
Google search redirects and internet explorer opens spontaneously


  • This topic is locked
27 replies to this topic

#1 oso101

oso101

  • Members
  • 36 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:47 PM

Posted 12 December 2010 - 12:00 AM

DDS and GMER logs are pasted below.

Some details on my problem: I first posted about this on the Am I Infected board and was instructed to post these logs here.

I'm running Windows 7. The first sign of a problem I noticed was when Internet Explorer windows began opening spontaneously and loading ad websites. I don't use IE - this occurred while I was using Chrome. A window like this pops up every several minutes, usually with an ad on a site called "Epic Arcade" or a google search results page like this: http://www.google.com/search?q=111211url.cptgt.com

I began Googling to see what this problem might be, and noticed that when I clicked on links to malware support forums, my browser was redirected, usually to a site called "7search." Here's one URL that I have been redirected to when clicking on a google link: http://7search.com/scripts/validation/v1/validate.aspx?x=P3ZWU9fFYokfnnjaYxwfhg%3d%3d_nhOtydLqdv9m6IipKcv8Csb3oog/rIHWxLXRQpm5OIxY1HZ0OXtkN7jEn0g2y6mHUizHc1ETuRC8VT5T7SWYTH7WQGSsZNkCqYQ7/1ACCJyEvepuK8cXQge6EJTP0dfaKi2o%2b7n7e7cpA3ZOUknmFBZR8a07pMy%2b4LSmVv6WAUEPMXL569LJ1gS6JS9DKiFFap3QsqaeXqcWCIDXVQaLuIGdh6wSh1hiAWlUa%2bTaTK3zNpFdgdARBBCOdxcaQhTsCnxiwsSWwRxPkmX01CCu3t12JQBQdfSGb2bQcWJHuvb3XdnDhbmQrScmWA/VqNhO

I have already run TDSS Killer and MBAM, and posted the results in the Am I Infected? thread. DDS report follows. Attach.txt and ark.txt are attached.

EDIT: One other symptom I forgot to mention previously - I've also gotten the Walmart gift card popup message mentioned by other posters on this board. It's happened several times upon opening Chrome.





DDS (Ver_10-12-12.01) - NTFSx86
Run by Jesse at 23:43:34.87 on Sat 12/11/2010
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_15
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3070.1901 [GMT -5:00]

AV: AntiVir Desktop *Enabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AntiVir Desktop *Enabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\aestsrv.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\conhost.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Windows\system32\STacSV.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\System32\bcmwltry.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Google\Update\1.2.183.39\GoogleCrashHandler.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\rundll32.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Windows\OEM02Mon.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Windows\system32\conhost.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Seagate\BlackArmorBackup\BlackArmorBackupMonitor.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Seagate\BlackArmorBackup\TimounterMonitor.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Users\Jesse\AppData\Local\Google\Update\1.2.183.39\GoogleCrashHandler.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\Jesse\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Jesse\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Jesse\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Jesse\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Jesse\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Jesse\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Jesse\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Jesse\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Jesse\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Jesse\Desktop\dds.scr
C:\Windows\system32\conhost.exe

============== Pseudo HJT Report ===============

uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1080725
uDefault_Search_URL = hxxp://www.google.com/ie
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1080725
uWindow Title = Internet Explorer provided by Dell
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Google Update] "c:\users\jesse\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [rasprf10.dll] rundll32.exe "c:\users\jesse\appdata\local\temp\rasprf10.dll",watch
uRun: [mapires.dll] rundll32.exe "c:\users\jesse\appdata\local\temp\mapires.dll",protect
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
mRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [DELL Webcam Manager] "c:\program files\dell\dell webcam manager\DellWMgr.exe" /s
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NVHotkey] rundll32.exe c:\windows\system32\nvHotkey.dll,Start
mRun: [BlackArmorBackupMonitor.exe] c:\program files\seagate\blackarmorbackup\BlackArmorBackupMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\seagate\blackarmorbackup\TimounterMonitor.exe
mRun: [Seagate Scheduler2 Service] "c:\program files\common files\seagate\schedule2\schedhlp.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\rsigua~1.lnk - c:\program files\rsiguard\RSIGuard.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
AppInit_DLLs: c:\progra~1\google\google~1\GO36F4~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\jesse\appdata\roaming\mozilla\firefox\profiles\mygms81v.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://www.sfgate.com
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=en&q=
FF - component: c:\program files\google\google gears\firefox\lib\ff36\gears.dll
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - component: c:\users\jesse\appdata\roaming\mozilla\firefox\profiles\mygms81v.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1851.5542\npCIDetect14.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.133.37\npGoogleOneClick7.dll
FF - plugin: c:\program files\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\users\jesse\appdata\local\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\users\jesse\appdata\roaming\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\users\jesse\appdata\roaming\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\users\jesse\appdata\roaming\mozilla\plugins\npgtpo3dautoplugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Extension: Skype extension for Firefox: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\mozilla firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Extension: Delicious Bookmarks: {2fa4ed95-0317-4c6a-a74c-5f3e3912c1f9} - c:\users\jesse\appdata\roaming\mozilla\firefox\profiles\mygms81v.default\extensions\{2fa4ed95-0317-4c6a-a74c-5f3e3912c1f9}
FF - Extension: BugMeNot: {987311C6-B504-4aa2-90BF-60CC49808D42} - c:\users\jesse\appdata\roaming\mozilla\firefox\profiles\mygms81v.default\extensions\{987311C6-B504-4aa2-90BF-60CC49808D42}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\users\jesse\appdata\roaming\mozilla\firefox\profiles\mygms81v.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Extension: Forecastbar Enhanced: {3CE993BF-A3D9-4fd2-B3B6-768CBBC337F8} - c:\users\jesse\appdata\roaming\mozilla\firefox\profiles\mygms81v.default\extensions\{3CE993BF-A3D9-4fd2-B3B6-768CBBC337F8}
FF - Extension: RefGrab-It: refgrabit@refworks.plugin - c:\users\jesse\appdata\roaming\mozilla\firefox\profiles\mygms81v.default\extensions\refgrabit@refworks.plugin
FF - Extension: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - c:\users\jesse\appdata\roaming\mozilla\firefox\profiles\mygms81v.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Extension: Google Gears: {000a9d1c-beef-4f90-9363-039d445309b8} - c:\program files\google\google gears\Firefox
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Extension: Move Media Player: moveplayer@movenetworks.com - c:\users\jesse\appdata\roaming\Move Networks

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-6-30 11608]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\AEstSrv.exe [2009-12-15 73728]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-6-30 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-6-30 267944]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-6-30 61960]
R2 DockLoginService;Dock Login Service;c:\program files\dell\delldock\DockLogin.exe [2008-4-28 161048]
R2 SgtSch2Svc;Seagate Scheduler2 Service;c:\program files\common files\seagate\schedule2\schedul2.exe [2009-4-15 617968]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-9-22 24652]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate1c98624d7dc4cd7;Google Update Service (gupdate1c98624d7dc4cd7);c:\program files\google\update\GoogleUpdate.exe [2009-2-3 133104]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-7-25 30192]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-2-24 1343400]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2009-7-13 17920]

=============== Created Last 30 ================

2010-12-12 02:24:11 -------- d-----w- c:\users\jesse\appdata\roaming\Malwarebytes
2010-12-12 02:23:44 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-12 02:23:43 -------- d-----w- c:\progra~2\Malwarebytes
2010-12-12 02:23:40 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-12 02:23:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-11 01:23:15 -------- d-----w- c:\users\jesse\appdata\roaming\Avira
2010-12-10 12:39:38 6273872 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{25b165c2-a956-426c-880d-f5fd841f7d0d}\mpengine.dll
2010-11-24 02:50:33 7680 ----a-w- c:\program files\internet explorer\iecompat.dll
2010-11-19 00:23:00 126976 ------w- c:\windows\system32\BrfxD05b.dll
2010-11-19 00:22:51 1534464 ----a-w- c:\windows\system32\BrWia09b.dll
2010-11-19 00:22:46 176128 ----a-w- c:\windows\system32\BROSNMP.DLL
2010-11-14 18:33:18 -------- d-----w- c:\program files\iTunes
2010-11-14 18:33:18 -------- d-----w- c:\program files\iPod

==================== Find3M ====================

2010-10-19 15:41:44 222080 ------w- c:\windows\system32\MpSigStub.exe
2009-08-15 15:48:30 81408 ----a-w- c:\program files\taskkill.exe

============= FINISH: 23:45:44.09 ===============

Attached Files


Edited by boopme, 12 December 2010 - 01:42 PM.
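One way to triage the autorun section of a DDS log like the one above, written here as an added example that is not part of the thread or of the DDS tool: parse the uRun/mRun/StartupFolder lines, work out which file each entry really executes (for rundll32 that is the DLL argument, not rundll32 itself), and flag entries that run from a temp directory or that hand rundll32 a DLL outside the Windows or Program Files trees, which is exactly the pattern of the rasprf10.dll and mapires.dll entries in the log. The optional `exists` callback is an assumption of this example; it models the orphaned case where a cleaner has deleted the DLL but left the Run value behind, which is what produces a "specified module could not be found" error at logon.

```python
from __future__ import annotations

import re
from typing import Callable, Optional

# Constructed sample in the style of the DDS "Pseudo HJT Report" section above.
# The two temp-directory rundll32 lines are the entries seen in the log; the
# rest are ordinary vendor autoruns copied from the same report.
SAMPLE_REPORT = r"""
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Google Update] "c:\users\jesse\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [rasprf10.dll] rundll32.exe "c:\users\jesse\appdata\local\temp\rasprf10.dll",watch
uRun: [mapires.dll] rundll32.exe "c:\users\jesse\appdata\local\temp\mapires.dll",protect
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\rsigua~1.lnk - c:\program files\rsiguard\RSIGuard.exe
"""

# "uRun: [name] command", "mRun: [name] command" or "StartupFolder: <lnk> - <target>"
ENTRY_RE = re.compile(r"^(?P<kind>[um]Run|StartupFolder): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.+)$")
# An unquoted path may contain spaces, so match up to a known executable extension.
UNQUOTED_PATH_RE = re.compile(r".+?\.(?:exe|dll|scr|cpl|com|bat|cmd)(?=[\s,]|$)", re.IGNORECASE)

# Locations a legitimate autorun has no business living in (lower-case, for matching).
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\temp\\")
# Where a DLL handed to rundll32 is normally expected to come from.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\", "c:\\progra~2\\")


def first_token(s: str) -> tuple[str, str]:
    """Split off the first command-line token, honouring double quotes.
    Returns (token, remainder)."""
    s = s.lstrip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end == -1:
            return s[1:], ""
        return s[1:end], s[end + 1:]
    m = UNQUOTED_PATH_RE.match(s) or re.match(r"\S+", s)
    return (m.group(0), s[m.end():]) if m else ("", "")


def loaded_module(cmd: str) -> str:
    """Return the file an autorun actually executes: for rundll32 lines that is
    the DLL argument (stripped of its ',EntryPoint'), otherwise the executable."""
    exe, rest = first_token(cmd)
    if exe.lower().rsplit("\\", 1)[-1] in ("rundll32.exe", "rundll32"):
        dll, _ = first_token(rest)
        return dll.split(",", 1)[0]
    return exe


def audit_run_entries(report: str, exists: Optional[Callable[[str], bool]] = None) -> list[dict]:
    """Scan the autorun lines of a DDS report and return the entries worth a
    closer look, each with the reasons it was flagged. `exists` (assumed
    helper, e.g. os.path.exists on the live machine) enables the orphan check."""
    findings = []
    for line in report.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        kind, name, cmd = m.group("kind"), m.group("name") or "", m.group("cmd")
        if kind == "StartupFolder" and " - " in cmd:
            shortcut, cmd = cmd.split(" - ", 1)
            name = shortcut.rsplit("\\", 1)[-1]
        module = loaded_module(cmd)
        low = module.lower()
        reasons = []
        if any(marker in low for marker in TEMP_MARKERS):
            reasons.append("executes from a temp directory")
        if "rundll32" in cmd.lower() and not low.startswith(TRUSTED_ROOTS):
            reasons.append("rundll32 loads a DLL outside Windows/Program Files")
        if exists is not None and not exists(module):
            reasons.append("target file missing (orphaned entry)")
        if reasons:
            findings.append({"kind": kind, "name": name, "module": module, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_run_entries(SAMPLE_REPORT):
        print(f"{f['kind']} [{f['name']}] -> {f['module']}: {'; '.join(f['reasons'])}")
```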




#2 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:05:47 AM

Posted 19 December 2010 - 02:26 PM

Hello and welcome to Bleeping Computer :welcome:

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log



Regards,
Georgi :hello:



#3 oso101

oso101
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:47 PM

Posted 19 December 2010 - 03:05 PM

Thanks for the help.

I've attached/pasted the DDS logs. When I try to run GMER, I get a BSOD (even though I was able to run it fine when I posted my original message a week ago).

An update on the computer:

At the moment, I am not getting IE popups or Google redirects (although I was the last time I used my computer). However, when the computer starts up, I get an error message saying:
"There was a problem starting c:\Users\Jesse\AppData\Local\Temp\mapires.dll
The specified module could not be found."

Another question - I have a second computer (a netbook) that has not shown any symptoms of infection. However, I frequently transfer files back and forth between these computers using e-mail and SyncToy. Is it worth checking the netbook in case it was infected when I transferred files from the other machine?

DDS log follows:



DDS (Ver_10-12-12.01) - NTFSx86
Run by Jesse at 14:33:58.88 on Sun 12/19/2010
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_15
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3070.2055 [GMT -5:00]

AV: AntiVir Desktop *Disabled/Outdated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AntiVir Desktop *Disabled/Outdated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\aestsrv.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Windows\system32\STacSV.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\System32\bcmwltry.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Google\Update\1.2.183.39\GoogleCrashHandler.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Windows\OEM02Mon.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Seagate\BlackArmorBackup\BlackArmorBackupMonitor.exe
C:\Program Files\Seagate\BlackArmorBackup\TimounterMonitor.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Windows\system32\conhost.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Users\Jesse\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\RSIGuard\RSIGuard.exe
C:\Users\Jesse\AppData\Local\Google\Update\1.2.183.39\GoogleCrashHandler.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\sppsvc.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\PrintIsolationHost.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\System32\wscript.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Jesse\Desktop\dds.scr
C:\Windows\system32\conhost.exe

============== Pseudo HJT Report ===============

uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1080725
uDefault_Search_URL = hxxp://www.google.com/ie
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1080725
uWindow Title = Internet Explorer provided by Dell
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Google Update] "c:\users\jesse\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [mapires.dll] rundll32.exe "c:\users\jesse\appdata\local\temp\mapires.dll",protect
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
mRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [DELL Webcam Manager] "c:\program files\dell\dell webcam manager\DellWMgr.exe" /s
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NVHotkey] rundll32.exe c:\windows\system32\nvHotkey.dll,Start
mRun: [BlackArmorBackupMonitor.exe] c:\program files\seagate\blackarmorbackup\BlackArmorBackupMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\seagate\blackarmorbackup\TimounterMonitor.exe
mRun: [Seagate Scheduler2 Service] "c:\program files\common files\seagate\schedule2\schedhlp.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\rsigua~1.lnk - c:\program files\rsiguard\RSIGuard.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
AppInit_DLLs: c:\progra~1\google\google~1\GO36F4~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\jesse\appdata\roaming\mozilla\firefox\profiles\mygms81v.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://www.sfgate.com
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=en&q=
FF - component: c:\program files\google\google gears\firefox\lib\ff36\gears.dll
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - component: c:\users\jesse\appdata\roaming\mozilla\firefox\profiles\mygms81v.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1851.5542\npCIDetect14.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.133.37\npGoogleOneClick7.dll
FF - plugin: c:\program files\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\users\jesse\appdata\local\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\users\jesse\appdata\roaming\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\users\jesse\appdata\roaming\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\users\jesse\appdata\roaming\mozilla\plugins\npgtpo3dautoplugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Extension: Skype extension for Firefox: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\mozilla firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Extension: Delicious Bookmarks: {2fa4ed95-0317-4c6a-a74c-5f3e3912c1f9} - c:\users\jesse\appdata\roaming\mozilla\firefox\profiles\mygms81v.default\extensions\{2fa4ed95-0317-4c6a-a74c-5f3e3912c1f9}
FF - Extension: BugMeNot: {987311C6-B504-4aa2-90BF-60CC49808D42} - c:\users\jesse\appdata\roaming\mozilla\firefox\profiles\mygms81v.default\extensions\{987311C6-B504-4aa2-90BF-60CC49808D42}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\users\jesse\appdata\roaming\mozilla\firefox\profiles\mygms81v.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Extension: Forecastbar Enhanced: {3CE993BF-A3D9-4fd2-B3B6-768CBBC337F8} - c:\users\jesse\appdata\roaming\mozilla\firefox\profiles\mygms81v.default\extensions\{3CE993BF-A3D9-4fd2-B3B6-768CBBC337F8}
FF - Extension: RefGrab-It: refgrabit@refworks.plugin - c:\users\jesse\appdata\roaming\mozilla\firefox\profiles\mygms81v.default\extensions\refgrabit@refworks.plugin
FF - Extension: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - c:\users\jesse\appdata\roaming\mozilla\firefox\profiles\mygms81v.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Extension: Google Gears: {000a9d1c-beef-4f90-9363-039d445309b8} - c:\program files\google\google gears\Firefox
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Extension: Move Media Player: moveplayer@movenetworks.com - c:\users\jesse\appdata\roaming\Move Networks

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-6-30 11608]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\AEstSrv.exe [2009-12-15 73728]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-6-30 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-6-30 267944]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-6-30 61960]
R2 DockLoginService;Dock Login Service;c:\program files\dell\delldock\DockLogin.exe [2008-4-28 161048]
R2 SgtSch2Svc;Seagate Scheduler2 Service;c:\program files\common files\seagate\schedule2\schedul2.exe [2009-4-15 617968]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-9-22 24652]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate1c98624d7dc4cd7;Google Update Service (gupdate1c98624d7dc4cd7);c:\program files\google\update\GoogleUpdate.exe [2009-2-3 133104]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-7-25 30192]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-2-24 1343400]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2009-7-13 17920]

=============== Created Last 30 ================

2010-12-14 18:54:07 2048 ----a-w- c:\windows\system32\tzres.dll
2010-12-14 18:54:02 749056 ----a-w- c:\windows\system32\schedsvc.dll
2010-12-14 18:54:02 496128 ----a-w- c:\windows\system32\taskschd.dll
2010-12-14 18:54:02 351232 ----a-w- c:\windows\system32\wmicmiplugin.dll
2010-12-14 18:54:02 305152 ----a-w- c:\windows\system32\taskcomp.dll
2010-12-14 18:54:02 192000 ----a-w- c:\windows\system32\taskeng.exe
2010-12-14 18:54:02 179712 ----a-w- c:\windows\system32\schtasks.exe
2010-12-14 18:52:21 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-12-14 18:52:21 294400 ----a-w- c:\windows\system32\atmfd.dll
2010-12-14 18:52:21 101760 ----a-w- c:\windows\system32\consent.exe
2010-12-12 02:24:11 -------- d-----w- c:\users\jesse\appdata\roaming\Malwarebytes
2010-12-12 02:23:44 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-12 02:23:43 -------- d-----w- c:\progra~2\Malwarebytes
2010-12-12 02:23:40 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-12 02:23:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-11 01:23:15 -------- d-----w- c:\users\jesse\appdata\roaming\Avira
2010-12-10 12:39:38 6273872 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{25b165c2-a956-426c-880d-f5fd841f7d0d}\mpengine.dll
2010-11-24 02:50:33 7680 ----a-w- c:\program files\internet explorer\iecompat.dll

==================== Find3M ====================

2010-11-04 05:52:17 978944 ----a-w- c:\windows\system32\wininet.dll
2010-11-04 05:48:36 44544 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-04 04:41:26 386048 ----a-w- c:\windows\system32\html.iec
2010-11-04 04:08:54 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-10-20 03:00:24 2327552 ----a-w- c:\windows\system32\win32k.sys
2010-10-19 15:41:44 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-10-16 04:36:10 314368 ----a-w- c:\windows\system32\webio.dll
2009-08-15 15:48:30 81408 ----a-w- c:\program files\taskkill.exe

============= FINISH: 14:37:23.26 ===============


#4 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler

  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 19 December 2010 - 03:26 PM

Hi oso101 and welcome!

I will be handling your log to help you get cleaned up.
Please give me some time to look it over and I will get back to you as soon as possible.
Here it is 23:00 pm, so I'll get some sleep.
See ya later, as I'm very tired and I might just fall asleep while typing... stay tuned.


Regards,
Georgi


Reason for edit: typo, it's 23:00 pm not am, lol.

Edited by B-boy/StyLe/, 19 December 2010 - 03:35 PM.


#5 oso101

oso101
  • Topic Starter

  • Members
  • 36 posts
  • Gender:Male

Posted 19 December 2010 - 03:34 PM

Ok, I will keep watching this thread. Thank you!

#6 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler

  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 20 December 2010 - 06:40 PM

Hello oso101! Welcome to BleepingComputer Forums!

My name is Georgi and I will be helping you with your computer problems.

Sorry for the delay. I had some personal issues.

Before we begin, please note the following:
  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms do not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something, don't hesitate to ask.
  • Again, I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.


STEP 1

I suggest you uninstall uTorrent as well!

Your log(s) show that you are using so-called peer-to-peer or file-sharing programmes (in your case uTorrent). These programmes allow users to share files between them, as the name suggests. In today's world cyber crime has grown to an enormous scale, and every means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and they should thus be used with great care. Some further reading on this subject, via the included links: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes copyright laws in many countries around the world, and you are putting yourself at risk of being indicted by organisations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or by the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

Also, please take a look here:

How cyber criminals infect victims via P2P with pirated software

IMPORTANT NOTE: One or more of the identified infections is related to the rootkit TDL4 component. Rootkits, backdoor Trojans, Botnets, and IRCBots are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. Rootkits are used by Trojans to conceal their presence (hide from view) in order to prevent detection of an attacker's software and make removal more difficult. Many rootkits can hook into the Windows 32-bit kernel and patch several APIs to hide new registry keys and files they install. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data, which is sent back to the hacker. To learn more about these types of infections, you can refer to:

If your computer was used for online banking, has credit card information or other sensitive data on it, you should stay disconnected from the Internet until your system is fully cleaned. All passwords should be changed immediately, including those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised and change each password using a clean computer, not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised, please read:

Although the infection has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired, so you can never be sure that you have completely removed a rootkit. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove rootkits cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

We can still clean this machine, but I can't guarantee that it will be 100% secure afterwards. If you decide to continue, please do this:


STEP 2

Please download ComboFix from one of these locations:

Link 1
Link 2

Save it to your Desktop <-- Important!!!

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.

  • Double click it & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.


Also tell me how your PC is running now. Please post a description of any remaining problems.



Regards,
Georgi


#7 oso101

oso101
  • Topic Starter

  • Members
  • 36 posts
  • Gender:Male

Posted 20 December 2010 - 10:38 PM

Hello,

I ran ComboFix as requested. While it was running, a message popped up saying "PEV.exe has stopped working. A problem caused the program to stop working correctly. Windows will close the program and notify you if a solution is available."

I ignored it, and ComboFix continued to run.

However, after ComboFix finished, I am unable to open any files or programs. When I click on ComboFix.txt, I get a message saying:

“C:\ComboFix.txt
Illegal operation attempted on a registry key that has been marked for deletion.”

I get a similar message when I try to open a web browser, or any other program.

I am now posting from a different computer, because I am unable to open a web browser or ComboFix.txt on the infected computer.

How should I proceed? Thank you very much for the help!

#8 oso101

oso101
  • Topic Starter

  • Members
  • 36 posts
  • Gender:Male

Posted 21 December 2010 - 01:50 PM

An update: after rebooting my computer, I was able to open ComboFix.txt. I seem to be able to open all programs and files without getting error messages now.

Here's the ComboFix log:


ComboFix 10-12-16.05 - Jesse 12/20/2010 22:21:53.1.2 - x86
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3070.2075 [GMT -5:00]
Running from: c:\users\Jesse\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Jesse\AppData\Roaming\EurekaLog

.
((((((((((((((((((((((((( Files Created from 2010-11-21 to 2010-12-21 )))))))))))))))))))))))))))))))
.

2010-12-21 03:30 . 2010-12-21 03:30 -------- d-----w- c:\users\Guest\AppData\Local\temp
2010-12-21 03:17 . 2010-12-21 03:18 -------- d-----w- C:\32788R22FWJFW
2010-12-14 18:54 . 2010-10-27 04:32 2048 ----a-w- c:\windows\system32\tzres.dll
2010-12-14 18:54 . 2010-11-02 04:41 351232 ----a-w- c:\windows\system32\wmicmiplugin.dll
2010-12-14 18:54 . 2010-11-02 04:40 496128 ----a-w- c:\windows\system32\taskschd.dll
2010-12-14 18:54 . 2010-11-02 04:40 305152 ----a-w- c:\windows\system32\taskcomp.dll
2010-12-14 18:54 . 2010-11-02 04:39 749056 ----a-w- c:\windows\system32\schedsvc.dll
2010-12-14 18:54 . 2010-11-02 04:34 192000 ----a-w- c:\windows\system32\taskeng.exe
2010-12-14 18:54 . 2010-11-02 04:34 179712 ----a-w- c:\windows\system32\schtasks.exe
2010-12-14 18:52 . 2010-10-20 04:54 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-12-14 18:52 . 2010-10-20 02:58 294400 ----a-w- c:\windows\system32\atmfd.dll
2010-12-14 18:52 . 2010-10-16 04:41 101760 ----a-w- c:\windows\system32\consent.exe
2010-12-12 02:24 . 2010-12-12 02:24 -------- d-----w- c:\users\Jesse\AppData\Roaming\Malwarebytes
2010-12-12 02:23 . 2010-11-30 16:22 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-12 02:23 . 2010-12-12 02:23 -------- d-----w- c:\programdata\Malwarebytes
2010-12-12 02:23 . 2010-11-30 16:22 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-12 02:23 . 2010-12-12 02:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-11 01:23 . 2010-12-11 01:23 -------- d-----w- c:\users\Jesse\AppData\Roaming\Avira
2010-12-10 12:39 . 2010-11-10 04:33 6273872 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{25B165C2-A956-426C-880D-F5FD841F7D0D}\mpengine.dll
2010-11-30 03:31 . 2010-11-30 04:17 -------- d-----w- c:\users\Jesse\AppData\Roaming\vlc
2010-11-24 02:50 . 2010-10-19 08:10 7680 ----a-w- c:\program files\Internet Explorer\iecompat.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-08 13:51 . 2009-06-30 18:57 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-11-23 14:50 . 2009-06-30 18:57 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-10-19 15:41 . 2009-10-03 13:24 222080 ------w- c:\windows\system32\MpSigStub.exe
2009-08-15 15:48 . 2009-08-15 15:48 81408 ----a-w- c:\program files\taskkill.exe
2010-08-10 21:42 . 2010-08-10 21:42 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-25 68856]
"Google Update"="c:\users\Jesse\AppData\Local\Google\Update\GoogleUpdate.exe" [2008-11-25 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-09-24 159744]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-12-03 36864]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-08-02 281768]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-05-19 3444736]
"DELL Webcam Manager"="c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-02-29 17920]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-08-10 30192]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-16 13793824]
"NVHotkey"="c:\windows\system32\nvHotkey.dll" [2009-06-16 92704]
"BlackArmorBackupMonitor.exe"="c:\program files\Seagate\BlackArmorBackup\BlackArmorBackupMonitor.exe" [2009-04-15 4352928]
"AcronisTimounterMonitor"="c:\program files\Seagate\BlackArmorBackup\TimounterMonitor.exe" [2009-04-15 959672]
"Seagate Scheduler2 Service"="c:\program files\Common Files\Seagate\Schedule2\schedhlp.exe" [2009-04-15 376272]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-11-11 421160]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2009-05-26 1159168]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2008-12-24 114688]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-11-30 963976]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-11-3 703280]
RSIGuard Stretch Edition.lnk - c:\program files\RSIGuard\RSIGuard.exe [2008-6-5 6848512]

c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-5-13 1058088]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-07-25 08:10 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=c:\windows\pss\Digital Line Detect.lnk.CommonStartup
backupExtension=.CommonStartup
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Digital Line Detect.lnk

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^DupeEliminatorTray.lnk]
backup=c:\windows\pss\DupeEliminatorTray.lnk.CommonStartup
backupExtension=.CommonStartup
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\DupeEliminatorTray.lnk

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickSet.lnk]
backup=c:\windows\pss\QuickSet.lnk.CommonStartup
backupExtension=.CommonStartup
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\QuickSet.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 03:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-23 08:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2010-03-17 01:58 47392 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrMfcWnd]
2009-05-26 21:46 1159168 ------w- c:\program files\Brother\Brmfcmon\BrMfcWnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter3]
2008-12-24 15:26 114688 ------w- c:\program files\Brother\ControlCenter3\BrCtrCen.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ddoctorv2]
2008-04-24 17:25 202560 ----a-w- c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
2009-05-21 15:13 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Desktop Software]
2009-05-21 15:14 1025264 ----a-w- c:\program files\Common Files\supportsoft\bin\bcont.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
2008-03-11 17:44 16384 ----a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2008-11-25 20:42 133104 ----atw- c:\users\Jesse\AppData\Local\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
2007-10-11 23:01 46368 ----a-w- c:\program files\ScanSoft\PaperPort\IndexSearch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-11-11 05:40 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\itype]
2007-08-31 19:13 988584 ----a-w- c:\program files\Microsoft IntelliType Pro\itype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2009-06-16 15:27 92704 ----a-w- c:\windows\System32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
2007-10-11 23:03 29984 ----a-w- c:\program files\ScanSoft\PaperPort\pptd40nt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2007-12-21 15:58 184320 ----a-w- c:\program files\Dell\MediaDirect\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PPort11reminder]
2007-08-31 13:01 328992 ----a-w- c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-08 15:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2006-10-25 13:03 210472 ----a-w- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-07-25 09:23 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-07-25 08:04 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2008-09-05 03:49 185896 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2010-09-26 02:00 328056 ----a-w- c:\program files\uTorrent\uTorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2009-07-14 01:14 65024 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate1c98624d7dc4cd7;Google Update Service (gupdate1c98624d7dc4cd7);c:\program files\Google\Update\GoogleUpdate.exe [2009-02-03 133104]
R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-08-10 30192]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-02-25 1343400]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2009-07-14 17920]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\aestsrv.exe [2008-01-02 73728]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-08-02 135336]
S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2008-04-28 161048]
S2 SgtSch2Svc;Seagate Scheduler2 Service;c:\program files\Common Files\Seagate\Schedule2\schedul2.exe [2009-04-15 617968]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]

.
Contents of the 'Scheduled Tasks' folder

2010-12-20 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-07-25 02:49]

2010-12-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-03 17:28]

2010-12-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-03 17:28]

2010-12-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2312722535-741426179-1844562128-1000Core.job
- c:\users\Jesse\AppData\Local\Google\Update\GoogleUpdate.exe [2008-11-25 20:42]

2010-12-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2312722535-741426179-1844562128-1000UA.job
- c:\users\Jesse\AppData\Local\Google\Update\GoogleUpdate.exe [2008-11-25 20:42]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1080725
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\users\Jesse\AppData\Roaming\Mozilla\Firefox\Profiles\mygms81v.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://www.sfgate.com
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=en&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Skype extension for Firefox: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Delicious Bookmarks: {2fa4ed95-0317-4c6a-a74c-5f3e3912c1f9} - %profile%\extensions\{2fa4ed95-0317-4c6a-a74c-5f3e3912c1f9}
FF - Ext: BugMeNot: {987311C6-B504-4aa2-90BF-60CC49808D42} - %profile%\extensions\{987311C6-B504-4aa2-90BF-60CC49808D42}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Forecastbar Enhanced: {3CE993BF-A3D9-4fd2-B3B6-768CBBC337F8} - %profile%\extensions\{3CE993BF-A3D9-4fd2-B3B6-768CBBC337F8}
FF - Ext: RefGrab-It: refgrabit@refworks.plugin - %profile%\extensions\refgrabit@refworks.plugin
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: Google Gears: {000a9d1c-beef-4f90-9363-039d445309b8} - c:\program files\Google\Google Gears\Firefox
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\users\Jesse\AppData\Roaming\Move Networks
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-SigmatelSysTrayApp - %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe


.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(3140)
c:\program files\RSIGuard\RSIWatch.dll
.
Completion time: 2010-12-20 22:32:26
ComboFix-quarantined-files.txt 2010-12-21 03:32

Pre-Run: 86,605,074,432 bytes free
Post-Run: 87,044,771,840 bytes free

- - End Of File - - DADB831CA6B89D468A69C26E9E923009

#9 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:05:47 AM

Posted 22 December 2010 - 09:33 AM

Hi oso101,


I haven't forgotten you. I needed some time for research...



Sorry to hear about your troubles with ComboFix.
This is a common error. In most circumstances a simple reboot is all that is required to resolve the problem.



I don't see that Combofix removed any files in that last run which it should have if a rootkit was present.
I need a bit of information. Can you please copy/paste this file into your next reply:
C:\Qoobox\ComboFix-quarantined-files.txt



Also please press the Windows key + R -> in the Run box which opens -> copy/paste in the following single line command & click OK
C:\QooBox\Add-Remove Programs.txt
A text file should open. Please post the contents of that file in your next reply.



Then do this:



Please download MBRCheck.exe by a_d_13 from one of the links provided below and save it to your desktop.
Link 1
Link 2
Link 3
  • Double-click on MBRCheck.exe to run it. Vista/Windows 7 users right-click and select Run As Administrator.
  • It will open a black screen with some data on it...please do not fix anything (if it gives you an option).
  • When complete, you should see Done! Press ENTER to exit.... Press Enter on the keyboard.
  • A log named MBRCheck_date_time.txt (i.e. MBRCheck_07.21.10_10.22.51.txt) will be created on the desktop.
  • Copy and paste the contents of that log in your next reply.



In your next reply I want to see:
  • ComboFix-quarantined-files.txt
  • Add-Remove Programs.txt
  • MBRCheck.txt



Regards,
Georgi



#10 oso101

oso101
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:47 PM

Posted 22 December 2010 - 09:40 AM

Okay, here are the requested logs.

1. ComboFix-quarantined-files.txt

2010-12-21 03:31:09 . 2010-12-21 03:31:09 162 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-SigmatelSysTrayApp.reg.dat
2010-12-21 03:27:32 . 2010-12-21 03:27:32 15,613 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2010-12-21 03:18:19 . 2010-12-21 03:21:53 62 ----a-w- C:\Qoobox\Quarantine\catchme.log

2. Add-Remove Programs.txt


MFC-7840W
µTorrent
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.4.1
Advanced Audio FX Engine
Advanced Video FX Engine
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Audacity 1.2.6
Avira AntiVir Personal - Free Antivirus
BlackArmor Backup
Bonjour
Broadcom Management Programs
Browser Address Error Redirector
CamStudio
Chinese Simplified Fonts Support For Adobe Reader 9
Cisco EAP-FAST Module
Cisco LEAP Module
Cisco PEAP Module
Comcast Desktop Software (v1.2.0.9)
Conexant HDA D330 MDC V.92 Modem
Dell-eBay
Dell Best of Web
Dell DataSafe Online
Dell Dock
Dell Getting Started Guide
Dell Support Center (Support Software)
Dell Touchpad
Dell Webcam Center
Dell Webcam Manager
Dell Wireless WLAN Card
Desktop Doctor
Digital Line Detect
EDocs
EndNote 9 Volume License Edition
Google Chrome
Google Desktop
Google Earth
Google Gears
Google Talk Plugin
Google Update Helper
Google Updater
GoToAssist 8.0.0.514
ISI ResearchSoft - Export Helper
iTunes
Java™ 6 Update 15
Java™ 6 Update 5
KC Softwares VideoInspector
Laptop Integrated Webcam Driver (1.04.01.1011)
Live! Cam Avatar Creator
Malwarebytes' Anti-Malware
MediaDirect
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft IntelliType Pro 6.2
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Sync Framework 2.0 Core Components (x86) ENU
Microsoft Sync Framework 2.0 Provider Services (x86) ENU
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
MobileMe Control Panel
Modem Diagnostic Tool
Move Media Player
Mozilla Firefox (3.6.13)
Mozilla Thunderbird (2.0.0.21)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Netflix Movie Viewer
NetWaiting
NVIDIA Drivers
Octoshape add-in for Adobe Flash Player
OutlookAddinSetup
PaperPort Image Printer
Picasa 3
picasa2flickr
QualXServ Service Agreement
QuickSet
QuickTime
RealPlayer
Roxio Creator Audio
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Express Labeler 3
Roxio Update Manager
RSIGuard Stretch Edition
ScanSoft PaperPort 11
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2289158)
Security Update for 2007 Microsoft Office System (KB2344875)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft Office Excel 2007 (KB2345035)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB982158)
Security Update for Microsoft Office PowerPoint Viewer (KB2413381)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Sigma REALmagic MPEG-4 Video Codec
Skype Toolbars
Skype™ 4.2
SMPlayer 0.6.7
SyncToy 2.1 (x86)
TBS WMP Plug-in
The KMPlayer (remove only)
TweetDeck
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Viewpoint Media Player
VLC media player 1.1.5
VUE 3.0 beta3b11
WIDCOMM Bluetooth Software 6.0.1.3100
Windows Media Player Firefox Plugin
WinRAR archiver
Write-N-Cite

3. MBRCheck log

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows 7 Home Premium Edition
Windows Information: (build 7600), 32-bit
Base Board Manufacturer: Dell Inc.
BIOS Manufacturer: Dell Inc.
System Manufacturer: Dell Inc.
System Product Name: Inspiron 1720
Logical Drives Mask: 0x0000001c

Kernel Drivers (total 181):
0x82E13000 \SystemRoot\system32\ntkrnlpa.exe
0x83223000 \SystemRoot\system32\halmacpi.dll
0x80BA1000 \SystemRoot\system32\kdcom.dll
0x8B03F000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
0x8B0B7000 \SystemRoot\system32\PSHED.dll
0x8B0C8000 \SystemRoot\system32\BOOTVID.dll
0x8B0D0000 \SystemRoot\system32\CLFS.SYS
0x8B112000 \SystemRoot\system32\CI.dll
0x8B214000 \SystemRoot\system32\drivers\Wdf01000.sys
0x8B285000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x8B293000 \SystemRoot\system32\DRIVERS\ACPI.sys
0x8B2DB000 \SystemRoot\system32\DRIVERS\WMILIB.SYS
0x8B2E4000 \SystemRoot\system32\DRIVERS\msisadrv.sys
0x8B2EC000 \SystemRoot\system32\DRIVERS\pci.sys
0x8B316000 \SystemRoot\system32\DRIVERS\vdrvroot.sys
0x8B321000 \SystemRoot\System32\drivers\partmgr.sys
0x8B332000 \SystemRoot\system32\DRIVERS\volmgr.sys
0x8B342000 \SystemRoot\System32\drivers\volmgrx.sys
0x8B38D000 \SystemRoot\system32\DRIVERS\intelide.sys
0x8B394000 \SystemRoot\system32\DRIVERS\PCIIDEX.SYS
0x8B3A2000 \SystemRoot\system32\DRIVERS\compbatt.sys
0x8B3AA000 \SystemRoot\system32\DRIVERS\BATTC.SYS
0x8B3B5000 \SystemRoot\System32\drivers\mountmgr.sys
0x8B3CB000 \SystemRoot\system32\DRIVERS\pciide.sys
0x8B418000 \SystemRoot\system32\DRIVERS\iaStor.sys
0x8B4D6000 \SystemRoot\system32\DRIVERS\atapi.sys
0x8B4DF000 \SystemRoot\system32\DRIVERS\ataport.SYS
0x8B502000 \SystemRoot\system32\DRIVERS\amdxata.sys
0x8B50B000 \SystemRoot\system32\drivers\fltmgr.sys
0x8B53F000 \SystemRoot\system32\drivers\fileinfo.sys
0x8B550000 \SystemRoot\System32\Drivers\PxHelp20.sys
0x8B634000 \SystemRoot\System32\Drivers\Ntfs.sys
0x8B763000 \SystemRoot\System32\Drivers\msrpc.sys
0x8B78E000 \SystemRoot\System32\Drivers\ksecdd.sys
0x8B7A1000 \SystemRoot\System32\Drivers\cng.sys
0x8B600000 \SystemRoot\System32\drivers\pcw.sys
0x8B60E000 \SystemRoot\System32\Drivers\Fs_Rec.sys
0x8B839000 \SystemRoot\system32\drivers\ndis.sys
0x8B8F0000 \SystemRoot\system32\drivers\NETIO.SYS
0x8B92E000 \SystemRoot\System32\Drivers\ksecpkg.sys
0x8BA38000 \SystemRoot\System32\drivers\tcpip.sys
0x8BB81000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x8B953000 \SystemRoot\system32\DRIVERS\timntr.sys
0x8BBB2000 \SystemRoot\system32\DRIVERS\volsnap.sys
0x8BC24000 \SystemRoot\system32\DRIVERS\tdrpm174.sys
0x8BD10000 \SystemRoot\System32\Drivers\spldr.sys
0x8BD18000 \SystemRoot\system32\DRIVERS\snman380.sys
0x8BD38000 \SystemRoot\System32\drivers\rdyboost.sys
0x8BD65000 \SystemRoot\System32\Drivers\mup.sys
0x8BD75000 \SystemRoot\System32\drivers\hwpolicy.sys
0x8BD7D000 \SystemRoot\System32\DRIVERS\fvevol.sys
0x8BDAF000 \SystemRoot\system32\DRIVERS\disk.sys
0x8BDC0000 \SystemRoot\system32\DRIVERS\CLASSPNP.SYS
0x910FB000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x9111A000 \SystemRoot\System32\Drivers\Null.SYS
0x91121000 \SystemRoot\System32\Drivers\Beep.SYS
0x91128000 \SystemRoot\System32\drivers\vga.sys
0x91134000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x91155000 \SystemRoot\System32\drivers\watchdog.sys
0x91162000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x9116A000 \SystemRoot\system32\drivers\rdpencdd.sys
0x91172000 \SystemRoot\system32\drivers\rdprefmp.sys
0x9117A000 \SystemRoot\System32\Drivers\Msfs.SYS
0x91185000 \SystemRoot\System32\Drivers\Npfs.SYS
0x91193000 \SystemRoot\system32\DRIVERS\tdx.sys
0x911AA000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x8B559000 \SystemRoot\system32\drivers\afd.sys
0x911B5000 \SystemRoot\System32\DRIVERS\netbt.sys
0x911E7000 \SystemRoot\system32\DRIVERS\wfplwf.sys
0x91000000 \SystemRoot\system32\DRIVERS\pacer.sys
0x911EE000 \SystemRoot\system32\DRIVERS\vwififlt.sys
0x8BDF2000 \SystemRoot\system32\DRIVERS\netbios.sys
0x8BC00000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x8BC13000 \SystemRoot\system32\DRIVERS\termdd.sys
0x9101F000 \SystemRoot\system32\DRIVERS\ssmdrv.sys
0x8B5B3000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x8BBF1000 \SystemRoot\system32\drivers\nsiproxy.sys
0x8BA00000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0x8BA0A000 \SystemRoot\System32\drivers\discache.sys
0x8BA16000 \SystemRoot\System32\Drivers\dfsc.sys
0x8B9D6000 \SystemRoot\system32\DRIVERS\blbdrive.sys
0x8B800000 \SystemRoot\system32\DRIVERS\avipbb.sys
0x91025000 \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys
0x8B3D2000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x8B826000 \SystemRoot\system32\DRIVERS\intelppm.sys
0x91C39000 \SystemRoot\system32\DRIVERS\nvlddmkm.sys
0x9258A000 \SystemRoot\system32\DRIVERS\nvBridge.kmd
0x9160F000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x916C6000 \SystemRoot\System32\drivers\dxgmms1.sys
0x916FF000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0x9170A000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x91755000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x91764000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0x92A3F000 \SystemRoot\system32\DRIVERS\bcmwl6.sys
0x92CA6000 \SystemRoot\system32\DRIVERS\vwifibus.sys
0x92CB0000 \SystemRoot\system32\DRIVERS\bcm4sbxp.sys
0x92CC1000 \SystemRoot\system32\DRIVERS\1394ohci.sys
0x92CED000 \SystemRoot\system32\DRIVERS\sdbus.sys
0x92D06000 \SystemRoot\system32\DRIVERS\rimmptsk.sys
0x92D14000 \SystemRoot\system32\DRIVERS\rimsptsk.sys
0x92D28000 \SystemRoot\system32\DRIVERS\rixdptsk.sys
0x92D79000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0x92D91000 \SystemRoot\system32\DRIVERS\Apfiltr.sys
0x92DBD000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x92DCA000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x92DD7000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
0x92DDD000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0x92DE1000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0x92DEA000 \SystemRoot\system32\DRIVERS\CompositeBus.sys
0x92DF7000 \SystemRoot\system32\DRIVERS\serscan.sys
0x92A00000 \SystemRoot\system32\DRIVERS\AgileVpn.sys
0x92A12000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x92A2A000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x91783000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x917A5000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x917BD000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x917D4000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x92A35000 \SystemRoot\system32\DRIVERS\swenum.sys
0x9258C000 \SystemRoot\system32\DRIVERS\ks.sys
0x917EB000 \SystemRoot\system32\DRIVERS\umbus.sys
0x97628000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x9766C000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x9767D000 \SystemRoot\system32\drivers\stwrt.sys
0x976D2000 \SystemRoot\system32\drivers\portcls.sys
0x97701000 \SystemRoot\system32\drivers\drmk.sys
0x9771A000 \SystemRoot\system32\DRIVERS\HSXHWAZL.sys
0x81E29000 \SystemRoot\system32\DRIVERS\HSX_DPV.sys
0x81F2C000 \SystemRoot\system32\DRIVERS\HSX_CNXT.sys
0x81FE0000 \SystemRoot\system32\drivers\modem.sys
0x98C50000 \SystemRoot\System32\win32k.sys
0x81FED000 \SystemRoot\System32\drivers\Dxapi.sys
0x81E00000 \SystemRoot\System32\Drivers\crashdmp.sys
0x91027000 \SystemRoot\System32\Drivers\dump_iaStor.sys
0x81E0D000 \SystemRoot\System32\Drivers\dump_dumpfve.sys
0x97757000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0x81E1E000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x9776E000 \SystemRoot\system32\DRIVERS\OEM02Dev.sys
0x81E20000 \SystemRoot\system32\DRIVERS\OEM02Vfx.sys
0x98EB0000 \SystemRoot\System32\TSDDD.dll
0x98EE0000 \SystemRoot\System32\cdd.dll
0x977B3000 \SystemRoot\system32\drivers\luafv.sys
0x977CE000 \SystemRoot\system32\DRIVERS\avgntflt.sys
0x977E3000 \SystemRoot\system32\DRIVERS\tifsfilt.sys
0x97600000 \SystemRoot\system32\drivers\WudfPf.sys
0x977ED000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x99438000 \SystemRoot\system32\DRIVERS\nwifi.sys
0x9947E000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x9948E000 \SystemRoot\system32\DRIVERS\rspndr.sys
0x994A1000 \SystemRoot\system32\drivers\HTTP.sys
0x99526000 \SystemRoot\system32\DRIVERS\bowser.sys
0x9953F000 \SystemRoot\System32\drivers\mpsdrv.sys
0x99551000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x99574000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x995AF000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x995E2000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0x9D83F000 \SystemRoot\system32\drivers\peauth.sys
0x9D8D6000 \SystemRoot\System32\Drivers\secdrv.SYS
0x9D8E0000 \SystemRoot\System32\DRIVERS\srvnet.sys
0x9D901000 \SystemRoot\System32\drivers\tcpipreg.sys
0x9D90E000 \SystemRoot\system32\DRIVERS\xaudio.sys
0x9D916000 \SystemRoot\System32\DRIVERS\srv2.sys
0x9D965000 \SystemRoot\System32\DRIVERS\srv.sys
0x9D9B6000 \SystemRoot\System32\Drivers\fastfat.SYS
0xAD0A7000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xAD196000 \SystemRoot\system32\DRIVERS\asyncmac.sys
0xAD17D000 \SystemRoot\system32\DRIVERS\monitor.sys
0x76FF0000 \Windows\System32\ntdll.dll
0x47F50000 \Windows\System32\smss.exe
0x77230000 \Windows\System32\apisetschema.dll
0x00AD0000 \Windows\System32\autochk.exe
0x77150000 \Windows\System32\user32.dll
0x76FC0000 \Windows\System32\imagehlp.dll
0x76EC0000 \Windows\System32\wininet.dll
0x76DF0000 \Windows\System32\msctf.dll
0x76D50000 \Windows\System32\usp10.dll
0x76D00000 \Windows\System32\gdi32.dll
0x760B0000 \Windows\System32\shell32.dll
0x76020000 \Windows\System32\oleaut32.dll
0x75FC0000 \Windows\System32\difxapi.dll
0x77130000 \Windows\System32\sechost.dll
0x75F40000 \Windows\System32\comdlg32.dll

Processes (total 82):
0 System Idle Process
4 System
416 C:\Windows\System32\smss.exe
544 csrss.exe
612 C:\Windows\System32\wininit.exe
620 csrss.exe
660 C:\Windows\System32\services.exe
676 C:\Windows\System32\lsass.exe
684 C:\Windows\System32\lsm.exe
796 C:\Windows\System32\svchost.exe
880 C:\Windows\System32\nvvsvc.exe
920 C:\Windows\System32\svchost.exe
980 C:\Windows\System32\svchost.exe
1012 C:\Windows\System32\svchost.exe
1052 C:\Windows\System32\svchost.exe
1112 C:\Windows\System32\audiodg.exe
1156 C:\Windows\System32\svchost.exe
1204 C:\Program Files\Dell\DellDock\DockLogin.exe
1276 C:\Windows\System32\svchost.exe
1356 C:\Windows\System32\winlogon.exe
1512 C:\Windows\System32\spoolsv.exe
1540 C:\Program Files\Avira\AntiVir Desktop\sched.exe
1560 C:\Windows\System32\svchost.exe
1692 C:\Windows\System32\nvvsvc.exe
1732 C:\Windows\System32\AEstSrv.exe
1756 C:\Program Files\Avira\AntiVir Desktop\avguard.exe
1784 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
1812 C:\Program Files\Bonjour\mDNSResponder.exe
1860 C:\Windows\System32\svchost.exe
1900 C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
1972 C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
1992 C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
2000 C:\Windows\System32\conhost.exe
392 C:\Program Files\Dell Support Center\bin\sprtsvc.exe
464 C:\Windows\System32\stacsv.exe
524 C:\Windows\System32\svchost.exe
904 C:\Program Files\Viewpoint\Common\ViewpointService.exe
1236 C:\Windows\System32\WLTRYSVC.EXE
2092 C:\Windows\System32\drivers\XAudio.exe
2124 C:\Windows\System32\BCMWLTRY.EXE
2396 C:\Windows\System32\taskhost.exe
2472 C:\Windows\System32\dwm.exe
2608 C:\Windows\explorer.exe
2700 C:\Program Files\Google\Update\1.2.183.39\GoogleCrashHandler.exe
2956 C:\Program Files\DellTPad\Apoint.exe
2964 C:\Windows\OEM02Mon.exe
2984 C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
2992 C:\Windows\System32\WLTRAY.EXE
3044 C:\Program Files\Dell Support Center\bin\sprtcmd.exe
3152 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
3168 C:\Windows\System32\rundll32.exe
3200 C:\Program Files\Seagate\BlackArmorBackup\BlackArmorBackupMonitor.exe
3232 C:\Program Files\Seagate\BlackArmorBackup\TimounterMonitor.exe
3248 C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
3428 C:\Program Files\iTunes\iTunesHelper.exe
3596 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
3676 C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
3732 C:\Users\Jesse\AppData\Local\Google\Update\1.2.183.39\GoogleCrashHandler.exe
3752 C:\Program Files\RSIGuard\RSIGuard.exe
3772 C:\Program Files\WIDCOMM\Bluetooth Software\BTStackServer.exe
1444 C:\Program Files\iPod\bin\iPodService.exe
2220 C:\Windows\System32\SearchIndexer.exe
4284 C:\Windows\System32\svchost.exe
4644 C:\Windows\System32\svchost.exe
5024 C:\Program Files\Windows Media Player\wmpnetwk.exe
5084 C:\Program Files\DellTPad\ApMsgFwd.exe
5252 C:\Program Files\DellTPad\hidfind.exe
5284 C:\Program Files\DellTPad\ApntEx.exe
5344 C:\Windows\System32\conhost.exe
5896 C:\Windows\System32\svchost.exe
3468 C:\Windows\System32\SearchProtocolHost.exe
2344 C:\Windows\System32\taskeng.exe
4556 C:\Windows\System32\taskeng.exe
5180 C:\Users\Jesse\AppData\Local\Google\Update\GoogleUpdate.exe
2104 WmiPrvSE.exe
1328 C:\Windows\System32\wscript.exe
3280 C:\Windows\System32\SearchFilterHost.exe
5504 dllhost.exe
5328 dllhost.exe
3144 C:\Users\Jesse\Desktop\MBRCheck.exe
3180 C:\Windows\System32\conhost.exe
5768 C:\Windows\System32\dllhost.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000002`85f00000 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000000`05f00000 (NTFS)

PhysicalDrive0 Model Number: WDCWD3200BEVT-75ZCT0, Rev: 11.01A11

Size Device Name MBR Status
--------------------------------------------
298 GB \\.\PhysicalDrive0 Windows 7 MBR code detected
SHA1: 4379A3D43019B46FA357F7DD6A53B45A3CA8FB79


Done!

#11 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:05:47 AM

Posted 23 December 2010 - 04:19 AM

Hi oso101,


Thanks for your patience with me.


Do you have a Windows 7 installation DVD?

If the answer is "YES" please do this:



First, Boot from your Windows 7 installation DVD.

Wait for Windows 7 to Load Files

Next, the Language Screen will come up. Just click on Next.

Now you will see the Windows 7 Installation Screen.

DO NOT CHOOSE Install Now

Instead, towards the bottom left of the window you will see:

· What to know before installing Windows

· Repair your Computer

Choose and click on Repair your Computer

Posted Image

You will then come to the System Recovery Options. Choose Microsoft Windows 7 from the list. Then click Next.

You will now have the option to choose which Recovery Tools you wish to use.

This list provides details of the five tools that can help you repair your Windows 7 installation.

We need this one:

Command Prompt

Posted Image

Opens the Command Prompt window:

At the next prompt type in bootrec.exe /fixmbr then hit Enter.

Posted Image

Then it should go to the next prompt.

At this point type in exit.

http://www.bleepingcomputer.com/tutorials/windows-7-recovery-environment-command-prompt/



You appear to be a competent user, so you shouldn't have too much trouble with it. I suggest printing out the instructions while you work through it for reference.



Please post back with a fresh MBRcheck logfile.



Let me know what comes back. Do you still experience the problems described in the title of your topic?


IMPORTANT NOTE:
If you do not have an installation DVD please skip the steps above and let me know.
We will try something else.



Regards,
Georgi



#12 oso101

oso101
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:47 PM

Posted 23 December 2010 - 09:21 AM

Hi Georgi,

Thank you again for the help. Unfortunately, I do not have the installation CD. I purchased Windows 7 online and installed it by downloading, and never received a CD. I do still have my product key, so perhaps I could download the necessary installation file again?

#13 oso101

oso101
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:47 PM

Posted 23 December 2010 - 09:27 AM

Also, to answer your other question, I no longer am having the IE popup ads or the Google search redirects. In fact, they stopped before you first responded to my post and began helping me. Is it possible that the issue was solved just through Windows Update or my antivirus program, or is the infection still present but not causing symptoms?

#14 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:05:47 AM

Posted 23 December 2010 - 06:53 PM

Hi oso101,



Also, to answer your other question, I no longer am having the IE popup ads or the Google search redirects. In fact, they stopped before you first responded to my post and began helping me. Is it possible that the issue was solved just through Windows Update or my antivirus program, or is the infection still present but not causing symptoms?




I want to check if your MBR is infected, there are some traces in the log showing that. :wink:



Please verify that you can access the Recovery Environment.
To do so, restart your computer and begin tapping the F8 key to enable the Advanced Start menu.
If the option 'Repair your computer' is available please hard reboot your computer and report to me your success. Do not proceed!!!
Posted Image



Now please do this. You will need a USB drive.


Download http://unetbootin.sourceforge.net/unetbootin-xpud-windows-latest.exe & http://noahdfear.net/downloads/bootable/xPUD/xpud-0.9.2.iso to the desktop of your clean computer
  • Insert your USB drive
  • Press Start > My Computer > right click your USB drive > choose Format > Quick format
  • Double click the unetbootin-xpud-windows-387.exe that you just downloaded
  • Press Run then OK
  • Select the DiskImage option then click the browse button located on the right side of the textbox field.
  • Browse to and select the xpud-0.9.2.iso file you downloaded
  • Verify the correct drive letter is selected for your USB device then click OK
  • It will install a little bootable OS on your USB device
  • Once the files have been written to the device you will be prompted to reboot ~ do not reboot and instead just Exit the UNetbootin interface
  • After it has completed do not choose to reboot the clean computer simply close the installer
  • Next download http://noahdfear.net/downloads/driver.sh to your USB
  • Remove the USB and insert it in the sick computer
  • Boot the Sick computer
  • Press F12 and choose to boot from the USB
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?) - please note that if you do not see sbd1 simply remove then replace the USB while xPud is running and it will then appear!
  • Confirm that you see driver.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type dd if=/dev/sda of=MBRbackup.zip bs=512 count=1
  • Press Enter
  • After it has finished a report will be located on your USB drive named MBRbackup.zip
  • Remove the USB drive and insert back in your working computer and navigate to MBRbackup.zip

    Please note - all text entries are case sensitive
  • Please click this link-->Virustotal
  • When the Virustotal page has finished loading, click the Browse button and navigate to MBRbackup.zip and click Submit.
  • Please post back the results of the scan in your next post.
  • Then, attach the MBRbackup.zip in your next reply.


Regards,
Georgi


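Once MBRbackup.zip is back on the clean computer it can also be inspected locally, alongside the VirusTotal submission. The following is an added example, not part of Georgi's instructions or of xPUD: a small Python parser for the raw 512-byte sector that the dd command writes (despite the .zip name, dd writes raw bytes, not an archive). It checks the 0x55AA boot signature and the four partition table entries, hashes the boot code so that two dumps taken at different times can be compared, and falls back to a constructed sample sector when no file path is given.

```python
import hashlib
import struct
import sys

SECTOR = 512          # one MBR sector, as produced by dd bs=512 count=1
TABLE_OFFSET = 446    # boot code occupies bytes 0..445, partition table follows
SIG_OFFSET = 510      # two-byte boot signature 0x55 0xAA closes the sector

def parse_mbr(data: bytes) -> dict:
    """Split the sector into boot-code hash, partition entries and signature status."""
    if len(data) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(data)}")
    partitions = []
    for i in range(4):
        # entry layout: status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", data, TABLE_OFFSET + 16 * i)
        if ptype:  # type 0x00 means the slot is unused
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba, "sectors": count})
    return {"signature_ok": data[SIG_OFFSET:] == b"\x55\xaa",
            "bootcode_sha256": hashlib.sha256(data[:TABLE_OFFSET]).hexdigest(),
            "partitions": partitions}

def check_mbr(info: dict) -> list:
    """Sanity checks that need no known-good copy; each finding is a string."""
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} bootable partitions, expected 1")
    for p in info["partitions"]:
        if p["lba_start"] < 1:
            findings.append(f"partition {p['index']} starts inside the MBR sector")
    return findings

def bootcode_differs(a: bytes, b: bytes) -> bool:
    """Compare the boot code of two dumps (e.g. the backup against a later dd run)."""
    return a[:TABLE_OFFSET] != b[:TABLE_OFFSET]

def build_sample_mbr() -> bytes:
    """Constructed sample sector: NOP-filled boot code and one bootable NTFS (0x07) partition."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\0" * 3, 0x07, b"\0" * 3, 2048, 204800)
    return b"\x90" * TABLE_OFFSET + entry + b"\0" * 48 + b"\x55\xaa"

if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_mbr()
    info = parse_mbr(raw)
    print(info["bootcode_sha256"], info["partitions"], "findings:", check_mbr(info) or "none")
```

Run it as `python mbrcheck.py MBRbackup.zip` to parse the real dump; keeping the boot-code hash lets you tell later whether the first 446 bytes changed.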

#15 oso101

oso101
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:47 PM

Posted 23 December 2010 - 07:33 PM

Ok, to respond to your three requests:

1. The "Repair your computer" option is available when I press F8 while booting
2. The text of the VirusTotal scan is below. There was no option to export a report, so I just copied and pasted the results. The format is a bit hard to read - sorry.
3. MBRbackup.zip is attached

Also, I am going on vacation tomorrow morning and will not have access to my computer until I return on January 5. I can continue to work on it tonight, but starting tomorrow, it will be turned off until January 5. Hopefully we can start where we left off then - please don't close the topic! Thank you again!

0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.
File name: MBRbackup.zip
Submission date: 2010-12-24 00:27:51 (UTC)
Current status: finished
Result: 0/ 43 (0.0%)
Antivirus Version Last Update Result
AhnLab-V3 2010.12.24.00 2010.12.23 -
AntiVir 7.11.0.153 2010.12.23 -
Antiy-AVL 2.0.3.7 2010.12.23 -
Avast 4.8.1351.0 2010.12.23 -
Avast5 5.0.677.0 2010.12.23 -
AVG 9.0.0.851 2010.12.24 -
BitDefender 7.2 2010.12.24 -
CAT-QuickHeal 11.00 2010.12.23 -
ClamAV 0.96.4.0 2010.12.24 -
Command 5.2.11.5 2010.12.23 -
Comodo 7166 2010.12.23 -
DrWeb 5.0.2.03300 2010.12.24 -
Emsisoft 5.1.0.1 2010.12.23 -
eSafe 7.0.17.0 2010.12.22 -
eTrust-Vet 36.1.8057 2010.12.23 -
F-Prot 4.6.2.117 2010.12.23 -
F-Secure 9.0.16160.0 2010.12.24 -
Fortinet 4.2.254.0 2010.12.23 -
GData 21 2010.12.24 -
Ikarus T3.1.1.90.0 2010.12.23 -
Jiangmin 13.0.900 2010.12.22 -
K7AntiVirus 9.74.3330 2010.12.23 -
Kaspersky 7.0.0.125 2010.12.24 -
McAfee 5.400.0.1158 2010.12.24 -
McAfee-GW-Edition 2010.1C 2010.12.23 -
Microsoft 1.6402 2010.12.23 -
NOD32 5728 2010.12.23 -
Norman 6.06.12 2010.12.23 -
nProtect 2010-12-23.02 2010.12.23 -
Panda 10.0.2.7 2010.12.23 -
PCTools 7.0.3.5 2010.12.23 -
Prevx 3.0 2010.12.24 -
Rising 22.79.02.04 2010.12.23 -
Sophos 4.60.0 2010.12.24 -
SUPERAntiSpyware 4.40.0.1006 2010.12.23 -
Symantec 20101.3.0.103 2010.12.24 -
TheHacker 6.7.0.1.104 2010.12.21 -
TrendMicro 9.120.0.1004 2010.12.23 -
TrendMicro-HouseCall 9.120.0.1004 2010.12.24 -
VBA32 3.12.14.2 2010.12.23 -
VIPRE 7797 2010.12.24 -
ViRobot 2010.12.23.4216 2010.12.23 -
VirusBuster 13.6.110.0 2010.12.23 -
Additional information
MD5 : ef63cb4f320383bcae0ea550f18069fc
SHA1 : ad601c332b5133368925ad6b20ec4badb72c5192
SHA256: 0ae7bc52cee72693c31367986381dc0c4aa7e7defb89f12f37194f5f3792040b
ssdeep: 12:cdm6lc1EBclMPAlBvyStYcWLTiSQyu/Wmsa:cdmOETuYmjvivy93a
File size : 512 bytes
First seen: 2010-12-24 00:27:51
Last seen : 2010-12-24 00:27:51
TrID:
Unknown!
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
ExifTool:
file metadata
AudioBitrate: 96000
AudioLayer: 1
ChannelMode: Single Channel
CopyrightFlag: True
Duration: 0.04 s (approx)
Emphasis: None
FileSize: 512 bytes
FileType: MP3
MIMEType: audio/mpeg
MPEGAudioVersion: 2.5
ModeExtension: Bands 12-31
OriginalMedia: False
SampleRate: 12000

Attached Files