Another Firefox Hijack Victim


This topic is locked
3 replies to this topic

#1 thorazine
Members, 2 posts

Posted 13 December 2010 - 07:24 PM

Standard Google redirects and "invalid compression" errors. It also won't let me copy and paste the address into the bar if I've tried to go there via clicking a search result. Twice, now, I've had Google act normally, only to search for something else, later, and have it start redirecting again.

I've run AVG free, spybot, superantispyware, malwarebytes, adaware, OTL, and microsoft security essentials, all to no avail. If one of them finds something, it's never the hijacker. In order, here are my HJT, GMER, and DDS logs.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:09:13 PM, on 12/12/2010
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\PeerBlock\peerblock.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\My Lockbox\mylbx.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digsby\lib\digsby-app.exe
C:\Users\USHP\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\autoimagesave 2010-12-03 01;16;16.exe
C:\Users\USHP\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\closetab 2010-12-03 01;16;16.exe
C:\Users\USHP\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\procexp.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\notepad.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\notepad.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\USHP\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\ConduitEngine.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office14\GROOVEEX.DLL
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~2\Office14\URLREDIR.DLL
O2 - BHO: Vuze Remote Toolbar - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\tbVuze.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O3 - Toolbar: Vuze Remote Toolbar - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\tbVuze.dll
O3 - Toolbar: Conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\ConduitEngine.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [mylbx] C:\Program Files\My Lockbox\mylbx.exe /a
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O4 - HKLM\..\RunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=OQBBAFY...BSAEUAR"&"inst=NwA3AC0ANQAwADgANQA4ADUANwAyADYALQBGAEwAKwA5AC0ARgA5AE0ANwBBACsANQAtAFgATwAzADYAKwAxAC0ARgA5AE0ANwBDACsANQA"&"prod=90"&"ver=9.0.872
O4 - HKCU\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun
O4 - HKCU\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-723604815-3559583531-1998031125-1000\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized (User 'USHP')
O4 - S-1-5-21-723604815-3559583531-1998031125-1000 Startup: autoimagesave 2010-12-03 01;16;16.exe (User 'USHP')
O4 - S-1-5-21-723604815-3559583531-1998031125-1000 Startup: closetab 2010-12-03 01;16;16.exe (User 'USHP')
O4 - S-1-5-21-723604815-3559583531-1998031125-1000 Startup: procexp.exe (User 'USHP')
O4 - S-1-5-21-723604815-3559583531-1998031125-1000 User Startup: autoimagesave 2010-12-03 01;16;16.exe (User 'USHP')
O4 - S-1-5-21-723604815-3559583531-1998031125-1000 User Startup: closetab 2010-12-03 01;16;16.exe (User 'USHP')
O4 - S-1-5-21-723604815-3559583531-1998031125-1000 User Startup: procexp.exe (User 'USHP')
O4 - Global Startup: Digsby.lnk = C:\Program Files\Digsby\digsby.exe
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.7.cab
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O20 - AppInit_DLLs: acaptuser32.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe

--
End of file - 10143 bytes



GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-12-13 16:12:16
Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 TOSHIBA_MK2555GSX rev.FG002C
Running: gmer.exe; Driver: C:\Users\ADMINI~1\AppData\Local\Temp\kflyrpoc.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwAlpcConnectPort [0x8FFA23A8]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwAlpcCreatePort [0x8FFA2C46]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwConnectPort [0x8FFA1E2E]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateFile [0x8FF9B4DE]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateKey [0x8FFB9BD0]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreatePort [0x8FFA28EE]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateProcess [0x8FFB616C]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateProcessEx [0x8FFB6588]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateSection [0x8FFBDF32]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateUserProcess [0x8FFB69F0]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0x8FFA2A40]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteFile [0x8FF9C320]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteKey [0x8FFBB5B4]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteValueKey [0x8FFBAEB4]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDuplicateObject [0x8FFB4FBC]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadDriver [0x8FF94822]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadKey [0x8FFBBF8A]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0x8FFBC1BC]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadKeyEx [0x8FFBC656]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwMapViewOfSection [0x8FFBE2E4]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenFile [0x8FF9BE62]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenProcess [0x8FFB81D4]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRenameKey [0x8FFBD3DC]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwReplaceKey [0x8FFBC914]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0x8FFA19CE]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRestoreKey [0x8FFBD026]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSecureConnectPort [0x8FFA20E0]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0x8FF9C720]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetSystemInformation [0x8FF93EEE]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetValueKey [0x8FFBA5E0]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSystemDebugControl [0x8FFB7262]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwTerminateProcess [0x8FFB6F9E]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwUnloadDriver [0x8FF94C68]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82A81579 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82AA5F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!RtlSidHashLookup + 248 82AAD748 8 Bytes [A8, 23, FA, 8F, 46, 2C, FA, ...]
.text ntkrnlpa.exe!RtlSidHashLookup + 2DC 82AAD7DC 4 Bytes [2E, 1E, FA, 8F]
.text ntkrnlpa.exe!RtlSidHashLookup + 2F8 82AAD7F8 4 Bytes [DE, B4, F9, 8F]
.text ntkrnlpa.exe!RtlSidHashLookup + 308 82AAD808 4 Bytes [D0, 9B, FB, 8F]
.text ntkrnlpa.exe!RtlSidHashLookup + 324 82AAD824 4 Bytes [EE, 28, FA, 8F]
.text ...

