Malware Bytes not working, Please help


Lew

I contracted a virus probably from a downloaded bit torrent file,

I have used Malware Bytes, Ad Aware, SpyBot S&D, and Avira AVG without success.

I continue to be redirected to websites.

I ran DDS

DDS (Ver_10-03-17.01) - NTFSx86 NETWORK

Run by In Vivo Netbook at 13:51:44.08 on Sun 09/05/2010

Internet Explorer: 8.0.7600.16385

Microsoft Windows 7 Starter 6.1.7600.0.1252.1.1033.18.1015.333 [GMT -4:00]

SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}

============== Running Processes ===============

C:\windows\system32\wininit.exe

C:\windows\system32\lsm.exe

C:\windows\system32\svchost.exe -k DcomLaunch

C:\windows\system32\svchost.exe -k RPCSS

C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\windows\system32\svchost.exe -k netsvcs

C:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted

C:\windows\system32\svchost.exe -k LocalService

C:\windows\system32\svchost.exe -k NetworkService

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\windows\system32\wbem\unsecapp.exe

C:\windows\Explorer.EXE

C:\windows\system32\wbem\wmiprvse.exe

C:\windows\system32\ctfmon.exe

C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\Users\In Vivo Netbook\Desktop\dds.scr

C:\windows\system32\conhost.exe

C:\windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

uSearch Bar = Preserve

uInternet Settings,ProxyOverride = *.local

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll

BHO: Java

Attach.txt

Thanks RP. You guys are great to do this. I owe you a beer. Your choice.

Can I connect another PC on the same network at the same time? Or will I infect the other PC?

I reran DDS, below

Attach is zipped and attached.

Rootkit took a long time to run, so I ran DDS and RootKit in parallel. Is that OK?

Rootkit is also pasted below as well.

--------------------------------------------

DDS (Ver_10-03-17.01) - NTFSx86

Run by In Vivo Netbook at 11:29:51.28 on Mon 09/06/2010

Internet Explorer: 8.0.7600.16385

Microsoft Windows 7 Starter 6.1.7600.0.1252.1.1033.18.1015.166 [GMT -4:00]

SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}

============== Running Processes ===============

C:\windows\system32\wininit.exe

C:\windows\system32\lsm.exe

C:\windows\system32\svchost.exe -k DcomLaunch

C:\windows\system32\svchost.exe -k RPCSS

C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\windows\system32\svchost.exe -k netsvcs

C:\windows\system32\svchost.exe -k LocalService

C:\windows\system32\svchost.exe -k NetworkService

C:\windows\System32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Windows\System32\AsusService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe

C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\windows\system32\svchost.exe -k imgsvc

C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe

C:\windows\system32\wbem\wmiprvse.exe

C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\windows\system32\taskhost.exe

C:\windows\system32\Dwm.exe

C:\windows\Explorer.EXE

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\ASUS\Asus WebStorage\BackupService.exe

C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Wireless-G Internet Home Monitoring Camera\Recorder.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Windows\System32\igfxtray.exe

C:\Windows\System32\igfxpers.exe

C:\Program Files\Wireless-G Internet Home Monitoring Camera\Monitor.exe

C:\Program Files\EeePC\HotkeyService\HotkeyService.exe

C:\Program Files\EeePC\SHE\SuperHybridEngine.exe

C:\Program Files\Synaptics\SynTP\SynTPHelper.exe

C:\windows\system32\igfxsrvc.exe

C:\windows\system32\SearchIndexer.exe

C:\Program Files\Boingo\Boingo Wi-Fi\Boingo Wi-Fi.exe

C:\Program Files\ASUS\Eee Docking\Eee Docking.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

C:\Program Files\EeePC\HotkeyService\HotKeyMon.exe

C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\windows\system32\taskeng.exe

C:\Users\In Vivo Netbook\Desktop\dds.scr

C:\windows\system32\conhost.exe

C:\windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

uSearch Bar = Preserve

uInternet Settings,ProxyOverride = *.local

uWinlogon: Shell=c:\users\in vivo netbook\appdata\roaming\antispy.exe

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll

TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

uRun: [Eee Docking] c:\program files\asus\eee docking\Eee Docking.exe

uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [synTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe

mRun: [synAsusAcpi] %ProgramFiles%\Synaptics\SynTP\SynAsusAcpi.exe

mRun: [EeeStorageBackup] c:\program files\asus\asus webstorage\BackupService.exe

mRun: [HotkeyService] AsusSender.exe c:\program files\eeepc\hotkeyservice\HotkeyService.exe

mRun: [superHybridEngine] AsusSender.exe c:\program files\eeepc\she\SuperHybridEngine.exe

mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [Monitor.exe] c:\program files\wireless-g internet home monitoring camera\Monitor.exe

mRun: [Recorder.exe] c:\program files\wireless-g internet home monitoring camera\Recorder.exe

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [boingo Wi-Fi] "c:\program files\boingo\boingo wi-fi\Boingo.lnk"

StartupFolder: c:\users\invivo~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hotkey~1.lnk - c:\program files\eeepc\hotkeyservice\HotKeyMon.exe

mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableLUA = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

mPolicies-system: PromptOnSecureDesktop = 0 (0x0)

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll

IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {8D59819B-2067-4A6B-84F4-7F84570E3C30} - hxxp://192.168.1.55/img/LinksysMLViewer.cab

DPF: {ADACAA8F-3595-47FE-9C31-9C7471B9BEC7} - hxxp://192.168.72.11/cab/OCXChecker_8310.cab

DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://invivobva.webex.com/client/T27L/webex/ieatgpc1.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\aibelive\voice command\Skype4COM.dll

Notify: igfxcui - igfxdev.dll

Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\users\invivo~1\appdata\roaming\mozilla\firefox\profiles\03d29puo.default\

FF - prefs.js: browser.startup.homepage - google.com

FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\program files\microsoft\office live\npOLW.dll

FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

FF - plugin: c:\users\in vivo netbook\appdata\roaming\mozilla\plugins\npatgpc.dll

FF - HiddenExtension: XULRunner: {0E91F7E1-0B89-431B-9E73-A5E542E278B2} - c:\users\in vivo netbook\appdata\local\{0E91F7E1-0B89-431B-9E73-A5E542E278B2}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-12-31 11608]

R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-12-31 108289]

R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-12-31 185089]

R2 AsusService;Asus Launcher Service;c:\windows\system32\AsusService.exe [2009-8-24 219136]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-12-31 56816]

R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-8-31 1153368]

R3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller (NDIS 6.20);c:\windows\system32\drivers\L1C62x86.sys [2009-8-14 51712]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-23 135664]

S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-8-12 1355416]

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]

S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2009-12-15 29472]

S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2009-12-15 55280]

S3 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2009-2-6 533360]

S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-8-12 15008]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-8-19 38224]

=============== Created Last 30 ================

2010-09-06 15:13:03 6656 ----a-w- c:\windows\system32\E78B54E6.exe

2010-09-05 22:21:49 430080 ----a-w- c:\users\invivo~1\appdata\roaming\antispy.exe

2010-09-05 17:50:01 0 ----a-w- c:\users\in vivo netbook\defogger_reenable

2010-09-02 19:51:24 15880 ----a-w- c:\windows\system32\lsdelete.exe

2010-09-02 14:24:55 0 dc-h--w- c:\programdata\{ECC164E0-3133-4C70-A831-F08DB2940F70}

2010-09-02 14:24:27 0 d-----w- c:\program files\Lavasoft

2010-09-02 14:24:26 0 d-----w- c:\programdata\Lavasoft

2010-09-02 13:43:37 0 d-----w- c:\users\invivo~1\appdata\roaming\AVP 2009

2010-09-01 02:29:02 0 d-----w- c:\program files\Trend Micro

2010-09-01 02:04:39 0 d-----w- c:\programdata\Spybot - Search & Destroy

2010-09-01 02:04:39 0 d-----w- c:\program files\Spybot - Search & Destroy

2010-08-25 14:37:11 0 d-----w- c:\programdata\GoBoingo

2010-08-25 14:37:11 0 d-----w- c:\program files\Boingo

2010-08-20 07:08:45 1002008 ----a-w- c:\windows\system32\igxpun.exe

2010-08-20 01:12:15 1286016 ----a-w- c:\windows\system32\drivers\tcpip.sys

2010-08-20 01:05:53 82944 ----a-w- c:\windows\system32\iccvid.dll

2010-08-20 01:05:53 197632 ----a-w- c:\windows\system32\ir32_32.dll

2010-08-20 01:05:13 37376 ----a-w- c:\windows\system32\rtutils.dll

2010-08-20 01:04:41 3955080 ----a-w- c:\windows\system32\ntkrnlpa.exe

2010-08-20 01:04:40 3899784 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-08-20 00:53:41 310784 ----a-w- c:\windows\system32\drivers\srv.sys

2010-08-20 00:53:41 307200 ----a-w- c:\windows\system32\drivers\srv2.sys

2010-08-20 00:53:41 113664 ----a-w- c:\windows\system32\drivers\srvnet.sys

2010-08-20 00:36:13 1233920 ----a-w- c:\windows\system32\msxml3.dll

2010-08-20 00:32:05 0 d-----w- c:\users\invivo~1\appdata\roaming\Malwarebytes

2010-08-20 00:31:51 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-08-20 00:31:47 0 d-----w- c:\programdata\Malwarebytes

2010-08-20 00:31:46 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-08-20 00:31:46 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-08-20 00:27:51 224256 ----a-w- c:\windows\system32\schannel.dll

2010-08-20 00:17:31 65536 --sha-w- c:\users\in vivo netbook\ntuser.dat{3733e229-abf0-11df-9bf9-90e6ba8011b3}.TM.blf

2010-08-20 00:17:31 524288 --sha-w- c:\users\in vivo netbook\ntuser.dat{3733e229-abf0-11df-9bf9-90e6ba8011b3}.TMContainer00000000000000000002.regtrans-ms

2010-08-20 00:17:31 524288 --sha-w- c:\users\in vivo netbook\ntuser.dat{3733e229-abf0-11df-9bf9-90e6ba8011b3}.TMContainer00000000000000000001.regtrans-ms

2010-08-19 23:41:59 0 d-----w- c:\users\invivo~1\appdata\roaming\6445ACDCAC425BB710AD28AE5D523B0B

2010-08-19 12:52:14 0 d-----w- c:\program files\HP

2010-08-15 15:06:49 0 d-----w- c:\windows\system32\x64

==================== Find3M ====================

2010-08-05 01:08:36 97876 ----a-w- c:\windows\fonts\KUENSTL1.TTF

2010-08-05 01:04:23 58928 ----a-w- c:\windows\fonts\Kunstler_0.ttf

2010-08-05 01:04:23 58928 ----a-w- c:\windows\fonts\Kunstler.ttf

2010-06-30 06:25:31 978432 ----a-w- c:\windows\system32\wininet.dll

2010-06-19 04:07:18 2326016 ----a-w- c:\windows\system32\win32k.sys

2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat

2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat

2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat

2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat

2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini

2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat

2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat

2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat

2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat

2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat

2010-01-09 22:12:25 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012010010920100110\index.dat

2009-12-31 03:49:02 16384 --sha-w- c:\windows\temp\cookies\index.dat

2009-12-31 03:49:02 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat

2009-12-31 03:49:02 16384 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 11:32:23.02 ===============

RkU Version: 3.8.388.590, Type LE (SR2)

==============================================

OS Name: Windows 7

Version 6.1.7600

Number of processors #2

==============================================

>Drivers

==============================================

0x8A81D000 C:\windows\system32\DRIVERS\igdkmd32.sys 5279744 bytes (Intel Corporation, Intel Graphics Kernel Mode Driver)

0x81C12000 C:\windows\system32\ntkrnlpa.exe 4259840 bytes (Microsoft Corporation, NT Kernel & System)

0x81C12000 PnpManager 4259840 bytes

0x81C12000 RAW 4259840 bytes

0x81C12000 WMIxWDM 4259840 bytes

0x8B631000 C:\windows\system32\drivers\RTKVHDA.sys 2658304 bytes (Realtek Semiconductor Corp., Realtek® High Definition Audio Function Driver)

0x8D900000 Win32k 2400256 bytes

0x8D900000 C:\windows\System32\win32k.sys 2400256 bytes (Microsoft Corporation, Multi-User Win32 Driver)

0x86809000 C:\windows\System32\drivers\tcpip.sys 1347584 bytes (Microsoft Corporation, TCP/IP Driver)

0x86628000 C:\windows\System32\Drivers\Ntfs.sys 1241088 bytes (Microsoft Corporation, NT File System Driver)

0x8A40A000 C:\windows\system32\DRIVERS\athr.sys 1232896 bytes (Atheros Communications, Inc., Atheros Extensible Wireless LAN device driver)

0x8B90F000 C:\windows\System32\Drivers\dump_iaStor.sys 892928 bytes

0x86402000 C:\windows\system32\DRIVERS\iaStor.sys 892928 bytes (Intel Corporation, Intel Matrix Storage Manager driver - ia32)

0x8AD26000 C:\windows\System32\drivers\dxgkrnl.sys 749568 bytes (Microsoft Corporation, DirectX Graphics Kernel)

0x8652A000 C:\windows\system32\drivers\ndis.sys 749568 bytes (Microsoft Corporation, NDIS 6.20 driver)

0x822E2000 C:\windows\system32\CI.dll 700416 bytes (Microsoft Corporation, Code Integrity Module)

0xA54AB000 C:\windows\system32\drivers\peauth.sys 618496 bytes (Microsoft Corporation, Protected Environment Authentication and Authorization Export Driver)

0x88C33000 C:\windows\system32\drivers\HTTP.sys 544768 bytes (Microsoft Corporation, HTTP Protocol Stack)

0x8220F000 C:\windows\system32\mcupdate_GenuineIntel.dll 491520 bytes (Microsoft Corporation, Intel Microcode Update Library)

0x8238D000 C:\windows\system32\drivers\Wdf01000.sys 462848 bytes (Microsoft Corporation, Kernel Mode Driver Framework Runtime)

0xA329F000 C:\windows\system32\drivers\spsys.sys 434176 bytes (Microsoft Corporation, security processor)

0x86795000 C:\windows\System32\Drivers\cng.sys 380928 bytes (Microsoft Corporation, Kernel Cryptography, Next Generation)

0x89C1A000 C:\windows\system32\drivers\afd.sys 368640 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)

0xA3224000 C:\windows\System32\DRIVERS\srv.sys 331776 bytes (Microsoft Corporation, Server driver)

0xA557A000 C:\windows\System32\DRIVERS\srv2.sys 323584 bytes (Microsoft Corporation, Smb 2.0 Server driver)

0x8A55C000 C:\windows\system32\DRIVERS\USBPORT.SYS 307200 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)

0x862FD000 C:\windows\System32\drivers\volmgrx.sys 307200 bytes (Microsoft Corporation, Volume Manager Extension Driver)

0x8623B000 C:\windows\system32\DRIVERS\ACPI.sys 294912 bytes (Microsoft Corporation, ACPI Driver for NT)

0x8AF90000 C:\windows\system32\DRIVERS\nwifi.sys 286720 bytes (Microsoft Corporation, NativeWiFi Miniport Driver)

0x8AEBE000 C:\windows\system32\DRIVERS\usbhub.sys 278528 bytes (Microsoft Corporation, Default Hub Driver for USB)

0x822A0000 C:\windows\system32\CLFS.SYS 270336 bytes (Microsoft Corporation, Common Log File System Driver)

0x89D14000 C:\windows\system32\DRIVERS\rdbss.sys 266240 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)

0x86983000 C:\windows\system32\DRIVERS\volsnap.sys 258048 bytes (Microsoft Corporation, Volume Shadow Copy Driver)

0x8635E000 C:\windows\system32\drivers\NETIO.SYS 253952 bytes (Microsoft Corporation, Network I/O Subsystem)

0xA543D000 C:\windows\system32\DRIVERS\mrxsmb10.sys 241664 bytes (Microsoft Corporation, Longhorn SMB Downlevel SubRdr)

0x88DC5000 C:\windows\System32\drivers\dxgmms1.sys 233472 bytes (Microsoft Corporation, DirectX Graphics MMS)

0x82022000 ACPI_HAL 225280 bytes

0x82022000 C:\windows\system32\halmacpi.dll 225280 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)

0x864E5000 C:\windows\system32\drivers\fltmgr.sys 212992 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)

0x8AE7C000 C:\windows\system32\DRIVERS\ks.sys 212992 bytes (Microsoft Corporation, Kernel CSA Library)

0x88C00000 C:\windows\system32\DRIVERS\SynTP.sys 208896 bytes (Synaptics Incorporated, Synaptics Touchpad Driver)

0x863C1000 C:\windows\System32\DRIVERS\fvevol.sys 204800 bytes (Microsoft Corporation, BitLocker Drive Encryption Driver)

0x89C74000 C:\windows\System32\DRIVERS\netbt.sys 204800 bytes (Microsoft Corporation, MBT Transport driver)

0x86952000 C:\windows\System32\drivers\fwpkclnt.sys 200704 bytes (Microsoft Corporation, FWP/IPsec Kernel-Mode API)

0x8B8BA000 C:\windows\system32\drivers\portcls.sys 192512 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))

0x869CA000 C:\windows\System32\drivers\rdyboost.sys 184320 bytes (Microsoft Corporation, ReadyBoost Driver)

0x86757000 C:\windows\System32\Drivers\msrpc.sys 176128 bytes (Microsoft Corporation, Kernel Remote Procedure Call Provider)

0xA3275000 C:\windows\System32\Drivers\fastfat.SYS 172032 bytes (Microsoft Corporation, Fast FAT File System Driver)

0x86294000 C:\windows\system32\DRIVERS\pci.sys 172032 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)

0x86200000 C:\windows\system32\DRIVERS\CLASSPNP.SYS 151552 bytes (Microsoft Corporation, SCSI Class System Dll)

0x8639C000 C:\windows\System32\Drivers\ksecpkg.sys 151552 bytes (Microsoft Corporation, Kernel Security Support Provider Interface Packages)

0x8AF13000 C:\windows\System32\Drivers\usbvideo.sys 147456 bytes (Microsoft Corporation, USB Video Class Driver)

0x88CD1000 C:\windows\system32\DRIVERS\mrxsmb.sys 143360 bytes (Microsoft Corporation, Windows NT SMB Minirdr)

0x8AE12000 C:\windows\system32\DRIVERS\ndiswan.sys 139264 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))

0xA554C000 C:\windows\System32\DRIVERS\srvnet.sys 135168 bytes (Microsoft Corporation, Server Network driver)

0x89DB9000 C:\windows\system32\DRIVERS\tunnel.sys 135168 bytes (Microsoft Corporation, Microsoft Tunnel Interface Driver)

0x88D44000 C:\windows\System32\drivers\VIDEOPRT.SYS 135168 bytes (Microsoft Corporation, Video Port Driver)

0x8ADDD000 C:\windows\system32\DRIVERS\HDAudBus.sys 126976 bytes (Microsoft Corporation, High Definition Audio Bus Driver)

0x89CAD000 C:\windows\system32\DRIVERS\pacer.sys 126976 bytes (Microsoft Corporation, QoS Packet Scheduler)

0x8DB90000 C:\windows\System32\cdd.dll 122880 bytes (Microsoft Corporation, Canonical Display Driver)

0x89D9B000 C:\windows\system32\DRIVERS\avipbb.sys 114688 bytes (Avira GmbH, Avira Driver for RootKit Detection)

0x8AF37000 C:\windows\system32\drivers\luafv.sys 110592 bytes (Microsoft Corporation, LUA File Virtualization Filter Driver)

0xA5478000 C:\windows\system32\DRIVERS\mrxsmb20.sys 110592 bytes (Microsoft Corporation, Longhorn SMB 2.0 Redirector)

0x8AF66000 C:\windows\system32\drivers\WudfPf.sys 106496 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Platform Driver)

0x88CB8000 C:\windows\system32\DRIVERS\bowser.sys 102400 bytes (Microsoft Corporation, NT Lan Manager Datagram Receiver Driver)

0x8B8E9000 C:\windows\system32\drivers\drmk.sys 102400 bytes (Microsoft Corporation, Microsoft Trusted Audio Drivers)

0x89D75000 C:\windows\System32\Drivers\dfsc.sys 98304 bytes (Microsoft Corporation, DFS Namespace Client Driver)

0x8A5B6000 C:\windows\system32\DRIVERS\i8042prt.sys 98304 bytes (Microsoft Corporation, i8042 Port Driver)

0x89C00000 C:\windows\system32\DRIVERS\rasl2tp.sys 98304 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)

0x8AE34000 C:\windows\system32\DRIVERS\raspppoe.sys 98304 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)

0x8AE4C000 C:\windows\system32\DRIVERS\raspptp.sys 94208 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)

0x8AE63000 C:\windows\system32\DRIVERS\rassstp.sys 94208 bytes (Microsoft Corporation, RAS SSTP Miniport Call Manager)

0x88DA3000 C:\windows\system32\DRIVERS\tdx.sys 94208 bytes (Microsoft Corporation, TDI Translation Driver)

0x8B600000 C:\windows\system32\DRIVERS\usbccgp.sys 94208 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)

0x86348000 C:\windows\System32\drivers\mountmgr.sys 90112 bytes (Microsoft Corporation, Mount Point Manager)

0x8AF52000 C:\windows\system32\DRIVERS\avgntflt.sys 81920 bytes (Avira GmbH, Avira Minifilter Driver)

0x86782000 C:\windows\System32\Drivers\ksecdd.sys 77824 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)

0x8AFE6000 C:\windows\system32\DRIVERS\rspndr.sys 77824 bytes (Microsoft Corporation, Link-Layer Topology Responder Driver for NDIS 6)

0x89CEB000 C:\windows\system32\DRIVERS\wanarp.sys 77824 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)

0x89DEC000 C:\windows\system32\DRIVERS\AgileVpn.sys 73728 bytes (Microsoft Corporation, RAS Agile Vpn Miniport Call Manager)

0x89DDA000 C:\windows\system32\DRIVERS\intelppm.sys 73728 bytes (Microsoft Corporation, Processor Device Driver)

0x8AE00000 C:\windows\System32\drivers\mpsdrv.sys 73728 bytes (Microsoft Corporation, Microsoft Protection Service Driver)

0x865E1000 C:\windows\system32\DRIVERS\disk.sys 69632 bytes (Microsoft Corporation, PnP Disk Driver)

0x8B9E9000 C:\windows\System32\Drivers\dump_dumpfve.sys 69632 bytes

0x86519000 C:\windows\system32\drivers\fileinfo.sys 69632 bytes (Microsoft Corporation, FileInfo Filter Driver)

0x8AF02000 C:\windows\System32\Drivers\NDProxy.SYS 69632 bytes (Microsoft Corporation, NDIS Proxy)

0x862C9000 C:\windows\System32\drivers\partmgr.sys 69632 bytes (Microsoft Corporation, Partition Management Driver)

0x82287000 C:\windows\system32\PSHED.dll 69632 bytes (Microsoft Corporation, Platform Specific Hardware Error Driver)

0x89CCC000 C:\windows\system32\DRIVERS\vwififlt.sys 69632 bytes (Microsoft Corporation, Virtual WiFi Filter Driver)

0x8A541000 C:\windows\system32\DRIVERS\L1C62x86.sys 65536 bytes (Atheros Communications, Inc., Atheros L1c PCI-E Gigabit Ethernet Controller)

0x8AF80000 C:\windows\system32\DRIVERS\lltdio.sys 65536 bytes (Microsoft Corporation, Link-Layer Topology Mapper I/O Driver)

0x86609000 C:\windows\System32\Drivers\mup.sys 65536 bytes (Microsoft Corporation, Multiple UNC Provider Driver)

0x8AFD6000 C:\windows\system32\DRIVERS\ndisuio.sys 65536 bytes (Microsoft Corporation, NDIS User mode I/O driver)

0x89CFE000 C:\windows\system32\DRIVERS\termdd.sys 65536 bytes (Microsoft Corporation, Remote Desktop Server Driver)

0x862ED000 C:\windows\system32\DRIVERS\volmgr.sys 65536 bytes (Microsoft Corporation, Volume Manager Driver)

0x8A5A7000 C:\windows\system32\DRIVERS\usbehci.sys 61440 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)

0x89D8D000 C:\windows\system32\DRIVERS\blbdrive.sys 57344 bytes (Microsoft Corporation, BLB Drive Driver)

0x89CDD000 C:\windows\system32\DRIVERS\netbios.sys 57344 bytes (Microsoft Corporation, NetBIOS interface driver)

0x88D95000 C:\windows\System32\Drivers\Npfs.SYS 57344 bytes (Microsoft Corporation, NPFS Driver)

0x867F2000 C:\windows\System32\drivers\pcw.sys 57344 bytes (Microsoft Corporation, Performance Counters for Windows Driver)

0x8AEB0000 C:\windows\system32\DRIVERS\umbus.sys 57344 bytes (Microsoft Corporation, User-Mode Bus Enumerator)

0x82200000 C:\windows\system32\drivers\WDFLDR.SYS 57344 bytes (Microsoft Corporation, Kernel Mode Driver Framework Loader)

0x8A800000 C:\windows\system32\DRIVERS\CompositeBus.sys 53248 bytes (Microsoft Corporation, Multi-Transport Composite Bus Enumerator)

0x8B902000 C:\windows\System32\Drivers\crashdmp.sys 53248 bytes (Microsoft Corporation, Crash Dump Driver)

0x8A5D6000 C:\windows\system32\DRIVERS\kbdclass.sys 53248 bytes (Microsoft Corporation, Keyboard Class Driver)

0x8A5E5000 C:\windows\system32\DRIVERS\mouclass.sys 53248 bytes (Microsoft Corporation, Mouse Class Driver)

0xA556D000 C:\windows\System32\drivers\tcpipreg.sys 53248 bytes (Microsoft Corporation, TCP/IP Registry Compatibility Driver)

0x88D65000 C:\windows\System32\drivers\watchdog.sys 53248 bytes (Microsoft Corporation, Watchdog Driver)

0x89D69000 C:\windows\System32\drivers\discache.sys 49152 bytes (Microsoft Corporation, System Indexer/Cache Driver)

0x88D38000 C:\windows\System32\drivers\vga.sys 49152 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)

0x862E2000 C:\windows\system32\DRIVERS\BATTC.SYS 45056 bytes (Microsoft Corporation, Battery Class Driver)

0x8B621000 C:\windows\system32\DRIVERS\monitor.sys 45056 bytes (Microsoft Corporation, Monitor Driver)

0x88D8A000 C:\windows\System32\Drivers\Msfs.SYS 45056 bytes (Microsoft Corporation, Mailslot driver)

0x8A80D000 C:\windows\system32\DRIVERS\ndistapi.sys 45056 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)

0x88DBA000 C:\windows\system32\DRIVERS\TDI.SYS 45056 bytes (Microsoft Corporation, TDI Wrapper)

0x8A551000 C:\windows\system32\DRIVERS\usbuhci.sys 45056 bytes (Microsoft Corporation, UHCI USB Miniport Driver)

0x862BE000 C:\windows\system32\DRIVERS\vdrvroot.sys 45056 bytes (Microsoft Corporation, Virtual Drive Root Enumerator)

0x8B617000 C:\windows\System32\drivers\Dxapi.sys 40960 bytes (Microsoft Corporation, DirectX API Driver)

0x89D5F000 C:\windows\system32\DRIVERS\mssmbios.sys 40960 bytes (Microsoft Corporation, System Management BIOS Driver)

0x89D55000 C:\windows\system32\drivers\nsiproxy.sys 40960 bytes (Microsoft Corporation, NSI Proxy)

0xA5542000 C:\windows\System32\Drivers\secdrv.SYS 40960 bytes (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K., Macrovision SECURITY Driver)

0x8A537000 C:\windows\system32\DRIVERS\vwifibus.sys 40960 bytes (Microsoft Corporation, Virtual WiFi Bus Driver)

0x864DC000 C:\windows\system32\DRIVERS\amdxata.sys 36864 bytes (Advanced Micro Devices, Storage Filter Driver)

0x86600000 C:\windows\System32\Drivers\Fs_Rec.sys 36864 bytes (Microsoft Corporation, File System Recognizer Driver)

0xA3309000 C:\windows\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)

0x8DB60000 C:\windows\System32\TSDDD.dll 36864 bytes (Microsoft Corporation, Framebuffer Display Driver)

0x8A5F6000 C:\windows\system32\DRIVERS\wmiacpi.sys 36864 bytes (Microsoft Corporation, Windows Management Interface for ACPI)

0x86283000 C:\windows\system32\DRIVERS\WMILIB.SYS 36864 bytes (Microsoft Corporation, WMILIB WMI support library Dll)

0x82298000 C:\windows\system32\BOOTVID.dll 32768 bytes (Microsoft Corporation, VGA Boot Driver)

0x862DA000 C:\windows\system32\DRIVERS\compbatt.sys 32768 bytes (Microsoft Corporation, Composite Battery Driver)

0x869F7000 C:\windows\System32\drivers\hwpolicy.sys 32768 bytes (Microsoft Corporation, Hardware Policy Driver)

0x8A5CE000 C:\windows\system32\DRIVERS\kbfiltr.sys 32768 bytes ( , Keyboard Filter Driver)

0x81BBE000 C:\windows\system32\kdcom.dll 32768 bytes (Microsoft Corporation, Serial Kernel Debugger)

0x8628C000 C:\windows\system32\DRIVERS\msisadrv.sys 32768 bytes (Microsoft Corporation, ISA Driver)

0x88D72000 C:\windows\System32\DRIVERS\RDPCDD.sys 32768 bytes (Microsoft Corporation, RDP Miniport)

0x88D7A000 C:\windows\system32\drivers\rdpencdd.sys 32768 bytes (Microsoft Corporation, RDP Encoder Miniport)

0x88D82000 C:\windows\system32\drivers\rdprefmp.sys 32768 bytes (Microsoft Corporation, RDP Reflector Driver Miniport)

0x869C2000 C:\windows\System32\Drivers\spldr.sys 32768 bytes (Microsoft Corporation, loader for security processor)

0x88D31000 C:\windows\System32\Drivers\Beep.SYS 28672 bytes (Microsoft Corporation, BEEP Driver)

0x88D2A000 C:\windows\System32\Drivers\Null.SYS 28672 bytes (Microsoft Corporation, NULL Driver)

0x89CA6000 C:\windows\system32\DRIVERS\wfplwf.sys 28672 bytes (Microsoft Corporation, WFP NDIS 6.20 Lightweight Filter Driver)

0x89D0E000 C:\windows\system32\DRIVERS\ssmdrv.sys 24576 bytes (Avira GmbH, AVIRA SnapShot Driver)

0x8A5F2000 C:\windows\system32\DRIVERS\CmBatt.sys 16384 bytes (Microsoft Corporation, Control Method Battery Driver)

0x89DB7000 C:\Program Files\Avira\AntiVir Desktop\avgio.sys 8192 bytes (Avira GmbH, Avira AntiVir Support for Minifilter)

0x8AE7A000 C:\windows\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)

0x8A5E3000 C:\windows\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)

!!!!!!!!!!!Hidden driver: 0x84EB5AEA ?_empty_? 1302 bytes

0x84EB5EC5 unknown_irp_handler 315 bytes

!!!!!!!!!!!Hidden driver: 0x84DAD880 ?_empty_? 0 bytes

==============================================

>Stealth

==============================================

0x86402000 WARNING: suspicious driver modification [iaStor.sys::0x84EB5AEA]

0x89C74000 WARNING: Virus alike driver modification [netbt.sys], 204800 bytes

0x04320000 Hidden Image-->LogicNP.EZShellExtensions.dll [ EPROCESS 0x83667728 ] PID: 3148, 217088 bytes

0x04C90000 Hidden Image-->System.Data.SQLite.DLL [ EPROCESS 0x83667728 ] PID: 3148, 860160 bytes

0x05A60000 Hidden Image-->System.Data.SQLite.DLL [ EPROCESS 0x836EAB38 ] PID: 3568, 860160 bytes

==============================================

>Files

==============================================

!-->[Hidden] C:\Program Files\Wireless-G Internet Home Monitoring Camera\Storage\LKB3D70C\Data\1283786482.sef

!-->[Hidden] C:\Program Files\Wireless-G Internet Home Monitoring Camera\Storage\LKB3D70C\Data\1283786492.sef

!-->[Hidden] C:\ProgramData\Microsoft\RAC\StateData\RacMetaData.dat::$DATA

!-->[Hidden] C:\ProgramData\Microsoft\RAC\StateData\RacWmiEventData.dat::$DATA

!-->[Hidden] C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_E78B54E6.exe_39457a556b929338d33c784e273eae7ac97c6785_cab_060993f5\Report.wer

!-->[Hidden] C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_E78B54E6.exe_39457a556b929338d33c784e273eae7ac97c6785_cab_060993f5\WER8EA8.tmp.appcompat.txt

!-->[Hidden] C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_E78B54E6.exe_39457a556b929338d33c784e273eae7ac97c6785_cab_060993f5\WER9000.tmp.WERInternalMetadata.xml

!-->[Hidden] C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_E78B54E6.exe_39457a556b929338d33c784e273eae7ac97c6785_cab_060993f5\WER9020.tmp.hdmp

!-->[Hidden] C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_E78B54E6.exe_39457a556b929338d33c784e273eae7ac97c6785_cab_060993f5\WER934C.tmp.mdmp

!-->[Hidden] C:\Users\In Vivo Netbook\AppData\Local\Temp\~DF0041AF8A0C9BB6F7.TMP::$DATA

!-->[Hidden] C:\Users\In Vivo Netbook\AppData\Local\Temp\~DF08D3FF58C1AE0BE3.TMP::$DATA

!-->[Hidden] C:\Users\In Vivo Netbook\AppData\Local\Temp\~DF0C4D010C83A39AAB.TMP::$DATA

!-->[Hidden] C:\Users\In Vivo Netbook\AppData\Local\Temp\~DF18A5CC3AAA09800D.TMP::$DATA

!-->[Hidden] C:\Users\In Vivo Netbook\AppData\Local\Temp\~DF21A539405626AE2A.TMP::$DATA

!-->[Hidden] C:\Users\In Vivo Netbook\AppData\Local\Temp\~DF2CEA3BB614D26BD0.TMP::$DATA

!-->[Hidden] C:\Users\In Vivo Netbook\AppData\Local\Temp\~DF2EE1AF22313D4BA9.TMP::$DATA

!-->[Hidden] C:\Users\In Vivo Netbook\AppData\Local\Temp\~DF358A39A547FEB179.TMP::$DATA

!-->[Hidden] C:\Users\In Vivo Netbook\AppData\Local\Temp\~DF44983AE00951FA47.TMP::$DATA

!-->[Hidden] C:\Users\In Vivo Netbook\AppData\Local\Temp\~DF4AD08B62201F7CB1.TMP::$DATA

!-->[Hidden] C:\Users\In Vivo Netbook\AppData\Local\Temp\~DF4E7EEAF047C3D55A.TMP::$DATA

!-->[Hidden] C:\Users\In Vivo Netbook\AppData\Local\Temp\~DF50C5F03F2216C51B.TMP::$DATA

!-->[Hidden] C:\Users\In Vivo Netbook\AppData\Local\Temp\~DF55E3E2BE44FEAB36.TMP::$DATA

!-->[Hidden] C:\Users\In Vivo Netbook\AppData\Local\Temp\~DF57D9926829489B8C.TMP::$DATA

!-->[Hidden] C:\Users\In Vivo Netbook\AppData\Local\Temp\~DF597D8855D8867C9C.TMP::$DATA

!-->[Hidden] C:\Users\In Vivo Netbook\AppData\Local\Temp\~DF67422A507158B2E0.TMP::$DATA

!-->[Hidden] C:\Users\In Vivo Netbook\AppData\Local\Temp\~DF68D197F664D18C7B.TMP::$DATA

!-->[Hidden] C:\Users\In Vivo Netbook\AppData\Local\Temp\~DF6C05ECCA868C9C7D.TMP::$DATA

!-->[Hidden] C:\Users\In Vivo Netbook\AppData\Local\Temp\~DF6D96FA9D3DE70844.TMP::$DATA

!-->[Hidden] C:\Users\In Vivo Netbook\AppData\Local\Temp\~DF71ECDE86AAE006BB.TMP::$DATA

!-->[Hidden] C:\Users\In Vivo Netbook\AppData\Local\Temp\~DF73910B7A3B445576.TMP::$DATA

!-->[Hidden] C:\Users\In Vivo Netbook\AppData\Local\Temp\~DF77A3872EE2527A4A.TMP::$DATA

!-->[Hidden] C:\Users\In Vivo Netbook\AppData\Local\Temp\~DF82390B1F5BF53F01.TMP::$DATA

!-->[Hidden] C:\Users\In Vivo Netbook\AppData\Local\Temp\~DF9D3E34A9429335B1.TMP::$DATA

!-->[Hidden] C:\Users\In Vivo Netbook\AppData\Local\Temp\~DFA7EE280FE2E74370.TMP::$DATA

!-->[Hidden] C:\Users\In Vivo Netbook\AppData\Local\Temp\~DFAE0CD83B50F98CEC.TMP::$DATA

!-->[Hidden] C:\Users\In Vivo Netbook\AppData\Local\Temp\~DFAECE74429087E7D9.TMP::$DATA

!-->[Hidden] C:\Users\In Vivo Netbook\AppData\Local\Temp\~DFC7C2082A9A5E0744.TMP::$DATA

!-->[Hidden] C:\Users\In Vivo Netbook\AppData\Local\Temp\~DFCAF6AB78BCCA0340.TMP::$DATA

!-->[Hidden] C:\Users\In Vivo Netbook\AppData\Local\Temp\~DFD9282E1772D85B1C.TMP::$DATA

!-->[Hidden] C:\Users\In Vivo Netbook\AppData\Local\Temp\~DFDC7886D52B98E55E.TMP::$DATA

!-->[Hidden] C:\Users\In Vivo Netbook\AppData\Local\Temp\~DFF367B5FA5A00B301.TMP::$DATA

!-->[Hidden] C:\Users\In Vivo Netbook\AppData\Local\Temp\~DFF3DAAD6B0BA3BD55.TMP::$DATA

!-->[Hidden] C:\Users\In Vivo Netbook\AppData\Local\Temp\~DFF83297A0F4690022.TMP::$DATA

!-->[Hidden] C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5O8UPT1R\2F%252Fmoviereviews.mevio[1].com%252F%253Futm_campaign%253Ddf250c_214849_113320_156500%2526utm_source%253Ddf250c%2526utm_medium%253Ddf250cf

!-->[Hidden] C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H1E8V4WV\2F%252Ftechgrouch.mevio[1].com%252F%253Futm_campaign%253D768d65_249799_113320_150752%2526utm_source%253D768d65c%2526utm_medium%253D768d651]

!-->[Hidden] C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H1E8V4WV\pos-btf%7Cresearch-survey%7Cenvid-origin%7Curi-_video_sympathy-for-devil_3456367%7Ctag-adj%7Cmtype-standard%7Csz-1x2%7Ctile-9%7Cdemo-D;[1]]

!-->[Hidden] C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZG3NQGAB\pos-atf%7C!category-expand%7C!category-pop%7Cenvid-origin%7Curi-_%7Ctag-adj%7Cmtype-standard%7Csz-728x90%7Ctile-1%7Cdemo-D%7Cdcopt-ist;[1]]

==============================================

>Hooks

==============================================

[1524]firefox.exe-->mswsock.dll+0x00002BBC, Type: Inline - RelativeJump 0x74AE2BBC-->00000000 [unknown_code_page]

[1524]firefox.exe-->mswsock.dll+0x000044B1, Type: Inline - RelativeJump 0x74AE44B1-->00000000 [unknown_code_page]

[1524]firefox.exe-->mswsock.dll+0x000046B7, Type: Inline - RelativeJump 0x74AE46B7-->00000000 [unknown_code_page]

[1524]firefox.exe-->ntdll.dll-->KiUserExceptionDispatcher, Type: Inline - RelativeJump 0x76F96448-->00000000 [unknown_code_page]

[1524]firefox.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x76FAF585-->00000000 [firefox.exe]

[1524]firefox.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x76F95360-->00000000 [unknown_code_page]

[1524]firefox.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - RelativeJump 0x76F95EE0-->00000000 [unknown_code_page]

[2532]msnmsgr.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77C617B8-->00000000 [apphelp.dll]

[2532]msnmsgr.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77B611B8-->00000000 [apphelp.dll]

[2532]msnmsgr.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77D114E0-->00000000 [apphelp.dll]

[2532]msnmsgr.exe-->wininet.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7120144C-->00000000 [apphelp.dll]

[3148]explorer.exe-->mswsock.dll+0x00002BBC, Type: Inline - RelativeJump 0x74AE2BBC-->00000000 [unknown_code_page]

[3148]explorer.exe-->mswsock.dll+0x000044B1, Type: Inline - RelativeJump 0x74AE44B1-->00000000 [unknown_code_page]

[3148]explorer.exe-->mswsock.dll+0x000046B7, Type: Inline - RelativeJump 0x74AE46B7-->00000000 [unknown_code_page]

[3148]explorer.exe-->ntdll.dll-->KiUserExceptionDispatcher, Type: Inline - RelativeJump 0x76F96448-->00000000 [unknown_code_page]

[3148]explorer.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x76F95360-->00000000 [unknown_code_page]

[3148]explorer.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - RelativeJump 0x76F95EE0-->00000000 [unknown_code_page]

[3636]Recorder.exe-->advapi32.dll-->kernel32.dll-->CopyFileW, Type: IAT modification 0x77C6178C-->00000000 [AcGenral.dll]

[3636]Recorder.exe-->advapi32.dll-->kernel32.dll-->CreateFileW, Type: IAT modification 0x77C617F0-->00000000 [AcGenral.dll]

[3636]Recorder.exe-->advapi32.dll-->kernel32.dll-->DeleteFileW, Type: IAT modification 0x77C61848-->00000000 [AcGenral.dll]

[3636]Recorder.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77C617B8-->00000000 [apphelp.dll]

[3636]Recorder.exe-->advapi32.dll-->kernel32.dll-->MoveFileW, Type: IAT modification 0x77C61844-->00000000 [AcGenral.dll]

[3636]Recorder.exe-->advapi32.dll-->RegCreateKeyExA, Type: IAT modification 0x00434000-->00000000 [AcGenral.dll]

[3636]Recorder.exe-->advapi32.dll-->RegOpenKeyExA, Type: IAT modification 0x00434004-->00000000 [AcGenral.dll]

[3636]Recorder.exe-->advapi32.dll-->RegSetValueExA, Type: IAT modification 0x00434008-->00000000 [AcGenral.dll]

[3636]Recorder.exe-->gdi32.dll-->kernel32.dll-->CopyFileW, Type: IAT modification 0x77B61154-->00000000 [AcGenral.dll]

[3636]Recorder.exe-->gdi32.dll-->kernel32.dll-->CreateFileW, Type: IAT modification 0x77B611E0-->00000000 [AcGenral.dll]

[3636]Recorder.exe-->gdi32.dll-->kernel32.dll-->DeleteFileW, Type: IAT modification 0x77B6118C-->00000000 [AcGenral.dll]

[3636]Recorder.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77B611B8-->00000000 [apphelp.dll]

[3636]Recorder.exe-->kernel32.dll-->CreateFileA, Type: IAT modification 0x004341D4-->00000000 [AcGenral.dll]

[3636]Recorder.exe-->kernel32.dll-->GetFileAttributesA, Type: IAT modification 0x004340FC-->00000000 [AcGenral.dll]

[3636]Recorder.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x004341E8-->00000000 [apphelp.dll]

[3636]Recorder.exe-->shell32.dll-->kernel32.dll-->CopyFileW, Type: IAT modification 0x738022C4-->00000000 [AcGenral.dll]

[3636]Recorder.exe-->shell32.dll-->kernel32.dll-->MoveFileExW, Type: IAT modification 0x73802240-->00000000 [AcGenral.dll]

[3636]Recorder.exe-->shell32.dll-->kernel32.dll-->MoveFileW, Type: IAT modification 0x73802298-->00000000 [AcGenral.dll]

[3636]Recorder.exe-->user32.dll-->kernel32.dll-->CreateFileW, Type: IAT modification 0x77D11524-->00000000 [AcGenral.dll]

[3636]Recorder.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77D114E0-->00000000 [apphelp.dll]

[3636]Recorder.exe-->user32.dll-->kernel32.dll-->RegCreateKeyExW, Type: IAT modification 0x77D114B4-->00000000 [AcGenral.dll]

[3636]Recorder.exe-->user32.dll-->kernel32.dll-->RegOpenKeyExW, Type: IAT modification 0x77D11444-->00000000 [AcGenral.dll]

[3636]Recorder.exe-->user32.dll-->kernel32.dll-->RegSetValueExW, Type: IAT modification 0x77D114AC-->00000000 [AcGenral.dll]

[3636]Recorder.exe-->wininet.dll-->advapi32.dll-->RegCreateKeyExA, Type: IAT modification 0x71201284-->00000000 [AcGenral.dll]

[3636]Recorder.exe-->wininet.dll-->advapi32.dll-->RegCreateKeyExW, Type: IAT modification 0x712011D0-->00000000 [AcGenral.dll]

[3636]Recorder.exe-->wininet.dll-->advapi32.dll-->RegDeleteValueA, Type: IAT modification 0x71201244-->00000000 [AcGenral.dll]

[3636]Recorder.exe-->wininet.dll-->advapi32.dll-->RegDeleteValueW, Type: IAT modification 0x712011D8-->00000000 [AcGenral.dll]

[3636]Recorder.exe-->wininet.dll-->advapi32.dll-->RegOpenKeyExA, Type: IAT modification 0x7120128C-->00000000 [AcGenral.dll]

[3636]Recorder.exe-->wininet.dll-->advapi32.dll-->RegOpenKeyExW, Type: IAT modification 0x71201268-->00000000 [AcGenral.dll]

[3636]Recorder.exe-->wininet.dll-->advapi32.dll-->RegSetValueExA, Type: IAT modification 0x71201288-->00000000 [AcGenral.dll]

[3636]Recorder.exe-->wininet.dll-->advapi32.dll-->RegSetValueExW, Type: IAT modification 0x712011DC-->00000000 [AcGenral.dll]

[3636]Recorder.exe-->wininet.dll-->kernel32.dll-->CopyFileA, Type: IAT modification 0x712012DC-->00000000 [AcGenral.dll]

[3636]Recorder.exe-->wininet.dll-->kernel32.dll-->CreateFileA, Type: IAT modification 0x712014CC-->00000000 [AcGenral.dll]

[3636]Recorder.exe-->wininet.dll-->kernel32.dll-->CreateFileW, Type: IAT modification 0x712014D0-->00000000 [AcGenral.dll]

[3636]Recorder.exe-->wininet.dll-->kernel32.dll-->DeleteFileA, Type: IAT modification 0x712014F4-->00000000 [AcGenral.dll]

[3636]Recorder.exe-->wininet.dll-->kernel32.dll-->DeleteFileW, Type: IAT modification 0x71201448-->00000000 [AcGenral.dll]

[3636]Recorder.exe-->wininet.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7120144C-->00000000 [apphelp.dll]

[3636]Recorder.exe-->wininet.dll-->kernel32.dll-->MoveFileA, Type: IAT modification 0x71201318-->00000000 [AcGenral.dll]

[3636]Recorder.exe-->wininet.dll-->kernel32.dll-->MoveFileExA, Type: IAT modification 0x71201444-->00000000 [AcGenral.dll]

[3636]Recorder.exe-->wininet.dll-->kernel32.dll-->MoveFileExW, Type: IAT modification 0x71201310-->00000000 [AcGenral.dll]

[3636]Recorder.exe-->wininet.dll-->kernel32.dll-->MoveFileW, Type: IAT modification 0x71201314-->00000000 [AcGenral.dll]

[3636]Recorder.exe-->wininet.dll-->kernel32.dll-->SetFileAttributesA, Type: IAT modification 0x7120132C-->00000000 [AcGenral.dll]

[3636]Recorder.exe-->wininet.dll-->kernel32.dll-->SetFileAttributesW, Type: IAT modification 0x71201400-->00000000 [AcGenral.dll]

[3728]Monitor.exe-->advapi32.dll-->kernel32.dll-->CopyFileW, Type: IAT modification 0x77C6178C-->00000000 [AcLayers.dll]

[3728]Monitor.exe-->advapi32.dll-->kernel32.dll-->CreateFileW, Type: IAT modification 0x77C617F0-->00000000 [AcLayers.dll]

[3728]Monitor.exe-->advapi32.dll-->kernel32.dll-->DeleteFileW, Type: IAT modification 0x77C61848-->00000000 [AcGenral.dll]

[3728]Monitor.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77C617B8-->00000000 [apphelp.dll]

[3728]Monitor.exe-->advapi32.dll-->kernel32.dll-->MoveFileW, Type: IAT modification 0x77C61844-->00000000 [AcGenral.dll]

[3728]Monitor.exe-->advapi32.dll-->ntdll.dll-->RtlAllocateHeap, Type: IAT modification 0x77C61100-->00000000 [AcXtrnal.dll]

[3728]Monitor.exe-->advapi32.dll-->ntdll.dll-->RtlFreeHeap, Type: IAT modification 0x77C610FC-->00000000 [AcXtrnal.dll]

[3728]Monitor.exe-->advapi32.dll-->ntdll.dll-->RtlReAllocateHeap, Type: IAT modification 0x77C613A4-->00000000 [AcXtrnal.dll]

[3728]Monitor.exe-->advapi32.dll-->RegCloseKey, Type: IAT modification 0x0043E004-->00000000 [AcLayers.dll]

[3728]Monitor.exe-->advapi32.dll-->RegCreateKeyExA, Type: IAT modification 0x0043E00C-->00000000 [AcLayers.dll]

[3728]Monitor.exe-->advapi32.dll-->RegOpenKeyExA, Type: IAT modification 0x0043E010-->00000000 [AcLayers.dll]

[3728]Monitor.exe-->advapi32.dll-->RegQueryValueExA, Type: IAT modification 0x0043E000-->00000000 [AcLayers.dll]

[3728]Monitor.exe-->advapi32.dll-->RegSetValueExA, Type: IAT modification 0x0043E008-->00000000 [AcLayers.dll]

[3728]Monitor.exe-->gdi32.dll-->kernel32.dll-->CopyFileW, Type: IAT modification 0x77B61154-->00000000 [AcLayers.dll]

[3728]Monitor.exe-->gdi32.dll-->kernel32.dll-->CreateFileW, Type: IAT modification 0x77B611E0-->00000000 [AcLayers.dll]

[3728]Monitor.exe-->gdi32.dll-->kernel32.dll-->DeleteFileW, Type: IAT modification 0x77B6118C-->00000000 [AcGenral.dll]

[3728]Monitor.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77B611B8-->00000000 [apphelp.dll]

[3728]Monitor.exe-->gdi32.dll-->ntdll.dll-->RtlAllocateHeap, Type: IAT modification 0x77B610B0-->00000000 [AcXtrnal.dll]

[3728]Monitor.exe-->gdi32.dll-->ntdll.dll-->RtlFreeHeap, Type: IAT modification 0x77B610B4-->00000000 [AcXtrnal.dll]

[3728]Monitor.exe-->kernel32.dll-->CloseHandle, Type: IAT modification 0x0043E2B4-->00000000 [AcLayers.dll]

[3728]Monitor.exe-->kernel32.dll-->CompareStringA, Type: IAT modification 0x0043E198-->00000000 [AcGenral.dll]

[3728]Monitor.exe-->kernel32.dll-->CompareStringW, Type: IAT modification 0x0043E19C-->00000000 [AcGenral.dll]

[3728]Monitor.exe-->kernel32.dll-->CopyFileA, Type: IAT modification 0x0043E24C-->00000000 [AcLayers.dll]

[3728]Monitor.exe-->kernel32.dll-->CreateFileA, Type: IAT modification 0x0043E264-->00000000 [AcLayers.dll]

[3728]Monitor.exe-->kernel32.dll-->CreateProcessA, Type: IAT modification 0x0043E250-->00000000 [AcLayers.dll]

[3728]Monitor.exe-->kernel32.dll-->GetFileAttributesA, Type: IAT modification 0x0043E254-->00000000 [AcGenral.dll]

[3728]Monitor.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x0043E2A0-->00000000 [apphelp.dll]

[3728]Monitor.exe-->kernel32.dll-->GetVersion, Type: IAT modification 0x0043E220-->00000000 [AcLayers.dll]

[3728]Monitor.exe-->kernel32.dll-->GetVersionExA, Type: IAT modification 0x0043E168-->00000000 [AcLayers.dll]

[3728]Monitor.exe-->kernel32.dll-->LCMapStringA, Type: IAT modification 0x0043E13C-->00000000 [AcGenral.dll]

[3728]Monitor.exe-->kernel32.dll-->LCMapStringW, Type: IAT modification 0x0043E140-->00000000 [AcGenral.dll]

[3728]Monitor.exe-->kernel32.dll-->ntdll.dll-->RtlAllocateHeap, Type: IAT modification 0x77DE1600-->00000000 [AcXtrnal.dll]

[3728]Monitor.exe-->kernel32.dll-->ntdll.dll-->RtlCreateHeap, Type: IAT modification 0x77DE1674-->00000000 [AcXtrnal.dll]

[3728]Monitor.exe-->kernel32.dll-->ntdll.dll-->RtlDestroyHeap, Type: IAT modification 0x77DE1670-->00000000 [AcXtrnal.dll]

[3728]Monitor.exe-->kernel32.dll-->ntdll.dll-->RtlExitUserProcess, Type: IAT modification 0x77DE16FC-->00000000 [AcXtrnal.dll]

[3728]Monitor.exe-->kernel32.dll-->ntdll.dll-->RtlFreeHeap, Type: IAT modification 0x77DE161C-->00000000 [AcXtrnal.dll]

[3728]Monitor.exe-->kernel32.dll-->ntdll.dll-->RtlLockHeap, Type: IAT modification 0x77DE138C-->00000000 [AcXtrnal.dll]

[3728]Monitor.exe-->kernel32.dll-->ntdll.dll-->RtlReAllocateHeap, Type: IAT modification 0x77DE136C-->00000000 [AcXtrnal.dll]

[3728]Monitor.exe-->kernel32.dll-->ntdll.dll-->RtlSizeHeap, Type: IAT modification 0x77DE1384-->00000000 [AcXtrnal.dll]

[3728]Monitor.exe-->kernel32.dll-->ntdll.dll-->RtlUnlockHeap, Type: IAT modification 0x77DE1394-->00000000 [AcXtrnal.dll]

[3728]Monitor.exe-->mswsock.dll-->ntdll.dll-->RtlAllocateHeap, Type: IAT modification 0x6C8810B0-->00000000 [AcXtrnal.dll]

[3728]Monitor.exe-->mswsock.dll-->ntdll.dll-->RtlCreateHeap, Type: IAT modification 0x6C881124-->00000000 [AcXtrnal.dll]

[3728]Monitor.exe-->mswsock.dll-->ntdll.dll-->RtlDestroyHeap, Type: IAT modification 0x6C881120-->00000000 [AcXtrnal.dll]

[3728]Monitor.exe-->mswsock.dll-->ntdll.dll-->RtlFreeHeap, Type: IAT modification 0x6C881078-->00000000 [AcXtrnal.dll]

[3728]Monitor.exe-->shell32.dll-->kernel32.dll-->CopyFileW, Type: IAT modification 0x738022C4-->00000000 [AcLayers.dll]

[3728]Monitor.exe-->shell32.dll-->kernel32.dll-->MoveFileExW, Type: IAT modification 0x73802240-->00000000 [AcGenral.dll]

[3728]Monitor.exe-->shell32.dll-->kernel32.dll-->MoveFileW, Type: IAT modification 0x73802298-->00000000 [AcGenral.dll]

[3728]Monitor.exe-->shell32.dll-->ntdll.dll-->RtlFreeHeap, Type: IAT modification 0x73801A9C-->00000000 [AcXtrnal.dll]

[3728]Monitor.exe-->user32.dll-->kernel32.dll-->CreateFileW, Type: IAT modification 0x77D11524-->00000000 [AcLayers.dll]

[3728]Monitor.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77D114E0-->00000000 [apphelp.dll]

[3728]Monitor.exe-->user32.dll-->kernel32.dll-->RegCreateKeyExW, Type: IAT modification 0x77D114B4-->00000000 [AcLayers.dll]

[3728]Monitor.exe-->user32.dll-->kernel32.dll-->RegOpenKeyExW, Type: IAT modification 0x77D11444-->00000000 [AcLayers.dll]

[3728]Monitor.exe-->user32.dll-->kernel32.dll-->RegSetValueExW, Type: IAT modification 0x77D114AC-->00000000 [AcLayers.dll]

[3728]Monitor.exe-->user32.dll-->ntdll.dll-->RtlAllocateHeap, Type: IAT modification 0x77D11130-->00000000 [AcXtrnal.dll]

[3728]Monitor.exe-->user32.dll-->ntdll.dll-->RtlFreeHeap, Type: IAT modification 0x77D11134-->00000000 [AcXtrnal.dll]

[3728]Monitor.exe-->user32.dll-->ntdll.dll-->RtlReAllocateHeap, Type: IAT modification 0x77D11064-->00000000 [AcXtrnal.dll]

[3728]Monitor.exe-->user32.dll-->ntdll.dll-->RtlSizeHeap, Type: IAT modification 0x77D11054-->00000000 [AcXtrnal.dll]

[3728]Monitor.exe-->wininet.dll-->advapi32.dll-->RegCreateKeyExA, Type: IAT modification 0x71201284-->00000000 [AcLayers.dll]

[3728]Monitor.exe-->wininet.dll-->advapi32.dll-->RegCreateKeyExW, Type: IAT modification 0x712011D0-->00000000 [AcLayers.dll]

[3728]Monitor.exe-->wininet.dll-->advapi32.dll-->RegDeleteValueA, Type: IAT modification 0x71201244-->00000000 [AcGenral.dll]

[3728]Monitor.exe-->wininet.dll-->advapi32.dll-->RegDeleteValueW, Type: IAT modification 0x712011D8-->00000000 [AcGenral.dll]

[3728]Monitor.exe-->wininet.dll-->advapi32.dll-->RegOpenKeyExA, Type: IAT modification 0x7120128C-->00000000 [AcLayers.dll]

[3728]Monitor.exe-->wininet.dll-->advapi32.dll-->RegOpenKeyExW, Type: IAT modification 0x71201268-->00000000 [AcLayers.dll]

[3728]Monitor.exe-->wininet.dll-->advapi32.dll-->RegSetValueExA, Type: IAT modification 0x71201288-->00000000 [AcLayers.dll]

[3728]Monitor.exe-->wininet.dll-->advapi32.dll-->RegSetValueExW, Type: IAT modification 0x712011DC-->00000000 [AcLayers.dll]

[3728]Monitor.exe-->wininet.dll-->kernel32.dll-->CopyFileA, Type: IAT modification 0x712012DC-->00000000 [AcLayers.dll]

[3728]Monitor.exe-->wininet.dll-->kernel32.dll-->CreateFileA, Type: IAT modification 0x712014CC-->00000000 [AcLayers.dll]

[3728]Monitor.exe-->wininet.dll-->kernel32.dll-->CreateFileW, Type: IAT modification 0x712014D0-->00000000 [AcLayers.dll]

[3728]Monitor.exe-->wininet.dll-->kernel32.dll-->DeleteFileA, Type: IAT modification 0x712014F4-->00000000 [AcGenral.dll]

[3728]Monitor.exe-->wininet.dll-->kernel32.dll-->DeleteFileW, Type: IAT modification 0x71201448-->00000000 [AcGenral.dll]

[3728]Monitor.exe-->wininet.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7120144C-->00000000 [apphelp.dll]

[3728]Monitor.exe-->wininet.dll-->kernel32.dll-->MoveFileA, Type: IAT modification 0x71201318-->00000000 [AcGenral.dll]

[3728]Monitor.exe-->wininet.dll-->kernel32.dll-->MoveFileExA, Type: IAT modification 0x71201444-->00000000 [AcGenral.dll]

[3728]Monitor.exe-->wininet.dll-->kernel32.dll-->MoveFileExW, Type: IAT modification 0x71201310-->00000000 [AcGenral.dll]

[3728]Monitor.exe-->wininet.dll-->kernel32.dll-->MoveFileW, Type: IAT modification 0x71201314-->00000000 [AcGenral.dll]

[3728]Monitor.exe-->wininet.dll-->kernel32.dll-->SetFileAttributesA, Type: IAT modification 0x7120132C-->00000000 [AcGenral.dll]

[3728]Monitor.exe-->wininet.dll-->kernel32.dll-->SetFileAttributesW, Type: IAT modification 0x71201400-->00000000 [AcGenral.dll]

[3728]Monitor.exe-->ws2_32.dll-->ntdll.dll-->RtlAllocateHeap, Type: IAT modification 0x41AC10F0-->00000000 [AcXtrnal.dll]

[3728]Monitor.exe-->ws2_32.dll-->ntdll.dll-->RtlFreeHeap, Type: IAT modification 0x41AC10EC-->00000000 [AcXtrnal.dll]

[980]svchost.exe-->mswsock.dll+0x00002BBC, Type: Inline - RelativeJump 0x74AE2BBC-->00000000 [unknown_code_page]

[980]svchost.exe-->mswsock.dll+0x000044B1, Type: Inline - RelativeJump 0x74AE44B1-->00000000 [unknown_code_page]

[980]svchost.exe-->mswsock.dll+0x000046B7, Type: Inline - RelativeJump 0x74AE46B7-->00000000 [unknown_code_page]

[980]svchost.exe-->ntdll.dll-->KiUserExceptionDispatcher, Type: Inline - RelativeJump 0x76F96448-->00000000 [unknown_code_page]

[980]svchost.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x76F95360-->00000000 [unknown_code_page]

[980]svchost.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - RelativeJump 0x76F95EE0-->00000000 [unknown_code_page]

[980]svchost.exe-->user32.dll-->GetCursorPos, Type: Inline - RelativeJump 0x7662C198-->00000000 [unknown_code_page]


Lew:

Download Combofix from either of the links below, and save it to your desktop.

Link 1

Link 2

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link

--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.

  • If you have trouble, stop and post back. Do not try to repeatedly run ComboFix!
  • When finished, it will produce a report for you.

Please include the following in your next post:

  • ComboFix log


Here is the ComboFix log.

ComboFix had to reboot because it found rootkit activity.

Avira, which I had disabled, restarted on reboot and found some malware and viruses.

ComboFix 10-09-06.02 - In Vivo Netbook 09/06/2010 14:24:47.1.2 - x86

Microsoft Windows 7 Starter 6.1.7600.0.1252.1.1033.18.1015.456 [GMT -4:00]

Running from: c:\users\In Vivo Netbook\Desktop\ComboFix.exe

SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\users\In Vivo Netbook\AppData\Local\{0E91F7E1-0B89-431B-9E73-A5E542E278B2}

c:\users\In Vivo Netbook\AppData\Local\{0E91F7E1-0B89-431B-9E73-A5E542E278B2}\chrome.manifest

c:\users\In Vivo Netbook\AppData\Local\{0E91F7E1-0B89-431B-9E73-A5E542E278B2}\chrome\content\_cfg.js

c:\users\In Vivo Netbook\AppData\Local\{0E91F7E1-0B89-431B-9E73-A5E542E278B2}\chrome\content\overlay.xul

c:\users\In Vivo Netbook\AppData\Local\{0E91F7E1-0B89-431B-9E73-A5E542E278B2}\install.rdf

c:\users\In Vivo Netbook\AppData\Roaming\antispy.exe

c:\windows\system32\Thumbs.db

Infected copy of c:\windows\system32\drivers\netbt.sys was found and disinfected

Restored copy from - Kitty had a snack :blink:

.

((((((((((((((((((((((((( Files Created from 2010-08-06 to 2010-09-06 )))))))))))))))))))))))))))))))

.

2010-09-06 18:37 . 2010-09-06 18:38 -------- d-----w- c:\users\In Vivo Netbook\AppData\Local\temp

2010-09-06 18:37 . 2010-09-06 18:37 -------- d-----w- c:\users\Default\AppData\Local\temp

2010-09-02 19:51 . 2010-08-12 12:15 15880 ----a-w- c:\windows\system32\lsdelete.exe

2010-09-02 14:27 . 2010-09-02 14:27 -------- d-----w- c:\users\In Vivo Netbook\AppData\Local\Sunbelt Software

2010-09-02 14:24 . 2010-09-02 14:24 -------- dc-h--w- c:\programdata\{ECC164E0-3133-4C70-A831-F08DB2940F70}

2010-09-02 14:24 . 2010-08-12 12:16 2979848 -c--a-w- c:\programdata\{ECC164E0-3133-4C70-A831-F08DB2940F70}\Ad-AwareInstall.exe

2010-09-02 14:24 . 2010-09-02 14:24 -------- d-----w- c:\program files\Lavasoft

2010-09-02 14:24 . 2010-09-02 14:55 -------- d-----w- c:\programdata\Lavasoft

2010-09-02 13:43 . 2010-09-02 13:43 -------- d-----w- c:\users\In Vivo Netbook\AppData\Roaming\AVP 2009

2010-09-01 02:29 . 2010-09-01 02:29 -------- d-----w- c:\program files\Trend Micro

2010-09-01 02:04 . 2010-09-01 03:18 -------- d-----w- c:\programdata\Spybot - Search & Destroy

2010-09-01 02:04 . 2010-09-01 02:10 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-08-25 16:48 . 2010-08-25 16:48 2517 ----a-w- c:\users\In Vivo Netbook\AppData\Local\icufivuta.dll

2010-08-25 14:37 . 2010-08-25 14:37 -------- d-----w- c:\programdata\GoBoingo

2010-08-25 14:37 . 2010-08-25 14:37 -------- d-----w- c:\program files\Boingo

2010-08-25 14:32 . 2010-08-25 14:32 1738 ----a-w- c:\users\In Vivo Netbook\AppData\Local\iyomezocijez.dll

2010-08-22 23:02 . 2010-08-30 14:47 120 ----a-w- c:\users\In Vivo Netbook\AppData\Local\Onoqeza.dat

2010-08-22 23:02 . 2010-08-30 14:47 0 ----a-w- c:\users\In Vivo Netbook\AppData\Local\Czuta.bin

2010-08-20 07:08 . 2009-09-23 23:30 1002008 ----a-w- c:\windows\system32\igxpun.exe

2010-08-20 01:12 . 2010-06-14 06:12 1286016 ----a-w- c:\windows\system32\drivers\tcpip.sys

2010-08-20 01:10 . 2010-06-19 04:07 2326016 ----a-w- c:\windows\system32\win32k.sys

2010-08-20 01:10 . 2010-06-30 06:25 978432 ----a-w- c:\windows\system32\wininet.dll

2010-08-20 01:05 . 2010-07-29 06:30 197632 ----a-w- c:\windows\system32\ir32_32.dll

2010-08-20 01:05 . 2010-07-29 06:30 82944 ----a-w- c:\windows\system32\iccvid.dll

2010-08-20 01:05 . 2010-06-19 06:23 37376 ----a-w- c:\windows\system32\rtutils.dll

2010-08-20 01:04 . 2010-06-19 06:33 3955080 ----a-w- c:\windows\system32\ntkrnlpa.exe

2010-08-20 01:04 . 2010-06-19 06:33 3899784 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-08-20 00:53 . 2010-06-22 02:47 310784 ----a-w- c:\windows\system32\drivers\srv.sys

2010-08-20 00:53 . 2010-06-22 02:47 307200 ----a-w- c:\windows\system32\drivers\srv2.sys

2010-08-20 00:53 . 2010-06-22 02:47 113664 ----a-w- c:\windows\system32\drivers\srvnet.sys

2010-08-20 00:36 . 2010-06-08 06:02 1233920 ----a-w- c:\windows\system32\msxml3.dll

2010-08-20 00:32 . 2010-08-20 00:32 -------- d-----w- c:\users\In Vivo Netbook\AppData\Roaming\Malwarebytes

2010-08-20 00:31 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-08-20 00:31 . 2010-08-20 00:31 -------- d-----w- c:\programdata\Malwarebytes

2010-08-20 00:31 . 2010-08-20 00:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-08-20 00:31 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-08-20 00:27 . 2010-06-16 05:48 224256 ----a-w- c:\windows\system32\schannel.dll

2010-08-19 23:41 . 2010-08-19 23:41 -------- d-----w- c:\users\In Vivo Netbook\AppData\Roaming\6445ACDCAC425BB710AD28AE5D523B0B

2010-08-19 12:52 . 2010-08-19 12:52 -------- d-----w- c:\program files\HP

2010-08-15 15:06 . 2010-08-15 15:06 -------- d-----w- c:\windows\system32\x64

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-09-06 18:04 . 2010-02-20 20:41 -------- d-----w- c:\users\In Vivo Netbook\AppData\Roaming\uTorrent

2010-09-05 23:01 . 2010-02-25 18:35 -------- d-----w- c:\users\In Vivo Netbook\AppData\Roaming\vlc

2010-09-01 01:31 . 2010-02-20 20:42 -------- d-----w- c:\program files\uTorrent

2010-08-20 07:10 . 2009-08-19 05:08 -------- d-----w- c:\program files\Microsoft Works

2010-08-20 07:02 . 2009-08-19 05:06 -------- d-----w- c:\programdata\Microsoft Help

2010-08-20 00:17 . 2009-12-15 19:28 79920 ----a-w- c:\users\In Vivo Netbook\AppData\Local\GDIPFONTCACHEV1.DAT

2010-07-18 14:37 . 2009-12-17 20:20 -------- d-----w- c:\users\In Vivo Netbook\AppData\Roaming\Skype

2010-07-18 14:36 . 2010-06-19 18:42 -------- d-----w- c:\users\In Vivo Netbook\AppData\Roaming\skypePM

2010-07-14 21:52 . 2010-07-14 21:52 -------- d-----w- c:\program files\EPSViewer

2010-06-19 18:42 . 2010-06-19 18:42 56 ---ha-w- c:\windows\system32\ezsidmv.dat

2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat

2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayIconExtension1]

@="{fe25455d-b4c2-4e32-97d2-92632ec1c224}"

[HKEY_CLASSES_ROOT\CLSID\{fe25455d-b4c2-4e32-97d2-92632ec1c224}]

2009-11-25 16:47 297808 ----a-w- c:\windows\System32\mscoree.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayIconExtension2]

@="{1fae2d88-a78e-4f03-909f-be818a3c1ce6}"

[HKEY_CLASSES_ROOT\CLSID\{1fae2d88-a78e-4f03-909f-be818a3c1ce6}]

2009-11-25 16:47 297808 ----a-w- c:\windows\System32\mscoree.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Eee Docking"="c:\program files\Asus\Eee Docking\Eee Docking.exe" [2009-08-17 402608]

"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-08-31 328568]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-03-19 39408]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-07-20 1545512]

"SynAsusAcpi"="c:\program files\Synaptics\SynTP\SynAsusAcpi.exe" [2009-07-20 83240]

"EeeStorageBackup"="c:\program files\ASUS\Asus WebStorage\BackupService.exe" [2009-07-31 947472]

"HotkeyService"="AsusSender.exe" [2009-08-18 27648]

"SuperHybridEngine"="AsusSender.exe" [2009-08-18 27648]

"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-07-20 7625248]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]

"Monitor.exe"="c:\program files\Wireless-G Internet Home Monitoring Camera\Monitor.exe" [2007-10-08 1765376]

"Recorder.exe"="c:\program files\Wireless-G Internet Home Monitoring Camera\Recorder.exe" [2007-10-02 311296]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-15 141608]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-23 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-23 173592]

"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-23 150552]

"Boingo Wi-Fi"="c:\program files\Boingo\Boingo Wi-Fi\Boingo.lnk" [2010-08-25 2429]

c:\users\In Vivo Netbook\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-7-1 795936]

HotKeyMon.lnk - c:\program files\EeePC\HotkeyService\HotKeyMon.exe [2009-9-12 100328]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 0 (0x0)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

R2 AsusService;Asus Launcher Service;c:\windows\System32\AsusService.exe [2009-08-19 219136]

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-03-23 135664]

R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2009-04-07 29472]

R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [2010-08-12 15008]

R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-04-29 38224]

S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]

S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-05-13 108289]

S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-08-12 1355416]

S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]

S3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller (NDIS 6.20);c:\windows\system32\DRIVERS\L1C62x86.sys [2009-07-27 51712]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc

.

Contents of the 'Scheduled Tasks' folder

2010-09-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-23 15:11]

2010-09-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-23 15:11]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = *.local

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

DPF: {8D59819B-2067-4A6B-84F4-7F84570E3C30} - hxxp://192.168.1.55/img/LinksysMLViewer.cab

DPF: {ADACAA8F-3595-47FE-9C31-9C7471B9BEC7} - hxxp://192.168.72.11/cab/OCXChecker_8310.cab

FF - ProfilePath - c:\users\In Vivo Netbook\AppData\Roaming\Mozilla\Firefox\Profiles\03d29puo.default\

FF - prefs.js: browser.startup.homepage - google.com

FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll

FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll

FF - plugin: c:\users\In Vivo Netbook\AppData\Roaming\Mozilla\plugins\npatgpc.dll

.

- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2010-09-06 14:43:50

ComboFix-quarantined-files.txt 2010-09-06 18:43

Pre-Run: 80,038,526,976 bytes free

Post-Run: 80,268,173,312 bytes free

- - End Of File - - 3F570C9987A4BF6F795D9BB14B56572E


Lew:

Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before and above http://

http://forums.malwarebytes.org/index.php?showtopic=62072
Collect::
c:\users\In Vivo Netbook\AppData\Local\iyomezocijez.dll
c:\users\In Vivo Netbook\AppData\Local\Onoqeza.dat
File::
c:\users\In Vivo Netbook\AppData\Local\Czuta.bin

Save this as CFScript to your desktop.

Then disable your security programs and drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScriptB-4.gif]

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM

  • Click the Update tab
  • Click Check for Updates
  • If an update is found, it will download and install the latest version.
  • The program will close to update and reopen.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Please include the following in your next post:

  • ComboFix log
  • MBAM log

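The Collect:: list in the CFScript above was picked by eye from the "Files Created" section of the log. As an added example that is not part of this thread, ComboFix or Malwarebytes, the script below does the same triage mechanically: it parses lines in the format ComboFix printed above (the sample lines are copied from the posted log, plus one benign AppData\Local entry from the Find3M report for contrast) and flags small loose files that sit directly in the user's AppData\Local folder. The line format, the 4096-byte size threshold and the location heuristic are assumptions chosen to reproduce the helper's choice; note that it also flags icufivuta.dll, which the helper did not collect, so its output is a candidate list for a human to review, not a verdict.

```python
"""Triage helper for ComboFix 'Files Created' / 'Find3M' entries.

Added example for this thread; not part of ComboFix or Malwarebytes tooling.
The log line format, the size threshold and the drop-location heuristic are
assumptions made here, not anything ComboFix itself reports.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed layout of one ComboFix file line (as seen in the posted log):
#   <created> . <modified> <size-or-dashes> <8 attr flags> <path>
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)

# Sample lines copied from the ComboFix log posted above (constructed subset);
# the last one is a benign Find3M entry included for contrast.
SAMPLE_LOG = r"""
2010-08-25 16:48 . 2010-08-25 16:48 2517 ----a-w- c:\users\In Vivo Netbook\AppData\Local\icufivuta.dll
2010-08-25 14:37 . 2010-08-25 14:37 -------- d-----w- c:\programdata\GoBoingo
2010-08-25 14:32 . 2010-08-25 14:32 1738 ----a-w- c:\users\In Vivo Netbook\AppData\Local\iyomezocijez.dll
2010-08-22 23:02 . 2010-08-30 14:47 120 ----a-w- c:\users\In Vivo Netbook\AppData\Local\Onoqeza.dat
2010-08-22 23:02 . 2010-08-30 14:47 0 ----a-w- c:\users\In Vivo Netbook\AppData\Local\Czuta.bin
2010-08-20 01:10 . 2010-06-30 06:25 978432 ----a-w- c:\windows\system32\wininet.dll
2010-08-20 00:31 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-20 00:17 . 2009-12-15 19:28 79920 ----a-w- c:\users\In Vivo Netbook\AppData\Local\GDIPFONTCACHEV1.DAT
"""


@dataclass
class Entry:
    created: str
    modified: str
    size: Optional[int]  # None for directories (ComboFix prints dashes)
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")


def parse_files_created(text: str) -> List[Entry]:
    """Parse every line that matches the assumed ComboFix file-line layout."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # section banners, '.' separators, blank lines
        size = None if m["size"].startswith("-") else int(m["size"])
        entries.append(Entry(m["created"], m["modified"], size, m["attrs"], m["path"]))
    return entries


# Heuristic 1 (assumption): a file sitting directly in <profile>\AppData\Local,
# not inside a vendor subfolder, is an unusual place for legitimate software.
PROFILE_LOCAL_ROOT = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\[^\\]+$", re.I)
# Heuristic 2 (assumption): loadable/data files this small are rarely real
# application components.
LOADABLE_EXT = (".dll", ".exe", ".dat", ".bin")
SMALL_BYTES = 4096


def triage(entries: List[Entry]) -> List[Tuple[str, List[str]]]:
    """Return (path, reasons) for files matching BOTH heuristics."""
    flagged = []
    for e in entries:
        if e.is_dir or e.size is None:
            continue
        in_profile_root = bool(PROFILE_LOCAL_ROOT.match(e.path))
        small_loadable = e.path.lower().endswith(LOADABLE_EXT) and e.size < SMALL_BYTES
        if in_profile_root and small_loadable:
            ext = e.path.rsplit(".", 1)[-1].lower()
            flagged.append((e.path, [
                "dropped directly in the user's AppData\\Local",
                f"{e.size}-byte .{ext} file (under {SMALL_BYTES} bytes)",
            ]))
    return flagged


def collect_block(flagged: List[Tuple[str, List[str]]]) -> str:
    """Render the candidates in the Collect:: layout used in the thread."""
    return "Collect::\n" + "\n".join(path for path, _ in flagged)


if __name__ == "__main__":
    for path, reasons in triage(parse_files_created(SAMPLE_LOG)):
        print(path, "<-", "; ".join(reasons))
    print(collect_block(triage(parse_files_created(SAMPLE_LOG))))
```

The two heuristics are deliberately combined with AND: GDIPFONTCACHEV1.DAT lives in the same folder but is a normal-sized cache file, so it is left alone, while a 0-byte .bin or a 1.7 KB "DLL" in that folder is worth sending to the helper for review.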

I had to run it twice. It seemed to find something and uploaded it to MWB

John

ComboFix 10-09-06.04 - In Vivo Netbook 09/07/2010 12:35:12.4.2 - x86

Microsoft Windows 7 Starter 6.1.7600.0.1252.1.1033.18.1015.297 [GMT -4:00]

Running from: c:\users\In Vivo Netbook\Desktop\ComboFix.exe

Command switches used :: c:\users\In Vivo Netbook\Desktop\CFScript.txt

SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}

FILE ::

"c:\users\In Vivo Netbook\AppData\Local\Czuta.bin"

file zipped: c:\users\In Vivo Netbook\AppData\Local\iyomezocijez.dll

file zipped: c:\users\In Vivo Netbook\AppData\Local\Onoqeza.dat

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\users\In Vivo Netbook\AppData\Local\Czuta.bin

c:\users\In Vivo Netbook\AppData\Local\iyomezocijez.dll

c:\users\In Vivo Netbook\AppData\Local\Onoqeza.dat

.

((((((((((((((((((((((((( Files Created from 2010-08-07 to 2010-09-07 )))))))))))))))))))))))))))))))

.

2010-09-07 16:52 . 2010-09-07 16:52 -------- d-----w- c:\users\Public\AppData\Local\temp

2010-09-07 16:52 . 2010-09-07 16:52 -------- d-----w- c:\users\Default\AppData\Local\temp

2010-09-07 16:31 . 2010-09-07 16:32 -------- d-----w- C:\32788R22FWJFW

2010-09-06 18:43 . 2010-09-07 16:53 -------- d-----w- c:\users\In Vivo Netbook\AppData\Local\temp

2010-09-02 19:51 . 2010-08-12 12:15 15880 ----a-w- c:\windows\system32\lsdelete.exe

2010-09-02 14:27 . 2010-09-02 14:27 -------- d-----w- c:\users\In Vivo Netbook\AppData\Local\Sunbelt Software

2010-09-02 14:24 . 2010-09-02 14:24 -------- dc-h--w- c:\programdata\{ECC164E0-3133-4C70-A831-F08DB2940F70}

2010-09-02 14:24 . 2010-08-12 12:16 2979848 -c--a-w- c:\programdata\{ECC164E0-3133-4C70-A831-F08DB2940F70}\Ad-AwareInstall.exe

2010-09-02 14:24 . 2010-09-02 14:24 -------- d-----w- c:\program files\Lavasoft

2010-09-02 14:24 . 2010-09-02 14:55 -------- d-----w- c:\programdata\Lavasoft

2010-09-02 13:43 . 2010-09-02 13:43 -------- d-----w- c:\users\In Vivo Netbook\AppData\Roaming\AVP 2009

2010-09-01 02:29 . 2010-09-01 02:29 -------- d-----w- c:\program files\Trend Micro

2010-09-01 02:04 . 2010-09-01 03:18 -------- d-----w- c:\programdata\Spybot - Search & Destroy

2010-09-01 02:04 . 2010-09-01 02:10 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-08-25 16:48 . 2010-08-25 16:48 2517 ----a-w- c:\users\In Vivo Netbook\AppData\Local\icufivuta.dll

2010-08-25 14:37 . 2010-08-25 14:37 -------- d-----w- c:\programdata\GoBoingo

2010-08-25 14:37 . 2010-08-25 14:37 -------- d-----w- c:\program files\Boingo

2010-08-20 07:08 . 2009-09-23 23:30 1002008 ----a-w- c:\windows\system32\igxpun.exe

2010-08-20 01:12 . 2010-06-14 06:12 1286016 ----a-w- c:\windows\system32\drivers\tcpip.sys

2010-08-20 01:10 . 2010-06-19 04:07 2326016 ----a-w- c:\windows\system32\win32k.sys

2010-08-20 01:10 . 2010-06-30 06:25 978432 ----a-w- c:\windows\system32\wininet.dll

2010-08-20 01:05 . 2010-07-29 06:30 197632 ----a-w- c:\windows\system32\ir32_32.dll

2010-08-20 01:05 . 2010-07-29 06:30 82944 ----a-w- c:\windows\system32\iccvid.dll

2010-08-20 01:05 . 2010-06-19 06:23 37376 ----a-w- c:\windows\system32\rtutils.dll

2010-08-20 01:04 . 2010-06-19 06:33 3955080 ----a-w- c:\windows\system32\ntkrnlpa.exe

2010-08-20 01:04 . 2010-06-19 06:33 3899784 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-08-20 00:53 . 2010-06-22 02:47 310784 ----a-w- c:\windows\system32\drivers\srv.sys

2010-08-20 00:53 . 2010-06-22 02:47 307200 ----a-w- c:\windows\system32\drivers\srv2.sys

2010-08-20 00:53 . 2010-06-22 02:47 113664 ----a-w- c:\windows\system32\drivers\srvnet.sys

2010-08-20 00:36 . 2010-06-08 06:02 1233920 ----a-w- c:\windows\system32\msxml3.dll

2010-08-20 00:32 . 2010-08-20 00:32 -------- d-----w- c:\users\In Vivo Netbook\AppData\Roaming\Malwarebytes

2010-08-20 00:31 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-08-20 00:31 . 2010-08-20 00:31 -------- d-----w- c:\programdata\Malwarebytes

2010-08-20 00:31 . 2010-08-20 00:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-08-20 00:31 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-08-20 00:27 . 2010-06-16 05:48 224256 ----a-w- c:\windows\system32\schannel.dll

2010-08-19 23:41 . 2010-08-19 23:41 -------- d-----w- c:\users\In Vivo Netbook\AppData\Roaming\6445ACDCAC425BB710AD28AE5D523B0B

2010-08-19 12:52 . 2010-08-19 12:52 -------- d-----w- c:\program files\HP

2010-08-15 15:06 . 2010-08-15 15:06 -------- d-----w- c:\windows\system32\x64

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-09-07 16:46 . 2010-02-20 20:41 -------- d-----w- c:\users\In Vivo Netbook\AppData\Roaming\uTorrent

2010-09-05 23:01 . 2010-02-25 18:35 -------- d-----w- c:\users\In Vivo Netbook\AppData\Roaming\vlc

2010-09-01 01:31 . 2010-02-20 20:42 -------- d-----w- c:\program files\uTorrent

2010-08-20 07:10 . 2009-08-19 05:08 -------- d-----w- c:\program files\Microsoft Works

2010-08-20 07:02 . 2009-08-19 05:06 -------- d-----w- c:\programdata\Microsoft Help

2010-08-20 00:17 . 2009-12-15 19:28 79920 ----a-w- c:\users\In Vivo Netbook\AppData\Local\GDIPFONTCACHEV1.DAT

2010-07-18 14:37 . 2009-12-17 20:20 -------- d-----w- c:\users\In Vivo Netbook\AppData\Roaming\Skype

2010-07-18 14:36 . 2010-06-19 18:42 -------- d-----w- c:\users\In Vivo Netbook\AppData\Roaming\skypePM

2010-07-14 21:52 . 2010-07-14 21:52 -------- d-----w- c:\program files\EPSViewer

2010-06-19 18:42 . 2010-06-19 18:42 56 ---ha-w- c:\windows\system32\ezsidmv.dat

2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat

2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

.

((((((((((((((((((((((((((((( SnapShot@2010-09-06_18.38.38 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-07-25 07:40 . 2010-09-07 11:13 47312 c:\windows\System32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin

- 2009-07-14 04:55 . 2010-09-06 18:21 47542 c:\windows\System32\wdi\BootPerformanceDiagnostics_SystemData.bin

+ 2009-07-14 04:55 . 2010-09-07 16:28 47542 c:\windows\System32\wdi\BootPerformanceDiagnostics_SystemData.bin

+ 2009-12-15 19:29 . 2010-09-07 16:27 81920 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

- 2009-12-15 19:29 . 2010-09-06 18:23 81920 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

- 2009-07-14 04:41 . 2010-09-06 18:23 65536 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

+ 2009-07-14 04:41 . 2010-09-07 16:27 65536 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

+ 2009-07-14 04:34 . 2010-09-06 18:53 64576 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat

+ 2009-12-16 04:01 . 2010-09-07 16:12 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

- 2009-12-16 04:01 . 2010-09-06 18:05 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

+ 2009-12-16 04:01 . 2010-09-07 16:12 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat

- 2009-12-16 04:01 . 2010-09-06 18:05 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat

- 2009-12-16 04:01 . 2010-09-06 18:05 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

+ 2009-12-16 04:01 . 2010-09-07 16:12 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

+ 2009-12-16 17:15 . 2010-09-07 16:28 9304 c:\windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1563257941-1583627815-2607456693-1000_UserData.bin

+ 2010-09-07 14:47 . 2010-09-07 16:25 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat

- 2010-09-06 18:18 . 2010-09-06 18:18 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat

+ 2010-09-07 14:47 . 2010-09-07 16:25 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat

- 2010-09-06 18:18 . 2010-09-06 18:18 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat

+ 2009-12-15 23:22 . 2010-09-07 15:59 206164 c:\windows\System32\wdi\SuspendPerformanceDiagnostics_SystemData_S3.bin

- 2009-07-14 02:05 . 2010-09-06 18:24 615360 c:\windows\System32\perfh009.dat

+ 2009-07-14 02:05 . 2010-09-07 16:30 615360 c:\windows\System32\perfh009.dat

- 2009-07-14 02:05 . 2010-09-06 18:24 103702 c:\windows\System32\perfc009.dat

+ 2009-07-14 02:05 . 2010-09-07 16:30 103702 c:\windows\System32\perfc009.dat

+ 2009-07-25 07:35 . 2010-09-07 16:00 262144 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat

- 2009-07-25 07:35 . 2010-09-06 18:01 262144 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat

+ 2009-07-14 02:03 . 2010-09-07 15:02 6815744 c:\windows\System32\SMI\Store\Machine\schema.dat

- 2009-07-14 02:03 . 2010-09-06 18:34 6815744 c:\windows\System32\SMI\Store\Machine\schema.dat

- 2009-12-15 19:29 . 2010-09-06 18:23 1376256 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat

+ 2009-12-15 19:29 . 2010-09-07 16:27 1376256 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayIconExtension1]

@="{fe25455d-b4c2-4e32-97d2-92632ec1c224}"

[HKEY_CLASSES_ROOT\CLSID\{fe25455d-b4c2-4e32-97d2-92632ec1c224}]

2009-11-25 16:47 297808 ----a-w- c:\windows\System32\mscoree.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayIconExtension2]

@="{1fae2d88-a78e-4f03-909f-be818a3c1ce6}"

[HKEY_CLASSES_ROOT\CLSID\{1fae2d88-a78e-4f03-909f-be818a3c1ce6}]

2009-11-25 16:47 297808 ----a-w- c:\windows\System32\mscoree.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Eee Docking"="c:\program files\ASUS\Eee Docking\Eee Docking.exe" [2009-08-17 402608]

"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-08-31 328568]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-03-19 39408]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-07-20 1545512]

"SynAsusAcpi"="c:\program files\Synaptics\SynTP\SynAsusAcpi.exe" [2009-07-20 83240]

"EeeStorageBackup"="c:\program files\ASUS\Asus WebStorage\BackupService.exe" [2009-07-31 947472]

"HotkeyService"="AsusSender.exe" [2009-08-18 27648]

"SuperHybridEngine"="AsusSender.exe" [2009-08-18 27648]

"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-07-20 7625248]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]

"Monitor.exe"="c:\program files\Wireless-G Internet Home Monitoring Camera\Monitor.exe" [2007-10-08 1765376]

"Recorder.exe"="c:\program files\Wireless-G Internet Home Monitoring Camera\Recorder.exe" [2007-10-02 311296]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-15 141608]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-23 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-23 173592]

"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-23 150552]

"Boingo Wi-Fi"="c:\program files\Boingo\Boingo Wi-Fi\Boingo.lnk" [2010-08-25 2429]

c:\users\In Vivo Netbook\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-7-1 795936]

HotKeyMon.lnk - c:\program files\EeePC\HotkeyService\HotKeyMon.exe [2009-9-12 100328]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 0 (0x0)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

R2 AsusService;Asus Launcher Service;c:\windows\System32\AsusService.exe [2009-08-19 219136]

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-03-23 135664]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-08-12 1355416]

R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]

R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2009-04-07 29472]

R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [2010-08-12 15008]

R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-04-29 38224]

S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]

S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-05-13 108289]

S3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller (NDIS 6.20);c:\windows\system32\DRIVERS\L1C62x86.sys [2009-07-27 51712]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc

.

Contents of the 'Scheduled Tasks' folder

2010-09-07 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-08-12 12:15]

2010-09-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-23 15:11]

2010-09-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-23 15:11]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = *.local

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

DPF: {8D59819B-2067-4A6B-84F4-7F84570E3C30} - hxxp://192.168.1.55/img/LinksysMLViewer.cab

DPF: {ADACAA8F-3595-47FE-9C31-9C7471B9BEC7} - hxxp://192.168.72.11/cab/OCXChecker_8310.cab

FF - ProfilePath - c:\users\In Vivo Netbook\AppData\Roaming\Mozilla\Firefox\Profiles\03d29puo.default\

FF - prefs.js: browser.startup.homepage - google.com

FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll

FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll

FF - plugin: c:\users\In Vivo Netbook\AppData\Roaming\Mozilla\plugins\npatgpc.dll

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2010-09-07 12:58:25

ComboFix-quarantined-files.txt 2010-09-07 16:58

ComboFix2.txt 2010-09-06 18:43

Pre-Run: 80,058,945,536 bytes free

Post-Run: 79,987,314,688 bytes free

- - End Of File - - E76A3B03D89A4B1A9C63614AA4FF564B

Upload was successful


Lew:

That looks to have run correctly. Please do this now:

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Java 6 Update 18 can be updated from the Java control panel Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now. An update should begin; follow the prompts. If it does not, let me know.

Once the install is complete...

Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup)

  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button.
  • There are two options in the window to clear the cache - leave BOTH checked:
    • Applications and Applets
    • Trace and Log Files
  • Click OK on the Delete Temporary Files window.

Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.

  • Click OK to leave the Temporary Files window.
  • Click OK to leave the Java Control Panel.

You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM

  • Click the Update tab.
  • Click Check for Updates.
  • If an update is found, it will download and install the latest version.
  • The program will close to update and reopen.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note.)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Using Internet Explorer or Firefox, visit Kaspersky Online Scanner.

1. Click Accept, when prompted to download and install the program files and database of malware definitions.

2. To optimize scanning time and produce a more sensible report for review:

  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan. Click HERE to see how to disable the most common antivirus programs.

3. Click Run at the Security prompt.

The program will then begin downloading and installing and will also update the database.

Please be patient as this can take quite a long time to download.

  • Once the update is complete, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, adware, dialers, and other riskware
    • Archives
    • E-mail databases
  • Click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View report... at the bottom.
  • Click the Save report... button.
  • Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt to save the file to your desktop so that you may post it in your next reply.

Please include the following in your next post:

  • Kaspersky log
  • MBAM log
  • How is your computer running now?


Updated Java and deleted old files

Ran MWB and Kas

Things are running well. No recent redirection.

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4566

Windows 6.1.7600

Internet Explorer 8.0.7600.16385

9/7/2010 9:56:06 PM

mbam-log-2010-09-07 (21-56-06).txt

Scan type: Quick scan

Objects scanned: 135223

Time elapsed: 12 minute(s), 32 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7.0: scan report

Wednesday, September 8, 2010

Operating system: Microsoft Home Edition (build 7600)

Kaspersky Online Scanner version: 7.0.26.13

Last database update: Tuesday, September 07, 2010 23:08:22

Records in database: 4203720

--------------------------------------------------------------------------------

Scan settings:

scan using the following database: extended

Scan archives: yes

Scan e-mail databases: yes

Scan area - My Computer:

C:\

D:\

Scan statistics:

Objects scanned: 85734

Threats found: 1

Infected objects found: 2

Suspicious objects found: 0

Scan duration: 03:45:54

File name / Threat / Threats count

C:\Qoobox\Quarantine\C\windows\system32\Drivers\netbt.sys.vir Infected: Virus.Win32.TDSS.b 1

C:\Windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.1.7600.16385_none_603b1e855897bcd6\netbt.sys Infected: Virus.Win32.TDSS.b 1

Selected area has been scanned.


Lew:

This will take care of the Kaspersky detection (the other is already in quarantine):

Go to Start > Run and copy/paste the contents of the codebox below into the Run box and click OK:

cmd /c del /a/f/q "C:\Windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.1.7600.16385_none_603b1e855897bcd6\netbt.sys"

A DOS window will open and close again, this is normal.

Now all I have left for you are another update and some very important cleanup work:

Your Adobe Reader needs to be updated. Please visit Adobe's site and grab the newest version.

Uninstall ComboFix

  • Press the Windows key + R on your keyboard or click Start -> Run. Copy and paste the following text into the run box that opens and press OK:
    Combofix /Uninstall

Delete the following tools along with any other logs you saved from our work:

  • DDS
  • Rootkit Unhooker

Download TFC to your desktop

  • Close any open windows.
  • Double-click the TFC icon to run the program.
  • TFC will close all open programs itself in order to run.
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job.
  • Once it's finished it should automatically reboot your machine; if it doesn't, manually reboot to ensure a complete clean.

Finally, I'd like to make a couple of suggestions to help you stay clean in the future:

  • Restart any anti-malware programs that we disabled while we were cleaning your machine.
  • Keep your antivirus application current and updated. Also, hang on to MBAM. Scan with them at least weekly.
  • Avoid using P2P programs. Refer back to my earlier post for more information.
  • Please visit our General Computer Security Forum and review this post for some helpful information.

Please post once more so I know you are all set and I can mark this thread resolved. Good luck and stay safe!


Proceeded as you describe.

During reboot there was a message about a dll not found. It was a dll in a temp folder named something like nos_adobe_uninstaller.dll

Everything else is fine, and I have not seen anything else suggesting malware or redirection

Thanks for all your help
