Windows Vista Recovery & TDSS Rootkit


This topic is locked. 11 replies to this topic.

#1 vodkaparrot

  • Members
  • 68 posts
  • Local time:10:37 AM

Posted 20 May 2011 - 12:21 PM

Hello all

I had a really bad infection with Windows Vista Recovery & a browser redirect (some sort of TDSS Rootkit, I think)

I tried to get rid of it myself and it all seems OK but I was wondering if somebody could just check that I did it right, thanks.

I've done an HJT log if that helps -



Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 18:12:06, on 20/05/2011
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ACT\Act for Windows\Act.Outlook.Service.exe
C:\Program Files\ACT\Act for Windows\Act.Scheduler.UI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\FreeAlarmClock\FreeAlarmClock.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\NETGEAR\WNA3100\WNA3100.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\ACT\Act for Windows\Act.Scheduler.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: LastPass Browser Helper Object - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Program Files\LastPass\LPBar.dll
O2 - BHO: Windows Live Messenger Companion Helper - {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files\Windows Live\Companion\companioncore.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O2 - BHO: Bing Bar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files\Microsoft\BingBar\BingExt.dll" (file missing)
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files\Microsoft\BingBar\BingExt.dll" (file missing)
O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O3 - Toolbar: LastPass Toolbar - {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files\LastPass\LPBar.dll
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Act.Outlook.Service] "C:\Program Files\ACT\Act for Windows\Act.Outlook.Service.exe"
O4 - HKLM\..\Run: [Act! Preloader] "C:\Program Files\ACT\Act for Windows\ActSage.exe" -preload
O4 - HKLM\..\Run: [ACTSchedulerUI] "C:\Program Files\ACT\Act for Windows\Act.Scheduler.UI.exe" -Dfalse
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
O4 - HKLM\..\RunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVWSzItQUxZTUYtU0xLTFUtQVoyVUItNkdPS0ItSkhGTkg"&"inst=NzctNDc2OTU2MDY2LUZQOTIrNi1CQVI5RysxLVRCOSsyLUZMKzktRjEwTSs1LVFJWDErNC1YMjAxMCsyLUYxME0xMEMrMS1GMTBNMTBEKzI"&"prod=90"&"ver=10.0.1204
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [FreeAC] C:\Program Files\FreeAlarmClock\FreeAlarmClock.exe -autorun
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: NETGEAR WNA3100 Smart Wizard.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: LastPass - file://C:\Program Files\LastPass\context.html?cmd=lastpass
O8 - Extra context menu item: LastPass Fill Forms - file://C:\Program Files\LastPass\context.html?cmd=fillforms
O9 - Extra button: @C:\Program Files\Windows Live\Companion\companionlang.dll,-600 - {0000036B-C524-4050-81A0-243669A86B9F} - C:\Program Files\Windows Live\Companion\companioncore.dll
O9 - Extra button: @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: LastPass - {43699cd0-e34f-11de-8a39-0800200c9a66} - C:\Program Files\LastPass\LPBar.dll
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: ACT! Scheduler - Sage Software, Inc. - C:\Program Files\ACT\Act for Windows\Act.Scheduler.exe
O23 - Service: AMD External Events Utility - AMD - C:\Windows\system32\atiesrxx.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Input Director Vista Service (IDVistaService) - Unknown owner - C:\Program Files\Input Director\IDVistaService.exe
O23 - Service: Input Director Service (InputDirector) - Unknown owner - C:\Program Files\Input Director\IDWinService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft Limited - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: WSWNA3100 - Unknown owner - C:\Program Files\NETGEAR\WNA3100\WifiSvc.exe

--
End of file - 10592 bytes


#2 Elise (Bleepin' Blonde)

  • Malware Study Hall Admin
  • 61,257 posts
  • Gender:Female
  • Location:Romania
  • Local time:01:37 PM

Posted 28 May 2011 - 05:10 AM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues; this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
If you have already posted a log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

-------------------------------------------------------------
In the meantime please do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

If you still need help, please include the following in your next reply:
  • A detailed description of your problems
  • A new DDS log (don't forget attach.txt)

Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#3 vodkaparrot (Topic Starter)

  • Members
  • 68 posts
  • Local time:10:37 AM

Posted 28 May 2011 - 02:12 PM

Hello Elise

Here we go.....

Attached File: Attach.zip (2.69KB)