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\Explorer.EXE[3328] Explorer.EXE 0011317E 2 Bytes [0C, 16] {OR AL, 0x16}
.text C:\Windows\Explorer.EXE[3328] Explorer.EXE 00113190 14 Bytes [8B, FF, 55, 8B, EC, 56, 57, ...]
.text C:\Windows\Explorer.EXE[3328] kernel32.dll!CreateProcessInternalW 757B42AE 5 Bytes JMP 00417207
.text C:\Program Files\PeerBlock\peerblock.exe[3520] kernel32.dll!SetUnhandledExceptionFilter 757B3142 5 Bytes JMP 009583E0 C:\Program Files\PeerBlock\peerblock.exe (PeerBlock/PeerBlock, LLC)
.text C:\Program Files\Mozilla Firefox\firefox.exe[5472] ntdll.dll!LdrLoadDll 76F1F585 5 Bytes JMP 012613F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter] [8FFA78A6] \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [8FFA70B4] \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] [8FFA580A] \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] [8FFA725E] \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [8FFA725E] \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [8FFA78A6] \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [8FFA70B4] \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [8FFA580A] \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [8FFA725E] \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [8FFA580A] \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [8FFA78A6] \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [8FFA70B4] \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\0000004c halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows Search\UsnNotifier\Windows\Catalogs\SystemIndex@{4605ECC2-FEEA-11DF-858A-806E6F6E6963} 435117384

---- Files - GMER 1.0.15 ----

89600 bytes
File C:\lkb 0 bytes
File C:\Program Files\Passware 0 bytes
File C:\Program Files\Passware\Passware Kit 0 bytes
File C:\Program Files\Passware\Passware Kit\Dictionary 0 bytes
File C:\Program Files\Passware\Passware Kit\Dictionary\Arabic.dic 4361216 bytes
File C:\Program Files\Passware\Passware Kit\Dictionary\Dutch.dic 2843648 bytes
File C:\Program Files\Passware\Passware Kit\Dictionary\English.dic 1440768 bytes
File C:\Program Files\Passware\Passware Kit\Dictionary\French.dic 1925120 bytes
File C:\Program Files\Passware\Passware Kit\Dictionary\German.dic 2077184 bytes
File C:\Program Files\Passware\Passware Kit\Dictionary\Italian.dic 2293760 bytes
File C:\Program Files\Passware\Passware Kit\Dictionary\Portuguese.dic 1515008 bytes
File C:\Program Files\Passware\Passware Kit\Dictionary\Russian.dic 1666560 bytes
File C:\Program Files\Passware\Passware Kit\Dictionary\Spanish.dic 4348928 bytes
File C:\Program Files\Passware\Passware Kit\PasswareKit.chm 4548716 bytes
File C:\Program Files\Passware\Passware Kit\PasswareKitEnterprise.exe 52420128 bytes executable
File C:\Program Files\Passware\Passware Kit\Samples 0 bytes
File C:\Program Files\Passware\Passware Kit\Samples\excel.xls 29184 bytes
File C:\Program Files\Passware\Passware Kit\Samples\powerpoint.ppt 10752 bytes
File C:\Program Files\Passware\Passware Kit\Samples\sample-passwords.txt 620 bytes
File C:\Program Files\Passware\Passware Kit\Samples\word.doc 24064 bytes
File C:\Program Files\Passware\Passware Kit\tacc 0 bytes
File C:\Program Files\Passware\Passware Kit\tacc\algorithms 0 bytes
File C:\Program Files\Passware\Passware Kit\tacc\algorithms\taccAlg_Office2007_9_1_0100.dll 438272 bytes executable
File C:\Program Files\Passware\Passware Kit\tacc\algorithms\taccAlg_PGP_Disk_v6_7_1_0090.dll 352256 bytes executable
File C:\Program Files\Passware\Passware Kit\tacc\algorithms\taccAlg_PGP_Message_5_1_0090.dll 659456 bytes executable
File C:\Program Files\Passware\Passware Kit\tacc\algorithms\taccAlg_PGP_SDA_8_1_0090.dll 348160 bytes executable
File C:\Program Files\Passware\Passware Kit\tacc\algorithms\taccAlg_WinRAR_4_1_0090.dll 352256 bytes executable
File C:\Program Files\Passware\Passware Kit\tacc\algorithms\taccAlg_WinZip9_3_1_0080.dll 466944 bytes executable
File C:\Program Files\Passware\Passware Kit\tacc\taccapi.dll



