Jump to content

Recommended Posts

Usually pretty good at sorting these things our but I am now desperate, this is a corporate computer running xp pro, up to date on all service packs, somehow picked up a virus that starts generating piles of emails and sending them, when ever connected to the network, I can use netstat to see that it connects to russia and opens a ton of ports, as long as it is disconnected all is quiet, as soon as the network connects, it goes wild. I am sure that ndis.sys is part of the problem, please help as this computer is essintial to my business. Thank you in advance.

Every time I try and run gmer, I lock up during the file section, lsass ends up running wild and taking up all the processor locking things up, can I run it in Safe mode or do you need it run with everything loaded?

I got it to run by unchecking the files block

DDS (Ver_10-03-17.01) - NTFSx86

Run by boldham at 8:44:55.46 on Thu 06/10/2010

Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_20

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1117 [GMT -7:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe

C:\WINDOWS\system32\CAPM3RSK.EXE

C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe

C:\NWSF8\nwsf.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PnkBstrA.exe

c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe

C:\Program Files\Symantec AntiVirus\SavRoam.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\nvraidservice.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\Analog Devices\SoundMAX\Smax4.exe

C:\WINDOWS\system32\wbem\unsecapp.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\WINDOWS\Twain_32\Fjscan32\SOP\FtLnSOP.exe

C:\WINDOWS\Twain_32\fjscan32\FjtwSetup.exe

C:\Program Files\PFU\ScanSnap\PDF Thumbnail View\pdfquickview.exe

C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\UltraMon\UltraMon.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe

C:\Program Files\Unlocker\UnlockerAssistant.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\UltraMon\UltraMonTaskbar.exe

C:\Program Files\Western Digital Technologies\Spindown\ExSpinDn.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe

C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

C:\Program Files\PFU\ScanSnap\CardMinder V3.1\CardLauncher.exe

C:\Program Files\PFU\ScanSnap\Driver\PfuSsMon.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\DateInTray\DateInTray.exe

C:\Program Files\Windows Live\Contacts\wlcomm.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\mmc.exe

C:\Documents and Settings\boldham.RNG\Desktop\Virus Data\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = <local>

mWinlogon: Userinit=c:\windows\system32\Userinit.exe

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background

uRun: [iSUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler

mRun: [NVRaidService] c:\windows\system32\nvraidservice.exe

mRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe

mRun: [soundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray

mRun: [NWEReboot]

mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [vptray] c:\progra~1\symant~1\VPTray.exe

mRun: [FtLnSOP_setup] c:\windows\twain_32\fjscan32\sop\FtLnSOP.exe

mRun: [FJTWAIN Setup] c:\windows\twain_32\fjscan32\FjtwSetup.exe /Station

mRun: [Pdfquickview] c:\program files\pfu\scansnap\pdf thumbnail view\pdfquickview.exe

mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"

mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide

mRun: [ultraMon] "c:\program files\ultramon\UltraMon.exe" /auto

mRun: [WD Drive Manager] c:\program files\western digital\wd drive manager\WDBtnMgrUI.exe

mRun: [unlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /install

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [WD Spindown Utility] "c:\program files\western digital technologies\spindown\ExSpinDn.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [blackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background

mRun: [CorelGadget] Rundll32.exe "c:\program files\common files\ulead systems\gadget\GadgetEB.dll",LaunchGadget

mRun: [standby] "c:\program files\common files\corel\standby\Standby.exe" -START

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

StartupFolder: c:\docume~1\boldham.rng\startm~1\programs\startup\datein~1.lnk - c:\program files\dateintray\DateInTray.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\cardmi~1.lnk - c:\program files\pfu\scansnap\cardminder v3.1\CardLauncher.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\conver~1.lnk - c:\program files\pfu\scansnap\organizer\PfuSsOrgOcrChk.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netsen~1.lnk - c:\program files\fomine net send gui\NetSendGUI.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\scansn~1.lnk - c:\program files\pfu\scansnap\driver\PfuSsMon.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winfax~1.lnk - c:\program files\symantec\winfax\WTNSETUP.EXE