.
DDS (Ver_11-05-19.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_24
Run by DELLWORK at 19:59:06 on 2011-05-28
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.44.1033.18.3325.1651 [GMT 1:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Program Files\ACT\Act for Windows\Act.Scheduler.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Input Director\IDWinService.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Input Director\InputDirectorSessionHelper.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ACT\Act for Windows\Act.Outlook.Service.exe
C:\Program Files\ACT\Act for Windows\Act.Scheduler.UI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\FreeAlarmClock\FreeAlarmClock.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\NETGEAR\WNA3100\WNA3100.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\ACT\Act for Windows\Act.Scheduler.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\DELLWORK\Desktop\dds.scr
C:\Windows\system32\WSCRIPT.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~2\SDHelper.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: LastPass Browser Helper Object: {95d9ecf5-2a4d-4550-be49-70d42f71296e} - c:\program files\lastpass\LPBar.dll
BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - c:\program files\windows live\companion\companioncore.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile: {d5233fcd-d258-4903-89b8-fb1568e7413d} - mscoree.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
TB: LastPass Toolbar: {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - c:\program files\lastpass\LPBar.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [FreeAC] c:\program files\freealarmclock\FreeAlarmClock.exe -autorun
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LVCOMSX] "c:\program files\common files\logishrd\lcommgr\LVComSX.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Act.Outlook.Service] "c:\program files\act\act for windows\Act.Outlook.Service.exe"
mRun: [Act! Preloader] "c:\program files\act\act for windows\ActSage.exe" -preload
mRun: [ACTSchedulerUI] "c:\program files\act\act for windows\Act.Scheduler.UI.exe" -Dfalse
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVWSzItQUxZTUYtU0xLTFUtQVoyVUItNkdPS0ItSkhGTkg"&"inst=NzctNDc2OTU2MDY2LUZQOTIrNi1CQVI5RysxLVRCOSsyLUZMKzktRjEwTSs1LVFJWDErNC1YMjAxMCsyLUYxME0xMEMrMS1GMTBNMTBEKzI"&"prod=90"&"ver=10.0.1204
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wna3100\WNA3100.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: SoftwareSASGeneration = 3 (0x3)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: LastPass - file://c:\program files\lastpass\context.html?cmd=lastpass
IE: LastPass Fill Forms - file://c:\program files\lastpass\context.html?cmd=fillforms
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - c:\program files\windows live\companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {43699cd0-e34f-11de-8a39-0800200c9a66} - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - c:\program files\lastpass\LPBar.dll
IE: {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~2\SDHelper.dll
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\dellwork\appdata\roaming\mozilla\firefox\profiles\ujurkk7w.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60310.0\npctrlui.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\dellwork\appdata\local\google\update\1.3.21.53\npGoogleUpdate3.dll
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-1-12 64288]
R0 SCMNdisP;General NDIS Protocol Driver;c:\windows\system32\drivers\SCMNdisP.sys [2011-4-10 21728]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-3-10 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-3-10 307928]
R2 ACT! Scheduler;ACT! Scheduler;c:\program files\act\act for windows\Act.Scheduler.exe [2008-7-31 81920]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-3-16 176128]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-3-10 19544]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-3-10 53592]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-3-10 42184]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
R2 InputDirector;Input Director Service;c:\program files\input director\IDWinService.exe [2010-2-1 36864]
R2 MSSQL$ACT7;SQL Server (ACT7);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2010-12-10 29293408]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2011-5-20 1153368]
R2 SSPORT;SSPORT;c:\windows\system32\drivers\SSPORT.SYS [2008-9-3 5120]
R3 amdkmdag;amdkmdag;c:\windows\system32\drivers\atikmdag.sys [2011-4-20 7772160]
R3 amdkmdap;amdkmdap;c:\windows\system32\drivers\atikmpag.sys [2011-4-20 243712]
R3 BCMH43XX;Broadcom 802.11 USB Network Adapter Driver;c:\windows\system32\drivers\bcmwlhigh6.sys [2011-4-10 699896]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 WSWNA3100;WSWNA3100;c:\program files\netgear\wna3100\WifiSvc.exe [2011-4-10 278528]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2010-11-15 39272]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-9-23 1493352]
S3 IDVistaService;Input Director Vista Service;c:\program files\input director\IDVistaService.exe [2009-2-8 13824]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-12-3 2151128]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]
.
=============== Created Last 30 ================
.
2011-05-28 16:26:54 -------- d-----w- c:\users\dellwork\appdata\local\{CDDAF18F-69B4-48F6-816C-67258655EFBF}
2011-05-28 16:24:34 -------- d-----w- c:\users\dellwork\appdata\local\Apple Computer
