Trojan mannn!


  • This topic is locked
25 replies to this topic

#1 AndyMan315

Posted 22 March 2011 - 03:03 PM

A link to my OP is >>HERE<< so you can get an idea of my problem. That being said, here are the requested logs and attachments (KEEP IN MIND ALL OF THESE ARE RUN IN SAFE-MODE IF THAT MAKES A DIFFERENCE)

DDS Log!!


.
DDS (Ver_11-03-05.01) - NTFSx86 NETWORK
Run by Andrew at 11:20:33.75 on Tue 03/22/2011
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_24
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3517.2441 [GMT -4:00]
.
AV: ESET Smart Security 4.0 *Disabled/Outdated* {CB0F8167-5331-BA19-698E-64816B6801A5}
AV: Norton 360 *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
AV: AntiVir Desktop *Enabled/Outdated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: ESET Smart Security 4.0 *Disabled/Outdated* {706E6083-750B-B597-533E-5FF310EF4B18}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AntiVir Desktop *Enabled/Outdated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Norton 360 *Enabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
FW: ESET Personal firewall *Disabled* {F3340042-195E-BB41-42D1-CDB495BB46DE}
FW: Norton 360 *Enabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\ctfmon.exe
C:\Program Files\Steam\Steam.exe
C:\Windows\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Cobian Backup 10\Cobian.exe
C:\Program Files\Cobian Backup 10\cbInterface.exe
C:\Users\Andrew\Downloads\dds(3).scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\4.3.0.5\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\4.3.0.5\IPSBHO.DLL
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: MSN Toolbar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\4.0.0357.1\npwinext.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\4.3.0.5\coIEPlg.dll
TB: MSN Toolbar: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\4.0.0357.1\npwinext.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
mRunOnce: [<NO NAME>]
mRunOnce: [GrpConv] grpconv -o
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10e.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: intuit.com\ttlc
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\andrew\appdata\roaming\mozilla\firefox\profiles\kp89i73u.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://jfgaming.com/
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 49576
FF - prefs.js: network.proxy.type - 4
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\coffplgn\components\coFFPlgn.dll
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npnul32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPOFFICE.DLL
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - plugin: c:\program files\msn toolbar\platform\4.0.0357.1\npwinext.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dv.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dvstreaming.dll
FF - plugin: c:\users\andrew\appdata\roaming\mozilla\firefox\profiles\kp89i73u.default\extensions\battlefieldplay4free@ea.com\plugins\npBP4FUpdater.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox 4.0 beta 12\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Battlefield Play4Free: battlefieldplay4free@ea.com - %profile%\extensions\battlefieldplay4free@ea.com
FF - Ext: Yahoo! Mail Notifier: {89f8dde0-010a-11da-8cd6-0800200c9a66} - %profile%\extensions\{89f8dde0-010a-11da-8cd6-0800200c9a66}
FF - Ext: Norton IPS: {BBDA0591-3099-440a-AA10-41764D9DB4DB} - c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\IPSFFPlgn
FF - Ext: Norton Toolbar: {2D3F3651-74B9-4795-BDEC-6DA2F431CB62} - c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\coFFPlgn
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0403000.005\symds.sys [2010-9-23 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0403000.005\symefa.sys [2010-9-23 173104]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k6232.sys [2010-2-27 208552]
S1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\bashdefs\20110309.001\BHDrvx86.sys [2011-3-10 800376]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0403000.005\cchpx86.sys [2010-9-23 501888]
S1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\ipsdefs\20110316.001\IDSvix86.sys [2011-3-16 353912]
S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0403000.005\ironx86.sys [2010-9-23 116784]
S1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\n360\0403000.005\symtdiv.sys [2010-9-23 339504]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-3-16 135336]
S2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-3-16 269480]
S2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-3-16 61960]
S2 cbVSCService;Cobian Backup 10 Volume Shadow Copy service;c:\program files\cobian backup 10\cbVSCService.exe [2011-3-22 67584]
S2 cpuz133;cpuz133;c:\windows\system32\drivers\cpuz133_x32.sys [2010-8-17 20072]
S2 epfwwfp;epfwwfp;c:\windows\system32\drivers\epfwwfp.sys [2009-9-11 38240]
S2 Fabs;FABS - Helping agent for MAGIX media database;c:\program files\common files\magix services\database\bin\fabs.exe /disableui --> c:\program files\common files\magix services\database\bin\FABS.exe [?]
S2 N360;Norton 360;c:\program files\norton 360\engine\4.3.0.5\ccsvchst.exe [2010-9-23 126392]
S2 WinFLdrv;WinFLdrv;c:\windows\system32\WinFLdrv.sys [2010-10-9 17984]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2009-12-18 11336]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-6-3 102448]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2011-3-1 122984]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-6-17 1343400]
S4 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2009-9-11 735960]
S4 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;"c:\program files\common files\magix services\database\bin\fbserver.exe" --> c:\program files\common files\magix services\database\bin\fbserver.exe [?]
S4 Gizmo Central;Gizmo Central;c:\program files\gizmo\gservice.exe [2010-3-2 31856]
S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-10-9 136176]
S4 MotoConnect Service;MotoConnect Service;c:\program files\motorola\motoconnectservice\MotoConnectService.exe [2010-11-8 91456]
S4 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-5-2 1153368]
S4 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2011-1-7 378984]
S4 TeamViewer6;TeamViewer 6;c:\program files\teamviewer\version6\TeamViewer_Service.exe [2011-3-1 2296696]
S4 UNS;Intel® Management & Security Application User Notification Service;c:\program files\intel\intel® management engine components\uns\UNS.exe [2010-2-27 2320920]
.
=============== Created Last 30 ================
.
2011-03-22 15:12:07 -------- d-----w- c:\users\andrew\appdata\local\Safe mirror
2011-03-22 15:11:53 -------- d-----w- c:\program files\Cobian Backup 10
2011-03-20 21:39:37 -------- d-sh--w- C:\$RECYCLE.BIN
2011-03-17 01:39:21 -------- d-----w- c:\users\andrew\appdata\roaming\Avira
2011-03-17 01:33:56 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-03-17 01:33:55 -------- d-----w- c:\program files\Avira
2011-03-17 01:33:55 -------- d-----w- c:\progra~2\Avira
2011-03-08 00:31:35 -------- d-----w- c:\program files\Mozilla Firefox 4.0 Beta 12
2011-03-05 03:18:08 -------- d-----w- c:\users\andrew\appdata\roaming\TeamViewer
2011-03-02 22:44:41 4277016 ----a-w- c:\progra~2\microsoft\ehome\packages\mceclientux\updateablemarkup-2\markup.dll
2011-03-02 16:50:20 737072 ----a-w- c:\progra~2\microsoft\ehome\packages\sportsv2\sportstemplatecore-4\Microsoft.MediaCenter.Sports.UI.dll
2011-03-02 15:49:21 4277016 ----a-w- c:\progra~2\microsoft\ehome\packages\mceclientux\updateablemarkup-3\markup.dll
2011-03-02 15:17:30 5360464 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\backup\mpengine.dll
2011-03-02 15:17:28 5943120 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{512228ae-394c-438c-ab28-2200aeaf10af}\mpengine.dll
2011-03-02 15:17:21 190976 ----a-w- c:\windows\system32\drivers\ks.sys
2011-03-02 15:17:17 276992 ----a-w- c:\windows\system32\wcncsvc.dll
2011-03-02 14:48:25 42776 ----a-w- c:\progra~2\microsoft\ehome\packages\mceclientux\dsm-2\StartResources.dll
2011-03-02 13:37:30 42776 ----a-w- c:\progra~2\microsoft\ehome\packages\mceclientux\dsm\StartResources.dll
2011-03-02 13:37:26 539968 ----a-w- c:\progra~2\microsoft\ehome\packages\mcespotlight\mcespotlight\SpotlightResources.dll
2011-03-01 16:34:00 -------- d-----w- c:\progra~2\NVIDIA Corporation
2011-03-01 16:33:38 941160 ----a-w- c:\windows\system32\nvdispco322090.dll
2011-03-01 16:33:38 837736 ----a-w- c:\windows\system32\nvgenco322040.dll
2011-03-01 16:33:38 57960 ----a-w- c:\windows\system32\OpenCL.dll
2011-03-01 16:33:38 5653096 ----a-w- c:\windows\system32\nvwgf2um.dll
2011-03-01 16:33:38 4941928 ----a-w- c:\windows\system32\nvcuda.dll
2011-03-01 16:33:38 2895976 ----a-w- c:\windows\system32\nvcuvid.dll
2011-03-01 16:33:38 2251368 ----a-w- c:\windows\system32\nvcuvenc.dll
2011-03-01 16:33:38 15047272 ----a-w- c:\windows\system32\nvoglv32.dll
2011-03-01 16:33:38 13011560 ----a-w- c:\windows\system32\nvcompiler.dll
2011-03-01 16:33:38 10467656 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
2011-03-01 16:33:38 10078312 ----a-w- c:\windows\system32\nvd3dum.dll
2011-03-01 16:33:37 1965672 ----a-w- c:\windows\system32\nvapi.dll
2011-03-01 15:53:38 728448 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2011-03-01 15:53:37 219008 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
2011-03-01 15:53:37 107520 ----a-w- c:\windows\system32\cdd.dll
2011-03-01 15:20:41 837224 ----a-w- c:\windows\system32\nvgenco32hda.dll
2011-03-01 15:20:41 26216 ----a-w- c:\windows\system32\nvhdap32.dll
2011-03-01 15:20:41 122984 ----a-w- c:\windows\system32\drivers\nvhda32v.sys
2011-02-26 17:44:32 -------- d-----w- c:\program files\iPod
2011-02-26 17:44:31 -------- d-----w- c:\program files\iTunes
2011-02-26 17:41:57 -------- d-----w- c:\program files\Bonjour
2011-02-24 01:51:15 -------- d-----w- c:\program files\EA Games
2011-02-24 01:40:02 229682 ----a-w- c:\windows\system32\nfsWorldTime06.scr
2011-02-24 01:38:45 10232411 ----a-w- c:\windows\system32\nfsForestRiverHD.scr
2011-02-24 01:38:45 -------- d-----w- c:\program files\NewFreeScreensavers
.
==================== Find3M ====================
.
2011-03-16 10:23:16 234768 ----a-w- c:\windows\system32\PnkBstrB.exe
2011-03-14 23:56:04 234768 ----a-w- c:\windows\system32\PnkBstrB.xtr
2011-02-24 02:07:05 138056 ----a-w- c:\users\andrew\appdata\roaming\PnkBstrK.sys
2011-02-24 02:06:42 75136 ----a-w- c:\windows\system32\PnkBstrA.exe
2011-02-09 01:40:12 413696 ----a-w- c:\windows\system32\wrap_oal.dll
2011-02-09 01:40:11 110592 ----a-w- c:\windows\system32\OpenAL32.dll
2011-02-03 02:40:23 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-02 22:11:20 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-01-08 02:06:34 3597416 ----a-w- c:\windows\system32\nvcpl.dll
2011-01-08 02:06:14 2620520 ----a-w- c:\windows\system32\nvsvc.dll
2011-01-08 02:06:02 66664 ----a-w- c:\windows\system32\nvshext.dll
2011-01-08 02:06:02 608872 ----a-w- c:\windows\system32\nvvsvc.exe
2011-01-08 02:06:02 111208 ----a-w- c:\windows\system32\nvmctray.dll
.
============= FINISH: 11:20:51.09 ===============

GMER Log!

GMER 1.0.15.15570 - http://www.gmer.net
Rootkit scan 2011-03-22 16:01:49
Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4 Hitachi_HDS721010CLA332 rev.JP4OA39C
Running: gmer.exe; Driver: C:\Users\Andrew\AppData\Local\Temp\uxldapoc.sys


---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 8267F599 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 826A3F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
? C:\Users\Andrew\AppData\Local\Temp\catchme.sys The system cannot find the file specified. !
? C:\Users\Andrew\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[164] ntdll.dll!LdrLoadDll 7794F585 5 Bytes JMP 00E5003A
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1904] USER32.dll!TrackPopupMenu 75EE4B3B 5 Bytes JMP 6BD46373 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\00000064 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----


UPDATE!

I attempted to reboot and start in normal mode...and it worked! For about 5 minutes...and then it went to a BSOD (something I forgot to mention: it has been doing this somewhat frequently in normal mode recently), and every time it booted to normal mode after that it only lasted moments before the BSOD again. Also, Checkdisk went through on one of the reboots and deleted a ton of files as well as rediscovered some others... Thanks!

Attached is a GMER log that I was FINALLY able to run in normal mode after days of trying to get my PC to not crash within 5 minutes of loading everything.

I have been asked to post here.


GMER 1.0.15.15570 - http://www.gmer.net
Rootkit scan 2011-03-24 16:22:50
Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2 Hitachi_HDS721010CLA332 rev.JP4OA39C
Running: gmer.exe; Driver: C:\Users\Andrew\AppData\Local\Temp\uxldapoc.sys


---- System - GMER 1.0.15 ----

SSDT 87A6C888 ZwAlertResumeThread
SSDT 87A61048 ZwAlertThread
SSDT 87D10B88 ZwAllocateVirtualMemory
SSDT 874D0B20 ZwAlpcConnectPort
SSDT 87B9C048 ZwAssignProcessToJobObject
SSDT 87D15940 ZwCreateMutant
SSDT 87D19290 ZwCreateSymbolicLinkObject
SSDT 87D0E528 ZwCreateThread
SSDT 87D196E0 ZwCreateThreadEx
SSDT 87B99F10 ZwDebugActiveProcess
SSDT 87D10D60 ZwDuplicateObject
SSDT 87D105E8 ZwFreeVirtualMemory
SSDT 87A6F048 ZwImpersonateAnonymousToken
SSDT 87A6D048 ZwImpersonateThread
SSDT 874CA048 ZwLoadDriver
SSDT 87D10488 ZwMapViewOfSection
SSDT 87A716E0 ZwOpenEvent
SSDT 87D10FC0 ZwOpenProcess
SSDT 876D27C8 ZwOpenProcessToken
SSDT 87A7EA08 ZwOpenSection
SSDT 87D10EB0 ZwOpenThread
SSDT 87D19E00 ZwProtectVirtualMemory
SSDT 87A5EA50 ZwResumeThread
SSDT 876D8048 ZwSetContextThread
SSDT 87D10270 ZwSetInformationProcess
SSDT 87A7F048 ZwSetSystemInformation
SSDT 87A72990 ZwSuspendProcess
SSDT 87704048 ZwSuspendThread
SSDT 876D2540 ZwTerminateProcess
SSDT 87701048 ZwTerminateThread
SSDT 876D4C98 ZwUnmapViewOfSection
SSDT 87D108B8 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 83249599 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 8326DF52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!RtlSidHashLookup + 224 83275734 8 Bytes [88, C8, A6, 87, 48, 10, A6, ...]
.text ntkrnlpa.exe!RtlSidHashLookup + 23C 8327574C 4 Bytes [88, 0B, D1, 87]
.text ntkrnlpa.exe!RtlSidHashLookup + 248 83275758 4 Bytes [20, 0B, 4D, 87]
.text ntkrnlpa.exe!RtlSidHashLookup + 29C 832757AC 4 Bytes [48, C0, B9, 87]
.text ntkrnlpa.exe!RtlSidHashLookup + 318 83275828 4 Bytes [40, 59, D1, 87]
.text ...

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[3260] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [73C72494] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3260] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73C55624] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3260] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73C556E2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3260] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73C7250F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3260] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [73C68573] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3260] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73C64D27] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3260] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [73C650CE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3260] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [73C651A3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3260] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [73C666D0] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3260] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [73C682CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3260] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73C68819] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3260] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73C6907A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3260] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [73C6E21D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3260] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [73C64C59] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\tdx \Device\Tcp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\ACPI_HAL \Device\00000062 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\RawIp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)

---- Threads - GMER 1.0.15 ----

Thread System [4:276] 874BC930

---- Files - GMER 1.0.15 ----

File C:\Windows\System32\sys_drv.dat 7028 bytes
File C:\Windows\System32\sys_drv_2.dat 6024 bytes
File C:\Windows\System32\WinFLdrv.sys 17984 bytes executable <-- ROOTKIT !!!
File C:\Users\Andrew\AppData\Roaming\systemfl.$dk 990 bytes

---- Services - GMER 1.0.15 ----

Service C:\Windows\system32\WinFLdrv.sys [AUTO] WinFLdrv <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----

EDIT: Topics and posts merged ~BP


Edited by Budapest, 24 March 2011 - 04:17 PM.



#2 Elise

Posted 28 March 2011 - 01:32 AM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues; this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.
Use the 'Add Reply' button and add the new log to this thread.
We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Please download Rootkit Unhooker and save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (tick) Drivers and Stealth. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note - if you get the following warning, just ignore it: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?"

Click on Cancel, then Accept.

-------------------------------------------------------------
In the meantime, please do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

If you still need help, please include the following in your next reply:
  • A detailed description of your problems
  • A new DDS log (don't forget attach.txt)
  • RKU log

Thanks and again sorry for the delay.

regards, Elise




#3 AndyMan315

AndyMan315
  • Topic Starter

  • Members
  • 120 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Syracuse, NY
  • Local time:09:03 AM

Posted 28 March 2011 - 03:05 PM

I will run that scan in about 45 minutes but may I note that I have deleted the application Folder Lock and that may be what GMER found in its log after I researched that. But yes I will get those scans to you (from normal mode I hope) very soon, thanks!!

#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,831 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:05:03 PM

Posted 28 March 2011 - 03:08 PM

Okay, thank you for letting me know.

regards, Elise




#5 AndyMan315


Posted 28 March 2011 - 03:50 PM

Attached are the DDS "Attach" and "Rootkit Unhooker" Log. Also pasted is my DDS log...

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Andrew at 16:07:55.10 on Mon 03/28/2011
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_24
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3517.2701 [GMT -4:00]
.
AV: ESET Smart Security 4.0 *Disabled/Outdated* {CB0F8167-5331-BA19-698E-64816B6801A5}
AV: Norton 360 *Disabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: ESET Smart Security 4.0 *Disabled/Outdated* {706E6083-750B-B597-533E-5FF310EF4B18}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton 360 *Disabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
FW: ESET Personal firewall *Disabled* {F3340042-195E-BB41-42D1-CDB495BB46DE}
FW: Norton 360 *Disabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Cobian Backup 10\cbVSCService.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Norton 360\Engine\4.3.0.5\ccSvcHst.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Norton 360\Engine\4.3.0.5\ccSvcHst.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Users\Andrew\Desktop\VIRUS REMOVAL STUFF!!!\dds(4).scr
C:\Windows\system32\conhost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\4.3.0.5\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\4.3.0.5\IPSBHO.DLL
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: MSN Toolbar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\4.0.0357.1\npwinext.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\4.3.0.5\coIEPlg.dll
TB: MSN Toolbar: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\4.0.0357.1\npwinext.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10e.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: intuit.com\ttlc
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\andrew\appdata\roaming\mozilla\firefox\profiles\kp89i73u.default\
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\coffplgn\components\coFFPlgn.dll
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npnul32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPOFFICE.DLL
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - plugin: c:\program files\msn toolbar\platform\4.0.0357.1\npwinext.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dv.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dvstreaming.dll
FF - plugin: c:\users\andrew\appdata\roaming\mozilla\firefox\profiles\kp89i73u.default\extensions\battlefieldplay4free@ea.com\plugins\npBP4FUpdater.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox 4.0 beta 12\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Battlefield Play4Free: battlefieldplay4free@ea.com - %profile%\extensions\battlefieldplay4free@ea.com
FF - Ext: Yahoo! Mail Notifier: {89f8dde0-010a-11da-8cd6-0800200c9a66} - %profile%\extensions\{89f8dde0-010a-11da-8cd6-0800200c9a66}
FF - Ext: Norton IPS: {BBDA0591-3099-440a-AA10-41764D9DB4DB} - c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\IPSFFPlgn
FF - Ext: Norton Toolbar: {2D3F3651-74B9-4795-BDEC-6DA2F431CB62} - c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\coFFPlgn
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0403000.005\symds.sys [2010-9-23 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0403000.005\symefa.sys [2010-9-23 173104]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\bashdefs\20110309.001\BHDrvx86.sys [2011-3-10 800376]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0403000.005\cchpx86.sys [2010-9-23 501888]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\ipsdefs\20110317.005\IDSvix86.sys [2011-3-22 353912]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0403000.005\ironx86.sys [2010-9-23 116784]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\n360\0403000.005\symtdiv.sys [2010-9-23 339504]
R2 cbVSCService;Cobian Backup 10 Volume Shadow Copy service;c:\program files\cobian backup 10\cbVSCService.exe [2011-3-22 67584]
R2 cpuz133;cpuz133;c:\windows\system32\drivers\cpuz133_x32.sys [2010-8-17 20072]
R2 epfwwfp;epfwwfp;c:\windows\system32\drivers\epfwwfp.sys [2009-9-11 38240]
R2 N360;Norton 360;c:\program files\norton 360\engine\4.3.0.5\ccsvchst.exe [2010-9-23 126392]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k6232.sys [2010-2-27 208552]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-3-22 102448]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2011-3-1 122984]
S2 Fabs;FABS - Helping agent for MAGIX media database;c:\program files\common files\magix services\database\bin\fabs.exe /disableui --> c:\program files\common files\magix services\database\bin\FABS.exe [?]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2009-12-18 11336]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-6-17 1343400]
S4 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2009-9-11 735960]
S4 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;"c:\program files\common files\magix services\database\bin\fbserver.exe" --> c:\program files\common files\magix services\database\bin\fbserver.exe [?]
S4 Gizmo Central;Gizmo Central;c:\program files\gizmo\gservice.exe [2010-3-2 31856]
S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-10-9 136176]
S4 MotoConnect Service;MotoConnect Service;c:\program files\motorola\motoconnectservice\MotoConnectService.exe [2010-11-8 91456]
S4 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-5-2 1153368]
S4 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2011-1-7 378984]
S4 TeamViewer6;TeamViewer 6;c:\program files\teamviewer\version6\TeamViewer_Service.exe [2011-3-1 2296696]
S4 UNS;Intel® Management & Security Application User Notification Service;c:\program files\intel\intel® management engine components\uns\UNS.exe [2010-2-27 2320920]
.
=============== Created Last 30 ================
.
2011-03-25 20:58:17 -------- d-----w- c:\users\andrew\appdata\roaming\SUPERAntiSpyware.com
2011-03-22 20:39:22 -------- d-sh--w- C:\found.000
2011-03-22 15:12:07 -------- d-----w- c:\users\andrew\appdata\local\Safe mirror
2011-03-22 15:11:53 -------- d-----w- c:\program files\Cobian Backup 10
2011-03-20 21:39:37 -------- d-sh--w- C:\$RECYCLE.BIN
2011-03-08 00:31:35 -------- d-----w- c:\program files\Mozilla Firefox 4.0 Beta 12
2011-03-05 03:18:08 -------- d-----w- c:\users\andrew\appdata\roaming\TeamViewer
2011-03-02 22:44:41 4277016 ----a-w- c:\progra~2\microsoft\ehome\packages\mceclientux\updateablemarkup-2\markup.dll
2011-03-02 16:50:20 737072 ----a-w- c:\progra~2\microsoft\ehome\packages\sportsv2\sportstemplatecore-4\Microsoft.MediaCenter.Sports.UI.dll
2011-03-02 15:49:21 4277016 ----a-w- c:\progra~2\microsoft\ehome\packages\mceclientux\updateablemarkup-3\markup.dll
2011-03-02 15:17:30 5360464 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\backup\mpengine.dll
2011-03-02 15:17:28 5943120 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{512228ae-394c-438c-ab28-2200aeaf10af}\mpengine.dll
2011-03-02 15:17:21 190976 ----a-w- c:\windows\system32\drivers\ks.sys
2011-03-02 15:17:17 276992 ----a-w- c:\windows\system32\wcncsvc.dll
2011-03-02 14:48:25 42776 ----a-w- c:\progra~2\microsoft\ehome\packages\mceclientux\dsm-2\StartResources.dll
2011-03-02 13:37:30 42776 ----a-w- c:\progra~2\microsoft\ehome\packages\mceclientux\dsm\StartResources.dll
2011-03-02 13:37:26 539968 ----a-w- c:\progra~2\microsoft\ehome\packages\mcespotlight\mcespotlight\SpotlightResources.dll
2011-03-01 16:34:00 -------- d-----w- c:\progra~2\NVIDIA Corporation
2011-03-01 16:33:38 941160 ----a-w- c:\windows\system32\nvdispco322090.dll
2011-03-01 16:33:38 837736 ----a-w- c:\windows\system32\nvgenco322040.dll
2011-03-01 16:33:38 57960 ----a-w- c:\windows\system32\OpenCL.dll
2011-03-01 16:33:38 5653096 ----a-w- c:\windows\system32\nvwgf2um.dll
2011-03-01 16:33:38 4941928 ----a-w- c:\windows\system32\nvcuda.dll
2011-03-01 16:33:38 2895976 ----a-w- c:\windows\system32\nvcuvid.dll
2011-03-01 16:33:38 2251368 ----a-w- c:\windows\system32\nvcuvenc.dll
2011-03-01 16:33:38 15047272 ----a-w- c:\windows\system32\nvoglv32.dll
2011-03-01 16:33:38 13011560 ----a-w- c:\windows\system32\nvcompiler.dll
2011-03-01 16:33:38 10467656 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
2011-03-01 16:33:38 10078312 ----a-w- c:\windows\system32\nvd3dum.dll
2011-03-01 16:33:37 1965672 ----a-w- c:\windows\system32\nvapi.dll
2011-03-01 15:53:38 728448 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2011-03-01 15:53:37 219008 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
2011-03-01 15:53:37 107520 ----a-w- c:\windows\system32\cdd.dll
2011-03-01 15:20:41 837224 ----a-w- c:\windows\system32\nvgenco32hda.dll
2011-03-01 15:20:41 26216 ----a-w- c:\windows\system32\nvhdap32.dll
2011-03-01 15:20:41 122984 ----a-w- c:\windows\system32\drivers\nvhda32v.sys
.
==================== Find3M ====================
.
2011-03-16 10:23:16 234768 ----a-w- c:\windows\system32\PnkBstrB.exe
2011-03-14 23:56:04 234768 ----a-w- c:\windows\system32\PnkBstrB.xtr
2011-02-24 02:07:05 138056 ----a-w- c:\users\andrew\appdata\roaming\PnkBstrK.sys
2011-02-24 02:06:42 75136 ----a-w- c:\windows\system32\PnkBstrA.exe
2011-02-09 01:40:12 413696 ----a-w- c:\windows\system32\wrap_oal.dll
2011-02-09 01:40:11 110592 ----a-w- c:\windows\system32\OpenAL32.dll
2011-02-03 02:40:23 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-02 22:11:20 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-01-08 02:06:34 3597416 ----a-w- c:\windows\system32\nvcpl.dll
2011-01-08 02:06:14 2620520 ----a-w- c:\windows\system32\nvsvc.dll
2011-01-08 02:06:02 66664 ----a-w- c:\windows\system32\nvshext.dll
2011-01-08 02:06:02 608872 ----a-w- c:\windows\system32\nvvsvc.exe
2011-01-08 02:06:02 111208 ----a-w- c:\windows\system32\nvmctray.dll
.
============= FINISH: 16:10:15.11 ===============

Attached Files
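The DDS log quoted above carries three things a helper looks at first: the AV/SP/FW header (here every product reports *Disabled*), the mPolicies-system lines (EnableLUA = 0 means User Account Control is switched off, and ConsentPromptBehaviorAdmin = 0 / PromptOnSecureDesktop = 0 remove the elevation prompt entirely), and the SERVICES / DRIVERS entries ending in "[?]", which DDS prints when it cannot find the service's file on disk (the Fabs entry). The script below is an added example of mechanical triage over those lines; it is not part of DDS, BleepingComputer or this thread, and the line layouts its regular expressions assume are my own reading of the excerpt posted above. A "Disabled" product line is only a prompt to ask why: it can simply mean the scan was run in Safe Mode or that the helper asked for the A/V to be switched off, as earlier in this thread.

```python
"""Triage helper for DDS-style logs (added example; not a DDS or BleepingComputer tool).

Assumed layout (taken from the excerpt in this thread, not from any DDS spec):
  AV|SP|FW: <product> *<status>* {<class id>}
  mPolicies-system: <key> = <value> (<hex>)
  <R|S><n> <service>;<description>;<path> [<date size> | ?]
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Lines excerpted from the DDS log posted in this thread (post #5).
SAMPLE_LOG = r"""
AV: ESET Smart Security 4.0 *Disabled/Outdated* {CB0F8167-5331-BA19-698E-64816B6801A5}
AV: Norton 360 *Disabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
FW: ESET Personal firewall *Disabled* {F3340042-195E-BB41-42D1-CDB495BB46DE}
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
R2 N360;Norton 360;c:\program files\norton 360\engine\4.3.0.5\ccsvchst.exe [2010-9-23 126392]
S2 Fabs;FABS - Helping agent for MAGIX media database;c:\program files\common files\magix services\database\bin\fabs.exe /disableui --> c:\program files\common files\magix services\database\bin\FABS.exe [?]
S4 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2009-9-11 735960]
"""

PRODUCT_RE = re.compile(
    r"^(?P<kind>AV|SP|FW): (?P<name>.+?) \*(?P<status>[^*]+)\* \{(?P<clsid>[0-9A-Fa-f-]+)\}$"
)
POLICY_RE = re.compile(r"^mPolicies-system: (?P<key>\w+) = (?P<value>\d+) \(0x[0-9a-fA-F]+\)$")
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d) (?P<svc>[^;]+);(?P<desc>[^;]*);(?P<path>.*) \[(?P<info>[^\]]*)\]$"
)

# UAC policy values that weaken the elevation boundary (Windows UAC semantics).
WEAK_UAC = {
    "EnableLUA": (0, "UAC is turned off entirely"),
    "ConsentPromptBehaviorAdmin": (0, "administrators elevate without any prompt"),
    "PromptOnSecureDesktop": (0, "elevation prompts are not shown on the secure desktop"),
}


@dataclass(frozen=True)
class Finding:
    category: str  # "protection", "uac" or "service"
    detail: str


def triage(log_text: str) -> list[Finding]:
    """Return the lines of a DDS log that a helper would want to ask about."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.rstrip()
        if m := PRODUCT_RE.match(line):
            # Status reads like "Disabled/Outdated"; the first part is on/off.
            if m["status"].split("/")[0] == "Disabled":
                findings.append(Finding("protection", f"{m['kind']} {m['name']} is {m['status']}"))
        elif m := POLICY_RE.match(line):
            key, value = m["key"], int(m["value"])
            if key in WEAK_UAC and value == WEAK_UAC[key][0]:
                findings.append(Finding("uac", f"{key}={value}: {WEAK_UAC[key][1]}"))
        elif m := SERVICE_RE.match(line):
            # DDS prints "[?]" when the service's image file is not on disk.
            if m["info"] == "?":
                findings.append(
                    Finding("service", f"{m['svc']} points at a file DDS could not find: {m['path']}")
                )
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per category, e.g. {'protection': 3, 'uac': 3, 'service': 1}."""
    return dict(Counter(f.category for f in findings))


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"[{finding.category}] {finding.detail}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run against the excerpt it reports three disabled protection products, the three weakened UAC policies and the orphaned Fabs service; ConsentPromptBehaviorUser = 3 and EnableUIADesktopToggle = 0 are left alone because they are not the values that remove the prompt. To use it on a full log, pass the file's text to `triage()` instead of `SAMPLE_LOG`.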



#6 Elise


Posted 28 March 2011 - 03:58 PM

I see some malware leftovers here, so let's start to remove them. :)

COMBOFIX
---------------
Please download ComboFix from one of these locations:
Bleepingcomputer
ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.

regards, Elise




#7 AndyMan315


Posted 28 March 2011 - 04:31 PM

Well... I have the log for you, but unfortunately it caused a problem. Now whenever I attempt to open ANY program in normal mode (including Firefox) I get the message "Illegal operation attempted on a Registry Key that has been marked for deletion." So now I am in safe mode awaiting further instruction :). Thanks!

Attached Files



#8 Elise


Posted 29 March 2011 - 04:36 AM

Please restart your computer once and then see if the problem is still there.

regards, Elise




#9 AndyMan315


Posted 29 March 2011 - 06:27 AM

Restarting it once solved the error messages, but I had to restart it two more times to get the internet to work in normal mode. Still not making much sense to me... I am not a complete networking newbie either... lol

#10 Elise


Posted 29 March 2011 - 07:28 AM

Hello again,

P2P WARNING
-------------------
Going over your logs I noticed that you have uTorrent installed.
  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
It is pretty much certain that if you continue to use P2P programs, you will get infected again.
I would recommend that you uninstall uTorrent, however that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.


TWO ANTIVIRUS PROGRAMS
---------------------------------------
I do not recommend that you have more than one antivirus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other antivirus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
  • False Alarms: When the antivirus software tells you that your PC has a virus when it actually doesn't.
  • System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to Add/Remove Programs in the Control Panel and remove either ESET Smart Security or Norton 360.


At this point, what problems do you still have left?

regards, Elise




#11 AndyMan315


Posted 29 March 2011 - 11:29 AM

I am aware of the threats of P2P programs and I do not personally use them; my roommates do, but I uninstalled it and they know not to use it.

At this point the only issue I have is still that when my PC reboots for any reason, I have no internet upon reconnecting. I have internet because I can use chat programs and whatnot, but I have no way of opening, say, "google.com" or anything like that. I cannot further update my driver because there are no network drivers that are the same as mine (I could try to install a whole new one), and this problem is still resolved by restarting the computer one or two times...


uTorrent isn't in my list of programs to add/remove; I thought I had removed it before. I will go into its folder tonight after work and use its uninstall icon. Thanks.

Edited by AndyMan315, 29 March 2011 - 12:21 PM.


#12 Elise


Posted 29 March 2011 - 12:56 PM

Did this problem only start after ComboFix was run, or also before?

regards, Elise




#13 AndyMan315


Posted 29 March 2011 - 01:07 PM

Actually, I have been suffering this issue for months :P. Should I post up a new topic in the networking section? Maybe my onboard net adapter is crappy and I need a whole new one from Intel's website! I really appreciate all your help in getting my PC back to normal!

#14 Elise


Posted 29 March 2011 - 01:16 PM

How are you connected to the internet (router, cable modem...)?

Have you tried to download the drivers from the manufacturer's website, uninstall the drivers completely and then reinstall them?

If you are not sure what drivers to download, please let me know what the manufacturer/make/model/number of your computer is.

regards, Elise




#15 AndyMan315


Posted 29 March 2011 - 01:30 PM

Well, I am currently connected directly from the cable modem, but usually through a router; I just happen not to have it connected at this time, but I get the same issue regardless. I plan to download new drivers from Intel's website later. I have a custom-built PC with an Intel DH55HC LGA 1156 HDMI ATX motherboard :).



