Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Redirect Problem


  • This topic is locked This topic is locked
11 replies to this topic

#1 lbt15

lbt15

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:08:20 AM

Posted 10 March 2011 - 09:12 PM

I'm not sure if this it the right place for this. I'm new to the site, but I'll repost somewhere is this is the wrong spot.

I've been fighting with some kind of virus for over a month now. I keep updated on Spybot S & D, avast! Free, Ad-Aware, Malwarebytes' Anti-Malware, and McAfee and usually run a scan on each of them everyday. They've all helped with problems before, but none of them have been able to kill this.

My computer is a Windows Vista, and the only browser I use/have installed is Internet Explorer. I'm having troubles with redirects when I use a search engine. It can be anyone of the ones out there, all of them redirect my window when I click on a link. Usually it's to a white screen with a web address of www.google-analytics.com or something similar and then a moment later it redirects to a random webpage, like YellowPages.com.

This virus also appears to be letting in other problems, ones that are pretty common that I can solve manually or one of my programs will easily pick up and remove, but it is a nuisance and they pop up nearly every other day. I've also gotten one or two advanced ones that have locked me out from the computer and I've had to go through Safe Mode to get rid of it.

I've followed dozens of online guides to rid yourself of similar problems, like checking your hosts file, clearing your cache, and several internet options, to no avail. I've installed Hitman Pro 3.5 and TDSS Killer and neither was able to solve it.

A family friend who is a technician once installed CCleaner and Hijack This, but never returned to solve the problem. I ran CCleaner and Hijack This, and I'll include the log from Hijack This below.

A number of sites with solutions that didn't work for me suggested running ComboFix, so I've come here to see if this is what I need to do next, and if I do, instructions on how to use it. I'm not by far a computer technician, but I'm learning and trying to understand more of how it works to help me in the future.

Anyway, I don't know if the Hijack This log will help, but maybe it can give someone a head start to helping me.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:36:14 PM, on 3/10/2011
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.19019)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Uniblue\RegistryBooster\rbmonitor.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe
C:\ProgramData\Panda Security URL Filtering\Panda_URL_Filtering.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Users\Rebecca\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ylcf.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\progra~1\mcafee\msk\mskapbho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20101103181505.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5612.1312\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
O2 - BHO: Panda Security Toolbar - {B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4} - C:\Program Files\Panda Security\Panda Security Toolbar\PandaSecurityDx.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
O3 - Toolbar: Panda Security Toolbar - {B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4} - C:\Program Files\Panda Security\Panda Security Toolbar\PandaSecurityDx.dll
O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [PSUNMain] "C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe" /Traybar
O4 - HKLM\..\Run: [Panda Security URL Filtering] "C:\ProgramData\Panda Security URL Filtering\Panda_URL_Filtering.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [RegistryBooster] "C:\Program Files\Uniblue\RegistryBooster\launcher.exe" delay 20000
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: McAfee Security Scan Plus.lnk = ?
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
O18 - Protocol: skype-ie-addon-data - (no CLSID) - (no file)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CloudAvUpdater - Unknown owner - C:\Windows\system32\GroupPolicy\Machine\Scripts\Shutdown\PanBE24.tmp\setup.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft Limited - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Security Scan Component Host Service (McComponentHostService) - McAfee, Inc. - C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe
O23 - Service: McAfee Personal Firewall Service (McMPFSvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee VirusScan Announcer (McNaiAnn) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McShield - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
O23 - Service: McAfee Firewall Core Service (mfefire) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: Panda Cloud Antivirus Service (NanoServiceMain) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANHost.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 11555 bytes


Let me know what else I can do. Thanks in advance.

BC AdBot (Login to Remove)

 


#2 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:09:20 AM

Posted 10 March 2011 - 09:30 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Please take note:

  • If you have since resolved the original problem you were having, we would appreciate you letting us know.
  • If you are unable to create a log because your computer cannot start up successfully please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • If you are unable to perform the steps we have recommended please try one more time and if unsuccessful alert us of such and we will design an alternate means of obtaining the necessary information.
  • If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • Upon completing the steps below another staff member will review your topic an do their best to resolve your issues.
  • If you have already posted a DDS log, please do so again, as your situation may have changed.
  • Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Note:
If you are unable to run a Gmer scan due the fact you are running a64bit machine please run the following tool and post its log.

Please download MBRCheck to your desktop.

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log when you reply.



Thanks and again sorry for the delay.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#3 lbt15

lbt15
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:08:20 AM

Posted 10 March 2011 - 09:50 PM

Thank you, that was an extremely quick reply.

I believe I should have the original Windows CD/DVD around somewhere. I didn't set up this computer, but I know the person who did most likely kept everything it came with.

One thing I forgot to mention about my problem and I hope is pretty clear and straight forward: it's not just search engine links, but any link that I click anywhere on any site. Pretty much every time I click, my page is redirected or a pop up opens with the same pattern of the blank screen and then a redirect to a random website.

DDS Logfile:

