Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Started w/ Dropper-gen,FakeSysdef-J,Java:Agent-BM,PUP-gen,Malware-gen,Delf-DNW Mufanom

  • This topic is locked This topic is locked
3 replies to this topic

#1 mankx


  • Members
  • 2 posts
  • Local time:05:09 AM

Posted 04 January 2011 - 07:02 PM

Started with a video site that launched the JAVA updater. Before I could slam the router shut, a bogus antivirus alert that I was infected & had to "activate" the software to clean it (with my credit card info of course).
I started running AVAST scan, but the virus kept overpopping. I could not shut down bogus app faster than it opened windows. It closed Task Manager as fast as I could open it. I jumped on Avast Bootscan.
Original scan culprits looked like:
  • bIfJg06511.exe [L] Win32:Dropper-gen
  • 3GTL3WMY\setup[1].exe [L] Win32:FakeSysdef-J
  • System Tool 2011.lnk [L] LNK:Lnkbaddst-S
  • bIfJg06511\trzC..tmp is infected by Win32:Dropper-gen [Drp]
  • KAVS.class is infected by Java:Agent-BM [Expl],
  • pizdi..class is infected by Java:Agent-BM [Expl],
  • A0061358.exe is infected by Win32:PUP-gen [PUP],
  • WIN32\Data.Cab|>F1271_dwhwizrd.exe is infected by Win32:Malware-gen,
  • Win32:Delf-DNW [Trj],
  • owaqotoli.dll (possible random name)
  • Trojan-Downloader.Mufanom
Next rescan found a random named exe in "app data/adobe/plugs/ and a restore point infected with Win32:Hiloti-Y
I repeated scans until no sign of virus. Downloaded latest Avast version & updates, and Adaware 9.
I ran Ad Aware & found a random named dll file in c:\windows\ infected with : Win32.TrojanDownloader.Mufanom/A
Ran multiple scans-still many infections, cleaning all until Avast's APPLY button grayed out.
Downloaded SUPERANTISPYWARE and DR WEB. Ran both. Cleaned where I could.
Avast still shows infections in memory, but Apply still not available.
Process: aawservice.exe memory block: Win95:CIH 1.x (all others Win32:xxx)Nimda-O, Small-GWM, VB-EU, WinSpy-CK, BHO-GH
Process: superantispyware.ext memory block: (all Win32:xxx) Agent-ZRP, Vundo-gen61, Zlob-RF, Agent-ADVJ, Pakes-AWH, Tiny-ADY
Process: teatimer.exe mem block: JS:ScriptSH-inf

I disabled CD emulation with DEFOGGER, ran DDS & GMER.
(GMER does a scan on startup. I scanned w/ IAT/EAT unchecked & it ran endlessly through C:, so not sure file is correct. Attaching both)

Thanks for your help!!


hijackthis.log (pre Defogger , DDS, & GMER)
hijackthis startuplist.txt


DDS (Ver_10-12-12.02) - NTFSx86
Run by Dent at 13:16:26.28 on Tue 01/04/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.465 [GMT -8:00]

AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
E:\Alwil Antivirus Software\Avast5\AvastSvc.exe
C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
E:\IObit\IObit Security 360\IS360srv.exe
C:\Program Files\Motorola\MotoConnectService\MotoConnectService.exe
c:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\X-Rite\Devices\Services\xritedeviced.exe
C:\Program Files\X-Rite\Devices\Services\ColorMunki\ColorMunkiDeviceService.exe
C:\Program Files\Motorola\MotoConnectService\MotoConnect.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\ASUS\AI Suite\AiNap\AiNap.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
E:\Alwil Antivirus Software\Avast5\avastUI.exe
C:\Program Files\Lexmark\ErrorApp\LMab1err.exe
C:\Program Files\AquaSnap\AquaSnap.Daemon.exe
E:\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Skype\Phone\Skype.exe
E:\ColorMunki Photo\Tools\ColorMunki Photo Tray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
E:\Mozilla Firefox\firefox.exe
E:\Mozilla Firefox\plugin-container.exe
E:\Microsoft Office\Office12\WINWORD.EXE
C:\Documents and Settings\Dent\Desktop\virus stuff\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - e:\spybot - search & destroy\SDHelper.dll
BHO: EWPBrowseObject Class: {68f9551e-0411-48e4-9aaf-4bc42a6a46be} - c:\program files\canon\easy-webprint\EWPBrowseLoader.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
uRun: [LMab1err] c:\program files\lexmark\errorapp\LMab1err.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [AquaSnap] c:\program files\aquasnap\AquaSnap.Daemon.exe
uRun: [SpybotSD TeaTimer] e:\spybot - search & destroy\TeaTimer.exe
uRun: [AdobeBridge]
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [SUPERAntiSpyware] e:\superantispyware\SUPERAntiSpyware.exe
mRun: [StartCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exe
mRun: [CoolSwitch] c:\windows\system32\taskswitch.exe
mRun: [Ai Nap] "c:\program files\asus\ai suite\ainap\AiNap.exe"
mRun: [36X Raid Configurer] c:\windows\system32\xRaidSetup.exe boot
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [Adobe Reader Speed Launcher] "e:\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin
mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [avast5] "e:\alwil antivirus software\avast5\avastUI.exe" /nogui
mRunOnce: [WIAWizardMenu] RUNDLL32.EXE c:\windows\system32\sti_ci.dll,WiaCreateWizardMenu
dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\colorm~1.lnk - e:\colormunki photo\gamma\CalibrationLoader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\colorm~2.lnk - e:\colormunki photo\tools\ColorMunki Photo Tray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - e:\logitech\setpoint\SetPoint.exe
uPolicies-explorer: NoSMHelp = 1 (0x1)
uPolicies-explorer: StartMenuLogoff = 1 (0x1)
uPolicies-explorer: NoLogoff = 01000000
mPolicies-system: DisableCAD = 1 (0x1)
dPolicies-explorer: NoSMHelp = 1 (0x1)
dPolicies-explorer: StartMenuLogoff = 1 (0x1)
IE: E&xport to Microsoft Excel - e:\micros~1\office12\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_Print.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - e:\spybot - search & destroy\SDHelper.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1191803214671
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - e:\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\Skype4COM.dll
Notify: !SASWinLogon - e:\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - e:\superantispyware\SASSEH.DLL
Hosts: www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\dent\applic~1\mozilla\firefox\profiles\pjmjejjh.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.woot.com/|http://www.hashspace.com/profile/RubMyBuns
FF - component: c:\documents and settings\dent\application data\mozilla\firefox\profiles\pjmjejjh.default\extensions\{5fb1186a-3398-4c47-b579-0f2eee222ad1}\platform\winnt_x86-msvc\components\outwit-3.5.dll
FF - component: c:\documents and settings\dent\application data\mozilla\firefox\profiles\pjmjejjh.default\extensions\{5fb1186a-3398-4c47-b579-0f2eee222ad1}\platform\winnt_x86-msvc\components\outwit-3.6.dll
FF - plugin: c:\documents and settings\dent\application data\move networks\plugins\npqmp071504000001.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\\npGoogleOneClick8.dll
FF - plugin: e:\adobe\reader 8.0\reader\browser\nppdf32.dll
FF - plugin: e:\divx\divx player\npDivxPlayerPlugin.dll
FF - plugin: e:\divx\divx web player\npdivx32.dll
FF - plugin: e:\mozill~1\plugins\np_gp.dll
FF - Ext: Smart Bookmarks Bar: smartbookmarksbar@remy.juteau - %profile%\extensions\smartbookmarksbar@remy.juteau
FF - Ext: YouPlayer: youplayer@addons.mozilla.org - %profile%\extensions\youplayer@addons.mozilla.org
FF - Ext: Firesizer: {04426594-bce6-4705-b811-bcdba2fd9c7b} - %profile%\extensions\{04426594-bce6-4705-b811-bcdba2fd9c7b}
FF - Ext: PDF Download: {37E4D8EA-8BDA-4831-8EA1-89053939A250} - %profile%\extensions\{37E4D8EA-8BDA-4831-8EA1-89053939A250}
FF - Ext: Favicon Picker 2: {446c03e0-2c35-11db-a98b-0800200c9a66} - %profile%\extensions\{446c03e0-2c35-11db-a98b-0800200c9a66}
FF - Ext: Save Image in Folder: {5e594888-3e8e-47da-b2c6-b0b545112f84} - %profile%\extensions\{5e594888-3e8e-47da-b2c6-b0b545112f84}
FF - Ext: History Submenus: {7102aba3-045c-4ec2-b921-46d87636d84b} - %profile%\extensions\{7102aba3-045c-4ec2-b921-46d87636d84b}
FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - Ext: CoolPreviews : {CE6E6E3B-84DD-4cac-9F63-8D2AE4F30A4B} - %profile%\extensions\{CE6E6E3B-84DD-4cac-9F63-8D2AE4F30A4B}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - %profile%\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
FF - Ext: ToolbarButtons: {03B08592-E5B4-45ff-A0BE-C1D975458688} - %profile%\extensions\{03B08592-E5B4-45ff-A0BE-C1D975458688}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Advertising Cookie Opt-out: optout@google.com - %profile%\extensions\optout@google.com
FF - Ext: FoxTab: {ef4e370e-d9f0-4e00-b93e-a4f274cfdd5a} - %profile%\extensions\{ef4e370e-d9f0-4e00-b93e-a4f274cfdd5a}
FF - Ext: Aardvark: aardvark@rob.brown - %profile%\extensions\aardvark@rob.brown
FF - Ext: Outwit Images: outwit-images@outwit.com - %profile%\extensions\outwit-images@outwit.com
FF - Ext: OutWit Kernel: {5fb1186a-3398-4c47-b579-0f2eee222ad1} - %profile%\extensions\{5fb1186a-3398-4c47-b579-0f2eee222ad1}
FF - Ext: Better Facebook!: betterfacebook@mattkruse.com - %profile%\extensions\betterfacebook@mattkruse.com
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - e:\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - e:\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: XULRunner: {7A51A2A8-6F7E-4C9C-A166-6BFBEEED2CCD} - c:\documents and settings\dent\local settings\application data\{7A51A2A8-6F7E-4C9C-A166-6BFBEEED2CCD}
FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\dent\application data\Move Networks

FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - fales
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-4-6 64288]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2009-9-17 293968]
R1 SASDIFSV;SASDIFSV;e:\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;e:\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-9-17 17744]
R2 avast! Antivirus;avast! Antivirus;e:\alwil antivirus software\avast5\AvastSvc.exe [2010-10-29 40384]
R2 ColorMunkiService;X-Rite Device ColorMunki;c:\program files\x-rite\devices\services\colormunki\ColorMunkiDeviceService.exe [2010-1-6 147968]
R2 IS360service;IS360service;e:\iobit\iobit security 360\is360srv.exe [2010-4-6 312152]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-12-3 1389400]
R2 MotoConnect Service;MotoConnect Service;c:\program files\motorola\motoconnectservice\MotoConnectService.exe [2010-6-24 91456]
R2 xritedeviced;X-Rite Device Manager;c:\program files\x-rite\devices\services\xritedeviced.exe [2010-1-6 130048]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-12-3 15264]
R3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\drivers\nx6000.sys [2009-9-20 30560]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-6-18 136176]
S3 BTCFilterService;USB Networking Driver Filter Service;c:\windows\system32\drivers\motfilt.sys [2010-11-14 6016]
S3 colormunki;colormunki;c:\windows\system32\drivers\colormunki.sys [2010-1-6 29184]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2010-11-14 19968]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2010-11-14 8320]
S3 Motousbnet;Motorola USB Networking Driver Service;c:\windows\system32\drivers\Motousbnet.sys [2010-11-14 23424]
S3 motusbdevice;Motorola USB Dev Driver;c:\windows\system32\drivers\motusbdevice.sys [2010-11-14 9472]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [2007-1-11 332928]
S3 SUNPLUS;SightCAM PC-100p;c:\windows\system32\drivers\SPIXNEW.SYS [2002-3-7 95528]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
S3 USA19H;USA19H;c:\windows\system32\drivers\USA19H2k.sys [2009-6-19 727908]
S3 USA19H2KP;Keyspan USB Serial Port Driver;c:\windows\system32\drivers\USA19H2kp.sys [2009-6-19 44928]
S3 usbnerd;Cardio Perfect PRO-Link USB;c:\windows\system32\drivers\usbisoch.sys [2008-6-18 48680]
S3 usbnerdcl;Cardio Perfect PRO-Link firmware loader;c:\windows\system32\drivers\UsbNrdCL.sys [2008-6-18 26152]