2011-05-28 00:16:40 -------- d-----w- c:\users\dellwork\appdata\local\{EB03DFD8-B06C-436C-AB0F-F3A728A719AA}
2011-05-27 12:16:16 -------- d-----w- c:\users\dellwork\appdata\local\{A3C6D9DA-178B-4EFA-87D4-59CBEFCDD6A3}
2011-05-27 11:18:58 6962000 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{5fea29e1-040d-4c99-8bc9-ce0eb51e4067}\mpengine.dll
2011-05-27 00:15:37 -------- d-----w- c:\users\dellwork\appdata\local\{C5279C98-709B-4244-8F26-C27828FCFE7B}
2011-05-26 12:15:12 -------- d-----w- c:\users\dellwork\appdata\local\{45DA0404-EB3C-43AA-A280-BA62A503AFB4}
2011-05-26 11:40:51 -------- d-----w- c:\program files\ESET
2011-05-26 11:28:45 -------- d-----w- c:\programdata\InstallMate
2011-05-26 11:28:45 -------- d-----w- c:\program files\BillP Studios
2011-05-26 11:15:46 -------- d-----w- c:\program files\Amazon
2011-05-26 00:14:35 -------- d-----w- c:\users\dellwork\appdata\local\{B7995AF8-13F4-4BBA-BCBA-4656AB93008A}
2011-05-25 12:13:46 -------- d-----w- c:\users\dellwork\appdata\local\{39E98395-03EF-4686-8F6E-6D2189487DDE}
2011-05-24 22:59:28 -------- d-----w- c:\users\dellwork\appdata\local\{12513ADB-8F93-4218-A434-0F85A657B47C}
2011-05-24 12:47:35 -------- d-----w- c:\program files\uTorrent
2011-05-24 12:46:36 -------- d-----w- c:\users\dellwork\appdata\roaming\uTorrent
2011-05-24 12:44:43 -------- d-----w- c:\program files\PeerBlock
2011-05-24 09:44:20 -------- d-----w- c:\users\dellwork\appdata\local\{2E552D0B-985B-44A3-94EF-6C9F54CE7D32}
2011-05-23 21:34:01 -------- d-----w- c:\users\dellwork\appdata\local\{B569AD13-B55C-4523-8CA3-E838F8C7D359}
2011-05-23 09:32:42 -------- d-----w- c:\users\dellwork\appdata\local\{64AEC4FC-4145-460C-9FE2-77C24AB70C4E}
2011-05-22 14:47:49 -------- d-----w- c:\users\dellwork\appdata\local\{43D8FF36-79B3-4C2F-8AC8-5E1E166F96C0}
2011-05-21 13:43:06 -------- d-----w- c:\users\dellwork\appdata\local\{4D7BEE08-D1A6-4007-A4E0-81B5DEB3B39C}
2011-05-21 00:22:49 -------- d-----w- c:\users\dellwork\appdata\local\{B6F070BD-9879-4D22-B212-EEF4D48C0A4D}
2011-05-20 17:11:33 388096 ----a-r- c:\users\dellwork\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-05-20 17:11:31 -------- d-----w- c:\program files\Trend Micro
2011-05-20 16:47:46 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-05-20 14:46:05 -------- d-----w- c:\users\dellwork\DoctorWeb
2011-05-20 14:30:10 -------- d-sh--w- C:\$RECYCLE.BIN
2011-05-20 14:19:47 -------- d-----w- c:\users\dellwork\appdata\local\temp
2011-05-20 14:08:07 98816 ----a-w- c:\windows\sed.exe
2011-05-20 14:08:07 89088 ----a-w- c:\windows\MBR.exe
2011-05-20 14:08:07 256512 ----a-w- c:\windows\PEV.exe
2011-05-20 14:08:07 161792 ----a-w- c:\windows\SWREG.exe
2011-05-20 13:34:31 -------- d-----w- c:\program files\Sophos
2011-05-20 13:27:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-20 13:27:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-20 12:21:53 -------- d-----w- c:\users\dellwork\appdata\local\{FC9F87DE-AFE3-4256-A5F1-1FFAFC3BAA33}
2011-05-20 11:30:59 -------- d-----w- c:\users\dellwork\appdata\roaming\WinSent Messenger
2011-05-20 10:13:26 -------- d-----w- c:\windows\system32\MpEngineStore
2011-05-20 01:24:26 -------- d-----w- c:\users\dellwork\appdata\local\{F832C69F-BA2C-4F5C-A1B8-C3A816A073E3}
2011-05-20 00:36:11 -------- d-----w- C:\SpybotBootCD
2011-05-19 23:38:42 -------- d-----w- c:\program files\Spybot - Search & Destroy 2
2011-05-19 20:24:54 -------- d-----w- c:\programdata\Kaspersky Lab
2011-05-19 20:09:15 -------- d-----w- c:\windows\PIF
2011-05-19 17:09:44 -------- d-----w- c:\users\dellwork\appdata\roaming\SUPERAntiSpyware.com
2011-05-19 17:09:44 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2011-05-19 17:09:40 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-05-19 16:44:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-19 13:23:34 -------- d-----w- c:\users\dellwork\appdata\local\{CA45BC25-0917-49C2-8956-F37BC8B5621E}
2011-05-18 22:18:32 -------- d-----w- c:\users\dellwork\appdata\local\{668C7F5D-3265-429E-B6A2-1E981A9403BA}
2011-05-18 10:17:45 -------- d-----w- c:\users\dellwork\appdata\local\{9F52D783-B37A-4B7A-9674-600ABCE1D9E5}
2011-05-17 19:51:24 -------- d-----w- c:\users\dellwork\appdata\local\{A09F6463-5984-41A9-AEF4-71798D55FA50}
2011-05-17 07:51:01 -------- d-----w- c:\users\dellwork\appdata\local\{31370502-7685-41DE-9313-226DD762ADAC}
2011-05-16 19:40:46 -------- d-----w- c:\users\dellwork\appdata\local\{A6CC4871-6014-4C70-837F-5C6043E2684C}
2011-05-16 07:40:19 -------- d-----w- c:\users\dellwork\appdata\local\{FB6C4A9C-BC82-4DB4-8842-028CAD6AB0FF}
2011-05-16 00:51:59 -------- d-----w- c:\users\dellwork\appdata\local\{15A36751-C154-4C8D-9C7F-F67517554A9D}
2011-05-15 12:51:34 -------- d-----w- c:\users\dellwork\appdata\local\{BDF0AD80-4F2E-4146-81EC-F7B148979FA3}
2011-05-14 17:02:53 -------- d-----w- c:\users\dellwork\appdata\local\{105B03CE-E3ED-436F-94EE-BFA6F8704D48}
2011-05-13 22:33:32 -------- d-----w- c:\users\dellwork\appdata\local\{A1BD4E6A-EDF7-4E7A-A94E-4BCF73F4668E}
2011-05-13 10:33:08 -------- d-----w- c:\users\dellwork\appdata\local\{82C27468-D78E-4A4B-8518-8FD18ECC1693}
2011-05-12 22:19:08 -------- d-----w- c:\users\dellwork\appdata\local\{A575C1AD-AD6C-4A6B-BB0B-7D941196AD0C}
2011-05-12 10:18:44 -------- d-----w- c:\users\dellwork\appdata\local\{2B7461F2-8644-442D-BF53-B8671D820551}
2011-05-11 22:19:09 -------- d-----w- c:\users\dellwork\appdata\local\{EBF681A3-4EB6-45CC-8153-34C405098095}
