XP.SP3 GMER found malicious Win32:MBRoot



XP.SP3-Home desktop PC. While using Chrome, the initial issues appeared during a download (unexpected bundled product, seems to be Babylon toolbar). Impacted Chrome, where initially the icon changed. While attempting to 'fix', each effort seemed to spawn additional problems.

At first I only noticed browser redirects to the Babylon search. Then things got worse.

Ran Avast and MB. PC hung up/stalled, then logged me out and required a "User" login. I do not have a Guest account set up, so it appeared the malware was intercepting my privileges and password. It also forced an Admin password to access the secure wireless network.

After running the above, the PC seemed to retract more & more Admin privileges from me. Sys32 or Temp files "not accessible", etc.

When I run GMER in normal mode, the full scan runs. But when I click Save, the computer reboots. Running GMER again in safe mode (not complete as of this post).

I have MB, OT, DDS, aswMBR outputs. If you prefer another scan type, please advise and I will post here.

My 2nd device, Win7 laptop, is in SafeMode as it seems to have inherited this issue through the wireless network. As I need the laptop to access internet, let's fix the XP first.

Thanks in advance for your expert guidance here.

070512|Midnight:

Updating ticket w DDS details. Of note, I tried GMER in Safe Mode; it ran to completion but when I hit Copy or Save, the #*$&*$ gave errors indicating insufficient space, no access to blah blah blah.

Although I have backups of data & some programs, I am certain it is incomplete. I hesitate to put the NAS back on the network in case it gets hit with this problem.

Your early assistance is welcomed!! ~chaosmastered

__________________________________________________

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_27

Run by user at 9:51:25 on 2012-07-04

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1099 [GMT -5:00]

.

AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

FW: avast! Antivirus *Disabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Microsoft\BingBar\BBSvc.EXE

C:\Program Files\Microsoft\BingBar\SeaPort.EXE

C:\Program Files\D-Link\SharePort Utility\Spnuhelper.exe

C:\Program Files\FarStone\DriveClone\Client\Efb\FBPAgent.exe

C:\Program Files\FarStone\DriveClone\Client\cbp\DCSchdler.exe

C:\WINDOWS\system32\svchost.exe -k hpdevmgmt

C:\WINDOWS\system32\svchost.exe -k HPService

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\System32\svchost.exe -k HPZ12

c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\SonicWALL\SonicWALL Global VPN Client\SWGVCSvc.exe

C:\Program Files\FarStone\DriveClone\Client\DCNTranProc.exe

C:\Program Files\iTivity\bin\rfbd.exe

C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe

C:\WINDOWS\system32\vmnat.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\WINDOWS\system32\vmnetdhcp.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Business-in-a-Box\BIBLauncher.exe

C:\Program Files\Windows Media Player\WMPNSCFG.exe

C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Program Files\ePad995\ePad995.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\PrintKey2000\Printkey2000.exe

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\Program Files\D-Link\SharePort Utility\Connect.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe

C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe

C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\WINDOWS\system32\taskmgr.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://todoist.com/app?v=6#start

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: {20C1A7F0-528E-444F-BAC5-5804A61CCA7F} - No File

BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - No File

BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\alwil software\avast5\aswWebRepIE.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No File

BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll"

BHO: {D5233FCD-D258-4903-89B8-FB1568E7413D} - No File

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll

TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"

TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\alwil software\avast5\aswWebRepIE.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File

uRun: [QuickenBillminder] c:\program files\quicken\Billmind.exe -startup

uRun: [Google Update] "c:\documents and settings\user\local settings\application data\google\update\GoogleUpdate.exe" /c

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

uRun: [bIBLauncher] c:\program files\business-in-a-box\BIBLauncher.exe

uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe

uRun: [GoogleChromeAutoLaunch_CC3BFD97C321DE64D73DD83160F90AC3] "c:\documents and settings\user\local settings\application data\google\chrome\application\chrome.exe" --no-startup-window

mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"

mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet

mRun: [NVMixerTray] "c:\program files\nvidia corporation\nvmixer\NVMixerTray.exe"

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart

mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"

mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [<NO NAME>]

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

StartupFolder: c:\docume~1\user\startm~1\programs\startup\sharep~1.lnk - c:\program files\d-link\shareport utility\Connect.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\epad995.lnk - c:\program files\epad995\ePad995.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\printk~1.lnk - c:\program files\printkey2000\Printkey2000.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL

IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

Trusted Zone: chartlinks.com\portal

DPF: {03A89EFD-E023-8600-A22D-45F77558EB4C} - hxxp://content.ilinc.com/clientdownload/download/ilinci86.dll

DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab

DPF: {315B0BFB-2BD4-481B-80A3-A9B80727C61B}

DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab

DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab

DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab

DPF: {6EEFD7B1-B26C-440D-B55A-1EC677189F30} - hxxps://portal.chartlinks.com/NELX.cab

DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} - hxxp://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab

DPF: {8BBDC81D-81B3-49EE-87E8-47B7A707FAE8} - hxxps://www1.gotomeeting.com/default/applets/g2mdlax.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {E001C731-5E37-4538-A5CB-8168736A2360} - hxxp://quickscan.bitdefender.com/cab/ActiveQscan.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{2E0B085B-3882-415B-81E2-F908D4FC844F} : DhcpNameServer = 192.168.1.1

Notify: PCANotify - PCANotify.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

Hosts: 127.0.0.1 www.spywareinfo.com

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\user\application data\mozilla\firefox\profiles\q721body.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - plugin: c:\documents and settings\user\application data\mozilla\plugins\npoff.dll

FF - plugin: c:\documents and settings\user\application data\mozilla\plugins\npwbe.dll

FF - plugin: c:\documents and settings\user\local settings\application data\google\update\1.3.21.111\npGoogleUpdate3.dll

FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll

FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\microsoft silverlight\4.1.10329.0\npctrlui.dll

FF - plugin: c:\program files\microsoft\office live\npOLW.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_262.dll

.

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true);user_pref(yahoo.ytff.general.dontshowhpoffer, true);user_pref(network.protocol-handler.warn-external.dnupdate, false

============= SERVICES / DRIVERS ===============

.

R0 dcsnap;dcsnap;c:\windows\system32\drivers\dcsnap.sys [2011-9-16 86168]

R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-4-24 721000]

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-3-4 353688]

R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2010-3-29 98392]

R1 SWIPsec;SonicWALL IPsec Driver;c:\windows\system32\drivers\SWIPsec.sys [2012-1-5 87064]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-3-4 21256]

R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-4 44808]

R2 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-10-21 196176]

R2 BBUpdate;BBUpdate;c:\program files\microsoft\bingbar\SeaPort.EXE [2011-10-13 249648]

R2 D-Link SharePort Helper;D-Link SharePort Helper;c:\program files\d-link\shareport utility\Spnuhelper.exe [2011-9-16 40960]

R2 FBAgent;File Backup Agent;c:\program files\farstone\driveclone\client\efb\FBPAgent.exe [2011-9-16 86016]

R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2010-10-28 54760]

R2 SWGVCSvc;SonicWALL Global VPN Client Service;c:\program files\sonicwall\sonicwall global vpn client\SWGVCSvc.exe [2009-3-6 227352]

R2 sxuptp;SXUPTP Driver;c:\windows\system32\drivers\sxuptp.sys [2011-9-16 246920]

R2 Tran_Process_Proc;DCNTranProc;c:\program files\farstone\driveclone\client\DCNTranProc.exe [2009-11-26 77824]

R2 tridiavnc;Tridia Screen Server;c:\program files\itivity\bin\rfbd.exe [2008-9-3 434176]

R3 AR9271;Wireless Network Adapter Service;c:\windows\system32\drivers\athuw.sys [2012-4-24 1714176]

R3 SSLDrv;SSL-VPN NetExtender Adapter;c:\windows\system32\drivers\SSLDrv.sys [2008-2-4 20504]

S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]

S1 DCDisk;DCDisk; [x]

S1 efbDisk;efbDisk; [x]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 DCScheduler;DCScheduler;c:\program files\farstone\driveclone\client\cbp\DCSchdlerSRVC.exe [2011-9-16 104976]

S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-5 250056]

S3 FARMNTIO;FARMNTIO;c:\windows\system32\drivers\FarMntIo.sys [2011-9-16 13184]

S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-4-28 704872]

S3 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files\logmein hamachi\hamachi-2.exe [2011-8-15 1361288]

S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\lavasoft\ad-aware\kernexplorer.sys --> c:\program files\lavasoft\ad-aware\KernExplorer.sys [?]