DDS (Ver_10-12-12.02) - NTFSx86
Run by Administrator at 16:16:20.48 on Mon 12/13/2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3003.930 [GMT -8:00]

AV: Microsoft Security Essentials *Enabled/Updated* {BF5CEBDC-F2D3-7540-343C-F0CE11FD6E66}
SP: Microsoft Security Essentials *Enabled/Updated* {043D0A38-D4E9-7ACE-0E8C-CBBC6A7A24DB}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: ZoneAlarm Pro Firewall *Enabled* {EE2E17FA-9876-3544-62EC-0405AD5FFB20}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\ZoneLabs\vsmon.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Program Files\PeerBlock\peerblock.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\My Lockbox\mylbx.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Winamp\winampa.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Digsby\lib\digsby-app.exe
C:\Users\USHP\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\autoimagesave 2010-12-03 01;16;16.exe
C:\Users\USHP\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\closetab 2010-12-03 01;16;16.exe
C:\Users\USHP\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\procexp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Users\USHP\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\capslock.exe
C:\Users\USHP\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dblclick.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Windows\system32\AUDIODG.EXE
C:\Users\USHP\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BatteryAlert.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Digsby\lib\aspell\bin\aspell.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\Users\USHP\AppData\Local\Temp\Rar$EX00.064\gmer.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\notepad.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\USHP\Downloads\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

mURLSearchHooks: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\tbVuze.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL
BHO: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\tbVuze.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\tbVuze.dll
TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
uRun: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun
uRunOnce: [mctadmin] c:\windows\system32\mctadmin.exe
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [<NO NAME>]
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [mylbx] c:\program files\my lockbox\mylbx.exe /a
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [BBMon] "c:\users\ushp\appdata\roaming\microsoft\windows\start menu\programs\startup\BatteryAlert.exe"
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=OQBBAFYARgBSAEUARQAtAFYASwBQAEMAQgAtADYAQgBXAEYATQAtAFQAUgBMAFEAUgAtAEIAUgBVAEgAUAAtAEMAUAA4ADYARwA"&"inst=NwA3AC0ANQAwADgANQA4ADUANwAyADYALQBGAEwAKwA5AC0ARgA5AE0ANwBBACsANQAtAFgATwAzADYAKwAxAC0ARgA5AE0ANwBDACsANQA"&"prod=90"&"ver=9.0.872
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digsby.lnk - c:\program files\digsby\digsby.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: FilterAdministratorToken = 1 (0x1)
mPolicies-system: HideFastUserSwitching = 1 (0x1)
mPolicies-system: DontDisplayLockedUserId = 3 (0x3)
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.7.cab
TCP: {DDB77865-4A09-4AAD-BD10-8BB73A98CDAB} = 68.87.69.150,68.87.85.102
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: acaptuser32.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office14\GROOVEEX.DLL