2011-05-11 10:54:01 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2011-05-11 10:18:47 -------- d-----w- c:\users\dellwork\appdata\local\{F01B1969-CE62-4BA1-AC26-02088349F405}
2011-05-10 22:45:37 -------- d-----w- c:\program files\FreeAlarmClock
2011-05-10 22:18:12 -------- d-----w- c:\users\dellwork\appdata\local\{A4DC81F1-FB40-4145-8B8F-1C3B62F0702E}
2011-05-10 10:17:36 -------- d-----w- c:\users\dellwork\appdata\local\{E5AD4D8C-8716-4465-B642-4835F1313E79}
2011-05-09 22:17:01 -------- d-----w- c:\users\dellwork\appdata\local\{39AA6175-7381-4D52-9279-A9AABBA4C1FD}
2011-05-09 10:16:01 -------- d-----w- c:\users\dellwork\appdata\local\{C1720419-8FAB-470D-A7B7-D36F7CD6271A}
2011-05-08 20:01:54 -------- d-----w- c:\program files\WinDirStat
2011-05-08 17:08:59 -------- d-----w- c:\program files\CCleaner
2011-05-08 15:50:31 -------- d-----w- c:\users\dellwork\appdata\local\{34B9DABB-402D-4A9E-AE06-162F160B25BA}
2011-05-07 10:40:08 -------- d-----w- c:\users\dellwork\appdata\local\{088DCE6B-2636-44C8-911E-2BD9EC10E86D}
2011-05-06 10:24:24 -------- d-----w- c:\users\dellwork\appdata\local\{310CC957-BCB2-4A69-8F07-A9E1A95B69A2}
2011-05-05 22:23:45 -------- d-----w- c:\users\dellwork\appdata\local\{F422BC8C-A78B-49F0-9C81-C01DB5E3B7B4}
2011-05-05 10:23:22 -------- d-----w- c:\users\dellwork\appdata\local\{AEF1FD2A-BEE0-4029-A789-CB63CE5C4453}
2011-05-04 22:22:47 -------- d-----w- c:\users\dellwork\appdata\local\{561A5ABD-048B-4016-A0E0-F4021C3837A3}
2011-05-04 10:22:10 -------- d-----w- c:\users\dellwork\appdata\local\{41141E62-D7A6-4310-83F2-1CDB4AC902E3}
2011-05-03 13:34:17 -------- d-----w- c:\users\dellwork\appdata\local\{C198B6F3-DF1A-49AA-A96F-FEE22FBFB495}
2011-05-03 01:33:42 -------- d-----w- c:\users\dellwork\appdata\local\{263E390B-40C2-4C4F-97CF-86B3C8FC94B0}
2011-05-01 15:09:01 -------- d-----w- c:\program files\LastPass
2011-05-01 14:43:50 -------- d-----w- c:\users\dellwork\appdata\local\{A936A3E4-2D85-4B56-9A04-AFDEB776DB4C}
2011-04-29 10:05:58 -------- d-----w- c:\users\dellwork\appdata\local\{B0E8D6AD-80AB-4510-9D5A-C07E426DD88C}
2011-04-28 21:40:10 -------- d-----w- c:\users\dellwork\appdata\local\{A91938A7-3B8B-4A97-956E-4C1771CB781D}
.
==================== Find3M ====================
.
2011-05-28 16:24:42 1004 --sha-w- c:\programdata\KGyGaAvL.sys
2011-05-10 12:10:59 40112 ----a-w- c:\windows\avastSS.scr
2011-05-10 12:03:54 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-05-10 11:59:44 53592 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-04-20 01:43:42 7772160 ----a-w- c:\windows\system32\drivers\atikmdag.sys
2011-04-20 01:09:20 151552 ----a-w- c:\windows\system32\atiapfxx.exe
2011-04-20 01:09:06 676864 ----a-w- c:\windows\system32\aticfx32.dll
2011-04-20 01:07:04 17693184 ----a-w- c:\windows\system32\atioglxx.dll
2011-04-20 01:05:08 462848 ----a-w- c:\windows\system32\ATIDEMGX.dll
2011-04-20 01:04:38 393216 ----a-w- c:\windows\system32\atieclxx.exe
2011-04-20 01:04:08 176128 ----a-w- c:\windows\system32\atiesrxx.exe
2011-04-20 01:02:58 159744 ----a-w- c:\windows\system32\atitmmxx.dll
2011-04-20 01:02:44 356352 ----a-w- c:\windows\system32\atipdlxx.dll
2011-04-20 01:02:32 278528 ----a-w- c:\windows\system32\Oemdspif.dll
2011-04-20 01:02:24 15872 ----a-w- c:\windows\system32\atimuixx.dll
2011-04-20 01:02:18 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2011-04-20 00:59:22 4161536 ----a-w- c:\windows\system32\atidxx32.dll
2011-04-20 00:46:16 46080 ----a-w- c:\windows\system32\aticalrt.dll
2011-04-20 00:46:04 44032 ----a-w- c:\windows\system32\aticalcl.dll
2011-04-20 00:42:06 6389760 ----a-w- c:\windows\system32\aticaldd.dll
2011-04-20 00:40:16 1923584 ----a-w- c:\windows\system32\atiumdmv.dll
2011-04-20 00:38:06 4286464 ----a-w- c:\windows\system32\atiumdag.dll
2011-04-20 00:30:38 4056576 ----a-w- c:\windows\system32\atiumdva.dll
2011-04-20 00:27:00 52736 ----a-w- c:\windows\system32\coinst.dll
2011-04-20 00:23:06 262144 ----a-w- c:\windows\system32\atiadlxx.dll
2011-04-20 00:22:54 12800 ----a-w- c:\windows\system32\atiglpxx.dll
2011-04-20 00:22:42 32768 ----a-w- c:\windows\system32\atigktxx.dll
2011-04-20 00:22:10 243712 ----a-w- c:\windows\system32\drivers\atikmpag.sys
2011-04-20 00:21:40 31232 ----a-w- c:\windows\system32\atiuxpag.dll
2011-04-20 00:21:26 29184 ----a-w- c:\windows\system32\atiu9pag.dll
2011-04-20 00:21:02 37376 ----a-w- c:\windows\system32\atitmpxx.dll
2011-04-20 00:20:52 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2011-04-20 00:13:30 52736 ----a-w- c:\windows\system32\atimpc32.dll
2011-04-20 00:13:30 52736 ----a-w- c:\windows\system32\amdpcom32.dll
2011-03-12 21:55:52 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-03-10 17:03:51 1162240 ----a-w- c:\windows\system32\mfc42u.dll
2011-03-10 17:03:51 1136640 ----a-w- c:\windows\system32\mfc42.dll
2011-03-03 15:42:03 739328 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-03 15:40:13 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2011-03-03 15:40:07 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll
2011-03-03 15:40:05 542720 ----a-w- c:\windows\apppatch\AcLayers.dll
2011-03-03 15:40:05 458752 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2011-03-03 15:40:04 2159616 ----a-w- c:\windows\apppatch\AcGenral.dll
2011-03-03 13:35:36 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2011-03-03 13:25:11 2041856 ----a-w- c:\windows\system32\win32k.sys
2011-03-02 15:44:27 86528 ----a-w- c:\windows\system32\dnsrslvr.dll
.
============= FINISH: 19:59:36.80 ===============

