Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Reinfection after scans report successful removal of Trojans/Rootkit


  • This topic is locked This topic is locked
16 replies to this topic

#1 geeceem

geeceem

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:04:24 AM

Posted 22 December 2010 - 04:06 PM

Greetings,

I've picked up a couple of bugs. First symptom was fake virus alert. I tried to close using Task Manager, but didn't succeed. Then Task Manager quit and Start Menu blew out--filled with data filenames etc. I tried to run MBAM but couldn't find it, so rebooted into Safe Mode and ran MBAM quick scan. Found Trojans, etc. MBAM log:

Scan type: Quick scan
Objects scanned: 192386
Time elapsed: 3 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\all users\application data\xnvsvgjlmc.dll (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.
c:\WINDOWS\ckbapr.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
c:\documents and settings\Dad\application data\Adobe\plugs\kb30287125.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Dad\application data\Adobe\plugs\kb30328734.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Dad\Desktop\system tool 2011.lnk (Rogue.SystemTool) -> Quarantined and deleted successfully.

Rebooted and opened IE and almost immediately got a redirect. Rebooted into Safe Mode and did full scan with the following results:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5363

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

12/21/2010 8:27:39 PM
mbam-log-2010-12-21 (20-27-39).txt

Scan type: Full scan (C:\|)
Objects scanned: 354830
Time elapsed: 40 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\all users\application data\xnvsvgjlmc.dll (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\jpenk06501\jpenk06501.exe (Rogue.SystemTool) -> Quarantined and deleted successfully.
c:\program files\porrasturvat - stair dismount\msvcp60.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.
c:\program files\truck dismount\msvcp60.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.
c:\program files\truck dismount\msvcrt.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.
c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\RP2209\A0145748.dll (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.
c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\RP2209\A0146755.dll (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.
c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\RP2209\A0146756.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\RP2209\A0146757.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.

Suspicious, I then downloaded GMER and tried to run a scan in Safe Mode, but my window size changes in Safe Mode and I can't access the "Save" button. The last entries on the screen reported suspicious entries on HD0, so I downloaded TDSSKiller, ran it, and got the following log:

2010/12/21 23:31:20.0171 TDSS rootkit removing tool 2.4.12.0 Dec 16 2010 09:46:46
2010/12/21 23:31:20.0171 ================================================================================
2010/12/21 23:31:20.0171 SystemInfo:
2010/12/21 23:31:20.0171
2010/12/21 23:31:20.0171 OS Version: 5.1.2600 ServicePack: 3.0
2010/12/21 23:31:20.0171 Product type: Workstation
2010/12/21 23:31:20.0171 ComputerName: BOBERABBI
2010/12/21 23:31:20.0171 UserName: Dad
2010/12/21 23:31:20.0171 Windows directory: C:\WINDOWS
2010/12/21 23:31:20.0171 System windows directory: C:\WINDOWS
2010/12/21 23:31:20.0171 Processor architecture: Intel x86
2010/12/21 23:31:20.0171 Number of processors: 1
2010/12/21 23:31:20.0171 Page size: 0x1000
2010/12/21 23:31:20.0171 Boot type: Normal boot
2010/12/21 23:31:20.0171 ================================================================================
2010/12/21 23:31:20.0687 Initialize success
2010/12/21 23:31:27.0921 ================================================================================
2010/12/21 23:31:27.0921 Scan started
2010/12/21 23:31:27.0921 Mode: Manual;
2010/12/21 23:31:27.0921 ================================================================================
2010/12/21 23:31:28.0593 A3AB (7bb07b8f835ed36f98598cf85f6e6c08) C:\WINDOWS\system32\DRIVERS\A3AB.sys
2010/12/21 23:31:28.0796 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\System32\DRIVERS\ABP480N5.SYS
2010/12/21 23:31:28.0953 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/12/21 23:31:29.0046 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/12/21 23:31:29.0203 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\System32\DRIVERS\adpu160m.sys
2010/12/21 23:31:29.0375 aeaudio (11c04b17ed2abbb4833694bcd644ac90) C:\WINDOWS\system32\drivers\aeaudio.sys
2010/12/21 23:31:29.0468 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2010/12/21 23:31:29.0546 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2010/12/21 23:31:29.0671 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\System32\DRIVERS\agp440.sys
2010/12/21 23:31:29.0796 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\System32\DRIVERS\agpCPQ.sys
2010/12/21 23:31:29.0921 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\System32\DRIVERS\aha154x.sys
2010/12/21 23:31:30.0000 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\System32\DRIVERS\aic78u2.sys
2010/12/21 23:31:30.0140 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\System32\DRIVERS\aic78xx.sys
2010/12/21 23:31:30.0312 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\System32\DRIVERS\aliide.sys
2010/12/21 23:31:30.0406 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\System32\DRIVERS\alim1541.sys
2010/12/21 23:31:30.0515 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\System32\DRIVERS\amdagp.sys
2010/12/21 23:31:30.0656 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\System32\DRIVERS\amsint.sys
2010/12/21 23:31:30.0828 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\System32\DRIVERS\asc.sys
2010/12/21 23:31:30.0968 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\System32\DRIVERS\asc3350p.sys
2010/12/21 23:31:31.0140 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\System32\DRIVERS\asc3550.sys
2010/12/21 23:31:31.0296 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/12/21 23:31:31.0421 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/12/21 23:31:31.0546 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/12/21 23:31:31.0718 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/12/21 23:31:31.0890 BCMModem (41347688046d49cde0f6d138a534f73d) C:\WINDOWS\system32\DRIVERS\BCMSM.sys
2010/12/21 23:31:32.0000 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/12/21 23:31:32.0156 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\System32\DRIVERS\cbidf2k.sys
2010/12/21 23:31:32.0250 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/12/21 23:31:32.0343 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\System32\DRIVERS\cd20xrnt.sys
2010/12/21 23:31:32.0421 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/12/21 23:31:32.0546 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/12/21 23:31:32.0656 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/12/21 23:31:32.0906 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\System32\DRIVERS\cmdide.sys
2010/12/21 23:31:32.0984 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\System32\DRIVERS\cpqarray.sys
2010/12/21 23:31:33.0078 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\System32\DRIVERS\dac2w2k.sys
2010/12/21 23:31:33.0203 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\System32\DRIVERS\dac960nt.sys
2010/12/21 23:31:33.0343 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/12/21 23:31:33.0468 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2010/12/21 23:31:33.0625 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2010/12/21 23:31:33.0750 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/12/21 23:31:33.0890 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2010/12/21 23:31:34.0000 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\System32\DRIVERS\dpti2o.sys
2010/12/21 23:31:34.0187 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/12/21 23:31:34.0296 E100B (98b46b331404a951cabad8b4877e1276) C:\WINDOWS\system32\DRIVERS\e100b325.sys
2010/12/21 23:31:34.0406 EL90XBC (6e883bf518296a40959131c2304af714) C:\WINDOWS\system32\DRIVERS\el90xbc5.sys
2010/12/21 23:31:34.0531 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/12/21 23:31:34.0609 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2010/12/21 23:31:34.0843 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2010/12/21 23:31:35.0203 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2010/12/21 23:31:35.0312 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2010/12/21 23:31:35.0437 FsUsbExDisk (790a4ca68f44be35967b3df61f3e4675) C:\WINDOWS\system32\FsUsbExDisk.SYS
2010/12/21 23:31:35.0609 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/12/21 23:31:35.0671 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/12/21 23:31:35.0828 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
2010/12/21 23:31:35.0906 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/12/21 23:31:36.0062 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/12/21 23:31:36.0187 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\System32\DRIVERS\hpn.sys
2010/12/21 23:31:36.0390 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/12/21 23:31:36.0500 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
2010/12/21 23:31:36.0593 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\System32\DRIVERS\i2omp.sys
2010/12/21 23:31:36.0687 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/12/21 23:31:36.0812 i81x (06b7ef73ba5f302eecc294cdf7e19702) C:\WINDOWS\system32\DRIVERS\i81xnt5.sys
2010/12/21 23:31:36.0890 iAimFP0 (7b5b44efe5eb9dadfb8ee29700885d23) C:\WINDOWS\system32\DRIVERS\wADV01nt.sys
2010/12/21 23:31:37.0000 iAimFP1 (eb1f6bab6c22ede0ba551b527475f7e9) C:\WINDOWS\system32\DRIVERS\wADV02NT.sys
2010/12/21 23:31:37.0093 iAimFP2 (03ce989d846c1aa81145cb22fcb86d06) C:\WINDOWS\system32\DRIVERS\wADV05NT.sys
2010/12/21 23:31:37.0234 iAimFP3 (525849b4469de021d5d61b4db9be3a9d) C:\WINDOWS\system32\DRIVERS\wSiINTxx.sys
2010/12/21 23:31:37.0390 iAimFP4 (589c2bcdb5bd602bf7b63d210407ef8c) C:\WINDOWS\system32\DRIVERS\wVchNTxx.sys
2010/12/21 23:31:37.0515 iAimTV0 (d83bdd5c059667a2f647a6be5703a4d2) C:\WINDOWS\system32\DRIVERS\wATV01nt.sys
2010/12/21 23:31:37.0609 iAimTV1 (ed968d23354daa0d7c621580c012a1f6) C:\WINDOWS\system32\DRIVERS\wATV02NT.sys
2010/12/21 23:31:37.0781 iAimTV3 (d738273f218a224c1ddac04203f27a84) C:\WINDOWS\system32\DRIVERS\wATV04nt.sys
2010/12/21 23:31:37.0875 iAimTV4 (0052d118995cbab152daabe6106d1442) C:\WINDOWS\system32\DRIVERS\wCh7xxNT.sys
2010/12/21 23:31:38.0046 ialm (9a883c3c4d91292c0d09de7c728e781c) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
2010/12/21 23:31:38.0203 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/12/21 23:31:38.0390 InCDfs (537afe18b4565d3af035aadfe6fbf2a7) C:\WINDOWS\system32\drivers\InCDfs.sys
2010/12/21 23:31:38.0468 InCDPass (11c9b8e2d0c4f114f6ada1e5bf4e14e7) C:\WINDOWS\system32\DRIVERS\InCDPass.sys
2010/12/21 23:31:38.0578 InCDrec (5ae4209516f3183e81e7193e3ff30bf8) C:\WINDOWS\system32\drivers\InCDrec.sys
2010/12/21 23:31:38.0734 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\System32\DRIVERS\ini910u.sys
2010/12/21 23:31:38.0843 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\System32\DRIVERS\intelide.sys
2010/12/21 23:31:38.0937 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2010/12/21 23:31:39.0015 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2010/12/21 23:31:39.0125 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/12/21 23:31:39.0265 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/12/21 23:31:39.0453 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/12/21 23:31:39.0531 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/12/21 23:31:39.0640 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/12/21 23:31:39.0765 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/12/21 23:31:39.0890 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/12/21 23:31:39.0984 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/12/21 23:31:40.0109 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/12/21 23:31:40.0281 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/12/21 23:31:40.0390 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2010/12/21 23:31:40.0468 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
2010/12/21 23:31:40.0609 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/12/21 23:31:40.0734 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/12/21 23:31:40.0812 MpFilter (c98301ad8173a2235a9ab828955c32bb) C:\WINDOWS\system32\DRIVERS\MpFilter.sys
2010/12/21 23:31:40.0906 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\System32\DRIVERS\mraid35x.sys
2010/12/21 23:31:41.0109 MREMP50 (9bd4dcb5412921864a7aacdedfbd1923) C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS
2010/12/21 23:31:41.0281 MRESP50 (07c02c892e8e1a72d6bf35004f0e9c5e) C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS
2010/12/21 23:31:41.0500 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/12/21 23:31:41.0609 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/12/21 23:31:41.0703 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2010/12/21 23:31:41.0812 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/12/21 23:31:41.0953 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/12/21 23:31:42.0062 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/12/21 23:31:42.0187 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/12/21 23:31:42.0281 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2010/12/21 23:31:42.0468 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2010/12/21 23:31:42.0593 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/12/21 23:31:42.0703 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/12/21 23:31:42.0859 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/12/21 23:31:42.0968 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/12/21 23:31:43.0062 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/12/21 23:31:43.0187 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/12/21 23:31:43.0515 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2010/12/21 23:31:43.0609 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/12/21 23:31:43.0812 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/12/21 23:31:43.0937 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2010/12/21 23:31:44.0140 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/12/21 23:31:44.0234 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/12/21 23:31:44.0375 omci (53d5f1278d9edb21689bbbcecc09108d) C:\WINDOWS\system32\DRIVERS\omci.sys
2010/12/21 23:31:44.0515 P3 (c90018bafdc7098619a4a95b046b30f3) C:\WINDOWS\system32\DRIVERS\p3.sys
2010/12/21 23:31:44.0609 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2010/12/21 23:31:44.0718 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/12/21 23:31:44.0796 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/12/21 23:31:44.0921 pccsmcfd (175cc28dcf819f78caa3fbd44ad9e52a) C:\WINDOWS\system32\DRIVERS\pccsmcfd.sys
2010/12/21 23:31:45.0015 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/12/21 23:31:45.0109 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/12/21 23:31:45.0171 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2010/12/21 23:31:45.0500 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\System32\DRIVERS\perc2.sys
2010/12/21 23:31:45.0640 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\System32\DRIVERS\perc2hib.sys
2010/12/21 23:31:45.0812 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/12/21 23:31:45.0906 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2010/12/21 23:31:46.0015 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/12/21 23:31:46.0125 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/12/21 23:31:46.0281 PxHelp20 (0457e25bb122b854e267cf552dcdc370) C:\WINDOWS\system32\DRIVERS\PxHelp20.sys
2010/12/21 23:31:46.0359 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\System32\DRIVERS\ql1080.sys
2010/12/21 23:31:46.0515 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\System32\DRIVERS\ql10wnt.sys
2010/12/21 23:31:46.0578 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\System32\DRIVERS\ql12160.sys
2010/12/21 23:31:46.0671 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\System32\DRIVERS\ql1240.sys
2010/12/21 23:31:46.0734 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\System32\DRIVERS\ql1280.sys
2010/12/21 23:31:46.0796 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/12/21 23:31:46.0906 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/12/21 23:31:47.0015 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/12/21 23:31:47.0125 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/12/21 23:31:47.0281 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/12/21 23:31:47.0421 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/12/21 23:31:47.0593 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2010/12/21 23:31:47.0750 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/12/21 23:31:47.0875 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/12/21 23:31:48.0062 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2010/12/21 23:31:48.0218 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
2010/12/21 23:31:48.0500 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/12/21 23:31:48.0625 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2010/12/21 23:31:48.0734 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2010/12/21 23:31:48.0875 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/12/21 23:31:49.0125 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\System32\DRIVERS\sisagp.sys
2010/12/21 23:31:49.0281 smwdm (5018a9db5eb62e3edb3110f82f556285) C:\WINDOWS\system32\drivers\smwdm.sys
2010/12/21 23:31:49.0421 snapman (b6aa9bbff890ffea333ffe81d0b888ff) C:\WINDOWS\system32\DRIVERS\snapman.sys
2010/12/21 23:31:49.0578 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\System32\DRIVERS\sparrow.sys
2010/12/21 23:31:49.0687 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2010/12/21 23:31:49.0812 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/12/21 23:31:49.0937 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/12/21 23:31:50.0093 sscdbus (d6870895fe46a464a19141440eb6cc1e) C:\WINDOWS\system32\DRIVERS\sscdbus.sys
2010/12/21 23:31:50.0187 sscdmdfl (0fe167362e4689b716cdc8d93adedda8) C:\WINDOWS\system32\DRIVERS\sscdmdfl.sys
2010/12/21 23:31:50.0296 sscdmdm (55a15707e32b6709242ad127e62ca55a) C:\WINDOWS\system32\DRIVERS\sscdmdm.sys
2010/12/21 23:31:50.0421 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/12/21 23:31:50.0578 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2010/12/21 23:31:50.0687 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\System32\DRIVERS\symc810.sys
2010/12/21 23:31:50.0796 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\System32\DRIVERS\symc8xx.sys
2010/12/21 23:31:50.0906 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\System32\DRIVERS\sym_hi.sys
2010/12/21 23:31:50.0968 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\System32\DRIVERS\sym_u3.sys
2010/12/21 23:31:51.0125 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/12/21 23:31:51.0250 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/12/21 23:31:51.0406 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/12/21 23:31:51.0500 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/12/21 23:31:51.0625 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/12/21 23:31:51.0734 TIEHDUSB (a1124ebc672aa3ae1b327096c1dcc346) C:\WINDOWS\system32\drivers\tiehdusb.sys
2010/12/21 23:31:51.0859 tifsfilter (b84b82c0cbeb1b0d7eb7a946bade5830) C:\WINDOWS\system32\DRIVERS\tifsfilt.sys
2010/12/21 23:31:51.0953 timounter (74711884439bdf9ccf446c79cb05fac0) C:\WINDOWS\system32\DRIVERS\timntr.sys
2010/12/21 23:31:53.0171 tmcomm (df8444a8fa8fd38d8848bdd40a8403b3) C:\WINDOWS\system32\drivers\tmcomm.sys
2010/12/21 23:31:53.0265 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\System32\DRIVERS\toside.sys
2010/12/21 23:31:53.0359 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2010/12/21 23:31:53.0421 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\System32\DRIVERS\ultra.sys
2010/12/21 23:31:53.0578 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2010/12/21 23:31:53.0703 USBAAPL (5c2bdc152bbab34f36473deaf7713f22) C:\WINDOWS\system32\Drivers\usbaapl.sys
2010/12/21 23:31:53.0812 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/12/21 23:31:53.0921 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/12/21 23:31:54.0093 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/12/21 23:31:54.0140 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2010/12/21 23:31:54.0218 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2010/12/21 23:31:54.0312 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/12/21 23:31:54.0406 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2010/12/21 23:31:54.0531 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2010/12/21 23:31:54.0625 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\System32\DRIVERS\viaagp.sys
2010/12/21 23:31:54.0750 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\System32\DRIVERS\viaide.sys
2010/12/21 23:31:54.0875 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/12/21 23:31:54.0968 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/12/21 23:31:55.0187 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/12/21 23:31:55.0515 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\Drivers\wpdusb.sys
2010/12/21 23:31:55.0656 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2010/12/21 23:31:55.0734 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2010/12/21 23:31:55.0890 {6080A529-897E-4629-A488-ABA0C29B635E} (fd1f4e9cf06c71c8d73a24acf18d8296) C:\WINDOWS\system32\drivers\ialmsbw.sys
2010/12/21 23:31:56.0015 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91} (d4d7331d33d1fa73e588e5ce0d90a4c1) C:\WINDOWS\system32\drivers\ialmkchw.sys
2010/12/21 23:31:56.0093 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/12/21 23:31:56.0093 ================================================================================
2010/12/21 23:31:56.0093 Scan finished
2010/12/21 23:31:56.0093 ================================================================================
2010/12/21 23:31:56.0125 Detected object count: 1
2010/12/21 23:32:10.0875 \HardDisk0 - will be cured after reboot
2010/12/21 23:32:10.0875 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2010/12/21 23:32:13.0187 Deinitialize success