S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-6-27 129976]

S3 MSSQL$ACT7;SQL Server (ACT7);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2010-12-10 29293408]

S3 NitroDriverReadSpool;NitroPDFDriverCreatorReadSpool;c:\program files\nitro pdf\professional\NitroPDFDriverService.exe [2009-12-16 188736]

S3 nlsX86cc;NLS Service;c:\windows\system32\NLSSRV32.EXE [2009-12-16 65856]

S3 SWVNIC;SonicWALL Virtual Miniport;c:\windows\system32\drivers\SWVNIC.sys [2009-3-4 21016]

S3 TridiaFTPServer;TridiaFTP Server;c:\program files\itivity\bin\ftpd.exe [2008-9-3 536640]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-4 14336]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2008-7-10 47128]

S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [2008-7-10 242712]

S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2008-7-10 369688]

.

=============== File Associations ===============

.

.txt=UltraEdit.txt

.

=============== Created Last 30 ================

.

2012-06-28 04:02:25 -------- d-----w- c:\documents and settings\user\local settings\application data\Microsoft_Corporation

2012-06-27 21:09:18 359744 ----a-w- c:\documents and settings\all users\application data\microsoft\vstahost\ssis_scriptcomponent\9.0\1033\ResourceCache.dll

2012-06-27 21:09:00 359744 ----a-w- c:\documents and settings\all users\application data\microsoft\vstahost\ssis_scripttask\9.0\1033\ResourceCache.dll

2012-06-27 16:04:55 -------- d-----w- c:\program files\Mozilla Maintenance Service

2012-06-27 16:04:49 157352 ----a-w- c:\program files\mozilla firefox\maintenanceservice_installer.exe

2012-06-27 16:04:49 129976 ----a-w- c:\program files\mozilla firefox\maintenanceservice.exe

2012-06-13 22:57:03 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll

2012-06-06 23:13:41 -------- d-----w- c:\documents and settings\all users\application data\VS

.

==================== Find3M ====================

.

2012-06-28 12:52:37 721000 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2012-06-28 12:52:20 41224 ----a-w- c:\windows\avastSS.scr

2012-06-27 18:59:51 59 ----a-w- c:\windows\wpd99.drv

2012-06-25 12:55:20 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-06-25 12:55:16 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-06-02 20:19:44 22040 ----a-w- c:\windows\system32\wucltui.dll.mui

2012-06-02 20:19:38 219160 ----a-w- c:\windows\system32\wuaucpl.cpl

2012-06-02 20:19:38 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui

2012-06-02 20:19:34 15384 ----a-w- c:\windows\system32\wuapi.dll.mui

2012-06-02 20:19:30 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui

2012-06-02 20:18:58 275696 ----a-w- c:\windows\system32\mucltui.dll

2012-06-02 20:18:58 214256 ----a-w- c:\windows\system32\muweb.dll

2012-06-02 20:18:58 17136 ----a-w- c:\windows\system32\mucltui.dll.mui

2012-05-31 13:22:09 599040 ----a-w- c:\windows\system32\crypt32.dll

2012-05-16 15:08:26 916992 ----a-w- c:\windows\system32\wininet.dll

2012-05-15 13:20:33 1863168 ----a-w- c:\windows\system32\win32k.sys

2012-05-11 14:42:33 43520 ----a-w- c:\windows\system32\licmgr10.dll

2012-05-11 14:42:33 1469440 ------w- c:\windows\system32\inetcpl.cpl

2012-05-11 11:38:02 385024 ----a-w- c:\windows\system32\html.iec

2012-05-04 13:12:30 2192640 ------w- c:\windows\system32\ntoskrnl.exe

2012-05-04 12:32:19 2069120 ------w- c:\windows\system32\ntkrnlpa.exe

2012-05-02 13:46:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2012-04-19 01:56:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx

2012-04-19 01:56:30 69632 ----a-w- c:\windows\system32\QuickTime.qts

2007-06-28 20:40:59 33272460 -c--a-w- c:\program files\pcAnywhere_12_1_MarketingTrialware.exe

.

============= FINISH: 9:53:14.06 ===============

attach_070412V.zip


If you are using a router it might be the cause of the infection.

Logs will be closed if you haven't replied within 3 days

Please don't attach the scans / logs for these tools, use "copy/paste".

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your PC inoperable and could require a full reinstall of your OS, losing all your programs and data.

Please run a new MBAM scan being sure to update before scanning.

Post the scan results

Also please describe how your computer behaves at the moment.

Please don't attach the scans / logs, use "copy/paste".


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