uPolicies-explorer: NoActiveDesktop = 1 (0x1)

uPolicies-explorer: DisablePersonalDirChange = 1 (0x1)

uPolicies-system: SetVisualStyle =

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

DPF: {00140000-B1BA-11CE-ABC6-F5B2E79D9E3F} - file:///D:/LTOCX14N.cab

DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab

DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab

DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll

DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab

DPF: {775879E2-7309-4619-BB02-AADE41F4B690} - hxxp://aolsvc.aol.com/onlinegames/free-trial-dream-chronicles/dreamweb.1.0.0.9.cab

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {B0FB831D-17F6-4CBD-9B5D-3305881D362E} - hxxp://www.shockwave.com/content/reaxxion/sis/HLGLauncher.cab

DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab

DPF: {BD08A9D5-0E5C-4F42-99A3-C0CB5E860557} - hxxp://www.playwhat.com/solidPlugin/solidstateion.cab

DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe

DPF: {F80B9305-A013-11D2-BD23-00A024978908} - file:///E:/viewer/accuradimage.cab

DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.6.cab

TCP: {CBE6576F-2220-427F-9E94-BEE13183367B} = 10.10.3.10,209.63.0.6

TCP: {F62C6CB5-2045-41DB-A37D-CB0B73A8922B} = 10.10.3.10,209.63.0.6

Handler: asp - {8D32BA61-D15B-11d4-894B-000000000000} - c:\windows\system32\hsppp.dll

Handler: hsp - {8D32BA61-D15B-11d4-894B-000000000000} - c:\windows\system32\hsppp.dll

Handler: x-asp - {8D32BA61-D15B-11d4-894B-000000000000} - c:\windows\system32\hsppp.dll

Handler: x-cnote - {8D32BA61-D15B-11d4-894B-000000000000} - c:\windows\system32\hsppp.dll

Handler: x-hsp - {8D32BA61-D15B-11d4-894B-000000000000} - c:\windows\system32\hsppp.dll

Handler: x-mem1 - {C3719F83-7EF8-4BA0-89B0-3360C7AFB7CC} - c:\windows\system32\wowctl2.dll

Handler: x-zip - {8D32BA61-D15B-11d4-894B-000000000000} - c:\windows\system32\hsppp.dll

Handler: zip - {8D32BA61-D15B-11d4-894B-000000000000} - c:\windows\system32\hsppp.dll

Notify: NavLogon - c:\windows\system32\NavLogon.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\boldham.rng\applic~1\mozilla\firefox\profiles\kz8qr2qy.default\

FF - prefs.js: browser.startup.homepage - hxxps://www.rngmedcons.com/cdb2/cases.html

FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll

FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll

FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll

FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll

FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll

FF - plugin: c:\documents and settings\boldham.rng\application data\mozilla\firefox\profiles\kz8qr2qy.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll

FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll

FF - plugin: c:\program files\mozilla firefox\plugins\np_IEGetPlugin.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll

FF - plugin: c:\program files\photosynth\tech preview\nppsynth.dll

FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr

ef", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-2-4 324232]

R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-2-4 53896]

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-4-8 185968]

R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-4-8 161392]

R2 Network SuperFax;Network SuperFax;c:\nwsf8\nwsf.exe [2009-12-10 1269760]

R2 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2005-4-17 124608]

R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2005-4-17 1706176]

R2 UltraMonUtility;UltraMon Utility Driver;c:\program files\common files\realtime soft\ultramonmirrordrv\x32\UltraMonUtility.sys [2006-9-24 11776]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-1-18 24652]

R2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\western digital\wd drive manager\WDBtnMgrSvc.exe [2008-5-16 102400]

R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100608.004\naveng.sys [2010-6-9 85552]

R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100608.004\navex15.sys [2010-6-9 1347504]

R3 UltraMonMirror;UltraMonMirror;c:\windows\system32\drivers\UltraMonMirror.sys [2005-5-14 3584]

S2 Crypto;Crypto;\??\c:\windows\system32\drivers\crypto.sys --> c:\windows\system32\drivers\Crypto.sys [?]