Rebooted, ran scan again. Came up clean. MBAM also came up clean.

Then ran an ESET scan and it found the following:

C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4131\setup.exe probably a variant of Win32/Agent.HZHBURL trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2209\A0147828.exe probably a variant of Win32/Agent.HZHBURL trojan cleaned by deleting - quarantined
C:\WINDOWS\ukupomubaraxonug.dll a variant of Win32/Cimag.FK trojan cleaned by deleting (after the next restart) - quarantined
C:\WINDOWS\$NtServicePackUninstall$\ptfmoc.bak1 Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\WINDOWS\$NtServicePackUninstall$\ptfmoc.bak2 Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\WINDOWS\$NtServicePackUninstall$\ptfmoc.ini2 Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\WINDOWS\AppPatch\ptfmoc.bak1 Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\WINDOWS\AppPatch\ptfmoc.bak2 Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\WINDOWS\AppPatch\ptfmoc.ini2 Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\WINDOWS\Help\starter\rccfm.bak1 Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\WINDOWS\Help\starter\rccfm.ini Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\WINDOWS\REPAIR\elopi.bak1 Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined


That was all yesterday. Booted up today and ran another full scan with TDSSKiller, which found nothing. Full scan with MBAM, however, gave the following:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5376

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/22/2010 3:19:59 PM
mbam-log-2010-12-22 (15-19-59).txt

Scan type: Full scan (C:\|)
Objects scanned: 348970
Time elapsed: 2 hour(s), 43 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\Jake\local settings\application data\wildtangent\Cdacache\00\23\D2.dat (Malware.Trace) -> Quarantined and deleted successfully.
c:\documents and settings\Jake\local settings\application data\wildtangent\Cdacache\00\23\D3.dat (Malware.Trace) -> Quarantined and deleted successfully.
c:\documents and settings\Mom\application data\apple computer\syncservices\Local\conflicts\unresolvedcount (Malware.Trace) -> Quarantined and deleted successfully.
c:\program files\wildtangent\LFS\Scripts\GameData.log (Malware.Trace) -> Quarantined and deleted successfully.
c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\RP2209\A0147767.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.
c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\RP2209\A0147765.exe (Rogue.SystemTool) -> Quarantined and deleted successfully.
c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\RP2209\A0147766.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.
c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\RP2209\A0147768.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.
c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\RP2209\A0147775.exe (Rogue.FakeHDD.Gen) -> Quarantined and deleted successfully.
c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\RP2209\A0147776.exe (Trojan.FakeAV) -> Quarantined and deleted successfully.


TDRSSKiller still coming up clean, but boot-up process complains that the following DLL cannot be located:

ukupomubaraxonug.dll.

Looks like a real wing-dinger to me.

Here is the DDS text with our wing-dinger right in there:


DDS (Ver_10-12-12.02) - NTFSx86
Run by Dad at 15:38:07.60 on Wed 12/22/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.158 [GMT -5:00]

AV: Microsoft Security Essentials *Enabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\FsUsbExService.Exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\system32\PNUpdate.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Maxtor\MaxBlast\MaxBlastMonitor.exe
C:\Program Files\Maxtor\MaxBlast\TimounterMonitor.exe
C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Brownie\BrstsWnd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Brownie\brpjp04a.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Dad\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.takomapark.info/staff/library/index.html
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.dell4me.com/myway
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
mCustomizeSearch =
uURLSearchHooks: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: : {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {5BED3930-2E9E-76D8-BACC-80DF2188D455} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Cjisitadumokaba] rundll32.exe "c:\windows\ckbapr.dll",Startup
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [InCD] c:\program files\ahead\incd\InCD.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [IPHSend] c:\program files\common files\aol\iphsend\IPHSend.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [vdrdpup] c:\windows\system32\rundll32 c:\windows\system32\vdrdpup.dll,RegisterVirtualChannel
mRun: [MaxBlastMonitor.exe] c:\program files\maxtor\maxblast\MaxBlastMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\maxtor\maxblast\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\maxtor\schedule2\schedhlp.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [pnuprdp] c:\windows\system32\rundll32 c:\windows\system32\pnuprdp.dll,RegisterVirtualChannel
mRun: [pnupica] c:\windows\system32\rundll32 c:\windows\system32\pnupica6.dll,RegisterVirtualChannel
mRun: [NPSStartup]
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [Verizon_McciTrayApp] "c:\program files\verizon\McciTrayApp.exe"
mRun: [BrStsWnd] c:\program files\brownie\BrstsWnd.exe Autorun
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Tsasatecuxise] rundll32.exe "c:\windows\ukupomubaraxonug.dll",Startup
dRun: [Microsoft Update] wuammgr32.exe
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - {8C85E2EE-9FD6-11D5-B770-504D54C10000} - c:\program files\visualroute lite edition\vrie.dll
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: RaptisoftGameLoader - hxxp://www.miniclip.com/hamsterball/raptisoftgameloader.cab
DPF: vzTCPConfig - hxxp://www.verizon.net/checkmypc/fios/includes/vzTCPConfig.CAB
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemyfios.verizon.net/sdcCommon/download/FIOS/Verizon%20FiOS%20Installer.cab
DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} - hxxp://housecall60.trendmicro.com/housecall/xscan60.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} - hxxp://www.lizardtech.com/download/files/win/djvuplugin/en_US/DjVuControl_en_US.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - hxxp://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} - hxxp://deercamera.viewnetcam.com:60015/kxhcm10.ocx
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} - hxxp://i.dell.com/images/global/js/scanner/SysProExe.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www1.snapfish.com/SnapfishActivia.cab
DPF: {4B54A9DE-EF1C-4EBE-A328-7C28EA3B433A} - hxxp://quickscan.bitdefender.com/qsax/qsax.cab
DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://preview.evite.com/js/ImageUploader5.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {63DF43C2-469A-41F3-B119-17B1ACE8BB34} - hxxp://66.230.107.28:2222/home/SonySncRz30View.cab
DPF: {721700FE-7F0E-49C5-BDED-CA92B7CB1245} - hxxp://webcam.truckeetahoeairport.com/dcsclictrl.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - hxxp://www.nick.com/common/groove/gx/GrooveAX27.cab
DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - hxxp://chat.yahoo.com/cab/yacsui.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {87BE3784-6977-4E84-AA08-55A96B9CEAC5} - hxxp://bryds3.viewnetcam.com:40000/bl_camera.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38149.6352893518
DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} - hxxp://www.microsoft.com/security/controls/Sasser/20/SassCln.CAB
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://www.cvsphoto.com/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} - hxxp://www.verizon.net/checkmypc/includes/MotivePreQual.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} - hxxp://www.shockwave.com/content/feedingfrenzy/SproutLauncher.cab
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://24.6.146.146:8333/activex/AMC.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: junomsg - {C4D10830-379D-11d4-9B2D-00C04F1579A5} - c:\program files\juno\bin\jmsgpph.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
Notify: mfccr - c:\windows\help\starter\mfccr.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\progra~1\qualcomm\eudora\EuShlExt.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 relog_ap

