
My computer's sending spam! ACK!


  • This topic is locked
25 replies to this topic

#1 lintlicker

lintlicker

  • Members
  • 15 posts
  • OFFLINE
  • Local time:07:38 PM

Posted 10 November 2011 - 08:06 AM

Hi,

My computer's been sending spam from my Yahoo account. I use that account on both my work and home computers. I thought I might have been hacked, so yesterday I changed all my passwords and personal information, but last night I sent out more spam. I turned off my work computer last night, but left my personal computer on to run a virus scan. Since the emails were sent out overnight, I deduced that my personal computer is the zombie. Help! I don't wanna be a spam zombie!

I've run scans with Malwarebytes and Avast, and neither found any infections. Please help! I'm running Windows Vista 64.


DDS Log follows. I can't seem to be able to configure GMER to run as prescribed in the guide. The necessary boxes are greyed out.

Thank you so much in advance.

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_24
Run by Steak at 7:53:43 on 2011-11-10
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3998.1536 [GMT -5:00]
.
AV: avast! Antivirus *Enabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
SP: avast! Antivirus *Enabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_8aadd48d\STacSV64.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Hpservice.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\IDT\WDM\sttray64.exe
C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Users\Steak\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe
C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe
C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files (x86)\Hp\HP Software Update\hpwuSchd2.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Cisco\Cisco NAC Agent\NACAgentUI.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_8aadd48d\AESTSr64.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\lxbvcoms.exe
C:\Program Files (x86)\Cisco\Cisco NAC Agent\NACAgent.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\SMINST\BLService.exe
C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVCapSvc.exe
C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVSched.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe
C:\Windows\Explorer.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\hpqToaster.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] C:\Windows\ehome\ehTray.exe
uRun: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe
mRun: [DVDAgent] "C:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe"
mRun: [TSMAgent] "C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe"
mRun: [CLMLServer for HP TouchSmart] "C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe"
mRun: [UCam_Menu] "C:\Program Files (x86)\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Hewlett-Packard\Media\Webcam" update "Software\Hewlett-Packard\Media\Webcam"
mRun: [UpdateLBPShortCut] "C:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5"
mRun: [UpdatePSTShortCut] "C:\Program Files (x86)\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\DVD Suite" UpdateWithCreateOnce "Software\CyberLink\PowerStarter"
mRun: [QlbCtrl.exe] "C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" /Start
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [UpdateP2GoShortCut] "C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
mRun: [UpdatePDIRShortCut] "C:\Program Files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\PowerDirector" UpdateWithCreateOnce "SOFTWARE\CyberLink\PowerDirector\7.0"
mRun: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
mRun: [WirelessAssistant] C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [NACAgentUI] C:\Program Files (x86)\Cisco\Cisco NAC Agent\NACAgentUI.exe
mRun: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRunOnce: [Malwarebytes' Anti-Malware] C:\al\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
StartupFolder: C:\Users\Steak\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\Steak\AppData\Roaming\Dropbox\bin\Dropbox.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\BLUETO~1.LNK - C:\Program Files (x86)\WIDCOMM\Bluetooth Software\BTTray.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
Trusted Zone: intuit.com\ttlc
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{E1BF6061-0748-4DDF-852B-5750E7B669C4} : DhcpNameServer = 192.168.1.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files (x86)\Common Files\LightScribe\LSRunOnce.exe"
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
mRun-x64: [DVDAgent] "C:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe"
mRun-x64: [TSMAgent] "C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe"
mRun-x64: [CLMLServer for HP TouchSmart] "C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe"
mRun-x64: [UCam_Menu] "C:\Program Files (x86)\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Hewlett-Packard\Media\Webcam" update "Software\Hewlett-Packard\Media\Webcam"
mRun-x64: [UpdateLBPShortCut] "C:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5"
mRun-x64: [UpdatePSTShortCut] "C:\Program Files (x86)\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\DVD Suite" UpdateWithCreateOnce "Software\CyberLink\PowerStarter"
mRun-x64: [QlbCtrl.exe] "C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" /Start
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun-x64: [UpdateP2GoShortCut] "C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
mRun-x64: [UpdatePDIRShortCut] "C:\Program Files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\PowerDirector" UpdateWithCreateOnce "SOFTWARE\CyberLink\PowerDirector\7.0"
mRun-x64: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
mRun-x64: [WirelessAssistant] C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [NACAgentUI] C:\Program Files (x86)\Cisco\Cisco NAC Agent\NACAgentUI.exe
mRun-x64: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
mRun-x64: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRunOnce-x64: [Malwarebytes' Anti-Malware] C:\al\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
IE-X64: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Steak\AppData\Roaming\Mozilla\Firefox\Profiles\e4n2u652.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-tyc&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-tyc&p=
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Users\Steak\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: C:\Users\Steak\AppData\Roaming\Mozilla\plugins\npatgpc.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
============= SERVICES / DRIVERS ===============
.
R1 aswSP;aswSP;C:\Windows\system32\drivers\aswSP.sys --> C:\Windows\system32\drivers\aswSP.sys [?]
R2 {55662437-DA8C-40c0-AADA-2C816A897A49};Power Control [2009/06/05 02:58:11];C:\Program Files (x86)\Hewlett-Packard\Media\DVD\000.fcl [2008-11-28 146928]
R2 AESTFilters;Andrea ST Filters Service;C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_8aadd48d\AESTSr64.exe --> C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_8aadd48d\AESTSr64.exe [?]
R2 aswFsBlk;aswFsBlk;C:\Windows\system32\drivers\aswFsBlk.sys --> C:\Windows\system32\drivers\aswFsBlk.sys [?]
R2 aswMonFlt;aswMonFlt;\??\C:\Windows\system32\drivers\aswMonFlt.sys --> C:\Windows\system32\drivers\aswMonFlt.sys [?]
R2 avast! Antivirus;avast! Antivirus;C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2010-9-12 40384]
R2 hpsrv;HP Service;C:\Windows\system32\Hpservice.exe --> C:\Windows\system32\Hpservice.exe [?]
R2 lxbv_device;lxbv_device;C:\Windows\system32\lxbvcoms.exe -service --> C:\Windows\system32\lxbvcoms.exe -service [?]
R2 NACAgent;Cisco NAC Agent;C:\Program Files (x86)\Cisco\Cisco NAC Agent\NACAgent.exe [2010-2-5 742144]
R2 Recovery Service for Windows;Recovery Service for Windows;C:\Program Files (x86)\SMINST\BLService.exe [2009-1-13 365952]
R2 TVCapSvc;TV Background Capture Service (TVBCS);C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVCapSvc.exe [2008-11-26 296320]
R2 TVSched;TV Task Scheduler (TVTS);C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVSched.exe [2008-11-26 116096]
R3 avast! Mail Scanner;avast! Mail Scanner;C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2010-9-12 40384]
R3 avast! Web Scanner;avast! Web Scanner;C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2010-9-12 40384]
R3 enecir;ENE CIR Receiver;C:\Windows\system32\DRIVERS\enecir.sys --> C:\Windows\system32\DRIVERS\enecir.sys [?]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;C:\Windows\system32\drivers\IntcHdmi.sys --> C:\Windows\system32\drivers\IntcHdmi.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 Norton Internet Security;Norton Internet Security;"C:\Program Files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe" /s "Norton Internet Security" /m "C:\Program Files (x86)\Norton Internet Security\Engine\16.0.0.125\diMaster.dll" /prefetch:1 --> C:\Program Files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe [?]
S3 Com4QLBEx;Com4QLBEx;C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2009-1-13 228408]
S3 NETw3v64;Intel® PRO/Wireless 3945ABG Adapter Driver for Windows Vista 64 Bit;C:\Windows\system32\DRIVERS\NETw3v64.sys --> C:\Windows\system32\DRIVERS\NETw3v64.sys [?]
S3 NPF;NetGroup Packet Filter Driver;C:\Windows\system32\drivers\npf.sys --> C:\Windows\system32\drivers\npf.sys [?]
S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-20 19968]
S3 RDID1061;EDIROL UA-4FX;C:\Windows\system32\Drivers\rdwm1061.sys --> C:\Windows\system32\Drivers\rdwm1061.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-3-18 1020768]
S3 yukonx64;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk60x64.sys --> C:\Windows\system32\DRIVERS\yk60x64.sys [?]
S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2009-6-26 93184]
.
=============== Created Last 30 ================
.
2011-11-09 12:35:35 69000 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{DD2EF909-B331-4A58-9436-7F427F6B538F}\offreg.dll
2011-11-09 01:47:09 8570192 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{DD2EF909-B331-4A58-9436-7F427F6B538F}\mpengine.dll
2011-11-01 21:23:41 -------- d-----w- C:\Users\Steak\AppData\Roaming\calibre
2011-11-01 21:22:19 -------- d-----w- C:\Program Files (x86)\Calibre2
2011-10-30 02:12:02 -------- d-----r- C:\Program Files (x86)\Skype
2011-10-28 20:47:02 -------- d-----w- C:\Users\Steak\AppData\Roaming\KeePassX
.
==================== Find3M ====================
.
2011-10-23 23:52:41 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-08-31 22:00:50 25416 ----a-w- C:\Windows\System32\drivers\mbam.sys
.
============= FINISH: 7:54:31.61 ===============


#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,600 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:38 PM

Posted 15 November 2011 - 08:10 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/427219 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right-hand corner of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 lintlicker

lintlicker
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:07:38 PM

Posted 17 November 2011 - 06:49 PM

As requested, here's another DDS log. I cannot figure out how to make GMER work as described.

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_24
Run by Steak at 18:46:31 on 2011-11-17
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3998.1676 [GMT -5:00]
.
AV: avast! Antivirus *Enabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
SP: avast! Antivirus *Enabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_8aadd48d\STacSV64.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Hpservice.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\IDT\WDM\sttray64.exe
C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Users\Steak\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe
C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe
C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files (x86)\Hp\HP Software Update\hpwuSchd2.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Cisco\Cisco NAC Agent\NACAgentUI.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_8aadd48d\AESTSr64.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\lxbvcoms.exe
C:\Program Files (x86)\Cisco\Cisco NAC Agent\NACAgent.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\SMINST\BLService.exe
C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVCapSvc.exe
C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVSched.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\hpqToaster.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
C:\Windows\splwow64.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\al\kolmafia\KoLmafia-14.7.exe
C:\Program Files (x86)\Java\jre6\bin\javaw.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] C:\Windows\ehome\ehTray.exe
uRun: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe
uRunOnce: [FlashPlayerUpdate] C:\Windows\SysWOW64\Macromed\Flash\FlashUtil11c_Plugin.exe -update plugin
mRun: [DVDAgent] "C:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe"
mRun: [TSMAgent] "C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe"
mRun: [CLMLServer for HP TouchSmart] "C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe"
mRun: [UCam_Menu] "C:\Program Files (x86)\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Hewlett-Packard\Media\Webcam" update "Software\Hewlett-Packard\Media\Webcam"
mRun: [UpdateLBPShortCut] "C:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5"
mRun: [UpdatePSTShortCut] "C:\Program Files (x86)\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\DVD Suite" UpdateWithCreateOnce "Software\CyberLink\PowerStarter"
mRun: [QlbCtrl.exe] "C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" /Start
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [UpdateP2GoShortCut] "C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
mRun: [UpdatePDIRShortCut] "C:\Program Files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\PowerDirector" UpdateWithCreateOnce "SOFTWARE\CyberLink\PowerDirector\7.0"
mRun: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
mRun: [WirelessAssistant] C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [NACAgentUI] C:\Program Files (x86)\Cisco\Cisco NAC Agent\NACAgentUI.exe
mRun: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRunOnce: [Malwarebytes' Anti-Malware] C:\al\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
StartupFolder: C:\Users\Steak\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\Steak\AppData\Roaming\Dropbox\bin\Dropbox.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\BLUETO~1.LNK - C:\Program Files (x86)\WIDCOMM\Bluetooth Software\BTTray.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
Trusted Zone: intuit.com\ttlc
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{E1BF6061-0748-4DDF-852B-5750E7B669C4} : DhcpNameServer = 192.168.1.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files (x86)\Common Files\LightScribe\LSRunOnce.exe"
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
mRun-x64: [DVDAgent] "C:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe"
mRun-x64: [TSMAgent] "C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe"
mRun-x64: [CLMLServer for HP TouchSmart] "C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe"
mRun-x64: [UCam_Menu] "C:\Program Files (x86)\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Hewlett-Packard\Media\Webcam" update "Software\Hewlett-Packard\Media\Webcam"
mRun-x64: [UpdateLBPShortCut] "C:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5"
mRun-x64: [UpdatePSTShortCut] "C:\Program Files (x86)\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\DVD Suite" UpdateWithCreateOnce "Software\CyberLink\PowerStarter"
mRun-x64: [QlbCtrl.exe] "C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" /Start
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun-x64: [UpdateP2GoShortCut] "C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
mRun-x64: [UpdatePDIRShortCut] "C:\Program Files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\PowerDirector" UpdateWithCreateOnce "SOFTWARE\CyberLink\PowerDirector\7.0"
mRun-x64: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
mRun-x64: [WirelessAssistant] C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [NACAgentUI] C:\Program Files (x86)\Cisco\Cisco NAC Agent\NACAgentUI.exe
mRun-x64: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
mRun-x64: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRunOnce-x64: [Malwarebytes' Anti-Malware] C:\al\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
IE-X64: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Steak\AppData\Roaming\Mozilla\Firefox\Profiles\e4n2u652.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-tyc&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-tyc&p=
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Users\Steak\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: C:\Users\Steak\AppData\Roaming\Mozilla\plugins\npatgpc.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
============= SERVICES / DRIVERS ===============
.
R1 aswSP;aswSP;C:\Windows\system32\drivers\aswSP.sys --> C:\Windows\system32\drivers\aswSP.sys [?]
R2 {55662437-DA8C-40c0-AADA-2C816A897A49};Power Control [2009/06/05 02:58:11];C:\Program Files (x86)\Hewlett-Packard\Media\DVD\000.fcl [2008-11-28 146928]
R2 AESTFilters;Andrea ST Filters Service;C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_8aadd48d\AESTSr64.exe --> C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_8aadd48d\AESTSr64.exe [?]
R2 aswFsBlk;aswFsBlk;C:\Windows\system32\drivers\aswFsBlk.sys --> C:\Windows\system32\drivers\aswFsBlk.sys [?]
R2 aswMonFlt;aswMonFlt;\??\C:\Windows\system32\drivers\aswMonFlt.sys --> C:\Windows\system32\drivers\aswMonFlt.sys [?]
R2 avast! Antivirus;avast! Antivirus;C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2010-9-12 40384]
R2 hpsrv;HP Service;C:\Windows\system32\Hpservice.exe --> C:\Windows\system32\Hpservice.exe [?]
R2 lxbv_device;lxbv_device;C:\Windows\system32\lxbvcoms.exe -service --> C:\Windows\system32\lxbvcoms.exe -service [?]
R2 NACAgent;Cisco NAC Agent;C:\Program Files (x86)\Cisco\Cisco NAC Agent\NACAgent.exe [2010-2-5 742144]
R2 Recovery Service for Windows;Recovery Service for Windows;C:\Program Files (x86)\SMINST\BLService.exe [2009-1-13 365952]
R2 TVCapSvc;TV Background Capture Service (TVBCS);C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVCapSvc.exe [2008-11-26 296320]
R2 TVSched;TV Task Scheduler (TVTS);C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVSched.exe [2008-11-26 116096]
R3 avast! Mail Scanner;avast! Mail Scanner;C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2010-9-12 40384]
R3 avast! Web Scanner;avast! Web Scanner;C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2010-9-12 40384]
R3 enecir;ENE CIR Receiver;C:\Windows\system32\DRIVERS\enecir.sys --> C:\Windows\system32\DRIVERS\enecir.sys [?]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;C:\Windows\system32\drivers\IntcHdmi.sys --> C:\Windows\system32\drivers\IntcHdmi.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 Norton Internet Security;Norton Internet Security;"C:\Program Files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe" /s "Norton Internet Security" /m "C:\Program Files (x86)\Norton Internet Security\Engine\16.0.0.125\diMaster.dll" /prefetch:1 --> C:\Program Files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe [?]
S3 Com4QLBEx;Com4QLBEx;C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2009-1-13 228408]
S3 NETw3v64;Intel® PRO/Wireless 3945ABG Adapter Driver for Windows Vista 64 Bit;C:\Windows\system32\DRIVERS\NETw3v64.sys --> C:\Windows\system32\DRIVERS\NETw3v64.sys [?]
S3 NPF;NetGroup Packet Filter Driver;C:\Windows\system32\drivers\npf.sys --> C:\Windows\system32\drivers\npf.sys [?]
S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-20 19968]
S3 RDID1061;EDIROL UA-4FX;C:\Windows\system32\Drivers\rdwm1061.sys --> C:\Windows\system32\Drivers\rdwm1061.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-3-18 1020768]
S3 yukonx64;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk60x64.sys --> C:\Windows\system32\DRIVERS\yk60x64.sys [?]
S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2009-6-26 93184]
.
=============== Created Last 30 ================
.
2011-11-15 22:37:53 69000 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{C0961DB9-52B8-43AB-9869-08323D1FE581}\offreg.dll
2011-11-15 22:37:51 8570192 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{C0961DB9-52B8-43AB-9869-08323D1FE581}\mpengine.dll
2011-11-01 21:23:41 -------- d-----w- C:\Users\Steak\AppData\Roaming\calibre
2011-11-01 21:22:19 -------- d-----w- C:\Program Files (x86)\Calibre2
2011-10-30 02:12:02 -------- d-----r- C:\Program Files (x86)\Skype
2011-10-28 20:47:02 -------- d-----w- C:\Users\Steak\AppData\Roaming\KeePassX
.
==================== Find3M ====================
.
2011-10-23 23:52:41 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-08-31 22:00:50 25416 ----a-w- C:\Windows\System32\drivers\mbam.sys
.
============= FINISH: 18:47:27.44 ===============




#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 17 November 2011 - 09:09 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

----------------------------------------------

Let's try aswMBR if Gmer isn't playing ball

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

m0le is a proud member of UNITE

#5 lintlicker

lintlicker
  • Topic Starter

  • Members
  • 15 posts

Posted 18 November 2011 - 08:03 AM

Hi mole,

Thanks for the help. That new tool (can't remember name) caused the dreaded BLUE SCREEN OF DOOM. Therefore I have no new logs for you. The problem I'm having with GMER is that all those option check boxes that the tutorial tells you to use are all grayed out and unusable.

I work 8-4ish so I will be stalking this thread while I'm not at work.

Thanks again,

Lintlicker

#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 18 November 2011 - 06:07 PM

Let's try and get a log out of the machine for a start :P

Please download MBRCheck to your desktop.

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log when you reply.
m0le is a proud member of UNITE

#7 lintlicker

lintlicker
  • Topic Starter

  • Members
  • 15 posts

Posted 18 November 2011 - 07:41 PM

It says: "Found non-standard or infected MBR.
Enter Y and hit enter for more options, or N to exit."

End terminates the program. Y brings up the following options
"[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit."

I chose 1, hoping for some sort of log file. This is what I got.
"Enter the physical disk number to dump (0-99, -1 to exit):"

Ok, I'm over my head now. Entered -1

This makes me say yikes.

Yikes.

#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 19 November 2011 - 10:30 PM

It says: "Found non-standard or infected MBR.


This does not automatically mean you have a problem. I will need to see the log file though, it provides a few more details which I need.
m0le is a proud member of UNITE

#9 lintlicker

lintlicker
  • Topic Starter

  • Members
  • 15 posts

Posted 20 November 2011 - 07:48 AM

Ok, I'm not smart. I didn't realize that logs were being created despite the problems. I expected a popup text window like in other programs I've used. Here's a log. Sorry.


MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows Vista Home Premium Edition
Windows Information: Service Pack 1 (build 6001), 64-bit
Base Board Manufacturer: Hewlett-Packard
BIOS Manufacturer: Hewlett-Packard
System Manufacturer: Hewlett-Packard
System Product Name: HP Pavilion dv6 Notebook PC
Logical Drives Mask: 0x0000001c

Kernel Drivers (total 205):
0x02C63000 \SystemRoot\system32\ntoskrnl.exe
0x02C1D000 \SystemRoot\system32\hal.dll
0x0060C000 \SystemRoot\system32\kdcom.dll
0x00616000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
0x00643000 \SystemRoot\system32\PSHED.dll
0x00657000 \SystemRoot\system32\CLFS.SYS
0x006B4000 \SystemRoot\system32\CI.dll
0x00800000 \SystemRoot\system32\drivers\Wdf01000.sys
0x008DA000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x008E8000 \SystemRoot\system32\drivers\acpi.sys
0x0093E000 \SystemRoot\system32\drivers\WMILIB.SYS
0x00947000 \SystemRoot\system32\drivers\msisadrv.sys
0x00951000 \SystemRoot\system32\drivers\pci.sys
0x00981000 \SystemRoot\system32\drivers\isapnp.sys
0x0098A000 \SystemRoot\system32\drivers\mpio.sys
0x009AC000 \SystemRoot\System32\drivers\partmgr.sys
0x009C1000 \SystemRoot\system32\DRIVERS\compbatt.sys
0x009C5000 \SystemRoot\system32\DRIVERS\BATTC.SYS
0x009D1000 \SystemRoot\system32\drivers\volmgr.sys
0x00766000 \SystemRoot\System32\drivers\volmgrx.sys
0x009E5000 \SystemRoot\system32\drivers\intelide.sys
0x009ED000 \SystemRoot\system32\drivers\PCIIDEX.SYS
0x007CC000 \SystemRoot\system32\drivers\aliide.sys
0x007D3000 \SystemRoot\system32\drivers\amdide.sys
0x007DA000 \SystemRoot\system32\drivers\cmdide.sys
0x007E2000 \SystemRoot\System32\drivers\mountmgr.sys
0x00A0D000 \SystemRoot\system32\drivers\msdsm.sys
0x00A2B000 \SystemRoot\system32\drivers\nvraid.sys
0x00A4E000 \SystemRoot\system32\drivers\CLASSPNP.SYS
0x00A7A000 \SystemRoot\system32\drivers\pciide.sys
0x00A81000 \SystemRoot\system32\drivers\viaide.sys
0x00A89000 \SystemRoot\system32\drivers\iastorv.sys
0x00B50000 \SystemRoot\system32\drivers\atapi.sys
0x00B58000 \SystemRoot\system32\drivers\ataport.SYS
0x00B7C000 \SystemRoot\system32\drivers\lsi_scsi.sys
0x00B9A000 \SystemRoot\system32\drivers\storport.sys
0x00A00000 \SystemRoot\system32\drivers\msahci.sys
0x00C0E000 \SystemRoot\system32\drivers\hpcisss.sys
0x00C1C000 \SystemRoot\system32\drivers\adp94xx.sys
0x00C95000 \SystemRoot\system32\drivers\adpahci.sys
0x00CEB000 \SystemRoot\system32\drivers\adpu160m.sys
0x00D0C000 \SystemRoot\system32\drivers\SCSIPORT.SYS
0x00D3A000 \SystemRoot\system32\drivers\adpu320.sys
0x00D69000 \SystemRoot\system32\drivers\djsvs.sys
0x00D81000 \SystemRoot\system32\drivers\arc.sys
0x00D9A000 \SystemRoot\system32\drivers\arcsas.sys
0x00E05000 \SystemRoot\system32\drivers\elxstor.sys
0x00EA8000 \SystemRoot\system32\drivers\i2omp.sys
0x00EB3000 \SystemRoot\system32\drivers\iirsp.sys
0x00EC4000 \SystemRoot\system32\drivers\iteatapi.sys
0x00ED1000 \SystemRoot\system32\drivers\iteraid.sys
0x00EDE000 \SystemRoot\system32\drivers\lsi_fc.sys
0x00EFC000 \SystemRoot\system32\drivers\lsi_sas.sys
0x00F18000 \SystemRoot\system32\drivers\megasas.sys
0x00F24000 \SystemRoot\system32\drivers\megasr.sys
0x00FEB000 \SystemRoot\system32\drivers\mraid35x.sys
0x00DB3000 \SystemRoot\system32\drivers\nfrd960.sys
0x00DC3000 \SystemRoot\system32\drivers\nvstor.sys
0x0100A000 \SystemRoot\system32\drivers\ql2300.sys
0x0115C000 \SystemRoot\system32\drivers\ql40xx.sys
0x011BA000 \SystemRoot\system32\drivers\sisraid2.sys
0x011C8000 \SystemRoot\system32\drivers\sisraid4.sys
0x011DE000 \SystemRoot\system32\drivers\symc8xx.sys
0x011EC000 \SystemRoot\system32\drivers\sym_hi.sys
0x00DD3000 \SystemRoot\system32\drivers\sym_u3.sys
0x0120C000 \SystemRoot\system32\drivers\uliahci.sys
0x01255000 \SystemRoot\system32\drivers\ulsata.sys
0x01284000 \SystemRoot\system32\drivers\ulsata2.sys
0x012C6000 \SystemRoot\system32\drivers\vsmraid.sys
0x012ED000 \SystemRoot\system32\drivers\fltmgr.sys
0x01333000 \SystemRoot\system32\drivers\fileinfo.sys
0x01347000 \SystemRoot\System32\Drivers\ksecdd.sys
0x01409000 \SystemRoot\system32\drivers\ndis.sys
0x0160F000 \SystemRoot\system32\drivers\msrpc.sys
0x0165F000 \SystemRoot\system32\drivers\NETIO.SYS
0x01807000 \SystemRoot\System32\drivers\tcpip.sys
0x0197B000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x01A0C000 \SystemRoot\System32\Drivers\Ntfs.sys
0x01B90000 \SystemRoot\system32\drivers\wd.sys
0x01B98000 \SystemRoot\system32\drivers\volsnap.sys
0x01BDC000 \SystemRoot\System32\Drivers\spldr.sys
0x01BE4000 \SystemRoot\system32\drivers\sbp2port.sys
0x019A7000 \SystemRoot\System32\Drivers\mup.sys
0x019B9000 \SystemRoot\System32\drivers\ecache.sys
0x01A00000 \SystemRoot\system32\DRIVERS\hpdskflt.sys
0x019E5000 \SystemRoot\system32\drivers\disk.sys
0x016B7000 \SystemRoot\system32\drivers\crcdisk.sys
0x016E5000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x016F2000 \SystemRoot\system32\DRIVERS\tunmp.sys
0x016FB000 \SystemRoot\system32\DRIVERS\intelppm.sys
0x019F9000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0x02A00000 \SystemRoot\system32\DRIVERS\igdkmd64.sys
0x0170E000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x031AB000 \SystemRoot\System32\drivers\watchdog.sys
0x031BA000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0x03204000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x0324A000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x0325B000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0x0326E000 \SystemRoot\system32\DRIVERS\bcmwl664.sys
0x031C6000 \SystemRoot\system32\DRIVERS\Rtlh64.sys
0x033E6000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0x031F4000 \SystemRoot\system32\DRIVERS\HpqKbFiltr.sys
0x017ED000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x03400000 \SystemRoot\system32\DRIVERS\SynTP.sys
0x03444000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x03446000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x03452000 \SystemRoot\system32\DRIVERS\enecir.sys
0x0346E000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x0348A000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0x03493000 \SystemRoot\system32\DRIVERS\Accelerometer.sys
0x0349F000 \SystemRoot\system32\DRIVERS\msiscsi.sys
0x034D7000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x034E4000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x03507000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x03513000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x03544000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x03554000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x03572000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x0358A000 \SystemRoot\system32\DRIVERS\termdd.sys
0x0359C000 \SystemRoot\system32\DRIVERS\swenum.sys
0x0359E000 \SystemRoot\system32\DRIVERS\ks.sys
0x035D2000 \SystemRoot\system32\DRIVERS\circlass.sys
0x035E3000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0x035EE000 \SystemRoot\system32\DRIVERS\umbus.sys
0x0380E000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x03855000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x03869000 \SystemRoot\system32\DRIVERS\stwrt64.sys
0x038E0000 \SystemRoot\system32\DRIVERS\portcls.sys
0x0391B000 \SystemRoot\system32\DRIVERS\drmk.sys
0x0393E000 \SystemRoot\system32\drivers\ksthunk.sys
0x03944000 \SystemRoot\system32\drivers\IntcHdmi.sys
0x03968000 \SystemRoot\system32\DRIVERS\hidir.sys
0x03973000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0x03985000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x0398D000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0x03997000 \SystemRoot\system32\DRIVERS\mouhid.sys
0x039A2000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0x039AC000 \SystemRoot\System32\Drivers\Null.SYS
0x039B5000 \SystemRoot\System32\drivers\vga.sys
0x039C3000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x039E8000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x039F1000 \SystemRoot\system32\drivers\rdpencdd.sys
0x03800000 \SystemRoot\System32\Drivers\Msfs.SYS
0x015CC000 \SystemRoot\System32\Drivers\Npfs.SYS
0x01600000 \SystemRoot\System32\DRIVERS\rasacd.sys
0x015DD000 \SystemRoot\system32\DRIVERS\tdx.sys
0x013CE000 \SystemRoot\System32\Drivers\aswTdi.SYS
0x013DE000 \SystemRoot\system32\DRIVERS\smb.sys
0x04805000 \SystemRoot\system32\drivers\afd.sys
0x04871000 \SystemRoot\System32\Drivers\aswRdr.SYS
0x0487B000 \SystemRoot\System32\DRIVERS\netbt.sys
0x048BF000 \SystemRoot\system32\DRIVERS\pacer.sys
0x048DD000 \SystemRoot\system32\DRIVERS\netbios.sys
0x048EC000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x04907000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x04955000 \SystemRoot\system32\drivers\nsiproxy.sys
0x04961000 \SystemRoot\System32\Drivers\dfsc.sys
0x0497E000 \SystemRoot\System32\Drivers\aswSP.SYS
0x049A1000 \SystemRoot\System32\Drivers\crashdmp.sys
0x049AF000 \SystemRoot\System32\Drivers\dump_dumpata.sys
0x049BB000 \SystemRoot\System32\Drivers\dump_msahci.sys
0x049C5000 \SystemRoot\system32\drivers\RTSTOR64.SYS
0x00070000 \SystemRoot\System32\win32k.sys
0x049DA000 \SystemRoot\System32\drivers\Dxapi.sys
0x016C1000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0x049E6000 \SystemRoot\system32\DRIVERS\hidusb.sys
0x15A0B000 \SystemRoot\System32\Drivers\usbvideo.sys
0x15A35000 \SystemRoot\System32\Drivers\BTHUSB.sys
0x15A43000 \SystemRoot\System32\Drivers\bthport.sys
0x15AF1000 \SystemRoot\system32\DRIVERS\monitor.sys
0x15B04000 \SystemRoot\system32\DRIVERS\rfcomm.sys
0x15B35000 \SystemRoot\system32\DRIVERS\BthEnum.sys
0x15B42000 \SystemRoot\system32\DRIVERS\bthpan.sys
0x15B61000 \SystemRoot\system32\DRIVERS\bthmodem.sys
0x15B72000 \SystemRoot\system32\drivers\modem.sys
0x15B81000 \SystemRoot\system32\drivers\btwavdt.sys
0x04C09000 \SystemRoot\system32\drivers\btwaudio.sys
0x04C8D000 \SystemRoot\system32\DRIVERS\btwrchid.sys
0x00410000 \SystemRoot\System32\TSDDD.dll
0x00600000 \SystemRoot\System32\cdd.dll
0x04C91000 \SystemRoot\system32\drivers\luafv.sys
0x04CB3000 \??\C:\Windows\system32\drivers\aswMonFlt.sys
0x04CCD000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
0x04CD6000 \SystemRoot\system32\drivers\spsys.sys
0x04D70000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x04D84000 \SystemRoot\system32\DRIVERS\nwifi.sys
0x04DB8000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x04DC3000 \SystemRoot\system32\DRIVERS\rspndr.sys
0x04DDB000 \SystemRoot\system32\DRIVERS\cdfs.sys
0x17602000 \SystemRoot\system32\drivers\HTTP.sys
0x176A1000 \SystemRoot\System32\DRIVERS\srvnet.sys
0x176CA000 \SystemRoot\system32\DRIVERS\bowser.sys
0x176E8000 \SystemRoot\System32\drivers\mpsdrv.sys
0x17702000 \SystemRoot\system32\drivers\mrxdav.sys
0x17729000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x17752000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x1779B000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x177BA000 \SystemRoot\System32\DRIVERS\srv2.sys
0x17806000 \SystemRoot\System32\DRIVERS\srv.sys
0x1789D000 \SystemRoot\system32\drivers\peauth.sys
0x17953000 \SystemRoot\System32\Drivers\secdrv.SYS
0x1795E000 \SystemRoot\System32\drivers\tcpipreg.sys
0x1796D000 \??\C:\Program Files (x86)\Hewlett-Packard\Media\DVD\000.fcl
0x17998000 \SystemRoot\system32\drivers\MSPQM.sys
0x77A90000 \Windows\System32\ntdll.dll

Processes (total 77):
0 System Idle Process
4 System
436 C:\Windows\System32\smss.exe
548 csrss.exe
600 C:\Windows\System32\wininit.exe
620 csrss.exe
656 C:\Windows\System32\services.exe
668 C:\Windows\System32\lsass.exe
676 C:\Windows\System32\lsm.exe
784 C:\Windows\System32\winlogon.exe
868 C:\Windows\System32\svchost.exe
944 C:\Windows\System32\svchost.exe
988 C:\Windows\System32\svchost.exe
348 C:\Windows\System32\svchost.exe
444 C:\Windows\System32\svchost.exe
516 C:\Windows\System32\svchost.exe
504 C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_8aadd48d\stacsv64.exe
1120 C:\Windows\System32\audiodg.exe
1268 C:\Windows\System32\SLsvc.exe
1292 C:\Windows\System32\svchost.exe
1372 C:\Windows\System32\hpservice.exe
1440 C:\Windows\System32\svchost.exe
1616 C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
1664 C:\Windows\System32\dwm.exe
1688 C:\Windows\System32\wlanext.exe
1732 C:\Windows\explorer.exe
1856 C:\Windows\System32\hkcmd.exe
1864 C:\Windows\System32\igfxpers.exe
1872 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
1880 C:\Program Files\IDT\WDM\sttray64.exe
1896 C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
1908 C:\Program Files\Windows Defender\MSASCui.exe
1932 C:\Program Files\Windows Sidebar\sidebar.exe
1948 C:\Windows\ehome\ehtray.exe
1968 C:\Windows\System32\igfxsrvc.exe
1984 C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
1996 C:\Users\Steak\AppData\Roaming\Dropbox\bin\Dropbox.exe
2028 C:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe
2036 C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe
2044 C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
1400 C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
1428 C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe
1556 C:\Program Files (x86)\Hp\HP Software Update\hpwuSchd2.exe
1628 C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
1436 C:\Windows\ehome\ehmsas.exe
2072 C:\Program Files (x86)\Cisco\Cisco NAC Agent\NACAgentUI.exe
2288 C:\Program Files\Alwil Software\Avast5\AvastUI.exe
2380 C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
2416 C:\Windows\System32\taskeng.exe
2560 C:\Windows\System32\spoolsv.exe
2584 C:\Windows\System32\svchost.exe
2720 C:\Windows\System32\taskeng.exe
2476 C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_8aadd48d\AESTSr64.exe
876 C:\Windows\System32\svchost.exe
2672 C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
308 C:\Windows\System32\lxbvcoms.exe
3112 C:\Program Files (x86)\Cisco\Cisco NAC Agent\NACAgent.exe
3204 C:\Windows\System32\svchost.exe
3272 C:\Program Files (x86)\SMINST\BLService.exe
3392 C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe
3432 C:\Windows\System32\svchost.exe
3528 C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVCapSvc.exe
3544 C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVSched.exe
3576 C:\Windows\System32\svchost.exe
3608 C:\Windows\System32\SearchIndexer.exe
3648 C:\Program Files\WIDCOMM\Bluetooth Software\BTStackServer.exe
4000 C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe
3308 WmiPrvSE.exe
3488 C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe
4076 WmiPrvSE.exe
892 C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
4524 C:\Program Files (x86)\Hewlett-Packard\Shared\HpqToaster.exe
4592 C:\Users\Steak\Desktop\MBRCheck.exe
4720 C:\Windows\System32\wbem\unsecapp.exe
4920 C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
4448 C:\Program Files\Windows Media Player\wmpnscfg.exe
4220 C:\Program Files\Windows Media Player\wmpnetwk.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00100000 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000047`60c00000 (NTFS)

PhysicalDrive0 Model Number: FUJITSUMJA2320BHG2, Rev: 8919

Size Device Name MBR Status
--------------------------------------------
298 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: E6CCDBFD8F5B3DAA80CE1AA64C67955A606A347D


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.

Enter your choice: Enter the physical disk number to dump (0-99, -1 to exit): 0Dumping \\.\PhysicalDisk0...
Enter filename to dump to: nonstandardmbrDumped successfully!

Enter the physical disk number to dump (0-99, -1 to exit): 1Dumping \\.\PhysicalDisk1...
Enter filename to dump to: mbr2Error opening disk (2)!

Enter the physical disk number to dump (0-99, -1 to exit): -1

Done!

#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:12:38 AM

Posted 20 November 2011 - 07:55 PM

  • Please download MBRBackup to your Desktop.
  • Double-click or Right-click on MBRBackup.exe and select Run as Administrator to launch the program.
  • Click on SaveMBR... (top left corner) and save the backup file to your Desktop. It will have a name similar to MBR_2010-11-10.bin, where the numbers correspond to the date the backup was made.
  • Save this file to the desktop >> click on Exit.
  • Now Zip this file up and post as an attachment in your next reply please.

  • Download NTBR_CD by noahdfear to the desktop.
  • Click on the NTBR_CD.exe to extract its contents to the desktop.
  • Once extracted, open the NTBR_CD folder and click on the BurnItCD application.
  • Insert a blank CD when prompted. The .iso image will be burned to the CD.
  • Boot the computer with the CD you just burned and follow the prompts.
  • Press Enter for English.
  • At the menu type 1 to select MBRWORK then hit Enter

    This screen will show the hard drive configuration.
  • Type 5 to Install standard MBR code then hit Enter
  • Type 1 to select Standard then hit Enter
  • Type Y then hit Enter to confirm
  • Type E then hit Enter to exit
  • Back at the menu, type 6 to Quit.
  • Press Ctrl+Alt+Del to restart the machine.
  • Eject the CD upon restart and boot normally.

Now please rerun MBRCheck and post the new log.

Edited by m0le, 20 November 2011 - 07:56 PM.

m0le is a proud member of UNITE
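Both the MBRCheck dump above (the file lintlicker saved as "nonstandardmbr") and the MBR_<date>.bin that MBRBackup writes in the steps just given are a single raw 512-byte sector. The following Python script is an added example for readers of this thread; it is not part of the thread and is not MBRCheck's or MBRBackup's own code. It parses such a dump: it checks the 55 AA boot signature, decodes the four partition-table entries (so you can see that the start LBAs line up with the byte offsets MBRCheck printed for C: and D:), hashes the 446-byte boot-code area with SHA1 so it can be compared against a hash of a known-good backup, and flags structural oddities (bad boot flags, overlapping entries, an all-zero code area). The built-in sample sector is constructed for the demo, with partition sizes assumed; only the two start offsets come from the log. Note what the script cannot do: a hash or parser cannot tell legitimate OEM boot code from unwanted code, which is exactly why MBRCheck reports "Unknown MBR code" rather than "infected" and why the helper's next step is to rewrite standard code.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445 hold the bootstrap code
TABLE_OFFSET = 446           # four 16-byte partition entries follow the code
SIGNATURE_OFFSET = 510       # the last two bytes must be 55 AA
ENTRY_FMT = "<B3sB3sII"      # flag, CHS start, type, CHS end, LBA start, sector count


def pack_entry(boot_flag, part_type, lba_start, lba_count):
    """Pack one partition-table entry; CHS fields are left zero (LBA-only)."""
    return struct.pack(ENTRY_FMT, boot_flag, b"\0\0\0", part_type, b"\0\0\0",
                       lba_start, lba_count)


def build_sample_mbr():
    """Constructed 512-byte MBR for the demo; not a real dump from the thread.
    Start LBAs are chosen so the partitions begin at the byte offsets MBRCheck
    printed for C: (0x100000) and D: (0x4760c00000); the sizes are assumed."""
    boot_code = (b"\xEB\x3C\x90" + b"CONSTRUCTED-SAMPLE-BOOT-CODE").ljust(BOOT_CODE_LEN, b"\0")
    table = pack_entry(0x80, 0x07, 2048, 598_759_424)          # C:, active, NTFS
    table += pack_entry(0x00, 0x07, 598_761_472, 26_380_976)   # D:, NTFS
    table += b"\0" * 32                                        # two empty slots
    return boot_code + table + b"\x55\xAA"


def parse_mbr(sector):
    """Decode signature, partition table and boot-code hash from one sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    partitions = []
    for slot in range(4):
        flag, _, ptype, _, start, count = struct.unpack_from(
            ENTRY_FMT, sector, TABLE_OFFSET + 16 * slot)
        if ptype == 0 and start == 0 and count == 0:
            continue                                           # unused slot
        partitions.append({
            "slot": slot, "boot_flag": flag, "type": ptype,
            "start_lba": start, "sector_count": count,
            "start_byte_offset": start * SECTOR_SIZE,
        })
    return {
        "signature_ok": sector[SIGNATURE_OFFSET:] == b"\x55\xAA",
        "boot_code_sha1": hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest(),
        "sector_sha1": hashlib.sha1(sector).hexdigest(),
        "partitions": partitions,
    }


def check_mbr(sector):
    """Return a list of structural findings; an empty list means nothing odd."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature is not 55 AA")
    parts = info["partitions"]
    if sum(1 for p in parts if p["boot_flag"] == 0x80) > 1:
        findings.append("more than one partition flagged active")
    for p in parts:
        if p["boot_flag"] not in (0x00, 0x80):
            findings.append(f"slot {p['slot']}: invalid boot flag 0x{p['boot_flag']:02x}")
        if p["sector_count"] == 0:
            findings.append(f"slot {p['slot']}: zero-length partition")
    ordered = sorted(parts, key=lambda p: p["start_lba"])
    for a, b in zip(ordered, ordered[1:]):
        if a["start_lba"] + a["sector_count"] > b["start_lba"]:
            findings.append(f"slots {a['slot']} and {b['slot']} overlap")
    if sector[:BOOT_CODE_LEN] == b"\0" * BOOT_CODE_LEN:
        findings.append("boot code area is entirely zero")
    return findings


def load_mbr_dump(path):
    """Read the first 512 bytes of a dump such as MBRCheck's file or MBRBackup's .bin."""
    with open(path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


if __name__ == "__main__":
    import sys
    sector = load_mbr_dump(sys.argv[1]) if len(sys.argv) > 1 else build_sample_mbr()
    info = parse_mbr(sector)
    print("signature ok:", info["signature_ok"])
    print("boot code SHA1:", info["boot_code_sha1"])
    for p in info["partitions"]:
        print(f"slot {p['slot']}: type 0x{p['type']:02x} flag 0x{p['boot_flag']:02x} "
              f"start LBA {p['start_lba']} (byte offset 0x{p['start_byte_offset']:x}) "
              f"count {p['sector_count']}")
    for finding in check_mbr(sector):
        print("finding:", finding)
```

Run it with the path to a dump (`python mbrparse.py MBR_2010-11-10.bin`) or with no argument to see the constructed sample. Comparing `boot_code_sha1` between the current sector and a backup taken before the problem started tells you whether the code area changed; comparing the partition entries tells you whether a repair tool rewrote anything other than the code, which the standard-code rewrite in the steps above should not do.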

#11 lintlicker

lintlicker
  • Topic Starter

  • Members
  • 15 posts
  • Local time:07:38 PM

Posted 20 November 2011 - 10:03 PM

I started the process tonight, but I do not have a blank CD on hand. I will finish the process tomorrow. Here's the zip of the MBR.

Attached Files

  • Attached File: mbr.zip (567 bytes)


#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:12:38 AM

Posted 21 November 2011 - 05:48 PM

:thumbup2:
m0le is a proud member of UNITE

#13 lintlicker

lintlicker
  • Topic Starter

  • Members
  • 15 posts
  • Local time:07:38 PM

Posted 22 November 2011 - 12:43 PM

I'm having trouble booting from CD. I set the BIOS to boot from the CD, but when I try and run the program, it gives me all sorts of crazy error messages like "can't read cd" and "no cd drive" and "can't find file". I've suspected that my CD-ROM might be crapping out, so I learned myself to make a boot USB drive, and I'm going to try it tonight. Just wanted to post to keep you up to date.

#14 lintlicker

lintlicker
  • Topic Starter

  • Members
  • 15 posts
  • Local time:07:38 PM

Posted 22 November 2011 - 06:09 PM

I am still unable to run the utility. Can you offer advice about how to write the .iso to a flash drive? I cannot find a method that does not automatically try to create a Windows boot or a Linux boot.

Sorry to be helpless. I've googled myself stupid on this.

#15 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:12:38 AM

Posted 22 November 2011 - 08:31 PM

We have to try an alternative method which does not involve the CD-ROM but will copy an .iso to a flash drive.

Download http://unetbootin.sourceforge.net/unetbootin-xpud-windows-latest.exe & http://noahdfear.net/downloads/bootable/xPUD/xpud-0.9.2.iso to the desktop of your clean computer
  • Insert your USB drive
  • Press Start > My Computer > right click your USB drive > choose Format > Quick format
  • Double click the unetbootin-xpud-windows-387.exe that you just downloaded
  • Press Run then OK
  • Select the DiskImage option then click the browse button located on the right side of the textbox field.
  • Browse to and select the xpud-0.9.2.iso file you downloaded
  • Verify the correct drive letter is selected for your USB device then click OK
  • It will install a little bootable OS on your USB device
  • Once the files have been written to the device you will be prompted to reboot ~ do not reboot and instead just Exit the UNetbootin interface
  • After it has completed do not choose to reboot the clean computer simply close the installer
  • Download xPUDtestdisk.exe and save it to the usb device, then double click it to extract the contents. It will create a folder named testdisk on the device.
  • Remove the USB and insert it in the sick computer
  • Boot the Sick computer
  • Press F12 and choose to boot from the USB
  • Follow the prompts
  • A Welcome to xPUD screen will appear


Now to run TestDisk in the xPUD environment

  • Press File
  • Expand mnt
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive
  • Confirm that you see TestDisk that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type testdisk/testdisk_static
  • Press Enter
  • Start TestDisk.
  • The first screen will present log options - press Enter to continue.

  • TestDisk will scan the system and show drive information.
  • If more than 1 drive, select the correct drive, make sure [Proceed] is selected then press Enter to continue.

  • Select [Intel] partition and press Enter to continue.

  • Select [MBR Code] and press Enter to continue.

  • Type Y when prompted to write a new MBR code to the first sector, then confirm at the next screen by typing Y again.

  • Press Q repeatedly until TestDisk exits then remove the USB and reboot.

m0le is a proud member of UNITE
