
Google Redirects And Self Opening Tabs


This topic is locked
14 replies to this topic

#1 TuoDecaps
  • Members
  • 6 posts

Posted 26 November 2010 - 06:40 PM

Hello, I am new here. If anyone here could help me it would be so very much appreciated.

Anyway. I run Windows XP Home Professional. A couple of weeks ago I started getting redirects whenever I would search Google. At the time I only had AdAware and MalwareBytes. After I ran scans the redirects stopped for awhile but then came back intermittently. And just two days ago Firefox (My main browser, although it will do it in Chrome too.) started opening tabs by itself to uncloseable pages. And then everything would slow down, I would be unable to reboot or even shut down. Most of my programs would not open, and the color scheme of my system went from the default blue to what looked like a grey Windows 98 color scheme, with different buttons logos. So I ran two system restores, which did not fix the problem.

At this point I downloaded Microsoft Security Essentials. After I ran a scan with that and checked the history, it would find the same virus almost exactly every ten minutes. The virus is called DOS:Shetwirl Trojan. I tell Microsoft to clean/delete it, and it says successful. But then it finds it again very shortly after, usually within thirty seconds. At this point, I started searching for malware removal programs and downloaded IObit 360 Security, AVG 2011, and HijackThis. Although I do not know how HijackThis works.

None of them found anything, after they all ran complete scans. But the problems persist.

If anybody could help me I would be eternally grateful.

Edited by TuoDecaps, 26 November 2010 - 06:42 PM.


#2 teacup61
    Bleepin' Texan!
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 26 November 2010 - 07:24 PM

Hello TuoDecaps ,

Could you please go to the prep guide page listed in blue at the top of this page and get me a DDS scan? :) That would help tremendously. :thumbup2:

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#3 TuoDecaps
  • Topic Starter

Posted 26 November 2010 - 08:41 PM

The DDS thing won't run and bring up the notepads it's supposed to.

#4 teacup61

Posted 26 November 2010 - 08:52 PM

Okay....then let's try something else. :)


This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

If you have trouble running it the first time, then rename ComboFix.exe to SpacedOut.exe and try again.

Thanks,
tea

#5 TuoDecaps
  • Topic Starter

Posted 26 November 2010 - 09:49 PM

I ran ComboFix and it said it needed to restart because it found something. And then it bluescreened. And when I did reboot the system ComboFix wasn't running.

#6 teacup61

Posted 26 November 2010 - 10:34 PM

Look in C:\ComboFix.txt for the report. If there isn't one, then try to run it again. If it won't run, then rename it. If it still won't run, then run it in safe mode. I can't do a thing for you without some sort of report.

Thanks,
tea

#7 teacup61

Posted 04 December 2010 - 09:58 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic

#8 teacup61

Posted 12 December 2010 - 04:18 PM

Topic reopened. :)

#9 TuoDecaps
  • Topic Starter

Posted 12 December 2010 - 06:00 PM

K so here is the log.


ComboFix 10-12-09.04 - Pure Pwnage 12/10/2010 17:50:00.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2047.1645 [GMT -6:00]
Running from: c:\documents and settings\Pure Pwnage\Desktop\ComboFix.exe
AV: BluePoint Security *On-access scanning enabled* (Updated) {b9171357-d4e9-40f0-97ab-c13e6d5d03fd}
AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning disabled* (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\hwdrv.sys
c:\windows\system32\srcr.dat
c:\windows\system32\Thumbs.db
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job

.
\\.\PhysicalDrive0 - Bootkit Whistler was found and disinfected
\\.\PhysicalDrive5 - Bootkit Whistler was found and disinfected
\\.\PhysicalDrive6 - Bootkit Whistler was found and disinfected
\\.\PhysicalDrive7 - Bootkit Whistler was found and disinfected
\\.\PhysicalDrive8 - Bootkit Whistler was found and disinfected
\\.\PhysicalDrive9 - Bootkit Whistler was found and disinfected
.
\\.\PhysicalDrive0 - Bootkit Whistler was found and disinfected
\\.\PhysicalDrive5 - Bootkit Whistler was found and disinfected
\\.\PhysicalDrive6 - Bootkit Whistler was found and disinfected
\\.\PhysicalDrive7 - Bootkit Whistler was found and disinfected
\\.\PhysicalDrive8 - Bootkit Whistler was found and disinfected
\\.\PhysicalDrive9 - Bootkit Whistler was found and disinfected
.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_H8SRTD.SYS


((((((((((((((((((((((((( Files Created from 2010-11-11 to 2010-12-11 )))))))))))))))))))))))))))))))
.