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\dad\applic~1\mozilla\firefox\profiles\default.vou\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.takomapark.info/staff/
FF - plugin: c:\program files\common files\motive\npMotive.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\opera\program\plugins\npjpi160_20.dll
FF - plugin: c:\program files\opera\program\plugins\npoji610.dll
FF - plugin: c:\program files\opera\program\plugins\npqtplugin8.dll
FF - plugin: c:\program files\quicktime\plugins\npqtplugin8.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 151216]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2010-3-26 233472]
R2 PNUpdate;Provision Networks Update Service;c:\windows\system32\pnupdate.exe -run --> c:\windows\system32\PNUpdate.exe -RUN [?]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [2008-5-1 472832]
R3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2010-3-26 36608]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-20 135664]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 Normandy;Normandy SR2; [x]

=============== Created Last 30 ================

2010-12-22 14:29:26 -------- d-----w- c:\program files\ESET
2010-12-22 01:37:48 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-12-22 01:37:39 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-12-22 00:17:09 0 ----a-w- c:\windows\Hnofevi.bin
2010-12-22 00:17:05 -------- d-----w- c:\docume~1\dad\locals~1\applic~1\{C71B057C-7349-44C5-9E15-3F4B9B5A7C53}
2010-12-22 00:15:02 -------- d-----w- c:\docume~1\alluse~1\applic~1\jPeNk06501
2010-12-21 15:09:46 -------- d-----w- c:\docume~1\dad\applic~1\PCDr
2010-12-20 21:42:40 6273872 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{6c570b8a-0124-468b-9884-4cbe34ce307f}\mpengine.dll
2010-12-18 18:47:17 -------- d-----w- c:\program files\iPod
2010-12-18 18:46:58 -------- d-----w- c:\program files\iTunes
2010-12-15 15:39:46 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-15 15:38:50 45568 ------w- c:\windows\system32\dllcache\wab.exe
2010-11-29 22:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 22:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts

==================== Find3M ====================

2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26:58 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec
2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys
2010-10-19 20:51:33 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-09-28 20:44:52 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll

============= FINISH: 15:39:21.28 ===============

And here is the ARK.



GMER in regular mode gives BSOD, so no log. What next?

Attached Files


Edited by geeceem, 22 December 2010 - 04:16 PM.


BC AdBot (Login to Remove)

 


#2 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:04:24 AM

Posted 22 December 2010 - 11:45 PM

Hello geeceem,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • Finally, please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.


1.
Download and Run RKill
  • Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

    Link 1
    Link 2
    Link 3
    Link 4
  • Before we begin, you should disable your anti-malware softwares you have installed so they do not interfere RKill running as some anti-malware softwares detect RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply

2.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Posted Image
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Note:The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Posted Image
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouseclick combofix's window while its running because it may cause it to stall.


Things to include in your next reply::
Combofix.txt
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#3 geeceem

geeceem
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:04:24 AM

Posted 23 December 2010 - 09:49 AM

Grateful thanks for your help. I was hoping this would be a quick cure, but it may not be. Here goes: Rkill log:

Rkill was run on 12/23/2010 at 8:40:47.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:

C:\Program Files\Brownie\BrstsWnd.exe
C:\Program Files\Brownie\brpjp04a.exe


Rkill completed on 12/23/2010 at 8:41:09.

I then ran Combofix, which installed the Recovery Console and ran through 50 steps in about 10 minutes or so. However, I got the BSOD when Combofix rebooted. The error was "Bad Pool Header" "STOP: 0x00000019 (0x00000020,0x8226B400, 0x8226B818, 0x1A8300D)"

I manually rebooted and got the following DLL error complaints: "ukupomubaraxonug.dll Specified module could not be found" and "ckbapr.dll Specified module could not be found."

I'm unable to locate the Combofix log or a file named combofix.txt. It's not on the desktop and not in the root directory (C:\) that I could see. (There is a Combofix icon of some sort in the root directory, but when I click on it, it appears to be a mirror of "My Computer".) I tried a document title search but found nothing. Where might it be hiding?

I'm able to access these forums without difficulty. No redirects or pop-ups. I am wary of using this computer beyond that until I'm reasonably confident that it's clean. Thanks again.

#4 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:04:24 AM

Posted 23 December 2010 - 10:04 PM

Hello,

Go ahead and run Combofix again it should give us a log that has last run stuff in it also.
This time run Combofix in safemode.


Now reboot into Safe Mode.
This can be done tapping the F8 key as soon as you start your computer
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option without networking support.
Please see here for additional details.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#5 geeceem

geeceem
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:04:24 AM

Posted 23 December 2010 - 10:49 PM

Ah, better:

ComboFix 10-12-22.05 - Dad 12/23/2010 22:16:59.2.1 - x86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.282 [GMT -5:00]
Running from: c:\documents and settings\Dad\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Dad\Application Data\Adobe\AdobeUpdate .exe
c:\documents and settings\Dad\Application Data\Adobe\plugs
c:\documents and settings\Dad\GoToAssistDownloadHelper.exe
c:\documents and settings\Dad\Start Menu\Programs\System Tool
c:\documents and settings\Dad\Start Menu\Programs\System Tool\System Tool 2011.lnk
c:\windows\BackUp
c:\windows\BackUp\S\50828000.DAT
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\patch.exe
c:\windows\system32\Oeminfo.ini
c:\windows\system32\Temp

.
((((((((((((((((((((((((( Files Created from 2010-11-24 to 2010-12-24 )))))))))))))))))))))))))))))))
.

2010-12-23 13:33 . 2010-11-10 04:33 6273872 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E78E9F9D-2DF0-4D86-9A5B-26FA3DACCCE4}\mpengine.dll
2010-12-22 14:29 . 2010-12-22 14:29 -------- d-----w- c:\program files\ESET
2010-12-22 01:37 . 2010-12-22 01:37 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-12-22 01:37 . 2010-12-22 01:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-12-22 01:37 . 2010-12-22 01:37 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-12-22 01:36 . 2010-12-22 01:36 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-12-22 00:17 . 2010-12-22 14:18 0 ----a-w- c:\windows\Hnofevi.bin
2010-12-22 00:17 . 2010-12-22 00:17 -------- d-----w- c:\documents and settings\Dad\Local Settings\Application Data\{C71B057C-7349-44C5-9E15-3F4B9B5A7C53}
2010-12-22 00:15 . 2010-12-22 01:27 -------- d-----w- c:\documents and settings\All Users\Application Data\jPeNk06501
2010-12-21 15:20 . 2010-12-21 15:20 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\SupportSoft
2010-12-21 15:09 . 2010-12-21 15:11 -------- d-----w- c:\documents and settings\Dad\Application Data\PCDr
2010-12-18 18:47 . 2010-12-18 18:47 -------- d-----w- c:\program files\iPod
2010-12-18 18:46 . 2010-12-18 18:48 -------- d-----w- c:\program files\iTunes
2010-12-15 15:39 . 2010-11-02 15:17 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-15 15:38 . 2010-10-11 14:59 45568 ------w- c:\windows\system32\dllcache\wab.exe
2010-11-29 22:38 . 2010-11-29 22:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 22:38 . 2010-11-29 22:38 69632 ----a-w- c:\windows\system32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-20 23:09 . 2009-09-02 02:32 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 23:08 . 2009-09-02 02:32 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-18 18:12 . 2002-08-29 11:00 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-10 04:33 . 2010-05-01 18:45 6273872 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2010-11-06 00:26 . 2004-02-06 22:05 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2002-08-29 11:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2002-08-29 11:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2002-08-29 11:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2002-08-29 11:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2002-08-29 11:00 1853312 ----a-w- c:\windows\system32\win32k.sys
2010-10-19 20:51 . 2009-10-02 18:00 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-09-28 20:44 . 2009-06-04 21:48 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-09-28 20:44 . 2007-11-10 14:33 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2008-08-16 21:42 . 2008-08-16 21:42 13112 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2008-08-16 21:42 . 2008-08-16 21:42 70456 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2008-08-16 21:42 . 2008-08-16 21:42 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2008-08-16 21:42 . 2008-08-16 21:42 20800 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2008-08-16 21:43 . 2008-08-16 21:43 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2008-08-16 21:42 . 2008-08-16 21:42 31032 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2008-08-16 21:42 . 2008-08-16 21:42 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2008-05-21 12:41 . 2008-05-21 12:41 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
2008-05-21 12:41 . 2008-05-21 12:41 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
2008-05-21 12:41 . 2008-05-21 12:41 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
2008-06-05 17:58 . 2008-06-05 17:58 648504 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2008-08-16 21:42 . 2008-08-16 21:42 23864 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
2002-08-09 13:45 . 2008-08-15 02:34 98304 ----a-w- c:\program files\internet explorer\plugins\DjVuControl.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-20 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2003-08-27 204800]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2004-02-09 1265714]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-05-20 180269]
"IPHSend"="c:\program files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 124520]
"vdrdpup"="c:\windows\system32\vdrdpup.dll" [2004-03-02 71680]
"MaxBlastMonitor.exe"="c:\program files\Maxtor\MaxBlast\MaxBlastMonitor.exe" [2007-04-20 1169720]
"AcronisTimounterMonitor"="c:\program files\Maxtor\MaxBlast\TimounterMonitor.exe" [2007-04-20 1945712]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Maxtor\Schedule2\schedhlp.exe" [2007-04-20 149024]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-12-14 47904]
"pnuprdp"="c:\windows\system32\pnuprdp.dll" [2007-01-11 114688]
"pnupica"="c:\windows\system32\pnupica6.dll" [2007-04-03 118784]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-09-15 1094224]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2010-03-17 1565696]
"BrStsWnd"="c:\program files\Brownie\BrstsWnd.exe" [2008-01-08 864256]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\progra~1\Qualcomm\Eudora\EuShlExt.dll" [2006-08-17 86016]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkvMon.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NkvMon.exe.lnk
backup=c:\windows\pss\NkvMon.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Mom^Start Menu^Programs^Startup^OpenOffice.org 3.0.lnk]
backup=c:\windows\pss\OpenOffice.org 3.0.lnkStartup
path=c:\documents and settings\Mom\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 03:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-23 08:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoStartNPSAgent]
2009-03-05 23:41 98304 ----a-w- c:\program files\Samsung\Samsung New PC Studio\NPSAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\SYSTEM32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2006-05-10 00:24 50760 ----a-w- c:\program files\Common Files\AOL\1136344782\ee\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2006-02-19 07:41 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-12-13 22:16 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SansaDispatch]
2007-05-02 23:00 55368 ----a-w- c:\program files\SanDisk\Sansa Updater\SansaDispatch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-04-20 18:49 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Juno\\bin\\juno.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Common Files\\AOL\\1136344782\\ee\\aim6.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1136344782\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsasvr.exe"=
"c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsvsvr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]
S2 FsUsbExService;FsUsbExService;c:\windows\SYSTEM32\FsUsbExService.Exe [3/26/2010 7:45 PM 233472]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/20/2009 6:36 PM 135664]
S2 PNUpdate;Provision Networks Update Service;c:\windows\system32\PNUpdate.exe -RUN --> c:\windows\system32\PNUpdate.exe -RUN [?]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\SYSTEM32\DRIVERS\A3AB.sys [5/1/2008 4:13 PM 472832]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\SYSTEM32\FsUsbExDisk.Sys [3/26/2010 7:45 PM 36608]
S3 Normandy;Normandy SR2; [x]
.
Contents of the 'Scheduled Tasks' folder

2010-12-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]

2010-12-24 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-31 00:09]

2010-12-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-20 23:35]

2010-12-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-20 23:35]

2010-12-24 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-26 01:40]

2010-12-24 c:\windows\Tasks\User_Feed_Synchronization-{7FF363A3-1755-4A64-9FA5-050581E35799}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.takomapark.info/staff/library/index.html
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: RaptisoftGameLoader - hxxp://www.miniclip.com/hamsterball/raptisoftgameloader.cab
DPF: vzTCPConfig - hxxp://www.verizon.net/checkmypc/fios/includes/vzTCPConfig.CAB
DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} - hxxp://deercamera.viewnetcam.com:60015/kxhcm10.ocx
DPF: {721700FE-7F0E-49C5-BDED-CA92B7CB1245} - hxxp://webcam.truckeetahoeairport.com/dcsclictrl.cab
DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://www.cvsphoto.com/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://24.6.146.146:8333/activex/AMC.cab
FF - ProfilePath - c:\documents and settings\Dad\Application Data\Mozilla\Firefox\Profiles\default.vou\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.takomapark.info/staff/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Cjisitadumokaba - c:\windows\ckbapr.dll
HKLM-Run-NPSStartup - (no file)
HKLM-Run-Tsasatecuxise - c:\windows\ukupomubaraxonug.dll
HKU-Default-Run-Microsoft Update - wuammgr32.exe
Notify-mfccr - c:\windows\Help\starter\mfccr.dll
AddRemove-CCleaner - f:\cclean\CCleaner\uninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-23 22:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-274365698-922090000-4268213735-1008\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(280)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
Completion time: 2010-12-23 22:38:39
ComboFix-quarantined-files.txt 2010-12-24 03:38

Pre-Run: 121,910,251,520 bytes free
Post-Run: 122,050,768,896 bytes free

- - End Of File - - D30553DD4A645DD2AC273D757717A069

Boot-up is now clearly faster with the naughty DLL calls gone, although I'm briefly seeing an extra screen at the beginning, which I presume has to do with the Recovery Console boot option.