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Rebecca at 20:23:31.19 on Thu 03/10/2011
Internet Explorer: 8.0.6001.19019
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2037.885 [GMT -6:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
AV: avast! Antivirus *Enabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
AV: Panda Cloud Antivirus *Enabled/Updated* {86971480-9989-6750-B122-681A86518D59}
SP: avast! Antivirus *Enabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
SP: Panda Cloud Antivirus *Enabled/Updated* {3DF6F564-BFB3-68DE-8B92-5368FDD6C7E4}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
SP: Lavasoft Ad-Watch Live! *Enabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\WLTRYSVC.EXE
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Uniblue\RegistryBooster\rbmonitor.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe
C:\ProgramData\Panda Security URL Filtering\Panda_URL_Filtering.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANHost.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Windows\system32\STacSV.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Windows\System32\bcmwltry.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10n_ActiveX.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANToManager.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Rebecca\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://ylcf.org/
uWindow Title = Internet Explorer provided by Dell
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20101103181505.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Panda Security Toolbar: {b821bf60-5c2d-41eb-92dc-3e4ccd3a22e4} - c:\program files\panda security\panda security toolbar\PandaSecurityDx.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Panda Security Toolbar: {b821bf60-5c2d-41eb-92dc-3e4ccd3a22e4} - c:\program files\panda security\panda security toolbar\PandaSecurityDx.dll
uRun: [RegistryBooster] "c:\program files\uniblue\registrybooster\launcher.exe" delay 20000
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [<NO NAME>]
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [PSUNMain] "c:\program files\panda security\panda cloud antivirus\PSUNMain.exe" /Traybar
mRun: [Panda Security URL Filtering] "c:\programdata\panda security url filtering\Panda_URL_Filtering.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\npjpi160.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\windows\system32\wpclsp.dll
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-12-11 64288]
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-9-9 386840]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-12-11 293968]
R1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\drivers\mfenlfk.sys [2010-9-9 64304]
R1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2010-9-9 164840]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
R1 MpKsla0fa6ff1;MpKsla0fa6ff1;c:\programdata\microsoft\microsoft antimalware\definition updates\{21d20142-0466-4733-aac3-0858e4fce478}\MpKsla0fa6ff1.sys [2011-3-10 28752]
R1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [2010-12-16 126536]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-12-11 17744]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-12-11 51280]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-12-11 40384]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-9-19 21504]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-9-23 1405384]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-9-9 271480]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-9-9 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-9-9 271480]
R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-9-9 271480]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-9-9 171168]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-9-9 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-9-9 141792]
R2 NanoServiceMain;Panda Cloud Antivirus Service;c:\program files\panda security\panda cloud antivirus\PSANHost.exe [2010-12-16 140608]
R2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [2010-12-16 141384]
R2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [2010-12-16 99400]
R2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [2010-12-16 111176]
R2 PSINProt;PSINProt;c:\windows\system32\drivers\PSINProt.sys [2010-12-16 113736]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-10-17 1153368]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-9-9 55840]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-9-23 15232]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-9-9 152960]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-9-9 52104]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-9-9 313288]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 54144]
R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2010-11-11 206360]
S2 CloudAvUpdater;CloudAvUpdater;c:\windows\system32\grouppolicy\machine\scripts\shutdown\panbe24.tmp\setup.exe [2011-3-8 739136]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-1-3 135664]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-9-9 84264]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-10-24 43392]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2008-9-19 21504]
.
=============== Created Last 30 ================
.
2011-03-10 18:12:11 72 ----a-w- c:\windows\RAVTC.TMP
2011-03-10 12:44:15 28752 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{21d20142-0466-4733-aac3-0858e4fce478}\MpKsla0fa6ff1.sys
2011-03-09 17:39:07 429056 ----a-w- c:\windows\system32\EncDec.dll
2011-03-09 17:39:05 322560 ----a-w- c:\windows\system32\sbe.dll
2011-03-09 17:39:04 177664 ----a-w- c:\windows\system32\mpg2splt.ax
2011-03-09 17:39:03 153088 ----a-w- c:\windows\system32\sbeio.dll
2011-03-09 17:38:49 2067968 ----a-w- c:\windows\system32\mstscax.dll
2011-03-09 17:38:46 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-03-09 16:59:04 -------- d-----w- c:\program files\iPod
2011-03-09 16:58:50 -------- d-----w- c:\program files\iTunes
2011-03-09 15:18:06 5943120 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{21d20142-0466-4733-aac3-0858e4fce478}\mpengine.dll
2011-03-08 18:12:08 739136 ----a-w- c:\windows\system32\grouppolicy\machine\scripts\shutdown\panbe24.tmp\setup.exe
2011-03-08 18:12:07 -------- d-----w- c:\windows\system32\grouppolicy\machine\scripts\shutdown\PanBE24.tmp
2011-03-08 14:33:15 -------- d-----w- C:\TOY_STORY_3
2011-03-08 14:27:33 -------- d-----w- c:\users\rebecca\appdata\local\Geckofx
2011-03-08 14:24:53 -------- d-----w- c:\program files\AviSynth 2.5
2011-03-08 14:23:12 -------- d-----w- c:\program files\Red Kawa
2011-03-08 13:56:33 -------- d-----w- c:\program files\DVD Decrypter
2011-03-05 19:03:33 -------- d-----w- c:\users\rebecca\appdata\local\Sunbelt Software
2011-03-05 18:13:34 -------- d-----w- c:\users\rebecca\appdata\roaming\Panda Security
2011-03-05 18:13:28 -------- d-----w- c:\users\rebecca\appdata\roaming\SurfSecret Privacy Suite
2011-03-05 18:12:35 -------- d-----w- c:\users\rebecca\appdata\local\panda2_0dn
2011-03-05 18:12:23 -------- d-----w- c:\progra~2\Panda Security URL Filtering
2011-03-05 18:10:40 -------- d-----w- c:\program files\Panda Security
2011-03-05 18:10:40 -------- d-----w- c:\progra~2\Panda Security
2011-03-05 13:57:40 439632 ------w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{392312a9-2a40-4c34-8838-d2e3fbe7e054}\gapaengine.dll
2011-03-05 13:57:27 5943120 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2011-03-04 02:52:07 -------- d-----w- c:\program files\Microsoft Security Client
2011-03-04 02:50:46 221568 ----a-w- c:\windows\system32\drivers\netio.sys
2011-03-03 20:01:10 -------- d-----w- c:\users\rebecca\appdata\roaming\Uniblue
2011-03-03 20:00:37 -------- dc-h--w- c:\progra~2\{DE8EABB5-1C85-4410-A68D-79BD8A4518F4}
2011-03-03 20:00:32 -------- d-----w- c:\program files\Uniblue
2011-03-03 19:59:58 -------- d-----w- c:\users\rebecca\appdata\local\PackageAware
2011-03-03 19:58:37 12872 ----a-w- c:\windows\system32\bootdelete.exe
2011-03-03 19:53:32 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-03-03 19:53:29 -------- d-----w- c:\program files\Hitman Pro 3.5
2011-03-03 19:53:08 -------- d-----w- c:\progra~2\Hitman Pro
2011-03-01 13:34:48 5943120 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{5bd537d4-ddb3-40dd-a657-ac28e00405dd}\mpengine.dll
2011-02-24 13:24:31 2048 ----a-w- c:\windows\system32\winrsmgr.dll
2011-02-18 22:36:58 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-02-18 22:36:58 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-02-16 00:46:02 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2011-02-16 00:46:02 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2011-02-16 00:44:10 -------- d-----w- c:\progra~2\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2011-02-16 00:42:30 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll
2011-02-16 00:42:30 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll
2011-02-16 00:42:30 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll
2011-02-16 00:42:30 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll
2011-02-16 00:42:29 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll
2011-02-16 00:42:29 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll
2011-02-16 00:42:29 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll
2011-02-16 00:31:34 -------- d-----w- c:\program files\Bonjour
2011-02-09 14:21:27 2039808 ----a-w- c:\windows\system32\win32k.sys
2011-02-09 14:21:21 1205080 ----a-w- c:\windows\system32\ntdll.dll
2011-02-09 14:21:20 3602320 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-02-09 14:21:20 3550096 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-02-09 14:21:16 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
.
==================== Find3M ====================
.
2011-03-05 19:06:14 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-01-20 16:08:16 478720 ----a-w- c:\windows\system32\dxgi.dll
2011-01-20 16:08:06 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2011-01-20 16:08:06 189952 ----a-w- c:\windows\system32\d3d10core.dll
2011-01-20 16:08:06 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2011-01-20 16:08:06 1029120 ----a-w- c:\windows\system32\d3d10.dll
2011-01-20 16:07:58 37376 ----a-w- c:\windows\system32\cdd.dll
2011-01-20 16:07:42 258048 ----a-w- c:\windows\system32\winspool.drv
2011-01-20 16:07:16 586240 ----a-w- c:\windows\system32\stobject.dll
2011-01-20 16:06:38 2873344 ----a-w- c:\windows\system32\mf.dll
2011-01-20 16:06:35 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2011-01-20 16:04:54 98816 ----a-w- c:\windows\system32\mfps.dll
2011-01-20 16:04:54 209920 ----a-w- c:\windows\system32\mfplat.dll
2011-01-20 14:28:38 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2011-01-20 14:27:50 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-01-20 14:26:30 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2011-01-20 14:25:25 847360 ----a-w- c:\windows\system32\OpcServices.dll
2011-01-20 14:24:32 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-01-20 14:24:26 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2011-01-20 14:15:10 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
2011-01-20 14:14:39 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll
2011-01-20 14:14:03 302592 ----a-w- c:\windows\system32\mfmp4src.dll
2011-01-20 14:14:03 261632 ----a-w- c:\windows\system32\mfreadwrite.dll
2011-01-20 14:12:46 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2011-01-20 14:11:34 486400 ----a-w- c:\windows\system32\d3d10level9.dll
2011-01-20 13:47:51 683008 ----a-w- c:\windows\system32\d2d1.dll
2011-01-20 13:44:05 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-01-20 13:44:03 797184 ----a-w- c:\windows\system32\FntCache.dll
2011-01-08 08:47:50 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-01-08 06:28:49 292352 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 20:06:36 38848 ----a-w- c:\windows\avastSS.scr
2010-12-28 15:55:03 413696 ----a-w- c:\windows\system32\odbc32.dll
2010-12-18 06:27:04 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-18 06:22:41 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-18 06:22:27 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-12-18 06:22:11 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-12-18 06:22:11 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-12-18 05:25:26 385024 ----a-w- c:\windows\system32\html.iec
2010-12-18 04:48:39 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-12-18 04:47:11 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-12-17 00:39:53 365888 ----a-w- c:\windows\system32\PSUNCpl.cpl
2010-12-14 14:49:23 1169408 ----a-w- c:\windows\system32\sdclt.exe
2010-12-13 17:51:52 37376 ----a-w- c:\windows\system32\libusb0.dll
.
============= FINISH: 20:30:46.21 ===============

