
Google Redirect, Update Problem...


  • This topic is locked
37 replies to this topic

#1 bunny_fish

bunny_fish

  • Members
  • 32 posts
  • OFFLINE
  • Gender:Female
  • Local time:01:38 AM

Posted 20 November 2010 - 07:24 PM

good evening lifesaving smexy awesome forum people :]

computer has various problems that come and go, these are current ones:

Search results get redirected to spam, and popups come out of nowhere
Trying to run Adaware causes computer to crash, only works in Safe Mode
Windows Update doesn't work, and the site is blocked

[I don't know if this is important, but when I tried opening Windows Update or Backup + Restore Center in safe mode, I got a bunch of error messages like these:
C:\Windows\system32\1080theifz595.cpl is not designed to run on Windows or it contains an error, etc. with different names like 12z0spamb0tz45.cpl and not a virus/backdoorz/spyware/hacktool. Just throwin' it out there. ]

other problems that have come and gone are Host Process has stopped working[as soon as you log on],
Crashing every single five minutes, User Profile Service stopped working, and Windows Explorer SUPER slow/constantly crashing.

Computer has been unstable for a week now... : [

it seems today it decided to start crashing every five minutes again.

here's the log ♥

also, couldn't get gmer to run/finish after many attempts.


DDS (Ver_10-11-10.01) - NTFSx86 MINIMAL
Run by Nadine at 13:40:18.42 on Sat 11/20/2010
Internet Explorer: 8.0.6001.18975 BrowserJavaVersion: 1.6.0_22
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\WerFault.exe
C:\Users\Nadine\Desktop\dds.scr
C:\Windows\System32\mobsync.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ca&c=81&bd=Pavilion&pf=desktop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ca&c=81&bd=Pavilion&pf=desktop
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: {1392B8D2-5C05-419F-A8F6-B9F15A596612} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
mRun: [KBD] c:\hp\kbd\KbdStub.EXE
mRun: [OsdMaestro] "c:\program files\hewlett-packard\on-screen osd indicator\OSD.exe"
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [ANIWZCS2Service] c:\program files\ani\aniwzcs2 service\WZCSLDR2.exe
mRun: [D-Link D-Link Wireless N DWA-130] c:\program files\d-link\dwa-130\AirNCFG.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
DPF: {44990B00-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlcm.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/pr01/resources/VistaMSNPUplden-ca.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/VistaMSNPUplden-ca.cab
DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} - hxxp://cdnimg.piczo.com/images/uploader/piczo_fast_uploader.cab
TCP: NameServer = 93.188.162.134,93.188.160.14
TCP: {41E7EF4E-AE8B-4523-98B9-5446262A649B} = 93.188.162.134,93.188.160.14
TCP: {AA445B59-7DD0-4965-AE8D-DCED9A6FC5AA} = 93.188.162.134,93.188.160.14
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\users\nadine\appdata\roaming\mozilla\firefox\profiles\5p3nrz8b.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-11-15 64288]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-9-22 1355928]
S1 anodlwf;ANOD Network Security Filter driver;c:\windows\system32\drivers\anodlwf.sys [2009-6-26 12800]
S1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-7-3 11608]
S2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2008-7-28 21504]
S2 ANIWConnService;ANIWConn Service;c:\windows\system32\ANIWConnService.exe [2009-6-29 143360]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-7-3 135336]
S2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-7-3 267944]
S2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-7-3 60936]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2008-6-17 2749736]
S3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [2008-3-26 34128]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-7-28 21504]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2009-11-25 54632]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 RTL8192U;Realtek RTL8192u 802.11n Wireless LAN USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8192u.sys [2009-3-5 432640]
S3 SwitchBoard;SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
S3 TipCtrl;TipCtrl;c:\program files\utipu\TipCtrl.exe [2009-2-3 314504]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2009-6-9 15656]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S3 XDva143;XDva143;c:\windows\system32\XDva143.sys [2008-7-26 39808]

=============== Created Last 30 ================

2010-11-19 05:24:10 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-19 05:24:10 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2010-11-19 04:15:59 0 ----a-w- c:\windows\system32\RENFE3E.tmp
2010-11-19 04:15:59 0 ----a-w- c:\windows\system32\RENFE3D.tmp
2010-11-19 04:15:59 0 ----a-w- c:\windows\system32\RENFE3C.tmp
2010-11-16 04:53:52 -------- d-----w- c:\program files\SpywareBlaster
2010-11-16 04:52:41 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-11-16 04:49:32 -------- dc-h--w- c:\progra~2\{E961CE1B-C3EA-4882-9F67-F859B555D097}
2010-11-16 04:47:25 -------- d-----w- c:\program files\Lavasoft
2010-11-10 04:51:11 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2010-11-09 15:27:26 6146896 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{212df3f7-8594-4696-8b81-36eea430555c}\mpengine.dll
2010-11-06 19:37:34 103864 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2010-11-06 19:37:34 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
2010-11-01 01:39:45 874633 ----a-w- c:\windows\system32\ss_mm_1024_201008.scr
2010-10-26 23:14:35 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-10-26 23:14:33 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-10-26 23:14:32 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll

==================== Find3M ====================

2010-10-19 18:41:44 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-09-26 22:31:02 2828 --sha-w- c:\progra~2\KGyGaAvL.sys
2010-09-13 13:56:41 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-09-08 06:01:28 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-08 05:57:18 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-08 05:57:05 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-08 05:56:53 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-09-08 05:56:53 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-09-08 05:04:36 385024 ----a-w- c:\windows\system32\html.iec
2010-09-08 04:26:46 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-09-08 04:25:15 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-09-06 16:20:29 125952 ----a-w- c:\windows\system32\srvsvc.dll
2010-09-06 16:19:06 17920 ----a-w- c:\windows\system32\netevent.dll
2010-08-31 15:46:37 954752 ----a-w- c:\windows\system32\mfc40.dll
2010-08-31 15:46:37 954288 ----a-w- c:\windows\system32\mfc40u.dll
2010-08-31 15:44:31 531968 ----a-w- c:\windows\system32\comctl32.dll
2010-08-31 13:27:38 2038272 ----a-w- c:\windows\system32\win32k.sys
2010-08-26 16:37:45 157184 ----a-w- c:\windows\system32\t2embed.dll
2010-08-26 16:33:06 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll
2010-08-26 16:33:04 542720 ----a-w- c:\windows\apppatch\AcLayers.dll
2010-08-26 16:33:04 458752 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2010-08-26 16:33:04 2159616 ----a-w- c:\windows\apppatch\AcGenral.dll
2010-08-24 05:27:45 874633 ----a-w- c:\windows\system32\ss_mm_1600_201008.scr
2009-04-24 12:42:20 9815040 ----a-w- c:\program files\openofficeorg31.msi
2002-03-11 09:06:30 1822520 ----a-w- c:\program files\instmsiw.exe
2002-03-11 08:45:04 1708856 ----a-w- c:\program files\instmsia.exe

============= FINISH: 13:44:52.59 ===============


i <3 eggnog
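An added example, not part of this post and not code from the DDS tool: a small Python triage pass over lines in the shape of the "Pseudo HJT Report" section above. It takes the relevant lines from the posted log as constructed sample input and flags the items a helper usually looks at first: resolvers that are neither private nor in an expected set, hosts-file entries that sinkhole a site, UAC switched off, orphaned BHO entries and a security product reported disabled. The `EXPECTED_RESOLVERS` set is a placeholder assumption (a home machine normally gets its router or ISP resolver); the findings are for a person to verify, not a verdict.

```python
"""Triage of DDS "Pseudo HJT Report" lines (added example, not DDS code)."""
import ipaddress
import re

# Constructed sample input: lines copied from the Pseudo HJT Report posted above,
# in the shape DDS prints them.
SAMPLE_LOG = r"""
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
mPolicies-system: EnableLUA = 0 (0x0)
TCP: NameServer = 93.188.162.134,93.188.160.14
TCP: {41E7EF4E-AE8B-4523-98B9-5446262A649B} = 93.188.162.134,93.188.160.14
Hosts: 127.0.0.1 www.spywareinfo.com
"""

# Assumption (placeholder): the resolvers this machine is supposed to use, e.g. the
# LAN router. DNS-changing malware works by rewriting exactly the NameServer key,
# so anything outside this set (and not a private address) is worth a question.
EXPECTED_RESOLVERS = {"192.168.1.1"}

NAMESERVER_RE = re.compile(r"^TCP: (?:NameServer|\{[0-9A-Fa-f-]+\}) = (.+)$")
HOSTS_RE = re.compile(r"^Hosts: (\S+) (\S+)$")
POLICY_RE = re.compile(r"^mPolicies-system: (\w+) = (\d+)")
BHO_ORPHAN_RE = re.compile(r"^BHO: .*- No File$")
SP_DISABLED_RE = re.compile(r"^SP: (.+?) \*disabled\*")
SINKHOLE_TARGETS = {"127.0.0.1", "0.0.0.0", "::1"}


def triage(log_text, expected_resolvers=EXPECTED_RESOLVERS):
    """Return a list of (category, detail) findings for a helper to verify."""
    findings = []
    seen_dns = set()  # the same resolver pair appears once per interface; report it once
    for raw in log_text.splitlines():
        line = raw.strip()

        m = NAMESERVER_RE.match(line)
        if m:
            for ip in (p.strip() for p in m.group(1).split(",")):
                if ip in seen_dns:
                    continue
                seen_dns.add(ip)
                try:
                    addr = ipaddress.ip_address(ip)
                except ValueError:
                    findings.append(("dns", f"unparseable resolver entry {ip!r}"))
                    continue
                if ip not in expected_resolvers and not addr.is_private:
                    findings.append(("dns", f"resolver {ip} is not the expected LAN/ISP resolver"))
            continue

        m = HOSTS_RE.match(line)
        if m and m.group(1) in SINKHOLE_TARGETS:
            # Security-related sites pointed at localhost is a classic blocking trick.
            findings.append(("hosts", f"{m.group(2)} is sinkholed to {m.group(1)}"))
            continue

        m = POLICY_RE.match(line)
        if m and m.group(1) == "EnableLUA" and m.group(2) == "0":
            findings.append(("uac", "UAC is disabled (EnableLUA = 0)"))
            continue

        if BHO_ORPHAN_RE.match(line):
            findings.append(("bho", f"orphaned BHO entry: {line}"))
            continue

        m = SP_DISABLED_RE.match(line)
        if m:
            findings.append(("av", f"{m.group(1)} is reported disabled"))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"[{category}] {detail}")
```

Lines the parser does not recognise (mRun, DPF, FF entries and so on) are skipped, so the same function can be pointed at a full pasted log; only the five categories above are reported, and each is a prompt for the helper to check, not a removal instruction.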



#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:38 AM

Posted 29 November 2010 - 06:09 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please Do not Attach logs or put in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.


We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.


In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:

  • Please download DeFogger to your desktop.
  • Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger may ask you to reboot the machine, if it does - click OK
Do not re-enable these drivers until otherwise instructed.

Download DDS:

  • Please download DDS by sUBs from one of the links below and save it to your desktop:

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.

  • Double-Click on dds.scr and a command window will appear. This is normal.
  • Shortly after, two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you to save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply



Scan With RKUnHooker

  • Please download Rootkit Unhooker and save it to your desktop.
  • Extract RKUnhooker to your desktop
    Note** it is zipped up in a .rar file - If you do not have a program to unzip this type of file
    you can get a free one from here - http://www.7-zip.org/
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers, Stealth. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note** you may get this warning; it is ok, just ignore it:

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


"just click on Cancel, then Accept".


information and logs:

In your next post I need the following

1. logs from DDS
2. log from RKUnHooker
3. let me know of any problems you may have had
Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 bunny_fish

bunny_fish
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Gender:Female
  • Local time:01:38 AM

Posted 01 December 2010 - 12:44 AM

thank you soso much gringo :]!

the computer is bsod'ing every 5 min again, so
dds was run in safe mode, but rku could not.

also, the keyboard stopped working [ cause of registry error? :/ ]



[um, if it's not too much to ask, i have an issue w/ my upstairs pc.
i got rid of antimalware doctor/antivirus action but i can't connect to the internet,
it says because of a firewall, but i disabled it and it's still not working...]
[sorry for the extra request!!!]


DDS (Ver_10-11-10.01) - NTFSx86 MINIMAL
Run by Nadine at 20:39:51.71 on Tue 11/30/2010
Internet Explorer: 8.0.6001.18975 BrowserJavaVersion: 1.6.0_22
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\mobsync.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWWSC.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Users\Nadine\Desktop\dds.scr
C:\Windows\system32\conime.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ca&c=81&bd=Pavilion&pf=desktop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ca&c=81&bd=Pavilion&pf=desktop
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: {1392B8D2-5C05-419F-A8F6-B9F15A596612} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [KBD] c:\hp\kbd\KbdStub.EXE
mRun: [OsdMaestro] "c:\program files\hewlett-packard\on-screen osd indicator\OSD.exe"
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [ANIWZCS2Service] c:\program files\ani\aniwzcs2 service\WZCSLDR2.exe
mRun: [D-Link D-Link Wireless N DWA-130] c:\program files\d-link\dwa-130\AirNCFG.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
DPF: {44990B00-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlcm.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/pr01/resources/VistaMSNPUplden-ca.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/VistaMSNPUplden-ca.cab
DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} - hxxp://cdnimg.piczo.com/images/uploader/piczo_fast_uploader.cab
TCP: NameServer = 93.188.162.134,93.188.160.14
TCP: {41E7EF4E-AE8B-4523-98B9-5446262A649B} = 93.188.162.134,93.188.160.14
TCP: {AA445B59-7DD0-4965-AE8D-DCED9A6FC5AA} = 93.188.162.134,93.188.160.14
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\users\nadine\appdata\roaming\mozilla\firefox\profiles\5p3nrz8b.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-11-15 64288]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-9-22 1355928]
S1 anodlwf;ANOD Network Security Filter driver;c:\windows\system32\drivers\anodlwf.sys [2009-6-26 12800]
S1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-7-3 11608]
S2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2008-7-28 21504]
S2 ANIWConnService;ANIWConn Service;c:\windows\system32\ANIWConnService.exe [2009-6-29 143360]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-7-3 135336]
S2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-7-3 267944]
S2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-7-3 61960]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2008-6-17 2749736]
S3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [2008-3-26 34128]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-7-28 21504]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2009-11-25 54632]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 RTL8192U;Realtek RTL8192u 802.11n Wireless LAN USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8192u.sys [2009-3-5 432640]
S3 SwitchBoard;SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
S3 TipCtrl;TipCtrl;c:\program files\utipu\TipCtrl.exe [2009-2-3 314504]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2009-6-9 15656]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S3 XDva143;XDva143;c:\windows\system32\XDva143.sys [2008-7-26 39808]

=============== Created Last 30 ================

2010-11-23 03:43:53 -------- d-----w- c:\users\nadine\appdata\roaming\WinBatch
2010-11-19 05:24:10 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-19 05:24:10 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2010-11-19 04:15:59 0 ----a-w- c:\windows\system32\RENFE3E.tmp
2010-11-19 04:15:59 0 ----a-w- c:\windows\system32\RENFE3D.tmp
2010-11-19 04:15:59 0 ----a-w- c:\windows\system32\RENFE3C.tmp
2010-11-16 04:53:52 -------- d-----w- c:\program files\SpywareBlaster
2010-11-16 04:52:41 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-11-16 04:49:32 -------- dc-h--w- c:\progra~2\{E961CE1B-C3EA-4882-9F67-F859B555D097}
2010-11-16 04:47:25 -------- d-----w- c:\program files\Lavasoft
2010-11-10 04:51:11 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2010-11-09 15:27:26 6146896 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{212df3f7-8594-4696-8b81-36eea430555c}\mpengine.dll
2010-11-06 19:37:34 103864 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2010-11-06 19:37:34 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll

==================== Find3M ====================

2010-11-01 01:39:45 874633 ----a-w- c:\windows\system32\ss_mm_1024_201008.scr
2010-10-19 18:41:44 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-09-26 22:31:02 2828 --sha-w- c:\progra~2\KGyGaAvL.sys
2010-09-13 13:56:41 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-09-08 06:01:28 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-08 05:57:18 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-08 05:57:05 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-08 05:56:53 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-09-08 05:56:53 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-09-08 05:04:36 385024 ----a-w- c:\windows\system32\html.iec
2010-09-08 04:26:46 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-09-08 04:25:15 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-09-06 16:20:29 125952 ----a-w- c:\windows\system32\srvsvc.dll
2010-09-06 16:19:06 17920 ----a-w- c:\windows\system32\netevent.dll
2009-04-24 12:42:20 9815040 ----a-w- c:\program files\openofficeorg31.msi
2002-03-11 09:06:30 1822520 ----a-w- c:\program files\instmsiw.exe
2002-03-11 08:45:04 1708856 ----a-w- c:\program files\instmsia.exe

============= FINISH: 20:42:20.88 ===============





UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-11-10.01)


Motherboard: ASUSTek Computer INC. | | NARRA2
Processor: AMD Athlon™ 64 X2 Dual Core Processor 5200+ | Socket AM2 | 2611/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 456 GiB total, 202.196 GiB free.
D: is FIXED (NTFS) - 10 GiB total, 1.319 GiB free.
E: is CDROM ()
G: is Removable
H: is Removable
I: is Removable
J: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4d36e96b-e325-11ce-bfc1-08002be10318}
Description: Enhanced Multimedia PS/2 Keyboard
Device ID: ACPI\PNP0303\4&847CC39&0
Manufacturer: HP
Name: Enhanced Multimedia PS/2 Keyboard
PNP Device ID: ACPI\PNP0303\4&847CC39&0
Service: i8042prt

Class GUID: {4d36e96b-e325-11ce-bfc1-08002be10318}
Description: HID Keyboard Device
Device ID: HID\VID_03F0&PID_0F0C&MI_00\7&1989974A&0&0000
Manufacturer: (Standard keyboards)
Name: HID Keyboard Device
PNP Device ID: HID\VID_03F0&PID_0F0C&MI_00\7&1989974A&0&0000
Service: kbdhid

Class GUID: {4d36e96b-e325-11ce-bfc1-08002be10318}
Description: HID Keyboard Device
Device ID: HID\WACOMVKHID&COL02\1&4784345&3&0001
Manufacturer: (Standard keyboards)
Name: HID Keyboard Device
PNP Device ID: HID\WACOMVKHID&COL02\1&4784345&3&0001
Service: kbdhid

Class GUID: {4d36e97d-e325-11ce-bfc1-08002be10318}
Description: Terminal Server Keyboard Driver
Device ID: ROOT\RDP_KBD\0000
Manufacturer: (Standard system devices)
Name: Terminal Server Keyboard Driver
PNP Device ID: ROOT\RDP_KBD\0000
Service: TermDD

==== System Restore Points ===================


==== Installed Programs ======================

32 Bit HP CIO Components Installer
Ad-Aware
Adobe After Effects CS4
Adobe After Effects CS4 Presets
Adobe After Effects CS4 Third Party Content
Adobe AIR
Adobe Anchor Service CS4
Adobe Bridge CS4
Adobe CMaps CS4
Adobe Color Common Settings
Adobe Color EU Extra Settings CS4
Adobe Color JA Extra Settings CS4
Adobe Color NA Recommended Settings CS4
Adobe Color Video Profiles AE CS4
Adobe Community Help
Adobe CS4 American English Speech Analysis Models
Adobe CSI CS4
Adobe Default Language CS4
Adobe Device Central CS4
Adobe Drive CS4
Adobe Dynamiclink Support
Adobe Encore CS4
Adobe Encore CS4 Codecs
Adobe ExtendScript Toolkit 2
Adobe ExtendScript Toolkit CS4
Adobe Extension Manager CS4
Adobe Flash CS4
Adobe Flash CS4 Extension - Flash Lite STI en
Adobe Flash CS4 Professional
Adobe Flash CS4 STI-en
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Fonts All
Adobe Linguistics CS4
Adobe Media Encoder CS4
Adobe Media Encoder CS4 Additional Exporter
Adobe Media Encoder CS4 Dolby
Adobe Media Encoder CS4 Exporter
Adobe Media Encoder CS4 Importer
Adobe MotionPicture Color Files CS4
Adobe OnLocation CS4
Adobe Output Module
Adobe PDF Library Files CS4
Adobe Photoshop CS5
Adobe Premiere Pro CS4
Adobe Premiere Pro CS4 Functional Content
Adobe Premiere Pro CS4 Third Party Content
Adobe Reader 9.4.1 - Japanese
Adobe Search for Help
Adobe Service Manager Extension
Adobe Setup
Adobe Shockwave Player 11.5
Adobe Type Support CS4
Adobe Update Manager CS4
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS4
AdobeColorCommonSetCMYK
AdobeColorCommonSetRGB
Akamai NetSession Interface
ANIWZCS2 Service
Anki
Apple Software Update
ASIO4ALL
Audacity 1.2.6
Avira AntiVir Personal - Free Antivirus
AVS4YOU Software Navigator 1.3
BitComet 0.59
Bonjour
BufferChm
C4200
C4200_doccd
c4200_Help
Cards_Calendar_OrderGift_DoMorePlugout
CCleaner
Combined Community Codec Pack 2009-09-09
Compatibility Pack for the 2007 Office system
Connect
Content
Copy
Corel Painter 11
Corel Painter 11 - ICA
Corel Painter 11 - IPM
D-Link Wireless N DWA-130
Destination Component
DeviceDiscovery
DivX Converter
DivX Plus DirectShow Filters
DivX Setup
DivX Version Checker
DocProc
Enhanced Multimedia Keyboard Solution
Fax
Free Desktop Clock 2.1
Free YouTube to MP3 Converter version 3.7
GPBaseService
GPBaseService2
Hewlett-Packard Active Check
Hewlett-Packard Asset Agent for Health Check
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Microsoft Visual C# 2008 Express Edition with SP1 - ENU (KB945282)
Hotfix for Microsoft Visual C# 2008 Express Edition with SP1 - ENU (KB946040)
Hotfix for Microsoft Visual C# 2008 Express Edition with SP1 - ENU (KB946308)
Hotfix for Microsoft Visual C# 2008 Express Edition with SP1 - ENU (KB947540)
Hotfix for Microsoft Visual C# 2008 Express Edition with SP1 - ENU (KB947789)
HP Active Support Library
HP Advisor
HP Customer Experience Enhancements
HP Customer Feedback
HP Easy Setup - Frontend
HP Imaging Device Functions 10.0
HP On-Screen Cap/Num/Scroll Lock Indicator
HP Photosmart All-In-One Driver Software 10.0 Rel .2
HP Photosmart All-In-One Software 9.0
HP Photosmart Essential 2.5
HP Picasso Media Center Add-In
HP Smart Web Printing
HP Solution Center 13.0
HP Update
HPPhotoSmartDiscLabel_PaperLabel
HPPhotoSmartDiscLabel_PrintOnDisc
HPPhotoSmartDiscLabelContent1
hpphotosmartdisclabelplugin
HPPhotoSmartPhotobookWebPack1
HPProductAssistant
IconHandler 32 bit
Java Auto Updater
Java™ 6 Update 13
Java™ 6 Update 22
JDownloader
Junk Mail filter update
K-Lite Codec Pack 5.8.0 (Full)
kuler
Lame ACM MP3 Codec
Langauge
Licensing Service Install
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft SQL Server 2008 Management Objects
Microsoft SQL Server Compact 3.5 SP1 Design Tools English
Microsoft SQL Server Compact 3.5 SP1 English
Microsoft SQL Server Desktop Engine (SONY_MEDIAMGR)
Microsoft VC9 runtime libraries
Microsoft Visual C# 2008 Express Edition with SP1 - ENU
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022.218
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for .NET Framework - enu
Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for Win32
Microsoft Works
Microsoft WSE 3.0 Runtime
Microsoft_VC80_ATL_x86
Microsoft_VC80_CRT_x86
Microsoft_VC80_MFC_x86
Microsoft_VC80_MFCLOC_x86
Microsoft_VC90_ATL_x86
Microsoft_VC90_CRT_x86
Microsoft_VC90_MFC_x86
Mozilla Firefox (3.6.12)
MSVC80_x86
MSVCRT
MSVCSetup
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NVIDIA Display Control Panel
NVIDIA Drivers
OCR Software by I.R.I.S. 10.0
OpenOffice.org 3.2
Pando Media Booster
PanoStandAlone
PDF Settings CS4
PDF Settings CS5
Pen Tablet
Photoshop Camera Raw
Pixel Bender Toolkit
Pixillion Image Converter
Prism Video Converter
PS_AIO_02_Software
PS_AIO_02_Software_Min
PS_AIO_ProductContext
PS_AIO_Software
PS_AIO_Software_min
PSSWCORE
Python 2.5
QuickTime
Rainlendar2 (remove only)
Realtek High Definition Audio Driver
Scan
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
SmartWebPrintingOC
Soft Data Fax Modem with SmartCP
SolutionCenter
Sony Media Manager 2.2
Spelling Dictionaries Support For Adobe Reader 8
Spybot - Search & Destroy
SpywareBlaster 4.4
SQL Server System CLR Types
Status
StepMania (remove only)
Suite Shared Configuration CS4
System Requirements Lab
TipCam 2.2
Toolbox
TrayApp
Uninstall 1.0.0.1
UnloadSupport
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 (KB974631)
Update for Microsoft Office Word 2007 Help (KB963665)
VC80CRTRedist - 8.0.50727.4053
VideoToolkit01
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VLC media player 1.1.4
WeatherBug Gadget
WebReg
Winamp
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Family Safety
Windows Live Mail
Windows Live Messenger
Windows Live Movie Maker
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Upload Tool
Windows Live Writer
Windows Media Player Firefox Plugin
WinRAR archiver
μTorrent

==== End Of File ===========================

i <3 eggnog

#4 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 01 December 2010 - 01:02 AM

Hello

I will check the other computer after we have finished this, ok?


I would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3

1. Close any open browsers or any other programs that are open.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

In your next post I need the following:
  • Log from Combofix
  • Let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#5 bunny_fish

  • Topic Starter
  • Members
  • 32 posts
  • Gender:Female

Posted 01 December 2010 - 02:15 PM

The internet is not connecting now; DHCP won't start.
[I was going to go into the registry and fix it but I couldn't remember where the key was.]

ComboFix 10-11-30.04 - Nadine 0/2010 Tue 22:40:19.4.2 - x86 MINIMAL
Running from: c:\users\Nadine\Desktop\ComboFix.exe
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.


c:\windows\system32\7faespywaz95656.exe

c:\windows\system32\8277sza9bot505.exe

c:\windows\system32\884sz5al9325.ocx

c:\windows\system32\89zsteal3515.ocx

c:\windows\system32\8dct9ze51716.ocx

c:\windows\system32\8z79t5oj272.cpl

c:\windows\system32\9093spambo514z9.exe

c:\windows\system32\90z9sparse2151.ocx

c:\windows\system32\9147spzrse557.exe

c:\windows\system32\92037not-a5viruz537.bin

c:\windows\system32\9388spa5sez04.cpl

c:\windows\system32\9427not-a-95ruszb2.cpl

c:\windows\system32\9712virzs45f5.bin

c:\windows\system32\9758wozm9a55.ocx

c:\windows\system32\978spy556z.bin

c:\windows\system32\9895addzare1335.dll

c:\windows\system32\98c2bzckdoor24895.bin

c:\windows\system32\9978hacktozl58.exe

c:\windows\system32\997ethizf1851.dll

c:\windows\system32\9c51sparse109z.cpl

c:\windows\system32\9e4fs5eaz2246.bin

c:\windows\system32\a1c5p9waze1882.cpl

c:\windows\system32\d13z9eal12295.cpl

c:\windows\system32\e745dzwar92379.cpl

c:\windows\system32\e8s59rse3z1.bin

c:\windows\system32\f9spywarz544.bin

c:\windows\system32\z06355ackt9ol22a.ocx

c:\windows\system32\z14405a9ktool3c8.bin

c:\windows\system32\z1adspar596.bin

c:\windows\system32\z1d59arse1185.dll

c:\windows\system32\z326thre5t257519.ocx

c:\windows\system32\z42worm955.cpl

c:\windows\system32\z4370tr9j515.bin

c:\windows\system32\z4953not-a-vi5us484.bin

c:\windows\system32\z5299troj3f3.ocx

c:\windows\system32\z554hacktool292.bin

c:\windows\system32\z6167tr9j55d.dll

c:\windows\system32\z67515p9e7.dll

c:\windows\system32\z6eaad9ware2955.bin

c:\windows\system32\z7592w9rm45a.ocx

c:\windows\system32\z7cest9al27365.cpl

c:\windows\system32\z914s5ambot63b.ocx

c:\windows\system32\z98bback5oor1424.dll

c:\windows\system32\zb85ste9l2548.exe

c:\windows\system32\zc5aad5ware24209.ocx

c:\windows\system32\zd05th9eat17508.exe

c:\windows\system32\ze12s5eal2929.ocx

c:\windows\z1b0backdoo52695.bin

c:\windows\z21asp5w9re3152.dll

c:\windows\z2923troj55.ocx

c:\windows\z2st5al469.cpl

c:\windows\z37479or561f.dll

c:\windows\z5113t9oj602.cpl

c:\windows\z529worm499.dll

c:\windows\z59esteal125.bin

c:\windows\z6b9vir9605.bin

c:\windows\z76659ir5s729.cpl

c:\windows\z7c9spars51586.bin

c:\windows\z8151ha9k5ool75f.bin

c:\windows\z9115n9t-a5virus3c4.dll

c:\windows\za5a9ir1356.exe

c:\windows\zef9vir1756.dll

c:\windows\zf0download5r2949.exe



.

((((((((((((((((((((((((( Files Created from 2010-11-01 to 2010-12-01 )))))))))))))))))))))))))))))))

.



2010-12-01 06:51 . 2010-12-01 06:51 -------- d-----w- c:\users\Nadine\AppData\Local\temp

2010-12-01 06:51 . 2010-12-01 06:51 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp

2010-12-01 06:51 . 2010-12-01 06:51 -------- d-----w- c:\users\sarah\AppData\Local\temp

2010-12-01 06:51 . 2010-12-01 06:51 -------- d-----w- c:\users\Default\AppData\Local\temp

2010-11-23 03:43 . 2010-11-23 03:43 -------- d-----w- c:\users\Nadine\AppData\Roaming\WinBatch

2010-11-19 05:29 . 2010-11-19 05:29 -------- d-----w- c:\program files\Common Files\Java

2010-11-19 05:24 . 2010-11-19 05:23 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll

2010-11-19 05:24 . 2010-11-19 05:23 472808 ----a-w- c:\windows\system32\deployJava1.dll

2010-11-19 05:23 . 2010-11-19 05:23 -------- d-----w- c:\program files\Java

2010-11-19 04:15 . 2010-11-19 04:15 0 ----a-w- c:\windows\system32\RENFE3E.tmp

2010-11-19 04:15 . 2010-11-19 04:15 0 ----a-w- c:\windows\system32\RENFE3D.tmp

2010-11-19 04:15 . 2010-11-19 04:15 0 ----a-w- c:\windows\system32\RENFE3C.tmp

2010-11-16 04:53 . 2010-11-20 03:47 -------- d-----w- c:\program files\SpywareBlaster

2010-11-16 04:52 . 2010-09-23 07:46 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys

2010-11-16 04:49 . 2010-11-16 04:49 -------- dc-h--w- c:\programdata\{E961CE1B-C3EA-4882-9F67-F859B555D097}

2010-11-16 04:47 . 2010-11-16 04:52 -------- d-----w- c:\programdata\Lavasoft

2010-11-16 04:47 . 2010-11-16 04:47 -------- d-----w- c:\program files\Lavasoft

2010-11-10 04:51 . 2010-10-07 11:37 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat

2010-11-09 15:27 . 2010-10-07 23:21 6146896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{212DF3F7-8594-4696-8B81-36EEA430555C}\mpengine.dll

2010-11-06 19:37 . 2010-11-06 19:37 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll

2010-11-06 19:37 . 2010-11-06 19:37 103864 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll



.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-11-23 03:39 . 2009-07-03 19:20 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2010-11-03 02:37 . 2009-07-03 19:20 126856 ----a-w- c:\windows\system32\drivers\avipbb.sys

2010-11-01 01:39 . 2010-11-01 01:39 874633 ----a-w- c:\windows\system32\ss_mm_1024_201008.scr

2010-10-19 18:41 . 2009-10-02 20:56 222080 ------w- c:\windows\system32\MpSigStub.exe

2010-09-26 22:31 . 2009-08-19 11:27 2828 --sha-w- c:\programdata\KGyGaAvL.sys

2010-09-13 13:56 . 2010-10-13 14:43 8147456 ----a-w- c:\windows\system32\wmploc.DLL

2010-09-08 06:01 . 2010-10-13 14:44 916480 ----a-w- c:\windows\system32\wininet.dll

2010-09-08 05:57 . 2010-10-13 14:44 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-09-08 05:57 . 2010-10-13 14:44 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2010-09-08 05:56 . 2010-10-13 14:43 71680 ----a-w- c:\windows\system32\iesetup.dll

2010-09-08 05:56 . 2010-10-13 14:43 109056 ----a-w- c:\windows\system32\iesysprep.dll

2010-09-08 05:04 . 2010-10-13 14:44 385024 ----a-w- c:\windows\system32\html.iec

2010-09-08 04:26 . 2010-10-13 14:43 133632 ----a-w- c:\windows\system32\ieUnatt.exe

2010-09-08 04:25 . 2010-10-13 14:43 1638912 ----a-w- c:\windows\system32\mshtml.tlb

2010-09-06 16:20 . 2010-10-13 14:44 125952 ----a-w- c:\windows\system32\srvsvc.dll

2010-09-06 16:19 . 2010-10-13 14:44 17920 ----a-w- c:\windows\system32\netevent.dll

2010-09-06 13:45 . 2010-10-13 14:44 304128 ----a-w- c:\windows\system32\drivers\srv.sys

2010-09-06 13:45 . 2010-10-13 14:44 145408 ----a-w- c:\windows\system32\drivers\srv2.sys

2010-09-06 13:45 . 2010-10-13 14:44 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys

2009-04-24 12:42 . 2009-04-24 12:42 9815040 ----a-w- c:\program files\openofficeorg31.msi

2002-03-11 09:06 . 2002-03-11 09:06 1822520 ----a-w- c:\program files\instmsiw.exe

2002-03-11 08:45 . 2002-03-11 08:45 1708856 ----a-w- c:\program files\instmsia.exe

.



------- Sigcheck -------



[7] 2008-04-06 . B076B2AB806B3F696DAB21375389101C . 35384 . . [6.0.6000.16609] . . c:\windows\System32\DriverStore\FileRepository\keyboard.inf_a81145df\kbdclass.sys

[7] 2008-04-06 . B076B2AB806B3F696DAB21375389101C . 35384 . . [6.0.6000.16609] . . c:\windows\winsxs\x86_keyboard.inf_31bf3856ad364e35_6.0.6000.16609_none_957131ccdbca3f9c\kbdclass.sys

[7] 2008-04-06 . C9B0CF786D5F151A43C7BE8E243F2819 . 35384 . . [6.0.6000.20734] . . c:\windows\winsxs\x86_keyboard.inf_31bf3856ad364e35_6.0.6000.20734_none_95d55d61f504b486\kbdclass.sys

[7] 2008-01-19 . 37605E0A8CF00CBBA538E753E4344C6E . 35384 . . [6.0.6001.18000] . . c:\windows\System32\DriverStore\FileRepository\keyboard.inf_da7e599e\kbdclass.sys

[7] 2008-01-19 . 37605E0A8CF00CBBA538E753E4344C6E . 35384 . . [6.0.6001.18000] . . c:\windows\System32\DriverStore\FileRepository\keyboard.inf_f55d5e51\kbdclass.sys

[7] 2008-01-19 . 37605E0A8CF00CBBA538E753E4344C6E . 35384 . . [6.0.6001.18000] . . c:\windows\winsxs\x86_keyboard.inf_31bf3856ad364e35_6.0.6001.18000_none_974e6dd8d8f8ec7e\kbdclass.sys

[7] 2008-01-19 . 37605E0A8CF00CBBA538E753E4344C6E . 35384 . . [6.0.6001.18000] . . c:\windows\winsxs\x86_keyboard.inf_31bf3856ad364e35_6.0.6002.18005_none_9939e6e4d61ab7ca\kbdclass.sys

[7] 2006-11-02 . 1A48765F92BA1A88445FC25C9C9D94FC . 32872 . . [6.0.6000.16386] . . c:\windows\System32\DriverStore\FileRepository\keyboard.inf_93b1c41f\kbdclass.sys



c:\windows\System32\drivers\kbdclass.sys ... is missing !!

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4



[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-12 39408]



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]

"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]

"RtHDVCpl"="RtHDVCpl.exe" [2007-10-25 4702208]

"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2007-01-19 49152]

"D-Link D-Link Wireless N DWA-130"="c:\program files\D-Link\DWA-130\AirNCFG.exe" [2008-08-15 1679360]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-03 281768]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-22 13539872]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-22 92704]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-10 421888]

"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]

"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]

"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-16 1164584]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"GrpConv"="grpconv -o" [X]



c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]



[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)



[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux"=wdmaud.drv



[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"



[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]

@="Service"



[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Snapfish Media Detector.lnk]

path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Snapfish Media Detector.lnk

backup=c:\windows\pss\Snapfish Media Detector.lnk.CommonStartup

backupExtension=.CommonStartup



[HKLM\~\startupfolder\C:^Users^sarah^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]

path=c:\users\sarah\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk

backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup

backupExtension=.Startup



[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]

2009-04-23 13:51 691656 ----a-w- c:\program files\DAEMON Tools Lite\daemon.exe



[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]

2008-01-19 07:33 125952 ----a-w- c:\windows\ehome\ehtray.exe



[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPAdvisor]

2009-08-05 19:27 1644088 ----a-w- c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe



[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]

2007-04-18 15:01 65536 ----a-w- c:\hp\support\hpsysdrv.exe



[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]

2008-05-22 22:49 92704 ----a-w- c:\windows\System32\nvmctray.dll



[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2010-08-10 12:15 421888 ----a-w- c:\program files\QuickTime\QTTask.exe



[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateReg]

2008-06-10 11:27 54672 ----a-w- c:\windows\System32\jureg.exe



[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]

2008-01-19 07:33 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe



[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"



[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001



[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001



[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001



[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-288271997-264638971-2121170997-1000]

"EnableNotificationsRef"=dword:00000001



R1 anodlwf;ANOD Network Security Filter driver;c:\windows\system32\DRIVERS\anodlwf.sys [2008-05-06 12800]

R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2008-01-19 21504]

R2 ANIWConnService;ANIWConn Service;c:\windows\system32\ANIWConnService.exe [2008-07-09 143360]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-11-03 135336]

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-09-23 1355928]

R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2008-12-11 2749736]

R3 dfmirage;dfmirage;c:\windows\system32\DRIVERS\dfmirage.sys [2008-03-26 34128]

R3 Normandy;Normandy SR2; [x]

R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2009-07-15 3223416]

R3 RTL8192U;Realtek RTL8192u 802.11n Wireless LAN USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8192u.sys [2009-03-05 432640]

R3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]

R3 TipCtrl;TipCtrl;c:\program files\uTIPu\TipCtrl.exe [2009-02-03 314504]

R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\DRIVERS\wacmoumonitor.sys [2008-10-06 15656]

R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]

R3 XDva143;XDva143;c:\windows\system32\XDva143.sys [2008-07-27 39808]

R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-09-13 721904]

S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-09-23 64288]





[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

Akamai REG_MULTI_SZ Akamai

LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

.

Contents of the 'Scheduled Tasks' folder



2010-12-01 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-09-23 07:46]



2010-11-15 c:\windows\Tasks\User_Feed_Synchronization-{230FA473-277D-4015-864E-013F124EA394}.job

- c:\windows\system32\msfeedssync.exe [2010-10-13 04:25]



2010-12-01 c:\windows\Tasks\User_Feed_Synchronization-{47FF7EE2-3727-421C-8C35-F0DEBED05E88}.job

- c:\windows\system32\msfeedssync.exe [2010-10-13 04:25]



2010-11-17 c:\windows\Tasks\User_Feed_Synchronization-{48A521D0-EC3E-4F67-9361-6D40B1DEF0BE}.job

- c:\windows\system32\msfeedssync.exe [2010-10-13 04:25]



2010-12-01 c:\windows\Tasks\User_Feed_Synchronization-{948AD632-264E-4086-B294-EE1C458C4DC9}.job

- c:\windows\system32\msfeedssync.exe [2010-10-13 04:25]



2010-12-01 c:\windows\Tasks\User_Feed_Synchronization-{F179E5E7-BEFB-451A-AF35-897E415213DB}.job

- c:\windows\system32\msfeedssync.exe [2010-10-13 04:25]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.ca/

mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ca&c=81&bd=Pavilion&pf=desktop

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

FF - ProfilePath - c:\users\Nadine\AppData\Roaming\Mozilla\Firefox\Profiles\5p3nrz8b.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=

FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157

FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=

FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll

FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll

FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Extension: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\users\Nadine\AppData\Roaming\Mozilla\Firefox\Profiles\5p3nrz8b.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}

.

- - - - ORPHANS REMOVED - - - -



WebBrowser-{1392B8D2-5C05-419F-A8F6-B9F15A596612} - (no file)

HKLM-RunOnce-<NO NAME> - (no file)

SafeBoot-WudfPf

SafeBoot-WudfRd

MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe

MSConfigStartUp-Aim6 - c:\program files\AIM6\aim6.exe

MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe

MSConfigStartUp-Skype - c:\program files\Skype\Phone\Skype.exe

MSConfigStartUp-Veoh - c:\program files\Veoh Networks\Veoh\VeohClient.exe

MSConfigStartUp-WinampAgent - c:\program files\Winamp\winampa.exe







**************************************************************************



catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-11-30 22:51

Windows 6.0.6002 Service Pack 2 NTFS



scanning hidden processes ...



scanning hidden autostart entries ...



scanning hidden files ...



scan completed successfully

hidden files: 0



**************************************************************************



[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\npggsvc]

"ImagePath"="c:\windows\system32\GameMon.des -service"

.

--------------------- LOCKED REGISTRY KEYS ---------------------



[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

"MSCurrentCountry"=dword:000000b5

.

Completion time: 2010-11-30 22:56:12

ComboFix-quarantined-files.txt 2010-12-01 06:56

ComboFix2.txt 2009-06-13 21:11



Pre-Run: 218,641,510,400 bytes free

Post-Run: 235,274,080,256 bytes free



- - End Of File - - C3908F895492B2B880FBC082C75F292F
i <3 eggnog
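The several hundred files ComboFix deleted from c:\windows and c:\windows\system32 in the log above share one naming pattern: a hex or digit prefix, a malware-category word (spyware, backdoor, hacktool, not-a-virus, spambot, thief, ...) with one or two letters swapped for z, 9 or 5, more digits, and a dll/cpl/exe/ocx/bin extension. The script below is an added triage example, not part of the original post and not ComboFix's own logic: it reads ComboFix log text and flags paths by that pattern. The keyword list, the "at most two substituted letters" threshold and the directory/extension filters are assumptions of this example; the sample lines are a handful copied from the log plus legitimate files from its Find3M report for contrast.

```python
"""Triage ComboFix "Other Deletions" paths for the substituted-keyword naming
pattern seen in the log above. Added example, not part of the original post or
of ComboFix; it only inspects text and never touches the filesystem."""
import re
from pathlib import PureWindowsPath

# Malware-category words that appear in the dropped file names, with single
# letters swapped for 'z', '9' or '5' (e.g. "spywa5e", "hackto9l", "not-a-95rus").
# Assumed list for this example, built from the names visible in the log.
KEYWORDS = ("not-a-virus", "downloader", "backdoor", "hacktool", "spambot",
            "spyware", "addware", "sparse", "threat", "thief", "steal",
            "virus", "troj", "worm", "spy", "vir")
SUBST = frozenset("z95")
SUSPECT_EXT = frozenset({".dll", ".cpl", ".exe", ".ocx", ".bin"})
SUSPECT_DIRS = ("c:\\windows\\system32", "c:\\windows")


def fuzzy_keyword(stem: str, keyword: str) -> bool:
    """True if `keyword` occurs in `stem` with at most two letters replaced by
    z/9/5 and at least three letters intact (so 'vzr' alone is not enough)."""
    k = len(keyword)
    min_literal = max(3, k - 2)
    for i in range(len(stem) - k + 1):
        literal = 0
        for got, want in zip(stem[i:i + k], keyword):
            if got == want:
                literal += 1
            elif got not in SUBST:
                break
        else:
            if literal >= min_literal:
                return True
    return False


def classify(path: str):
    """Return the matched keyword for a suspicious path, else None."""
    p = PureWindowsPath(path.strip().lower())
    if p.suffix not in SUSPECT_EXT or str(p.parent) not in SUSPECT_DIRS:
        return None
    stem = p.stem
    # Dropped names carry a hex/digit prefix and digit suffix around the word;
    # a legitimate system file name rarely contains these words at all.
    if not re.search(r"\d", stem):
        return None
    for kw in KEYWORDS:
        if fuzzy_keyword(stem, kw):
            return kw
    return None


def triage_log(text: str):
    """Pick the c:\\ paths out of ComboFix log text; return [(path, keyword)]."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if line.lower().startswith("c:\\"):
            kw = classify(line)
            if kw:
                hits.append((line, kw))
    return hits


# Constructed sample: five deletions copied from the log above plus three
# legitimate files from its Find3M report, so the filters have something to pass.
SAMPLE = """
c:\\windows\\system32\\490espywa5e2z89.cpl
c:\\windows\\system32\\5549hackto9l5fz.exe
c:\\windows\\system32\\9427not-a-95ruszb2.cpl
c:\\windows\\system32\\573s9ambot6z3.ocx
c:\\windows\\z8151ha9k5ool75f.bin
c:\\windows\\system32\\inetcpl.cpl
c:\\windows\\system32\\drivers\\srv2.sys
c:\\windows\\system32\\MpSigStub.exe
"""

if __name__ == "__main__":
    for path, kw in triage_log(SAMPLE):
        print(f"{kw:12s} {path}")
```

Names with heavier substitution (for example 5026z9r2280.cpl, where only one letter of the word survives) slip past the three-literal-letters floor on purpose; lowering it trades misses for false positives on ordinary file names. Treat the output as a triage aid for reading a log, not as a cleaning tool: ComboFix's own deletion list remains the authoritative record of what was removed.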

#6 gringo_pr (Bleepin Gringo, Malware Response Team, Puerto Rico)

Posted 01 December 2010 - 03:30 PM

Greetings

Let me know if after you restart the computer you still have connection problems.

Good. That cleaned up some bad guys, but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

FCopy::
c:\windows\System32\DriverStore\FileRepository\keyboard.inf_f55d5e51\kbdclass.sys | c:\windows\System32\drivers\kbdclass.sys


Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic




Proud Graduate Of Malware Removal University
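The FCopy step above restores the missing c:\windows\System32\drivers\kbdclass.sys from one of the copies the Sigcheck section listed. Which copy to trust is the point of that section: the four copies that share MD5 37605E0A8CF00CBBA538E753E4344C6E (two in DriverStore, two in winsxs) agree with each other, while the two other hashes belong to older 6.0.6000 builds. The script below is an added example, not part of the original post and not ComboFix's own logic: it parses the Sigcheck lines copied from the log, picks a restore source, writes the CFScript FCopy line in the syntax used above, and verifies the restored file afterwards by size and MD5. The selection rule (majority hash first, DriverStore before winsxs, newer version on ties) is this example's assumption; the authoritative check of a driver is its catalog signature, which a text-only script cannot perform.

```python
"""Choose a restore source for a missing driver from a ComboFix Sigcheck report,
emit the CFScript FCopy line, and verify the restored file by size and MD5.
Added example, not part of the original post or of ComboFix. The Sigcheck lines
below are copied from the log; the selection rule is an assumption of this
example, not ComboFix's own logic."""
import hashlib
import re
from collections import Counter
from dataclasses import dataclass
from pathlib import Path

# '[n] date . MD5 . size . . [version] . . path', as ComboFix prints it.
SIGCHECK_RE = re.compile(
    r"^\[\d+\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+\.\s+(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+"
    r"(?P<size>\d+)\s+\.\s+\.\s+\[(?P<version>[\d.]+)\]\s+\.\s+\.\s+(?P<path>\S.*?)\s*$"
)


@dataclass(frozen=True)
class SigEntry:
    date: str
    md5: str
    size: int
    version: tuple
    path: str


def parse_sigcheck(text: str) -> list:
    """Parse every Sigcheck line in `text` into a SigEntry; ignore other lines."""
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if m:
            entries.append(SigEntry(m["date"], m["md5"].upper(), int(m["size"]),
                                    tuple(int(x) for x in m["version"].split(".")),
                                    m["path"]))
    return entries


def choose_source(entries: list) -> SigEntry:
    """Pick the copy whose MD5 the most other copies share (an outlier hash on a
    single file is a warning, not a restore source), preferring the DriverStore
    over winsxs and a newer file version on ties."""
    popularity = Counter(e.md5 for e in entries)
    return max(entries, key=lambda e: (popularity[e.md5],
                                       "\\driverstore\\" in e.path.lower(),
                                       e.version, e.path))


def fcopy_line(src: SigEntry, dest: str) -> str:
    """CFScript syntax used above: 'source | destination' under an FCopy:: header."""
    return f"FCopy::\n{src.path} | {dest}"


def bytes_match(data: bytes, expected: SigEntry) -> bool:
    """Size and MD5 both have to agree with the Sigcheck entry."""
    return (len(data) == expected.size
            and hashlib.md5(data).hexdigest().upper() == expected.md5)


def file_matches(path: str, expected: SigEntry) -> bool:
    """After ComboFix runs, confirm the restored driver is byte-for-byte the chosen copy."""
    return bytes_match(Path(path).read_bytes(), expected)


# Sigcheck lines copied from the log above.
SIGCHECK = r"""
[7] 2008-04-06 . B076B2AB806B3F696DAB21375389101C . 35384 . . [6.0.6000.16609] . . c:\windows\System32\DriverStore\FileRepository\keyboard.inf_a81145df\kbdclass.sys
[7] 2008-04-06 . B076B2AB806B3F696DAB21375389101C . 35384 . . [6.0.6000.16609] . . c:\windows\winsxs\x86_keyboard.inf_31bf3856ad364e35_6.0.6000.16609_none_957131ccdbca3f9c\kbdclass.sys
[7] 2008-04-06 . C9B0CF786D5F151A43C7BE8E243F2819 . 35384 . . [6.0.6000.20734] . . c:\windows\winsxs\x86_keyboard.inf_31bf3856ad364e35_6.0.6000.20734_none_95d55d61f504b486\kbdclass.sys
[7] 2008-01-19 . 37605E0A8CF00CBBA538E753E4344C6E . 35384 . . [6.0.6001.18000] . . c:\windows\System32\DriverStore\FileRepository\keyboard.inf_da7e599e\kbdclass.sys
[7] 2008-01-19 . 37605E0A8CF00CBBA538E753E4344C6E . 35384 . . [6.0.6001.18000] . . c:\windows\System32\DriverStore\FileRepository\keyboard.inf_f55d5e51\kbdclass.sys
[7] 2008-01-19 . 37605E0A8CF00CBBA538E753E4344C6E . 35384 . . [6.0.6001.18000] . . c:\windows\winsxs\x86_keyboard.inf_31bf3856ad364e35_6.0.6001.18000_none_974e6dd8d8f8ec7e\kbdclass.sys
[7] 2008-01-19 . 37605E0A8CF00CBBA538E753E4344C6E . 35384 . . [6.0.6001.18000] . . c:\windows\winsxs\x86_keyboard.inf_31bf3856ad364e35_6.0.6002.18005_none_9939e6e4d61ab7ca\kbdclass.sys
[7] 2006-11-02 . 1A48765F92BA1A88445FC25C9C9D94FC . 32872 . . [6.0.6000.16386] . . c:\windows\System32\DriverStore\FileRepository\keyboard.inf_93b1c41f\kbdclass.sys
"""

if __name__ == "__main__":
    chosen = choose_source(parse_sigcheck(SIGCHECK))
    print(fcopy_line(chosen, r"c:\windows\System32\drivers\kbdclass.sys"))
```

On the log above the rule lands on the keyboard.inf_f55d5e51 copy, the same source the script in this post uses. After ComboFix has run, file_matches() on the restored c:\windows\System32\drivers\kbdclass.sys against that entry is the check worth doing before trusting the keyboard driver again; a size or hash mismatch means the copy was not the one expected, not that the restore silently worked.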

#7 bunny_fish (Topic Starter, Members)

Posted 01 December 2010 - 11:09 PM

good evening : ]
i fixed the internet issue, but
everything else is the same : P


ComboFix 10-11-30.04 - Nadine 1/2010 Wed 18:22:06.5.2 - x86 MINIMAL
Running from: c:\users\Nadine\Desktop\ComboFix.exe
Command switches used :: c:\users\Nadine\Desktop\CFScript.txt
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\System32\DriverStore\FileRepository\keyboard.inf_f55d5e51\kbdclass.sys --> c:\windows\System32\drivers\kbdclass.sys
.
((((((((((((((((((((((((( Files Created from 2010-11-02 to 2010-12-02 )))))))))))))))))))))))))))))))
.

2010-12-02 02:33 . 2010-12-02 02:33 -------- d-----w- c:\users\Nadine\AppData\Local\temp
2010-12-02 02:33 . 2010-12-02 02:33 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2010-12-02 02:33 . 2010-12-02 02:33 -------- d-----w- c:\users\sarah\AppData\Local\temp
2010-12-02 02:33 . 2010-12-02 02:33 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-12-02 02:22 . 2008-01-19 07:41 35384 ----a-w- c:\windows\system32\drivers\kbdclass.sys
2010-11-23 03:43 . 2010-11-23 03:43 -------- d-----w- c:\users\Nadine\AppData\Roaming\WinBatch
2010-11-19 05:29 . 2010-11-19 05:29 -------- d-----w- c:\program files\Common Files\Java
2010-11-19 05:24 . 2010-11-19 05:23 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2010-11-19 05:24 . 2010-11-19 05:23 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-19 05:23 . 2010-11-19 05:23 -------- d-----w- c:\program files\Java
2010-11-19 04:15 . 2010-11-19 04:15 0 ----a-w- c:\windows\system32\RENFE3E.tmp
2010-11-19 04:15 . 2010-11-19 04:15 0 ----a-w- c:\windows\system32\RENFE3D.tmp
2010-11-19 04:15 . 2010-11-19 04:15 0 ----a-w- c:\windows\system32\RENFE3C.tmp
2010-11-16 04:53 . 2010-11-20 03:47 -------- d-----w- c:\program files\SpywareBlaster
2010-11-16 04:52 . 2010-09-23 07:46 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-11-16 04:49 . 2010-11-16 04:49 -------- dc-h--w- c:\programdata\{E961CE1B-C3EA-4882-9F67-F859B555D097}
2010-11-16 04:47 . 2010-11-16 04:52 -------- d-----w- c:\programdata\Lavasoft
2010-11-16 04:47 . 2010-11-16 04:47 -------- d-----w- c:\program files\Lavasoft
2010-11-10 04:51 . 2010-10-07 11:37 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2010-11-09 15:27 . 2010-10-07 23:21 6146896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{212DF3F7-8594-4696-8B81-36EEA430555C}\mpengine.dll
2010-11-06 19:37 . 2010-11-06 19:37 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2010-11-06 19:37 . 2010-11-06 19:37 103864 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-23 03:39 . 2009-07-03 19:20 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-11-03 02:37 . 2009-07-03 19:20 126856 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-11-01 01:39 . 2010-11-01 01:39 874633 ----a-w- c:\windows\system32\ss_mm_1024_201008.scr
2010-10-19 18:41 . 2009-10-02 20:56 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-09-26 22:31 . 2009-08-19 11:27 2828 --sha-w- c:\programdata\KGyGaAvL.sys
2010-09-13 13:56 . 2010-10-13 14:43 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-09-08 06:01 . 2010-10-13 14:44 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-08 05:57 . 2010-10-13 14:44 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-08 05:57 . 2010-10-13 14:44 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-08 05:56 . 2010-10-13 14:43 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-09-08 05:56 . 2010-10-13 14:43 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-09-08 05:04 . 2010-10-13 14:44 385024 ----a-w- c:\windows\system32\html.iec
2010-09-08 04:26 . 2010-10-13 14:43 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-09-08 04:25 . 2010-10-13 14:43 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-09-06 16:20 . 2010-10-13 14:44 125952 ----a-w- c:\windows\system32\srvsvc.dll
2010-09-06 16:19 . 2010-10-13 14:44 17920 ----a-w- c:\windows\system32\netevent.dll
2010-09-06 13:45 . 2010-10-13 14:44 304128 ----a-w- c:\windows\system32\drivers\srv.sys
2010-09-06 13:45 . 2010-10-13 14:44 145408 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-09-06 13:45 . 2010-10-13 14:44 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
2009-04-24 12:42 . 2009-04-24 12:42 9815040 ----a-w- c:\program files\openofficeorg31.msi
2002-03-11 09:06 . 2002-03-11 09:06 1822520 ----a-w- c:\program files\instmsiw.exe
2002-03-11 08:45 . 2002-03-11 08:45 1708856 ----a-w- c:\program files\instmsia.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-12 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"RtHDVCpl"="RtHDVCpl.exe" [2007-10-25 4702208]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2007-01-19 49152]
"D-Link D-Link Wireless N DWA-130"="c:\program files\D-Link\DWA-130\AirNCFG.exe" [2008-08-15 1679360]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-03 281768]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-22 13539872]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-22 92704]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-10 421888]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-16 1164584]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Snapfish Media Detector.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Snapfish Media Detector.lnk
backup=c:\windows\pss\Snapfish Media Detector.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^sarah^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\sarah\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2009-04-23 13:51 691656 ----a-w- c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-19 07:33 125952 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPAdvisor]
2009-08-05 19:27 1644088 ----a-w- c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
2007-04-18 15:01 65536 ----a-w- c:\hp\support\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2008-05-22 22:49 92704 ----a-w- c:\windows\System32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-08-10 12:15 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateReg]
2008-06-10 11:27 54672 ----a-w- c:\windows\System32\jureg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-19 07:33 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-288271997-264638971-2121170997-1000]
"EnableNotificationsRef"=dword:00000001

R1 anodlwf;ANOD Network Security Filter driver;c:\windows\system32\DRIVERS\anodlwf.sys [2008-05-06 12800]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2008-01-19 21504]
R2 ANIWConnService;ANIWConn Service;c:\windows\system32\ANIWConnService.exe [2008-07-09 143360]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-11-03 135336]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-09-23 1355928]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2008-12-11 2749736]
R3 dfmirage;dfmirage;c:\windows\system32\DRIVERS\dfmirage.sys [2008-03-26 34128]
R3 Normandy;Normandy SR2; [x]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2009-07-15 3223416]
R3 RTL8192U;Realtek RTL8192u 802.11n Wireless LAN USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8192u.sys [2009-03-05 432640]
R3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 TipCtrl;TipCtrl;c:\program files\uTIPu\TipCtrl.exe [2009-02-03 314504]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\DRIVERS\wacmoumonitor.sys [2008-10-06 15656]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R3 XDva143;XDva143;c:\windows\system32\XDva143.sys [2008-07-27 39808]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-09-13 721904]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-09-23 64288]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - ECACHE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
Akamai REG_MULTI_SZ Akamai
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-12-02 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-09-23 07:46]

2010-11-15 c:\windows\Tasks\User_Feed_Synchronization-{230FA473-277D-4015-864E-013F124EA394}.job
- c:\windows\system32\msfeedssync.exe [2010-10-13 04:25]

2010-12-02 c:\windows\Tasks\User_Feed_Synchronization-{47FF7EE2-3727-421C-8C35-F0DEBED05E88}.job
- c:\windows\system32\msfeedssync.exe [2010-10-13 04:25]

2010-11-17 c:\windows\Tasks\User_Feed_Synchronization-{48A521D0-EC3E-4F67-9361-6D40B1DEF0BE}.job
- c:\windows\system32\msfeedssync.exe [2010-10-13 04:25]

2010-12-02 c:\windows\Tasks\User_Feed_Synchronization-{948AD632-264E-4086-B294-EE1C458C4DC9}.job
- c:\windows\system32\msfeedssync.exe [2010-10-13 04:25]

2010-12-02 c:\windows\Tasks\User_Feed_Synchronization-{F179E5E7-BEFB-451A-AF35-897E415213DB}.job
- c:\windows\system32\msfeedssync.exe [2010-10-13 04:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ca&c=81&bd=Pavilion&pf=desktop
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Nadine\AppData\Roaming\Mozilla\Firefox\Profiles\5p3nrz8b.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\users\Nadine\AppData\Roaming\Mozilla\Firefox\Profiles\5p3nrz8b.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
- - - - ORPHANS REMOVED - - - -

HKLM-RunOnce-<NO NAME> - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-01 18:33
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2010-12-01 18:37:08
ComboFix-quarantined-files.txt 2010-12-02 02:37
ComboFix2.txt 2010-12-01 06:56
ComboFix3.txt 2009-06-13 21:11

Pre-Run: 235,068,600,320 bytes free
Post-Run: 235,148,582,912 bytes free

- - End Of File - - 38C6C624CA1D6E8FAD1DF4ECB2F311B5

Edited by bunny_fish, 01 December 2010 - 11:11 PM.

i <3 eggnog

#8 gringo_pr (Bleepin Gringo, Malware Response Team, Puerto Rico)

Posted 02 December 2010 - 12:46 AM

we are going to check the router

Create and Run Batch File
Open Notepad and copy/paste the entire contents of the codebox below into Notepad:
@echo off
>Log1.txt (
ipconfig /all
nslookup google.com
nslookup yahoo.com
ping -n 2 google.com
ping -n 2 yahoo.com
route print
)
start Log1.txt
del %0
Save this as router.bat. Choose "Save as type" - All Files, and where to save - Desktop, then close the Notepad file.

It should look like this: Posted Image <--XP
Double-click on router.bat to run it. It will open Notepad when done; please post back the results.
gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#9 bunny_fish (Topic Starter)

Posted 02 December 2010 - 01:01 AM

: ]



Windows IP Configuration

Host Name . . . . . . . . . . . . : Gregory
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : ok.shawcable.net

Wireless LAN adapter Wireless Network Connection 2:

Connection-specific DNS Suffix . : ok.shawcable.net
Description . . . . . . . . . . . : D-Link DWA-130 Wireless N USB Adapter(rev.C)
Physical Address. . . . . . . . . : 00-22-B0-73-F5-44
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::a521:d965:172f:91a0%15(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.0.101(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Wednesday, December 01, 2010 9:59:00 PM
Lease Expires . . . . . . . . . . : Wednesday, December 08, 2010 9:59:00 PM
Default Gateway . . . . . . . . . : 192.168.0.1
DHCP Server . . . . . . . . . . . : 192.168.0.1
DHCPv6 IAID . . . . . . . . . . . : 369107632
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-0F-50-D5-37-00-1E-8C-DF-4C-D2
DNS Servers . . . . . . . . . . . : 192.168.0.1
NetBIOS over Tcpip. . . . . . . . : Disabled

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : NVIDIA nForce 10/100 Mbps Ethernet
Physical Address. . . . . . . . . : 00-1E-8C-DF-4C-D2
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 6:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 02-00-54-55-4E-01
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 7:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.{41E7EF4E-AE8B-4523-98B9-5446262A649B}
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 9:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : 6TO4 Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 12:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft 6to4 Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 13:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 19:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.ok.shawcable.net
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 21:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.ok.shawcable.net
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 192.168.0.1

DNS request timed out.
timeout was 2 seconds.
Name: google.com
Addresses: 72.14.204.103
72.14.204.104
72.14.204.147
72.14.204.99

DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 192.168.0.1

Name: yahoo.com
Addresses: 209.191.122.70
98.137.149.56
69.147.125.65
67.195.160.76
72.30.2.43



Pinging google.com [72.14.204.99] with 32 bytes of data:

Reply from 72.14.204.99: bytes=32 time=86ms TTL=54

Reply from 72.14.204.99: bytes=32 time=91ms TTL=54



Ping statistics for 72.14.204.99:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 86ms, Maximum = 91ms, Average = 88ms



Pinging yahoo.com [209.191.122.70] with 32 bytes of data:

Reply from 209.191.122.70: bytes=32 time=78ms TTL=53

Reply from 209.191.122.70: bytes=32 time=77ms TTL=53



Ping statistics for 209.191.122.70:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 77ms, Maximum = 78ms, Average = 77ms

===========================================================================
Interface List
15 ...00 22 b0 73 f5 44 ...... D-Link DWA-130 Wireless N USB Adapter(rev.C)
8 ...00 1e 8c df 4c d2 ...... NVIDIA nForce 10/100 Mbps Ethernet
1 ........................... Software Loopback Interface 1
9 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
17 ...00 00 00 00 00 00 00 e0 isatap.{41E7EF4E-AE8B-4523-98B9-5446262A649B}
12 ...00 00 00 00 00 00 00 e0 6TO4 Adapter
13 ...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter #2
16 ...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
24 ...00 00 00 00 00 00 00 e0 isatap.ok.shawcable.net
23 ...00 00 00 00 00 00 00 e0 isatap.ok.shawcable.net
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.101 30
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.0.0 255.255.255.0 On-link 192.168.0.101 286
192.168.0.101 255.255.255.255 On-link 192.168.0.101 286
192.168.0.255 255.255.255.255 On-link 192.168.0.101 286
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.0.101 286
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.0.101 286
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 306 ::1/128 On-link
15 286 fe80::/64 On-link
15 286 fe80::a521:d965:172f:91a0/128
On-link
1 306 ff00::/8 On-link
15 286 ff00::/8 On-link
===========================================================================
Persistent Routes:
None

#10 gringo_pr (Bleepin Gringo, Malware Response Team, Puerto Rico)

Posted 02 December 2010 - 01:18 AM

Resetting Router

Let's try to reset the router to its default configuration.
  • This can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router.
  • Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds).
  • If you don't know the router's default password, you can look it up here.
  • You also need to reconfigure any security settings you had in place prior to the reset.
  • You may also need to consult with your Internet service provider to find out which DNS servers your network should be using, or you can use OpenDNS.
Note: After resetting your router, it is important to set a non-default password, and if possible, username, on the router. This will assist in eliminating the possibility of the router being hijacked again.

flush the DNS:

Now let's flush the DNS on the computer:

  • click on Start
  • select run
  • enter cmd and hit enter
  • a black window will open.
  • please enter the following text into that window and hit enter:


    ipconfig /flushdns

Now let's check the router again.

Create and Run Batch File
Open Notepad and copy/paste the entire contents of the codebox below into Notepad:
@echo off
>Log1.txt (
ipconfig /all
nslookup google.com
nslookup yahoo.com
ping -n 2 google.com
ping -n 2 yahoo.com
route print
)
start Log1.txt
del %0
Save this as router.bat. Choose "Save as type" - All Files, and where to save - Desktop, then close the Notepad file.

It should look like this: Posted Image <--XP
Double-click on router.bat to run it. It will open Notepad when done; please post back the results.

gringo
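The router.bat output above is read by eye in this thread; the following triage helper is an added example, not part of gringo_pr's instructions, and it assumes the English-locale layout of ipconfig /all and nslookup output that Log1.txt contains. It extracts the gateway and DNS servers per adapter and the resolver nslookup actually queried, flags any DNS server outside the private LAN ranges (the pattern a hijacked router or a DNS-changing infection leaves on clients), and notes the case seen here, where the router itself is the resolver and only its own upstream DNS setting can say more. The sample log, adapter names and addresses are constructed placeholders.

```python
import ipaddress
import re

# Constructed sample in the shape of the Log1.txt that router.bat writes
# (ipconfig /all followed by nslookup). Names and addresses are placeholders,
# not taken from the thread: the first DNS server sits outside the LAN ranges
# while gateway and DHCP server are the router, the pattern a hijacked router
# or a DNS-changing infection leaves behind on clients.
SAMPLE_LOG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : EXAMPLE-PC

Wireless LAN adapter Wireless Network Connection 2:

   Description . . . . . . . . . . . : Example Wireless N USB Adapter
   IPv4 Address. . . . . . . . . . . : 192.168.0.101(Preferred)
   Default Gateway . . . . . . . . . : 192.168.0.1
   DHCP Server . . . . . . . . . . . : 192.168.0.1
   DNS Servers . . . . . . . . . . . : 203.0.113.7
                                       192.168.0.1

Ethernet adapter Local Area Connection:

   Media State . . . . . . . . . . . : Media disconnected

DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  203.0.113.7

Name:    google.com
Addresses:  72.14.204.103
"""

# RFC 1918 plus link-local: where a home router's DHCP-assigned DNS normally lives.
LAN_RANGES = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

ADAPTER_RE = re.compile(r"^(\S.*\badapter\b.*):\s*$")
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 -]*?)[ .]*:\s*(.*)$")
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")  # IPv6 entries are ignored


def is_lan_address(addr):
    """True when addr falls inside an RFC 1918 or link-local range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LAN_RANGES)


def parse_router_log(text):
    """Collect gateway/DNS per adapter, the resolver nslookup queried, and timeouts."""
    adapters, resolvers, timeouts = {}, [], 0
    current, field, last_field = None, None, None
    for line in text.splitlines():
        if "DNS request timed out" in line:
            timeouts += 1
            continue
        m = ADAPTER_RE.match(line)
        if m:  # "Wireless LAN adapter ...:" opens a new ipconfig section
            current = m.group(1).strip()
            adapters[current] = {"gateway": [], "dns": []}
            field = None
            continue
        m = FIELD_RE.match(line)
        if m:
            last_field, field = field, m.group(1).strip()
            value = m.group(2)
        else:
            value = line  # continuation line, e.g. a second DNS server
        ips = IPV4_RE.findall(value)
        if field == "Default Gateway" and current:
            adapters[current]["gateway"] += ips
        elif field == "DNS Servers" and current:
            adapters[current]["dns"] += ips
        elif field == "Address" and last_field == "Server":
            resolvers += ips  # the server nslookup actually asked
    return {"adapters": adapters, "resolvers": resolvers, "timeouts": timeouts}


def assess(report):
    """Turn the parsed log into (level, message) findings for triage."""
    findings = []
    for name, info in report["adapters"].items():
        if not info["dns"]:
            continue  # disconnected or tunnel adapter, nothing assigned
        gateway = ", ".join(info["gateway"]) or "unset"
        for dns in info["dns"]:
            if not is_lan_address(dns):
                findings.append(("WARN", f"{name}: DNS server {dns} is outside the LAN "
                                 f"ranges while the gateway is {gateway}; find out what "
                                 "set it (DHCP option, static setting or malware)"))
        if set(info["dns"]) <= set(info["gateway"]):
            findings.append(("INFO", f"{name}: the router {gateway} is the resolver, so "
                             "its upstream DNS setting must be checked on the router "
                             "itself; this log cannot show it"))
    for r in report["resolvers"]:
        if not is_lan_address(r):
            findings.append(("WARN", f"nslookup queried {r}, a resolver outside the LAN"))
    if report["timeouts"]:
        findings.append(("INFO", f"{report['timeouts']} 'DNS request timed out' line(s): "
                         "the resolver was slow or its reverse lookup failed"))
    return findings
```

Run `assess(parse_router_log(open("Log1.txt").read()))` against a real Log1.txt; a WARN means the client was handed a resolver the router did not provide, while the INFO about the router being the resolver is the cue to log in to the router and inspect its DNS settings, which is what the reset step addresses.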

#11 bunny_fish (Topic Starter)

Posted 03 December 2010 - 11:17 PM

yaaay the redirecting and popups have gone away now!


Windows IP Configuration

Host Name . . . . . . . . . . . . : Gregory
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : ok.shawcable.net

Wireless LAN adapter Wireless Network Connection 2:

Connection-specific DNS Suffix . : ok.shawcable.net
Description . . . . . . . . . . . : D-Link DWA-130 Wireless N USB Adapter(rev.C)
Physical Address. . . . . . . . . : 00-22-B0-73-F5-44
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::a521:d965:172f:91a0%15(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.0.100(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Friday, December 03, 2010 8:04:33 PM
Lease Expires . . . . . . . . . . : Friday, December 10, 2010 8:04:32 PM
Default Gateway . . . . . . . . . : 192.168.0.1
DHCP Server . . . . . . . . . . . : 192.168.0.1
DHCPv6 IAID . . . . . . . . . . . : 369107632
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-0F-50-D5-37-00-1E-8C-DF-4C-D2
DNS Servers . . . . . . . . . . . : 192.168.0.1
NetBIOS over Tcpip. . . . . . . . : Disabled

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : NVIDIA nForce 10/100 Mbps Ethernet
Physical Address. . . . . . . . . : 00-1E-8C-DF-4C-D2
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 6:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 02-00-54-55-4E-01
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 7:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.{41E7EF4E-AE8B-4523-98B9-5446262A649B}
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 9:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : 6TO4 Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 12:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft 6to4 Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 13:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 19:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.ok.shawcable.net
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 21:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.ok.shawcable.net
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 23:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.ok.shawcable.net
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Server: UnKnown
Address: 192.168.0.1

Name: google.com
Addresses: 72.14.213.105
72.14.213.147
72.14.213.104
72.14.213.99
72.14.213.103
72.14.213.106

Server: UnKnown
Address: 192.168.0.1

Name: yahoo.com
Addresses: 67.195.160.76
72.30.2.43
98.137.149.56
209.191.122.70
69.147.125.65



Pinging google.com [72.14.213.106] with 32 bytes of data:

Reply from 72.14.213.106: bytes=32 time=26ms TTL=53

Reply from 72.14.213.106: bytes=32 time=29ms TTL=53



Ping statistics for 72.14.213.106:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 26ms, Maximum = 29ms, Average = 27ms



Pinging yahoo.com [209.191.122.70] with 32 bytes of data:

Reply from 209.191.122.70: bytes=32 time=91ms TTL=53

Reply from 209.191.122.70: bytes=32 time=83ms TTL=53



Ping statistics for 209.191.122.70:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 83ms, Maximum = 91ms, Average = 87ms

===========================================================================
Interface List
15 ...00 22 b0 73 f5 44 ...... D-Link DWA-130 Wireless N USB Adapter(rev.C)
8 ...00 1e 8c df 4c d2 ...... NVIDIA nForce 10/100 Mbps Ethernet
1 ........................... Software Loopback Interface 1
9 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
17 ...00 00 00 00 00 00 00 e0 isatap.{41E7EF4E-AE8B-4523-98B9-5446262A649B}
12 ...00 00 00 00 00 00 00 e0 6TO4 Adapter
13 ...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter #2
16 ...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
24 ...00 00 00 00 00 00 00 e0 isatap.ok.shawcable.net
23 ...00 00 00 00 00 00 00 e0 isatap.ok.shawcable.net
26 ...00 00 00 00 00 00 00 e0 isatap.ok.shawcable.net
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.100 30
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.0.0 255.255.255.0 On-link 192.168.0.100 286
192.168.0.100 255.255.255.255 On-link 192.168.0.100 286
192.168.0.255 255.255.255.255 On-link 192.168.0.100 286
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.0.100 286
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.0.100 286
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 306 ::1/128 On-link
15 286 fe80::/64 On-link
15 286 fe80::a521:d965:172f:91a0/128
On-link
1 306 ff00::/8 On-link
15 286 ff00::/8 On-link
===========================================================================
Persistent Routes:
None

#12 gringo_pr (Bleepin Gringo, Malware Response Team, Puerto Rico)

Posted 03 December 2010 - 11:28 PM

Hello

:P2P Warning!:

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur.
Once upon a time, P2P file sharing was fairly safe. That is no longer true. P2P programs form a direct conduit on to your computer, their security measures are easily circumvented and malware writers are increasingly exploiting them to spread their wares on to your computer. Further to that, if your P2P program is not configured correctly, your computer may be sharing more files than you realise. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to a file sharing network by a badly configured program.

Please read these short reports on the dangers of peer-2-peer programs and file sharing.

FBI Cyber Education Letter
File sharing infects 500,000 computers
USAToday
infoworld


These logs are looking a lot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs

1. click on start
2. then go to settings
3. after that you need control panel
4. look for the icon add/remove programs
click on the following programs

Java™ 6 Update 13

and click on remove

Clear your Java Cache

  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      Applications and Applets
      Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.

TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo


#13 bunny_fish

bunny_fish
  • Topic Starter

  • Members
  • 32 posts
  • Gender:Female

Posted 04 December 2010 - 12:50 AM

the java wouldn't uninstall, everything else the same : [



Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 6.0.6002 Service Pack 2 (Safe Mode)
Internet Explorer 8.0.6001.18975

12/3/2010 9:37:34 PM
mbam-log-2010-12-03 (21-37-34).txt

Scan type: Quick scan
Objects scanned: 132914
Time elapsed: 6 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:49:35 PM, on 12/3/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18975)
Boot mode: Normal

Running processes:
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\D-Link\DWA-130\AirNCFG.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Windows\system32\msfeedssync.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\WTablet\Pen_TabletUser.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\hp\kbd\kbd.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5612.1312\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KbdStub.EXE
O4 - HKLM\..\Run: [OsdMaestro] "C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [D-Link D-Link Wireless N DWA-130] C:\Program Files\D-Link\DWA-130\AirNCFG.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AdobeAAMUpdater-1.0] "C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
O4 - HKLM\..\Run: [SwitchBoard] C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O4 - HKLM\..\Run: [AdobeCS5ServiceManager] "C:\Program Files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
O16 - DPF: {44990B00-3C9D-426D-81DF-AAB636FA4345} (Symantec Configuration Class) - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlcm.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/pr01/resources/VistaMSNPUplden-ca.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/VistaMSNPUplden-ca.cab
O16 - DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} (Image Uploader Control) - http://cdnimg.piczo.com/images/uploader/piczo_fast_uploader.cab
O23 - Service: ANIWConn Service (ANIWConnService) - Unknown owner - C:\Windows\system32\ANIWConnService.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: SwitchBoard - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O23 - Service: TabletServicePen - Wacom Technology, Corp. - C:\Windows\system32\Pen_Tablet.exe
O23 - Service: TipCtrl - Utipu inc. - C:\Program Files\uTIPu\TipCtrl.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 8621 bytes
i <3 eggnog

#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 04 December 2010 - 01:27 AM

Greetings

These logs are looking very good; we are almost done!!! Just one more scan to go.

:Remove unneeded startup entries:

This part of the fix is purely optional.
These are programs that start up when you turn on your computer but don't need to; you can start any of them from their icons (or from the Control Panel) when you need them. By stopping these programs you will boot up faster and your computer will work faster.

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    • O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
      O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
      O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
      O4 - HKLM\..\Run: [AdobeAAMUpdater-1.0] "C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
      O4 - HKLM\..\Run: [SwitchBoard] C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
      O4 - HKLM\..\Run: [AdobeCS5ServiceManager] "C:\Program Files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin
      O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
      O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
      O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
      O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
      O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

    NOTE** You can research each of those lines >here< and see if you want to keep them or not:
    just copy the name between the brackets and paste it into the search space, for example:
    O4 - HKLM\..\Run: [IntelliPoint]


Eset Online Scanner

**Note** You will need to use Internet Explorer for this scan. Vista and Win 7: right click on the IE shortcut and run as admin.

Go to the Eset web page to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the ActiveX control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
    Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic

Gringo
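As an added example, not part of this thread and not code from HijackThis or any other tool named here: a small Python script that reads O2/O4/O23 lines in the format of the log posted above and marks the kind of entry a reviewer looks at when deciding which startup items to keep. It flags an orphaned entry whose file is gone, a Run entry that gives only a bare file name (found through the search path), an autostart outside Program Files or Windows, a service with no recorded vendor, and a rundll32 entry whose real payload is the DLL in its argument. The sample lines are copied from bunny_fish's log; the note texts and the "expected root" folders are this example's own choices, not anything HijackThis itself reports.

```python
"""Parse HijackThis-style O2/O4/O23 lines and attach review notes.

Added example for this thread, not part of HijackThis. The sample lines
below are copied from the HijackThis log posted earlier in the thread.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

SAMPLE_LOG = r"""
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KbdStub.EXE
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O23 - Service: ANIWConn Service (ANIWConnService) - Unknown owner - C:\Windows\system32\ANIWConnService.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<vendor>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")

MISSING_MARKERS = ("(no file)", "(file missing)")
# Folders where the autostarts in this log are expected to live (example's own choice).
EXPECTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


@dataclass
class Entry:
    kind: str                 # "O2", "O4" or "O23"
    name: str                 # BHO name, Run value name, or service display name
    target: str               # file the entry points at (path or bare file name)
    notes: list = field(default_factory=list)


def executable_from_command(cmd: str) -> str:
    """Return the program a Run-key command launches, without its arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def parse_line(line: str) -> Optional[Entry]:
    """Turn one O2/O4/O23 line into an Entry; other line types return None."""
    line = line.rstrip()
    if m := O2_RE.match(line):
        return Entry("O2", m["name"], m["path"])
    if m := O4_RE.match(line):
        cmd = m["cmd"]
        exe = executable_from_command(cmd)
        entry = Entry("O4", m["name"], exe)
        if exe.lower().endswith("rundll32.exe"):
            # rundll32 only hosts code: the DLL named in its argument is what runs.
            dll_arg = cmd.split(None, 1)[1] if " " in cmd else ""
            entry.target = dll_arg.split(",", 1)[0].strip()
            entry.notes.append("hosted by rundll32: the DLL is what actually runs")
        return entry
    if m := O23_RE.match(line):
        entry = Entry("O23", m["display"], m["path"])
        if m["missing"]:
            entry.target += " (file missing)"
        if m["vendor"] == "Unknown owner":
            entry.notes.append("no vendor recorded for this service")
        return entry
    return None


def assess(entry: Entry) -> Entry:
    """Add notes for missing targets, bare file names and unusual locations."""
    low = entry.target.lower()
    if any(marker in low for marker in MISSING_MARKERS):
        entry.notes.append("target missing: orphaned entry")
        return entry
    if not re.match(r"^[a-z]:\\", low):
        entry.notes.append("bare file name, resolved through the search path")
        return entry
    if not low.startswith(EXPECTED_ROOTS):
        entry.notes.append("outside Program Files / Windows: check the publisher")
    return entry


def review(log_text: str) -> list:
    """Parse every recognised line and attach review notes."""
    parsed = (parse_line(line) for line in log_text.splitlines())
    return [assess(e) for e in parsed if e is not None]


def flagged(log_text: str) -> dict:
    """Map entry name -> notes for entries that received at least one note."""
    return {e.name: e.notes for e in review(log_text) if e.notes}


if __name__ == "__main__":
    for e in review(SAMPLE_LOG):
        mark = "!" if e.notes else " "
        print(f"{mark} {e.kind:<3} {e.name:<40} {e.target}")
        for note in e.notes:
            print(f"      - {note}")
```

A note is a prompt to check the publisher or the research link in the post above, not a verdict: RtHDVCpl.exe, for instance, is marked only because its Run entry gives no folder, while the running-processes list in the same log shows it lives in C:\Windows.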

#15 bunny_fish

bunny_fish
  • Topic Starter

  • Members
  • 32 posts
  • Gender:Female

Posted 04 December 2010 - 01:52 AM

with the pc bsod'ing every 5 min, the scan doesn't finish : [