#6 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:04:24 AM

Posted 24 December 2010 - 12:24 AM

Hello,

You log looks good now. We have a little cleanup and final checking to make sure nothing else is there of leftover.
The extra screen you see at start up is recovery console. That is a good Utility to have on board your machine.

1.
We need to run a CFScript.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

File::
c:\windows\Hnofevi.bin

Folder::
c:\documents and settings\All Users\Application Data\jPeNk06501
Driver::
PNUpdate
Normandy

Reglockdel::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


2.
Please download Malwarebytes' Anti-Malware (v1.50) and save it to your desktop.
Download Link 1
Download Link 2Malwarebytes' may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet and double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to this Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes' when done.
Note: If Malwarebytes' encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes' from removing all the malware.

3.
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
Note for Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.)
Posted Image
You can refer to this short video by: neomage
**Note**
To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

Things to include in your next reply::
Combofix.txt
MBAM log
Eset log
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#7 geeceem

geeceem
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:04:24 AM

Posted 24 December 2010 - 02:46 PM

Uh-oh. Because I had originally run Combofix in Safe mode, I assumed that I should run the CFScript.txt/Combofix script in Safe mode as well.

While running the CFScript.txt/Combofix script in Safe mode (Stage 4), I got the message "PEV.exe has encountered a problem and needs to close" and the standard MS bug report form. I declined to send info to MS.

The Combofix script then completed and rebooted, but it did not reboot into Safe mode. Given the strenuous instructions in the display that I was not to interfere with the rebooting, I let it boot normally and then logged into my account, which was the same account I was running in Safe mode (I know, I know).

Combofix generated a log, and then BOOM: BSOD. "Bad pool error". I found the log not in the root but in the Combofix directory and here it is:

--------------------------------

ComboFix 10-12-24.01 - Dad 12/24/2010 14:14:05.3.1 - x86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.267 [GMT -5:00]
Running from: C:\Documents and Settings\Dad\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\All Users\Documents\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

FILE ::
"c:\windows\Hnofevi.bin"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\jPeNk06501
c:\documents and settings\All Users\Application Data\jPeNk06501\jPeNk06501
C:\Documents and Settings\Dad\Local Settings\Application Data\{C71B057C-7349-44C5-9E15-3F4B9B5A7C53}
C:\Documents and Settings\Dad\Local Settings\Application Data\{C71B057C-7349-44C5-9E15-3F4B9B5A7C53}\chrome.manifest
C:\Documents and Settings\Dad\Local Settings\Application Data\{C71B057C-7349-44C5-9E15-3F4B9B5A7C53}\chrome\content\_cfg.js
C:\Documents and Settings\Dad\Local Settings\Application Data\{C71B057C-7349-44C5-9E15-3F4B9B5A7C53}\chrome\content\overlay.xul
C:\Documents and Settings\Dad\Local Settings\Application Data\{C71B057C-7349-44C5-9E15-3F4B9B5A7C53}\install.rdf
c:\windows\Hnofevi.bin

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PNUPDATE
-------\Service_Normandy
-------\Service_PNUpdate


((((((((((((((((((((((((( Files Created from 2010-11-24 to 2010-12-24 )))))))))))))))))))))))))))))))
.

2010-12-23 13:33:57 . 2010-11-10 04:33:37 6273872 ----a-w- C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E78E9F9D-2DF0-4D86-9A5B-26FA3DACCCE4}\mpengine.dll
2010-12-22 14:29:26 . 2010-12-22 14:29:26 -------- d-----w- C:\Program Files\ESET
2010-12-22 01:37:48 . 2010-12-22 01:37:48 -------- d-----w- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2010-12-22 01:37:47 . 2010-12-22 01:37:47 -------- d-----w- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-12-22 01:37:39 . 2010-12-22 01:37:54 -------- d-----w- C:\Program Files\SUPERAntiSpyware
2010-12-22 01:36:29 . 2010-12-22 01:36:29 -------- d-sh--w- C:\Documents and Settings\Administrator\PrivacIE
2010-12-21 15:20:43 . 2010-12-21 15:20:43 -------- d-----w- C:\Documents and Settings\Administrator\Local Settings\Application Data\SupportSoft
2010-12-21 15:09:46 . 2010-12-21 15:11:36 -------- d-----w- C:\Documents and Settings\Dad\Application Data\PCDr
2010-12-18 18:47:17 . 2010-12-18 18:47:17 -------- d-----w- C:\Program Files\iPod
2010-12-18 18:46:58 . 2010-12-18 18:48:24 -------- d-----w- C:\Program Files\iTunes
2010-12-15 15:39:46 . 2010-11-02 15:17:02 40960 ------w- C:\WINDOWS\system32\dllcache\ndproxy.sys
2010-12-15 15:38:50 . 2010-10-11 14:59:30 45568 ------w- C:\WINDOWS\system32\dllcache\wab.exe
2010-11-29 22:38:30 . 2010-11-29 22:38:30 94208 ----a-w- C:\WINDOWS\system32\QuickTimeVR.qtx
2010-11-29 22:38:30 . 2010-11-29 22:38:30 69632 ----a-w- C:\WINDOWS\system32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-20 23:09:00 . 2009-09-02 02:32:35 38224 ----a-w- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2010-12-20 23:08:40 . 2009-09-02 02:32:34 20952 ----a-w- C:\WINDOWS\system32\drivers\mbam.sys
2010-11-18 18:12:44 . 2002-08-29 11:00:00 81920 ----a-w- C:\WINDOWS\system32\isign32.dll
2010-11-10 04:33:37 . 2010-05-01 18:45:41 6273872 ----a-w- C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2010-11-06 00:26:58 . 2004-02-06 22:05:06 916480 ----a-w- C:\WINDOWS\system32\wininet.dll
2010-11-06 00:26:58 . 2002-08-29 11:00:00 43520 ----a-w- C:\WINDOWS\system32\licmgr10.dll
2010-11-06 00:26:58 . 2002-08-29 11:00:00 1469440 ------w- C:\WINDOWS\system32\inetcpl.cpl
2010-11-03 12:25:54 . 2004-08-04 05:59:57 385024 ----a-w- C:\WINDOWS\system32\html.iec
2010-11-02 15:17:02 . 2002-08-29 11:00:00 40960 ----a-w- C:\WINDOWS\system32\drivers\ndproxy.sys
2010-10-28 13:13:22 . 2002-08-29 11:00:00 290048 ----a-w- C:\WINDOWS\system32\atmfd.dll
2010-10-26 13:25:00 . 2002-08-29 11:00:00 1853312 ----a-w- C:\WINDOWS\system32\win32k.sys
2010-10-19 20:51:33 . 2009-10-02 18:00:37 222080 ------w- C:\WINDOWS\system32\MpSigStub.exe
2010-09-28 20:44:52 . 2009-06-04 21:48:26 4184352 ----a-w- C:\WINDOWS\system32\usbaaplrc.dll
2010-09-28 20:44:52 . 2007-11-10 14:33:09 41984 ----a-w- C:\WINDOWS\system32\drivers\usbaapl.sys
2008-08-16 21:42:36 . 2008-08-16 21:42:36 13112 ----a-w- C:\Program Files\mozilla firefox\plugins\cgpcfg.dll
2008-08-16 21:42:02 . 2008-08-16 21:42:02 70456 ----a-w- C:\Program Files\mozilla firefox\plugins\CgpCore.dll
2008-08-16 21:42:12 . 2008-08-16 21:42:12 91448 ----a-w- C:\Program Files\mozilla firefox\plugins\confmgr.dll
2008-08-16 21:42:08 . 2008-08-16 21:42:08 20800 ----a-w- C:\Program Files\mozilla firefox\plugins\ctxlogging.dll
2008-08-16 21:43:00 . 2008-08-16 21:43:00 206136 ----a-w- C:\Program Files\mozilla firefox\plugins\ctxmui.dll
2008-08-16 21:42:10 . 2008-08-16 21:42:10 31032 ----a-w- C:\Program Files\mozilla firefox\plugins\icafile.dll
2008-08-16 21:42:32 . 2008-08-16 21:42:32 40248 ----a-w- C:\Program Files\mozilla firefox\plugins\icalogon.dll
2008-05-21 12:41:08 . 2008-05-21 12:41:08 479232 ----a-w- C:\Program Files\mozilla firefox\plugins\msvcm80.dll
2008-05-21 12:41:08 . 2008-05-21 12:41:08 548864 ----a-w- C:\Program Files\mozilla firefox\plugins\msvcp80.dll
2008-05-21 12:41:08 . 2008-05-21 12:41:08 626688 ----a-w- C:\Program Files\mozilla firefox\plugins\msvcr80.dll
2008-06-05 17:58:54 . 2008-06-05 17:58:54 648504 ----a-w- C:\Program Files\mozilla firefox\plugins\sslsdk_b.dll
2008-08-16 21:42:04 . 2008-08-16 21:42:04 23864 ----a-w- C:\Program Files\mozilla firefox\plugins\TcpPServ.dll
2002-08-09 13:45:06 . 2008-08-15 02:34:00 98304 ----a-w- C:\Program Files\internet explorer\plugins\DjVuControl.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-20 18:49:02 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2003-08-27 01:47:34 204800]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2004-02-09 04:06:34 1265714]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 08:59:24 122880]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 13:35:40 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 13:32:24 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 13:36:20 114688]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-05-20 23:30:02 180269]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 16:59:46 124520]
"vdrdpup"="C:\WINDOWS\system32\vdrdpup.dll" [2004-03-02 14:15:48 71680]
"MaxBlastMonitor.exe"="C:\Program Files\Maxtor\MaxBlast\MaxBlastMonitor.exe" [2007-04-20 12:59:30 1169720]
"AcronisTimounterMonitor"="C:\Program Files\Maxtor\MaxBlast\TimounterMonitor.exe" [2007-04-20 13:09:58 1945712]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe" [2007-04-20 13:03:08 149024]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-12-14 22:17:16 47904]
"pnuprdp"="C:\WINDOWS\system32\pnuprdp.dll" [2007-01-11 22:18:20 114688]
"pnupica"="C:\WINDOWS\system32\pnupica6.dll" [2007-04-03 14:48:10 118784]
"MSSE"="c:\Program Files\Microsoft Security Essentials\msseces.exe" [2010-09-15 08:34:02 1094224]
"Verizon_McciTrayApp"="C:\Program Files\Verizon\McciTrayApp.exe" [2010-03-17 20:55:42 1565696]
"BrStsWnd"="C:\Program Files\Brownie\BrstsWnd.exe" [2008-01-08 13:28:02 864256]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 08:47:04 35760]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2010-11-29 22:38:18 421888]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2010-12-13 22:16:18 421160]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "C:\PROGRA~1\Qualcomm\Eudora\EuShlExt.dll" [2006-08-17 18:57:20 86016]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 17:13:36 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21:41 548352 ----a-w- C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
backup=C:\WINDOWS\pss\HP Photosmart Premier Fast Start.lnkCommon Startup
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkvMon.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NkvMon.exe.lnk
backup=C:\WINDOWS\pss\NkvMon.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Mom^Start Menu^Programs^Startup^OpenOffice.org 3.0.lnk]
backup=C:\WINDOWS\pss\OpenOffice.org 3.0.lnkStartup
path=C:\Documents and Settings\Mom\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 03:07:44 932288 ----a-r- C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-23 08:47:04 35760 ----a-w- C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoStartNPSAgent]
2009-03-05 23:41:02 98304 ----a-w- C:\Program Files\Samsung\Samsung New PC Studio\NPSAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12:16 15360 ----a-w- C:\WINDOWS\SYSTEM32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2006-05-10 00:24:16 50760 ----a-w- C:\Program Files\Common Files\AOL\1136344782\ee\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2006-02-19 07:41:10 49152 ----a-w- C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-12-13 22:16:18 421160 ----a-w- C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12:28 1695232 ----a-w- C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38:18 421888 ----a-w- C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SansaDispatch]
2007-05-02 23:00:36 55368 ----a-w- C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-04-20 18:49:02 68856 ----a-w- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Juno\\bin\\juno.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Opera\\opera.exe"=
"C:\\Program Files\\Common Files\\AOL\\1136344782\\ee\\aim6.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\1136344782\\ee\\aolsoftware.exe"=
"C:\\Program Files\\Samsung\\Samsung New PC Studio\\npsasvr.exe"=
"C:\\Program Files\\Samsung\\Samsung New PC Studio\\npsvsvr.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25:48 PM 12872]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41:30 PM 67656]
R2 FsUsbExService;FsUsbExService;C:\WINDOWS\SYSTEM32\FsUsbExService.Exe [3/26/2010 7:45:28 PM 233472]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\WINDOWS\SYSTEM32\DRIVERS\A3AB.sys [5/1/2008 4:13:34 PM 472832]
R3 FsUsbExDisk;FsUsbExDisk;C:\WINDOWS\SYSTEM32\FsUsbExDisk.Sys [3/26/2010 7:45:28 PM 36608]
S2 gupdate;Google Update Service (gupdate);C:\Program Files\Google\Update\GoogleUpdate.exe [12/20/2009 6:36:02 PM 135664]
S2 WinDefend;Windows Defender;C:\Program Files\Windows Defender\MsMpEng.exe [11/3/2006 6:19:58 PM 13592]
.
Contents of the 'Scheduled Tasks' folder

