Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Malware Problem


  • This topic is locked This topic is locked
30 replies to this topic

#1 hilus

hilus

  • Members
  • 69 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Portsmouth, NH
  • Local time:05:54 AM

Posted 02 December 2010 - 12:00 PM

Hi this is my first post so please pardon any errors. my computer recently was infected and I have I beleive been successfull in cleaning it out. I used ccleaner, Malwarebytes, Superantispyware, and spybot. However, Internet explorer keeps redirecting to ads sites. Here is my log from Highjackthis.

Thanks for any help you can give....


Logfile of HijackThis v1.99.1
Scan saved at 12:13:30 AM, on 4/15/2007
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Sony\Content Transfer\ContentTransferWMDetector.exe
C:\WINDOWS\ehome\RMSysTry.exe
C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\Program Files\RosettaStoneLtdServices\RosettaStoneLtdController.exe
C:\Program Files\RosettaStoneLtdServices\RosettaStoneLtdServer.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\msiexec.exe
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net?cid=021006
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=pavilion&pf=laptop
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [ContentTransferWMDetector.exe] C:\Program Files\Sony\Content Transfer\ContentTransferWMDetector.exe
O4 - Global Startup: Extender Resource Monitor.lnk = C:\WINDOWS\ehome\RMSysTry.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Comcast AntiSpyware (AntiSpywareService) - Unknown owner - C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RosettaStoneLtdController - Rosetta Stone Ltd. - C:\Program Files\RosettaStoneLtdServices\RosettaStoneLtdController.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

Hello,

My apologies for the disastrous initial post, it's what happens when you panic. As I messed that up sufficiently, I chose to start over and do this the correct way. I am presently attempting to clean an unknown infection from my spouses HP laptop. I believe I have done well so far, however the computer still seems to do things of its own accord. Furthermore, when using Internet Explorer it continuously redirects to AD pages. The initial cleaning performed are as follows; Scanned with Avira, Malware bytes, super antispyware, spybot S&D, and CCleaner. All of these scans were successful in removing several suspicious files. However, as stated things still don't seem to be right. Therefore, if I understood the instructions on posting correctly, I have per your instruction scanned and provided the results from DDS and GMer. Thank You for any help you may provide.




DDS (Ver_10-11-27.01) - NTFSx86
Run by at 12:26:40.51 on Fri 12/03/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_02
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.489 [GMT -5:00]


AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Sony\Content Transfer\ContentTransferWMDetector.exe
C:\WINDOWS\ehome\RMSysTry.exe
C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
svchost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\Program Files\RosettaStoneLtdServices\RosettaStoneLtdController.exe
C:\Program Files\RosettaStoneLtdServices\RosettaStoneLtdServer.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jason Devereaux\Desktop\dds.scr


============== Pseudo HJT Report ===============

uLocal Page = hxxp://www.google.com/
uStart Page = hxxp://www.comcast.net?cid=021006
uSearch Page = hxxp://www.google.com
mLocal Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=pavilion&pf=laptop
uSearchURL,(Default) = hxxp://www.google.com/
mSearchAssistant = hxxp://www.google.com/
mCustomizeSearch = hxxp://www.google.com/
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - No File
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10c.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [ContentTransferWMDetector.exe] c:\program files\sony\content transfer\ContentTransferWMDetector.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\extend~1.lnk - c:\windows\ehome\RMSysTry.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com


============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-12-3 11608]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-12-3 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-12-3 267944]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-12-3 60936]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\McrdSvc.exe [2005-10-20 96256]
R2 RosettaStoneLtdController;RosettaStoneLtdController;c:\program files\rosettastoneltdservices\RosettaStoneLtdController.exe [2008-9-16 352312]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-1-10 24652]
S3 AntiSpywareService;Comcast AntiSpyware;c:\program files\comcasttb\comcastspywarescan\ComcastAntiSpyService.exe [2009-6-17 616408]


=============== Created Last 30 ================

2010-12-03 06:05:41 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-12-03 06:05:40 -------- d-----w- c:\program files\Avira
2010-12-03 06:05:40 -------- d-----w- c:\docume~1\alluse~1\applic~1\Avira


==================== Find3M ====================


=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600

CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll iaStor.sys >>UNKNOWN [0x868138C6]<<
c:\windows\system32\drivers\iaStor.sys Intel Corporation Intel Matrix Storage Manager driver
_asm { PUSH EBP; MOV EBP, ESP; MOV EAX, [EBP+0xc]; MOV ECX, [EBP+0x8]; SUB ESP, 0xc; PUSH EBX; MOV EBX, [EAX+0x60]; MOV EAX, [0xffdf0308]; CMP ECX, [EAX+0xc]; PUSH ESI; PUSH EDI; MOV EDX, 0x204; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8714E030]
3 CLASSPNP[0xF74F2FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000082[0x87158A28]
5 ACPI[0xF7369620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Ide\IAAStorageDevice-0[0x86C4C030]
kernel: MBR read successfully
_asm { XOR DI, DI; MOV SI, 0x200; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV CX, SI; MOV DS, BX; MOV ES, BX; REP MOVSB ; JMP FAR 0x7a0:0x7a; }
user != kernel MBR !!!

============= FINISH: 12:28:05.45 ===============




GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-12-03 15:28:35
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\JASOND~1\LOCALS~1\Temp\kfroypoc.sys


---- System - GMER 1.0.15 ----

SSDT F7B873C6 ZwCreateKey
SSDT F7B873BC ZwCreateThread
SSDT F7B873CB ZwDeleteKey
SSDT F7B873D5 ZwDeleteValueKey
SSDT F7B873DA ZwLoadKey
SSDT F7B873A8 ZwOpenProcess
SSDT F7B873AD ZwOpenThread
SSDT F7B873E4 ZwReplaceKey
SSDT F7B873DF ZwRestoreKey
SSDT F7B873D0 ZwSetValueKey

---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\drivers\iaStor.sys entry point in ".rsrc" section [0xF72D3D00]
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB9B62360, 0x2212DD, 0xE8000020]
init C:\WINDOWS\system32\drivers\tifm21.sys entry point in "init" section [0xB99A1EBF]
? C:\DOCUME~1\JASOND~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[516] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2151FD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[516] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9521 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[516] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DCB69 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[516] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED3AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[516] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E2543F6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[516] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E3C10 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[516] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E3B42 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[516] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E3BAD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[516] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E3A13 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[516] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E3A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[516] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E3C73 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[516] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E3AD7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[516] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2ED408 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[516] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E3F78 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1184] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2151FD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1184] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9521 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1184] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DCB69 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1184] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED3AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1184] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E2543F6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1184] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E3C10 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1184] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E3B42 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1184] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E3BAD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1184] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E3A13 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1184] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E3A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1184] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E3C73 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1184] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E3AD7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1184] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2ED408 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1184] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E3F78 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1436] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2151FD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1436] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED3AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1436] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E3C10 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1436] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E3B42 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1436] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E3BAD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1436] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E3A13 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1436] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E3A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1436] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E3C73 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1436] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E3AD7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 eabfiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Development Company, L.P.)

Device \Driver\iaStor \Device\Ide\iaStor0 [F72427A4] iaStor.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 [F72427A4] iaStor.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\iaStor \Device\Ide\IAAStorageDevice-1 [F72427A4] iaStor.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\CFA3E46BFE9581f4FB117E156442053D\Usage@AiO_Device 1032001725

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\iaStor.sys suspicious modification

---- EOF - GMER 1.0.15 ----


Attached File  DDS Attach.zip   3.24KB   0 downloads




EDIT: Topics and posts merged ~BP

Edited by Budapest, 06 December 2010 - 04:28 PM.
Moved from XP to Malware Removal Logs ~ Hamluis.


BC AdBot (Login to Remove)

 


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:54 AM

Posted 09 December 2010 - 05:35 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.

  • Do not run any other tool untill instructed to do so!
  • Please Do not Attach logs or put in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.


We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.


In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:

  • Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger may ask you to reboot the machine, if it does - click OK
Do not re-enable these drivers until otherwise instructed.

Download DDS:

  • Please download DDS by sUBs from one of the links below and save it to your desktop:

    Posted Image
    Download DDS and save it to your desktop

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.

    • Double-Click on dds.scr and a command window will appear. This is normal.
    • Shortly after two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply



Scan With RKUnHooker

  • Please Download Rootkit Unhooker Save it to your desktop.
  • extract RKUnhooker to your desktop
    Note** it is zipped up in a .rar file - If you do not have a program to unzip this type of file
    you can get a free one from here - http://www.7-zip.org/
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers, Stealth,. Uncheck the rest. then Click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note** you may get this warning it is ok, just ignore

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


"just click on Cancel, then Accept".


information and logs:

In your next post I need the following

1.logs from DDS
2.log from RKUnHooker
3.let me know of any problems you may have had
[/list]
Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 hilus

hilus
  • Topic Starter

  • Members
  • 69 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Portsmouth, NH
  • Local time:05:54 AM

Posted 11 December 2010 - 10:56 AM

Hi Gringo_pr,

Thanks for your help. It seems that I got the worst out of this computer, but itís still not working right. It seems slow at times, and does things on its own. Here are my latest logs you requested, and PLEASE let me know if I made any errors. I want to get you the information as accurately as possible.

Thank you again....





