multi-rogue unremovable e

BRD529

Friends,

Stuck with "XP Antispyware 2011" a horrible malware described here: http://siri-urz.blogspot.com/search/label/Braviax

- Avast didn't find it

- It blocks Webroot Spysweeper from installing

- It prevents MBAM from running, even if I change the name to winlogon.exe

Here are logs:

DDS:

DDS (Ver_10-11-10.01) - NTFSx86

Run by Judi at 1:37:27.20 on Tue 11/23/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2000.1405 [GMT -5:00]

AV: Webroot AntiVirus with Spy Sweeper *On-access scanning disabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

c:\drivers\audio\r205445\stacsv.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Intel\ASF Agent\ASFAgent.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\svchost.exe -k hpdevmgmt

C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\svchost.exe -k HPService

C:\Documents and Settings\Judi\Local Settings\Application Data\vz.exe

C:\Program Files\DellTPad\Apoint.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\Program Files\IDT\WDM\sttray.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\Yahoo!\Common\YMailAdvisor.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Alwil Software\Avast5\avastUI.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

C:\Program Files\palmOne\HOTSYNC.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Quicken\bagent.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\DellTPad\HidFind.exe

C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Safari\Safari.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe

C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe

C:\DOCUME~1\Judi\LOCALS~1\Temp\Saf454.tmp\Defogger.exe

C:\DOCUME~1\Judi\LOCALS~1\Temp\Saf458.tmp\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://mail.yahoo.com/

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

uDefault_Search_URL = hxxp://www.google.com/ie

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll

BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll

BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: {243b17de-77c7-46bf-b94b-0b5f309a0e64} - c:\program files\microsoft money\system\mnyside.dll

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll

BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll

TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File

EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

uRun: [iSUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe

uRun: [QuickenScheduledUpdates] "c:\program files\quicken\bagent.exe"

mRun: [Apoint] "c:\program files\delltpad\Apoint.exe"

mRun: [igfxTray] "c:\windows\system32\igfxtray.exe"

mRun: [HotKeysCmds] "c:\windows\system32\hkcmd.exe"

mRun: [Persistence] "c:\windows\system32\igfxpers.exe"

mRun: [iAAnotif] "c:\program files\intel\intel matrix storage manager\iaanotif.exe"

mRun: [broadcom Wireless Manager UI] "c:\windows\system32\WLTRAY.exe"

mRun: [sysTrayApp] "%ProgramFiles%\IDT\WDM\sttray.exe"

mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"

mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"

mRun: [<NO NAME>]

mRun: [AppleSyncNotifier] "c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe"

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume

mRun: [YMailAdvisor] "c:\program files\yahoo!\common\YMailAdvisor.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"

mRun: [hpqSRMon]

mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui

mRun: [LXCFCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCFtime.dll,_RunDLLEntry@16

mRun: [WebrootTrayApp] c:\program files\webroot\security\current\framework\WRTray.exe

StartupFolder: c:\docume~1\judi\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palmone\HOTSYNC.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palmone\HOTSYNC.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll

IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {DD6687B5-CB43-4211-BFC9-2942CCBDCB3E} - c:\program files\microsoft money\system\mnyside.dll

Trusted Zone: intuit.com\ttlc

DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemydsl.verizon.net/sdcCommon/download/DSL/Verizon%20High%20Speed%20Internet%20Installer.cab

DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll

DPF: {474F00F5-3853-492C-AC3A-476512BBC336} - hxxp://picasaweb.google.com/s/v/47.10/uploader2.cab

DPF: {49232000-16E4-426C-A231-62846947304B} - hxxps://wimpro.cce.hp.com/ChatEntry/downloads/sysinfo.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\judi\applic~1\mozilla\firefox\profiles\wmtoj4b4.default\

FF - prefs.js: browser.startup.homepage - hxxp://mail.yahoo.com/

FF - plugin: c:\documents and settings\judi\application data\move networks\plugins\npqmp071505000010.dll

FF - plugin: c:\documents and settings\judi\application data\move networks\plugins\npqmp071505000011.dll

FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-11-22 165584]

R1 pwipf6;pwipf6;c:\windows\system32\drivers\pwipf6.sys [2010-11-23 108880]

R2 ASFAgent;ASF Agent;c:\program files\intel\asf agent\ASFAgent.exe [2007-4-19 133968]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-11-22 17744]

R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-11-22 40384]

R2 ssfmonm;ssfmonm;c:\windows\system32\drivers\ssfmonm.sys [2010-11-23 45072]

R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2009-2-17 112128]

R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-11-22 40384]

R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-11-22 40384]

R3 cvusbdrv;Broadcom USH CV;c:\windows\system32\drivers\cvusbdrv.sys [2009-2-17 32808]

R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2009-2-17 244368]

R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2009-2-17 110080]

S0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys --> c:\windows\system32\drivers\ssfs0bbc.sys [?]

S2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;"c:\program files\webroot\security\current\plugins\antimalware\aei.exe" --> c:\program files\webroot\security\current\plugins\antimalware\AEI.exe [?]

S2 WRConsumerService;Webroot Client Service;"c:\program files\webroot\security\current\framework\wrconsumerservice.exe" --> c:\program files\webroot\security\current\framework\WRConsumerService.exe [?]

S3 SCPMPR5;SCPMPR5 NDIS Protocol Driver;\??\d:\scpmpr5.sys --> d:\SCPMPR5.SYS [?]

=============== File Associations ===============

.exe=sezfile

=============== Created Last 30 ================

2010-11-23 06:13:40 775168 ----a-w- c:\windows\isRS-000.tmp

2010-11-23 06:13:06 108880 ----a-w- c:\windows\system32\drivers\pwipf6.sys

2010-11-23 06:08:54 -------- d-----w- c:\docume~1\alluse~1\applic~1\Webroot

2010-11-23 06:02:06 45072 ----a-w- c:\windows\system32\drivers\ssfmonm.sys

2010-11-23 05:55:19 -------- d-----w- c:\docume~1\judi\locals~1\applic~1\PackageAware

2010-11-23 04:47:01 -------- d-----w- c:\program files\MSSOAP

2010-11-23 04:46:10 -------- d-----w- c:\program files\Webroot

2010-11-22 23:49:32 38848 ----a-w- c:\windows\avastSS.scr

2010-11-22 23:00:13 -------- d-----w- c:\windows\pss

2010-11-22 20:00:04 -------- d-----w- c:\windows\system32\CatRoot

2010-11-22 17:49:50 318464 --sha-w- c:\docume~1\judi\locals~1\applic~1\vz.exe

2010-11-09 03:09:47 69715 ----a-w- c:\program files\common files\installshield\professional\runtime\10\00\intel32\ctor.dll

2010-11-09 03:09:47 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\10\00\intel32\DotNetInstaller.exe

2010-11-09 03:09:47 266240 ----a-w- c:\program files\common files\installshield\professional\runtime\10\00\intel32\iscript.dll

2010-11-09 03:09:47 172032 ----a-w- c:\program files\common files\installshield\professional\runtime\10\00\intel32\iuser.dll

2010-11-09 03:09:46 733184 ----a-w- c:\program files\common files\installshield\professional\runtime\10\00\intel32\iKernel.dll

2010-11-09 03:09:46 303236 ----a-w- c:\program files\common files\installshield\professional\runtime\10\00\intel32\setup.dll

2010-11-09 03:09:46 180356 ----a-w- c:\program files\common files\installshield\professional\runtime\10\00\intel32\iGdi.dll

2010-11-09 03:09:24 4199768 ----a-w- c:\windows\system32\cdintf400.dll

2010-11-09 03:08:37 -------- d-----w- c:\program files\Quicken

==================== Find3M ====================

2010-09-18 16:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll

2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll

2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll

2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll

2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll

2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl

2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll

2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys

2010-08-30 21:49:03 103720 ----a-w- c:\documents and settings\judi\GoToAssistDownloadHelper.exe

2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll

2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll

2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll

============= FINISH: 1:38:19.53 ===============

GMER:

GMER 1.0.15.15530 - http://www.gmer.net

Rootkit scan 2010-11-23 09:03:45

Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST980411 rev.DE14

Running: gzlbyevi.exe; Driver: C:\DOCUME~1\Judi\LOCALS~1\Temp\fxloapow.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwAdjustPrivilegesToken [0x986866B0]

SSDT 8A60A408 ZwAllocateVirtualMemory

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwClose [0x98573CF0]

SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwConnectPort [0x98686BB0]

SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwCreateFile [0x98685510]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateKey [0x98573BAC]

SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwCreatePort [0x98686F10]

SSDT 8A70D190 ZwCreateProcess

SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwCreateProcessEx [0x98687870]

SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwCreateSection [0x98687170]

SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwCreateThread [0x98687470]

SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwDebugActiveProcess [0x98685E80]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDeleteKey [0x98574160]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDeleteValueKey [0x9857408A]

SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwDeviceIoControlFile [0x98685F80]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDuplicateObject [0x98573782]

SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwOpenFile [0x986857A0]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenKey [0x98573C86]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenProcess [0x985736C2]

SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwOpenSection [0x98685A10]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenThread [0x98573726]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwQueryValueKey [0x98573DA6]

SSDT 8A60A480 ZwQueueApcThread

SSDT 8A60A318 ZwReadVirtualMemory

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRenameKey [0x9857422E]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRestoreKey [0x98573D66]

SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwResumeThread [0x98684610]

SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwSecureConnectPort [0x98686D60]

SSDT 8A7481C8 ZwSetContextThread

SSDT 8A74A358 ZwSetInformationKey

SSDT 8A7323C0 ZwSetInformationProcess

SSDT 8A748240 ZwSetInformationThread

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwSetValueKey [0x98573EE6]

SSDT 8A749118 ZwSuspendProcess

SSDT 8A60A4F8 ZwSuspendThread

SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwTerminateProcess [0x98683DD0]

SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwTerminateThread [0x986844F0]

SSDT 8A60A390 ZwWriteVirtualMemory

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwLoadDriver [0x98580B0C]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2C9C 80504538 12 Bytes [10, 6F, 68, 98, 90, D1, 70, ...]

PAGE ntkrnlpa.exe!ZwLoadDriver 8058413A 7 Bytes JMP 98580B10 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)

PAGE ntkrnlpa.exe!ObMakeTemporaryObject 805BC502 5 Bytes JMP 9857C5D4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)

PAGE ntkrnlpa.exe!ObInsertObject 805C2F86 5 Bytes JMP 9857DFFA \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)

? C:\DOCUME~1\Judi\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1772] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }

.text C:\Program Files\palmOne\HOTSYNC.EXE[2784] MSVCRT.dll!??2@YAPAXI@Z 77C29CC5 5 Bytes JMP 0A93C080 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)

.text C:\Program Files\palmOne\HOTSYNC.EXE[2784] MSVCRT.dll!??3@YAXPAX@Z 77C29CDD 5 Bytes JMP 0A93C0E0 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)

.text C:\Program Files\palmOne\HOTSYNC.EXE[2784] MSVCRT.dll!?set_new_handler@@YAP6AXXZP6AXXZ@Z 77C29D9F 5 Bytes JMP 0A93C110 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)

.text C:\Program Files\palmOne\HOTSYNC.EXE[2784] MSVCRT.dll!_aligned_offset_malloc 77C29DAF 5 Bytes JMP 0A93BFE0 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)

.text C:\Program Files\palmOne\HOTSYNC.EXE[2784] MSVCRT.dll!_aligned_free 77C29E33 5 Bytes JMP 0A93C0E0 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)

.text C:\Program Files\palmOne\HOTSYNC.EXE[2784] MSVCRT.dll!_aligned_malloc 77C29E52 5 Bytes JMP 0A93BFC0 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)

.text C:\Program Files\palmOne\HOTSYNC.EXE[2784] MSVCRT.dll!_aligned_offset_realloc 77C29E6E 5 Bytes JMP 0A93C020 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)

.text C:\Program Files\palmOne\HOTSYNC.EXE[2784] MSVCRT.dll!_aligned_realloc 77C29FC6 5 Bytes JMP 0A93C000 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)

.text C:\Program Files\palmOne\HOTSYNC.EXE[2784] MSVCRT.dll!_expand 77C29FE5 5 Bytes JMP 0A93BFA0 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)

.text C:\Program Files\palmOne\HOTSYNC.EXE[2784] MSVCRT.dll!_heapadd 77C2BC9F 5 Bytes JMP 0A93C160 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)

.text C:\Program Files\palmOne\HOTSYNC.EXE[2784] MSVCRT.dll!_heapchk 77C2BCB3 5 Bytes JMP 0A93C170 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)

.text C:\Program Files\palmOne\HOTSYNC.EXE[2784] MSVCRT.dll!_heapset + 1 77C2BD83 4 Bytes JMP 0A93C191 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)

.text C:\Program Files\palmOne\HOTSYNC.EXE[2784] MSVCRT.dll!_heapmin 77C2BD8C 5 Bytes JMP 0A93C260 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)

.text C:\Program Files\palmOne\HOTSYNC.EXE[2784] MSVCRT.dll!_heapused 77C2BE3A 5 Bytes JMP 0A93C230 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)

.text C:\Program Files\palmOne\HOTSYNC.EXE[2784] MSVCRT.dll!_heapwalk 77C2BE4D 5 Bytes JMP 0A93C1A0 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)

.text C:\Program Files\palmOne\HOTSYNC.EXE[2784] MSVCRT.dll!_msize 77C2BF6C 5 Bytes JMP 0A93BEB0 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)

.text C:\Program Files\palmOne\HOTSYNC.EXE[2784] MSVCRT.dll!calloc 77C2C0C3 5 Bytes JMP 0A93BE50 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)

.text C:\Program Files\palmOne\HOTSYNC.EXE[2784] MSVCRT.dll!free 77C2C21B 5 Bytes JMP 0A93C0E0 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)

.text C:\Program Files\palmOne\HOTSYNC.EXE[2784] MSVCRT.dll!malloc 77C2C407 5 Bytes JMP 0A93BE10 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)

.text C:\Program Files\palmOne\HOTSYNC.EXE[2784] MSVCRT.dll!realloc 77C2C437 5 Bytes JMP 0A93BE90 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] 8A60A1A8

IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] 8A60A2A0

IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] 8A60A2A0

IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] 8A60A1A8

IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] 8A60A1A8

IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] 8A60A2A0

IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] 8A60A2A0

IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] 8A60A1A8

IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] 8A60A2A0

IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] 8A60A1A8

IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] 8A60A2A0

IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisDeregisterProtocol] 8A60A1A8

IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisRegisterProtocol] 8A60A2A0

IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] 8A60A2A0

IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] 8A60A1A8

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[984] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00380002

IAT C:\WINDOWS\system32\services.exe[984] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00380000

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)

Device \Driver\Tcpip \Device\Ip 8970E1B8

Device \Driver\Tcpip \Device\Ip 88E65488

Device \Driver\Tcpip \Device\Ip 890F8FA8

AttachedDevice \Driver\Tcpip \Device\Ip pwipf6.sys (pwipf6/Privacyware/PWI, Inc.)

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

Device \Driver\Tcpip \Device\Tcp 8970E1B8

Device \Driver\Tcpip \Device\Tcp 88E65488

Device \Driver\Tcpip \Device\Tcp 890F8FA8

AttachedDevice \Driver\Tcpip \Device\Tcp pwipf6.sys (pwipf6/Privacyware/PWI, Inc.)

AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

Device \Driver\Tcpip \Device\Udp 8970E1B8

Device \Driver\Tcpip \Device\Udp 88E65488

Device \Driver\Tcpip \Device\Udp 890F8FA8

AttachedDevice \Driver\Tcpip \Device\Udp pwipf6.sys (pwipf6/Privacyware/PWI, Inc.)

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

Device \Driver\Tcpip \Device\RawIp 8970E1B8

Device \Driver\Tcpip \Device\RawIp 88E65488

Device \Driver\Tcpip \Device\RawIp 890F8FA8

AttachedDevice \Driver\Tcpip \Device\RawIp pwipf6.sys (pwipf6/Privacyware/PWI, Inc.)

AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

Device \Driver\Tcpip \Device\IPMULTICAST 8970E1B8

Device \Driver\Tcpip \Device\IPMULTICAST 88E65488

Device \Driver\Tcpip \Device\IPMULTICAST 890F8FA8

Device \FileSystem\Fastfat \Fat 966D9D20

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)

---- EOF - GMER 1.0.15 ----

Thanks,

BRD529

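The DDS log above carries the indicators that matter for this infection in three different sections: `.exe=sezfile` under File Associations (the rogue has hijacked the .exe handler, which is why MBAM will not start even when renamed to winlogon.exe, and why renaming it to a .com works), `vz.exe` running out of Local Settings\Application Data, and the same file listed under Created Last 30 with the `--sha-w-` (system+hidden) attributes. The script below is an added example for this thread, not a tool from the post or from Malwarebytes; it parses a DDS-style log and flags those three patterns. The excerpt it runs on is constructed from the posted log, and the allowlist of diagnostic tools that legitimately run from Temp (dds.scr, Defogger, GMER, rkill) is an assumption.

```python
"""Triage a DDS log for the rogue-AV indicators visible in the post above.

Added example for this thread, not a tool from the original post. It looks
for three things the posted log shows: a hijacked .exe file association
(".exe=sezfile"), processes running from user-writable temp/appdata paths,
and recently created hidden+system files in those paths.
"""
import re

# Constructed excerpt modelled on the DDS log in the post (not the full log).
SAMPLE_DDS = r"""
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Documents and Settings\Judi\Local Settings\Application Data\vz.exe
C:\DOCUME~1\Judi\LOCALS~1\Temp\Saf458.tmp\dds.scr
=============== File Associations ===============
.exe=sezfile
=============== Created Last 30 ================
2010-11-22 17:49:50 318464 --sha-w- c:\docume~1\judi\locals~1\applic~1\vz.exe
2010-11-22 23:49:32 38848 ----a-w- c:\windows\avastSS.scr
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")

# Per-user directories any process can write to, in both long and 8.3 form.
USER_WRITABLE = re.compile(
    r"\\(local settings\\(application data|temp)|locals~1\\(applic~1|temp))\\",
    re.IGNORECASE,
)

# Default Windows handlers; anything else on these extensions is a hijack.
EXPECTED_ASSOC = {".exe": "exefile", ".com": "comfile", ".bat": "batfile",
                  ".scr": "scrfile", ".pif": "piffile"}

# Diagnostic tools that legitimately run from Temp (assumed allowlist).
DIAG_TOOLS = {"dds.scr", "defogger.exe", "gmer.exe", "rkill.exe"}


def parse_sections(text):
    """Split DDS output into {section name: [non-empty lines]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def triage(text):
    """Return [(indicator, detail)] in the order the DDS sections appear."""
    sections = parse_sections(text)
    findings = []

    # ".exe=sezfile" sends every .exe launch through the rogue's handler;
    # .com is untouched, which is why renaming mbam.exe to firefox.com works.
    for line in sections.get("File Associations", []):
        ext, _, handler = line.partition("=")
        expected = EXPECTED_ASSOC.get(ext.lower())
        if expected and handler.lower() != expected:
            findings.append(("assoc_hijack", f"{ext}={handler} (expected {expected})"))

    # Real services live in Program Files or System32; a process executing
    # out of Local Settings\Application Data or Temp is worth a look.
    for line in sections.get("Running Processes", []):
        name = line.rsplit("\\", 1)[-1].lower()
        if USER_WRITABLE.search(line) and name not in DIAG_TOOLS:
            findings.append(("proc_user_writable", line))

    # Columns: date time size attrs path; "--sha-w-" = system+hidden.
    for line in sections.get("Created Last 30", []):
        parts = line.split(None, 4)
        if len(parts) < 5:
            continue
        attrs, path = parts[3], parts[4]
        if "s" in attrs and "h" in attrs and USER_WRITABLE.search(path):
            findings.append(("hidden_system_file", path))

    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_DDS):
        print(f"[{kind}] {detail}")
```

Run against the constructed excerpt it reports exactly the three items a helper would pull out of the posted log: the .exe association pointing at sezfile instead of exefile, vz.exe running from Local Settings\Application Data, and the same vz.exe created two days earlier with system+hidden attributes. avastSS.scr and the diagnostic tools are not flagged.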

Hello BRD529! Welcome to Malwarebytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Follow my instructions step by step; if there is a problem somewhere, stop and tell me.
  • Stay with the thread until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • If you don't know or can't understand something please ask.
  • Do not install or uninstall any software or hardware while we work on it.
  • Keep me informed about any changes.

Step 1

Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click and choose Run as Admin

You only need to get one of them to run, not all of them.

  1. rkill.exe
  2. rkill.com
  3. rkill.scr
  4. rkill.pif
  5. WiNlOgOn.exe
  6. uSeRiNiT.exe

Please post the log in your next reply.

Note: The log can be found at the root of your installed hard drive entitled rkill.log

Step 2

Go into C:\Program Files\Malwarebytes' Anti-Malware and you will see a file called mbam.exe. Right-click on it, drop down to Rename and change the name from mbam.exe to firefox.com. Please restart your computer.

Step 3

  • Launch Malwarebytes' Anti-Malware
  • Go to "Update" tab and select "Check for Updates". If an update is found, it will download and install the latest version.
  • Go to "Scanner" tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

In your next reply, please include these log(s):

  1. Rkill log
  2. Malwarebytes' Anti-Malware log
  3. a new fresh DDS log only


Dear Maniac,

Thanks SO MUCH for your help. I really appreciate it. Using RKILL and MBAM I appear to have solved the problem. Here is what I did:

- Started in Safe Mode

- Ran RKILL

- Installed MBAM

- Restarted

- The rogue no longer appears. Here are the latest logs:

RKILL:

This log file is located at C:\rkill.log.

Please post this only if requested to by the person helping you.

Otherwise you can close this log when you wish.

Ran as Judi on 11/27/2010 at 12:43:09.

Services Stopped:

Processes terminated by Rkill or while it was running:

C:\Documents and Settings\Judi\Desktop\tools\rkill.exe

Rkill completed on 11/27/2010 at 12:43:12.

MBAM:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 5199

Windows 5.1.2600 Service Pack 3 (Safe Mode)

Internet Explorer 8.0.6001.18702

11/27/2010 12:19:15 PM

safe-mode-mbam-log-2010-11-27 (12-19-15).txt

Scan type: Quick scan

Objects scanned: 174521

Time elapsed: 10 minute(s), 6 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 3

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\Judi\Local Settings\Temp\svchost.exe (Trojan.Agent) -> No action taken.

C:\Documents and Settings\Judi\Local Settings\Application Data\opRSK (Malware.Trace) -> No action taken.

DDS:

DDS (Ver_10-11-27.01) - NTFSx86

Run by Judi at 12:48:30.15 on Sat 11/27/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2000.1333 [GMT -5:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

C:\WINDOWS\system32\spoolsv.exe

c:\drivers\audio\r205445\stacsv.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Intel\ASF Agent\ASFAgent.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\svchost.exe -k hpdevmgmt

C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\DellTPad\Apoint.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\Program Files\IDT\WDM\sttray.exe

C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

C:\Program Files\Yahoo!\Common\YMailAdvisor.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\DellTPad\ApMsgFwd.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\Alwil Software\Avast5\avastUI.exe

C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Quicken\bagent.exe

C:\Program Files\DellTPad\HidFind.exe

C:\Program Files\palmOne\HOTSYNC.EXE

C:\Program Files\DellTPad\Apntex.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\WINDOWS\system32\svchost.exe -k HPService

C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe

C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\WINDOWS\explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Judi\Desktop\tools\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://mail.yahoo.com/

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

uDefault_Search_URL = hxxp://www.google.com/ie

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll

BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll

BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: {243b17de-77c7-46bf-b94b-0b5f309a0e64} - c:\program files\microsoft money\system\mnyside.dll

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll

BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll

TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File

EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

uRun: [iSUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe

uRun: [QuickenScheduledUpdates] "c:\program files\quicken\bagent.exe"

mRun: [Apoint] "c:\program files\delltpad\Apoint.exe"

mRun: [igfxTray] "c:\windows\system32\igfxtray.exe"

mRun: [HotKeysCmds] "c:\windows\system32\hkcmd.exe"

mRun: [Persistence] "c:\windows\system32\igfxpers.exe"

mRun: [iAAnotif] "c:\program files\intel\intel matrix storage manager\iaanotif.exe"

mRun: [broadcom Wireless Manager UI] "c:\windows\system32\WLTRAY.exe"

mRun: [sysTrayApp] "%ProgramFiles%\IDT\WDM\sttray.exe"

mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"

mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"

mRun: [<NO NAME>]

mRun: [AppleSyncNotifier] "c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe"

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume

mRun: [YMailAdvisor] "c:\program files\yahoo!\common\YMailAdvisor.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"

mRun: [hpqSRMon]

mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui

mRun: [WebrootTrayApp] c:\program files\webroot\security\current\framework\WRTray.exe

mRun: [LXCFCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCFtime.dll,_RunDLLEntry@16

StartupFolder: c:\docume~1\judi\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palmone\HOTSYNC.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palmone\HOTSYNC.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll

IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {DD6687B5-CB43-4211-BFC9-2942CCBDCB3E} - c:\program files\microsoft money\system\mnyside.dll

Trusted Zone: intuit.com\ttlc

DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemydsl.verizon.net/sdcCommon/download/DSL/Verizon%20High%20Speed%20Internet%20Installer.cab

DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll

DPF: {474F00F5-3853-492C-AC3A-476512BBC336} - hxxp://picasaweb.google.com/s/v/47.10/uploader2.cab

DPF: {49232000-16E4-426C-A231-62846947304B} - hxxps://wimpro.cce.hp.com/ChatEntry/downloads/sysinfo.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\judi\applic~1\mozilla\firefox\profiles\wmtoj4b4.default\

FF - prefs.js: browser.startup.homepage - hxxp://mail.yahoo.com/

FF - plugin: c:\documents and settings\judi\application data\move networks\plugins\npqmp071505000010.dll

FF - plugin: c:\documents and settings\judi\application data\move networks\plugins\npqmp071505000011.dll

FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

FF - Extension: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\judi\application data\Move Networks

FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\docume~1\judi\applic~1\mozilla\firefox\profiles\wmtoj4b4.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-11-22 165584]

R2 ASFAgent;ASF Agent;c:\program files\intel\asf agent\ASFAgent.exe [2007-4-19 133968]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-11-22 17744]

R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-11-22 40384]

R2 ssfmonm;ssfmonm;c:\windows\system32\drivers\ssfmonm.sys [2010-11-23 45072]

R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2009-2-17 112128]

R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-11-22 40384]

R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-11-22 40384]

R3 cvusbdrv;Broadcom USH CV;c:\windows\system32\drivers\cvusbdrv.sys [2009-2-17 32808]

R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2009-2-17 244368]

R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2009-2-17 110080]

S3 SCPMPR5;SCPMPR5 NDIS Protocol Driver;\??\d:\scpmpr5.sys --> d:\SCPMPR5.SYS [?]

=============== Created Last 30 ================

2010-11-27 17:31:52 775168 ----a-w- c:\windows\isRS-000.tmp

2010-11-27 17:08:16 -------- d-----w- c:\docume~1\judi\applic~1\Malwarebytes

2010-11-27 17:08:05 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-11-27 17:08:04 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-11-27 17:08:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-11-27 17:08:04 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-11-23 06:02:06 45072 ----a-w- c:\windows\system32\drivers\ssfmonm.sys

2010-11-23 05:55:19 -------- d-----w- c:\docume~1\judi\locals~1\applic~1\PackageAware

2010-11-23 04:47:01 -------- d-----w- c:\program files\MSSOAP

2010-11-23 04:46:10 -------- d-----w- c:\program files\Webroot

2010-11-22 23:49:32 38848 ----a-w- c:\windows\avastSS.scr

2010-11-22 23:00:13 -------- d-----w- c:\windows\pss

2010-11-22 20:00:04 -------- d-----w- c:\windows\system32\CatRoot

2010-11-09 03:09:47 69715 ----a-w- c:\program files\common files\installshield\professional\runtime\10\00\intel32\ctor.dll

2010-11-09 03:09:47 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\10\00\intel32\DotNetInstaller.exe

2010-11-09 03:09:47 266240 ----a-w- c:\program files\common files\installshield\professional\runtime\10\00\intel32\iscript.dll

2010-11-09 03:09:47 172032 ----a-w- c:\program files\common files\installshield\professional\runtime\10\00\intel32\iuser.dll

2010-11-09 03:09:46 733184 ----a-w- c:\program files\common files\installshield\professional\runtime\10\00\intel32\iKernel.dll

2010-11-09 03:09:46 303236 ----a-w- c:\program files\common files\installshield\professional\runtime\10\00\intel32\setup.dll

2010-11-09 03:09:46 180356 ----a-w- c:\program files\common files\installshield\professional\runtime\10\00\intel32\iGdi.dll

2010-11-09 03:09:24 4199768 ----a-w- c:\windows\system32\cdintf400.dll

2010-11-09 03:08:37 -------- d-----w- c:\program files\Quicken

==================== Find3M ====================

2010-09-18 16:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll

2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll

2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll

2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll

2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll

2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl

2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll

2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys

2010-08-30 21:49:03 103720 ----a-w- c:\documents and settings\judi\GoToAssistDownloadHelper.exe

============= FINISH: 12:49:20.04 ===============

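As an added example (not part of the thread, and not Malwarebytes' own code), here is a small Python parser for the MBAM 1.x log format quoted above. It pulls the detail sections apart and lists every detection whose recorded action is "No action taken"; the log posted above records that for all five items, which is worth checking before treating a scan as a clean-up. The sample log is constructed in that format, with two actions changed so the check has something to distinguish.

```python
"""Added example: parse a Malwarebytes' Anti-Malware 1.x scan log and list the
detections it records as "No action taken", i.e. reported but not removed."""
import re

# Constructed sample in the format of the MBAM log posted in this thread; two
# actions are changed to "Quarantined" so the check has something to distinguish.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.46
Scan type: Quick scan

Memory Processes Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Judi\Local Settings\Temp\svchost.exe (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Judi\Local Settings\Application Data\opRSK (Malware.Trace) -> Quarantined and deleted successfully.
"""

# A detail-section header such as "Files Infected:" (the summary block's
# "Files Infected: 2" carries a count and so does not match).
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# The text before the first "->" is "<item> (<threat name>)".
ITEM_RE = re.compile(r"^(?P<item>.+) \((?P<threat>[^()]+)\)$")


def parse_detection(line):
    """Split one detection line into (item, threat, action); None for any other line."""
    parts = [p.strip() for p in line.split("->")]
    if len(parts) < 2:
        return None
    m = ITEM_RE.match(parts[0])
    if not m:
        return None
    # The segment after the last arrow is MBAM's recorded action.
    return m.group("item"), m.group("threat"), parts[-1].rstrip(".")


def parse_mbam_log(text):
    """Return {section: [(item, threat, action), ...]} for every detail section."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group("section")
            sections.setdefault(current, [])
            continue
        det = parse_detection(line) if current and line else None
        if det:
            sections[current].append(det)
    return sections


def unresolved(sections):
    """Detections MBAM reported but did not remove or quarantine."""
    return [(sec, item, threat) for sec, rows in sections.items()
            for item, threat, action in rows
            if action.lower().startswith("no action")]
```

Running `unresolved(parse_mbam_log(SAMPLE_LOG))` on the constructed sample returns the two Security Center values and the Temp\svchost.exe file; on the log posted above it would return all five items.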

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