2010-12-21 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50:20 . 2009-10-22 15:50:20]

2010-12-24 C:\WINDOWS\Tasks\Google Software Updater.job
- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-31 22:56:21 . 2009-03-23 00:09:40]

2010-12-24 C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
- C:\Program Files\Google\Update\GoogleUpdate.exe [2009-12-20 23:36:02 . 2009-12-20 23:35:58]

2010-12-24 C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
- C:\Program Files\Google\Update\GoogleUpdate.exe [2009-12-20 23:36:02 . 2009-12-20 23:35:58]

2010-12-24 C:\WINDOWS\Tasks\MP Scheduled Scan.job
- c:\Program Files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-26 01:40:42 . 2010-03-26 01:40:42]

2010-12-24 C:\WINDOWS\Tasks\User_Feed_Synchronization-{7FF363A3-1755-4A64-9FA5-050581E35799}.job
- C:\WINDOWS\system32\msfeedssync.exe [2006-10-17 16:58:32 . 2009-03-08 08:31:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.takomapark.info/staff/library/index.html
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
DPF: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
DPF: RaptisoftGameLoader - hxxp://www.miniclip.com/hamsterball/raptisoftgameloader.cab
DPF: vzTCPConfig - hxxp://www.verizon.net/checkmypc/fios/includes/vzTCPConfig.CAB
DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} - hxxp://deercamera.viewnetcam.com:60015/kxhcm10.ocx
DPF: {721700FE-7F0E-49C5-BDED-CA92B7CB1245} - hxxp://webcam.truckeetahoeairport.com/dcsclictrl.cab
DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://www.cvsphoto.com/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://24.6.146.146:8333/activex/AMC.cab
FF - ProfilePath - C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\default.vou\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.takomapark.info/staff/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - C:\Program Files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
Given that it was a unique script tailored for a unique situation, I didn't want to try to rerun it or do anything else, even though I suspect that the BSOD might have been related to booting back up normally rather than into Safe Mode. I'll await further instructions/clarification.

Thanks.

#8 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:04:24 AM

Posted 24 December 2010 - 03:48 PM

Hello,

The CfScript ran ok.

1.
Please download Malwarebytes' Anti-Malware (v1.50) and save it to your desktop.
Download Link 1
Download Link 2Malwarebytes' may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet and double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to this Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes' when done.
Note: If Malwarebytes' encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes' from removing all the malware.

2.
We need to check your hard disk for errors.

To check the volume for errors:
  • Click start and then My Computer.
  • Right click the drive C and select Properties.
  • Under Tools tab press Check Now...
  • Put a check mark in both items and press start.
  • If you get a message click Yes to schedule the disk check and click OK and then restart your computer to start the disk check. Please be patient and let the system run. In some cases it might take a couple of hours and you don't have to sit there the whole time.
*NOTE: This scan could take along time to complete, but let it finish.

3.
Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the browse button and navigate to the files listed below in bold, then click Submit. You will only be able to have one file scanned at a time.

C:\WINDOWS\system32\vdrdpup.dll
C:\WINDOWS\system32\pnuprdp.dll
C:\WINDOWS\system32\pnupica6.dll

Please post back the results of the scan in your next post.

Things to include in your next reply:;
MBAM log
JOtti Results
A new DDS log
How is your machine running now in Normal Mode

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#9 geeceem

geeceem
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:04:24 AM

Posted 24 December 2010 - 04:15 PM

MBAM Quick scan w/latest update came back clean. Checkdisk gave me the message that it would start upon reboot, so I rebooted. A window briefly appeared in which the NTFS file system was identified, then the screen went black and then Windows booted what appeared to be normally. I see no indication that CHKDSK is actually running. How do I tell?

#10 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:04:24 AM

Posted 24 December 2010 - 05:45 PM

How is your system running in Normal mode? Did you run Chkdsk in normal mode? Please submit those files to JOTTI and run this command

Goto Start>Run IN the command box copy and paste the following:

chkdsk c:/f/r

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#11 geeceem

geeceem
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:04:24 AM

Posted 24 December 2010 - 09:06 PM

OK. Jotti found nothing in any of the three files. CHKDSK worked OK from the Command line. Here is the log:

Checking file system on C:
The type of the file system is NTFS.
Volume label is Local Disk.
Cleaning up minor inconsistencies on the drive.
Cleaning up 969 unused index entries from index $SII of file 0x9.
Cleaning up 969 unused index entries from index $SDH of file 0x9.
Cleaning up 969 unused security descriptors.
CHKDSK is verifying Usn Journal...
Usn Journal verification completed.
CHKDSK is verifying file data (stage 4 of 5)...
File data verification completed.
CHKDSK is verifying free space (stage 5 of 5)...
Free space verification is complete.

156224092 KB total disk space.
37329612 KB in 164457 files.
71320 KB in 17034 indexes.
0 KB in bad sectors.
311756 KB in use by the system.
65536 KB occupied by the log file.
118511404 KB available on disk.

4096 bytes in each allocation unit.
39056023 total allocation units on disk.
29627851 allocation units available on disk.

Internal Info:
20 9c 03 00 ff c4 02 00 f3 23 04 00 00 00 00 00 ........#......
cb 1c 00 00 02 00 00 00 31 0b 00 00 00 00 00 00 ........1.......
ac f6 ca 05 00 00 00 00 98 aa 51 9d 00 00 00 00 ..........Q.....
24 fa 81 14 00 00 00 00 c8 1c 4f 0d 05 00 00 00 $.........O.....
06 1c 1f 9b 05 00 00 00 06 14 51 61 0b 00 00 00 ..........Qa....
99 9e 36 00 00 00 00 00 a0 38 07 00 69 82 02 00 ..6......8..i...
00 00 00 00 00 30 6b e6 08 00 00 00 8a 42 00 00 .....0k......B..

Windows has finished checking your disk.
Please wait while your computer restarts.

-----------------------------------------------------

Here is the latest DDS log:


DDS (Ver_10-12-12.02) - NTFSx86
Run by Dad at 20:59:42.71 on Fri 12/24/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.103 [GMT -5:00]

AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\FsUsbExService.Exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Maxtor\MaxBlast\MaxBlastMonitor.exe
C:\Program Files\Maxtor\MaxBlast\TimounterMonitor.exe
C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Brownie\BrstsWnd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Brownie\brpjp04a.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Dad\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.takomapark.info/staff/library/index.html
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: : {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [InCD] c:\program files\ahead\incd\InCD.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [IPHSend] c:\program files\common files\aol\iphsend\IPHSend.exe
mRun: [vdrdpup] c:\windows\system32\rundll32 c:\windows\system32\vdrdpup.dll,RegisterVirtualChannel
mRun: [MaxBlastMonitor.exe] c:\program files\maxtor\maxblast\MaxBlastMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\maxtor\maxblast\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\maxtor\schedule2\schedhlp.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [pnuprdp] c:\windows\system32\rundll32 c:\windows\system32\pnuprdp.dll,RegisterVirtualChannel
mRun: [pnupica] c:\windows\system32\rundll32 c:\windows\system32\pnupica6.dll,RegisterVirtualChannel
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [Verizon_McciTrayApp] "c:\program files\verizon\McciTrayApp.exe"
mRun: [BrStsWnd] c:\program files\brownie\BrstsWnd.exe Autorun
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - {8C85E2EE-9FD6-11D5-B770-504D54C10000} - c:\program files\visualroute lite edition\vrie.dll
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: RaptisoftGameLoader - hxxp://www.miniclip.com/hamsterball/raptisoftgameloader.cab
DPF: vzTCPConfig - hxxp://www.verizon.net/checkmypc/fios/includes/vzTCPConfig.CAB
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemyfios.verizon.net/sdcCommon/download/FIOS/Verizon%20FiOS%20Installer.cab
DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} - hxxp://housecall60.trendmicro.com/housecall/xscan60.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} - hxxp://www.lizardtech.com/download/files/win/djvuplugin/en_US/DjVuControl_en_US.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - hxxp://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} - hxxp://deercamera.viewnetcam.com:60015/kxhcm10.ocx
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} - hxxp://i.dell.com/images/global/js/scanner/SysProExe.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www1.snapfish.com/SnapfishActivia.cab
DPF: {4B54A9DE-EF1C-4EBE-A328-7C28EA3B433A} - hxxp://quickscan.bitdefender.com/qsax/qsax.cab
DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://preview.evite.com/js/ImageUploader5.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {63DF43C2-469A-41F3-B119-17B1ACE8BB34} - hxxp://66.230.107.28:2222/home/SonySncRz30View.cab
DPF: {721700FE-7F0E-49C5-BDED-CA92B7CB1245} - hxxp://webcam.truckeetahoeairport.com/dcsclictrl.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - hxxp://www.nick.com/common/groove/gx/GrooveAX27.cab
DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - hxxp://chat.yahoo.com/cab/yacsui.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {87BE3784-6977-4E84-AA08-55A96B9CEAC5} - hxxp://bryds3.viewnetcam.com:40000/bl_camera.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38149.6352893518
DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} - hxxp://www.microsoft.com/security/controls/Sasser/20/SassCln.CAB
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://www.cvsphoto.com/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} - hxxp://www.verizon.net/checkmypc/includes/MotivePreQual.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} - hxxp://www.shockwave.com/content/feedingfrenzy/SproutLauncher.cab
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://24.6.146.146:8333/activex/AMC.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: junomsg - {C4D10830-379D-11d4-9B2D-00C04F1579A5} - c:\program files\juno\bin\jmsgpph.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\progra~1\qualcomm\eudora\EuShlExt.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\dad\applic~1\mozilla\firefox\profiles\default.vou\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.takomapark.info/staff/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 151216]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2010-3-26 233472]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [2008-5-1 472832]
R3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2010-3-26 36608]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-20 135664]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

=============== Created Last 30 ================

2010-12-24 19:10:23 -------- d-----w- C:\ComboFix
2010-12-23 13:47:28 -------- d-sha-r- C:\cmdcons
2010-12-23 13:43:04 98816 ----a-w- c:\windows\sed.exe
2010-12-23 13:43:04 89088 ----a-w- c:\windows\MBR.exe
2010-12-23 13:43:04 256512 ----a-w- c:\windows\PEV.exe
2010-12-23 13:43:04 161792 ----a-w- c:\windows\SWREG.exe
2010-12-23 13:33:57 6273872 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{e78e9f9d-2df0-4d86-9a5b-26fa3daccce4}\mpengine.dll
2010-12-22 14:29:26 -------- d-----w- c:\program files\ESET
2010-12-22 01:37:48 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-12-22 01:37:39 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-12-21 15:09:46 -------- d-----w- c:\docume~1\dad\applic~1\PCDr
2010-12-18 18:47:17 -------- d-----w- c:\program files\iPod
2010-12-18 18:46:58 -------- d-----w- c:\program files\iTunes
2010-12-15 15:39:46 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-15 15:38:50 45568 ------w- c:\windows\system32\dllcache\wab.exe
2010-11-29 22:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 22:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts

==================== Find3M ====================

2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26:58 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec
2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys
2010-10-19 20:51:33 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-09-28 20:44:52 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll

============= FINISH: 21:00:46.25 ===============

And here is the latest DDS attach file:


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-12-12.02)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 12/11/2003 3:04:40 PM
System Uptime: 12/24/2010 8:30:56 PM (1 hours ago)