================= FIREFOX ===================

FF - ProfilePath -

============= SERVICES / DRIVERS ===============

R0 FSProFilter;FSPro File Filter;c:\windows\system32\drivers\FSPFltd.sys [2010-12-9 41912]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 151216]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-12-12 1153368]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2009-5-26 122368]
R3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
R3 pbfilter;pbfilter;c:\program files\peerblock\pbfilter.sys [2010-12-3 19568]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-6-10 139776]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-13 207360]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-13 661504]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2010-1-21 30963576]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-3-25 42368]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-13 14336]

=============== Created Last 30 ================

2010-12-13 03:38:38 301568 ----a-w- c:\windows\system32\cmd.execf
2010-12-13 03:02:33 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-13 03:02:28 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-13 03:02:28 -------- d-----w- c:\progra~2\Malwarebytes
2010-12-13 03:02:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-13 02:34:01 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-12-13 02:33:53 132608 ----a-w- c:\windows\system32\cabview.dll
2010-12-13 02:30:15 6273872 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{c2544789-29d4-45e1-9076-7306cb71f3db}\mpengine.dll
2010-12-12 23:38:43 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-12-12 13:08:44 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-12-12 13:08:44 -------- d-----w- c:\progra~2\Spybot - Search & Destroy
2010-12-12 12:58:46 -------- d-----w- c:\progra~2\SUPERAntiSpyware.com
2010-12-12 12:58:39 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-12-12 09:40:29 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-12-12 02:23:37 -------- d-----w- c:\program files\Lavasoft
2010-12-11 02:00:18 -------- d-----w- c:\program files\iPod
2010-12-11 02:00:17 -------- d-----w- c:\program files\iTunes
2010-12-11 01:59:32 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin7.dll
2010-12-11 01:59:32 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin6.dll
2010-12-11 01:59:32 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin5.dll
2010-12-11 01:59:32 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin4.dll
2010-12-11 01:59:32 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin3.dll
2010-12-11 01:59:32 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin2.dll
2010-12-11 01:59:32 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin.dll
2010-12-11 01:58:34 -------- d-----w- c:\program files\Bonjour
2010-12-10 20:58:04 129784 ------w- c:\windows\system32\pxafs.dll
2010-12-10 04:20:04 -------- d-----w- c:\progra~2\RICOH
2010-12-10 04:19:20 -------- d-----w- C:\z46138L6
2010-12-09 22:14:08 41912 ----a-w- c:\windows\system32\drivers\FSPFltd.sys
2010-12-09 22:14:07 -------- d-----w- c:\program files\My Lockbox
2010-12-08 20:20:26 -------- d--h--w- C:\$AVG
2010-12-05 05:35:06 240128 ----a-w- c:\windows\system32\COMCTL32.oca
2010-12-05 05:33:38 266752 ----a-w- c:\windows\system32\MSCOMCTL.oca
2010-12-05 05:26:21 -------- d-----w- c:\program files\Web Publish
2010-12-05 05:26:11 -------- d-----w- c:\windows\msapps
2010-12-05 05:24:35 -------- d-----w- c:\program files\common files\Macrovision Shared
2010-12-05 05:24:01 22872 ----a-r- c:\windows\system32\AdobePDFUI.dll
2010-12-05 04:08:43 398848 ----a-w- c:\windows\system32\TVWizudlg.exe
2010-12-05 04:08:43 140288 ----a-w- c:\windows\system32\igfxtvcx.dll
2010-12-05 04:05:12 997912 ----a-w- c:\windows\system32\igxpun.exe
2010-12-05 04:05:12 -------- d-----w- c:\windows\system32\Lang
2010-12-05 04:04:57 -------- d-----w- C:\Intel
2010-12-04 08:20:30 -------- d-----w- c:\program files\VideoLAN
2010-12-04 08:06:17 -------- d-----w- c:\program files\Microsoft Synchronization Services
2010-12-04 08:05:47 -------- d-----w- c:\windows\PCHEALTH
2010-12-04 08:05:47 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2010-12-04 08:04:41 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2010-12-04 08:03:55 -------- d-----w- c:\program files\Microsoft Analysis Services
2010-12-04 07:35:36 -------- d-----w- c:\progra~2\Azureus
2010-12-04 07:34:23 -------- d-----w- c:\program files\Vuze
2010-12-04 07:34:23 -------- d-----w- c:\program files\common files\i4j_jres
2010-12-04 07:34:18 -------- d-----w- c:\program files\Conduit
2010-12-04 07:34:10 -------- d-----w- c:\program files\ConduitEngine
2010-12-04 07:33:53 -------- d-----w- c:\program files\Vuze_Remote
2010-12-04 04:06:01 -------- d-----w- c:\windows\system32\appmgmt
2010-12-04 04:01:34 -------- d-----w- c:\program files\PowerISO
2010-12-03 20:28:14 -------- d-----w- c:\windows\Internet Logs
2010-12-03 20:25:37 -------- d-----w- c:\program files\AVG
2010-12-03 20:25:36 -------- d-----w- c:\progra~2\avg9
2010-12-03 20:17:54 -------- d-----r- c:\program files\Skype
2010-12-03 20:10:59 -------- d-----w- c:\windows\pss
2010-12-03 20:03:38 -------- d-----w- c:\program files\PeerBlock
2010-12-03 19:57:13 -------- d-----w- c:\progra~2\Digsby
2010-12-03 19:56:46 -------- d-----w- c:\program files\Digsby
2010-12-03 19:48:51 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-12-03 19:48:51 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2010-12-03 19:48:36 -------- d-----w- c:\progra~2\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-12-03 19:48:04 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll
2010-12-03 19:48:04 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll
2010-12-03 19:48:04 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll
2010-12-03 19:48:04 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll
2010-12-03 19:48:04 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll
2010-12-03 19:48:04 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll
2010-12-03 19:48:04 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll
2010-12-03 19:46:56 -------- d-sh--w- c:\windows\Installer
2010-12-03 19:46:15 -------- d-----w- c:\program files\CONEXANT
2010-12-03 19:45:14 -------- d-----w- c:\program files\Synaptics
2010-12-03 19:44:58 -------- d-----w- C:\SWSETUP
2010-12-03 15:32:18 6273872 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{e77c5eb1-6ca0-4f0e-a008-b468d9941553}\mpengine.dll
2010-12-03 15:32:17 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-12-03 14:43:20 -------- d-----w- c:\windows\system32\wbem\Performance
2010-12-03 14:39:43 -------- d-sh--w- C:\Recovery
2010-12-03 14:32:51 -------- d-----w- c:\windows\Panther
2010-12-03 14:32:36 -------- d-sh--w- C:\Boot

