Chgallos

Everything posted by Chgallos

  1. Again, I appreciate all the help, but I have already committed to formatting and reinstalling. I like doing this every once in a while anyway and this is just a very good opportunity. Hopefully you won't hear from me again. The only circumstance in which I see myself posting again is if formatting doesn't actually make my machine totally clean (infected BIOS or D drive or something). Thanks again.
  2. Is HJT supposed to only take about 1 second to run? I don't think I have ever been successful in using it before and it was VERY fast. HJT log:

     Logfile of Trend Micro HijackThis v2.0.2
     Scan saved at 11:06:32 AM, on 9/2/2009
     Platform: Windows XP SP3 (WinNT 5.01.2600)
     MSIE: Internet Explorer v8.00 (8.00.6001.18702)
     Boot mode: Normal

     Running processes:
     C:\WINDOWS\System32\smss.exe
     C:\WINDOWS\system32\winlogon.exe
     C:\WINDOWS\system32\services.exe
     C:\WINDOWS\system32\lsass.exe
     C:\WINDOWS\system32\svchost.exe
     C:\Program Files\Windows Defender\MsMpEng.exe
     C:\WINDOWS\System32\svchost.exe
     C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
     C:\WINDOWS\system32\spoolsv.exe
     C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
     C:\Program Files\Bonjour\mDNSResponder.exe
     C:\WINDOWS\system32\CTsvcCDA.exe
     C:\WINDOWS\eHome\ehRecvr.exe
     C:\WINDOWS\eHome\ehSched.exe
     C:\WINDOWS\system32\nvsvc32.exe
     C:\WINDOWS\system32\svchost.exe
     D:\Program Files\eTrust\eTrust EZ Antivirus\VetMsg.exe
     C:\WINDOWS\system32\SearchIndexer.exe
     C:\WINDOWS\system32\dllhost.exe
     C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
     C:\WINDOWS\system32\SearchProtocolHost.exe
     C:\WINDOWS\explorer.exe
     C:\WINDOWS\system32\ctfmon.exe
     C:\WINDOWS\explorer.exe
     C:\Program Files\HijackThis\HijackThose.exe

     R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.angelfire.com/wa3/potterhouse/uberpage.mht
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
     R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
     R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
     R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
     O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
     O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
     O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
     O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
     O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
     O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
     O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
     O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
     O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
     O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
     O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
     O4 - HKLM\..\Run: [CaISSDT] "D:\Program Files\eTrust\caissdt.exe"
     O4 - HKLM\..\Run: [CaAvTray] "D:\Program Files\eTrust\eTrust EZ Antivirus\CAVTray.exe"
     O4 - HKLM\..\Run: [CAVRID] "D:\Program Files\eTrust\eTrust EZ Antivirus\CAVRID.exe"
     O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
     O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
     O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
     O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
     O4 - HKLM\..\Run: [iSUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
     O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
     O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe
     O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
     O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
     O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
     O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
     O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
     O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
     O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
     O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
     O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
     O16 - DPF: {076169AA-8C3D-4CFC-AC23-3ACA88FC21B5} (F-Secure Online Scanner Launcher) - http://download.sp.f-secure.com/ols/f-secu.../fslauncher.cab
     O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
     O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
     O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
     O16 - DPF: {64D01C7F-810D-446E-A07E-456746835644} (AtlBoxWordCtlAttrib Class) - http://uk.games.myspace.com/gameshell/game...n/abcisland.cab
     O16 - DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} (GoBit Games Player) - http://www.shockwave.com/content/burgersho...esPlayer_v5.cab
     O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shock...ash/swflash.cab
     O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
     O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
     O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
     O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
     O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
     O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
     O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
     O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
     O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
     O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - D:\Program Files\eTrust\eTrust EZ Antivirus\VetMsg.exe

     --
     End of file - 7671 bytes
  3. I ran ComboFix and then my antivirus. I will post the CF log, but the antivirus came up with nothing. I will run and post HiJackThis next. Here is the CF log:

     ComboFix 09-09-01.07 - Potter House 09/02/2009 9:44.2.4 - NTFSx86
     Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3069.2613 [GMT -7:00]
     Running from: c:\documents and settings\Potter House\Desktop\CampingFox.exe
     AV: eTrust EZ Antivirus *On-access scanning disabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
     * Created a new restore point
     .

     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .

     c:\windows\run.log
     c:\windows\system32\drivers\kbiwkmxfnhtite.sys
     c:\windows\system32\drivers\UACkkdvjxvoaf.sys
     c:\windows\system32\kbiwkmmdujewnd.dat
     c:\windows\system32\kbiwkmpshyiyoy.dll
     c:\windows\system32\kbiwkmxjtqpgnb.dat
     c:\windows\system32\kbiwkmxrmqlxgq.dll
     c:\windows\system32\UACbnieqgvpxe.dll
     c:\windows\system32\UACdfmlmwubje.dll
     c:\windows\system32\UACeombgvsrcn.db
     c:\windows\system32\UACksrldedwod.dll
     c:\windows\system32\uacksrldedwod.dll.uss_dis
     c:\windows\system32\UACouooytegfv.dat
     c:\windows\system32\UACxljaoyrvcd.dll
     .

     ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
     .

     -------\Service_kbiwkmvxobogji
     -------\Legacy_kbiwkmvxobogji
     -------\Service_UACd.sys
     -------\Legacy_UACd.sys

     ((((((((((((((((((((((((( Files Created from 2009-08-02 to 2009-09-02 )))))))))))))))))))))))))))))))
     .

     2009-08-31 03:22 . 2009-08-31 03:22 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
     2009-08-30 01:06 . 2009-08-30 01:06 664 ----a-w- c:\windows\system32\d3d9caps.dat
     2009-08-28 15:45 . 2009-08-28 15:48 -------- d-s---w- C:\Comb-Fox
     2009-08-27 16:41 . 2009-07-03 14:49 15688 ----a-w- c:\windows\system32\lsdelete.exe
     2009-08-27 16:05 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
     2009-08-27 16:05 . 2009-08-27 16:05 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
     2009-08-27 16:05 . 2009-08-27 16:05 -------- d-----w- c:\program files\Lavasoft
     2009-08-27 04:56 . 2009-08-27 04:58 -------- d-s---w- C:\ComboHyphenFix
     2009-08-26 18:28 . 2009-08-26 18:30 -------- d-s---w- C:\NoJoke
     2009-08-26 15:45 . 2009-08-26 15:46 -------- d-s---w- C:\MiddleFingerCF
     2009-08-25 16:02 . 2009-08-25 16:03 -------- d-s---w- C:\LilBunnyCF
     2009-08-24 04:24 . 2009-08-25 15:58 -------- d-s---w- C:\ComboFix
     2009-08-24 03:15 . 2009-08-24 03:20 -------- d-s---w- C:\Combo-Fix
     2009-08-23 05:09 . 2009-08-23 05:09 -------- d-----w- C:\installers
     2009-08-22 02:04 . 2009-08-22 02:04 -------- d-----w- c:\program files\Trend Micro
     2009-08-22 02:03 . 2009-08-21 20:51 812344 ----a-w- c:\documents and settings\Potter House\HJTInstall.exe
     2009-08-22 00:10 . 2009-08-03 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
     2009-08-22 00:10 . 2009-09-02 16:12 -------- d-----w- c:\program files\Malwarebytes' Anti-MalwareSAFE
     2009-08-22 00:10 . 2009-08-03 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
     2009-08-22 00:02 . 2009-08-22 00:02 -------- d-----w- c:\program files\Trend MicroSAFE
     2009-08-21 23:46 . 2009-08-21 23:47 -------- d-----w- C:\92b1978b295196649367e8
     2009-08-21 23:46 . 2009-08-21 23:57 -------- d-----w- c:\windows\SxsCaPendDel
     2009-08-21 23:20 . 2009-08-27 16:28 -------- d-----w- c:\program files\Spybot - Search & Destroy
     2009-08-21 23:20 . 2009-08-27 15:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
     2009-08-21 21:13 . 2009-08-27 16:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
     2009-08-21 19:58 . 2009-08-21 19:58 174080 ----a-w- C:\btfoltoo.exe
     2009-08-19 17:28 . 2009-08-19 17:28 -------- d-----w- c:\documents and settings\Potter House\Application Data\Malwarebytes
     2009-08-19 17:28 . 2009-08-19 17:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
     2009-08-19 05:35 . 2009-08-19 05:35 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
     2009-08-13 05:05 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
     2009-08-06 20:41 . 2009-08-07 00:57 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
     .

     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .

     2009-09-02 16:09 . 2009-08-27 16:30 5632 --sha-w- c:\program files\Thumbs.db
     2009-09-01 06:03 . 2008-04-25 17:09 -------- d-----w- c:\documents and settings\Potter House\Application Data\gtk-2.0
     2009-08-31 04:04 . 2009-01-27 19:33 -------- d-----w- c:\documents and settings\Potter House\Application Data\Key Folder
     2009-08-31 04:04 . 2008-05-15 18:01 -------- d-----w- c:\program files\WMA to MP3 Converter
     2009-08-28 18:46 . 2008-04-24 00:21 -------- d-----w- c:\documents and settings\Potter House\Application Data\TrueCrypt
     2009-08-27 23:31 . 2008-03-25 19:22 -------- d--h--w- c:\program files\InstallShield Installation Information
     2009-08-27 17:02 . 2008-05-26 19:09 -------- d-----w- c:\documents and settings\Potter House\Application Data\LimeWire
     2009-08-27 16:43 . 2008-04-15 14:45 86864 ----a-w- c:\documents and settings\Potter House\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
     2009-08-27 16:23 . 2009-04-02 01:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Corporation
     2009-08-18 17:25 . 2008-08-23 16:31 -------- d-----w- c:\program files\Firefox
     2009-08-18 17:22 . 2009-03-30 17:42 -------- d-----w- c:\documents and settings\Potter House\Application Data\uTorrent
     2009-08-13 13:26 . 2008-04-17 17:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
     2009-08-07 01:03 . 2009-02-26 19:01 5 ----a-w- c:\windows\sbacknt.bin
     2009-08-06 20:35 . 2008-04-15 20:21 -------- d-----w- c:\program files\Microsoft Silverlight
     2009-08-05 09:01 . 2005-08-16 10:18 204800 ----a-w- c:\windows\system32\mswebdvd.dll
     2009-07-31 20:21 . 2009-02-26 18:57 152904 ----a-w- c:\windows\system32\vghd.scr
     2009-07-17 19:01 . 2005-08-16 10:18 58880 ----a-w- c:\windows\system32\atl.dll
     2009-07-14 06:43 . 2005-08-16 10:19 286208 ----a-w- c:\windows\system32\wmpdxm.dll
     2009-07-03 17:09 . 2005-08-16 10:18 915456 ------w- c:\windows\system32\wininet.dll
     2009-06-26 04:13 . 2008-09-16 22:44 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
     2009-06-16 14:36 . 2005-08-16 10:18 119808 ----a-w- c:\windows\system32\t2embed.dll
     2009-06-16 14:36 . 2005-08-16 10:18 81920 ----a-w- c:\windows\system32\fontsub.dll
     2009-06-12 12:31 . 2005-08-16 10:18 80896 ----a-w- c:\windows\system32\tlntsess.exe
     2009-06-12 12:31 . 2005-08-16 10:18 76288 ----a-w- c:\windows\system32\telnet.exe
     2009-06-10 16:19 . 2005-08-16 10:37 2066432 ----a-w- c:\windows\system32\mstscax.dll
     2009-06-10 14:13 . 2005-08-16 10:18 84992 ----a-w- c:\windows\system32\avifil32.dll
     2009-06-10 06:14 . 2005-08-16 10:18 132096 ----a-w- c:\windows\system32\wkssvc.dll
     2008-06-10 01:23 . 2008-04-24 03:30 88 --sh--r- c:\windows\system32\254C04F909.sys
     2006-05-03 10:06 . 2009-01-26 19:28 163328 --sh--r- c:\windows\system32\flvDX.dll
     2008-06-10 01:24 . 2008-04-24 03:30 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys
     2007-02-21 11:47 . 2009-01-26 19:28 31232 --sh--r- c:\windows\system32\msfDX.dll
     2008-03-16 13:30 . 2009-01-26 19:28 216064 --sh--r- c:\windows\system32\nbDX.dll
     .

     ((((((((((((((((((((((((((((( SnapShot@2009-08-28_18.23.06 )))))))))))))))))))))))))))))))))))))))))
     .
     + 2008-03-25 19:18 . 2009-07-14 11:03 46080 c:\windows\system32\tzchange.exe
     + 2008-04-15 14:24 . 2009-09-02 15:54 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
     - 2008-04-15 14:24 . 2009-08-28 15:49 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
     - 2008-04-15 14:24 . 2009-08-28 15:49 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
     + 2008-04-15 14:24 . 2009-09-02 15:54 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
     + 2009-08-19 05:35 . 2009-09-01 15:00 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
     - 2009-08-19 05:35 . 2009-08-26 16:11 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
     + 2008-04-15 14:24 . 2009-09-02 15:54 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
     - 2008-04-15 14:24 . 2009-08-28 15:49 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
     + 2009-09-02 15:55 . 2009-09-02 16:14 2258 c:\windows\SoftwareDistribution\EventCache\{645A0953-4128-466F-913E-77EF40D7CD91}.bin
     + 2009-07-10 17:39 . 2009-07-10 17:39 406640 c:\windows\Downloaded Program Files\fslauncher.dll
     .

     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4

     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]
     "VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-10-14 122880]
     "AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 49152]
     "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
     "CaISSDT"="d:\program files\eTrust\caissdt.exe" [2006-06-26 165392]
     "CaAvTray"="d:\program files\eTrust\eTrust EZ Antivirus\CAVTray.exe" [2008-04-15 230928]
     "CAVRID"="d:\program files\eTrust\eTrust EZ Antivirus\CAVRID.exe" [2008-04-15 185872]
     "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
     "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
     "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-07-27 221184]
     "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016]
     "CTHelper"="CTHELPER.EXE" - c:\windows\CTHELPER.EXE [2005-11-08 16384]
     "CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\CTXFIHLP.EXE [2006-03-02 18944]
     "SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-07-27 282624]

     c:\documents and settings\All Users\Start Menu\Programs\Startup\
     Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-2-5 118784]

     [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
     "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
     @="Service"

     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
     @="Service"

     [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
     "DisableMonitoring"=dword:00000001

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
     "DisableNotifications"= 1 (0x1)

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
     "d:\\Games\\Splinter Cell\\Splinter Cell Pandora Tomorrow\\pandora.exe"=
     "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
     "c:\\Program Files\\uTorrent\\uTorrent.exe"=
     "c:\\Program Files\\LimeWire\\LimeWire.exe"=

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
     "11980:TCP"= 11980:TCP:BitComet 11980 TCP
     "11980:UDP"= 11980:UDP:BitComet 11980 UDP

     R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [8/27/2009 9:05 AM 64160]
     R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 7:49 AM 1029456]
     R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
     S2 efxrlnr;efxrlnr;c:\windows\system32\drivers\xiuzw.sys --> c:\windows\system32\drivers\xiuzw.sys [?]
     S2 hkgiv;hkgiv;c:\windows\system32\drivers\uieprale.sys --> c:\windows\system32\drivers\uieprale.sys [?]
     S2 lxaipujx;lxaipujx;c:\windows\system32\drivers\Iuat.sys --> c:\windows\system32\drivers\Iuat.sys [?]
     S3 s0016bus;Sony Ericsson Device 0016 driver (WDM);c:\windows\system32\drivers\s0016bus.sys [12/10/2008 5:55 PM 89256]
     S3 s0016mdfl;Sony Ericsson Device 0016 USB WMC Modem Filter;c:\windows\system32\drivers\s0016mdfl.sys [12/10/2008 5:55 PM 15016]
     S3 s0016mdm;Sony Ericsson Device 0016 USB WMC Modem Driver;c:\windows\system32\drivers\s0016mdm.sys [12/10/2008 5:55 PM 120744]
     S3 s0016mgmt;Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0016mgmt.sys [12/10/2008 5:55 PM 114216]
     S3 s0016nd5;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS);c:\windows\system32\drivers\s0016nd5.sys [12/10/2008 5:55 PM 25512]
     S3 s0016obex;Sony Ericsson Device 0016 USB WMC OBEX Interface;c:\windows\system32\drivers\s0016obex.sys [12/10/2008 5:55 PM 110632]
     S3 s0016unic;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM);c:\windows\system32\drivers\s0016unic.sys [12/10/2008 5:55 PM 115752]

     [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
     "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
     .
     Contents of the 'Scheduled Tasks' folder

     2009-08-27 c:\windows\Tasks\Ad-Aware Update (Weekly).job
     - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]

     2009-09-02 c:\windows\Tasks\MP Scheduled Scan.job
     - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 02:20]

     2009-09-02 c:\windows\Tasks\User_Feed_Synchronization-{EA44E479-FB04-4855-AFB1-08BE50634A84}.job
     - c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]
     .
     .
     ------- Supplementary Scan -------
     .
     uStart Page = www.angelfire.com/wa3/potterhouse/uberpage.mht
     uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
     uInternet Settings,ProxyOverride = *.local
     IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
     DPF: {64D01C7F-810D-446E-A07E-456746835644} - hxxp://uk.games.myspace.com/gameshell/games/channel--110372603/lc--en/room--0fa147b9-5572-440b-8d7d-7813fb7fa3ba/online/abc_island/en/abcisland.cab
     DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} - hxxp://www.shockwave.com/content/burgershop/sis/GoBitGamesPlayer_v5.cab
     DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
     FF - ProfilePath - c:\documents and settings\Potter House\Application Data\Mozilla\Firefox\Profiles\unb5fzhk.default\
     .

     **************************************************************************

     catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2009-09-02 09:54
     Windows 5.1.2600 Service Pack 3 NTFS

     scanning hidden processes ...

     scanning hidden autostart entries ...

     HKLM\Software\Microsoft\Windows\CurrentVersion\Run
     CTHelper = CTHELPER.EXE??R?.?E?X?E??
     CTxfiHlp = CTXFIHLP.EXE??P?.?E?X?E??
     DLA = c:\windows\System32\DLA\DLACTRLW.EXE??\?D?L?A?\?D?L?A?C?T?R?L?W?.?E?X?E??
     ISUSScheduler = "c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start??h?i?e?l?d?\?U?p?d?a?t?e?S?e?r?v?i?c?e?\?i?s?s?c?h?.?e?x?e?"? ?-?s?t?a?r?t??

     scanning hidden files ...

     scan completed successfully
     hidden files: 0

     **************************************************************************

     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PSSdk21]
     "ImagePath"="\??\c:\windows\system32\Drivers\HNPsSdk.drv"
     .
     --------------------- LOCKED REGISTRY KEYS ---------------------

     [HKEY_USERS\S-1-5-21-2740426159-3304903004-2380553705-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{40B63A11-24DA-4F1A-F331-AF6562EB360B}*]
     @Allowed: (Read) (RestrictedCode)
     @Allowed: (Read) (RestrictedCode)
     "oanhccajkkpbaobmmafebgpgoaohne"=hex:64,61,6e,62,6e,68,69,6e,00,90
     "oajhgelahcijbiomgfdpodbkbedeap"=hex:6b,61,61,63,65,68,65,6b,63,65,69,62,63,6e,6f,65,70,6d,6d,66,64,6f,00,00
     "napgablpacflgkjnjmdlokjfcehn"=hex:6b,61,61,63,65,68,65,6b,63,65,69,62,63,6e,6f,65,70,6d,6d,66,64,6f,00,00

     [HKEY_USERS\S-1-5-21-2740426159-3304903004-2380553705-1005\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
     "??"=hex:53,de,e6,7e,7c,da,a6,0f,36,c1,f7,48,55,1e,35,6e,a5,b6,d4,4d,8b,26,9b,b6,f8,ef,c8,a0,e5,f5,16,5e,6c,8a,cf,4d,ba,8e,70,73,5c,f1,e1,76,8f,7b,ca,73,\
     "??"=hex:cf,55,c7,95,2b,14,4d,f8,66,7b,0c,1b,19,52,fe,22

     [HKEY_USERS\S-1-5-21-2740426159-3304903004-2380553705-1005\Software\SecuROM\License information*]
     "datasecu"=hex:dc,d6,a7,df,41,30,ef,39,68,a0,21,db,8a,1a,d8,d9,76,a2,5f,f8,0c,40,26,a6,a2,3d,f2,59,b2,dd,27,59,06,0a,88,2c,0e,7c,46,02,f9,d4,3f,33,ae,b1,\
     "rkeysecu"=hex:bc,f5,52,ce,8d,e9,7b,80,30,16,f4,58,23,11,cd,b4

     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
     @Denied: (A 2) (Everyone)
     @="FlashBroker"
     "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
     "Enabled"=dword:00000001

     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
     @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
     @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

     [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
     @Denied: (A 2) (Everyone)
     @="IFlashBroker3"

     [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
     @="{00020424-0000-0000-C000-000000000046}"

     [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
     @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
     "Version"="1.0"
     .
     Completion time: 2009-09-02 9:56
     ComboFix-quarantined-files.txt 2009-09-02 16:56
     ComboFix2.txt 2009-08-28 18:32

     Pre-Run: 196,527,501,312 bytes free
     Post-Run: 196,941,139,968 bytes free

     248 --- E O F --- 2009-09-01 04:36
  4. Hey, I greatly appreciate all the help that you have given me, but in attempting to run Mbam often enough to not require safe mode I noticed that the file "C:\WINDOWS\system32\uacinit.dll" never actually cleans. So I googled it and ended up back at this forum at the following thread: http://www.bleepingcomputer.com/forums/topic227700.html It looks like a lot of the issues I am having were also experienced by Wizzle. At this point I am quite comfortable formatting, but would appreciate a little additional feedback. Over the course of this cleaning I have burned some files to DVD in an attempt to back things up. However, I find myself questioning whether it is wise to trust these potentially infected files. Is there a reliable and modern resource detailing:
     1- What types of files can be trusted from an infected machine
     2- The best order to reinstall programs for the highest level of security
     3- I have the standard C: setup, with a smaller (faster) D: drive that I use for some games and storage. Is it possible/likely that the D: is also infected?
     I expect to be "preparing" to format for the next few days and am likely to actually Nuke the C: on Thursday morning. Any feedback before then would be greatly appreciated. Thanks.
  5. By the way, I forgot to mention that "c:\windows\system32\Drivers\HNPsSdk.drv" is no longer there, so I can't have it looked at. Here is checkup.txt:

     Results of screen317's Security Check version 0.98.9
     Windows XP Service Pack 3
     ``````````````````````````````
     Antivirus/Firewall Check:

     Windows Security Center service is not running! This report may not be accurate!
     Windows Firewall Enabled!
     CA eTrust EZ Antivirus
     Antivirus up to date! (On Access scanning disabled!)
     ``````````````````````````````
     Anti-malware/Other Utilities Check:

     Ad-Aware
     Windows Defender
     Malwarebytes' Anti-Malware
     HijackThis 2.0.2
     CCleaner (remove only)
     Java 6 Update 5
     Java 6 Update 7
     Out of date Java installed!
     Adobe Flash Player 10
     Adobe Reader 8.1.4
     Out of date Adobe Reader installed!
     ``````````````````````````````
     Process Check:
     objlist.exe by Laurent

     Windows Defender MSMpEng.exe
     Ad-Aware AAWService.exe is disabled!
     Ad-Aware AAWTray.exe is disabled!
     ``````````````````````````````
     DNS Vulnerability Check:

     GREAT! (Not vulnerable to DNS cache poisoning)

     `````````End of Log```````````
  6. This is what happens when I try to kill one of the iexplorers manually.
  7. I believe this started Aug 7th. My wife woke up one morning to see an adware pop-up on the desktop (I think it was called "Windows Anti Virus" or something). She attempted to say no and she got the BSoD. She took a screenshot of it (I still have it if you want to see it). I think that it was only after that day that every once in a while I would notice Windows Defender telling me to turn my firewall back on, but I never turned it off. I used my antivirus (eTrust EZ Antivirus) to try to clean. I cleaned some, but didn't fix the prob. At that point I used one anti-malware or another (I don't recall which). It seemed to have gotten better for a few days. No issues. Then, when Googling, clicking on a link led to random web sites. Used different cleaners. Some of them didn't run at all. About that time was when I started posting on this site. After starting this post I had my computer on for about 20 mins a day to check email and whatnot. A few days ago it seemed pretty good. I even played a video game for a few hours because it seemed clean. Then it all came tumbling down. iexplorer gets hijacked constantly, I have strange programs that I don't recognize in my task manager processes from time to time. Even when not on the internet I get strange audio that sounds like TV commercials or something, and there are in fact multiple iexplorers running in "processes" but not "applications". I try running cleaners and they crash, vanish, I get the BSoD or the whole thing just freezes so I can't do anything but a manual power-down. Even now, in Safe Mode with Networking I have iexplorers running and the occasional pop-up (see attached jpg). So, I think this is what you want from the F-Secure (full report).

     Scanning Report
     Sunday, August 30, 2009 20:23:05 - 21:04:35
     Computer name: POTTERHOUSE
     Scanning type: Scan system for malware, spyware and rootkits
     Target: C:\ D:\
     --------------------------------------------------------------------------------
     27 malware found
     TrackingCookie.Questionmarket (spyware) System (Disinfected)
     TrackingCookie.2o7 (spyware) System (Disinfected)
     TrackingCookie.Advertising (spyware) System (Disinfected)
     TrackingCookie.Atdmt (spyware) System (Disinfected)
     TrackingCookie.Doubleclick (spyware) System (Disinfected)
     MemScan:Trojan.Clicker.MUC (spyware) System (Disinfected)
     TrackingCookie.Revsci (spyware) System (Disinfected)
     TrackingCookie.Adbrite (spyware) System (Disinfected)
     TrackingCookie.Xiti (spyware) System (Disinfected)
     TrackingCookie.Mediaplex (spyware) System (Disinfected)
     Trojan.TDss.WT (spyware) System (Disinfected)
     TrackingCookie.Statcounter (spyware) System (Disinfected)
     TrackingCookie.Atwola (spyware) System (Disinfected)
     TrackingCookie.Yieldmanager (spyware) System (Disinfected)
     Trojan-Downloader:W32/Renos.gen!C (spyware) System (Disinfected)
     Trojan-Downloader:W32/Renos.gen!C (virus) C:\WINDOWS\MSA.EXE (Not cleaned)
     Trojan-Downloader:W32/Renos.gen!C (virus) C:\WINDOWS\MSB.EXE (Not cleaned)
     Backdoor:W32/TDSS.CX (virus) C:\SYSTEM VOLUME INFORMATION\_RESTORE{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP653\A0051425.SYS (Renamed & Submitted)
     Trojan:W32/TDSS.CW (virus) C:\SYSTEM VOLUME INFORMATION\_RESTORE{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP653\A0051426.DLL (Renamed & Submitted)
     Trojan:W32/Alureon.R (virus) C:\SYSTEM VOLUME INFORMATION\_RESTORE{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP653\A0051427.DLL (Renamed)
     Trojan:W32/Alureon.R (virus) C:\SYSTEM VOLUME INFORMATION\_RESTORE{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP653\A0051428.DLL (Renamed)
     Trojan:W32/TDSS.CW (virus) C:\SYSTEM VOLUME INFORMATION\_RESTORE{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP653\A0051429.DLL (Renamed & Submitted)
     Trojan.Generic.1644710 (virus) C:\PROGRAM FILES\WMA TO MP3 CONVERTER\READMEDIA.DLL (Renamed & Submitted)
     Trojan-Downloader:W32/Renos.gen!C (virus) C:\DOCUMENTS AND SETTINGS\POTTER HOUSE\LOCAL SETTINGS\TEMP\C.EXE (Not cleaned)
     Trojan-Downloader:W32/Renos.gen!C (virus) C:\DOCUMENTS AND SETTINGS\POTTER HOUSE\LOCAL SETTINGS\TEMP\D.EXE (Not cleaned)
     Trojan-Downloader:W32/Renos.gen!C (virus) C:\DOCUMENTS AND SETTINGS\POTTER HOUSE\LOCAL SETTINGS\TEMP\F.EXE (Not cleaned)
     Trojan.Generic.1443458 (virus) C:\DOCUMENTS AND SETTINGS\POTTER HOUSE\APPLICATION DATA\KEY FOLDER\SQL2005.DLL (Renamed & Submitted)
     --------------------------------------------------------------------------------
     Statistics
     Scanned:
     Files: 51129
     System: 3996
     Not scanned: 13
     Actions:
     Disinfected: 15
     Renamed: 7
     Deleted: 0
     Not cleaned: 5
     Submitted: 5
     Files not scanned:
     C:\PAGEFILE.SYS
     C:\WINDOWS\SYSTEM32\DUMPREP.EXE
     C:\WINDOWS\SYSTEM32\DRIVERS\SPTD.SYS
     C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
     C:\WINDOWS\SYSTEM32\CONFIG\SAM
     C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
     C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
     C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
     C:\SYSTEM VOLUME INFORMATION\MOUNTPOINTMANAGERREMOTEDATABASE
     C:\PROGRAM FILES\TREND MICROSAFE\HIJACKTHIS\HIJACKTHIS.EXE
     C:\PROGRAM FILES\TREND MICRO\HIJACKTHIS\HIJACKTHIS.EXE
     C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\SPYBOTSD.EXE
     C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\LAVASOFT\AD-AWARE\MINIMESSAGE\2
     --------------------------------------------------------------------------------
     Options
     Scanning engines:
     Scanning options:
     Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
     Use advanced heuristics
     --------------------------------------------------------------------------------
  8. Umm ... I'm at a crossroads here. I am posting this in safe mode because when I boot normally, windows USUALLY loads all the start-up programs and then freezes completely. Sometimes it doesn't even finish loading all the start-up stuff before freezing. Once it froze at the log-in screen. I attempted to restore my system to a previous date and it says I don't have any restore points. That seems odd since many of the programs I have been running lately say they are creating a restore point before running. Are those accessible by some other means? At this point I would love to follow your last advice, but given the circumstances, I would greatly appreciate more feedback before proceeding. Preferably this will have to be something that can be done in safe mode. Thanks a million.
  9. Wow. It worked. Here is the combofix log. Near the top there is a list of all the names I re-named ComboFix (ComboHyphenFix, NoJoke, MiddleFingerCF, etc.). I never noticed those files before because I was looking for a txt file. After running the program I got a phone call and when I came back I could see my wallpaper, but none of my icons or start menu or anything (like explorer crashed or it was restarting). I waited a few minutes and nothing was happening, so I manually turned off and back on. After bootup combofix had a window up and eventually gave me a log. I hope that I was not just being impatient again. Anyway, here is the Combofix Log:
ComboFix 09-08-27.A3 - Potter House 08/28/2009 11:07.1.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3069.2510 [GMT -7:00]
Running from: c:\documents and settings\Potter House\Desktop\CampingFox.exe
AV: eTrust EZ Antivirus *On-access scanning disabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\docume~1\POTTER~1\LOCALS~1\Temp\1.wmv
c:\program files\IEToolbar
c:\windows\Downloaded Program Files\popcaploader.dll
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\Downloaded Program Files\Temp
c:\windows\Fonts\AcadEref.ttf
c:\windows\Fonts\ZWAdobeF.TTF
c:\windows\Installer\8dc30.msp
c:\windows\Installer\d75ae81.msi
c:\windows\Installer\e018a9e.msp
c:\windows\kb913800.exe
c:\windows\lcggg0805.exe
c:\windows\system32\drivers\kbiwkmtoggyseb.sys
c:\windows\system32\kbiwkmientrdmx.dll
c:\windows\system32\kbiwkmnsfoowyr.dat
c:\windows\system32\kbiwkmohexwxej.dll
c:\windows\system32\kbiwkmpfuxtstp.dll
c:\windows\system32\kbiwkmqrodeagu.dll
c:\windows\system32\kbiwkmvmyqvxew.dat
c:\windows\system32\kbiwkmvxompdwf.dat
c:\windows\system32\kbiwkmvxssqgvo.dat
c:\windows\winhelp.ini
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_NPF
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}

((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-28 )))))))))))))))))))))))))))))))
.
2009-08-28 15:45 . 2009-08-28 15:48 -------- d-s---w- C:\Comb-Fox
2009-08-27 16:41 . 2009-07-03 14:49 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-08-27 16:05 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-08-27 16:05 . 2009-08-27 16:05 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-08-27 16:05 . 2009-07-08 17:28 2920112 -c--a-w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.exe
2009-08-27 16:05 . 2009-08-27 16:05 -------- d-----w- c:\program files\Lavasoft
2009-08-27 04:56 . 2009-08-27 04:58 -------- d-s---w- C:\ComboHyphenFix
2009-08-26 18:28 . 2009-08-26 18:30 -------- d-s---w- C:\NoJoke
2009-08-26 15:45 . 2009-08-26 15:46 -------- d-s---w- C:\MiddleFingerCF
2009-08-25 16:02 . 2009-08-25 16:03 -------- d-s---w- C:\LilBunnyCF
2009-08-24 04:24 . 2009-08-25 15:58 -------- d-s---w- C:\ComboFix
2009-08-24 03:15 . 2009-08-24 03:20 -------- d-s---w- C:\Combo-Fix
2009-08-23 05:09 . 2009-08-23 05:09 -------- d-----w- C:\installers
2009-08-22 02:04 . 2009-08-22 02:04 -------- d-----w- c:\program files\Trend Micro
2009-08-22 02:03 . 2009-08-21 20:51 812344 ----a-w- c:\documents and settings\Potter House\HJTInstall.exe
2009-08-22 00:10 . 2009-08-03 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-22 00:10 . 2009-08-26 17:12 -------- d-----w- c:\program files\Malwarebytes' Anti-MalwareSAFE
2009-08-22 00:10 . 2009-08-03 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-22 00:02 . 2009-08-22 00:02 -------- d-----w- c:\program files\Trend MicroSAFE
2009-08-21 23:46 . 2009-08-21 23:47 -------- d-----w- C:\92b1978b295196649367e8
2009-08-21 23:46 . 2009-08-21 23:57 -------- d-----w- c:\windows\SxsCaPendDel
2009-08-21 23:20 . 2009-08-27 16:28 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-21 23:20 . 2009-08-27 15:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-21 21:13 . 2009-08-27 16:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-08-21 19:58 . 2009-08-21 19:58 174080 ----a-w- C:\btfoltoo.exe
2009-08-19 17:28 . 2009-08-19 17:28 -------- d-----w- c:\documents and settings\Potter House\Application Data\Malwarebytes
2009-08-19 17:28 . 2009-08-19 17:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-19 05:35 . 2009-08-19 05:35 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-08-13 05:05 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-08-06 20:42 . 2009-08-06 20:42 1962544 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
2009-08-06 20:41 . 2009-08-07 00:57 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-27 23:31 . 2008-03-25 19:22 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-27 17:02 . 2008-05-26 19:09 -------- d-----w- c:\documents and settings\Potter House\Application Data\LimeWire
2009-08-27 16:43 . 2008-04-15 14:45 86864 ----a-w- c:\documents and settings\Potter House\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-27 16:30 . 2009-08-27 16:30 5632 --sha-w- c:\program files\Thumbs.db
2009-08-27 16:23 . 2009-04-02 01:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Corporation
2009-08-26 05:30 . 2008-04-25 17:09 -------- d-----w- c:\documents and settings\Potter House\Application Data\gtk-2.0
2009-08-25 16:25 . 2008-04-24 00:21 -------- d-----w- c:\documents and settings\Potter House\Application Data\TrueCrypt
2009-08-18 17:25 . 2008-08-23 16:31 -------- d-----w- c:\program files\Firefox
2009-08-18 17:22 . 2009-03-30 17:42 -------- d-----w- c:\documents and settings\Potter House\Application Data\uTorrent
2009-08-18 11:10 . 2009-01-27 19:33 -------- d-----w- c:\documents and settings\Potter House\Application Data\Key Folder
2009-08-13 13:26 . 2008-04-17 17:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-07 01:03 . 2009-02-26 19:01 5 ----a-w- c:\windows\sbacknt.bin
2009-08-06 20:35 . 2008-04-15 20:21 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-05 09:01 . 2005-08-16 10:18 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-31 20:21 . 2009-02-26 18:57 152904 ----a-w- c:\windows\system32\vghd.scr
2009-07-17 19:01 . 2005-08-16 10:18 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 06:43 . 2005-08-16 10:19 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2005-08-16 10:18 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-02 20:57 . 2009-06-26 04:20 -------- d-----w- c:\program files\DAEMON Tools Lite
2009-07-02 05:45 . 2009-07-02 05:44 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE
2009-06-26 04:13 . 2008-09-16 22:44 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-06-16 14:36 . 2005-08-16 10:18 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2005-08-16 10:18 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 12:31 . 2005-08-16 10:18 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2005-08-16 10:18 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 16:19 . 2005-08-16 10:37 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 14:13 . 2005-08-16 10:18 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:14 . 2005-08-16 10:18 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-03 19:09 . 2005-08-16 10:18 1291264 ----a-w- c:\windows\system32\quartz.dll
2008-06-10 01:23 . 2008-04-24 03:30 88 --sh--r- c:\windows\system32\254C04F909.sys
2006-05-03 10:06 . 2009-01-26 19:28 163328 --sh--r- c:\windows\system32\flvDX.dll
2008-06-10 01:24 . 2008-04-24 03:30 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys
2007-02-21 11:47 . 2009-01-26 19:28 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 13:30 . 2009-01-26 19:28 216064 --sh--r- c:\windows\system32\nbDX.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-10-14 122880]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 49152]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"CaISSDT"="d:\program files\eTrust\caissdt.exe" [2006-06-26 165392]
"CaAvTray"="d:\program files\eTrust\eTrust EZ Antivirus\CAVTray.exe" [2008-04-15 230928]
"CAVRID"="d:\program files\eTrust\eTrust EZ Antivirus\CAVRID.exe" [2008-04-15 185872]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-07-27 221184]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"CTHelper"="CTHELPER.EXE" - c:\windows\CTHELPER.EXE [2005-11-08 16384]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\CTXFIHLP.EXE [2006-03-02 18944]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-09-17 1657376]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-07-27 282624]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-2-5 118784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"d:\\Games\\Splinter Cell\\Splinter Cell Pandora Tomorrow\\pandora.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"11980:TCP"= 11980:TCP:BitComet 11980 TCP
"11980:UDP"= 11980:UDP:BitComet 11980 UDP

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [8/27/2009 9:05 AM 64160]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 7:49 AM 1029456]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S3 s0016bus;Sony Ericsson Device 0016 driver (WDM);c:\windows\system32\drivers\s0016bus.sys [12/10/2008 5:55 PM 89256]
S3 s0016mdfl;Sony Ericsson Device 0016 USB WMC Modem Filter;c:\windows\system32\drivers\s0016mdfl.sys [12/10/2008 5:55 PM 15016]
S3 s0016mdm;Sony Ericsson Device 0016 USB WMC Modem Driver;c:\windows\system32\drivers\s0016mdm.sys [12/10/2008 5:55 PM 120744]
S3 s0016mgmt;Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0016mgmt.sys [12/10/2008 5:55 PM 114216]
S3 s0016nd5;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS);c:\windows\system32\drivers\s0016nd5.sys [12/10/2008 5:55 PM 25512]
S3 s0016obex;Sony Ericsson Device 0016 USB WMC OBEX Interface;c:\windows\system32\drivers\s0016obex.sys [12/10/2008 5:55 PM 110632]
S3 s0016unic;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM);c:\windows\system32\drivers\s0016unic.sys [12/10/2008 5:55 PM 115752]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-08-27 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]

2009-08-28 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 02:20]

2009-08-28 c:\windows\Tasks\User_Feed_Synchronization-{EA44E479-FB04-4855-AFB1-08BE50634A84}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = www.angelfire.com/wa3/potterhouse/uberpage.mht
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
DPF: {64D01C7F-810D-446E-A07E-456746835644} - hxxp://uk.games.myspace.com/gameshell/games/channel--110372603/lc--en/room--0fa147b9-5572-440b-8d7d-7813fb7fa3ba/online/abc_island/en/abcisland.cab
DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} - hxxp://www.shockwave.com/content/burgershop/sis/GoBitGamesPlayer_v5.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
FF - ProfilePath - c:\documents and settings\Potter House\Application Data\Mozilla\Firefox\Profiles\unb5fzhk.default\
.
**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-28 11:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTHelper = CTHELPER.EXE??R?.?E?X?E??
CTxfiHlp = CTXFIHLP.EXE??P?.?E?X?E??
DLA = c:\windows\System32\DLA\DLACTRLW.EXE??\?D?L?A?\?D?L?A?C?T?R?L?W?.?E?X?E??
ISUSScheduler = "c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start??h?i?e?l?d?\?U?p?d?a?t?e?S?e?r?v?i?c?e?\?i?s?s?c?h?.?e?x?e?"? ?-?s?t?a?r?t??

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PSSdk21]
"ImagePath"="\??\c:\windows\system32\Drivers\HNPsSdk.drv"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2740426159-3304903004-2380553705-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{40B63A11-24DA-4F1A-F331-AF6562EB360B}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"oanhccajkkpbaobmmafebgpgoaohne"=hex:64,61,6e,62,6e,68,69,6e,00,90
"oajhgelahcijbiomgfdpodbkbedeap"=hex:6b,61,61,63,65,68,65,6b,63,65,69,62,63,6e,
   6f,65,70,6d,6d,66,64,6f,00,00
"napgablpacflgkjnjmdlokjfcehn"=hex:6b,61,61,63,65,68,65,6b,63,65,69,62,63,6e,
   6f,65,70,6d,6d,66,64,6f,00,00

[HKEY_USERS\S-1-5-21-2740426159-3304903004-2380553705-1005\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:53,de,e6,7e,7c,da,a6,0f,36,c1,f7,48,55,1e,35,6e,a5,b6,d4,4d,8b,26,9b,
   b6,f8,ef,c8,a0,e5,f5,16,5e,6c,8a,cf,4d,ba,8e,70,73,5c,f1,e1,76,8f,7b,ca,73,\
"??"=hex:cf,55,c7,95,2b,14,4d,f8,66,7b,0c,1b,19,52,fe,22

[HKEY_USERS\S-1-5-21-2740426159-3304903004-2380553705-1005\Software\SecuROM\License information*]
"datasecu"=hex:dc,d6,a7,df,41,30,ef,39,68,a0,21,db,8a,1a,d8,d9,76,a2,5f,f8,0c,
   40,26,a6,a2,3d,f2,59,b2,dd,27,59,06,0a,88,2c,0e,7c,46,02,f9,d4,3f,33,ae,b1,\
"rkeysecu"=hex:bc,f5,52,ce,8d,e9,7b,80,30,16,f4,58,23,11,cd,b4

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3968)
c:\windows\system32\WININET.dll
c:\windows\system32\nview.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\progra~1\WINDOW~3\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTSVCCDA.EXE
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\windows\system32\nvsvc32.exe
d:\program files\eTrust\eTrust EZ Antivirus\VetMsg.exe
c:\windows\system32\searchindexer.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\CTXFISPI.EXE
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\searchprotocolhost.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
c:\windows\system32\searchfilterhost.exe
.
**************************************************************************
.
Completion time: 2009-08-28 11:32 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-28 18:32

Pre-Run: 195,607,183,360 bytes free
Post-Run: 196,957,974,528 bytes free

281 --- E O F --- 2009-08-28 18:30
  10. Neither log was minimized. I will post the one that was in front. If it is the wrong one (as I suspect it might be, since it says not to post it) then let me know. I will save both of them.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-07-30.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 4/15/2008 7:37:52 AM
System Uptime: 8/26/2009 11:17:19 PM (2 hours ago)

Motherboard: Dell Inc. | | 0UY253
Processor: Intel® Core2 Quad CPU @ 2.40GHz | Microprocessor | 2394/1066mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 293 GiB total, 171.528 GiB free.
D: is FIXED (NTFS) - 149 GiB total, 30.336 GiB free.
E: is CDROM ()
F: is CDROM ()
G: is Removable
H: is Removable
I: is Removable
J: is Removable
K: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Broadcom NetXtreme 57xx Gigabit Controller
Device ID: PCI\VEN_14E4&DEV_1677&SUBSYS_02071028&REV_21\4&3601BAE0&0&0028
Manufacturer: Broadcom
Name: Broadcom NetXtreme 57xx Gigabit Controller
PNP Device ID: PCI\VEN_14E4&DEV_1677&SUBSYS_02071028&REV_21\4&3601BAE0&0&0028
Service: b57w2k

Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}
Description: Microsoft Kernel DLS Synthesizer
Device ID: SW\{8C07DD50-7A8D-11D2-8F8C-00C04FBF8FEF}\DMUSIC
Manufacturer: Microsoft
Name: Microsoft Kernel DLS Synthesizer
PNP Device ID: SW\{8C07DD50-7A8D-11D2-8F8C-00C04FBF8FEF}\DMUSIC
Service: DMusic

==== System Restore Points ===================

RP537: 8/18/2009 10:12:37 AM - System Checkpoint
RP538: 8/18/2009 10:12:38 AM - System Checkpoint
RP539: 8/18/2009 10:12:39 AM - Software Distribution Service 3.0
RP540: 8/18/2009 10:12:39 AM - System Checkpoint
RP541: 8/18/2009 10:12:40 AM - System Checkpoint
RP542: 8/18/2009 10:12:40 AM - System Checkpoint
RP543: 8/18/2009 10:12:41 AM - Software Distribution Service 3.0
RP544: 8/18/2009 10:12:42 AM - System Checkpoint
RP545: 8/18/2009 10:12:43 AM - Installed Google SketchUp 7
RP546: 8/18/2009 10:12:43 AM - Removed Google SketchUp 6
RP547: 8/18/2009 10:12:44 AM - Removed Google SketchUp 6
RP548: 8/18/2009 10:12:44 AM - System Checkpoint
RP549: 8/18/2009 10:12:45 AM - Software Distribution Service 3.0
RP550: 8/18/2009 10:12:46 AM - System Checkpoint
RP551: 8/18/2009 10:12:47 AM - System Checkpoint
RP552: 8/18/2009 10:12:48 AM - System Checkpoint
RP553: 8/18/2009 10:12:48 AM - System Checkpoint
RP554: 8/18/2009 10:12:50 AM - Software Distribution Service 3.0
RP555: 8/18/2009 10:12:51 AM - System Checkpoint
RP556: 8/18/2009 10:12:52 AM - System Checkpoint
RP557: 8/18/2009 10:12:52 AM - Software Distribution Service 3.0
RP558: 8/18/2009 10:12:53 AM - Removed BioShock
RP559: 8/18/2009 10:12:54 AM - Removed Star Wars: Empire at War
RP560: 8/18/2009 10:12:55 AM - System Checkpoint
RP561: 8/18/2009 10:12:55 AM - System Checkpoint
RP562: 8/18/2009 10:12:55 AM - System Checkpoint
RP563: 8/18/2009 10:12:56 AM - Software Distribution Service 3.0
RP564: 8/18/2009 10:12:57 AM - System Checkpoint
RP565: 8/18/2009 10:12:57 AM - System Checkpoint
RP566: 8/18/2009 10:12:57 AM - Software Distribution Service 3.0
RP567: 8/18/2009 10:12:58 AM - System Checkpoint
RP568: 8/18/2009 10:12:59 AM - Software Distribution Service 3.0
RP569: 8/18/2009 10:12:59 AM - Software Distribution Service 3.0
RP570: 8/18/2009 10:13:00 AM - System Checkpoint
RP571: 8/18/2009 10:13:01 AM - System Checkpoint
RP572: 8/18/2009 10:13:01 AM - Software Distribution Service 3.0
RP573: 8/18/2009 10:13:02 AM - System Checkpoint
RP574: 8/18/2009 10:13:03 AM - System Checkpoint
RP575: 8/18/2009 10:13:05 AM - Software Distribution Service 3.0
RP576: 8/18/2009 10:13:05 AM - System Checkpoint
RP577: 8/18/2009 10:13:06 AM - System Checkpoint
RP578: 8/18/2009 10:13:06 AM - System Checkpoint
RP579: 8/18/2009 10:13:07 AM - Software Distribution Service 3.0
RP580: 8/18/2009 10:13:09 AM - System Checkpoint
RP581: 8/18/2009 10:13:10 AM - System Checkpoint
RP582: 8/18/2009 10:13:11 AM - System Checkpoint
RP583: 8/18/2009 10:13:13 AM - Software Distribution Service 3.0
RP584: 8/18/2009 10:13:14 AM - SPTD setup V1.58
RP585: 8/18/2009 10:13:14 AM - Installed DirectX
RP586: 8/18/2009 10:13:15 AM - Installed %1 %2.
RP587: 8/18/2009 10:13:16 AM - Printer Driver Microsoft XPS Document Writer Installed
RP588: 8/18/2009 10:13:17 AM - Installed %1 %2.
RP589: 8/18/2009 10:13:17 AM - Printer Driver Microsoft XPS Document Writer Installed
RP590: 8/18/2009 10:13:18 AM - Installed DirectX
RP591: 8/18/2009 10:13:19 AM - System Checkpoint
RP592: 8/18/2009 10:13:20 AM - System Checkpoint
RP593: 8/18/2009 10:13:20 AM - System Checkpoint
RP594: 8/18/2009 10:13:21 AM - Software Distribution Service 3.0
RP595: 8/18/2009 10:13:22 AM - System Checkpoint
RP596: 8/18/2009 10:13:23 AM - System Checkpoint
RP597: 8/18/2009 10:13:23 AM - Installed DirectX
RP598: 8/18/2009 10:13:24 AM - Software Distribution Service 3.0
RP599: 8/18/2009 10:13:25 AM - Software Distribution Service 3.0
RP600: 8/18/2009 10:13:26 AM - System Checkpoint
RP601: 8/18/2009 10:13:26 AM - System Checkpoint
RP602: 8/18/2009 10:13:26 AM - System Checkpoint
RP603: 8/18/2009 10:13:27 AM - Software Distribution Service 3.0
RP604: 8/18/2009 10:13:27 AM - Software Distribution Service 3.0
RP605: 8/18/2009 10:13:28 AM - System Checkpoint
RP606: 8/18/2009 10:13:28 AM - System Checkpoint
RP607: 8/18/2009 10:13:29 AM - Software Distribution Service 3.0
RP608: 8/18/2009 10:13:29 AM - System Checkpoint
RP609: 8/18/2009 10:13:30 AM - System Checkpoint
RP610: 8/18/2009 10:13:31 AM - System Checkpoint
RP611: 8/18/2009 10:13:31 AM - Software Distribution Service 3.0
RP612: 8/18/2009 10:13:32 AM - System Checkpoint
RP613: 8/18/2009 10:13:32 AM - System Checkpoint
RP614: 8/18/2009 10:13:33 AM - Software Distribution Service 3.0
RP615: 8/18/2009 10:13:33 AM - Software Distribution Service 3.0
RP616: 8/18/2009 10:13:34 AM - System Checkpoint
RP617: 8/18/2009 10:13:34 AM - System Checkpoint
RP618: 8/18/2009 10:13:34 AM - System Checkpoint
RP619: 8/18/2009 10:13:35 AM - Software Distribution Service 3.0
RP620: 8/18/2009 10:13:35 AM - System Checkpoint
RP621: 8/18/2009 10:13:35 AM - Software Distribution Service 3.0
RP622: 8/18/2009 10:13:36 AM - Software Distribution Service 3.0
RP623: 8/18/2009 10:13:36 AM - Software Distribution Service 3.0
RP624: 8/18/2009 10:13:37 AM - System Checkpoint
RP625: 8/18/2009 10:13:37 AM - System Checkpoint
RP626: 8/18/2009 10:13:38 AM - System Checkpoint
RP627: 8/18/2009 10:13:38 AM - Software Distribution Service 3.0
RP628: 8/18/2009 10:13:38 AM - System Checkpoint
RP629: 8/18/2009 10:13:38 AM - System Checkpoint
RP630: 8/18/2009 10:13:39 AM - Software Distribution Service 3.0
RP631: 8/18/2009 10:13:39 AM - Software Distribution Service 3.0
RP632: 8/18/2009 10:13:39 AM - Software Distribution Service 3.0
RP633: 8/18/2009 10:13:40 AM - System Checkpoint
RP634: 8/18/2009 10:13:40 AM - System Checkpoint
RP635: 8/18/2009 10:13:40 AM - System Checkpoint
RP636: 8/18/2009 10:13:41 AM - Software Distribution Service 3.0
RP637: 8/18/2009 10:13:41 AM - System Checkpoint
RP638: 8/18/2009 10:13:41 AM - System Checkpoint
RP639: 8/18/2009 10:13:41 AM - Software Distribution Service 3.0
RP640: 8/18/2009 10:13:41 AM - System Checkpoint
RP641: 8/18/2009 10:13:42 AM - System Checkpoint
RP642: 8/18/2009 10:13:42 AM - System Checkpoint
RP643: 8/18/2009 10:13:42 AM - Software Distribution Service 3.0
RP644: 8/18/2009 10:13:42 AM - System Checkpoint
RP645: 8/18/2009 10:13:43 AM - System Checkpoint
RP646: 8/18/2009 10:13:43 AM - Software Distribution Service 3.0
RP647: 8/18/2009 10:13:43 AM - System Checkpoint
RP648: 8/18/2009 10:13:43 AM - System Checkpoint
RP649: 8/18/2009 10:13:44 AM - Software Distribution Service 3.0
RP650: 8/18/2009 10:13:44 AM - System Checkpoint
RP651: 8/18/2009 10:13:44 AM - Software Distribution Service 3.0
RP652: 8/21/2009 1:34:33 PM - Windows Defender Checkpoint
RP653: 8/21/2009 4:58:10 PM - Printer Driver Microsoft XPS Document Writer Installed

==== Installed Programs ======================
11. I ran GMER. It took a while. Here is the outcome:

GMER 1.0.15.15077 [gmer.exe] - http://www.gmer.net
Rootkit scan 2009-08-27 01:45:55
Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.15 ----

INT 0x63 ? 8AEC1BF8
INT 0x73 ? 8AEC1BF8
INT 0x83 ? 8AEC1BF8

Code 897DEF08 ZwEnumerateKey
Code 897AFE80 ZwFlushInstructionCache
Code 8994325E ZwSaveKey
Code 8980DEDE ZwSaveKeyEx
Code 894AD12E IofCallDriver
Code 89E73026 IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCallDriver 804EF1A6 5 Bytes JMP 894AD133
.text ntkrnlpa.exe!IofCompleteRequest 804EF236 5 Bytes JMP 89E7302B
? spui.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload B8CB08AC 5 Bytes JMP 8AC251D8

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[460] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 01121B19 C:\WINDOWS\system32\mssrch.dll (mssrch.lib/Microsoft Corporation)
.text C:\WINDOWS\Explorer.EXE[2628] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00B7000A

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9EA8042] spui.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B9EA813E] spui.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B9EA80C0] spui.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B9EA8800] spui.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B9EA86D6] spui.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8AEC01F8
Device \Driver\USB_RNDIS \Device\{2A28D736-6915-4867-BAF8-20FA45C84550} RNDISMP.SYS (Remote NDIS Miniport/Microsoft Corporation)
Device \Driver\usbohci \Device\USBPDO-0 8AC241F8
Device \Driver\sptd \Device\166299352 spui.sys
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8AEC21F8
Device \Driver\dmio \Device\DmControl\DmConfig 8AEC21F8
Device \Driver\dmio \Device\DmControl\DmPnP 8AEC21F8
Device \Driver\dmio \Device\DmControl\DmInfo 8AEC21F8
Device \Driver\usbehci \Device\USBPDO-1 8AC181F8
Device \Driver\PCI_PNP6852 \Device\00000055 spui.sys
Device \Driver\Ftdisk \Device\HarddiskVolume1 8AE4F1F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8AE4F1F8
Device \Driver\Cdrom \Device\CdRom0 8AC0B1F8
Device \Driver\Cdrom \Device\CdRom1 8AC0B1F8
Device \Driver\Ftdisk \Device\HarddiskVolume3 8AE4F1F8
Device \Driver\Ftdisk \Device\HarddiskVolume4 8AE4F1F8
Device \Driver\USBSTOR \Device\00000080 88A41500
Device \Driver\USBSTOR \Device\00000081 88A41500
Device \Driver\USBSTOR \Device\00000082 88A41500
Device \Driver\NetBT \Device\NetBt_Wins_Export 8A935500
Device \Driver\USBSTOR \Device\00000084 88A41500
Device \Driver\USBSTOR \Device\00000078 88A41500
Device \Driver\NetBT \Device\NetbiosSmb 8A935500
Device \Driver\usbohci \Device\USBFDO-0 8AC241F8
Device \Driver\usbehci \Device\USBFDO-1 8AC181F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8A937500
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8A937500
Device \Driver\Ftdisk \Device\FtControl 8AE4F1F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{2A28D736-6915-4867-BAF8-20FA45C84550} 8A935500
Device \Driver\USBSTOR \Device\0000007e 88A41500
Device \Driver\USBSTOR \Device\0000007f 88A41500
Device \Driver\aru4bnoq \Device\Scsi\aru4bnoq1Port5Path0Target0Lun0 8ABB61F8
Device \Driver\aru4bnoq \Device\Scsi\aru4bnoq1 8ABB61F8
Device \FileSystem\Fastfat \Fat 8AAEC500
Device \FileSystem\Fastfat \Fat AD901297
Device \FileSystem\Cdfs \Cdfs 88B91500
Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\kbiwkmtoggyseb.sys (*** hidden *** ) [SYSTEM] kbiwkmmuvudfbi <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmmuvudfbi
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmmuvudfbi@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmmuvudfbi@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmmuvudfbi@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmmuvudfbi@imagepath \systemroot\system32\drivers\kbiwkmtoggyseb.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmmuvudfbi\main
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmmuvudfbi\main@aid 10002
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmmuvudfbi\main@sid 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmmuvudfbi\main@cmddelay 14400
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmmuvudfbi\main\delete
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmmuvudfbi\main\injector
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmmuvudfbi\main\injector@* kbiwkmwsp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmmuvudfbi\main\tasks
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmmuvudfbi\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmmuvudfbi\modules@kbiwkmrk.sys \systemroot\system32\drivers\kbiwkmtoggyseb.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmmuvudfbi\modules@kbiwkmcmd.dll \systemroot\system32\kbiwkmqrodeagu.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmmuvudfbi\modules@kbiwkmlog.dat \systemroot\system32\kbiwkmvxssqgvo.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmmuvudfbi\modules@kbiwkmwsp.dll \systemroot\system32\kbiwkmohexwxej.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmmuvudfbi\modules@kbiwkm.dat \systemroot\system32\kbiwkmvmyqvxew.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x9B 0x01 0xB4 0x2A ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xC1 0x5D 0xC3 0xCE ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x80 0xC9 0x43 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x0B 0x07 0xA2 0x27 ...
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmmuvudfbi (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmmuvudfbi@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmmuvudfbi@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmmuvudfbi@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmmuvudfbi@imagepath \systemroot\system32\drivers\kbiwkmtoggyseb.sys
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmmuvudfbi\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmmuvudfbi\main@aid 10002
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmmuvudfbi\main@sid 1
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmmuvudfbi\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmmuvudfbi\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmmuvudfbi\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmmuvudfbi\main\injector@* kbiwkmwsp.dll
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmmuvudfbi\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmmuvudfbi\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmmuvudfbi\modules@kbiwkmrk.sys \systemroot\system32\drivers\kbiwkmtoggyseb.sys
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmmuvudfbi\modules@kbiwkmcmd.dll \systemroot\system32\kbiwkmqrodeagu.dll
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmmuvudfbi\modules@kbiwkmlog.dat \systemroot\system32\kbiwkmvxssqgvo.dat
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmmuvudfbi\modules@kbiwkmwsp.dll \systemroot\system32\kbiwkmohexwxej.dll
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmmuvudfbi\modules@kbiwkm.dat \systemroot\system32\kbiwkmvmyqvxew.dat
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x9B 0x01 0xB4 0x2A ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xC1 0x5D 0xC3 0xCE ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x80 0xC9 0x43 0x80 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x0B 0x07 0xA2 0x27 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{40B63A11-24DA-4F1A-F331-AF6562EB360B}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{40B63A11-24DA-4F1A-F331-AF6562EB360B}@oanhccajkkpbaobmmafebgpgoaohne 0x64 0x61 0x6E 0x62 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{40B63A11-24DA-4F1A-F331-AF6562EB360B}@oajhgelahcijbiomgfdpodbkbedeap 0x6B 0x61 0x61 0x63 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{40B63A11-24DA-4F1A-F331-AF6562EB360B}@napgablpacflgkjnjmdlokjfcehn 0x6B 0x61 0x61 0x63 ...

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSS0F459.log 131072 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSS0F45A.log 131072 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSS0F45B.log 131072 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSS0F45C.log 131072 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSS0F45D.log 131072 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSS0F45E.log 131072 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSS0F45F.log 131072 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001001C.ci 0 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001001C.dir 0 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001001C.wid 0 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001001D.ci 73728 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001001D.dir 4096 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001001D.wid 65536 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001001E.ci 4096 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001001E.dir 4096 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001001E.wid 65536 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010002.ci 86016 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010002.wid 65536 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010006.ci 0 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010006.dir 4096 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010006.wid 0 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010007.ci 32768 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010007.dir 4096 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010007.wid 65536 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000A.ci 102400 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000A.dir 4096 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000A.wid 65536 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000B.ci 36864 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000B.dir 4096 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000B.wid 65536 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010020.ci 73728 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010020.dir 4096 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010020.wid 65536 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010023.ci 290816 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010023.dir 4096 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010023.wid 65536 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010025.ci 151552 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010025.dir 4096 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010025.wid 65536 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010026.ci 73728 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010026.dir 4096 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010026.wid 65536 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010027.ci 73728 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010027.dir 4096 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010027.wid 65536 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010029.ci 163840 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010029.dir 4096 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010029.wid 65536 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001002A.ci 131072 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001002A.dir 4096 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001002A.wid 65536 bytes
File C:\WINDOWS\system32\kbiwkmohexwxej.dll 19968 bytes executable
File C:\WINDOWS\system32\kbiwkmqrodeagu.dll 45056 bytes executable
File C:\WINDOWS\system32\kbiwkmvmyqvxew.dat 91 bytes
File C:\WINDOWS\system32\kbiwkmvxssqgvo.dat 56232 bytes
File C:\WINDOWS\system32\drivers\kbiwkmtoggyseb.sys 71168 bytes executable <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----
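Editor's note, added to this post and not part of it or of GMER: the parts of that log a responder reads first are the Services line GMER marks as hidden (kbiwkmmuvudfbi, started at SYSTEM level), the ...\Services\kbiwkmmuvudfbi\modules values that name the rootkit's other component files, the main\injector value that names a DLL to load into processes, the JMP patches on IofCallDriver and IofCompleteRequest in the kernel, and the Files section that confirms those components exist on disk. The script below is an added example that pulls exactly those facts out of a GMER log and cross-checks them. It assumes the column layout seen in the post (record type, then whitespace-separated fields; registry keys without spaces), and its sample input is a constructed excerpt of the log above, trimmed to the records that matter.

```python
"""Triage a GMER log: hidden service, its registered module files, its injector
entry, kernel hooks, and whether the registered modules are actually on disk."""
import json
import ntpath
import os
import re

# Constructed excerpt of the GMER log in the post above (columns separated by whitespace).
SAMPLE_GMER_LOG = r"""
GMER 1.0.15.15077 [gmer.exe] - http://www.gmer.net
---- Kernel code sections - GMER 1.0.15 ----
.text  ntkrnlpa.exe!IofCallDriver  804EF1A6 5 Bytes  JMP 894AD133
.text  ntkrnlpa.exe!IofCompleteRequest  804EF236 5 Bytes  JMP 89E7302B
---- Services - GMER 1.0.15 ----
Service  C:\WINDOWS\system32\drivers\kbiwkmtoggyseb.sys (*** hidden *** )  [SYSTEM] kbiwkmmuvudfbi  <-- ROOTKIT !!!
---- Registry - GMER 1.0.15 ----
Reg  HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmmuvudfbi@imagepath  \systemroot\system32\drivers\kbiwkmtoggyseb.sys
Reg  HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmmuvudfbi\main\injector@*  kbiwkmwsp.dll
Reg  HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmmuvudfbi\modules@kbiwkmrk.sys  \systemroot\system32\drivers\kbiwkmtoggyseb.sys
Reg  HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmmuvudfbi\modules@kbiwkmcmd.dll  \systemroot\system32\kbiwkmqrodeagu.dll
Reg  HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmmuvudfbi\modules@kbiwkmlog.dat  \systemroot\system32\kbiwkmvxssqgvo.dat
Reg  HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmmuvudfbi\modules@kbiwkmwsp.dll  \systemroot\system32\kbiwkmohexwxej.dll
Reg  HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmmuvudfbi\modules@kbiwkm.dat  \systemroot\system32\kbiwkmvmyqvxew.dat
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0  C:\Program Files\DAEMON Tools Lite\
---- Files - GMER 1.0.15 ----
File  C:\WINDOWS\system32\kbiwkmohexwxej.dll  19968 bytes executable
File  C:\WINDOWS\system32\kbiwkmqrodeagu.dll  45056 bytes executable
File  C:\WINDOWS\system32\kbiwkmvmyqvxew.dat  91 bytes
File  C:\WINDOWS\system32\kbiwkmvxssqgvo.dat  56232 bytes
File  C:\WINDOWS\system32\drivers\kbiwkmtoggyseb.sys  71168 bytes executable  <-- ROOTKIT !!!
---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER [\d.]+ ----$")
HOOK_RE = re.compile(r"^\.text\s+(?P<symbol>\S+)\s+[0-9A-Fa-f]+\s+\d+ Bytes\s+(?P<patch>.+?)\s*$")
SERVICE_RE = re.compile(r"^Service\s+(?P<image>.+?)\s+\(\*\*\* hidden \*\*\*\s*\)\s+"
                        r"\[(?P<start>\w+)\]\s+(?P<name>\S+)(?P<flag>\s+<-- ROOTKIT !!!)?\s*$")
# Assumes registry keys contain no spaces (true for the Services keys that matter here).
REG_RE = re.compile(r"^Reg\s+(?P<key>[^@\s]+)(?:@(?P<value>\S+))?(?:\s+(?P<data>.*?))?\s*$")
FILE_RE = re.compile(r"^File\s+(?P<path>.+?)\s+(?P<size>\d+) bytes(?P<exe>\s+executable)?"
                     r"(?P<flag>\s+<-- ROOTKIT !!!)?\s*$")


def parse_gmer(text):
    """Walk the log section by section, keeping only the record types triage needs."""
    parsed = {"hooks": [], "services": [], "registry": [], "files": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m["name"]
            continue
        if section == "Kernel code sections" and (m := HOOK_RE.match(line)):
            parsed["hooks"].append({"symbol": m["symbol"], "patch": m["patch"]})
        elif section == "Services" and (m := SERVICE_RE.match(line)):
            parsed["services"].append({"image": m["image"], "start": m["start"],
                                       "name": m["name"], "rootkit": bool(m["flag"])})
        elif section == "Registry" and (m := REG_RE.match(line)):
            parsed["registry"].append({"key": m["key"], "value": m["value"],
                                       "data": (m["data"] or "").strip()})
        elif section == "Files" and (m := FILE_RE.match(line)):
            parsed["files"].append({"path": m["path"], "size": int(m["size"]),
                                    "rootkit": bool(m["flag"])})
    return parsed


def values_under(parsed, service, subkey):
    """Values GMER listed under ...\\Services\\<service>\\<subkey>, as {name: data}."""
    suffix = ("\\Services\\%s\\%s" % (service, subkey)).lower()
    return {r["value"]: r["data"] for r in parsed["registry"]
            if r["value"] is not None and r["key"].lower().endswith(suffix)}


def triage(text):
    """Cross-check each hidden service against its registered modules and the Files section."""
    parsed = parse_gmer(text)
    on_disk = {ntpath.basename(f["path"]).lower() for f in parsed["files"]}
    report = {"hooks": parsed["hooks"],
              "rootkit_files": sorted(f["path"] for f in parsed["files"] if f["rootkit"]),
              "hidden_services": []}
    for svc in parsed["services"]:
        modules = values_under(parsed, svc["name"], "modules")
        names = sorted(ntpath.basename(p).lower() for p in modules.values())
        report["hidden_services"].append({
            "name": svc["name"], "image": svc["image"], "start": svc["start"],
            "modules": modules,
            "injector": values_under(parsed, svc["name"], "main\\injector"),
            "modules_on_disk": [n for n in names if n in on_disk],
            "modules_missing": [n for n in names if n not in on_disk],
            # The dropper gave the service and every component one random prefix.
            "shared_prefix": os.path.commonprefix([svc["name"].lower()] + names),
        })
    return report


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_GMER_LOG), indent=2))
```

On the log above this reports one hidden service whose five registered modules are all present on disk under the shared prefix kbiwkm, plus the two kernel JMP patches; modules_missing would be the list to watch after a cleanup attempt, since a component GMER can no longer see on disk but that is still referenced from the registry is the usual sign of a partial removal.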
12. I've attached a camera pic of the BSoD that I got after deleting and re-downloading (from your link). The short version is: something attempted to write to read-only memory. Make sure new hard/software is properly installed and updated. I'm not savvy enough to fully understand what BIOS caching or shadowing has to do with this problem. I will run GMER.
13. When I attempt to run ComboFix I still get the Blue Screen of Death every time. I uninstalled, re-downloaded and re-installed HijackThis and it ran for the first time. I will post the log of that also. MBAM says the system is now clean, but it is still running much slower than before the infection. I just want to make sure that everything is clean before I go on my merry way.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:38:32 AM, on 8/26/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
D:\Program Files\eTrust\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Windows Defender\MSASCui.exe
D:\Program Files\eTrust\caissdt.exe
D:\Program Files\eTrust\eTrust EZ Antivirus\CAVTray.exe
D:\Program Files\eTrust\eTrust EZ Antivirus\CAVRID.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\stsystra.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.angelfire.com/wa3/potterhouse/uberpage.mht
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [CaISSDT] "D:\Program Files\eTrust\caissdt.exe"
O4 - HKLM\..\Run: [CaAvTray] "D:\Program Files\eTrust\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "D:\Program Files\eTrust\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {64D01C7F-810D-446E-A07E-456746835644} (AtlBoxWordCtlAttrib Class) - http://uk.games.myspace.com/gameshell/game...n/abcisland.cab
O16 - DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} (GoBit Games Player) - http://www.shockwave.com/content/burgersho...esPlayer_v5.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shock...ash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/bejeweled...ploader_v10.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - D:\Program Files\eTrust\eTrust EZ Antivirus\VetMsg.exe

--
End of file - 9523 bytes
14. Just to see what would happen I reinstalled and ran MBAM. It RAN!!! Found 40 infected items. It says I need to restart, but I wanted to post the log first:

Malwarebytes' Anti-Malware 1.40
Database version: 2700
Windows 5.1.2600 Service Pack 3

8/26/2009 10:19:40 AM
mbam-log-2009-08-26 (10-19-40).txt

Scan type: Quick Scan
Objects scanned: 110465
Time elapsed: 5 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 37

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_ANTIPPRO2009_100 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\IEToolbar\Bullseye Tool Bar (Adware.BullseyeToolbar) -> Quarantined and deleted successfully.
C:\Program Files\runit (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\dxis.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\qtowjid.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\tqbckpxd.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\veyakmpb.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\wgkorh.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kbiwkmqrodeagu.dll (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\vdut.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tapi.nfo (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tajf83ikdmf.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Potter House\Local Settings\Temporary Internet Files\Content.IE5\6VJRVWYP\unkbo[1].htm (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Potter House\Local Settings\Temporary Internet Files\Content.IE5\6VJRVWYP\20090817043818[1].exe (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Potter House\Local Settings\Temporary Internet Files\Content.IE5\7IZXRAHZ\hvfjj[1].htm (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Potter House\Local Settings\Temporary Internet Files\Content.IE5\7IZXRAHZ\zftxxb[1].htm (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Potter House\Local Settings\Temporary Internet Files\Content.IE5\DWEK1AS2\fvoogxxl[1].txt (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Potter House\Local Settings\Temporary Internet Files\Content.IE5\DWEK1AS2\jtdhyccuu[1].htm (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\ukms35315.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\dnavt3507.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\iqpb8002.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Program Files\IEToolbar\Bullseye Tool Bar\basis.xml (Adware.BullseyeToolbar) -> Quarantined and deleted successfully.
C:\Program Files\IEToolbar\Bullseye Tool Bar\date2.html (Adware.BullseyeToolbar) -> Quarantined and deleted successfully.
C:\Program Files\IEToolbar\Bullseye Tool Bar\icons.bmp (Adware.BullseyeToolbar) -> Quarantined and deleted successfully.
C:\Program Files\IEToolbar\Bullseye Tool Bar\info.txt (Adware.BullseyeToolbar) -> Quarantined and deleted successfully.
C:\Program Files\IEToolbar\Bullseye Tool Bar\lw.crc (Adware.BullseyeToolbar) -> Quarantined and deleted successfully.
C:\Program Files\IEToolbar\Bullseye Tool Bar\lw.dll (Adware.BullseyeToolbar) -> Quarantined and deleted successfully.
C:\Program Files\IEToolbar\Bullseye Tool Bar\lwpopper.html (Adware.BullseyeToolbar) -> Quarantined and deleted successfully.
C:\Program Files\IEToolbar\Bullseye Tool Bar\popper3.html (Adware.BullseyeToolbar) -> Quarantined and deleted successfully.
C:\Program Files\IEToolbar\Bullseye Tool Bar\popup1.html (Adware.BullseyeToolbar) -> Quarantined and deleted successfully.
C:\Program Files\IEToolbar\Bullseye Tool Bar\popup2.html (Adware.BullseyeToolbar) -> Quarantined and deleted successfully.
C:\Program Files\IEToolbar\Bullseye Tool Bar\tbhelper.dll (Adware.BullseyeToolbar) -> Quarantined and deleted successfully.
C:\Program Files\IEToolbar\Bullseye Tool Bar\uninstall.exe (Adware.BullseyeToolbar) -> Quarantined and deleted successfully.
C:\Program Files\IEToolbar\Bullseye Tool Bar\version.txt (Adware.BullseyeToolbar) -> Quarantined and deleted successfully.
C:\Program Files\IEToolbar\Bullseye Tool Bar\your_logo.png (Adware.BullseyeToolbar) -> Quarantined and deleted successfully.
C:\Program Files\runit\config.txt (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\runit\runitu_32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Potter House\Start Menu\Programs\Startup\runit_32.lnk (Rogue.Link) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACiemygmnbyd.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\UACmxbywcbwsa.sys (Trojan.Agent) -> Quarantined and deleted successfully.
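Editor's note, added to this post and not part of it or of Malwarebytes: the one line in that log that is not "Quarantined and deleted successfully" is the Rootkit.TDSS entry for C:\WINDOWS\system32\kbiwkmqrodeagu.dll, which MBAM could only schedule as "Delete on reboot" because the file was in use or protected when the scan ran. The GMER log posted the following night still lists that same file on disk, so the deferred delete did not happen. The script below is an added example that summarises an MBAM log by threat family, checks that the declared counts match the lines actually pasted (a cheap way to catch a truncated forum copy), and reports which deferred deletions survived, given a later file listing. The log format is assumed from the post above; the sample log is a constructed, trimmed copy of it with the count block adjusted to the lines kept, and LATER_FILE_LISTING is the set of kbiwkm* paths from the GMER post in this thread.

```python
"""Summarise a Malwarebytes (MBAM) log and check whether items it could only
schedule for "Delete on reboot" were still present in a later file listing."""
import json
import re
from collections import Counter

# Constructed, trimmed copy of the MBAM log in the post above; the count block
# was adjusted to match the lines kept so the consistency check passes.
SAMPLE_MBAM_LOG = r"""
Malwarebytes' Anti-Malware 1.40
Database version: 2700
Windows 5.1.2600 Service Pack 3

8/26/2009 10:19:40 AM
mbam-log-2009-08-26 (10-19-40).txt

Scan type: Quick Scan
Objects scanned: 110465

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_ANTIPPRO2009_100 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\IEToolbar\Bullseye Tool Bar (Adware.BullseyeToolbar) -> Quarantined and deleted successfully.
C:\Program Files\runit (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\dxis.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kbiwkmqrodeagu.dll (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\tajf83ikdmf.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACiemygmnbyd.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\UACmxbywcbwsa.sys (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# Files GMER still listed on disk on 2009-08-27, copied from the GMER post in this thread.
LATER_FILE_LISTING = [
    r"C:\WINDOWS\system32\kbiwkmohexwxej.dll",
    r"C:\WINDOWS\system32\kbiwkmqrodeagu.dll",
    r"C:\WINDOWS\system32\kbiwkmvmyqvxew.dat",
    r"C:\WINDOWS\system32\kbiwkmvxssqgvo.dat",
    r"C:\WINDOWS\system32\drivers\kbiwkmtoggyseb.sys",
]

HEADER_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):\s*(?P<count>\d+)?$")
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam(text):
    """Return the declared per-section counts and every detection line with its section."""
    declared, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("(No malicious items"):
            continue
        h = HEADER_RE.match(line)
        if h:
            if h["count"] is not None:          # summary block at the top
                declared[h["section"]] = int(h["count"])
            else:                               # start of a detail section
                section = h["section"]
            continue
        m = ITEM_RE.match(line)
        if section and m:
            detections.append({"section": section, "item": m["item"],
                               "family": m["family"], "action": m["action"]})
    return {"declared": declared, "detections": detections}


def by_family(parsed):
    """Detections per threat family, to see how many distinct payloads landed."""
    return dict(Counter(d["family"] for d in parsed["detections"]))


def count_mismatches(parsed):
    """Sections whose declared count differs from the lines present: a truncated paste."""
    seen = Counter(d["section"] for d in parsed["detections"])
    return {s: (n, seen[s]) for s, n in parsed["declared"].items() if n != seen[s]}


def pending_reboot(parsed):
    """Items MBAM could not remove live (locked or protected) and deferred to the next boot."""
    return [d for d in parsed["detections"] if d["action"].lower().startswith("delete on reboot")]


def survivors(parsed, later_listing):
    """Deferred items whose path still appears in a later listing: the deferred delete failed."""
    later = {p.lower() for p in later_listing}
    return [d["item"] for d in pending_reboot(parsed) if d["item"].lower() in later]


if __name__ == "__main__":
    parsed = parse_mbam(SAMPLE_MBAM_LOG)
    print(json.dumps({"by_family": by_family(parsed),
                      "count_mismatches": count_mismatches(parsed),
                      "survivors": survivors(parsed, LATER_FILE_LISTING)}, indent=2))
```

With the real 37-entry log the same functions work unchanged; the only thing to adjust for a pasted log is count_mismatches, which tells you before any analysis whether the forum copy is complete.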
  15. When I run ComboFix it shows me the "this may take 10 minutes" screen and then BSoD.
  16. Avenger log:

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "aqtv986q" found!
Start Type: 3 (Manual)

Rootkit scan completed.

File move operation "C:\Documents and Settings\All Users\eventlog.dll|C:\WINDOWS\system32\eventlog.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.
  17. I tried restarting and downloading ComboFix again. Named it LilBunnyCF.exe. Ran for a while ... maybe 2-3 minutes. No error screens this time. It just vanished. Tried a second time ... maybe 20 seconds, then vanished. Just to see what would happen I deleted it, restarted and downloaded again. This time named it MiddleFingerCF.exe. That time it might have been the same 20 seconds, but may have been less. I don't see any reports/logs on my desktop or C:. Hope this new info means something to you. I appreciate your help.
  18. I didn't delete the old log, but assuming that it wrote over it, here is the new one.

Log file is located at: C:\Documents and Settings\Potter House\Desktop\Win32kDiag.txt

Removing all found mount points.
Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\$hf_mig$\KB904706\KB904706
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB904706\KB904706

Found mount point : C:\WINDOWS\$hf_mig$\KB912945\KB912945
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB912945\KB912945

Found mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Found mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496

Found mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784

Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Found mount point : C:\WINDOWS\$hf_mig$\KB938127\KB938127
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB938127\KB938127

Found mount point : C:\WINDOWS\$hf_mig$\KB941568\KB941568
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB941568\KB941568

Found mount point : C:\WINDOWS\$hf_mig$\KB942615\KB942615
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB942615\KB942615

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Found mount point : C:\WINDOWS\$hf_mig$\KB944338\KB944338
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB944338\KB944338

Found mount point : C:\WINDOWS\$hf_mig$\KB947864\KB947864
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB947864\KB947864

Cannot access: C:\WINDOWS\system32\dumprep.exe
Attempting to restore permissions of : C:\WINDOWS\system32\dumprep.exe

[1] 2004-08-10 04:00:00 10752 C:\WINDOWS\$NtServicePackUninstall$\dumprep.exe (Microsoft Corporation)
[1] 2008-04-13 17:12:18 10752 C:\WINDOWS\ServicePackFiles\i386\dumprep.exe (Microsoft Corporation)
[1] 2008-04-13 17:12:18 10752 C:\WINDOWS\system32\dumprep.exe (Microsoft Corporation)
[1] 2004-08-10 04:00:00 10752 C:\i386\dumprep.exe (Microsoft Corporation)

Cannot access: C:\WINDOWS\system32\eventlog.dll
Attempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-10 04:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 17:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 17:11:53 62464 C:\WINDOWS\system32\eventlog.dll ()
[2] 2008-04-13 17:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)
[1] 2004-08-10 04:00:00 55808 C:\i386\eventlog.dll (Microsoft Corporation)

Finished!
  19. Here is the Win32kDiag report:

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\$hf_mig$\KB904706\KB904706
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB912945\KB912945
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB938127\KB938127
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB941568\KB941568
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB942615\KB942615
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB944338\KB944338
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB947864\KB947864
Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\dumprep.exe

[1] 2004-08-10 04:00:00 10752 C:\WINDOWS\$NtServicePackUninstall$\dumprep.exe (Microsoft Corporation)
[1] 2008-04-13 17:12:18 10752 C:\WINDOWS\ServicePackFiles\i386\dumprep.exe (Microsoft Corporation)
[1] 2008-04-13 17:12:18 10752 C:\WINDOWS\system32\dumprep.exe ()
[1] 2004-08-10 04:00:00 10752 C:\i386\dumprep.exe (Microsoft Corporation)

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-10 04:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 17:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 17:11:53 62464 C:\WINDOWS\system32\eventlog.dll ()
[2] 2008-04-13 17:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)
[1] 2004-08-10 04:00:00 55808 C:\i386\eventlog.dll (Microsoft Corporation)

Finished!
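The two Win32kDiag reports in posts 18 and 19 carry the two findings a helper reads first: directories under C:\WINDOWS\$hf_mig$ that have been turned into reparse points targeting a bare device object rather than a \??\Volume{GUID}\ path, and a system32 file (eventlog.dll) whose live copy is larger than the ServicePackFiles reference and carries no vendor string. The script below is an added example, written for this page and not part of the original thread, of Malwarebytes, or of the Win32kDiag tool. It assumes only the line formats visible in the posted output ("Found mount point :", "Mount point destination :", "Cannot access:", and the "[n] date time size path (vendor)" copy lines); the embedded input is a constructed excerpt of the post 19 report trimmed to two of the twelve mount points, and the volume-GUID rule for legitimate mount points is the one assumption not taken from the page.

```python
"""Triage helper for Win32kDiag-style output.

Added example, not part of the thread or of the Win32kDiag tool. It reads
the two record types seen in the posted reports:
  "Found mount point : <dir>" / "Mount point destination : <target>"
  "Cannot access: <file>" followed by "[n] <date> <time> <size> <path> (<vendor>)"
and returns the entries a helper would want to look at first.
"""
import re
from collections import defaultdict

# Constructed test input: an excerpt of the report posted in the thread,
# trimmed to two of the twelve mount points.
SAMPLE_REPORT = r"""WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...
Found mount point : C:\WINDOWS\$hf_mig$\KB904706\KB904706
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB912945\KB912945
Mount point destination : \Device\__max++>\^
Cannot access: C:\WINDOWS\system32\dumprep.exe
[1] 2004-08-10 04:00:00 10752 C:\WINDOWS\$NtServicePackUninstall$\dumprep.exe (Microsoft Corporation)
[1] 2008-04-13 17:12:18 10752 C:\WINDOWS\ServicePackFiles\i386\dumprep.exe (Microsoft Corporation)
[1] 2008-04-13 17:12:18 10752 C:\WINDOWS\system32\dumprep.exe ()
[1] 2004-08-10 04:00:00 10752 C:\i386\dumprep.exe (Microsoft Corporation)
Cannot access: C:\WINDOWS\system32\eventlog.dll
[1] 2004-08-10 04:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 17:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 17:11:53 62464 C:\WINDOWS\system32\eventlog.dll ()
[2] 2008-04-13 17:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)
[1] 2004-08-10 04:00:00 55808 C:\i386\eventlog.dll (Microsoft Corporation)
Finished!
"""

MOUNT_RE = re.compile(r"^Found mount point : (.+)$")
DEST_RE = re.compile(r"^Mount point destination : (.+)$")
CANNOT_RE = re.compile(r"^Cannot access: (.+)$")
COPY_RE = re.compile(r"^\[(\d+)\] (\S+ \S+) (\d+) (.+?) \((.*)\)$")
# Assumption: a legitimate NTFS mount point resolves to a volume GUID path;
# any other target (here a bare device object) is flagged.
VOLUME_DEST_RE = re.compile(r"^\\\?\?\\Volume\{[0-9a-fA-F-]+\}\\?$")


def parse_report(text):
    """Return ([(mount_dir, destination), ...], {blocked_file: [copy, ...]})."""
    mounts, files = [], defaultdict(list)
    pending_mount = current_file = None
    for raw in text.splitlines():
        line = raw.strip()
        m = MOUNT_RE.match(line)
        if m:
            pending_mount = m.group(1)
            continue
        m = DEST_RE.match(line)
        if m and pending_mount:
            mounts.append((pending_mount, m.group(1)))
            pending_mount = None
            continue
        m = CANNOT_RE.match(line)
        if m:
            current_file = m.group(1)
            continue
        m = COPY_RE.match(line)
        if m and current_file:
            files[current_file].append({
                "stamp": m.group(2), "size": int(m.group(3)),
                "path": m.group(4), "vendor": m.group(5),
            })
    return mounts, dict(files)


def suspicious_mounts(mounts):
    """Reparse points whose target is not a \\??\\Volume{GUID}\\ path."""
    return [(d, t) for d, t in mounts if not VOLUME_DEST_RE.match(t)]


def suspicious_files(files):
    """Blocked files whose live copy has no vendor string or differs in
    size from the ServicePackFiles reference copy, with the reasons."""
    findings = []
    for path, copies in files.items():
        live = [c for c in copies if c["path"].lower() == path.lower()]
        ref = [c for c in copies if "\\servicepackfiles\\" in c["path"].lower()]
        if not live:
            continue
        reasons = []
        if not live[0]["vendor"]:
            reasons.append("live copy has no vendor string")
        if ref and ref[0]["size"] != live[0]["size"]:
            reasons.append("size %d differs from ServicePackFiles copy (%d)"
                           % (live[0]["size"], ref[0]["size"]))
        if reasons:
            findings.append((path, reasons))
    return findings


if __name__ == "__main__":
    mounts, files = parse_report(SAMPLE_REPORT)
    for d, t in suspicious_mounts(mounts):
        print("mount point %s -> %s" % (d, t))
    for path, reasons in suspicious_files(files):
        print("%s: %s" % (path, "; ".join(reasons)))
```

On the excerpt this flags both reparse points and both blocked files, with eventlog.dll getting two reasons (empty vendor string and 62464 bytes against the 56320-byte reference); the size check is the useful one, because a vendor string alone can be absent when the file is merely unreadable, as post 18 shows for dumprep.exe after permissions were reset.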
  20. I get a 404 error when trying to get ComboFix from the "here" link. Not sure if that is my machine or a typo on the post (or whatever). I will try using the second program.
  21. Sorry for being impatient. I re-installed MBAM and ran it. Like before, it ran for about 2 seconds and then vanished. No log to post other than the old one from the 19th. When I attempted to run ComboFix it gave me an application error (0xc0000142). I took a screenshot of the first one. Right after that there was another one that looked just like it, but before I could get a screenshot the Blue Screen of Death did a memory dump and reset my computer for me. I tried ComboFix again, thinking that maybe it was the screenshot that caused the problem, but it only ran for a few seconds more before BSoD. I briefly read the bit about it taking 10 minutes (or double) that time. There is no C:\ComboFix.txt file. I doubt the screenshot will be useful, so I will post the old log that I have from a few days ago. Back then I was just getting my browser hijacked.

Malwarebytes' Anti-Malware 1.40
Database version: 2657
Windows 5.1.2600 Service Pack 3

8/19/2009 10:34:47 AM
mbam-log-2009-08-19 (10-34-47).txt

Scan type: Quick Scan
Objects scanned: 102311
Time elapsed: 4 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\dddesot.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{76dc0b63-1533-4ba9-8be8-d59eb676fa02} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{76dc0b63-1533-4ba9-8be8-d59eb676fa02} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{76dc0b63-1533-4ba9-8be8-d59eb676fa02} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Windows antiVirus pro (Rogue.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\dddesot.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\net.net (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Potter House\Local Settings\Temp\UAC557.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Potter House\Local Settings\Temp\mwexacorsn.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Potter House\Local Settings\Temp\nemxowrcsa.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bincd32.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\h@tkeysh@@k.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\onhelp.htm (Rogue.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sonhelp.htm (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACvthalkmivd.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\UACafmuvijnsv.sys (Trojan.Agent) -> Quarantined and deleted successfully.
  22. Okay, 2 days ago I made a similar post and I haven't gotten any response. Here's the scoop. I run the MBAM or HiJackThis installer and it installs. I run the program, it runs for about 2 secs, then it disappears. No warnings, no errors, no pop-ups, just ... gone. No longer running. I try to run it again and it says "you may no longer have access to this item." Run the installer again. Same thing. Runs 2 secs, gone, no access. It's killing me. Well, at least that was 2 days ago. Now HiJackThis won't even install anymore. I can't get any programs to give me logs. But I found one from a few days ago. It is obviously no longer accurate, but I will post it because it is the best I can do. Please help.

Malwarebytes' Anti-Malware 1.40
Database version: 2657
Windows 5.1.2600 Service Pack 3

8/19/2009 10:34:47 AM
mbam-log-2009-08-19 (10-34-47).txt

Scan type: Quick Scan
Objects scanned: 102311
Time elapsed: 4 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\dddesot.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{76dc0b63-1533-4ba9-8be8-d59eb676fa02} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{76dc0b63-1533-4ba9-8be8-d59eb676fa02} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{76dc0b63-1533-4ba9-8be8-d59eb676fa02} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Windows antiVirus pro (Rogue.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\dddesot.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\net.net (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Potter House\Local Settings\Temp\UAC557.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Potter House\Local Settings\Temp\mwexacorsn.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Potter House\Local Settings\Temp\nemxowrcsa.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bincd32.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\h@tkeysh@@k.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\onhelp.htm (Rogue.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sonhelp.htm (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACvthalkmivd.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\UACafmuvijnsv.sys (Trojan.Agent) -> Quarantined and deleted successfully.
  23. Like many other people here, after installing (or re-installing) MBAM, it will run for a few seconds and then disappear. If I attempt to run it again, it says I don't have permission. I have attempted to run it in safe mode hoping to duplicate the success of others, but I have not been successful. I have no idea what this infection is, but it has disabled everything that I have attempted to install to get rid of it (Ad-Aware, HiJackThis, Spybot, etc.). My virus protection seems to be working still (eTrust EZ Antivirus), but I don't have much faith in its protective abilities since this infection slipped in under its nose. I am at a total loss as to what to do at this point. Any help is greatly appreciated.
  24. It seems that I have this same issue/virus/program. Where should I start to try to resolve this same issue?