2010-12-11 00:15 . 2010-12-11 00:15 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-12-10 11:46 . 2010-12-10 11:46 -------- d-----w- c:\windows\system32\wbem\Repository
2010-12-10 07:58 . 2010-12-10 07:58 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-11-30 10:37 . 2010-11-30 10:37 -------- d-----w- c:\documents and settings\Pure Pwnage\Application Data\MAGIX
2010-11-30 10:37 . 2010-11-30 10:37 -------- d-----w- c:\documents and settings\Pure Pwnage\Local Settings\Application Data\Xara
2010-11-30 10:37 . 2010-11-30 10:37 -------- d-----w- c:\program files\WMV9_VCM
2010-11-30 10:37 . 2010-11-30 10:37 -------- d-----w- c:\program files\Common Files\MAGIX Shared
2010-11-30 10:36 . 2010-11-30 10:37 -------- d-----w- c:\documents and settings\All Users\Application Data\MAGIX
2010-11-30 10:36 . 2010-11-30 10:36 -------- d-----w- c:\program files\MAGIX
2010-11-30 10:36 . 2007-04-27 16:43 120200 ----a-w- c:\windows\system32\DLLDEV32i.dll
2010-11-30 10:36 . 2010-11-30 10:41 -------- d-----w- c:\windows\system32\MAGIX
2010-11-30 10:36 . 2008-04-15 22:14 700416 ----a-w- c:\windows\system32\mgxoschk.dll
2010-11-29 10:26 . 2010-11-29 10:26 -------- d-----w- c:\documents and settings\Pure Pwnage\Application Data\Red Kawa
2010-11-29 10:21 . 2010-11-29 10:21 -------- d-----w- c:\documents and settings\Pure Pwnage\Local Settings\Application Data\Geckofx
2010-11-29 10:20 . 2010-11-29 10:20 -------- d-----w- c:\program files\AviSynth 2.5
2010-11-29 10:20 . 2010-11-29 10:20 -------- d-----w- c:\program files\Red Kawa
2010-11-29 10:14 . 2010-11-29 10:14 -------- d-----w- c:\documents and settings\NetworkService\Application Data\DivX
2010-11-27 03:01 . 2010-11-27 03:12 -------- d-----w- c:\windows\system32\CatRoot_bak
2010-11-27 02:58 . 2008-06-13 13:10 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-11-27 02:56 . 2009-11-21 16:36 470528 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-11-27 02:56 . 2010-06-14 14:30 743936 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-11-27 02:54 . 2009-06-21 22:04 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2010-11-27 02:53 . 2009-10-23 14:27 3555328 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-11-27 02:52 . 2008-05-01 14:30 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
2010-11-27 02:51 . 2009-06-05 07:42 655872 -c----w- c:\windows\system32\dllcache\mstscax.dll
2010-11-27 02:49 . 2008-04-21 10:02 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2010-11-26 20:08 . 2010-11-26 20:08 -------- d-----w- c:\documents and settings\Pure Pwnage\Application Data\AVG10
2010-11-26 20:07 . 2010-11-26 20:07 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2010-11-26 20:06 . 2010-11-27 02:21 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
2010-11-26 19:48 . 2010-11-26 20:06 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2010-11-26 19:27 . 2010-11-26 19:27 -------- d-----w- c:\documents and settings\Pure Pwnage\Application Data\IObit
2010-11-26 19:27 . 2010-11-26 19:27 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2010-11-26 19:26 . 2010-11-26 19:26 -------- d-----w- c:\program files\IObit
2010-11-25 13:50 . 2010-11-25 13:50 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2010-11-25 08:33 . 2010-09-15 10:50 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2010-11-25 08:33 . 2010-09-15 10:50 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-25 08:22 . 2010-11-25 08:22 -------- d-----w- c:\documents and settings\Pure Pwnage\Application Data\LimeWire
2010-11-24 14:22 . 2010-11-24 14:22 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-11-11 22:13 . 2010-11-25 08:20 -------- d-----w- c:\documents and settings\Pure Pwnage\Application Data\FrostWire
2010-11-11 22:12 . 2010-11-25 08:20 -------- d-----w- c:\program files\FrostWire

