Can Not Remove B6F867EB-F092-4C5E-ACA0-F30547DC3874


16 replies to this topic

#1 GeoHew


Posted 14 January 2011 - 01:12 PM

EDIT: Moved to proper forum,Virus, Trojan, Spyware, and Malware Removal Logs ~~ MOD boopme

I have been trying to clear up an issue with Google Search Redirects - and following the directions from my virus software company has failed to clean up my system. After all I have been instructed to do, I am now receiving a blue screen of death; have found an "update" in add/remove programs that says "unable to remove"; system is running very slowly; HiJack This shows nulls, missing files etc.


Virus/Firewall Software: F-Secure 2011
Operating System: Windows XP Professional
Prior Action(s) Taken:

1. Ran full system scan w/F-Secure 2011 - results said system had no infection
2. Reviewed F-Secure Log/Action Files - indicated that the following was identified but failed to be removed:
Kazy, Beminin, Trojan, or Backdoor.Php.Nst.B (two instances)
3. F-Secure instructed me to download and run the following:

GMER: Scan froze and stopped on C:\My ini - system was turned off at power switch; Second attempted scan froze the system again forcing power reboot. Attempted to run GMER in safe mode and received a blue screen of death. I abandoned running GMER scan and was unable to produce a scan log file with this software.

HiJack This: Ran scan, generated log file and forwarded to F-Secure

Sysinternals Autoruns: Ran scan and forwarded log file to F-Secure

Backlight - Software downloaded and installed, and began running immediately without my clicking on the settings as instructed by F-Secure. This program ran for an extended period of time and then the system crashed giving another blue screen of death listing out the following id numbers:

0x0000000A; 0x000000087; 0x000000001C; 0x804Fa276

Unable to obtain log file - scan with this software abandoned


4. Unblocked item via F-Secure firewall - I had blocked items via the firewall in F-Secure, I unblocked all of those

5. Windows Firewall - within Windows Firewall there were an untold number of items shown as excluded - my apologies, I do not remember what they were at this point but they were repetitive and I could not tie them back to any software so I removed them within Windows Firewall - also my settings were originally placed to not run Windows Firewall as I was using the firewall within my F-Secure so I was confused that Windows Firewall showed as active. At this point, Windows Firewall is set to off and F-Secure's is set to on.

6. F-Secure Rescue CD - instructed to download and burn ISO file to create a rescue CD - change the boot sequence of my system to CD first - and then run the rescue CD - rescue CD would not run under any condition

7. Error(s) indicated that Adobe Reader/Updates was corrupted so I attempted to use the repair option and then uninstalled/reinstalled my Adobe 6.0 software. I processed the repair function on all of the Adobe updates that were on my system. I uninstalled Adobe 2.0 thinking that I had the newer version and it was no longer needed.

System crashed yesterday and I powered down - on the blue screen same reference information, this time I transcribed the entire message:

A problem has been detected and windows has been shut down to prevent damage to your computer.

IRQL_NOT_LESS_OR_EQUAL

If this is the first time you've seen this Stop error screen, restart your computer. If this screen appears again, follow these steps:

Check to make sure any new hardware or software is properly installed. If this is a new installation, ask your hardware or software manufacturer for any windows updates you need.

If problems continue, disable or remove any newly installed hardware or software. Disable BIOS memory options such as caching or shadowing. If you need to use safe mode to remove or disable components, restart your computer, press F8 to select Advanced Startup Options, and then select Safe Mode.

Technical Information:

**STOP: (0x0000000A (0x0000001c. 0c0000000, 0x804FA276)

Beginning dump of physical memory
Physical memory dump complete
Contact your system administrator or technical support group for further assistance.

NEW HIJACK THIS LOG BELOW:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:10:53 AM, on 1/14/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\Program Files\Logitech\LWS\Webcam Software\LWS.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\Program Files\F-Secure\Common\FSHDLL32.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://register.starband.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aghewett.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9877
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll
O2 - BHO: LitmusBHO - {C6867EB7-8350-4856-877F-93CF8AE3DC9C} - C:\Program Files\F-Secure\NRS\iescript\baselitmus.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Browsing Protection Toolbar - {265EEE8E-3228-44D3-AEA5-F7FDF5860049} - C:\Program Files\F-Secure\NRS\iescript\baselitmus.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [LWS] C:\Program Files\Logitech\LWS\Webcam Software\LWS.exe -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\Shockwave 11\SwHelper_1150596.exe -Update -1150596 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; StarBand Version 4.0.0.2; FBSMTWB; GTB0.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; InfoPath.1; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; StarBand Version 4.0.0.2; .NET4.0C; .NET4.0E; OfficeLiveConnector.1.5; OfficeLivePatch.1.3; StarBand Version 4.0.0.2)" -"http://awfulgames.com/games/runner/"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
O9 - Extra button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://register.starband.net
O15 - Trusted Zone: http://www.aghewett.com
O15 - Trusted Zone: *.fnismls.com
O15 - Trusted Zone: http://www.gaar.com
O15 - Trusted Zone: *.rapmls.com
O15 - Trusted Zone: http://www.whisperingrange.com
O16 - DPF: Web-Based Email Tools - http://email.secureserver.net/Download.CAB
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {25336921-03F9-11CF-8FD0-00AA00686F13} (Microsoft HTML Document 6.0) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} (Scanner.SysScanner) - http://i.dell.com/images/global/js/scanner/SysProExe.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/32.70/uploader2.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1197413103640
O16 - DPF: {6DE617B8-49C0-40F8-8118-D2C3741F1C28} (SetTrustedSitesControl.clsReg) - http://medialaxj.rapmls.com/tools/MlsToTrusted/rapmls/SetTrustedSitesControl.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1177006967484
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader2.cab
O16 - DPF: {A762E064-A885-40E4-AC10-671BB62DC2B2} (OFMailHTMLCtl Class) - http://www.eomniform.com/OF5/nsplugins/OFMailX.cab
O16 - DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} (DellSystemLite.Scanner) - http://support.dell.com/systemprofiler/DellSystemLite.CAB
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://rebac.webex.com/client/T26L/nbr/ieatgpc.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/41/install/gtdownde.cab
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Roxio SAIB Service (9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269) - Unknown owner - C:\Program Files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - Unknown owner - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: F-Secure ORSP Client (FSORSPClient) - F-Secure Corporation - C:\Program Files\F-Secure\ORSP Client\fsorsp.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe (file missing)
O23 - Service: SupportSoft Sprocket Service (DellSupportCenter) (sprtsvc_DellSupportCenter) - Unknown owner - C:\Program Files\Dell Support Center\bin\sprtsvc.exe (file missing)
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)

--
End of file - 13849 bytes

Please help me and thanks in advance for any assistance you may lend.

Edited by boopme, 14 January 2011 - 04:12 PM.
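As an added example that is not part of this thread: a small Python review script for the HijackThis log above. It parses the R/O entries and flags the ones a responder looks at first in a search-redirect case: the R1 ProxyServer entry pointing at 127.0.0.1:9877, the O6 policy restrictions, the O15 Trusted Zone entries, and O23 services whose binary is missing. The embedded excerpt is copied from the log in this post; the severity labels are the script's own convention, not HijackThis's.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Excerpt of the HijackThis log posted above (copied from the post, not constructed),
# chosen so that each check below fires at least once.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9877
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aghewett.com/
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O15 - Trusted Zone: http://www.aghewett.com
O15 - Trusted Zone: *.fnismls.com
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe (file missing)
"""


@dataclass
class Finding:
    severity: str  # "high", "medium" or "low" (this script's own scale)
    section: str   # HijackThis section code such as "R1" or "O23"
    reason: str
    line: str      # the log line that triggered the finding


# Every HijackThis entry starts with a section code, a dash and the entry body.
LINE_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def parse_proxy(value: str) -> list[tuple[str, str, Optional[int]]]:
    """Split an IE ProxyServer value ('http=127.0.0.1:9877;https=host:3128'
    or a bare 'host:port') into (scheme, host, port) triples."""
    triples = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.rpartition("=")   # scheme is empty for a bare host:port
        host, sep, port = hostport.rpartition(":")
        if not sep:                                   # no port given at all
            host, port = hostport, ""
        triples.append((scheme or "all", host.strip("[]"), int(port) if port.isdigit() else None))
    return triples


def review_hjt(text: str) -> list[Finding]:
    """Flag the HijackThis entries a malware responder checks first.

    The rules encode why each entry matters; they do not decide by themselves
    that an entry is malicious, so every finding says what to verify."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec in ("R0", "R1") and ",ProxyServer =" in body:
            value = body.split("=", 1)[1].strip()
            for scheme, host, port in parse_proxy(value):
                if host in LOOPBACK:
                    findings.append(Finding(
                        "high", sec,
                        f"IE {scheme} proxy points at loopback {host}:{port}; a proxy on the local "
                        "machine can rewrite search results, so identify which process listens there",
                        raw))
        elif sec == "O6":
            findings.append(Finding(
                "medium", sec,
                "IE policy restrictions are set; confirm an administrator configured them", raw))
        elif sec == "O15":
            findings.append(Finding(
                "low", sec,
                "site runs in the Trusted Zone with reduced security; confirm the user added it", raw))
        elif sec == "O23" and body.endswith("(file missing)"):
            findings.append(Finding(
                "low", sec,
                "service is registered but its binary is absent (leftover of an uninstall or a removed component)",
                raw))
    return findings


def worst_severity(findings: list[Finding]) -> Optional[str]:
    """Highest severity present, or None when nothing was flagged."""
    order = {"high": 0, "medium": 1, "low": 2}
    return min((f.severity for f in findings), key=order.__getitem__, default=None)


if __name__ == "__main__":
    for f in review_hjt(SAMPLE_LOG):
        print(f"[{f.severity:<6}] {f.section}: {f.reason}\n         {f.line}")
```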


#2 m0le (Malware Response Team)

Posted 19 January 2011 - 04:11 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below I will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


And

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.


Then

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
m0le is a proud member of UNITE

#3 GeoHew (Topic Starter)

Posted 21 January 2011 - 01:55 PM

Thanks for the response. At this point, I think that I have my missing files issue resolved with the exception of two pieces of software which I am unable to find. I am more or less back at my beginning point - I am getting a browser redirect when doing google searches. My F-Secure scans say that my system is clean, but am still getting the re-direct on search engines. The issue regarding my F-Secure failing to delete identified virus/trojan infections has not been resolved so I am not sure if those are still on my system or not.

I will download and run the item you suggested above and post back to this area if you feel that this scan is the correct thing to do. Thanks again in advance for your assistance - I appreciate your willingness to help those of us that are technically challenged :)

#4 m0le (Malware Response Team)

Posted 21 January 2011 - 07:08 PM

Change of plan. Please run TDSSKiller and let's look for a rootkit here

  • Download TDSSKiller and save it to your Desktop.

  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.

  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l report.txt

  • Now click Start Scan.
  • If Malicious objects are found, ensure Cure is selected then click Continue > Reboot now.
  • Click Close
  • Finally press Report and copy and paste the contents into your next reply. If you've rebooted then the log will be found at C:\


#5 GeoHew (Topic Starter)

Posted 23 January 2011 - 07:12 PM

Here is the log file - the scan did report a virus but I didn't write it down. Let me know what you think.


2011/01/23 17:02:11.0374 TDSS rootkit removing tool 2.4.15.0 Jan 22 2011 19:37:53
2011/01/23 17:02:11.0374 ================================================================================
2011/01/23 17:02:11.0374 SystemInfo:
2011/01/23 17:02:11.0374
2011/01/23 17:02:11.0374 OS Version: 5.1.2600 ServicePack: 3.0
2011/01/23 17:02:11.0374 Product type: Workstation
2011/01/23 17:02:11.0374 ComputerName: HEWETT
2011/01/23 17:02:11.0374 UserName: Edwina Hewett
2011/01/23 17:02:11.0374 Windows directory: C:\WINDOWS
2011/01/23 17:02:11.0374 System windows directory: C:\WINDOWS
2011/01/23 17:02:11.0374 Processor architecture: Intel x86
2011/01/23 17:02:11.0374 Number of processors: 2
2011/01/23 17:02:11.0374 Page size: 0x1000
2011/01/23 17:02:11.0374 Boot type: Normal boot
2011/01/23 17:02:11.0374 ================================================================================
2011/01/23 17:02:11.0859 Initialize success
2011/01/23 17:02:14.0780 ================================================================================
2011/01/23 17:02:14.0780 Scan started
2011/01/23 17:02:14.0780 Mode: Manual;
2011/01/23 17:02:14.0780 ================================================================================
2011/01/23 17:02:17.0780 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
2011/01/23 17:02:18.0202 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/01/23 17:02:18.0624 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/01/23 17:02:19.0077 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
2011/01/23 17:02:19.0859 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/01/23 17:02:20.0312 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/01/23 17:02:20.0827 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
2011/01/23 17:02:21.0202 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
2011/01/23 17:02:21.0499 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
2011/01/23 17:02:21.0843 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
2011/01/23 17:02:22.0312 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
2011/01/23 17:02:22.0624 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
2011/01/23 17:02:23.0015 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
2011/01/23 17:02:23.0390 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
2011/01/23 17:02:23.0749 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
2011/01/23 17:02:24.0124 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
2011/01/23 17:02:24.0468 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
2011/01/23 17:02:24.0874 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
2011/01/23 17:02:25.0421 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/01/23 17:02:25.0812 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/01/23 17:02:26.0812 ati2mtag (03621f7f968ff63713943405deb777f9) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2011/01/23 17:02:27.0468 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/01/23 17:02:27.0874 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/01/23 17:02:28.0234 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/01/23 17:02:28.0905 BrScnUsb (92a964547b96d697e5e9ed43b4297f5a) C:\WINDOWS\system32\Drivers\BrScnUsb.sys
2011/01/23 17:02:29.0280 BrSerIf (d48c13f4a409aee8dafaddac81e34557) C:\WINDOWS\system32\Drivers\BrSerIf.sys
2011/01/23 17:02:29.0734 BrUsbSer (8fa0ac830a8312912a3aa0c0431cba0d) C:\WINDOWS\system32\Drivers\BrUsbSer.sys
2011/01/23 17:02:30.0515 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
2011/01/23 17:02:31.0109 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/01/23 17:02:31.0468 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2011/01/23 17:02:31.0843 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
2011/01/23 17:02:32.0155 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/01/23 17:02:32.0546 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/01/23 17:02:32.0874 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/01/23 17:03:49.0984 ================================================================================
2011/01/23 17:03:49.0984 Scan finished
2011/01/23 17:03:49.0984 ================================================================================
2011/01/23 17:03:56.0468 Deinitialize success

#6 m0le

  • Malware Response Team
  • 34,527 posts
  • Location:London, UK

Posted 23 January 2011 - 07:52 PM

Please run Combofix at this point so we can clear out anything left over

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, including Firewalls, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE

#7 m0le

  • Malware Response Team
  • 34,527 posts
  • Location:London, UK

Posted 26 January 2011 - 07:45 PM

Hi,

I have not had a reply from you for 3 days. Can you please tell me if you still need help with your computer as I am unable to help other members with their problems while I have your topic still open. The time taken between posts can also change the situation with your PC making it more difficult to help you.

If you like you can PM me.

Thanks,


m0le
m0le is a proud member of UNITE

#8 GeoHew

  • Topic Starter
  • Members
  • 10 posts

Posted 26 January 2011 - 08:24 PM

Sorry for not responding sooner - I will review and proceed with your directions and post again afterward.


Thanks again.

#9 GeoHew

  • Topic Starter
  • Members
  • 10 posts

Posted 27 January 2011 - 04:28 PM

Here is the log file from Combo Fix:

ComboFix 11-01-25.05 - Edwina Hewett 01/26/2011 19:04:29.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.522 [GMT -7:00]
Running from: c:\documents and settings\Edwina Hewett\Desktop\ComboFix.exe
AV: F-Secure Internet Security 2011 10.50 *Disabled/Updated* {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
FW: F-Secure Internet Security 2011 10.50 *Enabled* {D4747503-0346-49EB-9262-997542F79BF4}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Start Menu\HP Image Zone .lnk
c:\documents and settings\Edwina Hewett\g2mdlhlpx.exe
c:\documents and settings\Edwina Hewett\GoToAssistDownloadHelper.exe
C:\Documents
c:\program files\Fast Browser Search
c:\program files\Search Guard PlusU
c:\program files\Search Guard PlusU\SGPU.ico
c:\program files\Search Guard PlusU\sgpUpdater.exe
c:\program files\Search Guard PlusU\sgpUpdater.xml
c:\program files\Search Guard PlusU\sgpUpdaters.exe
c:\program files\Search Guard PlusU\uninstalSGPU.exe
c:\program files\SGPSA
c:\windows\Downloaded Program Files\ODCTOOLS
c:\windows\system32\Cache
c:\windows\system32\gotomon.log
c:\windows\system32\Packet.dll
c:\windows\system32\spool\prtprocs\w32x86\GoToPrintProcessor.dll
c:\windows\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2010-12-27 to 2011-01-27 )))))))))))))))))))))))))))))))
.

2011-01-21 00:11 . 2011-01-21 00:11 -------- d-----w- c:\program files\Common Files\Adobe AIR
2011-01-16 17:29 . 2011-01-16 17:29 -------- d-----w- c:\program files\Carbonite
2011-01-16 17:29 . 2011-01-16 17:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Carbonite
2011-01-15 19:05 . 2011-01-15 19:05 37027 ----a-w- c:\windows\atmoUn.exe
2011-01-08 03:20 . 2011-01-08 03:20 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2011-01-08 00:50 . 2011-01-08 00:50 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
2011-01-08 00:44 . 2011-01-08 00:44 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2011-01-07 22:10 . 2011-01-07 22:10 388096 ----a-r- c:\documents and settings\Edwina Hewett\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-01-06 00:06 . 2011-01-06 00:06 -------- d-----w- c:\windows\system32\wbem\Repository
2011-01-06 00:05 . 2011-01-06 00:05 -------- d-----w- c:\program files\Common Files\xing shared
2011-01-06 00:05 . 2011-01-06 00:05 -------- d-----w- c:\program files\Real
2011-01-05 23:53 . 2011-01-05 23:53 -------- d-----w- c:\program files\Common Files\Skype
2011-01-04 00:04 . 2011-01-06 00:05 -------- d-----w- c:\program files\real(2)
2011-01-03 23:50 . 2011-01-03 23:49 73728 ------w- c:\windows\system32\javacpl.cpl
2011-01-03 23:50 . 2011-01-03 23:49 472808 ------w- c:\windows\system32\deployJava1.dll
2011-01-03 21:42 . 2011-01-03 21:42 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-15 12:52 . 2010-10-03 16:53 42664 ------w- c:\windows\system32\drivers\fsbts.sys
2010-11-30 00:38 . 2010-11-30 00:38 94208 ------w- c:\windows\system32\QuickTimeVR.qtx
2010-11-30 00:38 . 2010-11-30 00:38 69632 ------w- c:\windows\system32\QuickTime.qts
2010-11-18 18:12 . 2004-08-11 22:12 81920 ------w- c:\windows\system32\isign32.dll
2010-11-10 02:47 . 2010-11-10 02:47 195168 ------w- c:\windows\system32\lvci13101216.dll
2010-11-10 02:47 . 2010-11-10 02:47 416352 ------w- c:\windows\system32\lvcodec2.dll
2010-11-10 02:46 . 2010-11-10 02:46 20704 ------w- c:\windows\system32\drivers\lvbusflt.sys
2010-11-09 14:52 . 2004-08-11 22:00 249856 ------w- c:\windows\system32\odbc32.dll
2010-11-06 00:26 . 2006-10-17 19:57 1991680 ------w- c:\windows\system32\iertutil(2)(3).dll
2010-11-06 00:26 . 2004-08-11 22:00 916480 ------w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2004-08-11 22:00 916480 ------w- c:\windows\system32\wininet(2)(2).dll
2010-11-06 00:26 . 2004-08-11 22:00 1210880 ------w- c:\windows\system32\urlmon(2)(2).dll
2010-11-06 00:26 . 2004-08-11 22:00 43520 ------w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2004-08-11 22:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-06 00:26 . 2006-10-27 22:09 11080704 ------w- c:\windows\system32\ieframe(2)(3).dll
2010-11-03 12:25 . 2004-08-11 22:00 385024 ------w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2004-08-11 22:00 40960 ------w- c:\windows\system32\drivers\ndproxy.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2011-01-13 06:40 750736 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2011-01-13 06:40 750736 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2011-01-13 06:40 750736 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-02-20 39408]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2007-08-30 205480]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
"SetDefPrt"="c:\program files\Brother\Brmfl04g\BrStDvPt.exe" [2004-11-12 49152]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2008-10-24 79136]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2007-08-30 205480]
"F-Secure TNB"="c:\program files\F-Secure\FSGUI\TNBUtil.exe" [2010-10-03 1654440]
"F-Secure Manager"="c:\program files\F-Secure\Common\FSM32.EXE" [2010-10-03 200360]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2005-01-08 864256]
"Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2011-01-13 931472]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-6-19 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-05-29 14:57 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 22:24 54840 -c--a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
2004-04-14 21:04 40960 -c--a-w- c:\program files\ScanSoft\PaperPort\IndexSearch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
2004-04-14 20:46 57393 -c--a-w- c:\program files\ScanSoft\PaperPort\pptd40nt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2003-10-14 16:22 155648 -c--a-r- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RoxWatch9"=2 (0x2)
"RoxMediaDB9"=3 (0x3)
"Roxio Upnp Server 9"=2 (0x2)
"Roxio UPnP Renderer 9"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8947:TCP"= 8947:TCP:Services
"8948:TCP"= 8948:TCP:Services
"5916:TCP"= 5916:TCP:Services
"5915:TCP"= 5915:TCP:Services
"8304:TCP"= 8304:TCP:Services
"8305:TCP"= 8305:TCP:Services
"7636:TCP"= 7636:TCP:Services
"7637:TCP"= 7637:TCP:Services
"9290:TCP"= 9290:TCP:Services
"9291:TCP"= 9291:TCP:Services
"6009:TCP"= 6009:TCP:Services
"6010:TCP"= 6010:TCP:Services
"5960:TCP"= 5960:TCP:Services
"5961:TCP"= 5961:TCP:Services
"3055:TCP"= 3055:TCP:Services
"4610:TCP"= 4610:TCP:Services
"7306:TCP"= 7306:TCP:Services
"7305:TCP"= 7305:TCP:Services
"1661:TCP"= 1661:TCP:Services
"1822:TCP"= 1822:TCP:Services
"3118:TCP"= 3118:TCP:Services
"4736:TCP"= 4736:TCP:Services
"4337:TCP"= 4337:TCP:Services
"7174:TCP"= 7174:TCP:Services
"2424:TCP"= 2424:TCP:Services
"1962:TCP"= 1962:TCP:Services
"2663:TCP"= 2663:TCP:Services
"3826:TCP"= 3826:TCP:Services
"6630:TCP"= 6630:TCP:Services
"4065:TCP"= 4065:TCP:Services
"3320:TCP"= 3320:TCP:*:Disabled:Services
"5140:TCP"= 5140:TCP:Services
"1534:TCP"= 1534:TCP:*:Disabled:Services
"1568:TCP"= 1568:TCP:*:Disabled:Services
"5969:TCP"= 5969:TCP:Services
"5970:TCP"= 5970:TCP:Services
"2628:TCP"= 2628:TCP:Services
"3756:TCP"= 3756:TCP:Services
"3361:TCP"= 3361:TCP:*:Disabled:Services
"5222:TCP"= 5222:TCP:Services
"5689:TCP"= 5689:TCP:Services
"9878:TCP"= 9878:TCP:Services
"6190:TCP"= 6190:TCP:Services
"3845:TCP"= 3845:TCP:Services
"9110:TCP"= 9110:TCP:Services
"9111:TCP"= 9111:TCP:Services
"9827:TCP"= 9827:TCP:Services
"9828:TCP"= 9828:TCP:Services
"7436:TCP"= 7436:TCP:Services
"7437:TCP"= 7437:TCP:Services
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"1052:TCP"= 1052:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface

R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [10/3/2010 9:53 AM 42664]
R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [10/3/2010 9:52 AM 81800]
R1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\F-Secure\HIPS\drivers\fshs.sys [10/3/2010 9:52 AM 71496]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/11/2004 3:00 PM 14336]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\F-Secure\Anti-Virus\minifilter\fsgk.sys [10/3/2010 9:51 AM 130728]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
S2 FSORSPClient;F-Secure ORSP Client;c:\program files\F-Secure\ORSP Client\fsorsp.exe [10/3/2010 9:52 AM 63992]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/19/2010 9:03 PM 135664]
S3 CompFilter;UVCCompositeFilter;c:\windows\system32\drivers\lvbusflt.sys [11/9/2010 7:46 PM 20704]
S3 fsbl-standalone;F-Secure BlackLight Beta Engine Driver;\??\c:\docume~1\EDWINA~1\LOCALS~1\Temp\F-Secure\BlackLight\fsbldrv.sys --> c:\docume~1\EDWINA~1\LOCALS~1\Temp\F-Secure\BlackLight\fsbldrv.sys [?]
S3 GUSBFILTER;Gilat USB Adapter Filter;c:\windows\system32\drivers\gusbfilter.sys [11/17/2002 9:57 AM 3124]
S3 GUSBNET;Satellite Modem 360 USB Driver;c:\windows\system32\drivers\gusbnet.sys [11/17/2002 9:57 AM 39572]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/11/2004 3:00 PM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
S4 CinemaNow Service;CinemaNow Service;c:\program files\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe --> c:\program files\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe [?]
S4 F-Secure Filter;F-Secure File System Filter;c:\program files\F-Secure\Anti-Virus\win2k\fsfilter.sys [10/3/2010 9:51 AM 40872]
S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\F-Secure\Anti-Virus\win2k\fsrec.sys [10/3/2010 9:51 AM 26280]
S4 GFUFBSFQQZU;GFUFBSFQQZU;c:\docume~1\EDWINA~1\LOCALS~1\Temp\GFUFBSFQQZU.exe --> c:\docume~1\EDWINA~1\LOCALS~1\Temp\GFUFBSFQQZU.exe [?]
S4 IXY;IXY;c:\docume~1\EDWINA~1\LOCALS~1\Temp\IXY.exe --> c:\docume~1\EDWINA~1\LOCALS~1\Temp\IXY.exe [?]
S4 XCUANZWGHF;XCUANZWGHF;c:\docume~1\EDWINA~1\LOCALS~1\Temp\XCUANZWGHF.exe --> c:\docume~1\EDWINA~1\LOCALS~1\Temp\XCUANZWGHF.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder

2011-01-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 18:50]

2011-01-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-20 04:03]

2011-01-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-20 04:03]

2011-01-27 c:\windows\Tasks\User_Feed_Synchronization-{708628E3-7FAC-4753-822B-FA0301CB2B49}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 10:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aghewett.com/
uInternet Settings,ProxyServer = http=127.0.0.1:9877
uInternet Settings,ProxyOverride = <local>;*.local
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a}
LSP: c:\program files\F-Secure\FSPS\program\FSLSP.DLL
Trusted Zone: aghewett.com\www
Trusted Zone: blogger.com\www
Trusted Zone: facebook.com\login
Trusted Zone: fnismls.com
Trusted Zone: gaar.com\www
Trusted Zone: google.com\maps
Trusted Zone: google.com\www
Trusted Zone: rapmls.com
Trusted Zone: secureserver.net\email
Trusted Zone: thepartnershipfcu.net\www
Trusted Zone: whisperingrange.com\www
DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB
DPF: {6DE617B8-49C0-40F8-8118-D2C3741F1C28} - hxxp://medialaxj.rapmls.com/tools/MlsToTrusted/rapmls/SetTrustedSitesControl.dll
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
DPF: {A762E064-A885-40E4-AC10-671BB62DC2B2} - hxxp://www.eomniform.com/OF5/nsplugins/OFMailX.cab
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-type32 - c:\program files\Microsoft IntelliType Pro\type32.exe
HKLM-Run-IntelliPoint - c:\program files\Microsoft IntelliPoint\point32.exe
HKLM-Run-DMXLauncher - c:\program files\Roxio\Media Experience\DMXLauncher.exe
HKLM-Run-dellsupportcenter - c:\program files\Dell Support Center\bin\sprtcmd.exe
MSConfigStartUp-AppleSyncNotifier - c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe
AddRemove-Shockwave - c:\windows\system32\Macromed\SHOCKW~2\UNWISE.EXE
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb
AddRemove-xampp - c:\xampp\uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-26 19:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3338782660-2688582444-1751220596-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-3338782660-2688582444-1751220596-1005\Software\Policies\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (S-1-5-21-3338782660-2688582444-1751220596-1005)
@Allowed: (Read) (S-1-5-21-3338782660-2688582444-1751220596-1005)
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(648)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
c:\program files\f-secure\hips\fshook32.dll

- - - - - - - > 'lsass.exe'(704)
c:\program files\F-Secure\FSPS\program\FSLSP.DLL
c:\program files\f-secure\hips\fshook32.dll

- - - - - - - > 'explorer.exe'(2700)
c:\windows\system32\WININET.dll
c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\program files\F-Secure\FSPS\program\FSLSP.DLL
c:\windows\system32\WPDShServiceObj.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\msdtc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe
c:\program files\Carbonite\Carbonite Backup\carboniteservice.exe
c:\windows\system32\dllhost.exe
c:\program files\F-Secure\Anti-Virus\fsgk32st.exe
c:\program files\F-Secure\Anti-Virus\FSGK32.EXE
c:\program files\F-Secure\Common\FSMA32.EXE
c:\program files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\windows\system32\LxrJD31s.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\HPZipm12.exe
c:\windows\system32\dllhost.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\fxssvc.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\stsystra.exe
c:\program files\F-Secure\Anti-Virus\fssm32.exe
c:\program files\F-Secure\Common\FSLAUNCH.EXE
.
**************************************************************************
.
Completion time: 2011-01-26 19:36:12 - machine was rebooted
ComboFix-quarantined-files.txt 2011-01-27 02:36

Pre-Run: 65,883,275,264 bytes free
Post-Run: 67,098,378,240 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - DA04AE4CA7824466E0C703FDE594EA39

Thanks again very much for your assistance.

#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:01:27 PM

Posted 27 January 2011 - 07:38 PM

You're welcome. We need to rerun ComboFix to remove some other bad software.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the box below into it:

File::
c:\docume~1\EDWINA~1\LOCALS~1\Temp\GFUFBSFQQZU.exe
c:\docume~1\EDWINA~1\LOCALS~1\Temp\IXY.exe
c:\docume~1\EDWINA~1\LOCALS~1\Temp\XCUANZWGHF.exe

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:9877
uInternet Settings,ProxyOverride = <local>;*.local

Driver::
GFUFBSFQQZU
IXY
XCUANZWGHF


Save this as CFScript.txt, in the same location as ComboFix.exe (called ComboFix.exe in the graphic below).


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe.

If the program requests that you update ComboFix, then click Yes.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
m0le is a proud member of UNITE
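
The entries m0le put under File:: and Driver:: are the three S4 services from the log above whose binaries sit in a user's Temp folder under random-looking all-caps names, and the DDS:: entries are the Internet Explorer proxy settings that point every request at a listener on 127.0.0.1, a common mechanism behind browser search redirects like the one that opened this thread. The Python script below is an added example, not part of this thread or of ComboFix, that applies those two triage rules to a constructed slice of the log in the same line format, and renders the result in the File::/DDS::/Driver:: layout of the CFScript above. The names triage, Findings and build_cfscript are my own; the script assumes the log layout shown in this thread, and the real CFScript syntax has more directives than the three used here.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample in the style of the ComboFix log posted in this thread:
# two benign services, the three S4 services m0le targeted, the Internet
# Settings proxy lines and a short slice of the GloballyOpenPorts list.
SAMPLE_LOG = r"""
R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [10/3/2010 9:52 AM 81800]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/19/2010 9:03 PM 135664]
S4 GFUFBSFQQZU;GFUFBSFQQZU;c:\docume~1\EDWINA~1\LOCALS~1\Temp\GFUFBSFQQZU.exe --> c:\docume~1\EDWINA~1\LOCALS~1\Temp\GFUFBSFQQZU.exe [?]
S4 IXY;IXY;c:\docume~1\EDWINA~1\LOCALS~1\Temp\IXY.exe --> c:\docume~1\EDWINA~1\LOCALS~1\Temp\IXY.exe [?]
S4 XCUANZWGHF;XCUANZWGHF;c:\docume~1\EDWINA~1\LOCALS~1\Temp\XCUANZWGHF.exe --> c:\docume~1\EDWINA~1\LOCALS~1\Temp\XCUANZWGHF.exe [?]
uStart Page = hxxp://www.aghewett.com/
uInternet Settings,ProxyServer = http=127.0.0.1:9877
uInternet Settings,ProxyOverride = <local>;*.local
"3389:TCP"= 3389:TCP:Remote Desktop
"8320:TCP"= 8320:TCP:Services
"8321:TCP"= 8321:TCP:Services
"1052:TCP"= 1052:TCP:Akamai NetSession Interface
"""

# Line shapes as they appear in the log: "S4 name;display;image [date size]",
# "uInternet Settings,ProxyServer = ...", and '"port:proto"= port:proto:label'.
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.+)$")
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer = (.+)$")
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"= \d+:(?:TCP|UDP):(.*)$')
LOOPBACK = {"127.0.0.1", "localhost", "::1"}


@dataclass
class Findings:
    temp_services: List[tuple] = field(default_factory=list)  # (service name, image path)
    loopback_proxy: List[str] = field(default_factory=list)   # raw ProxyServer lines
    generic_ports: List[str] = field(default_factory=list)    # "port:proto" opened as "Services"


def image_path(rest: str) -> str:
    """Strip the ' --> ...' echo and the trailing '[date size]' from a service line."""
    return rest.split(" -->")[0].split(" [")[0].strip()


def proxy_hosts(value: str) -> List[str]:
    """'http=127.0.0.1:9877;https=proxy:8080' -> ['127.0.0.1', 'proxy']."""
    hosts = []
    for entry in value.split(";"):
        entry = entry.split("=")[-1]  # drop an optional 'scheme=' prefix
        hosts.append(entry.rsplit(":", 1)[0].strip())
    return hosts


def triage(log: str) -> Findings:
    """Apply the two rules that single out the entries m0le scripted for removal."""
    f = Findings()
    for line in log.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            _start, name, display, rest = m.groups()
            path = image_path(rest)
            # A service whose binary lives in a user's Temp folder, or whose
            # random-looking all-caps name doubles as its display name, matches
            # the pattern of the three S4 entries in this thread.
            if "\\temp\\" in path.lower() or (name == display and re.fullmatch(r"[A-Z]{3,}", name)):
                f.temp_services.append((name, path))
            continue
        m = PROXY_RE.match(line)
        if m and any(h in LOOPBACK for h in proxy_hosts(m.group(1))):
            # A browser proxy on the loopback interface routes every request
            # through a local listener, which is how search redirects are often done.
            f.loopback_proxy.append(line)
            continue
        m = PORT_RE.match(line)
        if m and m.group(3).split(":")[-1] == "Services":
            f.generic_ports.append(f"{m.group(1)}:{m.group(2)}")
    return f


def build_cfscript(f: Findings) -> str:
    """Render the findings in the File:: / DDS:: / Driver:: layout m0le used.
    Assumption: these three directives are all that is needed here."""
    out = ["File::"] + [p for _, p in f.temp_services]
    out += ["", "DDS::"] + f.loopback_proxy
    out += ["", "Driver::"] + [n for n, _ in f.temp_services]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    print(build_cfscript(found))
    print(f"{len(found.generic_ports)} firewall port(s) opened with the generic label 'Services'")
```

Run on the sample, the script reproduces the File::, DDS:: and Driver:: sections of m0le's CFScript exactly. It also counts firewall exceptions opened under the bare label "Services"; in the full log posted above there are well over a hundred of them, and with EnableFirewall reported as 0 in the same log, that list is worth a review of its own once the machine is clean.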

#11 GeoHew

GeoHew
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:06:27 AM

Posted 28 January 2011 - 08:46 PM

Thanks again m0le - I ran ComboFix; it did update itself as you expected. While CF was running, the following error message popped up:

PEV.cfexe The instruction at 0x0072068 referenced memory at 0x0072068. The memory could not be "read". Click OK to terminate the program.

I clicked OK and CF continued to run. Below is the last log file from that run. Also, I am getting the blue screen of death now, which gives the following message (this was prior to running the last CF as directed and has not re-occurred yet):

DRIVER_IRQL_NOT_LESS_OR_EQUAL location id number was 0x00000D1

CF Log Below:

ComboFix 11-01-28.01 - Edwina Hewett 01/28/2011 17:42:42.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.493 [GMT -7:00]
Running from: c:\documents and settings\Edwina Hewett\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Edwina Hewett\Desktop\CFScript.txt
AV: F-Secure Internet Security 2011 10.50 *Disabled/Updated* {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
FW: F-Secure Internet Security 2011 10.50 *Enabled* {D4747503-0346-49EB-9262-997542F79BF4}

FILE ::
"c:\docume~1\EDWINA~1\LOCALS~1\Temp\GFUFBSFQQZU.exe"
"c:\docume~1\EDWINA~1\LOCALS~1\Temp\IXY.exe"
"c:\docume~1\EDWINA~1\LOCALS~1\Temp\XCUANZWGHF.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_GFUFBSFQQZU
-------\Legacy_IXY
-------\Legacy_XCUANZWGHF
-------\Service_GFUFBSFQQZU
-------\Service_IXY
-------\Service_XCUANZWGHF


((((((((((((((((((((((((( Files Created from 2010-12-28 to 2011-01-29 )))))))))))))))))))))))))))))))
.

2011-01-21 00:11 . 2011-01-21 00:11 -------- d-----w- c:\program files\Common Files\Adobe AIR
2011-01-16 17:29 . 2011-01-16 17:29 -------- d-----w- c:\program files\Carbonite
2011-01-16 17:29 . 2011-01-16 17:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Carbonite
2011-01-15 19:05 . 2011-01-15 19:05 37027 ----a-w- c:\windows\atmoUn.exe
2011-01-08 03:20 . 2011-01-08 03:20 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2011-01-08 00:50 . 2011-01-08 00:50 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
2011-01-08 00:44 . 2011-01-08 00:44 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2011-01-07 22:10 . 2011-01-07 22:10 388096 ----a-r- c:\documents and settings\Edwina Hewett\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-01-06 00:06 . 2011-01-06 00:06 -------- d-----w- c:\windows\system32\wbem\Repository
2011-01-06 00:05 . 2011-01-06 00:05 -------- d-----w- c:\program files\Common Files\xing shared
2011-01-06 00:05 . 2011-01-06 00:05 -------- d-----w- c:\program files\Real
2011-01-05 23:53 . 2011-01-05 23:53 -------- d-----w- c:\program files\Common Files\Skype
2011-01-04 00:04 . 2011-01-06 00:05 -------- d-----w- c:\program files\real(2)
2011-01-03 23:50 . 2011-01-03 23:49 73728 ------w- c:\windows\system32\javacpl.cpl
2011-01-03 23:50 . 2011-01-03 23:49 472808 ------w- c:\windows\system32\deployJava1.dll
2011-01-03 21:42 . 2011-01-03 21:42 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-15 12:52 . 2010-10-03 16:53 42664 ------w- c:\windows\system32\drivers\fsbts.sys
2010-11-30 00:38 . 2010-11-30 00:38 94208 ------w- c:\windows\system32\QuickTimeVR.qtx
2010-11-30 00:38 . 2010-11-30 00:38 69632 ------w- c:\windows\system32\QuickTime.qts
2010-11-18 18:12 . 2004-08-11 22:12 81920 ------w- c:\windows\system32\isign32.dll
2010-11-10 02:47 . 2010-11-10 02:47 195168 ------w- c:\windows\system32\lvci13101216.dll
2010-11-10 02:47 . 2010-11-10 02:47 416352 ------w- c:\windows\system32\lvcodec2.dll
2010-11-10 02:46 . 2010-11-10 02:46 20704 ------w- c:\windows\system32\drivers\lvbusflt.sys
2010-11-09 14:52 . 2004-08-11 22:00 249856 ------w- c:\windows\system32\odbc32.dll
2010-11-06 00:26 . 2006-10-17 19:57 1991680 ------w- c:\windows\system32\iertutil(2)(3).dll
2010-11-06 00:26 . 2004-08-11 22:00 916480 ------w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2004-08-11 22:00 916480 ------w- c:\windows\system32\wininet(2)(2).dll
2010-11-06 00:26 . 2004-08-11 22:00 1210880 ------w- c:\windows\system32\urlmon(2)(2).dll
2010-11-06 00:26 . 2004-08-11 22:00 43520 ------w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2004-08-11 22:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-06 00:26 . 2006-10-27 22:09 11080704 ------w- c:\windows\system32\ieframe(2)(3).dll
2010-11-03 12:25 . 2004-08-11 22:00 385024 ------w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2004-08-11 22:00 40960 ------w- c:\windows\system32\drivers\ndproxy.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2011-01-13 06:40 750736 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2011-01-13 06:40 750736 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2011-01-13 06:40 750736 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-02-20 39408]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2007-08-30 205480]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
"SetDefPrt"="c:\program files\Brother\Brmfl04g\BrStDvPt.exe" [2004-11-12 49152]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2008-10-24 79136]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2007-08-30 205480]
"F-Secure TNB"="c:\program files\F-Secure\FSGUI\TNBUtil.exe" [2010-10-03 1654440]
"F-Secure Manager"="c:\program files\F-Secure\Common\FSM32.EXE" [2010-10-03 200360]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2005-01-08 864256]
"Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2011-01-13 931472]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-6-19 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-05-29 14:57 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 22:24 54840 -c--a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
2004-04-14 21:04 40960 -c--a-w- c:\program files\ScanSoft\PaperPort\IndexSearch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
2004-04-14 20:46 57393 -c--a-w- c:\program files\ScanSoft\PaperPort\pptd40nt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2003-10-14 16:22 155648 -c--a-r- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RoxWatch9"=2 (0x2)
"RoxMediaDB9"=3 (0x3)
"Roxio Upnp Server 9"=2 (0x2)
"Roxio UPnP Renderer 9"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:Remote Desktop
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
"8320:TCP"= 8320:TCP:Services
"8321:TCP"= 8321:TCP:Services
"3228:TCP"= 3228:TCP:*:Disabled:Services
"4956:TCP"= 4956:TCP:Services
"8741:TCP"= 8741:TCP:Services
"8742:TCP"= 8742:TCP:Services
"6461:TCP"= 6461:TCP:Services
"6462:TCP"= 6462:TCP:Services
"7147:TCP"= 7147:TCP:Services
"7148:TCP"= 7148:TCP:Services
"5883:TCP"= 5883:TCP:Services
"5884:TCP"= 5884:TCP:Services
"3508:TCP"= 3508:TCP:Services
"5516:TCP"= 5516:TCP:Services
"2288:TCP"= 2288:TCP:Services
"3076:TCP"= 3076:TCP:Services
"5134:TCP"= 5134:TCP:Services
"8768:TCP"= 8768:TCP:Services
"7524:TCP"= 7524:TCP:Services
"7523:TCP"= 7523:TCP:Services
"8149:TCP"= 8149:TCP:Services
"8150:TCP"= 8150:TCP:Services
"3234:TCP"= 3234:TCP:*:Disabled:Services
"2367:TCP"= 2367:TCP:Services
"7615:TCP"= 7615:TCP:Services
"7616:TCP"= 7616:TCP:Services
"3553:TCP"= 3553:TCP:Services
"5606:TCP"= 5606:TCP:Services
"1991:TCP"= 1991:TCP:Services
"2482:TCP"= 2482:TCP:Services
"7976:TCP"= 7976:TCP:Services
"7977:TCP"= 7977:TCP:Services
"9039:TCP"= 9039:TCP:Services
"9040:TCP"= 9040:TCP:Services
"4242:TCP"= 4242:TCP:Services
"6984:TCP"= 6984:TCP:Services
"3697:TCP"= 3697:TCP:Services
"5894:TCP"= 5894:TCP:Services
"4789:TCP"= 4789:TCP:Services
"8078:TCP"= 8078:TCP:Services
"9087:TCP"= 9087:TCP:Services
"9088:TCP"= 9088:TCP:Services
"3586:TCP"= 3586:TCP:Services
"5672:TCP"= 5672:TCP:Services
"7010:TCP"= 7010:TCP:Services
"7011:TCP"= 7011:TCP:Services
"9229:TCP"= 9229:TCP:Services
"9228:TCP"= 9228:TCP:Services
"6804:TCP"= 6804:TCP:Services
"6805:TCP"= 6805:TCP:Services
"8961:TCP"= 8961:TCP:Services
"8962:TCP"= 8962:TCP:Services
"6023:TCP"= 6023:TCP:Services
"6024:TCP"= 6024:TCP:Services
"7886:TCP"= 7886:TCP:Services
"7885:TCP"= 7885:TCP:Services
"7679:TCP"= 7679:TCP:Services
"7680:TCP"= 7680:TCP:Services
"8085:TCP"= 8085:TCP:Services
"8086:TCP"= 8086:TCP:Services
"4976:TCP"= 4976:TCP:Services
"8452:TCP"= 8452:TCP:Services
"2525:TCP"= 2525:TCP:Services
"3550:TCP"= 3550:TCP:Services
"1602:TCP"= 1602:TCP:Services
"1704:TCP"= 1704:TCP:Services
"9055:TCP"= 9055:TCP:Services
"9054:TCP"= 9054:TCP:Services
"3147:TCP"= 3147:TCP:Services
"4794:TCP"= 4794:TCP:Services
"5398:TCP"= 5398:TCP:Services
"9296:TCP"= 9296:TCP:Services
"4385:TCP"= 4385:TCP:Services
"7270:TCP"= 7270:TCP:Services
"8830:TCP"= 8830:TCP:Services
"5165:TCP"= 5165:TCP:Services
"9773:TCP"= 9773:TCP:Services
"9774:TCP"= 9774:TCP:Services
"8711:TCP"= 8711:TCP:Services
"8712:TCP"= 8712:TCP:Services
"4649:TCP"= 4649:TCP:Services
"7798:TCP"= 7798:TCP:Services
"5540:TCP"= 5540:TCP:Services
"9580:TCP"= 9580:TCP:Services
"3040:TCP"= 3040:TCP:Services
"4580:TCP"= 4580:TCP:Services
"8554:TCP"= 8554:TCP:Services
"8555:TCP"= 8555:TCP:Services
"3178:TCP"= 3178:TCP:Services
"4856:TCP"= 4856:TCP:Services
"4024:TCP"= 4024:TCP:Services
"6548:TCP"= 6548:TCP:Services
"1681:TCP"= 1681:TCP:Services
"1862:TCP"= 1862:TCP:Services
"4790:TCP"= 4790:TCP:Services
"8080:TCP"= 8080:TCP:Services
"4524:TCP"= 4524:TCP:Services
"7548:TCP"= 7548:TCP:Services
"4178:TCP"= 4178:TCP:Services
"6856:TCP"= 6856:TCP:Services
"8430:TCP"= 8430:TCP:Services
"8431:TCP"= 8431:TCP:Services
"9945:TCP"= 9945:TCP:Services
"7242:TCP"= 7242:TCP:Services
"7243:TCP"= 7243:TCP:Services
"2007:TCP"= 2007:TCP:Services
"2514:TCP"= 2514:TCP:Services
"5586:TCP"= 5586:TCP:Services
"9672:TCP"= 9672:TCP:Services
"6273:TCP"= 6273:TCP:Services
"6274:TCP"= 6274:TCP:Services
"5339:TCP"= 5339:TCP:Services
"9178:TCP"= 9178:TCP:Services
"9071:TCP"= 9071:TCP:Services
"9070:TCP"= 9070:TCP:Services
"7369:TCP"= 7369:TCP:Services
"7370:TCP"= 7370:TCP:Services
"8458:TCP"= 8458:TCP:Services
"9742:TCP"= 9742:TCP:Services
"9743:TCP"= 9743:TCP:Services
"9101:TCP"= 9101:TCP:Services
"9102:TCP"= 9102:TCP:Services
"8929:TCP"= 8929:TCP:Services
"8930:TCP"= 8930:TCP:Services
"2274:TCP"= 2274:TCP:Services
"3048:TCP"= 3048:TCP:Services
"8947:TCP"= 8947:TCP:Services
"8948:TCP"= 8948:TCP:Services
"5916:TCP"= 5916:TCP:Services
"5915:TCP"= 5915:TCP:Services
"8304:TCP"= 8304:TCP:Services
"8305:TCP"= 8305:TCP:Services
"7636:TCP"= 7636:TCP:Services
"7637:TCP"= 7637:TCP:Services
"9290:TCP"= 9290:TCP:Services
"9291:TCP"= 9291:TCP:Services
"6009:TCP"= 6009:TCP:Services
"6010:TCP"= 6010:TCP:Services
"5960:TCP"= 5960:TCP:Services
"5961:TCP"= 5961:TCP:Services
"3055:TCP"= 3055:TCP:Services
"4610:TCP"= 4610:TCP:Services
"7306:TCP"= 7306:TCP:Services
"7305:TCP"= 7305:TCP:Services
"1661:TCP"= 1661:TCP:Services
"1822:TCP"= 1822:TCP:Services
"3118:TCP"= 3118:TCP:Services
"4736:TCP"= 4736:TCP:Services
"4337:TCP"= 4337:TCP:Services
"7174:TCP"= 7174:TCP:Services
"2424:TCP"= 2424:TCP:Services
"1962:TCP"= 1962:TCP:Services
"2663:TCP"= 2663:TCP:Services
"3826:TCP"= 3826:TCP:Services
"6630:TCP"= 6630:TCP:Services
"4065:TCP"= 4065:TCP:Services
"3320:TCP"= 3320:TCP:*:Disabled:Services
"5140:TCP"= 5140:TCP:Services
"1534:TCP"= 1534:TCP:*:Disabled:Services
"1568:TCP"= 1568:TCP:*:Disabled:Services
"5969:TCP"= 5969:TCP:Services
"5970:TCP"= 5970:TCP:Services
"2628:TCP"= 2628:TCP:Services
"3756:TCP"= 3756:TCP:Services
"3361:TCP"= 3361:TCP:*:Disabled:Services
"5222:TCP"= 5222:TCP:Services
"5689:TCP"= 5689:TCP:Services
"9878:TCP"= 9878:TCP:Services
"6190:TCP"= 6190:TCP:Services
"3845:TCP"= 3845:TCP:Services
"9110:TCP"= 9110:TCP:Services
"9111:TCP"= 9111:TCP:Services
"9827:TCP"= 9827:TCP:Services
"9828:TCP"= 9828:TCP:Services
"7436:TCP"= 7436:TCP:Services
"7437:TCP"= 7437:TCP:Services
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"1043:TCP"= 1043:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface

R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [10/3/2010 9:53 AM 42664]
R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [10/3/2010 9:52 AM 81800]
R1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\F-Secure\HIPS\drivers\fshs.sys [10/3/2010 9:52 AM 71496]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/11/2004 3:00 PM 14336]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\F-Secure\Anti-Virus\minifilter\fsgk.sys [10/3/2010 9:51 AM 130728]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
S2 FSORSPClient;F-Secure ORSP Client;c:\program files\F-Secure\ORSP Client\fsorsp.exe [10/3/2010 9:52 AM 63992]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/19/2010 9:03 PM 135664]
S3 CompFilter;UVCCompositeFilter;c:\windows\system32\drivers\lvbusflt.sys [11/9/2010 7:46 PM 20704]
S3 fsbl-standalone;F-Secure BlackLight Beta Engine Driver;\??\c:\docume~1\EDWINA~1\LOCALS~1\Temp\F-Secure\BlackLight\fsbldrv.sys --> c:\docume~1\EDWINA~1\LOCALS~1\Temp\F-Secure\BlackLight\fsbldrv.sys [?]
S3 GUSBFILTER;Gilat USB Adapter Filter;c:\windows\system32\drivers\gusbfilter.sys [11/17/2002 9:57 AM 3124]
S3 GUSBNET;Satellite Modem 360 USB Driver;c:\windows\system32\drivers\gusbnet.sys [11/17/2002 9:57 AM 39572]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/11/2004 3:00 PM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
S4 CinemaNow Service;CinemaNow Service;c:\program files\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe --> c:\program files\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe [?]
S4 F-Secure Filter;F-Secure File System Filter;c:\program files\F-Secure\Anti-Virus\win2k\fsfilter.sys [10/3/2010 9:51 AM 40872]
S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\F-Secure\Anti-Virus\win2k\fsrec.sys [10/3/2010 9:51 AM 26280]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder

2011-01-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 18:50]

2011-01-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-20 04:03]

2011-01-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-20 04:03]

2011-01-29 c:\windows\Tasks\User_Feed_Synchronization-{708628E3-7FAC-4753-822B-FA0301CB2B49}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 10:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aghewett.com/
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a}
LSP: c:\program files\F-Secure\FSPS\program\FSLSP.DLL
Trusted Zone: aghewett.com\www
Trusted Zone: blogger.com\www
Trusted Zone: docuhost-net.com\www
Trusted Zone: facebook.com\login
Trusted Zone: fnismls.com
Trusted Zone: gaar.com\www
Trusted Zone: google.com\maps
Trusted Zone: google.com\www
Trusted Zone: rapmls.com
Trusted Zone: secureserver.net\email
Trusted Zone: thepartnershipfcu.net\www
Trusted Zone: whisperingrange.com\www
DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB
DPF: {6DE617B8-49C0-40F8-8118-D2C3741F1C28} - hxxp://medialaxj.rapmls.com/tools/MlsToTrusted/rapmls/SetTrustedSitesControl.dll
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
DPF: {A762E064-A885-40E4-AC10-671BB62DC2B2} - hxxp://www.eomniform.com/OF5/nsplugins/OFMailX.cab
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-28 18:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3338782660-2688582444-1751220596-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-3338782660-2688582444-1751220596-1005\Software\Policies\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (S-1-5-21-3338782660-2688582444-1751220596-1005)
@Allowed: (Read) (S-1-5-21-3338782660-2688582444-1751220596-1005)
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(644)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
c:\program files\f-secure\hips\fshook32.dll

- - - - - - - > 'lsass.exe'(700)
c:\program files\F-Secure\FSPS\program\FSLSP.DLL
c:\program files\f-secure\hips\fshook32.dll

- - - - - - - > 'explorer.exe'(3976)
c:\windows\system32\WININET.dll
c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\program files\F-Secure\FSPS\program\FSLSP.DLL
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\msdtc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe
c:\program files\Carbonite\Carbonite Backup\carboniteservice.exe
c:\windows\system32\dllhost.exe
c:\program files\F-Secure\Anti-Virus\fsgk32st.exe
c:\program files\F-Secure\Anti-Virus\FSGK32.EXE
c:\program files\F-Secure\Common\FSMA32.EXE
c:\program files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\windows\system32\LxrJD31s.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\HPZipm12.exe
c:\windows\system32\dllhost.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\fxssvc.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\stsystra.exe
c:\program files\F-Secure\Anti-Virus\fssm32.exe
c:\windows\system32\wscntfy.exe
c:\program files\F-Secure\Common\FSLAUNCH.EXE
.
**************************************************************************
.
Completion time: 2011-01-28 18:14:44 - machine was rebooted
ComboFix-quarantined-files.txt 2011-01-29 01:14
ComboFix2.txt 2011-01-27 02:36

Pre-Run: 66,982,342,656 bytes free
Post-Run: 66,941,992,960 bytes free

- - End Of File - - 624C2B74B539EB34AD02227201090066

#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:01:27 PM

Posted 28 January 2011 - 09:11 PM

The BSOD won't return. Combofix had to hack out three drivers and services which should not be on your system. The temporary files were already gone.

Please run ESET and let's scan for infected files, etc.

  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Leave the top box checked and then check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
m0le is a proud member of UNITE

#13 GeoHew

GeoHew
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:06:27 AM

Posted 29 January 2011 - 07:02 PM

Here is the log from the EScan

C:\Documents and Settings\Edwina Hewett\Application Data\Sun\Java\Deployment\cache\6.0\17\74992AD1-7BAC6D9A.0 multiple threats deleted - quarantined
C:\Documents and Settings\Edwina Hewett\Application Data\Sun\Java\Deployment\cache\6.0\26\75c2959a-45ca34a0 multiple threats deleted - quarantined
C:\Documents and Settings\Edwina Hewett\Application Data\Sun\Java\Deployment\cache\6.0\27\63f65c1b-498de530 multiple threats deleted - quarantined
C:\Documents and Settings\Edwina Hewett\Application Data\Sun\Java\Deployment\cache\6.0\52\4e78d0f4-614ccd22 multiple threats deleted - quarantined

#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:01:27 PM

Posted 29 January 2011 - 08:14 PM

Just Java cache items so nothing live. How's the machine behaving now?
m0le is a proud member of UNITE

#15 GeoHew

GeoHew
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:06:27 AM

Posted 30 January 2011 - 11:02 AM

Seems to be acting better - is that Java cache something that I should be dumping and if so how does one do that? Also, do you have an opinion or recommendation regarding virus software? If that is something you are not allowed to comment on I understand, but I can say that I am far from pleased with my current vendor - tried to work through this with them for 3 weeks prior to contacting you folks. Thank you again so very much for all of your help.