DDS (Ver_10-11-27.01) - NTFSx86
Run by Jason at 9:58:55.45 on Sat 12/11/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.274 [GMT -5:00]

AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\COMODO\COMODO System-Cleaner\Cleaner_Validator.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Sony\Content Transfer\ContentTransferWMDetector.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\ehome\RMSvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Documents and Settings\Jason Devereaux\Desktop\dds.scr

============== Pseudo HJT Report ===============

uLocal Page = hxxp://www.google.com/
uStart Page = hxxp://www.comcast.net/
uSearch Page = hxxp://www.google.com
mDefault_Page_URL = hxxp://www.google.com/
mDefault_Search_URL = hxxp://www.google.com/
mSearch Page = hxxp://www.google.com/
mLocal Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/
mSearchAssistant = hxxp://www.google.com/
mCustomizeSearch = hxxp://www.google.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - No File
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [ContentTransferWMDetector.exe] c:\program files\sony\content transfer\ContentTransferWMDetector.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [RecGuard] c:\windows\sminst\RecGuard.exe
mRun: [nwiz] nwiz.exe /installquiet /nodetect
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mPolicies-system: EnableLUA = 0 (0x0)
IE: Lookup on Merriam Webster
IE: Lookup on Wikipedia
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jasond~1\applic~1\mozilla\firefox\profiles\kpdun9ru.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: browser.startup.homepage - hxxp://www.comcast.net/
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?invocationType=bu10aiminstabie7&sredir=2706&query=
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service

============= SERVICES / DRIVERS ===============

R1 CFRMD;CFRMD;c:\windows\system32\drivers\CFRMD.sys [2010-10-28 65560]
R1 CFRPD;CFRPD;c:\windows\system32\drivers\CFRPD.sys [2010-10-28 30648]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-12-3 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-12-3 267944]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-12-3 61960]
R2 Cleaner_Validator;COMODO System - Cleaner Service;c:\program files\comodo\comodo system-cleaner\Cleaner_Validator.exe [2010-10-28 311744]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\McrdSvc.exe [2005-10-20 96256]
S1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-12-3 11608]
S1 jisjqwrx;jisjqwrx;\??\c:\windows\system32\drivers\jisjqwrx.sys --> c:\windows\system32\drivers\jisjqwrx.sys [?]
S4 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2004-8-10 14336]

=============== Created Last 30 ================

2010-12-09 15:03:00 -------- d-----w- c:\docume~1\jasond~1\locals~1\applic~1\Temp
2010-12-08 17:26:18 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-12-08 17:26:18 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2010-12-08 16:50:14 -------- d-----w- c:\windows\system32\Adobe
2010-12-08 15:29:13 874240 ----a-w- c:\windows\system32\drivers\IASTOR.SYS
2010-12-08 13:05:30 -------- d-----w- c:\windows\system32\MpEngineStore
2010-12-08 04:21:28 954368 ------w- c:\windows\system32\dllcache\mfc40.dll
2010-12-08 04:21:27 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2010-12-08 04:21:26 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
2010-12-08 04:20:58 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-12-08 04:20:31 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
2010-12-08 04:18:59 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
2010-12-08 04:17:59 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-12-08 04:14:04 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-12-08 04:12:28 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2010-12-04 07:10:06 19928 ----a-w- c:\windows\cscmondump.bin
2010-12-04 06:28:20 -------- d-----w- c:\program files\COMODO
2010-12-03 21:32:01 -------- d-----w- c:\docume~1\jasond~1\applic~1\Avira
2010-12-03 20:39:10 -------- d-----w- c:\docume~1\jasond~1\applic~1\ieSpell
2010-12-03 06:05:41 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-12-03 06:05:40 -------- d-----w- c:\program files\Avira
2010-12-03 06:05:40 -------- d-----w- c:\docume~1\alluse~1\applic~1\Avira

==================== Find3M ====================

2010-12-08 17:25:50 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-09-18 17:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600

CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll IASTOR.SYS
c:\windows\system32\drivers\IASTOR.SYS Intel Corporation Intel Matrix Storage Manager driver
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8714E030]
3 CLASSPNP[0xF75F2FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000084[0x87131A28]
5 ACPI[0xF7469620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Ide\IAAStorageDevice-0[0x87162030]
kernel: MBR read successfully
_asm { XOR DI, DI; MOV SI, 0x200; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV CX, SI; MOV DS, BX; MOV ES, BX; REP MOVSB ; JMP FAR 0x7a0:0x7a; }
user != kernel MBR !!!

============= FINISH: 10:00:19.37 ===============





UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-11-27.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 8/6/2006 3:01:27 AM
System Uptime: 12/9/2010 12:13:33 PM (46 hours ago)

Motherboard: Hewlett-Packard | | 30A6
Processor: Genuine Intel® CPU T2050 @ 1.60GHz | U1 | 1595/mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 60 GiB total, 29.991 GiB free.
D: is FIXED (NTFS) - 75 GiB total, 74.412 GiB free.
E: is FIXED (FAT32) - 14 GiB total, 1.002 GiB free.
F: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================


Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader X
Adobe Shockwave Player 11.5
Adobeģ Photoshopģ Album Starter Edition 3.0
AiO_Scan_CDA
AiOSoftwareNPI
Apple Mobile Device Support
Apple Software Update
Avira AntiVir Personal - Free Antivirus
Bonjour
BufferChm
CCleaner
COMODO System-Cleaner
Conexant HD Audio
Content Transfer
CP_AtenaShokunin1Config
CP_CalendarTemplates1
cp_LightScribeConfig
cp_OnlineProjectsConfig
CP_Package_Basic1
CP_Package_Variety1
CP_Package_Variety2
CP_Package_Variety3
CP_Panorama1Config
cp_PosterPrintConfig
cp_UpdateProjectsConfig
Critical Update for Windows Media Player 11 (KB959772)
CueTour
CustomerResearchQFolder
Destinations
DeviceFunctionQFolder
DocProc
DocumentViewer
DocumentViewerQFolder
eSupportQFolder
Fax_CDA
FrostWire 4.17.0
HDAUDIO Soft Data Fax Modem with SmartCP
HijackThis 1.99.1
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB952287)
HP Document Viewer 5.3
HP Extended Capabilities 5.3
HP Help and Support
HP Imaging Device Functions 6.0
HP Photosmart Premier Software 6.0
HP PSC & OfficeJet 5.3.A
HP Quick Launch Buttons 6.00 E2
HP QuickPlay 2.1
HP Rhapsody
HP Software Update
HP Solution Center & Imaging Support Tools 5.3
HP Update
HP User Guides--System Recovery
HP User Guides 0011
HP Wireless Assistant 2.00 E1
HPProductAssistant
HpSdpAppCoreApp
InstantShareDevices
Intel® PRO Network Connections Drivers
iTunes
Java Auto Updater
Java™ 6 Update 22
LightScribe 1.4.74.1
Malwarebytes' Anti-Malware
MarketResearch
Media Center Extender
Microsoft .NET Framework 1.0 Hotfix (KB953295)
Microsoft .NET Framework 1.0 Hotfix (KB979904)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft VC9 runtime libraries
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
MobileMe Control Panel
Mozilla Firefox (3.6.12)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NewCopy_CDA
NVIDIA Drivers
OptionalContentQFolder
Otto
PanoStandAlone
PhotoGallery
ProductContextNPI
QuickTime
RandMap
Readme
Revo Uninstaller 1.90
Rhapsody
Rhapsody Player Engine
Scan
ScannerCopy
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2289158)
Security Update for 2007 Microsoft Office System (KB2344875)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Excel 2007 (KB2345035)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office Outlook 2007 (KB2288953)
Security Update for Microsoft Office PowerPoint 2007 (KB982158)
Security Update for Microsoft Office PowerPoint Viewer (KB2413381)
Security Update for Microsoft Office Publisher 2007 (KB982124)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
SkinsHP1
SolutionCenter
Sonic Audio Module
Sonic Copy Module
Sonic Data Module
Sonic Express Labeler
Sonic MyDVD Plus
Sonic Update Manager
Sonic_PrimoSDK
SonicAC3Encoder
SonicMPEGEncoder
Spybot - Search & Destroy
Status
SUPERAntiSpyware
Synaptics Pointing Device Driver
Texas Instruments PCIxx21/x515/xx12 drivers.
TIPCI
TourSetup
TrayApp
Unload
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Outlook 2007 Junk Email Filter (KB2443839)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973815)
Update Rollup 2 for Windows XP Media Center Edition 2005
WebFldrs XP
WebReg
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player Firefox Plugin
Windows XP Media Center Edition 2005 KB905589
Windows XP Media Center Edition 2005 KB925766
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack 3
Wireless Home Network Setup