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-10 12:58 . 2010-07-30 21:59 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-11-25 13:22 . 2010-07-20 04:20 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-09-15 08:29 . 2007-06-22 03:42 73728 ----a-w- c:\windows\system32\javacpl.cpl
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-11-13 323392]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-17 3872080]
"Google Update"="c:\documents and settings\Pure Pwnage\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-09-17 133104]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 52\AxAutoMntSrv.exe" [2009-11-15 33120]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"SansaDispatch"="c:\documents and settings\Pure Pwnage\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe" [2010-10-28 79872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"3c1807pd"="c:\windows\SYSTEM32\3cmlink.exe RunServices \Device\3cpipe-3c1807pd" [X]
"TkBellExe"="realsched.exe -osboot" [X]
"SoundMan"="SOUNDMAN.EXE" [2004-05-14 67072]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2005-03-23 217088]
"C-Media Mixer"="Mixer.exe" [2002-04-29 1433600]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-04-17 196608]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-04-13 69632]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-08-13 1657376]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-17 13877248]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-08-17 86016]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2010-07-12 74752]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Belkin Wireless USB Utility.lnk - c:\program files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe [2005-10-28 1404928]
forteManager.lnk - c:\program files\LG Soft India\forteManager\bin\Monitor.exe [2009-7-24 1687552]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-5-29 813584]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 18:28 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Amazon Unbox.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Amazon Unbox.lnk
backup=c:\windows\pss\Amazon Unbox.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Belkin Wireless USB Utility.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Belkin Wireless USB Utility.lnk
backup=c:\windows\pss\Belkin Wireless USB Utility.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Pure Pwnage^Start Menu^Programs^Startup^OpenOffice.org 2.3.lnk]
path=c:\documents and settings\Pure Pwnage\Start Menu\Programs\Startup\OpenOffice.org 2.3.lnk
backup=c:\windows\pss\OpenOffice.org 2.3.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
2007-03-01 05:06 2321600 ----a-w- c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-08-04 07:56 1667584 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2006-03-30 22:45 313472 ----a-r- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"IDriverT"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Documents and Settings\\Pure Pwnage\\Local Settings\\Apps\\2.0\\BVPQ7OG6.9H9\\3Q4NQ20T.ARO\\curs..tion_eee711038731a406_0004.0000_152ef8e82e8f5a48\\CurseClient.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Documents and Settings\\Pure Pwnage\\Desktop\\Games\\PC Games Age of Mythology- Full Version (2)\\aom.exe"=
"c:\\Documents and Settings\\Pure Pwnage\\Desktop\\Games\\empire earth\\Empire Earth.exe"=
"c:\\Documents and Settings\\Pure Pwnage\\Desktop\\Games\\nintendo stuff\\RockNESX.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\Age Of Empires 2 & The Conquerors Expansion - Full Game\\age2_x1.exe"=
"c:\\Documents and Settings\\Pure Pwnage\\Desktop\\Games\\PC Games Age of Mythology- Full Version (2)\\aomx.exe"=
"c:\\Program Files\\TmNationsForever\\TmForever.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Turbine\\The Lord of the Rings Online\\lotroclient.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"43594:TCP"= 43594:TCP:a
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"56079:TCP"= 56079:TCP:Pando Media Booster
"56079:UDP"= 56079:UDP:Pando Media Booster
"57904:TCP"= 57904:TCP:Pando Media Booster
"57904:UDP"= 57904:UDP:Pando Media Booster

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [7/19/2010 10:20 PM 64288]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [7/27/2010 11:53 PM 697328]
R0 uGuru;uGuru;c:\windows\system32\drivers\uGuru.SYS [5/12/2007 8:28 AM 10752]
R2 IS360service;IS360service;c:\program files\IObit\IObit Security 360\is360srv.exe [11/26/2010 1:27 PM 312152]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/12/2010 2:55 AM 1389400]
R3 LGDDCDevice;LGDDCDevice;c:\program files\LG Soft India\forteManager\bin\I2CDriver.sys [7/24/2009 9:45 PM 14336]
S2 BluePoint Personal Edition;BluePoint Personal Edition;"c:\program files\BluePoint Security\BluePoint Personal\bp.exe" --> c:\program files\BluePoint Security\BluePoint Personal\bp.exe [?]
S2 wmcmgc;Windows Management Configuration;c:\windows\System32\svchost.exe -k netsvcs [4/21/2003 6:00 AM 14336]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\progra~1\Belkin\BELKIN~1.11G\DNINDIS5.SYS [6/2/2009 11:20 AM 17149]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [8/12/2010 10:26 PM 15264]
S3 LGII2CDevice;LGII2CDevice;c:\program files\LG Soft India\forteManager\bin\PII2CDriver.sys [7/24/2009 9:45 PM 18432]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys --> c:\windows\system32\DRIVERS\motccgp.sys [?]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [5/31/2008 4:23 PM 7680]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\DRIVERS\motport.sys --> c:\windows\system32\DRIVERS\motport.sys [?]
S3 XDva020;XDva020;\??\c:\windows\System32\XDva020.sys --> c:\windows\System32\XDva020.sys [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
wmcmgc
.
Contents of the 'Scheduled Tasks' folder

2010-12-11 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-07-12 12:57]