=============== Created Last 30 ================

2011-01-04 21:16:25 98816 ----a-w- c:\temp\a3.tmp\SED.DAT
2011-01-04 21:16:25 89088 ----a-w- c:\temp\a3.tmp\MBR.DAT
2011-01-04 21:16:25 518144 ----a-w- c:\temp\a3.tmp\SWREG.DAT
2011-01-04 21:16:25 256512 ----a-w- c:\temp\a3.tmp\PEV.DAT
2011-01-04 19:01:56 355056 ----a-w- c:\temp\SSUPDATE.EXE
2011-01-04 17:08:52 -------- d-----w- c:\docume~1\dent\applic~1\SUPERAntiSpyware.com
2011-01-04 17:08:52 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2011-01-04 10:44:32 -------- d-----w- c:\documents and settings\dent\DoctorWeb
2011-01-04 08:38:48 -------- d-----w- c:\program files\ESET
2011-01-03 23:34:44 -------- d-----w- c:\docume~1\dent\locals~1\applic~1\Sunbelt Software
2011-01-03 23:33:56 -------- dc-h--w- c:\docume~1\alluse~1\applic~1\{2162CCC0-3A5F-4887-B51F-CE5F195B3620}
2011-01-03 23:33:43 -------- d-----w- c:\program files\Lavasoft
2011-01-03 10:24:40 -------- d-----w- c:\docume~1\dent\locals~1\applic~1\{7A51A2A8-6F7E-4C9C-A166-6BFBEEED2CCD}
2010-12-30 11:07:06 0 ----a-w- c:\windows\Jtepunolif.bin
2010-12-19 08:09:51 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-19 08:09:19 45568 -c----w- c:\windows\system32\dllcache\wab.exe

==================== Find3M ====================

2010-12-31 20:06:36 38848 ----a-w- c:\windows\avastSS.scr
2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-14 22:41:02 685056 ----a-w- c:\windows\isRS-000.tmp
2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26:58 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec
2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys

============= FINISH: 13:17:04.90 ===============

Attached Files

BC AdBot (Login to Remove)


#2 oneof4


  • Malware Response Team
  • 3,779 posts
  • Gender:Male
  • Location:The Collective
  • Local time:09:09 AM

Posted 09 January 2011 - 10:08 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

We need to create an OTL Report

  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

We also need a log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    Posted Image
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in a BSODs, uncheck Devices on the right side before scanning

Best Regards,

Best Regards,

#3 oneof4


  • Malware Response Team
  • 3,779 posts
  • Gender:Male
  • Location:The Collective
  • Local time:09:09 AM

Posted 17 January 2011 - 12:51 PM

Do you still need help?

Best Regards,

#4 thcbytes


  • Malware Response Team
  • 14,790 posts
  • Gender:Male
  • Local time:08:09 AM

Posted 24 January 2011 - 04:15 PM

Due to the lack of feedback, this topic is now closed.In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.
Proud member - Unified Network of Instructors and Trained Eliminators
Posted Image

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when your gone. You will save a life that would otherwise be lost!


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users