==== Event Viewer Messages From Past Week ========

12/8/2010 12:14:54 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x800705aa: Windows Malicious Software Removal Tool - November 2010 (KB890830).
12/8/2010 12:14:54 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x800705aa: Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2443839).
12/8/2010 12:14:54 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x800705aa: Security Update for Microsoft Office 2007 System (KB2289158).
12/8/2010 12:14:54 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x800705aa: Security Update for Microsoft .NET Framework 1.1 SP1 on Windows XP, Windows Vista, and Windows Server 2008 x86 (KB2416447).
12/8/2010 12:14:54 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x8007006e: Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2413381).
12/8/2010 12:14:49 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x800705aa: Security Update for Windows XP (KB981957).
12/8/2010 12:14:49 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x800705aa: Security Update for Windows XP (KB2360937).
12/8/2010 12:14:49 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x800705aa: Security Update for Windows XP (KB2279986).
12/8/2010 12:14:08 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x800705aa: Security Update for Microsoft Office Word 2007 (KB2344993).
12/8/2010 12:14:08 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x8007006e: Security Update for the 2007 Microsoft Office System (KB2345043).
12/8/2010 12:14:08 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x8007006e: Security Update for the 2007 Microsoft Office System (KB2344875).
12/8/2010 12:14:03 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x8024200e: Security Update for Windows XP (KB2296011).
12/8/2010 12:14:03 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80090019: Security Update for Windows XP (KB2378111).
12/8/2010 12:14:03 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80090019: Cumulative Security Update for Internet Explorer 8 for Windows XP (KB2360131).
12/8/2010 12:14:03 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80090017: Security Update for Windows XP (KB2387149).
12/8/2010 12:14:03 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070663: Security Update for Microsoft Office Excel 2007 (KB2345035).
12/8/2010 12:14:03 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070052: Security Update for Windows XP (KB979687).
12/8/2010 12:13:19 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Update for Microsoft Silverlight (KB2416427).
12/8/2010 12:12:17 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070663: Security Update for Microsoft Office Outlook 2007 (KB2288953).
12/8/2010 12:12:10 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070663: Security Update for the 2007 Microsoft Office System (KB2288621).
12/8/2010 12:07:09 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x8007f0f4: Security Update for Windows XP (KB981852).
12/8/2010 10:33:45 AM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
12/7/2010 9:59:59 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service MDM with arguments "" in order to run the server: {0C0A3666-30C9-11D0-8F20-00805F2CD064}
12/7/2010 9:30:11 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service hpqwmiex with arguments "-Service" in order to run the server: {F5539356-2F02-40D4-999E-FA61F45FE12E}
12/7/2010 9:30:11 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service ehSched with arguments "-Service" in order to run the server: {4B635ECB-0887-4015-8CA6-D621362F98D1}
12/7/2010 1:23:41 AM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer ANGELIC-PC that believes that it is the master browser for the domain on transport NetBT_Tcpip_{2D96E8F2-A8E7-4BD. The master browser is stopping or an election is being forced.
12/4/2010 9:24:45 PM, error: Server [2505] - The server could not bind to the transport \Device\NetBT_Tcpip_{2D96E8F2-A8E7-4BD0-8D7B-D39420C36A67} because another computer on the network has the same name. The server could not start.
12/4/2010 9:24:45 PM, error: Server [2505] - The server could not bind to the transport \Device\NetbiosSmb because another computer on the network has the same name. The server could not start.
12/4/2010 2:56:10 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC000009A' while processing the file 'NODC190.tmp' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
12/4/2010 2:28:49 AM, error: Service Control Manager [7034] - The RosettaStoneLtdController service terminated unexpectedly. It has done this 1 time(s).
12/4/2010 2:28:38 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the hpqwmiex service to connect.
12/4/2010 2:28:38 AM, error: Service Control Manager [7000] - The hpqwmiex service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
12/4/2010 2:20:19 AM, error: Service Control Manager [7034] - The Windows Installer service terminated unexpectedly. It has done this 1 time(s).
12/4/2010 2:19:18 AM, error: Service Control Manager [7034] - The COMODO System - Cleaner Service service terminated unexpectedly. It has done this 1 time(s).
12/4/2010 2:19:11 AM, error: Service Control Manager [7034] - The Viewpoint Manager Service service terminated unexpectedly. It has done this 1 time(s).
12/4/2010 2:18:39 AM, error: Service Control Manager [7034] - The Pml Driver HPZ12 service terminated unexpectedly. It has done this 1 time(s).
12/4/2010 2:14:34 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
12/4/2010 2:12:28 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: avgio avipbb CFRMD CFRPD eeCtrl Fips intelppm SASDIFSV SASKUTIL ssmdrv
12/4/2010 2:12:28 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the WZCSVC service.
12/4/2010 2:12:28 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the CryptSvc service.
12/4/2010 2:12:28 AM, error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: All pipe instances are busy.
12/4/2010 2:12:28 AM, error: Service Control Manager [7000] - The Server service failed to start due to the following error: All pipe instances are busy.
12/4/2010 2:12:28 AM, error: Service Control Manager [7000] - The Cryptographic Services service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
12/4/2010 2:01:57 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC000009A' while processing the file 'VS4K8917.000' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
12/4/2010 11:57:10 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service ntmssvc with arguments "-Service" in order to run the server: {D61A27C6-8F53-11D0-BFA0-00A024151983}
12/10/2010 6:11:13 PM, error: iaStor [9] - The device, \Device\Ide\iaStor0, did not respond within the timeout period.

==== End Of File ===========================


RkUnhooker report generator v0.7
==============================================
Rootkit Unhooker kernel version: 3.7.300.509
==============================================
Windows Major Version: 5
Windows Minor Version: 1
Windows Build Number: 2600
==============================================
>Drivers
Driver: C:\WINDOWS\System32\nv4_disp.dll
Address: 0xBF012000
Size: 3977216 bytes

Driver: C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
Address: 0xB8A29000
Size: 3661824 bytes

Driver: C:\WINDOWS\system32\ntkrnlpa.exe
Address: 0x804D7000
Size: 2150400 bytes

Driver: PnpManager
Address: 0x804D7000
Size: 2150400 bytes

Driver: RAW
Address: 0x804D7000
Size: 2150400 bytes

Driver: WMIxWDM
Address: 0x804D7000
Size: 2150400 bytes

Driver: Win32k
Address: 0xBF800000
Size: 1855488 bytes

Driver: C:\WINDOWS\System32\win32k.sys
Address: 0xBF800000
Size: 1855488 bytes

Driver: C:\WINDOWS\system32\DRIVERS\w39n51.sys
Address: 0xB8890000
Size: 1429504 bytes

Driver: C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
Address: 0xB4606000
Size: 1036288 bytes

Driver: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0xA3818000
Size: 876544 bytes

Driver: IASTOR.SYS
Address: 0xF7301000
Size: 876544 bytes

Driver: C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
Address: 0xB4556000
Size: 720896 bytes

Driver: C:\WINDOWS\system32\drivers\CHDAud.sys
Address: 0xB4759000
Size: 610304 bytes

Driver: Ntfs.sys
Address: 0xF722A000
Size: 577536 bytes

Driver: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
Address: 0xA8E2B000
Size: 458752 bytes

Driver: C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
Address: 0xA8A52000
Size: 401408 bytes

Driver: C:\WINDOWS\system32\DRIVERS\update.sys
Address: 0xB8700000
Size: 385024 bytes

Driver: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Address: 0xA8F46000
Size: 364544 bytes

Driver: C:\WINDOWS\system32\DRIVERS\srv.sys
Address: 0xA1EC6000
Size: 360448 bytes

Driver: C:\WINDOWS\System32\Drivers\HTTP.sys
Address: 0xA2079000
Size: 266240 bytes

Driver: C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys
Address: 0xB4703000
Size: 204800 bytes

Driver: C:\WINDOWS\system32\DRIVERS\rdpdr.sys
Address: 0xB875E000
Size: 196608 bytes

Driver: C:\WINDOWS\system32\DRIVERS\SynTP.sys
Address: 0xB87D9000
Size: 196608 bytes

Driver: ACPI.sys
Address: 0xF7463000
Size: 188416 bytes

Driver: C:\WINDOWS\system32\DRIVERS\mrxdav.sys
Address: 0xA2359000
Size: 184320 bytes

Driver: NDIS.sys
Address: 0xF71FD000
Size: 184320 bytes

Driver: C:\WINDOWS\system32\DRIVERS\rdbss.sys
Address: 0xA8E9B000
Size: 176128 bytes

Driver: C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
Address: 0xB89ED000
Size: 163840 bytes

Driver: C:\WINDOWS\system32\DRIVERS\netbt.sys
Address: 0xA8F1E000
Size: 163840 bytes

Driver: C:\WINDOWS\system32\drivers\tifm21.sys
Address: 0xB8844000
Size: 163840 bytes

Driver: C:\WINDOWS\system32\DRIVERS\e100b325.sys
Address: 0xB8809000
Size: 159744 bytes

Driver: C:\WINDOWS\system32\DRIVERS\avipbb.sys
Address: 0x9F0F6000
Size: 155648 bytes

Driver: dmio.sys
Address: 0xF73EF000
Size: 155648 bytes

Driver: C:\WINDOWS\System32\Drivers\Fastfat.SYS
Address: 0xA38EE000
Size: 147456 bytes

Driver: C:\WINDOWS\system32\drivers\portcls.sys
Address: 0xB4735000
Size: 147456 bytes

Driver: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS
Address: 0xB886C000
Size: 147456 bytes

Driver: C:\WINDOWS\system32\DRIVERS\ks.sys
Address: 0xB87B6000
Size: 143360 bytes

Driver: C:\WINDOWS\System32\Drivers\RDPWD.SYS
Address: 0xA06DD000
Size: 143360 bytes

Driver: C:\WINDOWS\System32\drivers\afd.sys
Address: 0xA8EFC000
Size: 139264 bytes

Driver: C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
Address: 0xA8EC6000
Size: 139264 bytes

Driver: ACPI_HAL
Address: 0x806E4000
Size: 134400 bytes

Driver: C:\WINDOWS\system32\hal.dll
Address: 0x806E4000
Size: 134400 bytes

Driver: fltmgr.sys
Address: 0xF72E1000
Size: 131072 bytes

Driver: ftdisk.sys
Address: 0xF7415000
Size: 126976 bytes

Driver: pcmcia.sys
Address: 0xF7434000
Size: 122880 bytes

Driver: Mup.sys
Address: 0xF71E3000
Size: 106496 bytes

Driver: atapi.sys
Address: 0xF73D7000
Size: 98304 bytes

Driver: C:\DOCUME~1\JASOND~1\LOCALS~1\Temp\kfroypoc.sys
Address: 0x9EE71000
Size: 98304 bytes

Driver: KSecDD.sys
Address: 0xF72CA000
Size: 94208 bytes

Driver: C:\WINDOWS\system32\DRIVERS\ndiswan.sys
Address: 0xB879F000
Size: 94208 bytes

Driver: C:\WINDOWS\system32\DRIVERS\avgntflt.sys
Address: 0x9F0E1000
Size: 86016 bytes

Driver: C:\WINDOWS\system32\drivers\wdmaud.sys
Address: 0xA23FC000
Size: 86016 bytes

Driver: C:\WINDOWS\system32\DRIVERS\sdbus.sys
Address: 0xB8830000
Size: 81920 bytes

Driver: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Address: 0xB8A15000
Size: 81920 bytes

Driver: C:\WINDOWS\system32\DRIVERS\ipsec.sys
Address: 0xA8F9F000
Size: 77824 bytes

Driver: WudfPf.sys
Address: 0xF72B7000
Size: 77824 bytes

Driver: C:\WINDOWS\System32\drivers\dxg.sys
Address: 0xBF000000
Size: 73728 bytes

Driver: pci.sys
Address: 0xF7452000
Size: 69632 bytes

Driver: C:\WINDOWS\system32\DRIVERS\psched.sys
Address: 0xB878E000
Size: 69632 bytes