Attached Files



#4 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:09:20 AM

Posted 10 March 2011 - 11:31 PM

Hello lbt15,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • Finally, please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.


We have alot of things we need to do before we can start cleaning your machine. These have to be done first then we will start cleaning. If we don't so these things we are wasting our time.


1.
I do not recommend that you have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened again this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove all but 1 of the following Lavasoft Ad-Watch Live! Anti-Virus or Microsoft Security Essentials or McAfee Anti-Virus and Anti-Spyware or avast! Antivirus or AV: Panda Cloud Antivirus *Enabled/Updated

2.
We need to disable Spybot S&D's "TeaTimer"
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half finished fix, we need to disable TeaTimer. We can reenable it when we're done if you like.
  • Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • If prompted with a legal dialog, accept the warning.
  • Click Posted Image and then on "Advanced Mode"
    Posted Image
  • You may be presented with a warning dialog. If so, press Posted Image
  • Click on Posted Image
  • Click on Posted Image
  • Uncheck this checkbox:
    Posted Image
  • Close/Exit Spybot Search and Destroy

3.
Download Bootkit Remover to your desktop

1. Extract the file to your desktop.
2. Double click Remover.exe to run it (Right click and run as Administrator for Vista).
3. It will show a Black screen with some data on it.
4. Right click on the screen and choose Select All.
5. Press Control+C (to copy the data).
6. Open a notepad, Click on Edit tab > paste.
7. Exit the Remover.exe window.
8. Please post the contents of the notepad when you reply.

3.
Please download MBRCheck to your desktop.

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log when you reply.

4.
Uninstalling A Program Through "add/remove"

Click "start" on the taskbar and then click on the "Control Panel" icon.
Please doubleclick the "Add or Remove Programs" icon
A list of programs installed will be "populated" this may take a bit of time.
If they exist, uninstall the following by clicking on the following entries and selecting "remove":

Uniblue RegistryBooster
Java™ SE Runtime Environment 6


Additional instructions can be found here if needed.

5.
Important Note: Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Microsoft: ‘Unprecedented Wave of Java Exploitation’
Drive-by Trojan preying on out-of-date Java installations
Ghosts of Java Haunt UsersPlease follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Platform, Standard Edition".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows" (32-bit) or "Windows x64" (64-bit).
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "I agree to the Java SE...License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Posted Image > Control Panel, double-click on Add/Remove Programs or Programs and Features in Vista/Windows 7 and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u23-windows-i586.exe to install the newest version.
  • If using Windows 7 or Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications but it's not necessary.
To disable the JQS service if you don't want to use it:
  • Go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter.
  • Click Ok and reboot your computer.

Things to include in your next reply::
Bootkit Remover log
MBRCheck log
A new DDS log

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#5 lbt15

lbt15
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:08:20 AM

Posted 11 March 2011 - 12:29 PM

Alright, I went through all of the new steps. Here are the logs.


Bootkit Remover
© 2009 eSage Lab
www.esagelab.com

Program version: 1.2.0.0
OS Version: Microsoft Windows Vista Home Premium Edition Service Pack 2 (build 6
002), 32-bit

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000002`82000000
Boot sector MD5 is: 0ec6b2481fc707d1e901dc2a875f2826

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


Done;
Press any key to quit...


MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows Vista Home Premium Edition
Windows Information: Service Pack 2 (build 6002), 32-bit
Base Board Manufacturer: Dell Inc.
BIOS Manufacturer: Dell Inc.
System Manufacturer: Dell Inc.
System Product Name: Inspiron 1520
Logical Drives Mask: 0x0000001c

