cache_32
2010-10-03 02:00:34 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2010-10-03 02:00:21 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE
2010-10-01 13:40:39 108032 ----a-w- c:\windows\system32\ff_vfw.dll
2010-10-01 13:40:37 -------- d-----w- c:\program files\ffdshow
2010-10-01 13:20:35 -------- d-----w- c:\users\luke\appdata\local\Fallout3
2010-10-01 13:04:59 237848 ----a-w- c:\windows\system32\xactengine2_4.dll
2010-10-01 13:03:44 81768 ----a-w- c:\windows\system32\xinput1_3.dll
2010-10-01 13:03:44 443752 ----a-w- c:\windows\system32\d3dx10_33.dll
2010-10-01 13:03:44 1123696 ----a-w- c:\windows\system32\D3DCompiler_33.dll
2010-10-01 13:03:43 3495784 ----a-w- c:\windows\system32\d3dx9_33.dll
2010-10-01 13:03:17 -------- d-----w- c:\windows\system32\xlive
2010-10-01 13:02:33 753664 ----a-w- c:\program files\common files\installshield\professional\runtime\11\00\intel32\iKernel.dll
2010-10-01 13:02:33 69714 ----a-w- c:\program files\common files\installshield\professional\runtime\11\00\intel32\ctor.dll
2010-10-01 13:02:33 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\11\00\intel32\DotNetInstaller.exe
2010-10-01 13:02:33 274432 ----a-w- c:\program files\common files\installshield\professional\runtime\11\00\intel32\iscript.dll
2010-10-01 13:02:33 200836 ----a-w- c:\program files\common files\installshield\professional\runtime\11\00\intel32\iGdi.dll
2010-10-01 13:02:33 184320 ----a-w- c:\program files\common files\installshield\professional\runtime\11\00\intel32\iuser.dll
2010-10-01 13:02:32 331908 ----a-w- c:\program files\common files\installshield\professional\runtime\11\00\intel32\setup.dll
2010-10-01 13:00:52 -------- d-----w- c:\program files\DAEMON Tools Lite
2010-09-29 11:44:24 2048 ----a-w- c:\windows\system32\tzres.dll
2010-09-29 11:44:17 13312 ----a-w- c:\program files\internet explorer\iecompat.dll

==================== Find3M ====================

2010-10-19 10:41:44 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-09-25 19:22:40 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-10 16:37:06 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-09-08 06:01:28 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-08 05:57:18 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-08 05:57:05 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-08 05:56:53 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-09-08 05:56:53 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-09-08 05:04:36 385024 ----a-w- c:\windows\system32\html.iec
2010-09-08 04:26:46 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-09-08 04:25:15 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-09-06 16:24:40 125952 ----a-w- c:\windows\system32\srvsvc.dll
2010-09-06 16:23:14 17920 ----a-w- c:\windows\system32\netevent.dll
2010-08-31 15:41:42 954752 ----a-w- c:\windows\system32\mfc40.dll
2010-08-31 15:41:42 954288 ----a-w- c:\windows\system32\mfc40u.dll
2010-08-31 13:39:46 2037248 ----a-w- c:\windows\system32\win32k.sys
2010-08-26 16:07:25 157184 ----a-w- c:\windows\system32\t2embed.dll
2010-08-26 16:01:41 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-08-26 16:01:35 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll
2010-08-26 16:01:33 459776 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2010-08-26 16:01:32 541696 ----a-w- c:\windows\apppatch\AcLayers.dll
2010-08-26 16:01:32 2153984 ----a-w- c:\windows\apppatch\AcGenral.dll
2010-08-26 14:11:10 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-08-17 13:32:33 126464 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-14 22:58:18 319456 ----a-w- c:\windows\DIFxAPI.dll
2010-08-14 22:58:12 315392 ----a-w- c:\windows\HideWin.exe
2010-08-10 15:02:22 274432 ----a-w- c:\windows\system32\schannel.dll
2010-08-10 04:15:58 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-08-10 04:15:58 69632 ----a-w- c:\windows\system32\QuickTime.qts

============= FINISH: 12:41:43.92 ===============

ATTACH

DDS (Ver_10-10-21.02)

Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 15/08/2010 07:25:30
System Uptime: 29/10/2010 12:32:49 (0 hours ago)

Motherboard: SAMSUNG ELECTRONICS CO., LTD. | | R510/P510
Processor: Intel® Core™2 Duo CPU T6400 @ 2.00GHz | U2E1 | 1200/mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 144 GiB total, 69.308 GiB free.
D: is FIXED (NTFS) - 144 GiB total, 107.328 GiB free.
E: is CDROM ()
G: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP125: 13/10/2010 20:25:49 - Scheduled Checkpoint
RP126: 15/10/2010 03:00:20 - Windows Update
RP127: 16/10/2010 00:56:58 - Windows Update
RP128: 28/10/2010 19:03:53 - Restore Operation

==== Installed Programs ======================

7-Zip 4.65
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.2
Adobe Shockwave Player 11.5
Apple Application Support
Apple Software Update
Atheros WLAN Client
BitComet 1.22
CyberLink DVD Suite
CyberLink Power2Go
Easy Battery Manager
Easy Display Manager
Easy Network Manager 3.0
Easy SpeedUp Manager
ffdshow v1.1.3562 [2010-09-07]
Google Toolbar for Internet Explorer
Google Update Helper
Hitman Pro 3.5
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
imagine digital freedom - Samsung
Intel® Graphics Media Accelerator Driver
Intel® Matrix Storage Manager
Java Auto Updater
Java™ 6 Update 20
LabelPrint
LightScribe System Software 1.12.37.1
MagicDisc 2.7.106
Malwarebytes' Anti-Malware
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Games for Windows - LIVE
Microsoft Games for Windows - LIVE Redistributable
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft SOAP Toolkit 2.0 SP2
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Mozilla Firefox (3.6.10)
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Namuga 1.3M Webcam
Play AVStation
Play Camera
PowerDirector
PowerDVD
PowerProducer
QuickTime
Realtek High Definition Audio Driver
Samsung Magic Doctor
SAMSUNG Mobile Composite Device Software
SAMSUNG Mobile Modem Driver Set
Samsung Mobile phone USB driver Software
SAMSUNG Mobile USB Modem 1.0 Software
SAMSUNG Mobile USB Modem Software
Samsung New PC Studio
Samsung New PC Studio USB Driver Installer
Samsung Recovery Solution III
Samsung Update Plus
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2344875)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for 2007 Microsoft Office System (KB982312)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft Office Excel 2007 (KB2345035)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Word 2007 (KB2344993)
Skype Toolbars
Skype™ 4.2
Synaptics Pointing Device Driver
The Settlers 7 - Paths to a Kingdom
Ubisoft Game Launcher
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
User Guide
Winamp
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
WinRAR archiver
Xvid 1.2.1 final uninstall

==== Event Viewer Messages From Past Week ========

28/10/2010 20:16:37, Error: EventLog [6008] - The previous system shutdown at 8:15:06 PM on 10/28/2010 was unexpected.
28/10/2010 19:37:47, Error: Service Control Manager [7024] - The Hitman Pro 3.5 Crusader (Boot) service terminated with service-specific error 0 (0x0).
28/10/2010 19:37:31, Error: Microsoft-Windows-Kernel-General [5] - {Registry Hive Recovered} Registry hive (file): '\??\C:\Users\Luke\AppData\Local\Microsoft\Windows\UsrClass.dat' was corrupted and it has been recovered. Some data might have been lost.
28/10/2010 19:36:57, Error: EventLog [6008] - The previous system shutdown at 7:34:59 PM on 10/28/2010 was unexpected.
28/10/2010 19:22:02, Error: Microsoft-Windows-Windows Defender [2004] - Windows Defender has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures. Signatures Attempted: Current Error Code: 0x8050a001 Error description: The program can't find definition files that help detect unwanted software. Check for updates to the definition files, and then try again. For information on installing updates, see Help and Support. Signatures loading: Backup Loading signature version: 1.91.1591.0 Loading engine version: 1.1.6201.0
28/10/2010 19:20:16, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Google Software Updater service to connect.
28/10/2010 19:20:16, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service gusvc with arguments "" in order to run the server: {89DAE4CD-9F17-4980-902A-99BA84A8F5C8}
27/10/2010 23:45:39, Error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
27/10/2010 23:44:49, Error: EventLog [6008] - The previous system shutdown at 11:42:45 PM on 10/27/2010 was unexpected.
27/10/2010 23:33:11, Error: Microsoft-Windows-DistributedCOM [10016] - The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {4991D34B-80A1-4291-83B6-3328366B9097} to the user Luke-PC\Luke SID (S-1-5-21-2304537606-3560117430-333176861-1000) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
27/10/2010 22:58:03, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
27/10/2010 22:58:03, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Remote Access Connection Manager service, but this action failed with the following error: An instance of the service is already running.
23/10/2010 23:55:53, Error: cdrom [11] - The driver detected a controller error on \Device\CdRom0.

==== End Of File ===========================


GMER

GMER 1.0.15.15477 - http://www.gmer.net
Rootkit scan 2010-10-29 13:15:17
Windows 6.0.6001 Service Pack 1
Running: gmer.exe; Driver: C:\Users\Luke\AppData\Local\Temp\kxldapow.sys


---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1776] USER32.dll!TrackPopupMenu 76F21417 5 Bytes JMP 696CDDE0 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Microsoft Office\Office12\WINWORD.EXE[2548] kernel32.dll!SetUnhandledExceptionFilter 76E16E2D 4 Bytes JMP 63185164 C:\Program Files\Common Files\Microsoft Shared\office12\mso.dll (2007 Microsoft Office component/Microsoft Corporation)
.text C:\Program Files\Microsoft Office\Office12\WINWORD.EXE[2548] ole32.dll!OleLoadFromStream 774A9794 4 Bytes JMP 63C39D32 C:\Program Files\Common Files\Microsoft Shared\office12\mso.dll (2007 Microsoft Office component/Microsoft Corporation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[2948] ntdll.dll!LdrLoadDll 77607933 5 Bytes JMP 00F713F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

Device \Driver\iaStor -> DriverStartIo \Device\Ide\iaStor0 84BECAEA
Device \Driver\iaStor -> DriverStartIo \Device\Ide\IAAStorageDevice-0 84BECAEA
Device \Device\Ide\IAAStorageDevice-1 -> \??\IDE#DiskWDC_WD3200BEVT-35ZCT1___________________11.01A11#4&2a75c234&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Processes - GMER 1.0.15 ----

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\

---- EOF - GMER 1.0.15 ----


#2 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,773 posts
  • Gender: Male
  • Location: Puerto Rico

Posted 06 November 2010 - 06:36 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having, as these can help also.
  • Do not run anything while running a fix.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:

  • Please download DeFogger to your desktop.
  • Double click DeFogger to run the tool.
  • The application window will appear.
  • Click the Disable button to disable your CD Emulation drivers.
  • Click Yes to continue.
  • A 'Finished!' message will appear.
  • Click OK.
  • DeFogger may ask you to reboot the machine; if it does, click OK.

Do not re-enable these drivers until otherwise instructed.

Download DDS:

  • Please download DDS by sUBs from one of the links below and save it to your desktop:

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.

  • Double-click on dds.scr and a command window will appear. This is normal.
  • Shortly after, two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you to save & post the logs.
  • Save the logs to a convenient place such as your desktop.
  • Copy the contents of both logs & post them in your next reply.

Scan With RKUnHooker

  • Please download Rootkit Unhooker and save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (tick) Drivers and Stealth. Uncheck the rest, then click OK.
  • Wait until the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.

Copy the entire contents of the report and paste it in a reply here.

Note: you may get this warning; it is OK:

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"

Just click on Cancel, then Accept.


Information and logs:

In your next post I need the following:

1. Logs from DDS
2. Log from RKUnHooker
3. Let me know of any problems you may have had
Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,773 posts
  • Gender: Male
  • Location: Puerto Rico

Posted 09 November 2010 - 06:08 AM

Hello

Three-day bump

It has been three days since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo

#4 rimmer0910 (Topic Starter)

  • Members
  • 12 posts

Posted 11 November 2010 - 08:06 AM

Hi there, I'm sorry about the late post, but I've been trying to find out whether my computer is still infected and it appears not to be. When I was on my browser, it used to change to different websites etc. But when I did a scan on Hitman Pro, I was able to delete the toolkit. Does that mean it's gone permanently or temporarily?

Sorry again for the late reply,

Rimmer0910

#5 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,773 posts
  • Gender: Male
  • Location: Puerto Rico

Posted 11 November 2010 - 12:05 PM

Hello

The virus may be gone, but here at BC we do more than just remove the virus; we also help close the security problems that let it in. So it would be best just to follow my instructions and let me have the reports that I asked for.


Gringo

#6 rimmer0910 (Topic Starter)

  • Members
  • 12 posts

Posted 12 November 2010 - 07:13 AM

Hi there, I cannot get to the rootkit.com website for that log, but I have the DDS logs here.

DDS (Ver_10-10-21.02) - NTFSx86
Run by Luke at 12:08:32.70 on 12/11/2010
Internet Explorer: 8.0.6001.18975 BrowserJavaVersion: 1.6.0_20
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3032.1403 [GMT 0:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\FsUsbExService.Exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe
C:\Program Files\Samsung\EBM\EasyBatteryMgr3.exe
C:\Program Files\Samsung\Samsung Magic Doctor\MagicDoctorKbdHk.exe
C:\Program Files\SAMSUNG\EasySpeedUpManager\EasySpeedUpManager.exe
C:\Windows\system32\igfxext.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Samsung\Samsung New PC Studio\NPSAgent.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files\Samsung\Samsung Update Plus\SLUTrayNotifier.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10i_ActiveX.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Luke\Desktop\dds(2).scr
C:\Windows\system32\conime.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page =
uStart Page = hxxp://www.google.co.uk/
uSearch Bar =
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.4.6.22.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {EEE6C35B-6118-11DC-9C72-001320C79847} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Power2GoExpress] NA
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [AutoStartNPSAgent] c:\program files\samsung\samsung new pc studio\NPSAgent.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [NPSStartup]
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\users\luke\appdata\roaming\micros~1\windows\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\bitcomet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\program files\bitcomet\tools\BitCometBHO_1.4.6.22.dll/206
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\users\luke\appdata\roaming\mozilla\firefox\profiles\u1gezq5k.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.sweetim.com/search.asp?src=2&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://search.sweetim.com/search.asp?src=2&q=
FF - prefs.js: network.proxy.type - 0
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - component: c:\users\luke\appdata\roaming\mozilla\firefox\profiles\u1gezq5k.default\extensions\{b042753d-f57e-4e8e-a01b-7379a6d4cefb}\components\IBitCometExtension.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

============= SERVICES / DRIVERS ===============

R2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2010-9-17 233472]
R2 KMDFMEMIO;SAMSUNG Kernel Driver;c:\windows\system32\drivers\KMDFMEMIO.sys [2010-8-14 13312]
R3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2010-9-17 36608]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2010-8-14 112128]
R3 VMC326;Vimicro Camera Service VMC326;c:\windows\system32\drivers\VMC326.sys [2010-8-14 238464]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-9-25 135664]

=============== Created Last 30 ================

2010-11-10 02:17:00 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2010-11-09 08:34:08 6146896 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{69027173-61d9-4bef-86e0-a0d412ccecda}\mpengine.dll
2010-10-29 01:29:17 231936 ----a-w- c:\windows\system32\msshsq.dll
2010-10-28 18:28:51 -------- d-----w- c:\progra~2\Hitman Pro
2010-10-28 18:27:31 866816 ----a-w- c:\windows\system32\wmpmde.dll
2010-10-28 18:26:29 531968 ----a-w- c:\windows\system32\comctl32.dll
2010-10-27 22:52:28 -------- d-----w- c:\program files\common files\Java(12)
2010-10-20 17:08:33 -------- d-----w- C:\Uninstall
2010-10-20 17:08:33 -------- d-----w- C:\src

==================== Find3M ====================

2010-10-19 10:41:44 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-09-25 19:22:40 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-10 16:37:06 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-09-08 08:09:46 108032 ----a-w- c:\windows\system32\ff_vfw.dll
2010-09-08 06:01:28 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-08 05:57:18 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-08 05:57:05 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-08 05:56:53 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-09-08 05:56:53 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-09-08 05:04:36 385024 ----a-w- c:\windows\system32\html.iec
2010-09-08 04:26:46 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-09-08 04:25:15 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-09-06 16:24:40 125952 ----a-w- c:\windows\system32\srvsvc.dll
2010-09-06 16:23:14 17920 ----a-w- c:\windows\system32\netevent.dll
2010-08-31 15:41:42 954752 ----a-w- c:\windows\system32\mfc40.dll
2010-08-31 15:41:42 954288 ----a-w- c:\windows\system32\mfc40u.dll
2010-08-31 13:39:46 2037248 ----a-w- c:\windows\system32\win32k.sys
2010-08-26 16:07:25 157184 ----a-w- c:\windows\system32\t2embed.dll
2010-08-26 16:01:41 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-08-26 16:01:35 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll
2010-08-26 16:01:33 459776 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2010-08-26 16:01:32 541696 ----a-w- c:\windows\apppatch\AcLayers.dll
2010-08-26 16:01:32 2153984 ----a-w- c:\windows\apppatch\AcGenral.dll
2010-08-26 14:11:10 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-08-17 13:32:33 126464 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-14 22:58:18 319456 ----a-w- c:\windows\DIFxAPI.dll
2010-08-14 22:58:12 315392 ----a-w- c:\windows\HideWin.exe

============= FINISH: 12:08:56.51 ===============



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-10-21.02)

Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 15/08/2010 07:25:30
System Uptime: 11/11/2010 09:15:00 (27 hours ago)

Motherboard: SAMSUNG ELECTRONICS CO., LTD. | | R510/P510
Processor: Intel® Core™2 Duo CPU T6400 @ 2.00GHz | U2E1 | 1600/mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 144 GiB total, 54.151 GiB free.
D: is FIXED (NTFS) - 144 GiB total, 107.621 GiB free.
E: is CDROM ()
G: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4d36e97d-e325-11ce-bfc1-08002be10318}
Description: Microsoft Composite Battery
Device ID: ROOT\COMPOSITE_BATTERY\0000
Manufacturer: Microsoft
Name: Microsoft Composite Battery
PNP Device ID: ROOT\COMPOSITE_BATTERY\0000
Service: Compbatt

==== System Restore Points ===================

RP158: 06/11/2010 18:10:29 - Scheduled Checkpoint
RP159: 07/11/2010 14:16:40 - Scheduled Checkpoint
RP160: 09/11/2010 03:07:13 - Scheduled Checkpoint
RP161: 09/11/2010 08:33:53 - Windows Update
RP162: 10/11/2010 03:00:11 - Windows Update
RP163: 10/11/2010 22:34:19 - Scheduled Checkpoint
RP164: 11/11/2010 22:42:25 - Scheduled Checkpoint

==== Installed Programs ======================

7-Zip 4.65
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.2
Adobe Shockwave Player 11.5
Apple Application Support
Apple Software Update
Atheros WLAN Client
BitComet 1.22
CyberLink DVD Suite
CyberLink Power2Go
Easy Battery Manager
Easy Display Manager
Easy Network Manager 3.0
Easy SpeedUp Manager
ffdshow v1.1.3562 [2010-09-07]
Google Toolbar for Internet Explorer
Google Update Helper
Hitman Pro 3.5
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
imagine digital freedom - Samsung
Intel® Graphics Media Accelerator Driver
Intel® Matrix Storage Manager
Java Auto Updater
Java™ 6 Update 20
LabelPrint
LightScribe System Software 1.12.37.1
MagicDisc 2.7.106
Malwarebytes' Anti-Malware
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Games for Windows - LIVE
Microsoft Games for Windows - LIVE Redistributable
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft SOAP Toolkit 2.0 SP2
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Mozilla Firefox (3.6.12)
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Namuga 1.3M Webcam
Play AVStation
Play Camera
PowerDirector
PowerDVD
PowerProducer
QuickTime
Realtek High Definition Audio Driver
Samsung Magic Doctor
SAMSUNG Mobile Composite Device Software
SAMSUNG Mobile Modem Driver Set
Samsung Mobile phone USB driver Software
SAMSUNG Mobile USB Modem 1.0 Software
SAMSUNG Mobile USB Modem Software
Samsung New PC Studio
Samsung New PC Studio USB Driver Installer
Samsung Recovery Solution III
Samsung Update Plus
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2289158)
Security Update for 2007 Microsoft Office System (KB2344875)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft Office Excel 2007 (KB2345035)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Word 2007 (KB2344993)
Skype Toolbars
Skype™ 4.2
Synaptics Pointing Device Driver
The Settlers 7 - Paths to a Kingdom
Ubisoft Game Launcher
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
User Guide
Winamp
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
WinRAR archiver
Xvid 1.2.1 final uninstall

==== Event Viewer Messages From Past Week ========

10/11/2010 22:33:58, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Netman service.
10/11/2010 16:50:29, Error: EventLog [6008] - The previous system shutdown at 4:40:49 PM on 11/10/2010 was unexpected.
10/11/2010 14:18:24, Error: EventLog [6008] - The previous system shutdown at 1:52:51 PM on 11/10/2010 was unexpected.
09/11/2010 19:37:52, Error: EventLog [6008] - The previous system shutdown at 7:36:39 PM on 11/9/2010 was unexpected.
08/11/2010 22:01:27, Error: EventLog [6008] - The previous system shutdown at 10:00:31 PM on 11/8/2010 was unexpected.
08/11/2010 12:02:20, Error: EventLog [6008] - The previous system shutdown at 12:00:59 PM on 11/8/2010 was unexpected.
07/11/2010 13:05:43, Error: EventLog [6008] - The previous system shutdown at 1:00:06 PM on 11/7/2010 was unexpected.
06/11/2010 12:27:13, Error: EventLog [6008] - The previous system shutdown at 12:26:15 PM on 11/6/2010 was unexpected.
06/11/2010 02:53:45, Error: EventLog [6008] - The previous system shutdown at 2:51:58 AM on 11/6/2010 was unexpected.
05/11/2010 17:35:54, Error: Service Control Manager [7024] - The Hitman Pro 3.5 Crusader (Boot) service terminated with service-specific error 0 (0x0).
05/11/2010 17:35:54, Error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
05/11/2010 11:30:47, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Background Intelligent Transfer Service service, but this action failed with the following error: An instance of the service is already running.
05/11/2010 11:28:40, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.

==== End Of File ===========================
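The GMER process section in the first post and the DDS pseudo-HJT report above are the kind of log a helper reads by eye. As an added example (my own code, not a BleepingComputer tool and not part of this thread), the Python script below pulls out the three indicators this thread turns on: GMER "Process (*** hidden ***)" lines, BHO/toolbar CLSIDs registered with "No File", and Firefox search prefs whose URL host is outside an expected set. The sample log embedded in it is constructed from lines modelled on the ones posted here (including the search.sweetim.com prefs), and the expected-host allowlist is an assumption made for the sample.

```python
"""Triage of DDS / GMER style logs: added example, not a BleepingComputer tool."""
import re
from urllib.parse import urlparse

# Constructed sample built from lines modelled on the logs posted in this
# thread (GMER process section and DDS "Pseudo HJT Report" / Firefox prefs).
SAMPLE_LOG = r"""
Process (*** hidden *** ) -2023285984
Process (*** hidden *** ) -2023041960
Process (*** hidden *** ) -1998136680

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
TB: {EEE6C35B-6118-11DC-9C72-001320C79847} - No File
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
FF - prefs.js: browser.search.defaulturl - hxxp://search.sweetim.com/search.asp?src=2&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://search.sweetim.com/search.asp?src=2&q=
FF - prefs.js: network.proxy.type - 0
"""

# Firefox prefs that decide where typed searches and the home page go.
SEARCH_PREFS = {"browser.search.defaulturl", "keyword.URL", "browser.startup.homepage"}

# Hosts the user expects in those prefs (an assumption for this sample; a
# real allowlist is whatever the machine's owner actually set).
EXPECTED_SEARCH_HOSTS = {"www.google.co.uk", "www.google.com", "en-us.start3.mozilla.com"}

HIDDEN_PROC_RE = re.compile(r"^Process \(\*\*\* hidden \*\*\* \) (-?\d+)\s*$")
ORPHAN_RE = re.compile(r"^(BHO|TB): (\{[0-9A-Fa-f-]+\}) - No File\s*$")
FF_PREF_RE = re.compile(r"^FF - prefs\.js: (\S+) - (\S+)\s*$")


def count_hidden_processes(log_text):
    """Count GMER 'Process (*** hidden ***)' lines. A non-zero count means the
    kernel's process list and GMER's own enumeration disagree, which is the
    symptom a helper follows up on; it does not name the cause."""
    return sum(1 for line in log_text.splitlines() if HIDDEN_PROC_RE.match(line))


def orphaned_clsids(log_text):
    """BHO / toolbar CLSIDs still registered in IE whose DLL is gone ('No File').
    Usually uninstall leftovers, but cheap to list so the helper can decide."""
    found = []
    for line in log_text.splitlines():
        m = ORPHAN_RE.match(line)
        if m:
            found.append(m.group(2))
    return found


def _host_of(defanged_url):
    # DDS defangs URLs as hxxp:// so they cannot be clicked; refang to parse.
    url = re.sub(r"^hxxp", "http", defanged_url, flags=re.IGNORECASE)
    return (urlparse(url).hostname or "").lower()


def search_hijack_prefs(log_text, expected_hosts=EXPECTED_SEARCH_HOSTS):
    """Firefox search / home-page prefs whose URL host is outside the expected
    set, returned as (pref, host) pairs. This is the redirect symptom the
    topic starter describes, seen from the configuration side."""
    allowed = {h.lower() for h in expected_hosts}
    findings = []
    for line in log_text.splitlines():
        m = FF_PREF_RE.match(line)
        if not m or m.group(1) not in SEARCH_PREFS:
            continue
        host = _host_of(m.group(2))
        if host and host not in allowed:
            findings.append((m.group(1), host))
    return findings


def triage(log_text):
    """One dict with the three indicators, for a quick read before asking for more logs."""
    return {
        "hidden_processes": count_hidden_processes(log_text),
        "orphaned_clsids": orphaned_clsids(log_text),
        "search_prefs_off_allowlist": search_hijack_prefs(log_text),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it as a script to print the summary for the embedded sample, or import it and call triage() on a saved DDS or GMER log. A hidden-process count above zero only says that two enumeration methods disagree; it is a reason to hand the log to a helper, not proof of any particular rootkit, and the "No File" entries are usually harmless leftovers that the helper will simply clean up.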

#7 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,773 posts
  • Gender: Male
  • Location: Puerto Rico

Posted 12 November 2010 - 09:28 AM

Hello

I would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run ComboFix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out >here< or >here<.

ComboFix may need to reboot your computer more than once to do its job; this is normal.

You can download ComboFix from one of these links:
Link 1
Link 2
Link 3

1. Close any open browsers or any other programs that are open.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

Information and logs:

In your next post I need the following:

  • Log from ComboFix
  • Let me know of any problems you may have had
  • How is the computer doing now?

Gringo

#8 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,773 posts
  • Gender: Male
  • Location: Puerto Rico

Posted 15 November 2010 - 12:44 AM

Hello

Three-day bump

It has been three days since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo

#9 rimmer0910 (Topic Starter)

  • Members
  • 12 posts

Posted 15 November 2010 - 09:14 AM

Here's the ComboFix log; there were no problems or issues...

ComboFix 10-11-14.04 - Luke 15/11/2010 13:58:13.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3032.1627 [GMT 0:00]
Running from: c:\users\Luke\Downloads\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Luke\Desktop\Internet Explorer.lnk

.
((((((((((((((((((((((((( Files Created from 2010-10-15 to 2010-11-15 )))))))))))))))))))))))))))))))
.

2010-11-15 14:04 . 2010-11-15 14:04 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-11-15 01:20 . 2010-11-15 01:20 -------- d-----w- c:\program files\Bullfrog
2010-11-15 01:20 . 1998-07-30 12:51 305152 ----a-w- c:\windows\IsUninst.exe
2010-11-12 14:52 . 2010-10-07 23:21 6146896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{D25CB623-A150-4BF3-892F-6FAF09A16A17}\mpengine.dll
2010-11-12 12:31 . 2009-10-20 20:34 162320 ----a-w- c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
2010-11-12 12:30 . 2010-11-12 12:42 113933 ----a-w- c:\windows\system32\drivers\klin.dat
2010-11-12 12:30 . 2010-11-12 12:42 97549 ----a-w- c:\windows\system32\drivers\klick.dat
2010-11-12 12:29 . 2010-11-15 01:35 -------- d-----w- c:\programdata\Kaspersky Lab
2010-11-12 12:29 . 2010-11-12 12:29 -------- d-----w- c:\program files\Kaspersky Lab
2010-11-12 12:28 . 2010-11-12 12:28 -------- d-----w- c:\programdata\Kaspersky Lab Setup Files
2010-11-10 02:17 . 2010-10-07 11:35 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2010-10-29 01:29 . 2010-09-20 09:25 231936 ----a-w- c:\windows\system32\msshsq.dll
2010-10-28 18:28 . 2010-10-28 18:34 -------- d-----w- c:\programdata\Hitman Pro
2010-10-28 18:27 . 2010-08-20 15:21 866816 ----a-w- c:\windows\system32\wmpmde.dll
2010-10-28 18:26 . 2010-08-31 15:40 531968 ----a-w- c:\windows\system32\comctl32.dll
2010-10-27 22:52 . 2010-10-27 22:52 -------- d-----w- c:\program files\Common Files\Java(12)
2010-10-21 15:39 . 2010-10-21 15:39 -------- d-----w- c:\programdata\CyberLink
2010-10-21 15:10 . 2010-10-21 15:11 -------- d-----w- c:\users\Luke\AppData\Roaming\CyberLink
2010-10-21 15:10 . 2010-10-21 15:10 -------- d-----w- c:\users\Public\CyberLink
2010-10-20 17:08 . 2010-10-20 17:09 -------- d-----w- C:\Uninstall
2010-10-20 17:08 . 2010-10-20 17:08 -------- d-----w- C:\src
2010-10-20 14:39 . 2010-10-28 21:19 -------- d-----w- c:\program files\Ubisoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-15 01:33 . 2010-08-14 23:41 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-10-19 10:41 . 2010-08-15 00:34 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-09-25 19:22 . 2010-09-25 19:22 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-17 22:45 . 2007-10-25 16:26 5632 ----a-w- c:\windows\system32\drivers\StarOpen.sys
2010-09-08 08:09 . 2010-10-01 13:40 108032 ----a-w- c:\windows\system32\ff_vfw.dll
2010-08-26 16:01 . 2010-10-28 18:29 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll
2010-08-26 16:01 . 2010-10-28 18:29 459776 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2010-08-26 16:01 . 2010-10-28 18:29 541696 ----a-w- c:\windows\apppatch\AcLayers.dll
2010-08-26 16:01 . 2010-10-28 18:29 2153984 ----a-w- c:\windows\apppatch\AcGenral.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-03-17 2289664]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-16 3872080]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-09-02 13351304]
"AutoStartNPSAgent"="c:\program files\Samsung\Samsung New PC Studio\NPSAgent.exe" [2010-09-17 102400]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-09-25 39408]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-08-19 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-08-19 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-08-19 145944]
"RtHDVCpl"="RtHDVCpl.exe" [2008-04-17 6111232]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-10-26 1029416]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-14 71216]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-08 52256]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-10 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe" [2010-11-12 340520]

c:\users\Luke\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2010-8-14 576000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\KASPER~1\KASPER~1\mzvkbd3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-09-25 135664]
S0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-10-14 36880]
S0 sptd;sptd;c:\windows\\SystemRoot\System32\Drivers\sptd.sys [x]
S1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\DRIVERS\klim6.sys [2009-09-14 21520]
S2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2009-01-08 233472]
S2 KMDFMEMIO;SAMSUNG Kernel Driver;c:\windows\system32\DRIVERS\kmdfmemio.sys [2006-11-14 13312]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.SYS [2009-01-08 36608]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-06-29 112128]
S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\DRIVERS\klmouflt.sys [2009-10-02 19472]
S3 VMC326;Vimicro Camera Service VMC326;c:\windows\system32\Drivers\VMC326.sys [2008-09-03 238464]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-03-17 16:56 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-11-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-25 19:24]

2010-11-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-25 19:24]

2010-11-15 c:\windows\Tasks\User_Feed_Synchronization-{A70CE42E-5EA5-437C-938B-F31E84B12A39}.job
- c:\windows\system32\msfeedssync.exe [2010-10-28 04:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: Add to Anti-Banner - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
FF - ProfilePath - c:\users\Luke\AppData\Roaming\Mozilla\Firefox\Profiles\u1gezq5k.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.sweetim.com/search.asp?src=2&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://search.sweetim.com/search.asp?src=2&q=
FF - prefs.js: network.proxy.type - 0
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - component: c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - component: c:\users\Luke\AppData\Roaming\Mozilla\Firefox\Profiles\u1gezq5k.default\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}\components\IBitCometExtension.dll
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{EEE6C35B-6118-11DC-9C72-001320C79847} - (no file)
HKLM-Run-Malwarebytes Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\mbam.exe
HKLM-Run-NPSStartup - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-15 14:04
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-11-15 14:06:36
ComboFix-quarantined-files.txt 2010-11-15 14:06

Pre-Run: 62,458,597,376 bytes free
Post-Run: 62,860,705,792 bytes free

- - End Of File - - CDD86597E6B04ADA7741DB1D8EBD3F08

#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:03:12 AM

Posted 15 November 2010 - 12:18 PM

Hello

when I try to go to a specific website I always get redirected.

What website, or is it any website?


Gringo

#11 rimmer0910

rimmer0910
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:07:12 AM

Posted 15 November 2010 - 04:59 PM

hello,

It used to be every website I went on via the Google search engine, but it doesn't happen anymore! That's why I thought I had gotten rid of it.

#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:03:12 AM

Posted 15 November 2010 - 05:30 PM

Hello

That's good, because I haven't seen much in the logs.



Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs

1. click on start
2. then go to settings
3. after that you need control panel
4. look for the icon add/remove programs
click on the following programs

Adobe Reader 8.1.2

and click on remove

Update Adobe Reader

Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader(7 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

Note: When installing Foxit Reader, be careful not to install anything to do with AskBar.
Your Java is out of date.

It can be updated by the Java control panel
  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup) -> Update Tab -> Update Now.
  • An update should begin;
  • follow the prompts

Clear your Java Cache

  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      Applications and Applets
      Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.

TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo


#13 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:03:12 AM

Posted 18 November 2010 - 02:59 AM

Hello

three day bump

It has been three days since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo

#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:03:12 AM

Posted 21 November 2010 - 02:40 AM

Due to lack of feedback, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

The fixes and advice in this thread are for this machine only.
Do not apply the instructions from this thread to your own machine.
Please start a new thread describing your issue and someone will be along to assist you.


With Regards,
Gringo