Motherboard: Dell Computer Corp. | | 0F4491
Processor: Intel® Pentium® 4 CPU 2.80GHz | Microprocessor | 2793/533mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 149 GiB total, 113.028 GiB free.
D: is CDROM ()
E: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP2134: 10/20/2010 10:41:10 PM - System Checkpoint
RP2135: 10/21/2010 9:44:11 AM - Software Distribution Service 3.0
RP2136: 10/22/2010 10:01:10 AM - Software Distribution Service 3.0
RP2137: 10/23/2010 10:28:41 AM - Software Distribution Service 3.0
RP2138: 10/24/2010 11:01:35 AM - System Checkpoint
RP2139: 10/24/2010 1:15:42 PM - Software Distribution Service 3.0
RP2140: 10/25/2010 8:47:44 PM - Software Distribution Service 3.0
RP2141: 10/26/2010 8:50:06 PM - Software Distribution Service 3.0
RP2142: 10/27/2010 10:08:48 PM - System Checkpoint
RP2143: 10/28/2010 9:43:42 AM - Software Distribution Service 3.0
RP2144: 10/29/2010 9:44:27 AM - System Checkpoint
RP2145: 10/29/2010 12:09:31 PM - Software Distribution Service 3.0
RP2146: 10/30/2010 12:53:56 PM - Software Distribution Service 3.0
RP2147: 10/31/2010 2:22:34 PM - Software Distribution Service 3.0
RP2148: 11/1/2010 10:30:55 PM - Software Distribution Service 3.0
RP2149: 11/2/2010 10:39:19 PM - Software Distribution Service 3.0
RP2150: 11/4/2010 9:58:28 AM - Software Distribution Service 3.0
RP2151: 11/5/2010 12:40:38 PM - Software Distribution Service 3.0
RP2152: 11/6/2010 4:03:48 PM - Software Distribution Service 3.0
RP2153: 11/7/2010 5:11:56 PM - Software Distribution Service 3.0
RP2154: 11/8/2010 2:07:31 PM - Software Distribution Service 3.0
RP2155: 11/9/2010 2:57:35 PM - Software Distribution Service 3.0
RP2156: 11/10/2010 2:05:42 PM - Software Distribution Service 3.0
RP2157: 11/10/2010 7:58:30 PM - Software Distribution Service 3.0
RP2158: 11/11/2010 8:09:24 PM - System Checkpoint
RP2159: 11/12/2010 8:25:49 AM - Software Distribution Service 3.0
RP2160: 11/13/2010 9:43:00 AM - Software Distribution Service 3.0
RP2161: 11/14/2010 10:09:10 AM - Software Distribution Service 3.0
RP2162: 11/15/2010 11:11:52 AM - System Checkpoint
RP2163: 11/15/2010 12:36:13 PM - Software Distribution Service 3.0
RP2164: 11/16/2010 4:41:10 PM - Software Distribution Service 3.0
RP2165: 11/17/2010 6:08:28 PM - Software Distribution Service 3.0
RP2166: 11/18/2010 6:46:23 PM - System Checkpoint
RP2167: 11/19/2010 9:48:55 AM - Software Distribution Service 3.0
RP2168: 11/20/2010 10:02:32 AM - Software Distribution Service 3.0
RP2169: 11/21/2010 10:23:11 AM - Software Distribution Service 3.0
RP2170: 11/22/2010 10:28:08 AM - System Checkpoint
RP2171: 11/22/2010 4:32:48 PM - Software Distribution Service 3.0
RP2172: 11/23/2010 5:56:00 PM - Software Distribution Service 3.0
RP2173: 11/24/2010 7:50:53 PM - System Checkpoint
RP2174: 11/25/2010 9:24:16 AM - Software Distribution Service 3.0
RP2175: 11/26/2010 1:39:06 PM - Software Distribution Service 3.0
RP2176: 11/27/2010 2:11:50 PM - System Checkpoint
RP2177: 11/28/2010 12:47:59 PM - Software Distribution Service 3.0
RP2178: 11/29/2010 1:20:58 PM - Software Distribution Service 3.0
RP2179: 11/30/2010 1:51:41 PM - System Checkpoint
RP2180: 12/1/2010 9:59:58 AM - Software Distribution Service 3.0
RP2181: 12/2/2010 10:55:38 AM - System Checkpoint
RP2182: 12/3/2010 8:41:04 AM - Software Distribution Service 3.0
RP2183: 12/4/2010 12:33:19 PM - Software Distribution Service 3.0
RP2184: 12/5/2010 2:38:49 PM - Software Distribution Service 3.0
RP2185: 12/6/2010 2:31:33 PM - Software Distribution Service 3.0
RP2186: 12/7/2010 5:02:31 PM - System Checkpoint
RP2187: 12/8/2010 10:30:20 AM - Software Distribution Service 3.0
RP2188: 12/9/2010 11:19:14 AM - System Checkpoint
RP2189: 12/9/2010 12:42:28 PM - Software Distribution Service 3.0
RP2190: 12/10/2010 12:50:36 PM - Software Distribution Service 3.0
RP2191: 12/11/2010 7:38:58 PM - Software Distribution Service 3.0
RP2192: 12/12/2010 8:04:57 PM - System Checkpoint
RP2193: 12/12/2010 10:58:44 PM - Software Distribution Service 3.0
RP2194: 12/14/2010 9:49:58 AM - Software Distribution Service 3.0
RP2195: 12/15/2010 10:45:46 AM - Software Distribution Service 3.0
RP2196: 12/15/2010 11:07:21 AM - Software Distribution Service 3.0
RP2197: 12/15/2010 1:04:45 PM - Removed Opera 10.62.
RP2198: 12/15/2010 1:05:14 PM - Installed Opera 10.63.
RP2199: 12/16/2010 1:39:46 PM - System Checkpoint
RP2200: 12/16/2010 4:05:24 PM - Software Distribution Service 3.0
RP2201: 12/17/2010 4:59:52 PM - System Checkpoint
RP2202: 12/17/2010 10:54:04 PM - Software Distribution Service 3.0
RP2203: 12/19/2010 12:58:54 PM - Software Distribution Service 3.0
RP2204: 12/20/2010 1:06:07 PM - System Checkpoint
RP2205: 12/20/2010 4:42:21 PM - Software Distribution Service 3.0
RP2206: 12/21/2010 10:16:38 AM - Removed Dell Support Center (Support Software).
RP2207: 12/21/2010 10:36:24 AM - Removed Dell Support Center (Support Software).
RP2208: 12/21/2010 10:41:43 AM - Removed Dell Support Center (Support Software).
RP2209: 12/21/2010 10:46:28 AM - Removed DellSupport.
RP2210: 12/22/2010 12:45:29 PM - System Checkpoint
RP2211: 12/23/2010 8:33:35 AM - Software Distribution Service 3.0
RP2212: 12/24/2010 4:27:44 PM - System Checkpoint

==== Installed Programs ======================

3D Groove Playback Engine
Acoustica CD/DVD Label Maker
Acoustica Effects Pack
Ad-aware 6 Personal
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.4.1
Adobe Shockwave Player 11
AOL Uninstaller (Choose which Products to Remove)
Apple Application Support
Apple Mobile Device Support
Apple Software Update
AutoUpdate
AXIS Media Control Embedded
Banctec Service Agreement
BCM V.92 56K Modem
Bonjour
Brother HL-2140
BufferChm
Citrix XenApp Web Plugin
CP_AtenaShokunin1Config
CP_CalendarTemplates1
cp_LightScribeConfig
cp_OnlineProjectsConfig
CP_Package_Basic1
CP_Package_Variety1
CP_Package_Variety2
CP_Package_Variety3
CP_Panorama1Config
cp_PosterPrintConfig
cp_PrintOnCDConfig
cp_UpdateProjectsConfig
Critical Update for Windows Media Player 11 (KB959772)
CueTour
Dell Digital Jukebox Driver
Dell Media Experience
Dell Networking Guide
Dell Solution Center
Destinations
DeviceManagementQFolder
DIGOpt
DIGReqEx
DING!
DivX
DivX Player
DjVu Browser Plug-in 3.5
DocProc
DocProcQFolder
DocumentViewer
DocumentViewerQFolder
DS21Patch
EOL Universal Printer Client
EPSON Printer Software
ESET Online Scanner v3
eSupportQFolder
Eudora
EZNEC Demo v. 5.0
FullDPAppQFolder
Google Earth
Google Update Helper
Google Updater
GSpot Codec Information Appliance
Help and Support Customization
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HoverIP v1.0 beta
HP Document Viewer 7.0
HP Imaging Device Functions 7.0
HP Photosmart Premier Software 6.5
HP Scanjet G3010 7.0
HP Software Update
HP Solution Center 7.0
hpg3010
hpg3010QFolder
HPProductAssistant
InCD
InstantShareDevices
Intel® Extreme Graphics 2 Driver
Intel® PRO Network Adapters and Drivers
Intel® PROSet
Internet Explorer Default Page
iPhone Configuration Utility
ISO Recorder
iTunes
Jasc Paint Shop Photo Album
Jasc Paint Shop Pro 8 Dell Edition
Java Auto Updater
Java™ 6 Update 20
Juno
Learn2 Player (Uninstall Only)
Lizardtech DjVu Control (autoinstall)
Lizardtech Express View Browser Plug-in
Malwarebytes' Anti-Malware
MathPlayer
Maxtor MaxBlast
MetaFrame Presentation Server Web Client for Win32
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Antimalware
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Encarta Encyclopedia Standard 2004
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Picture It! Express 9
Microsoft Picture It! Library 9
Microsoft PowerPoint Viewer 97
Microsoft Security Essentials
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
MMANA-GAL 1.2
MobileMe Control Panel
Modem Helper
Mozilla Firefox (3.0.9)
Mp3tag v2.44
MSN
MSN Encarta Plus Support Files
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NeroVision Express
Nikon View 6
OCR Software by I.R.I.S 7.0
OpenOffice.org 3.1
Opera 10.63
OptionalContentQFolder
PanoStandAlone
PC Connectivity Solution
Personal Ancestral File 5
Personal Ancestral File Companion 5.2
PhotoGallery
Plaxo Toolbar for Windows
Pocket Tanks 1.00b
Porrasturvat - Stair Dismount
Print-IT Client 5.6 (Release 7)
QuickTime
RandMap
RealPlayer
Safari
SAMSUNG Mobile Composite Device Software
SAMSUNG Mobile Modem Driver Set
Samsung Mobile phone USB driver Software
SAMSUNG Mobile USB Modem 1.0 Software
SAMSUNG Mobile USB Modem Software
Samsung New PC Studio
SamsungConnectivityCableDriver
Sansa Updater
Scan
ScannerCopy
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Shockwave
Sibelius Scorch (ActiveX Only)
SkinsHP1
SlideShow
SlideShowMusic
Snapshot Viewer
SolutionCenter
Sonic_PrimoSDK
Sony Ericsson Communications Suite
Spin It Again
Spybot - Search & Destroy
Spybot - Search & Destroy 1.3
Startup Manager 2.4.2
SUPERAntiSpyware
TerraExplorer
The Sims Deluxe Edition
TI Connect 1.5
TripStalker
Truck Dismount (remove only)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows Internet Explorer 8 (KB980302)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
URGE
Verizon Help and Support Tool
VisualRoute Lite Edition
Vz In Home Agent
WebFldrs XP
WebReg
Windows Defender
Windows Defender Signatures
Windows Driver Package - MobileTop (sshpmdm) Modem (02/23/2007 2.5.0.0)
Windows Driver Package - MobileTop (sshpusb) USB (02/23/2007 2.5.0.0)
Windows Driver Package - Nokia pccsmcfd (10/12/2007 6.85.4.0)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WordPerfect Office 11
Yahoo! Photos Easy Upload Tool
Yahoo! Photos Print-at-Home Tool

==== Event Viewer Messages From Past Week ========

12/24/2010 2:32:56 PM, error: System Error [1003] - Error code 00000019, parameter1 00000020, parameter2 82617a90, parameter3 82617ea8, parameter4 1a830001.
12/24/2010 2:18:17 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.95.2458.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6402.0 Error code: 0x8007043c Error description: This service cannot be started in Safe Mode
12/23/2010 9:04:14 AM, error: System Error [1003] - Error code 00000019, parameter1 00000020, parameter2 8226b400, parameter3 8226b818, parameter4 1a830001.
12/23/2010 10:12:42 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
12/23/2010 10:12:12 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec MpFilter MRxSmb NetBIOS NetBT RasAcd Rdbss SASDIFSV SASKUTIL Tcpip
12/23/2010 10:12:12 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
12/23/2010 10:12:12 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
12/23/2010 10:12:12 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
12/23/2010 10:12:12 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
12/23/2010 10:12:12 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
12/23/2010 10:12:12 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
12/22/2010 3:32:43 PM, error: System Error [1003] - Error code 00000019, parameter1 00000020, parameter2 8274c478, parameter3 8274cca0, parameter4 1b050006.
12/21/2010 8:35:57 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
12/21/2010 8:31:26 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: agp440 Fips intelppm MpFilter
12/21/2010 7:54:00 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.95.2197.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6402.0 Error code: 0x8007043c Error description: This service cannot be started in Safe Mode
12/21/2010 7:53:59 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
12/21/2010 7:44:41 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm MpFilter
12/21/2010 7:42:07 PM, error: Service Control Manager [7034] - The InCD Helper service terminated unexpectedly. It has done this 1 time(s).
12/21/2010 7:42:06 PM, error: Service Control Manager [7034] - The Provision Networks Update Service service terminated unexpectedly. It has done this 1 time(s).
12/21/2010 7:42:06 PM, error: Service Control Manager [7034] - The McciCMService service terminated unexpectedly. It has done this 1 time(s).
12/21/2010 7:42:06 PM, error: Service Control Manager [7034] - The FsUsbExService service terminated unexpectedly. It has done this 1 time(s).
12/21/2010 7:42:06 PM, error: Service Control Manager [7034] - The Acronis Scheduler2 Service service terminated unexpectedly. It has done this 1 time(s).
12/21/2010 7:42:06 PM, error: Service Control Manager [7031] - The Microsoft Antimalware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 15000 milliseconds: Restart the service.
12/21/2010 7:42:06 PM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
12/21/2010 7:40:40 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: agp440
12/21/2010 7:29:39 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Microsoft Antimalware Service service to connect.
12/21/2010 7:29:39 PM, error: Service Control Manager [7000] - The Microsoft Antimalware Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
12/21/2010 7:26:16 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Apple Mobile Device service to connect.
12/21/2010 7:26:16 PM, error: Service Control Manager [7000] - The Apple Mobile Device service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
12/21/2010 7:25:18 PM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
12/21/2010 11:26:04 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
12/21/2010 10:45:37 PM, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
12/21/2010 10:09:40 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm MpFilter SASDIFSV SASKUTIL

==== End Of File ===========================

Given that this is an older Dell computer already on its second hard drive, I wouldn't be surprised if there is other hardware that is getting a little dodgey. In the meantime, I'll go ahead with the requested ESET scan to see if it shows anything.