2010-12-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:34]

2010-12-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1659004503-776561741-682003330-1004Core.job
- c:\documents and settings\Pure Pwnage\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-17 07:14]

2010-12-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1659004503-776561741-682003330-1004UA.job
- c:\documents and settings\Pure Pwnage\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-17 07:14]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.att.net
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Pure Pwnage\Start Menu\Programs\IMVU\Run IMVU.lnk
Trusted Zone: 0.0.0.0
Trusted Zone: motive.com\patttbc.att
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Pure Pwnage\Application Data\Mozilla\Firefox\Profiles\2stjjku7.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1640187&SearchSource=3&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101757&gct=&gc=1&q=
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\documents and settings\Pure Pwnage\Local Settings\Application Data\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nppopcaploader.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll
FF - plugin: c:\program files\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: XULRunner: {919F3820-EA31-4FE5-BC9F-D0005390A2DF} - c:\documents and settings\Pure Pwnage\Local Settings\Application Data\{919F3820-EA31-4FE5-BC9F-D0005390A2DF}\
FF - Extension: Gradient iCool: {de5809e0-2b07-11dd-bd0b-0800200c9a66} - c:\documents and settings\Pure Pwnage\Application Data\Mozilla\Firefox\Profiles\2stjjku7.default\extensions\{de5809e0-2b07-11dd-bd0b-0800200c9a66}
FF - Extension: AmbientFox: {c8f71e5b-88f8-42a7-98bb-e4c506161de9} - c:\documents and settings\Pure Pwnage\Application Data\Mozilla\Firefox\Profiles\2stjjku7.default\extensions\{c8f71e5b-88f8-42a7-98bb-e4c506161de9}
FF - Extension: Green Fox: {d122ad80-ff45-11dd-87af-0800200c9a66} - c:\documents and settings\Pure Pwnage\Application Data\Mozilla\Firefox\Profiles\2stjjku7.default\extensions\{d122ad80-ff45-11dd-87af-0800200c9a66}
FF - Extension: Blue Fox: {241aae70-0022-11de-87af-0800200c9a66} - c:\documents and settings\Pure Pwnage\Application Data\Mozilla\Firefox\Profiles\2stjjku7.default\extensions\{241aae70-0022-11de-87af-0800200c9a66}
FF - Extension: ChatZilla: {59c81df5-4b7a-477b-912d-4e0fdf64e5f2} - c:\documents and settings\Pure Pwnage\Application Data\Mozilla\Firefox\Profiles\2stjjku7.default\extensions\{59c81df5-4b7a-477b-912d-4e0fdf64e5f2}
FF - Extension: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - c:\documents and settings\Pure Pwnage\Application Data\Mozilla\Firefox\Profiles\2stjjku7.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Extension: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - c:\documents and settings\Pure Pwnage\Application Data\Mozilla\Firefox\Profiles\2stjjku7.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Extension: XULRunner: {919F3820-EA31-4FE5-BC9F-D0005390A2DF} - c:\documents and settings\Pure Pwnage\Local Settings\Application Data\{919F3820-EA31-4FE5-BC9F-D0005390A2DF}
.
- - - - ORPHANS REMOVED - - - -

BHO-{201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\AskBarDis\bar\bin\askBar.dll
Toolbar-{3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\AskBarDis\bar\bin\askBar.dll
WebBrowser-{3041D03E-FD4B-44E0-B742-2D9B88305F98} - c:\program files\AskBarDis\bar\bin\askBar.dll
HKCU-Run-Wtumucafuvah - c:\windows\SECDME.dll
HKLM-Run-USRpdA - (no file)
HKLM-Run-ATT-SST_McciTrayApp - c:\program files\ATT-SST\McciTrayApp.exe
HKLM-Run-BluePoint Personal Edition - c:\program files\BluePoint Security\BluePoint Personal\bluepoint.exe
HKLM-Run-Xweqosuyeg - c:\windows\isoxigot.dll
MSConfigStartUp-ares - c:\program files\Ares\Ares.exe
MSConfigStartUp-AVG7_CC - c:\progra~1\Grisoft\AVG7\avgcc.exe
AddRemove-Porrasturvat - Stair Dismount - s:\porrasturvat - stair dismount\uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-10 18:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SansaDispatch = c:\documents and settings\Pure Pwnage\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe?ansaDispatch_1_009.txt%26mime-content-type%3dtext%252fplain%26creation-date%3d2009-3-23%252020.