S2 RapidPortM3;RapidPortM3;c:\windows\system32\drivers\CAPM3LP.SYS [2006-12-1 22976]

S2 sshd;CYGWIN sshd;c:\cygwin\bin\cygrunsrv.exe [2007-5-24 43008]

S3 CBUSB;MARX CryptoTech LP;c:\windows\system32\drivers\CBUSB.sys [2006-5-14 45056]

S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2005-4-8 83568]

S3 cpuz130;cpuz130;\??\c:\docume~1\boldham.rng\locals~1\temp\cpuz130\cpuz_x32.sys --> c:\docume~1\boldham.rng\locals~1\temp\cpuz130\cpuz_x32.sys [?]

S3 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [2009-7-14 12672]

S3 RTLWUSB;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [2007-1-11 332928]

S3 scsiscan;SCSI Scanner Driver;c:\windows\system32\drivers\scsiscan.sys [2006-12-1 11520]

S3 SjyPkt;SjyPkt;\??\c:\windows\system32\drivers\sjypkt.sys --> c:\windows\system32\drivers\SjyPkt.sys [?]

S3 SUSTUCAM;Susteen USB Cable Modem Driver;c:\windows\system32\drivers\sustucam.sys [2006-4-12 38016]

S3 SUSTUCAU;Susteen USB Cable USB Driver;c:\windows\system32\drivers\sustucau.sys --> c:\windows\system32\drivers\sustucau.sys [?]

S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-8-15 11520]

=============== Created Last 30 ================

2010-06-10 14:55:36 0 d--h--w- c:\windows\$hf_mig$

2010-06-10 04:32:13 0 d-----w- c:\windows\system32\wbem\Repository

2010-06-10 02:10:45 6144 ------w- c:\windows\system32\151.tmp

2010-06-10 02:10:23 6144 ------w- c:\windows\system32\150.tmp

2010-06-10 01:24:32 6144 ------w- c:\windows\system32\14F.tmp

2010-06-10 00:13:36 0 d-----w- c:\program files\Panda Security

2010-06-09 23:46:37 0 d-----w- C:\$AVG

2010-06-09 22:41:16 12464 ----a-w- c:\windows\system32\avgrsstx(2).dll

2010-06-09 22:41:04 0 d-----w- c:\windows\system32\drivers\Avg(2)

2010-06-09 22:38:42 0 d-----w- c:\program files\AVG(2)

2010-06-09 22:38:23 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9

2010-06-09 22:24:01 685056 ----a-w- c:\windows\is-K3H5E.exe

2010-06-09 21:37:33 0 d-----w- C:\VundoFix Backups

2010-06-09 20:43:49 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys

2010-06-09 19:48:34 0 d-----w- c:\program files\Sophos

2010-06-09 18:04:49 54016 ----a-w- c:\windows\system32\drivers\gsjs.sys

2010-06-09 17:25:35 0 ----a-w- c:\documents and settings\boldham.rng\defogger_reenable

2010-06-08 23:11:52 210816 -c--a-w- c:\windows\system32\dllcache\ndis.sys

2010-06-08 23:11:37 20 ----a-w- c:\docume~1\boldham.rng\applic~1\ohipmn.dat

2010-06-05 18:21:57 8192 --sha-w- c:\windows\Thumbs.db

2010-06-03 07:42:39 0 d-----w- c:\windows\MVUNINST

2010-06-03 07:42:39 0 d-----w- c:\program files\Memorex exPressit Label Design Studio

