Malware


This topic is locked
13 replies to this topic

#1 houmanhabibi

  • Members
  • 7 posts

Posted 05 November 2011 - 12:53 AM

Hi
DDS:
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by human at 14:05:40 on 2011-11-04
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.2046.1218 [GMT 3.5:30]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\DATAK WiMAX Connection Manager\GPCommonService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\PROGRA~1\Uniblue\POWERS~1\powersuite.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\PROGRA~1\Uniblue\SPEEDU~1\sump.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\DATAK WiMAX Connection Manager\DATAK WCM.exe
C:\Program Files\DATAK WiMAX Connection Manager\wimax\WmMMgr.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\conhost.exe
.
============== Pseudo HJT Report ===============
.
uSearch Bar = Preserve
uStart Page = hxxp://uk.yahoo.com?ilc=12&type=937811&fr=spigot-yhp-ie
uInternet Settings,ProxyOverride = local
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {474597c5-ab09-49d6-a4d5-2e8d7341384e} - UrlHelper Class
BHO: Yontoo Layers: {fd72061e-9fde-484d-a58a-0bab4151cad8} - Yontoo Layers
TB: {D4FA7277-A69D-40AF-9280-58690CE75087} - No File
TB: {51A86BB3-6602-4C85-92A5-130EE4864F13} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Software Informer] "c:\program files\software informer\softinfo.exe" -autorun
uRun: [FlashGet 3] "c:\program files\flashget network\flashget 3\FlashGet3.exe" -minimize
uRun: [iMesh] "c:\program files\imesh applications\imesh\iMesh.exe" --lightmode
uRun: [Speech Recognition] "c:\windows\speech\common\sapisvr.exe" -SpeechUX -Startup
uRun: [BeyluxeMessenger] "c:\program files\beyluxe messenger\Beyluxe Messenger.exe" /hide
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [PowerSuite] "c:\progra~1\uniblue\powers~1\launcher.exe" delay 20000 -m
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [UCam_Menu] "c:\program files\cyberlink\youcam\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\youcam" update "software\cyberlink\youcam\1.0"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Plants%20vs.%20Zombies/Images/armhelper.ocx
TCP: DhcpNameServer = 81.91.129.66 81.91.129.67 8.8.8.8
TCP: Interfaces\{06D9F602-4AA3-44C6-A35A-9FD91FB00FEA} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{06D9F602-4AA3-44C6-A35A-9FD91FB00FEA}\C65636861647561657 : DhcpNameServer = 217.170.252.66
TCP: Interfaces\{36F13A64-1CE0-4A23-881E-4EAD82D48AFC} : DhcpNameServer = 81.91.129.66 81.91.129.67 8.8.8.8
TCP: Interfaces\{5C74EE6F-EE11-45BB-A5AE-78005A06662D} : DhcpNameServer = 81.91.129.66 81.91.129.67 8.8.8.8
.
============= SERVICES / DRIVERS ===============
.
R2 GPCommonService;GPCommonService;c:\program files\datak wimax connection manager\GPCommonService.exe [2011-8-1 90112]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-10-16 366152]
R2 MTKWMPROT;MediaTek WiMAX Modem Protocol Driver;c:\windows\system32\drivers\mtkwmptv.sys [2011-8-1 15360]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-10-16 22216]
R3 MT7118VU;MediaTek MT7118 WiMAX USB Card Driver for VISTA;c:\windows\system32\drivers\mt7118vu.sys [2011-8-1 131072]
R3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-11 4231168]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-6-11 139776]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2011-7-2 15872]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-7-2 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-7-16 1343400]
.
=============== Created Last 30 ================
.
2011-11-04 08:19:48 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{c1a2ed16-c365-4664-a2f6-e22ccad2deca}\offreg.dll
2011-11-04 08:03:40 -------- d-----w- c:\programdata\YouTube Downloader
2011-11-04 08:03:32 -------- d-----w- c:\program files\YouTube Downloader
2011-11-04 07:49:59 6668624 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{c1a2ed16-c365-4664-a2f6-e22ccad2deca}\mpengine.dll
2011-10-31 09:54:12 -------- d-----w- c:\users\human\appdata\roaming\Foxit Software
2011-10-23 16:03:33 86016 ----a-w- c:\windows\unvise32.exe
2011-10-23 16:03:31 -------- d-----w- C:\Game City 2
2011-10-22 12:21:54 86528 ----a-w- c:\windows\system32\iesysprep.dll
2011-10-22 11:46:58 -------- d-----w- c:\windows\system32\SPReview
2011-10-22 11:46:10 -------- d-----w- c:\windows\system32\EventProviders
2011-10-22 07:26:10 -------- dc----w- c:\users\human\appdata\local\MigWiz
2011-10-16 12:33:09 388096 ----a-r- c:\users\human\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-10-16 12:33:09 -------- d-----w- c:\program files\Trend Micro
2011-10-16 12:33:04 -------- d-----w- c:\users\human\appdata\roaming\WinPatrol
2011-10-16 12:32:56 -------- d-----w- c:\program files\BillP Studios
2011-10-16 12:32:55 -------- d-----w- c:\programdata\InstallMate
2011-10-16 12:31:10 -------- d-----w- c:\users\human\appdata\roaming\Malwarebytes
2011-10-16 12:29:09 -------- d-----w- c:\programdata\Malwarebytes
2011-10-16 12:29:04 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-16 12:29:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-16 12:28:37 -------- d-----w- c:\program files\SpywareBlaster
2011-10-16 12:28:03 -------- d-----w- c:\program files\Foxit Software
2011-10-14 13:14:49 2334720 ----a-w- c:\windows\system32\win32k.sys
2011-10-14 13:13:04 75776 ----a-w- c:\windows\system32\psisrndr.ax
2011-10-14 13:13:04 465408 ----a-w- c:\windows\system32\psisdecd.dll
2011-10-14 13:13:03 72704 ----a-w- c:\windows\system32\Mpeg2Data.ax
2011-10-14 13:13:03 59904 ----a-w- c:\windows\system32\MSDvbNP.ax
2011-10-14 13:13:03 204288 ----a-w- c:\windows\system32\MSNP.ax
2011-10-14 13:12:26 571904 ----a-w- c:\windows\system32\oleaut32.dll
2011-10-14 13:12:26 233472 ----a-w- c:\windows\system32\oleacc.dll
.
==================== Find3M ====================
.
2011-10-22 11:57:24 152576 ----a-w- c:\windows\system32\msclmd.dll
2011-09-25 08:51:58 24 --sh--w- c:\windows\S6E4664E4.tmp
2011-09-25 07:55:36 46592 ----a-w- c:\windows\system32\drivers\risdptsk.sys
2011-09-25 07:54:19 38400 ----a-w- c:\windows\system32\drivers\rixdptsk.sys
2011-09-25 07:54:19 172032 ----a-w- c:\windows\system32\rixdicon.dll
2011-09-25 07:54:12 48128 ----a-w- c:\windows\system32\drivers\rimmptsk.sys
2011-09-12 18:47:57 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-01 02:35:59 1798144 ----a-w- c:\windows\system32\jscript9.dll
2011-09-01 02:28:15 1126912 ----a-w- c:\windows\system32\wininet.dll
2011-09-01 02:22:54 2382848 ----a-w- c:\windows\system32\mshtml.tlb
.
============= FINISH: 14:06:33.37 ===============
Attached File: Attach.txt (11.32KB)
ark log:
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-11-04 14:32:04
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 ST916082 rev.3.AH
Running: gmer.exe; Driver: C:\Users\human\AppData\Local\Temp\agloipow.sys


---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKey + 13D1 82E88349 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82EC1D52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
PAGE peauth.sys 9E83DB9B 72 Bytes JMP AFB47621
? C:\Users\human\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\00000045 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001b10000734
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001b10000734@402ba1708366 0x39 0x24 0x4C 0x42 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001b10000734@20d607f82a5a 0x79 0x55 0x68 0x44 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001b10000734@001fdf342c62 0x8D 0x06 0xF2 0xCC ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001b10000734 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001b10000734@402ba1708366 0x39 0x24 0x4C 0x42 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001b10000734@20d607f82a5a 0x79 0x55 0x68 0x44 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001b10000734@001fdf342c62 0x8D 0x06 0xF2 0xCC ...

---- EOF - GMER 1.0.15 ----
Please help me

#2 HelpBot

    Bleepin' Binary Bot

  • Bots
  • 12,744 posts

Posted 10 November 2011 - 12:55 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Step 1: In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/426414 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was follow the previous instructions and tell me so. You can skip the rest of this post. If you do need help, please continue with Step 2 below.

***************************************************

Step 2: If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 houmanhabibi
  • Topic Starter

  • Members
  • 7 posts

Posted 10 November 2011 - 12:45 PM

Hi
DDS:
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by human at 14:05:40 on 2011-11-04
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.2046.1218 [GMT 3.5:30]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\DATAK WiMAX Connection Manager\GPCommonService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\PROGRA~1\Uniblue\POWERS~1\powersuite.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\PROGRA~1\Uniblue\SPEEDU~1\sump.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\DATAK WiMAX Connection Manager\DATAK WCM.exe
C:\Program Files\DATAK WiMAX Connection Manager\wimax\WmMMgr.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\conhost.exe
.
============== Pseudo HJT Report ===============
.
uSearch Bar = Preserve
uStart Page = hxxp://uk.yahoo.com?ilc=12&type=937811&fr=spigot-yhp-ie
uInternet Settings,ProxyOverride = local
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {474597c5-ab09-49d6-a4d5-2e8d7341384e} - UrlHelper Class
BHO: Yontoo Layers: {fd72061e-9fde-484d-a58a-0bab4151cad8} - Yontoo Layers
TB: {D4FA7277-A69D-40AF-9280-58690CE75087} - No File
TB: {51A86BB3-6602-4C85-92A5-130EE4864F13} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Software Informer] "c:\program files\software informer\softinfo.exe" -autorun
uRun: [FlashGet 3] "c:\program files\flashget network\flashget 3\FlashGet3.exe" -minimize
uRun: [iMesh] "c:\program files\imesh applications\imesh\iMesh.exe" --lightmode
uRun: [Speech Recognition] "c:\windows\speech\common\sapisvr.exe" -SpeechUX -Startup
uRun: [BeyluxeMessenger] "c:\program files\beyluxe messenger\Beyluxe Messenger.exe" /hide
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [PowerSuite] "c:\progra~1\uniblue\powers~1\launcher.exe" delay 20000 -m
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [UCam_Menu] "c:\program files\cyberlink\youcam\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\youcam" update "software\cyberlink\youcam\1.0"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Plants%20vs.%20Zombies/Images/armhelper.ocx
TCP: DhcpNameServer = 81.91.129.66 81.91.129.67 8.8.8.8
TCP: Interfaces\{06D9F602-4AA3-44C6-A35A-9FD91FB00FEA} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{06D9F602-4AA3-44C6-A35A-9FD91FB00FEA}\C65636861647561657 : DhcpNameServer = 217.170.252.66
TCP: Interfaces\{36F13A64-1CE0-4A23-881E-4EAD82D48AFC} : DhcpNameServer = 81.91.129.66 81.91.129.67 8.8.8.8
TCP: Interfaces\{5C74EE6F-EE11-45BB-A5AE-78005A06662D} : DhcpNameServer = 81.91.129.66 81.91.129.67 8.8.8.8
.
============= SERVICES / DRIVERS ===============
.
R2 GPCommonService;GPCommonService;c:\program files\datak wimax connection manager\GPCommonService.exe [2011-8-1 90112]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-10-16 366152]
R2 MTKWMPROT;MediaTek WiMAX Modem Protocol Driver;c:\windows\system32\drivers\mtkwmptv.sys [2011-8-1 15360]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-10-16 22216]
R3 MT7118VU;MediaTek MT7118 WiMAX USB Card Driver for VISTA;c:\windows\system32\drivers\mt7118vu.sys [2011-8-1 131072]
R3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-11 4231168]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-6-11 139776]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2011-7-2 15872]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-7-2 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-7-16 1343400]
.
=============== Created Last 30 ================
.
2011-11-04 08:19:48 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{c1a2ed16-c365-4664-a2f6-e22ccad2deca}\offreg.dll
2011-11-04 08:03:40 -------- d-----w- c:\programdata\YouTube Downloader
2011-11-04 08:03:32 -------- d-----w- c:\program files\YouTube Downloader
2011-11-04 07:49:59 6668624 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{c1a2ed16-c365-4664-a2f6-e22ccad2deca}\mpengine.dll
2011-10-31 09:54:12 -------- d-----w- c:\users\human\appdata\roaming\Foxit Software
2011-10-23 16:03:33 86016 ----a-w- c:\windows\unvise32.exe
2011-10-23 16:03:31 -------- d-----w- C:\Game City 2
2011-10-22 12:21:54 86528 ----a-w- c:\windows\system32\iesysprep.dll
2011-10-22 11:46:58 -------- d-----w- c:\windows\system32\SPReview
2011-10-22 11:46:10 -------- d-----w- c:\windows\system32\EventProviders
2011-10-22 07:26:10 -------- dc----w- c:\users\human\appdata\local\MigWiz
2011-10-16 12:33:09 388096 ----a-r- c:\users\human\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-10-16 12:33:09 -------- d-----w- c:\program files\Trend Micro
2011-10-16 12:33:04 -------- d-----w- c:\users\human\appdata\roaming\WinPatrol
2011-10-16 12:32:56 -------- d-----w- c:\program files\BillP Studios
2011-10-16 12:32:55 -------- d-----w- c:\programdata\InstallMate
2011-10-16 12:31:10 -------- d-----w- c:\users\human\appdata\roaming\Malwarebytes
2011-10-16 12:29:09 -------- d-----w- c:\programdata\Malwarebytes
2011-10-16 12:29:04 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-16 12:29:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-16 12:28:37 -------- d-----w- c:\program files\SpywareBlaster
2011-10-16 12:28:03 -------- d-----w- c:\program files\Foxit Software
2011-10-14 13:14:49 2334720 ----a-w- c:\windows\system32\win32k.sys
2011-10-14 13:13:04 75776 ----a-w- c:\windows\system32\psisrndr.ax
2011-10-14 13:13:04 465408 ----a-w- c:\windows\system32\psisdecd.dll
2011-10-14 13:13:03 72704 ----a-w- c:\windows\system32\Mpeg2Data.ax
2011-10-14 13:13:03 59904 ----a-w- c:\windows\system32\MSDvbNP.ax
2011-10-14 13:13:03 204288 ----a-w- c:\windows\system32\MSNP.ax
2011-10-14 13:12:26 571904 ----a-w- c:\windows\system32\oleaut32.dll
2011-10-14 13:12:26 233472 ----a-w- c:\windows\system32\oleacc.dll
.
==================== Find3M ====================
.
2011-10-22 11:57:24 152576 ----a-w- c:\windows\system32\msclmd.dll
2011-09-25 08:51:58 24 --sh--w- c:\windows\S6E4664E4.tmp
2011-09-25 07:55:36 46592 ----a-w- c:\windows\system32\drivers\risdptsk.sys ?!!!!
2011-09-25 07:54:19 38400 ----a-w- c:\windows\system32\drivers\rixdptsk.sys ?!!!!
2011-09-25 07:54:19 172032 ----a-w- c:\windows\system32\rixdicon.dll
2011-09-25 07:54:12 48128 ----a-w- c:\windows\system32\drivers\rimmptsk.sys
2011-09-12 18:47:57 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-01 02:35:59 1798144 ----a-w- c:\windows\system32\jscript9.dll
2011-09-01 02:28:15 1126912 ----a-w- c:\windows\system32\wininet.dll
2011-09-01 02:22:54 2382848 ----a-w- c:\windows\system32\mshtml.tlb
.
============= FINISH: 14:06:33.37 ===============
Attach:

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows 7 Ultimate
Boot Device: \Device\HarddiskVolume1
Install Date: 7/13/2010 4:18:38 PM
System Uptime: 11/4/2011 11:54:20 AM (3 hours ago)
.
Motherboard: Quanta | | 30D2
Processor: Intel® Core™2 Duo CPU T5750 @ 2.00GHz | U2E1 | 2000/667mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 137 GiB total, 94.264 GiB free.
D: is FIXED (NTFS) - 12 GiB total, 7.624 GiB free.
E: is CDROM ()
F: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft Teredo Tunneling Adapter
Device ID: ROOT\*TEREDO\0000
Manufacturer: Microsoft
Name: Teredo Tunneling Pseudo-Interface
PNP Device ID: ROOT\*TEREDO\0000
Service: tunnel
.
==== System Restore Points ===================
.
RP293: 10/22/2011 3:16:49 PM - Windows 7 Service Pack 1
RP294: 10/22/2011 11:14:28 PM - Windows Update
RP296: 10/24/2011 8:25:10 AM - Windows Modules Installer
RP297: 10/24/2011 8:27:01 AM - Windows Modules Installer
RP298: 10/24/2011 8:27:46 AM - Windows Modules Installer
RP299: 10/26/2011 10:57:15 PM - Windows Update
RP300: 10/31/2011 2:09:00 PM - Installed Adobe Reader 8.1.0
RP301: 11/1/2011 1:35:08 PM - Windows Update
RP302: 11/4/2011 11:43:34 AM - Removed YouTube Downloader Toolbar v4.7.
.
==== Installed Programs ======================
.
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.0
AV Burning Pro Version 3.1.1
Boulder Dash
CloneDVD2
CyberLink YouCam
DATAK WiMAX Connection Manager
Diner Dash
Electra
Free Mp3 Wma Converter V 2.0
Google Update Helper
HiJackThis
Intel® Matrix Storage Manager
Luxor
Malwarebytes' Anti-Malware version 1.51.2.1300
Microsoft .NET Framework 4 Client Profile
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable - KB2467175
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
neroxml
Nokia Connectivity Cable Driver
NVIDIA Drivers
NVIDIA PhysX
PVSonyDll
RICOH R5C83x/84x Flash Media Controller Driver Ver.3.51.01
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
SpywareBlaster 4.4
Synaptics Pointing Device Driver
The KMPlayer (remove only)
Uniblue DriverScanner
Uniblue PowerSuite
Uniblue RegistryBooster
Uniblue SpeedUpMyPC
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
WinPatrol
Yahoo! BrowserPlus 2.9.8
Yahoo! Messenger
Yahoo! Software Update
YouTube Downloader 3.4
.
==== Event Viewer Messages From Past Week ========
.
11/4/2011 11:41:37 AM, Error: Microsoft-Windows-RasSstp [1] - CoId={E708EBBD-0101-4505-B2B6-C4047DCCB78D}:The initial Secure Socket Tunneling Protocol request could not be successfully sent to the server. This can be due to network connectivity issues or certificate (trust) issues. The detailed error message is provided below. Correct the problem and try again. The requested name is valid, but no data of the requested type was found.
11/3/2011 1:53:04 PM, Error: Microsoft-Windows-RasSstp [1] - CoId={A3AFBD68-C935-4667-B73F-2BC2BACEAEF8}:The initial Secure Socket Tunneling Protocol request could not be successfully sent to the server. This can be due to network connectivity issues or certificate (trust) issues. The detailed error message is provided below. Correct the problem and try again. The requested name is valid, but no data of the requested type was found.
11/3/2011 1:05:57 PM, Error: Microsoft-Windows-RasSstp [1] - CoId={38EE48D1-D736-4738-A754-1502F5BD3649}:The initial Secure Socket Tunneling Protocol request could not be successfully sent to the server. This can be due to network connectivity issues or certificate (trust) issues. The detailed error message is provided below. Correct the problem and try again. The requested name is valid, but no data of the requested type was found.
11/3/2011 1:04:56 PM, Error: Microsoft-Windows-RasSstp [1] - CoId={36DAC19B-BBCE-4FDE-92EF-9A92E8D629E7}:The initial Secure Socket Tunneling Protocol request could not be successfully sent to the server. This can be due to network connectivity issues or certificate (trust) issues. The detailed error message is provided below. Correct the problem and try again. The requested name is valid, but no data of the requested type was found.
11/3/2011 1:03:55 PM, Error: Microsoft-Windows-RasSstp [1] - CoId={9573D6C5-B9CA-4ED0-8D56-122A0D82FF07}:The initial Secure Socket Tunneling Protocol request could not be successfully sent to the server. This can be due to network connectivity issues or certificate (trust) issues. The detailed error message is provided below. Correct the problem and try again. The requested name is valid, but no data of the requested type was found.
11/2/2011 12:46:34 AM, Error: Microsoft-Windows-RasSstp [1] - CoId={6B9DB3B2-802A-427C-AFB0-C5D6DC97E172}:The initial Secure Socket Tunneling Protocol request could not be successfully sent to the server. This can be due to network connectivity issues or certificate (trust) issues. The detailed error message is provided below. Correct the problem and try again. No connection could be made because the target machine actively refused it.
11/1/2011 3:57:55 PM, Error: Microsoft-Windows-RasSstp [1] - CoId={1D3B94AC-39BF-4281-872D-5ECCE8248C68}:The initial Secure Socket Tunneling Protocol request could not be successfully sent to the server. This can be due to network connectivity issues or certificate (trust) issues. The detailed error message is provided below. Correct the problem and try again. The requested name is valid, but no data of the requested type was found.
11/1/2011 3:56:53 PM, Error: Microsoft-Windows-RasSstp [1] - CoId={C2929635-5CE1-4C56-B558-8B923E7C21F5}:The initial Secure Socket Tunneling Protocol request could not be successfully sent to the server. This can be due to network connectivity issues or certificate (trust) issues. The detailed error message is provided below. Correct the problem and try again. The requested name is valid, but no data of the requested type was found.
11/1/2011 2:04:38 PM, Error: Microsoft-Windows-RasSstp [1] - CoId={03DA60C4-B15A-4ABC-8E7E-E2154D686EBB}:The initial Secure Socket Tunneling Protocol request could not be successfully sent to the server. This can be due to network connectivity issues or certificate (trust) issues. The detailed error message is provided below. Correct the problem and try again. The requested name is valid, but no data of the requested type was found.
11/1/2011 2:03:37 PM, Error: Microsoft-Windows-RasSstp [1] - CoId={50701AC8-5EB2-49AA-9990-E66AF36C097E}:The initial Secure Socket Tunneling Protocol request could not be successfully sent to the server. This can be due to network connectivity issues or certificate (trust) issues. The detailed error message is provided below. Correct the problem and try again. The requested name is valid, but no data of the requested type was found.
11/1/2011 2:02:36 PM, Error: Microsoft-Windows-RasSstp [1] - CoId={F43174FF-DC73-43CA-BCD4-B5F4CDD6D91A}:The initial Secure Socket Tunneling Protocol request could not be successfully sent to the server. This can be due to network connectivity issues or certificate (trust) issues. The detailed error message is provided below. Correct the problem and try again. The requested name is valid, but no data of the requested type was found.
11/1/2011 2:01:35 PM, Error: Microsoft-Windows-RasSstp [1] - CoId={5A65DA4C-0372-4D98-B95D-3288F1E2C144}:The initial Secure Socket Tunneling Protocol request could not be successfully sent to the server. This can be due to network connectivity issues or certificate (trust) issues. The detailed error message is provided below. Correct the problem and try again. The requested name is valid, but no data of the requested type was found.
10/31/2011 11:39:43 PM, Error: Microsoft-Windows-RasSstp [1] - CoId={F3BB40FE-8AC2-4786-A0AF-96D1ADE0487C}:The initial Secure Socket Tunneling Protocol request could not be successfully sent to the server. This can be due to network connectivity issues or certificate (trust) issues. The detailed error message is provided below. Correct the problem and try again. The requested name is valid, but no data of the requested type was found.
10/31/2011 11:38:41 PM, Error: Microsoft-Windows-RasSstp [1] - CoId={DB7E0AA7-D3DA-4A08-8B54-8B4244C453F0}:The initial Secure Socket Tunneling Protocol request could not be successfully sent to the server. This can be due to network connectivity issues or certificate (trust) issues. The detailed error message is provided below. Correct the problem and try again. The requested name is valid, but no data of the requested type was found.
10/31/2011 11:37:40 PM, Error: Microsoft-Windows-RasSstp [1] - CoId={2AA47A22-D164-40C4-A293-41A5A6711E46}:The initial Secure Socket Tunneling Protocol request could not be successfully sent to the server. This can be due to network connectivity issues or certificate (trust) issues. The detailed error message is provided below. Correct the problem and try again. The requested name is valid, but no data of the requested type was found.
10/31/2011 11:36:39 PM, Error: Microsoft-Windows-RasSstp [1] - CoId={406E3FE7-75DB-43C5-9D0F-701B14B948C6}:The initial Secure Socket Tunneling Protocol request could not be successfully sent to the server. This can be due to network connectivity issues or certificate (trust) issues. The detailed error message is provided below. Correct the problem and try again. The requested name is valid, but no data of the requested type was found.
10/30/2011 4:45:04 PM, Error: Microsoft-Windows-RasSstp [1] - CoId={A374462E-618F-4532-A0AA-0EDC6A15CEB2}:The initial Secure Socket Tunneling Protocol request could not be successfully sent to the server. This can be due to network connectivity issues or certificate (trust) issues. The detailed error message is provided below. Correct the problem and try again. No connection could be made because the target machine actively refused it.
10/30/2011 4:44:46 PM, Error: Microsoft-Windows-RasSstp [1] - CoId={75BB914F-779E-4392-9704-626BED1B2F39}:The initial Secure Socket Tunneling Protocol request could not be successfully sent to the server. This can be due to network connectivity issues or certificate (trust) issues. The detailed error message is provided below. Correct the problem and try again. No connection could be made because the target machine actively refused it.
10/30/2011 4:44:29 PM, Error: Microsoft-Windows-RasSstp [1] - CoId={33D32759-1CBD-4814-9F97-158B518FE08E}:The initial Secure Socket Tunneling Protocol request could not be successfully sent to the server. This can be due to network connectivity issues or certificate (trust) issues. The detailed error message is provided below. Correct the problem and try again. No connection could be made because the target machine actively refused it.
.
==== End Of File ===========================
ark log:
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-11-04 14:32:04
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 ST916082 rev.3.AH
Running: gmer.exe; Driver: C:\Users\human\AppData\Local\Temp\agloipow.sys


---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKey + 13D1 82E88349 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82EC1D52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
PAGE peauth.sys 9E83DB9B 72 Bytes JMP AFB47621
? C:\Users\human\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\00000045 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001b10000734
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001b10000734@402ba1708366 0x39 0x24 0x4C 0x42 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001b10000734@20d607f82a5a 0x79 0x55 0x68 0x44 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001b10000734@001fdf342c62 0x8D 0x06 0xF2 0xCC ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001b10000734 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001b10000734@402ba1708366 0x39 0x24 0x4C 0x42 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001b10000734@20d607f82a5a 0x79 0x55 0x68 0x44 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001b10000734@001fdf342c62 0x8D 0x06 0xF2 0xCC ...

---- EOF - GMER 1.0.15 ----
Please help me.
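
The RasSstp errors quoted in the DDS log above are a good place to practise reading an event dump before deciding whether it points at malware. The Python script below is an added example, not part of the original post and not part of DDS or GMER: it rebuilds the nine event lines from the timestamps and CoIds posted above, strips the fixed Windows wording to recover the underlying Winsock error text, maps that text to its Winsock error (WSANO_DATA, 11004, for the "no data of the requested type" wording and WSAECONNREFUSED, 10061, for "actively refused"), and collapses the roughly one-minute retries into bursts. The 90-second retry window is a chosen threshold, not a Windows constant.

```python
"""Triage Microsoft-Windows-RasSstp event 1 lines from a DDS log (added example)."""
import re
from collections import Counter
from datetime import datetime, timedelta

# Fixed wording Windows prepends to every RasSstp event 1; the text after it
# is the underlying Winsock error message.
BOILERPLATE = (
    "The initial Secure Socket Tunneling Protocol request could not be "
    "successfully sent to the server. This can be due to network connectivity "
    "issues or certificate (trust) issues. The detailed error message is "
    "provided below. Correct the problem and try again. "
)

NO_DATA = "The requested name is valid, but no data of the requested type was found."
REFUSED = "No connection could be made because the target machine actively refused it."

# Winsock message text -> (symbolic name, code); only the two variants in the log.
WINSOCK_ERRORS = {NO_DATA: ("WSANO_DATA", 11004), REFUSED: ("WSAECONNREFUSED", 10061)}

EVENT_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"Error: (?P<source>[\w.-]+) \[(?P<event_id>\d+)\] - "
    r"CoId=\{(?P<coid>[0-9A-Fa-f-]+)\}:(?P<message>.*)$"
)


def _dds_line(ts, coid, detail):
    """Rebuild one DDS event line from its variable parts (sample data only)."""
    return f"{ts}, Error: Microsoft-Windows-RasSstp [1] - CoId={{{coid}}}:{BOILERPLATE}{detail}"


# Sample input: nine events from the DDS log above, timestamps and CoIds as
# posted, newest first as DDS lists them.
SAMPLE_LINES = [
    _dds_line("11/4/2011 11:41:37 AM", "E708EBBD-0101-4505-B2B6-C4047DCCB78D", NO_DATA),
    _dds_line("11/3/2011 1:05:57 PM", "38EE48D1-D736-4738-A754-1502F5BD3649", NO_DATA),
    _dds_line("11/3/2011 1:04:56 PM", "36DAC19B-BBCE-4FDE-92EF-9A92E8D629E7", NO_DATA),
    _dds_line("11/3/2011 1:03:55 PM", "9573D6C5-B9CA-4ED0-8D56-122A0D82FF07", NO_DATA),
    _dds_line("11/2/2011 12:46:34 AM", "6B9DB3B2-802A-427C-AFB0-C5D6DC97E172", REFUSED),
    _dds_line("11/1/2011 2:04:38 PM", "03DA60C4-B15A-4ABC-8E7E-E2154D686EBB", NO_DATA),
    _dds_line("11/1/2011 2:03:37 PM", "50701AC8-5EB2-49AA-9990-E66AF36C097E", NO_DATA),
    _dds_line("11/1/2011 2:02:36 PM", "F43174FF-DC73-43CA-BCD4-B5F4CDD6D91A", NO_DATA),
    _dds_line("11/1/2011 2:01:35 PM", "5A65DA4C-0372-4D98-B95D-3288F1E2C144", NO_DATA),
]


def parse_event(line):
    """Return a dict for one RasSstp event line, or None if the line is not one."""
    match = EVENT_RE.match(line)
    if not match:
        return None
    event = match.groupdict()
    event["when"] = datetime.strptime(event["ts"], "%m/%d/%Y %I:%M:%S %p")
    message = event["message"]
    # Everything after the fixed wording is the Winsock error text.
    detail = message.split(BOILERPLATE, 1)[1] if BOILERPLATE in message else message
    event["detail"] = detail.strip()
    event["winsock"], event["code"] = WINSOCK_ERRORS.get(event["detail"], ("UNKNOWN", None))
    return event


def group_bursts(events, max_gap=timedelta(seconds=90)):
    """Group events into retry bursts: same error, consecutive, under max_gap apart.

    RAS retried about once a minute in this log; 90 s is a chosen threshold.
    """
    bursts = []
    for event in sorted(events, key=lambda e: e["when"]):
        last = bursts[-1][-1] if bursts else None
        if last and event["winsock"] == last["winsock"] and event["when"] - last["when"] <= max_gap:
            bursts[-1].append(event)
        else:
            bursts.append([event])
    return bursts


def triage(lines):
    """Parse every RasSstp line in `lines` and summarise errors and bursts."""
    events = [e for e in map(parse_event, lines) if e is not None]
    return {
        "events": len(events),
        "by_error": dict(Counter(e["winsock"] for e in events)),
        "bursts": [
            {"start": b[0]["when"].isoformat(sep=" "), "attempts": len(b),
             "error": b[0]["winsock"], "code": b[0]["code"]}
            for b in group_bursts(events)
        ],
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LINES)
    print(f"{report['events']} RasSstp events: {report['by_error']}")
    for burst in report["bursts"]:
        print(f"  {burst['start']}  {burst['attempts']} attempt(s)  {burst['error']} ({burst['code']})")
```

Both outcomes are the ones the event text itself names as network causes: name resolution for the SSTP server returned no address record (WSANO_DATA), or the TCP connection was refused (WSAECONNREFUSED). The event does not record the server name, so the script can classify the failure but not check the name; resolving the configured SSTP hostname by hand is the next step if these failures matter.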

#4 myrti
  • Sillyberry
  • Malware Study Hall Admin
  • 33,779 posts
  • Gender: Female
  • Location: At home

Posted 10 November 2011 - 03:11 PM

Could you explain what is wrong? Why do you think you're infected?

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#5 houmanhabibi
  • Topic Starter
  • Members
  • 7 posts

Posted 11 November 2011 - 12:31 AM

Hi
I have changed my antivirus to ESET. ESET scanned my computer, detected some viruses and cleaned them.
After that I worried about other viruses, such as rootkits, bootkits, etc., that this antivirus may have failed to detect.
For extra information I put the ESET log here:
11/6/2011 12:25:44 AM Real-time file system protection file C:\Users\human\AppData\Local\Temp\85F0C534-BAB0-7891-AA8F-98B21EFB47E2\MyBabylonTB.exe probably a variant of Win32/Toolbar.Babylon potentially unwanted application deleted human-PC\human Event occurred on a new file created by the application: C:\Users\human\AppData\Local\Temp\85F0C534-BAB0-7891-AA8F-98B21EFB47E2\Setup.exe.
11/4/2011 2:52:23 PM Real-time file system protection file C:\Program Files\Uniblue\RegistryBooster\Launcher.exe Win32/RegistryBooster potentially unwanted application cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe.
Thanks.

#6 myrti
  • Sillyberry
  • Malware Study Hall Admin
  • 33,779 posts
  • Gender: Female
  • Location: At home

Posted 12 November 2011 - 07:48 AM

Hi,
What ESET detected are so-called "potentially unwanted programs". The first is the Babylon toolbar, a toolbar that does translations. The second is a registry cleaner, which I would advise against using in general, as there's a higher chance of them ruining your system than fixing it.

Your logs are clean though, I'm not seeing signs of malware, bootkit or otherwise.

What I am seeing, though, is an outdated Adobe Reader, which would make it easy for malware to get onto your system:
Your version of Adobe Reader is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older-version Adobe components and update:
  • Download the latest version of Adobe Reader (Version X) and save it to your desktop.
  • Uncheck the "Free McAfee Security Scan Plus" option or any other toolbar you are offered.
  • Click the download button at the bottom.
  • If you use Internet Explorer and do not wish to install the ActiveX element, simply click on the click here to download link on the next page.
  • Remove all older versions of Adobe Reader: go to Add/Remove Programs and uninstall all versions of Adobe Reader, Acrobat Reader and Adobe Acrobat.
    If you are unsure of how to use Add or Remove Programs, then please see this tutorial: How To Remove An Installed Program From Your Computer
  • Then from your desktop double-click on Adobe Reader to install the newest version.
    If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the "Adobe Setup - Welcome" window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
  • Once the installation is finished, open Adobe Reader and accept the warranty if prompted.
  • Click on Help and select Check for Updates.
  • A window will open and Adobe will check for Updates. If any updates are found to be available click on Download.
  • Once the update is downloaded you will get a system notification telling you so. Click on the popup to restore the window.
  • In the window that opens click Install.
  • Once the update is done click Close.
Your Adobe Reader is now up to date!

regards myrti



#7 houmanhabibi
  • Topic Starter
  • Members
  • 7 posts

Posted 12 November 2011 - 09:49 PM

Hi and thanks again.
I have removed Adobe Acrobat and installed Foxit Reader.
I cannot update my Adobe from this site (Adobe Reader Version X). I suppose my ID was blocked by this site. :angry:
Many good and useful sites such as malware, vmware, symantec, ... have blocked IDs that came from Iran. :cold:
However, I feel good about the helpers of this forum, who help everyone
regardless of their nationality. :inlove:

#8 myrti
  • Sillyberry
  • Malware Study Hall Admin
  • 33,779 posts
  • Gender: Female
  • Location: At home

Posted 13 November 2011 - 06:20 AM

Hi,

Foxit is probably the safer choice anyway. :thumbup2: It's targeted much less frequently by malware.

If you don't have any more questions, I think we can wrap this up. :)

regards myrti



#9 houmanhabibi
  • Topic Starter
  • Members
  • 7 posts

Posted 13 November 2011 - 12:58 PM

Hi and thanks again
Bless you
I cannot donate to you from Iran, but I am trying to donate to you and Gringo (I owe him also) from Vancouver through my friend.
I hope to do it soon.

#10 myrti
  • Sillyberry
  • Malware Study Hall Admin
  • 33,779 posts
  • Gender: Female
  • Location: At home

Posted 13 November 2011 - 01:08 PM

Hi,

no worries. :) I'm glad that things work well for you :)

Read those last few lines, in order to keep your pc safe and clean:

Please read this advice, in order to prevent reinfecting your PC:
  • Install and update the following programs regularly:
    • an outbound firewall
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non-commercial home use, but provide a resident scanner and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.
    • MVPs hosts file
      A tutorial for the MVPS hosts file can be found here. If you would like automatic updates you might want to take a look at HostMan host file manager. For more information on the hosts file, and what it can do for you, please consult the Tutorial on the Hosts file
  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.
    Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
  • Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out-of-date software on your machine.
  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :(.
Some more links you might find of interest:

Have a nice day
myrti

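
The hosts-file item in the list above cuts both ways: the same mechanism the MVPS file uses to map unwanted hostnames to 0.0.0.0 is what malware uses to point update and vendor domains somewhere else, or to silence them with a loopback address. The script below is an added example, not from the post and not from the MVPS project: it parses a constructed hosts file (the hijack lines are made up; 198.51.100.23 is from a documentation address range), classifies each entry as loopback, blocking or redirect, and flags any entry that touches a protected domain. The protected-suffix list is an assumed starter list and should be adapted to the software actually installed on the machine.

```python
"""Audit a Windows hosts file for entries that redirect or silence protected names (added example)."""
import ipaddress
from dataclasses import dataclass

# Addresses a blocking hosts file (MVPS style) maps unwanted names to.
BLOCK_TARGETS = {"0.0.0.0", "127.0.0.1", "::1"}

# Assumed starter list: domains that should never appear in a home PC's hosts
# file, because mapping them anywhere breaks or hijacks updates and AV.
PROTECTED_SUFFIXES = (
    "microsoft.com", "windowsupdate.com", "eset.com",
    "malwarebytes.org", "symantec.com",
)

# Constructed sample: two normal loopback lines, MVPS-style blocking lines, and
# three hijack lines of the kind malware adds (198.51.100.23 is a documentation address).
SAMPLE_HOSTS = """\
# hosts file sample, constructed for this example
127.0.0.1       localhost
::1             localhost
0.0.0.0  ad.doubleclick.net        # blocking entry, MVPS style
0.0.0.0  banner.example.net  tracker.example.net
198.51.100.23  www.microsoft.com update.microsoft.com   # redirect: hijack
198.51.100.23  www.eset.com
127.0.0.1  www.malwarebytes.org                          # "block" that silences an AV vendor
"""


@dataclass
class Finding:
    line_no: int
    ip: str
    name: str
    kind: str          # "loopback", "block" or "redirect"
    suspicious: bool   # touches a protected domain


def parse_hosts(text):
    """Return (line_no, ip, [names]) for each well-formed, non-comment line."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        ip_text, *names = body.split()
        try:
            ip = str(ipaddress.ip_address(ip_text))
        except ValueError:
            continue  # first field is not an address; skip rather than guess
        entries.append((line_no, ip, [n.lower() for n in names]))
    return entries


def is_protected(name, suffixes=PROTECTED_SUFFIXES):
    """True if name is a protected domain or a subdomain of one."""
    return any(name == s or name.endswith("." + s) for s in suffixes)


def audit_hosts(text, suffixes=PROTECTED_SUFFIXES):
    """Classify every hostname in the file and flag protected ones."""
    findings = []
    for line_no, ip, names in parse_hosts(text):
        for name in names:
            if ip in BLOCK_TARGETS and name in ("localhost", "localhost.localdomain"):
                kind = "loopback"      # the normal self-reference lines
            elif ip in BLOCK_TARGETS:
                kind = "block"         # name is sinkholed; fine for ad/tracker hosts
            else:
                kind = "redirect"      # name is sent to a real address; always review
            suspicious = kind != "loopback" and is_protected(name, suffixes)
            findings.append(Finding(line_no, ip, name, kind, suspicious))
    return findings


def summarize(findings):
    return {
        "blocked": sum(f.kind == "block" for f in findings),
        "redirected": sum(f.kind == "redirect" for f in findings),
        "suspicious": [f.name for f in findings if f.suspicious],
    }


if __name__ == "__main__":
    results = audit_hosts(SAMPLE_HOSTS)
    print(summarize(results))
    for f in results:
        if f.suspicious:
            print(f"line {f.line_no}: {f.ip} -> {f.name} ({f.kind}) needs review")
```

On Windows 7 the file to feed in is C:\Windows\System32\drivers\etc\hosts. Any "redirect" finding deserves a look even when the name is not on the protected list, because a blocking hosts file should contain nothing but loopback and sinkhole entries.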


#11 houmanhabibi
  • Topic Starter
  • Members
  • 7 posts

Posted 14 November 2011 - 11:47 AM

I do not know how to thank you
But I just have the best green wishes and long life for you.
Thanks again. :thumbup2: :thumbsup: B) :inlove:

Edited by houmanhabibi, 14 November 2011 - 11:48 AM.


#12 myrti
  • Sillyberry
  • Malware Study Hall Admin
  • 33,779 posts
  • Gender: Female
  • Location: At home

Posted 14 November 2011 - 05:39 PM

You're most welcome :)

If you have no further questions I'll go ahead and close this thread as solved.

regards myrti



#13 houmanhabibi
  • Topic Starter
  • Members
  • 7 posts

Posted 14 November 2011 - 09:33 PM

I do not have any question.
Thanks again. :thumbup2: B)

#14 myrti
  • Sillyberry
  • Malware Study Hall Admin
  • 33,779 posts
  • Gender: Female
  • Location: At home

Posted 15 November 2011 - 03:04 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