==================== Find3M ====================


============= FINISH: 16:17:06.97 ===============


#2 thorazine

thorazine
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:07:03 AM

Posted 15 December 2010 - 09:52 PM

Following the suggestions on other forums, I removed the R3 and O15 entries of HJT, but to no avail. Occasionally, it likes to redirect links clicked from within websites. I always know when it's active because the r/o bytes for firefox skyrocket. I also appear to be getting quite a number of hung processes. It started with firefox, which I thought could be due to a conflict with ZoneAlarm, but others have started hanging as well. Generally, this is after firefox, messengers (digsby, skype), etc., stop being able to access the internet. IRM on office documents also refuses to connect. Everything is still connected, but when I try to navigate to a page, nothing happens. It doesn't even return an error. The status bar remains at zero and it perpetually attempts to look up whatever page I've requested. Rebooting fixes this problem. After several reboots, I tried logging off, using shutdown /l /f, and had bizarre results. When I logged back in, according to process explorer, all my previously running applications were still running, using the same amounts of memory, etc. I looked at the boot file, and nothing seems out of the ordinary. I was going to include it just to be sure, but it returns an error when I try to export it, saying it can't be copied because it's being used by another process.

I have discovered a workaround, however, to the search problem, via clicking the cached link on google. It works for the most part. Unfortunately, the no-repro problem has been a major issue. The only behavior that I've been able to consistently reproduce is having things appear to be fine upon the first instance of firefox after a new profile is selected. If firefox crashes - which it has a tendency to do (I'm guessing due to a partial install of the virus?) - or is deliberately closed, upon its next instance, the virus is up and running again. I can switch back and forth between 2 profiles all day long, but the grace period only lasts until the browser is closed.

Edited by thorazine, 16 December 2010 - 09:06 AM.


#3 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:12:03 PM

Posted 22 December 2010 - 09:55 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:12:03 PM

Posted 27 December 2010 - 08:02 PM

This topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE
