Trojan dropper and bloodhoundvirus


This topic is locked
23 replies to this topic

#1 maxson (Members)

Posted 10 January 2011 - 04:54 AM

DDS (Ver_10-12-12.02) - NTFSx86
Run by glen at 2:29:45.57 on Mon 01/10/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.767.185 [GMT -6:00]

AV: Norton 360 Online *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
AV: avast! antivirus 4.8.1368 [VPS 100914-1] *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Norton 360 Online *Enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\IProsetMonitor.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton 360\Engine\4.3.0.5\ccSvcHst.exe
C:\Program Files\Nero\Update\NASvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Qwest\Quickcare\bin\sprtsvc.exe
C:\Program Files\Qwest\Quickcare\bin\tgsrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton 360\Engine\4.3.0.5\ccSvcHst.exe
C:\Program Files\Real\RealPlayer\update\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TRENDnet\TEW-424UB\WlanCU.exe
G:\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.derekprince.org/
uWindow Title = Windows Internet Explorer By Glen
uInternet Settings,ProxyOverride = <local>
mWinlogon: UIHost=c:\documents and settings\all users\application data\tuneup software\tuneup utilities\winstyler\tu_logonui.exe
BHO: IDMIEHlprObj Class: {0055c089-8582-441b-a0bf-17b458c2a3a8} - c:\program files\internet download manager\IDMIECC.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\4.3.0.5\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\4.3.0.5\IPSBHO.DLL
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\4.3.0.5\coIEPlg.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB: {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [PCTVOICE] pctspk.exe
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRunOnce: [nltide_2] regsvr32 /s /n /i:U shell32
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wireless configuration utility hw.14.lnk - c:\program files\trendnet\tew-424ub\WlanCU.exe
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
IE: Download all links with IDM - c:\program files\internet download manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\internet download manager\IEGetVL.htm
IE: Download with IDM - c:\program files\internet download manager\IEExt.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
LSP: c:\progra~1\speedb~1\sblsp.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
Notify: WB - c:\program files\stardock\mycolors\fastload.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: IconPackager Repair - {1799460C-0BC8-4865-B9DF-4A36CD703FF0} - c:\program files\stardock\object desktop\iconpackager\iprepair.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 nwprovau
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
Hosts: 68.169.80.16 www.stolengfs.com
Hosts: 207.46.30.24 qwest.live.com
Hosts: 65.55.57.251 go.microsoft.com
Hosts: 65.55.57.251 go.microsoft.com
Hosts: 65.55.57.251 go.microsoft.com

Note: multiple HOSTS entries found. Please refer to Attach.txt

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hack\applic~1\mozilla\firefox\profiles\sncqbv0u.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.derekprince.org/site/PageServer?pagename=mainpage
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\ipsffplgn\components\IPSFFPl.dll
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll
FF - component: c:\documents and settings\hack\application data\idm\idmmzcc2\components\idmmzcc.dll
FF - component: c:\documents and settings\hack\application data\mozilla\firefox\profiles\sncqbv0u.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc_fireftp.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\documents and settings\hack\application data\mozilla\firefox\profiles\sncqbv0u.default\extensions\devicedetection@logitech.com\plugins\npLogitechDeviceDetection.dll
FF - plugin: c:\documents and settings\hack\application data\mozilla\firefox\profiles\sncqbv0u.default\extensions\ietab@ip.cn\plugins\npCoralIETab.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npclntax_ClickPotatoLiteSA.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin2.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin3.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin4.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin5.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin6.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin7.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Strata RELOADED: stratareloaded@addons.mozilla.org - %profile%\extensions\stratareloaded@addons.mozilla.org
FF - Ext: ToolbarButtons: {03B08592-E5B4-45ff-A0BE-C1D975458688} - %profile%\extensions\{03B08592-E5B4-45ff-A0BE-C1D975458688}
FF - Ext: Custom Download Manager: {04b56b3f-c4f4-48ba-9ea1-30e04fb7d829} - %profile%\extensions\{04b56b3f-c4f4-48ba-9ea1-30e04fb7d829}
FF - Ext: ColorfulTabs: {0545b830-f0aa-4d7e-8820-50a4629a56fe} - %profile%\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Flashblock: {3d7eb24f-2740-49df-8937-200b1cc08f8a} - %profile%\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}
FF - Ext: SmoothWheel (mozdev.org): {5F590AA2-1221-4113-A6F4-A4BB62414FAC} - %profile%\extensions\{5F590AA2-1221-4113-A6F4-A4BB62414FAC}
FF - Ext: SmoothWheel (AMO): {5F590AA2-1221-4113-A6F4-A4BB62414FAC} - %profile%\extensions\{5F590AA2-1221-4113-A6F4-A4BB62414FAC}
FF - Ext: FireFTP: {a7c6cf7f-112c-4500-a7ea-39801a327e5f} - %profile%\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}
FF - Ext: MozXP: {ADA51547-FEF6-4b2c-8E96-EE45BDF53DE1} - %profile%\extensions\{ADA51547-FEF6-4b2c-8E96-EE45BDF53DE1}
FF - Ext: Easy Youtube Video Downloader: {c0c9a2c7-2e5c-4447-bc53-97718bc91e1b} - %profile%\extensions\{c0c9a2c7-2e5c-4447-bc53-97718bc91e1b}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - %profile%\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
FF - Ext: Tab Mix Plus: {dc572301-7619-498c-a57d-39143191b318} - %profile%\extensions\{dc572301-7619-498c-a57d-39143191b318}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Norton IPS: {BBDA0591-3099-440a-AA10-41764D9DB4DB} - c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\IPSFFPlgn
FF - Ext: Norton Toolbar: {2D3F3651-74B9-4795-BDEC-6DA2F431CB62} - c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\coFFPlgn
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\Ext
FF - Ext: IDM CC: mozilla_cc@internetdownloadmanager.com - c:\documents and settings\hack\application data\idm\idmmzcc3

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-connections-per-server - 8
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: yahoo.homepage.dontask - true
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true

============= SERVICES / DRIVERS ===============

R0 AFPAnsi;Alfa File Protector Ansi;c:\windows\system32\drivers\AFPAnsi.sys [2011-1-5 43936]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0403000.005\symds.sys [2010-9-27 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0403000.005\symefa.sys [2010-9-27 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\bashdefs\20101123.003\BHDrvx86.sys [2010-11-22 691248]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0403000.005\cchpx86.sys [2010-9-27 501888]
R1 IDMTDI;IDMTDI;c:\windows\system32\drivers\idmtdi.sys [2010-11-30 95320]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-6 68168]
R1 SuperMounter;SuperMounter;c:\windows\system32\drivers\supermounter.sys [2011-1-5 11264]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0403000.005\ironx86.sys [2010-9-27 116784]
R2 Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service;c:\windows\system32\IPROSetMonitor.exe [2011-1-7 110240]
R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [2010-9-16 10448]
R2 N360;Norton 360;c:\program files\norton 360\engine\4.3.0.5\ccsvchst.exe [2010-9-27 126392]
R2 NAUpdate;@c:\program files\nero\update\nasvc.exe,-200;c:\program files\nero\update\NASvc.exe [2010-5-4 503080]
R2 sprtsvc_quickcare;SupportSoft Sprocket Service (quickcare);c:\program files\qwest\quickcare\bin\sprtsvc.exe [2010-9-25 206120]
R2 tgsrvc_quickcare;SupportSoft Repair Service (quickcare);c:\program files\qwest\quickcare\bin\tgsrvc.exe [2010-9-25 185640]
R3 dvdfab;dvdfab;c:\windows\system32\drivers\dvdfab.sys [2010-12-9 52096]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-10-31 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\ipsdefs\20101231.001\IDSXpx86.sys [2011-1-1 341944]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\virusdefs\20110104.035\NAVENG.SYS [2011-1-5 86008]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\virusdefs\20110104.035\NAVEX15.SYS [2011-1-5 1360760]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;\??\c:\program files\tuneup utilities 2011\tuneuputilitiesdriver32.sys --> c:\program files\tuneup utilities 2011\TuneUpUtilitiesDriver32.sys [?]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-8-21 20560]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2010-11-11 27064]
S3 RTL8187B;TRENDnet TEW-424UB 54M USB Dongle;c:\windows\system32\drivers\RTL8187B.sys [2011-1-7 215040]
S4 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2010-8-21 114768]
S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-12-10 135664]
S4 SuperRam;SuperRam Memory Service;c:\program files\pgware\superram\superramservice.exe --> c:\program files\pgware\superram\SuperRamService.exe [?]
S4 TuneUp.UtilitiesSvc;TuneUp Utilities Service;"c:\program files\tuneup utilities 2011\tuneuputilitiesservice32.exe" --> c:\program files\tuneup utilities 2011\TuneUpUtilitiesService32.exe [?]
S4 VideoAcceleratorService;VideoAcceleratorService;c:\progra~1\speedb~1\videoacceleratorservice.exe -start -scm --> c:\progra~1\speedb~1\VideoAcceleratorService.exe -start -scm [?]

=============== Created Last 30 ================

2011-01-09 11:33:57 -------- d-----w- C:\90259361620902cc7d
2011-01-08 02:31:58 215040 ----a-w- c:\windows\system32\drivers\RTL8187B.sys
2011-01-08 02:31:44 21035 ----a-w- c:\windows\system32\drivers\AegisP.sys
2011-01-08 02:31:26 -------- d-----w- c:\windows\OPTIONS
2011-01-08 02:31:25 -------- d-----w- c:\program files\TRENDnet
2011-01-08 02:29:50 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2011-01-08 02:28:48 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-01-08 02:28:48 -------- d-----w- c:\docume~1\hack\applic~1\SUPERAntiSpyware.com
2011-01-08 02:27:24 -------- d-----w- c:\program files\common files\Wise Installation Wizard
2011-01-08 02:08:34 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-08 02:08:27 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-08 01:53:35 36224 -c--a-w- c:\windows\system32\dllcache\an983.sys
2011-01-08 01:53:35 36224 ----a-w- c:\windows\system32\drivers\an983.sys
2011-01-08 01:39:16 110240 ----a-w- c:\windows\system32\IPROSetMonitor.exe
2011-01-05 19:14:38 -------- d-----w- c:\program files\TuneUp Utilities 2011
2011-01-05 08:47:16 44000 ----a-w- c:\windows\system32\drivers\AFPUni.sys
2011-01-05 08:47:16 43936 ----a-w- c:\windows\system32\drivers\AFPAnsi.sys
2011-01-05 08:47:16 11264 ----a-w- c:\windows\system32\drivers\supermounter.sys
2011-01-05 08:47:14 261120 ----a-w- c:\windows\system32\SuperMenuHook.dll
2011-01-05 08:47:14 261120 ----a-w- c:\windows\system32\baksm.dat
2011-01-05 08:47:13 5964800 ----a-w- c:\windows\system32\vbsbak.dat
2011-01-05 08:47:11 6144 ----a-w- c:\windows\system32\SuperRes.dll
2011-01-05 08:47:10 89088 ----a-w- c:\windows\system32\Shreder.dll
2011-01-05 08:47:10 73728 ----a-w- c:\windows\system32\smh.dat
2011-01-05 08:47:10 56 ----a-w- c:\windows\system32\vb6sock.dll
2011-01-05 08:47:06 -------- d-----w- c:\program files\SuperLogix
2011-01-04 14:31:16 -------- d-----w- c:\docume~1\alluse~1\applic~1\Trymedia
2011-01-01 05:42:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-31 11:59:12 -------- d-----w- c:\docume~1\hack\applic~1\DisplayTune
2010-12-31 11:55:17 62009 ----a-w- c:\windows\system32\wpfb_nv4_disp.dll
2010-12-31 11:53:52 17136 ----a-w- c:\windows\system32\drivers\PdiPorts.sys
2010-12-31 11:52:57 487424 ----a-w- c:\windows\msvcp70.dll
2010-12-31 11:52:57 344064 ----a-w- c:\windows\msvcr70.dll
2010-12-31 11:52:54 1392671 ----a-w- c:\windows\msvbvm60.dll
2010-12-31 11:52:36 -------- d-----w- c:\program files\common files\Portrait Displays
2010-12-28 19:05:18 31552 ----a-w- c:\windows\system32\TURegOpt.exe
2010-12-28 19:05:18 29504 ----a-w- c:\windows\system32\uxtuneup.dll
2010-12-28 17:26:51 -------- d-----w- c:\docume~1\hack\applic~1\MSNInstaller
2010-12-28 16:11:47 70144 --sha-r- c:\windows\system32\vssvcv.dll
2010-12-28 05:46:10 87608 ----a-w- c:\docume~1\hack\applic~1\inst.exe
2010-12-28 05:46:10 47360 ----a-w- c:\docume~1\hack\applic~1\pcouffin.sys
2010-12-28 05:45:45 -------- d-----w- c:\program files\DVDFab 8
2010-12-16 18:19:05 -------- d-----w- C:\N360_BACKUP
2010-12-16 18:16:01 -------- d-----w- c:\docume~1\alluse~1\applic~1\{C3243856-7746-4A05-8837-51A28C1CDD82}
2010-12-16 18:15:16 -------- d-----w- c:\docume~1\hack\locals~1\applic~1\Downloaded Installations
2010-12-16 14:57:21 -------- d-----w- c:\program files\common files\Stardock
2010-12-16 14:57:10 58672 ----a-w- c:\windows\system32\wbload.dll
2010-12-16 14:57:10 42288 ----a-w- c:\windows\system32\wbsys.dll
2010-12-16 10:35:39 -------- d-----w- c:\docume~1\hack\applic~1\Stardock
2010-12-16 10:21:52 -------- d-----w- c:\docume~1\alluse~1\applic~1\Stardock
2010-12-16 10:09:35 -------- dc-h--w- c:\docume~1\alluse~1\applic~1\{19DFF2E9-B443-44CA-AB80-E968934E1428}
2010-12-16 10:07:56 -------- d-----w- c:\docume~1\hack\locals~1\applic~1\PackageAware
2010-12-16 09:53:48 -------- dc-h--w- c:\docume~1\alluse~1\applic~1\{1C533CDB-BAC7-4600-B3DE-0B628D9AC643}
2010-12-13 04:01:56 -------- d-----w- c:\docume~1\alluse~1\applic~1\{F0489EF2-D393-4114-85BA-A94D71D89543}
2010-12-11 11:35:43 -------- d-----w- c:\docume~1\hack\applic~1\Philips
2010-12-11 11:30:24 -------- d-----w- c:\docume~1\hack\locals~1\applic~1\Philips-Songbird
2010-12-11 11:30:24 -------- d-----w- c:\docume~1\hack\applic~1\Philips-Songbird

==================== Find3M ====================

2010-12-09 16:23:18 658552 ----a-w- c:\windows\system32\ncs2dmix.dll
2010-12-09 16:23:10 514168 ----a-w- c:\windows\system32\accesor.dll
2010-12-09 16:01:36 134776 ----a-w- c:\windows\system32\ncs2instutility.dll
2010-12-09 15:44:40 1901176 ----a-w- c:\windows\system32\ncscolib.dll
2010-11-29 19:48:26 183296 ----a-w- c:\windows\system32\Ncs2Setp.dll
2010-11-24 22:42:21 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-11-24 22:42:21 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-11-22 00:34:39 36734 ----a-w- c:\windows\system32\OggDSuninst.exe
2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-10 08:59:55 19657194 ----a-w- c:\docume~1\alluse~1\applic~1\vlc-1.1.4-win32.exe
2010-11-08 22:57:04 353592 ----a-w- c:\windows\system32\DivXControlPanelApplet.cpl
2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26:58 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec
2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys
2010-10-26 04:08:09 737280 ----a-w- c:\windows\iun6002.exe
2010-10-16 04:45:33 448 ----a-w- c:\program files\1015201023453303.bat

============= FINISH: 2:31:17.50 ===============
My Norton 360 found two high-risk trojans, also a fake redirect. These things jacked up my network. I tried two new network cards and a new Ethernet cable, and my provider says I show up running full bandwidth and no modem trouble. Something is preventing me from connecting. Qwest troubleshot for an hour and then told me it seems you might have a virus, so I don't know. Thanks for helping me.

Attached files: Attach.txt (22.77KB), ark.txt (8.52KB)
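The log above is what a DDS triage starts from, and the entries a responder reads first are scattered across several sections. As an added example (not part of the original thread and not code from the DDS tool), here is a Python script that pulls those entries out of a saved DDS.txt: HOSTS lines that pin a name to a non-loopback address (with duplicates counted, matching the tool's own "multiple HOSTS entries found" note), toolbar CLSIDs listed with "No File", Winsock LSP entries, and file entries under \windows with hidden+system attributes, with numeric-only names, or sitting directly in the Application Data root. The embedded excerpt is copied verbatim from the log in post #1; the heuristics, kind labels and thresholds are my own assumptions, and every hit means "verify this", not "this is malware".

```python
"""Triage helper for a DDS log (added example; not the DDS tool's own code).

Heuristics only: every hit means "verify this", never "this is malware".
Run with a path to a saved DDS.txt, or with no arguments to use the
embedded excerpt.
"""
import re
import sys
from collections import Counter

# Constructed excerpt: lines copied verbatim from the DDS log in post #1.
DDS_EXCERPT = r"""
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\4.3.0.5\coIEPlg.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB: {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - No File
LSP: c:\progra~1\speedb~1\sblsp.dll
Hosts: 68.169.80.16 www.stolengfs.com
Hosts: 207.46.30.24 qwest.live.com
Hosts: 65.55.57.251 go.microsoft.com
Hosts: 65.55.57.251 go.microsoft.com
Hosts: 65.55.57.251 go.microsoft.com
2010-12-28 16:11:47 70144 --sha-r- c:\windows\system32\vssvcv.dll
2010-12-28 05:46:10 87608 ----a-w- c:\docume~1\hack\applic~1\inst.exe
2010-12-28 05:46:10 47360 ----a-w- c:\docume~1\hack\applic~1\pcouffin.sys
2010-12-16 14:57:10 58672 ----a-w- c:\windows\system32\wbload.dll
2010-10-16 04:45:33 448 ----a-w- c:\program files\1015201023453303.bat
"""

# DDS file entry: date time size attrs path (size is "--------" for directories).
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})\s+(\d{2}:\d{2}:\d{2})\s+(\S+)\s+(\S+)\s+(.+)$")
LOOPBACK = {"127.0.0.1", "::1"}
WINDOWS_DIR = "c:\\windows\\"


def parse(text):
    """Split a DDS log into the sections this triage cares about."""
    hosts, toolbars, lsps, files = [], [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Hosts: "):
            ip, _, host = line[len("Hosts: "):].partition(" ")
            hosts.append((ip, host.strip()))
        elif line.startswith("TB: "):
            toolbars.append(line[len("TB: "):])
        elif line.startswith("LSP: "):
            lsps.append(line[len("LSP: "):])
        else:
            m = FILE_RE.match(line)
            if m:
                date, _, size, attrs, path = m.groups()
                files.append({"date": date, "size": size,
                              "attrs": attrs.lower(), "path": path.lower()})
    return {"hosts": hosts, "toolbars": toolbars, "lsps": lsps, "files": files}


def findings(parsed):
    """Return (kind, detail) pairs. Kind labels and thresholds are assumptions."""
    out = []
    # Any hosts entry that does not point at loopback overrides DNS for that name.
    for (ip, host), n in Counter(parsed["hosts"]).items():
        if ip not in LOOPBACK:
            dup = f" ({n} duplicate entries)" if n > 1 else ""
            out.append(("hosts-override", f"{host} pinned to {ip}{dup}"))
    # A toolbar CLSID with no backing file is an orphaned registration.
    for tb in parsed["toolbars"]:
        if tb.endswith(" - No File"):
            out.append(("orphan-toolbar", tb.split(" - ")[0]))
    # Winsock LSPs sit in the path of every TCP connection; list them all.
    for lsp in parsed["lsps"]:
        out.append(("winsock-lsp", lsp))
    for f in parsed["files"]:
        attrs, path = f["attrs"], f["path"]
        parent, _, name = path.rpartition("\\")
        # Hidden + system attributes on a file under \windows.
        if "h" in attrs and "s" in attrs and path.startswith(WINDOWS_DIR):
            out.append(("hidden-system-file", path))
        # Executable whose name is only digits.
        if re.fullmatch(r"\d+\.(bat|cmd|exe|dll|sys)", name):
            out.append(("numeric-name", path))
        # Executables dropped straight into the Application Data root (8.3 form).
        if parent.endswith("\\applic~1") and name.endswith((".exe", ".sys", ".dll")):
            out.append(("exe-in-appdata-root", path))
    return out


def kind_counts(results):
    """How many findings of each kind (for a one-line summary)."""
    return dict(Counter(kind for kind, _ in results))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = DDS_EXCERPT
    for kind, detail in findings(parse(text)):
        print(f"[{kind}] {detail}")
```

On the excerpt this reports three DNS overrides (one of them listed three times), two orphaned toolbar CLSIDs, one third-party LSP, one hidden+system DLL in system32, one numeric-named .bat in Program Files and two binaries in the Application Data root. The LSP line deserves a look in this thread specifically: a broken Winsock LSP chain is a classic cause of "cannot connect" symptoms on XP, and the poster reports exactly that, but the script only lists the entry; whether the DLL is legitimate is something to check, not something the log proves.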


#2 gringo_pr (Bleepin Gringo, Malware Response Team, Puerto Rico)

Posted 15 January 2011 - 02:25 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having, as these can help also.
  • Do not run anything while running a fix.


We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.


In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:

  • Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger may ask you to reboot the machine, if it does - click OK
Do not re-enable these drivers until otherwise instructed.

Download DDS:

  • Please download DDS by sUBs from one of the links below and save it to your desktop:

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.

    • Double-click on dds.scr and a command window will appear. This is normal.
    • Shortly after, two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you to save and post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs and post them in your next reply





Scan With RKUnHooker

  • Please download Rootkit Unhooker and save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (tick) Drivers and Stealth. Uncheck the rest, then click OK.
  • Wait until the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note: you may get this warning; it is OK, just ignore it.

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"

Just click on Cancel, then Accept.


Information and logs:

  • In your next post I need the following:

  • logs from DDS
  • log from RKUnHooker
  • let me know of any problems you may have had

Gringo

I Close My Topics If You Have Not Replied In 5 Days. If You Will Be Longer, Please Let Me Know.

If I Have Not Replied To One Of My Topics In 48 Hrs, Please Bump The Topic.

My help is free; however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 maxson (Topic Starter)

Posted 17 January 2011 - 06:10 PM

Hello Gringo, I will be doing as instructed this evening. It is Monday night; I will post what you have directed by Tuesday. Also, I am able to connect now to the internet; something was stacked, I guess, in the index or something like that. Qwest, my provider, assisted in this, but I am still being redirected on any page I go to, so I believe something is still infected. I will no longer be doing anything else unless instructed to do so. I will send these logs that you have instructed to you by Tuesday. Thank you for your help.

#4 gringo_pr (Malware Response Team)

Posted 17 January 2011 - 06:32 PM

OK, thanks for letting me know.



Gringo

#5 maxson (Topic Starter)

Posted 19 January 2011 - 10:47 AM

Attached files: Report.txt (35.49KB), DDS.txt (20.18KB), Attach.txt (23.14KB)

Hope I have posted these correctly. Let me know, thanks.



DDS (Ver_10-12-12.02) - NTFSx86
Run by glen at 9:34:18.26 on Wed 01/19/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.767.192 [GMT -6:00]

AV: Norton 360 Online *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
AV: avast! antivirus 4.8.1368 [VPS 100914-1] *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Norton 360 Online *Enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\IProsetMonitor.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Norton 360\Engine\4.3.0.5\ccSvcHst.exe
C:\Program Files\Nero\Update\NASvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Qwest\Quickcare\bin\sprtsvc.exe
C:\Program Files\Qwest\Quickcare\bin\tgsrvc.exe
C:\Program Files\TuneUp Utilities 2011\TuneUpUtilitiesService32.exe
C:\Program Files\TuneUp Utilities 2011\TuneUpUtilitiesApp32.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Norton 360\Engine\4.3.0.5\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TweakRAM\TweakRAM.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Documents and Settings\Hack\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.derekprince.org/
uWindow Title = Windows Internet Explorer By Glen
uInternet Settings,ProxyOverride = <local>
mWinlogon: UIHost=c:\documents and settings\all users\application data\tuneup software\tuneup utilities\winstyler\tu_logonui.exe
BHO: IDMIEHlprObj Class: {0055c089-8582-441b-a0bf-17b458c2a3a8} - c:\program files\internet download manager\IDMIECC.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot - search & destroy\SDHelper.dll
BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\4.3.0.5\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\4.3.0.5\IPSBHO.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\4.3.0.5\coIEPlg.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB: {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [TweakRAM] c:\program files\tweakram\TweakRAM.exe
mRun: [PCTVOICE] pctspk.exe
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRunOnce: [nltide_2] regsvr32 /s /n /i:U shell32
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
IE: Download all links with IDM - c:\program files\internet download manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\internet download manager\IEGetVL.htm
IE: Download with IDM - c:\program files\internet download manager\IEExt.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot - search & destroy\SDHelper.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
Notify: WB - c:\program files\stardock\mycolors\fastload.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: IconPackager Repair - {1799460C-0BC8-4865-B9DF-4A36CD703FF0} - c:\program files\stardock\object desktop\iconpackager\iprepair.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hack\applic~1\mozilla\firefox\profiles\sncqbv0u.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.derekprince.org/site/PageServer?pagename=daily_devotional
FF - prefs.js: network.proxy.type - 0
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\ipsffplgn\components\IPSFFPl.dll
FF - component: c:\documents and settings\hack\application data\idm\idmmzcc2\components\idmmzcc.dll
FF - component: c:\documents and settings\hack\application data\mozilla\firefox\profiles\sncqbv0u.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc_fireftp.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npclntax_ClickPotatoLiteSA.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin2.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin3.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin4.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin5.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin6.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin7.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Strata RELOADED: stratareloaded@addons.mozilla.org - %profile%\extensions\stratareloaded@addons.mozilla.org
FF - Ext: Custom Download Manager: {04b56b3f-c4f4-48ba-9ea1-30e04fb7d829} - %profile%\extensions\{04b56b3f-c4f4-48ba-9ea1-30e04fb7d829}
FF - Ext: ColorfulTabs: {0545b830-f0aa-4d7e-8820-50a4629a56fe} - %profile%\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Flashblock: {3d7eb24f-2740-49df-8937-200b1cc08f8a} - %profile%\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}
FF - Ext: FireFTP: {a7c6cf7f-112c-4500-a7ea-39801a327e5f} - %profile%\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}
FF - Ext: MozXP: {ADA51547-FEF6-4b2c-8E96-EE45BDF53DE1} - %profile%\extensions\{ADA51547-FEF6-4b2c-8E96-EE45BDF53DE1}
FF - Ext: Easy Youtube Video Downloader: {c0c9a2c7-2e5c-4447-bc53-97718bc91e1b} - %profile%\extensions\{c0c9a2c7-2e5c-4447-bc53-97718bc91e1b}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Norton IPS: {BBDA0591-3099-440a-AA10-41764D9DB4DB} - c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\IPSFFPlgn
FF - Ext: Norton Toolbar: {2D3F3651-74B9-4795-BDEC-6DA2F431CB62} - c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\coFFPlgn
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: IDM CC: mozilla_cc@internetdownloadmanager.com - c:\documents and settings\hack\application data\idm\idmmzcc2

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-connections-per-server - 8
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: yahoo.homepage.dontask - true
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true

============= SERVICES / DRIVERS ===============

R0 AFPAnsi;Alfa File Protector Ansi;c:\windows\system32\drivers\AFPAnsi.sys [2011-1-15 43936]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0403000.005\symds.sys [2010-9-27 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0403000.005\symefa.sys [2010-9-27 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\bashdefs\20110114.001\BHDrvx86.sys [2011-1-19 691248]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0403000.005\cchpx86.sys [2010-9-27 501888]
R1 IDMTDI;IDMTDI;c:\windows\system32\drivers\idmtdi.sys [2010-11-30 95320]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-6 67656]
R1 SuperMounter;SuperMounter;c:\windows\system32\drivers\supermounter.sys [2011-1-15 11264]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0403000.005\ironx86.sys [2010-9-27 116784]
R2 Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service;c:\windows\system32\IPROSetMonitor.exe [2011-1-7 110240]
R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [2010-9-16 10448]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-1-7 363344]
R2 N360;Norton 360;c:\program files\norton 360\engine\4.3.0.5\ccsvchst.exe [2010-9-27 126392]
R2 NAUpdate;@c:\program files\nero\update\nasvc.exe,-200;c:\program files\nero\update\NASvc.exe [2010-5-4 503080]
R2 sprtsvc_quickcare;SupportSoft Sprocket Service (quickcare);c:\program files\qwest\quickcare\bin\sprtsvc.exe [2010-9-25 206120]
R2 tgsrvc_quickcare;SupportSoft Repair Service (quickcare);c:\program files\qwest\quickcare\bin\tgsrvc.exe [2010-9-25 185640]
R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\tuneup utilities 2011\TuneUpUtilitiesService32.exe [2010-12-14 1517376]
R3 dvdfab;dvdfab;c:\windows\system32\drivers\dvdfab.sys [2010-12-9 52096]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-10-31 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\ipsdefs\20110117.001\IDSXpx86.sys [2011-1-19 341944]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-1-7 20952]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\virusdefs\20110118.017\NAVENG.SYS [2011-1-19 86008]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\virusdefs\20110118.017\NAVEX15.SYS [2011-1-19 1360760]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\tuneup utilities 2011\TuneUpUtilitiesDriver32.sys [2010-11-29 10064]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-8-21 20560]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2010-11-11 27064]
S3 RTL8187B;TRENDnet TEW-424UB 54M USB Dongle;c:\windows\system32\drivers\rtl8187b.sys --> c:\windows\system32\drivers\RTL8187B.sys [?]
S4 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2010-8-21 114768]
S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-12-10 135664]
S4 SuperRam;SuperRam Memory Service;c:\program files\pgware\superram\superramservice.exe --> c:\program files\pgware\superram\SuperRamService.exe [?]
S4 VideoAcceleratorService;VideoAcceleratorService;c:\progra~1\speedb~1\videoacceleratorservice.exe -start -scm --> c:\progra~1\speedb~1\VideoAcceleratorService.exe -start -scm [?]

=============== Created Last 30 ================

2011-01-18 03:37:21 -------- d-----w- c:\program files\TuneUp Utilities 2011
2011-01-17 23:46:23 -------- d-----w- c:\windows\Bejeweled 3
2011-01-17 23:46:23 -------- d-----w- c:\program files\Bejeweled 3
2011-01-16 05:19:08 -------- d-----w- c:\program files\TweakRAM
2011-01-15 18:03:46 44000 ----a-w- c:\windows\system32\drivers\AFPUni.sys
2011-01-15 18:03:46 43936 ----a-w- c:\windows\system32\drivers\AFPAnsi.sys
2011-01-15 18:03:46 11264 ----a-w- c:\windows\system32\drivers\supermounter.sys
2011-01-15 18:03:45 261120 ----a-w- c:\windows\system32\baksm.dat
2011-01-15 18:03:44 5964800 ----a-w- c:\windows\system32\vbsbak.dat
2011-01-15 18:03:44 261120 ----a-w- c:\windows\system32\SuperMenuHook.dll
2011-01-15 18:03:41 89088 ----a-w- c:\windows\system32\Shreder.dll
2011-01-15 18:03:41 73728 ----a-w- c:\windows\system32\smh.dat
2011-01-15 18:03:41 6144 ----a-w- c:\windows\system32\SuperRes.dll
2011-01-15 18:03:41 56 ----a-w- c:\windows\system32\vb6sock.dll
2011-01-14 07:17:22 -------- d-----w- C:\NVIDIA
2011-01-14 07:01:29 -------- d-----w- c:\program files\Intel Desktop Board Audio Driver
2011-01-14 06:13:21 -------- d-----w- c:\program files\Driver-Soft
2011-01-12 22:01:06 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-01-12 22:01:06 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2011-01-09 11:33:57 -------- d-----w- C:\90259361620902cc7d
2011-01-08 02:29:50 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2011-01-08 02:28:48 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-01-08 02:28:48 -------- d-----w- c:\docume~1\hack\applic~1\SUPERAntiSpyware.com
2011-01-08 02:27:24 -------- d-----w- c:\program files\common files\Wise Installation Wizard
2011-01-08 02:08:34 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-08 02:08:27 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-08 01:53:35 36224 -c--a-w- c:\windows\system32\dllcache\an983.sys
2011-01-08 01:53:35 36224 ----a-w- c:\windows\system32\drivers\an983.sys
2011-01-08 01:39:16 110240 ----a-w- c:\windows\system32\IPROSetMonitor.exe
2011-01-05 08:47:06 -------- d-----w- c:\program files\SuperLogix
2011-01-04 14:31:16 -------- d-----w- c:\docume~1\alluse~1\applic~1\Trymedia
2011-01-01 05:42:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-31 11:59:12 -------- d-----w- c:\docume~1\hack\applic~1\DisplayTune
2010-12-31 11:55:17 62009 ----a-w- c:\windows\system32\wpfb_nv4_disp.dll
2010-12-31 11:53:52 17136 ----a-w- c:\windows\system32\drivers\PdiPorts.sys
2010-12-31 11:52:57 487424 ----a-w- c:\windows\msvcp70.dll
2010-12-31 11:52:57 344064 ----a-w- c:\windows\msvcr70.dll
2010-12-31 11:52:54 1392671 ----a-w- c:\windows\msvbvm60.dll
2010-12-31 11:52:36 -------- d-----w- c:\program files\common files\Portrait Displays
2010-12-28 19:05:18 31552 ----a-w- c:\windows\system32\TURegOpt.exe
2010-12-28 19:05:18 29504 ----a-w- c:\windows\system32\uxtuneup.dll
2010-12-28 17:26:51 -------- d-----w- c:\docume~1\hack\applic~1\MSNInstaller
2010-12-28 16:11:47 70144 --sha-r- c:\windows\system32\vssvcv.dll
2010-12-28 05:46:10 87608 ----a-w- c:\docume~1\hack\applic~1\inst.exe
2010-12-28 05:46:10 47360 ----a-w- c:\docume~1\hack\applic~1\pcouffin.sys
2010-12-28 05:45:45 -------- d-----w- c:\program files\DVDFab 8

==================== Find3M ====================

2010-12-09 16:23:18 658552 ----a-w- c:\windows\system32\ncs2dmix.dll
2010-12-09 16:01:36 134776 ----a-w- c:\windows\system32\ncs2instutility.dll
2010-12-09 15:44:40 1901176 ----a-w- c:\windows\system32\ncscolib.dll
2010-11-29 19:48:26 183296 ----a-w- c:\windows\system32\Ncs2Setp.dll
2010-11-24 22:42:21 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-11-24 22:42:21 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-11-22 00:34:39 36734 ----a-w- c:\windows\system32\OggDSuninst.exe
2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-13 00:53:06 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-12 22:34:10 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-11-12 00:44:54 94208 ----a-w- c:\windows\system32\dpl100.dll
2010-11-10 08:59:55 19657194 ----a-w- c:\docume~1\alluse~1\applic~1\vlc-1.1.4-win32.exe
2010-11-09 14:52:35 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-08 22:57:04 353592 ----a-w- c:\windows\system32\DivXControlPanelApplet.cpl
2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26:58 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec
2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys
2010-10-26 04:08:09 737280 ----a-w- c:\windows\iun6002.exe
2010-10-16 04:45:33 448 ----a-w- c:\program files\1015201023453303.bat

============= FINISH: 9:37:43.70 ===============

Edited by gringo_pr, 19 January 2011 - 11:09 AM.


#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:02:04 AM

Posted 19 January 2011 - 11:10 AM

Hello

I Would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

In your next post I need the following:
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 maxson

maxson
  • Topic Starter

  • Members
  • 69 posts
  • OFFLINE
  • Local time:01:04 AM

Posted 19 January 2011 - 06:38 PM

Hello Gringo, I did as instructed. I did disable Norton 360 and the smart firewall, but when I ran ComboFix it said the real-time scanner was still running, but it had the red X on it saying it was disabled, so I went ahead and ran it. ComboFix said do this at your risk, but everything was to my knowledge; hope that didn't have any bearing on the fix. Then when it rebooted my Malwarebytes and SUPERAntiSpyware tried to run, but I think I disabled them in time to complete the log, I don't know. Let me know what you think in your opinion. I did get some software online through some torrents, so let me know if I should just uninstall any of these if you see any issues with the log. Thank you for your help. Let me know where to donate; also let me know what this means as far as my computer issue. Thanks, everything seems to be running good now. I haven't tried the Google default page to see if I am still being redirected; I will try and let you know. Thanks, Glen.

Attached File: log.txt (27.65KB, 1 downloads)

#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:02:04 AM

Posted 19 January 2011 - 07:12 PM

Greetings

Good That cleaned up some bad guys but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:multiple Anti Virus programs:

It looks like you are operating your computer with multiple Anti Virus programs running in memory at once:

AV: avast! antivirus
AV: Norton 360 Online


Anti-virus programs take up an enormous amount of your computer's resources when they are actively scanning your computer. Having two anti-virus programs running at the same time can cause your computer to run very slow, become unstable and even, in rare cases, crash.

Please remove one of them.




:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

DDS::
uInternet Settings,ProxyOverride = <local>


Save it to your desktop as CFScript.txt

Referring to the picture below, drag CFScript.txt into ComboFix.exe
[image: CFScript.txt being dragged onto ComboFix.exe]
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

"information and logs"

In your next post I need the following:
  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo
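Added example, not part of this thread and not code from the DDS or ComboFix tools: a small triage parser over a handful of lines copied from the DDS and ComboFix logs posted above. It flags the entry types a helper tends to look at first, including the "more than one AV: line" condition Gringo points out in the post above. The rule names and thresholds are my own heuristics; a flag is a prompt to check a file or registration, not a verdict that it is malicious.

```python
import re
from dataclasses import dataclass

# Constructed sample: a few lines copied from the DDS and ComboFix logs in this thread.
SAMPLE_LOG = r"""
AV: avast! antivirus 4.8.1368 [VPS 100914-1] *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Norton 360 Online *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}

============== Pseudo HJT Report ===============

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot - search & destroy\SDHelper.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
dRunOnce: [nltide_2] regsvr32 /s /n /i:U shell32

============= SERVICES / DRIVERS ===============

R1 IDMTDI;IDMTDI;c:\windows\system32\drivers\idmtdi.sys [2010-11-30 95320]
S4 SuperRam;SuperRam Memory Service;c:\program files\pgware\superram\superramservice.exe --> c:\program files\pgware\superram\SuperRamService.exe [?]

=============== Created Last 30 ================

2011-01-08 02:08:27 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-28 16:11:47 70144 --sha-r- c:\windows\system32\vssvcv.dll
2010-10-16 04:45:33 448 ----a-w- c:\program files\1015201023453303.bat
"""


@dataclass
class Finding:
    kind: str   # heuristic name (my own labels, not DDS terminology)
    line: str   # the log line (or summary) that triggered it
    why: str    # one-line reason a reviewer would look closer


# "AV: <product> *Enabled/Updated* {GUID}" header line from the DDS/ComboFix preamble
AV_RE = re.compile(r"^AV: (.+?) \*")
# "R1 Name;Display Name;path [date size]" service/driver entry
SVC_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+)$")
# "YYYY-MM-DD HH:MM:SS size attrs path" entry from Created Last 30 / Find3M
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\S+)\s+([-a-z]{8})\s+(.+)$")
# executable or script whose base name is digits only (heuristic)
NUMERIC_NAME_RE = re.compile(r"\\\d+\.(bat|cmd|vbs|exe|scr|com)$", re.I)


def triage(log_text):
    """Return the list of Findings for a DDS/ComboFix-style log, in log order."""
    findings = []
    av_products = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line in {"."} or line.startswith("="):
            continue
        m = AV_RE.match(line)
        if m:
            av_products.append(m.group(1))
            continue
        # BHO/toolbar CLSID registered but its DLL is gone: leftover of an uninstall
        if line.startswith(("BHO:", "TB:")) and line.endswith("- No File"):
            findings.append(Finding("orphaned_ie_addon", line,
                                    "registered CLSID points at no file"))
            continue
        m = SVC_RE.match(line)
        if m:
            # DDS appends [?] when it could not read the file the service points at
            if m.group(4).rstrip().endswith("[?]"):
                findings.append(Finding("unverified_service_file", line,
                                        "service points at a file DDS could not read"))
            continue
        m = FILE_RE.match(line)
        if m:
            attrs, path = m.group(3), m.group(4)
            if "s" in attrs and "h" in attrs and "\\system32\\" in path.lower():
                findings.append(Finding("hidden_system_file", line,
                                        "new file under system32 carrying hidden+system attributes"))
            elif NUMERIC_NAME_RE.search(path):
                findings.append(Finding("numeric_name_executable", line,
                                        "executable/script with an all-digit name"))
    if len(av_products) > 1:
        # Two resident AV products is the condition Gringo flags in the thread
        findings.insert(0, Finding("multiple_av_products", "; ".join(av_products),
                                   "more than one antivirus product registered"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.why}\n    {f.line}")
```

Run against the sample it reports the two AV products, the orphaned toolbar CLSID, the SuperRam service whose file DDS could not read, the hidden+system vssvcv.dll under system32, and the all-digit .bat under Program Files; mbam.sys and the other ordinary entries pass through untouched.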

#9 maxson

maxson
  • Topic Starter

  • Members
  • 69 posts
  • OFFLINE
  • Local time:01:04 AM

Posted 19 January 2011 - 08:51 PM

Hey Gringo, I didn't do anything yet. I only thought I had Norton running only. I did have avast running about 6-8 months ago, but every once in a while I would get some crazy error, "couldn't load avast" something, when I would use my Microsoft OneNote program, and when I would see what drivers I had running that thing for avast would always be there. How do I get rid of the avast? It's not in my Add or Remove Programs in the Control Panel, so I don't know how in the he** to get this thing off of here. Like I said, I only have Norton 360 through my provider Qwest, I thought, and I run Malwarebytes Pro for scans and SUPERAntiSpyware for scans, but the only anti-virus program I thought I was running was Norton 360. So should I continue with what you have directed in the last post, or should we do something else before I do that? I haven't done anything yet.

#10 maxson

maxson
  • Topic Starter

  • Members
  • 69 posts
  • OFFLINE
  • Local time:01:04 AM

Posted 19 January 2011 - 11:22 PM

I went ahead and ran that CFScript that you instructed. Also I noticed in the log it said "avast disabled/updated" or something to that effect; I didn't disable anything named avast, I don't know where this is coming from, can we get rid of it somehow? But here is what the ComboFix log came up with after I dropped the CFScript into it. Glen.

Attached File: CFScript_log.txt (25.31KB, 2 downloads)

ComboFix 11-01-19.01 - glen 01/19/2011 21:43:55.6.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.767.441 [GMT -6:00]
Running from: c:\documents and settings\Hack\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Hack\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1368 [VPS 100914-1] *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Norton 360 Online *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 Online *Disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\AutoRun.inf
c:\windows\system32\drivers\etc\lmhosts

.
((((((((((((((((((((((((( Files Created from 2010-12-20 to 2011-01-20 )))))))))))))))))))))))))))))))
.

2011-01-18 03:37 . 2011-01-18 03:38 -------- d-----w- c:\program files\TuneUp Utilities 2011
2011-01-17 23:46 . 2011-01-18 23:03 -------- d-----w- c:\program files\Bejeweled 3
2011-01-17 23:46 . 2011-01-17 23:46 -------- d-----w- c:\windows\Bejeweled 3
2011-01-16 05:19 . 2011-01-16 05:19 -------- d-----w- c:\program files\TweakRAM
2011-01-15 18:03 . 2008-02-24 22:17 11264 ----a-w- c:\windows\system32\drivers\supermounter.sys
2011-01-15 18:03 . 2007-03-12 03:39 44000 ----a-w- c:\windows\system32\drivers\AFPUni.sys
2011-01-15 18:03 . 2007-03-12 03:39 43936 ----a-w- c:\windows\system32\drivers\AFPAnsi.sys
2011-01-15 18:03 . 2008-12-18 04:09 261120 ----a-w- c:\windows\system32\baksm.dat
2011-01-15 18:03 . 2010-05-25 12:15 5964800 ----a-w- c:\windows\system32\vbsbak.dat
2011-01-15 18:03 . 2008-12-18 04:09 261120 ----a-w- c:\windows\system32\SuperMenuHook.dll
2011-01-15 18:03 . 2008-02-28 15:43 56 ----a-w- c:\windows\system32\vb6sock.dll
2011-01-15 18:03 . 2003-10-17 04:56 6144 ----a-w- c:\windows\system32\SuperRes.dll
2011-01-15 18:03 . 2003-10-11 16:24 89088 ----a-w- c:\windows\system32\Shreder.dll
2011-01-15 18:03 . 2003-09-07 04:32 73728 ----a-w- c:\windows\system32\smh.dat
2011-01-14 07:17 . 2011-01-14 07:17 -------- d-----w- C:\NVIDIA
2011-01-14 07:01 . 2011-01-14 07:01 -------- d-----w- c:\program files\Intel Desktop Board Audio Driver
2011-01-14 06:13 . 2011-01-14 06:13 -------- d-----w- c:\program files\Driver-Soft
2011-01-12 22:01 . 2011-01-13 00:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-01-12 22:01 . 2011-01-12 22:04 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-01-09 11:33 . 2011-01-09 11:41 -------- d-----w- C:\90259361620902cc7d
2011-01-08 02:29 . 2011-01-08 02:29 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-01-08 02:28 . 2011-01-14 23:53 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-01-08 02:28 . 2011-01-08 02:28 -------- d-----w- c:\documents and settings\Hack\Application Data\SUPERAntiSpyware.com
2011-01-08 02:27 . 2011-01-08 02:27 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2011-01-08 02:08 . 2010-12-21 00:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-08 02:08 . 2010-12-21 00:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-08 01:53 . 2008-04-14 08:05 36224 -c--a-w- c:\windows\system32\dllcache\an983.sys
2011-01-08 01:53 . 2008-04-14 08:05 36224 ----a-w- c:\windows\system32\drivers\an983.sys
2011-01-08 01:39 . 2010-10-25 14:42 110240 ----a-w- c:\windows\system32\IPROSetMonitor.exe
2011-01-05 08:47 . 2011-01-15 18:03 -------- d-----w- c:\program files\SuperLogix
2011-01-05 03:12 . 2011-01-05 03:12 -------- d-----w- c:\program files\Microsoft Silverlight
2011-01-04 14:31 . 2011-01-04 14:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Trymedia
2011-01-01 05:42 . 2011-01-13 00:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-31 11:59 . 2011-01-01 00:28 -------- d-----w- c:\documents and settings\Hack\Application Data\DisplayTune
2010-12-31 11:55 . 2010-12-31 11:55 62009 ----a-w- c:\windows\system32\wpfb_nv4_disp.dll
2010-12-31 11:53 . 2010-04-16 21:34 17136 ----a-w- c:\windows\system32\drivers\PdiPorts.sys
2010-12-31 11:52 . 2002-01-05 10:40 487424 ----a-w- c:\windows\msvcp70.dll
2010-12-31 11:52 . 2002-01-05 10:37 344064 ----a-w- c:\windows\msvcr70.dll
2010-12-31 11:52 . 2004-08-04 07:56 1392671 ----a-w- c:\windows\msvbvm60.dll
2010-12-31 11:52 . 2011-01-01 06:32 -------- d-----w- c:\program files\Common Files\Portrait Displays
2010-12-28 19:05 . 2010-12-14 20:35 31552 ----a-w- c:\windows\system32\TURegOpt.exe
2010-12-28 19:05 . 2010-12-14 20:31 29504 ----a-w- c:\windows\system32\uxtuneup.dll
2010-12-28 17:26 . 2010-12-28 17:26 -------- d-----w- c:\documents and settings\Hack\Application Data\MSNInstaller
2010-12-28 16:11 . 2010-12-28 16:11 70144 --sha-r- c:\windows\system32\vssvcv.dll
2010-12-28 14:14 . 2010-12-29 22:10 -------- d-----w- c:\documents and settings\Hack\Application Data\vlc
2010-12-28 05:46 . 2010-12-28 05:46 47360 ----a-w- c:\documents and settings\Hack\Application Data\pcouffin.sys
2010-12-28 05:46 . 2010-12-28 05:46 -------- d-----w- c:\documents and settings\Hack\Application Data\Vso
2010-12-28 05:45 . 2011-01-19 02:03 -------- d-----w- c:\program files\DVDFab 8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-07 10:55 . 2010-10-27 00:24 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
2010-12-28 05:46 . 2010-09-18 19:30 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2010-12-09 16:23 . 2010-12-09 16:23 658552 ----a-w- c:\windows\system32\ncs2dmix.dll
2010-12-09 16:01 . 2010-12-09 16:01 134776 ----a-w- c:\windows\system32\ncs2instutility.dll
2010-12-09 15:44 . 2010-12-09 15:44 1901176 ----a-w- c:\windows\system32\ncscolib.dll
2010-12-04 02:35 . 2010-12-09 19:29 52096 ----a-w- c:\windows\system32\drivers\dvdfab.sys
2010-11-29 19:48 . 2010-11-29 19:48 183296 ----a-w- c:\windows\system32\Ncs2Setp.dll
2010-11-26 18:38 . 2010-11-30 18:28 95320 ----a-w- c:\windows\system32\drivers\idmtdi.sys
2010-11-24 22:42 . 2010-08-22 04:40 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-11-24 22:42 . 2007-03-12 02:24 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-11-22 00:34 . 2010-11-22 00:34 36734 ----a-w- c:\windows\system32\OggDSuninst.exe
2010-11-18 18:12 . 2010-08-10 22:06 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-13 00:53 . 2010-08-21 19:51 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-12 22:34 . 2010-08-21 19:51 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-11-12 00:44 . 2010-11-12 00:44 94208 ----a-w- c:\windows\system32\dpl100.dll
2010-11-09 14:52 . 2008-04-14 08:00 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-08 22:57 . 2010-11-08 22:57 353592 ----a-w- c:\windows\system32\DivXControlPanelApplet.cpl
2010-11-06 00:26 . 2008-07-12 19:10 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2008-04-23 00:16 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2008-04-23 00:16 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25 . 2008-07-12 19:09 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2008-04-14 08:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-29 20:54 . 2010-10-29 20:54 53248 ----a-r- c:\documents and settings\Hack\Application Data\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe
2010-10-28 13:13 . 2008-04-14 08:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-28 12:46 . 2010-10-28 12:46 30368 ----a-w- c:\windows\system32\drivers\iqvw32.sys
2010-10-26 13:25 . 2008-04-14 08:00 1853312 ----a-w- c:\windows\system32\win32k.sys
2010-10-26 04:08 . 2010-10-26 04:08 737280 ----a-w- c:\windows\iun6002.exe
2010-10-16 04:45 . 2010-10-16 04:45 448 ----a-w- c:\program files\1015201023453303.bat
.

------- Sigcheck -------

[-] 2008-07-12 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2011-01-19_23.05.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-08-11 15:34 . 2011-01-20 00:46 1536 c:\windows\system32\TrueSoft.dat
- 2010-08-11 15:34 . 2011-01-17 23:33 1536 c:\windows\system32\TrueSoft.dat
+ 2011-01-01 11:35 . 2011-01-20 01:19 1744 c:\windows\system32\d3d9caps.dat
- 2011-01-01 11:35 . 2011-01-19 14:25 1744 c:\windows\system32\d3d9caps.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IDM Shell Extension]
@="{CDC95B92-E27C-4745-A8C5-64A52A78855D}"
[HKEY_CLASSES_ROOT\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}]
2010-11-30 17:01 66144 ----a-w- c:\program files\Internet Download Manager\IDMShellExt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-01-14 2424560]
"TweakRAM"="c:\program files\TweakRAM\TweakRAM.exe" [2010-03-18 1101824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCTVOICE"="pctspk.exe" [2001-08-18 86016]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-12-21 443728]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-05-16 5562368]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\documents and settings\All Users\Application Data\TuneUp Software\TuneUp Utilities\WinStyler\tu_logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 21:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2010-05-06 09:29 64592 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2009-09-29 16:20 30000 ----a-w- c:\program files\Stardock\MyColors\fastload.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 08:00 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-12-09 19:28 1226608 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2005-05-16 17:47 1495040 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickCare]
2010-01-16 18:30 206120 ----a-w- c:\program files\Qwest\Quickcare\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Qwest Personal Digital Vault]
2009-12-18 18:58 1064808 ----a-w- c:\program files\Qwest Personal Digital Vault\QwestPersonalDigitalVault.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2010-12-12 21:51 395640 ----a-w- c:\program files\uTorrent\uTorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"TuneUp.UtilitiesSvc"=2 (0x2)
"ose"=3 (0x3)
"LightScribeService"=2 (0x2)
"gupdate"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe"
"DVDFab Passkey"="c:\program files\DVDFab Passkey\DVDFabPasskey.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime Alternative\qttask.exe" -atboottime
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"QuickCare"=c:\program files\Qwest\Quickcare\bin\sprtcmd.exe /P QuickCare
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
"nwiz"=nwiz.exe /install
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Yamicsoft\\WinXP Manager\\WinXP Manager.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"14736:TCP"= 14736:TCP:BitComet 14736 TCP
"14736:UDP"= 14736:UDP:BitComet 14736 UDP

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0403000.005\symds.sys [9/27/2010 6:50 AM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0403000.005\symefa.sys [9/27/2010 6:50 AM 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20110114.001\BHDrvx86.sys [1/19/2011 8:28 AM 691248]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0403000.005\cchpx86.sys [9/27/2010 6:50 AM 501888]
R1 IDMTDI;IDMTDI;c:\windows\system32\drivers\idmtdi.sys [11/30/2010 12:28 PM 95320]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/6/2010 5:10 PM 67656]
R1 SuperMounter;SuperMounter;c:\windows\system32\drivers\supermounter.sys [1/15/2011 12:03 PM 11264]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0403000.005\ironx86.sys [9/27/2010 6:50 AM 116784]
R2 Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service;c:\windows\system32\IPROSetMonitor.exe [1/7/2011 7:39 PM 110240]
R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [9/16/2010 6:52 PM 10448]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [1/7/2011 8:08 PM 363344]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\4.3.0.5\ccsvchst.exe [9/27/2010 6:50 AM 126392]
R2 NAUpdate;@c:\program files\Nero\Update\NASvc.exe,-200;c:\program files\Nero\Update\NASvc.exe [5/4/2010 11:07 AM 503080]
R2 sprtsvc_quickcare;SupportSoft Sprocket Service (quickcare);c:\program files\Qwest\Quickcare\bin\sprtsvc.exe [9/25/2010 8:48 PM 206120]
R2 tgsrvc_quickcare;SupportSoft Repair Service (quickcare);c:\program files\Qwest\Quickcare\bin\tgsrvc.exe [9/25/2010 8:48 PM 185640]
R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2011\TuneUpUtilitiesService32.exe [12/14/2010 2:33 PM 1517376]
R3 dvdfab;dvdfab;c:\windows\system32\drivers\dvdfab.sys [12/9/2010 1:29 PM 52096]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [10/31/2010 2:00 AM 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20110117.001\IDSXpx86.sys [1/19/2011 8:29 AM 341944]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [1/7/2011 8:08 PM 20952]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2011\TuneUpUtilitiesDriver32.sys [11/29/2010 7:27 PM 10064]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/21/2010 10:40 PM 20560]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [11/11/2010 7:07 AM 27064]
S3 RTL8187B;TRENDnet TEW-424UB 54M USB Dongle;c:\windows\system32\DRIVERS\RTL8187B.sys --> c:\windows\system32\DRIVERS\RTL8187B.sys [?]
S4 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [8/21/2010 10:40 PM 114768]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/10/2010 9:19 AM 135664]
S4 SuperRam;SuperRam Memory Service;c:\program files\PGWARE\SuperRam\SuperRamService.exe --> c:\program files\PGWARE\SuperRam\SuperRamService.exe [?]
S4 VideoAcceleratorService;VideoAcceleratorService;c:\progra~1\SPEEDB~1\VideoAcceleratorService.exe -start -scm --> c:\progra~1\SPEEDB~1\VideoAcceleratorService.exe -start -scm [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2010-11-22 20:18 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2011-01-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-10 15:18]

2011-01-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-10 15:18]

2011-01-13 c:\windows\Tasks\Optimization Wizard.job
- c:\program files\Yamicsoft\WinXP Manager\OptimizationWizard.exe [2009-02-23 17:57]

2011-01-19 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-57989841-1580436667-1644491937-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 17:33]

2011-01-19 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-57989841-1580436667-1644491937-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 17:33]

2011-01-13 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-57989841-1580436667-1644491937-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 17:33]

2011-01-17 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-57989841-1580436667-1644491937-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 17:33]

2011-01-16 c:\windows\Tasks\WinXP Manager Live Update.job
- c:\program files\Yamicsoft\WinXP Manager\LiveUpdate.exe [2007-09-22 06:43]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.derekprince.org/
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
FF - ProfilePath - c:\documents and settings\Hack\Application Data\Mozilla\Firefox\Profiles\sncqbv0u.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.derekprince.org/site/PageServer?pagename=daily_devotional
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Strata RELOADED: stratareloaded@addons.mozilla.org - %profile%\extensions\stratareloaded@addons.mozilla.org
FF - Ext: Custom Download Manager: {04b56b3f-c4f4-48ba-9ea1-30e04fb7d829} - %profile%\extensions\{04b56b3f-c4f4-48ba-9ea1-30e04fb7d829}
FF - Ext: ColorfulTabs: {0545b830-f0aa-4d7e-8820-50a4629a56fe} - %profile%\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Flashblock: {3d7eb24f-2740-49df-8937-200b1cc08f8a} - %profile%\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}
FF - Ext: FireFTP: {a7c6cf7f-112c-4500-a7ea-39801a327e5f} - %profile%\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}
FF - Ext: MozXP: {ADA51547-FEF6-4b2c-8E96-EE45BDF53DE1} - %profile%\extensions\{ADA51547-FEF6-4b2c-8E96-EE45BDF53DE1}
FF - Ext: Easy Youtube Video Downloader: {c0c9a2c7-2e5c-4447-bc53-97718bc91e1b} - %profile%\extensions\{c0c9a2c7-2e5c-4447-bc53-97718bc91e1b}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Norton IPS: {BBDA0591-3099-440a-AA10-41764D9DB4DB} - c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\IPSFFPlgn
FF - Ext: Norton Toolbar: {2D3F3651-74B9-4795-BDEC-6DA2F431CB62} - c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\coFFPlgn
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: IDM CC: mozilla_cc@internetdownloadmanager.com - c:\documents and settings\Hack\Application Data\IDM\idmmzcc2
FF - user.js: network.http.max-connections-per-server - 8
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: yahoo.homepage.dontask - true
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-19 22:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\4.3.0.5\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\4.3.0.5\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-57989841-1580436667-1644491937-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\ACPI\PNP0F03\4&268d196d&0\LogConf]
@DACL=(02 0000)
"BasicConfigVector"=hex(a):48,00,00,00,0f,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,01,00,01,00,01,00,00,00,00,02,\
"BootConfig"=hex(8):01,00,00,00,0f,00,00,00,00,00,00,00,01,00,01,00,01,00,00,
00,02,01,01,00,0c,00,00,00,0c,00,00,00,ff,ff,ff,ff

[HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\HID\Vid_046d&Pid_c517&MI_01&Col01\8&23ad9fe&0&0000\LogConf]
@DACL=(02 0000)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1488)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\Stardock\MyColors\fastload.dll
.
Completion time: 2011-01-19 22:13:51
ComboFix-quarantined-files.txt 2011-01-20 04:13
ComboFix2.txt 2011-01-19 23:16
ComboFix3.txt 2010-09-13 07:50
ComboFix4.txt 2010-09-13 07:14
ComboFix5.txt 2011-01-20 03:38

Pre-Run: 340,804,075,520 bytes free
Post-Run: 340,777,422,848 bytes free

- - End Of File - - 0C8810C1D5BAF113A264E5B52FF15896

Edited by gringo_pr, 20 January 2011 - 12:45 PM.
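Before a helper acts on a log like the one above, the first pass is mechanical: is the Windows Firewall off, which service and driver entries point at binaries that are no longer on disk (the `--> path [?]` form), which autostart values have a missing target (`[X]`), which DLLs are registered under Winlogon\Notify (they are loaded into winlogon.exe, as the "DLLs Loaded Under Running Processes" section confirms), and whether anything executable has been dropped straight into the root of Program Files rather than a vendor folder. The Python below is an added example, not part of this thread and not ComboFix's own code: it reads a text log in the format shown above and collects exactly those entries. It assumes the `[?]` and `[X]` markers mean the referenced file was not found, which is how I read them here, and its sample input is a constructed excerpt of a few lines from the log above. Orphaned service entries are often leftovers of uninstalled or unplugged hardware (a USB dongle, a removed utility), so the output is a review list, not a verdict.

```python
"""Triage a ComboFix-style log for the items a malware-removal helper looks at first."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" = act on it, "review" = confirm before acting
    reason: str
    line: str


# Service/driver line: `R0 Name;Display name;c:\path\file.sys [date size]`;
# an entry whose binary is not on disk ends in `--> c:\path [?]` in this log format (assumed).
SERVICE_RE = re.compile(r"^(?P<start>[RS][0-4]) (?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
# Autostart value: `"Name"="c:\path\prog.exe" [2011-01-14 2424560]`; `[X]` = target not found (assumed).
AUTOSTART_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<target>.+?)\s*\[(?P<meta>[^\]]*)\]$')
# Registry key header that scopes the lines after it, e.g. `[HKEY_LOCAL_MACHINE\...\Run]`.
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# Created/modified file line: `2010-10-16 04:45 . 2010-10-16 04:45 448 ----a-w- c:\program files\x.bat`.
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+\d+\s+\S+\s+(?P<path>[a-z]:\\.+)$",
    re.I,
)
FIREWALL_OFF_RE = re.compile(r'^"EnableFirewall"=\s*0\b')
EXEC_EXT = (".exe", ".bat", ".cmd", ".scr", ".com", ".pif", ".vbs")


def dropped_in_program_files_root(path: str) -> bool:
    """True for an executable sitting directly in Program Files rather than in a vendor folder."""
    m = re.match(r"^[a-z]:\\program files\\(?P<name>[^\\]+)$", path, re.I)
    return bool(m) and m.group("name").lower().endswith(EXEC_EXT)


def triage(log_text: str) -> list[Finding]:
    """Walk the log once and collect review-worthy entries; heuristics, not verdicts."""
    findings: list[Finding] = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := KEY_RE.match(line)):
            current_key = m.group("key").lower()
            continue
        if FIREWALL_OFF_RE.match(line):
            findings.append(Finding("high", "Windows Firewall disabled in the standard profile", line))
            continue
        if (m := SERVICE_RE.match(line)):
            if m.group("rest").rstrip().endswith("[?]"):
                findings.append(Finding("review", f"service {m.group('name')}: binary not found on disk", line))
            continue
        if (m := FILE_RE.match(line)):
            if dropped_in_program_files_root(m.group("path")):
                findings.append(Finding("high", "executable dropped in the root of Program Files", line))
            continue
        if (m := AUTOSTART_RE.match(line)):
            if m.group("meta").strip() == "X":
                findings.append(Finding("review", f"autostart {m.group('name')}: target not found", line))
            continue
        # Winlogon Notify DLLs load inside winlogon.exe, so every one deserves a look.
        if "winlogon\\notify\\" in current_key and line.lower().endswith(".dll"):
            findings.append(Finding("review", "Winlogon Notify DLL (loaded into winlogon.exe)", line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity so a helper can see at a glance how much is left."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample: a handful of lines excerpted from the log above, in the same format.
SAMPLE_LOG = r"""
2010-10-16 04:45 . 2010-10-16 04:45 448 ----a-w- c:\program files\1015201023453303.bat
2010-10-26 04:08 . 2010-10-26 04:08 737280 ----a-w- c:\windows\iun6002.exe
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2009-09-29 16:20 30000 ----a-w- c:\program files\Stardock\MyColors\fastload.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [1/7/2011 8:08 PM 363344]
S3 RTL8187B;TRENDnet TEW-424UB 54M USB Dongle;c:\windows\system32\DRIVERS\RTL8187B.sys --> c:\windows\system32\DRIVERS\RTL8187B.sys [?]
S4 SuperRam;SuperRam Memory Service;c:\program files\PGWARE\SuperRam\SuperRamService.exe --> c:\program files\PGWARE\SuperRam\SuperRamService.exe [?]
"""


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

Run against the excerpt it reports the numerically named .bat in Program Files and the disabled firewall as "high", and the missing RunOnce target, the Winlogon Notify DLL and the two orphaned services as "review". The firewall line is the one a helper fixes immediately; the orphaned services are checked against what the user remembers installing before anything is deleted.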


#11 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:02:04 AM

Posted 20 January 2011 - 12:50 PM

I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

SecCenter::
AV: avast! antivirus 4.8.1368 [VPS 100914-1] *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}


Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#12 maxson
  • Topic Starter

  • Members
  • 69 posts
  • Local time:01:04 AM

Posted 20 January 2011 - 08:39 PM

Can't find the log to this. I ran it; they're all dated 1-19-2011. There should have been one dated 1-20-2011. Should I run this again or not? I don't know what happened.

#13 gringo_pr


Posted 20 January 2011 - 09:20 PM

Yes, run it again in the way that I asked in the reply.

#14 maxson


Posted 20 January 2011 - 09:53 PM

OK, ran it again. I think it went to temp somewhere. Attached file: secondCFScript_log.txt. Couldn't find the first one; here is the second. Thanks for patience, Gringo.

#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:02:04 AM

Posted 20 January 2011 - 10:04 PM

Hello

:P2P Warning!:

IMPORTANT: I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur.
Once upon a time, P2P file sharing was fairly safe. That is no longer true. P2P programs form a direct conduit on to your computer, their security measures are easily circumvented, and malware writers are increasingly exploiting them to spread their wares on to your computer. Further to that, if your P2P program is not configured correctly, your computer may be sharing more files than you realise. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to a file sharing network by a badly configured program.

Please read these short reports on the dangers of peer-2-peer programs and file sharing.

FBI Cyber Education Letter
File sharing infects 500,000 computers
USAToday
infoworld


These logs are looking alot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

Clear your Java Cache

  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      Applications and Applets
      Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.

TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis.
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