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: HDS722516VLAT20 rev.V34OA6EA -> Harddisk0\DR0 -> \Device\Ide\IdePort1 P1T0L0-17

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A61D555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a6237b0]; MOV EAX, [0x8a62382c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EE00A] -> \Device\Harddisk0\DR0[0x8A62CAB8]
3 CLASSPNP[0xB80E905B] -> ntkrnlpa!IofCallDriver[0x804EE00A] -> \Device\00000069[0x8A6BF9E8]
5 ACPI[0xB7E6E620] -> ntkrnlpa!IofCallDriver[0x804EE00A] -> [0x8A62DD98]
\Driver\atapi[0x8A62F820] -> IRP_MJ_CREATE -> 0x8A61D555
kernel: MBR read successfully
_asm { XOR AX, AX; MOV DS, AX; MOV ES, AX; MOV SS, AX; MOV SP, 0x7c00; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x80; NOP ; NOP ; CLD ; REP MOVSD ; NOP ; JMP FAR 0x0:0x620; }
detected disk devices:
\Device\Ide\IdeDeviceP1T0L0-17 -> \??\IDE#DiskHDS722516VLAT20_________________________V34OA6EA#5&2f64448a&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A61D39B
\Driver\atapi -> 0x8a7561f8
user & kernel MBR OK
copy of MBR has been found in sector 9 !
Warning: possible TDL3 rootkit infection !

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1659004503-776561741-682003330-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(688)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(2952)
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\nvsvc32.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\program files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\windows\System32\wbem\unsecapp.exe
c:\windows\SOUNDMAN.EXE
c:\windows\Mixer.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
c:\program files\Windows Live\Contacts\wlcomm.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2010-12-10 18:35:09 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-11 00:35

Pre-Run: 94,461,325,312 bytes free
Post-Run: 95,151,996,928 bytes free

- - End Of File - - C4B2858FDBF6FB0CE87E8366AF32D8DD

#10 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 12 December 2010 - 06:31 PM

Woweee! No wonder you had problems! :blink:

Since it's been quite a while, let's do this again:

Uninstall ComboFix by doing the following :

Click Start > Run > type in, or copy and paste, ComboFix /Uninstall > click OK


This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. YOU MUST UNINSTALL AVG FOR THIS TO RUN.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

If you have trouble running it the first time, then rename ComboFix.exe to spacedout.exe and try again.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#11 TuoDecaps

  • Topic Starter
  • Members
  • 6 posts

Posted 12 December 2010 - 08:05 PM

K, here is the new log.

ComboFix 10-12-11.06 - Pure Pwnage 12/12/2010 18:41:12.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2047.1619 [GMT -6:00]
Running from: c:\documents and settings\Pure Pwnage\Desktop\spacedout.exe
AV: BluePoint Security *Enabled/Updated* {b9171357-d4e9-40f0-97ab-c13e6d5d03fd}
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
\\.\PhysicalDrive0 - Bootkit Whistler was found and disinfected
\\.\PhysicalDrive5 - Bootkit Whistler was found and disinfected
\\.\PhysicalDrive6 - Bootkit Whistler was found and disinfected
\\.\PhysicalDrive7 - Bootkit Whistler was found and disinfected
\\.\PhysicalDrive8 - Bootkit Whistler was found and disinfected
\\.\PhysicalDrive9 - Bootkit Whistler was found and disinfected
.
\\.\PhysicalDrive0 - Bootkit Whistler was found and disinfected
\\.\PhysicalDrive5 - Bootkit Whistler was found and disinfected
\\.\PhysicalDrive6 - Bootkit Whistler was found and disinfected
\\.\PhysicalDrive7 - Bootkit Whistler was found and disinfected
\\.\PhysicalDrive8 - Bootkit Whistler was found and disinfected
\\.\PhysicalDrive9 - Bootkit Whistler was found and disinfected
.
((((((((((((((((((((((((( Files Created from 2010-11-13 to 2010-12-13 )))))))))))))))))))))))))))))))
.

