
bittramp

Everything posted by bittramp

  1. First I'd like to express my thanks to the Malwarebytes team that has diligently helped me out of more than one problem. Second, I'd like to apologize if this post is out of place, as I wasn't quite sure which forum my question belonged in, or if there is an appropriate forum. Third, I was wondering how these malware programs can be loaded onto a system through a browser. Is this being injected somehow through JavaScript or some other script? Is there some way to use, say, a Firefox addon to detect these attempts to insert programs? Is this some kind of buffer overflow injection? I am curious about this because I am a programmer and had been interested at one time in writing a browser. I am just wondering how all this happens automagically by visiting a URL. Again, I apologize for the questions. Perhaps there is a more fitting place to discuss such matters, or maybe this information would be considered trade secrets for Malwarebytes and cannot be discussed. Either way, I appreciate you entertaining this inquiry. Thanks, BBB
  2. Here is the output from ESET: [ESET Online Scanner log] And here is SecurityCheck.exe's output: [screen317's Security Check log] The system seems to be back to normal. I'll have to use it a bit and see. Thanks, BBB
  3. So am I clean? Do I need to do any more scans?
  4. Hi, here is the output from ComboFix: [ComboFix log] And here is the log from DDS: [DDS log] I have also zipped and attached attach.txt per DDS instructions. Thanks, BBB
  5. Thanks for your patience. Here is the output of the MWB quick scan: [Malwarebytes' Anti-Malware quick scan log] I told it to remove these items and in hindsight realized that you did not ask me to do that. I apologize if I have created more hassle. Here is the output from DDS: [DDS log]
c:\docume~1\bbburg~1\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1267308214765 DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1267308438171 DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll . ================= FIREFOX =================== . 
FF - ProfilePath - c:\documents and settings\bbburgess\application data\mozilla\firefox\profiles\hf5pyjkm.default\ FF - prefs.js: network.proxy.type - 0 FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll FF - plugin: c:\documents and settings\bbburgess\application data\facebook\npfbplugin_1_0_3.dll FF - plugin: c:\program files\common files\motive\npMotive.dll FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll . ============= SERVICES / DRIVERS =============== . R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-6-24 307928] R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-6-24 19544] R2 avast! Antivirus;avast! 
Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-24 40384] S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-5-26 441176] S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384] S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-10 136176] S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2009-12-18 11336] S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-4-10 136176] S3 MADFUMOBILEPRE;Service for M-Audio MobilePre DFU;c:\windows\system32\drivers\MAudioMobilePre_DFU.sys [2010-11-27 42248] S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232] S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504] . =============== Created Last 30 ================ . 
2011-05-26 23:12:06 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys 2011-05-19 20:27:59 -------- d--h--w- c:\program files\InstallJammer Registry 2011-05-19 20:27:37 -------- d-----w- c:\program files\Physion 2011-05-18 01:05:28 -------- d-----w- c:\documents and settings\bbburgess\application data\PCF-VLC 2011-05-18 01:01:26 -------- d-----w- c:\program files\Search Toolbar 2011-05-18 01:01:24 -------- d-----w- c:\program files\GetMiro Toolbar 2011-05-18 01:01:23 -------- d-----w- c:\documents and settings\bbburgess\application data\Participatory Culture Foundation 2011-05-18 01:00:36 -------- d-----w- c:\program files\Participatory Culture Foundation 2011-05-17 23:35:57 159744 ----a-r- c:\documents and settings\bbburgess\application data\microsoft\installer\{d0ce053e-0e5e-4c12-9bae-d0f36021e911}\PVEngine.ProgramMe_D0CE053E0E5E4C129BAED0F36021E911.exe 2011-05-17 23:35:57 159744 ----a-r- c:\documents and settings\bbburgess\application data\microsoft\installer\{d0ce053e-0e5e-4c12-9bae-d0f36021e911}\NewShortcut2_D0CE053E0E5E4C129BAED0F36021E911.exe 2011-05-17 23:35:44 -------- d-----w- c:\program files\POV-Ray for Windows v3.62 2011-05-06 02:07:00 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll 2011-05-06 02:07:00 1874904 ----a-w- c:\program files\mozilla firefox\mozjs.dll 2011-05-06 02:06:59 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll 2011-05-06 02:06:59 465880 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll 2011-05-06 02:06:59 1892184 ----a-w- c:\program files\mozilla firefox\d3dx9_42.dll 2011-05-06 02:06:59 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll 2011-05-06 02:06:59 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll 2011-05-06 02:06:58 1974616 ----a-w- c:\program files\mozilla firefox\D3DCompiler_42.dll . ==================== Find3M ==================== . 
2011-05-10 12:10:59 40112 ----a-w- c:\windows\avastSS.scr 2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll 2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll 2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys . ============= FINISH: 18:13:10.95 =============== **************** I have attached the attach.txt which I archived per the instructions also. Thanks again for your help, BBB attach.zip
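The Hijack.StartMenuInternet entries in the scan above show abc.exe registered as the launcher for Firefox and Internet Explorer, with the real browser handed to it as an argument. The following is an added example, not code from the post or from Malwarebytes: it judges a StartMenuInternet command value by checking which executable is launched first, using the Bad/Good values from the log as constructed input; the live registry reader assumes the HKLM\SOFTWARE\Clients\StartMenuInternet\<browser>\shell\<verb>\command layout and only runs on Windows.

```python
"""Detect a browser-launcher hijack under HKLM\\SOFTWARE\\Clients\\StartMenuInternet.

Added example (not from the forum post). A clean (default) value launches the
registered browser directly; a hijacked one launches some other executable
first and passes the browser as an argument, as abc.exe does in the MBAM log.
"""
import re
import sys
from dataclasses import dataclass

# StartMenuInternet subkey name -> executable that should be launched first.
KNOWN_BROWSERS = {
    "FIREFOX.EXE": "firefox.exe",
    "IEXPLORE.EXE": "iexplore.exe",
}

# Tokenizer for a Windows command line: quoted paths (may contain spaces) or bare words.
_TOKEN_RE = re.compile(r'"([^"]+)"|(\S+)')

# Constructed sample input: the "Bad:" values copied from the MBAM log in the post.
SAMPLE_COMMANDS = {
    ("FIREFOX.EXE", "open"):
        r'"C:\Documents and Settings\bbburgess\Local Settings\Application Data\abc.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe"',
    ("FIREFOX.EXE", "safemode"):
        r'"C:\Documents and Settings\bbburgess\Local Settings\Application Data\abc.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode',
    ("IEXPLORE.EXE", "open"):
        r'"C:\Documents and Settings\bbburgess\Local Settings\Application Data\abc.exe" -a "iexplore.exe"',
}
# The "Good:" values MBAM proposed for the same keys (constructed from the log).
CLEAN_COMMANDS = {
    ("FIREFOX.EXE", "open"): "firefox.exe",
    ("FIREFOX.EXE", "safemode"): "firefox.exe -safe-mode",
    ("IEXPLORE.EXE", "open"): "iexplore.exe",
}


@dataclass
class Verdict:
    subkey: str
    verb: str
    hijacked: bool
    launcher: str        # executable actually launched first
    expected: str        # browser the key is registered for
    wrapped_target: str  # the real browser found among the arguments, if any


def split_command(cmd: str) -> list[str]:
    """Split a command line into tokens, stripping the quotes around quoted paths."""
    return [quoted or bare for quoted, bare in _TOKEN_RE.findall(cmd)]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (also tolerates forward slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def judge_command(subkey: str, verb: str, command: str) -> Verdict:
    """Hijacked if the first executable is not the browser the subkey is registered for."""
    tokens = split_command(command)
    expected = KNOWN_BROWSERS.get(subkey.upper(), subkey.lower())
    launcher = basename(tokens[0]) if tokens else ""
    wrapped = next((basename(t) for t in tokens[1:] if basename(t) == expected), "")
    return Verdict(subkey, verb, launcher != expected, launcher, expected, wrapped)


def scan_commands(commands: dict[tuple[str, str], str]) -> list[Verdict]:
    return [judge_command(sk, verb, cmd) for (sk, verb), cmd in commands.items()]


def read_live_commands() -> dict[tuple[str, str], str]:
    """Read the real (default) values on a Windows host; returns {} elsewhere."""
    if sys.platform != "win32":
        return {}
    import winreg  # Windows-only standard-library module
    found = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\Clients\StartMenuInternet") as base:
        index = 0
        while True:
            try:
                subkey = winreg.EnumKey(base, index)
            except OSError:
                break  # no more registered browsers
            index += 1
            for verb in ("open", "safemode"):
                try:
                    with winreg.OpenKey(base, rf"{subkey}\shell\{verb}\command") as key:
                        found[(subkey, verb)] = winreg.QueryValueEx(key, "")[0]
                except OSError:
                    continue  # verb not registered for this browser
    return found


if __name__ == "__main__":
    # On Windows this inspects the real keys; elsewhere it falls back to the log sample.
    for v in scan_commands(read_live_commands() or SAMPLE_COMMANDS):
        state = "HIJACKED" if v.hijacked else "ok"
        print(f"{v.subkey}\\shell\\{v.verb}: {state} (launches {v.launcher}, expected {v.expected})")
```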
  6. Have I posted in the wrong thread? Just let me know.
  7. I have started a newer, more concise post regarding this matter with the same thread topic name.
  8. Hello, I have recently been infected by the XP Internet Security 2011 virus, for lack of a better name. I have attached output from DDS and GMER. I could not get mbam to execute at all, and my system is now in a state where double-clicking on an .exe file asks me what program I want to use to open it. Can you help me with this? Thanks. BBB dds.txt attach.zip
  9. Hello, I read a bit further about GMER and am attaching a zip with attach.txt and ark.txt in it. Thanks, BBB attach.zip
  10. Hello, I saw another post by someone that seemed to be having a similar problem starting malware. They were advised to report the finding of dds. So I ran that and have attached the two files of output. dds.txt attach.zip
  11. Greetings, I too have fallen under the "XP Internet Security 2011" spell as of yesterday. Seems several people did. Perhaps it was tied to the rapture? Anyway, I went out and was going to follow the instructions but I could not get step one working. mbam setup would not run on the infected computer. I wasn't sure if I needed to just skip that step or not. Can you help me out? What should I try next? Start with the DeFogger step? Any help is appreciated. Thanks, BBB
  12. Greetings, The only noticeable difference now is the icons on my desktop. The titles for the icons all have a gray background, as though they were selected, but not that blue. I attached a screen shot. It's not really a problem, but I am just not sure if it points to another problem as my background was "hijacked" before. I'm not sure if this is some active desktop bs or what. My other most noticeable problem was finding my computer rebooted every day and a message that it had been updated. I won't know if that still exists until tomorrow. I'll let you know. Yeah, I know my desktop is a little cluttered, but that's how I roll. Thanks again, BBB
  13. Here is the result from securitycheck.exe

Results of screen317's Security Check version 0.98.9
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
WMIC entry does not exist for antivirus; attempting automatic update.
``````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Java 6 Update 11
Java 6 Update 2
Java 6 Update 4
Java 6 Update 7
Java SE Development Kit 6 Update 11
Java DB 10.4.1.3
Out of date Java installed!
Adobe Flash Player 10
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Out of date Adobe Reader installed!
``````````````````````````````
Process Check:
objlist.exe by Laurent
``````````````````````````````
DNS Vulnerability Check:
GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````
  14. I ran F-Secure online scanner. When I tried to view the results it either presented them in the app window where I couldn't copy/paste or presented a webpage. I have attached the web page results from the scan as it was too large to post. It is fsecure.zip. I have also attached attach.zip which is one of the output logs from dds. When it finished running, there were two notepads open, neither was minimized. But the app alert said to zip attach.txt and post DDS.txt. So that's why I'm doing this. Thanks again for your help. I will do the security check now. Here is DDS.txt

DDS (Ver_09-07-30.01) - NTFSx86
Run by bbburgess at 14:25:56.45 on Sat 09/05/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_11

fsecure.zip Attach.zip
  15. Hello again, I tried running hijackthis and could not. I uninstalled and downloaded again but with the same results. I get "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item" while trying to run C:\Program Files\Trend Micro\HijackThis\HijackThis.exe I do not see anything out of the ordinary with the file attributes. It does have a plain Windows icon when I view that directory with the Windows Explorer window. But other than that it looks like a 387K application file. Can you suggest something? Thanks, BBB
  16. Here is the log from ComboFix. I will look to find a link to get a "fresh" copy of hijackthis and post its output.

ComboFix 09-09-03.02 - bbburgess 09/04/2009 15:51.1.2 - NTFSx86
Running from: c:\documents and settings\bbburgess\Desktop\ComboFix.exe
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792] "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312] "nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-09-17 1657376] "SbUsb AudCtrl"="sbusbdll.dll" - c:\windows\system32\sbusbdll.dll [2003-08-06 68608] "Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304] c:\documents and settings\bburgess\Start Menu\Programs\Startup\ AdSubtract.lnk - c:\program files\interMute\AdSubtract\AdSub.exe [2005-4-25 790528] c:\documents and settings\bbburgess\Start Menu\Programs\Startup\ OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 384000] c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\ HP OfficeJet Series 700 Startup.lnk - c:\program files\Hewlett-Packard\HP OfficeJet Series 700\Bin\HPOstr05.exe [2009-4-22 1175552] Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-3-6 67128] Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-12-5 805392] [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0] Source= c:\windows\system32\onhelp.htm FriendlyName= tets [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn] 2008-05-02 08:42 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup] @="" [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"= 
"c:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"= "c:\\WINDOWS\\system32\\dpvsetup.exe"= "c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"= "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"= "c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Gold\\Civilization4.exe"= "c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Gold\\Warlords\\Civ4Warlords.exe"= "c:\\Program Files\\RealVNC\\VNC4\\vncviewer.exe"= "c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"= "c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"= "c:\\Program Files\\DNA\\btdna.exe"= "c:\\Program Files\\BitTorrent\\bittorrent.exe"= "c:\\Program Files\\Curse\\CurseClient.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\Java\\jre1.6.0_04\\bin\\java.exe"= "c:\\WINDOWS\\system32\\java.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\World of Warcraft\\Launcher.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009 "5900:TCP"= 5900:TCP:RealVNC "3724:TCP"= 3724:TCP:Blizzard Downloader: 3724 R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-08-02 32512] R3 PciCon;PciCon;E:\PciCon.sys [x] R3 sbusb;Sound Blaster USB Audio Driver;c:\windows\system32\DRIVERS\sbusb.sys [2003-09-15 892160] R3 SUSCOM;Susteen Serial port driver;c:\windows\system32\DRIVERS\SUSCOM.SYS [2002-10-22 40448] S2 MrHealthyService;MrHealthy;c:\program files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe [2009-01-29 578920] S2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2008-05-01 3032360] S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652] S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\DRIVERS\wacmoumonitor.sys [2008-03-17 
15144] [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}] "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP . Contents of the 'Scheduled Tasks' folder 2009-09-01 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34] 2009-09-04 c:\windows\Tasks\Google Software Updater.job - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-08-11 11:42] 2009-09-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-823518204-1770027372-725345543-1003Core.job - c:\documents and settings\bbburgess\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-08 00:12] 2009-09-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-823518204-1770027372-725345543-1003UA.job - c:\documents and settings\bbburgess\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-08 00:12] 2009-09-03 c:\windows\Tasks\Norton PC Checkup Weekday Scanner.job - c:\program files\Norton PC Checkup\PC_Checkup.exe [2009-01-29 22:10] 2009-08-30 c:\windows\Tasks\Norton PC Checkup Weekend Scanner.job - c:\program files\Norton PC Checkup\PC_Checkup.exe [2009-01-29 22:10] . - - - - ORPHANS REMOVED - - - - HKCU-Run-Search Protection - c:\program files\Yahoo!\Search Protection\SearchProtection.exe HKCU-RunOnce-Shockwave Updater - c:\windows\system32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1103470 -Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8 HKLM-Run-Gamevance - c:\program files\Gamevance\gamevance32.exe HKLM-Run-SigmatelSysTrayApp - sttray.exe . ------- Supplementary Scan ------- . 
uStart Page = hxxp://www.yahoo.com/ mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html uInternet Settings,ProxyOverride = *.local uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com LSP: bmnet.dll Trusted Zone: aol.com\free Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll FF - ProfilePath - c:\documents and settings\bbburgess\Application Data\Mozilla\Firefox\Profiles\qm9j483q.default\ FF - plugin: c:\documents and settings\bbburgess\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ ---- FIREFOX POLICIES ---- FF - user.js: general.useragent.extra.zencast - Creative ZENcast v2.00.14);user_pref(yahoo.homepage.dontask, true. ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-09-04 16:16 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_USERS\S-1-5-21-823518204-1770027372-725345543-1003\Software\SecuROM\!CAUTION! 
NEVER A OR CHANGE ANY KEY*] "??"=hex:cb,3c,81,bd,02,a3,be,c8,e3,7a,b7,45,06,58,26,40,ab,6e,06,83,3f,e9,b0, a5,ae,1b,3c,60,43,d6,17,6d,ff,7e,0e,cd,f3,36,56,c0,e8,f8,50,9f,3a,65,64,57,\ "??"=hex:cf,55,c7,95,2b,14,4d,f8,66,7b,0c,1b,19,52,fe,22 [HKEY_USERS\S-1-5-21-823518204-1770027372-725345543-1003\Software\SecuROM\License information*] "datasecu"=hex:fe,3e,35,30,8d,f3,ff,31,9d,a5,e2,54,60,ca,4c,1e,79,f8,24,c3,3d, 7c,2e,bb,cc,ab,ad,27,ae,46,9d,ac,c2,f8,f9,c6,a9,71,aa,9a,4b,75,ab,cc,da,ab,\ "rkeysecu"=hex:e2,26,6d,94,9c,ba,ad,1d,64,79,70,1b,d8,19,de,23 . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(784) c:\program files\common files\logitech\bluetooth\LBTWlgn.dll c:\program files\common files\logitech\bluetooth\LBTServ.dll - - - - - - - > 'lsass.exe'(840) c:\windows\system32\bmnet.dll - - - - - - - > 'explorer.exe'(3004) c:\windows\system32\WININET.dll c:\program files\Logitech\SetPoint\lgscroll.dll c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll c:\windows\system32\ieframe.dll c:\windows\system32\mshtml.dll c:\windows\system32\msls31.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\bmnet.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . 
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe c:\windows\system32\bmwebcfg.exe c:\program files\Bonjour\mDNSResponder.exe c:\windows\system32\CTSVCCDA.EXE c:\program files\Java\jre6\bin\jqs.exe c:\program files\Common Files\Motive\McciCMService.exe c:\program files\CDBurnerXP\NMSAccessU.exe c:\windows\system32\nvsvc32.exe c:\program files\RealVNC\VNC4\winvnc4.exe c:\windows\system32\MsPMSPSv.exe c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe c:\windows\system32\wbem\unsecapp.exe c:\windows\system32\WTablet\Pen_TabletUser.exe c:\windows\system32\wscntfy.exe c:\windows\system32\rundll32.exe c:\windows\system32\rundll32.exe c:\program files\OpenOffice.org 3\program\soffice.exe c:\program files\OpenOffice.org 3\program\soffice.bin c:\program files\iPod\bin\iPodService.exe c:\program files\Hewlett-Packard\HP OfficeJet Series 700\Bin\hpovdx05.exe c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exe c:\program files\Logitech\SetPoint\LU\LULnchr.exe c:\program files\Logitech\SetPoint\LU\LogitechUpdate.exe c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe c:\program files\Java\jre6\bin\jucheck.exe . ************************************************************************** . Completion time: 2009-09-04 16:26 - machine was rebooted ComboFix-quarantined-files.txt 2009-09-04 21:26 Pre-Run: 32,976,195,584 bytes free Post-Run: 36,330,057,728 bytes free 322 --- E O F --- 2009-09-04 08:01
  17. Hello, here is the output.

Thanks again
  18. I was able to run GMER as instructed with the following output in the Rootkit/Malware tab after scanning. Thanks again for the help.
Data\Google\Chrome\Application\chrome.exe[3304] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28] .text C:\Documents and Settings\bbburgess\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3304] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 16, 00] .text C:\Documents and Settings\bbburgess\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3304] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2] .text C:\Documents and Settings\bbburgess\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3304] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 16, 00] .text C:\Documents and Settings\bbburgess\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3304] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2] .text C:\Documents and Settings\bbburgess\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3304] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 16, 00] .text C:\Documents and Settings\bbburgess\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3304] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2] .text C:\Documents and Settings\bbburgess\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3304] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90EC1A .text C:\Documents and Settings\bbburgess\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3304] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2] .text C:\Documents and Settings\bbburgess\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3304] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 16, 00] .text C:\Documents and Settings\bbburgess\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3304] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2] .text C:\Documents and Settings\bbburgess\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3304] ntdll.dll!NtOpenThread + 6 
7C90D664 4 Bytes [68, 01, 16, 00] .text C:\Documents and Settings\bbburgess\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3304] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2] .text C:\Documents and Settings\bbburgess\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3304] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 16, 00] .text C:\Documents and Settings\bbburgess\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3304] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2] .text C:\Documents and Settings\bbburgess\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3304] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90EC8B .text C:\Documents and Settings\bbburgess\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3304] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2] .text C:\Documents and Settings\bbburgess\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3304] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 16, 00] .text C:\Documents and Settings\bbburgess\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3304] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2] .text C:\Documents and Settings\bbburgess\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3304] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90EDB9 .text C:\Documents and Settings\bbburgess\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3304] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2] .text C:\Documents and Settings\bbburgess\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3304] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 16, 00] .text C:\Documents and Settings\bbburgess\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3304] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2] .text 
C:\Documents and Settings\bbburgess\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3304] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 16, 00] .text C:\Documents and Settings\bbburgess\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3304] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2] .text C:\Documents and Settings\bbburgess\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3304] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68] .text C:\Documents and Settings\bbburgess\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3304] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 16, 00] .text C:\Documents and Settings\bbburgess\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3304] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2] ---- User IAT/EAT - GMER 1.0.15 ---- IAT C:\WINDOWS\system32\services.exe[812] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00380002 IAT C:\WINDOWS\system32\services.exe[812] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00380000 IAT C:\WINDOWS\Explorer.exe[2632] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672AAE] \\?\globalroot\Device\__max++>\C46BE666.x86.dll IAT C:\WINDOWS\Explorer.exe[2632] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A38] \\?\globalroot\Device\__max++>\C46BE666.x86.dll IAT C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3212] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672AAE] \\?\globalroot\Device\__max++>\C46BE666.x86.dll IAT C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3212] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A38] \\?\globalroot\Device\__max++>\C46BE666.x86.dll IAT C:\Program Files\iTunes\iTunesHelper.exe[3280] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] 
[35672AAE] \\?\globalroot\Device\__max++>\C46BE666.x86.dll IAT C:\Program Files\iTunes\iTunesHelper.exe[3280] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A38] \\?\globalroot\Device\__max++>\C46BE666.x86.dll ---- Devices - GMER 1.0.15 ---- AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software) AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software) AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software) AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software) AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software) ---- Processes - GMER 1.0.15 ---- Library \\?\globalroot\Device\__max++>\C46BE666.x86.dll (*** hidden *** ) @ C:\Program Files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe [176] 0x35670000 Library \\?\globalroot\Device\__max++>\C46BE666.x86.dll (*** hidden *** ) @ C:\Program Files\RealVNC\VNC4\WinVNC4.exe [616] 0x35670000 Library \\?\globalroot\Device\__max++>\C46BE666.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1064] 0x35670000 Library \\?\globalroot\Device\__max++>\C46BE666.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1168] 0x35670000 Library \\?\globalroot\Device\__max++>\C46BE666.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1264] 0x35670000 Library \\?\globalroot\Device\__max++>\C46BE666.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1384] 0x35670000 Library \\?\globalroot\Device\__max++>\C46BE666.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [1648] 0x35670000 Library \\?\globalroot\Device\__max++>\C46BE666.x86.dll (*** hidden *** ) @ C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [1796] 0x35670000 Library \\?\globalroot\Device\__max++>\C46BE666.x86.dll (*** hidden *** ) @ C:\Program 
Files\Bonjour\mDNSResponder.exe [1844] 0x35670000 Library \\?\globalroot\Device\__max++>\C46BE666.x86.dll (*** hidden *** ) @ C:\Program Files\Java\jre6\bin\jqs.exe [1960] 0x35670000 Library \\?\globalroot\Device\__max++>\C46BE666.x86.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.exe [2632] 0x35670000 Library \\?\globalroot\Device\__max++>\C46BE666.x86.dll (*** hidden *** ) @ C:\Documents and Settings\bbburgess\Local Settings\Application Data\Google\Chrome\Application\chrome.exe [2764] 0x35670000 Library \\?\globalroot\Device\__max++>\C46BE666.x86.dll (*** hidden *** ) @ C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [3212] 0x35670000 Library \\?\globalroot\Device\__max++>\C46BE666.x86.dll (*** hidden *** ) @ C:\Program Files\iTunes\iTunesHelper.exe [3280] 0x35670000 Library \\?\globalroot\Device\__max++>\C46BE666.x86.dll (*** hidden *** ) @ C:\Program Files\DNA\btdna.exe [3532] 0x35670000 ---- Files - GMER 1.0.15 ---- ADS C:\System Volume Information\_restore{141BA4B4-54D3-49A9-A2E5-FBFE895E0FE5}\RP765\A0042889.sys:1 8192 bytes executable ADS C:\System Volume Information\_restore{141BA4B4-54D3-49A9-A2E5-FBFE895E0FE5}\RP765\A0042906.sys:1 8192 bytes executable ADS C:\System Volume Information\_restore{141BA4B4-54D3-49A9-A2E5-FBFE895E0FE5}\RP765\A0042916.sys:1 8192 bytes executable ADS C:\System Volume Information\_restore{141BA4B4-54D3-49A9-A2E5-FBFE895E0FE5}\RP765\A0042921.sys:1 8192 bytes executable ADS C:\System Volume Information\_restore{141BA4B4-54D3-49A9-A2E5-FBFE895E0FE5}\RP765\A0042939.sys:1 8192 bytes executable ADS C:\System Volume Information\_restore{141BA4B4-54D3-49A9-A2E5-FBFE895E0FE5}\RP766\A0042972.sys:1 8192 bytes executable ADS C:\System Volume Information\_restore{141BA4B4-54D3-49A9-A2E5-FBFE895E0FE5}\RP766\A0042988.sys:1 8192 bytes executable ADS C:\System Volume Information\_restore{141BA4B4-54D3-49A9-A2E5-FBFE895E0FE5}\RP766\A0043004.sys:1 8192 bytes executable ADS C:\System Volume 
Information\_restore{141BA4B4-54D3-49A9-A2E5-FBFE895E0FE5}\RP766\A0043016.sys:1 8192 bytes executable ADS C:\System Volume Information\_restore{141BA4B4-54D3-49A9-A2E5-FBFE895E0FE5}\RP766\A0043029.sys:1 8192 bytes executable ADS C:\System Volume Information\_restore{141BA4B4-54D3-49A9-A2E5-FBFE895E0FE5}\RP767\A0043061.sys:1 8192 bytes executable ADS C:\System Volume Information\_restore{141BA4B4-54D3-49A9-A2E5-FBFE895E0FE5}\RP770\A0043166.sys:1 8192 bytes executable ADS C:\System Volume Information\_restore{141BA4B4-54D3-49A9-A2E5-FBFE895E0FE5}\RP771\A0043204.sys:1 8192 bytes executable ADS C:\System Volume Information\_restore{141BA4B4-54D3-49A9-A2E5-FBFE895E0FE5}\RP772\A0043239.sys:1 8192 bytes executable ADS C:\System Volume Information\_restore{141BA4B4-54D3-49A9-A2E5-FBFE895E0FE5}\RP773\A0043308.sys:1 8192 bytes executable ADS C:\System Volume Information\_restore{141BA4B4-54D3-49A9-A2E5-FBFE895E0FE5}\RP774\A0043350.sys:1 8192 bytes executable ADS C:\System Volume Information\_restore{141BA4B4-54D3-49A9-A2E5-FBFE895E0FE5}\RP774\A0044350.sys:1 8192 bytes executable ADS C:\System Volume Information\_restore{141BA4B4-54D3-49A9-A2E5-FBFE895E0FE5}\RP775\A0044381.sys:1 8192 bytes executable ADS C:\System Volume Information\_restore{141BA4B4-54D3-49A9-A2E5-FBFE895E0FE5}\RP776\A0044414.sys:1 8192 bytes executable ADS C:\System Volume Information\_restore{141BA4B4-54D3-49A9-A2E5-FBFE895E0FE5}\RP777\A0044457.sys:1 8192 bytes executable ADS C:\System Volume Information\_restore{141BA4B4-54D3-49A9-A2E5-FBFE895E0FE5}\RP778\A0044492.sys:1 8192 bytes executable ADS C:\System Volume Information\_restore{141BA4B4-54D3-49A9-A2E5-FBFE895E0FE5}\RP779\A0044525.sys:1 8192 bytes executable ADS C:\System Volume Information\_restore{141BA4B4-54D3-49A9-A2E5-FBFE895E0FE5}\RP780\A0044561.sys:1 8192 bytes executable ADS C:\System Volume Information\_restore{141BA4B4-54D3-49A9-A2E5-FBFE895E0FE5}\RP781\A0044609.sys:1 8192 bytes executable ADS C:\System Volume 
Information\_restore{141BA4B4-54D3-49A9-A2E5-FBFE895E0FE5}\RP782\A0045014.sys:1 8192 bytes executable ADS C:\System Volume Information\_restore{141BA4B4-54D3-49A9-A2E5-FBFE895E0FE5}\RP783\A0045062.sys:1 8192 bytes executable ADS C:\System Volume Information\_restore{141BA4B4-54D3-49A9-A2E5-FBFE895E0FE5}\RP783\A0045086.sys:1 8192 bytes executable ADS C:\System Volume Information\_restore{141BA4B4-54D3-49A9-A2E5-FBFE895E0FE5}\RP784\A0045133.sys:1 8192 bytes executable ADS C:\System Volume Information\_restore{141BA4B4-54D3-49A9-A2E5-FBFE895E0FE5}\RP785\A0045166.sys:1 8192 bytes executable ADS C:\System Volume Information\_restore{141BA4B4-54D3-49A9-A2E5-FBFE895E0FE5}\RP786\A0045202.sys:1 8192 bytes executable ADS C:\System Volume Information\_restore{141BA4B4-54D3-49A9-A2E5-FBFE895E0FE5}\RP787\A0045240.sys:1 8192 bytes executable ADS C:\System Volume Information\_restore{141BA4B4-54D3-49A9-A2E5-FBFE895E0FE5}\RP788\A0045273.sys:1 8192 bytes executable ADS C:\System Volume Information\_restore{141BA4B4-54D3-49A9-A2E5-FBFE895E0FE5}\RP789\A0045305.sys:1 8192 bytes executable ---- EOF - GMER 1.0.15 ----
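A way to triage a GMER log like the one above, added here as an example that is not part of the original post and not GMER's own code. It parses the `.text`, `IAT`, `Library` and `ADS` lines, separates hooks whose target lives under the anonymous `\\?\globalroot\Device\...` object (the device name the ZeroAccess/Max++ rootkit family uses for its hidden volume) from plain inline byte patches and from CALLs to addresses outside any named module, and cross-checks which hooked processes were also enumerated as hosting the hidden DLL. The byte patches on ntdll `Nt*` entry points inside the chrome.exe child processes are consistent with the interceptions Chrome's own sandbox installs, which is why the example keeps them in their own bucket instead of lumping them with the rootkit's redirects. The sample lines are a subset copied from the log above; the regular expressions and the classification rules are this example's own assumptions about GMER 1.0.15's output, not a documented grammar.

```python
"""Triage helper for GMER 1.0.15 text logs (added example, not GMER's code).

Assumptions not taken from the original post: the line shapes below are
inferred from the posted log, and any hook target under the globalroot
device namespace is treated as pointing into a hidden module.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of lines copied from the log posted above.
SAMPLE_LOG = r"""
.text C:\Program Files\iTunes\iTunesHelper.exe[3280] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672DB0 \\?\globalroot\Device\__max++>\C46BE666.x86.dll
.text C:\Documents and Settings\bbburgess\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3304] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90EC1A
.text C:\Documents and Settings\bbburgess\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3304] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 16, 00]
IAT C:\WINDOWS\Explorer.exe[2632] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672AAE] \\?\globalroot\Device\__max++>\C46BE666.x86.dll
IAT C:\WINDOWS\system32\services.exe[812] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00380002
Library \\?\globalroot\Device\__max++>\C46BE666.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1064] 0x35670000
Library \\?\globalroot\Device\__max++>\C46BE666.x86.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.exe [2632] 0x35670000
ADS C:\System Volume Information\_restore{141BA4B4-54D3-49A9-A2E5-FBFE895E0FE5}\RP765\A0042889.sys:1 8192 bytes executable
"""

# Matches a literal "\\?\globalroot\Device\" prefix in a hook target (assumed marker).
HIDDEN_DEVICE = re.compile(r"\\\\\?\\globalroot\\Device\\", re.IGNORECASE)

# Line shapes inferred from the log; process paths may contain spaces, so the
# path group is non-greedy and terminated by the "[pid]" suffix.
TEXT_RE = re.compile(
    r"^\.text (?P<proc>.+?)\[(?P<pid>\d+)\] (?P<func>\S+) \+ (?P<off>[0-9A-F]+) "
    r"(?P<addr>[0-9A-F]+) (?P<n>\d+) Bytes? (?P<patch>.+)$")
IAT_RE = re.compile(
    r"^IAT (?P<proc>.+?)\[(?P<pid>\d+)\] @ (?P<module>.+?) \[(?P<func>[^\]]+)\] (?P<target>.+)$")
LIB_RE = re.compile(
    r"^Library (?P<lib>.+?) \(\*\*\* hidden \*\*\* \) @ (?P<proc>.+?) \[(?P<pid>\d+)\] (?P<base>0x[0-9A-F]+)$")
ADS_RE = re.compile(r"^ADS (?P<path>.+):(?P<stream>\d+) (?P<size>\d+) bytes (?P<attr>\w+)$")
PATTERNS = (("text", TEXT_RE), ("iat", IAT_RE), ("library", LIB_RE), ("ads", ADS_RE))


def parse_gmer(text):
    """Return one dict per recognised line; section headers and unknown lines are skipped."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        for kind, rx in PATTERNS:
            m = rx.match(line)
            if m:
                records.append({"kind": kind, **m.groupdict()})
                break
    return records


def classify_hook(rec):
    """'hidden'  : target path is under the hidden device object
       'call'    : CALL or IAT redirect to an address GMER could not attribute to a module
       'inline'  : plain byte patch (e.g. the chrome.exe ntdll patches above)"""
    target = rec.get("patch") or rec.get("target") or ""
    if HIDDEN_DEVICE.search(target):
        return "hidden"
    if target.startswith("CALL") or rec["kind"] == "iat":
        return "call"
    return "inline"


def summarize(records):
    summary = {
        "hidden_modules": set(),
        "injected": {},              # pid -> process GMER lists as hosting the hidden module
        "hooks": defaultdict(list),  # class -> [(process, pid, hooked function)]
        "ads_executable": 0,
        "unlisted_hosts": {},        # pid -> process hooked into the hidden module but not in "injected"
    }
    for r in records:
        if r["kind"] == "library":
            summary["hidden_modules"].add(r["lib"])
            summary["injected"][int(r["pid"])] = r["proc"]
        elif r["kind"] in ("text", "iat"):
            summary["hooks"][classify_hook(r)].append((r["proc"], int(r["pid"]), r["func"]))
        elif r["kind"] == "ads" and r["attr"] == "executable":
            summary["ads_executable"] += 1
    # Cross-check: a process whose hooks land in the hidden DLL should also have a Library line.
    for proc, pid, _ in summary["hooks"]["hidden"]:
        if pid not in summary["injected"]:
            summary["unlisted_hosts"][pid] = proc
    return summary


if __name__ == "__main__":
    s = summarize(parse_gmer(SAMPLE_LOG))
    print("hidden modules:", *sorted(s["hidden_modules"]))
    for cls in ("hidden", "call", "inline"):
        print(f"{cls:7s} hooks: {len(s['hooks'][cls])}")
    print("hosts of hidden module:", s["injected"])
    print("hooked but not enumerated as host:", s["unlisted_hosts"])
    print("executable ADS streams:", s["ads_executable"])
```

Run it against the full log by reading the saved GMER text file into `parse_gmer` instead of `SAMPLE_LOG`. The `unlisted_hosts` check matters because GMER's process enumeration and its hook scan are separate passes: a process that shows up only in the hook scan still has the hidden DLL mapped and needs to be included in the cleanup.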
  19. I tried to run RSIT.exe and got an error: "Line -1: Error: Variable used without being declared."
  20. Hello, I downloaded the .pif file and clicked on it. I get the unknown publisher message, I hit 'Run', and nothing happens. I cannot find a process running. It seems to die before it is spawned. Do you have an alternative? Thanks for your time. BBB
  21. Hello. I am currently having a problem running the Malwarebytes Anti-Malware software and HijackThis. I installed the anti-malware software, which then updated and brought up a tabbed application. I checked the update tab and hit update, and it said I was up to date. Then I tried a quick scan, which ran for a few seconds before an abrupt exit. I tried looking for the tdsservice hidden device driver and could not find one by that name. And I downloaded HJTInstall, which ran and gave me an option to scan and save a log. I selected it, and it looked like it was displaying a list of files from my drive for just a couple of seconds before an abrupt exit. No Notepad output. Can you offer any advice? I started these steps because I got a trojan of some kind; I think it was the Windows Anti-Virus Pro variety. It has left me unable to change my background from their screen, I had to run devmgmt.msc in order to get my Device Manager to come up, and every morning my computer has been rebooted and tells me my system was recently updated. I know Windows has (and needs) many update patches, but after the sixth day in a row one cannot help but become suspicious. Thanks for your time.