#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,257 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:01:37 PM

Posted 28 May 2011 - 02:34 PM

Hi, I see you have run Combofix. Please post me the log you'll find at c:\combofix.txt

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft


#5 vodkaparrot

vodkaparrot
  • Topic Starter

  • Members
  • 68 posts
  • OFFLINE
  • Local time:10:37 AM

Posted 28 May 2011 - 04:45 PM

Hi Elise

Here we go....




ComboFix 11-05-19.01 - DELLWORK 20/05/2011 15:13:32.1.2 - x86
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.44.1033.18.3325.2347 [GMT 1:00]
Running from: c:\users\DELLWORK\Desktop\ComboFix.exe
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Lavasoft Ad-Watch Live! *Enabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\DELLWORK\AppData\Roaming\1001_Nights_The_Adventures_Of_Sindbad.exe
c:\users\DELLWORK\Documents\Readiris.DUS
c:\users\DELLWORK\GoToAssistDownloadHelper.exe
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\wpcap.dll
.
Infected copy of c:\windows\system32\drivers\volsnap.sys was found and disinfected
Restored copy from - Kitty had a snack :P
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_NPF
.
.
((((((((((((((((((((((((( Files Created from 2011-04-20 to 2011-05-20 )))))))))))))))))))))))))))))))
.
.
2011-05-20 14:19 . 2011-05-20 14:19 -------- d-----w- c:\users\DELLWORK\AppData\Local\temp
2011-05-20 14:19 . 2011-05-20 14:19 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-05-20 13:34 . 2011-05-20 13:34 -------- d-----w- c:\program files\Sophos
2011-05-20 13:27 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-19 13:23 . 2011-05-19 13:23 -------- d-----w- c:\users\DELLWORK\AppData\Local\{CA45BC25-0917-49C2-8956-F37BC8B5621E}
2011-05-18 22:18 . 2011-05-18 22:18 -------- d-----w- c:\users\DELLWORK\AppData\Local\{668C7F5D-3265-429E-B6A2-1E981A9403BA}
2011-05-18 10:17 . 2011-05-18 10:17 -------- d-----w- c:\users\DELLWORK\AppData\Local\{9F52D783-B37A-4B7A-9674-600ABCE1D9E5}
2011-05-17 19:51 . 2011-05-17 19:51 -------- d-----w- c:\users\DELLWORK\AppData\Local\{A09F6463-5984-41A9-AEF4-71798D55FA50}
2011-05-17 07:51 . 2011-05-17 07:51 -------- d-----w- c:\users\DELLWORK\AppData\Local\{31370502-7685-41DE-9313-226DD762ADAC}
2011-05-16 19:40 . 2011-05-16 19:40 -------- d-----w- c:\users\DELLWORK\AppData\Local\{A6CC4871-6014-4C70-837F-5C6043E2684C}
2011-05-16 07:40 . 2011-05-16 07:40 -------- d-----w- c:\users\DELLWORK\AppData\Local\{FB6C4A9C-BC82-4DB4-8842-028CAD6AB0FF}
2011-05-16 00:51 . 2011-05-16 00:52 -------- d-----w- c:\users\DELLWORK\AppData\Local\{15A36751-C154-4C8D-9C7F-F67517554A9D}
2011-05-15 12:51 . 2011-05-15 12:51 -------- d-----w- c:\users\DELLWORK\AppData\Local\{BDF0AD80-4F2E-4146-81EC-F7B148979FA3}
2011-05-14 17:02 . 2011-05-14 17:03 -------- d-----w- c:\users\DELLWORK\AppData\Local\{105B03CE-E3ED-436F-94EE-BFA6F8704D48}
2011-05-13 22:33 . 2011-05-13 22:33 -------- d-----w- c:\users\DELLWORK\AppData\Local\{A1BD4E6A-EDF7-4E7A-A94E-4BCF73F4668E}
2011-05-13 10:33 . 2011-05-13 10:33 -------- d-----w- c:\users\DELLWORK\AppData\Local\{82C27468-D78E-4A4B-8518-8FD18ECC1693}
2011-05-12 22:19 . 2011-05-12 22:19 -------- d-----w- c:\users\DELLWORK\AppData\Local\{A575C1AD-AD6C-4A6B-BB0B-7D941196AD0C}
2011-05-12 10:18 . 2011-05-12 10:18 -------- d-----w- c:\users\DELLWORK\AppData\Local\{2B7461F2-8644-442D-BF53-B8671D820551}
2011-05-11 22:19 . 2011-05-11 22:19 -------- d-----w- c:\users\DELLWORK\AppData\Local\{EBF681A3-4EB6-45CC-8153-34C405098095}
2011-05-11 10:54 . 2011-04-07 12:01 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2011-05-11 10:18 . 2011-05-11 10:18 -------- d-----w- c:\users\DELLWORK\AppData\Local\{F01B1969-CE62-4BA1-AC26-02088349F405}
2011-05-10 22:45 . 2011-05-20 20:59 -------- d-----w- c:\program files\FreeAlarmClock
2011-05-10 22:18 . 2011-05-10 22:18 -------- d-----w- c:\users\DELLWORK\AppData\Local\{A4DC81F1-FB40-4145-8B8F-1C3B62F0702E}
2011-05-10 10:17 . 2011-05-10 10:17 -------- d-----w- c:\users\DELLWORK\AppData\Local\{E5AD4D8C-8716-4465-B642-4835F1313E79}
2011-05-09 22:17 . 2011-05-09 22:17 -------- d-----w- c:\users\DELLWORK\AppData\Local\{39AA6175-7381-4D52-9279-A9AABBA4C1FD}
2011-05-09 10:16 . 2011-05-09 10:16 -------- d-----w- c:\users\DELLWORK\AppData\Local\{C1720419-8FAB-470D-A7B7-D36F7CD6271A}
2011-05-08 20:01 . 2011-05-20 20:59 -------- d-----w- c:\program files\WinDirStat
2011-05-08 17:08 . 2011-05-20 20:59 -------- d-----w- c:\program files\CCleaner
2011-05-08 17:06 . 2011-05-20 20:59 -------- d-----w- c:\program files\7-Zip
2011-05-08 15:50 . 2011-05-08 15:50 -------- d-----w- c:\users\DELLWORK\AppData\Local\{34B9DABB-402D-4A9E-AE06-162F160B25BA}
2011-05-07 10:40 . 2011-05-07 10:40 -------- d-----w- c:\users\DELLWORK\AppData\Local\{088DCE6B-2636-44C8-911E-2BD9EC10E86D}
2011-05-06 10:24 . 2011-05-06 10:24 -------- d-----w- c:\users\DELLWORK\AppData\Local\{310CC957-BCB2-4A69-8F07-A9E1A95B69A2}
2011-05-05 22:23 . 2011-05-05 22:23 -------- d-----w- c:\users\DELLWORK\AppData\Local\{F422BC8C-A78B-49F0-9C81-C01DB5E3B7B4}
2011-05-05 10:23 . 2011-05-05 10:23 -------- d-----w- c:\users\DELLWORK\AppData\Local\{AEF1FD2A-BEE0-4029-A789-CB63CE5C4453}
2011-05-04 22:22 . 2011-05-04 22:22 -------- d-----w- c:\users\DELLWORK\AppData\Local\{561A5ABD-048B-4016-A0E0-F4021C3837A3}
2011-05-04 10:22 . 2011-05-04 10:22 -------- d-----w- c:\users\DELLWORK\AppData\Local\{41141E62-D7A6-4310-83F2-1CDB4AC902E3}
2011-05-03 13:34 . 2011-05-03 13:34 -------- d-----w- c:\users\DELLWORK\AppData\Local\{C198B6F3-DF1A-49AA-A96F-FEE22FBFB495}
2011-05-03 01:33 . 2011-05-03 01:33 -------- d-----w- c:\users\DELLWORK\AppData\Local\{263E390B-40C2-4C4F-97CF-86B3C8FC94B0}
2011-05-01 15:09 . 2011-05-20 20:59 -------- d-----w- c:\program files\LastPass
2011-05-01 14:43 . 2011-05-01 14:44 -------- d-----w- c:\users\DELLWORK\AppData\Local\{A936A3E4-2D85-4B56-9A04-AFDEB776DB4C}
2011-04-29 10:05 . 2011-04-29 10:06 -------- d-----w- c:\users\DELLWORK\AppData\Local\{B0E8D6AD-80AB-4510-9D5A-C07E426DD88C}
2011-04-28 21:40 . 2011-04-28 21:40 -------- d-----w- c:\users\DELLWORK\AppData\Local\{A91938A7-3B8B-4A97-956E-4C1771CB781D}
2011-04-28 08:37 . 2011-04-28 08:37 -------- d-----w- c:\users\DELLWORK\AppData\Local\{215B7C30-4D55-4063-8925-F2B976EF1EAE}
2011-04-27 20:36 . 2011-04-27 20:36 -------- d-----w- c:\users\DELLWORK\AppData\Local\{E67984B8-1387-4AAA-8013-AE0C0377C8BF}
2011-04-27 08:36 . 2011-04-27 08:36 -------- d-----w- c:\users\DELLWORK\AppData\Local\{F6C34C25-1FA2-4651-8395-9A3118B1D400}
