
Unknown infection apparently mass-mailing from my email.



Hello. I noticed a virus on my computer about a week ago and have taken numerous steps to remove it. I have found other viruses in my search, but not the one causing all the trouble. I know that it has hijacked an instance of svchost.exe on my computer, and it has prevented me from saving the logs created by the GMER Rootkit Scanner: the first scan I attempted restarted my computer abruptly; the next froze when several processes on my computer began utilizing 100% of my CPU capacity; the last time I tried, the scan completed, but I was unable to save the file as, once again, a combination of svchost.exe, wuauclt.exe, FrameworkService.exe, winlogon.exe or lsass.exe used 100% of my CPU. I am at my wits' end, and my ISP is threatening to terminate my internet service. I could really use some help. Below I have the logs of the programs I was able to use.

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4174

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

6/7/2010 6:26:10 AM

mbam-log-2010-06-07 (06-26-10).txt

Scan type: Quick scan

Objects scanned: 129561

Time elapsed: 4 minute(s), 16 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

DDS (Ver_10-03-17.01) - NTFSx86

Run by Paul at 8:25:02.35 on Mon 06/07/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.752 [GMT -4:00]

AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe

C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe

C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\McAfee\Common Framework\UdaterUI.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\system32\LVCOMSX.EXE

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\McAfee\Common Framework\McTray.exe

C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe

svchost.exe

C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\LogMeIn Hamachi\hamachi-2.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\McAfee\Common Framework\FrameworkService.exe

C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\taskmgr.exe

C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Megaupload\Mega Manager\MegaManager.exe

C:\Documents and Settings\Paul\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = <local>;*.local

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll

BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.2.2.28.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll

BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: IeMonitorBho Class: {bf00e119-21a3-4fd1-b178-3b8537e75c92} - c:\program files\megaupload\mega manager\MegaIEMn.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll

TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - c:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

uRun: [<NO NAME>]

uRun: [skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized

uRun: [LogitechSoftwareUpdate] "c:\program files\logitech\video\ManifestEngine.exe" boot

uRun: [Aim] "c:\program files\aim\aim.exe" /d locale=en-US

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /install

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe

mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimagehome\TimounterMonitor.exe

mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [Alcmtr] ALCMTR.EXE

mRun: [shStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE

mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey

mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe

mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"

mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe

mRun: [Dell Photo AIO Printer 922] "c:\program files\dell photo aio printer 922\dlbtbmgr.exe"

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE

mRun: [LogitechVideoRepair] c:\program files\logitech\video\ISStart.exe

mRun: [LogitechVideoTray] c:\program files\logitech\video\LogiTray.exe

mRun: [LogMeIn Hamachi Ui] "c:\program files\logmein hamachi\hamachi-2-ui.exe" --auto-start

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [sNM] c:\program files\spynomore\SNM.exe /startup

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

StartupFolder: c:\docume~1\paul\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE

IE: &D&ownload &with BitComet

IE: &D&ownload all video with BitComet

IE: &D&ownload all with BitComet

IE: E&xport to Microsoft Excel

IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\program files\bitcomet\tools\BitCometBHO_1.2.2.28.dll/206

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

LSP: %SYSTEMROOT%\system32\nvLsp.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

LSA: Authentication Packages = msv1_0 relog_ap

Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\paul\applic~1\mozilla\firefox\profiles\cehchdwf.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxps://login.erau.edu/sso/jsp/erniesso.jsp?site2pstoretoken=v1.2~112386E8~BBE9CC05C59DC242300101BE945AD929471BD5ED6AC8AD8D72545125C73A11F02D499AC9FC4229824134C5671B5ACBB5A8FF8A4DFCBE1CFCA9DA47347B19163AD78F60784BCB3FB94DAFE1A63679DC6E524726B36B1F45CEB0645FCF203E99C585028D712CB7C6D2633C5ED5D1C205AEE586C618675867319D417C4F1F5EE0351D4633E6D734B6CD0D1C80F97E6FA47A9B0DD8828CDEB5EF0C080D3021E3A354A016D695EE8C58C90669467EB5D03A3A49473B632FD987ACE00A9CCDBACF2906E735BF74DD8681666FA3062C990C3FA1E4CE2A9B2FC4EBAB&p_error_code=&p_submit_url=https%3A%2F%2Flogin.erau.edu%2Fsso%2Fauth&p_cancel_url=https%3A%2F%2Fernie.erau.edu%2Fportal%2Fpls%2Fportal%2FPORTAL.home&ssousername=

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=

FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll

FF - plugin: c:\documents and settings\paul\application data\move networks\plugins\npqmp071701000002.dll

FF - plugin: c:\program files\emusic download manager\plugin\npemusic.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\microsoft\office live\npOLW.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll

FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll

FF - plugin: c:\program files\veoh networks\veohwebplayer\NPVeohTVPlugin.dll

FF - plugin: c:\program files\veoh networks\veohwebplayer\npWebPlayerVideoPluginATL.dll

FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2008-5-22 31816]

R2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\logmein hamachi\hamachi-2.exe [2010-3-30 1107336]

R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2009-1-31 103744]

R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2008-5-22 144704]

R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2008-5-22 54608]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-1-31 24652]

R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2009-1-31 72936]

R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2009-1-31 33960]

R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2009-1-31 174952]

S3 cpuz131;cpuz131;\??\c:\docume~1\paul\locals~1\temp\cpuz131\cpuz_x32.sys --> c:\docume~1\paul\locals~1\temp\cpuz131\cpuz_x32.sys [?]

S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]

=============== Created Last 30 ================

2010-06-07 12:20:48 0 ----a-w- c:\documents and settings\paul\defogger_reenable

2010-06-07 08:04:39 0 d-----w- c:\docume~1\paul\applic~1\Malwarebytes

2010-06-07 08:04:22 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-06-07 08:04:21 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-06-07 08:04:15 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-06-07 08:04:15 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-06 11:10:46 0 d-sh--w- c:\documents and settings\paul\IETldCache

2010-06-06 03:33:31 0 dc-h--w- c:\windows\ie8

2010-06-05 11:50:10 0 d-----w- c:\windows\SxsCaPendDel

2010-06-04 18:41:18 0 d-----w- c:\program files\iPod

2010-06-04 18:41:12 0 d-----w- c:\program files\iTunes

2010-06-04 18:41:12 0 d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

2010-06-04 18:36:40 0 d-----w- c:\program files\Bonjour

2010-06-04 10:18:48 0 d-----w- C:\QUARANTINE

2010-06-04 09:47:39 184 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg

2010-06-04 09:47:34 408 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg

2010-06-04 09:47:08 172032 ---ha-w- C:\SZKGFS.dat

2010-06-04 09:45:49 0 d-----w- c:\program files\common files\iS3

2010-06-04 09:42:00 1152 ----a-w- c:\windows\system32\windrv.sys

2010-06-04 07:19:01 73728 ----a-w- c:\windows\system32\javacpl.cpl

2010-06-04 07:19:01 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-06-03 04:39:39 243 ----a-w- c:\windows\VTMCHAR.INI

2010-06-03 04:39:28 0 d-----w- c:\documents and settings\paul\WINDOWS

2010-05-17 19:25:35 0 d-----w- c:\program files\CDisplay

==================== Find3M ====================

2010-05-05 02:17:40 56532 ---ha-w- c:\windows\system32\mlfcache.dat

2010-04-08 17:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-04-08 17:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe

2009-12-04 15:22:01 16384 --sha-w- c:\windows\temp\cookies\index.dat

2009-12-04 15:22:01 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat

2009-12-04 15:22:01 49152 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 8:26:20.56 ===============

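An added example for readers triaging logs like the ones above; it is not part of the original post, of the DDS tool, or of the forum's cleanup process. The script splits a DDS log on its `=== Section ===` headers and turns a few of the things a helper looks at into review items: image paths DDS could not resolve (the bare `svchost.exe` lines the poster is worried about), executables and service binaries under user-writable directories, `[?]` service entries whose binary DDS could not verify, orphaned `- No File` entries, and `Hosts:` lines that send security sites to loopback. The embedded sample is a constructed excerpt shaped like the first DDS log in this thread; the heuristic names and the directory and hostname lists are the example's own assumptions.

```python
# Added triage helper for DDS-style logs (example code, not part of the DDS tool or this
# thread). Every hit is a review item for a human, not a verdict.
import re

# Constructed excerpt shaped like the DDS log in the first post (not the full log).
SAMPLE_LOG = r"""
DDS (Ver_10-03-17.01) - NTFSx86
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Documents and Settings\Paul\Desktop\dds.scr
============== Pseudo HJT Report ===============
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
Hosts: 127.0.0.1 www.spywareinfo.com
============= SERVICES / DRIVERS ===============
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2008-5-22 144704]
S3 cpuz131;cpuz131;\??\c:\docume~1\paul\locals~1\temp\cpuz131\cpuz_x32.sys --> c:\docume~1\paul\locals~1\temp\cpuz131\cpuz_x32.sys [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
============= FINISH: 8:26:20.56 ===============
"""

SECTION_RE = re.compile(r"^={3,}\s*(.+?)\s*={3,}$")
IMAGE_RE = re.compile(r"^(?P<img>.+?\.(?:exe|scr|com|dll|sys|des))(?:\s.*)?$", re.I)
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)$")
SERVICE_RE = re.compile(r"^[RS]\d\s+[^;]+;[^;]*;(?P<rest>.*)$")   # 'R2 name;display;binary [...]'
# Directory fragments (long and 8.3 forms) that a non-admin user can write to on XP (assumed list).
USER_WRITABLE = ("\\documents and settings\\", "\\docume~1\\", "\\temp\\", "\\desktop\\",
                 "\\application data\\", "\\applic~1\\", "\\local settings\\", "\\locals~1\\")
# Hostnames that hosts-file hijacks commonly point at loopback to block updates and help sites.
SECURITY_SITE_HINTS = ("spywareinfo", "malwarebytes", "bleepingcomputer", "mcafee",
                       "symantec", "kaspersky", "windowsupdate", "microsoft")

def parse_sections(text):
    """Return {section_name: [non-empty lines]} keyed by the '=== Name ===' headers."""
    sections, current = {"PREAMBLE": []}, "PREAMBLE"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        else:
            sections[current].append(line)
    return sections

def image_of(entry):
    """Image path of a Running Processes line; arguments follow the extension or a ' -' switch."""
    m = IMAGE_RE.match(entry)
    return m.group("img") if m else entry.partition(" -")[0]

def review_processes(lines):
    items = []
    for entry in lines:
        img = image_of(entry)
        if "\\" not in img:
            # DDS prints a bare name when it could not read the process path; confirm with 'tasklist /svc'.
            items.append(("UNRESOLVED_PATH", entry, "image path not resolved by DDS"))
        elif any(frag in img.lower() for frag in USER_WRITABLE):
            items.append(("USER_WRITABLE_PATH", entry, "executable running from a user-writable directory"))
    return items

def review_hjt(lines):
    items = []
    for entry in lines:
        if entry.endswith("- No File"):
            items.append(("ORPHAN_ENTRY", entry, "registry entry points at a missing file"))
            continue
        m = HOSTS_RE.match(entry)
        if m and m.group(1) in ("127.0.0.1", "0.0.0.0") and \
                any(h in m.group(2).lower() for h in SECURITY_SITE_HINTS):
            items.append(("HOSTS_BLOCKS_SECURITY_SITE", entry, "security site redirected to loopback"))
    return items

def review_services(lines):
    items = []
    for entry in lines:
        m = SERVICE_RE.match(entry)
        if not m:
            continue
        rest = m.group("rest")
        if rest.endswith("[?]"):   # DDS appends [?] when it could not stat the binary on disk
            items.append(("SERVICE_FILE_UNVERIFIED", entry, "service/driver binary not verified on disk"))
        if any(frag in rest.lower() for frag in USER_WRITABLE):
            items.append(("SERVICE_USER_WRITABLE", entry, "service/driver binary under a user-writable path"))
    return items

def triage(text):
    """Run every heuristic over a DDS log; returns a list of (code, line, reason) tuples."""
    s = parse_sections(text)
    return (review_processes(s.get("Running Processes", []))
            + review_hjt(s.get("Pseudo HJT Report", []))
            + review_services(s.get("SERVICES / DRIVERS", [])))

if __name__ == "__main__":
    for code, line, reason in triage(SAMPLE_LOG):
        print(f"[{code}] {reason}\n    {line}")
```

Run it and one of the first things it flags is the poster's own `dds.scr` on the Desktop, which is the point: each item is something to confirm, not a detection. For the hijacked-svchost question specifically, the confirming step on XP is `tasklist /svc` (which services each svchost PID hosts) and `netstat -ano` (which PID owns any outbound connections to port 25).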

Hello PaulAtreides161! Welcome to MalwareBytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • If you don't know or can't understand something please ask.
  • Do not install or uninstall any software or hardware while we work on this.

Step 1

I see you are running TeaTimer.

I suggest you disable it, because it can interfere with the changes you'll make on your system.

When everything is done and your log is clean again, you can re-enable it.

If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

How to disable TeaTimer <== click me for instructions.

After you disabled Teatimer, download ResetTeaTimer.exe to your desktop.

Then run ResetTeaTimer.exe.

This will only take a few seconds.

Step 2

I also see you have Viewpoint installed...

Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.


  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player

Step 3

**Note: If you need more detailed information, please visit the ComboFix web page at BleepingComputer.**

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions, and please do not attempt any fixes on your own or run any scanners unless requested by me or another helper.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Open Tools -> Options -> Main tab
    • Set to Always ask me where to Save the files.
  2. During the download, rename Combofix to Combo-Fix as shown in the screenshots CF_download_FF.gif and CF_download_rename.gif.
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------


  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

  7. Double click on Combo-Fix.exe & follow the prompts.
  8. When finished, it will produce a report for you.
  9. Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**


I am unable to complete the ComboFix scan. Approximately 1 minute and 3 seconds after the message that it is scanning and should take 10 minutes or longer on heavily infected systems, my computer flashes a blue screen for about 1 second and then restarts. I have been unable to read the message on the blue screen because it flashes for such a brief period.


DDS (Ver_10-03-17.01) - NTFSx86

Run by Paul at 12:08:28.79 on Tue 06/08/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1265 [GMT -4:00]

AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe

C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe

C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE

C:\Program Files\McAfee\Common Framework\UdaterUI.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\system32\LVCOMSX.EXE

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\McAfee\Common Framework\McTray.exe

C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe

svchost.exe

C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\LogMeIn Hamachi\hamachi-2.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\McAfee\Common Framework\FrameworkService.exe

C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\Paul\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = <local>;*.local

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll

BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.2.2.28.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll

BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: IeMonitorBho Class: {bf00e119-21a3-4fd1-b178-3b8537e75c92} - c:\program files\megaupload\mega manager\MegaIEMn.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll

TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - c:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background

uRun: [<NO NAME>]

uRun: [LogitechSoftwareUpdate] "c:\program files\logitech\video\ManifestEngine.exe" boot

uRun: [Aim] "c:\program files\aim\aim.exe" /d locale=en-US

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /install

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe

mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimagehome\TimounterMonitor.exe

mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [Alcmtr] ALCMTR.EXE

mRun: [shStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE

mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey

mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe

mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"

mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe

mRun: [Dell Photo AIO Printer 922] "c:\program files\dell photo aio printer 922\dlbtbmgr.exe"

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE

mRun: [LogitechVideoRepair] c:\program files\logitech\video\ISStart.exe

mRun: [LogitechVideoTray] c:\program files\logitech\video\LogiTray.exe

mRun: [LogMeIn Hamachi Ui] "c:\program files\logmein hamachi\hamachi-2-ui.exe" --auto-start

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [sNM] c:\program files\spynomore\SNM.exe /startup

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

StartupFolder: c:\docume~1\paul\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE

IE: &D&ownload &with BitComet

IE: &D&ownload all video with BitComet

IE: &D&ownload all with BitComet

IE: E&xport to Microsoft Excel

IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\program files\bitcomet\tools\BitCometBHO_1.2.2.28.dll/206

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

LSP: %SYSTEMROOT%\system32\nvLsp.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

LSA: Authentication Packages = msv1_0 relog_ap

Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\paul\applic~1\mozilla\firefox\profiles\cehchdwf.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage -

hxxps://login.erau.edu/sso/jsp/erniesso.jsp?site2pstoretoken=v1.2~112386E8~BBE9CC05C59DC242300101BE945AD929471BD5ED6AC8AD8D7


FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=

FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll

FF - plugin: c:\documents and settings\paul\application data\move networks\plugins\npqmp071701000002.dll

FF - plugin: c:\program files\emusic download manager\plugin\npemusic.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\microsoft\office live\npOLW.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll

FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll

FF - plugin: c:\program files\veoh networks\veohwebplayer\NPVeohTVPlugin.dll

FF - plugin: c:\program files\veoh networks\veohwebplayer\npWebPlayerVideoPluginATL.dll

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

P2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2008-5-22 144704]

R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2008-5-22 31816]

R2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\logmein hamachi\hamachi-2.exe [2010-3-30 1107336]

R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2009-1-31 103744]

R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2008-5-22 54608]

R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2009-1-31 72936]

R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2009-1-31 33960]

R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2009-1-31 174952]

S2 PEVSystemStart;PEVSystemStart;c:\combo-fix\PEV.cfxxe [2010-6-8 256512]

S3 cpuz131;cpuz131;\??\c:\docume~1\paul\locals~1\temp\cpuz131\cpuz_x32.sys --> c:\docume~1\paul\locals~1\temp\cpuz131\cpuz_x32.sys [?]

S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]

=============== Created Last 30 ================

2010-06-08 16:00:07 0 d-s---w- C:\Combo-Fix

2010-06-08 14:49:31 0 d-sha-r- C:\cmdcons

2010-06-08 14:46:51 98816 ----a-w- c:\windows\sed.exe

2010-06-08 14:46:51 77312 ----a-w- c:\windows\MBR.exe

2010-06-08 14:46:51 256512 ----a-w- c:\windows\PEV.exe

2010-06-08 14:46:51 161792 ----a-w- c:\windows\SWREG.exe

2010-06-07 12:20:48 0 ----a-w- c:\documents and settings\paul\defogger_reenable

2010-06-07 08:04:39 0 d-----w- c:\docume~1\paul\applic~1\Malwarebytes

2010-06-07 08:04:22 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-06-07 08:04:21 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-06-07 08:04:15 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-06-07 08:04:15 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-06 11:10:46 0 d-sh--w- c:\documents and settings\paul\IETldCache

2010-06-06 03:33:31 0 dc-h--w- c:\windows\ie8

2010-06-05 11:50:10 0 d-----w- c:\windows\SxsCaPendDel

2010-06-04 18:41:18 0 d-----w- c:\program files\iPod

2010-06-04 18:41:12 0 d-----w- c:\program files\iTunes

2010-06-04 18:41:12 0 d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

2010-06-04 18:36:40 0 d-----w- c:\program files\Bonjour

2010-06-04 10:18:48 0 d-----w- C:\QUARANTINE

2010-06-04 09:47:39 184 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg

2010-06-04 09:47:34 408 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg

2010-06-04 09:47:08 172032 ---ha-w- C:\SZKGFS.dat

2010-06-04 09:45:49 0 d-----w- c:\program files\common files\iS3

2010-06-04 09:42:00 1152 ----a-w- c:\windows\system32\windrv.sys

2010-06-04 07:19:01 73728 ----a-w- c:\windows\system32\javacpl.cpl

2010-06-04 07:19:01 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-06-03 04:39:39 243 ----a-w- c:\windows\VTMCHAR.INI

2010-06-03 04:39:28 0 d-----w- c:\documents and settings\paul\WINDOWS

2010-05-17 19:25:35 0 d-----w- c:\program files\CDisplay

==================== Find3M ====================

2010-05-05 02:17:40 56532 ---ha-w- c:\windows\system32\mlfcache.dat

2010-04-08 17:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-04-08 17:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe

2009-12-04 15:22:01 16384 --sha-w- c:\windows\temp\cookies\index.dat

2009-12-04 15:22:01 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat

2009-12-04 15:22:01 49152 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 12:09:40.76 ===============


Download RootRepeal Beta on your desktop.

  • Double click RootRepeal.exe to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the Scan button
  • In the Select Scan dialog, check:

    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services

  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan

    Note: The scan can take some time. DO NOT run any other programs while the scan is running

  • When the scan is complete, the Save Report button will become available
  • Click this and save the report to your Desktop as RootRepeal.txt
  • Go to File, then Exit to close the program

If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.

P.S.: If this beta does not work, try with the latest final version.

http://ad13.geekstogo.com/RootRepeal.rar


ROOTREPEAL © AD, 2007-2010

==================================================

Report Save Time: 2010/06/08 12:22

Program Version: Version 2.0.0.0

Windows Version: Windows XP SP3

==================================================

DRIVERS

-------------------

Hidden 0x00000000 , 0 bytes

File Invisible rootrepeal.sys 0xa3846000 C:\WINDOWS\system32\drivers\rootrepeal.sys, 49152 bytes

PROCESSES

-------------------

4 - System

540 - C:\WINDOWS\system32\svchost.exe

572 - C:\WINDOWS\system32\rundll32.exe

580 - C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe

652 - C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe

684 - C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe

692 - C:\WINDOWS\RTHDCPL.EXE

720 - C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe

732 - C:\Program Files\McAfee\Common Framework\UdaterUI.exe

748 - C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

764 - C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe

776 - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

816 - C:\Program Files\iTunes\iTunesHelper.exe

832 - C:\Program Files\Common Files\Real\Update_OB\realsched.exe

840 - C:\WINDOWS\system32\LVCOMSX.EXE

864 - C:\Program Files\Common Files\Java\Java Update\jusched.exe

944 - C:\WINDOWS\system32\spoolsv.exe

984 - C:\Program Files\Real\RealUpgrade\realupgrade.exe

1112 - C:\WINDOWS\system32\smss.exe

1220 - C:\WINDOWS\system32\csrss.exe

1244 - C:\WINDOWS\system32\winlogon.exe

1292 - C:\WINDOWS\system32\services.exe

1304 - C:\WINDOWS\system32\lsass.exe

1484 - C:\WINDOWS\system32\svchost.exe

1532 - C:\WINDOWS\system32\svchost.exe

1584 - C:\WINDOWS\system32\wuauclt.exe

1592 - C:\Documents and Settings\Paul\Desktop\RootRepeal.exe

1680 - C:\WINDOWS\explorer.exe

1732 - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

1824 - C:\Program Files\McAfee\Common Framework\Mctray.exe

1852 - C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe

1888 - C:\WINDOWS\system32\svchost.exe

1968 - C:\WINDOWS\system32\svchost.exe

2060 - C:\WINDOWS\system32\nvsvc32.exe

2176 - C:\Program Files\McAfee\Common Framework\naPrdMgr.exe

2440 - C:\WINDOWS\system32\svchost.exe

2512 - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

2544 - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

2584 - C:\Program Files\Bonjour\mDNSResponder.exe

2608 - C:\WINDOWS\system32\svchost.exe

2708 - C:\Program Files\iPod\bin\iPodService.exe

2856 - C:\Program Files\LogMeIn Hamachi\hamachi-2.exe

2944 - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe

3048 - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe

3136 - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe

3500 - C:\Program Files\Java\jre6\bin\jqs.exe

3824 - C:\WINDOWS\system32\alg.exe

4020 - C:\Program Files\McAfee\Common Framework\FrameworkService.exe

FILES

-------------------

Mismatch C:\Combo-Fix\N_\24609, Allocation size mismatch (API: 98218411659423872, Raw: 392)

Mismatch C:\Documents and Settings\Paul\ntuser.dat.LOG, Size mismatch (API: 1024, Raw: 16384)

Sector F:\

Sector F:\

Sector F:\

Sector F:\

Sector F:\

Sector F:\

Sector F:\

Sector F:\

Sector F:\

Sector F:\

Sector F:\

Sector F:\

Sector F:\

Sector F:\

Sector F:\

Sector F:\

Sector F:\

Sector F:\

Sector F:\

Sector F:\

Sector F:\

Sector F:\

Sector F:\

Sector F:\

Sector F:\

Sector F:\

Sector F:\

Sector F:\

Sector F:\

Sector F:\

Sector F:\

MBR F:\

STEALTH CODE

-------------------

System 0x8a3c0aea - Hidden Code

System 0x8a3c0ec5 - Hidden Code [Driver: , IRP: IRP_MJ_CLEANUP]

System 0x8a3c0ec5 - Hidden Code [Driver: , IRP: IRP_MJ_CLOSE]

System 0x8a3c0ec5 - Hidden Code [Driver: , IRP: IRP_MJ_CREATE]

System 0x8a3c0ec5 - Hidden Code [Driver: , IRP: IRP_MJ_CREATE_MAILSLOT]

System 0x8a3c0ec5 - Hidden Code [Driver: , IRP: IRP_MJ_CREATE_NAMED_PIPE]

System 0x8a3c0ec5 - Hidden Code [Driver: , IRP: IRP_MJ_DEVICE_CHANGE]

System 0x8a3c0ec5 - Hidden Code [Driver: , IRP: IRP_MJ_DEVICE_CONTROL]

System 0x8a3c0ec5 - Hidden Code [Driver: , IRP: IRP_MJ_DIRECTORY_CONTROL]

System 0x8a3c0ec5 - Hidden Code [Driver: , IRP: IRP_MJ_FILE_SYSTEM_CONTROL]

System 0x8a3c0ec5 - Hidden Code [Driver: , IRP: IRP_MJ_FLUSH_BUFFERS]

System 0x8a3c0ec5 - Hidden Code [Driver: , IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL]

System 0x8a3c0ec5 - Hidden Code [Driver: , IRP: IRP_MJ_LOCK_CONTROL]

System 0x8a3c0ec5 - Hidden Code [Driver: , IRP: IRP_MJ_POWER]

System 0x8a3c0ec5 - Hidden Code [Driver: , IRP: IRP_MJ_QUERY_EA]

System 0x8a3c0ec5 - Hidden Code [Driver: , IRP: IRP_MJ_QUERY_INFORMATION]

System 0x8a3c0ec5 - Hidden Code [Driver: , IRP: IRP_MJ_QUERY_QUOTA]

System 0x8a3c0ec5 - Hidden Code [Driver: , IRP: IRP_MJ_QUERY_SECURITY]

System 0x8a3c0ec5 - Hidden Code [Driver: , IRP: IRP_MJ_QUERY_VOLUME_INFORMATION]

System 0x8a3c0ec5 - Hidden Code [Driver: , IRP: IRP_MJ_READ]

System 0x8a3c0ec5 - Hidden Code [Driver: , IRP: IRP_MJ_SCSI]

System 0x8a3c0ec5 - Hidden Code [Driver: , IRP: IRP_MJ_SET_EA]

System 0x8a3c0ec5 - Hidden Code [Driver: , IRP: IRP_MJ_SET_INFORMATION]

System 0x8a3c0ec5 - Hidden Code [Driver: , IRP: IRP_MJ_SET_SECURITY]

System 0x8a3c0ec5 - Hidden Code [Driver: , IRP: IRP_MJ_SET_VOLUME_INFORMATION]

System 0x8a3c0ec5 - Hidden Code [Driver: , IRP: IRP_MJ_SHUTDOWN]

System 0x8a3c0ec5 - Hidden Code [Driver: , IRP: IRP_MJ_SYSTEM_CONTROL]

System 0x8a3c0ec5 - Hidden Code [Driver: , IRP: IRP_MJ_WRITE]

System 0xf757c985 - Modified Entry Point [Driver: intelppm, Other Val: 0xf757d494]

HIDDEN SERVICES

-------------------

SSDT

-------------------

SYSCALL OK, INT 0x2E OK, ServiceTable OK, Driver IAT OK


Thanks! :)

Please read the following through carefully so that you understand what to do.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK. (If Vista, click on the Vista Orb and copy and paste the following into the Search field. (make sure you include the quotation marks) Then press Ctrl+Shift+Enter.)
    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v
  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • It may ask you to reboot the computer to complete the process. Allow it to do so.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.


12:48:42:781 1900 TDSS rootkit removing tool 2.3.2.0 May 31 2010 10:39:48

12:48:42:781 1900 ================================================================================

12:48:42:781 1900 SystemInfo:

12:48:42:781 1900 OS Version: 5.1.2600 ServicePack: 3.0

12:48:42:781 1900 Product type: Workstation

12:48:42:781 1900 ComputerName: ARAKIS

12:48:42:781 1900 UserName: Paul

12:48:42:781 1900 Windows directory: C:\WINDOWS

12:48:42:781 1900 Processor architecture: Intel x86

12:48:42:781 1900 Number of processors: 2

12:48:42:781 1900 Page size: 0x1000

12:48:42:796 1900 Boot type: Normal boot

12:48:42:796 1900 ================================================================================

12:48:43:125 1900 Initialize success

12:48:43:125 1900

12:48:43:125 1900 Scanning Services ...

12:48:43:484 1900 Raw services enum returned 355 services

12:48:43:484 1900

12:48:43:484 1900 Scanning Drivers ...

12:48:44:140 1900 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

12:48:44:156 1900 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

12:48:44:187 1900 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

12:48:44:218 1900 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys

12:48:44:281 1900 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys

12:48:44:328 1900 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

12:48:44:328 1900 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys

12:48:44:375 1900 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

12:48:44:390 1900 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

12:48:44:437 1900 BCM43XX (e679fe7890c366f3418963e289d273cf) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys

12:48:44:468 1900 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

12:48:44:484 1900 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

12:48:44:531 1900 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys

12:48:44:546 1900 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

12:48:44:562 1900 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

12:48:44:578 1900 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys

12:48:44:609 1900 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys

12:48:44:671 1900 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys

12:48:44:734 1900 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys

12:48:44:765 1900 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys

12:48:44:781 1900 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

12:48:44:796 1900 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

12:48:44:843 1900 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

12:48:44:859 1900 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

12:48:44:875 1900 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys

12:48:44:890 1900 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys

12:48:44:890 1900 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys

12:48:44:906 1900 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys

12:48:44:921 1900 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

12:48:44:937 1900 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

12:48:45:000 1900 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys

12:48:45:046 1900 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

12:48:45:156 1900 hamachi (833051c6c6c42117191935f734cfbd97) C:\WINDOWS\system32\DRIVERS\hamachi.sys

12:48:45:171 1900 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys

12:48:45:187 1900 HidBatt (748031ff4fe45ccc47546294905feab8) C:\WINDOWS\system32\DRIVERS\HidBatt.sys

12:48:45:203 1900 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys

12:48:45:234 1900 HPZid412 (d03d10f7ded688fecf50f8fbf1ea9b8a) C:\WINDOWS\system32\DRIVERS\HPZid412.sys

12:48:45:250 1900 HPZipr12 (89f41658929393487b6b7d13c8528ce3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys

12:48:45:281 1900 HPZius12 (abcb05ccdbf03000354b9553820e39f8) C:\WINDOWS\system32\DRIVERS\HPZius12.sys

12:48:45:312 1900 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys

12:48:45:343 1900 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\drivers\i8042prt.sys

12:48:45:359 1900 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

12:48:45:453 1900 IntcAzAudAddService (1508153784633e16dc3dfce3cd7a9b18) C:\WINDOWS\system32\drivers\RtkHDAud.sys

12:48:45:484 1900 intelppm (4f99812af077fa729158a619d072afc2) C:\WINDOWS\system32\DRIVERS\intelppm.sys

12:48:45:484 1900 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\intelppm.sys. Real md5: 4f99812af077fa729158a619d072afc2, Fake md5: 8c953733d8f36eb2133f5bb58808b66b

12:48:45:484 1900 File "C:\WINDOWS\system32\DRIVERS\intelppm.sys" infected by TDSS rootkit ... 12:48:46:921 1900 Backup copy found, using it..

12:48:46:937 1900 will be cured on next reboot

12:48:46:953 1900 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys

12:48:47:000 1900 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

12:48:47:031 1900 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

12:48:47:046 1900 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

12:48:47:062 1900 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys

12:48:47:078 1900 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

12:48:47:109 1900 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys

12:48:47:125 1900 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

12:48:47:140 1900 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys

12:48:47:171 1900 klmd23 (67e1faa88fb397b3d56909d7e04f4dd3) C:\WINDOWS\system32\drivers\klmd.sys

12:48:47:187 1900 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

12:48:47:218 1900 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys

12:48:47:250 1900 LVUSBSta (c5efbd05a5195402121711a6ebbb271f) C:\WINDOWS\system32\DRIVERS\LVUSBSta.sys

12:48:47:281 1900 mfeapfk (6a7418672657547e543d8c04f94258e1) C:\WINDOWS\system32\drivers\mfeapfk.sys

12:48:47:296 1900 mfeavfk (63c29d5148a1fb26beb60e45b94e6df2) C:\WINDOWS\system32\drivers\mfeavfk.sys

12:48:47:312 1900 mfebopk (a4d0923fb0f233c6476e1fa2b5d6c0b1) C:\WINDOWS\system32\drivers\mfebopk.sys

12:48:47:343 1900 mfehidk (791e08dca5e1d347551ae27edf32a2b6) C:\WINDOWS\system32\drivers\mfehidk.sys

12:48:47:390 1900 mferkdk (2f875c69112eeed976b7d7e397fd6871) C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys

12:48:47:406 1900 mfetdik (923b88a31c63fb2b1bde239fef6ed158) C:\WINDOWS\system32\drivers\mfetdik.sys

12:48:47:421 1900 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

12:48:47:437 1900 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys

12:48:47:453 1900 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys

12:48:47:468 1900 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

12:48:47:484 1900 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

12:48:47:500 1900 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

12:48:47:546 1900 MRxSmb (421f7b922cec5a5f340e7574a98f7b7c) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

12:48:47:562 1900 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

12:48:47:578 1900 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

12:48:47:593 1900 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

12:48:47:609 1900 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

12:48:47:625 1900 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

12:48:47:656 1900 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys

12:48:47:671 1900 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys

12:48:47:703 1900 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys

12:48:47:718 1900 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

12:48:47:750 1900 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys

12:48:47:765 1900 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

12:48:47:781 1900 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

12:48:47:796 1900 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

12:48:47:828 1900 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys

12:48:47:828 1900 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

12:48:47:843 1900 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

12:48:47:859 1900 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys

12:48:47:875 1900 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

12:48:47:890 1900 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

12:48:47:921 1900 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

12:48:48:046 1900 nv (9e143fb3ef13b7ec1c1dd06529debadd) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys

12:48:48:156 1900 NVENETFD (7d275ecda4628318912f6c945d5cf963) C:\WINDOWS\system32\DRIVERS\NVENETFD.sys

12:48:48:156 1900 nvnetbus (b64aacefad2be5bff5353fe681253c67) C:\WINDOWS\system32\DRIVERS\nvnetbus.sys

12:48:48:171 1900 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

12:48:48:187 1900 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

12:48:48:203 1900 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys

12:48:48:218 1900 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys

12:48:48:234 1900 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

12:48:48:250 1900 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

12:48:48:265 1900 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys

12:48:48:296 1900 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

12:48:48:328 1900 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys

12:48:48:390 1900 PID_0928 (5bd2c6d982481d548107c602e7ccfbbc) C:\WINDOWS\system32\DRIVERS\LV561AV.SYS

12:48:48:406 1900 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

12:48:48:421 1900 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys

12:48:48:421 1900 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

12:48:48:437 1900 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

12:48:48:500 1900 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

12:48:48:500 1900 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

12:48:48:515 1900 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

12:48:48:531 1900 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

12:48:48:531 1900 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

12:48:48:546 1900 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

12:48:48:562 1900 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

12:48:48:593 1900 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys

12:48:48:609 1900 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys

12:48:48:640 1900 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\WINDOWS\system32\Drivers\RootMdm.sys

12:48:48:656 1900 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

12:48:48:671 1900 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys

12:48:48:671 1900 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys

12:48:48:687 1900 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys

12:48:48:718 1900 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys

12:48:48:750 1900 snapman (bcc773872041aa59bc9a6cf770fb32e2) C:\WINDOWS\system32\DRIVERS\snapman.sys

12:48:48:781 1900 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

12:48:48:796 1900 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys

12:48:48:812 1900 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys

12:48:48:843 1900 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys

12:48:48:859 1900 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

12:48:48:875 1900 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

12:48:48:921 1900 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

12:48:48:953 1900 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys

12:48:48:968 1900 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

12:48:48:984 1900 tdrpman (eb53ec341458256deae2ad58822c4a17) C:\WINDOWS\system32\DRIVERS\tdrpman.sys

12:48:49:015 1900 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

12:48:49:015 1900 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

12:48:49:031 1900 tifsfilter (b0b3122bff3910e0ba97014045467778) C:\WINDOWS\system32\DRIVERS\tifsfilt.sys

12:48:49:046 1900 timounter (13bfe330880ac0ce8672d00aa5aff738) C:\WINDOWS\system32\DRIVERS\timntr.sys

12:48:49:093 1900 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

12:48:49:125 1900 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

12:48:49:140 1900 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

12:48:49:156 1900 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

12:48:49:171 1900 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

12:48:49:171 1900 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys

12:48:49:187 1900 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys

12:48:49:203 1900 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys

12:48:49:218 1900 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

12:48:49:234 1900 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

12:48:49:265 1900 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

12:48:49:281 1900 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

12:48:49:296 1900 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

12:48:49:312 1900 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys

12:48:49:328 1900 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS

12:48:49:359 1900 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys

12:48:49:375 1900 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys

12:48:49:375 1900 Reboot required for cure complete..

12:48:49:734 1900 Cure on reboot scheduled successfully

12:48:49:734 1900

12:48:49:734 1900 Completed

12:48:49:734 1900

12:48:49:734 1900 Results:

12:48:49:734 1900 Registry objects infected / cured / cured on reboot: 0 / 0 / 0

12:48:49:734 1900 File objects infected / cured / cured on reboot: 1 / 0 / 1

12:48:49:734 1900

12:48:49:734 1900 KLMD(ARK) unloaded successfully


Delete your copy of ComboFix and let's try again:

**Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer.**

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions, and please do not attempt any fixes or run any scanners on your own unless requested by me or another helper.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  • If you are using Firefox, make sure that your download settings are as follows:
    • Open Tools -> Options -> Main tab
    • Set to Always ask me where to Save the files.
  • During the download, rename Combofix to Combo-Fix.
  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------


  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

  • Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouse-click Combo-Fix's window while it's running. That may cause it to stall.**


ComboFix 10-06-07.04 - Paul 06/08/2010 13:06:39.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1482 [GMT -4:00]

Running from: c:\documents and settings\Paul\Desktop\Combo-Fix.exe

AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

.

((((((((((((((((((((((((( Files Created from 2010-05-08 to 2010-06-08 )))))))))))))))))))))))))))))))

.

2010-06-07 08:10 . 2010-06-07 08:10 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe

2010-06-07 08:04 . 2010-06-07 08:04 -------- d-----w- c:\documents and settings\Paul\Application Data\Malwarebytes

2010-06-07 08:04 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-06-07 08:04 . 2010-06-07 08:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-06-07 08:04 . 2010-06-07 08:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-07 08:04 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-06-06 13:02 . 2010-06-06 13:02 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2010-06-06 11:20 . 2010-06-06 11:20 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2010-06-06 11:10 . 2010-06-06 11:10 -------- d-sh--w- c:\documents and settings\Paul\IETldCache

2010-06-06 03:33 . 2010-06-06 03:35 -------- dc-h--w- c:\windows\ie8

2010-06-05 11:50 . 2010-06-05 11:50 -------- d-----w- c:\windows\SxsCaPendDel

2010-06-04 18:41 . 2010-06-05 11:50 -------- d-----w- c:\program files\iPod

2010-06-04 18:41 . 2010-06-05 11:50 -------- d-----w- c:\program files\iTunes

2010-06-04 18:41 . 2010-06-04 18:41 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

2010-06-04 18:36 . 2010-06-05 11:50 -------- d-----w- c:\program files\Bonjour

2010-06-04 18:35 . 2010-06-04 18:35 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe

2010-06-04 10:18 . 2010-06-07 09:03 -------- d-----w- C:\QUARANTINE

2010-06-04 09:47 . 2010-06-04 09:47 172032 ---ha-w- C:\SZKGFS.dat

2010-06-04 09:45 . 2010-06-04 09:45 -------- d-----w- c:\program files\Common Files\iS3

2010-06-04 09:42 . 2010-06-04 09:42 1152 ----a-w- c:\windows\system32\windrv.sys

2010-06-04 07:19 . 2010-06-04 07:19 -------- d-----w- c:\program files\Common Files\Java

2010-06-04 07:19 . 2010-06-04 07:18 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-06-03 04:39 . 2010-06-03 04:39 -------- d-----w- c:\documents and settings\Paul\WINDOWS

2010-06-02 20:55 . 2010-06-02 20:55 61440 ----a-w- c:\documents and settings\Paul\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-6c78587f-n\decora-sse.dll

2010-06-02 20:55 . 2010-06-02 20:55 503808 ----a-w- c:\documents and settings\Paul\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-70482195-n\msvcp71.dll

2010-06-02 20:55 . 2010-06-02 20:55 499712 ----a-w- c:\documents and settings\Paul\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-70482195-n\jmc.dll

2010-06-02 20:55 . 2010-06-02 20:55 348160 ----a-w- c:\documents and settings\Paul\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-70482195-n\msvcr71.dll

2010-06-02 20:55 . 2010-06-02 20:55 12800 ----a-w- c:\documents and settings\Paul\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-6c78587f-n\decora-d3d.dll

2010-05-17 19:25 . 2010-05-17 19:25 -------- d-----w- c:\program files\CDisplay

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-08 16:50 . 2009-01-31 03:52 36352 ----a-w- c:\windows\system32\drivers\intelppm.sys

2010-06-08 16:43 . 2009-05-11 01:52 -------- d-----w- c:\documents and settings\Paul\Application Data\mIRC

2010-06-08 16:42 . 2009-05-11 01:52 -------- d-----w- c:\program files\mIRC

2010-06-08 14:58 . 2010-03-09 04:27 -------- d-----w- c:\documents and settings\Paul\Application Data\Skype

2010-06-08 14:34 . 2010-03-09 04:32 -------- d-----w- c:\documents and settings\Paul\Application Data\skypePM

2010-06-08 14:26 . 2009-01-31 23:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint

2010-06-05 11:50 . 2009-01-31 23:32 -------- d-----w- c:\program files\Common Files\Apple

2010-06-05 11:50 . 2009-06-05 15:18 -------- d-----w- c:\program files\QuickTime

2010-06-04 09:47 . 2010-06-04 09:47 408 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg

2010-06-04 09:47 . 2010-06-04 09:47 184 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg

2010-06-01 05:12 . 2009-06-15 05:54 -------- d-----w- c:\program files\Google

2010-05-05 02:17 . 2009-12-09 02:51 56532 ---ha-w- c:\windows\system32\mlfcache.dat

2010-05-03 05:18 . 2010-05-03 05:18 -------- d-----w- c:\documents and settings\All Users\Application Data\AIM

2010-05-03 05:18 . 2010-05-03 05:10 -------- d-----w- c:\program files\AIM

2010-05-03 05:18 . 2010-05-03 05:18 -------- d-----w- c:\program files\Common Files\Software Update Utility

2010-05-03 05:10 . 2009-07-01 04:11 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL Downloads

2010-04-23 07:12 . 2010-04-23 07:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage

2010-04-23 07:12 . 2010-04-23 07:12 -------- d-----w- c:\documents and settings\Paul\Application Data\Office Genuine Advantage

2010-04-13 17:28 . 2010-04-13 17:28 -------- d-----w- c:\program files\GPLGS

2010-04-13 17:27 . 2010-04-13 17:27 -------- d-----w- c:\program files\Acro Software

2010-04-12 01:28 . 2010-04-10 02:47 -------- d-----w- c:\program files\Wizards of the Coast

2010-04-10 07:32 . 2009-01-31 03:56 69232 ----a-w- c:\documents and settings\Paul\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-04-09 23:08 . 2010-04-09 23:08 159112 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2010-04-09 23:08 . 2009-02-02 20:21 -------- d-----w- c:\program files\MSBuild

2010-04-09 23:08 . 2010-04-09 23:08 -------- d-----w- c:\program files\Reference Assemblies

2010-04-08 17:20 . 2010-04-08 17:20 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-04-08 17:20 . 2010-04-08 17:20 107808 ----a-w- c:\windows\system32\dns-sd.exe

2010-04-05 05:34 . 2010-04-05 05:34 143976 ----a-w- c:\documents and settings\Paul\Application Data\Move Networks\uninstall.exe

2010-04-05 05:34 . 2009-10-15 00:50 5642688 ----a-w- c:\documents and settings\Paul\Application Data\Move Networks\plugins\npqmp071701000002.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2005-06-08 196608]

"Aim"="c:\program files\AIM\aim.exe" [2010-03-08 3972440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-15 13680640]

"nwiz"="nwiz.exe" [2009-01-15 1657376]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-01-15 86016]

"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-10-31 2595616]

"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-10-31 909208]

"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-10-31 140568]

"RTHDCPL"="RTHDCPL.EXE" [2008-12-09 18063872]

"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-05-23 111952]

"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2007-10-25 136512]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-04-13 47392]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"Dell Photo AIO Printer 922"="c:\program files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2005-04-22 290816]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-02-19 202256]

"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]

"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2005-06-08 458752]

"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2005-06-08 217088]

"LogMeIn Hamachi Ui"="c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe" [2010-03-30 1820040]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]

c:\documents and settings\Paul\Start Menu\Programs\Startup\

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\ApexDC++\\ApexDC.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\BitComet\\BitComet.exe"=

"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=

"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\AIM\\aim.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"25288:TCP"= 25288:TCP:BitComet 25288 TCP

"25288:UDP"= 25288:UDP:BitComet 25288 UDP

"57480:TCP"= 57480:TCP:Pando Media Booster

"57480:UDP"= 57480:UDP:Pando Media Booster

R2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [3/30/2010 11:16 AM 1107336]

S3 cpuz131;cpuz131;\??\c:\docume~1\Paul\LOCALS~1\Temp\cpuz131\cpuz_x32.sys --> c:\docume~1\Paul\LOCALS~1\Temp\cpuz131\cpuz_x32.sys [?]

S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - KLMDB

*Deregistered* - klmdb

.

Contents of the 'Scheduled Tasks' folder

2010-05-28 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-06-08 c:\windows\Tasks\OGALogon.job

- c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = <local>;*.local

IE: &D&ownload &with BitComet

IE: &D&ownload all video with BitComet

IE: &D&ownload all with BitComet

IE: E&xport to Microsoft Excel

LSP: %SYSTEMROOT%\system32\nvLsp.dll

DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

FF - ProfilePath - c:\documents and settings\Paul\Application Data\Mozilla\Firefox\Profiles\cehchdwf.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxps://login.erau.edu/sso/jsp/erniesso.jsp?site2pstoretoken=v1.2~112386E8~BBE9CC05C59DC242300101BE945AD929471BD5ED6AC8AD8D72545125C73A11F02D499AC9FC4229824134C5671B5ACBB5A8FF8A4DFCBE1CFCA9DA47347B19163AD78F60784BCB3FB94DAFE1A63679DC6E524726B36B1F45CEB0645FCF203E99C585028D712CB7C6D2633C5ED5D1C205AEE586C618675867319D417C4F1F5EE0351D4633E6D734B6CD0D1C80F97E6FA47A9B0DD8828CDEB5EF0C080D3021E3A354A016D695EE8C58C90669467EB5D03A3A49473B632FD987ACE00A9CCDBACF2906E735BF74DD8681666FA3062C990C3FA1E4CE2A9B2FC4EBAB&p_error_code=&p_submit_url=https%3A%2F%2Flogin.erau.edu%2Fsso%2Fauth&p_cancel_url=https%3A%2F%2Fernie.erau.edu%2Fportal%2Fpls%2Fportal%2FPORTAL.home&ssousername=

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=

FF - component: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll

FF - plugin: c:\documents and settings\Paul\Application Data\Move Networks\plugins\npqmp071701000002.dll

FF - plugin: c:\program files\eMusic Download Manager\plugin\npemusic.dll

FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll

FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll

FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll

FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll

---- FIREFOX POLICIES ----

FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-SNM - c:\program files\SpyNoMore\SNM.exe

SafeBoot-klmdb.sys

**************************************************************************

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]

"ImagePath"="c:\windows\system32\GameMon.des -service"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1308)

c:\windows\system32\relog_ap.dll

c:\windows\system32\nvLsp.dll

- - - - - - - > 'explorer.exe'(2736)

c:\windows\system32\OneX.DLL

c:\windows\system32\eappprxy.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2010-06-08 13:11:59

ComboFix-quarantined-files.txt 2010-06-08 17:11

Pre-Run: 10,765,754,368 bytes free

Post-Run: 11,254,218,752 bytes free

- - End Of File - - C4DB175A2E359E25F534CB2E27320721


ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla Firefox for this scan. You may, however, need to disable your currently installed Anti-Virus; how to do so can be read here.

  • Please go here then click on: EOLS1.gif
  • Select the option YES, I accept the Terms of Use then click on: EOLS2.gif
  • When prompted allow the Add-On/Active X to install.
  • Now click on Advanced Settings and select the following:

    • Remove found threats
    • Scan archives
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology

  • Now click on: EOLS3.gif
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed, the Online Scan will begin automatically.
  • Do not touch either the mouse or keyboard during the scan, otherwise it may stall.
  • When completed, select Uninstall application on close if you so wish, but make sure you copy the logfile first!
  • Now click on: EOLS4.gif
  • Use Notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!


ESETSmartInstaller@High as downloader log:

all ok

# version=7

# OnlineScannerApp.exe=1.0.0.1

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=b2e660f8a5009d4e8b73d7832cb91241

# end=finished

# remove_checked=true

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2010-06-08 07:15:34

# local_time=2010-06-08 03:15:34 (-0500, Eastern Daylight Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=159636

# found=6

# cleaned=6

# scan_time=5341

C:\Documents and Settings\Paul\Application Data\Sun\Java\Deployment\cache\6.0\12\60fa4d8c-1d8395a7 a variant of OSX/Exploit.Smid.B trojan (deleted - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Paul\Application Data\Sun\Java\Deployment\cache\6.0\30\2bae4f1e-114cb989 a variant of OSX/Exploit.Smid.B trojan (deleted - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Paul\Application Data\Sun\Java\Deployment\cache\6.0\49\6b800f31-579d08a3 multiple threats (deleted - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Paul\Application Data\Sun\Java\Deployment\cache\6.0\51\22c3fb33-72f56f87 multiple threats (deleted - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Paul\Application Data\Sun\Java\Deployment\cache\6.0\54\947f9b6-26ed25d0 probably a variant of Win32/TrojanDownloader.Agent trojan (deleted - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Paul\Application Data\Sun\Java\Deployment\cache\6.0\6\5b3d5486-66834b28 a variant of Java/TrojanDownloader.Agent.NAN trojan (deleted - quarantined) 00000000000000000000000000000000 C


Good work! :)

Last steps:

Step 1

* Go to start > run and copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Step 2

To enable CD Emulation programs using DeFogger please perform these steps:

  1. Please download DeFogger to your desktop.
  2. Once downloaded, double-click on the DeFogger icon to start the tool.
  3. The application window will now appear. You should now click on the Enable button to enable your CD Emulation drivers.
  4. When it prompts you whether or not you want to continue, please click on the Yes button to continue.
  5. When the program has completed you will see a Finished! message. Click on the OK button to exit the program.
  6. If CD Emulation programs are present and have been enabled, DeFogger will now ask you to reboot the machine. Please allow it to do so by clicking on the OK button.

Step 3

Please manually delete Defogger, ResetTeaTimer, DDS, GMER, RootRepeal and TDSSKiller.

Step 4

Please uninstall ESET Online Scanner.

Step 5

Some malware preventions:

http://miekiemoes.blogspot.com/2008/02/how...nt-malware.html

Safe surfing! ;)