Driver: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Address: 0xF77E2000
Size: 65536 bytes

Driver: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Address: 0xB9F8E000
Size: 65536 bytes

Driver: C:\WINDOWS\system32\DRIVERS\nic1394.sys
Address: 0xF7622000
Size: 65536 bytes

Driver: ohci1394.sys
Address: 0xF75A2000
Size: 65536 bytes

Driver: Serial.sys
Address: 0xF7602000
Size: 65536 bytes

Driver: C:\WINDOWS\system32\DRIVERS\arp1394.sys
Address: 0xAB11B000
Size: 61440 bytes

Driver: C:\WINDOWS\system32\DRIVERS\CFRMD.sys
Address: 0xABC4D000
Size: 61440 bytes

Driver: C:\WINDOWS\system32\drivers\drmk.sys
Address: 0xB9752000
Size: 61440 bytes

Driver: C:\WINDOWS\system32\DRIVERS\redbook.sys
Address: 0xB9F7E000
Size: 61440 bytes

Driver: C:\WINDOWS\system32\drivers\sysaudio.sys
Address: 0xB9792000
Size: 61440 bytes

Driver: C:\WINDOWS\system32\DRIVERS\usbhub.sys
Address: 0xAD3A0000
Size: 61440 bytes

Driver: C:\WINDOWS\system32\DRIVERS\1394BUS.SYS
Address: 0xF75B2000
Size: 57344 bytes

Driver: C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Address: 0xF75F2000
Size: 53248 bytes

Driver: C:\WINDOWS\system32\DRIVERS\i8042prt.sys
Address: 0xF77C2000
Size: 53248 bytes

Driver: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
Address: 0xB9F5E000
Size: 53248 bytes

Driver: VolSnap.sys
Address: 0xF75D2000
Size: 53248 bytes

Driver: C:\WINDOWS\system32\DRIVERS\raspptp.sys
Address: 0xB9F3E000
Size: 49152 bytes

Driver: C:\WINDOWS\System32\Drivers\Fips.SYS
Address: 0xAB0FB000
Size: 45056 bytes

Driver: C:\WINDOWS\system32\DRIVERS\imapi.sys
Address: 0xB9F9E000
Size: 45056 bytes

Driver: MountMgr.sys
Address: 0xF75C2000
Size: 45056 bytes

Driver: C:\WINDOWS\system32\DRIVERS\raspppoe.sys
Address: 0xB9F4E000
Size: 45056 bytes

Driver: C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys
Address: 0xB9F6E000
Size: 40960 bytes

Driver: isapnp.sys
Address: 0xF7592000
Size: 40960 bytes

Driver: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Address: 0xB9762000
Size: 40960 bytes

Driver: C:\WINDOWS\system32\DRIVERS\termdd.sys
Address: 0xF77D2000
Size: 40960 bytes

Driver: disk.sys
Address: 0xF75E2000
Size: 36864 bytes

Driver: C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS
Address: 0xF77B2000
Size: 36864 bytes

Driver: C:\WINDOWS\system32\DRIVERS\intelppm.sys
Address: 0xF77A2000
Size: 36864 bytes

Driver: C:\WINDOWS\system32\DRIVERS\msgpc.sys
Address: 0xB9F2E000
Size: 36864 bytes

Driver: C:\WINDOWS\system32\DRIVERS\netbios.sys
Address: 0xAB12B000
Size: 36864 bytes

Driver: C:\WINDOWS\system32\DRIVERS\wanarp.sys
Address: 0xAB13B000
Size: 36864 bytes

Driver: C:\WINDOWS\System32\Drivers\Modem.SYS
Address: 0xF7882000
Size: 32768 bytes

Driver: C:\WINDOWS\System32\Drivers\Npfs.SYS
Address: 0xAC228000
Size: 32768 bytes

Driver: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Address: 0xF795A000
Size: 32768 bytes

Driver: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS
Address: 0xF794A000
Size: 28672 bytes

Driver: C:\DOCUME~1\JASOND~1\LOCALS~1\Temp\mbr.sys
Address: 0xA80F6000
Size: 28672 bytes

Driver: C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Address: 0xF7812000
Size: 28672 bytes

Driver: C:\WINDOWS\system32\DRIVERS\CFRPD.sys
Address: 0xAC260000
Size: 24576 bytes

Driver: C:\WINDOWS\system32\DRIVERS\kbdclass.sys
Address: 0xF7962000
Size: 24576 bytes

Driver: C:\WINDOWS\system32\DRIVERS\mouclass.sys
Address: 0xF796A000
Size: 24576 bytes

Driver: C:\WINDOWS\System32\Drivers\rkhdrv40.SYS
Address: 0xA8AC4000
Size: 24576 bytes

Driver: C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
Address: 0xAC218000
Size: 24576 bytes

Driver: C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
Address: 0xAC220000
Size: 24576 bytes

Driver: C:\WINDOWS\System32\Drivers\TDTCP.SYS
Address: 0xA80B6000
Size: 24576 bytes

Driver: C:\WINDOWS\system32\DRIVERS\usbuhci.sys
Address: 0xF7952000
Size: 24576 bytes

Driver: C:\WINDOWS\System32\drivers\vga.sys
Address: 0xAC250000
Size: 24576 bytes

Driver: C:\WINDOWS\System32\Drivers\Msfs.SYS
Address: 0xAC230000
Size: 20480 bytes

Driver: PartMgr.sys
Address: 0xF781A000
Size: 20480 bytes

Driver: C:\WINDOWS\system32\DRIVERS\ptilink.sys
Address: 0xF797A000
Size: 20480 bytes

Driver: PxHelp20.sys
Address: 0xF7822000
Size: 20480 bytes

Driver: C:\WINDOWS\system32\DRIVERS\raspti.sys
Address: 0xF7982000
Size: 20480 bytes

Driver: C:\WINDOWS\system32\DRIVERS\TDI.SYS
Address: 0xF7972000
Size: 20480 bytes

Driver: C:\WINDOWS\System32\watchdog.sys
Address: 0xADF79000
Size: 20480 bytes

Driver: C:\WINDOWS\system32\DRIVERS\BATTC.SYS
Address: 0xF79AA000
Size: 16384 bytes

Driver: C:\WINDOWS\system32\DRIVERS\CmBatt.sys
Address: 0xF7A6A000
Size: 16384 bytes

Driver: C:\WINDOWS\system32\DRIVERS\kbdhid.sys
Address: 0xB8DC7000
Size: 16384 bytes

Driver: C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
Address: 0xA1542000
Size: 16384 bytes

Driver: C:\WINDOWS\system32\DRIVERS\mssmbios.sys
Address: 0xB8DCB000
Size: 16384 bytes

Driver: C:\WINDOWS\system32\DRIVERS\ndisuio.sys
Address: 0xA44A1000
Size: 16384 bytes

Driver: ACPIEC.sys
Address: 0xF79AE000
Size: 12288 bytes

Driver: C:\WINDOWS\system32\BOOTVID.dll
Address: 0xF79A2000
Size: 12288 bytes

Driver: compbatt.sys
Address: 0xF79A6000
Size: 12288 bytes

Driver: C:\WINDOWS\system32\DRIVERS\cpqbttn.sys
Address: 0xF7A52000
Size: 12288 bytes

Driver: C:\WINDOWS\System32\drivers\Dxapi.sys
Address: 0xA4076000
Size: 12288 bytes

Driver: C:\WINDOWS\system32\DRIVERS\hidusb.sys
Address: 0xB67F2000
Size: 12288 bytes

Driver: C:\WINDOWS\System32\Drivers\i2omgmt.SYS
Address: 0xBA7CC000
Size: 12288 bytes

Driver: C:\WINDOWS\system32\DRIVERS\mouhid.sys
Address: 0xAE6FF000
Size: 12288 bytes

Driver: C:\WINDOWS\system32\DRIVERS\ndistapi.sys
Address: 0xF7A72000
Size: 12288 bytes

Driver: C:\WINDOWS\system32\DRIVERS\rasacd.sys
Address: 0xAE6FB000
Size: 12288 bytes

Driver: C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
Address: 0xF7A56000
Size: 12288 bytes

Driver: aliide.sys
Address: 0xF7A9A000
Size: 8192 bytes

Driver: C:\WINDOWS\System32\Drivers\Beep.SYS
Address: 0xF7AB6000
Size: 8192 bytes

Driver: dmload.sys
Address: 0xF7A9C000
Size: 8192 bytes

Driver: C:\WINDOWS\system32\DRIVERS\eabfiltr.sys
Address: 0xF7ABC000
Size: 8192 bytes

Driver: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Address: 0xF7AB4000
Size: 8192 bytes

Driver: intelide.sys
Address: 0xF7A96000
Size: 8192 bytes

Driver: C:\WINDOWS\system32\KDCOM.DLL
Address: 0xF7A92000
Size: 8192 bytes

Driver: C:\WINDOWS\System32\Drivers\MCSTRM.SYS
Address: 0xF7B46000
Size: 8192 bytes

Driver: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Address: 0xF7AB8000
Size: 8192 bytes

Driver: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Address: 0xF7ABA000
Size: 8192 bytes

Driver: C:\WINDOWS\system32\DRIVERS\swenum.sys
Address: 0xF7AF6000
Size: 8192 bytes

Driver: C:\WINDOWS\system32\DRIVERS\USBD.SYS
Address: 0xF7AF0000
Size: 8192 bytes

Driver: viaide.sys
Address: 0xF7A98000
Size: 8192 bytes

Driver: C:\WINDOWS\system32\DRIVERS\WMILIB.SYS
Address: 0xF7A94000
Size: 8192 bytes

Driver: C:\WINDOWS\system32\DRIVERS\audstub.sys
Address: 0xF7CD5000
Size: 4096 bytes

Driver: C:\WINDOWS\System32\drivers\dxgthk.sys
Address: 0xABFD4000
Size: 4096 bytes

Driver: C:\WINDOWS\System32\Drivers\Null.SYS
Address: 0xABFE5000
Size: 4096 bytes

Driver: C:\WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
Address: 0xF7B5B000
Size: 4096 bytes

Driver: pciide.sys
Address: 0xF7B5A000
Size: 4096 bytes

==============================================
>Stealth

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:54 AM

Posted 11 December 2010 - 12:07 PM

Hello

You did very well.