2011-04-26 17:58 . 2011-03-03 15:40 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2011-04-26 17:58 . 2011-03-03 13:35 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2011-04-26 17:58 . 2011-03-12 21:55 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-04-26 08:18 . 2011-04-26 08:18 -------- d-----w- c:\users\DELLWORK\AppData\Local\{0AF2BA6C-00C5-4D4C-81D6-88CC117E8945}
2011-04-25 20:17 . 2011-04-25 20:17 -------- d-----w- c:\users\DELLWORK\AppData\Local\{D537542E-07E4-4BE4-A912-1E891CE72D88}
2011-04-23 10:12 . 2011-04-23 10:13 -------- d-----w- c:\users\DELLWORK\AppData\Local\{4C3E1830-DD25-4F54-8024-8484962D94FB}
2011-04-22 20:46 . 2011-04-22 20:46 -------- d-----w- c:\users\DELLWORK\AppData\Local\{4E29700F-4B85-4B6A-BD02-1ABECBD6ED6F}
2011-04-22 08:45 . 2011-04-22 08:45 -------- d-----w- c:\users\DELLWORK\AppData\Local\{9BC8A600-0B7D-4609-B1CC-2C2E74905F4D}
2011-04-21 10:22 . 2011-04-21 10:22 -------- d-----w- c:\users\DELLWORK\AppData\Local\{E1DA6153-EECE-4701-A87F-B23572539D5D}
2011-04-20 21:43 . 2011-04-20 21:43 -------- d-----w- c:\users\DELLWORK\AppData\Local\{3EF2862A-BFCD-4244-B748-4BA43F0871C9}
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-17 09:09 . 2010-07-27 08:58 199 ----a-w- c:\users\DELLWORK\AppData\Local\orgit.bat
2011-05-10 12:10 . 2011-03-10 14:51 40112 ----a-w- c:\windows\avastSS.scr
2011-05-10 12:10 . 2011-03-10 14:51 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-05-10 12:03 . 2011-03-10 14:52 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-05-10 12:03 . 2011-03-10 14:52 307928 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-05-10 12:02 . 2011-03-10 14:52 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-05-10 11:59 . 2011-03-10 14:52 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-05-10 11:59 . 2011-03-10 14:52 53592 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-05-10 11:59 . 2011-03-10 14:52 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-04-06 13:59 . 2011-04-06 13:59 161792 ----a-w- c:\windows\system32\msls31.dll
2011-04-06 13:59 . 2011-04-06 13:59 1126912 ----a-w- c:\windows\system32\wininet.dll
2011-04-06 13:59 . 2011-04-06 13:59 86528 ----a-w- c:\windows\system32\iesysprep.dll
2011-04-06 13:59 . 2011-04-06 13:59 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2011-04-06 13:59 . 2011-04-06 13:59 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2011-04-06 13:59 . 2011-04-06 13:59 74752 ----a-w- c:\windows\system32\iesetup.dll
2011-04-06 13:59 . 2011-04-06 13:59 63488 ----a-w- c:\windows\system32\tdc.ocx
2011-04-06 13:59 . 2011-04-06 13:59 48640 ----a-w- c:\windows\system32\mshtmler.dll
2011-04-06 13:59 . 2011-04-06 13:59 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-04-06 13:59 . 2011-04-06 13:59 367104 ----a-w- c:\windows\system32\html.iec
2011-04-06 13:59 . 2011-04-06 13:59 23552 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-06 13:59 . 2011-04-06 13:59 152064 ----a-w- c:\windows\system32\wextract.exe
2011-04-06 13:59 . 2011-04-06 13:59 150528 ----a-w- c:\windows\system32\iexpress.exe
2011-04-06 13:59 . 2011-04-06 13:59 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2011-04-06 13:59 . 2011-04-06 13:59 35840 ----a-w- c:\windows\system32\imgutil.dll
2011-04-06 13:59 . 2011-04-06 13:59 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-04-06 13:59 . 2011-04-06 13:59 1797632 ----a-w- c:\windows\system32\jscript9.dll
2011-04-06 13:59 . 2011-04-06 13:59 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2011-04-06 13:59 . 2011-04-06 13:59 11776 ----a-w- c:\windows\system32\mshta.exe
2011-04-06 13:59 . 2011-04-06 13:59 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
2011-04-06 13:59 . 2011-04-06 13:59 101888 ----a-w- c:\windows\system32\admparse.dll
2011-03-10 17:03 . 2011-04-13 18:19 1162240 ----a-w- c:\windows\system32\mfc42u.dll
2011-03-10 17:03 . 2011-04-13 18:19 1136640 ----a-w- c:\windows\system32\mfc42.dll
2011-03-09 08:21 . 2011-03-09 08:21 7723008 ----a-w- c:\windows\system32\drivers\atikmdag.sys
2011-03-09 04:19 . 2011-03-09 04:19 17397248 ----a-w- c:\windows\system32\atioglxx.dll
2011-03-09 03:57 . 2011-03-09 03:57 143360 ----a-w- c:\windows\system32\atiapfxx.exe
2011-03-09 03:56 . 2010-08-04 00:54 679424 ----a-w- c:\windows\system32\aticfx32.dll
2011-03-09 03:53 . 2011-03-09 03:53 462848 ----a-w- c:\windows\system32\ATIDEMGX.dll
2011-03-09 03:53 . 2009-03-16 19:27 393216 ----a-w- c:\windows\system32\atieclxx.exe
2011-03-09 03:52 . 2009-03-16 19:27 176128 ----a-w- c:\windows\system32\atiesrxx.exe
2011-03-09 03:51 . 2011-03-09 03:51 159744 ----a-w- c:\windows\system32\atitmmxx.dll
2011-03-09 03:51 . 2011-03-09 03:51 356352 ----a-w- c:\windows\system32\atipdlxx.dll
2011-03-09 03:51 . 2011-03-09 03:51 278528 ----a-w- c:\windows\system32\Oemdspif.dll
2011-03-09 03:51 . 2011-03-09 03:51 15872 ----a-w- c:\windows\system32\atimuixx.dll
2011-03-09 03:51 . 2011-03-09 03:51 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2011-03-09 03:48 . 2011-01-26 22:49 4277760 ----a-w- c:\windows\system32\atidxx32.dll
2011-03-09 03:34 . 2011-03-09 03:34 46080 ----a-w- c:\windows\system32\aticalrt.dll
2011-03-09 03:34 . 2011-03-09 03:34 44032 ----a-w- c:\windows\system32\aticalcl.dll
2011-03-09 03:32 . 2011-03-09 03:32 5618688 ----a-w- c:\windows\system32\aticaldd.dll
2011-03-09 03:30 . 2008-07-04 02:21 4294656 ----a-w- c:\windows\system32\atiumdag.dll
2011-03-09 03:18 . 2009-03-16 18:41 258048 ----a-w- c:\windows\system32\atiadlxx.dll
2011-03-09 03:17 . 2011-03-09 03:17 12800 ----a-w- c:\windows\system32\atiglpxx.dll
2011-03-09 03:17 . 2011-03-09 03:17 32768 ----a-w- c:\windows\system32\atigktxx.dll
2011-03-09 03:17 . 2011-03-09 03:17 239616 ----a-w- c:\windows\system32\drivers\atikmpag.sys
2011-03-09 03:17 . 2011-01-26 22:12 31232 ----a-w- c:\windows\system32\atiuxpag.dll
2011-03-09 03:16 . 2010-08-04 00:14 28672 ----a-w- c:\windows\system32\atiu9pag.dll
2011-03-09 03:16 . 2010-08-04 00:14 23040 ----a-w- c:\windows\system32\atitmpxx.dll
2011-03-09 03:16 . 2011-03-09 03:16 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2011-03-09 03:11 . 2010-08-04 00:23 52736 ----a-w- c:\windows\system32\coinst.dll
2011-03-09 02:42 . 2011-03-09 02:42 1912832 ----a-w- c:\windows\system32\atiumdmv.dll
2011-03-09 02:34 . 2011-03-09 02:34 3471872 ----a-w- c:\windows\system32\atiumdva.dll
2011-03-09 02:18 . 2011-03-09 02:18 52736 ----a-w- c:\windows\system32\atimpc32.dll
2011-03-09 02:18 . 2011-03-09 02:18 52736 ----a-w- c:\windows\system32\amdpcom32.dll
2011-03-03 15:42 . 2011-04-13 18:19 739328 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-03 15:40 . 2011-04-26 17:58 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll
2011-03-03 15:40 . 2011-04-26 17:58 542720 ----a-w- c:\windows\apppatch\AcLayers.dll
2011-03-03 15:40 . 2011-04-26 17:58 458752 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2011-03-03 15:40 . 2011-04-26 17:58 2159616 ----a-w- c:\windows\apppatch\AcGenral.dll
2011-03-03 13:25 . 2011-04-13 18:19 2041856 ----a-w- c:\windows\system32\win32k.sys
2011-03-02 15:44 . 2011-04-13 18:19 86528 ----a-w- c:\windows\system32\dnsrslvr.dll
2011-02-22 14:13 . 2011-03-24 12:20 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-02-22 13:33 . 2011-03-24 12:20 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-02-22 13:33 . 2011-03-24 12:20 797696 ----a-w- c:\windows\system32\FntCache.dll
2011-02-22 13:24 . 2011-04-13 18:19 213504 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-02-22 13:24 . 2011-04-13 18:19 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-02-22 13:23 . 2011-04-13 18:19 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-22 13:23 . 2011-04-13 18:19 69632 ----a-w- c:\windows\system32\drivers\bowser.sys
2011-05-01 18:06 . 2011-03-23 22:50 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-05-10 12:10 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2010-11-10 4240760]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]
"FreeAC"="c:\program files\FreeAlarmClock\FreeAlarmClock.exe" [2011-02-21 1348424]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2007-05-14 4452352]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-02-26 128296]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-01-12 488984]
"LVCOMSX"="c:\program files\Common Files\LogiShrd\LComMgr\LVComSX.exe" [2007-01-12 244512]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2009-04-11 236016]
"Act.Outlook.Service"="c:\program files\ACT\Act for Windows\Act.Outlook.Service.exe" [2008-07-31 28672]
"Act! Preloader"="c:\program files\ACT\Act for Windows\ActSage.exe" [2008-07-31 393216]
"ACTSchedulerUI"="c:\program files\ACT\Act for Windows\Act.Scheduler.UI.exe" [2008-07-31 499712]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-05-10 3459712]
"WinSent Messenger"="c:\program files\WinSent Messenger\winsent.exe" [2011-03-15 602112]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http:" [X]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-2-9 805392]
NETGEAR WNA3100 Smart Wizard.lnk - c:\program files\NETGEAR\WNA3100\WNA3100.exe [2011-4-10 4562944]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"SoftwareSASGeneration"= 3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0autocheck lsdelete\0autocheck lsdelete\0autocheck lsdelete\0autocheck lsdelete\0autocheck lsdelete\0autocheck lsdelete\0autocheck lsdelete\0autocheck lsdelete\0autocheck lsdelete\0autocheck lsdelete\0autocheck lsdelete\0autocheck lsdelete\0autocheck lsdelete\0autocheck lsdelete\0autocheck lsdelete\0autocheck lsdelete\0autocheck lsdelete\0autocheck lsdelete\0autocheck lsdelete\0autocheck lsdelete\0autocheck lsdelete\0autocheck lsdelete\0autocheck lsdelete\0autocheck lsdelete\0autocheck lsdelete\0autocheck lsdelete\0autocheck lsdelete\0autocheck lsdelete\0autocheck lsdelete
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 WSWNA3100;WSWNA3100;c:\program files\NETGEAR\WNA3100\WifiSvc.exe [2010-01-12 278528]
R3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [2011-02-28 183560]
R3 IDVistaService;Input Director Vista Service;c:\program files\Input Director\IDVistaService.exe [2009-02-08 13824]
R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2011-05-16 2151128]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [2011-02-04 15232]
R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\10C3.tmp [x]
R3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [x]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-12-03 64288]
S0 SCMNdisP;General NDIS Protocol Driver;c:\windows\system32\DRIVERS\scmndisp.sys [2007-01-19 21728]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-01-18 717296]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S2 ACT! Scheduler;ACT! Scheduler;c:\program files\ACT\Act for Windows\Act.Scheduler.exe [2008-07-31 81920]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-03-09 176128]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-05-10 53592]
S2 InputDirector;Input Director Service;c:\program files\Input Director\IDWinService.exe [2010-02-01 36864]
S2 MSSQL$ACT7;SQL Server (ACT7);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2010-12-10 29293408]
S2 SSPORT;SSPORT;c:\windows\system32\Drivers\SSPORT.sys [2006-11-22 5120]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2011-03-09 7723008]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2011-03-09 239616]
S3 BCMH43XX;Broadcom 802.11 USB Network Adapter Driver;c:\windows\system32\DRIVERS\bcmwlhigh6.sys [2009-11-06 699896]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-939189520-3738189094-4030656897-1001Core.job
- c:\users\DELLWORK\AppData\Local\Google\Update\GoogleUpdate.exe [2008-09-03 19:45]
.
2011-05-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-939189520-3738189094-4030656897-1001UA.job
- c:\users\DELLWORK\AppData\Local\Google\Update\GoogleUpdate.exe [2008-09-03 19:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: LastPass - file://c:\program files\LastPass\context.html?cmd=lastpass
IE: LastPass Fill Forms - file://c:\program files\LastPass\context.html?cmd=fillforms
FF - ProfilePath -
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
AddRemove-Farm Frenzy 3 Russian Roulette 1.0 - c:\program files\Alawar Entertainment\Farm Frenzy 3 Russian Roulette\Uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-20 15:24
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\10C3.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(3196)
c:\program files\Logitech\SetPoint\lgscroll.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\atieclxx.exe
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\windows\system32\WLANExt.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\program files\Input Director\InputDirectorSessionHelper.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\windows\RtHDVCpl.exe
c:\program files\Microsoft\BingBar\SeaPort.EXE
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-05-20 15:31:48 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-20 14:31
.
Pre-Run: 225,365,139,456 bytes free
Post-Run: 224,680,140,800 bytes free
.
Current=1 Default=1 Failed=0 LastKnownGood=10 Sets=1,2,3,4,5,6,7,8,9,10
- - End Of File - - 7CA70F8AB1497FCB600499190D3A988D