Kernel Drivers (total 152):
0x82E10000 \SystemRoot\system32\ntkrnlpa.exe
0x831CA000 \SystemRoot\system32\hal.dll
0x80407000 \SystemRoot\system32\kdcom.dll
0x8040E000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
0x8047E000 \SystemRoot\system32\PSHED.dll
0x8048F000 \SystemRoot\system32\BOOTVID.dll
0x80497000 \SystemRoot\system32\CLFS.SYS
0x804D8000 \SystemRoot\system32\CI.dll
0x80603000 \SystemRoot\system32\drivers\Wdf01000.sys
0x8067F000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x8068C000 \SystemRoot\system32\drivers\acpi.sys
0x806D2000 \SystemRoot\system32\drivers\WMILIB.SYS
0x806DB000 \SystemRoot\system32\drivers\msisadrv.sys
0x806E3000 \SystemRoot\system32\drivers\pci.sys
0x8070A000 \SystemRoot\System32\drivers\partmgr.sys
0x80719000 \SystemRoot\system32\DRIVERS\compbatt.sys
0x8071C000 \SystemRoot\system32\DRIVERS\BATTC.SYS
0x80726000 \SystemRoot\system32\drivers\volmgr.sys
0x80735000 \SystemRoot\System32\drivers\volmgrx.sys
0x8077F000 \SystemRoot\system32\DRIVERS\intelide.sys
0x80786000 \SystemRoot\system32\DRIVERS\PCIIDEX.SYS
0x80794000 \SystemRoot\system32\drivers\pciide.sys
0x8079B000 \SystemRoot\System32\drivers\mountmgr.sys
0x88A0C000 \SystemRoot\system32\drivers\iastorv.sys
0x88AAC000 \SystemRoot\system32\drivers\iastor.sys
0x88B6A000 \SystemRoot\system32\drivers\atapi.sys
0x88B72000 \SystemRoot\system32\drivers\ataport.SYS
0x88B90000 \SystemRoot\system32\drivers\fltmgr.sys
0x88BC2000 \SystemRoot\system32\drivers\fileinfo.sys
0x88BD2000 \SystemRoot\system32\DRIVERS\Lbd.sys
0x88BE1000 \SystemRoot\System32\Drivers\PxHelp20.sys
0x88C0B000 \SystemRoot\System32\Drivers\ksecdd.sys
0x88C7C000 \SystemRoot\system32\drivers\ndis.sys
0x88D87000 \SystemRoot\system32\drivers\msrpc.sys
0x88DB2000 \SystemRoot\system32\drivers\NETIO.SYS
0x88E00000 \SystemRoot\System32\drivers\tcpip.sys
0x88EED000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x89003000 \SystemRoot\System32\Drivers\Ntfs.sys
0x89113000 \SystemRoot\system32\drivers\volsnap.sys
0x8914C000 \SystemRoot\System32\Drivers\spldr.sys
0x89154000 \SystemRoot\System32\Drivers\mup.sys
0x89163000 \SystemRoot\System32\drivers\ecache.sys
0x8918A000 \SystemRoot\system32\drivers\disk.sys
0x8919B000 \SystemRoot\system32\drivers\CLASSPNP.SYS
0x891BC000 \SystemRoot\system32\drivers\crcdisk.sys
0x891D2000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x891DD000 \SystemRoot\system32\DRIVERS\tunmp.sys
0x891E6000 \SystemRoot\system32\DRIVERS\intelppm.sys
0x8D60F000 \SystemRoot\system32\DRIVERS\igdkmd32.sys
0x8D20D000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x8D2AD000 \SystemRoot\System32\drivers\watchdog.sys
0x8D2B9000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0x8D2C4000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x8D302000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x8D311000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0x8DC03000 \SystemRoot\system32\DRIVERS\bcmwl6.sys
0x8DC89000 \SystemRoot\system32\DRIVERS\bcm4sbxp.sys
0x8DC99000 \SystemRoot\system32\DRIVERS\ohci1394.sys
0x8DCA9000 \SystemRoot\system32\DRIVERS\1394BUS.SYS
0x8DCB7000 \SystemRoot\system32\DRIVERS\sdbus.sys
0x8DCD1000 \SystemRoot\system32\DRIVERS\rimmptsk.sys
0x8DCDF000 \SystemRoot\system32\DRIVERS\rimsptsk.sys
0x8DCF3000 \SystemRoot\system32\DRIVERS\rixdptsk.sys
0x8DD44000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0x8DD57000 \SystemRoot\system32\DRIVERS\SynTP.sys
0x8DD82000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x8DD84000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x8DD8F000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x8DD9A000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x8DDB2000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0x8DDB8000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0x8DDBC000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0x8DDC5000 \SystemRoot\system32\DRIVERS\msiscsi.sys
0x8D39E000 \SystemRoot\system32\DRIVERS\storport.sys
0x8DDF4000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x8D3DF000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x8D200000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x88FC6000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x8D600000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x88FE9000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x88BEA000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x88DED000 \SystemRoot\system32\DRIVERS\termdd.sys
0x8DC00000 \SystemRoot\system32\DRIVERS\swenum.sys
0x807AB000 \SystemRoot\system32\DRIVERS\ks.sys
0x8D3F6000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0x807D5000 \SystemRoot\system32\DRIVERS\umbus.sys
0x805B8000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x807E2000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x8E405000 \SystemRoot\system32\drivers\stwrt.sys
0x8E458000 \SystemRoot\system32\drivers\portcls.sys
0x8E485000 \SystemRoot\system32\drivers\drmk.sys
0x8E4AA000 \SystemRoot\system32\DRIVERS\HSXHWAZL.sys
0x8E4E7000 \SystemRoot\system32\DRIVERS\HSX_DPV.sys
0x8E607000 \SystemRoot\system32\DRIVERS\HSX_CNXT.sys
0x8E6BB000 \SystemRoot\system32\drivers\modem.sys
0x8E6C8000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0x8E6D1000 \SystemRoot\System32\Drivers\Null.SYS
0x8E6D8000 \SystemRoot\System32\Drivers\Beep.SYS
0x8E6DF000 \SystemRoot\System32\drivers\vga.sys
0x8E6EB000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x8E70C000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x8E714000 \SystemRoot\system32\drivers\rdpencdd.sys
0x8E71C000 \SystemRoot\System32\Drivers\Msfs.SYS
0x8E727000 \SystemRoot\System32\Drivers\Npfs.SYS
0x8E735000 \SystemRoot\System32\DRIVERS\rasacd.sys
0x8E73E000 \SystemRoot\system32\DRIVERS\tdx.sys
0x8E754000 \SystemRoot\system32\DRIVERS\smb.sys
0x8E768000 \SystemRoot\System32\DRIVERS\netbt.sys
0x8E79A000 \SystemRoot\system32\drivers\afd.sys
0x8E7E2000 \SystemRoot\system32\drivers\ws2ifsl.sys
0x8E5EA000 \SystemRoot\system32\DRIVERS\pacer.sys
0x8E7EB000 \SystemRoot\system32\DRIVERS\netbios.sys
0x805ED000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x8E800000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x8E83C000 \SystemRoot\system32\drivers\nsiproxy.sys
0x8E846000 \SystemRoot\System32\Drivers\dfsc.sys
0x8E85D000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0x8E874000 \SystemRoot\system32\DRIVERS\OEM02Dev.sys
0x8E8AE000 \SystemRoot\system32\DRIVERS\OEM02Vfx.sys
0x8E8B0000 \SystemRoot\system32\DRIVERS\udfs.sys
0x8E8EB000 \SystemRoot\System32\Drivers\crashdmp.sys
0x8E8F8000 \SystemRoot\System32\Drivers\dump_iaStor.sys
0x98830000 \SystemRoot\System32\win32k.sys
0x8E9B6000 \SystemRoot\System32\drivers\Dxapi.sys
0x8E9C0000 \SystemRoot\system32\DRIVERS\monitor.sys
0x98A50000 \SystemRoot\System32\TSDDD.dll
0x98A70000 \SystemRoot\System32\cdd.dll
0x8E9CF000 \SystemRoot\system32\drivers\luafv.sys
0x88F08000 \SystemRoot\system32\drivers\spsys.sys
0xAAC04000 \SystemRoot\system32\DRIVERS\lltdio.sys
0xAAC14000 \SystemRoot\system32\DRIVERS\nwifi.sys
0xAAC3E000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xAAC48000 \SystemRoot\system32\DRIVERS\rspndr.sys
0xAAC5B000 \SystemRoot\system32\drivers\HTTP.sys
0xAACC8000 \SystemRoot\System32\DRIVERS\srvnet.sys
0xAACE5000 \SystemRoot\system32\DRIVERS\bowser.sys
0xAACFE000 \SystemRoot\System32\drivers\mpsdrv.sys
0xAAD13000 \SystemRoot\system32\drivers\mrxdav.sys
0xAAD34000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xAAD53000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0xAAD8C000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0xAADA4000 \SystemRoot\System32\DRIVERS\srv2.sys
0xAE20D000 \SystemRoot\System32\DRIVERS\srv.sys
0xAE273000 \SystemRoot\system32\DRIVERS\dsunidrv.sys
0xAE275000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xAE279000 \SystemRoot\system32\drivers\peauth.sys
0xAE357000 \SystemRoot\System32\Drivers\fastfat.SYS
0xAE37F000 \SystemRoot\System32\Drivers\secdrv.SYS
0xAE389000 \SystemRoot\System32\drivers\tcpipreg.sys
0xAE395000 \SystemRoot\system32\DRIVERS\xaudio.sys
0xAE39D000 \??\C:\Users\Rebecca\AppData\Local\Temp\mbr.sys
0x77A90000 \Windows\System32\ntdll.dll