I Would like you to do the following.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#5 hilus

hilus
  • Topic Starter

  • Members
  • 69 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Portsmouth, NH
  • Local time:05:54 AM

Posted 11 December 2010 - 09:16 PM

Hi Gringo_pr,

Again thanks for all your help. I did as instructed and ran Combo-fix. The first time it crashed after getting a message that there were insufficient resources to complete the operations. So I restarted the computer as it had locked up and went through the windows services under administrative tools and turned off some unneeded services. I then rebooted and ran Combo-fix again and it was successful. Below is the Combo-fix log file. The computer seems normal at the moment; however I will need to play with it for a bit to make sure. If you have any other suggestions please feel free. Again many thanks for your assistance.




ComboFix 10-12-11.03 - Jason 12/11/2010 20:13:25.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.573 [GMT -5:00]
Running from: c:\documents and settings\Jason \Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

E:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2010-11-12 to 2010-12-12 )))))))))))))))))))))))))))))))
.

2010-12-11 15:29 . 2010-12-11 15:29 -------- d-----w- c:\program files\7-Zip
2010-12-09 15:03 . 2010-12-09 15:03 -------- d-----w- c:\documents and settings\Jason Devereaux\Local Settings\Application Data\Temp
2010-12-08 17:26 . 2010-12-08 17:25 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2010-12-08 17:26 . 2010-12-08 17:25 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-12-08 17:25 . 2010-12-08 17:25 -------- d-----w- c:\program files\Java
2010-12-08 16:50 . 2010-12-08 16:50 -------- d-----w- c:\windows\system32\Adobe
2010-12-08 16:41 . 2010-12-08 16:41 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-12-08 15:29 . 2010-12-08 15:29 874240 ----a-w- c:\windows\system32\drivers\IASTOR.SYS
2010-12-08 13:05 . 2010-12-08 15:30 -------- d-----w- c:\windows\system32\MpEngineStore
2010-12-08 04:21 . 2010-09-18 06:53 954368 ------w- c:\windows\system32\dllcache\mfc40.dll
2010-12-08 04:21 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2010-12-08 04:21 . 2010-09-18 06:53 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
2010-12-08 04:20 . 2010-09-10 05:58 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-12-08 04:20 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
2010-12-08 04:18 . 2010-06-18 13:36 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
2010-12-08 04:17 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-12-08 04:14 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-12-08 04:12 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2010-12-08 02:06 . 2010-12-08 02:06 -------- d-sh--w- c:\documents and settings\LocalService\IECompatCache
2010-12-08 02:06 . 2010-12-08 02:06 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-12-08 02:05 . 2010-12-08 02:05 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee
2010-12-05 00:15 . 2010-12-05 02:16 -------- d-----w- c:\windows\BDOSCAN8
2010-12-04 07:10 . 2010-12-12 01:02 20544 ----a-w- c:\windows\cscmondump.bin
2010-12-04 06:28 . 2010-12-04 06:28 -------- d-----w- c:\program files\COMODO
2010-12-03 21:32 . 2010-12-03 21:32 -------- d-----w- c:\documents and settings\Jason Devereaux\Application Data\Avira
2010-12-03 20:39 . 2010-12-03 20:39 -------- d-----w- c:\documents and settings\Jason Devereaux\Application Data\ieSpell
2010-12-03 06:05 . 2010-12-12 01:11 -------- d-----w- c:\program files\Avira

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-08 17:25 . 2007-09-11 20:15 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-11-29 21:42 . 2007-04-14 16:08 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-29 21:42 . 2007-04-14 16:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-28 14:54 . 2010-10-28 14:54 30648 ----a-w- c:\windows\system32\drivers\CFRPD.sys
2010-10-28 14:54 . 2010-10-28 14:54 65560 ----a-w- c:\windows\system32\drivers\CFRMD.sys
2010-09-18 17:23 . 2004-08-10 15:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2004-08-10 15:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2004-08-10 15:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2004-08-10 15:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
.

------- Sigcheck -------

[-] 2008-07-07 20:32 . 60D1A6342238378BFB7545C81EE3606C . 253952 . . [2001.12.4414.320] . . c:\windows\$NtServicePackUninstall$\es.dll
[-] 2008-07-07 20:26 . D4991D98F2DB73C60D042F1AEF79EFAE . 253952 . . [2001.12.4414.706] . . c:\windows\$hf_mig$\KB950974\SP3GDR\es.dll
[-] 2008-07-07 20:26 . D4991D98F2DB73C60D042F1AEF79EFAE . 253952 . . [2001.12.4414.706] . . c:\windows\system32\es.dll
[-] 2008-07-07 20:26 . D4991D98F2DB73C60D042F1AEF79EFAE . 253952 . . [2001.12.4414.706] . . c:\windows\system32\dllcache\es.dll
[-] 2008-07-07 20:23 . F17F6226BDC0CD5F0BEF0DAF84D29BEC . 253952 . . [2001.12.4414.706] . . c:\windows\$hf_mig$\KB950974\SP3QFE\es.dll
[-] 2008-07-07 20:06 . A4AB3DCA4A383F0DF4988ABDEB84F9A4 . 253952 . . [2001.12.4414.320] . . c:\windows\$hf_mig$\KB950974\SP2QFE\es.dll
[7] 2008-04-14 00:11 . 19A799805B24990867B00C120D300C3A . 246272 . . [2001.12.4414.701] . . c:\windows\$NtUninstallKB950974$\es.dll
[7] 2008-04-14 00:11 . 19A799805B24990867B00C120D300C3A . 246272 . . [2001.12.4414.701] . . c:\windows\ServicePackFiles\i386\es.dll
[-] 2005-07-26 04:39 . 34BBD9ACC1538818F2C878898C64E793 . 243200 . . [2001.12.4414.308] . . c:\windows\$NtUninstallKB950974_0$\es.dll
[-] 2005-07-26 04:20 . 95F5FEA4C6DE2C3F28784D0DCC8F0DD3 . 243200 . . [2001.12.4414.308] . . c:\windows\$hf_mig$\KB902400\SP2QFE\es.dll
[-] 2004-08-10 15:00 . ACD36A2DD7D1E9D8A060AA651DC07E63 . 243200 . . [2001.12.4414.258] . . c:\windows\$NtUninstallKB902400$\es.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-15 454656]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-04-15 7561216]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-04-15 86016]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-04-18 61952]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2006-02-22 40960]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-04-12 102400]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"ContentTransferWMDetector.exe"="c:\program files\Sony\Content Transfer\ContentTransferWMDetector.exe" [2008-07-11 423200]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"nwiz"="nwiz.exe" [2006-04-15 1519616]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-04 761948]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Vongo Tray.lnk.disabled [2006-6-5 1719]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"McComponentHostService"=3 (0x3)
"WLSetupSvc"=3 (0x3)
"Viewpoint Manager Service"=2 (0x2)
"RosettaStoneLtdController"=2 (0x2)
"AntiSpywareService"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpoews01.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3776:UDP"= 3776:UDP:Media Center Extender Service
"3390:TCP"= 3390:TCP:Remote Media Center Experience
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 CFRMD;CFRMD;c:\windows\system32\drivers\CFRMD.sys [10/28/2010 9:54 AM 65560]
R1 CFRPD;CFRPD;c:\windows\system32\drivers\CFRPD.sys [10/28/2010 9:54 AM 30648]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]
S1 jisjqwrx;jisjqwrx;\??\c:\windows\system32\drivers\jisjqwrx.sys --> c:\windows\system32\drivers\jisjqwrx.sys [?]
S3 rkhdrv40;Rootkit Unhooker Driver; [x]
S4 Cleaner_Validator;COMODO System - Cleaner Service;c:\program files\COMODO\COMODO System-Cleaner\Cleaner_Validator.exe [10/28/2010 9:54 AM 311744]
S4 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/10/2004 10:00 AM 14336]

--- Other Services/Drivers In Memory ---

*Deregistered* - avipbb
*Deregistered* - ssmdrv

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-12-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]

2010-12-11 c:\windows\Tasks\COMODO Updater.job
- c:\program files\COMODO\COMODO System-Cleaner\Updater.exe [2010-10-28 14:54]
.
.
------- Supplementary Scan -------
.
uLocal Page = hxxp://www.google.com/
uStart Page = hxxp://www.comcast.net/
mLocal Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/
IE: Lookup on Merriam Webster
IE: Lookup on Wikipedia
FF - ProfilePath - c:\documents and settings\Jason Devereaux\Application Data\Mozilla\Firefox\Profiles\kpdun9ru.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: browser.startup.homepage - hxxp://www.comcast.net/
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?invocationType=bu10aiminstabie7&sredir=2706&query=
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKLM-Run-QlbCtrl - %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-11 20:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe?????? ???@???????????????@? ???@Z??????(?@???????@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600

CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR

Disk trace:
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll IASTOR.SYS
c:\docume~1\JASOND~1\LOCALS~1\Temp\catchme.sys
c:\windows\system32\drivers\IASTOR.SYS Intel Corporation Intel Matrix Storage Manager driver
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8717B9C0]
3 CLASSPNP[0xF75F2FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000086[0x8714C978]
5 ACPI[0xF7469620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Ide\IAAStorageDevice-0[0x86C32030]
kernel: MBR read successfully
_asm { XOR DI, DI; MOV SI, 0x200; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV CX, SI; MOV DS, BX; MOV ES, BX; REP MOVSB ; JMP FAR 0x7a0:0x7a; }
user != kernel MBR !!!

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2010-12-11 20:30:30
ComboFix-quarantined-files.txt 2010-12-12 01:30

Pre-Run: 32,258,371,584 bytes free
Post-Run: 32,225,972,224 bytes free

- - End Of File - - 310BBD4C4EE04A4A9BA58D8EDE027F3B

#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:54 AM

Posted 11 December 2010 - 09:40 PM

I want you to run this tool for me next.