2010-12-11 12:15 . 2010-12-11 12:15 -------- d-s---w- c:\documents and settings\LocalService\UserData
2010-12-11 00:15 . 2010-12-11 02:07 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-12-10 11:46 . 2010-12-10 11:46 -------- d-----w- c:\windows\system32\wbem\Repository
2010-12-10 07:58 . 2010-12-10 07:58 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-11-30 10:37 . 2010-11-30 10:37 -------- d-----w- c:\documents and settings\Pure Pwnage\Application Data\MAGIX
2010-11-30 10:37 . 2010-11-30 10:37 -------- d-----w- c:\documents and settings\Pure Pwnage\Local Settings\Application Data\Xara
2010-11-30 10:37 . 2010-11-30 10:37 -------- d-----w- c:\program files\WMV9_VCM
2010-11-30 10:37 . 2010-11-30 10:37 -------- d-----w- c:\program files\Common Files\MAGIX Shared
2010-11-30 10:36 . 2010-11-30 10:37 -------- d-----w- c:\documents and settings\All Users\Application Data\MAGIX
2010-11-30 10:36 . 2010-11-30 10:36 -------- d-----w- c:\program files\MAGIX
2010-11-30 10:36 . 2007-04-27 16:43 120200 ----a-w- c:\windows\system32\DLLDEV32i.dll
2010-11-30 10:36 . 2010-11-30 10:41 -------- d-----w- c:\windows\system32\MAGIX
2010-11-30 10:36 . 2008-04-15 22:14 700416 ----a-w- c:\windows\system32\mgxoschk.dll
2010-11-29 10:26 . 2010-11-29 10:26 -------- d-----w- c:\documents and settings\Pure Pwnage\Application Data\Red Kawa
2010-11-29 10:21 . 2010-11-29 10:21 -------- d-----w- c:\documents and settings\Pure Pwnage\Local Settings\Application Data\Geckofx
2010-11-29 10:20 . 2010-11-29 10:20 -------- d-----w- c:\program files\AviSynth 2.5
2010-11-29 10:20 . 2010-11-29 10:20 -------- d-----w- c:\program files\Red Kawa
2010-11-29 10:14 . 2010-11-29 10:14 -------- d-----w- c:\documents and settings\NetworkService\Application Data\DivX
2010-11-27 03:01 . 2010-11-27 03:12 -------- d-----w- c:\windows\system32\CatRoot_bak
2010-11-27 02:58 . 2008-06-13 13:10 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-11-27 02:56 . 2009-11-21 16:36 470528 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-11-27 02:56 . 2010-06-14 14:30 743936 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-11-27 02:54 . 2009-06-21 22:04 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2010-11-27 02:53 . 2009-10-23 14:27 3555328 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-11-27 02:52 . 2008-05-01 14:30 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
2010-11-27 02:51 . 2009-06-05 07:42 655872 -c----w- c:\windows\system32\dllcache\mstscax.dll
2010-11-27 02:49 . 2008-04-21 10:02 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2010-11-26 20:08 . 2010-11-26 20:08 -------- d-----w- c:\documents and settings\Pure Pwnage\Application Data\AVG10
2010-11-26 20:07 . 2010-11-26 20:07 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2010-11-26 20:06 . 2010-11-27 02:21 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
2010-11-26 19:48 . 2010-11-26 20:06 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2010-11-26 19:27 . 2010-11-26 19:27 -------- d-----w- c:\documents and settings\Pure Pwnage\Application Data\IObit
2010-11-26 19:27 . 2010-11-26 19:27 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2010-11-26 19:26 . 2010-11-26 19:26 -------- d-----w- c:\program files\IObit
2010-11-25 13:50 . 2010-11-25 13:50 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2010-11-25 08:33 . 2010-09-15 10:50 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2010-11-25 08:33 . 2010-09-15 10:50 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-25 08:22 . 2010-11-25 08:22 -------- d-----w- c:\documents and settings\Pure Pwnage\Application Data\LimeWire
2010-11-24 14:22 . 2010-11-24 14:22 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-10 12:58 . 2010-07-30 21:59 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-11-25 13:22 . 2010-07-20 04:20 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-09-15 08:29 . 2007-06-22 03:42 73728 ----a-w- c:\windows\system32\javacpl.cpl
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-11-13 323392]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-17 3872080]
"Google Update"="c:\documents and settings\Pure Pwnage\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-09-17 133104]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"SansaDispatch"="c:\documents and settings\Pure Pwnage\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe" [2010-10-28 79872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"3c1807pd"="c:\windows\SYSTEM32\3cmlink.exe RunServices \Device\3cpipe-3c1807pd" [X]
"TkBellExe"="realsched.exe -osboot" [X]
"SoundMan"="SOUNDMAN.EXE" [2004-05-14 67072]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2005-03-23 217088]
"C-Media Mixer"="Mixer.exe" [2002-04-29 1433600]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-04-17 196608]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-04-13 69632]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-08-13 1657376]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-17 13877248]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-08-17 86016]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2010-07-12 74752]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Belkin Wireless USB Utility.lnk - c:\program files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe [2005-10-28 1404928]
forteManager.lnk - c:\program files\LG Soft India\forteManager\bin\Monitor.exe [2009-7-24 1687552]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-5-29 813584]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 18:28 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Amazon Unbox.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Amazon Unbox.lnk
backup=c:\windows\pss\Amazon Unbox.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Belkin Wireless USB Utility.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Belkin Wireless USB Utility.lnk
backup=c:\windows\pss\Belkin Wireless USB Utility.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Pure Pwnage^Start Menu^Programs^Startup^OpenOffice.org 2.3.lnk]
path=c:\documents and settings\Pure Pwnage\Start Menu\Programs\Startup\OpenOffice.org 2.3.lnk
backup=c:\windows\pss\OpenOffice.org 2.3.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
2007-03-01 05:06 2321600 ----a-w- c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-08-04 07:56 1667584 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2006-03-30 22:45 313472 ----a-r- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"IDriverT"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Documents and Settings\\Pure Pwnage\\Local Settings\\Apps\\2.0\\BVPQ7OG6.9H9\\3Q4NQ20T.ARO\\curs..tion_eee711038731a406_0004.0000_152ef8e82e8f5a48\\CurseClient.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Documents and Settings\\Pure Pwnage\\Desktop\\Games\\PC Games Age of Mythology- Full Version (2)\\aom.exe"=
"c:\\Documents and Settings\\Pure Pwnage\\Desktop\\Games\\empire earth\\Empire Earth.exe"=
"c:\\Documents and Settings\\Pure Pwnage\\Desktop\\Games\\nintendo stuff\\RockNESX.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\Age Of Empires 2 & The Conquerors Expansion - Full Game\\age2_x1.exe"=
"c:\\Documents and Settings\\Pure Pwnage\\Desktop\\Games\\PC Games Age of Mythology- Full Version (2)\\aomx.exe"=
"c:\\Program Files\\TmNationsForever\\TmForever.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Turbine\\The Lord of the Rings Online\\lotroclient.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"43594:TCP"= 43594:TCP:a
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"56079:TCP"= 56079:TCP:Pando Media Booster
"56079:UDP"= 56079:UDP:Pando Media Booster
"57904:TCP"= 57904:TCP:Pando Media Booster
"57904:UDP"= 57904:UDP:Pando Media Booster