Processes (total 66):
0 System Idle Process
4 System
440 C:\Windows\System32\smss.exe
516 csrss.exe
560 C:\Windows\System32\wininit.exe
572 csrss.exe
604 C:\Windows\System32\services.exe
616 C:\Windows\System32\lsass.exe
624 C:\Windows\System32\lsm.exe
664 C:\Windows\System32\winlogon.exe
820 C:\Windows\System32\svchost.exe
880 C:\Windows\System32\svchost.exe
920 C:\Windows\System32\svchost.exe
1016 C:\Windows\System32\svchost.exe
1052 C:\Windows\System32\svchost.exe
1072 C:\Windows\System32\svchost.exe
1180 C:\Windows\System32\audiodg.exe
1208 C:\Windows\System32\svchost.exe
1228 C:\Windows\System32\SLsvc.exe
1268 C:\Windows\System32\svchost.exe
1456 C:\Windows\System32\svchost.exe
1576 C:\Windows\System32\WLTRYSVC.EXE
1588 C:\Windows\System32\BCMWLTRY.EXE
1596 C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
1888 C:\Windows\System32\spoolsv.exe
1932 C:\Windows\System32\svchost.exe
2036 C:\Windows\System32\taskeng.exe
372 C:\Windows\System32\dwm.exe
468 C:\Windows\explorer.exe
864 C:\Windows\System32\taskeng.exe
2068 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
2184 C:\Program Files\iTunes\iTunesHelper.exe
2212 C:\Program Files\Common Files\Java\Java Update\jusched.exe
2228 C:\Program Files\Windows Media Player\wmpnscfg.exe
2308 C:\Program Files\Bonjour\mDNSResponder.exe
2376 C:\PROGRA~1\McAfee\SITEAD~1\McSACore.exe
2480 C:\Windows\System32\svchost.exe
2528 C:\Windows\System32\rundll32.exe
2628 C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
2728 C:\Windows\System32\stacsv.exe
2764 C:\Windows\System32\svchost.exe
2800 C:\Windows\System32\svchost.exe
2848 C:\Windows\System32\SearchIndexer.exe
2876 C:\Windows\System32\drivers\XAudio.exe
3392 C:\Program Files\Internet Explorer\iexplore.exe
3524 unsecapp.exe
3708 WmiPrvSE.exe
3744 C:\Program Files\Windows Media Player\wmpnetwk.exe
3964 C:\Program Files\Internet Explorer\iexplore.exe
1032 C:\Program Files\iPod\bin\iPodService.exe
3348 C:\Windows\System32\svchost.exe
2916 C:\Windows\System32\wbem\unsecapp.exe
3640 C:\Windows\System32\Macromed\Flash\FlashUtil10n_ActiveX.exe
2176 C:\Windows\System32\rundll32.exe
3412 C:\Program Files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe
3552 C:\Program Files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe
1772 C:\Program Files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe
1984 C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
3072 C:\Windows\servicing\TrustedInstaller.exe
1452 C:\Windows\System32\notepad.exe
3008 C:\Windows\System32\notepad.exe
2576 taskeng.exe
3100 RacAgent.exe
3616 dllhost.exe
876 dllhost.exe
644 C:\Users\Rebecca\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000002`82000000 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000000`02000000 (NTFS)

PhysicalDrive0 Model Number: FUJITSUMHW2160BH, Rev: 0085001C

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 Windows Vista MBR code detected
SHA1: 8DF43F2BDE2D9451948FA14B5279969C777A7979


Done!


