Google redirects me in IE8 IE9 Firefox, Chrome will not load


  • This topic is locked
14 replies to this topic

#1 gsf1969

gsf1969

  • Members
  • 9 posts
  • OFFLINE
  • Local time:02:39 PM

Posted 31 May 2011 - 08:59 PM

I have this nasty redirect issue and have no clue how to remove it. Below is a copy of my DDS log. Basically, whenever I type in a Google search and click on the link, I am redirected to a different search page or a different product. About a week ago I got a Windows Defender virus or something, and I used System Restore to go back to an earlier date. Skype will not load, nor will Chrome.

GMER crashes when I try to run it.

.
DDS (Ver_11-05-19.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_23
Run by Greg at 18:39:29 on 2011-05-31
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2011.855 [GMT -7:00]
.
AV: AVG Internet Security 2011 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Internet Security 2011 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: AVG Firewall *Enabled* {621CC794-9486-F902-D092-0484E8EA828B}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_0cefa6767c6211ec\STacSV.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Common Files\ActivIdentity\ac.sharedstore.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files\ActivIdentity\ActivClient\acevents.exe
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_0cefa6767c6211ec\aestsrv.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\ActivIdentity\ActivClient\acevents.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\AVG\AVG10\avgfws.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\AVG\AVG10\avgam.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Users\Greg\AppData\Local\Google\Update\1.3.21.53\GoogleCrashHandler.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Program Files\HP\Digital Imaging\smart web printing\hpswp_clipbook.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\ActivIdentity\ActivClient\acsagent.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wuauclt.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Greg\Desktop\dds.scr
C:\Windows\system32\WSCRIPT.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=192.168.97.1:3128;https=192.168.97.1:3128;socks=192.168.97.1:1080
uInternet Settings,ProxyOverride = <local>;*.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: PE_IE_Helper Class: {0941c58f-e461-4e03-bd7d-44c27392ade1} - c:\program files\ibm\lotus forms\viewer\3.5\PEhelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn1\YTSingleInstance.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [Google Update] "c:\users\greg\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [<NO NAME>]
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [SysTrayApp] c:\program files\idt\wdm\sttray.exe
mRun: [acevents] "c:\program files\actividentity\activclient\acevents.exe"
mRun: [accrdsub] "c:\program files\actividentity\activclient\accrdsub.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AprvRemoveLegacyExcelKeys] "c:\program files\approveit\support\tools\aprvclean.exe" -k hkcu software\microsoft\office\excel\addins\OfficeAddIn.OfficeAddIn
mRun: [AprvRemoveLegacyWordKeys] "c:\program files\approveit\support\tools\aprvclean.exe" -k hkcu software\microsoft\office\word\addins\OfficeAddIn.OfficeAddIn
mRun: [ApproveItForOfficeSetup] "c:\program files\approveit\support\tools\approveitforofficesetup.exe " /1 /p "c:\program files\approveit\"
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
StartupFolder: c:\users\greg\appdata\roaming\micros~1\windows\startm~1\programs\startup\setup_~1.lnk - c:\users\greg\desktop\virus removal tool\setup_9.0.0.722_01.06.2011_02-44\startup.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\activc~1.lnk - c:\program files\actividentity\activclient\acsagent.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\approv~1.lnk - c:\windows\installer\{4e01b649-0023-4eb5-9263-57de317c3418}\Icon9557F1BC1.ico
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\greg\appdata\roaming\mozilla\firefox\profiles\8x3ghx4g.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpClipBook.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpClipBookDB.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpNeoLogger.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSaturn.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSeymour.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSmartSelect.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSmartWebPrinting.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSWPOperation.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPLogging.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPMTC.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPMTL.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXREStub.dll
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.51204.0\npctrlui.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmfv.dll
FF - plugin: c:\program files\win7codecs\rm\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\win7codecs\rm\browser\plugins\nprpjplug.dll
FF - plugin: c:\users\greg\appdata\local\google\update\1.3.21.53\npGoogleUpdate3.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
============= SERVICES / DRIVERS ===============
.
R0 79490772;79490772 Boot Guard Driver;c:\windows\system32\drivers\79490772.sys [2011-5-31 37392]
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-2-22 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-3-16 32592]
R1 79490771;79490771;c:\windows\system32\drivers\79490771.sys [2011-5-31 128016]
R1 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwd6x.sys [2010-7-12 54112]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-1-7 248656]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-3-1 34896]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-4-5 297168]
R1 setup_9.0.0.722_01.06.2011_02-44drv;setup_9.0.0.722_01.06.2011_02-44drv;c:\windows\system32\drivers\7949077.sys [2011-5-31 311312]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 ac.sharedstore;ActivIdentity Shared Store Service;c:\program files\common files\actividentity\ac.sharedstore.exe [2009-6-3 207400]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\driverstore\filerepository\stwrt.inf_x86_neutral_0cefa6767c6211ec\AEstSrv.exe [2010-6-5 81920]
R2 avgfws;AVG Firewall;c:\program files\avg\avg10\avgfws.exe [2011-3-9 2708024]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-4-18 7398752]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]
R2 NSHE;Guardant Emulator Driver;c:\windows\system32\drivers\NSHE.SYS [2010-3-17 97792]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2009-4-22 1768376]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-4-14 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-2-10 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-2-10 21968]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-7-12 102448]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-3-1 139776]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-11-18 23888]
S3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\drivers\NwUsbCdFil.sys [2009-6-15 20480]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [2009-6-3 174720]
S3 SCR3XX2K;SCR3xx USB SmartCardReader;c:\windows\system32\drivers\SCR3XX2K.sys [2010-1-6 57856]
S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\verizo~1\vzacce~1\SMSIVZAM5.SYS [2009-3-20 32408]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-13 14336]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-4-5 1343400]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2009-7-13 17920]
.
=============== Created Last 30 ================
.
2011-06-01 00:43:28 -------- d-----w- c:\programdata\Kaspersky Lab
2011-06-01 00:39:37 37392 ----a-w- c:\windows\system32\drivers\79490772.sys
2011-06-01 00:39:37 311312 ----a-w- c:\windows\system32\drivers\7949077.sys
2011-06-01 00:39:37 128016 ----a-w- c:\windows\system32\drivers\79490771.sys
2011-05-31 23:13:23 -------- d-----w- C:\!KillBox
2011-05-31 23:10:07 -------- d-----w- c:\program files\CCleaner
2011-05-30 16:52:22 12872 ----a-w- c:\windows\system32\bootdelete.exe
2011-05-30 15:41:23 17480 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-05-30 15:40:31 -------- d-----w- c:\program files\Hitman Pro 3.5
2011-05-30 15:39:52 -------- d-----w- c:\programdata\Hitman Pro
2011-05-30 04:13:46 469256 ----a-w- c:\program files\common files\windows live\.cache\f46a42cd1cc1e7f2a\InstallManager_WLE_WLE.exe
2011-05-30 04:11:46 15712 ----a-w- c:\program files\common files\windows live\.cache\b0610e181cc1e7f1d\MeshBetaRemover.exe
2011-05-30 04:10:34 94040 ----a-w- c:\program files\common files\windows live\.cache\8377d7ac1cc1e7f16\DSETUP.dll
2011-05-30 04:10:34 525656 ----a-w- c:\program files\common files\windows live\.cache\8377d7ac1cc1e7f16\DXSETUP.exe
2011-05-30 04:10:34 1691480 ----a-w- c:\program files\common files\windows live\.cache\8377d7ac1cc1e7f16\dsetup32.dll
2011-05-30 04:10:27 94040 ----a-w- c:\program files\common files\windows live\.cache\80c3273d1cc1e7f15\DSETUP.dll
2011-05-30 04:10:27 525656 ----a-w- c:\program files\common files\windows live\.cache\80c3273d1cc1e7f15\DXSETUP.exe
2011-05-30 04:10:27 1691480 ----a-w- c:\program files\common files\windows live\.cache\80c3273d1cc1e7f15\dsetup32.dll
2011-05-30 03:32:24 123904 ----a-w- c:\windows\system32\poqexec.exe
2011-05-30 01:10:34 -------- d--h--w- C:\$AVG
2011-05-29 19:54:27 -------- d-----w- c:\users\greg\appdata\roaming\AVG10
2011-05-29 19:53:07 -------- d--h--w- c:\programdata\Common Files
2011-05-29 19:49:06 -------- d-----w- c:\windows\system32\drivers\AVG
2011-05-29 19:49:06 -------- d-----w- c:\programdata\AVG10
2011-05-29 19:47:06 -------- d-----w- c:\program files\AVG
2011-05-29 19:37:56 -------- d-----w- c:\programdata\MFAData
2011-05-28 00:33:40 6962000 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{3997cc3b-a51a-4a55-9861-9ebf73ce0baf}\mpengine.dll
2011-05-14 08:15:57 -------- d--h--w- c:\users\greg\appdata\roaming\Malwarebytes
2011-05-14 08:15:52 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-14 08:15:51 -------- d-----w- c:\programdata\Malwarebytes
2011-05-14 08:15:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
.
==================== Find3M ====================
.
2011-05-25 02:14:10 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-04-15 04:28:30 134480 ----a-w- c:\windows\system32\drivers\AVGIDSDriver.sys
2011-04-05 07:59:56 297168 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2011-03-16 23:03:20 32592 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
.
============= FINISH: 18:42:28.66 ===============
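Two lines in the Pseudo HJT section of the DDS log above are the ones a triager reads first: the per-user `ProxyServer` entry that hands IE's HTTP, HTTPS and SOCKS traffic to 192.168.97.1 (Chrome uses the same WinINET setting, and Firefox does by default), and the `mPolicies-system` values that set `EnableLUA`, `ConsentPromptBehaviorAdmin` and `PromptOnSecureDesktop` to 0, i.e. UAC switched off. The script below is an added example, not a BleepingComputer tool and not part of the original post: it parses a constructed excerpt in the shape DDS prints and flags those two indicator classes. The severity labels and the loopback-versus-remote distinction are this example's own heuristics; whether a given proxy is legitimate on a particular machine is still the helper's call.

```python
"""Triage a DDS 'Pseudo HJT Report' for proxy hijack and weakened-UAC lines.

Added example for this thread, not a BleepingComputer or DDS tool. SAMPLE_DDS is a
constructed excerpt modelled on the log lines in post #1; the severities and the
messages are assumptions made here for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample in the exact line shapes DDS emits.
SAMPLE_DDS = """\
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=192.168.97.1:3128;https=192.168.97.1:3128;socks=192.168.97.1:1080
uInternet Settings,ProxyOverride = <local>;*.local
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
"""


@dataclass
class Finding:
    severity: str  # "high" or "medium" (this example's own scale)
    key: str
    detail: str


# 'u' = HKCU (per-user), 'm' = HKLM (machine-wide) in DDS notation.
PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(.+)$")
POLICY_RE = re.compile(r"^mPolicies-system:\s*(\w+)\s*=\s*(\d+)")

# UAC values under HKLM\...\Policies\System and the setting that weakens each one.
WEAK_UAC = {
    "EnableLUA": (0, "UAC is disabled; admin-group processes run fully elevated"),
    "ConsentPromptBehaviorAdmin": (0, "administrators elevate silently with no consent prompt"),
    "PromptOnSecureDesktop": (0, "elevation prompts, if any, are not shown on the secure desktop"),
}


def parse_proxy(value: str) -> dict:
    """Turn 'http=host:port;https=host:port' into {scheme: (host, port)}.
    WinINET also accepts a bare 'host:port', which applies to every protocol."""
    out = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, hostport = part.split("=", 1) if "=" in part else ("all", part)
        host, _, port = hostport.rpartition(":")
        out[scheme] = (host, int(port) if port.isdigit() else None)
    return out


def classify_proxy_host(host: str) -> str:
    """A loopback proxy is usually a local filter (AV, debugging tools); anything
    else means the browser's traffic is being handed to another machine."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "remote hostname"
    if ip.is_loopback:
        return "loopback"
    return "private-range IP" if ip.is_private else "public IP"


def triage_dds(text: str) -> list:
    """Return one Finding per proxied scheme and per weakened UAC value."""
    findings = []
    for line in text.splitlines():
        m = PROXY_RE.match(line)
        if m:
            for scheme, (host, port) in parse_proxy(m.group(1)).items():
                kind = classify_proxy_host(host)
                sev = "medium" if kind == "loopback" else "high"
                findings.append(Finding(sev, f"ProxyServer/{scheme}",
                                        f"{scheme} traffic proxied to {host}:{port} ({kind})"))
            continue
        m = POLICY_RE.match(line)
        if m and m.group(1) in WEAK_UAC:
            weak_value, why = WEAK_UAC[m.group(1)]
            if int(m.group(2)) == weak_value:
                findings.append(Finding("high", m.group(1), why))
    return findings


if __name__ == "__main__":
    for f in triage_dds(SAMPLE_DDS):
        print(f"[{f.severity}] {f.key}: {f.detail}")
```

Run against the constructed sample this reports three high-severity proxy findings (http, https, socks all pointed at a private-range address) and three weakened-UAC values; `ConsentPromptBehaviorUser = 3` is the Windows 7 default for standard users and is deliberately not flagged. On a live machine the same two registry locations can be read directly (HKCU `Internet Settings\ProxyServer` and HKLM `Policies\System`), and the proxy should be removed or explained before any other cleanup, since a scan that pulls updates through a hostile proxy is itself suspect.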


#2 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:39 PM

Posted 01 June 2011 - 09:50 PM

Hello and welcome. Please follow these guidelines while we work on your PC:
  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I've given you the "All clear." Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.
Please download Rootkit Unhooker and save it on your desktop.
  • Disable your security programs
  • Double click RKUnhookerLE.exe to run it
  • Click the Report tab, then click Scan
  • Check Drivers, Stealth Code, Files, and Code Hooks
  • Uncheck the rest, then click OK
  • When prompted to Select Disks for Scan, make sure C:\ is checked and click OK
  • Wait till the scanner has finished then go File > Save Report
  • Save the report somewhere you can find it. Click Close
  • Copy the entire contents of the report and paste it in your next reply.
Note - You may get this warning it is ok, just ignore it:

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"

Please include the following in your next post:
  • Rootkit Unhooker log
  • The Attach.txt log from DDS

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member




#3 gsf1969

gsf1969
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:02:39 PM

Posted 02 June 2011 - 10:07 AM

Attached file: Attach.zip (3.03 KB)

Rootkit Unhooker hangs up on Files and does nothing.

RkU Version: 3.8.389.593, Type LE (SR2)
==============================================
OS Name: Windows 7
Version 6.1.7600
Number of processors #2
==============================================
>Drivers
==============================================
0x92609000 C:\Windows\system32\DRIVERS\79490771.sys 5373952 bytes (Kaspersky Lab, Kaspersky Unified Driver)
0x92C22000 C:\Windows\system32\DRIVERS\igdkmd32.sys 5275648 bytes (Intel Corporation, Intel Graphics Kernel Mode Driver)
0x81A44000 C:\Windows\system32\ntkrnlpa.exe 4259840 bytes (Microsoft Corporation, NT Kernel & System)
0x81A44000 PnpManager 4259840 bytes
0x81A44000 RAW 4259840 bytes
0x81A44000 WMIxWDM 4259840 bytes
0x93230000 C:\Windows\system32\DRIVERS\bcmwl6.sys 2519040 bytes (Broadcom Corporation, Broadcom 802.11 Network Adapter wireless driver)
0x96090000 Win32k 2404352 bytes
0x96090000 C:\Windows\System32\win32k.sys 2404352 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0x88227000 C:\Windows\System32\drivers\tcpip.sys 1347584 bytes (Microsoft Corporation, TCP/IP Driver)
0x8BC4D000 C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20100711.002\NAVEX15.SYS 1343488 bytes (Symantec Corporation, AV Engine)
0x87E1C000 C:\Windows\System32\Drivers\Ntfs.sys 1241088 bytes (Microsoft Corporation, NT File System Driver)
0x9312A000 C:\Windows\System32\drivers\dxgkrnl.sys 749568 bytes (Microsoft Corporation, DirectX Graphics Kernel)
0x88033000 C:\Windows\system32\drivers\ndis.sys 749568 bytes (Microsoft Corporation, NDIS 6.20 driver)
0x87AE9000 C:\Windows\system32\CI.dll 700416 bytes (Microsoft Corporation, Code Integrity Module)
0xB222F000 C:\Windows\system32\drivers\hardlock.sys 688128 bytes (Aladdin Knowledge Systems Ltd., Hardlock Device Driver for Windows NT)
0xB234D000 C:\Windows\system32\drivers\peauth.sys 618496 bytes (Microsoft Corporation, Protected Environment Authentication and Authorization Export Driver)
0x97C77000 C:\Windows\system32\drivers\HTTP.sys 544768 bytes (Microsoft Corporation, HTTP Protocol Stack)
0x87A16000 C:\Windows\system32\mcupdate_GenuineIntel.dll 491520 bytes (Microsoft Corporation, Intel Microcode Update Library)
0x87C04000 C:\Windows\system32\drivers\Wdf01000.sys 462848 bytes (Microsoft Corporation, Kernel Mode Driver Framework Runtime)
0x93626000 C:\Windows\system32\DRIVERS\stwrt.sys 442368 bytes (IDT, Inc., IDT PC Audio)
0x910ED000 C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys 434176 bytes (Symantec Corporation, SPBBC Driver)
0x9228F000 C:\Windows\system32\drivers\csc.sys 409600 bytes (Microsoft Corporation, Windows Client Side Caching Driver)
0x92208000 C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys 385024 bytes (Symantec Corporation, Symantec Eraser Control Driver)
0x87F89000 C:\Windows\System32\Drivers\cng.sys 380928 bytes (Microsoft Corporation, Kernel Cryptography, Next Generation)
0x9102B000 C:\Windows\system32\drivers\afd.sys 368640 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0xB54A9000 C:\Windows\System32\DRIVERS\srv.sys 331776 bytes (Microsoft Corporation, Server driver)
0x8D018000 C:\Windows\system32\DRIVERS\7949077.sys 327680 bytes (Kaspersky Lab, Klif Mini-Filter [fre_wlh_x86])
0xB543A000 C:\Windows\System32\DRIVERS\srv2.sys 323584 bytes (Microsoft Corporation, Smb 2.0 Server driver)
0x96340000 C:\Windows\System32\ATMFD.DLL 315392 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0x934AF000 C:\Windows\system32\DRIVERS\USBPORT.SYS 307200 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0x87D45000 C:\Windows\System32\drivers\volmgrx.sys 307200 bytes (Microsoft Corporation, Volume Manager Extension Driver)
0x8BC03000 C:\Windows\System32\Drivers\SRTSP.SYS 303104 bytes (Symantec Corporation, Symantec AutoProtect)
0x87C83000 C:\Windows\system32\DRIVERS\ACPI.sys 294912 bytes (Microsoft Corporation, ACPI Driver for NT)
0x8D150000 C:\Windows\system32\DRIVERS\avgtdix.sys 290816 bytes (AVG Technologies CZ, s.r.o., AVG Network connection watcher)
0x97C0E000 C:\Windows\system32\DRIVERS\nwifi.sys 286720 bytes (Microsoft Corporation, NativeWiFi Miniport Driver)
0x911B9000 C:\Windows\system32\DRIVERS\usbhub.sys 278528 bytes (Microsoft Corporation, Default Hub Driver for USB)
0x87AA7000 C:\Windows\system32\CLFS.SYS 270336 bytes (Microsoft Corporation, Common Log File System Driver)
0x91164000 C:\Windows\system32\DRIVERS\rdbss.sys 266240 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0x883AA000 C:\Windows\system32\DRIVERS\volsnap.sys 258048 bytes
0x880EA000 C:\Windows\system32\drivers\NETIO.SYS 253952 bytes (Microsoft Corporation, Network I/O Subsystem)
0x92389000 C:\Windows\system32\DRIVERS\NWADIenum.sys 249856 bytes (Novatel Wireless Inc, NWADI Interface Bus Enumerator)
0x92319000 C:\Windows\system32\DRIVERS\avgldx86.sys 245760 bytes (AVG Technologies CZ, s.r.o., AVG AVI Loader Driver)
0x97D4A000 C:\Windows\system32\DRIVERS\mrxsmb10.sys 241664 bytes (Microsoft Corporation, Longhorn SMB Downlevel SubRdr)
0x9352E000 C:\Windows\system32\DRIVERS\SynTP.sys 241664 bytes (Synaptics Incorporated, Synaptics Touchpad Driver)
0x92B60000 C:\Windows\System32\drivers\dxgmms1.sys 233472 bytes (Microsoft Corporation, DirectX Graphics MMS)
0x81A0D000 ACPI_HAL 225280 bytes
0x81A0D000 C:\Windows\system32\halmacpi.dll 225280 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0x92BBE000 C:\Windows\system32\DRIVERS\teefer2.sys 221184 bytes (Symantec Corporation, Symantec CMC Firewall Teefer2)
0x87B94000 C:\Windows\system32\drivers\fltmgr.sys 212992 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0x92355000 C:\Windows\system32\DRIVERS\ks.sys 212992 bytes (Microsoft Corporation, Kernel CSA Library)
0x8817A000 C:\Windows\System32\DRIVERS\fvevol.sys 204800 bytes (Microsoft Corporation, BitLocker Drive Encryption Driver)
0x8D197000 C:\Windows\System32\DRIVERS\netbt.sys 204800 bytes (Microsoft Corporation, MBT Transport driver)
0x88370000 C:\Windows\System32\drivers\fwpkclnt.sys 200704 bytes (Microsoft Corporation, FWP/IPsec Kernel-Mode API)
0x93692000 C:\Windows\system32\DRIVERS\portcls.sys 192512 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0x8D114000 C:\Windows\System32\Drivers\SYMTDI.SYS 188416 bytes (Symantec Corporation, Network Dispatch Driver)
0x8814D000 C:\Windows\System32\drivers\rdyboost.sys 184320 bytes (Microsoft Corporation, ReadyBoost Driver)
0x87F4B000 C:\Windows\System32\Drivers\msrpc.sys 176128 bytes (Microsoft Corporation, Kernel Remote Procedure Call Provider)
0xB22D7000 C:\Windows\System32\Drivers\fastfat.SYS 172032 bytes (Microsoft Corporation, Fast FAT File System Driver)
0x87CDC000 C:\Windows\system32\DRIVERS\pci.sys 172032 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0x881BD000 C:\Windows\system32\DRIVERS\CLASSPNP.SYS 151552 bytes (Microsoft Corporation, SCSI Class System Dll)
0x88128000 C:\Windows\System32\Drivers\ksecpkg.sys 151552 bytes (Microsoft Corporation, Kernel Security Support Provider Interface Packages)
0x92B99000 C:\Windows\system32\DRIVERS\Rt86win7.sys 151552 bytes (Realtek Corporation , Realtek 8101E/8168/8169 NDIS 6.20 32-bit Driver )
0x8BD95000 C:\Windows\system32\Drivers\SYMEVENT.SYS 151552 bytes (Symantec Corporation, Symantec Event Library)
0x9372D000 C:\Windows\System32\Drivers\usbvideo.sys 147456 bytes (Microsoft Corporation, USB Video Class Driver)
0x87DAF000 C:\Windows\system32\DRIVERS\ataport.SYS 143360 bytes (Microsoft Corporation, ATAPI Driver Extension)
0x97D27000 C:\Windows\system32\DRIVERS\mrxsmb.sys 143360 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0x935C3000 C:\Windows\system32\DRIVERS\ndiswan.sys 139264 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xB2200000 C:\Windows\System32\DRIVERS\srvnet.sys 135168 bytes (Microsoft Corporation, Server Network driver)
0x92B29000 C:\Windows\system32\DRIVERS\tunnel.sys 135168 bytes (Microsoft Corporation, Microsoft Tunnel Interface Driver)
0x8D082000 C:\Windows\System32\drivers\VIDEOPRT.SYS 135168 bytes (Microsoft Corporation, Video Port Driver)
0xB5489000 C:\Windows\system32\DRIVERS\AVGIDSDriver.Sys 131072 bytes (AVG Technologies CZ, s.r.o. , IDS Application Activity Monitor Driver.)
0x931E1000 C:\Windows\system32\DRIVERS\HDAudBus.sys 126976 bytes (Microsoft Corporation, High Definition Audio Bus Driver)
0xB232E000 C:\Windows\system32\Drivers\NSHE.SYS 126976 bytes (T0r0 & Tecar Forum 2009, Emulator for HARDLOCK)
0x9108C000 C:\Windows\system32\DRIVERS\pacer.sys 126976 bytes (Microsoft Corporation, QoS Packet Scheduler)
0x96320000 C:\Windows\System32\cdd.dll 122880 bytes (Microsoft Corporation, Canonical Display Driver)
0x92266000 C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys 118784 bytes (Symantec Corporation, Symantec Eraser Utility Driver)
0x93799000 C:\Windows\system32\drivers\luafv.sys 110592 bytes (Microsoft Corporation, LUA File Virtualization Filter Driver)
0x97D85000 C:\Windows\system32\DRIVERS\mrxsmb20.sys 110592 bytes (Microsoft Corporation, Longhorn SMB 2.0 Redirector)
0x937B4000 C:\Windows\system32\drivers\WudfPf.sys 106496 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Platform Driver)
0x97CFC000 C:\Windows\system32\DRIVERS\bowser.sys 102400 bytes (Microsoft Corporation, NT Lan Manager Datagram Receiver Driver)
0x936C1000 C:\Windows\system32\DRIVERS\drmk.sys 102400 bytes (Microsoft Corporation, Microsoft Trusted Audio Drivers)
0x922F3000 C:\Windows\System32\Drivers\dfsc.sys 98304 bytes (Microsoft Corporation, DFS Namespace Client Driver)
0x93509000 C:\Windows\system32\DRIVERS\i8042prt.sys 98304 bytes (Microsoft Corporation, i8042 Port Driver)
0x935A0000 C:\Windows\system32\DRIVERS\rasl2tp.sys 98304 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0x935E5000 C:\Windows\system32\DRIVERS\raspppoe.sys 98304 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0x93200000 C:\Windows\system32\DRIVERS\raspptp.sys 94208 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0x93217000 C:\Windows\system32\DRIVERS\rassstp.sys 94208 bytes (Microsoft Corporation, RAS SSTP Miniport Call Manager)
0x8D0F2000 C:\Windows\system32\DRIVERS\tdx.sys 94208 bytes (Microsoft Corporation, TDI Translation Driver)
0x936DA000 C:\Windows\system32\DRIVERS\usbccgp.sys 94208 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0x87D90000 C:\Windows\System32\drivers\mountmgr.sys 90112 bytes (Microsoft Corporation, Mount Point Manager)
0x8BDBA000 C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20100711.002\NAVENG.SYS 81920 bytes (Symantec Corporation, AV Engine)
0x936FC000 C:\Windows\system32\DRIVERS\HIDCLASS.SYS 77824 bytes (Microsoft Corporation, Hid Class Library)
0x87F76000 C:\Windows\System32\Drivers\ksecdd.sys 77824 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0x97C64000 C:\Windows\system32\DRIVERS\rspndr.sys 77824 bytes (Microsoft Corporation, Link-Layer Topology Responder Driver for NDIS 6)
0x910CA000 C:\Windows\system32\DRIVERS\wanarp.sys 77824 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0x9358E000 C:\Windows\system32\DRIVERS\AgileVpn.sys 73728 bytes (Microsoft Corporation, RAS Agile Vpn Miniport Call Manager)
0x92B4A000 C:\Windows\system32\DRIVERS\intelppm.sys 73728 bytes (Microsoft Corporation, Processor Device Driver)
0x97D15000 C:\Windows\System32\drivers\mpsdrv.sys 73728 bytes (Microsoft Corporation, Microsoft Protection Service Driver)
0x8D0E1000 C:\Windows\system32\DRIVERS\avgfwd6x.sys 69632 bytes (AVG Technologies CZ, s.r.o., AVG Filter Driver)
0x881AC000 C:\Windows\system32\DRIVERS\disk.sys 69632 bytes (Microsoft Corporation, PnP Disk Driver)
0x93773000 C:\Windows\System32\Drivers\dump_dumpfve.sys 69632 bytes
0x87BC8000 C:\Windows\system32\drivers\fileinfo.sys 69632 bytes (Microsoft Corporation, FileInfo Filter Driver)
0x923C6000 C:\Windows\System32\Drivers\NDProxy.SYS 69632 bytes (Microsoft Corporation, NDIS Proxy)
0x87D11000 C:\Windows\System32\drivers\partmgr.sys 69632 bytes (Microsoft Corporation, Partition Management Driver)
0x87A8E000 C:\Windows\system32\PSHED.dll 69632 bytes (Microsoft Corporation, Platform Specific Hardware Error Driver)
0x910AB000 C:\Windows\system32\DRIVERS\vwififlt.sys 69632 bytes (Microsoft Corporation, Virtual WiFi Filter Driver)
0x937CE000 C:\Windows\system32\DRIVERS\lltdio.sys 65536 bytes (Microsoft Corporation, Link-Layer Topology Mapper I/O Driver)
0x88200000 C:\Windows\System32\Drivers\mup.sys 65536 bytes (Microsoft Corporation, Multiple UNC Provider Driver)
0x97C54000 C:\Windows\system32\DRIVERS\ndisuio.sys 65536 bytes (Microsoft Corporation, NDIS User mode I/O driver)
0x910DD000 C:\Windows\system32\DRIVERS\termdd.sys 65536 bytes (Microsoft Corporation, Remote Desktop Server Driver)
0x87D35000 C:\Windows\system32\DRIVERS\volmgr.sys 65536 bytes (Microsoft Corporation, Volume Manager Driver)
0x934FA000 C:\Windows\system32\DRIVERS\usbehci.sys 61440 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0x9230B000 C:\Windows\system32\DRIVERS\blbdrive.sys 57344 bytes (Microsoft Corporation, BLB Drive Driver)
0x910BC000 C:\Windows\system32\DRIVERS\netbios.sys 57344 bytes (Microsoft Corporation, NetBIOS interface driver)
0x8D0D3000 C:\Windows\System32\Drivers\Npfs.SYS 57344 bytes (Microsoft Corporation, NPFS Driver)
0x87DDC000 C:\Windows\system32\DRIVERS\PCIIDEX.SYS 57344 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0x87FE6000 C:\Windows\System32\drivers\pcw.sys 57344 bytes (Microsoft Corporation, Performance Counters for Windows Driver)
0x92C0A000 C:\Windows\system32\DRIVERS\umbus.sys 57344 bytes (Microsoft Corporation, User-Mode Bus Enumerator)
0x87C75000 C:\Windows\system32\drivers\WDFLDR.SYS 57344 bytes (Microsoft Corporation, Kernel Mode Driver Framework Loader)
0x8D142000 C:\Windows\system32\drivers\wpsdrvnt.sys 57344 bytes (Symantec Corporation, Symantec CMC Firewall WPS)
0x883F1000 C:\Windows\system32\DRIVERS\79490772.sys 53248 bytes (Kaspersky Lab, Kaspersky Lab Boot Guard Driver)
0x93581000 C:\Windows\system32\DRIVERS\CompositeBus.sys 53248 bytes (Microsoft Corporation, Multi-Transport Composite Bus Enumerator)
0x93751000 C:\Windows\System32\Drivers\crashdmp.sys 53248 bytes (Microsoft Corporation, Crash Dump Driver)
0x93521000 C:\Windows\system32\DRIVERS\kbdclass.sys 53248 bytes (Microsoft Corporation, Keyboard Class Driver)
0x9356B000 C:\Windows\system32\DRIVERS\mouclass.sys 53248 bytes (Microsoft Corporation, Mouse Class Driver)
0x91157000 C:\Windows\System32\Drivers\SCDEmu.SYS 53248 bytes (PowerISO Computing, Inc., PowerISO Virtual Drive)
0xB2221000 C:\Windows\System32\drivers\tcpipreg.sys 53248 bytes (Microsoft Corporation, TCP/IP Registry Compatibility Driver)
0x8D0A3000 C:\Windows\System32\drivers\watchdog.sys 53248 bytes (Microsoft Corporation, Watchdog Driver)
0x8801B000 C:\Windows\system32\DRIVERS\avgmfx86.sys 49152 bytes (AVG Technologies CZ, s.r.o., AVG Resident Shield Minifilter Driver)
0x92283000 C:\Windows\System32\drivers\discache.sys 49152 bytes (Microsoft Corporation, System Indexer/Cache Driver)
0x93716000 C:\Windows\system32\DRIVERS\kbdhid.sys 49152 bytes (Microsoft Corporation, HID Keyboard Filter Driver)
0x8D076000 C:\Windows\System32\drivers\vga.sys 49152 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0x87D2A000 C:\Windows\system32\DRIVERS\BATTC.SYS 45056 bytes (Microsoft Corporation, Battery Class Driver)
0x9375E000 C:\Windows\System32\Drivers\dump_dumpata.sys 45056 bytes
0x936F1000 C:\Windows\system32\DRIVERS\hidusb.sys 45056 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0x9378E000 C:\Windows\system32\DRIVERS\monitor.sys 45056 bytes (Microsoft Corporation, Monitor Driver)
0x93722000 C:\Windows\system32\DRIVERS\mouhid.sys 45056 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0x8D0C8000 C:\Windows\System32\Drivers\Msfs.SYS 45056 bytes (Microsoft Corporation, Mailslot driver)
0x935B8000 C:\Windows\system32\DRIVERS\ndistapi.sys 45056 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0x8D109000 C:\Windows\system32\DRIVERS\TDI.SYS 45056 bytes (Microsoft Corporation, TDI Wrapper)
0x934A4000 C:\Windows\system32\DRIVERS\usbuhci.sys 45056 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0x87D06000 C:\Windows\system32\DRIVERS\vdrvroot.sys 45056 bytes (Microsoft Corporation, Virtual Drive Root Enumerator)
0x93769000 C:\Windows\System32\Drivers\dump_msahci.sys 40960 bytes
0x93784000 C:\Windows\System32\drivers\Dxapi.sys 40960 bytes (Microsoft Corporation, DirectX API Driver)
0x87DD2000 C:\Windows\system32\DRIVERS\msahci.sys 40960 bytes (Microsoft Corporation, MS AHCI 1.0 Standard Driver)
0x911AF000 C:\Windows\system32\DRIVERS\mssmbios.sys 40960 bytes (Microsoft Corporation, System Management BIOS Driver)
0x911A5000 C:\Windows\system32\drivers\nsiproxy.sys 40960 bytes (Microsoft Corporation, NSI Proxy)
0x92C00000 C:\Windows\system32\DRIVERS\rdpbus.sys 40960 bytes (Microsoft Corporation, Microsoft RDP Bus Device driver)
0xB23E4000 C:\Windows\System32\Drivers\secdrv.SYS 40960 bytes (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K., Macrovision SECURITY Driver)
0x8BDCE000 C:\Windows\System32\Drivers\SRTSPX.SYS 40960 bytes (Symantec Corporation, Symantec AutoProtect)
0xB5520000 C:\Windows\system32\DRIVERS\vwifibus.sys 40960 bytes (Microsoft Corporation, Virtual WiFi Bus Driver)
0x87DEA000 C:\Windows\system32\DRIVERS\amdxata.sys 36864 bytes (Advanced Micro Devices, Storage Filter Driver)
0x87DA6000 C:\Windows\system32\DRIVERS\atapi.sys 36864 bytes (Microsoft Corporation, ATAPI IDE Miniport Driver)
0xB5533000 C:\Windows\System32\Drivers\BlackBox.SYS 36864 bytes (RKU Driver)
0x87FF4000 C:\Windows\System32\Drivers\Fs_Rec.sys 36864 bytes (Microsoft Corporation, File System Recognizer Driver)
0x962F0000 C:\Windows\System32\TSDDD.dll 36864 bytes (Microsoft Corporation, Framebuffer Display Driver)
0x883A1000 C:\Windows\system32\DRIVERS\vmstorfl.sys 36864 bytes (Microsoft Corporation, Virtual Storage Filter Driver)
0x93578000 C:\Windows\system32\DRIVERS\wmiacpi.sys 36864 bytes (Microsoft Corporation, Windows Management Interface for ACPI)
0x87CCB000 C:\Windows\system32\DRIVERS\WMILIB.SYS 36864 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0x87A9F000 C:\Windows\system32\BOOTVID.dll 32768 bytes (Microsoft Corporation, VGA Boot Driver)
0x87D22000 C:\Windows\system32\DRIVERS\compbatt.sys 32768 bytes (Microsoft Corporation, Composite Battery Driver)
0x88210000 C:\Windows\System32\drivers\hwpolicy.sys 32768 bytes (Microsoft Corporation, Hardware Policy Driver)
0x818E2000 C:\Windows\system32\kdcom.dll 32768 bytes (Microsoft Corporation, Serial Kernel Debugger)
0x87CD4000 C:\Windows\system32\DRIVERS\msisadrv.sys 32768 bytes (Microsoft Corporation, ISA Driver)
0x8D0B0000 C:\Windows\System32\DRIVERS\RDPCDD.sys 32768 bytes (Microsoft Corporation, RDP Miniport)
0x8D0B8000 C:\Windows\system32\drivers\rdpencdd.sys 32768 bytes (Microsoft Corporation, RDP Encoder Miniport)
0x8D0C0000 C:\Windows\system32\drivers\rdprefmp.sys 32768 bytes (Microsoft Corporation, RDP Reflector Driver Miniport)
0x883E9000 C:\Windows\System32\Drivers\spldr.sys 32768 bytes (Microsoft Corporation, loader for security processor)
0x88218000 C:\Windows\system32\DRIVERS\avgrkx86.sys 28672 bytes (AVG Technologies CZ, s.r.o., AVG Anti-Rootkit Driver)
0x8D06F000 C:\Windows\System32\Drivers\Beep.SYS 28672 bytes (Microsoft Corporation, BEEP Driver)
0x9370F000 C:\Windows\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0x8D068000 C:\Windows\System32\Drivers\Null.SYS 28672 bytes (Microsoft Corporation, NULL Driver)
0x91085000 C:\Windows\system32\DRIVERS\wfplwf.sys 28672 bytes (Microsoft Corporation, WFP NDIS 6.20 Lightweight Filter Driver)
0xB2328000 C:\Windows\System32\Drivers\SYMREDRV.SYS 24576 bytes (Symantec Corporation, Redirector Filter Driver)
0xB23EE000 C:\Windows\system32\DRIVERS\AVGIDSFilter.Sys 20480 bytes (AVG Technologies CZ, s.r.o. , IDS Application Activity Monitor Filter Driver.)
0x8821F000 C:\Windows\system32\DRIVERS\AVGIDSEH.Sys 16384 bytes (AVG Technologies CZ, s.r.o. , IDS Application Activity Monitor Helper Driver.)
0x97DB8000 C:\Windows\system32\DRIVERS\AVGIDSShim.Sys 16384 bytes (AVG Technologies CZ, s.r.o. , IDS Application Activity Monitor Loader Driver.)
0x92B5C000 C:\Windows\system32\DRIVERS\CmBatt.sys 16384 bytes (Microsoft Corporation, Control Method Battery Driver)
0x9322E000 C:\Windows\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0x93569000 C:\Windows\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0x8493F1ED unknown_irp_handler 3603 bytes
==============================================
>Stealth
==============================================
0x84940A91 Unknown page with executable code, 1391 bytes
0x84943E7A Unknown thread object [ ETHREAD 0x84B585B8 ] TID: 252, 600 bytes
0x84946008 Unknown thread object [ ETHREAD 0x84B82020 ] TID: 256, 600 bytes
0x84945CDC Unknown page with executable code, 804 bytes
==============================================
>Files
==============================================
==============================================
>Hooks
==============================================
ntkrnlpa.exe+0x0006F74C, Type: Inline - RelativeJump 0x81AB374C-->81AB375F [ntkrnlpa.exe]
ntkrnlpa.exe+0x0006FCB8, Type: Inline - RelativeCall 0x81AB3CB8-->E43024B4 [unknown_code_page]
[3316]Ymsgr_tray.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77B611B8-->614AA7A3 [yui.dll]
[3316]Ymsgr_tray.exe-->gdi32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x77B61144-->614AADA9 [yui.dll]
[3316]Ymsgr_tray.exe-->gdi32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x77B61138-->614AAE77 [yui.dll]
[3316]Ymsgr_tray.exe-->gdi32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x77B611A0-->614AADE9 [yui.dll]
[3316]Ymsgr_tray.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x0040C0E4-->614AA7A3 [yui.dll]
[3316]Ymsgr_tray.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x0040C0E0-->614AADA9 [yui.dll]
[3316]Ymsgr_tray.exe-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x0040C0B0-->614AAE77 [yui.dll]
[3316]Ymsgr_tray.exe-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x0040C0B8-->614AADE9 [yui.dll]
[3316]Ymsgr_tray.exe-->shell32.dll-->gdi32.dll-->GetStockObject, Type: IAT modification 0x73802168-->614A9CEC [yui.dll]
[3316]Ymsgr_tray.exe-->shell32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x738021BC-->614AADA9 [yui.dll]
[3316]Ymsgr_tray.exe-->shell32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x73802248-->614AADE9 [yui.dll]
[3316]Ymsgr_tray.exe-->shell32.dll-->user32.dll-->AnimateWindow, Type: IAT modification 0x73801F38-->614A9D87 [yui.dll]
[3316]Ymsgr_tray.exe-->shell32.dll-->user32.dll-->DefWindowProcW, Type: IAT modification 0x73802014-->614AA3BA [yui.dll]
[3316]Ymsgr_tray.exe-->shell32.dll-->user32.dll-->GetSysColor, Type: IAT modification 0x73801F90-->614A9C27 [yui.dll]
[3316]Ymsgr_tray.exe-->shell32.dll-->user32.dll-->GetSysColorBrush, Type: IAT modification 0x73801BD8-->614A9CF2 [yui.dll]
[3316]Ymsgr_tray.exe-->shell32.dll-->user32.dll-->TrackPopupMenu, Type: IAT modification 0x73801C58-->614A9B56 [yui.dll]
[3316]Ymsgr_tray.exe-->shell32.dll-->user32.dll-->TrackPopupMenuEx, Type: IAT modification 0x73801E14-->614A9B94 [yui.dll]
[3316]Ymsgr_tray.exe-->user32.dll-->DefWindowProcW, Type: IAT modification 0x0040C268-->614AA3BA [yui.dll]
[3316]Ymsgr_tray.exe-->user32.dll-->gdi32.dll-->GetStockObject, Type: IAT modification 0x77D11288-->614A9CEC [yui.dll]
[3316]Ymsgr_tray.exe-->user32.dll-->GetSysColor, Type: IAT modification 0x0040C2A4-->614A9C27 [yui.dll]
[3316]Ymsgr_tray.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77D114E0-->614AA7A3 [yui.dll]
[3316]Ymsgr_tray.exe-->user32.dll-->kernel32.dll-->LoadLibraryExA, Type: IAT modification 0x77D11490-->614AAE29 [yui.dll]
[3316]Ymsgr_tray.exe-->user32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x77D11398-->614AAE77 [yui.dll]
[3316]Ymsgr_tray.exe-->user32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x77D114E4-->614AADE9 [yui.dll]
[3316]Ymsgr_tray.exe-->user32.dll-->TrackPopupMenu, Type: IAT modification 0x0040C29C-->614A9B56 [yui.dll]
[4088]YahooAUService.exe-->advapi32.dll-->CreateServiceW, Type: IAT modification 0x00467054-->68B91C53 [AcGenral.dll]
[4088]YahooAUService.exe-->advapi32.dll-->kernel32.dll-->CopyFileW, Type: IAT modification 0x77C6178C-->68BA13A6 [AcGenral.dll]
[4088]YahooAUService.exe-->advapi32.dll-->kernel32.dll-->CreateFileW, Type: IAT modification 0x77C617F0-->68BA2E71 [AcGenral.dll]
[4088]YahooAUService.exe-->advapi32.dll-->kernel32.dll-->DeleteFileW, Type: IAT modification 0x77C61848-->68BA1515 [AcGenral.dll]
[4088]YahooAUService.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77C617B8-->748A5E25 [apphelp.dll]
[4088]YahooAUService.exe-->advapi32.dll-->kernel32.dll-->MoveFileW, Type: IAT modification 0x77C61844-->68BA15DF [AcGenral.dll]
[4088]YahooAUService.exe-->advapi32.dll-->RegCreateKeyExW, Type: IAT modification 0x00467088-->68BA2101 [AcGenral.dll]
[4088]YahooAUService.exe-->advapi32.dll-->RegDeleteValueW, Type: IAT modification 0x00467090-->68BA27D1 [AcGenral.dll]
[4088]YahooAUService.exe-->advapi32.dll-->RegOpenKeyExA, Type: IAT modification 0x00467004-->68BA2211 [AcGenral.dll]
[4088]YahooAUService.exe-->advapi32.dll-->RegOpenKeyExW, Type: IAT modification 0x00467084-->68BA22E5 [AcGenral.dll]
[4088]YahooAUService.exe-->advapi32.dll-->RegSetValueExW, Type: IAT modification 0x0046707C-->68BA267F [AcGenral.dll]
[4088]YahooAUService.exe-->crypt32.dll-->kernel32.dll-->CreateFileA, Type: IAT modification 0x719B1400-->68BA2D58 [AcGenral.dll]
[4088]YahooAUService.exe-->crypt32.dll-->kernel32.dll-->CreateFileW, Type: IAT modification 0x719B14D4-->68BA2E71 [AcGenral.dll]
[4088]YahooAUService.exe-->crypt32.dll-->kernel32.dll-->DeleteFileW, Type: IAT modification 0x719B1474-->68BA1515 [AcGenral.dll]
[4088]YahooAUService.exe-->crypt32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x719B14EC-->748A5E25 [apphelp.dll]
[4088]YahooAUService.exe-->crypt32.dll-->kernel32.dll-->SetFileAttributesW, Type: IAT modification 0x719B1470-->68BA1A56 [AcGenral.dll]
[4088]YahooAUService.exe-->gdi32.dll-->kernel32.dll-->CopyFileW, Type: IAT modification 0x77B61154-->68BA13A6 [AcGenral.dll]
[4088]YahooAUService.exe-->gdi32.dll-->kernel32.dll-->CreateFileW, Type: IAT modification 0x77B611E0-->68BA2E71 [AcGenral.dll]
[4088]YahooAUService.exe-->gdi32.dll-->kernel32.dll-->DeleteFileW, Type: IAT modification 0x77B6118C-->68BA1515 [AcGenral.dll]
[4088]YahooAUService.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77B611B8-->748A5E25 [apphelp.dll]
[4088]YahooAUService.exe-->kernel32.dll-->CreateFileA, Type: IAT modification 0x00467138-->68BA2D58 [AcGenral.dll]
[4088]YahooAUService.exe-->kernel32.dll-->CreateFileW, Type: IAT modification 0x004670C8-->68BA2E71 [AcGenral.dll]
[4088]YahooAUService.exe-->kernel32.dll-->CreateProcessW, Type: IAT modification 0x004670D8-->68B999F4 [AcGenral.dll]
[4088]YahooAUService.exe-->kernel32.dll-->DeleteFileA, Type: IAT modification 0x00467250-->68BA14C0 [AcGenral.dll]
[4088]YahooAUService.exe-->kernel32.dll-->DeleteFileW, Type: IAT modification 0x004670AC-->68BA1515 [AcGenral.dll]
[4088]YahooAUService.exe-->kernel32.dll-->GetFileAttributesW, Type: IAT modification 0x00467108-->68B995E4 [AcGenral.dll]
[4088]YahooAUService.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x004670F0-->748A5E25 [apphelp.dll]
[4088]YahooAUService.exe-->kernel32.dll-->MoveFileA, Type: IAT modification 0x00467254-->68BA156A [AcGenral.dll]
[4088]YahooAUService.exe-->shell32.dll-->kernel32.dll-->CopyFileW, Type: IAT modification 0x738022C4-->68BA13A6 [AcGenral.dll]
[4088]YahooAUService.exe-->shell32.dll-->kernel32.dll-->MoveFileExW, Type: IAT modification 0x73802240-->68BA16C4 [AcGenral.dll]
[4088]YahooAUService.exe-->shell32.dll-->kernel32.dll-->MoveFileW, Type: IAT modification 0x73802298-->68BA15DF [AcGenral.dll]
[4088]YahooAUService.exe-->user32.dll-->kernel32.dll-->CreateFileW, Type: IAT modification 0x77D11524-->68BA2E71 [AcGenral.dll]
[4088]YahooAUService.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77D114E0-->748A5E25 [apphelp.dll]
[4088]YahooAUService.exe-->user32.dll-->kernel32.dll-->RegCreateKeyExW, Type: IAT modification 0x77D114B4-->68BA2101 [AcGenral.dll]
[4088]YahooAUService.exe-->user32.dll-->kernel32.dll-->RegOpenKeyExW, Type: IAT modification 0x77D11444-->68BA22E5 [AcGenral.dll]
[4088]YahooAUService.exe-->user32.dll-->kernel32.dll-->RegSetValueExW, Type: IAT modification 0x77D114AC-->68BA267F [AcGenral.dll]
[4088]YahooAUService.exe-->wininet.dll-->advapi32.dll-->RegCreateKeyExA, Type: IAT modification 0x63001278-->68BA1FF3 [AcGenral.dll]
[4088]YahooAUService.exe-->wininet.dll-->advapi32.dll-->RegCreateKeyExW, Type: IAT modification 0x630011D4-->68BA2101 [AcGenral.dll]
[4088]YahooAUService.exe-->wininet.dll-->advapi32.dll-->RegDeleteValueA, Type: IAT modification 0x6300126C-->68BA272F [AcGenral.dll]
[4088]YahooAUService.exe-->wininet.dll-->advapi32.dll-->RegDeleteValueW, Type: IAT modification 0x630011B8-->68BA27D1 [AcGenral.dll]
[4088]YahooAUService.exe-->wininet.dll-->advapi32.dll-->RegOpenKeyExA, Type: IAT modification 0x63001298-->68BA2211 [AcGenral.dll]
[4088]YahooAUService.exe-->wininet.dll-->advapi32.dll-->RegOpenKeyExW, Type: IAT modification 0x63001274-->68BA22E5 [AcGenral.dll]
[4088]YahooAUService.exe-->wininet.dll-->advapi32.dll-->RegSetValueExA, Type: IAT modification 0x6300127C-->68BA25CB [AcGenral.dll]
[4088]YahooAUService.exe-->wininet.dll-->advapi32.dll-->RegSetValueExW, Type: IAT modification 0x630011DC-->68BA267F [AcGenral.dll]
[4088]YahooAUService.exe-->wininet.dll-->kernel32.dll-->CopyFileA, Type: IAT modification 0x63001328-->68BA134E [AcGenral.dll]
[4088]YahooAUService.exe-->wininet.dll-->kernel32.dll-->CreateFileA, Type: IAT modification 0x63001460-->68BA2D58 [AcGenral.dll]
[4088]YahooAUService.exe-->wininet.dll-->kernel32.dll-->CreateFileW, Type: IAT modification 0x63001464-->68BA2E71 [AcGenral.dll]
[4088]YahooAUService.exe-->wininet.dll-->kernel32.dll-->DeleteFileA, Type: IAT modification 0x6300148C-->68BA14C0 [AcGenral.dll]
[4088]YahooAUService.exe-->wininet.dll-->kernel32.dll-->DeleteFileW, Type: IAT modification 0x6300150C-->68BA1515 [AcGenral.dll]
[4088]YahooAUService.exe-->wininet.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x630013FC-->748A5E25 [apphelp.dll]
[4088]YahooAUService.exe-->wininet.dll-->kernel32.dll-->MoveFileA, Type: IAT modification 0x63001300-->68BA156A [AcGenral.dll]
[4088]YahooAUService.exe-->wininet.dll-->kernel32.dll-->MoveFileExA, Type: IAT modification 0x630012F4-->68BA1654 [AcGenral.dll]
[4088]YahooAUService.exe-->wininet.dll-->kernel32.dll-->MoveFileExW, Type: IAT modification 0x630012F8-->68BA16C4 [AcGenral.dll]
[4088]YahooAUService.exe-->wininet.dll-->kernel32.dll-->MoveFileW, Type: IAT modification 0x630012FC-->68BA15DF [AcGenral.dll]
[4088]YahooAUService.exe-->wininet.dll-->kernel32.dll-->SetFileAttributesA, Type: IAT modification 0x63001318-->68BA19FE [AcGenral.dll]
[4088]YahooAUService.exe-->wininet.dll-->kernel32.dll-->SetFileAttributesW, Type: IAT modification 0x63001398-->68BA1A56 [AcGenral.dll]
[4232]iexplore.exe-->kernel32.dll-->CreateThread, Type: Inline - RelativeJump 0x75D3281D-->6D6A7133 [ieframe.dll]
[4232]iexplore.exe-->user32.dll-->CallNextHookEx, Type: Inline - RelativeJump 0x7653CC8F-->6D707AEF [ieframe.dll]
[4232]iexplore.exe-->user32.dll-->CreateWindowExA, Type: Inline - RelativeJump 0x7653E18A-->6D6B3173 [ieframe.dll]
[4232]iexplore.exe-->user32.dll-->CreateWindowExW, Type: Inline - RelativeJump 0x76540E51-->6D70FF57 [ieframe.dll]
[4232]iexplore.exe-->user32.dll-->DefWindowProcA, Type: Inline - RelativeJump 0x7653E0E4-->6D6A9345 [ieframe.dll]
[4232]iexplore.exe-->user32.dll-->DefWindowProcA, Type: Inline - SEH 0x7653E0E9 [unknown_code_page]
[4232]iexplore.exe-->user32.dll-->DefWindowProcA, Type: Inline - SEH 0x7653E0EA [unknown_code_page]
[4232]iexplore.exe-->user32.dll-->DefWindowProcW, Type: Inline - RelativeJump 0x7654724B-->6D707B52 [ieframe.dll]
[4232]iexplore.exe-->user32.dll-->DefWindowProcW, Type: Inline - SEH 0x76547250 [unknown_code_page]
[4232]iexplore.exe-->user32.dll-->DefWindowProcW, Type: Inline - SEH 0x76547251 [unknown_code_page]
[4232]iexplore.exe-->user32.dll-->DialogBoxIndirectParamA, Type: Inline - RelativeJump 0x7657D29C-->6D835974 [ieframe.dll]
[4232]iexplore.exe-->user32.dll-->DialogBoxIndirectParamW, Type: Inline - RelativeJump 0x76564AA7-->6D83590F [ieframe.dll]
[4232]iexplore.exe-->user32.dll-->DialogBoxParamA, Type: Inline - RelativeJump 0x7657CF6A-->6D8358AA [ieframe.dll]
[4232]iexplore.exe-->user32.dll-->DialogBoxParamW, Type: Inline - RelativeJump 0x7656564A-->6D6415BB [ieframe.dll]
[4232]iexplore.exe-->user32.dll-->EnableWindow, Type: Inline - RelativeJump 0x7653A72E-->6D6E9884 [ieframe.dll]
[4232]iexplore.exe-->user32.dll-->MessageBoxExA, Type: Inline - RelativeJump 0x7658EA29-->6D835754 [ieframe.dll]
[4232]iexplore.exe-->user32.dll-->MessageBoxExW, Type: Inline - RelativeJump 0x7658EA4D-->6D8356F0 [ieframe.dll]
[4232]iexplore.exe-->user32.dll-->MessageBoxIndirectA, Type: Inline - RelativeJump 0x7658E8C9-->6D835831 [ieframe.dll]
[4232]iexplore.exe-->user32.dll-->MessageBoxIndirectW, Type: Inline - RelativeJump 0x7658E9C3-->6D8357B8 [ieframe.dll]
[4232]iexplore.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x7654210A-->6D6E1FE4 [ieframe.dll]
[4232]iexplore.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x7653CC7B-->6D72EB70 [ieframe.dll]
[4232]iexplore.exe-->wininet.dll-->HttpAddRequestHeadersA, Type: Inline - RelativeJump 0x76021B9C-->002C6B70 [unknown_code_page]
[4232]iexplore.exe-->wininet.dll-->HttpAddRequestHeadersW, Type: Inline - RelativeJump 0x7606F7A8-->002C6D70 [unknown_code_page]
[4232]iexplore.exe-->ws2_32.dll-->closesocket, Type: Inline - RelativeJump 0x75FD3BED-->0103000A [unknown_code_page]
[4232]iexplore.exe-->ws2_32.dll-->connect, Type: Inline - RelativeJump 0x75FD48BE-->0102000A [unknown_code_page]
[4232]iexplore.exe-->ws2_32.dll-->getaddrinfo, Type: Inline - RelativeJump 0x75FD6737-->01F0000A [unknown_code_page]
[4232]iexplore.exe-->ws2_32.dll-->gethostbyname, Type: Inline - RelativeJump 0x75FE7133-->01EF000A [unknown_code_page]
[4232]iexplore.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump 0x75FD47DF-->005B000A [unknown_code_page]
[4232]iexplore.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x75FDC4C8-->0104000A [unknown_code_page]
[5108]iexplore.exe-->user32.dll-->DialogBoxIndirectParamA, Type: Inline - RelativeJump 0x7657D29C-->6D835974 [ieframe.dll]
[5108]iexplore.exe-->user32.dll-->DialogBoxIndirectParamW, Type: Inline - RelativeJump 0x76564AA7-->6D83590F [ieframe.dll]
[5108]iexplore.exe-->user32.dll-->DialogBoxParamA, Type: Inline - RelativeJump 0x7657CF6A-->6D8358AA [ieframe.dll]
[5108]iexplore.exe-->user32.dll-->DialogBoxParamW, Type: Inline - RelativeJump 0x7656564A-->6D6415BB [ieframe.dll]
[5108]iexplore.exe-->user32.dll-->EnableWindow, Type: Inline - RelativeJump 0x7653A72E-->6D6E9884 [ieframe.dll]
[5108]iexplore.exe-->user32.dll-->MessageBoxExA, Type: Inline - RelativeJump 0x7658EA29-->6D835754 [ieframe.dll]
[5108]iexplore.exe-->user32.dll-->MessageBoxExW, Type: Inline - RelativeJump 0x7658EA4D-->6D8356F0 [ieframe.dll]
[5108]iexplore.exe-->user32.dll-->MessageBoxIndirectA, Type: Inline - RelativeJump 0x7658E8C9-->6D835831 [ieframe.dll]
[5108]iexplore.exe-->user32.dll-->MessageBoxIndirectW, Type: Inline - RelativeJump 0x7658E9C3-->6D8357B8 [ieframe.dll]
[5108]iexplore.exe-->wininet.dll-->HttpAddRequestHeadersA, Type: Inline - RelativeJump 0x76021B9C-->00376B70 [unknown_code_page]
[5108]iexplore.exe-->wininet.dll-->HttpAddRequestHeadersW, Type: Inline - RelativeJump 0x7606F7A8-->00376D70 [unknown_code_page]
[5108]iexplore.exe-->ws2_32.dll-->closesocket, Type: Inline - RelativeJump 0x75FD3BED-->00D9000A [unknown_code_page]
[5108]iexplore.exe-->ws2_32.dll-->connect, Type: Inline - RelativeJump 0x75FD48BE-->005B000A [unknown_code_page]
[5108]iexplore.exe-->ws2_32.dll-->getaddrinfo, Type: Inline - RelativeJump 0x75FD6737-->00DC000A [unknown_code_page]
[5108]iexplore.exe-->ws2_32.dll-->gethostbyname, Type: Inline - RelativeJump 0x75FE7133-->00DB000A [unknown_code_page]
[5108]iexplore.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump 0x75FD47DF-->005A000A [unknown_code_page]
[5108]iexplore.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x75FDC4C8-->00DA000A [unknown_code_page]

Edited by gsf1969, 02 June 2011 - 10:08 AM.


#4 RPMcMurphy

    Bleeping *^#@%~

  • Malware Response Team
  • 3,970 posts

Posted 03 June 2011 - 08:01 AM

gsf1969:

Download aswMBR.exe ( 511KB ) to your desktop.
  • Double click the aswMBR.exe to run it
  • Click the "Scan" button to start scan
  • On completion of the scan click save log, save it to your desktop and post in your next reply.
Please include the following in your next post:
  • aswMBR log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.


#5 gsf1969 (Topic Starter)

  • Members
  • 9 posts

Posted 03 June 2011 - 10:32 AM

aswMBR version 0.9.5.256 Copyright© 2011 AVAST Software
Run date: 2011-06-03 08:24:44
-----------------------------
08:24:44.219 OS Version: Windows 6.1.7600
08:24:44.235 Number of processors: 2 586 0x1C0A
08:24:44.235 ComputerName: GREG-PC UserName: Greg
08:25:04.562 Initialize success
08:28:46.078 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
08:28:46.078 Disk 0 Vendor: Hitachi_HTS545016B9A300 PBBOCA0G Size: 152627MB BusType: 11
08:28:48.121 Disk 0 MBR read successfully
08:28:48.121 Disk 0 MBR scan
08:28:48.137 Disk 0 Windows 7 default MBR code
08:28:50.165 Disk 0 scanning sectors +312576000
08:28:50.196 Disk 0 scanning C:\Windows\system32\drivers
08:28:58.168 Service scanning
08:29:00.461 Disk 0 trace - called modules:
08:29:00.492 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll ataport.SYS PCIIDEX.SYS msahci.sys
08:29:00.508 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8461c238]
08:29:00.523 3 CLASSPNP.SYS[87f9159e] -> nt!IofCallDriver -> [0x8450a918]
08:29:00.539 5 ACPI.sys[87a4d3b2] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x84501030]
08:29:00.555 Scan finished successfully
08:29:18.713 Disk 0 MBR has been saved successfully to "C:\Users\Greg\Desktop\MBR.dat"
08:29:18.729 The log file has been saved successfully to "C:\Users\Greg\Desktop\aswMBR.txt"

#6 RPMcMurphy

    Bleeping *^#@%~

  • Malware Response Team
  • 3,970 posts

Posted 03 June 2011 - 07:47 PM

gsf1969:

Download Combofix from either of the links below, and save it to your desktop.

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------
IMPORTANT - ComboFix will not run until AVG is uninstalled. This is because AVG falsely detects ComboFix (or its embedded files) as a threat and may remove them, resulting in the tool not working correctly, which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends that you uninstall AVG first. You may do this through Control Panel > Programs > Uninstall a program, or you can use this tool for a more complete removal:

Download AppRemover from here, saving it to your desktop.
  • Double click to run AppRemover
  • Follow the prompts to remove AVG
  • Reboot
Once you've removed AVG with this tool, please continue with these instructions.
--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.
  • If you have trouble, stop and post back. Do not try to repeatedly run ComboFix!
  • When finished, it will produce a report for you.

Please include the following in your next post:
  • ComboFix log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may [donate button]


#7 gsf1969

gsf1969
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:02:39 PM

Posted 03 June 2011 - 09:25 PM

ComboFix 11-06-04.02 - Greg 06/03/2011 18:11:00.1.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2011.1110 [GMT -7:00]
Running from: c:\users\Greg\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2011-05-04 to 2011-06-04 )))))))))))))))))))))))))))))))
.
.
2011-06-04 01:32 . 2011-06-04 01:32 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2011-06-04 01:32 . 2011-06-04 01:32 -------- d-----w- c:\users\TEMP\AppData\Local\temp
2011-06-04 01:32 . 2011-06-04 01:32 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-06-03 08:59 . 2009-07-14 01:19 245328 ----a-w- c:\windows\system32\drivers\volsnap.sys
2011-06-03 01:45 . 2011-06-03 01:45 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-01 00:43 . 2011-06-01 14:24 -------- d-----w- c:\programdata\Kaspersky Lab
2011-06-01 00:39 . 2009-10-22 20:54 37392 ----a-w- c:\windows\system32\drivers\79490772.sys
2011-06-01 00:39 . 2009-10-10 06:31 311312 ----a-w- c:\windows\system32\drivers\7949077.sys
2011-06-01 00:39 . 2009-09-26 00:59 128016 ----a-w- c:\windows\system32\drivers\79490771.sys
2011-05-31 23:13 . 2011-05-31 23:13 -------- d-----w- C:\!KillBox
2011-05-31 23:10 . 2011-05-31 23:10 -------- d-----w- c:\program files\CCleaner
2011-05-30 16:52 . 2011-05-30 16:52 12872 ----a-w- c:\windows\system32\bootdelete.exe
2011-05-30 15:41 . 2011-06-03 15:26 17480 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-05-30 15:40 . 2011-05-30 15:40 -------- d-----w- c:\program files\Hitman Pro 3.5
2011-05-30 15:39 . 2011-05-30 16:52 -------- d-----w- c:\programdata\Hitman Pro
2011-05-30 04:13 . 2011-05-30 04:13 469256 ----a-w- c:\program files\Common Files\Windows Live\.cache\f46a42cd1cc1e7f2a\InstallManager_WLE_WLE.exe
2011-05-30 04:11 . 2011-05-30 04:11 15712 ----a-w- c:\program files\Common Files\Windows Live\.cache\b0610e181cc1e7f1d\MeshBetaRemover.exe
2011-05-30 04:10 . 2011-05-30 04:10 94040 ----a-w- c:\program files\Common Files\Windows Live\.cache\8377d7ac1cc1e7f16\DSETUP.dll
2011-05-30 04:10 . 2011-05-30 04:10 525656 ----a-w- c:\program files\Common Files\Windows Live\.cache\8377d7ac1cc1e7f16\DXSETUP.exe
2011-05-30 04:10 . 2011-05-30 04:10 1691480 ----a-w- c:\program files\Common Files\Windows Live\.cache\8377d7ac1cc1e7f16\dsetup32.dll
2011-05-30 04:10 . 2011-05-30 04:10 94040 ----a-w- c:\program files\Common Files\Windows Live\.cache\80c3273d1cc1e7f15\DSETUP.dll
2011-05-30 04:10 . 2011-05-30 04:10 525656 ----a-w- c:\program files\Common Files\Windows Live\.cache\80c3273d1cc1e7f15\DXSETUP.exe
2011-05-30 04:10 . 2011-05-30 04:10 1691480 ----a-w- c:\program files\Common Files\Windows Live\.cache\80c3273d1cc1e7f15\dsetup32.dll
2011-05-30 03:32 . 2011-04-09 05:56 123904 ----a-w- c:\windows\system32\poqexec.exe
2011-05-29 19:54 . 2011-05-29 19:54 -------- d-----w- c:\users\Greg\AppData\Roaming\AVG10
2011-05-29 19:53 . 2011-05-29 19:53 -------- d--h--w- c:\programdata\Common Files
2011-05-29 19:49 . 2011-06-04 01:00 -------- d-----w- c:\programdata\AVG10
2011-05-29 19:47 . 2011-05-29 19:47 -------- d-----w- c:\program files\AVG
2011-05-29 19:37 . 2011-06-04 00:59 -------- d-----w- c:\programdata\MFAData
2011-05-28 00:33 . 2011-05-09 20:46 6962000 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{3997CC3B-A51A-4A55-9861-9EBF73CE0BAF}\mpengine.dll
2011-05-14 08:15 . 2011-05-14 08:15 -------- d--h--w- c:\users\Greg\AppData\Roaming\Malwarebytes
2011-05-14 08:15 . 2010-12-21 01:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-14 08:15 . 2011-05-27 14:21 -------- d-----w- c:\programdata\Malwarebytes
2011-05-14 08:15 . 2011-05-28 00:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-30 04:35 . 2010-06-24 18:33 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-05-25 02:14 . 2010-03-16 18:24 222080 ------w- c:\windows\system32\MpSigStub.exe
2003-03-19 04:20 . 2010-07-29 15:29 1060864 ----a-w- c:\program files\mozilla firefox\plugins\mfc71.dll
2003-02-21 11:42 . 2010-07-29 15:29 348160 ----a-w- c:\program files\mozilla firefox\plugins\msvcr71.dll
2011-05-30 17:24 . 2011-03-23 17:55 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2010-04-05 . 7BD7F45FF37FA0669CD32CA0EF46E22C . 811520 . . [6.1.7600.16385] . . c:\windows\System32\user32.dll
[7] 2009-07-14 . 34B7E222E81FAFA885F0C5F2CFA56861 . 811520 . . [6.1.7600.16385] . . c:\windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_cd0ec264ceb014a3\user32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2010-06-01 5252408]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-04-19 15146376]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AprvRemoveLegacyExcelKeys"="c:\program files\ApproveIt\Support\Tools\AprvClean.exe -k HKCU SOFTWARE\Microsoft\Office\Excel\Addins\OfficeAddIn.OfficeAddIn" [X]
"AprvRemoveLegacyWordKeys"="c:\program files\ApproveIt\Support\Tools\AprvClean.exe -k HKCU SOFTWARE\Microsoft\Office\Word\Addins\OfficeAddIn.OfficeAddIn" [X]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-02-12 115560]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2010-03-17 611712]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2011-01-31 38840]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2010-09-23 640440]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-05-28 1721640]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-07-23 150528]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2010-02-26 495708]
"acevents"="c:\program files\ActivIdentity\ActivClient\acevents.exe" [2009-06-03 153640]
"accrdsub"="c:\program files\ActivIdentity\ActivClient\accrdsub.exe" [2009-06-03 400936]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-10-25 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-10-25 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-10-25 150552]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-30 421888]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-10-09 47904]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"ApproveItForOfficeSetup"="c:\program files\ApproveIt\Support\Tools\ApproveItForOfficeSetup.exe" [2010-01-26 155648]
.
c:\users\Greg\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
setup_9.0.0.722_01.06.2011_02-44.lnk - c:\users\Greg\Documents\Virus Removal Tool\setup_9.0.0.722_01.06.2011_02-44\startup.exe [2011-5-31 72208]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
ActivClient Agent.lnk - c:\program files\ActivIdentity\ActivClient\acsagent.exe [2009-6-3 130600]
ApproveIt StartUp.lnk - c:\windows\Installer\{4E01B649-0023-4EB5-9263-57DE317C3418}\Icon9557F1BC1.ico [2011-3-24 9216]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 326D341B;326D341B;c:\windows\system32\326D341B.exe [x]
R3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2008-11-19 23888]
R3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\DRIVERS\NwUsbCdFil.sys [2009-06-15 20480]
R3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\DRIVERS\nwusbser2.sys [2009-06-03 174720]
R3 SCR3XX2K;SCR3xx USB SmartCardReader;c:\windows\system32\DRIVERS\SCR3XX2K.sys [2010-01-07 57856]
R3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [2009-03-21 32408]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-04-05 1343400]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2009-07-14 17920]
S0 79490772;79490772 Boot Guard Driver;c:\windows\system32\DRIVERS\79490772.sys [2009-10-22 37392]
S1 79490771;79490771;c:\windows\system32\DRIVERS\79490771.sys [2009-09-26 128016]
S1 setup_9.0.0.722_01.06.2011_02-44drv;setup_9.0.0.722_01.06.2011_02-44drv;c:\windows\system32\DRIVERS\7949077.sys [2009-10-10 311312]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 ac.sharedstore;ActivIdentity Shared Store Service;c:\program files\Common Files\ActivIdentity\ac.sharedstore.exe [2009-06-03 207400]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_0cefa6767c6211ec\aestsrv.exe [2009-03-03 81920]
S2 NSHE;Guardant Emulator Driver;c:\windows\system32\Drivers\NSHE.SYS [2008-12-18 97792]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-06-17 102448]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-03-02 139776]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2483690858-1922094556-3107687318-1000Core.job
- c:\users\Greg\AppData\Local\Google\Update\GoogleUpdate.exe [2010-12-03 18:54]
.
2011-06-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2483690858-1922094556-3107687318-1000UA.job
- c:\users\Greg\AppData\Local\Google\Update\GoogleUpdate.exe [2010-12-03 18:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=192.168.97.1:3128;https=192.168.97.1:3128;socks=192.168.97.1:1080
uInternet Settings,ProxyOverride = *.local;<local>
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
FF - ProfilePath - c:\users\Greg\AppData\Roaming\Mozilla\Firefox\Profiles\8x3ghx4g.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-Symantec Antvirus
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-06-03 18:39:46
ComboFix-quarantined-files.txt 2011-06-04 01:39
.
Pre-Run: 103,360,745,472 bytes free
Post-Run: 102,789,947,392 bytes free
.
- - End Of File - - E6169FE88AA5332411B89DEAC22AFFE4

#8 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:39 PM

Posted 04 June 2011 - 10:29 AM

gsf1969:

Did you set up these proxies?

uInternet Settings,ProxyServer = http=192.168.97.1:3128;https=192.168.97.1:3128;socks=192.168.97.1:1080


Go to the Control Panel
  • In the search bar enter Show hidden
  • In the main window click on Folder Options > Show hidden files and folders
  • Change the setting under Hidden files and folders to Show hidden files, folders, or drives
  • Click OK. (Remember to Hide files and folders once done)

Please go to one of the below sites to scan the following files:
virscan.org
Virus Total

Click on Browse, and upload the following file for analysis:
c:\windows\system32\drivers\79490772.sys

Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.
If it says already scanned -- click "reanalyze now"
Please post the results in your next reply.

Please include the following in your next post:
  • Proxy info
  • File analysis results

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may [donate button]


#9 gsf1969

gsf1969
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:02:39 PM

Posted 04 June 2011 - 10:59 AM

I did not do anything as far as the proxy is concerned (as far as I know).

2 VT Community user(s) with a total of 2 reputation credit(s) say(s) this sample is goodware. 2 VT Community user(s) with a total of 2 reputation credit(s) say(s) this sample is malware.

File name: 79490772.sys
Submission date: 2011-06-04 15:44:47 (UTC)
Current status: finished
Result: 0/ 43 (0.0%)

User: Anonymous
Reputation: 1 credits
Comment date: 2010-09-13 06:58:02 (UTC) Identified by malwarebytes MBAM as Rootkit.Agent.H. The file is found in %windir%\system32\drivers and registered as a driver.
Tags: Malware,

User: Anonymous
Reputation: 1 credits
Comment date: 2010-10-05 00:14:25 (UTC) Malwarebytes identified this file as Rootkit.Agent.H
I searched at google, and I didn't find anything about it.
The file is found in
%windir%\system32\drivers
Tags: Malware,

User: Anonymous
Reputation: 1 credits
Comment date: 2011-03-19 19:07:41 (UTC) Excellent program!
Tags: Goodware,

User: Anonymous
Reputation: 1 credits
Comment date: 2011-04-21 04:56:27 (UTC) This is a part of Kaspersky Lab's antivirus utility AVP Tool.
Tags: Goodware,

#10 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:39 PM

Posted 04 June 2011 - 11:36 AM

gsf1969:

OK, thanks. Please do this next:

Open Notepad (Start > All Programs > Accessories > Notepad; this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space before and above File::

File::
c:\windows\system32\326D341B.exe
Driver::
326D341B
FCopy::
c:\windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_cd0ec264ceb014a3\user32.dll | c:\windows\System32\user32.dll
DDS::
uInternet Settings,ProxyServer = http=192.168.97.1:3128;https=192.168.97.1:3128;socks=192.168.97.1:1080

Save this as CFScript to your desktop.

Then disable your security programs and drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot]


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM
  • Click the Update tab
  • Click Check for Updates
  • If an update is found, it will download and install the latest version.
  • The program will close to update and reopen.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Uncheck any entries from C:\System Volume Information or C:\Qoobox
  • Make sure that everything else is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Please include the following in your next post:
  • ComboFix log
  • MBAM log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may [donate button]
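The three things RPMcMurphy picked out of the ComboFix log by hand in posts #8 and #10 (the Sigcheck [-] entry for user32.dll that differs from its WinSxS copy, the 326D341B service with no file data, and a ProxyServer value the owner never configured) as an added Python triage script run over a few log lines copied from this thread. This is example code added here, not ComboFix's or BleepingComputer's; the finding names, the hex-name heuristic and the expected_proxies allow-list are my own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines copied from the ComboFix logs posted in this
# thread (Sigcheck section, service list, Supplementary Scan).
SAMPLE_LOG = r"""
[-] 2010-04-05 . 7BD7F45FF37FA0669CD32CA0EF46E22C . 811520 . . [6.1.7600.16385] . . c:\windows\System32\user32.dll
[7] 2009-07-14 . 34B7E222E81FAFA885F0C5F2CFA56861 . 811520 . . [6.1.7600.16385] . . c:\windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_cd0ec264ceb014a3\user32.dll
R3 326D341B;326D341B;c:\windows\system32\326D341B.exe [x]
R3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2008-11-19 23888]
S0 79490772;79490772 Boot Guard Driver;c:\windows\system32\DRIVERS\79490772.sys [2009-10-22 37392]
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=192.168.97.1:3128;https=192.168.97.1:3128;socks=192.168.97.1:1080
uInternet Settings,ProxyOverride = *.local;<local>
"""

# Sigcheck line: "[status] date . MD5 . size . . [version] . . path"
SIGCHECK_RE = re.compile(
    r"^\[(?P<status>[^\]]*)\] (?P<date>\d{4}-\d{2}-\d{2}) \. (?P<md5>[0-9A-Fa-f]{32})"
    r" \. (?P<size>\d+) \. \. \[(?P<version>[^\]]*)\] \. \. (?P<path>.+)$"
)
# Service line: "R3 name;display name;path [date size]" or "... [x]"
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+) \[(?P<info>[^\]]*)\]$"
)
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer = (?P<value>.+)$")
# Heuristic (mine, not ComboFix's): a service named like a bare 8-digit hex
# string. It is a lead, not a verdict: 79490772.sys matches too, and the
# VirusTotal result in this thread identified it as part of Kaspersky AVP Tool.
HEXNAME_RE = re.compile(r"^[0-9A-F]{8}$")


def parse_proxy_value(value):
    """Split 'http=host:port;https=host:port;...' into {scheme: endpoint}.
    A value with no '=' is one proxy for every protocol and is keyed '*'."""
    proxies = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, sep, endpoint = part.partition("=")
        proxies[scheme if sep else "*"] = endpoint if sep else scheme
    return proxies


def triage(log_text, expected_proxies=frozenset()):
    """Return (kind, subject, detail) findings for lines worth a second look.

    expected_proxies: 'host:port' endpoints the owner knows they configured;
    any other ProxyServer endpoint is reported. Empty by default, which is the
    situation in this thread (the user said they never set a proxy).
    """
    findings = []
    sig_by_name = defaultdict(list)
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SIGCHECK_RE.match(line)
        if m:
            entry = m.groupdict()
            sig_by_name[entry["path"].rsplit("\\", 1)[-1].lower()].append(entry)
            continue
        m = SERVICE_RE.match(line)
        if m:
            svc = m.groupdict()
            if svc["info"] == "x":  # ComboFix recorded no date/size for the binary
                findings.append(("service-missing-file", svc["name"], svc["path"]))
            if HEXNAME_RE.match(svc["name"]):
                findings.append(("service-hex-name", svc["name"], svc["path"]))
            continue
        m = PROXY_RE.match(line)
        if m:
            for scheme, endpoint in parse_proxy_value(m.group("value")).items():
                if endpoint not in expected_proxies:
                    findings.append(("unexpected-proxy", scheme, endpoint))
    # A [-] (failed signature check) file whose other copy has the same version
    # and size but a different MD5: the live copy no longer matches its original.
    for entries in sig_by_name.values():
        flagged = [e for e in entries if e["status"] == "-"]
        refs = [e for e in entries if e["status"] != "-"]
        for e in flagged:
            for r in refs:
                if (r["version"] == e["version"] and r["size"] == e["size"]
                        and r["md5"].upper() != e["md5"].upper()):
                    findings.append(("sigcheck-mismatch", e["path"], r["path"]))
    return findings


if __name__ == "__main__":
    for kind, subject, detail in triage(SAMPLE_LOG):
        print(f"{kind:22} {subject}  ->  {detail}")
```

Every finding is a lead to confirm, as the thread itself did by uploading 79490772.sys to VirusTotal before deciding what to remove.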


#11 gsf1969

gsf1969
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:02:39 PM

Posted 04 June 2011 - 12:50 PM

ComboFix 11-06-04.02 - Greg 06/04/2011 9:47.2.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2011.1133 [GMT -7:00]
Running from: c:\users\Greg\Desktop\ComboFix.exe
Command switches used :: c:\users\Greg\Desktop\CFscript.txt
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\windows\system32\326D341B.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
--------------- FCopy ---------------
.
c:\windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_cd0ec264ceb014a3\user32.dll --> c:\windows\System32\user32.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_326D341B
.
.
((((((((((((((((((((((((( Files Created from 2011-05-04 to 2011-06-04 )))))))))))))))))))))))))))))))
.
.
2011-06-04 17:10 . 2011-06-04 17:10 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2011-06-03 08:59 . 2009-07-14 01:19 245328 ----a-w- c:\windows\system32\drivers\volsnap.sys
2011-06-03 01:45 . 2011-06-03 01:45 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-01 00:43 . 2011-06-01 14:24 -------- d-----w- c:\programdata\Kaspersky Lab
2011-06-01 00:39 . 2009-10-22 20:54 37392 ----a-w- c:\windows\system32\drivers\79490772.sys
2011-06-01 00:39 . 2009-10-10 06:31 311312 ----a-w- c:\windows\system32\drivers\7949077.sys
2011-06-01 00:39 . 2009-09-26 00:59 128016 ----a-w- c:\windows\system32\drivers\79490771.sys
2011-05-31 23:13 . 2011-05-31 23:13 -------- d-----w- C:\!KillBox
2011-05-31 23:10 . 2011-05-31 23:10 -------- d-----w- c:\program files\CCleaner
2011-05-30 16:52 . 2011-05-30 16:52 12872 ----a-w- c:\windows\system32\bootdelete.exe
2011-05-30 15:41 . 2011-06-04 16:30 17480 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-05-30 15:40 . 2011-05-30 15:40 -------- d-----w- c:\program files\Hitman Pro 3.5
2011-05-30 15:39 . 2011-05-30 16:52 -------- d-----w- c:\programdata\Hitman Pro
2011-05-30 04:13 . 2011-05-30 04:13 469256 ----a-w- c:\program files\Common Files\Windows Live\.cache\f46a42cd1cc1e7f2a\InstallManager_WLE_WLE.exe
2011-05-30 04:11 . 2011-05-30 04:11 15712 ----a-w- c:\program files\Common Files\Windows Live\.cache\b0610e181cc1e7f1d\MeshBetaRemover.exe
2011-05-30 04:10 . 2011-05-30 04:10 94040 ----a-w- c:\program files\Common Files\Windows Live\.cache\8377d7ac1cc1e7f16\DSETUP.dll
2011-05-30 04:10 . 2011-05-30 04:10 525656 ----a-w- c:\program files\Common Files\Windows Live\.cache\8377d7ac1cc1e7f16\DXSETUP.exe
2011-05-30 04:10 . 2011-05-30 04:10 1691480 ----a-w- c:\program files\Common Files\Windows Live\.cache\8377d7ac1cc1e7f16\dsetup32.dll
2011-05-30 04:10 . 2011-05-30 04:10 94040 ----a-w- c:\program files\Common Files\Windows Live\.cache\80c3273d1cc1e7f15\DSETUP.dll
2011-05-30 04:10 . 2011-05-30 04:10 525656 ----a-w- c:\program files\Common Files\Windows Live\.cache\80c3273d1cc1e7f15\DXSETUP.exe
2011-05-30 04:10 . 2011-05-30 04:10 1691480 ----a-w- c:\program files\Common Files\Windows Live\.cache\80c3273d1cc1e7f15\dsetup32.dll
2011-05-30 03:32 . 2011-04-09 05:56 123904 ----a-w- c:\windows\system32\poqexec.exe
2011-05-29 19:54 . 2011-05-29 19:54 -------- d-----w- c:\users\Greg\AppData\Roaming\AVG10
2011-05-29 19:53 . 2011-05-29 19:53 -------- d--h--w- c:\programdata\Common Files
2011-05-29 19:49 . 2011-06-04 01:00 -------- d-----w- c:\programdata\AVG10
2011-05-29 19:47 . 2011-05-29 19:47 -------- d-----w- c:\program files\AVG
2011-05-29 19:37 . 2011-06-04 00:59 -------- d-----w- c:\programdata\MFAData
2011-05-28 00:33 . 2011-05-09 20:46 6962000 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{3997CC3B-A51A-4A55-9861-9EBF73CE0BAF}\mpengine.dll
2011-05-14 08:15 . 2011-05-14 08:15 -------- d--h--w- c:\users\Greg\AppData\Roaming\Malwarebytes
2011-05-14 08:15 . 2010-12-21 01:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-14 08:15 . 2011-05-27 14:21 -------- d-----w- c:\programdata\Malwarebytes
2011-05-14 08:15 . 2011-05-28 00:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-30 04:35 . 2010-06-24 18:33 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-05-25 02:14 . 2010-03-16 18:24 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-04-06 23:20 . 2011-04-06 23:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 23:20 . 2011-04-06 23:20 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2011-04-06 23:20 . 2011-04-06 23:20 197920 ----a-w- c:\windows\system32\dnssdX.dll
2011-04-06 23:20 . 2011-04-06 23:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2003-03-19 04:20 . 2010-07-29 15:29 1060864 ----a-w- c:\program files\mozilla firefox\plugins\mfc71.dll
2003-02-21 11:42 . 2010-07-29 15:29 348160 ----a-w- c:\program files\mozilla firefox\plugins\msvcr71.dll
2011-05-30 17:24 . 2011-03-23 17:55 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2010-06-01 5252408]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-04-19 15146376]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AprvRemoveLegacyExcelKeys"="c:\program files\ApproveIt\Support\Tools\AprvClean.exe -k HKCU SOFTWARE\Microsoft\Office\Excel\Addins\OfficeAddIn.OfficeAddIn" [X]
"AprvRemoveLegacyWordKeys"="c:\program files\ApproveIt\Support\Tools\AprvClean.exe -k HKCU SOFTWARE\Microsoft\Office\Word\Addins\OfficeAddIn.OfficeAddIn" [X]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-02-12 115560]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2010-03-17 611712]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2011-01-31 38840]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2010-09-23 640440]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-05-28 1721640]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-07-23 150528]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2010-02-26 495708]
"acevents"="c:\program files\ActivIdentity\ActivClient\acevents.exe" [2009-06-03 153640]
"accrdsub"="c:\program files\ActivIdentity\ActivClient\accrdsub.exe" [2009-06-03 400936]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-10-25 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-10-25 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-10-25 150552]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-30 421888]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-10-09 47904]
"ApproveItForOfficeSetup"="c:\program files\ApproveIt\Support\Tools\ApproveItForOfficeSetup.exe" [2010-01-26 155648]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-27 421160]
.
c:\users\Greg\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
setup_9.0.0.722_01.06.2011_02-44.lnk - c:\users\Greg\Documents\Virus Removal Tool\setup_9.0.0.722_01.06.2011_02-44\startup.exe [2011-5-31 72208]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
ActivClient Agent.lnk - c:\program files\ActivIdentity\ActivClient\acsagent.exe [2009-6-3 130600]
ApproveIt StartUp.lnk - c:\windows\Installer\{4E01B649-0023-4EB5-9263-57DE317C3418}\Icon9557F1BC1.ico [2011-3-24 9216]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2008-11-19 23888]
R3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\DRIVERS\NwUsbCdFil.sys [2009-06-15 20480]
R3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\DRIVERS\nwusbser2.sys [2009-06-03 174720]
R3 SCR3XX2K;SCR3xx USB SmartCardReader;c:\windows\system32\DRIVERS\SCR3XX2K.sys [2010-01-07 57856]
R3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [2009-03-21 32408]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-04-05 1343400]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2009-07-14 17920]
S0 79490772;79490772 Boot Guard Driver;c:\windows\system32\DRIVERS\79490772.sys [2009-10-22 37392]
S1 79490771;79490771;c:\windows\system32\DRIVERS\79490771.sys [2009-09-26 128016]
S1 setup_9.0.0.722_01.06.2011_02-44drv;setup_9.0.0.722_01.06.2011_02-44drv;c:\windows\system32\DRIVERS\7949077.sys [2009-10-10 311312]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 ac.sharedstore;ActivIdentity Shared Store Service;c:\program files\Common Files\ActivIdentity\ac.sharedstore.exe [2009-06-03 207400]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_0cefa6767c6211ec\aestsrv.exe [2009-03-03 81920]
S2 NSHE;Guardant Emulator Driver;c:\windows\system32\Drivers\NSHE.SYS [2008-12-18 97792]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-06-17 102448]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-03-02 139776]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2483690858-1922094556-3107687318-1000Core.job
- c:\users\Greg\AppData\Local\Google\Update\GoogleUpdate.exe [2010-12-03 18:54]
.
2011-06-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2483690858-1922094556-3107687318-1000UA.job
- c:\users\Greg\AppData\Local\Google\Update\GoogleUpdate.exe [2010-12-03 18:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>;*.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
FF - ProfilePath - c:\users\Greg\AppData\Roaming\Mozilla\Firefox\Profiles\8x3ghx4g.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_0cefa6767c6211ec\STacSV.exe
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
c:\windows\system32\DllHost.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2011-06-04 10:24:51 - machine was rebooted
ComboFix-quarantined-files.txt 2011-06-04 17:24
ComboFix2.txt 2011-06-04 01:39
.
Pre-Run: 102,474,076,160 bytes free
Post-Run: 102,373,998,592 bytes free
.
- - End Of File - - 3854E32CF78FFEA6FAAB715F05B1121B



Malwarebytes' Anti-Malware
www.malwarebytes.org

Database version:

Windows 6.1.7600
Internet Explorer 9.0.8112.16421

6/4/2011 10:47:29 AM
mbam-log-2011-06-04 (10-47-29).txt

Scan type: Quick scan
Objects scanned: 177782
Time elapsed: 7 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#12 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~

  • Malware Response Team
  • 3,970 posts

Posted 04 June 2011 - 08:22 PM

gsf1969:

How is your computer running now? Please do this next:

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Java™ can be updated from the Java control panel Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now. An update should begin; follow the prompts. If it does not, let me know.

Once the install is complete...

Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup)
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH Checked
    • Applications and Applets
    • Trace and Log Files
  • Click OK on Delete Temporary Files Window
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.
Please run ESET Online Scanner
  • Place a check mark in the box YES, I accept the Terms Of Use
  • Click the Start button.
  • Now click the Install button.
  • Click Start. The scanner engine will initialize and update.
  • Do Not place a check mark in the box beside Remove found threats.
  • Click the Scan button. The scan will now run, please be patient.
  • When the scan finishes copy and paste the results into your next reply.
Please include the following in your next post:
  • How is the computer running?
  • ESET log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.


#13 gsf1969

gsf1969
  • Topic Starter

  • Members
  • 9 posts

Posted 06 June 2011 - 08:53 AM

Computer is running pretty good.

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
esets_scanner_update returned -1 esets_gle=53251
# version=7
# iexplore.exe=9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
# OnlineScanner.ocx=1.0.0.6522
# api_version=3.0.2
# EOSSerial=33b0a81d24ea734b8d2ad784afe8ba6f
# end=stopped
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-06-06 12:54:17
# local_time=2011-06-05 05:54:17 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=6.1.7600 NT
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1024 16777215 100 0 535404 535404 0 0
# compatibility_mode=5893 16776573 100 94 0 58865021 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=39523
# found=0
# cleaned=0
# scan_time=1428
esets_scanner_update returned -1 esets_gle=53251
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6522
# api_version=3.0.2
# EOSSerial=33b0a81d24ea734b8d2ad784afe8ba6f
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-06-06 03:55:51
# local_time=2011-06-05 08:55:51 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=6.1.7600 NT
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1024 16777215 100 0 536938 536938 0 0
# compatibility_mode=5893 16776573 100 94 0 58866555 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=336127
# found=0
# cleaned=0
# scan_time=10788

#14 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~

  • Malware Response Team
  • 3,970 posts

Posted 06 June 2011 - 07:57 PM

gsf1969:

Your logs look good! Now I have some very important cleanup for you to do:

Uninstall ComboFix
  • Press the Windows key + R on your keyboard or click Start -> Run. Copy and paste the following text into the run box that opens and press OK:
    Combofix /Uninstall

Delete the following tools along with any other logs you saved from our work:
  • DDS
  • GMER
  • Rootkit Unhooker
  • aswMBR
Download TFC to your desktop
  • Close any open windows.
  • Double click the TFC icon to run the program.
  • TFC will close all open programs itself in order to run.
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job.
  • Once it's finished it should automatically reboot your machine;
  • if it doesn't, manually reboot to ensure a complete clean.
Finally, I'd like to make a couple of suggestions to help you stay clean in the future:
  • Restart any anti-malware programs that we disabled while we were cleaning your machine.
  • Keep your antivirus application and MBAM current and updated. Scan with them at least weekly.
  • Please read this post for some helpful information.
Please post once more so I know you are all set and I can mark this thread resolved. Good luck and stay safe!

Edited by RPMcMurphy, 06 June 2011 - 07:57 PM.
removed unnecessary instruction


#15 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~

  • Malware Response Team
  • 3,970 posts

Posted 11 June 2011 - 09:24 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
