
Multiple malware infections (zbot.g, various trojan horses, ramnit, prast!rts etc.)


  • This topic is locked
60 replies to this topic

#1 RevGAM

  • Members
  • 723 posts
  • Gender:Male
  • Location:Milwaukee, Wisconsin, USA

Posted 31 October 2011 - 01:08 AM

I have two infected computers, but the one I'm on now is the most important one, which has been infected for a month or two. The specs:
HP Pavilion dv2 Series Entertainment Notebook PC
2 GB RAM, int. HDD: C: 244 free/286 GB & 1.9 free/11.7 GB, ext. USB HDD K: 697 free/931 GB. E: is my wifi modem.
AMD Athlon Neo x2 Dual Core Processor L335 1.6 GHz
Windows 7 Home Premium Build 7601, SP1 (32 bit)


I must state upfront that I'm poor, so any solutions that require money are not going to be possible for me. I am interested in recommendations about what software to have to help keep my system safe, however.

The computer is not mine but is held in lieu of substantial money owed me. I don't have a receipt, the guarantee is expired, there is no rescue disk or W7 installation disk.

I have checked system restore but none of the restore points predate the infection. I have tried to use system recovery from both the boot screen and within Windows, but it says that there is no recovery information, despite D: being almost full of what appears to be recovery folders that I can't access.

I've run disk cleanup and CCleaner, plus defragged it, first with IObit's Smart Defrag, then later with Piriform Defraggler (which ran incredibly slowly for some reason). I also used IObit's Advanced System Care 4 and Auslogic's Speedboost. Windows' system rating is 3.1. The last 3 days the system has been really slow (possibly due to a conflict with Comodo's active AV scanner, which I've just disabled). Indexing is limited to IE History, MS Office Outlook, Program Files, Users and the Start Menu, and the exclusions listed next to users are: Default; AppData; AppData.

I normally use Firefox and rarely IE and Chrome.

Previously, I could not download DDS - every attempt either could not start, failed during or at the end of the download, or could not save, yet each attempt that got to 100% had left a remnant of the DDS file and I could not delete them. Windows said the owner was unknown and I could not change the owner. The one download that appeared to succeed said it wasn't a valid application or something like that and it COULD be deleted. Finally, I realized that Comodo was still running the AV active scanner (it had identified one of the remnant files as a possible threat), which I disabled. After that, I was able to download and run DDS, as well as delete the fragments.

When I ran GMER with a randomized name, it crashed almost immediately. I was, however, able to run it directly from the zip file. It took about a day to run.

I ran Panda ActiveScan 2.0 (online) and it found 4 infections on my whole system before my system froze.

Originally, I was running MS Security Essentials and from time to time checking with MBAM. I got the viruses, worms, trojans and whatnot from a flashdisk that was used on another person's computer. The malware was apparently hidden in the recycle bin as nothing showed up when I used the CLI to check for more mundane viruses with the various permutations of dir /ashr.

There's also a distinct possibility of having received infected files from friends or portableturk.com.

MSSE loads at startup but I turned off the resident shield to reduce conflicts. I can't figure out how to get it not to load at startup. It caught:
Virus: VBS/Ramnit.F, VBS/Ramnit.gen!B, Win32/Ramnit.I, Win95/CIH.remnants, VBS/Ramnit.B
PWS: Win32/Prast!rts
Worm: Win32/Dorkbot!lnk
Trojan: Win32/Ramnit.A, Win32/Ramnit.C
Exploit: Java/CVE-2008-5353.WX, Win32/CplLnk.A
Adware: Win32/OpenCandy, Win32/NewDotNet
Program: Win32/Ircfast, Win32/PowerRegScheduler
HackTool: Win32/Keygen
Spyware: Win32/Aureate

MBAM free didn't catch much, the free trial was expired, and I removed it so I don't know what it caught.

I then tried IObit Malware Fighter 1.2, but when I realized it was giving false positives and is generally not very good (it actually got infected and disabled itself completely on the other computer), I released everything in Quarantine and uninstalled it.

I installed SUPERAntiSpyware Pro (trial), but it was immediately completely disabled by (apparently) malware, or maybe one of the AV tools I had at that moment (MBAM, MSSE & MF), but I don't really know. As I was uninstalling it, AVG identified two files in its directory as hidden possible rootkits (SASKUTIL.sys & SASDIFSV.SYS).

I then installed AVG Pro 8.5 (registered) which has been better at catching things than just about all the others. It currently loads at startup but I've disabled the resident shield and web shield to avoid conflicts. It caught:
Trojan horse: Dropper.Generic2.ANGG, FakeAV.RMW, PSW.Agent.XQV, IRC/BackDoor.SdBot4.QBI, Dropper.Generic.BNDY, BackDoo.Generic12.BWYC, Generic22.AOSY, Generic22.WUB
Virus: Win32/Heur, Worm/Generic.BMUQ

There were others but they were deleted from the system due to the quarantine being full, and some items detected by the resident shield and web shield don't seem to have been recorded.

After that, I installed Comodo Antivirus 2011 Advanced (30-day trial), beginning in the most restrictive modes for both the AV Scan and Defense+. Unfortunately, the hands-on nature of those modes is beyond my ability and I couldn't differentiate between what needed to be in the sandbox and what didn't, although it did help me to find some rogue software (realplayer and realsched seemed to have been infected, so I removed them). The names it assigned to what it found don't seem to be of much use, but here they are: Heur.Suspicious@256038907, UnclassifiedMalware@161186614 (Nirsoft's Produkey), Heur.Packed.Unknown@-1, Heur.Corrupt.PE@-1, Heur.Dual.Extensions@-1.

Currently, I'm running WebRoot SecureAnywhere Complete (trial), which - given the rave review on PC Mag - is disappointing me. I can't attach the log because it's too big. If you want to see it, please let me know and I'll try to break it up into 512k pieces.

Thanks for your help!

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_29
Run by HP at 11:57:06 on 2011-10-31
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.62.1033.18.2046.962 [GMT 7:00]
.
AV: Webroot SecureAnywhere *Enabled/Updated* {53211D91-0C31-95F2-E3A5-7661FB22889E}
AV: COMODO Antivirus *Disabled/Updated* {7554F4C5-5EC0-2FC6-8192-8DF831DBED51}
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
AV: AVG Anti-Virus *Disabled/Updated* {0C939084-9E57-CBDB-EA61-0B0C7F62AF82}
SP: AVG Anti-Virus *Disabled/Updated* {B7F27160-B86D-C455-D0D1-307E04E5E53F}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Webroot SecureAnywhere *Enabled/Updated* {E840FC75-2A0B-9A7C-D915-4D1380A5C223}
SP: COMODO Defense+ *Disabled/Updated* {CE351521-78FA-2048-BB22-B68A4A5CA7EC}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files\Webroot\WRSA.exe
C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_9691412ff1876250\STacSV.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\Hpservice.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Webroot\WRSA.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_9691412ff1876250\aestsrv.exe
C:\Windows\System32\svchost.exe -k Akamai
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Hewlett-Packard\Media\TV\TVAgent.exe
C:\Program Files\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
c:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
C:\Program Files\Logitech\ScrollApp\KhalScroll.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\FileServe Manager\FSStarter.exe
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\Program Files\Hewlett-Packard\Media\DVD\DVDAgent.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\Program Files\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Nitro PDF\Reader\NitroPDFReaderDriverService2.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\SMINST\BLService.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Microsoft\BingBar\SeaPort.EXE
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Hewlett-Packard\Media\TV\Kernel\TV\TVCapSvc.exe
C:\Program Files\Hewlett-Packard\Media\TV\Kernel\TV\TVSched.exe
C:\Program Files\Smartfren Connex AC682 UI\bin\MonServiceUDisk.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Windows\system32\conhost.exe
C:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files\Hewlett-Packard\Shared\hpqToaster.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Smartfren Connex AC682 UI\bin\App.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\explorer.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_id&c=91&bd=Pavilion&pf=cnnb
uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.skip-search.com/?cfg=2-82-0-0
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_id&c=91&bd=Pavilion&pf=cnnb
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_id&c=91&bd=Pavilion&pf=cnnb
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: FileServeManager: {00000001-ab3b-4334-9da2-ec6b2a02afc6} - c:\program files\fileserve manager\FileServeBHO.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Winamp Toolbar Loader: {25cee8ec-5730-41bc-8b58-22ddc8ab8c20} - c:\program files\winamp toolbar\winamptb.dll
BHO: SBCONVERT Class: {3017fb3e-9a77-4396-88c5-0ec9548fb42f} - c:\program files\speedbit video downloader\toolbar\tbcore3.dll
BHO: SearchPredictObj Class: {389943b0-c3a2-4e69-82cb-8596a84cb3dc} - c:\progra~1\search~1\SEARCH~1.DLL
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - c:\program files\windows live\companion\companioncore.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Webroot Browser Helper Object: {c8d5d964-2be8-4c5b-8cf5-6e975aa88504} - c:\programdata\wrdata\pkg\LPBar.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll"
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Logitech Scroll App: {e11db59d-5008-42ff-9069-535843bc0be1} - c:\program files\logitech\scrollapp\LogiSmooth.dll
BHO: Download Accelerator Plus Integration: {ff6c3cf0-4b15-11d1-abed-709549c10000} - c:\progra~1\dap\DAPIEL~1.DLL
BHO: GrabberObj Class: {ff7c3cf0-4b15-11d1-abed-709549c10000} - c:\progra~1\speedb~1\toolbar\grabber.dll
TB: Winamp Toolbar: {ebf2ba02-9094-4c5a-858b-bb198f3d8de2} - c:\program files\winamp toolbar\winamptb.dll
TB: SpeedBit Video Downloader: {0329e7d6-6f54-462d-93f6-f5c3118badf2} - c:\program files\speedbit video downloader\toolbar\tbcore3.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: Webroot Toolbar: {97ab88ef-346b-4179-a0b1-7445896547a5} - c:\programdata\wrdata\pkg\LPBar.dll
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [WirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [VIADataCardNetconnect] c:\program files\via tool\VIAService.exe
mRun: [UpdatePSTShortCut] "c:\program files\cyberlink\dvd suite\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\dvd suite" updatewithcreateonce "software\cyberlink\PowerStarter"
mRun: [UpdatePDIRShortCut] "c:\program files\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\7.0"
mRun: [UpdateP2GoShortCut] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0"
mRun: [UpdateLBPShortCut] "c:\program files\cyberlink\labelprint\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\labelprint" updatewithcreateonce "software\cyberlink\labelprint\2.5"
mRun: [UCam_Menu] "c:\program files\hewlett-packard\media\webcam\muitransfer\muistartmenu.exe" "c:\program files\hewlett-packard\media\webcam" update "software\hewlett-packard\media\Webcam"
mRun: [TVAgent] "c:\program files\hewlett-packard\media\tv\TVAgent.exe"
mRun: [TSMAgent] "c:\program files\hewlett-packard\touchsmart\media\TSMAgent.exe"
mRun: [SysTrayApp] c:\program files\idt\wdm\sttray.exe
mRun: [SmartMenu] %ProgramFiles%\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [LogiScrollApp] c:\program files\logitech\scrollapp\KhalScroll.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [FileServe Manager Task] "c:\program files\fileserve manager\FSStarter.exe"
mRun: [EvtMgr6] c:\program files\logitech\setpointp\SetPoint.exe /launchGaming
mRun: [DVDAgent] "c:\program files\hewlett-packard\media\dvd\DVDAgent.exe"
mRun: [CLMLServer for HP TouchSmart] "c:\program files\hewlett-packard\touchsmart\media\kernel\clml\CLMLSvc.exe"
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [COMODO] c:\program files\comodo\comodo geekbuddy\CLPSLA.exe
mRun: [CPA] c:\program files\comodo\comodo geekbuddy\VALA.exe
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [WRSVC] "c:\program files\webroot\WRSA.exe" -ul
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
uPolicies-explorer: NoViewOnDrive = 0 (0x0)
uPolicies-explorer: NoDevMgrUpdate = 0 (0x0)
uPolicies-explorer: NoWindowsUpdate = 0 (0x0)
uPolicies-system: NoDispAppearancePage = 0 (0x0)
uPolicies-system: NoDispSettingsPage = 0 (0x0)
mPolicies-explorer: NoViewOnDrive = 0 (0x0)
mPolicies-explorer: NoDevMgrUpdate = 0 (0x0)
mPolicies-explorer: NoWindowsUpdate = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: NoDispAppearancePage = 0 (0x0)
mPolicies-system: NoDispSettingsPage = 0 (0x0)
dPolicies-explorer: NoViewOnDrive = 0 (0x0)
dPolicies-explorer: NoDevMgrUpdate = 0 (0x0)
dPolicies-explorer: NoWindowsUpdate = 0 (0x0)
dPolicies-system: NoDispAppearancePage = 0 (0x0)
dPolicies-system: NoDispSettingsPage = 0 (0x0)
IE: &Clean Traces - c:\program files\dap\privacy package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files\dap\dapextie.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Download &all with DAP - c:\program files\dap\dapextie2.htm
IE: Download with FileServe Manager - c:\program files\fileserve manager\GetUrl.htm
IE: E&xport to Microsoft Excel - c:\progra~1\mif5ba~1\office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - c:\program files\windows live\companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mif5ba~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mif5ba~1\office12\REFIEBAR.DLL
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
TCP: Interfaces\{2592701E-3375-4CB6-A077-62A5BEEAEF73} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{5F10E134-6355-4C59-9E96-23AE6673E065} : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{5F10E134-6355-4C59-9E96-23AE6673E065}\1427A657E61602C4F657E67656 : NameServer = 203.130.208.18,203.130.193.74
TCP: Interfaces\{5F10E134-6355-4C59-9E96-23AE6673E065}\1427A657E61602C4F657E67656 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{5F10E134-6355-4C59-9E96-23AE6673E065}\84F4354554C433 : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{5F10E134-6355-4C59-9E96-23AE6673E065}\84F4354554C43324 : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{5F10E134-6355-4C59-9E96-23AE6673E065}\84F4354554C43334 : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{5F10E134-6355-4C59-9E96-23AE6673E065}\84F4354554C44314 : NameServer = 203.130.208.18,203.130.193.74
TCP: Interfaces\{5F10E134-6355-4C59-9E96-23AE6673E065}\84F4354554C44314 : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{5F10E134-6355-4C59-9E96-23AE6673E065}\84F4354554C44334 : NameServer = 203.130.208.18,203.130.193.74
TCP: Interfaces\{5F10E134-6355-4C59-9E96-23AE6673E065}\84F4354554C44334 : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{B3319E14-98A4-43D9-B46C-3D6A29C98879} : NameServer = 10.17.3.252 10.17.3.245
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Name-Space Handler: ftp\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\dap\dapie.dll
Name-Space Handler: http\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\dap\dapie.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\hp\appdata\roaming\mozilla\firefox\profiles\q08t9ulr.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.skip-search.com/?cfg=2-82-0-0
FF - prefs.js: keyword.URL - hxxp://id.search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&type=642886&p=
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdbplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdjvu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - plugin: c:\program files\nitro pdf\reader\npdf.dll
FF - plugin: c:\program files\nitro pdf\reader\npnitromozilla.dll
FF - plugin: c:\program files\wildtangent games\app\browserintegration\registered\0\NP_wtapp.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
============= SERVICES / DRIVERS ===============
.
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2011-10-20 12552]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2011-10-29 28552]
R0 WRkrn;WRkrn;c:\windows\system32\drivers\WRkrn.sys [2011-10-17 106312]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2011-10-20 335240]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2011-10-20 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2011-10-20 108552]
R1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\drivers\cmderd.sys [2011-6-30 19088]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2011-6-30 238960]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2011-6-6 218688]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
R1 VWiFiFlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-14 48128]
R2 {55662437-DA8C-40c0-AADA-2C816A897A49};Power Control [2009/12/02 03:06:12];c:\program files\hewlett-packard\media\dvd\000.fcl [2009-1-8 87536]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2011-6-6 64952]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\driverstore\filerepository\stwrt.inf_x86_neutral_9691412ff1876250\AEstSrv.exe [2009-3-2 81920]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2009-7-14 20992]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-8-18 176128]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2011-10-20 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2011-10-20 297752]
R2 CLPSLS;COMODO livePCsupport Service;c:\program files\comodo\comodo geekbuddy\CLPSLS.exe [2011-5-26 154424]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
R2 hpsrv;HP Service;c:\windows\system32\hpservice.exe [2011-5-13 26168]
R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2009-5-12 222512]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2011-6-16 230400]
R3 USB_BusEnum_T;EVDO Telecom USB Bus Enumerator;c:\windows\system32\drivers\USB_BusEnum_T.sys [2011-10-25 38400]
R3 USB_ETS_T;ZTE ETS Port FFDD;c:\windows\system32\drivers\USB_ETS_T.sys [2011-10-25 16128]
R3 USB_WinMux_T;EVDO Telecom USB MUX Serial Port;c:\windows\system32\drivers\USB_WinMux_T.sys [2011-10-25 30080]
R3 UsbModemDriver;ZTE USB Modem FFDD;c:\windows\system32\drivers\USB_MODEM_T.sys [2011-10-25 21504]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-14 14336]
S2 gupdate;Layanan Pembaruan Google (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-6-9 136176]
S3 athur;Wireless Network Adapter Service;c:\windows\system32\drivers\athur.sys [2011-6-22 1500160]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg8\toolbar\ToolbarBroker.exe [2011-10-25 947528]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-4-1 183560]
S3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2010-4-14 45736]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2011-7-14 29472]
S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2011-7-11 39272]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2011-5-13 1492840]
S3 GamesAppService;GamesAppService;c:\program files\wildtangent games\app\GamesAppService.exe [2010-10-13 206072]
S3 gupdatem;Layanan Google Update (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-6-9 136176]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2011-4-18 43392]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2011-4-27 65024]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-7-8 52224]
S3 ViaUsbEtsDriver;VIA Telecom USB ETS Driver;c:\windows\system32\drivers\ViaUsbEts.sys [2011-6-5 16128]
S3 ViaUsbModemDriver;VIA Telecom USB Modem Driver;c:\windows\system32\drivers\ViaUsbModem.sys [2011-6-5 20096]
.
=============== File Associations ===============
.
JSEFile="%SystemRoot%\System32\WScript.exe" "%1" %*
.
=============== Created Last 30 ================
.
2011-10-31 04:28:23 56200 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{819fdf5e-7f8a-4910-a140-0b0796519caf}\offreg.dll
2011-10-30 15:31:40 -------- d-----w- c:\users\hp\appdata\local\Apps
2011-10-29 18:24:43 6668624 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{819fdf5e-7f8a-4910-a140-0b0796519caf}\mpengine.dll
2011-10-28 19:20:48 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2011-10-28 19:18:09 -------- d-----w- c:\program files\Panda Security
2011-10-28 04:57:25 703824 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{3aaf24d2-1b64-4bf4-a671-5bea2095a860}\gapaengine.dll
2011-10-28 04:56:28 6668624 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2011-10-27 18:22:24 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-10-27 18:22:16 141088 ----a-w- c:\program files\internet explorer\sqmapi.dll
2011-10-27 18:22:10 194048 ----a-w- c:\program files\internet explorer\IEShims.dll
2011-10-27 18:22:01 1798144 ----a-w- c:\windows\system32\jscript9.dll
2011-10-27 18:21:56 1126912 ----a-w- c:\windows\system32\wininet.dll
2011-10-27 18:21:53 678912 ----a-w- c:\program files\internet explorer\iedvtool.dll
2011-10-27 09:10:24 -------- d-----w- c:\users\hp\appdata\local\lptmp10981
2011-10-27 08:25:01 140760 ----a-w- c:\windows\system32\WRusr.dll
2011-10-27 08:24:44 -------- d-----w- c:\program files\Webroot
2011-10-26 07:26:31 2334720 ----a-w- c:\windows\system32\win32k.sys
2011-10-26 07:00:52 75776 ----a-w- c:\windows\system32\psisrndr.ax
2011-10-26 07:00:52 465408 ----a-w- c:\windows\system32\psisdecd.dll
2011-10-26 05:24:16 233472 ----a-w- c:\windows\system32\oleacc.dll
2011-10-26 05:24:15 571904 ----a-w- c:\windows\system32\oleaut32.dll
2011-10-25 12:06:24 -------- d-----w- c:\program files\Defraggler
2011-10-25 11:35:04 -------- d-----w- c:\users\hp\appdata\roaming\Auslogics
2011-10-25 11:33:00 -------- d-----w- c:\program files\Auslogics
2011-10-25 07:54:07 -------- d-----w- c:\users\hp\appdata\roaming\ZTEEVDO
2011-10-25 07:43:22 30080 ----a-w- c:\windows\system32\drivers\USB_WinMux_T.sys
2011-10-25 07:43:22 21504 ----a-w- c:\windows\system32\drivers\USB_MODEM_T.sys
2011-10-25 07:43:21 38400 ----a-w- c:\windows\system32\drivers\USB_BusEnum_T.sys
2011-10-25 07:43:21 16128 ----a-w- c:\windows\system32\drivers\USB_ETS_T.sys
2011-10-25 07:43:18 -------- d-----w- c:\program files\Smartfren Connex AC682 UI
2011-10-25 01:37:50 -------- d-----w- c:\users\hp\appdata\local\COMODO
2011-10-21 16:13:02 89360 ----a-w- c:\windows\system32\VB5DB.DLL
2011-10-21 13:15:43 -------- d-----w- c:\program files\Avira
2011-10-21 11:45:58 -------- d-----w- c:\program files\Glary Undelete
2011-10-20 18:44:19 -------- d--h--w- C:\$AVG8.VAULT$
2011-10-20 14:43:33 -------- d-----w- c:\programdata\AVG Security Toolbar
2011-10-20 14:19:00 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2011-10-20 14:18:56 12552 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2011-10-20 14:18:53 -------- d-----w- c:\windows\system32\drivers\Avg
2011-10-20 14:18:29 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2011-10-20 14:18:28 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2011-10-20 14:18:16 -------- d-----w- c:\program files\AVG
2011-10-20 14:18:15 -------- d-----w- c:\programdata\avg8
2011-10-20 13:27:28 -------- d--h--w- c:\programdata\Common Files
2011-10-20 13:27:17 -------- d-----w- c:\programdata\MFAData
2011-10-18 04:20:13 -------- d--h--w- C:\VritualRoot
2011-10-18 03:53:39 1474832 ----a-w- c:\windows\system32\drivers\sfi.dat
2011-10-18 03:50:35 -------- d-----w- c:\programdata\Comodo
2011-10-18 03:50:23 -------- d-----w- c:\program files\COMODO
2011-10-18 03:50:22 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2011-10-18 03:49:03 -------- d-----w- c:\programdata\Comodo Downloader
2011-10-17 20:15:11 702 ---ha-w- C:\aaw7boot.cmd
2011-10-17 16:36:46 106312 ----a-w- c:\windows\system32\drivers\WRkrn.sys
2011-10-17 16:36:46 -------- d-----w- c:\programdata\WRData
2011-10-17 16:27:58 -------- d-----w- c:\program files\Microsoft Security Client
2011-10-17 16:23:32 -------- d-----w- c:\programdata\Panda Security
2011-10-17 16:23:19 -------- d-----w- c:\program files\Panda USB Vaccine
2011-10-17 13:17:44 -------- d-----w- c:\users\hp\appdata\roaming\OpenOffice.org
2011-10-17 04:21:33 -------- d-----w- c:\windows\pss
2011-10-05 03:22:08 -------- d-----w- c:\program files\Windows Media Components
2011-10-05 03:21:29 -------- d-----w- c:\program files\common files\Ulead Systems
2011-10-05 03:21:28 282624 ----a-w- c:\program files\common files\installshield\updateservice\agent.exe
2011-10-05 03:21:28 -------- d-----w- c:\program files\Ulead Systems
2011-10-05 03:17:40 -------- d-----w- c:\users\hp\appdata\roaming\DIMAGE
2011-10-05 03:17:01 -------- d-----w- c:\program files\DiMAGE Messenger 2.0
2011-10-05 03:10:58 69632 ----a-w- c:\windows\system32\MQTQueen2.dll
2011-10-05 03:10:58 339968 ----a-w- c:\windows\system32\MCMLDSC2.dll
2011-10-05 03:10:58 245760 ----a-w- c:\windows\system32\MQueen.dll
2011-10-05 03:10:58 225280 ----a-w- c:\windows\system32\DSCIPLib2.dll
2011-10-05 03:10:57 81920 ----a-w- c:\windows\system32\MQueen2.dll
2011-10-05 03:10:57 69632 ----a-w- c:\windows\system32\MQTQueen.dll
2011-10-05 03:10:54 -------- d-----w- c:\program files\DiMAGE Viewer
2011-10-05 03:09:37 150240 ------w- c:\windows\system32\drivers\MLTCAP.sys
2011-10-05 03:08:32 57344 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\ctor.dll
2011-10-05 03:08:32 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\DotNetInstaller.exe
2011-10-05 03:08:32 237568 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\iscript.dll
2011-10-05 03:08:32 155648 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\iuser.dll
2011-10-05 03:08:31 696320 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\iKernel.dll
2011-10-05 03:08:30 282756 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\setup.dll
2011-10-05 03:08:30 163972 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\iGdi.dll
2011-10-01 13:14:26 -------- d-----w- c:\users\hp\appdata\roaming\PoBros
2011-10-01 13:14:26 -------- d-----w- c:\programdata\PoBros
.
==================== Find3M ====================
.
2011-10-27 05:34:21 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-25 15:00:14 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
2011-10-02 22:06:03 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-08-11 06:50:43 130208 ------r- c:\windows\bwUnin-8.1.1.87-8876480SL.exe
.
============= FINISH: 12:02:36,46 ===============

Namaste, Peace & Love,
Glenn


If I have frustrated you, then I must be a student. If I've imparted information or a skill to you, then I must be a teacher. If I've helped you, then I must be a volunteer. If I've touched your life, then I must be happy!
If you had to choose between saving just your family, or saving 10,000 GOOD people (but not your family), what would you choose?
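For triaging logs of this kind, here is an added example (not part of this thread or of the DDS tool) that parses the file-entry lines DDS prints under "Created Last 30" and "Find3M" and applies a few defender-side heuristics: hidden items placed directly under a drive root, newly written kernel drivers, and a per-day creation count. The sample input is constructed from lines in the log above, and the heuristics only highlight entries for a human to review, they do not judge anything malicious.

```python
"""Triage helper for the file-entry lines a DDS log prints.

Added example, not part of this thread or of the DDS tool: parses the
"Created Last 30" / "Find3M" lines (date time size attrs path) and applies
a few defender-side heuristics that only highlight entries for a human to
review. SAMPLE_LOG is constructed from lines that appear in the log above.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# One DDS entry per line. Directories print "--------" in the size column;
# the attribute column is always eight characters, e.g. "----a-w-" or "d--h--w-".
_ENTRY_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[-a-z]{8}) (?P<path>\S.*)$"
)

# A path directly under a drive root, e.g. C:\aaw7boot.cmd (no further backslash).
_ROOT_ITEM_RE = re.compile(r"^[A-Za-z]:\\[^\\]+$")


@dataclass
class Entry:
    date: str
    time: str
    size: Optional[int]  # None for directories
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")

    @property
    def is_hidden(self) -> bool:
        # DDS prints the hidden attribute as "h" in the attribute column.
        return "h" in self.attrs


def parse_dds_entries(text: str) -> List[Entry]:
    """Return the entry lines in order; section headers and '.' lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = _ENTRY_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"].startswith("-") else int(m["size"])
        entries.append(Entry(m["date"], m["time"], size, m["attrs"], m["path"]))
    return entries


def hidden_root_items(entries: List[Entry]) -> List[Entry]:
    """Hidden files or folders placed directly under a drive root."""
    return [e for e in entries if e.is_hidden and _ROOT_ITEM_RE.match(e.path)]


def new_kernel_drivers(entries: List[Entry]) -> List[Entry]:
    """.sys files written into system32\\drivers within the listed window."""
    return [
        e for e in entries
        if not e.is_dir
        and e.path.lower().endswith(".sys")
        and "\\windows\\system32\\drivers\\" in e.path.lower()
    ]


def created_by_day(entries: List[Entry]) -> Dict[str, int]:
    """Entries created per day; a burst on one day usually marks an install (or an infection)."""
    return dict(Counter(e.date for e in entries))


# Constructed sample: a handful of lines copied from the "Created Last 30" section above.
SAMPLE_LOG = r"""
=============== Created Last 30 ================
.
2011-10-31 04:28:23 56200 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{819fdf5e-7f8a-4910-a140-0b0796519caf}\offreg.dll
2011-10-28 19:20:48 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2011-10-25 12:06:24 -------- d-----w- c:\program files\Defraggler
2011-10-20 18:44:19 -------- d--h--w- C:\$AVG8.VAULT$
2011-10-18 04:20:13 -------- d--h--w- C:\VritualRoot
2011-10-17 20:15:11 702 ---ha-w- C:\aaw7boot.cmd
2011-10-17 16:36:46 106312 ----a-w- c:\windows\system32\drivers\WRkrn.sys
.
"""

if __name__ == "__main__":
    found = parse_dds_entries(SAMPLE_LOG)
    print("hidden items at drive root:")
    for e in hidden_root_items(found):
        print(f"  {e.date} {e.attrs} {e.path}")
    print("new kernel drivers:")
    for e in new_kernel_drivers(found):
        print(f"  {e.date} {e.size:>7} {e.path}")
    print("entries per day:", created_by_day(found))
```

Paste a full "Created Last 30" section into SAMPLE_LOG to run it over a real log; the same line format is used by the "Find3M" section.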



#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,729 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:18 PM

Posted 05 November 2011 - 01:10 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/425721 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was follow the previous instructions and tell me so. You can skip the rest of this post. If you do need help, please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  • Gender:Female
  • Local time:01:18 AM

Posted 05 November 2011 - 03:57 PM

Hello and welcome to BleepingComputer! :)



I am Blind Faith and I will be helping you out with your problem. Firstly, you should know that we are working with specific tools which are intended to identify the possible threats present on your system, so I will analyze the results they produce.


As a start we need to have some more up-to-date logs than the ones you have already provided. The current state of the files on your system might have changed, so we need to get a clear look at that step. DO NOT make any changes to the system except the ones I tell you to, as that may do more damage than help us.

If you will encounter a delay of over 2 days from me, please don't hesitate and private message me.
Do not forget to check your topic periodically and subscribe to the topic so that you can receive notifications regarding my replies.



Please generate another DDS log (download it from here if you haven't already) and post it in your next reply along with other changes that may have occurred since you last posted.
Also download and run GMER from this link: GMER download link.



Thank you very much for your patience.




Regards,

Elle
Can you hear it? It's all around!

Do you remember?
If you do, then
can you forgive?



If I haven't replied in 48 hours, please feel free to send me a PM.




#4 RevGAM

RevGAM
  • Topic Starter

  • Members
  • 723 posts
  • OFFLINE
  • Gender:Male
  • Location:Milwaukee, Wisconsin, USA
  • Local time:05:18 PM

Posted 05 November 2011 - 05:24 PM

Hello Elle, and congratulations on being a Study Hall Senior!

I don't have anything to add to my previous description, but if you have any questions, I'll try to answer them. I am not a computer novice so you can throw some IT jargon at me if you like. :)

Sorry about forgetting to zip my first attach.txt file!

I did NOT experience any problems with using GMER with the randomized name this time, and it completed very quickly, whereas when I ran it for my previous post, it took almost a day (perhaps because I had to run it directly from the rar file).

Thanks!
Glenn

Here is my DDS log:
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_29
Run by HP at 5:11:15 on 2011-11-06
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.62.1033.18.2046.687 [GMT 7:00]
.
AV: Webroot SecureAnywhere *Enabled/Updated* {53211D91-0C31-95F2-E3A5-7661FB22889E}
AV: COMODO Antivirus *Disabled/Updated* {7554F4C5-5EC0-2FC6-8192-8DF831DBED51}
AV: AVG Anti-Virus *Disabled/Updated* {0C939084-9E57-CBDB-EA61-0B0C7F62AF82}
SP: AVG Anti-Virus *Disabled/Updated* {B7F27160-B86D-C455-D0D1-307E04E5E53F}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Webroot SecureAnywhere *Enabled/Updated* {E840FC75-2A0B-9A7C-D915-4D1380A5C223}
SP: COMODO Defense+ *Disabled/Updated* {CE351521-78FA-2048-BB22-B68A4A5CA7EC}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_9691412ff1876250\STacSV.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\Hpservice.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_9691412ff1876250\aestsrv.exe
C:\Windows\System32\svchost.exe -k Akamai
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Nitro PDF\Reader\NitroPDFReaderDriverService2.exe
C:\Program Files\SMINST\BLService.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Microsoft\BingBar\SeaPort.EXE
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Hewlett-Packard\Media\TV\TVAgent.exe
C:\Program Files\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Logitech\ScrollApp\KhalScroll.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\FileServe Manager\FSStarter.exe
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\Program Files\Hewlett-Packard\Media\DVD\DVDAgent.exe
C:\Program Files\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Hewlett-Packard\Media\TV\Kernel\TV\TVCapSvc.exe
C:\Program Files\Hewlett-Packard\Media\TV\Kernel\TV\TVSched.exe
C:\Program Files\Smartfren Connex AC682 UI\bin\MonServiceUDisk.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqToaster.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Smartfren Connex AC682 UI\bin\App.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_id&c=91&bd=Pavilion&pf=cnnb
uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.skip-search.com/?cfg=2-82-0-0
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_id&c=91&bd=Pavilion&pf=cnnb
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_id&c=91&bd=Pavilion&pf=cnnb
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: FileServeManager: {00000001-ab3b-4334-9da2-ec6b2a02afc6} - c:\program files\fileserve manager\FileServeBHO.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Winamp Toolbar Loader: {25cee8ec-5730-41bc-8b58-22ddc8ab8c20} - c:\program files\winamp toolbar\winamptb.dll
BHO: SBCONVERT Class: {3017fb3e-9a77-4396-88c5-0ec9548fb42f} - c:\program files\speedbit video downloader\toolbar\tbcore3.dll
BHO: SearchPredictObj Class: {389943b0-c3a2-4e69-82cb-8596a84cb3dc} - c:\progra~1\search~1\SEARCH~1.DLL
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - c:\program files\windows live\companion\companioncore.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Webroot Browser Helper Object: {c8d5d964-2be8-4c5b-8cf5-6e975aa88504} - c:\programdata\wrdata\pkg\LPBar.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll"
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Logitech Scroll App: {e11db59d-5008-42ff-9069-535843bc0be1} - c:\program files\logitech\scrollapp\LogiSmooth.dll
BHO: Download Accelerator Plus Integration: {ff6c3cf0-4b15-11d1-abed-709549c10000} - c:\progra~1\dap\DAPIEL~1.DLL
BHO: GrabberObj Class: {ff7c3cf0-4b15-11d1-abed-709549c10000} - c:\progra~1\speedb~1\toolbar\grabber.dll
TB: Winamp Toolbar: {ebf2ba02-9094-4c5a-858b-bb198f3d8de2} - c:\program files\winamp toolbar\winamptb.dll
TB: SpeedBit Video Downloader: {0329e7d6-6f54-462d-93f6-f5c3118badf2} - c:\program files\speedbit video downloader\toolbar\tbcore3.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: Webroot Toolbar: {97ab88ef-346b-4179-a0b1-7445896547a5} - c:\programdata\wrdata\pkg\LPBar.dll
mRun: [WirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [VIADataCardNetconnect] c:\program files\via tool\VIAService.exe
mRun: [UpdatePSTShortCut] "c:\program files\cyberlink\dvd suite\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\dvd suite" updatewithcreateonce "software\cyberlink\PowerStarter"
mRun: [UpdatePDIRShortCut] "c:\program files\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\7.0"
mRun: [UpdateP2GoShortCut] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0"
mRun: [UpdateLBPShortCut] "c:\program files\cyberlink\labelprint\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\labelprint" updatewithcreateonce "software\cyberlink\labelprint\2.5"
mRun: [UCam_Menu] "c:\program files\hewlett-packard\media\webcam\muitransfer\muistartmenu.exe" "c:\program files\hewlett-packard\media\webcam" update "software\hewlett-packard\media\Webcam"
mRun: [TVAgent] "c:\program files\hewlett-packard\media\tv\TVAgent.exe"
mRun: [TSMAgent] "c:\program files\hewlett-packard\touchsmart\media\TSMAgent.exe"
mRun: [SysTrayApp] c:\program files\idt\wdm\sttray.exe
mRun: [SmartMenu] %ProgramFiles%\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [LogiScrollApp] c:\program files\logitech\scrollapp\KhalScroll.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [FileServe Manager Task] "c:\program files\fileserve manager\FSStarter.exe"
mRun: [EvtMgr6] c:\program files\logitech\setpointp\SetPoint.exe /launchGaming
mRun: [DVDAgent] "c:\program files\hewlett-packard\media\dvd\DVDAgent.exe"
mRun: [CLMLServer for HP TouchSmart] "c:\program files\hewlett-packard\touchsmart\media\kernel\clml\CLMLSvc.exe"
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [COMODO] c:\program files\comodo\comodo geekbuddy\CLPSLA.exe
mRun: [CPA] c:\program files\comodo\comodo geekbuddy\VALA.exe
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [WRSVC] "c:\program files\webroot\WRSA.exe" -ul
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
uPolicies-explorer: NoViewOnDrive = 0 (0x0)
uPolicies-explorer: NoDevMgrUpdate = 0 (0x0)
uPolicies-explorer: NoWindowsUpdate = 0 (0x0)
uPolicies-system: NoDispAppearancePage = 0 (0x0)
uPolicies-system: NoDispSettingsPage = 0 (0x0)
mPolicies-explorer: NoViewOnDrive = 0 (0x0)
mPolicies-explorer: NoDevMgrUpdate = 0 (0x0)
mPolicies-explorer: NoWindowsUpdate = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: NoDispAppearancePage = 0 (0x0)
mPolicies-system: NoDispSettingsPage = 0 (0x0)
dPolicies-explorer: NoViewOnDrive = 0 (0x0)
dPolicies-explorer: NoDevMgrUpdate = 0 (0x0)
dPolicies-explorer: NoWindowsUpdate = 0 (0x0)
dPolicies-system: NoDispAppearancePage = 0 (0x0)
dPolicies-system: NoDispSettingsPage = 0 (0x0)
IE: &Clean Traces - c:\program files\dap\privacy package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files\dap\dapextie.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Download &all with DAP - c:\program files\dap\dapextie2.htm
IE: Download with FileServe Manager - c:\program files\fileserve manager\GetUrl.htm
IE: E&xport to Microsoft Excel - c:\progra~1\mif5ba~1\office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - c:\program files\windows live\companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mif5ba~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mif5ba~1\office12\REFIEBAR.DLL
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
TCP: Interfaces\{2592701E-3375-4CB6-A077-62A5BEEAEF73} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{5F10E134-6355-4C59-9E96-23AE6673E065} : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{5F10E134-6355-4C59-9E96-23AE6673E065}\1427A657E61602C4F657E67656 : NameServer = 203.130.208.18,203.130.193.74
TCP: Interfaces\{5F10E134-6355-4C59-9E96-23AE6673E065}\1427A657E61602C4F657E67656 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{5F10E134-6355-4C59-9E96-23AE6673E065}\84F4354554C433 : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{5F10E134-6355-4C59-9E96-23AE6673E065}\84F4354554C43324 : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{5F10E134-6355-4C59-9E96-23AE6673E065}\84F4354554C43334 : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{5F10E134-6355-4C59-9E96-23AE6673E065}\84F4354554C44314 : NameServer = 203.130.208.18,203.130.193.74
TCP: Interfaces\{5F10E134-6355-4C59-9E96-23AE6673E065}\84F4354554C44314 : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{5F10E134-6355-4C59-9E96-23AE6673E065}\84F4354554C44334 : NameServer = 203.130.208.18,203.130.193.74
TCP: Interfaces\{5F10E134-6355-4C59-9E96-23AE6673E065}\84F4354554C44334 : DhcpNameServer = 192.168.1.254
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Name-Space Handler: ftp\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\dap\dapie.dll
Name-Space Handler: http\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\dap\dapie.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\hp\appdata\roaming\mozilla\firefox\profiles\q08t9ulr.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.skip-search.com/?cfg=2-82-0-0
FF - prefs.js: keyword.URL - hxxp://id.search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&type=642886&p=
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdbplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdjvu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - plugin: c:\program files\nitro pdf\reader\npdf.dll
FF - plugin: c:\program files\nitro pdf\reader\npnitromozilla.dll
FF - plugin: c:\program files\wildtangent games\app\browserintegration\registered\0\NP_wtapp.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
============= SERVICES / DRIVERS ===============
.
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2011-10-20 12552]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2011-10-29 28552]
R0 WRkrn;WRkrn;c:\windows\system32\drivers\WRkrn.sys [2011-10-17 106312]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2011-10-20 335240]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2011-10-20 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2011-10-20 108552]
R1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\drivers\cmderd.sys [2011-6-30 19088]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2011-6-30 238960]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2011-6-6 218688]
R1 VWiFiFlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-14 48128]
R2 {55662437-DA8C-40c0-AADA-2C816A897A49};Power Control [2009/12/02 03:06:12];c:\program files\hewlett-packard\media\dvd\000.fcl [2009-1-8 87536]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2011-6-6 64952]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\driverstore\filerepository\stwrt.inf_x86_neutral_9691412ff1876250\AEstSrv.exe [2009-3-2 81920]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2009-7-14 20992]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-8-18 176128]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
R2 hpsrv;HP Service;c:\windows\system32\hpservice.exe [2011-5-13 26168]
R2 NitroReaderDriverReadSpool2;NitroPDFReaderDriverCreatorReadSpool2;c:\program files\nitro pdf\reader\NitroPDFReaderDriverService2.exe [2011-6-21 196912]
R2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\sminst\BLService.exe [2009-5-12 365952]
R2 TVCapSvc;TV Background Capture Service (TVBCS);c:\program files\hewlett-packard\media\tv\kernel\tv\TVCapSvc.exe [2009-1-7 296320]
R2 TVSched;TV Task Scheduler (TVTS);c:\program files\hewlett-packard\media\tv\kernel\tv\TVSched.exe [2009-1-7 116096]
R2 UDisk Monitor;UDisk Monitor;c:\program files\smartfren connex ac682 ui\bin\MonServiceUDisk.exe [2011-10-25 512000]
R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2009-5-12 222512]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2011-6-16 230400]
R3 USB_BusEnum_T;EVDO Telecom USB Bus Enumerator;c:\windows\system32\drivers\USB_BusEnum_T.sys [2011-10-25 38400]
R3 USB_ETS_T;ZTE ETS Port FFDD;c:\windows\system32\drivers\USB_ETS_T.sys [2011-10-25 16128]
R3 USB_WinMux_T;EVDO Telecom USB MUX Serial Port;c:\windows\system32\drivers\USB_WinMux_T.sys [2011-10-25 30080]
R3 UsbModemDriver;ZTE USB Modem FFDD;c:\windows\system32\drivers\USB_MODEM_T.sys [2011-10-25 21504]
S2 gupdate;Layanan Pembaruan Google (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-6-9 136176]
S2 Norton Internet Security;Norton Internet Security;"c:\program files\norton internet security\engine\16.0.0.125\ccsvchst.exe" /s "norton internet security" /m "c:\program files\norton internet security\engine\16.0.0.125\dimaster.dll" /prefetch:1 --> c:\program files\norton internet security\engine\16.0.0.125\ccSvcHst.exe [?]
S2 WRSVC;WRSVC;c:\program files\webroot\WRSA.exe [2011-10-27 605272]
S3 athur;Wireless Network Adapter Service;c:\windows\system32\drivers\athur.sys [2011-6-22 1500160]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg8\toolbar\ToolbarBroker.exe [2011-10-25 947528]
S3 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2011-10-20 908056]
S3 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2011-10-20 297752]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-4-1 183560]
S3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2010-4-14 45736]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2011-7-14 29472]
S3 CLPSLS;COMODO livePCsupport Service;c:\program files\comodo\comodo geekbuddy\CLPSLS.exe [2011-5-26 154424]
S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2011-7-11 39272]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2011-5-13 1492840]
S3 GamesAppService;GamesAppService;c:\program files\wildtangent games\app\GamesAppService.exe [2010-10-13 206072]
S3 gupdatem;Layanan Google Update (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-6-9 136176]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-7-8 52224]
S3 ViaUsbEtsDriver;VIA Telecom USB ETS Driver;c:\windows\system32\drivers\ViaUsbEts.sys [2011-6-5 16128]
S3 ViaUsbModemDriver;VIA Telecom USB Modem Driver;c:\windows\system32\drivers\ViaUsbModem.sys [2011-6-5 20096]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-14 14336]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2011-6-6 1343400]
S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]
.
=============== File Associations ===============
.
JSEFile="%SystemRoot%\System32\WScript.exe" "%1" %*
.
=============== Created Last 30 ================
.
2011-11-05 16:21:23 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{388bd8e2-eb32-4fdd-8cc5-5cb7e276004c}\offreg.dll
2011-11-04 09:10:23 6962000 ----a-w- c:\programdata\microsoft\windows defender\definition updates\backup\mpengine.dll
2011-11-04 09:10:08 6668624 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{388bd8e2-eb32-4fdd-8cc5-5cb7e276004c}\mpengine.dll
2011-10-30 15:31:40 -------- d-----w- c:\users\hp\appdata\local\Apps
2011-10-28 19:20:48 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2011-10-28 19:18:09 -------- d-----w- c:\program files\Panda Security
2011-10-27 18:22:24 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-10-27 18:22:16 141088 ----a-w- c:\program files\internet explorer\sqmapi.dll
2011-10-27 18:22:10 194048 ----a-w- c:\program files\internet explorer\IEShims.dll
2011-10-27 18:22:01 1798144 ----a-w- c:\windows\system32\jscript9.dll
2011-10-27 18:21:56 1126912 ----a-w- c:\windows\system32\wininet.dll
2011-10-27 18:21:53 678912 ----a-w- c:\program files\internet explorer\iedvtool.dll
2011-10-27 09:10:24 -------- d-----w- c:\users\hp\appdata\local\lptmp10981
2011-10-27 08:25:01 140760 ----a-w- c:\windows\system32\WRusr.dll
2011-10-27 08:24:44 -------- d-----w- c:\program files\Webroot
2011-10-26 07:26:31 2334720 ----a-w- c:\windows\system32\win32k.sys
2011-10-26 07:00:52 75776 ----a-w- c:\windows\system32\psisrndr.ax
2011-10-26 07:00:52 465408 ----a-w- c:\windows\system32\psisdecd.dll
2011-10-26 05:24:16 233472 ----a-w- c:\windows\system32\oleacc.dll
2011-10-26 05:24:15 571904 ----a-w- c:\windows\system32\oleaut32.dll
2011-10-25 12:06:24 -------- d-----w- c:\program files\Defraggler
2011-10-25 11:35:04 -------- d-----w- c:\users\hp\appdata\roaming\Auslogics
2011-10-25 11:33:00 -------- d-----w- c:\program files\Auslogics
2011-10-25 07:54:07 -------- d-----w- c:\users\hp\appdata\roaming\ZTEEVDO
2011-10-25 07:43:22 30080 ----a-w- c:\windows\system32\drivers\USB_WinMux_T.sys
2011-10-25 07:43:22 21504 ----a-w- c:\windows\system32\drivers\USB_MODEM_T.sys
2011-10-25 07:43:21 38400 ----a-w- c:\windows\system32\drivers\USB_BusEnum_T.sys
2011-10-25 07:43:21 16128 ----a-w- c:\windows\system32\drivers\USB_ETS_T.sys
2011-10-25 07:43:18 -------- d-----w- c:\program files\Smartfren Connex AC682 UI
2011-10-25 01:37:50 -------- d-----w- c:\users\hp\appdata\local\COMODO
2011-10-21 16:13:02 89360 ----a-w- c:\windows\system32\VB5DB.DLL
2011-10-21 13:15:43 -------- d-----w- c:\program files\Avira
2011-10-21 11:45:58 -------- d-----w- c:\program files\Glary Undelete
2011-10-20 18:44:19 -------- d--h--w- C:\$AVG8.VAULT$
2011-10-20 14:43:33 -------- d-----w- c:\programdata\AVG Security Toolbar
2011-10-20 14:19:00 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2011-10-20 14:18:56 12552 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2011-10-20 14:18:53 -------- d-----w- c:\windows\system32\drivers\Avg
2011-10-20 14:18:29 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2011-10-20 14:18:28 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2011-10-20 14:18:16 -------- d-----w- c:\program files\AVG
2011-10-20 14:18:15 -------- d-----w- c:\programdata\avg8
2011-10-20 13:27:28 -------- d--h--w- c:\programdata\Common Files
2011-10-20 13:27:17 -------- d-----w- c:\programdata\MFAData
2011-10-18 04:20:13 -------- d--h--w- C:\VritualRoot
2011-10-18 03:53:39 1474832 ----a-w- c:\windows\system32\drivers\sfi.dat
2011-10-18 03:50:35 -------- d-----w- c:\programdata\Comodo
2011-10-18 03:50:23 -------- d-----w- c:\program files\COMODO
2011-10-18 03:50:22 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2011-10-18 03:49:03 -------- d-----w- c:\programdata\Comodo Downloader
2011-10-17 20:15:11 702 ---ha-w- C:\aaw7boot.cmd
2011-10-17 16:36:46 106312 ----a-w- c:\windows\system32\drivers\WRkrn.sys
2011-10-17 16:36:46 -------- d-----w- c:\programdata\WRData
2011-10-17 16:27:58 -------- d-----w- c:\program files\Microsoft Security Client
2011-10-17 16:23:32 -------- d-----w- c:\programdata\Panda Security
2011-10-17 16:23:19 -------- d-----w- c:\program files\Panda USB Vaccine
2011-10-17 13:17:44 -------- d-----w- c:\users\hp\appdata\roaming\OpenOffice.org
2011-10-17 04:21:33 -------- d-----w- c:\windows\pss
.
==================== Find3M ====================
.
2011-10-27 05:34:21 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-25 15:00:14 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
2011-10-02 22:06:03 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-08-11 06:50:43 130208 ------r- c:\windows\bwUnin-8.1.1.87-8876480SL.exe
.
============= FINISH: 5:14:11,33 ===============

Namaste, Peace & Love,
Glenn


If I have frustrated you, then I must be a student. If I've imparted information or a skill to you, then I must be a teacher. If I've helped you, then I must be a volunteer. If I've touched your life, then I must be happy!
If you had to choose between saving just your family, or saving 10,000 GOOD people (but not your family), what would you choose?


#5 RevGAM (Topic Starter)

Posted 06 November 2011 - 06:34 AM

I forgot to mention that there is possibly a keylogger on my system. I've noticed frequent lags recently when I use online editors, and sometimes characters I type in just disappear. I haven't noticed this problem with offline things like Word, or even in the Google toolbar search window.

I am not given to clicking unknown links in suspicious emails from anyone. If I don't know who it is or why they sent it to me, or it doesn't look like a valid email (no salutation, no farewell with the sender's name, etc.), or it seems atypical of the sender, I'll either delete it or, if I know the sender, I'll warn them that someone has hacked either their system or their email account, or I'll verify that they did indeed send it.

That said, my wife also uses this computer, and she's not so aware as I am.

Thanks!
Glenn



#6 Blind Faith (Malware Response Team)

Posted 07 November 2011 - 12:12 PM

Hi there RevGAM,



I am sorry for the possible delay in my replies, this weekend I was busy with school projects. :)
I will come back ASAP with a reply.




Elle
Can you hear it? It's all around!

Tomar ki manè acchè?
Yadi thakè, tahalè
Ki kshama kartè paro?
(Do you remember? If so, then can you forgive?)

If I haven't replied in 48 hours, please feel free to send me a PM.

#7 Blind Faith (Malware Response Team)

Posted 08 November 2011 - 03:21 PM

Hi there,



I do not recommend that you have more than one antivirus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (real-time) protection switched on, then those products which do not encrypt the virus strings within them can trigger "false alarms" in other antivirus products. It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False alarms: when the antivirus software tells you that your PC has a virus when it actually doesn't.
2) System performance problems: your system may lock up due to both products attempting to access the same file at the same time.
Therefore, please go to Add/Remove in the Control Panel and remove either Webroot SecureAnywhere or AVG Antivirus or COMODO Antivirus.


=========================================================================================================
Please download ComboFix from one of these locations:
Bleepingcomputer
ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.






#8 RevGAM (Topic Starter)

Posted 09 November 2011 - 09:24 AM

Just to be clear, only WebRoot's real-time protection was enabled. The other two were disabled. In any event, I uninstalled AVG & Comodo.

I've done a backup image of my computer onto my external USB HDD today using Windows Backup & Restore.

Previously, Windows System Recovery stated there was no recovery information saved on the computer.

Per HP's website instructions, I tried F11 at bootup, which gave the message "=F11 Recovery Mode=" but no menu appeared as should have happened. It went directly into W7 after that.

I tried HP Total Care's Recovery Manager by Soft Think but this is apparently a tool for Windows Vista, not Windows 7. In other words, the system was upgraded. Tonight, I found the W7 upgrade disc, too. Recovery Manager gave me this message when I started it:
"Recovery Manager content was for Windows Vista. After upgrading to Windows 7, some applications and drivers in Recovery Manager may no longer work. Please use the HP Upgrade Manager Disc to recover Windows 7 specific drivers or applications."

After that message, the RM opens. I haven't used it (except to check the laptop's memory, which is fine) because of that message.

FYI, the images you tried to post are not being displayed.

Thanks,
Glenn

Along with the Windows 7 Home Premium Upgrade Media disc, I also found the HP Upgrade Manager disc.

The HP recovery information for this recovery manager appears to be stored on D:, which is a small partition that's almost full. Since I haven't got a Vista disc, I'm being careful.

I have downloaded combofix and will follow your instructions.



#9 RevGAM (Topic Starter)

Posted 10 November 2011 - 12:29 PM

I tried disabling WebRoot and it claimed to be disabled but ComboFix insists it is still active. I've unchecked every box for every shield I could find, flipped off all the switches for the shields, and exited WR, but ComboFix says it's still running. It doesn't show up in Task Manager after I turn it off.

Is it safe for me to proceed, or what should I do?

Glenn



#10 Blind Faith (Malware Response Team)

Posted 10 November 2011 - 01:08 PM

Yes, it is safe to continue if you are sure you have deactivated WB. :)





#11 RevGAM (Topic Starter)

Posted 11 November 2011 - 06:33 AM

Okay, I ran ComboFix. I've attached the log file.

Here's an interesting development: Previous to running ComboFix, I couldn't see the two pictures you posted, nor could I see pictures posted by Jove in a different thread. Now, your pictures are visible.

FYI, the pictures you posted (to put in WRC) didn't come up, and the whole thing was run in a CMD-style window with a blue background.

Glenn



#12 Blind Faith (Malware Response Team)

Posted 13 November 2011 - 04:57 AM

Hi there,



1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\system32\drivers\kJegWEoh.sys
c:\windows\system32\drivers\rnbFMqMR.sys
c:\windows\system32\drivers\WpgpxdUx.sys
c:\windows\system32\drivers\jELZIyYy.sys


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



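As an added example (not part of this thread, and not a DDS or ComboFix feature), the Python below shows how names like the four Elle lists can be picked out of the SERVICES / DRIVERS section of a DDS log such as the one in post #4. The real DDS entries for those four drivers are not in the thread, so the four lines carrying their names are constructed (description, date and size made up); the scan date is taken from the newest "Created Last 30" entry in the posted log; the 14-day window and the score thresholds are arbitrary choices; and the File:: block it prints is a draft for a helper to verify (digital signature, publisher, a second opinion scan) before it goes anywhere near CFScript.txt.

```python
r"""Heuristic triage of the SERVICES / DRIVERS section of a DDS log.

Added example for this thread, not a BleepingComputer, DDS or ComboFix tool.
Lines of that section look like
    R0 WRkrn;WRkrn;c:\windows\system32\drivers\WRkrn.sys [2011-10-17 106312]
Kernel drivers are scored on signals that together point at a dropper-generated
name; the hits are drafted as the File:: block of a CFScript.txt for a helper to
verify. The thresholds are arbitrary choices, not ComboFix behaviour.
"""
import re
from datetime import date

LINE_RE = re.compile(r"^([RS])(\d)\s+(.*)\s+\[([^\[\]]*)\]$")
DATE_RE = re.compile(r"(\d{4})-(\d{1,2})-(\d{1,2})")
IMAGE_RE = re.compile(r'^"?(.*?\.[A-Za-z0-9]{2,4})"?(?:\s|$)')  # first token ending in an extension
VOWELS = set("aeiouyAEIOUY")

# Lines copied from the DDS log in post #4, plus four CONSTRUCTED lines for the
# drivers named in the CFScript above (their real DDS entries are not in this
# thread, so their description, date and size here are made up).
SAMPLE_LINES = [
    r"R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2011-10-20 12552]",
    r"R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2011-10-29 28552]",
    r"R0 WRkrn;WRkrn;c:\windows\system32\drivers\WRkrn.sys [2011-10-17 106312]",
    r"R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2011-6-30 238960]",
    r"R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2009-7-14 20992]",
    r'S2 Norton Internet Security;Norton Internet Security;"c:\program files\norton internet security\engine\16.0.0.125\ccsvchst.exe" /s "norton internet security" /m "c:\program files\norton internet security\engine\16.0.0.125\dimaster.dll" /prefetch:1 --> c:\program files\norton internet security\engine\16.0.0.125\ccSvcHst.exe [?]',
    r"S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-7-8 52224]",
    r"R1 kJegWEoh;kJegWEoh;c:\windows\system32\drivers\kJegWEoh.sys [2011-11-04 36864]",  # constructed
    r"R1 rnbFMqMR;rnbFMqMR;c:\windows\system32\drivers\rnbFMqMR.sys [2011-11-04 36864]",  # constructed
    r"R1 WpgpxdUx;WpgpxdUx;c:\windows\system32\drivers\WpgpxdUx.sys [2011-11-04 36864]",  # constructed
    r"R1 jELZIyYy;jELZIyYy;c:\windows\system32\drivers\jELZIyYy.sys [2011-11-04 36864]",  # constructed
]
SCAN_DATE = date(2011, 11, 5)  # newest "Created Last 30" entry in the posted log


def parse_line(line):
    """Split one service/driver line into its fields; None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    state, start, body, meta = m.groups()
    name, desc, image = (body.split(";", 2) + ["", ""])[:3]
    if " --> " in image:  # DDS appends the resolved image path after "-->"
        image = image.rsplit(" --> ", 1)[1]
    im = IMAGE_RE.match(image.strip())
    path = im.group(1) if im else image.strip()
    stem, _, ext = path.rsplit("\\", 1)[-1].rpartition(".")
    dm = DATE_RE.search(meta)  # "[?]" means DDS could not stat the file
    filedate = date(*map(int, dm.groups())) if dm else None
    return {"state": state, "start": int(start), "name": name, "desc": desc,
            "path": path, "stem": stem, "ext": ext.lower(), "date": filedate}


def score_driver(rec, scan_date, recent_days=14):
    """Return (lexical, context, reasons); lexical signals judge the file name itself."""
    reasons, lexical, context = [], 0, 0
    stem = rec["stem"]
    # Only mixed-case, letters-only stems are judged lexically: that is the shape of
    # the four names in the CFScript above, while legitimate drivers are mostly
    # lowercase abbreviations (pavboot, fssfltr) or carry digits and underscores.
    if stem.isalpha() and not stem.islower() and not stem.isupper():
        # CamelCase vendor names capitalise one letter per word and put acronyms
        # (WRkrn) at the front, so an uppercase run after position 0 is unusual.
        if re.search(r"[A-Z]{2,}", stem[1:]):
            lexical += 1
            reasons.append("uppercase run inside the name")
        run = best = 0
        for ch in stem:
            run = 0 if ch in VOWELS else run + 1
            best = max(best, run)
        if best >= 6:
            lexical += 1
            reasons.append(f"{best} consonants in a row")
    if not rec["desc"] or rec["desc"] == rec["name"]:
        context += 1
        reasons.append("no vendor description")
    if rec["date"] and 0 <= (scan_date - rec["date"]).days <= recent_days:
        context += 1
        reasons.append(f"file dated {rec['date']}")
    return lexical, context, reasons


def triage(lines, scan_date=SCAN_DATE, recent_days=14):
    """Kernel drivers with at least one lexical signal and a total score of 2 or more."""
    found = []
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["ext"] != "sys" or "\\drivers\\" not in rec["path"].lower():
            continue
        lexical, context, reasons = score_driver(rec, scan_date, recent_days)
        if lexical >= 1 and lexical + context >= 2:
            found.append((lexical + context, rec["name"], rec["path"], reasons))
    return sorted(found, key=lambda c: (-c[0], c[1]))


def candidate_cfscript(candidates):
    """Draft the File:: block in CFScript syntax; every path still needs a human check."""
    return "File::\n" + "".join(path + "\n" for _, _, path, _ in candidates)


if __name__ == "__main__":
    hits = triage(SAMPLE_LINES)
    print(*(f"{s} {n:9s} {'; '.join(r)}" for s, n, _, r in hits), candidate_cfscript(hits), sep="\n")
```

Run as a script it lists the four constructed names with their scores and then the draft File:: block; for a real log, pass the file's lines to triage(). The lexical signals alone are weak, which is why a name is only reported when a context signal backs it up: TsUsbFlt.sys, a Microsoft driver from the posted log, is CamelCase with no vendor description, collects no lexical signal and is not reported, and WRkrn.sys (Webroot) is handled the same way because its only uppercase run is the vendor prefix at the front.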

#13 RevGAM (Topic Starter)

Posted 13 November 2011 - 07:06 AM

Will do as soon as the download of ComboFix is done.

Broni suggests in http://www.bleepingcomputer.com/forums/topic427638.html/page__view__findpost__p__2472813 that given that I had/have ramnit, it's best to reformat and reinstall Windows. I don't have the Vista disk - I just have the W7 upgrade disc. What do you and your mentor think? Is there a chance that I can get rid of Ramnit?

Glenn



#14 RevGAM (Topic Starter)

Posted 13 November 2011 - 09:16 AM

Darn it, it said the file is too big to upload. (It's only 26kb) The system tells me: "Used 497.47K of your 512K global upload quota (Max. single file size: 14.53K)" next to the attach this file button.

Do you want me to post it here, or can you fix the problem so I can attach it?

BTW, around stage 41, I discovered that WebRoot hadn't quit, although I had exited it. It apparently decided to rebel, so I don't know if that affected the results. I quit it again at that point.

Thanx!
Glenn



#15 Blind Faith (Malware Response Team)

Posted 13 November 2011 - 12:12 PM

Hi Glenn,

Please copy/paste it into your next reply. Do not attach it. :)