.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Rebecca at 11:22:22.03 on Fri 03/11/2011
Internet Explorer: 8.0.6001.19019
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\progra~1\mcafee\sitead~1\McSACore.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Windows\system32\STacSV.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10n_ActiveX.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe
C:\Program Files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe
C:\Users\Rebecca\Desktop\dds.scr
C:\Program Files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://ylcf.org/
uWindow Title = Internet Explorer provided by Dell
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [<NO NAME>]
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
LSP: c:\windows\system32\wpclsp.dll
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
R? clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86
R? cpuz134;cpuz134
R? gupdate;Google Update Service (gupdate)
R? Lavasoft Kernexplorer;Lavasoft helper driver
R? nosGetPlusHelper;getPlus® Helper 3004
R? SBSDWSCService;SBSD Security Center Service
R? WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0
S? FontCache;Windows Font Cache Service
S? Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service
S? Lbd;Lbd
S? McAfee SiteAdvisor Service;McAfee SiteAdvisor Service
.
=============== Created Last 30 ================
.
2011-03-11 16:46:42 5943120 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{8d8badb3-2b2c-4211-a4ea-4221128bef9d}\mpengine.dll
2011-03-11 15:23:05 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-03-09 17:39:07 429056 ----a-w- c:\windows\system32\EncDec.dll
2011-03-09 17:39:05 322560 ----a-w- c:\windows\system32\sbe.dll
2011-03-09 17:39:04 177664 ----a-w- c:\windows\system32\mpg2splt.ax
2011-03-09 17:39:03 153088 ----a-w- c:\windows\system32\sbeio.dll
2011-03-09 17:38:49 2067968 ----a-w- c:\windows\system32\mstscax.dll
2011-03-09 17:38:46 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-03-09 16:59:04 -------- d-----w- c:\program files\iPod
2011-03-09 16:58:50 -------- d-----w- c:\program files\iTunes
2011-03-08 14:33:15 -------- d-----w- C:\TOY_STORY_3
2011-03-08 14:27:33 -------- d-----w- c:\users\rebecca\appdata\local\Geckofx
2011-03-08 14:24:53 -------- d-----w- c:\program files\AviSynth 2.5
2011-03-08 14:23:12 -------- d-----w- c:\program files\Red Kawa
2011-03-08 13:56:33 -------- d-----w- c:\program files\DVD Decrypter
2011-03-05 19:03:33 -------- d-----w- c:\users\rebecca\appdata\local\Sunbelt Software
2011-03-05 18:13:34 -------- d-----w- c:\users\rebecca\appdata\roaming\Panda Security
2011-03-05 18:13:28 -------- d-----w- c:\users\rebecca\appdata\roaming\SurfSecret Privacy Suite
2011-03-05 18:10:40 -------- d-----w- c:\program files\Panda Security
2011-03-05 18:10:40 -------- d-----w- c:\progra~2\Panda Security
2011-03-04 02:50:46 221568 ----a-w- c:\windows\system32\drivers\netio.sys
2011-03-03 20:01:10 -------- d-----w- c:\users\rebecca\appdata\roaming\Uniblue
2011-03-03 19:59:58 -------- d-----w- c:\users\rebecca\appdata\local\PackageAware
2011-03-03 19:58:37 12872 ----a-w- c:\windows\system32\bootdelete.exe
2011-03-03 19:53:32 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-03-03 19:53:29 -------- d-----w- c:\program files\Hitman Pro 3.5
2011-03-03 19:53:08 -------- d-----w- c:\progra~2\Hitman Pro
2011-02-24 13:24:31 2048 ----a-w- c:\windows\system32\winrsmgr.dll
2011-02-18 22:36:58 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-02-18 22:36:58 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-02-16 00:46:02 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2011-02-16 00:46:02 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2011-02-16 00:44:10 -------- d-----w- c:\progra~2\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2011-02-16 00:42:30 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll
2011-02-16 00:42:30 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll
2011-02-16 00:42:30 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll
2011-02-16 00:42:30 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll
2011-02-16 00:42:29 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll
2011-02-16 00:42:29 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll
2011-02-16 00:42:29 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll
2011-02-16 00:31:34 -------- d-----w- c:\program files\Bonjour
.
==================== Find3M ====================
.
2011-03-05 19:06:14 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-02-02 23:11:20 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-01-20 16:08:16 478720 ----a-w- c:\windows\system32\dxgi.dll
2011-01-20 16:08:06 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2011-01-20 16:08:06 189952 ----a-w- c:\windows\system32\d3d10core.dll
2011-01-20 16:08:06 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2011-01-20 16:08:06 1029120 ----a-w- c:\windows\system32\d3d10.dll
2011-01-20 16:07:58 37376 ----a-w- c:\windows\system32\cdd.dll
2011-01-20 16:07:42 258048 ----a-w- c:\windows\system32\winspool.drv
2011-01-20 16:07:16 586240 ----a-w- c:\windows\system32\stobject.dll
2011-01-20 16:06:38 2873344 ----a-w- c:\windows\system32\mf.dll
2011-01-20 16:06:35 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2011-01-20 16:04:54 98816 ----a-w- c:\windows\system32\mfps.dll
2011-01-20 16:04:54 209920 ----a-w- c:\windows\system32\mfplat.dll
2011-01-20 14:28:38 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2011-01-20 14:27:50 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-01-20 14:26:30 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2011-01-20 14:25:25 847360 ----a-w- c:\windows\system32\OpcServices.dll
2011-01-20 14:24:32 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-01-20 14:24:26 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2011-01-20 14:15:10 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
2011-01-20 14:14:39 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll
2011-01-20 14:14:03 302592 ----a-w- c:\windows\system32\mfmp4src.dll
2011-01-20 14:14:03 261632 ----a-w- c:\windows\system32\mfreadwrite.dll
2011-01-20 14:12:46 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2011-01-20 14:11:34 486400 ----a-w- c:\windows\system32\d3d10level9.dll
2011-01-20 13:47:51 683008 ----a-w- c:\windows\system32\d2d1.dll
2011-01-20 13:44:05 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-01-20 13:44:03 797184 ----a-w- c:\windows\system32\FntCache.dll
2011-01-08 08:47:50 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-01-08 06:28:49 292352 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:57:01 2039808 ----a-w- c:\windows\system32\win32k.sys
2010-12-28 15:55:03 413696 ----a-w- c:\windows\system32\odbc32.dll
2010-12-18 06:27:04 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-18 06:22:41 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-18 06:22:27 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-12-18 06:22:11 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-12-18 06:22:11 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-12-18 05:25:26 385024 ----a-w- c:\windows\system32\html.iec
2010-12-18 04:48:39 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-12-18 04:47:11 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-12-14 14:49:23 1169408 ----a-w- c:\windows\system32\sdclt.exe
2010-12-13 17:51:52 37376 ----a-w- c:\windows\system32\libusb0.dll
.
============= FINISH: 11:26:23.81 ===============

#6 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:09:20 AM

Posted 11 March 2011 - 04:57 PM

Hello,

Let's begin to start cleaning your machine. :whistle:


1.
Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

2.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Posted Image
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Note:The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Posted Image
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouseclick combofix's window while its running because it may cause it to stall.

3.
Is your computer connected to the internet through a router? If so we need to reset the router.
How to reset your router.


Things to include in your next reply::
TdssKiller log
Combofix.txt
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#7 lbt15

lbt15
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:08:20 AM

Posted 11 March 2011 - 09:23 PM

All right, I was trying to disable Ad-Aware Ad-Watch Live! as were the instructions from the link you gave me, which were:

AD-AWARE AD-WATCH in Ad-Aware Anniversary Edition (and Pro version)

Start Ad-Aware

Click the Ad-Watch tab

Click the Settings button

Ensure all highlighted options bellow are unchecked:(some settings may be used or changed only in the Pro version)

Under the General tab

Processes Protection

Registry Protection

Network Protection

Under the Detection Layers tab:
Spyware heuristics

AntiVirus engine


OK your way out, and close the main Ad-Aware window.

Shut down Ad-Aware and Ad-Watch Live! by right clicking on the system tray icon, and selecting Exit Ad-Aware.

OK the change.


But, like when they said (some settings may be used or changed only in the Pro version), it won't let me uncheck two items:Registry Protection and Network Protection. I have Ad-Aware Free, so I don't know if there's any way to change this. Should I just uninstall Ad-Aware? Or am I missing something?

#8 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:09:20 AM

Posted 12 March 2011 - 12:01 AM

Hello,

It will be ok to run the tools. Just ignore any warnings about adaware running.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#9 lbt15

lbt15
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:08:20 AM

Posted 12 March 2011 - 07:35 AM

All right, TDSS Killer didn't find anything/create a log, so here's the one from ComboFix. I'm still getting redirected.