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 hilus

hilus
  • Topic Starter

  • Members
  • 69 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Portsmouth, NH
  • Local time:05:54 AM

Posted 11 December 2010 - 10:20 PM

Hi Gringo

You are the man! I ran TDSSKiller and nothing came up. Here is the log file. I would like to clean out any junk. Please make any suggestions you would like!



2010/12/11 22:13:54.0156 TDSS rootkit removing tool 2.4.11.0 Dec 8 2010 14:46:40
2010/12/11 22:13:54.0171 ================================================================================
2010/12/11 22:13:54.0171 SystemInfo:
2010/12/11 22:13:54.0171
2010/12/11 22:13:54.0171 OS Version: 5.1.2600 ServicePack: 3.0
2010/12/11 22:13:54.0171 Product type: Workstation
2010/12/11 22:13:54.0171 ComputerName: PC192371242527
2010/12/11 22:13:54.0171 UserName: Jason Devereaux
2010/12/11 22:13:54.0171 Windows directory: C:\WINDOWS
2010/12/11 22:13:54.0171 System windows directory: C:\WINDOWS
2010/12/11 22:13:54.0171 Processor architecture: Intel x86
2010/12/11 22:13:54.0171 Number of processors: 2
2010/12/11 22:13:54.0171 Page size: 0x1000
2010/12/11 22:13:54.0171 Boot type: Normal boot
2010/12/11 22:13:54.0171 ================================================================================
2010/12/11 22:13:54.0859 Initialize success
2010/12/11 22:14:00.0296 ================================================================================
2010/12/11 22:14:00.0296 Scan started
2010/12/11 22:14:00.0296 Mode: Manual;
2010/12/11 22:14:00.0296 ================================================================================
2010/12/11 22:14:00.0625 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
2010/12/11 22:14:00.0687 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/12/11 22:14:00.0703 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
2010/12/11 22:14:00.0750 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
2010/12/11 22:14:00.0812 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2010/12/11 22:14:00.0890 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2010/12/11 22:14:00.0953 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
2010/12/11 22:14:00.0984 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
2010/12/11 22:14:01.0031 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
2010/12/11 22:14:01.0078 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
2010/12/11 22:14:01.0109 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
2010/12/11 22:14:01.0328 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
2010/12/11 22:14:01.0390 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
2010/12/11 22:14:01.0437 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
2010/12/11 22:14:01.0468 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
2010/12/11 22:14:01.0531 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2010/12/11 22:14:01.0578 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
2010/12/11 22:14:01.0609 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
2010/12/11 22:14:01.0640 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
2010/12/11 22:14:01.0703 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/12/11 22:14:01.0750 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/12/11 22:14:01.0812 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/12/11 22:14:01.0890 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/12/11 22:14:01.0921 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/12/11 22:14:01.0984 BTWUSB (7024e11dab9410b31a37547575249dd7) C:\WINDOWS\system32\Drivers\btwusb.sys
2010/12/11 22:14:02.0312 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
2010/12/11 22:14:02.0328 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/12/11 22:14:02.0390 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2010/12/11 22:14:02.0421 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
2010/12/11 22:14:02.0453 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/12/11 22:14:02.0531 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/12/11 22:14:02.0562 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/12/11 22:14:02.0625 CFRMD (e42567e4389bbd370711568fd4de9c3f) C:\WINDOWS\system32\DRIVERS\CFRMD.sys
2010/12/11 22:14:02.0703 CFRPD (cc7d04b1e233aa7e304dc2a747c045e9) C:\WINDOWS\system32\DRIVERS\CFRPD.sys
2010/12/11 22:14:02.0796 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2010/12/11 22:14:02.0859 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
2010/12/11 22:14:02.0906 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2010/12/11 22:14:02.0968 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
2010/12/11 22:14:03.0031 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
2010/12/11 22:14:03.0062 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
2010/12/11 22:14:03.0140 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/12/11 22:14:03.0218 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2010/12/11 22:14:03.0296 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2010/12/11 22:14:03.0343 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/12/11 22:14:03.0390 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2010/12/11 22:14:03.0453 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
2010/12/11 22:14:03.0484 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/12/11 22:14:03.0546 E100B (6ca101f9aa3d845ba31f6e13c01301a8) C:\WINDOWS\system32\DRIVERS\e100b325.sys
2010/12/11 22:14:03.0609 eabfiltr (b5cb3084046146fd2587d8c9b219feb4) C:\WINDOWS\system32\DRIVERS\eabfiltr.sys
2010/12/11 22:14:03.0656 eabusb (231f4547ae1e4b3e60eca66c3a96d218) C:\WINDOWS\system32\DRIVERS\eabusb.sys
2010/12/11 22:14:03.0796 eeCtrl (08035db1987412cced1d4201263776ed) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
2010/12/11 22:14:04.0218 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/12/11 22:14:04.0265 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2010/12/11 22:14:04.0328 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2010/12/11 22:14:04.0359 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2010/12/11 22:14:04.0437 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2010/12/11 22:14:04.0484 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/12/11 22:14:04.0546 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/12/11 22:14:04.0625 GEARAspiWDM (f2f431d1573ee632975c524418655b84) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
2010/12/11 22:14:04.0671 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/12/11 22:14:04.0734 HBtnKey (4d4d97671c63c3af869b3518e6054204) C:\WINDOWS\system32\DRIVERS\cpqbttn.sys
2010/12/11 22:14:04.0828 HdAudAddService (bb42bb78bbbc1e83292ef26973598daf) C:\WINDOWS\system32\drivers\CHDAud.sys
2010/12/11 22:14:04.0875 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2010/12/11 22:14:04.0921 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/12/11 22:14:04.0984 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
2010/12/11 22:14:05.0031 HPZid412 (9f1d80908658eb7f1bf70809e0b51470) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
2010/12/11 22:14:05.0062 HPZipr12 (f7e3e9d50f9cd3de28085a8fdaa0a1c3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
2010/12/11 22:14:05.0109 HPZius12 (abcb05ccdbf03000354b9553820e39f8) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
2010/12/11 22:14:05.0187 HSFHWAZL (89e256c5f5346be265d9f86ac8625d4f) C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys
2010/12/11 22:14:05.0312 HSF_DPV (0e44af3828111d4c3e73c33ac95226d8) C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
2010/12/11 22:14:05.0468 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/12/11 22:14:05.0562 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
2010/12/11 22:14:05.0609 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
2010/12/11 22:14:05.0656 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/12/11 22:14:05.0765 iaStor (309c4d86d989fb1fcf64bd30dc81c51b) C:\WINDOWS\system32\DRIVERS\IASTOR.SYS
2010/12/11 22:14:05.0828 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/12/11 22:14:05.0906 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
2010/12/11 22:14:05.0921 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2010/12/11 22:14:06.0000 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2010/12/11 22:14:06.0031 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2010/12/11 22:14:06.0093 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/12/11 22:14:06.0125 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/12/11 22:14:06.0171 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/12/11 22:14:06.0234 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/12/11 22:14:06.0281 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/12/11 22:14:06.0343 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/12/11 22:14:06.0421 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/12/11 22:14:06.0453 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2010/12/11 22:14:06.0500 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/12/11 22:14:06.0578 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/12/11 22:14:06.0828 MCSTRM (5bb01b9f582259d1fb7653c5c1da3653) C:\WINDOWS\system32\drivers\MCSTRM.sys
2010/12/11 22:14:06.0890 mdmxsdk (74f4372af97a587ecec527ec34955712) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
2010/12/11 22:14:06.0968 MHNDRV (7f2f1d2815a6449d346fcccbc569fbd6) C:\WINDOWS\system32\DRIVERS\mhndrv.sys
2010/12/11 22:14:07.0015 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/12/11 22:14:07.0078 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2010/12/11 22:14:07.0109 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/12/11 22:14:07.0156 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/12/11 22:14:07.0203 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/12/11 22:14:07.0250 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
2010/12/11 22:14:07.0281 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/12/11 22:14:07.0359 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/12/11 22:14:07.0390 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2010/12/11 22:14:07.0437 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/12/11 22:14:07.0468 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/12/11 22:14:07.0500 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/12/11 22:14:07.0546 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/12/11 22:14:07.0609 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2010/12/11 22:14:07.0640 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2010/12/11 22:14:07.0687 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2010/12/11 22:14:07.0734 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2010/12/11 22:14:07.0781 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2010/12/11 22:14:07.0812 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/12/11 22:14:07.0843 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/12/11 22:14:07.0859 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/12/11 22:14:07.0890 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/12/11 22:14:07.0906 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/12/11 22:14:07.0937 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/12/11 22:14:07.0984 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2010/12/11 22:14:08.0015 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2010/12/11 22:14:08.0062 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/12/11 22:14:08.0156 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/12/11 22:14:08.0406 nv (88d8f8d4c3243e0bb0ed57496868e52e) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2010/12/11 22:14:08.0671 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/12/11 22:14:08.0703 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/12/11 22:14:08.0781 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2010/12/11 22:14:08.0921 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
2010/12/11 22:14:08.0953 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/12/11 22:14:08.0984 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/12/11 22:14:09.0015 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/12/11 22:14:09.0062 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/12/11 22:14:09.0093 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
2010/12/11 22:14:09.0234 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
2010/12/11 22:14:09.0265 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
2010/12/11 22:14:09.0359 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/12/11 22:14:09.0390 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/12/11 22:14:09.0421 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/12/11 22:14:09.0468 PxHelp20 (86724469cd077901706854974cd13c3e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2010/12/11 22:14:09.0515 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
2010/12/11 22:14:09.0546 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
2010/12/11 22:14:09.0578 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
2010/12/11 22:14:09.0625 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
2010/12/11 22:14:09.0656 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
2010/12/11 22:14:09.0718 QWAVEDRV (2bb1d2baf3493362e5c1949c5f210d5f) C:\WINDOWS\system32\DRIVERS\qwavedrv.sys
2010/12/11 22:14:09.0765 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/12/11 22:14:09.0843 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/12/11 22:14:09.0875 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/12/11 22:14:09.0906 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/12/11 22:14:09.0953 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/12/11 22:14:09.0984 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/12/11 22:14:10.0015 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2010/12/11 22:14:10.0062 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/12/11 22:14:10.0109 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/12/11 22:14:10.0203 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
2010/12/11 22:14:10.0343 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2010/12/11 22:14:10.0343 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
2010/12/11 22:14:10.0437 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys
2010/12/11 22:14:10.0484 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/12/11 22:14:10.0531 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
2010/12/11 22:14:10.0562 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/12/11 22:14:10.0625 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
2010/12/11 22:14:10.0656 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2010/12/11 22:14:10.0703 SONYPVU1 (a1eceeaa5c5e74b2499eb51d38185b84) C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS
2010/12/11 22:14:10.0750 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
2010/12/11 22:14:10.0812 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2010/12/11 22:14:10.0859 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/12/11 22:14:10.0953 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/12/11 22:14:11.0031 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2010/12/11 22:14:11.0078 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/12/11 22:14:11.0125 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2010/12/11 22:14:11.0187 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
2010/12/11 22:14:11.0281 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
2010/12/11 22:14:11.0359 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
2010/12/11 22:14:11.0421 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
2010/12/11 22:14:11.0515 SynTP (c9a1785cc0d7a040dd0fdbfeaa8be135) C:\WINDOWS\system32\DRIVERS\SynTP.sys
2010/12/11 22:14:11.0593 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/12/11 22:14:11.0703 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/12/11 22:14:11.0750 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/12/11 22:14:11.0796 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/12/11 22:14:11.0828 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/12/11 22:14:11.0921 tifm21 (9179e07503630d6fb2e4162ff0196191) C:\WINDOWS\system32\drivers\tifm21.sys
2010/12/11 22:14:12.0187 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
2010/12/11 22:14:12.0250 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2010/12/11 22:14:12.0281 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
2010/12/11 22:14:12.0375 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2010/12/11 22:14:12.0437 USBAAPL (60a68a5ea173a97971ee9f1ff49eb2b3) C:\WINDOWS\system32\Drivers\usbaapl.sys
2010/12/11 22:14:12.0484 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
2010/12/11 22:14:12.0531 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/12/11 22:14:12.0593 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/12/11 22:14:12.0640 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/12/11 22:14:12.0687 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2010/12/11 22:14:12.0718 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2010/12/11 22:14:12.0750 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/12/11 22:14:12.0812 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2010/12/11 22:14:12.0890 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
2010/12/11 22:14:12.0937 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2010/12/11 22:14:13.0000 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
2010/12/11 22:14:13.0046 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
2010/12/11 22:14:13.0062 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/12/11 22:14:13.0218 w39n51 (4e7b07653f4f9937cf62ad2869fba520) C:\WINDOWS\system32\DRIVERS\w39n51.sys
2010/12/11 22:14:13.0390 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/12/11 22:14:13.0468 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/12/11 22:14:13.0578 winachsf (214bc3ad84907ad6ad655ac5465f449a) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
2010/12/11 22:14:13.0781 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
2010/12/11 22:14:13.0843 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
2010/12/11 22:14:13.0890 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2010/12/11 22:14:13.0953 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2010/12/11 22:14:14.0015 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2010/12/11 22:14:14.0406 ================================================================================
2010/12/11 22:14:14.0406 Scan finished
2010/12/11 22:14:14.0406 ================================================================================

