Infected with ntdevice.exe virus


28 replies to this topic

#1 debshemphill (Members, 18 posts)

Posted 04 February 2011 - 03:48 PM

Upon startup, the following error shows up on the desktop: "c:\windows\system32\ntdevice.exe. Windows cannot find c:\windows\system 32\ntdevice.exe. Make sure you typed the name correctly and then try again. To search for a file, click the Start button and then click Search." This has completely slowed my computer down and the hard drive light is constantly on. You can hear it processing something even when no one is using the system. The computer takes a couple of minutes to respond to a single click or when opening a window.

Also, I disabled Avira to make things speed up a bit, but upon following your preparation guide for use before posting, after the system reboot, Avira reactivated itself and found the following errors: ...\pizda_ntload.dll... TR/Opache.D.24 and TR/Opache.D.15. I clicked "remove." I also got a blue screen the first time I tried to open gmer.exe. I got a "not responding" the second time I tried to open gmer.exe. And finally, the third time, it worked. Sorry, I don't remember the error on the blue screen. I hope this helps! Thanks for your time, I truly appreciate it!

The attachment part of your program is not accepting my attachments. It keeps telling me "upload skipped (error IO)". What should I do? I have the files on my desktop waiting. Thanks for your help!


DDS (Ver_10-12-12.02) - NTFSx86
Run by Hemphill at 13:36:50.54 on Fri 02/04/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.523 [GMT -5:00]

AV: Panda Cloud Antivirus *Enabled/Updated* {5AD27692-540A-464E-B625-78275FA38393}
AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\iWin Games\iWinTrusted.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANHost.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Hemphill\Desktop\Computer Fixes + Misc\dds.scr
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANToManager.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: IAOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol toolbar\aoltb.dll
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
mURLSearchHooks: IAOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol toolbar\aoltb.dll
mWinlogon: Shell=explorer.exe c:\windows\system32\ntdevice.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: PlaySushi: {21608b66-026f-4dcb-9244-0daca328dced} - c:\program files\playsushi\PSText.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: TTB000000 Class: {62960d20-6d0d-1ab4-4bf1-95b0b5b8783a} - c:\windows\COUPON~1.DLL
BHO: AOL Toolbar Loader: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol toolbar\aoltb.dll
BHO: IEHlprObj Class: {8ca5ed52-f3fb-4414-a105-2e3491156990} - c:\program files\iwin games\iWinGamesHookIE.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
BHO: Panda Security Toolbar: {b821bf60-5c2d-41eb-92dc-3e4ccd3a22e4} - c:\program files\panda security\panda security toolbar\PandaSecurityDx.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol toolbar\aoltb.dll
TB: CouponBar: {5bed3930-2e9e-76d8-bacc-80df2188d455} - c:\windows\CouponsBar.dll
TB: Panda Security Toolbar: {b821bf60-5c2d-41eb-92dc-3e4ccd3a22e4} - c:\program files\panda security\panda security toolbar\PandaSecurityDx.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [PSUNMain] "c:\program files\panda security\panda cloud antivirus\PSUNMain.exe" /Traybar
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [rundll32] c:\windows\system32\ntdevice.exe
dRunOnce: [RunNarrator] Narrator.exe
IE: &AOL Toolbar Search - c:\documents and settings\all users\application data\aol\ietoolbar\resources\en-us\local\search.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {EBD24BD3-E272-4FA3-A8BA-C5D709757CAB} - {EBD24BD3-E272-4FA3-A8BA-C5D709757CAB} - c:\program files\playsushi\PSText.dll
DPF: {32505657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 nwprovau
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hemphill\applic~1\mozilla\firefox\profiles\0vt7xrpm.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2866295&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT2866295&SearchSource=13
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=panda&type=panda1_0yatb&p=
FF - prefs.js: network.proxy.type - 0
FF - component: c:\documents and settings\hemphill\application data\mozilla\firefox\profiles\0vt7xrpm.default\extensions\{7affbfae-c4e2-4915-8c0f-00fa3ec610a1}\components\WinampPlayer.dll
FF - component: c:\documents and settings\hemphill\application data\mozilla\firefox\profiles\0vt7xrpm.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\hemphill\application data\mozilla\firefox\profiles\0vt7xrpm.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
FF - component: c:\documents and settings\hemphill\application data\mozilla\firefox\profiles\0vt7xrpm.default\extensions\{b821bf60-5c2d-41eb-92dc-3e4ccd3a22e4}\components\dtTransparency.dll
FF - component: c:\documents and settings\hemphill\application data\mozilla\firefox\profiles\0vt7xrpm.default\extensions\{b821bf60-5c2d-41eb-92dc-3e4ccd3a22e4}\components\dtTransparency3.5.dll
FF - component: c:\documents and settings\hemphill\application data\mozilla\firefox\profiles\0vt7xrpm.default\extensions\{b821bf60-5c2d-41eb-92dc-3e4ccd3a22e4}\components\dtTransparency3.6.dll
FF - component: c:\documents and settings\hemphill\application data\mozilla\firefox\profiles\0vt7xrpm.default\extensions\{b9d63c58-90cc-428b-8d3b-cbb88eb07e7e}\components\RadioWMPCore.dll
FF - component: c:\documents and settings\hemphill\application data\mozilla\firefox\profiles\0vt7xrpm.default\extensions\{b9d63c58-90cc-428b-8d3b-cbb88eb07e7e}\components\RadioWMPCoreGecko19.dll
FF - component: c:\documents and settings\hemphill\application data\mozilla\firefox\profiles\0vt7xrpm.default\extensions\engine@conduit.com\components\RadioWMPCore.dll
FF - component: c:\documents and settings\hemphill\application data\mozilla\firefox\profiles\0vt7xrpm.default\extensions\engine@conduit.com\components\RadioWMPCoreGecko19.dll
FF - component: c:\documents and settings\hemphill\application data\mozilla\firefox\profiles\0vt7xrpm.default\extensions\textlinks@playsushi.com\components\PlaySushiFF.dll
FF - component: c:\program files\panda security\panda id protect\firefox\components\FFKeypad.dll
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\documents and settings\hemphill\application data\move networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\hemphill\application data\mozilla\firefox\profiles\0vt7xrpm.default\extensions\{abad4342-3fda-4ccf-80ac-b6d0eecaca07}\plugins\npvivoxvoiceplugin.dll
FF - plugin: c:\documents and settings\hemphill\application data\mozilla\firefox\profiles\0vt7xrpm.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\hemphill\application data\mozilla\firefox\profiles\0vt7xrpm.default\extensions\logmeinclient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\documents and settings\hemphill\application data\mozilla\firefox\profiles\0vt7xrpm.default\extensions\runtime@panda3d.org\platform\winnt_x86-msvc\plugins\nppanda3d.dll
FF - plugin: c:\progra~1\sonyon~1\npsoe.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPcol400.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: AOL Toolbar: {7affbfae-c4e2-4915-8c0f-00fa3ec610a1} - %profile%\extensions\{7affbfae-c4e2-4915-8c0f-00fa3ec610a1}
FF - Ext: MultirowBookmarksToolbar: {FBF6D7FB-F305-4445-BB3D-FEF66579A033} - %profile%\extensions\{FBF6D7FB-F305-4445-BB3D-FEF66579A033}
FF - Ext: Manage Folders: firefox-managefolders@googlecode.com - %profile%\extensions\firefox-managefolders@googlecode.com
FF - Ext: Unsorted Bookmarks Folder Menu: UnsortedBookmarksMenu@alice - %profile%\extensions\UnsortedBookmarksMenu@alice
FF - Ext: Shareaholic: firefox-extension@shareaholic.com - %profile%\extensions\firefox-extension@shareaholic.com
FF - Ext: LogMeIn, Inc. Remote Access Plugin: LogMeInClient@logmein.com - %profile%\extensions\LogMeInClient@logmein.com
FF - Ext: AddThis: {3e0e7d2a-070f-4a47-b019-91fe5385ba79} - %profile%\extensions\{3e0e7d2a-070f-4a47-b019-91fe5385ba79}
FF - Ext: Adobe DLM (powered by getPlus®): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
FF - Ext: Vivox Voice Plugin: {ABAD4342-3FDA-4ccf-80AC-B6D0EECACA07} - %profile%\extensions\{ABAD4342-3FDA-4ccf-80AC-B6D0EECACA07}
FF - Ext: Vivox Web Voice Plugin: {ABAD4342-3FDA-4ccf-80AC-B6D0EECACA07} - %profile%\extensions\{ABAD4342-3FDA-4ccf-80AC-B6D0EECACA07}
FF - Ext: Illimitux: illimitux@illimitux.net - %profile%\extensions\illimitux@illimitux.net
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - %profile%\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}
FF - Ext: Panda3D Game Engine Plug-In: runtime@panda3d.org - %profile%\extensions\runtime@panda3d.org
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
FF - Ext: Panda Security Toolbar: {B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4} - %profile%\extensions\{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}
FF - Ext: PlaySushi TextLinks : textlinks@playsushi.com - %profile%\extensions\textlinks@playsushi.com
FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com
FF - Ext: Elf 1.15 Community Toolbar: {b9d63c58-90cc-428b-8d3b-cbb88eb07e7e} - %profile%\extensions\{b9d63c58-90cc-428b-8d3b-cbb88eb07e7e}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Panda Identity Protect: widgetruntime@surfsecret.com - c:\program files\panda security\panda id protect\Firefox
FF - Ext: iWinGames Plugin: {98e34367-8df7-42b4-837b-20b892ff0849} - c:\program files\iwin games\firefox
FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\hemphill\application data\Move Networks

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-1-28 11608]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2010-1-29 223312]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2010-1-29 24656]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2010-1-29 29776]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-1-28 61960]
S3 MOSUMAC;USB-Ethernet Driver;c:\windows\system32\drivers\mosumac.sys --> c:\windows\system32\drivers\MOSUMAC.SYS [?]

=============== Created Last 30 ================

2011-01-31 22:58:08 -------- d-----w- c:\program files\Alex Feinman
2011-01-29 21:50:26 -------- d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor
2011-01-28 20:29:00 -------- d-----w- c:\docume~1\hemphill\applic~1\Avira
2011-01-28 19:44:06 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-01-28 19:42:57 -------- d-----w- c:\docume~1\alluse~1\applic~1\Avira
2011-01-28 19:42:56 -------- d-----w- c:\program files\Avira

==================== Find3M ====================

2010-12-02 03:35:18 4280320 ----a-w- c:\windows\system32\GPhotos.scr
2010-09-20 17:30:18 7292104 ----a-w- c:\program files\Install_AIM.exe
2010-09-08 03:39:32 511968 ----a-w- c:\program files\sdsetup.exe
2010-09-08 00:30:20 350715595 ----a-w- c:\program files\Smokin_Guns_1.0.exe
2010-08-10 20:46:42 136768 ----a-w- c:\program files\Retrogamer.exe
2010-02-09 23:00:07 448040 ----a-w- c:\program files\CouponActivator.exe
2009-09-03 18:06:18 8302304 ------w- c:\program files\yahoo_firefox_3.5.2_setup_us.exe
2009-07-04 13:57:53 1045536 -c----w- c:\program files\DriverDetective.exe
2009-07-04 13:40:04 39640024 -c----w- c:\program files\A140509_enu_xp.exe
2009-06-26 10:19:34 39242464 -c----w- c:\program files\AVSVideoConverter.exe
2009-05-28 11:17:25 2959376 -c----w- c:\program files\dotnetfx35setup.exe
2009-05-22 00:35:01 74302760 -c----w- c:\program files\iTunesSetup.exe
2009-05-21 01:54:47 16509288 -c----w- c:\program files\LimeWireWin.exe
2009-05-12 00:07:49 25740144 -c----w- c:\program files\wmp11-windowsxp-x86-enu.exe
2009-04-13 05:12:12 6641432 -c----w- c:\program files\rminstall.exe
2009-04-13 05:07:38 7796200 -c----w- c:\program files\asc-setup.exe
2009-04-11 03:59:55 7002350 -c----w- c:\program files\documentbackupsetup.exe
2009-04-06 22:08:20 702806 -c----w- c:\program files\bmkbuddy.exe
2009-04-06 03:12:08 91160 -c----w- c:\program files\ReimageRepair.exe
2009-04-02 18:44:59 3496632 -c----w- c:\program files\Shockwave_Installer_Slim.exe
2009-03-31 06:13:16 11018168 -c----w- c:\program files\ASAPUtilities_setup_4-2-10.exe
2009-03-31 05:58:57 4909440 -c----w- c:\program files\Silverlight.2.0.exe
2009-03-31 05:57:57 480816 -c----w- c:\program files\Sounds.EXE
2009-03-31 05:07:36 318904 -c----w- c:\program files\wmpfirefoxplugin.exe
2009-03-23 05:17:02 774744 -c----w- c:\program files\SetupGamevance.exe
2009-03-23 04:54:50 3184816 -c----w- c:\program files\ccsetup217.exe
2009-03-21 06:53:48 8726528 -c----w- c:\program files\Scorch525NetscapeInstaller.msi
2009-03-20 03:05:39 476696 -c----w- c:\program files\RealPlayer11GOLD.exe
2009-03-18 03:02:49 228852088 -c----w- c:\program files\office2007sp1-kb936982-fullfile-en-us.exe
2009-03-16 21:50:31 21878064 -c----w- c:\program files\QuickTimeInstaller.exe
2009-03-16 21:43:21 3145608 -c----w- c:\program files\rcsetup124.exe
2009-03-15 03:06:30 1878888 -c----w- c:\program files\install_flash_player.exe

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD400BB-22FJA0 rev.13.03G13 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x861DAEC5]<<
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x85711872; SUB DWORD [EBP-0x4], 0x8571112e; PUSH EDI; CALL 0xffffffffffffdf33; }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x86250AB8]
3 CLASSPNP[0xF7616FD7] -> nt!IofCallDriver[0x804E37D5] -> \Device\00000067[0x863ABF18]
5 ACPI[0xF758D620] -> nt!IofCallDriver[0x804E37D5] -> [0x8610D030]
[0x86166220] -> IRP_MJ_CREATE -> 0x861DAEC5
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskWDC_WD400BB-22FJA0______________________13.03G13#4457572d4143434a353130393233203120202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x861DAAEA
user & kernel MBR OK
sectors 78165358 (+255): user != kernel
Warning: possible TDL3 rootkit infection !

============= FINISH: 13:52:43.64 ===============
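The DDS and GMER output above, worked as a triage exercise. This is an added example for this thread, not code from DDS, GMER or BleepingComputer: it reads the plain-text report and flags the loading points and cross-view results a malware-response helper looks at first. SAMPLE_LOG is constructed: most lines are copied from the report above, and two clean Run entries are added for contrast. The list of Windows component names a dropper might borrow for a Run value (WINDOWS_NAMES) is an assumption, not an official list.

```python
"""Triage a DDS / GMER report for persistence and rootkit indicators.

Added example for this thread; it is not code from DDS, GMER or
BleepingComputer. It reads the plain-text report and flags the entries a
malware-response helper checks first. SAMPLE_LOG is constructed: most
lines are copied from the report above, two clean entries are added for
contrast.
"""
import re

# Matches an executable-looking file name inside a registry value.
FILE_RE = r"[\w.\-]+\.(?:exe|dll|scr|cpl|com)\b"

# Value names a dropper borrows so its Run entry blends in with Windows
# components. Assumption: a short illustrative list, not an official one.
WINDOWS_NAMES = {"rundll32", "svchost", "explorer", "ctfmon", "lsass",
                 "winlogon", "services", "csrss"}

SAMPLE_LOG = r"""
uInternet Settings,ProxyServer = http=127.0.0.1:5555
mWinlogon: Shell=explorer.exe c:\windows\system32\ntdevice.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [rundll32] c:\windows\system32\ntdevice.exe
dRunOnce: [RunNarrator] Narrator.exe
Hosts: 127.0.0.1 www.spywareinfo.com
detected hooks:
\Driver\atapi DriverStartIo -> 0x861DAAEA
user & kernel MBR OK
sectors 78165358 (+255): user != kernel
Warning: possible TDL3 rootkit infection !
"""


def _finding(severity, line, reason):
    return {"severity": severity, "line": line, "reason": reason}


def triage(report_text):
    """Return a list of findings (dicts) for the suspicious lines in a report."""
    findings = []
    for raw in report_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        # 1. Winlogon Shell must be exactly explorer.exe; anything appended to
        #    it is launched by winlogon at every interactive logon.
        m = re.match(r"mWinlogon:\s*Shell=(.*)", line, re.I)
        if m:
            exes = [e.lower() for e in re.findall(FILE_RE, m.group(1), re.I)]
            if exes != ["explorer.exe"]:
                findings.append(_finding("high", line,
                    "Winlogon Shell launches more than explorer.exe: " + ", ".join(exes)))
            continue

        # 2. Run/RunOnce values named after a Windows binary but pointing at
        #    a different file (here: a value called rundll32 running ntdevice.exe).
        m = re.match(r"[umd]Run(?:Once)?:\s*\[([^\]]+)\]\s*(.*)", line, re.I)
        if m:
            name = m.group(1).lower()
            if name.endswith(".exe"):
                name = name[:-4]
            exes = re.findall(FILE_RE, m.group(2), re.I)
            target = exes[0].lower() if exes else ""
            if name in WINDOWS_NAMES and target != name + ".exe":
                findings.append(_finding("high", line,
                    f"Run value '{name}' is named after a Windows component but runs '{target}'"))
            continue

        # 3. A loopback proxy hands every IE request to a local process first.
        m = re.match(r"[um]Internet Settings,ProxyServer\s*=\s*(.*)", line, re.I)
        if m and re.search(r"(?:127\.0\.0\.1|localhost):\d+", m.group(1)):
            findings.append(_finding("high", line, "IE proxy points at a loopback port"))
            continue

        # 4. hosts entries that pin a real site to 127.0.0.1 make it unreachable.
        m = re.match(r"Hosts:\s*(\S+)\s+(\S+)", line, re.I)
        if m and m.group(1) == "127.0.0.1" and m.group(2).lower() != "localhost":
            findings.append(_finding("medium", line, f"hosts file blackholes {m.group(2)}"))
            continue

        # 5. GMER cross-view results: a hooked StartIo routine on the disk
        #    driver, and sectors whose contents differ between the user-mode
        #    read and the kernel-level read, are what its rootkit warning rests on.
        if re.search(r"DriverStartIo\s*->\s*0x[0-9A-Fa-f]+", line):
            findings.append(_finding("high", line, "disk driver StartIo routine is hooked"))
        elif re.search(r"user\s*!=\s*kernel", line):
            findings.append(_finding("high", line,
                "sector contents differ between user-mode and kernel-mode reads"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['reason']}\n         {f['line']}")
```

Run against the sample it reports six findings and stays silent on the clean ctfmon and avgnt entries. The four registry checks are why a missing ntdevice.exe still produces an error at every logon: the Winlogon Shell value and a Run value called "rundll32" both point at it, so removing the file without removing the loading points only changes the symptom. The loopback proxy and the hosts entry are the browser-side part of the same picture. The last two checks are the cross-view evidence: GMER reads the same sectors through the normal driver stack and through a lower-level path, and a StartIo hook on the disk driver plus a "user != kernel" mismatch at the end of the disk means something between the two views is rewriting what the operating system sees.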

#2 Noviciate (Malware Response Team, 5,277 posts)

Posted 04 February 2011 - 04:21 PM

Good evening. :)

Take a trip to this webpage for download links and instructions for running Combofix by sUBs.*

  • Please be aware that this tool may require the PC to be rebooted so close any programs you have open before you start.
  • When CF has finished, it will produce a log - C:\ComboFix.txt - copy and paste it into your next reply.
  • Let me know how the PC is behaving.
* There are two points to note from the instructions page:

1) The Recovery Console.

It is recommended that you install this as, in certain circumstances, it may be the difference between a successful repair and a reformat. If you are uncertain as to whether or not you already have the Recovery Console installed, simply run CF and it will prompt you if it does not detect it.
CF will complete some, but not all, of its removal tasks without the installation of the Console so, should you choose not to allow the installation, you may not get the results you hoped for.

2) Disabling your Anti-Virus.

CF has been the victim of false-positive detections on occasion and a resident AV may incorrectly identify and delete part of the tool which won't do it much good. If you don't disable your AV, you may not get the results you hoped for either.

So long, and thanks for all the fish.


#3 debshemphill (Topic Starter)

Posted 04 February 2011 - 05:05 PM

Thanks for responding so quickly! I have received your reply and will attempt to perform the combofix later this evening when everyone is off the internet. Can't take the internet down at this time, because of self employed business. I will post later tonight!

#4 debshemphill (Topic Starter)

Posted 05 February 2011 - 12:18 AM

Hello Noviciate: I ran the ComboFix. It took about an hour. It ran into a problem on the first try - "combofix has detected the presence of rootkit activity and needs to reboot the computer." It also showed something about rootkit TDL3. After it rebooted, it didn't go to the desktop but was preparing to run and then finally completed about an hour later. The computer is still having the same problem as before with the slow running and taking a couple of minutes to respond. I am posting the log:

ComboFix 11-01-31.02 - Hemphill 02/04/2011 23:08:08.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.594 [GMT -5:00]
Running from: c:\documents and settings\Hemphill\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Panda Cloud Antivirus *Disabled/Updated* {5AD27692-540A-464E-B625-78275FA38393}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Hemphill\g2mdlhlpx.exe
c:\documents and settings\Hemphill\My Documents\My Documents.url
C:\Microsoft
c:\program files\iWin Games\iWinGamesHookIE.dll
c:\program files\PlaySushi\PSTExt.dll
c:\windows\system32\BSTIEPrintCtl1.dll
c:\windows\system32\Thumbs.db
c:\windows\XSxS

Infected copy of c:\windows\system32\drivers\mouclass.sys was found and disinfected
Restored copy from - Kitty had a snack :P
.
((((((((((((((((((((((((( Files Created from 2011-01-05 to 2011-02-05 )))))))))))))))))))))))))))))))
.

2011-01-31 22:58 . 2011-01-31 22:58 -------- d-----w- c:\program files\Alex Feinman
2011-01-29 21:50 . 2011-01-29 21:50 -------- d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor
2011-01-28 20:29 . 2011-01-28 20:29 -------- d-----w- c:\documents and settings\Hemphill\Application Data\Avira
2011-01-28 19:44 . 2010-12-13 13:40 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-01-28 19:44 . 2010-12-13 13:40 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-01-28 19:44 . 2010-06-17 19:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2011-01-28 19:44 . 2010-06-17 19:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2011-01-28 19:42 . 2011-01-28 19:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2011-01-28 19:42 . 2011-01-28 19:42 -------- d-----w- c:\program files\Avira

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-02 03:35 . 2010-12-02 03:35 4280320 ----a-w- c:\windows\system32\GPhotos.scr
2010-09-20 17:30 . 2010-09-20 17:30 7292104 ----a-w- c:\program files\Install_AIM.exe
2010-09-08 03:39 . 2010-02-11 01:57 511968 ----a-w- c:\program files\sdsetup.exe
2010-09-08 00:30 . 2010-10-01 15:36 350715595 ----a-w- c:\program files\Smokin_Guns_1.0.exe
2010-08-10 20:46 . 2010-10-01 15:36 136768 ----a-w- c:\program files\Retrogamer.exe
2010-02-09 23:00 . 2010-02-09 23:00 448040 ----a-w- c:\program files\CouponActivator.exe
2009-09-03 18:06 . 2009-09-03 18:06 8302304 ------w- c:\program files\yahoo_firefox_3.5.2_setup_us.exe
2009-07-04 13:57 . 2009-07-04 13:48 1045536 -c----w- c:\program files\DriverDetective.exe
2009-07-04 13:40 . 2009-07-04 13:39 39640024 -c----w- c:\program files\A140509_enu_xp.exe
2009-06-26 10:19 . 2009-06-26 10:18 39242464 -c----w- c:\program files\AVSVideoConverter.exe
2009-05-28 11:17 . 2009-05-28 11:17 2959376 -c----w- c:\program files\dotnetfx35setup.exe
2009-05-22 00:35 . 2009-05-22 00:35 74302760 -c----w- c:\program files\iTunesSetup.exe
2009-05-21 01:54 . 2009-05-21 01:54 16509288 -c----w- c:\program files\LimeWireWin.exe
2009-05-12 00:07 . 2009-05-12 00:07 25740144 -c----w- c:\program files\wmp11-windowsxp-x86-enu.exe
2009-04-13 05:12 . 2009-04-13 05:12 6641432 -c----w- c:\program files\rminstall.exe
2009-04-13 05:07 . 2009-04-05 17:13 7796200 -c----w- c:\program files\asc-setup.exe
2009-04-11 03:59 . 2009-04-11 03:59 7002350 -c----w- c:\program files\documentbackupsetup.exe
2009-04-06 22:08 . 2009-04-06 22:08 702806 -c----w- c:\program files\bmkbuddy.exe
2009-04-06 03:12 . 2009-04-06 03:12 91160 -c----w- c:\program files\ReimageRepair.exe
2009-04-02 18:44 . 2009-04-02 18:45 3496632 -c----w- c:\program files\Shockwave_Installer_Slim.exe
2009-03-31 06:13 . 2009-03-31 06:13 11018168 -c----w- c:\program files\ASAPUtilities_setup_4-2-10.exe
2009-03-31 05:58 . 2009-03-31 05:58 4909440 -c----w- c:\program files\Silverlight.2.0.exe
2009-03-31 05:57 . 2009-03-31 05:57 480816 -c----w- c:\program files\Sounds.EXE
2009-03-31 05:07 . 2009-03-31 05:07 318904 -c----w- c:\program files\wmpfirefoxplugin.exe
2009-03-23 05:17 . 2009-03-23 05:17 774744 -c----w- c:\program files\SetupGamevance.exe
2009-03-23 04:54 . 2009-03-23 04:54 3184816 -c----w- c:\program files\ccsetup217.exe
2009-03-21 06:53 . 2009-03-21 06:53 8726528 -c----w- c:\program files\Scorch525NetscapeInstaller.msi
2009-03-20 03:05 . 2009-03-20 03:05 476696 -c----w- c:\program files\RealPlayer11GOLD.exe
2009-03-18 03:02 . 2009-03-18 02:59 228852088 -c----w- c:\program files\office2007sp1-kb936982-fullfile-en-us.exe
2009-03-16 21:50 . 2009-03-16 21:50 21878064 -c----w- c:\program files\QuickTimeInstaller.exe
2009-03-16 21:43 . 2009-03-16 21:43 3145608 -c----w- c:\program files\rcsetup124.exe
2009-03-15 03:06 . 2009-03-15 03:06 1878888 -c----w- c:\program files\install_flash_player.exe
2009-03-10 14:30 . 2009-03-10 14:30 5817072 -c----w- c:\program files\mozilla firefox\plugins\ScorchPDFWrapper.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}]
2010-06-15 13:46 86696 ----a-w- c:\program files\Panda Security\Panda Security Toolbar\PandaSecurityDx.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}"= "c:\program files\Panda Security\Panda Security Toolbar\PandaSecurityDx.dll" [2010-06-15 86696]

[HKEY_CLASSES_ROOT\clsid\{b821bf60-5c2d-41eb-92dc-3e4ccd3a22e4}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Panda Malware Icon]
@="{F5D1CF73-C196-48F8-AAAC-B9181E22B4E6}"
[HKEY_CLASSES_ROOT\CLSID\{F5D1CF73-C196-48F8-AAAC-B9181E22B4E6}]
2010-05-14 19:04 320832 ----a-w- c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Panda Suspect Icon]
@="{9AE343CB-BA45-4618-AF6A-0230EE6FC793}"
[HKEY_CLASSES_ROOT\CLSID\{9AE343CB-BA45-4618-AF6A-0230EE6FC793}]
2010-05-14 19:04 320832 ----a-w- c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-15 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-21 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-21 126976]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-03 122939]
"PSUNMain"="c:\program files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe" [2010-05-14 406848]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-12-13 281768]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HPAiODevice(hp officejet k series) - 1.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HPAiODevice(hp officejet k series) - 1.lnk
backup=c:\windows\pss\HPAiODevice(hp officejet k series) - 1.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-12-11 19:57 948672 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 05:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
2009-02-11 16:25 50472 ------w- c:\program files\AOL 9.5\aol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2010-04-01 09:16 357696 ----a-w- c:\program files\DAEMON Tools Lite\DTLite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DrvLsnr]
2003-05-08 16:34 69632 ------w- c:\program files\Analog Devices\SoundMAX\DrvLsnr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GoToMeeting]
2010-04-13 20:09 39816 ----a-w- c:\program files\Citrix\GoToMeeting\456\g2mstart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2008-11-06 17:33 41264 ----a-w- c:\program files\Common Files\aol\1237493549\ee\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-12 21:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 10:42 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pando Media Booster]
2010-07-15 13:42 2943896 -c--a-w- c:\program files\Pando Networks\Media Booster\PMB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Smapp]
2003-05-05 13:57 143360 ------w- c:\program files\Analog Devices\SoundMAX\SMTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-07-25 09:23 149280 ------w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-03-15 03:05 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-03-20 03:07 198160 ------w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ose"=2 (0x2)
"iPod Service"=3 (0x3)
"idsvc"=3 (0x3)
"gusvc"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"AOL ACS"=2 (0x2)
"Bonjour Service"=2 (0x2)
"SvcOnlineArmor"=3 (0x3)
"PnkBstrA"=2 (0x2)
"OAcat"=2 (0x2)
"gupdate"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
"WTouchService"=2 (0x2)
"TabletServicePen"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\UrbanTerror\\ioUrbanTerror.exe"=
"c:\\Program Files\\iWin Games\\iWinGames.exe"=
"c:\\Program Files\\iWin Games\\WebUpdater.exe"=
"c:\\Program Files\\Adobe\\Acrobat.com\\Acrobat.com.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\Panda Security\\Panda ID Protect\\Panda ID Protect.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Smokin' Guns\\smokinguns.exe"=
"c:\\Program Files\\Avira\\AntiVir Desktop\\avcenter.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"58352:TCP"= 58352:TCP:*:Disabled:Pando Media Booster
"58352:UDP"= 58352:UDP:*:Disabled:Pando Media Booster
"56608:TCP"= 56608:TCP:*:Disabled:Pando Media Booster
"56608:UDP"= 56608:UDP:*:Disabled:Pando Media Booster

R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [1/29/2010 2:23 PM 223312]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [1/29/2010 2:23 PM 24656]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [1/29/2010 2:23 PM 29776]
R1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [5/4/2010 7:36 AM 129928]
R1 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [10/9/2010 11:17 AM 74624]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [1/28/2011 2:44 PM 135336]
R2 iWinTrusted;iWinTrusted;c:\program files\iWin Games\iWinTrusted.exe [9/27/2010 10:36 AM 176408]
R2 NanoServiceMain;Panda Cloud Antivirus Service;c:\program files\Panda Security\Panda Cloud Antivirus\PSANHost.exe [4/30/2010 12:47 PM 136448]
R2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [5/27/2010 5:39 PM 141384]
R2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [4/30/2010 12:46 PM 97032]
R2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [4/30/2010 12:46 PM 111624]
R2 PSINProt;PSINProt;c:\windows\system32\drivers\PSINProt.sys [5/12/2010 9:58 AM 110920]
S3 MOSUMAC;USB-Ethernet Driver;c:\windows\system32\DRIVERS\MOSUMAC.SYS --> c:\windows\system32\DRIVERS\MOSUMAC.SYS [?]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [10/5/2010 5:48 AM 16168]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/1/2009 3:48 PM 133104]
S4 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [1/29/2010 2:23 PM 1282248]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [7/8/2010 6:17 PM 691696]
S4 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [1/29/2010 2:23 PM 3431112]
S4 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [10/5/2010 5:48 AM 4497704]
S4 WTouchService;WTouch Service;c:\program files\WTouch\WTouchService.exe [10/5/2010 5:50 AM 113448]
.
Contents of the 'Scheduled Tasks' folder

2011-01-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2011-02-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-01 20:48]

2011-02-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-01 20:48]

2011-02-04 c:\windows\Tasks\WinUtilities Disk Cleaner.job
- c:\program files\WinUtilities\ToolDiskCleaner.exe [2009-11-06 05:17]

2011-02-04 c:\windows\Tasks\WinUtilities History Cleaner.job
- c:\program files\WinUtilities\ToolHistoryCleaner.exe [2009-11-06 05:17]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar Search - c:\documents and settings\All Users\Application Data\AOL\ieToolbar\resources\en-US\local\search.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\Hemphill\Application Data\Mozilla\Firefox\Profiles\0vt7xrpm.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2866295&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT2866295&SearchSource=13
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=panda&type=panda1_0yatb&p=
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: AOL Toolbar: {7affbfae-c4e2-4915-8c0f-00fa3ec610a1} - %profile%\extensions\{7affbfae-c4e2-4915-8c0f-00fa3ec610a1}
FF - Ext: MultirowBookmarksToolbar: {FBF6D7FB-F305-4445-BB3D-FEF66579A033} - %profile%\extensions\{FBF6D7FB-F305-4445-BB3D-FEF66579A033}
FF - Ext: Manage Folders: firefox-managefolders@googlecode.com - %profile%\extensions\firefox-managefolders@googlecode.com
FF - Ext: Unsorted Bookmarks Folder Menu: UnsortedBookmarksMenu@alice - %profile%\extensions\UnsortedBookmarksMenu@alice
FF - Ext: Shareaholic: firefox-extension@shareaholic.com - %profile%\extensions\firefox-extension@shareaholic.com
FF - Ext: LogMeIn, Inc. Remote Access Plugin: LogMeInClient@logmein.com - %profile%\extensions\LogMeInClient@logmein.com
FF - Ext: AddThis: {3e0e7d2a-070f-4a47-b019-91fe5385ba79} - %profile%\extensions\{3e0e7d2a-070f-4a47-b019-91fe5385ba79}
FF - Ext: Adobe DLM (powered by getPlus®): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
FF - Ext: Vivox Voice Plugin: {ABAD4342-3FDA-4ccf-80AC-B6D0EECACA07} - %profile%\extensions\{ABAD4342-3FDA-4ccf-80AC-B6D0EECACA07}
FF - Ext: Vivox Web Voice Plugin: {ABAD4342-3FDA-4ccf-80AC-B6D0EECACA07} - %profile%\extensions\{ABAD4342-3FDA-4ccf-80AC-B6D0EECACA07}
FF - Ext: Illimitux: illimitux@illimitux.net - %profile%\extensions\illimitux@illimitux.net
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - %profile%\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}
FF - Ext: Panda3D Game Engine Plug-In: runtime@panda3d.org - %profile%\extensions\runtime@panda3d.org
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
FF - Ext: Panda Security Toolbar: {B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4} - %profile%\extensions\{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}
FF - Ext: PlaySushi TextLinks : textlinks@playsushi.com - %profile%\extensions\textlinks@playsushi.com
FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com
FF - Ext: Elf 1.15 Community Toolbar: {b9d63c58-90cc-428b-8d3b-cbb88eb07e7e} - %profile%\extensions\{b9d63c58-90cc-428b-8d3b-cbb88eb07e7e}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Panda Identity Protect: widgetruntime@surfsecret.com - c:\program files\Panda Security\Panda ID Protect\Firefox
FF - Ext: iWinGames Plugin: {98e34367-8df7-42b4-837b-20b892ff0849} - c:\program files\iWin Games\firefox
FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\Hemphill\Application Data\Move Networks
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{19A0F032-27D7-4227-BBB5-51AA9E5904F5} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-uTorrent - c:\program files\uTorrent\uTorrent.exe
MSConfigStartUp-cfhrllyf - c:\documents and settings\Hemphill\Local Settings\Application Data\qmamsb\vufqsftav.exe
MSConfigStartUp-DoubleSafety - c:\program files\Backup Programs\DoubleSafety\DoubleSafety.exe
MSConfigStartUp-Gamevance - c:\program files\Gamevance\gamevance32.exe
MSConfigStartUp-Software Informer - c:\program files\Software Informer\softinfo.exe
MSConfigStartUp-uTorrent - c:\program files\uTorrent\uTorrent.exe
AddRemove-CCleaner - c:\program files\CCleaner\uninst.exe
AddRemove-Folder Marker_is1 - c:\program files\Folder MarkerHome\unins000.exe
AddRemove-Pen Tablet Driver - c:\program files\Tablet\Pen\Remove.exe
AddRemove-phonics2 - D:\setup.exe
AddRemove-uTorrent - c:\program files\uTorrent\uTorrent.exe
AddRemove-Wacom WebTabletPlugin for IE - c:\program files\TabletPlugins\ieUninstall.exe
AddRemove-Wacom WebTabletPlugin for Netscape - c:\program files\TabletPlugins\npUninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-04 23:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2972)
c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.DLL
c:\program files\Panda Security\Panda Cloud Antivirus\PSNCGP.dll
c:\program files\Panda Security\Panda Cloud Antivirus\PSNCIPC.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\Panda Security\Panda Cloud Antivirus\PSANToManager.exe
.
**************************************************************************
.
Completion time: 2011-02-04 23:59:32 - machine was rebooted
ComboFix-quarantined-files.txt 2011-02-05 04:59

Pre-Run: 4,759,441,408 bytes free
Post-Run: 5,294,473,216 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - A383DC6B30B8154EB166A6D8C7A756B3

#5 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 05 February 2011 - 03:51 PM

Good evening. :)

Download TDSSKiller.zip from Kaspersky from here and save it to your Desktop.

  • You will then need to extract the file(s) from the zipped folder.
  • To do this: Right-click on the zipped folder and from the menu that appears, click on Extract All...
    In the Extraction Wizard window that opens, click on Next> and in the next window that appears, click on Next> again.
    In the final window, click on Finish

  • Please close all open programs as this may result in a reboot being necessary.
  • Double click TDSSKiller.exe to begin.
  • Click Start scan and allow the tool to do just that.
  • Once the scan has completed, if the tool has identified anything allow it to carry out its default action(s) - you'll need to click Continue where appropriate.
  • Finally, if it prompts you to reboot your machine, please click Reboot Now and ensure that your machine does so.
  • If the scan finds nothing, please click the Report button and let me have a copy of the text file that opens.
  • If you reboot your machine, the log, which I'd like to see, will be located at the root of your hard drive as C:\TDSSKiller.Version_Date_Time_log.txt.
    Please check that you get the one with the right date and time. :)

So long, and thanks for all the fish.

#6 debshemphill

  • Topic Starter
  • Members
  • 18 posts
  • Gender:Male

Posted 05 February 2011 - 05:22 PM

:cold: Hi! It's cold here and still snowing. That's when it is easiest to fix a stupid fouled-up computer. I downloaded TDSSKILLER and ran it. It scanned in 23 seconds or so and reported no infections. So what next? BTW, computer is responding a "bit" faster and seems to not be "thinking" so much. That's put a bit of a smile on my face! Here's a copy of the txt file -

2011/02/05 17:03:46.0984 3088 TDSS rootkit removing tool 2.4.16.0 Feb 1 2011 10:34:03
2011/02/05 17:03:47.0312 3088 ================================================================================
2011/02/05 17:03:47.0312 3088 SystemInfo:
2011/02/05 17:03:47.0312 3088
2011/02/05 17:03:47.0312 3088 OS Version: 5.1.2600 ServicePack: 3.0
2011/02/05 17:03:47.0312 3088 Product type: Workstation
2011/02/05 17:03:47.0312 3088 ComputerName: COMPAQ
2011/02/05 17:03:47.0312 3088 UserName: Hemphill
2011/02/05 17:03:47.0312 3088 Windows directory: C:\WINDOWS
2011/02/05 17:03:47.0312 3088 System windows directory: C:\WINDOWS
2011/02/05 17:03:47.0312 3088 Processor architecture: Intel x86
2011/02/05 17:03:47.0312 3088 Number of processors: 1
2011/02/05 17:03:47.0312 3088 Page size: 0x1000
2011/02/05 17:03:47.0312 3088 Boot type: Normal boot
2011/02/05 17:03:47.0312 3088 ================================================================================
2011/02/05 17:03:47.0671 3088 Initialize success
2011/02/05 17:03:52.0375 2892 ================================================================================
2011/02/05 17:03:52.0375 2892 Scan started
2011/02/05 17:03:52.0375 2892 Mode: Manual;
2011/02/05 17:03:52.0375 2892 ================================================================================
2011/02/05 17:03:54.0203 2892 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/02/05 17:03:54.0328 2892 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/02/05 17:03:54.0453 2892 aeaudio (e696e749bedcda8b23757b8b5ea93780) C:\WINDOWS\system32\drivers\aeaudio.sys
2011/02/05 17:03:54.0531 2892 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/02/05 17:03:54.0656 2892 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/02/05 17:03:55.0156 2892 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/02/05 17:03:55.0296 2892 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/02/05 17:03:55.0484 2892 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/02/05 17:03:55.0609 2892 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/02/05 17:03:55.0703 2892 avgio (0b497c79824f8e1bf22fa6aacd3de3a0) C:\Program Files\Avira\AntiVir Desktop\avgio.sys
2011/02/05 17:03:55.0843 2892 avgntflt (47b879406246ffdced59e18d331a0e7d) C:\WINDOWS\system32\DRIVERS\avgntflt.sys
2011/02/05 17:03:55.0984 2892 avipbb (da39805e2bad99d37fce9477dd94e7f2) C:\WINDOWS\system32\DRIVERS\avipbb.sys
2011/02/05 17:03:56.0140 2892 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/02/05 17:03:56.0265 2892 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/02/05 17:03:56.0453 2892 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/02/05 17:03:56.0562 2892 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/02/05 17:03:56.0671 2892 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/02/05 17:03:57.0062 2892 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/02/05 17:03:57.0218 2892 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/02/05 17:03:57.0375 2892 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/02/05 17:03:57.0500 2892 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/02/05 17:03:57.0593 2892 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/02/05 17:03:57.0718 2892 dot4 (3e4b043f8bc6be1d4820cc6c9c500306) C:\WINDOWS\system32\DRIVERS\Dot4.sys
2011/02/05 17:03:57.0859 2892 Dot4Print (77ce63a8a34ae23d9fe4c7896d1debe7) C:\WINDOWS\system32\DRIVERS\Dot4Prt.sys
2011/02/05 17:03:57.0953 2892 Dot4Scan (bd05306428da63369692477ddc0f6f5f) C:\WINDOWS\system32\DRIVERS\Dot4Scan.sys
2011/02/05 17:03:58.0062 2892 dot4usb (6ec3af6bb5b30e488a0c559921f012e1) C:\WINDOWS\system32\DRIVERS\dot4usb.sys
2011/02/05 17:03:58.0203 2892 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/02/05 17:03:58.0359 2892 drvmcdb (f41619ae216b51d68dda163805eefaa9) C:\WINDOWS\system32\drivers\drvmcdb.sys
2011/02/05 17:03:58.0437 2892 drvnddm (b295700e684ed1984db1d6be40354421) C:\WINDOWS\system32\drivers\drvnddm.sys
2011/02/05 17:03:58.0578 2892 E100B (ac9cf17ee2ae003c98eb4f5336c38058) C:\WINDOWS\system32\DRIVERS\e100b325.sys
2011/02/05 17:03:58.0796 2892 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/02/05 17:03:58.0921 2892 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/02/05 17:03:59.0000 2892 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/02/05 17:03:59.0140 2892 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/02/05 17:03:59.0234 2892 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2011/02/05 17:03:59.0359 2892 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/02/05 17:03:59.0468 2892 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/02/05 17:03:59.0609 2892 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2011/02/05 17:03:59.0671 2892 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/02/05 17:03:59.0828 2892 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/02/05 17:03:59.0968 2892 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/02/05 17:04:00.0234 2892 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/02/05 17:04:00.0375 2892 ialm (44b7d5a4f2bd9fe21aea0bb0bace38c4) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
2011/02/05 17:04:00.0562 2892 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/02/05 17:04:00.0750 2892 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/02/05 17:04:00.0875 2892 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/02/05 17:04:00.0968 2892 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2011/02/05 17:04:01.0078 2892 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/02/05 17:04:01.0140 2892 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/02/05 17:04:01.0265 2892 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/02/05 17:04:01.0390 2892 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/02/05 17:04:01.0500 2892 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/02/05 17:04:01.0609 2892 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/02/05 17:04:01.0937 2892 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/02/05 17:04:02.0046 2892 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/02/05 17:04:02.0187 2892 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/02/05 17:04:02.0421 2892 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/02/05 17:04:02.0562 2892 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/02/05 17:04:02.0765 2892 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/02/05 17:04:02.0890 2892 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/02/05 17:04:03.0000 2892 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/02/05 17:04:03.0171 2892 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/02/05 17:04:03.0343 2892 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/02/05 17:04:03.0546 2892 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/02/05 17:04:03.0640 2892 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/02/05 17:04:03.0750 2892 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/02/05 17:04:03.0828 2892 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/02/05 17:04:03.0953 2892 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/02/05 17:04:04.0046 2892 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/02/05 17:04:04.0218 2892 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/02/05 17:04:04.0343 2892 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/02/05 17:04:04.0390 2892 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/02/05 17:04:04.0437 2892 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/02/05 17:04:04.0562 2892 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/02/05 17:04:04.0640 2892 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/02/05 17:04:04.0812 2892 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/02/05 17:04:04.0984 2892 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/02/05 17:04:05.0093 2892 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/02/05 17:04:05.0250 2892 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/02/05 17:04:05.0328 2892 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/02/05 17:04:05.0437 2892 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/02/05 17:04:05.0562 2892 NwlnkIpx (8b8b1be2dba4025da6786c645f77f123) C:\WINDOWS\system32\DRIVERS\nwlnkipx.sys
2011/02/05 17:04:05.0734 2892 NwlnkNb (56d34a67c05e94e16377c60609741ff8) C:\WINDOWS\system32\DRIVERS\nwlnknb.sys
2011/02/05 17:04:05.0890 2892 NwlnkSpx (c0bb7d1615e1acbdc99757f6ceaf8cf0) C:\WINDOWS\system32\DRIVERS\nwlnkspx.sys
2011/02/05 17:04:06.0000 2892 NWRDR (36b9b950e3d2e100970a48d8bad86740) C:\WINDOWS\system32\DRIVERS\nwrdr.sys
2011/02/05 17:04:06.0156 2892 OADevice (57b641cd45e3dbd784aba7174724f4e0) C:\WINDOWS\system32\drivers\OADriver.sys
2011/02/05 17:04:06.0296 2892 OAmon (f21b332dab65c9601267d8fc8c04899b) C:\WINDOWS\system32\drivers\OAmon.sys
2011/02/05 17:04:06.0375 2892 OAnet (5577a7f637f02621cb643f0f470872fc) C:\WINDOWS\system32\drivers\OAnet.sys
2011/02/05 17:04:06.0531 2892 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/02/05 17:04:06.0625 2892 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/02/05 17:04:06.0750 2892 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/02/05 17:04:06.0843 2892 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/02/05 17:04:07.0015 2892 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\drivers\PCIIde.sys
2011/02/05 17:04:07.0140 2892 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/02/05 17:04:07.0546 2892 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/02/05 17:04:07.0656 2892 PSINAflt (469943fb4398df5662dd5d06193c0bb0) C:\WINDOWS\system32\DRIVERS\PSINAflt.sys
2011/02/05 17:04:07.0734 2892 PSINFile (b573f1ee01046612576907bb08ad8e6f) C:\WINDOWS\system32\DRIVERS\PSINFile.sys
2011/02/05 17:04:07.0875 2892 PSINKNC (51b0bab73ec899399e5d6034105d6f21) C:\WINDOWS\system32\DRIVERS\psinknc.sys
2011/02/05 17:04:07.0953 2892 PSINProc (d3730032f61fca2d2ae6a2daf90347b1) C:\WINDOWS\system32\DRIVERS\PSINProc.sys
2011/02/05 17:04:08.0062 2892 PSINProt (47345c84b45003d4b5975cda5f026787) C:\WINDOWS\system32\DRIVERS\PSINProt.sys
2011/02/05 17:04:08.0171 2892 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/02/05 17:04:08.0296 2892 PxHelp20 (153d02480a0a2f45785522e814c634b6) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/02/05 17:04:08.0390 2892 pxrts (08e05099803eb0bff278bc58fda52115) C:\WINDOWS\system32\drivers\pxrts.sys
2011/02/05 17:04:08.0781 2892 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/02/05 17:04:08.0906 2892 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/02/05 17:04:08.0984 2892 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/02/05 17:04:09.0078 2892 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/02/05 17:04:09.0171 2892 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/02/05 17:04:09.0312 2892 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/02/05 17:04:09.0406 2892 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/02/05 17:04:09.0546 2892 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/02/05 17:04:09.0656 2892 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/02/05 17:04:09.0875 2892 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/02/05 17:04:09.0937 2892 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/02/05 17:04:10.0015 2892 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/02/05 17:04:10.0171 2892 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/02/05 17:04:10.0406 2892 smwdm (fa3368a7039f5abaa4b933703ac34763) C:\WINDOWS\system32\drivers\smwdm.sys
2011/02/05 17:04:10.0609 2892 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/02/05 17:04:10.0750 2892 sptd (cdddec541bc3c96f91ecb48759673505) C:\WINDOWS\System32\Drivers\sptd.sys
2011/02/05 17:04:10.0921 2892 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/02/05 17:04:11.0046 2892 Srv (da852e3e0bf1cea75d756f9866241e57) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/02/05 17:04:11.0203 2892 sscdbhk5 (d7968049be0adbb6a57cee3960320911) C:\WINDOWS\system32\drivers\sscdbhk5.sys
2011/02/05 17:04:11.0296 2892 ssmdrv (a36ee93698802cd899f98bfd553d8185) C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
2011/02/05 17:04:11.0406 2892 ssrtln (c3ffd65abfb6441e7606cf74f1155273) C:\WINDOWS\system32\drivers\ssrtln.sys
2011/02/05 17:04:11.0500 2892 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/02/05 17:04:11.0609 2892 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/02/05 17:04:11.0906 2892 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/02/05 17:04:12.0093 2892 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/02/05 17:04:12.0234 2892 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/02/05 17:04:12.0312 2892 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/02/05 17:04:12.0453 2892 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/02/05 17:04:12.0562 2892 tfsnboio (2aceb9567639ff2db9d862104a80227a) C:\WINDOWS\system32\dla\tfsnboio.sys
2011/02/05 17:04:12.0625 2892 tfsncofs (d9f936eac2a6d55e3de87bedff8137a9) C:\WINDOWS\system32\dla\tfsncofs.sys
2011/02/05 17:04:12.0718 2892 tfsndrct (0fd9805bc047ada2cff540d4b7fa71fb) C:\WINDOWS\system32\dla\tfsndrct.sys
2011/02/05 17:04:12.0765 2892 tfsndres (f8b907198e2540a4a340f1e6775f7b71) C:\WINDOWS\system32\dla\tfsndres.sys
2011/02/05 17:04:12.0875 2892 tfsnifs (fb11349b31346290d098941f0216cc45) C:\WINDOWS\system32\dla\tfsnifs.sys
2011/02/05 17:04:12.0953 2892 tfsnopio (1994265f3a90e23a9434bba687f1a069) C:\WINDOWS\system32\dla\tfsnopio.sys
2011/02/05 17:04:13.0031 2892 tfsnpool (0b3d2bd550aa63bfd25ae8c5afbf7f76) C:\WINDOWS\system32\dla\tfsnpool.sys
2011/02/05 17:04:13.0093 2892 tfsnudf (716edddba259a2d699332df95301edda) C:\WINDOWS\system32\dla\tfsnudf.sys
2011/02/05 17:04:13.0203 2892 tfsnudfa (a8ee7bbdd0b8c01e38221d0dca2e7aaa) C:\WINDOWS\system32\dla\tfsnudfa.sys
2011/02/05 17:04:13.0421 2892 TVICHW32 (e266683fc95abdec17cd378564e1b54b) C:\WINDOWS\system32\DRIVERS\TVICHW32.SYS
2011/02/05 17:04:13.0546 2892 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/02/05 17:04:13.0687 2892 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/02/05 17:04:13.0843 2892 USBAAPL (60a68a5ea173a97971ee9f1ff49eb2b3) C:\WINDOWS\system32\Drivers\usbaapl.sys
2011/02/05 17:04:13.0921 2892 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/02/05 17:04:14.0031 2892 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/02/05 17:04:14.0109 2892 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/02/05 17:04:14.0218 2892 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/02/05 17:04:14.0312 2892 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/02/05 17:04:14.0406 2892 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/02/05 17:04:14.0625 2892 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/02/05 17:04:14.0781 2892 wacmoumonitor (8724531219ae3f9e3729012b61dce527) C:\WINDOWS\system32\DRIVERS\wacmoumonitor.sys
2011/02/05 17:04:14.0859 2892 wacommousefilter (427a8bc96f16c40df81c2d2f4edd32dd) C:\WINDOWS\system32\DRIVERS\wacommousefilter.sys
2011/02/05 17:04:15.0000 2892 wacomvhid (51d580f30d1a1f2ea4965af6abc2bcb2) C:\WINDOWS\system32\DRIVERS\wacomvhid.sys
2011/02/05 17:04:15.0078 2892 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/02/05 17:04:15.0203 2892 wanatw (0a716c08cb13c3a8f4f51e882dbf7416) C:\WINDOWS\system32\DRIVERS\wanatw4.sys
2011/02/05 17:04:15.0312 2892 Wdf01000 (bbcfeab7e871cddac2d397ee7fa91fdc) C:\WINDOWS\system32\Drivers\wdf01000.sys
2011/02/05 17:04:15.0500 2892 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/02/05 17:04:15.0718 2892 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
2011/02/05 17:04:15.0796 2892 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
2011/02/05 17:04:15.0937 2892 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/02/05 17:04:16.0046 2892 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/02/05 17:04:16.0156 2892 xusb21 (a640c90b007762939507c28a021be3b3) C:\WINDOWS\system32\DRIVERS\xusb21.sys
2011/02/05 17:04:16.0234 2892 ================================================================================
2011/02/05 17:04:16.0234 2892 Scan finished
2011/02/05 17:04:16.0234 2892 ================================================================================

#7 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Location:Numpty HQ

Posted 05 February 2011 - 05:55 PM

Download Malwarebytes' Anti-Malware from here and save it to your Desktop - unless you already have it, in which case skip to the "updating" bit below.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • Ensure a checkmark is placed next to both Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware and then click Finish.
  • If an update is found, it will download and install the latest version - you'll need to clear it with your firewall.
  • Once the program has loaded, select Perform full scan and then Scan.
  • When the scan has finished, click OK and then Show Results to view the results - no surprise there!
  • If MBAM finds anything, check the box(es) and click Remove Selected.
  • Please note - Leave unchecked any boxes that have \System Volume Information\ in the filepath. These pose no immediate risk to your PC unless you use System Restore and will be dealt with later.
  • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Let me have the MBAM log, a fresh DDS log AND a description of how your PC is behaving.

So long, and thanks for all the fish.

#8 debshemphill

  • Topic Starter
  • Members
  • 18 posts

Posted 05 February 2011 - 08:15 PM

Hi! I ran the mbam.exe and performed the scan. I removed the selected infections as requested. I also ran the DDS again and am posting that log. I don't know if you want the attach.txt file. I did not include it in this post, but will post if you need it. The DDS seemed to complete faster than the first time I ran it a couple of days ago. After the scans were finished, I rebooted. I checked the Task Manager, and "Iwintrusted.exe" was still there, even though I believe it was caught in malware scan and then removed. I don't see any evidence of the ntdevice.exe listing in the Task Manager. That's a good thing! The computer seems to have settled down and is responding a whole lot better than before. It's not "thinking" any more and it is responding to simple requests much better. Thank you for your help thus far! It's been wonderful. Here is the mbam log first and then second the DDS log:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5686

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/5/2011 7:23:01 PM
mbam-log-2011-02-05 (19-23-01).txt

Scan type: Full scan (C:\|)
Objects scanned: 225382
Time elapsed: 54 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\adver_id (Malware.Trace) -> Value: adver_id -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\documents and settings\Hemphill\application data\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@playsushi.com (PUP.PlaySushi) -> Quarantined and deleted successfully.
c:\documents and settings\Hemphill\application data\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@playsushi.com\chrome (PUP.PlaySushi) -> Quarantined and deleted successfully.
c:\documents and settings\Hemphill\application data\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@playsushi.com\components (PUP.PlaySushi) -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\Hemphill\my documents\setupplaysushi(2).exe (PUP.PlaySushi) -> Quarantined and deleted successfully.
c:\program files\retrogamer.exe (Adware.Iwon) -> Quarantined and deleted successfully.
c:\program files\windows nt\shell.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\pizda_bkurl.dat (Malware.Trace) -> Quarantined and deleted successfully.
c:\documents and settings\Hemphill\application data\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@playsushi.com\chrome.manifest (PUP.PlaySushi) -> Quarantined and deleted successfully.
c:\documents and settings\Hemphill\application data\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@playsushi.com\install.rdf (PUP.PlaySushi) -> Quarantined and deleted successfully.
c:\documents and settings\Hemphill\application data\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@playsushi.com\chrome\pstextlinks.jar (PUP.PlaySushi) -> Quarantined and deleted successfully.
c:\documents and settings\Hemphill\application data\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@playsushi.com\components\playsushiff.dll (PUP.PlaySushi) -> Quarantined and deleted successfully.
c:\documents and settings\Hemphill\application data\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@playsushi.com\components\pstextlinks.xpt (PUP.PlaySushi) -> Quarantined and deleted successfully.


DDS.txt


DDS (Ver_10-12-12.02) - NTFSx86
Run by Hemphill at 19:47:08.07 on Sat 02/05/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.567 [GMT -5:00]

AV: Panda Cloud Antivirus *Disabled/Updated* {5AD27692-540A-464E-B625-78275FA38393}
AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\iWin Games\iWinTrusted.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANHost.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANToManager.exe
C:\Documents and Settings\Hemphill\Desktop\BleepingComputer\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: IAOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol toolbar\aoltb.dll
uURLSearchHooks: H - No File
mURLSearchHooks: IAOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol toolbar\aoltb.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: AOL Toolbar Loader: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol toolbar\aoltb.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
BHO: Panda Security Toolbar: {b821bf60-5c2d-41eb-92dc-3e4ccd3a22e4} - c:\program files\panda security\panda security toolbar\PandaSecurityDx.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol toolbar\aoltb.dll
TB: Panda Security Toolbar: {b821bf60-5c2d-41eb-92dc-3e4ccd3a22e4} - c:\program files\panda security\panda security toolbar\PandaSecurityDx.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [PSUNMain] "c:\program files\panda security\panda cloud antivirus\PSUNMain.exe" /Traybar
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
dRunOnce: [RunNarrator] Narrator.exe
IE: &AOL Toolbar Search - c:\documents and settings\all users\application data\aol\ietoolbar\resources\en-us\local\search.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {32505657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hemphill\applic~1\mozilla\firefox\profiles\0vt7xrpm.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2866295&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT2866295&SearchSource=13
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=panda&type=panda1_0yatb&p=
FF - prefs.js: network.proxy.type - 0
FF - component: c:\documents and settings\hemphill\application data\mozilla\firefox\profiles\0vt7xrpm.default\extensions\{7affbfae-c4e2-4915-8c0f-00fa3ec610a1}\components\WinampPlayer.dll
FF - component: c:\documents and settings\hemphill\application data\mozilla\firefox\profiles\0vt7xrpm.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\hemphill\application data\mozilla\firefox\profiles\0vt7xrpm.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
FF - component: c:\documents and settings\hemphill\application data\mozilla\firefox\profiles\0vt7xrpm.default\extensions\{b821bf60-5c2d-41eb-92dc-3e4ccd3a22e4}\components\dtTransparency.dll
FF - component: c:\documents and settings\hemphill\application data\mozilla\firefox\profiles\0vt7xrpm.default\extensions\{b821bf60-5c2d-41eb-92dc-3e4ccd3a22e4}\components\dtTransparency3.5.dll
FF - component: c:\documents and settings\hemphill\application data\mozilla\firefox\profiles\0vt7xrpm.default\extensions\{b821bf60-5c2d-41eb-92dc-3e4ccd3a22e4}\components\dtTransparency3.6.dll
FF - component: c:\documents and settings\hemphill\application data\mozilla\firefox\profiles\0vt7xrpm.default\extensions\{b9d63c58-90cc-428b-8d3b-cbb88eb07e7e}\components\RadioWMPCore.dll
FF - component: c:\documents and settings\hemphill\application data\mozilla\firefox\profiles\0vt7xrpm.default\extensions\{b9d63c58-90cc-428b-8d3b-cbb88eb07e7e}\components\RadioWMPCoreGecko19.dll
FF - component: c:\documents and settings\hemphill\application data\mozilla\firefox\profiles\0vt7xrpm.default\extensions\engine@conduit.com\components\RadioWMPCore.dll
FF - component: c:\documents and settings\hemphill\application data\mozilla\firefox\profiles\0vt7xrpm.default\extensions\engine@conduit.com\components\RadioWMPCoreGecko19.dll
FF - component: c:\documents and settings\hemphill\application data\mozilla\firefox\profiles\0vt7xrpm.default\extensions\textlinks@playsushi.com\components\PlaySushiFF.dll
FF - component: c:\program files\panda security\panda id protect\firefox\components\FFKeypad.dll
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\documents and settings\hemphill\application data\move networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\hemphill\application data\mozilla\firefox\profiles\0vt7xrpm.default\extensions\{abad4342-3fda-4ccf-80ac-b6d0eecaca07}\plugins\npvivoxvoiceplugin.dll
FF - plugin: c:\documents and settings\hemphill\application data\mozilla\firefox\profiles\0vt7xrpm.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\hemphill\application data\mozilla\firefox\profiles\0vt7xrpm.default\extensions\logmeinclient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\documents and settings\hemphill\application data\mozilla\firefox\profiles\0vt7xrpm.default\extensions\runtime@panda3d.org\platform\winnt_x86-msvc\plugins\nppanda3d.dll
FF - plugin: c:\progra~1\sonyon~1\npsoe.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPcol400.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: AOL Toolbar: {7affbfae-c4e2-4915-8c0f-00fa3ec610a1} - %profile%\extensions\{7affbfae-c4e2-4915-8c0f-00fa3ec610a1}
FF - Ext: MultirowBookmarksToolbar: {FBF6D7FB-F305-4445-BB3D-FEF66579A033} - %profile%\extensions\{FBF6D7FB-F305-4445-BB3D-FEF66579A033}
FF - Ext: Manage Folders: firefox-managefolders@googlecode.com - %profile%\extensions\firefox-managefolders@googlecode.com
FF - Ext: Unsorted Bookmarks Folder Menu: UnsortedBookmarksMenu@alice - %profile%\extensions\UnsortedBookmarksMenu@alice
FF - Ext: Shareaholic: firefox-extension@shareaholic.com - %profile%\extensions\firefox-extension@shareaholic.com
FF - Ext: LogMeIn, Inc. Remote Access Plugin: LogMeInClient@logmein.com - %profile%\extensions\LogMeInClient@logmein.com
FF - Ext: AddThis: {3e0e7d2a-070f-4a47-b019-91fe5385ba79} - %profile%\extensions\{3e0e7d2a-070f-4a47-b019-91fe5385ba79}
FF - Ext: Adobe DLM (powered by getPlus®): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
FF - Ext: Vivox Voice Plugin: {ABAD4342-3FDA-4ccf-80AC-B6D0EECACA07} - %profile%\extensions\{ABAD4342-3FDA-4ccf-80AC-B6D0EECACA07}
FF - Ext: Vivox Web Voice Plugin: {ABAD4342-3FDA-4ccf-80AC-B6D0EECACA07} - %profile%\extensions\{ABAD4342-3FDA-4ccf-80AC-B6D0EECACA07}
FF - Ext: Illimitux: illimitux@illimitux.net - %profile%\extensions\illimitux@illimitux.net
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - %profile%\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}
FF - Ext: Panda3D Game Engine Plug-In: runtime@panda3d.org - %profile%\extensions\runtime@panda3d.org
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
FF - Ext: Panda Security Toolbar: {B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4} - %profile%\extensions\{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}
FF - Ext: PlaySushi TextLinks : textlinks@playsushi.com - %profile%\extensions\textlinks@playsushi.com
FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com
FF - Ext: Elf 1.15 Community Toolbar: {b9d63c58-90cc-428b-8d3b-cbb88eb07e7e} - %profile%\extensions\{b9d63c58-90cc-428b-8d3b-cbb88eb07e7e}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Panda Identity Protect: widgetruntime@surfsecret.com - c:\program files\panda security\panda id protect\Firefox
FF - Ext: iWinGames Plugin: {98e34367-8df7-42b4-837b-20b892ff0849} - c:\program files\iwin games\firefox
FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\hemphill\application data\Move Networks

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-1-28 11608]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2010-1-29 223312]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2010-1-29 24656]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2010-1-29 29776]
R1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [2010-5-4 129928]
R1 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [2010-10-9 74624]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-1-28 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-1-28 267944]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-1-28 61960]
R2 iWinTrusted;iWinTrusted;c:\program files\iwin games\iWinTrusted.exe [2010-9-27 176408]
R2 NanoServiceMain;Panda Cloud Antivirus Service;c:\program files\panda security\panda cloud antivirus\PSANHost.exe [2010-4-30 136448]
R2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [2010-5-27 141384]
R2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [2010-4-30 97032]
R2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [2010-4-30 111624]
R2 PSINProt;PSINProt;c:\windows\system32\drivers\PSINProt.sys [2010-5-12 110920]
S3 MOSUMAC;USB-Ethernet Driver;c:\windows\system32\drivers\mosumac.sys --> c:\windows\system32\drivers\MOSUMAC.SYS [?]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2010-10-5 16168]
S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-10-1 133104]
S4 OAcat;Online Armor Helper Service;c:\program files\tall emu\online armor\oacat.exe [2010-1-29 1282248]
S4 SvcOnlineArmor;Online Armor;c:\program files\tall emu\online armor\oasrv.exe [2010-1-29 3431112]
S4 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2010-10-5 4497704]
S4 WTouchService;WTouch Service;c:\program files\wtouch\WTouchService.exe [2010-10-5 113448]

=============== Created Last 30 ================

2011-02-05 23:14:23 -------- d-----w- c:\docume~1\hemphill\applic~1\Malwarebytes
2011-02-05 23:14:18 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-05 23:14:17 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-02-05 23:14:13 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-05 23:14:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-02-05 03:48:33 -------- d-sha-r- C:\cmdcons
2011-02-05 03:44:29 98816 ----a-w- c:\windows\sed.exe
2011-02-05 03:44:29 89088 ----a-w- c:\windows\MBR.exe
2011-02-05 03:44:29 256512 ----a-w- c:\windows\PEV.exe
2011-02-05 03:44:29 161792 ----a-w- c:\windows\SWREG.exe
2011-01-31 22:58:08 -------- d-----w- c:\program files\Alex Feinman
2011-01-29 21:50:26 -------- d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor
2011-01-28 20:29:00 -------- d-----w- c:\docume~1\hemphill\applic~1\Avira
2011-01-28 19:44:06 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-01-28 19:42:57 -------- d-----w- c:\docume~1\alluse~1\applic~1\Avira
2011-01-28 19:42:56 -------- d-----w- c:\program files\Avira

==================== Find3M ====================

2010-12-02 03:35:18 4280320 ----a-w- c:\windows\system32\GPhotos.scr
2010-09-20 17:30:18 7292104 ----a-w- c:\program files\Install_AIM.exe
2010-09-08 03:39:32 511968 ----a-w- c:\program files\sdsetup.exe
2010-09-08 00:30:20 350715595 ----a-w- c:\program files\Smokin_Guns_1.0.exe
2010-02-09 23:00:07 448040 ----a-w- c:\program files\CouponActivator.exe
2009-09-03 18:06:18 8302304 ------w- c:\program files\yahoo_firefox_3.5.2_setup_us.exe
2009-07-04 13:57:53 1045536 -c----w- c:\program files\DriverDetective.exe
2009-07-04 13:40:04 39640024 -c----w- c:\program files\A140509_enu_xp.exe
2009-06-26 10:19:34 39242464 -c----w- c:\program files\AVSVideoConverter.exe
2009-05-28 11:17:25 2959376 -c----w- c:\program files\dotnetfx35setup.exe
2009-05-22 00:35:01 74302760 -c----w- c:\program files\iTunesSetup.exe
2009-05-21 01:54:47 16509288 -c----w- c:\program files\LimeWireWin.exe
2009-05-12 00:07:49 25740144 -c----w- c:\program files\wmp11-windowsxp-x86-enu.exe
2009-04-13 05:12:12 6641432 -c----w- c:\program files\rminstall.exe
2009-04-13 05:07:38 7796200 -c----w- c:\program files\asc-setup.exe
2009-04-11 03:59:55 7002350 -c----w- c:\program files\documentbackupsetup.exe
2009-04-06 22:08:20 702806 -c----w- c:\program files\bmkbuddy.exe
2009-04-06 03:12:08 91160 -c----w- c:\program files\ReimageRepair.exe
2009-04-02 18:44:59 3496632 -c----w- c:\program files\Shockwave_Installer_Slim.exe
2009-03-31 06:13:16 11018168 -c----w- c:\program files\ASAPUtilities_setup_4-2-10.exe
2009-03-31 05:58:57 4909440 -c----w- c:\program files\Silverlight.2.0.exe
2009-03-31 05:57:57 480816 -c----w- c:\program files\Sounds.EXE
2009-03-31 05:07:36 318904 -c----w- c:\program files\wmpfirefoxplugin.exe
2009-03-23 05:17:02 774744 -c----w- c:\program files\SetupGamevance.exe
2009-03-23 04:54:50 3184816 -c----w- c:\program files\ccsetup217.exe
2009-03-21 06:53:48 8726528 -c----w- c:\program files\Scorch525NetscapeInstaller.msi
2009-03-20 03:05:39 476696 -c----w- c:\program files\RealPlayer11GOLD.exe
2009-03-18 03:02:49 228852088 -c----w- c:\program files\office2007sp1-kb936982-fullfile-en-us.exe
2009-03-16 21:50:31 21878064 -c----w- c:\program files\QuickTimeInstaller.exe
2009-03-16 21:43:21 3145608 -c----w- c:\program files\rcsetup124.exe
2009-03-15 03:06:30 1878888 -c----w- c:\program files\install_flash_player.exe

============= FINISH: 19:49:08.73 ===============
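
The MBAM log above follows a fixed layout: a block of summary counts, then one itemised section per category with one `item (family) -> action.` line per detection. When a helper is triaging several such logs, it is worth checking them mechanically rather than by eye. The following script is an added example, not code from Malwarebytes or from anyone in this thread: its `SAMPLE_LOG` is a constructed, shortened log in the same layout (the paths under `c:\documents and settings\user`, the `example.invalid` extension id and the `Delete on reboot.` entry are made up), and the two regexes are inferred from the posted log rather than taken from any Malwarebytes specification. It parses the log, checks that each declared count matches the entries actually listed (a truncated paste shows up here), tallies detections by family, lists entries that were not fully removed, and flags the `ProxyServer` hit, because a cleared proxy value means the WinINet proxy setting had been changed and every browser's proxy configuration should be re-checked after cleanup.

```python
"""Sanity-check a Malwarebytes' Anti-Malware 1.50-style text log.

Added example for this thread, not code from Malwarebytes or from the thread's
participants. The layout (summary counts, then itemised sections with one
"item (family) -> action." line per detection) is inferred from the log posted
above; SAMPLE_LOG is a constructed, shortened log in that layout.
"""
import re
from collections import Counter

# Constructed sample: the user paths, the example.invalid extension id and the
# "Delete on reboot." entry are made up to exercise the checks below.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.50.1.1100
Scan type: Full scan (C:\|)

Memory Processes Infected: 0
Registry Values Infected: 2
Folders Infected: 1
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\adver_id (Malware.Trace) -> Value: adver_id -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.

Folders Infected:
c:\documents and settings\user\application data\Mozilla\extensions\textlinks@example.invalid (PUP.Example) -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\user\my documents\setupexample(2).exe (PUP.Example) -> Quarantined and deleted successfully.
c:\program files\windows nt\shell.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\example_bkurl.dat (Malware.Trace) -> Delete on reboot.
"""

# "Files Infected: 3" in the summary, or "Files Infected:" opening an itemised section
HEADER_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):(?:\s*(?P<count>\d+))?$")
# "<item> (<family>) -> [<detail> -> ]<action>."  The item itself may contain
# parentheses (e.g. "setup(2).exe"), so the family is the last "(...)" before " -> ".
ENTRY_RE = re.compile(r"^(?P<item>.+) \((?P<family>[^()\s]+)\) -> (?P<rest>.+?)\.?$")
DONE = "Quarantined and deleted successfully"


def parse_mbam_log(text):
    """Return (summary, sections): the declared count per section, and the
    entries actually listed under each section header."""
    summary, sections, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            if m.group("count") is not None:
                summary[m.group("name")] = int(m.group("count"))
            else:
                current = m.group("name")
                sections.setdefault(current, [])
            continue
        e = ENTRY_RE.match(line) if current else None
        if e:  # "(No malicious items detected)" and header text never match
            parts = e.group("rest").split(" -> ")
            sections[current].append({"item": e.group("item"),
                                      "family": e.group("family"),
                                      "detail": " -> ".join(parts[:-1]),
                                      "action": parts[-1]})
    return summary, sections


def count_mismatches(summary, sections):
    """Sections whose declared count differs from the entries actually listed."""
    return [(n, c, len(sections.get(n, []))) for n, c in summary.items()
            if c != len(sections.get(n, []))]


def family_counts(sections):
    """How many detections each threat family accounts for."""
    return Counter(e["family"] for entries in sections.values() for e in entries)


def unresolved(sections):
    """Entries MBAM could not remove immediately, e.g. those pending a reboot."""
    return [e for entries in sections.values() for e in entries if e["action"] != DONE]


def proxy_hijack_entries(sections):
    """Detections on the WinINet ProxyServer value: removing the value undoes the
    change, but every browser's proxy settings should still be re-checked."""
    return [e for e in sections.get("Registry Values Infected", [])
            if e["item"].lower().endswith(r"\internet settings\proxyserver")]


if __name__ == "__main__":
    summary, sections = parse_mbam_log(SAMPLE_LOG)
    for name, declared, listed in count_mismatches(summary, sections):
        print(f"count mismatch: {name} declares {declared}, lists {listed}")
    for family, n in family_counts(sections).most_common():
        print(f"{n:3d}  {family}")
    for e in unresolved(sections):
        print(f"still present ({e['action']}): {e['item']}")
    for e in proxy_hijack_entries(sections):
        print(f"proxy setting had been changed, re-check browser proxies: {e['item']}")
```

To run it against a real log, replace `SAMPLE_LOG` with the file's contents; the parser ignores the version, database and scan-type header lines, so the whole file can be passed in unchanged. A count mismatch usually means the log was cut off when it was pasted, which is worth knowing before drawing conclusions from it.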

#9 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Location:Numpty HQ

Posted 06 February 2011 - 02:36 PM

Good evening. :)

I checked the Task Manager, and "Iwintrusted.exe" was still there, even though I believe it was caught in malware scan and then removed.

Which scanner was this?

So long, and thanks for all the fish.

#10 debshemphill

  • Topic Starter
  • Members
  • 18 posts

Posted 06 February 2011 - 02:55 PM

Hello. The mbam scanner. c:\program files\retrogamer.exe (Adware.Iwon) -> Quarantined and deleted successfully. At least I thought that this was the file that was loading the iwintrusted.exe file. In any event, iwintrusted.exe still loads and today, the computer is back to being really slow. I removed the Avira Antivirus because it was the most recent download before any of this "thinking" and slow responding happened to the computer. If I turn off the Panda Antivirus program and stop the iwintrusted.exe file in the task manager, then the computer at least responds more quickly. Any thoughts? Thanks for your help.

#11 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:09:36 AM

Posted 06 February 2011 - 03:49 PM

When you ran DDS it should have created a second file called Attach.txt. I'd like a copy, whether you let me have the original, or run DDS again and create a new one is up to you.

So long, and thanks for all the fish.

#12 debshemphill

debshemphill
  • Topic Starter

  • Members
  • 18 posts
  • Gender:Male
  • Local time:05:36 AM

Posted 06 February 2011 - 05:38 PM

Attached File: Attach 2-5-11.txt (7.8KB)

Here it is, hope it helps!

#13 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:09:36 AM

Posted 06 February 2011 - 06:48 PM

Have you installed any software from this site: http://www.iwin.com/

So long, and thanks for all the fish.

#14 debshemphill

debshemphill
  • Topic Starter

  • Members
  • 18 posts
  • Gender:Male
  • Local time:05:36 AM

Posted 06 February 2011 - 09:50 PM

Hey... sorry it's taken me so long to respond. Ended up with a migraine headache. There are several users of this pc, but no one remembers visiting or downloading anything from iwin.com.

#15 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:09:36 AM

Posted 07 February 2011 - 04:40 PM

Good evening. :)

OK, so we'll remove the associated files, but be aware that this app looks like the price of some free software and if you remove the app you disable the software - I'm not sure what that software is, but I doubt it's critical!

1) Open Firefox, go to Tools > Add-ons > Extensions, locate iWinGames Plugin and uninstall it.

2) Copy and paste the following into Notepad (Start > All Programs > Accessories > Notepad):

Driver::
iWinTrusted

Folder::
c:\program files\iwin games


Save it to your Desktop with the following filename: CFScript
Drag and drop CFScript.txt onto your copy of Combofix and let it do its thing.
Let me have the log produced, as before, and a description of how the PC is behaving.

So long, and thanks for all the fish.
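Before and after running a removal script like the CFScript in post #15, it helps to confirm what is actually registered with the system and present on disk. The PowerShell audit below is an added example, not from this thread and not part of ComboFix: it reads, without changing anything, the service entry for the iWinTrusted driver, asks WMI whether that driver is currently loaded, lists the contents of the iwin games folder, and reports any running process whose name starts with "iwin" (the iwintrusted.exe process mentioned in post #10). It assumes the driver name and folder exactly as given in the post and an elevated PowerShell prompt; removal is left to the CFScript.

```powershell
# Added example (not part of the thread): read-only audit of the iWinTrusted driver
# and the "iwin games" folder named in post #15. Nothing here deletes or stops anything.
# Assumptions: service/driver name 'iWinTrusted' and folder '<ProgramFiles>\iwin games'
# exactly as given in the post; run from an elevated PowerShell prompt.

$driverName = 'iWinTrusted'
$folder     = Join-Path ${env:ProgramFiles} 'iwin games'
$serviceKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$driverName"

function Get-IwinAudit {
    $result = [ordered]@{}

    # 1. Service Control Manager entry: a kernel driver is registered under
    #    HKLM\SYSTEM\CurrentControlSet\Services just like a Win32 service.
    #    (Get-Service only lists Win32 services, so the registry is checked directly.)
    if (Test-Path $serviceKey) {
        $props = Get-ItemProperty -Path $serviceKey
        $result.ServiceKeyPresent = $true
        $result.ImagePath = $props.ImagePath          # binary the entry points at
        $result.Type      = $props.Type               # 1 = kernel driver, 2 = file system driver, 16/32 = Win32 service
        $result.Start     = $props.Start              # 0 = boot, 1 = system, 2 = auto, 3 = manual, 4 = disabled
    } else {
        $result.ServiceKeyPresent = $false
        $result.ImagePath = 'n/a'
        $result.Type      = 'n/a'
        $result.Start     = 'n/a'
    }

    # 2. Is the driver loaded right now? Win32_SystemDriver reports kernel drivers by service name.
    $loaded = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$driverName'" -ErrorAction SilentlyContinue
    $result.DriverLoaded = [bool]($loaded -and $loaded.State -eq 'Running')

    # 3. Program folder: present, and which files does it still contain?
    $result.FolderPresent = Test-Path $folder
    $result.FolderFiles = if ($result.FolderPresent) {
        Get-ChildItem -Path $folder -Recurse -File -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty FullName
    } else { @() }

    # 4. Running processes whose image name starts with "iwin" (e.g. iwintrusted.exe).
    $result.Processes = Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.ProcessName -match '^iwin' } |
        Select-Object -ExpandProperty ProcessName

    [pscustomobject]$result
}

# Run the audit and print one field per line; save the output to compare with a later run.
Get-IwinAudit | Format-List
```

Run it once before the CFScript and once after the reboot ComboFix performs: a clean result shows ServiceKeyPresent and FolderPresent as False, DriverLoaded as False and an empty Processes list. If the service key reappears after removal, something else on the machine is recreating it, and that is the next thing to look for in the ComboFix log.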