ComboFix 11-03-11.02 - Rebecca 03/12/2011 6:16.1.2 - x86
Running from: c:\users\Rebecca\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Install.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-02-12 to 2011-03-12 )))))))))))))))))))))))))))))))
.
.
2011-03-12 12:22 . 2011-03-12 12:23 -------- d-----w- c:\users\Rebecca\AppData\Local\temp
2011-03-12 12:22 . 2011-03-12 12:22 -------- d-----w- c:\users\Rebecca Theall\AppData\Local\temp
2011-03-12 12:22 . 2011-03-12 12:22 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-03-11 16:46 . 2011-02-11 06:54 5943120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{8D8BADB3-2B2C-4211-A4EA-4221128BEF9D}\mpengine.dll
2011-03-11 15:23 . 2011-03-11 15:23 -------- d-----w- c:\program files\Common Files\Java
2011-03-11 15:23 . 2011-03-11 15:22 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-03-11 14:22 . 2011-03-11 14:23 -------- d-----w- c:\programdata\WinZip
2011-03-10 17:47 . 2011-03-10 17:47 -------- d-----w- c:\programdata\WindowsSearch
2011-03-09 17:39 . 2010-12-29 18:28 429056 ----a-w- c:\windows\system32\EncDec.dll
2011-03-09 17:39 . 2010-12-29 18:28 322560 ----a-w- c:\windows\system32\sbe.dll
2011-03-09 17:39 . 2010-12-29 18:26 177664 ----a-w- c:\windows\system32\mpg2splt.ax
2011-03-09 17:39 . 2010-12-29 18:28 153088 ----a-w- c:\windows\system32\sbeio.dll
2011-03-09 17:38 . 2010-12-17 15:45 2067968 ----a-w- c:\windows\system32\mstscax.dll
2011-03-09 17:38 . 2010-12-17 13:54 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-03-09 16:59 . 2011-03-09 16:59 -------- d-----w- c:\program files\iPod
2011-03-09 16:58 . 2011-03-09 17:01 -------- d-----w- c:\program files\iTunes
2011-03-08 14:33 . 2011-03-08 14:33 -------- d-----w- C:\TOY_STORY_3
2011-03-08 14:27 . 2011-03-08 14:27 -------- d-----w- c:\users\Rebecca\AppData\Local\Geckofx
2011-03-08 14:24 . 2011-03-08 14:25 -------- d-----w- c:\program files\AviSynth 2.5
2011-03-08 14:23 . 2011-03-08 14:23 -------- d-----w- c:\program files\Red Kawa
2011-03-08 13:56 . 2011-03-08 13:56 -------- d-----w- c:\program files\DVD Decrypter
2011-03-05 20:16 . 2011-03-06 13:43 -------- d-----w- c:\programdata\NOS
2011-03-05 20:16 . 2011-03-05 20:16 -------- d-----w- c:\program files\NOS
2011-03-05 19:03 . 2011-03-05 19:03 -------- d-----w- c:\users\Rebecca\AppData\Local\Sunbelt Software
2011-03-05 18:13 . 2011-03-05 18:13 -------- d-----w- c:\users\Rebecca\AppData\Roaming\Panda Security
2011-03-05 18:13 . 2011-03-05 18:13 -------- d-----w- c:\users\Rebecca\AppData\Roaming\SurfSecret Privacy Suite
2011-03-05 18:10 . 2011-03-11 14:08 -------- d-----w- c:\program files\Panda Security
2011-03-05 18:10 . 2011-03-05 18:10 -------- d-----w- c:\programdata\Panda Security
2011-03-04 02:50 . 2010-04-05 20:00 221568 ----a-w- c:\windows\system32\drivers\netio.sys
2011-03-03 20:01 . 2011-03-03 20:01 -------- d-----w- c:\users\Rebecca\AppData\Roaming\Uniblue
2011-03-03 19:59 . 2011-03-03 19:59 -------- d-----w- c:\users\Rebecca\AppData\Local\PackageAware
2011-03-03 19:58 . 2011-03-03 19:58 12872 ----a-w- c:\windows\system32\bootdelete.exe
2011-03-03 19:53 . 2011-03-11 11:56 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-03-03 19:53 . 2011-03-03 19:53 -------- d-----w- c:\program files\Hitman Pro 3.5
2011-03-03 19:53 . 2011-03-03 19:58 -------- d-----w- c:\programdata\Hitman Pro
2011-02-24 13:24 . 2009-10-09 21:56 2048 ----a-w- c:\windows\system32\winrsmgr.dll
2011-02-18 22:36 . 2011-02-18 22:36 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-02-18 22:36 . 2011-02-18 22:36 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-02-16 00:46 . 2009-05-18 19:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2011-02-16 00:46 . 2008-04-17 18:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2011-02-16 00:44 . 2011-02-16 00:45 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2011-02-16 00:42 . 2011-02-16 00:42 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin7.dll
2011-02-16 00:42 . 2011-02-16 00:42 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin6.dll
2011-02-16 00:42 . 2011-02-16 00:42 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin5.dll
2011-02-16 00:42 . 2011-02-16 00:42 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin4.dll
2011-02-16 00:42 . 2011-02-16 00:42 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin3.dll
2011-02-16 00:42 . 2011-02-16 00:42 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin2.dll
2011-02-16 00:42 . 2011-02-16 00:42 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin.dll
2011-02-16 00:41 . 2011-02-16 00:42 -------- d-----w- c:\program files\QuickTime
2011-02-16 00:38 . 2011-02-16 00:38 -------- d-----w- c:\program files\Apple Software Update
2011-02-16 00:31 . 2011-02-16 00:31 -------- d-----w- c:\program files\Bonjour
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-05 19:06 . 2010-12-12 02:21 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-02-02 23:11 . 2010-02-25 03:48 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-01-20 16:37 . 2011-02-09 14:20 638336 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2011-01-20 16:08 . 2011-02-09 14:20 478720 ----a-w- c:\windows\system32\dxgi.dll
2011-01-20 16:08 . 2011-02-09 14:20 1029120 ----a-w- c:\windows\system32\d3d10.dll
2011-01-20 16:08 . 2011-02-09 14:20 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2011-01-20 16:08 . 2011-02-09 14:20 189952 ----a-w- c:\windows\system32\d3d10core.dll
2011-01-20 16:08 . 2011-02-09 14:20 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2011-01-20 16:07 . 2011-02-09 14:20 37376 ----a-w- c:\windows\system32\cdd.dll
2011-01-20 16:07 . 2011-02-09 14:20 258048 ----a-w- c:\windows\system32\winspool.drv
2011-01-20 16:07 . 2011-02-09 14:20 586240 ----a-w- c:\windows\system32\stobject.dll
2011-01-20 16:06 . 2011-02-09 14:20 2873344 ----a-w- c:\windows\system32\mf.dll
2011-01-20 16:06 . 2011-02-09 14:20 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2011-01-20 16:04 . 2011-02-09 14:20 209920 ----a-w- c:\windows\system32\mfplat.dll
2011-01-20 16:04 . 2011-02-09 14:20 98816 ----a-w- c:\windows\system32\mfps.dll
2011-01-20 14:28 . 2011-02-09 14:20 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2011-01-20 14:27 . 2011-02-09 14:20 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-01-20 14:26 . 2011-02-09 14:20 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2011-01-20 14:25 . 2011-02-09 14:20 847360 ----a-w- c:\windows\system32\OpcServices.dll
2011-01-20 14:24 . 2011-02-09 14:20 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-01-20 14:24 . 2011-02-09 14:20 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2011-01-20 14:15 . 2011-02-09 14:20 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
2011-01-20 14:14 . 2011-02-09 14:20 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll
2011-01-20 14:14 . 2011-02-09 14:20 302592 ----a-w- c:\windows\system32\mfmp4src.dll
2011-01-20 14:14 . 2011-02-09 14:20 261632 ----a-w- c:\windows\system32\mfreadwrite.dll
2011-01-20 14:12 . 2011-02-09 14:20 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2011-01-20 14:11 . 2011-02-09 14:20 486400 ----a-w- c:\windows\system32\d3d10level9.dll
2011-01-20 13:47 . 2011-02-09 14:20 683008 ----a-w- c:\windows\system32\d2d1.dll
2011-01-20 13:44 . 2011-02-09 14:20 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-01-20 13:44 . 2011-02-09 14:20 797184 ----a-w- c:\windows\system32\FntCache.dll
2011-01-08 08:47 . 2011-02-09 14:19 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-01-08 06:28 . 2011-02-09 14:19 292352 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:57 . 2011-02-09 14:21 2039808 ----a-w- c:\windows\system32\win32k.sys
2010-12-28 15:55 . 2011-01-12 20:08 413696 ----a-w- c:\windows\system32\odbc32.dll
2010-12-21 00:09 . 2010-11-13 00:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-21 00:08 . 2010-11-13 00:07 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-18 06:27 . 2011-02-09 14:19 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-18 06:22 . 2011-02-09 14:19 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-18 06:22 . 2011-02-09 14:19 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-12-18 06:22 . 2011-02-09 14:19 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-12-18 06:22 . 2011-02-09 14:19 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-12-18 05:25 . 2011-02-09 14:19 385024 ----a-w- c:\windows\system32\html.iec
2010-12-18 04:48 . 2011-02-09 14:19 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-12-18 04:47 . 2011-02-09 14:19 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-12-15 00:45 . 2010-12-15 00:46 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-12-14 14:49 . 2011-01-12 20:08 1169408 ----a-w- c:\windows\system32\sdclt.exe
2010-12-13 17:51 . 2010-12-13 17:51 37376 ----a-w- c:\windows\system32\libusb0.dll
2010-12-13 17:51 . 2010-12-13 17:51 21504 ----a-w- c:\windows\system32\drivers\libusb0.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-21 963976]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-12-14 47904]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^IM-me.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\IM-me.lnk
backup=c:\windows\pss\IM-me.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickSet.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\QuickSet.lnk
backup=c:\windows\pss\QuickSet.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
2007-03-21 19:33 1548288 ----a-w- c:\windows\System32\WLTRAY.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ContentTransferWMDetector.exe]
2009-07-30 21:05 497000 ----a-w- c:\program files\Sony\Content Transfer\ContentTransferWMDetector.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
2007-07-30 19:40 16384 ----a-w- c:\dell\dsca.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-19 07:33 125952 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2007-05-16 06:24 154392 ----a-w- c:\windows\System32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2007-05-16 06:24 138008 ----a-w- c:\windows\System32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2006-10-03 17:37 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2010-12-21 00:08 963976 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware (reboot)]
2010-12-21 00:08 963976 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OEM02Mon.exe]
2007-05-10 09:01 36864 ----a-w- c:\windows\OEM02Mon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2007-04-16 22:10 184320 ------w- c:\program files\Dell\MediaDirect\PCMService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2007-05-16 06:24 133912 ----a-w- c:\windows\System32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 23:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2009-04-11 06:28 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2007-06-25 05:17 405504 ----a-w- c:\program files\Sigmatel\C-Major Audio\WDM\sttray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2010-03-09 15:02 26100520 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Speech Recognition]
2008-01-19 07:33 49664 ----a-w- c:\windows\Speech\Common\sapisvr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 22:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-09-13 20:26 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2007-04-28 00:35 857648 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-19 07:33 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
R2 0041431299882452mcinstcleanup;McAfee Application Installer Cleanup (0041431299882452);c:\windows\TEMP\004143~1.EXE [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-01-03 135664]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\sitead~1\McSACore.exe [2010-11-24 88176]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
R3 cpuz134;cpuz134;c:\users\Rebecca\AppData\Local\Temp\cpuz134\cpuz134_x32.sys [x]
R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2011-03-05 1405384]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [2011-03-05 15232]
R3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe [2008-01-19 21504]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-09-23 64288]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - klmd25
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-03 19:38]
.
2011-03-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-03 19:38]
.
2011-03-11 c:\windows\Tasks\Norton Security Scan for Rebecca.job
- c:\program files\Norton Security Scan\Engine\3.0.1.8\Nss.exe [2011-01-12 14:06]
.
2011-03-11 c:\windows\Tasks\User_Feed_Synchronization-{7BF31CA1-2109-460C-90DE-07ACD536FCC6}.job
- c:\windows\system32\msfeedssync.exe [2011-02-09 04:47]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ylcf.org/
uInternet Settings,ProxyOverride = *.local
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
LSP: c:\windows\system32\wpclsp.dll
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-mcui_exe - c:\program files\McAfee.com\Agent\mcagent.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-12 06:23
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.flac\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ogg\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pls\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.spx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-03-12 06:25:41
ComboFix-quarantined-files.txt 2011-03-12 12:25
.
Pre-Run: 82,634,780,672 bytes free
Post-Run: 82,561,560,576 bytes free
.
- - End Of File - - C5A737F90956F9881839A2B385BC70C6

