Plausible rootkit becoming a bother


  • This topic is locked
21 replies to this topic

#1 TubesockExtravaganza


  • Members
  • 15 posts
  • OFFLINE
  • Local time:05:33 AM

Posted 17 November 2010 - 09:19 AM

Original post located here.

Basically, I was having issues with AVG crying about volsnap.sys at the same time as having redirect issues with IExplorer and Firefox. That seems to have passed, but now my resident shield won't shut up about explorer.exe and wininit.exe, I assume because it's used so frequently. I've been leaving it (resident shield) shut off for now.

I tried gmer twice and it crashed my computer twice via the fancy new windows BSOD, but I have some logs posted in the previous post that I linked that worked okay.

DDS (Ver_10-11-10.01) - NTFSx86
Run by LordSyren at 12:12:09.46 on Mon 11/15/2010
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_17
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2045.1325 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Spybot - Search and Destroy *enabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Windows\system32\lsm.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
C:\Windows\System32\Ctxfihlp.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Games\Steam\Steam.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Windows\SYSTEM32\CTXFISPI.EXE
C:\Windows\ehome\ehmsas.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\PnkBstrB.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Windows\system32\wuauclt.exe
C:\Users\LordSyren\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\LordSyren\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\LordSyren\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\igfxsrvc.exe
C:\Users\LordSyren\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\LordSyren\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uWindow Title = Internet Explorer provided by Dell
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Cooliris Plug-In for Internet Explorer: {eaee5c74-6d0d-4aca-9232-0da4a7b866ba} - c:\program files\piclensie\cooliris.dll
TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - c:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dll
TB: Veoh Video Compass: {52836eb0-631a-47b1-94a6-61f9d9112dae} - c:\program files\veoh networks\veoh video compass\SearchRecsPlugin.dll
TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [Steam] "c:\games\steam\steam.exe" -silent
uRun: [WebCamRT.exe]
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe"
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [<NO NAME>]
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [Google Update] "c:\users\lordsyren\appdata\local\google\update\GoogleUpdate.exe" /c
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
mRun: [VolPanel] "c:\program files\creative\sound blaster x-fi\volume panel\VolPanlu.exe" /r
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [Easy Dock]
mRun: [BlackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background
mRun: [<NO NAME>]
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
IE: Sothink SWF Catcher - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {3437D640-C91A-458f-89F5-B9095EA4C28B} - {04F93351-81D2-4484-9982-0D55DEFFFAE6} - c:\program files\piclensie\cooliris.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} - hxxp://site.ebrary.com.bob.csueastbay.edu/lib/csueastbay/support/plugins/ebraryRdr.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} - hxxp://i.dell.com/images/global/js/scanner/SysProExe.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.10.115.cab
DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} - hxxp://dl.tvunetworks.com/TVUAx.cab
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} - hxxp://messenger.zone.msn.com/EN-US/a-LUXR/mjolauncher.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: avgrsstx.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\users\lordsy~1\appdata\roaming\mozilla\firefox\profiles\72uzzk00.default\
FF - prefs.js: browser.startup.homepage - www.barbies.com
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\download manager\npfpdlm.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dv.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dvstreaming.dll
FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\npWebPlayerVideoPluginATL.dll
FF - plugin: c:\users\lordsyren\appdata\local\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-11-1 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-11-1 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-3-5 243024]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-15 308136]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2008-10-9 1153368]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2010-7-9 248936]
R3 scrcap;scrcap;c:\windows\system32\drivers\scrcap.sys [2006-12-27 9006]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-29 135664]
S2 HitachiBackupService;Hitachi Backup Service;"c:\program files\hitachi\hitachi backup\hitachibackupservice.exe" --> c:\program files\hitachi\hitachi backup\HitachiBackupService.exe [?]

=============== Created Last 30 ================

2010-11-13 19:03:08 227896 ----a-w- c:\windows\system32\drivers\volsnap.sys
2010-11-11 05:18:30 -------- d-----w- C:\162aead0c9b3c476755e522df8773a
2010-11-10 17:24:23 -------- d-----w- c:\program files\ETS
2010-11-10 12:29:48 94848 ----a-w- C:\uxldypob.sys
2010-11-10 12:17:42 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2010-11-10 02:21:06 -------- d-----w- c:\users\lordsy~1\appdata\roaming\SUPERAntiSpyware.com
2010-11-10 02:21:06 -------- d-----w- c:\progra~2\SUPERAntiSpyware.com
2010-11-10 02:21:00 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-11-03 13:29:20 697690 ----a-w- c:\windows\unins000.exe
2010-11-03 13:29:20 -------- d-----w- c:\program files\common files\SourceTec
2010-10-27 13:23:02 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-10-27 13:23:02 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-10-19 13:02:30 -------- d-----w- c:\users\lordsy~1\appdata\local\FalloutNV

==================== Find3M ====================

2010-10-12 15:09:41 1409 ----a-w- c:\windows\QTFont.for
2010-09-29 21:52:24 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-09-20 09:25:01 231936 ----a-w- c:\windows\system32\msshsq.dll
2010-09-10 16:37:06 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-09-08 17:26:59 833024 ----a-w- c:\windows\system32\wininet.dll
2010-09-08 17:23:42 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-09-08 15:53:07 389632 ----a-w- c:\windows\system32\html.iec
2010-09-08 15:28:29 1383424 ----a-w- c:\windows\system32\mshtml.tlb
2010-09-06 16:24:40 125952 ----a-w- c:\windows\system32\srvsvc.dll
2010-09-06 16:23:14 17920 ----a-w- c:\windows\system32\netevent.dll
2010-08-31 15:41:42 954752 ----a-w- c:\windows\system32\mfc40.dll
2010-08-31 15:41:42 954288 ----a-w- c:\windows\system32\mfc40u.dll
2010-08-31 15:40:26 531968 ----a-w- c:\windows\system32\comctl32.dll
2010-08-31 13:39:46 2037248 ----a-w- c:\windows\system32\win32k.sys
2010-08-26 16:07:25 157184 ----a-w- c:\windows\system32\t2embed.dll
2010-08-26 16:01:35 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll
2010-08-26 16:01:33 459776 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2010-08-26 16:01:32 541696 ----a-w- c:\windows\apppatch\AcLayers.dll
2010-08-26 16:01:32 2153984 ----a-w- c:\windows\apppatch\AcGenral.dll
2010-08-20 15:21:02 866816 ----a-w- c:\windows\system32\wmpmde.dll

============= FINISH: 12:13:57.59 ===============

Edited by TubesockExtravaganza, 17 November 2010 - 09:20 AM.


#2 1972vet


  • Malware Response Team
  • 1,698 posts
  • OFFLINE
  • Gender:Male
  • Location:Midwest U.S.A.
  • Local time:07:33 AM

Posted 17 November 2010 - 10:14 PM

Greetings, and welcome to the forums,

Your hard disk is strapped for space to operate. The log indicates the size of the disk as 288 gigs. The system needs at least 15 percent of that even to run the disk defragmentation utility. You have invaded that space by another 3 gigs. Long and short of it is, you need 15% and you only have roughly 13%. Remove/delete/uninstall what you know you can do without. In addition to that, you have some software that needs to go for security reasons. File sharing software is dangerous. You have no idea who uploaded to any of the shared servers that they use...do you? It would be in your best interest to uninstall any program you know with certainty that you downloaded using the file sharing software. As well, you should delete every single file you downloaded using said software, to include music/video/program(s).

These need to go:
BitTorrent
DNA
Java™ 6 Update 17
Java™ 6 Update 4
Java™ 6 Update 7
Java™ SE Runtime Environment 6
LimeWire 4.16.6
Viewpoint Media Player

...when finished uninstalling, please reboot the computer.

Please download combofix from This Webpage...and read through the instructions there for running the tool.

***Important Note***

Please read through the guidance on that web page carefully and thoroughly...and install the Recovery Console. Using this tool without the Recovery Console installed is NOT RECOMMENDED.

If you have Windows Vista or Windows 7, you can skip the recovery console step...in Vista/7 it's in the System Recovery Options menu. The System Recovery Options menu is on the Windows Vista or Windows 7 installation disc. If Windows doesn't start correctly, you can use these tools to repair startup problems.


The Windows Recovery Console will allow you to boot into a special recovery (repair) mode that is not otherwise available. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It's a simple procedure that will only take a few moments.

Once installed, a blue screen prompt should appear that reads as follows:

The Recovery Console was successfully installed.
When you see that screen, please continue as follows:
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a log file for you. Please post that log back here on your next reply. Thanks!
Note:
Do not mouse-click ComboFix's window while it's running...that may cause the scan to stall.

Disabled Veteran, U.S.C.G. 1972 - 1978
2009 - 2013

Member: U.N.I.T.E.
Performance and Maintenance for Windows XP, Windows Vista and Windows Seven


#3 TubesockExtravaganza

  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:05:33 AM

Posted 18 November 2010 - 03:47 PM

Didn't know how ye wanted it, so I just posted it both ways.

Wasn't able to uninstall Viewpoint, whatever THAT is, due to me not being an administrator. Which is weird, because I AM an administrator.

Also had to uninstall AVG because I couldn't figure out how to simply disable it.


ComboFix 10-11-17.04 - LordSyren 11/18/2010 13:20:43.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2045.1225 [GMT -7:00]
Running from: c:\users\LordSyren\Desktop\ComboFix.exe
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Install.exe
c:\windows\AppPatch\Custom\{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb

.
((((((((((((((((((((((((( Files Created from 2010-10-18 to 2010-11-18 )))))))))))))))))))))))))))))))
.

2010-11-18 20:31 . 2010-11-18 20:32 -------- d-----w- c:\users\LordSyren\AppData\Local\temp
2010-11-18 20:31 . 2010-11-18 20:31 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-11-13 19:03 . 2008-01-19 07:42 227896 ----a-w- c:\windows\system32\drivers\volsnap.sys
2010-11-11 05:18 . 2010-11-11 05:18 -------- d-----w- C:\162aead0c9b3c476755e522df8773a
2010-11-10 17:24 . 2010-11-10 17:24 -------- d-----w- c:\program files\ETS
2010-11-10 12:29 . 2010-11-10 12:29 94848 ----a-w- C:\uxldypob.sys
2010-11-10 12:17 . 2010-10-07 11:35 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2010-11-10 02:21 . 2010-11-10 02:21 -------- d-----w- c:\users\LordSyren\AppData\Roaming\SUPERAntiSpyware.com
2010-11-10 02:21 . 2010-11-10 02:21 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-11-10 02:21 . 2010-11-10 02:28 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-11-03 13:29 . 2010-11-03 13:29 -------- d-----w- c:\program files\Common Files\SourceTec
2010-11-03 13:29 . 2010-11-03 13:28 697690 ----a-w- c:\windows\unins000.exe
2010-10-27 13:23 . 2010-08-26 16:01 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-10-27 13:23 . 2010-08-26 14:11 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-14 08:36 . 2010-10-14 08:36 15451288 ----a-w- c:\windows\system32\xlive.dll
2010-10-14 08:36 . 2010-10-14 08:36 13642904 ----a-w- c:\windows\system32\xlivefnt.dll
2010-10-12 15:09 . 2010-10-12 15:09 1409 ----a-w- c:\windows\QTFont.for
2010-09-29 21:52 . 2008-02-02 23:14 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-09-20 09:25 . 2010-10-15 05:50 231936 ----a-w- c:\windows\system32\msshsq.dll
2010-09-10 16:37 . 2010-10-14 13:05 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-09-08 17:26 . 2010-10-14 13:04 833024 ----a-w- c:\windows\system32\wininet.dll
2010-09-08 17:23 . 2010-10-14 13:04 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-09-08 15:53 . 2010-10-14 13:04 389632 ----a-w- c:\windows\system32\html.iec
2010-09-08 15:28 . 2010-10-14 13:04 1383424 ----a-w- c:\windows\system32\mshtml.tlb
2010-09-06 16:24 . 2010-10-14 13:04 125952 ----a-w- c:\windows\system32\srvsvc.dll
2010-09-06 16:23 . 2010-10-14 13:04 17920 ----a-w- c:\windows\system32\netevent.dll
2010-09-06 14:13 . 2010-10-14 13:04 303616 ----a-w- c:\windows\system32\drivers\srv.sys
2010-09-06 14:12 . 2010-10-14 13:04 145408 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-09-06 14:12 . 2010-10-14 13:04 101888 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-08-31 15:41 . 2010-10-14 13:04 954752 ----a-w- c:\windows\system32\mfc40.dll
2010-08-31 15:41 . 2010-10-14 13:04 954288 ----a-w- c:\windows\system32\mfc40u.dll
2010-08-31 15:40 . 2010-10-14 13:04 531968 ----a-w- c:\windows\system32\comctl32.dll
2010-08-31 13:39 . 2010-10-14 13:04 2037248 ----a-w- c:\windows\system32\win32k.sys
2010-08-26 16:07 . 2010-10-14 13:04 157184 ----a-w- c:\windows\system32\t2embed.dll
2010-08-26 16:01 . 2010-10-27 13:23 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll
2010-08-26 16:01 . 2010-10-27 13:23 459776 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2010-08-26 16:01 . 2010-10-27 13:23 541696 ----a-w- c:\windows\apppatch\AcLayers.dll
2010-08-26 16:01 . 2010-10-27 13:23 2153984 ----a-w- c:\windows\apppatch\AcGenral.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"Steam"="c:\games\steam\steam.exe" [2010-11-17 1242448]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-01-03 486856]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-17 68856]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]
"Google Update"="c:\users\LordSyren\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-03-18 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-25 17920]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" [2007-04-17 184320]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2008-10-24 79136]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-25 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-25 154136]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-25 129560]
"CTxfiHlp"="CTXFIHLP.EXE" [2007-09-24 23552]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-07-02 623960]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2009-04-11 236016]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0\bin\jusched.exe" [2007-12-17 77824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http:" [X]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-12-17 50688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Users^LordSyren^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Hitachi LifeStudio Tray.lnk]
path=c:\users\LordSyren\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Hitachi LifeStudio Tray.lnk
backup=c:\windows\pss\Hitachi LifeStudio Tray.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-04-12 22:46 1135912 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Livestream Procaster]
2009-09-09 20:42 6313248 ----a-w- c:\program files\Livestream Procaster\Procaster.exe

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 135664]
R2 HitachiBackupService;Hitachi Backup Service;c:\program files\Hitachi\Hitachi Backup\HitachiBackupService.exe [x]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2008-01-06 715248]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-07-09 248936]
S3 scrcap;scrcap;c:\windows\system32\DRIVERS\scrcap.sys [2006-12-27 9006]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
.
Contents of the 'Scheduled Tasks' folder

2010-11-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 18:21]

2010-11-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 18:21]

2010-11-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1608670652-4244503431-1297419289-1000Core.job
- c:\users\LordSyren\AppData\Local\Google\Update\GoogleUpdate.exe [2010-09-26 12:31]

2010-11-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1608670652-4244503431-1297419289-1000UA.job
- c:\users\LordSyren\AppData\Local\Google\Update\GoogleUpdate.exe [2010-09-26 12:31]

2010-11-18 c:\windows\Tasks\User_Feed_Synchronization-{0BDCC9AA-C9B4-45ED-A087-FFFDCB424B6B}.job
- c:\windows\system32\msfeedssync.exe [2008-09-30 07:33]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
FF - ProfilePath - c:\users\LordSyren\AppData\Roaming\Mozilla\Firefox\Profiles\72uzzk00.default\
FF - prefs.js: browser.startup.homepage - www.barbies.com
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\NVIDIA Corporation\3D Vision\npnv3dv.dll
FF - plugin: c:\program files\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
FF - plugin: c:\users\LordSyren\AppData\Local\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-WebCamRT.exe - (no file)
HKLM-Run-Easy Dock - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-18 13:31
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTxfiHlp = CTXFIHLP.EXE?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\bopqoityspfongm]
"imagepath"="\??\c:\windows\TEMP\E24C.tmp"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\pseobbhcchqtpdp]
"imagepath"="\??\c:\windows\TEMP\E0E5.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.flac\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ogg\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pls\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.spx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-11-18 13:38:48
ComboFix-quarantined-files.txt 2010-11-18 20:38

Pre-Run: 46,953,947,136 bytes free
Post-Run: 46,865,965,056 bytes free

- - End Of File - - A3DD7AF9DB4ED8782E90AF2B8A30A11B



#4 TubesockExtravaganza

TubesockExtravaganza
  • Topic Starter

  • Members
  • 15 posts
  • Local time:05:33 AM

Posted 18 November 2010 - 04:08 PM

Also, after reinstalling AVG, the Resident Shield has stopped crying about explorer.exe and wininit.exe.

So that's good. I think.

#5 1972vet

1972vet

  • Malware Response Team
  • 1,698 posts
  • Gender:Male
  • Location:Midwest U.S.A.
  • Local time:07:33 AM

Posted 18 November 2010 - 08:54 PM

Please open a blank Notepad by clicking start-->run

Then, in the run box type Notepad.exe and click "OK".

Copy the below text in Bold and paste it into the blank Notepad. Save it as CFScript.txt. Change the "Save as type" to All Files and save it to your desktop. Now drag the text document over to your ComboFix.exe.

Combofix will run again automatically. Please post back the new log that will be generated. Thanks!

Note:
Do not mouse-click ComboFix's window while it's running; that may cause it to stall.


KILLALL::

DDS::
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} -
uRun: [BitTorrent DNA]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} -
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} -
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} -
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} -
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} -
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -

Rootkit::
C:\uxldypob.sys
c:\windows\TEMP\E24C.tmp
c:\windows\TEMP\E0E5.tmp

DirLook::
c:\program files\ETS

Folder::
c:\program files\dna
C:\Program Files\Viewpoint

Driver::
bopqoityspfongm
pseobbhcchqtpdp
uxldypob

Reglock::
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice]
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.flac\UserChoice]
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ogg\UserChoice]
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcm\UserChoice]
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pls\UserChoice]
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.spx\UserChoice]
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

Registry::
[-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\bopqoityspfongm]
[-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\pseobbhcchqtpdp]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ViewMgr"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ViewpointPhotosDeviceConnect"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Viewpoint]

Disabled Veteran, U.S.C.G. 1972 - 1978
2009 - 2013

Member: U.N.I.T.E.
Performance and Maintenance for Windows XP, Windows Vista and Windows Seven
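The ComboFix log earlier in the thread and the CFScript in the post above fit together: the two services whose ImagePath points at .tmp files in c:\windows\TEMP, the kernel driver sitting in the root of C:, and the registry keys whose ACL denies LocalSystem are the indicators, and the script's directives (KILLALL::, Rootkit::, Driver::, Reglock::, Registry::) are the response. The following is an added example, not part of the thread and not ComboFix code: it parses log lines of the shape shown on this page and emits a CFScript skeleton in the same directive syntax. SAMPLE_LOG is a constructed excerpt (the gupdate service entry is a constructed benign control case, written in registry form for contrast), and the decision to treat only a deny against LocalSystem as a high-confidence locked key is the example's own rule; the helper's script also unlocked the two modem-class AllUserSettings keys.

```python
"""Triage a ComboFix-style log for the indicator types seen in this thread
and emit a CFScript skeleton using the directives 1972vet's script uses.
Added example: not part of the thread, not ComboFix code.  SAMPLE_LOG is a
constructed excerpt shaped like the log lines on this page; the 'gupdate'
service entry is a constructed benign control case."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List

SAMPLE_LOG = r"""
2010-11-10 12:29 . 2010-11-10 12:29 94848 ----a-w- C:\uxldypob.sys
2010-11-13 19:03 . 2008-01-19 07:42 227896 ----a-w- c:\windows\system32\drivers\volsnap.sys

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\bopqoityspfongm]
"imagepath"="\??\c:\windows\TEMP\E24C.tmp"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\pseobbhcchqtpdp]
"imagepath"="\??\c:\windows\TEMP\E0E5.tmp"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\gupdate]
"imagepath"="c:\program files\Google\Update\GoogleUpdate.exe"

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")                      # [HKEY_...]
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<val>.+)$')           # "name"=value
DENIED_RE = re.compile(r"^@Denied: \((?P<mask>[^)]*)\) \((?P<who>[^)]+)\)$")
FILE_RE = re.compile(                                               # Files Created / Find3M rows
    r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d\s+\S+\s+\S+\s+(?P<path>.+)$")
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)                # any ...\TEMP\... path
ROOT_SYS_RE = re.compile(r"^[a-z]:\\[^\\]+\.sys$", re.IGNORECASE)  # driver directly in drive root
NT_PREFIX = "\\??\\"                                                # NT object-manager path prefix


@dataclass
class Finding:
    kind: str      # "service" | "driver_file" | "locked_key"
    subject: str   # service name, driver path, or registry key
    detail: str    # image path or reason
    key: str = ""  # full registry key (service findings only)


def triage(log_text: str) -> List[Finding]:
    """Walk the log once, tracking the current [key], and flag the three indicator types."""
    findings: List[Finding] = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := KEY_RE.match(line)):
            current_key = m.group("key")
            continue
        if (m := DENIED_RE.match(line)) and current_key:
            # A key that SYSTEM itself is denied access to is the tamper signal we care about.
            if m.group("who").lower() == "localsystem":
                findings.append(Finding("locked_key", current_key,
                                        f"ACL denies LocalSystem (mask {m.group('mask')})"))
            continue
        if (m := VALUE_RE.match(line)) and "\\services\\" in current_key.lower():
            if m.group("name").lower() == "imagepath":
                path = m.group("val").strip('"')
                if path.startswith(NT_PREFIX):
                    path = path[len(NT_PREFIX):]
                if TEMP_DIR_RE.search(path) or path.lower().endswith(".tmp"):
                    svc = current_key.rsplit("\\", 1)[-1]
                    findings.append(Finding("service", svc, path, key=current_key))
            continue
        if (m := FILE_RE.match(line)):
            path = m.group("path").strip()
            if ROOT_SYS_RE.match(path):
                findings.append(Finding("driver_file", path, "kernel driver in drive root"))
    return findings


def build_cfscript(findings: List[Finding]) -> str:
    """Render findings as a CFScript using only the directives that appear in this thread."""
    services = [f for f in findings if f.kind == "service"]
    drivers = [f for f in findings if f.kind == "driver_file"]
    locked = [f for f in findings if f.kind == "locked_key"]
    out = ["KILLALL::", ""]
    files = [f.detail for f in services] + [f.subject for f in drivers]
    if files:
        out += ["Rootkit::"] + files + [""]
    names = [f.subject for f in services] + [PureWindowsPath(f.subject).stem for f in drivers]
    if names:
        out += ["Driver::"] + names + [""]
    if locked:
        out += ["Reglock::"] + [f"[{f.subject}]" for f in locked] + [""]
    if services:
        out += ["Registry::"] + [f"[-{f.key}]" for f in services] + [""]
    return "\n".join(out).rstrip("\n") + "\n"


if __name__ == "__main__":
    print(build_cfscript(triage(SAMPLE_LOG)))
```

Emitting the script is the easy part. The next log in this thread shows C:\uxldypob.sys still listed under Files Created after the first pass, which is why the helper re-issues the Driver:: and Rootkit:: directives; re-check that section after every run rather than assuming a directive took effect.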


#6 TubesockExtravaganza

TubesockExtravaganza
  • Topic Starter

  • Members
  • 15 posts
  • Local time:05:33 AM

Posted 19 November 2010 - 09:46 AM

Think I'll just leave AVG installed until this blows over, heh.


ComboFix 10-11-18.04 - LordSyren 11/19/2010 7:11.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2045.1281 [GMT -7:00]
Running from: c:\users\LordSyren\Desktop\ComboFix.exe
Command switches used :: c:\users\LordSyren\Desktop\CFScript.txt
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Viewpoint
c:\program files\Viewpoint\Viewpoint Media Player\AxMetaStream_0305000D.dll
c:\program files\Viewpoint\Viewpoint Media Player\ClassIDs.ini
c:\program files\Viewpoint\Viewpoint Media Player\ComponentMgr.dll
c:\program files\Viewpoint\Viewpoint Media Player\ComponentRegistry.ini
c:\program files\Viewpoint\Viewpoint Media Player\Components\AOLUserShell.dll
c:\program files\Viewpoint\Viewpoint Media Player\Components\JpegReader.dll
c:\program files\Viewpoint\Viewpoint Media Player\Components\Mts3Reader.dll
c:\program files\Viewpoint\Viewpoint Media Player\Components\SceneComponent.dll
c:\program files\Viewpoint\Viewpoint Media Player\Components\SreeDMMX.dll
c:\program files\Viewpoint\Viewpoint Media Player\Components\SWFView.dll
c:\program files\Viewpoint\Viewpoint Media Player\Components\VMPVideo.dll
c:\program files\Viewpoint\Viewpoint Media Player\Components\VMPVideo2.dll
c:\program files\Viewpoint\Viewpoint Media Player\DownLoadHist.ini
c:\program files\Viewpoint\Viewpoint Media Player\HostRegistry.ini
c:\program files\Viewpoint\Viewpoint Media Player\MetaStreamConfig.ini
c:\program files\Viewpoint\Viewpoint Media Player\MetaStreamID.ini
c:\program files\Viewpoint\Viewpoint Media Player\MtsAxInstaller.exe
c:\program files\Viewpoint\Viewpoint Media Player\MTSDownloadSites.txt
c:\program files\Viewpoint\Viewpoint Media Player\NewComponents\VMPSpeech.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_UXLDYPOB
-------\Service_bopqoityspfongm
-------\Service_pseobbhcchqtpdp


((((((((((((((((((((((((( Files Created from 2010-10-19 to 2010-11-19 )))))))))))))))))))))))))))))))
.

2010-11-19 14:19 . 2010-11-19 14:21 -------- d-----w- c:\users\LordSyren\AppData\Local\temp
2010-11-19 14:19 . 2010-11-19 14:19 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-11-19 13:44 . 2010-11-16 19:01 6273872 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{60EAAC19-3494-4670-8BA3-1AD7B3AE892B}\mpengine.dll
2010-11-18 20:57 . 2010-11-18 20:57 -------- d-----w- c:\users\LordSyren\AppData\Roaming\AVG10
2010-11-18 20:55 . 2010-11-18 20:55 -------- d--h--w- c:\programdata\Common Files
2010-11-18 20:54 . 2010-11-19 13:40 -------- d-----w- c:\programdata\AVG10
2010-11-18 20:46 . 2010-11-18 20:53 -------- d-----w- c:\programdata\MFAData
2010-11-13 19:03 . 2008-01-19 07:42 227896 ----a-w- c:\windows\system32\drivers\volsnap.sys
2010-11-11 05:18 . 2010-11-11 05:18 -------- d-----w- C:\162aead0c9b3c476755e522df8773a
2010-11-10 17:24 . 2010-11-10 17:24 -------- d-----w- c:\program files\ETS
2010-11-10 12:29 . 2010-11-10 12:29 94848 ----a-w- C:\uxldypob.sys
2010-11-10 12:17 . 2010-10-07 11:35 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2010-11-10 02:21 . 2010-11-10 02:21 -------- d-----w- c:\users\LordSyren\AppData\Roaming\SUPERAntiSpyware.com
2010-11-10 02:21 . 2010-11-10 02:21 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-11-10 02:21 . 2010-11-10 02:28 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-11-03 13:29 . 2010-11-03 13:29 -------- d-----w- c:\program files\Common Files\SourceTec
2010-11-03 13:29 . 2010-11-03 13:28 697690 ----a-w- c:\windows\unins000.exe
2010-10-27 13:23 . 2010-08-26 16:01 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-10-27 13:23 . 2010-08-26 14:11 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-19 17:41 . 2009-10-03 13:08 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-10-14 08:36 . 2010-10-14 08:36 15451288 ----a-w- c:\windows\system32\xlive.dll
2010-10-14 08:36 . 2010-10-14 08:36 13642904 ----a-w- c:\windows\system32\xlivefnt.dll
2010-10-12 15:09 . 2010-10-12 15:09 1409 ----a-w- c:\windows\QTFont.for
2010-09-29 21:52 . 2008-02-02 23:14 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-09-20 09:25 . 2010-10-15 05:50 231936 ----a-w- c:\windows\system32\msshsq.dll
2010-09-10 16:37 . 2010-10-14 13:05 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-09-08 17:26 . 2010-10-14 13:04 833024 ----a-w- c:\windows\system32\wininet.dll
2010-09-08 17:23 . 2010-10-14 13:04 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-09-08 15:53 . 2010-10-14 13:04 389632 ----a-w- c:\windows\system32\html.iec
2010-09-08 15:28 . 2010-10-14 13:04 1383424 ----a-w- c:\windows\system32\mshtml.tlb
2010-09-06 16:24 . 2010-10-14 13:04 125952 ----a-w- c:\windows\system32\srvsvc.dll
2010-09-06 16:23 . 2010-10-14 13:04 17920 ----a-w- c:\windows\system32\netevent.dll
2010-09-06 14:13 . 2010-10-14 13:04 303616 ----a-w- c:\windows\system32\drivers\srv.sys
2010-09-06 14:12 . 2010-10-14 13:04 145408 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-09-06 14:12 . 2010-10-14 13:04 101888 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-08-31 15:41 . 2010-10-14 13:04 954752 ----a-w- c:\windows\system32\mfc40.dll
2010-08-31 15:41 . 2010-10-14 13:04 954288 ----a-w- c:\windows\system32\mfc40u.dll
2010-08-31 15:40 . 2010-10-14 13:04 531968 ----a-w- c:\windows\system32\comctl32.dll
2010-08-31 13:39 . 2010-10-14 13:04 2037248 ----a-w- c:\windows\system32\win32k.sys
2010-08-26 16:07 . 2010-10-14 13:04 157184 ----a-w- c:\windows\system32\t2embed.dll
2010-08-26 16:01 . 2010-10-27 13:23 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll
2010-08-26 16:01 . 2010-10-27 13:23 459776 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2010-08-26 16:01 . 2010-10-27 13:23 541696 ----a-w- c:\windows\apppatch\AcLayers.dll
2010-08-26 16:01 . 2010-10-27 13:23 2153984 ----a-w- c:\windows\apppatch\AcGenral.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\program files\ETS ----

2010-11-10 17:24 . 2008-05-23 18:56 88189 ----a-w- c:\program files\ETS\English Language Literature and Composition Content Knowledge Practice Test\pdf\help.pdf
2010-11-10 17:24 . 2009-01-06 17:08 520267 ----a-w- c:\program files\ETS\English Language Literature and Composition Content Knowledge Practice Test\pdf\23839865.pdf
2010-11-10 17:24 . 2004-01-13 21:16 3171 ----a-w- c:\program files\ETS\English Language Literature and Composition Content Knowledge Practice Test\Images\security_lock_text.gif
2010-11-10 17:24 . 2005-05-05 21:12 3300 ----a-w- c:\program files\ETS\English Language Literature and Composition Content Knowledge Practice Test\Images\reissueKey.gif
2010-11-10 17:24 . 2005-05-05 21:03 3975 ----a-w- c:\program files\ETS\English Language Literature and Composition Content Knowledge Practice Test\Images\register.gif
2010-11-10 17:24 . 2007-08-15 16:32 2617 ----a-w- c:\program files\ETS\English Language Literature and Composition Content Knowledge Practice Test\Images\powered_by_dr.gif
2010-11-10 17:24 . 2004-01-13 21:16 4436 ----a-w- c:\program files\ETS\English Language Literature and Composition Content Knowledge Practice Test\Images\money_back_g.gif
2010-11-10 17:24 . 2004-02-10 00:33 3993 ----a-w- c:\program files\ETS\English Language Literature and Composition Content Knowledge Practice Test\Images\exit.gif
2010-11-10 17:24 . 2004-02-18 17:07 4491 ----a-w- c:\program files\ETS\English Language Literature and Composition Content Knowledge Practice Test\Images\enterkey.gif
2010-11-10 17:24 . 2009-01-05 15:20 30156 ----a-w- c:\program files\ETS\English Language Literature and Composition Content Knowledge Practice Test\Images\EngLangPT_0041.jpg
2010-11-10 17:24 . 2005-05-05 21:10 4153 ----a-w- c:\program files\ETS\English Language Literature and Composition Content Knowledge Practice Test\Images\customerSvc.gif
2010-11-10 17:24 . 2004-01-13 21:16 2765 ----a-w- c:\program files\ETS\English Language Literature and Composition Content Knowledge Practice Test\Images\continue_free_trial.gif
2010-11-10 17:24 . 2004-01-13 21:16 2760 ----a-w- c:\program files\ETS\English Language Literature and Composition Content Knowledge Practice Test\Images\buy.gif
2010-11-10 17:24 . 2006-09-13 06:00 4890624 ----a-w- c:\program files\ETS\English Language Literature and Composition Content Knowledge Practice Test\qt-mt335.dll
2010-11-10 17:24 . 2006-07-11 06:00 544768 ----a-w- c:\program files\ETS\English Language Literature and Composition Content Knowledge Practice Test\msvcr71d.dll
2010-11-10 17:24 . 2003-02-21 06:00 348160 ----a-w- c:\program files\ETS\English Language Literature and Composition Content Knowledge Practice Test\msvcr71.dll
2010-11-10 17:24 . 2006-07-11 06:00 765952 ----a-w- c:\program files\ETS\English Language Literature and Composition Content Knowledge Practice Test\msvcp71d.dll
2010-11-10 17:24 . 2003-03-18 06:00 499712 ----a-w- c:\program files\ETS\English Language Literature and Composition Content Knowledge Practice Test\msvcp71.dll
2010-11-10 17:24 . 2007-05-03 06:00 774144 ----a-w- c:\program files\ETS\English Language Literature and Composition Content Knowledge Practice Test\ImpressarioQtPlugIn.1.03.dll
2010-11-10 17:24 . 2008-10-22 17:06 1339392 ----a-w- c:\program files\ETS\English Language Literature and Composition Content Knowledge Practice Test\english_language_lit_and_composition_content_knowledge_practice_test_ebook.exe
2010-11-10 17:24 . 2005-02-17 06:00 3928064 ----a-w- c:\program files\ETS\English Language Literature and Composition Content Knowledge Practice Test\DL6PDFL.dll
2010-11-10 17:24 . 2005-02-17 06:00 94208 ----a-w- c:\program files\ETS\English Language Literature and Composition Content Knowledge Practice Test\DL6OPP.dll
2010-11-10 17:24 . 2005-02-17 06:00 524372 ----a-w- c:\program files\ETS\English Language Literature and Composition Content Knowledge Practice Test\DL6JP2KLib.dll
2010-11-10 17:24 . 2005-02-17 06:00 1630208 ----a-w- c:\program files\ETS\English Language Literature and Composition Content Knowledge Practice Test\DL6CoolType.dll
2010-11-10 17:24 . 2005-02-17 06:00 217088 ----a-w- c:\program files\ETS\English Language Literature and Composition Content Knowledge Practice Test\DL6BIBUtils.dll
2010-11-10 17:24 . 2005-02-17 06:00 151552 ----a-w- c:\program files\ETS\English Language Literature and Composition Content Knowledge Practice Test\DL6BIB.dll
2010-11-10 17:24 . 2005-02-17 06:00 1512960 ----a-w- c:\program files\ETS\English Language Literature and Composition Content Knowledge Practice Test\DL6AGM.dll
2010-11-10 17:24 . 2005-02-17 06:00 565248 ----a-w- c:\program files\ETS\English Language Literature and Composition Content Knowledge Practice Test\DL6ACE.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"Steam"="c:\games\steam\steam.exe" [2010-11-17 1242448]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-01-03 486856]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-17 68856]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]
"Google Update"="c:\users\LordSyren\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-03-18 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-25 17920]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" [2007-04-17 184320]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2008-10-24 79136]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-25 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-25 154136]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-25 129560]
"CTxfiHlp"="CTXFIHLP.EXE" [2007-09-24 23552]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-07-02 623960]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2009-04-11 236016]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0\bin\jusched.exe" [2007-12-17 77824]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-12-17 50688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Users^LordSyren^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Hitachi LifeStudio Tray.lnk]
path=c:\users\LordSyren\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Hitachi LifeStudio Tray.lnk
backup=c:\windows\pss\Hitachi LifeStudio Tray.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-04-12 22:46 1135912 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Livestream Procaster]
2009-09-09 20:42 6313248 ----a-w- c:\program files\Livestream Procaster\Procaster.exe

R2 HitachiBackupService;Hitachi Backup Service;c:\program files\Hitachi\Hitachi Backup\HitachiBackupService.exe [x]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2008-01-06 715248]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 135664]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-07-09 248936]
S3 scrcap;scrcap;c:\windows\system32\DRIVERS\scrcap.sys [2006-12-27 9006]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
.
Contents of the 'Scheduled Tasks' folder

2010-11-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 18:21]

2010-11-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 18:21]

2010-11-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1608670652-4244503431-1297419289-1000Core.job
- c:\users\LordSyren\AppData\Local\Google\Update\GoogleUpdate.exe [2010-09-26 12:31]

2010-11-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1608670652-4244503431-1297419289-1000UA.job
- c:\users\LordSyren\AppData\Local\Google\Update\GoogleUpdate.exe [2010-09-26 12:31]

2010-11-18 c:\windows\Tasks\User_Feed_Synchronization-{0BDCC9AA-C9B4-45ED-A087-FFFDCB424B6B}.job
- c:\windows\system32\msfeedssync.exe [2008-09-30 07:33]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
FF - ProfilePath - c:\users\LordSyren\AppData\Roaming\Mozilla\Firefox\Profiles\72uzzk00.default\
FF - prefs.js: browser.startup.homepage - www.barbies.com
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-ViewpointMediaPlayer - c:\program files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-19 07:25
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTxfiHlp = CTXFIHLP.EXE?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(9720)
c:\windows\TEMP\logishrd\LVPrcInj01.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\nvvsvc.exe
c:\windows\system32\conime.exe
c:\windows\SYSTEM32\CTXFISPI.EXE
c:\windows\ehome\ehmsas.exe
c:\windows\system32\WerCon.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\Windows Live\Contacts\wlcomm.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2010-11-19 07:30:25 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-19 14:30
ComboFix2.txt 2010-11-18 20:38

Pre-Run: 56,929,251,328 bytes free
Post-Run: 56,233,512,960 bytes free

- - End Of File - - 1C2E6CD8A9BC01F118807B7254363A74



#7 1972vet

1972vet

  • Malware Response Team
  • 1,698 posts
  • Gender:Male
  • Location:Midwest U.S.A.
  • Local time:07:33 AM

Posted 19 November 2010 - 12:06 PM

The rootkit remains, but each time you ran ComboFix, Windows Defender has been enabled. Please disable it:
  • Open Microsoft Windows Defender. Click Start, Programs, Windows Defender
  • Click on Tools, General Settings
  • Under Real-time protection options, unselect the Turn on real-time protection check box
  • Click Save

After we finish up, it is very important that you enable Real-time Protection again.

Next, please open another Notepad file, then copy and paste the below Bold text into the blank Notepad. Save it as CFScript.txt. Change the "Save as type" to All Files and save it to your desktop. Now drag the text document over to your ComboFix.exe.

Combofix will run again automatically. Please post back the new log that will be generated. Thanks!
Note:
Do not mouse-click ComboFix's window while it's running; that may cause it to stall.



KILLALL::

Driver::
uxldypob

Rootkit::
C:\uxldypob.sys



#8 TubesockExtravaganza

TubesockExtravaganza
  • Topic Starter

  • Members
  • 15 posts
  • Local time:05:33 AM

Posted 19 November 2010 - 01:22 PM

I disabled the real-time protection, but this log says it was enabled still, somehow.



ComboFix 10-11-18.05 - LordSyren 11/19/2010 10:58:22.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2045.1435 [GMT -7:00]
Running from: c:\users\LordSyren\Desktop\ComboFix.exe
Command switches used :: c:\users\LordSyren\Desktop\CFScript.txt
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2010-10-19 to 2010-11-19 )))))))))))))))))))))))))))))))
.

2010-11-19 18:07 . 2010-11-19 18:09 -------- d-----w- c:\users\LordSyren\AppData\Local\temp
2010-11-19 18:07 . 2010-11-19 18:07 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-11-19 13:44 . 2010-11-16 19:01 6273872 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{60EAAC19-3494-4670-8BA3-1AD7B3AE892B}\mpengine.dll
2010-11-18 20:57 . 2010-11-18 20:57 -------- d-----w- c:\users\LordSyren\AppData\Roaming\AVG10
2010-11-18 20:55 . 2010-11-18 20:55 -------- d--h--w- c:\programdata\Common Files
2010-11-18 20:54 . 2010-11-19 13:40 -------- d-----w- c:\programdata\AVG10
2010-11-18 20:46 . 2010-11-18 20:53 -------- d-----w- c:\programdata\MFAData
2010-11-13 19:03 . 2008-01-19 07:42 227896 ----a-w- c:\windows\system32\drivers\volsnap.sys
2010-11-11 05:18 . 2010-11-11 05:18 -------- d-----w- C:\162aead0c9b3c476755e522df8773a
2010-11-10 17:24 . 2010-11-10 17:24 -------- d-----w- c:\program files\ETS
2010-11-10 12:29 . 2010-11-10 12:29 94848 ----a-w- C:\uxldypob.sys
2010-11-10 12:17 . 2010-10-07 11:35 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2010-11-10 02:21 . 2010-11-10 02:21 -------- d-----w- c:\users\LordSyren\AppData\Roaming\SUPERAntiSpyware.com
2010-11-10 02:21 . 2010-11-10 02:21 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-11-10 02:21 . 2010-11-10 02:28 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-11-03 13:29 . 2010-11-03 13:29 -------- d-----w- c:\program files\Common Files\SourceTec
2010-11-03 13:29 . 2010-11-03 13:28 697690 ----a-w- c:\windows\unins000.exe
2010-10-27 13:23 . 2010-08-26 16:01 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-10-27 13:23 . 2010-08-26 14:11 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-19 17:41 . 2009-10-03 13:08 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-10-14 08:36 . 2010-10-14 08:36 15451288 ----a-w- c:\windows\system32\xlive.dll
2010-10-14 08:36 . 2010-10-14 08:36 13642904 ----a-w- c:\windows\system32\xlivefnt.dll
2010-10-12 15:09 . 2010-10-12 15:09 1409 ----a-w- c:\windows\QTFont.for
2010-09-29 21:52 . 2008-02-02 23:14 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-09-20 09:25 . 2010-10-15 05:50 231936 ----a-w- c:\windows\system32\msshsq.dll
2010-09-10 16:37 . 2010-10-14 13:05 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-09-08 17:26 . 2010-10-14 13:04 833024 ----a-w- c:\windows\system32\wininet.dll
2010-09-08 17:23 . 2010-10-14 13:04 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-09-08 15:53 . 2010-10-14 13:04 389632 ----a-w- c:\windows\system32\html.iec
2010-09-08 15:28 . 2010-10-14 13:04 1383424 ----a-w- c:\windows\system32\mshtml.tlb
2010-09-06 16:24 . 2010-10-14 13:04 125952 ----a-w- c:\windows\system32\srvsvc.dll
2010-09-06 16:23 . 2010-10-14 13:04 17920 ----a-w- c:\windows\system32\netevent.dll
2010-09-06 14:13 . 2010-10-14 13:04 303616 ----a-w- c:\windows\system32\drivers\srv.sys
2010-09-06 14:12 . 2010-10-14 13:04 145408 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-09-06 14:12 . 2010-10-14 13:04 101888 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-08-31 15:41 . 2010-10-14 13:04 954752 ----a-w- c:\windows\system32\mfc40.dll
2010-08-31 15:41 . 2010-10-14 13:04 954288 ----a-w- c:\windows\system32\mfc40u.dll
2010-08-31 15:40 . 2010-10-14 13:04 531968 ----a-w- c:\windows\system32\comctl32.dll
2010-08-31 13:39 . 2010-10-14 13:04 2037248 ----a-w- c:\windows\system32\win32k.sys
2010-08-26 16:07 . 2010-10-14 13:04 157184 ----a-w- c:\windows\system32\t2embed.dll
2010-08-26 16:01 . 2010-10-27 13:23 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll
2010-08-26 16:01 . 2010-10-27 13:23 459776 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2010-08-26 16:01 . 2010-10-27 13:23 541696 ----a-w- c:\windows\apppatch\AcLayers.dll
2010-08-26 16:01 . 2010-10-27 13:23 2153984 ----a-w- c:\windows\apppatch\AcGenral.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"Steam"="c:\games\steam\steam.exe" [2010-11-17 1242448]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-01-03 486856]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-17 68856]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]
"Google Update"="c:\users\LordSyren\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-03-18 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-25 17920]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" [2007-04-17 184320]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2008-10-24 79136]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-25 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-25 154136]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-25 129560]
"CTxfiHlp"="CTXFIHLP.EXE" [2007-09-24 23552]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-07-02 623960]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2009-04-11 236016]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0\bin\jusched.exe" [2007-12-17 77824]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-12-17 50688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Users^LordSyren^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Hitachi LifeStudio Tray.lnk]
path=c:\users\LordSyren\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Hitachi LifeStudio Tray.lnk
backup=c:\windows\pss\Hitachi LifeStudio Tray.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-04-12 22:46 1135912 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Livestream Procaster]
2009-09-09 20:42 6313248 ----a-w- c:\program files\Livestream Procaster\Procaster.exe

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 135664]
R2 HitachiBackupService;Hitachi Backup Service;c:\program files\Hitachi\Hitachi Backup\HitachiBackupService.exe [x]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2008-01-06 715248]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-07-09 248936]
S3 scrcap;scrcap;c:\windows\system32\DRIVERS\scrcap.sys [2006-12-27 9006]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
.
Contents of the 'Scheduled Tasks' folder

2010-11-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 18:21]

2010-11-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 18:21]

2010-11-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1608670652-4244503431-1297419289-1000Core.job
- c:\users\LordSyren\AppData\Local\Google\Update\GoogleUpdate.exe [2010-09-26 12:31]

2010-11-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1608670652-4244503431-1297419289-1000UA.job
- c:\users\LordSyren\AppData\Local\Google\Update\GoogleUpdate.exe [2010-09-26 12:31]

2010-11-18 c:\windows\Tasks\User_Feed_Synchronization-{0BDCC9AA-C9B4-45ED-A087-FFFDCB424B6B}.job
- c:\windows\system32\msfeedssync.exe [2008-09-30 07:33]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
FF - ProfilePath - c:\users\LordSyren\AppData\Roaming\Mozilla\Firefox\Profiles\72uzzk00.default\
FF - prefs.js: browser.startup.homepage - www.barbies.com
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTxfiHlp = CTXFIHLP.EXE?

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(7496)
c:\windows\TEMP\logishrd\LVPrcInj01.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\nvvsvc.exe
c:\windows\system32\conime.exe
c:\windows\SYSTEM32\CTXFISPI.EXE
c:\windows\ehome\ehmsas.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Windows Live\Contacts\wlcomm.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2010-11-19 11:17:21 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-19 18:17
ComboFix2.txt 2010-11-19 14:30
ComboFix3.txt 2010-11-18 20:38

Pre-Run: 56,278,532,096 bytes free
Post-Run: 56,243,118,080 bytes free

- - End Of File - - DE80FE01A7FC801CB2C7125E398F6878



#9 1972vet

  • Malware Response Team
  • 1,698 posts
  • Gender:Male
  • Location:Midwest U.S.A.

Posted 19 November 2010 - 01:29 PM

Try to open Windows Defender. You should receive a message that says, Windows Defender is turned off...do you want to turn it on? Let me know if that's the case or not...the rootkit is still present.



#10 TubesockExtravaganza

  • Topic Starter
  • Members
  • 15 posts

Posted 30 November 2010 - 09:54 AM

Sorry for the massive delay; I was out of town.

So I turned off Defender (re-accessing it asked if I wanted to turn it on, as you described), but ComboFix didn't seem to have noticed.

Also, I've noticed two things. The redirect is back and working on Chrome, though not nearly as well, and ComboFix says volsnap.sys had been created - the rootkit'd file that I had suspected from the start. But maybe it's just a coincidence. Did ComboFix finally kill those files you wanted?

Attached Files

  • log.txt (14.49KB)


#11 1972vet

  • Malware Response Team
  • 1,698 posts
  • Gender:Male
  • Location:Midwest U.S.A.

Posted 30 November 2010 - 04:49 PM

Please run DDS again and post back the resulting Attach.txt and DDS logs. Also, please let me know exactly when it was that you noticed the return of browser redirection. Thanks!



#12 TubesockExtravaganza

  • Topic Starter
  • Members
  • 15 posts

Posted 01 December 2010 - 11:02 AM

I noticed it two days ago, but I just tried my browsers and the redirect went away as mysteriously as it had last time. So I don't even know what's going on at this point. Either way, thank you so much for your continued assistance.




DDS (Ver_10-11-10.01) - NTFSx86
Run by LordSyren at 8:51:20.33 on Wed 12/01/2010
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2045.1035 [GMT -7:00]

SP: Spybot - Search and Destroy *enabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
C:\Windows\System32\Ctxfihlp.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Games\Steam\Steam.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Windows\SYSTEM32\CTXFISPI.EXE
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\PnkBstrB.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wuauclt.exe
C:\Users\LordSyren\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\LordSyren\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\LordSyren\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\conime.exe
C:\Users\LordSyren\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Settings,ProxyServer = http=127.0.0.1:50370
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Cooliris Plug-In for Internet Explorer: {eaee5c74-6d0d-4aca-9232-0da4a7b866ba} - c:\program files\piclensie\cooliris.dll
TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - c:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dll
TB: Veoh Video Compass: {52836eb0-631a-47b1-94a6-61f9d9112dae} - c:\program files\veoh networks\veoh video compass\SearchRecsPlugin.dll
TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [Steam] "c:\games\steam\steam.exe" -silent
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe"
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [Google Update] "c:\users\lordsyren\appdata\local\google\update\GoogleUpdate.exe" /c
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
mRun: [VolPanel] "c:\program files\creative\sound blaster x-fi\volume panel\VolPanlu.exe" /r
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [BlackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0\bin\jusched.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
IE: Sothink SWF Catcher - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {3437D640-C91A-458f-89F5-B9095EA4C28B} - {04F93351-81D2-4484-9982-0D55DEFFFAE6} - c:\program files\piclensie\cooliris.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} - hxxp://site.ebrary.com.bob.csueastbay.edu/lib/csueastbay/support/plugins/ebraryRdr.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} - hxxp://i.dell.com/images/global/js/scanner/SysProExe.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.10.115.cab
DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} - hxxp://dl.tvunetworks.com/TVUAx.cab
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} - hxxp://messenger.zone.msn.com/EN-US/a-LUXR/mjolauncher.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93}
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
Notify: igfxcui - igfxdev.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\users\lordsy~1\appdata\roaming\mozilla\firefox\profiles\72uzzk00.default\
FF - prefs.js: browser.startup.homepage - www.barbies.com
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 50370
FF - prefs.js: network.proxy.type - 1
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2008-10-9 1153368]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2010-7-9 248936]
R3 scrcap;scrcap;c:\windows\system32\drivers\scrcap.sys [2006-12-27 9006]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-29 135664]
S2 HitachiBackupService;Hitachi Backup Service;"c:\program files\hitachi\hitachi backup\hitachibackupservice.exe" --> c:\program files\hitachi\hitachi backup\HitachiBackupService.exe [?]

=============== Created Last 30 ================

2010-11-30 14:38:17 6273872 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{902cf4e7-1eea-468e-83f2-2a8ee380113f}\mpengine.dll
2010-11-29 21:06:01 -------- d-----w- c:\users\lordsy~1\appdata\local\temp
2010-11-29 21:04:10 -------- d-sh--w- C:\$RECYCLE.BIN
2010-11-18 20:57:03 -------- d-----w- c:\users\lordsy~1\appdata\roaming\AVG10
2010-11-18 20:55:45 -------- d--h--w- c:\progra~2\Common Files
2010-11-18 20:54:03 -------- d-----w- c:\progra~2\AVG10
2010-11-18 20:46:24 -------- d-----w- c:\progra~2\MFAData
2010-11-18 20:16:59 98816 ----a-w- c:\windows\sed.exe
2010-11-18 20:16:59 89088 ----a-w- c:\windows\MBR.exe
2010-11-18 20:16:59 256512 ----a-w- c:\windows\PEV.exe
2010-11-18 20:16:59 161792 ----a-w- c:\windows\SWREG.exe
2010-11-13 19:03:08 227896 ----a-w- c:\windows\system32\drivers\volsnap.sys
2010-11-11 05:18:30 -------- d-----w- C:\162aead0c9b3c476755e522df8773a
2010-11-10 17:24:23 -------- d-----w- c:\program files\ETS
2010-11-10 12:29:48 94848 ----a-w- C:\uxldypob.sys
2010-11-10 12:17:42 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2010-11-10 02:21:06 -------- d-----w- c:\users\lordsy~1\appdata\roaming\SUPERAntiSpyware.com
2010-11-10 02:21:06 -------- d-----w- c:\progra~2\SUPERAntiSpyware.com
2010-11-10 02:21:00 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-11-03 13:29:20 697690 ----a-w- c:\windows\unins000.exe
2010-11-03 13:29:20 -------- d-----w- c:\program files\common files\SourceTec

==================== Find3M ====================

2010-10-19 17:41:44 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-10-14 08:36:52 15451288 ----a-w- c:\windows\system32\xlive.dll
2010-10-14 08:36:50 13642904 ----a-w- c:\windows\system32\xlivefnt.dll
2010-10-12 15:09:41 1409 ----a-w- c:\windows\QTFont.for
2010-09-29 21:52:24 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-09-20 09:25:01 231936 ----a-w- c:\windows\system32\msshsq.dll
2010-09-10 16:37:06 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-09-08 17:26:59 833024 ----a-w- c:\windows\system32\wininet.dll
2010-09-08 17:23:42 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-09-08 15:53:07 389632 ----a-w- c:\windows\system32\html.iec
2010-09-08 15:28:29 1383424 ----a-w- c:\windows\system32\mshtml.tlb
2010-09-06 16:24:40 125952 ----a-w- c:\windows\system32\srvsvc.dll
2010-09-06 16:23:14 17920 ----a-w- c:\windows\system32\netevent.dll

============= FINISH: 8:52:20.41 ===============
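The DDS report above lists, under "Pseudo HJT Report" and "FIREFOX", a proxy on 127.0.0.1:50370 configured for both Internet Explorer and Firefox. A loopback proxy shared by more than one browser is exactly the kind of setting a responder reviews when redirection is reported across browsers, because it puts one local process in the path of every request. As an added illustration (not code from this thread, nor from DDS or ComboFix), here is a small Python checker that walks constructed sample lines in the DDS format and flags such settings; the indicator names and the rule that a .sys file sitting in the drive root is unusual are this example's own assumptions.

```python
"""
Added example, not code from the BleepingComputer thread, DDS or ComboFix: a
small checker that walks DDS-style report lines and flags settings a responder
reviews when browser redirection is reported. The indicator names and the
"driver in the drive root is unusual" rule are this example's own assumptions.
"""
import re

# Constructed sample lines, modelled on the DDS "Pseudo HJT Report", "FIREFOX"
# and "Created Last 30" sections (not the thread's actual log).
SAMPLE_DDS = r"""
uStart Page = about:blank
uInternet Settings,ProxyServer = http=127.0.0.1:50370
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
mPolicies-system: EnableLUA = 0 (0x0)
Hosts: 127.0.0.1 www.spywareinfo.com
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 50370
FF - prefs.js: network.proxy.type - 1
2010-11-10 12:29:48 94848 ----a-w- C:\uxldypob.sys
"""

# Loopback endpoints: 127.x.x.x or localhost, with or without a port.
LOOPBACK = re.compile(r"^(127\.\d+\.\d+\.\d+|localhost)(:\d+)?$", re.I)

IE_PROXY = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(.+)$")
FF_PROXY_HOST = re.compile(r"^FF - prefs\.js: network\.proxy\.http - (\S+)$")
FF_PROXY_PORT = re.compile(r"^FF - prefs\.js: network\.proxy\.http_port - (\d+)$")
ORPHAN = re.compile(r"^(BHO|TB): (.*) - No File$")
UAC_OFF = re.compile(r"^mPolicies-system: EnableLUA = 0\b")
HOSTS = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)$")
ROOT_SYS = re.compile(r"\s([A-Za-z]:\\[^\\\s]+\.sys)$", re.I)


def analyze_dds(text):
    """Return (indicator, detail) pairs for each setting worth a closer look."""
    findings = []
    ff_host, ff_port = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = IE_PROXY.match(line)
        if m:
            # Value looks like "http=127.0.0.1:50370;https=..."; check each protocol entry.
            for entry in m.group(1).split(";"):
                host = entry.split("=", 1)[-1].strip()
                if LOOPBACK.match(host):
                    findings.append(("ie_loopback_proxy", host))
            continue
        m = FF_PROXY_HOST.match(line)
        if m:
            ff_host = m.group(1)
            continue
        m = FF_PROXY_PORT.match(line)
        if m:
            ff_port = m.group(1)
            continue
        m = ORPHAN.match(line)
        if m:
            # A registered browser helper or toolbar whose DLL no longer exists.
            findings.append(("orphaned_bho_or_toolbar", m.group(2)))
            continue
        if UAC_OFF.match(line):
            findings.append(("uac_disabled", line))
            continue
        m = HOSTS.match(line)
        if m:
            findings.append(("hosts_override", f"{m.group(2)} -> {m.group(1)}"))
            continue
        m = ROOT_SYS.search(line)
        if m:
            findings.append(("driver_in_drive_root", m.group(1)))
    # Firefox stores host and port on separate lines; combine them after the pass.
    if ff_host and LOOPBACK.match(ff_host):
        findings.append(("ff_loopback_proxy", f"{ff_host}:{ff_port}" if ff_port else ff_host))
    return findings


def shared_loopback_proxy(findings):
    """True when IE and Firefox point at the same loopback endpoint, i.e. one
    local process sits in the path of every request from both browsers."""
    ie = {d for k, d in findings if k == "ie_loopback_proxy"}
    ff = {d for k, d in findings if k == "ff_loopback_proxy"}
    return bool(ie & ff)


if __name__ == "__main__":
    found = analyze_dds(SAMPLE_DDS)
    for kind, detail in found:
        print(f"{kind:26} {detail}")
    print("same loopback proxy in IE and Firefox:", shared_loopback_proxy(found))
```

On the constructed sample the checker reports the IE and Firefox proxies as the same endpoint, an orphaned BHO registration, UAC switched off, a Hosts override and a driver in the drive root. Each is a lead to verify by hand (which process listens on the port, whether the Hosts entry came from a deliberate immunization tool), not a verdict on its own.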

#13 1972vet

  • Malware Response Team
  • 1,698 posts
  • Gender:Male
  • Location:Midwest U.S.A.

Posted 01 December 2010 - 11:15 AM

Please upload the attach.txt that goes with that last scan. Thanks!



#14 TubesockExtravaganza

  • Topic Starter
  • Members
  • 15 posts

Posted 01 December 2010 - 02:21 PM

Must have forgotten to hit Attach File.

Attached Files


Edited by TubesockExtravaganza, 01 December 2010 - 06:19 PM.


#15 1972vet

  • Malware Response Team
  • 1,698 posts
  • Gender:Male
  • Location:Midwest U.S.A.

Posted 01 December 2010 - 09:49 PM

In my second posting, I mentioned:

...It would be in your best interest to uninstall any program you know with certainty that you downloaded using the file sharing software. As well, you should delete every single file you downloaded using said software..

And I have to ask...have you done this? It seems to me, there are quite a few programs on that system that were quite possibly downloaded via file sharing programs. I would also like to know why you reinstalled the Java SE Runtime Environment 6. Unless you are a software developer, you don't need it. Are you?

In addition to uninstalling Java "SE" again, please remove the following:
Adobe Reader 8.1.3 <--outdated and exploited. Download the latest version Here
SoulSeek Client 156c <--file sharing program
Oxin's Style! Cry of Pleasure <--I can't find anything good regarding these next two items
Oxin's Style! Everlust
RegTweaker version 3.2.1 <--Useless and more probably, damaging...

None of the programs which purport to "clean" the registry actually clean..."prune" is the better way of describing it. Many users find themselves in a jam from having used this type of software. Before long, things stop working. It's best to restore whatever registry entries that program may have removed, then uninstall it.

Removing stray registry entries that may have been left behind from failed uninstalls or poorly written uninstall strings using any of these automatic removal programs is pointless, as any benefit is negligible.
Worst case scenario, some registry entries that may indeed be necessary could be removed as "orphaned" entries, when in fact they are just sitting in the registry, idle because whatever program needs them is either not running, or perhaps something from some other removable media may not be in use. When the time comes that you want to use them, they won't work.

There are other cleaners available that will do a better job for you regarding disk cleanup. I would prefer that you use "CCleaner" for disk cleanup. That also has a registry pruning feature but please don't bother using it for reasons detailed above. The disk cleaner feature though is excellent.

Lastly, I should point out, your Firefox browser is woefully outdated:
Mozilla Firefox (3.6.6)
...the current version is 3.6.12
Please open firefox and click Help. Scroll to and select Check for Updates...

On your next reply, please answer the following:
1) Have you removed any and all files/programs that you know you downloaded using file sharing software?
2) Are you a software developer?

...and please run combofix again and post back the resulting log. Thanks!