#12 geeceem

geeceem
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:04:24 AM

Posted 24 December 2010 - 11:27 PM

Well, this is really annoying: the ESET scan completed and said it found two threats. It didn't give me a log or identify them. There was no "List of Found Threats" button or any option to export anything. The choice I had was to go to a screen that gave me the "suggestion" that I buy the full version, and then I could see no way to return to the scan screen. The only ESET.txt file I can find on my computer is one that was created when I scanned with ESET on 12/22. What now?

#13 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:04:24 AM

Posted 25 December 2010 - 01:44 AM

Hello,

Your DDS log looks good. Lets update some stuff and try a couple other scanners.

1.
New Adobe Reader Installation:
  • Go here and click on the Download button to download the latest version of Adobe Reader.
  • Save this file to your desktop and run it to install the latest version of Adobe Reader.


2.
Important Note: Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Microsoft: ‘Unprecedented Wave of Java Exploitation’
Drive-by Trojan preying on out-of-date Java installations
Ghosts of Java Haunt UsersPlease follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Platform, Standard Edition".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows" (32-bit) or "Windows x64" (64-bit).
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "I agree to the Java SE...License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Posted Image > Control Panel, double-click on Add/Remove Programs or Programs and Features in Vista/Windows 7 and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u23-windows-i586.exe to install the newest version.
  • If using Windows 7 or Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications but it's not necessary.
To disable the JQS service if you don't want to use it:
  • Go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter.
  • Click Ok and reboot your computer.


3.
Please run a BitDefender Online Scan
  • Click I Agree to agree to the EULA.
  • Allow the ActiveX control to install when prompted.
  • Click Click here to scan to begin the scan.
  • Please refrain from using the computer until the scan is finished. This might take a while to run, but it is important that nothing else is running while you scan.
  • When the scan is finished, click on Click here to export the scan results.
  • Save the report to your desktop so you can post it in your next reply.

4.
Please go to Kaspersky website and perform an online antivirus scan.

1. Read through the requirements and privacy statement and click on Accept button.
2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
3. When the downloads have finished, click on Settings.
4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
Spyware, Adware, Dialers, and other potentially dangerous programs
Archives

5. Click on My Computer under Scan.
6. Once the scan is complete, it will display the results. Click on View Scan Report.
7. You will see a list of infected items there. Click on Save Report As....
8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
9. Please post this log in your next reply along with a fresh DDS log.

Things to include in your next reply:
BitDefender log
Kaspersky log
A new DDS log
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#14 geeceem

geeceem
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:04:24 AM

Posted 25 December 2010 - 04:45 PM

No shortage of unpleasant surprises:

1) Adobe Reader update failed during download. "Can't write into directory C:\Documents and Settings\All Users\ApplicationData\NOS\GP_GUI_Adobe\\getPlusPlus.css"

"Get PlusPlus error
Catastrophic failure"

2) BitDefender found two things, but then threw me a curve: I saved the log but apparently wasn't paying attention to the format, so it was in ASCII but full of HTML codes. I've had to save it as a generic file because the BF upload function won't accept the original. So here it is. The format is likely different from what you are used to seeing:

BitDefender Online Scanner
Scan report generated at: Sat, Dec 25, 2010 - 14:03:39
Scan path: A:\;C:\;D:\;E:\;


Statistics




Time


02:40:02




Files


589706




Folders


17694




Boot Sectors


0




Archives


10859




Packed Files


16995








Results




Identified Viruses


2




Infected Files


49




Suspect Files


0




Warnings


0




Disinfected


0




Deleted Files


49








Engines Info




Virus Definitions


6494973




Engine build


AVCORE v2.1 Windows/i386 11.0.0.42 (Oct 18 2010)




Scan plugins


18




Archive plugins


44




Unpack plugins


10




E-mail plugins


6




System plugins


4








Scan Settings




First Action


Disinfect




Second Action


Delete




Heuristics


Yes




Enable Warnings


Yes




Scanned Extensions


*;




Exclude Extensions







Scan Emails


Yes




Scan Archives


Yes




Scan Packed


Yes




Scan Files


Yes




Scan Boot


Yes





Scanned File


Status


C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{18142FB9-3172-4A45-98A4-D826DEDDC395}

Infected with: Trojan.Qhost.R


C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{18142FB9-3172-4A45-98A4-D826DEDDC395}

Deleted


C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{23C130C8-076F-46D8-A724-59B3D3C3B92A}

Infected with: Trojan.Qhost.R


C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{23C130C8-076F-46D8-A724-59B3D3C3B92A}

Deleted


C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{2759EDDA-9C85-4F65-B3DC-F1F258E53187}

Infected with: Trojan.Qhost.R


C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{2759EDDA-9C85-4F65-B3DC-F1F258E53187}

Deleted


C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{2B55BC23-4B87-4C92-B891-9E4E5F7A47D6}

Infected with: Trojan.Qhost.R


C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{2B55BC23-4B87-4C92-B891-9E4E5F7A47D6}

Deleted


C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{2B7661AA-023C-4118-B6A6-8332FE8A9AE8}

Infected with: Trojan.Qhost.R


C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{2B7661AA-023C-4118-B6A6-8332FE8A9AE8}

Deleted


C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{2E0AF2C5-D607-408E-8F84-8B799EAF1972}

Infected with: Trojan.Qhost.R


C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{2E0AF2C5-D607-408E-8F84-8B799EAF1972}

Deleted


C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{43104C04-9AFD-4A7C-861E-8200944C2DF6}

Infected with: Trojan.Qhost.R


C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{43104C04-9AFD-4A7C-861E-8200944C2DF6}

Deleted


C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{458D1F63-E37A-4729-A5A3-9BA47E036AA2}

Infected with: Trojan.Qhost.R


C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{458D1F63-E37A-4729-A5A3-9BA47E036AA2}

Deleted


C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{4A8D51B7-44BC-4D0B-9136-7C9F48726353}

Infected with: Trojan.Qhost.R


C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{4A8D51B7-44BC-4D0B-9136-7C9F48726353}

Deleted


C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{522EFA05-B129-4E37-B0EB-E4734D96B53B}

Infected with: Trojan.Qhost.R


C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{522EFA05-B129-4E37-B0EB-E4734D96B53B}

Deleted


C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{5255845D-7C41-46BB-A31A-CAB64954658B}

Infected with: Trojan.Qhost.R


C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{5255845D-7C41-46BB-A31A-CAB64954658B}

Deleted


C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{55831CEB-91B6-408E-A137-494F4A9E2419}

Infected with: Trojan.Qhost.R


C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{55831CEB-91B6-408E-A137-494F4A9E2419}

Deleted


C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{57A63C69-0715-4A1D-A7C0-1233859E6771}

Infected with: Trojan.Qhost.R


C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{57A63C69-0715-4A1D-A7C0-1233859E6771}

Deleted


C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{6585397A-6D13-472C-B207-7B4C5B7407A8}

Infected with: Trojan.Qhost.R


C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{6585397A-6D13-472C-B207-7B4C5B7407A8}

Deleted


C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{6A4C3A18-0F98-4C76-91EE-58E81B5735E9}

Infected with: Trojan.Qhost.R


C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{6A4C3A18-0F98-4C76-91EE-58E81B5735E9}

Deleted


C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{785A2F41-845D-4F34-9B48-125C37B89125}

Infected with: Trojan.Qhost.R


C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{785A2F41-845D-4F34-9B48-125C37B89125}

Deleted


C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{78EBF363-BBA3-4AA1-A0F9-BB7FD09AEDA4}

Infected with: Trojan.Qhost.R


C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{78EBF363-BBA3-4AA1-A0F9-BB7FD09AEDA4}

Deleted


C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{90247AF4-CB8B-47C5-A0A1-44973EFB41D8}

Infected with: Trojan.Qhost.R


C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{90247AF4-CB8B-47C5-A0A1-44973EFB41D8}

Deleted


C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{93502382-97FB-4EDE-8CF9-71B058EC6E3E}

Infected with: Trojan.Qhost.R


C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{93502382-97FB-4EDE-8CF9-71B058EC6E3E}

Deleted


C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{A6AA9816-5C27-48D1-A617-853312D0BA4E}

Infected with: Trojan.Qhost.R


C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{A6AA9816-5C27-48D1-A617-853312D0BA4E}

Deleted


C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{C5190581-81E8-4E06-859D-964B5412F3FF}

Infected with: Trojan.Qhost.R


C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{C5190581-81E8-4E06-859D-964B5412F3FF}

Deleted


C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{CD071203-18B9-4085-B1D5-866A1A00C1B7}

Infected with: Trojan.Qhost.R


C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{CD071203-18B9-4085-B1D5-866A1A00C1B7}

Deleted


C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{D13BD699-38D4-4A0D-A339-232FECB18B18}

Infected with: Trojan.Qhost.R


C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{D13BD699-38D4-4A0D-A339-232FECB18B18}

Deleted


C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{DE20A686-A731-44C6-B9F5-60E17F4470C6}

Infected with: Trojan.Qhost.R


C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{DE20A686-A731-44C6-B9F5-60E17F4470C6}

Deleted


C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{FBAFB8E2-6985-42B4-9412-764973514CB0}

Infected with: Trojan.Qhost.R


C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{FBAFB8E2-6985-42B4-9412-764973514CB0}

Deleted


C:\Documents and Settings\Jake\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{02922335-8E54-4F42-9616-7E9E47852A4E}

Infected with: Trojan.Qhost.R


C:\Documents and Settings\Jake\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{02922335-8E54-4F42-9616-7E9E47852A4E}

Deleted


C:\Documents and Settings\Mom\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{0122BC46-531E-4067-93A4-5C3A8BBC2200}

Infected with: Trojan.Qhost.R


C:\Documents and Settings\Mom\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{0122BC46-531E-4067-93A4-5C3A8BBC2200}

Deleted


C:\Documents and Settings\Mom\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{03CE26E9-00BD-43B0-8EB2-988604D3D8EB}

Infected with: Trojan.Qhost.R


C:\Documents and Settings\Mom\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{03CE26E9-00BD-43B0-8EB2-988604D3D8EB}

Deleted


C:\Documents and Settings\Mom\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{0B87B0B2-E557-426E-9EB8-7CC685569670}

Infected with: Trojan.Qhost.R


C:\Documents and Settings\Mom\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{0B87B0B2-E557-426E-9EB8-7CC685569670}

Deleted


C:\Documents and Settings\Mom\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{100BB026-A007-4F92-8C99-C543F8A177D1}

Infected with: Trojan.Qhost.R


C:\Documents and Settings\Mom\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{100BB026-A007-4F92-8C99-C543F8A177D1}

Deleted


C:\Documents and Settings\Mom\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{1EC35255-B5F0-4163-87EC-7BB558D19585}

Infected with: Trojan.Qhost.R


C:\Documents and Settings\Mom\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{1EC35255-B5F0-4163-87EC-7BB558D19585}

Deleted


C:\Documents and Settings\Mom\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{30D21E5B-F039-4D75-8E0D-C2816068E9BB}

Infected with: Trojan.Qhost.R


C:\Documents and Settings\Mom\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{30D21E5B-F039-4D75-8E0D-C2816068E9BB}

Deleted


C:\Documents and Settings\Mom\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{330D1311-67A0-456D-9099-A5674E7B7684}

Infected with: Trojan.Qhost.R


C:\Documents and Settings\Mom\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{330D1311-67A0-456D-9099-A5674E7B7684}

Deleted


C:\Documents and Settings\Mom\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{3CF75207-7730-4D26-B5FF-189C259FE43A}

Infected with: Trojan.Qhost.R


C:\Documents and Settings\Mom\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{3CF75207-7730-4D26-B5FF-189C259FE43A}

Deleted


C:\Documents and Settings\Mom\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{5CBBE3D2-11F2-42E2-ADEA-51FF9A095F46}

Infected with: Trojan.Qhost.R


C:\Documents and Settings\Mom\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{5CBBE3D2-11F2-42E2-ADEA-51FF9A095F46}

Deleted


C:\Documents and Settings\Mom\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{5D1E409E-303D-4806-A4FF-AD2301540599}

Infected with: Trojan.Qhost.R


C:\Documents and Settings\Mom\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{5D1E409E-303D-4806-A4FF-AD2301540599}

Deleted


C:\Documents and Settings\Mom\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{600C42E0-6F4A-4258-B5AE-37112EC14259}

Infected with: Trojan.Qhost.R


C:\Documents and Settings\Mom\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{600C42E0-6F4A-4258-B5AE-37112EC14259}

Deleted


C:\Documents and Settings\Mom\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{8D312F7B-CCA8-457B-B842-C2967B912679}

Infected with: Trojan.Qhost.R


C:\Documents and Settings\Mom\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{8D312F7B-CCA8-457B-B842-C2967B912679}

Deleted


C:\Documents and Settings\Mom\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{94D5384B-2A26-4B1B-923C-5A7CD78D7E46}

Infected with: Trojan.Qhost.R


C:\Documents and Settings\Mom\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{94D5384B-2A26-4B1B-923C-5A7CD78D7E46}

Deleted


C:\Documents and Settings\Mom\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{B02DF305-79B9-453B-BAB7-079231A05EB0}

Infected with: Trojan.Qhost.R


C:\Documents and Settings\Mom\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{B02DF305-79B9-453B-BAB7-079231A05EB0}

Deleted


C:\Documents and Settings\Mom\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{C96B57FF-B531-4052-AC3B-783969DFB652}

Infected with: Trojan.Qhost.R


C:\Documents and Settings\Mom\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{C96B57FF-B531-4052-AC3B-783969DFB652}

Deleted


C:\Documents and Settings\Mom\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{CDFDAF0B-2837-4556-ACFF-30A9CCC0559C}

Infected with: Trojan.Qhost.R


C:\Documents and Settings\Mom\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{CDFDAF0B-2837-4556-ACFF-30A9CCC0559C}

Deleted


C:\Documents and Settings\Mom\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{D9579608-F688-406C-BB64-C6CCFC542E5D}

Infected with: Trojan.Qhost.R


C:\Documents and Settings\Mom\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{D9579608-F688-406C-BB64-C6CCFC542E5D}

Deleted


C:\Documents and Settings\Mom\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{ECC1434C-6A16-47F7-8E17-417ED49D4080}

Infected with: Trojan.Qhost.R


C:\Documents and Settings\Mom\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{ECC1434C-6A16-47F7-8E17-417ED49D4080}

Deleted


C:\Documents and Settings\Mom\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{EEA489C2-F1C0-46DA-9894-9687E9B61D19}

Infected with: Trojan.Qhost.R


C:\Documents and Settings\Mom\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{EEA489C2-F1C0-46DA-9894-9687E9B61D19}

Deleted


C:\Documents and Settings\Mom\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{EEA75A70-5158-4A70-9BF8-29C54020EEF4}

Infected with: Trojan.Qhost.R


C:\Documents and Settings\Mom\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{EEA75A70-5158-4A70-9BF8-29C54020EEF4}

Deleted


C:\Documents and Settings\Mom\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{F6A733F4-12AE-4350-A05D-63F6582023CA}

Infected with: Trojan.Qhost.R


C:\Documents and Settings\Mom\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{F6A733F4-12AE-4350-A05D-63F6582023CA}

Deleted


C:\Program Files\SanDisk\Sansa Updater\sansaupdater.exe

Infected with: Trojan.Generic.1713071


C:\Program Files\SanDisk\Sansa Updater\sansaupdater.exe

Deleted


C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2216\A0152817.exe

Infected with: Trojan.Generic.1713071


C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2216\A0152817.exe

Deleted


-------------------

3) Kaspersky online scanner refused to execute, with the following message:

Update has failed The program could not be
started. Please close the window of Kaspersky Online Scanner 7.0 and start the
program again from the web site of Kaspersky Lab. Successful updating of
Kaspersky Online Scanner 7.0 and scanning of your computer requires
uninterrupted Internet connection. Please make sure that the Internet connection
is established. [ERROR: Anti-virus database was updated after license
expiry].

I'm not sure what happened here. I'm unaware of any service interruption, nor do I remember ever having Kaspersky installed on my machine. I think I did the online scan once, but that was long, long ago.
---------------------

Here is DDS again:

DDS (Ver_10-12-12.02) - NTFSx86
Run by Dad at 16:24:06.95 on Sat 12/25/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.106 [GMT -5:00]

AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\FsUsbExService.Exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Maxtor\MaxBlast\MaxBlastMonitor.exe
C:\Program Files\Maxtor\MaxBlast\TimounterMonitor.exe
C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Brownie\BrstsWnd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Brownie\brpjp04a.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32Info.exe
C:\Documents and Settings\Dad\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.takomapark.info/staff/library/index.html
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: : {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [InCD] c:\program files\ahead\incd\InCD.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [IPHSend] c:\program files\common files\aol\iphsend\IPHSend.exe
mRun: [vdrdpup] c:\windows\system32\rundll32 c:\windows\system32\vdrdpup.dll,RegisterVirtualChannel
mRun: [MaxBlastMonitor.exe] c:\program files\maxtor\maxblast\MaxBlastMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\maxtor\maxblast\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\maxtor\schedule2\schedhlp.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [pnuprdp] c:\windows\system32\rundll32 c:\windows\system32\pnuprdp.dll,RegisterVirtualChannel
mRun: [pnupica] c:\windows\system32\rundll32 c:\windows\system32\pnupica6.dll,RegisterVirtualChannel
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [Verizon_McciTrayApp] "c:\program files\verizon\McciTrayApp.exe"
mRun: [BrStsWnd] c:\program files\brownie\BrstsWnd.exe Autorun
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - {8C85E2EE-9FD6-11D5-B770-504D54C10000} - c:\program files\visualroute lite edition\vrie.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: RaptisoftGameLoader - hxxp://www.miniclip.com/hamsterball/raptisoftgameloader.cab
DPF: vzTCPConfig - hxxp://www.verizon.net/checkmypc/fios/includes/vzTCPConfig.CAB
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemyfios.verizon.net/sdcCommon/download/FIOS/Verizon%20FiOS%20Installer.cab
DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} - hxxp://housecall60.trendmicro.com/housecall/xscan60.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} - hxxp://www.lizardtech.com/download/files/win/djvuplugin/en_US/DjVuControl_en_US.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - hxxp://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} - hxxp://deercamera.viewnetcam.com:60015/kxhcm10.ocx
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} - hxxp://i.dell.com/images/global/js/scanner/SysProExe.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www1.snapfish.com/SnapfishActivia.cab
DPF: {4B54A9DE-EF1C-4EBE-A328-7C28EA3B433A} - hxxp://quickscan.bitdefender.com/qsax/qsax.cab
DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://preview.evite.com/js/ImageUploader5.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {63DF43C2-469A-41F3-B119-17B1ACE8BB34} - hxxp://66.230.107.28:2222/home/SonySncRz30View.cab
DPF: {721700FE-7F0E-49C5-BDED-CA92B7CB1245} - hxxp://webcam.truckeetahoeairport.com/dcsclictrl.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - hxxp://www.nick.com/common/groove/gx/GrooveAX27.cab
DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - hxxp://chat.yahoo.com/cab/yacsui.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {87BE3784-6977-4E84-AA08-55A96B9CEAC5} - hxxp://bryds3.viewnetcam.com:40000/bl_camera.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38149.6352893518
DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} - hxxp://www.microsoft.com/security/controls/Sasser/20/SassCln.CAB
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://www.cvsphoto.com/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} - hxxp://www.verizon.net/checkmypc/includes/MotivePreQual.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} - hxxp://www.shockwave.com/content/feedingfrenzy/SproutLauncher.cab
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://24.6.146.146:8333/activex/AMC.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: junomsg - {C4D10830-379D-11d4-9B2D-00C04F1579A5} - c:\program files\juno\bin\jmsgpph.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\progra~1\qualcomm\eudora\EuShlExt.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\dad\applic~1\mozilla\firefox\profiles\default.vou\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.takomapark.info/staff/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 151216]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2010-3-26 233472]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [2008-5-1 472832]
R3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2010-3-26 36608]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-20 135664]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2002-8-29 14336]

=============== Created Last 30 ================

2010-12-25 21:12:33 6273872 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{27361d6d-8595-482b-8b4b-691ed8c577e4}\mpengine.dll
2010-12-25 16:11:34 -------- d-----w- c:\program files\Sun
2010-12-25 16:11:21 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-12-25 15:54:14 35136 ----a-w- c:\program files\mozilla firefox\plugins\np_gp.dll
2010-12-24 19:10:23 -------- d-----w- C:\ComboFix
2010-12-23 13:47:28 -------- d-sha-r- C:\cmdcons
2010-12-23 13:43:04 98816 ----a-w- c:\windows\sed.exe
2010-12-23 13:43:04 89088 ----a-w- c:\windows\MBR.exe
2010-12-23 13:43:04 256512 ----a-w- c:\windows\PEV.exe
2010-12-23 13:43:04 161792 ----a-w- c:\windows\SWREG.exe
2010-12-22 14:29:26 -------- d-----w- c:\program files\ESET
2010-12-22 01:37:48 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-12-22 01:37:39 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-12-21 15:09:46 -------- d-----w- c:\docume~1\dad\applic~1\PCDr
2010-12-18 18:47:17 -------- d-----w- c:\program files\iPod
2010-12-18 18:46:58 -------- d-----w- c:\program files\iTunes
2010-12-15 15:39:46 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-15 15:38:50 45568 ------w- c:\windows\system32\dllcache\wab.exe
2010-11-29 22:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 22:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts

==================== Find3M ====================

2010-12-25 16:11:01 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26:58 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec
2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys
2010-10-19 20:51:33 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-09-28 20:44:52 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll

============= FINISH: 16:25:16.43 ===============


I'm still able to access the BP forums and Yahoo but am refraining from using this computer very much until I have a better handle on what's going on.

#15 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:04:24 AM

Posted 26 December 2010 - 02:48 AM

Hello, geeceem.
Congratulations! You now appear clean! :cool:


Uninstall Combofix
  • Make sure that Combofix.exe that you downloaded is on your Desktop but Do not run it!
    o *If it is not on your Desktop, the below will not work.
  • Click on Posted Image then Run....
  • Now copy & paste the green bolded text in the run-box and click OK.

    ComboFix /Uninstall

    Posted Image

    <Notice the space between the "x" and "/".> <--- It needs to be there
    Windows Vista users: Press the Windows Key + R to bring the Run... Command and then from there you can add in the Combofix /Uninstall

  • Please advise if this step is missed for any reason as it performs some important actions:
    "This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.
    It also makes a clean Restore Point and flashes all the old restore points in order to prevent possible reinfection from an old one through system restore".



Are things running okay? Do you have any more questions?

System Still Slow?
You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve preformance.
If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware.

We Need to Clean Up Our Mess
  • Download OTC by OldTimer and save it to your desktop.
  • Double click Posted Image icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big Posted Image button.
  • You will get a prompt saying "Being Cleanup Process". Please select Yes.
  • Restart your computer when prompted.



Recommendations
Below are some recommendations to lower your chances of (re)infection.
  • Install and maintain an outbound firewall
  • Install Spyware Blaster and update it regularly
    If you wish, the commercial version provides automatic updating.
  • Install the MVPs hosts file, and update it regularly
    You can use the HostMan host file manager to do this automaticly if you wish.
    For more information on the hosts file, and what it can do for you, you can view the Tutorial on the Hosts file
  • Install an Anti-Spyware program, and update it regularly
    Malware Byte's Anti Malware is an excellent Anti-Spyware scanner. It's scan times are usually under ten minutes, and has excellent detection and removal rates.
    SUPERAntiSpyware is another good scanner with high detection and removal rates.
    Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions.
  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

    If you are using Windows XP or earlier
    Visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

    If you are using Windows Vista
    • Click the "Start Menu" (or Windows Orb)
    • Click "All Programs"
    • Click "Windows Update"
    • On the left, choose "Change Settings"
    • Ensure that the checkbox "Use Microsoft Update" at the bottom of the window is checked.
    • Press OK and accept the UAC prompt.
      Note: You shouldn't need to check this checkbox every single time you update, only the first time.
    • Click "Check for Updates" in the upper left corner.
    • Follow the instructions to install the latest updates.
    • Reboot and repeat the "Check for Updates" until there are no more critical updates to install
  • Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.
  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :(.


As for Adobe you may have to Uninstall the version of Adobe Reader you have now then try to install the new version.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users