#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:54 AM

Posted 11 December 2010 - 10:29 PM

I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

Driver::
jisjqwrx


Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#9 hilus

hilus
  • Topic Starter

  • Members
  • 69 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Portsmouth, NH
  • Local time:05:54 AM

Posted 11 December 2010 - 11:50 PM

Hi Gringo,

Ok did what you asked and here is what happened. Combofix began its scan and all was normal until a windows error message appeared which stated that an error had occurred with PEV.cfxxe, it asked if I wanted to debug, send a report to Microsoft or donít send a report. I clicked donít send. Combofix then continued with its scan and restarted the computer. Upon restart the combofix window opened and it said that the scan was complete and a log was being generated. Thatís when another error message popped up. Hpqwmiex.exe fault and it asked the same, Debug, send or donít send a report. Thatís when I decided to have a look in the windows services and event viewer. I found the following:



ADMIN TOOLS>EVENT VIEWER>APPLICATION:

Application Error, Event ID: 1000, Description: Faulting application, hpqwmiex.exe, version 2.0.1.8, faulting module hpqwmiex.exe, version 2.0.1.8, fault address 0x00005fe7.



Also found multiple serious faults and warnings (too many to list) for COM+ and EVENTSYSTEM.



Also under ADMIN TOOLS>EVENT VIEWER>SYSTEM: services terminated unexpectedly or failed to start: hpqwmiex.exe, COM+, getPlus helper 3004, Media center Extender service.



Also discovered in ADMIN TOOLS>SERVICES, that although the following services were set to start automatically they failed to start: COM+ SYSTEM Application, getPlus ® helper 3004, hpqwmiex, Media center Extender service,











So I'm not sure what happened. Could I have turned off or set to manual a service that these depend on? well anyway here is the log from COMBO-Fix.







ComboFix 10-12-11.03 - Jason Devereaux 12/11/2010 22:52:03.3.2 - x86
Running from: c:\documents and settings\Jason Devereaux\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jason Devereaux\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_jisjqwrx


((((((((((((((((((((((((( Files Created from 2010-11-12 to 2010-12-12 )))))))))))))))))))))))))))))))
.

2010-12-11 15:29 . 2010-12-11 15:29 -------- d-----w- c:\program files\7-Zip
2010-12-09 15:03 . 2010-12-09 15:03 -------- d-----w- c:\documents and settings\Jason Devereaux\Local Settings\Application Data\Temp
2010-12-08 17:26 . 2010-12-08 17:25 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2010-12-08 17:26 . 2010-12-08 17:25 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-12-08 17:25 . 2010-12-08 17:25 -------- d-----w- c:\program files\Java
2010-12-08 16:50 . 2010-12-08 16:50 -------- d-----w- c:\windows\system32\Adobe
2010-12-08 16:41 . 2010-12-08 16:41 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-12-08 15:29 . 2010-12-08 15:29 874240 ----a-w- c:\windows\system32\drivers\IASTOR.SYS
2010-12-08 13:05 . 2010-12-08 15:30 -------- d-----w- c:\windows\system32\MpEngineStore
2010-12-08 04:21 . 2010-09-18 06:53 954368 ------w- c:\windows\system32\dllcache\mfc40.dll
2010-12-08 04:21 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2010-12-08 04:21 . 2010-09-18 06:53 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
2010-12-08 04:20 . 2010-09-10 05:58 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-12-08 04:20 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
2010-12-08 04:18 . 2010-06-18 13:36 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
2010-12-08 04:17 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-12-08 04:14 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-12-08 04:12 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2010-12-08 02:06 . 2010-12-08 02:06 -------- d-sh--w- c:\documents and settings\LocalService\IECompatCache
2010-12-08 02:06 . 2010-12-08 02:06 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-12-08 02:05 . 2010-12-08 02:05 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee
2010-12-05 00:15 . 2010-12-05 02:16 -------- d-----w- c:\windows\BDOSCAN8
2010-12-04 07:10 . 2010-12-12 04:00 20544 ----a-w- c:\windows\cscmondump.bin
2010-12-04 06:28 . 2010-12-04 06:28 -------- d-----w- c:\program files\COMODO
2010-12-03 21:32 . 2010-12-03 21:32 -------- d-----w- c:\documents and settings\Jason Devereaux\Application Data\Avira
2010-12-03 20:39 . 2010-12-03 20:39 -------- d-----w- c:\documents and settings\Jason Devereaux\Application Data\ieSpell

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-08 17:25 . 2007-09-11 20:15 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-11-29 21:42 . 2007-04-14 16:08 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-29 21:42 . 2007-04-14 16:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-28 14:54 . 2010-10-28 14:54 30648 ----a-w- c:\windows\system32\drivers\CFRPD.sys
2010-10-28 14:54 . 2010-10-28 14:54 65560 ----a-w- c:\windows\system32\drivers\CFRMD.sys
2010-09-18 17:23 . 2004-08-10 15:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2004-08-10 15:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2004-08-10 15:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2004-08-10 15:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
.

