
Infected with recurring Trojan Zefarch


  • This topic is locked
16 replies to this topic

#1 BxSLY

BxSLY

  • Members
  • 8 posts

Posted 28 November 2011 - 06:59 PM

The issue began when I was suddenly being redirected to different sites when clicking on Google search results. This problem was fixed when Symantec Endpoint Protection notified me of a Trojan.Zefarch and said it was “cleaned by deletion”. However, since that initial notification, I now receive the same Symantec notification and deletion of a Trojan.Zefarch every time I boot the computer. I am not sure if this is relevant, but I also receive one other notification window each time I start my computer, which just began about a week ago, which says:
“Error loading C:\Users\xSLYx\AppData\Local\sclsd8.dll
The specified module could not be found.”
I have attached the DDS log below, but I was not able to complete the GMER log. The first time I tried the scan I had left the computer since the scan was taking an extended period of time and when I returned, the program had seemingly closed itself. I tried to reopen GMER but it gave me an error message saying something along the lines that it was already running (I accidentally closed out before I copied the exact message). Afterwards, I deleted all of the GMER files and re-downloaded it. After beginning the scan a second time, the scan seemed to be going fine for a while but then I noticed my mouse was beginning to move much slower so I left the computer alone for a while. When I returned to it, the computer was completely frozen (no mouse movement, keys would not work, etc). Any assistance with this issue would be extremely appreciated.
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.6002.18005 BrowserJavaVersion: 1.6.0_21
Run by xSLYx at 17:33:19 on 2011-11-28
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3581.2285 [GMT -5:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Program Files\Fingerprint Reader Suite\upeksvr.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\aestsrv.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\M-Audio\M-Audio Series II MIDI\MA_CMIDI_Inst.exe
C:\Program Files\Motorola\MotoHelper\MotoHelperService.exe
C:\Program Files\Motorola\Moto Helper Service\MotoHelper.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Motorola\MotoHelper\MotoHelperAgent.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Cisco\Cisco NAC Agent\NACAgent.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\Cisco\Cisco NAC Agent\NACAgentUI.exe
C:\Windows\system32\schtasks.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\STacSV.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Windows\OEM02Mon.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Program Files\Fingerprint Reader Suite\psqltray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Users\xSLYx\AppData\Local\Nike\Nike+ Connect\Nike+ Connect daemon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\SetPoint\SetPoint.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
c:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Windows\System32\bcmwltry.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\DllHost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2801948
uWindow Title = Internet Explorer provided by Dell
uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0080626
uURLSearchHooks: agihelper.AGUtils: {0bc6e3fa-78ef-4886-842c-5a1258c4455a} - mscoree.dll
uURLSearchHooks: NCH EN Toolbar: {37483b40-c254-4a72-bda4-22ee90182c1e} - c:\program files\nch_en\prxtbNCH_.dll
mURLSearchHooks: NCH EN Toolbar: {37483b40-c254-4a72-bda4-22ee90182c1e} - c:\program files\nch_en\prxtbNCH_.dll
mURLSearchHooks: agihelper.AGUtils: {0bc6e3fa-78ef-4886-842c-5a1258c4455a} - mscoree.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: {04cbc846-519b-4b55-805e-f8f95764bdda} - c:\windows\system32\apilogen32.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: agihelper.AGUtils: {0bc6e3fa-78ef-4886-842c-5a1258c4455a} - mscoree.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
BHO: NCH EN Toolbar: {37483b40-c254-4a72-bda4-22ee90182c1e} - c:\program files\nch_en\prxtbNCH_.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: NCH EN Toolbar: {37483b40-c254-4a72-bda4-22ee90182c1e} - c:\program files\nch_en\prxtbNCH_.dll
TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
TB: {FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Tunebite] c:\program files\rapidsolution\tunebite\Tunebite.exe -tray
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [Lzujec] rundll32.exe "c:\users\xslyx\appdata\local\udasojoloni.dll",Startup
uRun: [Ocahiruj] rundll32.exe "c:\users\xslyx\appdata\local\sclsd8.dll",Startup
uRun: [Nike+ Connect] "c:\users\xslyx\appdata\local\nike\nike+ connect\Nike+ Connect daemon.exe"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exe
mRun: [Logitech Hardware Abstraction Layer] "c:\program files\common files\logitech\khalshared\KHALMNPR.EXE"
mRun: [<NO NAME>]
mRun: [PSQLLauncher] "c:\program files\fingerprint reader suite\launcher.exe" /startup
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [SPIRunE] Rundll32 SPIRunE.dll,RunDLLEntry
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [TuneClone] c:\program files\tuneclone\TuneClone.exe /silence
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [Adobe_ID0ENQBO] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [XboxStat] "c:\program files\microsoft xbox 360 accessories\XboxStat.exe" silentrun
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [NACAgentUI] c:\program files\cisco\cisco nac agent\NACAgentUI.exe
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
StartupFolder: c:\users\xslyx\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\setpoint.lnk - c:\program files\setpoint\SetPoint.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: DisableCAD = 1 (0x1)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
Trusted Zone: line6.net
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{8DDC4915-432F-4089-8CCB-335BCD2CEB51} : DhcpNameServer = 192.168.2.1
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: psfus - c:\windows\system32\psqlpwd.dll
LSA: Notification Packages = scecli psqlpwd
mASetup: {61E3FE32-07B9-4563-A3E0-2DE2D620FE10} - c:\program files\pixiepack codec pack\InstallerHelper.exe
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\xslyx\appdata\roaming\mozilla\firefox\profiles\mr2le8ch.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 51152
FF - prefs.js: network.proxy.type - 0
FF - component: c:\users\xslyx\appdata\roaming\mozilla\firefox\profiles\mr2le8ch.default\extensions\{12e4c684-c03e-4e4d-85bc-0c065e7a9489}\components\WinampPlayer.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
============= SERVICES / DRIVERS ===============
.
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\AEstSrv.exe [2008-6-25 73728]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 MotoHelper.exe;Motorola Helper;c:\program files\motorola\moto helper service\MotoHelper.exe [2010-9-14 6656]
R2 MotoHelper;MotoHelper Service;c:\program files\motorola\motohelper\MotoHelperService.exe [2011-1-27 226624]
R2 NACAgent;Cisco NAC Agent;c:\program files\cisco\cisco nac agent\NACAgent.exe [2009-6-22 715400]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2009-8-12 2440632]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-9-14 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-11-13 106104]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 LanmanServer32;Server ;c:\windows\system32\mmcss32.exe --> c:\windows\system32\mmcss32.exe [?]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 284016]
S3 BTCFilterService;USB Networking Driver Filter Service;c:\windows\system32\drivers\motfilt.sys [2009-1-29 6016]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2009-8-12 23888]
S3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files\common files\creative labs shared\service\AL6Licensing.exe [2009-10-24 79360]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2009-10-23 79360]
S3 L6TPortA;Service - Line 6 TonePort UX1;c:\windows\system32\drivers\L6TPortA.sys [2009-1-6 530816]
S3 motandroidusb;Mot ADB Interface Driver;c:\windows\system32\drivers\motoandroid.sys [2009-7-10 25856]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2010-12-3 20352]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2009-1-29 8320]
S3 Motousbnet;Motorola USB Networking Driver Service;c:\windows\system32\drivers\Motousbnet.sys [2010-4-1 23424]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2010-9-29 24064]
S3 t3;SB Xtreme Audio Notebook;c:\windows\system32\drivers\t3.sys [2009-5-6 413208]
S3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\zune\WMZuneComm.exe [2010-11-11 268528]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S3 wsvad_driver;Daniusoft Audio Device;c:\windows\system32\drivers\VirtualAudio.sys [2008-11-12 20352]
S4 iaNvStor;Intel® Turbo Memory Controller;c:\windows\system32\drivers\iaNvStor.sys [2008-6-26 209408]
.
=============== File Associations ===============
.
regfile="regedit.exe" "%1"
.
=============== Created Last 30 ================
.
2011-11-28 22:28:36 -------- d-----w- c:\users\xslyx\appdata\local\{D5325080-3388-4965-A06F-6B41D22A2C42}
2011-11-28 19:15:16 100864 ----a-w- C:\kgloipob.sys
2011-11-28 18:24:32 -------- d-----w- c:\users\xslyx\appdata\local\{A1763617-4CF4-42E6-8299-A610F33B2473}
2011-11-28 17:31:22 -------- d-----w- c:\users\xslyx\appdata\local\{1E18D229-C8FC-44F8-BB03-F8B6829D43B0}
2011-11-28 13:22:28 -------- d-----w- c:\users\xslyx\appdata\local\{8D3428D1-88D4-43B1-9702-5CACE24CFB4A}
2011-11-28 02:06:08 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{24227be5-7b15-46a3-8ddc-ceec86087907}\offreg.dll
2011-11-28 02:05:56 6668624 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{24227be5-7b15-46a3-8ddc-ceec86087907}\mpengine.dll
2011-11-28 01:56:50 -------- d-----w- c:\users\xslyx\appdata\local\{346B509C-36ED-4587-BE94-0AE5C0FCC76F}
2011-11-21 23:54:02 -------- d-----w- c:\users\xslyx\appdata\local\{75EC7AD5-B4A6-478E-AA01-CA09D6F80C8B}
2011-11-21 23:52:00 -------- d-----w- c:\users\xslyx\appdata\local\{33DB7EA6-D68B-47D7-A760-686DF85F4366}
2011-11-21 19:05:37 -------- d-----w- c:\users\xslyx\appdata\local\{D633E50C-E504-4B13-9346-0C37BF4187D2}
2011-11-21 19:04:14 -------- d-----w- c:\users\xslyx\appdata\local\{4560EC99-24B9-4405-B7E8-71D116D7DB23}
2011-11-21 09:21:02 -------- d-----w- c:\users\xslyx\appdata\local\{34FE37C6-404F-4C07-BA0F-DCBACBE1D1C2}
2011-11-21 01:12:01 -------- d-----w- c:\users\xslyx\appdata\local\{EF2E1F2D-2E48-47A1-AA4E-991C6F454FBE}
2011-11-20 19:11:38 -------- d-----w- c:\users\xslyx\appdata\local\{376EA6E4-410B-4C60-8128-0FEFFD8C96E6}
2011-11-20 18:35:25 -------- d-----w- c:\users\xslyx\appdata\local\{4337B71B-9F57-410D-8DA9-3D59D23FB13F}
2011-11-19 18:47:27 -------- d-----w- c:\users\xslyx\appdata\local\{3FD6151E-A2EB-4FC0-BEE7-D24023C64DF9}
2011-11-19 01:42:09 -------- d-----w- c:\users\xslyx\appdata\local\{A4E3228F-B1EF-4EA9-A93C-B5CCA2E56C9C}
2011-11-19 00:56:15 -------- d-----w- c:\users\xslyx\appdata\local\{1D131E00-E2A4-4917-8008-4B47D26C21C4}
2011-11-18 04:58:03 -------- d-----w- c:\users\xslyx\appdata\local\{21ED4D36-B049-4E16-9E26-39364D58F835}
2011-11-17 21:55:45 -------- d-----w- c:\users\xslyx\appdata\local\{612EE761-5442-4442-81B8-0CA33AAC21E6}
2011-11-17 21:54:11 -------- d-----w- c:\users\xslyx\appdata\local\{7FD549AE-39B7-4E73-A1FD-22019C1AD89C}
2011-11-17 06:26:46 -------- d-----w- c:\users\xslyx\appdata\local\{4C6CC49A-4249-413E-A1C3-DBFABBB9D565}
2011-11-17 06:24:36 -------- d-----w- c:\users\xslyx\appdata\local\{F35A5B7C-2776-4616-874F-50ADD60208D5}
2011-11-17 05:57:45 -------- d-----w- c:\users\xslyx\appdata\local\{D12A4229-5F0F-4E6D-85FA-7BA87019D220}
2011-11-17 05:55:42 -------- d-----w- c:\users\xslyx\appdata\local\{A5993699-74A1-412D-8FAF-DE85699D911F}
2011-11-15 21:34:25 -------- d-----w- c:\users\xslyx\appdata\local\{F03EBCB5-AEF8-4BB1-9466-61EA5F3B15F4}
2011-11-15 21:32:00 -------- d-----w- c:\users\xslyx\appdata\local\{88773CF6-62B2-4D14-B6BA-99F1B658E6A6}
2011-11-14 17:05:03 -------- d-----w- c:\users\xslyx\appdata\local\{31BA9563-D94C-4A98-B078-6F2E51434B31}
2011-11-14 17:04:00 -------- d-----w- c:\users\xslyx\appdata\local\{50D95E80-4C57-429D-BE35-18CCD61573FB}
2011-11-14 15:37:16 -------- d-----w- c:\users\xslyx\appdata\local\{951691AA-0399-4EF2-BD27-F7948050CD92}
2011-11-14 15:35:18 -------- d-----w- c:\users\xslyx\appdata\local\{A32E2A8A-418F-4143-8B01-EC5C3CFE3989}
2011-11-13 19:03:36 -------- d-----w- c:\users\xslyx\appdata\local\{A13B3F57-4C04-4C13-94A3-6F7715F84087}
2011-11-13 18:45:11 905088 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-11-13 18:45:08 707584 ----a-w- c:\program files\common files\system\wab32.dll
2011-11-13 18:44:50 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2011-11-13 17:47:48 -------- d-----w- c:\users\xslyx\appdata\local\{509BB726-BF48-4848-9F56-440B4723C767}
2011-11-07 04:10:42 -------- d-----w- c:\users\xslyx\appdata\local\{A5E002BA-755E-421D-B503-ABAE912460B7}
2011-11-07 04:08:54 -------- d-----w- c:\users\xslyx\appdata\local\{5981248C-1C81-4D97-B14D-346040CC0AF0}
2011-11-06 16:54:26 -------- d-----w- c:\users\xslyx\appdata\local\{4B2D3212-9556-440C-8F70-DCE446F81081}
2011-11-06 00:55:15 -------- d-----w- c:\users\xslyx\appdata\local\{4F7F3382-CEB0-454E-A3A3-4CDB7E343313}
2011-11-06 00:28:29 -------- d-----w- c:\users\xslyx\appdata\local\{A9F6E4F7-F0CC-4AF5-A67C-9C2D1C80C6F7}
2011-11-05 18:23:41 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-11-05 18:18:35 -------- d-----w- c:\users\xslyx\appdata\local\{D6355409-9357-4B99-894F-A2218B83BA0A}
2011-11-05 02:56:25 -------- d-----w- c:\users\xslyx\appdata\local\Mixxx
2011-11-05 00:46:05 -------- d-----w- c:\users\xslyx\appdata\local\{7B0A6188-8BA7-4A53-9564-4528211993C4}
2011-11-04 20:22:16 -------- d-----w- c:\program files\VirtualDJ
2011-11-04 00:08:46 310 ----a-w- c:\windows\system32\UnifiedToolbarCleanup.bat
2011-11-03 23:59:34 -------- d-----w- c:\users\xslyx\appdata\local\{79D6CC54-2595-40E4-831D-71DCD1064962}
2011-11-02 21:38:29 -------- d-----w- c:\users\xslyx\appdata\local\{3DC60634-B23C-43CD-8415-A08F41B9DC87}
2011-11-02 01:33:04 -------- d-----w- c:\users\xslyx\appdata\local\{45FDE3D5-BE4B-4F0C-9E01-3EEBDF580ED0}
2011-11-01 20:52:31 -------- d-----w- c:\users\xslyx\appdata\local\{861DDE5F-95C1-4443-9340-8768D500EADA}
2011-11-01 20:51:13 -------- d-----w- c:\users\xslyx\appdata\local\{7967181C-5253-46E7-BF7C-46A5607AD5AA}
2011-11-01 13:40:32 -------- d-----w- c:\users\xslyx\appdata\local\{667D09EA-C065-40E7-A4AF-0F541A7FAC13}
2011-11-01 13:38:39 -------- d-----w- c:\users\xslyx\appdata\local\{BBD780D2-00BE-490A-8701-338FE3748A91}
2011-10-31 20:50:16 -------- d-----w- c:\users\xslyx\appdata\local\{6A066266-2CD3-466C-8D11-F3090DDE1AB3}
2011-10-31 02:40:44 -------- d-----w- c:\users\xslyx\appdata\local\{A77DE111-118A-451B-8E33-4A98D4C3DC70}
.
==================== Find3M ====================
.
2011-09-06 13:30:12 2043392 ----a-w- c:\windows\system32\win32k.sys
2011-09-02 13:39:07 1383424 ----a-w- c:\windows\system32\mshtml.tlb
.
============= FINISH: 17:35:03.95 ===============


#2 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • Gender:Male

Posted 03 December 2011 - 12:37 PM

Hello and welcome. Please follow these guidelines while we work on your PC:
  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I’ve given you the “All clear.” Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.
P2P - I see you have P2P software (uTorrent) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to malware infections. Please see this post for more information. I recommend that you uninstall these now. You can do so via Control Panel >> Add or Remove Programs. If you choose to keep these applications, please do not use them until our fixes at BC are complete.

Download aswMBR.exe to your desktop.
  • Double click the aswMBR.exe to run it
  • Click the "Scan" button to start scan
  • On completion of the scan click save log, save it to your desktop and post in your next reply.
Please include the following in your next post:
  • aswMBR log

Edited by RPMcMurphy, 03 December 2011 - 12:38 PM.

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.


#3 BxSLY

BxSLY
  • Topic Starter

  • Members
  • 8 posts

Posted 03 December 2011 - 02:07 PM

Thank you for your reply.
The software has been uninstalled.

aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-12-03 13:53:45
-----------------------------
13:53:45.663 OS Version: Windows 6.0.6002 Service Pack 2
13:53:45.663 Number of processors: 2 586 0x1706
13:53:45.665 ComputerName: XSLYX-PC UserName: xSLYx
13:54:36.617 Initialize success
13:55:56.133 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
13:55:56.139 Disk 0 Vendor: WDC_WD25 01.0 Size: 238475MB BusType: 3
13:55:56.214 Disk 0 MBR read successfully
13:55:56.221 Disk 0 MBR scan
13:55:56.229 Disk 0 Windows VISTA default MBR code
13:55:56.239 Disk 0 scanning sectors +488394752
13:55:56.368 Disk 0 scanning C:\Windows\system32\drivers
13:56:15.813 Service scanning
13:56:17.365 Service SysPlant C:\Windows\SYSTEM32\Drivers\SysPlant.sys **LOCKED** 32
13:56:17.383 Service Teefer2 C:\Windows\system32\DRIVERS\teefer2.sys **LOCKED** 32
13:56:17.445 Service WPS C:\Windows\system32\drivers\wpsdrvnt.sys **LOCKED** 32
13:56:17.453 Service WpsHelper C:\Windows\system32\drivers\WpsHelper.sys **LOCKED** 32
13:56:17.976 Modules scanning
13:56:33.301 Disk 0 trace - called modules:
13:56:33.362 ntkrnlpa.exe CLASSPNP.SYS disk.sys iastor.sys hal.dll
13:56:33.394 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86bc5ac8]
13:56:33.412 3 CLASSPNP.SYS[8c5a58b3] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x85712030]
13:56:33.432 Scan finished successfully
13:58:36.757 Disk 0 MBR has been saved successfully to "C:\Users\xSLYx\Desktop\MBR.dat"
13:58:36.775 The log file has been saved successfully to "C:\Users\xSLYx\Desktop\aswMBR.txt"

#4 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • Gender:Male

Posted 03 December 2011 - 03:25 PM

Please do this next:

Download Combofix from either of the links below, and save it to your desktop.

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link
--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.
  • If you have trouble, stop and post back. Do not try to repeatedly run comboFix!
  • When finished, it will produce a report for you.
.
Please include the following in your next post:
  • ComboFix log



#5 BxSLY

BxSLY
  • Topic Starter

  • Members
  • 8 posts

Posted 03 December 2011 - 06:01 PM

ComboFix finished with no issues and created the log below. However, I had to save the log to a USB drive and post this reply from a different computer because absolutely nothing will open on my computer (i.e. browser, files, programs, etc.) The same error message comes up when I try to open anything that says:
"Illegal operation attempted on a registry key that has been marked for deletion."


ComboFix 11-12-03.01 - xSLYx 12/03/2011 17:04:33.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3581.1768 [GMT -5:00]
Running from: c:\users\xSLYx\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\xSLYx\AppData\Local\udasojoloni.dll
c:\users\xSLYx\AppData\Roaming\3602.B17
c:\users\xSLYx\AppData\Roaming\Adobe\plugs
c:\users\xSLYx\AppData\Roaming\Adobe\plugs\KB16664401.exe
c:\users\xSLYx\AppData\Roaming\Adobe\shed
c:\users\xSLYx\AppData\Roaming\Mozilla\Firefox\Profiles\mr2le8ch.default\extensions\{475463e8-9ab4-4e58-b5b1-4b94af82783d}
c:\users\xSLYx\AppData\Roaming\Mozilla\Firefox\Profiles\mr2le8ch.default\extensions\{475463e8-9ab4-4e58-b5b1-4b94af82783d}\chrome.manifest
c:\users\xSLYx\AppData\Roaming\Mozilla\Firefox\Profiles\mr2le8ch.default\extensions\{475463e8-9ab4-4e58-b5b1-4b94af82783d}\chrome\xulcache.jar
c:\users\xSLYx\AppData\Roaming\Mozilla\Firefox\Profiles\mr2le8ch.default\extensions\{475463e8-9ab4-4e58-b5b1-4b94af82783d}\defaults\preferences\xulcache.js
c:\users\xSLYx\AppData\Roaming\Mozilla\Firefox\Profiles\mr2le8ch.default\extensions\{475463e8-9ab4-4e58-b5b1-4b94af82783d}\install.rdf
c:\users\xSLYx\POD Farm v1.02 Installer.exe
c:\users\xSLYx\POD Farm v1.03 Installer.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-11-03 to 2011-12-03 )))))))))))))))))))))))))))))))
.
.
2011-12-03 22:18 . 2011-12-03 22:30 -------- d-----w- c:\users\xSLYx\AppData\Local\temp
2011-12-03 22:18 . 2011-12-03 22:18 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-12-03 18:50 . 2011-11-21 10:47 6823496 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{C94DEB9A-2CAA-4B04-B8C6-9D908686042F}\mpengine.dll
2011-12-03 18:28 . 2011-12-03 18:28 -------- d-----w- c:\users\xSLYx\AppData\Local\{3E9B6B09-05CD-45B8-ADFF-D76DE8FEBECF}
2011-12-03 18:14 . 2011-12-03 18:14 -------- d-----w- c:\users\xSLYx\AppData\Local\{31DDE95E-229C-47C6-B189-AB10E724B6FA}
2011-12-01 08:20 . 2011-12-01 08:20 -------- d-----w- c:\users\xSLYx\AppData\Local\{3FE32D7F-7068-4B11-8463-142A8B52C146}
2011-11-30 19:09 . 2011-11-30 19:09 -------- d-----w- c:\users\xSLYx\AppData\Local\{109582D8-FB1F-419A-A820-6FB138FF51FF}
2011-11-29 21:33 . 2011-11-29 21:33 -------- d-----w- c:\users\xSLYx\AppData\Local\{BD5A1423-D74D-4D6E-84FA-14D8AC65C464}
2011-11-29 12:51 . 2011-11-29 12:51 -------- d-----w- c:\users\xSLYx\AppData\Local\{D9A1A411-DACB-4B9B-8688-6BDBC5249913}
2011-11-28 23:25 . 2011-11-28 23:25 -------- d-----w- c:\users\xSLYx\AppData\Local\{B0078AF1-2511-45E6-B574-CB9C85910E7F}
2011-11-28 22:28 . 2011-11-28 22:28 -------- d-----w- c:\users\xSLYx\AppData\Local\{D5325080-3388-4965-A06F-6B41D22A2C42}
2011-11-28 19:15 . 2011-11-28 19:15 100864 ----a-w- C:\kgloipob.sys
2011-11-28 18:24 . 2011-11-28 18:24 -------- d-----w- c:\users\xSLYx\AppData\Local\{A1763617-4CF4-42E6-8299-A610F33B2473}
2011-11-28 17:31 . 2011-11-28 17:31 -------- d-----w- c:\users\xSLYx\AppData\Local\{1E18D229-C8FC-44F8-BB03-F8B6829D43B0}
2011-11-28 13:22 . 2011-11-28 13:22 -------- d-----w- c:\users\xSLYx\AppData\Local\{8D3428D1-88D4-43B1-9702-5CACE24CFB4A}
2011-11-28 01:56 . 2011-11-28 01:56 -------- d-----w- c:\users\xSLYx\AppData\Local\{346B509C-36ED-4587-BE94-0AE5C0FCC76F}
2011-11-21 23:52 . 2011-11-21 23:52 -------- d-----w- c:\users\xSLYx\AppData\Local\{33DB7EA6-D68B-47D7-A760-686DF85F4366}
2011-11-21 19:04 . 2011-11-21 19:04 -------- d-----w- c:\users\xSLYx\AppData\Local\{4560EC99-24B9-4405-B7E8-71D116D7DB23}
2011-11-21 09:21 . 2011-11-21 09:21 -------- d-----w- c:\users\xSLYx\AppData\Local\{34FE37C6-404F-4C07-BA0F-DCBACBE1D1C2}
2011-11-21 01:12 . 2011-11-21 01:12 -------- d-----w- c:\users\xSLYx\AppData\Local\{EF2E1F2D-2E48-47A1-AA4E-991C6F454FBE}
2011-11-20 19:11 . 2011-11-20 19:11 -------- d-----w- c:\users\xSLYx\AppData\Local\{376EA6E4-410B-4C60-8128-0FEFFD8C96E6}
2011-11-20 18:35 . 2011-11-20 18:35 -------- d-----w- c:\users\xSLYx\AppData\Local\{4337B71B-9F57-410D-8DA9-3D59D23FB13F}
2011-11-19 18:47 . 2011-11-19 18:47 -------- d-----w- c:\users\xSLYx\AppData\Local\{3FD6151E-A2EB-4FC0-BEE7-D24023C64DF9}
2011-11-19 01:42 . 2011-11-19 01:42 -------- d-----w- c:\users\xSLYx\AppData\Local\{A4E3228F-B1EF-4EA9-A93C-B5CCA2E56C9C}
2011-11-19 00:56 . 2011-11-19 00:56 -------- d-----w- c:\users\xSLYx\AppData\Local\{1D131E00-E2A4-4917-8008-4B47D26C21C4}
2011-11-18 04:58 . 2011-11-18 04:58 -------- d-----w- c:\users\xSLYx\AppData\Local\{21ED4D36-B049-4E16-9E26-39364D58F835}
2011-11-17 21:54 . 2011-11-17 21:54 -------- d-----w- c:\users\xSLYx\AppData\Local\{7FD549AE-39B7-4E73-A1FD-22019C1AD89C}
2011-11-17 06:24 . 2011-11-17 06:24 -------- d-----w- c:\users\xSLYx\AppData\Local\{F35A5B7C-2776-4616-874F-50ADD60208D5}
2011-11-17 05:55 . 2011-11-17 05:55 -------- d-----w- c:\users\xSLYx\AppData\Local\{A5993699-74A1-412D-8FAF-DE85699D911F}
2011-11-15 21:32 . 2011-11-15 21:32 -------- d-----w- c:\users\xSLYx\AppData\Local\{88773CF6-62B2-4D14-B6BA-99F1B658E6A6}
2011-11-14 17:04 . 2011-11-14 17:04 -------- d-----w- c:\users\xSLYx\AppData\Local\{50D95E80-4C57-429D-BE35-18CCD61573FB}
2011-11-14 15:35 . 2011-11-14 15:35 -------- d-----w- c:\users\xSLYx\AppData\Local\{A32E2A8A-418F-4143-8B01-EC5C3CFE3989}
2011-11-13 19:03 . 2011-11-13 19:03 -------- d-----w- c:\users\xSLYx\AppData\Local\{A13B3F57-4C04-4C13-94A3-6F7715F84087}
2011-11-13 18:45 . 2011-09-20 21:02 905088 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-11-13 18:45 . 2011-09-30 15:57 707584 ----a-w- c:\program files\Common Files\System\wab32.dll
2011-11-13 18:44 . 2011-10-17 11:41 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2011-11-13 17:47 . 2011-11-13 17:47 -------- d-----w- c:\users\xSLYx\AppData\Local\{509BB726-BF48-4848-9F56-440B4723C767}
2011-11-07 04:08 . 2011-11-07 04:08 -------- d-----w- c:\users\xSLYx\AppData\Local\{5981248C-1C81-4D97-B14D-346040CC0AF0}
2011-11-06 16:54 . 2011-11-06 16:54 -------- d-----w- c:\users\xSLYx\AppData\Local\{4B2D3212-9556-440C-8F70-DCE446F81081}
2011-11-06 00:55 . 2011-11-06 00:55 -------- d-----w- c:\users\xSLYx\AppData\Local\{4F7F3382-CEB0-454E-A3A3-4CDB7E343313}
2011-11-06 00:28 . 2011-11-06 00:28 -------- d-----w- c:\users\xSLYx\AppData\Local\{A9F6E4F7-F0CC-4AF5-A67C-9C2D1C80C6F7}
2011-11-05 18:23 . 2011-05-24 23:14 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-11-05 02:56 . 2011-11-05 03:08 -------- d-----w- c:\users\xSLYx\AppData\Local\Mixxx
2011-11-05 00:46 . 2011-11-05 00:46 -------- d-----w- c:\users\xSLYx\AppData\Local\{7B0A6188-8BA7-4A53-9564-4528211993C4}
2011-11-04 20:22 . 2011-11-04 20:22 -------- d-----w- c:\program files\VirtualDJ
2011-11-04 00:08 . 2011-11-04 00:08 310 ----a-w- c:\windows\system32\UnifiedToolbarCleanup.bat
2011-11-03 23:59 . 2011-11-03 23:59 -------- d-----w- c:\users\xSLYx\AppData\Local\{79D6CC54-2595-40E4-831D-71DCD1064962}
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-17 05:55 . 2011-06-30 02:20 0 ----a-w- c:\users\xSLYx\AppData\Local\Alirad.bin
2011-09-06 13:30 . 2011-10-12 21:55 2043392 ----a-w- c:\windows\system32\win32k.sys
2011-11-28 18:29 . 2011-07-16 22:25 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0BC6E3FA-78EF-4886-842C-5A1258C4455A}"= "mscoree.dll" [2009-11-08 297808]
"{37483b40-c254-4a72-bda4-22ee90182c1e}"= "c:\program files\NCH_EN\prxtbNCH_.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}]
[HKEY_CLASSES_ROOT\agihelper.AGUtils]
[HKEY_CLASSES_ROOT\TypeLib\{647B16D8-AD7B-4983-82D7-82A270FC9E6D}]
[HKEY_CLASSES_ROOT\agcutils.AGSearchHook]
.
[HKEY_CLASSES_ROOT\clsid\{37483b40-c254-4a72-bda4-22ee90182c1e}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}]
2009-11-08 14:55 297808 ----a-w- c:\windows\System32\mscoree.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2011-01-17 20:54 175912 ----a-w- c:\program files\ConduitEngine\prxConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{37483b40-c254-4a72-bda4-22ee90182c1e}]
2011-01-17 20:54 175912 ----a-w- c:\program files\NCH_EN\prxtbNCH_.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{37483b40-c254-4a72-bda4-22ee90182c1e}"= "c:\program files\NCH_EN\prxtbNCH_.dll" [2011-01-17 175912]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\prxConduitEngine.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{37483b40-c254-4a72-bda4-22ee90182c1e}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{37483B40-C254-4A72-BDA4-22EE90182C1E}"= "c:\program files\NCH_EN\prxtbNCH_.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{37483b40-c254-4a72-bda4-22ee90182c1e}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2007-04-17 04:13 721408 ----a-w- c:\program files\Fingerprint Reader Suite\farchns.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2007-04-17 04:13 721408 ----a-w- c:\program files\Fingerprint Reader Suite\farchns.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"Nike+ Connect"="c:\users\xSLYx\AppData\Local\Nike\Nike+ Connect\Nike+ Connect daemon.exe" [2010-10-01 299008]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-02-29 17920]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-01-25 167936]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2008-03-04 36864]
"Logitech Hardware Abstraction Layer"="c:\program files\Common Files\Logitech\khalshared\KHALMNPR.EXE" [2007-01-12 101136]
"PSQLLauncher"="c:\program files\Fingerprint Reader Suite\launcher.exe" [2007-04-17 49168]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-12-21 184320]
"SPIRunE"="SPIRunE.dll" [2009-03-05 18432]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-06-02 80896]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-12 101136]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2010-06-19 38840]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2010-06-19 640440]
"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2007-09-26 734264]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-08-12 115560]
"NACAgentUI"="c:\program files\Cisco\Cisco NAC Agent\NACAgentUI.exe" [2009-06-22 446088]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-12-03 405504]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2010-12-09 74752]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-11-11 159472]
.
c:\users\xSLYx\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-5-20 1195008]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-11-3 703280]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
SetPoint.lnk - c:\program files\SetPoint\SetPoint.exe [2008-6-25 679936]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"DisableCAD"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-04-17 04:04 86528 ----a-w- c:\windows\System32\psqlpwd.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi6"=ma_cmidn.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
R0 tclondrv;tclondrv;c:\windows\system32\DRIVERS\tclondrv.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 LanmanServer32;Server ;c:\windows\system32\mmcss32.exe [x]
R3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [2008-08-15 284016]
R3 BTCFilterService;USB Networking Driver Filter Service;c:\windows\system32\DRIVERS\motfilt.sys [2009-01-29 6016]
R3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2009-08-12 23888]
R3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2009-10-24 79360]
R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2009-10-24 79360]
R3 L6TPortA;Service - Line 6 TonePort UX1;c:\windows\system32\Drivers\L6TPortA.sys [2009-01-06 530816]
R3 motandroidusb;Mot ADB Interface Driver;c:\windows\system32\Drivers\motoandroid.sys [2009-07-10 25856]
R3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys [2010-12-03 20352]
R3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys [2009-01-29 8320]
R3 Motousbnet;Motorola USB Networking Driver Service;c:\windows\system32\DRIVERS\Motousbnet.sys [2010-04-01 23424]
R3 motport;Motorola USB Diagnostic Port;c:\windows\system32\DRIVERS\motport.sys [2010-09-29 24064]
R3 t3;SB Xtreme Audio Notebook;c:\windows\system32\drivers\t3.sys [2009-05-06 413208]
R3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [2010-11-11 268528]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R3 wsvad_driver;Daniusoft Audio Device;c:\windows\system32\drivers\VirtualAudio.sys [2008-05-28 20352]
R4 iaNvStor;Intel® Turbo Memory Controller;c:\windows\system32\drivers\ianvstor.sys [2007-09-07 209408]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\aestsrv.exe [2007-12-03 73728]
S2 MotoHelper.exe;Motorola Helper;c:\program files\Motorola\Moto Helper Service\MotoHelper.exe [2010-09-15 6656]
S2 MotoHelper;MotoHelper Service;c:\program files\Motorola\MotoHelper\MotoHelperService.exe [2011-01-27 226624]
S2 NACAgent;Cisco NAC Agent;c:\program files\Cisco\Cisco NAC Agent\NACAgent.exe [2009-06-22 715400]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-11-13 106104]
S3 pcouffin;VSO Software pcouffin;c:\windows\system32\Drivers\pcouffin.sys [2009-06-11 47360]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{61E3FE32-07B9-4563-A3E0-2DE2D620FE10}]
2008-02-25 16:55 7680 ----a-w- c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-25 c:\windows\Tasks\User_Feed_Synchronization-{DB339E74-5AD4-418F-8406-E184CBA707F3}.job
- c:\windows\system32\msfeedssync.exe [2008-01-21 02:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2801948
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
Trusted Zone: line6.net
TCP: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\users\xSLYx\AppData\Roaming\Mozilla\Firefox\Profiles\mr2le8ch.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 51152
FF - prefs.js: network.proxy.type - 0
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{04CBC846-519B-4B55-805E-F8F95764BDDa} - c:\windows\system32\apilogen32.dll
WebBrowser-{FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - (no file)
HKCU-Run-Tunebite - c:\program files\RapidSolution\Tunebite\Tunebite.exe
HKCU-Run-Lzujec - c:\users\xSLYx\AppData\Local\udasojoloni.dll
HKCU-Run-Ocahiruj - c:\users\xSLYx\AppData\Local\sclsd8.dll
HKLM-Run-TuneClone - c:\program files\TuneClone\TuneClone.exe
SafeBoot-WudfPf
SafeBoot-WudfRd
SafeBoot-Symantec Antvirus
AddRemove-Mixxx (1.9.0) - c:\users\xSLYx\AppData\Local\Mixxx\uninst.exe
.
.
.
**************************************************************************
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\S-1-5-21-2522679844-3549791834-3747312674-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
"??"=hex:b5,60,40,f7,df,e3,8b,1a,46,2a,f3,97,9e,80,3b,15,c7,1b,93,b0,38,d2,28,
f3,75,9d,95,fc,7e,d7,e9,a8,95,6f,2d,92,ac,1e,55,e6,f2,a6,75,7e,a0,aa,18,dc,\
"??"=hex:42,ea,74,82,c5,64,43,9e,17,c5,5f,d2,25,d5,be,47
.
[HKEY_USERS\S-1-5-21-2522679844-3549791834-3747312674-1000\Software\SecuROM\License information*]
@Allowed: (Read) (RestrictedCode)
"datasecu"=hex:b4,38,a2,89,77,b2,9d,54,5c,d6,bf,75,f2,1d,68,0d,d1,38,65,80,db,
be,26,ae,8d,20,72,70,00,35,a0,36,db,a7,5e,a7,d0,b3,c3,80,54,02,50,ae,6d,15,\
"rkeysecu"=hex:44,fb,6f,b9,9c,9e,ca,21,3c,78,49,b3,91,94,e4,5f
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(756)
c:\windows\system32\psqlpwd.dll
c:\program files\Fingerprint Reader Suite\homefus2.dll
c:\program files\Fingerprint Reader Suite\infra.dll
.
- - - - - - - > 'Explorer.exe'(3404)
c:\program files\Fingerprint Reader Suite\farchns.dll
c:\program files\Fingerprint Reader Suite\infra.dll
c:\windows\system32\btncopy.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\program files\Creative\Shared Files\CTAudSvc.exe
c:\windows\system32\nvvsvc.exe
c:\program files\Fingerprint Reader Suite\upeksvr.exe
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\windows\system32\WLANExt.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\M-Audio\M-Audio Series II MIDI\MA_CMIDI_Inst.exe
c:\windows\system32\STacSV.exe
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\servicing\TrustedInstaller.exe
c:\program files\Motorola\MotoHelper\MotoHelperAgent.exe
c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\windows\system32\schtasks.exe
.
**************************************************************************
.
Completion time: 2011-12-03 17:35:46 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-03 22:35
.
Pre-Run: 23,697,469,440 bytes free
Post-Run: 25,508,413,440 bytes free
.
- - End Of File - - 999974E20165D3FB041E512BBC640E4B

#6 RPMcMurphy

Malware Response Team

Posted 03 December 2011 - 06:38 PM

Rebooting the PC should solve that illegal operation issue. Please do this next:

Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before and above http://

http://www.bleepingcomputer.com/forums/topic429764.html
Collect::
C:\kgloipob.sys
Firefox::
FF - ProfilePath - c:\users\xSLYx\AppData\Roaming\Mozilla\Firefox\Profiles\mr2le8ch.default\
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 51152

Save this as CFScript to your desktop.

Then disable your security programs and drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot]


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM
  • Click the Update tab
  • Click Check for Updates
  • If an update is found, it will download and install the latest version.
  • The program will close to update and reopen.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Uncheck any entries from C:\System Volume Information or C:\Qoobox
  • Make sure that everything else is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Please include the following in your next post:
  • ComboFix log
  • MBAM log

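The indicators the helper acts on in this post (the Firefox HTTP proxy pointed at the loopback address, the Run entries that loaded DLLs straight out of AppData\Local, and the driver sitting in the root of C:\) can be pulled out of a ComboFix log mechanically. The Python below is an added example, not ComboFix's code or the helper's script; it recognises only the log line shapes and the two CFScript directives (Collect:: and Firefox::) shown in this thread, its sample log lines are constructed from the excerpt above, and the thread URL is the one the helper put at the top of his script.

```python
# Added example for this thread: triage a ComboFix log for the indicators the helper acted on.
# Not ComboFix's code nor the helper's script; only the Collect:: and Firefox:: directives shown
# above are generated, and only the log line shapes seen above are recognised.
import re
from dataclasses import dataclass, field

# Constructed sample: a few lines in the shape of the ComboFix output quoted in this thread.
SAMPLE_LOG = """\
2011-11-28 19:15 . 2011-11-28 19:15 100864 ----a-w- C:\\kgloipob.sys
2011-11-13 18:45 . 2011-09-20 21:02 905088 ----a-w- c:\\windows\\system32\\drivers\\tcpip.sys
[HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"Sidebar"="c:\\program files\\Windows Sidebar\\sidebar.exe" [2009-04-11 1233920]
FF - ProfilePath - c:\\users\\xSLYx\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\mr2le8ch.default\\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 51152
FF - prefs.js: network.proxy.type - 0
HKCU-Run-Lzujec - c:\\users\\xSLYx\\AppData\\Local\\udasojoloni.dll
HKCU-Run-Ocahiruj - c:\\users\\xSLYx\\AppData\\Local\\sclsd8.dll
HKLM-Run-TuneClone - c:\\program files\\TuneClone\\TuneClone.exe
"""

PREF_RE = re.compile(r"^FF - prefs\.js: (\S+) - (.*)$")
PROFILE_RE = re.compile(r"^FF - ProfilePath - (.*)$")
# A DLL directly inside <user>\AppData\Local (no deeper folder), as both Run orphans above were.
APPDATA_DLL_RE = re.compile(r'([a-z]:\\[^"\[\]]*?\\appdata\\local\\[^\\"\[\]\s]+\.dll)', re.I)
# A .sys file directly in the root of a drive, like C:\kgloipob.sys (no directory component).
ROOT_SYS_RE = re.compile(r'\b([a-z]:\\[^\\\s"]+\.sys)\b', re.I)
LOOPBACK = {"127.0.0.1", "localhost", "::1"}

@dataclass
class Finding:
    kind: str                                   # "loopback_proxy", "appdata_dll_autorun", "root_driver"
    detail: str                                 # the path or proxy endpoint involved
    lines: list = field(default_factory=list)   # raw log lines the finding rests on

def firefox_prefs(log: str) -> dict:
    """Map each 'FF - prefs.js' entry to (value, raw line)."""
    prefs = {}
    for line in log.splitlines():
        m = PREF_RE.match(line.strip())
        if m:
            prefs[m.group(1)] = (m.group(2).strip(), line.strip())
    return prefs

def firefox_profile_path(log: str):
    """Return the profile directory named on the 'FF - ProfilePath' line, or None."""
    for line in log.splitlines():
        m = PROFILE_RE.match(line.strip())
        if m:
            return m.group(1).strip()
    return None

def triage(log: str) -> list:
    """Return the findings a helper would act on, in the order they are discovered."""
    findings = []
    prefs = firefox_prefs(log)
    host = prefs.get("network.proxy.http")
    if host and host[0] in LOOPBACK:
        # Browser HTTP traffic handed to a process on the same machine: the mechanism
        # behind the search-result redirects the poster described at the top of the thread.
        port = prefs.get("network.proxy.http_port", ("?", None))
        ptype = prefs.get("network.proxy.type", ("?", None))
        raw = [host[1]] + [p[1] for p in (port, ptype) if p[1]]
        findings.append(Finding("loopback_proxy",
                                f"{host[0]}:{port[0]} (network.proxy.type={ptype[0]})", raw))
    for line in log.splitlines():
        s = line.strip()
        m = APPDATA_DLL_RE.search(s)
        if m and s.lower().startswith(("hkcu-run-", "hklm-run-", '"')):
            findings.append(Finding("appdata_dll_autorun", m.group(1), [s]))
            continue
        m = ROOT_SYS_RE.search(s)
        if m:
            findings.append(Finding("root_driver", m.group(1), [s]))
    return findings

def build_cfscript(findings: list, profile_path, topic_url: str) -> str:
    """Lay the findings out in the shape of the CFScript posted above: the thread URL, a
    Collect:: block for files to zip up, then a Firefox:: block naming the profile and the
    exact proxy pref lines. Autorun DLL findings are reported by triage(), not scripted."""
    out = [topic_url]
    collect = [f.detail for f in findings if f.kind == "root_driver"]
    if collect:
        out.append("Collect::")
        out.extend(collect)
    proxy = [f for f in findings if f.kind == "loopback_proxy"]
    if proxy and profile_path:
        out.append("Firefox::")
        out.append(f"FF - ProfilePath - {profile_path}")
        out.extend(l for l in proxy[0].lines if "network.proxy.http" in l)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    print(*(f"{f.kind:20} {f.detail}" for f in found), sep="\n")
    print(build_cfscript(found, firefox_profile_path(SAMPLE_LOG), "http://www.bleepingcomputer.com/forums/topic429764.html"))
```

Run against the sample, the script it prints matches the one the helper posted above line for line; the two AppData\Local DLL autoruns are listed by triage() only, since the first ComboFix run had already removed them as orphans.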


#7 BxSLY


Posted 04 December 2011 - 03:06 AM

Rebooting did solve the illegal operation issue.
I have copied the second ComboFix log below, as well as the Malwarebytes log. However, Malwarebytes would not allow me to update before running the scan and gave me an error message that said:
"An error has occurred. Please report the following error code to the Malwarebytes' Anti-Malware support team.
Error code: 732 (0,0)"
The current database version is from 8/24/2009. Should I uninstall the current free version of Malwarebytes, since it won't allow me to update it, re-install the current version from their website, and run the scan again?


ComboFix 11-12-03.01 - xSLYx 12/03/2011 22:51:10.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3581.2183 [GMT -5:00]
Running from: c:\users\xSLYx\Desktop\ComboFix.exe
Command switches used :: c:\users\xSLYx\Desktop\CFScript.txt
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
file zipped: C:\kgloipob.sys
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\kgloipob.sys
c:\users\xSLYx\AppData\Roaming\inst.exe
c:\users\xSLYx\AppData\Roaming\vso_ts_preview.xml
.
.
((((((((((((((((((((((((( Files Created from 2011-11-04 to 2011-12-04 )))))))))))))))))))))))))))))))
.
.
2011-12-04 04:04 . 2011-12-04 04:09 -------- d-----w- c:\users\xSLYx\AppData\Local\temp
2011-12-04 04:04 . 2011-12-04 04:04 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-12-03 18:50 . 2011-11-21 10:47 6823496 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{C94DEB9A-2CAA-4B04-B8C6-9D908686042F}\mpengine.dll
2011-12-03 18:28 . 2011-12-03 18:28 -------- d-----w- c:\users\xSLYx\AppData\Local\{3E9B6B09-05CD-45B8-ADFF-D76DE8FEBECF}
2011-12-03 18:14 . 2011-12-03 18:14 -------- d-----w- c:\users\xSLYx\AppData\Local\{31DDE95E-229C-47C6-B189-AB10E724B6FA}
2011-12-01 08:20 . 2011-12-01 08:20 -------- d-----w- c:\users\xSLYx\AppData\Local\{3FE32D7F-7068-4B11-8463-142A8B52C146}
2011-11-30 19:09 . 2011-11-30 19:09 -------- d-----w- c:\users\xSLYx\AppData\Local\{109582D8-FB1F-419A-A820-6FB138FF51FF}
2011-11-29 21:33 . 2011-11-29 21:33 -------- d-----w- c:\users\xSLYx\AppData\Local\{BD5A1423-D74D-4D6E-84FA-14D8AC65C464}
2011-11-29 12:51 . 2011-11-29 12:51 -------- d-----w- c:\users\xSLYx\AppData\Local\{D9A1A411-DACB-4B9B-8688-6BDBC5249913}
2011-11-28 23:25 . 2011-11-28 23:25 -------- d-----w- c:\users\xSLYx\AppData\Local\{B0078AF1-2511-45E6-B574-CB9C85910E7F}
2011-11-28 22:28 . 2011-11-28 22:28 -------- d-----w- c:\users\xSLYx\AppData\Local\{D5325080-3388-4965-A06F-6B41D22A2C42}
2011-11-28 18:24 . 2011-11-28 18:24 -------- d-----w- c:\users\xSLYx\AppData\Local\{A1763617-4CF4-42E6-8299-A610F33B2473}
2011-11-28 17:31 . 2011-11-28 17:31 -------- d-----w- c:\users\xSLYx\AppData\Local\{1E18D229-C8FC-44F8-BB03-F8B6829D43B0}
2011-11-28 13:22 . 2011-11-28 13:22 -------- d-----w- c:\users\xSLYx\AppData\Local\{8D3428D1-88D4-43B1-9702-5CACE24CFB4A}
2011-11-28 01:56 . 2011-11-28 01:56 -------- d-----w- c:\users\xSLYx\AppData\Local\{346B509C-36ED-4587-BE94-0AE5C0FCC76F}
2011-11-21 23:52 . 2011-11-21 23:52 -------- d-----w- c:\users\xSLYx\AppData\Local\{33DB7EA6-D68B-47D7-A760-686DF85F4366}
2011-11-21 19:04 . 2011-11-21 19:04 -------- d-----w- c:\users\xSLYx\AppData\Local\{4560EC99-24B9-4405-B7E8-71D116D7DB23}
2011-11-21 09:21 . 2011-11-21 09:21 -------- d-----w- c:\users\xSLYx\AppData\Local\{34FE37C6-404F-4C07-BA0F-DCBACBE1D1C2}
2011-11-21 01:12 . 2011-11-21 01:12 -------- d-----w- c:\users\xSLYx\AppData\Local\{EF2E1F2D-2E48-47A1-AA4E-991C6F454FBE}
2011-11-20 19:11 . 2011-11-20 19:11 -------- d-----w- c:\users\xSLYx\AppData\Local\{376EA6E4-410B-4C60-8128-0FEFFD8C96E6}
2011-11-20 18:35 . 2011-11-20 18:35 -------- d-----w- c:\users\xSLYx\AppData\Local\{4337B71B-9F57-410D-8DA9-3D59D23FB13F}
2011-11-19 18:47 . 2011-11-19 18:47 -------- d-----w- c:\users\xSLYx\AppData\Local\{3FD6151E-A2EB-4FC0-BEE7-D24023C64DF9}
2011-11-19 01:42 . 2011-11-19 01:42 -------- d-----w- c:\users\xSLYx\AppData\Local\{A4E3228F-B1EF-4EA9-A93C-B5CCA2E56C9C}
2011-11-19 00:56 . 2011-11-19 00:56 -------- d-----w- c:\users\xSLYx\AppData\Local\{1D131E00-E2A4-4917-8008-4B47D26C21C4}
2011-11-18 04:58 . 2011-11-18 04:58 -------- d-----w- c:\users\xSLYx\AppData\Local\{21ED4D36-B049-4E16-9E26-39364D58F835}
2011-11-17 21:54 . 2011-11-17 21:54 -------- d-----w- c:\users\xSLYx\AppData\Local\{7FD549AE-39B7-4E73-A1FD-22019C1AD89C}
2011-11-17 06:24 . 2011-11-17 06:24 -------- d-----w- c:\users\xSLYx\AppData\Local\{F35A5B7C-2776-4616-874F-50ADD60208D5}
2011-11-17 05:55 . 2011-11-17 05:55 -------- d-----w- c:\users\xSLYx\AppData\Local\{A5993699-74A1-412D-8FAF-DE85699D911F}
2011-11-15 21:32 . 2011-11-15 21:32 -------- d-----w- c:\users\xSLYx\AppData\Local\{88773CF6-62B2-4D14-B6BA-99F1B658E6A6}
2011-11-14 17:04 . 2011-11-14 17:04 -------- d-----w- c:\users\xSLYx\AppData\Local\{50D95E80-4C57-429D-BE35-18CCD61573FB}
2011-11-14 15:35 . 2011-11-14 15:35 -------- d-----w- c:\users\xSLYx\AppData\Local\{A32E2A8A-418F-4143-8B01-EC5C3CFE3989}
2011-11-13 19:03 . 2011-11-13 19:03 -------- d-----w- c:\users\xSLYx\AppData\Local\{A13B3F57-4C04-4C13-94A3-6F7715F84087}
2011-11-13 18:45 . 2011-09-20 21:02 905088 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-11-13 18:45 . 2011-09-30 15:57 707584 ----a-w- c:\program files\Common Files\System\wab32.dll
2011-11-13 18:44 . 2011-10-17 11:41 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2011-11-13 17:47 . 2011-11-13 17:47 -------- d-----w- c:\users\xSLYx\AppData\Local\{509BB726-BF48-4848-9F56-440B4723C767}
2011-11-07 04:08 . 2011-11-07 04:08 -------- d-----w- c:\users\xSLYx\AppData\Local\{5981248C-1C81-4D97-B14D-346040CC0AF0}
2011-11-06 16:54 . 2011-11-06 16:54 -------- d-----w- c:\users\xSLYx\AppData\Local\{4B2D3212-9556-440C-8F70-DCE446F81081}
2011-11-06 00:55 . 2011-11-06 00:55 -------- d-----w- c:\users\xSLYx\AppData\Local\{4F7F3382-CEB0-454E-A3A3-4CDB7E343313}
2011-11-06 00:28 . 2011-11-06 00:28 -------- d-----w- c:\users\xSLYx\AppData\Local\{A9F6E4F7-F0CC-4AF5-A67C-9C2D1C80C6F7}
2011-11-05 18:23 . 2011-05-24 23:14 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-11-05 02:56 . 2011-11-05 03:08 -------- d-----w- c:\users\xSLYx\AppData\Local\Mixxx
2011-11-05 00:46 . 2011-11-05 00:46 -------- d-----w- c:\users\xSLYx\AppData\Local\{7B0A6188-8BA7-4A53-9564-4528211993C4}
2011-11-04 20:22 . 2011-11-04 20:22 -------- d-----w- c:\program files\VirtualDJ
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-17 05:55 . 2011-06-30 02:20 0 ----a-w- c:\users\xSLYx\AppData\Local\Alirad.bin
2011-11-04 00:08 . 2011-11-04 00:08 310 ----a-w- c:\windows\system32\UnifiedToolbarCleanup.bat
2011-09-06 13:30 . 2011-10-12 21:55 2043392 ----a-w- c:\windows\system32\win32k.sys
2011-11-28 18:29 . 2011-07-16 22:25 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0BC6E3FA-78EF-4886-842C-5A1258C4455A}"= "mscoree.dll" [2009-11-08 297808]
"{37483b40-c254-4a72-bda4-22ee90182c1e}"= "c:\program files\NCH_EN\prxtbNCH_.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}]
[HKEY_CLASSES_ROOT\agihelper.AGUtils]
[HKEY_CLASSES_ROOT\TypeLib\{647B16D8-AD7B-4983-82D7-82A270FC9E6D}]
[HKEY_CLASSES_ROOT\agcutils.AGSearchHook]
.
[HKEY_CLASSES_ROOT\clsid\{37483b40-c254-4a72-bda4-22ee90182c1e}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}]
2009-11-08 14:55 297808 ----a-w- c:\windows\System32\mscoree.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2011-01-17 20:54 175912 ----a-w- c:\program files\ConduitEngine\prxConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{37483b40-c254-4a72-bda4-22ee90182c1e}]
2011-01-17 20:54 175912 ----a-w- c:\program files\NCH_EN\prxtbNCH_.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{37483b40-c254-4a72-bda4-22ee90182c1e}"= "c:\program files\NCH_EN\prxtbNCH_.dll" [2011-01-17 175912]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\prxConduitEngine.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{37483b40-c254-4a72-bda4-22ee90182c1e}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{37483B40-C254-4A72-BDA4-22EE90182C1E}"= "c:\program files\NCH_EN\prxtbNCH_.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{37483b40-c254-4a72-bda4-22ee90182c1e}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2007-04-17 04:13 721408 ----a-w- c:\program files\Fingerprint Reader Suite\farchns.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2007-04-17 04:13 721408 ----a-w- c:\program files\Fingerprint Reader Suite\farchns.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"Nike+ Connect"="c:\users\xSLYx\AppData\Local\Nike\Nike+ Connect\Nike+ Connect daemon.exe" [2010-10-01 299008]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-02-29 17920]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-01-25 167936]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2008-03-04 36864]
"Logitech Hardware Abstraction Layer"="c:\program files\Common Files\Logitech\khalshared\KHALMNPR.EXE" [2007-01-12 101136]
"PSQLLauncher"="c:\program files\Fingerprint Reader Suite\launcher.exe" [2007-04-17 49168]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-12-21 184320]
"SPIRunE"="SPIRunE.dll" [2009-03-05 18432]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-06-02 80896]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-12 101136]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2010-06-19 38840]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2010-06-19 640440]
"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2007-09-26 734264]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-08-12 115560]
"NACAgentUI"="c:\program files\Cisco\Cisco NAC Agent\NACAgentUI.exe" [2009-06-22 446088]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-12-03 405504]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2010-12-09 74752]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-11-11 159472]
.
c:\users\xSLYx\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-5-20 1195008]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-11-3 703280]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
SetPoint.lnk - c:\program files\SetPoint\SetPoint.exe [2008-6-25 679936]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"DisableCAD"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-04-17 04:04 86528 ----a-w- c:\windows\System32\psqlpwd.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi6"=ma_cmidn.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
R0 tclondrv;tclondrv;c:\windows\system32\DRIVERS\tclondrv.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 LanmanServer32;Server ;c:\windows\system32\mmcss32.exe [x]
R3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [2008-08-15 284016]
R3 BTCFilterService;USB Networking Driver Filter Service;c:\windows\system32\DRIVERS\motfilt.sys [2009-01-29 6016]
R3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2009-08-12 23888]
R3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2009-10-24 79360]
R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2009-10-24 79360]
R3 L6TPortA;Service - Line 6 TonePort UX1;c:\windows\system32\Drivers\L6TPortA.sys [2009-01-06 530816]
R3 motandroidusb;Mot ADB Interface Driver;c:\windows\system32\Drivers\motoandroid.sys [2009-07-10 25856]
R3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys [2010-12-03 20352]
R3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys [2009-01-29 8320]
R3 Motousbnet;Motorola USB Networking Driver Service;c:\windows\system32\DRIVERS\Motousbnet.sys [2010-04-01 23424]
R3 motport;Motorola USB Diagnostic Port;c:\windows\system32\DRIVERS\motport.sys [2010-09-29 24064]
R3 t3;SB Xtreme Audio Notebook;c:\windows\system32\drivers\t3.sys [2009-05-06 413208]
R3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [2010-11-11 268528]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R3 wsvad_driver;Daniusoft Audio Device;c:\windows\system32\drivers\VirtualAudio.sys [2008-05-28 20352]
R4 iaNvStor;Intel® Turbo Memory Controller;c:\windows\system32\drivers\ianvstor.sys [2007-09-07 209408]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\aestsrv.exe [2007-12-03 73728]
S2 MotoHelper.exe;Motorola Helper;c:\program files\Motorola\Moto Helper Service\MotoHelper.exe [2010-09-15 6656]
S2 MotoHelper;MotoHelper Service;c:\program files\Motorola\MotoHelper\MotoHelperService.exe [2011-01-27 226624]
S2 NACAgent;Cisco NAC Agent;c:\program files\Cisco\Cisco NAC Agent\NACAgent.exe [2009-06-22 715400]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-11-13 106104]
S3 pcouffin;VSO Software pcouffin;c:\windows\system32\Drivers\pcouffin.sys [2009-06-11 47360]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{61E3FE32-07B9-4563-A3E0-2DE2D620FE10}]
2008-02-25 16:55 7680 ----a-w- c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-25 c:\windows\Tasks\User_Feed_Synchronization-{DB339E74-5AD4-418F-8406-E184CBA707F3}.job
- c:\windows\system32\msfeedssync.exe [2008-01-21 02:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2801948
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
Trusted Zone: line6.net
TCP: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\users\xSLYx\AppData\Roaming\Mozilla\Firefox\Profiles\mr2le8ch.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 0
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-03 23:08
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\S-1-5-21-2522679844-3549791834-3747312674-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
"??"=hex:b5,60,40,f7,df,e3,8b,1a,46,2a,f3,97,9e,80,3b,15,c7,1b,93,b0,38,d2,28,
f3,75,9d,95,fc,7e,d7,e9,a8,95,6f,2d,92,ac,1e,55,e6,f2,a6,75,7e,a0,aa,18,dc,\
"??"=hex:42,ea,74,82,c5,64,43,9e,17,c5,5f,d2,25,d5,be,47
.
[HKEY_USERS\S-1-5-21-2522679844-3549791834-3747312674-1000\Software\SecuROM\License information*]
@Allowed: (Read) (RestrictedCode)
"datasecu"=hex:b4,38,a2,89,77,b2,9d,54,5c,d6,bf,75,f2,1d,68,0d,d1,38,65,80,db,
be,26,ae,8d,20,72,70,00,35,a0,36,db,a7,5e,a7,d0,b3,c3,80,54,02,50,ae,6d,15,\
"rkeysecu"=hex:44,fb,6f,b9,9c,9e,ca,21,3c,78,49,b3,91,94,e4,5f
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(776)
c:\windows\system32\psqlpwd.dll
c:\program files\Fingerprint Reader Suite\homefus2.dll
c:\program files\Fingerprint Reader Suite\infra.dll
.
- - - - - - - > 'Explorer.exe'(1356)
c:\program files\Fingerprint Reader Suite\farchns.dll
c:\program files\Fingerprint Reader Suite\infra.dll
c:\windows\system32\btncopy.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\program files\Creative\Shared Files\CTAudSvc.exe
c:\windows\system32\nvvsvc.exe
c:\program files\Fingerprint Reader Suite\upeksvr.exe
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\windows\system32\WLANExt.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\M-Audio\M-Audio Series II MIDI\MA_CMIDI_Inst.exe
c:\windows\system32\STacSV.exe
c:\program files\Motorola\MotoHelper\MotoHelperAgent.exe
c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\schtasks.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
.
**************************************************************************
.
Completion time: 2011-12-03 23:16:23 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-04 04:15
ComboFix2.txt 2011-12-03 22:35
.
Pre-Run: 25,487,560,704 bytes free
Post-Run: 25,351,434,240 bytes free
.
- - End Of File - - 93277DE6813E398E1A0EB345DBAD3E27
Upload was successful

Malwarebytes' Anti-Malware 1.40
Database version: 2693
Windows 6.0.6002 Service Pack 2

12/4/2011 2:50:52 AM
mbam-log-2011-12-04 (02-50-52).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 425476
Time elapsed: 3 hour(s), 7 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#8 RPMcMurphy
  • Malware Response Team

Posted 04 December 2011 - 10:48 AM

Hello,

Please try these steps to resolve your issues with MBAM:

Uninstall Malwarebytes via Control Panel > Add/Remove Programs
  • Reboot
  • Download the Malwarebytes Removal Tool
  • Double click on the utility to run it
  • It will ask to restart your computer (please allow it to).
  • After the computer restarts, install the latest version from here
If all goes well, please run a "Full" scan and post the log for me.

Please include the following in your next post:
  • MBAM log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.


#9 BxSLY
  • Topic Starter

Posted 04 December 2011 - 04:57 PM

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8309

Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005

12/4/2011 4:52:04 PM
mbam-log-2011-12-04 (16-52-04).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 477220
Time elapsed: 3 hour(s), 2 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#10 RPMcMurphy
  • Malware Response Team

Posted 04 December 2011 - 05:10 PM

How is your computer running now? Please do this next:

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Java™ can be updated from the Java control panel Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now. An update should begin; follow the prompts. If it does not, let me know.

Once the install is complete...

Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup)
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH Checked
    • Applications and Applets
    • Trace and Log Files
  • Click OK on Delete Temporary Files Window
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.
Please go here to run an online scan with ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats', then click Export to text file...
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.
Please include the following in your next post:
  • How is the computer running now?
  • ESET log



#11 BxSLY
  • Topic Starter

Posted 04 December 2011 - 05:38 PM

The computer is running much better and starting up faster. I still have Symantec Endpoint Protection turned off though, which is the program that was giving me the recurring Trojan.Zefarch notifications initially.

Java will not allow me to update. The update stops with one bar left and gives 3 error windows:
1.) "bin\jsoundds.dll: Old File not found. However, a file of the same name was found. No update done since file contents do not match."
2.) "Java ™ Update fails to apply changes to your system."
3.) "Error 1722. There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor."
The Java installer window then changes and says the installer was interrupted before the update could be completely installed.

I did not run the ESET scan yet, because I did not know if I needed to have the Java issue fixed first.

Edited by BxSLY, 04 December 2011 - 05:40 PM.


#12 RPMcMurphy
  • Malware Response Team

Posted 04 December 2011 - 06:15 PM

Let's do that update a different way then. Go to this page, click the "Free Java Download" button near the center of the page and follow the prompts.

Then please go ahead with the ESET scan.



#13 BxSLY
  • Topic Starter

Posted 05 December 2011 - 12:25 AM

Successfully updated Java.
ESET Log:

C:\Qoobox\Quarantine\C\Users\xSLYx\AppData\Local\udasojoloni.dll.vir a variant of Win32/Kryptik.NCK trojan
C:\Qoobox\Quarantine\C\Users\xSLYx\AppData\Roaming\Mozilla\Firefox\Profiles\mr2le8ch.default\extensions\{475463e8-9ab4-4e58-b5b1-4b94af82783d}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Users\xSLYx\Downloads\winamp5601_full_emusic-7plus_en-us.exe Win32/OpenCandy application

Edited by BxSLY, 05 December 2011 - 12:26 AM.


#14 RPMcMurphy
  • Malware Response Team

Posted 05 December 2011 - 02:36 PM

Hi,

Your logs look good. Those first ESET detections are in the ComboFix quarantine and will be removed when we uninstall ComboFix. It flagged your winamp installer because some AV vendors consider it adware. I'll leave that up to you; if you no longer want it you can simply uninstall it from Control Panel > Add/remove programs.

All I have left for you is some very important cleanup:

Uninstall ComboFix
  • Press the Windows key + R on your keyboard or click Start -> Run. Copy and paste the following text into the run box that opens and press OK:
    Combofix /Uninstall

Delete the following tools along with any other logs you saved from our work:
  • DDS
  • GMER
  • aswMBR
Download TFC to your desktop
  • Close any open windows.
  • Double click the TFC icon to run the program.
  • TFC will close all open programs itself in order to run.
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job.
  • Once it's finished it should automatically reboot your machine; if it doesn't, manually reboot to ensure a complete clean.
Finally, I'd like to make a couple of suggestions to help you stay clean in the future:
  • Restart any anti-malware programs that we disabled while we were cleaning your machine.
  • Keep your antivirus application and MBAM current and updated. Scan with them at least weekly.
  • Avoid using P2P programs. Refer back to my earlier post for more information.
  • Please read this post for some helpful information.
Please post once more so I know you are all set and I can mark this thread resolved. Good luck and stay safe!



#15 BxSLY
  • Topic Starter

Posted 05 December 2011 - 05:00 PM

I completed all of the final cleanup instructions, and will definitely be following your suggestions. Thank you for all of your help and the time you put into assisting me. My computer is booting up much faster, running great, and no longer giving me any virus notification or error windows. Thank you again!