2010-06-03 07:42:39 0 d-----w- c:\program files\common files\SureThing Shared

2010-06-03 02:36:31 90 ----a-w- c:\windows\AVControl.ini

2010-06-03 01:54:21 209040 ----a-w- c:\windows\system32\IVIresizeW7.dll

2010-06-03 01:54:20 24720 ----a-w- c:\windows\system32\IVIresize.dll

2010-06-03 01:54:20 204944 ----a-w- c:\windows\system32\IVIresizeA6.dll

2010-06-03 01:54:20 196752 ----a-w- c:\windows\system32\IVIresizeP6.dll

2010-06-03 01:54:20 196752 ----a-w- c:\windows\system32\IVIresizeM6.dll

2010-06-03 01:54:20 192656 ----a-w- c:\windows\system32\IVIresizePX.dll

2010-05-31 20:34:36 0 d-----w- c:\program files\SmartSound Software

2010-05-31 20:34:35 0 d-----w- c:\docume~1\alluse~1\applic~1\SmartSound Software Inc

2010-05-31 19:12:36 0 d-----w- c:\documents and settings\boldham.rng\Corel

2010-05-31 19:06:48 7520 --sha-w- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys

2010-05-31 19:06:48 168 --sh--r- c:\docume~1\alluse~1\applic~1\F947D326FC.sys

2010-05-31 19:01:32 0 d-----w- c:\windows\system32\windows media

2010-05-31 19:01:26 0 d--h--w- c:\windows\msdownld.tmp

2010-05-31 19:01:11 0 d-----w- c:\docume~1\alluse~1\applic~1\InterVideo

2010-05-31 18:59:27 0 d-----w- c:\docume~1\alluse~1\applic~1\Corel

2010-05-31 18:57:53 0 d-----w- c:\program files\common files\Protexis

2010-05-31 18:54:54 0 d-----w- c:\program files\Windows Media Components

2010-05-31 18:54:40 0 d-----w- c:\program files\common files\Ulead Systems

2010-05-31 18:54:40 0 d-----w- c:\program files\common files\Corel

2010-05-31 18:54:19 0 d-----w- c:\program files\Corel

2010-05-18 18:55:54 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-05-18 18:08:48 0 d-----w- c:\docume~1\boldham.rng\applic~1\Malwarebytes

2010-05-18 18:08:40 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-05-18 18:08:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-05-18 18:08:39 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-05-18 18:08:39 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

==================== Find3M ====================

2010-06-10 14:45:48 10880 ----a-w- c:\windows\system32\drivers\ndisip.sys

2010-06-09 18:57:19 68224 ----a-w- c:\windows\system32\drivers\pci.sys

2010-06-08 23:11:52 210816 ----a-w- c:\windows\system32\drivers\ndis.sys

2010-05-12 18:21:16 221568 ------w- c:\windows\system32\MpSigStub.exe

2010-04-21 17:06:41 77824 ----a-w- c:\windows\system32\KCL310.dll

2010-04-21 17:06:41 16384 ----a-w- c:\windows\system32\KDB310.dll

2010-04-21 04:07:48 256 ----a-w- c:\documents and settings\boldham.rng\pool.bin

2010-03-18 01:57:25 72848 ---ha-w- c:\windows\system32\mlfcache.dat

2009-08-29 02:42:52 40448 ----a-w- c:\windows\inf\usbaapl.sys

2001-05-24 19:59:30 162304 ----a-w- c:\program files\UNWISE.EXE

2007-02-27 20:02:16 2 --sha-w- c:\windows\system32\WINDRV30.SYS

2008-07-28 21:36:44 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008072820080729\index.dat

============= FINISH: 8:45:13.87 ===============

Attach.zip

mbam_log_2010_06_09__23_13_46_.zip

arc.zip

Link to post
Share on other sites

Hello Brian O

Welcome to Malwarebytes.

=====================

Download ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Link to post
Share on other sites

  • 3 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.