------- Sigcheck -------

[-] 2008-07-07 20:32 . 60D1A6342238378BFB7545C81EE3606C . 253952 . . [2001.12.4414.320] . . c:\windows\$NtServicePackUninstall$\es.dll
[-] 2008-07-07 20:26 . D4991D98F2DB73C60D042F1AEF79EFAE . 253952 . . [2001.12.4414.706] . . c:\windows\$hf_mig$\KB950974\SP3GDR\es.dll
[-] 2008-07-07 20:26 . D4991D98F2DB73C60D042F1AEF79EFAE . 253952 . . [2001.12.4414.706] . . c:\windows\system32\es.dll
[-] 2008-07-07 20:26 . D4991D98F2DB73C60D042F1AEF79EFAE . 253952 . . [2001.12.4414.706] . . c:\windows\system32\dllcache\es.dll
[-] 2008-07-07 20:23 . F17F6226BDC0CD5F0BEF0DAF84D29BEC . 253952 . . [2001.12.4414.706] . . c:\windows\$hf_mig$\KB950974\SP3QFE\es.dll
[-] 2008-07-07 20:06 . A4AB3DCA4A383F0DF4988ABDEB84F9A4 . 253952 . . [2001.12.4414.320] . . c:\windows\$hf_mig$\KB950974\SP2QFE\es.dll
[7] 2008-04-14 00:11 . 19A799805B24990867B00C120D300C3A . 246272 . . [2001.12.4414.701] . . c:\windows\$NtUninstallKB950974$\es.dll
[7] 2008-04-14 00:11 . 19A799805B24990867B00C120D300C3A . 246272 . . [2001.12.4414.701] . . c:\windows\ServicePackFiles\i386\es.dll
[-] 2005-07-26 04:39 . 34BBD9ACC1538818F2C878898C64E793 . 243200 . . [2001.12.4414.308] . . c:\windows\$NtUninstallKB950974_0$\es.dll
[-] 2005-07-26 04:20 . 95F5FEA4C6DE2C3F28784D0DCC8F0DD3 . 243200 . . [2001.12.4414.308] . . c:\windows\$hf_mig$\KB902400\SP2QFE\es.dll
[-] 2004-08-10 15:00 . ACD36A2DD7D1E9D8A060AA651DC07E63 . 243200 . . [2001.12.4414.258] . . c:\windows\$NtUninstallKB902400$\es.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-15 454656]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-04-15 7561216]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-04-15 86016]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-04-18 61952]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2006-02-22 40960]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-04-12 102400]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"ContentTransferWMDetector.exe"="c:\program files\Sony\Content Transfer\ContentTransferWMDetector.exe" [2008-07-11 423200]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"nwiz"="nwiz.exe" [2006-04-15 1519616]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-04 761948]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Vongo Tray.lnk.disabled [2006-6-5 1719]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"McComponentHostService"=3 (0x3)
"WLSetupSvc"=3 (0x3)
"Viewpoint Manager Service"=2 (0x2)
"RosettaStoneLtdController"=2 (0x2)
"AntiSpywareService"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpoews01.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3776:UDP"= 3776:UDP:Media Center Extender Service
"3390:TCP"= 3390:TCP:Remote Media Center Experience
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe [2008-04-14 14336]
R3 rkhdrv40;Rootkit Unhooker Driver; [x]
S1 CFRMD;CFRMD;c:\windows\system32\DRIVERS\CFRMD.sys [2010-10-28 65560]
S1 CFRPD;CFRPD;c:\windows\system32\DRIVERS\CFRPD.sys [2010-10-28 30648]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
S2 Cleaner_Validator;COMODO System - Cleaner Service;c:\program files\COMODO\COMODO System-Cleaner\Cleaner_Validator.exe [2010-10-28 311744]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-12-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]

2010-12-11 c:\windows\Tasks\COMODO Updater.job
- c:\program files\COMODO\COMODO System-Cleaner\Updater.exe [2010-10-28 14:54]
.
.
------- Supplementary Scan -------
.
uLocal Page = hxxp://www.google.com/
uStart Page = hxxp://www.comcast.net/
mLocal Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/
IE: Lookup on Merriam Webster
IE: Lookup on Wikipedia
FF - ProfilePath - c:\documents and settings\Jason Devereaux\Application Data\Mozilla\Firefox\Profiles\kpdun9ru.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: browser.startup.homepage - hxxp://www.comcast.net/
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?invocationType=bu10aiminstabie7&sredir=2706&query=
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-11 23:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe?????? ???@???????????????@? ???@Z??????(?@???????@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3948)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\SCardSvr.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\windows\ehome\RMSvc.exe
c:\windows\system32\locator.exe
c:\windows\system32\wbem\wmiapsrv.exe
.
**************************************************************************
.
Completion time: 2010-12-11 23:06:24 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-12 04:06
ComboFix2.txt 2010-12-12 01:30

Pre-Run: 32,222,232,576 bytes free
Post-Run: 32,097,304,576 bytes free

- - End Of File - - D0C64C290C1C6207F657DA1059BA9563








#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:54 AM

Posted 11 December 2010 - 11:57 PM

Hello

that error is from Combofix and happens from time to time

:P2P Warning!:

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur
Once upon a time, P2P file sharing was fairly safe. That is no longer true. P2P programs form a direct conduit on to your computer, their security measures are easily circumvented and malware writers are increasingly exploiting them to spread their wares on to your computer. Further to that, if your P2P program is not configured correctly, your computer may be sharing more files than you realise. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to a file sharing network by a badly configured program.

Please read these short reports on the dangers of peer-2-peer programs and file sharing.

FBI Cyber Education Letter
File sharing infects 500,000 computers
USAToday
infoworld


These logs are looking alot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps..
Clear your Java Cache

  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      Applications and Applets
      Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.

TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer take a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidently close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#11 hilus

hilus
  • Topic Starter

  • Members
  • 69 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Portsmouth, NH
  • Local time:05:54 AM

Posted 12 December 2010 - 01:01 AM

Hi Gringo,

Boy I never thought this was going to take this long, you have no idea how much I appreciate this. As for the P2P, I have warned my wife about this. She got the computer from her brother when he got a new one and he left the P2P stuff on it for her. I will work on getting her off it. This is not worth the trouble. As for your instructions:

1. Java cache cleaned out.

2. TFC ran without issues. No reboot needed, seemed to clean quit a lot, about 90MB.

3. Malwarebytes updated and quick scan performed without issues. No reboot required, and -nothing was found or cleaned. Log as follows:

4. Hijack This, Log as follows.



As for the EVENT VIEWER: itís still indicating several services have stopped suddenly.

The following services failed to or have stopped: Pml Driver HPZ12, : COM+ SYSTEM Application, getPlus ® helper 3004, hpqwmiex.exe, Media center Extender service,

Again, your help was more than I can express here. Wish I could buy you coffee, beer, diner!




Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org

Database version: 5298

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/12/2010 12:38:45 AM
mbam-log-2010-12-12 (00-38-45).txt

Scan type: Quick scan
Objects scanned: 172667
Time elapsed: 4 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Logfile of HijackThis v1.99.1
Scan saved at 12:40:19 AM, on 12/12/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ContentTransferWMDetector.exe] C:\Program Files\Sony\Content Transfer\ContentTransferWMDetector.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO System - Cleaner Service (Cleaner_Validator) - Unknown owner - C:\Program Files\COMODO\COMODO System-Cleaner\Cleaner_Validator.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:54 AM

Posted 12 December 2010 - 01:23 AM

Hello

As for the EVENT VIEWER:
is it causing any adverse effects?

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded startup entries:

This part of the fix is purely optional
These are programs that start up when you turn on your computer but don't need to be, any of these programs you can click on their icons (or start from the control panel) and start the program when you need it. By stopping these programs you will boot up faster and your computer will work faster.

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    • O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
      O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
      O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
      O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
      O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
      O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
      O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
      O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
      O4 - HKLM\..\Run: [ContentTransferWMDetector.exe] C:\Program Files\Sony\Content Transfer\ContentTransferWMDetector.exe
      O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
      O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
      O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe"
      O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

    NOTE**You can research each of those lines >here< and see if you want to keep them or not
    just copy the name between the brakets and paste into the search space
    O4 - HKLM\..\Run: [IntelliPoint]


Eset Online Scanner

**Note** You will need to use Internet explorer for this scan - Vista and win 7 right click on IE shortcut and run as admin

Go Eset web page to run an online scannner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the activex control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
    Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
Copy and paste that log as a reply to this topic

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#13 hilus

hilus
  • Topic Starter

  • Members
  • 69 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Portsmouth, NH
  • Local time:05:54 AM

Posted 13 December 2010 - 10:49 AM

Hi Gringo,

Sorry for the long delay. Had some problems running ESET, It keeps locking up the computer and I have to restart to fix it. It freezes at 7% and never gets past that. I noticed it hangs for a long time on itunes.msi. Later, it just stopped at spybot/reg user.reg. Any ideas? Other than this computer seems to be running better. ThanksÖ.



#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:54 AM

Posted 13 December 2010 - 10:56 AM

F-Secure Online Scan

You can use either Internet Explorer or Mozilla FireFox for this scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Please go HERE to run an online scan from F-Secure
  • Click on Start scanning
  • This will open a new window

    In Interner Explorer
  • It will require an activex control, please install it
  • Click Accept

  • In Firefox
  • It will require an Add-on to be installed, please install it
  • Order to install the Add-on Firefox needs to be restarted, please do so
[*]Click Full System Scan
[*]It will now download the scanner this may take a while please be patient
[*]It will then start scanning wait for the scan to finish
[*]Click Automatic cleaning (recommended)
[*]Wait for it finish the cleaning process
[*]Click show report
[*]This will open up a window with the results of the scan copy and paste those results as a reply to this topic[/list]
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#15 hilus

hilus
  • Topic Starter

  • Members
  • 69 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Portsmouth, NH
  • Local time:05:54 AM

Posted 14 December 2010 - 07:31 AM

Hi Gringo

Ok, finally completed the scan. Took longer than I thought, the log file follows. I was also able to fix the issues with the error messages and the COM+, everything seems to be ok now. Again thanks for everything.



Scanning Report

Monday, December 13, 2010 13:28:08 - 14:40:48

Computer name: PC192371242527

Scanning type: Scan system for malware, spyware and rootkits

Target: C:\ D:\ E:\

--------------------------------------------------------------------------------

No malware found

--------------------------------------------------------------------------------



Statistics

Scanned:

Files: 50436

System: 3576

Not scanned: 9

Actions:

Disinfected: 0

Renamed: 0

Deleted: 0

Not cleaned: 0

Submitted: 0

Files not scanned:

C:\PAGEFILE.SYS

C:\WINDOWS\TEMP\396038C36FEE9EC32F99B4B3D29AF836B3181B4F8A05659A1CCD6D5D5BDC3958

C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT

C:\WINDOWS\SYSTEM32\CONFIG\SAM

C:\WINDOWS\SYSTEM32\CONFIG\SECURITY

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE

C:\DOCUMENTS AND SETTINGS\JASON DEVEREAUX\LOCAL SETTINGS\TEMP\HSPERFDATA_JASON DEVEREAUX\3872

C:\DOCUMENTS AND SETTINGS\JASON DEVEREAUX\LOCAL SETTINGS\TEMP\HSPERFDATA_JASON DEVEREAUX\3088



--------------------------------------------------------------------------------



Options

Scanning engines:

Scanning options:

Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR

Use advanced heuristics






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users