#6 Elise

Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,257 posts
  • Gender:Female
  • Location:Romania

Posted 29 May 2011 - 02:07 AM

Hi, you had a nasty rootkit on your computer. Although it is cleaned successfully, please read the following:

BACKDOOR WARNING
------------------------------
One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and cleaned, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


TWO ANTIVIRUS PROGRAMS
---------------------------------------
I do not recommend that you have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
  • False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
  • System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove either AdAware or Avast.


Finally, please rerun DDS and post me attach.txt (it will be minimized when the scan finishes).

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#7 vodkaparrot

vodkaparrot
  • Topic Starter

  • Members
  • 68 posts

Posted 29 May 2011 - 06:45 AM

Hello Elise

Thanks, I did suspect as much. Don't worry about it then; I can't afford to have this particular computer at risk, so I will just reformat the disc and start again. To be honest I was going to do some upgrading on it anyway, as I want to put a SSD or VRaptor hard drive in there for apps. It will just give me the time to have a bit of a play under the hood. I have other computers to play with while it's out of action, so I will be fine. Thanks for your help with this, I do appreciate it.

All the best,

Adam

#8 Elise

Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,257 posts
  • Gender:Female
  • Location:Romania

Posted 29 May 2011 - 07:03 AM

Hi Adam, please let me know if you have any additional questions. If not, I'll close this topic. Find below some general prevention advice.

Please read this advice, in order to prevent reinfecting your PC:
  • Install and update the following programs regularly:
    • an outbound firewall. If you are connected to the internet through a router, you are already behind a hardware firewall and as such you do not need an extra software firewall.
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non-commercial home use but provide a resident and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.
  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.
    Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
  • Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.
  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.
Some more links you might find of interest:

regards, Elise




#9 vodkaparrot

vodkaparrot
  • Topic Starter

  • Members
  • 68 posts

Posted 29 May 2011 - 07:08 AM

Hello Elise

I do have one last question: this PC is a DELL with a separate partition that houses a recovery utility. I could reinstall Windows from it or I could just wipe the whole disc and start again; what would you do?

Sorry to put you on the spot.

Adam

#10 Elise

Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,257 posts
  • Gender:Female
  • Location:Romania

Posted 29 May 2011 - 08:17 AM

If you have Recovery disks, I would use them, just to be on the safe side, but since Dell's recovery partition is hidden for Windows, I wouldn't worry about it being compromised.

regards, Elise




#11 vodkaparrot

vodkaparrot
  • Topic Starter

  • Members
  • 68 posts

Posted 29 May 2011 - 08:25 AM

Hello Elise

Thanks, but I think I've decided to do an overhaul on the OS as well. I've got to check a few drivers for compatibility, but as long as it all checks out I'm probably going to move to Win 7 64-bit.

Thanks for the time on this, take care.

Adam

#12 Elise

Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,257 posts
  • Gender:Female
  • Location:Romania

Posted 29 May 2011 - 08:26 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

regards, Elise