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [7/19/2010 10:20 PM 64288]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [7/27/2010 11:53 PM 697328]
R0 uGuru;uGuru;c:\windows\system32\drivers\uGuru.SYS [5/12/2007 8:28 AM 10752]
R2 IS360service;IS360service;c:\program files\IObit\IObit Security 360\is360srv.exe [11/26/2010 1:27 PM 312152]
R3 LGDDCDevice;LGDDCDevice;c:\program files\LG Soft India\forteManager\bin\I2CDriver.sys [7/24/2009 9:45 PM 14336]
S2 BluePoint Personal Edition;BluePoint Personal Edition;"c:\program files\BluePoint Security\BluePoint Personal\bp.exe" --> c:\program files\BluePoint Security\BluePoint Personal\bp.exe [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/12/2010 2:55 AM 1389400]
S2 wmcmgc;Windows Management Configuration;c:\windows\System32\svchost.exe -k netsvcs [4/21/2003 6:00 AM 14336]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\progra~1\Belkin\BELKIN~1.11G\DNINDIS5.SYS [6/2/2009 11:20 AM 17149]
S3 LGII2CDevice;LGII2CDevice;c:\program files\LG Soft India\forteManager\bin\PII2CDriver.sys [7/24/2009 9:45 PM 18432]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys --> c:\windows\system32\DRIVERS\motccgp.sys [?]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [5/31/2008 4:23 PM 7680]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\DRIVERS\motport.sys --> c:\windows\system32\DRIVERS\motport.sys [?]
S3 XDva020;XDva020;\??\c:\windows\System32\XDva020.sys --> c:\windows\System32\XDva020.sys [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - Lavasoft Kernexplorer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
wmcmgc
.
Contents of the 'Scheduled Tasks' folder

2010-12-13 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-07-12 12:57]

2010-12-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:34]

2010-12-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1659004503-776561741-682003330-1004Core.job
- c:\documents and settings\Pure Pwnage\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-17 07:14]