#10 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:09:20 AM

Posted 12 March 2011 - 11:08 AM

Hello,

Your log looks pretty good just some orphan entries and some leftover stuff.


1.
Do you connect to the internet using a router? If so we need to reset that router.
How to reset your router.


2.
We need to run a CFScript.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

Killall::

File::
c:\windows\Tasks\Norton Security Scan for Rebecca.job
c:\program files\Norton Security Scan\Engine\3.0.1.8\Nss.exe

Folder::
c:\users\Rebecca\AppData\Local\Sunbelt Software
c:\users\Rebecca\AppData\Roaming\Panda Security
c:\users\Rebecca\AppData\Roaming\SurfSecret Privacy Suite
c:\program files\Panda Security
c:\programdata\Panda Security
c:\users\Rebecca\AppData\Roaming\Uniblue

Domains::

DDS::
uStart Page = hxxp://ylcf.org/
uInternet Settings,ProxyOverride = *.local

Driver::
0041431299882452mcinstcleanup

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"=-

Reglock::
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.flac\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ogg\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pls\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.spx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


3.
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
Note for Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.)
Posted Image
You can refer to this short video by: neomage
**Note**
To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

Things to include in your next reply::
Combofix.txt
Eset log
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#11 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:09:20 AM

Posted 15 March 2011 - 07:06 PM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days the topic will need to be closed.

Thanks for understanding :)

With Regards,
fireman4it

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#12 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:09:20 AM

Posted 18 March 2011 - 09:44 AM

Due to the lack of feedback, this topic is now closed.In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users