2010-12-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1659004503-776561741-682003330-1004UA.job
- c:\documents and settings\Pure Pwnage\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-17 07:14]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.att.net
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Pure Pwnage\Start Menu\Programs\IMVU\Run IMVU.lnk
Trusted Zone: 0.0.0.0
Trusted Zone: motive.com\patttbc.att
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Pure Pwnage\Application Data\Mozilla\Firefox\Profiles\2stjjku7.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1640187&SearchSource=3&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101757&gct=&gc=1&q=
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\documents and settings\Pure Pwnage\Local Settings\Application Data\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nppopcaploader.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll
FF - plugin: c:\program files\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - HiddenExt: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExt: XULRunner: {919F3820-EA31-4FE5-BC9F-D0005390A2DF} - c:\documents and settings\Pure Pwnage\Local Settings\Application Data\{919F3820-EA31-4FE5-BC9F-D0005390A2DF}\
FF - Ext: Gradient iCool: {de5809e0-2b07-11dd-bd0b-0800200c9a66} - c:\documents and settings\Pure Pwnage\Application Data\Mozilla\Firefox\Profiles\2stjjku7.default\extensions\{de5809e0-2b07-11dd-bd0b-0800200c9a66}
FF - Ext: AmbientFox: {c8f71e5b-88f8-42a7-98bb-e4c506161de9} - c:\documents and settings\Pure Pwnage\Application Data\Mozilla\Firefox\Profiles\2stjjku7.default\extensions\{c8f71e5b-88f8-42a7-98bb-e4c506161de9}
FF - Ext: Green Fox: {d122ad80-ff45-11dd-87af-0800200c9a66} - c:\documents and settings\Pure Pwnage\Application Data\Mozilla\Firefox\Profiles\2stjjku7.default\extensions\{d122ad80-ff45-11dd-87af-0800200c9a66}
FF - Ext: Blue Fox: {241aae70-0022-11de-87af-0800200c9a66} - c:\documents and settings\Pure Pwnage\Application Data\Mozilla\Firefox\Profiles\2stjjku7.default\extensions\{241aae70-0022-11de-87af-0800200c9a66}
FF - Ext: ChatZilla: {59c81df5-4b7a-477b-912d-4e0fdf64e5f2} - c:\documents and settings\Pure Pwnage\Application Data\Mozilla\Firefox\Profiles\2stjjku7.default\extensions\{59c81df5-4b7a-477b-912d-4e0fdf64e5f2}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - c:\documents and settings\Pure Pwnage\Application Data\Mozilla\Firefox\Profiles\2stjjku7.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - c:\documents and settings\Pure Pwnage\Application Data\Mozilla\Firefox\Profiles\2stjjku7.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: XULRunner: {919F3820-EA31-4FE5-BC9F-D0005390A2DF} - c:\documents and settings\Pure Pwnage\Local Settings\Application Data\{919F3820-EA31-4FE5-BC9F-D0005390A2DF}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-12 18:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SansaDispatch = c:\documents and settings\Pure Pwnage\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe?ansaDispatch_1_009.txt%26mime-content-type%3dtext%252fplain%26creation-date%3d2009-3-23%252020.

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: HDS722516VLAT20 rev.V34OA6EA -> Harddisk0\DR0 -> \Device\Ide\IdePort1 P1T0L0-17

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A641555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a6477b0]; MOV EAX, [0x8a64782c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EE00A] -> \Device\Harddisk0\DR0[0x8A6B4AB8]
3 CLASSPNP[0xB80E905B] -> ntkrnlpa!IofCallDriver[0x804EE00A] -> \Device\00000068[0x8A6BC9E8]
5 ACPI[0xB7E6E620] -> ntkrnlpa!IofCallDriver[0x804EE00A] -> [0x8A749D98]
\Driver\atapi[0x8A74A358] -> IRP_MJ_CREATE -> 0x8A641555
kernel: MBR read successfully
_asm { XOR AX, AX; MOV DS, AX; MOV ES, AX; MOV SS, AX; MOV SP, 0x7c00; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x80; NOP ; NOP ; CLD ; REP MOVSD ; NOP ; JMP FAR 0x0:0x620; }
detected disk devices:
\Device\Ide\IdeDeviceP1T0L0-17 -> \??\IDE#DiskHDS722516VLAT20_________________________V34OA6EA#5&2f64448a&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A64139B
\Driver\atapi -> 0x8a7561f8
user & kernel MBR OK
copy of MBR has been found in sector 9 !
Warning: possible TDL3 rootkit infection !

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1659004503-776561741-682003330-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(684)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(556)
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\nvsvc32.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\windows\SOUNDMAN.EXE
c:\windows\Mixer.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
.
**************************************************************************
.
Completion time: 2010-12-12 19:03:05 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-13 01:03
ComboFix2.txt 2010-12-11 00:35

Pre-Run: 94,974,222,336 bytes free
Post-Run: 95,158,988,800 bytes free

- - End Of File - - 66886379151AA03566A9C28F89F03809

#12 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 13 December 2010 - 03:56 PM

Hello,

Have you run MBAM recently? If not, please be sure it's updated and have a scan with it. :)

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.

Thanks,
tea

#13 TuoDecaps

  • Topic Starter
  • Members
  • 6 posts

Posted 17 December 2010 - 02:57 PM

As I thought about it I decided to just reinstall Windows. Thank you for all your help though.

#14 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 17 December 2010 - 07:23 PM

Hello there,

Thanks for letting me know. :thumbup2:

Take care,
tea

#15 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 27 December 2010 - 11:57 AM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



