
Hello,

I am new to Malwarebytes and have just recently rid my computer of a virus using the Malwarebytes program and AVG Free. The virus closed virus protection software and all browsers and opened a window claiming I needed virus protection. I scanned my computer in safe mode and the virus seems to have gone, but now I get intermittent warnings from Malwarebytes stating it "successfully blocked access to a potentially malicious website", giving an IP address, port number and stating it was an "outgoing" type. Now I cannot access any Google sites, cannot read captchas, and cannot browse with Google Chrome. I am using Firefox at the moment. I have not taken any action other than what was posted in the sticky and doing a quick scan with Malwarebytes again because I am unsure of what to do.

Thanks for your time, I really appreciate it.

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_27

Run by An at 23:45:11 on 2011-09-03

Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3001.1608 [GMT -10:00]

.

AV: AVG Anti-Virus Free *Enabled/Updated* {0C939084-9E57-CBDB-EA61-0B0C7F62AF82}

SP: AVG Anti-Virus Free *Enabled/Updated* {B7F27160-B86D-C455-D0D1-307E04E5E53F}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

"C:\Windows\system32\svchost.exe"

"C:\Windows\system32\svchost.exe"

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k rpcss

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\SLsvc.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\System32\mobsync.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe

C:\Windows\PLFSetI.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Launch Manager\LManager.exe

C:\Program Files\Launch Manager\dsiwmis.exe

C:\Program Files\Acer\Acer PowerSmart Manager\ePowerSvc.exe

C:\Program Files\Acer\Optical Drive Power Management\ODDPWR.exe

C:\Windows\System32\svchost.exe -k HPZ12

C:\Program Files\AVG\AVG8\avgtray.exe

C:\Program Files\Winamp\winampa.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\Windows\System32\hkcmd.exe

C:\Windows\System32\igfxpers.exe

C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe

C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

C:\Windows\system32\igfxsrvc.exe

C:\Program Files\InterVideo\Common\Bin\WinRemote.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Acer\Optical Drive Power Management\ODDPWRSvc.exe

C:\Windows\System32\svchost.exe -k HPZ12

C:\Program Files\AIM\aim.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Program Files\Acer\Acer VCM\AcerVCM.exe

C:\Program Files\Acer\Acer VCM\RS_Service.exe

C:\Program Files\PowerStrip\PStrip.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Program Files\Acer\Acer PowerSmart Manager\ePowerTray.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\igfxext.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Program Files\Synaptics\SynTP\SynTPHelper.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\igfxext.exe

C:\Windows\system32\igfxsrvc.exe

C:\Program Files\Acer\Acer PowerSmart Manager\ePowerEvent.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Windows\system32\conime.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.bing.com/?pc=Z036&form=ZGAPHP

uDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=2&o=vp32&d=0509&m=aspire_4810t

mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=2&o=vp32&d=0509&m=aspire_4810t

mDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=2&o=vp32&d=0509&m=aspire_4810t

uURLSearchHooks: H - No File

BHO: {0000fe90-ad71-4e50-937f-fdd2c5fa488b} - c:\windows\system32\wscui32.dll

BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File

uRun: [steam] "c:\program files\steam\Steam.exe" -silent

uRun: [Aim] "c:\program files\aim\aim.exe" /d locale=en-US

uRun: [MozillaUpdate] c:\windows\system32\config\systemprofile\appdata\local\mozilla\mozillaupdate\Mozillaupdt32.exe

mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

mRun: [iAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe

mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe

mRun: [PLFSetI] c:\windows\PLFSetI.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [LManager] c:\program files\launch manager\LManager.exe

mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"

mRun: [Acer ePower Management] c:\program files\acer\acer powersmart manager\ePowerTrayLauncher.exe

mRun: [ODDPwr] "c:\program files\acer\optical drive power management\ODDPwr.exe"

mRun: [Acer Assist Launcher] c:\program files\acer\acer assist\launcher.exe

mRun: [Acer Product Registration] "c:\program files\acer\acer registration\ACE1.exe" /startup

mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe

mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [Home Theater SchSvr] "c:\program files\common files\intervideo\schsvr\SchSvr.exe"

mRun: [WINCINEMAMGR] "c:\program files\intervideo\common\bin\WinCinemaMgr.exe"

mRun: [WINREMOTE] "c:\program files\intervideo\common\bin\WinRemote.exe"

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

dRun: [MozillaUpdate] c:\windows\system32\config\systemprofile\appdata\local\mozilla\mozillaupdate\Mozillaupdt32.exe

StartupFolder: c:\users\an\appdata\roaming\micros~1\windows\startm~1\programs\startup\neroba~1.lnk - c:\windows\system32\nero.bat

StartupFolder: c:\users\an\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe

StartupFolder: c:\users\an\appdata\roaming\micros~1\windows\startm~1\programs\startup\powers~1.lnk - c:\program files\powerstrip\PStrip.exe

StartupFolder: c:\users\an\appdata\roaming\micros~1\windows\startm~1\programs\startup\winwor~1.lnk - c:\windows\system32\winword.exe

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\acervc~1.lnk - c:\program files\acer\acer vcm\AcerVCM.exe

mPolicies-system: EnableLUA = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab

DPF: {8BC53B30-32E4-4ED3-BEF9-DB761DB77453} - hxxp://u3.sandisk.com/download/apps/LPInstaller.CAB

DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab

TCP: DhcpNameServer = 24.25.227.55 209.18.47.61 24.25.227.53

TCP: Interfaces\{44CB7E77-224C-4484-B4EE-E89E3D557A02} : DhcpNameServer = 24.25.227.55 209.18.47.61 24.25.227.53

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: igfxcui - igfxdev.dll

AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL, avgrsstx.dll

Hosts: 95.64.61.141 www.google.com

Hosts: 95.64.61.142 www.bing.com

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\users\an\appdata\roaming\mozilla\firefox\profiles\vy0nmmvy.default\

FF - prefs.js: browser.startup.homepage - hxxp://gmail.com/

FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z036&form=ZGAADF&q=

FF - prefs.js: network.proxy.type - 4

FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll

FF - plugin: c:\netmarbleglobal\glbnmnpapiplugins\npGlbNMNPAPIUpdater.dll

FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll

FF - plugin: c:\program files\cambridgesoft\chemoffice2010\chemdrawmgh\NPCDPMGH32.DLL

FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\musicnotes\npmusicn.dll

FF - plugin: c:\program files\musicnotes\NPSibelius.dll

FF - plugin: c:\program files\veetle\player\npvlc.dll

FF - plugin: c:\program files\veetle\plugins\npVeetle.dll

FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

FF - plugin: c:\program files\virtools\3d life player\npvirtools.dll

FF - plugin: c:\programdata\nexonus\ngm\npNxGameUS.dll

FF - plugin: c:\users\an\appdata\local\google\update\1.3.21.65\npGoogleUpdate3.dll

FF - plugin: c:\users\an\appdata\roaming\mozilla\plugins\npgoogletalk.dll

FF - plugin: c:\users\an\appdata\roaming\mozilla\plugins\npgtpo3dautoplugin.dll

.

---- FIREFOX POLICIES ----

FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false

============= SERVICES / DRIVERS ===============

.

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-7-8 335240]

R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-7-8 27784]

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-7-8 297752]

R2 DsiWMIService;Dritek WMI Service;c:\program files\launch manager\dsiwmis.exe [2009-5-14 117256]

R2 ePowerSvc;Acer ePower Service;c:\program files\acer\acer powersmart manager\ePowerSvc.exe [2009-5-14 703008]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-3-11 366640]

R2 ODDPwrSvc;Acer ODD Power Service;c:\program files\acer\optical drive power management\ODDPWRSvc.exe [2009-5-14 118784]

R2 PStrip;PStrip;c:\windows\system32\drivers\pstrip.sys [2007-7-14 27992]

R2 RS_Service;Raw Socket Service;c:\program files\acer\acer vcm\RS_Service.exe [2009-5-14 237568]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-7-8 24652]

R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2010-3-15 127488]

R3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\L1C60x86.sys [2009-5-14 50176]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-3-11 22712]

S2 RPCER;Remote Procedure Call (HNM);c:\program files\common files\odbc\comp.exe --> c:\program files\common files\odbc\comp.exe [?]

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2008-1-20 179712]

S3 Ma1FL;Mayflash 2801 Filter Service;c:\windows\system32\drivers\Ma1FL.sys [2010-9-11 20512]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-3-11 41272]

S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]

.

=============== Created Last 30 ================

.

2011-09-04 00:26:00 0 ---ha-w- c:\windows\system32\ttgrhtufqy.tmp

2011-09-03 18:18:47 239616 ----a-w- c:\windows\system32\wscui32.dll

2011-09-03 03:59:12 -------- d-----w- c:\program files\CCleaner

2011-09-03 02:33:41 -------- d-----w- c:\program files\common files\PC Tools

2011-09-03 02:32:06 -------- d-----w- c:\programdata\PC Tools

.

==================== Find3M ====================

.

2011-08-20 23:36:38 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-07-19 15:05:24 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-07-07 05:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-07-07 05:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

.

=================== ROOTKIT ====================

.

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 6.0.6001

.

CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.

device: opened successfully

user: error reading MBR

.

Disk trace:

called modules: ntkrnlpa.exe >>UNKNOWN [0x87B47A0A]<<

_asm { MOV EDI, EDI; PUSH EBP; MOV EBP, ESP; PUSH EBX; MOV EBX, [EBP+0xc]; MOV EAX, [EBX+0x60]; MOV ECX, [EAX+0xc]; OR ECX, [EAX+0x10]; PUSH ESI; JNZ 0x94; MOV ESI, 0x200; CMP [EAX+0x4], ESI; JB 0x94; }

1 ntkrnlpa!IofCallDriver[0x820C1F6F] -> \Device\Harddisk0\DR0[0x86148940]

\Driver\disk[0x861295B0] -> IRP_MJ_READ -> 0x87B47A0A

kernel: MBR read successfully

_asm { NOP ; XOR AX, AX; NOP ; MOV DS, AX; MOV ES, AX; NOP ; MOV SS, AX; MOV SP, 0x7c00; MOV SI, 0x7c00; NOP ; MOV DI, 0x600; NOP ; MOV CX, 0x80; NOP ; CLD ; REP MOVSD ; NOP ; JMP FAR 0x0:0x626; }

user != kernel MBR !!!

Warning: possible TDL4 rootkit infection !

TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

.

============= FINISH: 23:45:43.50 ===============

Attachments: Attach.zip, mbam-log-2011-09-03 (23-28-52).txt
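Editor's note, added to this thread and not part of the original post, of the DDS tool, or of anything from Malwarebytes: the DDS log above already contains the answer to "why can't I reach Google". The two "Hosts:" lines send www.google.com and www.bing.com to 95.64.61.x, the MozillaUpdate Run entry lives under the SYSTEM profile, UAC is turned off, a service named "Remote Procedure Call (HNM)" points at a binary DDS could not read, and the Gmer check reports "user != kernel MBR". The script below pulls exactly those kinds of lines out of a DDS-style log so a responder sees them first. The heuristics, tag names and the `triage_dds`/`summarize` functions are the editor's own; the sample log is a handful of lines excerpted from the log posted above plus two benign ones for contrast.

```python
"""Triage a DDS-style log for the indicators that appear in this thread.

Added example; not code from the original post, from DDS or from
Malwarebytes. The heuristics below are the editor's own and are meant as a
first pass for a responder, not as a detection engine.
"""
import re
from dataclasses import dataclass

# Autostart locations that legitimate software almost never writes to.
SUSPICIOUS_PATH_RE = re.compile(
    r"systemprofile\\appdata|\\windows\\temp\\|\\programdata\\[^\\]+\.exe",
    re.IGNORECASE,
)
# "Hosts: <ip> <name>" lines are DDS's dump of non-default hosts entries.
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)$", re.IGNORECASE)
# DDS/ComboFix service lines end in [?] or [x] when the binary cannot be read.
SERVICE_RE = re.compile(r"^[RS]\d\s+[^;]+;[^;]+;.*\[(\?|x)\]$")
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}


@dataclass(frozen=True)
class Finding:
    kind: str    # short tag a responder can filter on
    detail: str  # the log line that triggered it


def triage_dds(log_text: str) -> list[Finding]:
    """Return the lines of a DDS-style log that deserve a human's attention."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":          # DDS prints "." for blank lines
            continue
        hosts = HOSTS_RE.match(line)
        if hosts and hosts.group(1) not in LOOPBACK:
            # A hosts entry sending a public domain to a non-loopback address
            # is a local DNS hijack; it explains "cannot access any Google sites".
            findings.append(Finding("hosts_redirect", line))
        elif line.startswith(("uRun:", "mRun:", "dRun:")) and SUSPICIOUS_PATH_RE.search(line):
            # dRun is HKU\.DEFAULT\...\Run: it fires for the SYSTEM profile,
            # which is why the path sits under config\systemprofile.
            findings.append(Finding("autorun_odd_path", line))
        elif line.startswith("BHO: {"):
            # Registered BHOs normally carry a display name before the CLSID.
            findings.append(Finding("bho_unnamed", line))
        elif line.startswith("mPolicies-system: EnableLUA = 0"):
            findings.append(Finding("uac_disabled", line))
        elif SERVICE_RE.match(line):
            # Service whose binary is missing or unreadable; a display name that
            # imitates a Windows service ("Remote Procedure Call ...") adds weight.
            findings.append(Finding("service_missing_binary", line))
        elif "user != kernel MBR" in line:
            # mbr.exe read sector 0 from user mode and from the kernel and got
            # different bytes: something is filtering disk reads.
            findings.append(Finding("mbr_mismatch", line))
        elif "network.proxy.type - 4" in line:
            # Firefox proxy mode 4 = auto-detect (WPAD); confirm the user set it.
            findings.append(Finding("proxy_autodetect", line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per kind, e.g. {"hosts_redirect": 2, ...}."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Lines excerpted from the DDS log posted above, plus two benign ones.
SAMPLE_LOG = r"""
BHO: {0000fe90-ad71-4e50-937f-fdd2c5fa488b} - c:\windows\system32\wscui32.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
uRun: [steam] "c:\program files\steam\Steam.exe" -silent
uRun: [MozillaUpdate] c:\windows\system32\config\systemprofile\appdata\local\mozilla\mozillaupdate\Mozillaupdt32.exe
dRun: [MozillaUpdate] c:\windows\system32\config\systemprofile\appdata\local\mozilla\mozillaupdate\Mozillaupdt32.exe
mPolicies-system: EnableLUA = 0 (0x0)
Hosts: 95.64.61.141 www.google.com
Hosts: 95.64.61.142 www.bing.com
FF - prefs.js: network.proxy.type - 4
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-3-11 366640]
S2 RPCER;Remote Procedure Call (HNM);c:\program files\common files\odbc\comp.exe --> c:\program files\common files\odbc\comp.exe [?]
user != kernel MBR !!!
"""

if __name__ == "__main__":
    for finding in triage_dds(SAMPLE_LOG):
        print(f"{finding.kind:24s} {finding.detail}")
    print(summarize(triage_dds(SAMPLE_LOG)))
```

Run it against a saved DDS.txt by reading the file into `triage_dds`. Note what it does not do: it does not say whether wscui32.dll or comp.exe is malicious, only that they sit where a responder should look; and a hosts entry pointing at loopback is deliberately ignored because that is how ad blockers and the default localhost line look.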


Staff

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the contents of C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.


MBAM log:

Malwarebytes' Anti-Malware 1.51.1.1800

www.malwarebytes.org

Database version: 7680

Windows 6.0.6001 Service Pack 1

Internet Explorer 7.0.6001.18000

9/8/2011 12:32:51 PM

mbam-log-2011-09-08 (12-32-51).txt

Scan type: Quick scan

Objects scanned: 164656

Time elapsed: 20 minute(s), 24 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 3

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\Windows\Temp\5609.sys (Heuristics.Shuriken) -> Quarantined and deleted successfully.

c:\Windows\Temp\61FF.tmp (Heuristics.Shuriken) -> Quarantined and deleted successfully.

c:\Windows\System32\config\systemprofile\local settings\temporary internet files\Content.IE5\YSLIK2KI\readme[1].exe (Heuristics.Shuriken) -> Quarantined and deleted successfully.

Combofix report:

ComboFix 11-09-08.03 - An 09/08/2011 12:48:46.1.1 - x86

Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3001.1167 [GMT -10:00]

Running from: c:\users\An\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free *Enabled/Updated* {0C939084-9E57-CBDB-EA61-0B0C7F62AF82}

SP: AVG Anti-Virus Free *Enabled/Updated* {B7F27160-B86D-C455-D0D1-307E04E5E53F}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\program files\Search Toolbar

c:\program files\Search Toolbar\icon.ico

c:\program files\Search Toolbar\SearchToolbar.dll

c:\program files\Search Toolbar\SearchToolbarUninstall.exe

c:\program files\Search Toolbar\SearchToolbarUpdater.exe

c:\programdata\aP21101FnNcF21101

c:\programdata\aP21101FnNcF21101\aP21101FnNcF21101

c:\programdata\aP21101FnNcF21101\aP21101FnNcF21101.exe

c:\programdata\khio.exe

c:\programdata\mqpq.exe

c:\programdata\nwoh.exe

c:\programdata\vnco.exe

c:\users\An\AppData\Roaming\.#

c:\users\An\AppData\Roaming\FFSJ

c:\users\An\AppData\Roaming\FFSJ\FFSJ.cfg

c:\users\An\AppData\Roaming\Mozilla\Firefox\Profiles\vy0nmmvy.default\extensions\{5aacee58-14fd-4889-bcd9-d0ada7fa391c}

c:\users\An\AppData\Roaming\Mozilla\Firefox\Profiles\vy0nmmvy.default\extensions\{5aacee58-14fd-4889-bcd9-d0ada7fa391c}\chrome\xulcache.jar

c:\users\An\AppData\Roaming\Mozilla\Firefox\Profiles\vy0nmmvy.default\extensions\{5aacee58-14fd-4889-bcd9-d0ada7fa391c}\install.rdf

c:\users\An\AppData\Roaming\Mozilla\Firefox\Profiles\vy0nmmvy.default\extensions\{8d4a9829-b073-4510-b037-74c599850fda}

c:\users\An\AppData\Roaming\Mozilla\Firefox\Profiles\vy0nmmvy.default\extensions\{8d4a9829-b073-4510-b037-74c599850fda}\chrome\xulcache.jar

c:\users\An\AppData\Roaming\Mozilla\Firefox\Profiles\vy0nmmvy.default\extensions\{8d4a9829-b073-4510-b037-74c599850fda}\install.rdf

c:\users\An\AppData\Roaming\Mozilla\Firefox\Profiles\vy0nmmvy.default\extensions\{d55e333d-0b8c-412b-b964-feee3541ebae}

c:\users\An\AppData\Roaming\Mozilla\Firefox\Profiles\vy0nmmvy.default\extensions\{d55e333d-0b8c-412b-b964-feee3541ebae}\chrome\xulcache.jar

c:\users\An\AppData\Roaming\Mozilla\Firefox\Profiles\vy0nmmvy.default\extensions\{d55e333d-0b8c-412b-b964-feee3541ebae}\install.rdf

c:\users\An\AppData\Roaming\Mozilla\Firefox\Profiles\vy0nmmvy.default\extensions\{f6b31a85-7bab-47dc-a0c6-356d0312c4b2}

c:\users\An\AppData\Roaming\Mozilla\Firefox\Profiles\vy0nmmvy.default\extensions\{f6b31a85-7bab-47dc-a0c6-356d0312c4b2}\chrome\xulcache.jar

c:\users\An\AppData\Roaming\Mozilla\Firefox\Profiles\vy0nmmvy.default\extensions\{f6b31a85-7bab-47dc-a0c6-356d0312c4b2}\install.rdf

.

.

((((((((((((((((((((((((( Files Created from 2011-08-08 to 2011-09-08 )))))))))))))))))))))))))))))))

.

.

2011-09-08 23:10 . 2011-09-08 23:10 -------- d-----w- c:\users\Default\AppData\Local\temp

2011-09-08 23:10 . 2011-09-08 23:11 -------- d-----w- c:\users\An\AppData\Local\temp

2011-09-08 22:32 . 2011-09-08 22:32 54016 ----a-w- c:\windows\system32\drivers\apllwk.sys

2011-09-06 02:22 . 2011-09-06 02:22 6429 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UICORE.JS

2011-09-06 02:22 . 2011-09-06 02:22 63115 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\USERTILE.JS

2011-09-06 02:22 . 2011-09-06 02:22 4599 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UIRESOURCE.JS

2011-09-06 02:22 . 2011-09-06 02:22 9310 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXTBOX.JS

2011-09-06 02:22 . 2011-09-06 02:22 8646 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TILEBOX.JS

2011-09-06 02:22 . 2011-09-06 02:22 8613 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\SAVEDUSER.JS

2011-09-06 02:22 . 2011-09-06 02:22 5927 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXT.JS

2011-09-06 02:22 . 2011-09-06 02:22 1651 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\QUERYSTRING.JS

2011-09-06 02:22 . 2011-09-06 02:22 6910 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\NEWUSERCOMM.JS

2011-09-06 02:22 . 2011-09-06 02:22 18541 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LOCALIZATION.JS

2011-09-06 02:22 . 2011-09-06 02:22 6208 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LINK.JS

2011-09-06 02:22 . 2011-09-06 02:22 8288 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\IMAGE.JS

2011-09-06 02:21 . 2011-09-06 02:21 51852 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\EXTERNALWRAPPER.JS

2011-09-06 02:21 . 2011-09-06 02:21 20719 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\DIVWRAPPER.JS

2011-09-06 02:21 . 2011-09-06 02:21 23327 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\COMBOBOX.JS

2011-09-06 02:21 . 2011-09-06 02:21 8782 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\BUTTON.JS

2011-09-06 02:21 . 2011-09-06 02:21 7271 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\CHECKBOX.JS

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-08-20 23:36 . 2011-05-31 17:06 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-07-07 05:52 . 2011-03-12 05:43 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-07-07 05:52 . 2011-03-12 05:43 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-04 04:37 . 2009-09-04 04:37 10437264 ----a-w- c:\program files\mozilla firefox\plugins\PDFNetC.dll

2009-09-04 04:58 . 2009-09-04 04:58 107760 ----a-w- c:\program files\mozilla firefox\plugins\ScorchPDFWrapper.dll

2011-08-20 04:40 . 2011-03-24 06:34 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Steam"="c:\program files\Steam\Steam.exe" [2011-08-20 1242448]

"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]

"oovoo.exe"="c:\program files\oovoo\oovoo.exe" [2011-05-18 22631608]

"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-11-11 5244216]

"Aim"="c:\program files\AIM\aim.exe" [2011-01-05 4321112]

"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2011-06-30 2648184]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-02-12 186904]

"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-04-11 7399968]

"PLFSetI"="c:\windows\PLFSetI.exe" [2008-07-30 200704]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-02-06 1430824]

"LManager"="c:\program files\Launch Manager\LManager.exe" [2009-04-09 1071624]

"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2009-03-31 62760]

"Acer ePower Management"="c:\program files\Acer\Acer PowerSmart Manager\ePowerTrayLauncher.exe" [2009-04-27 440864]

"ODDPwr"="c:\program files\Acer\Optical Drive Power Management\ODDPwr.exe" [2009-04-30 176128]

"Acer Assist Launcher"="c:\program files\Acer\Acer Assist\launcher.exe" [2007-11-19 1261568]

"Acer Product Registration"="c:\program files\Acer\Acer Registration\ACE1.exe" [2007-11-26 3387392]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-07-10 2048352]

"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-07-01 37888]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-10-16 137752]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-10-16 171032]

"Persistence"="c:\windows\system32\igfxpers.exe" [2010-10-16 170520]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]

"Home Theater SchSvr"="c:\program files\Common Files\InterVideo\SchSvr\SchSvr.exe" [2005-11-04 106496]

"WINCINEMAMGR"="c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe" [2005-11-04 266240]

"WINREMOTE"="c:\program files\InterVideo\Common\Bin\WinRemote.exe" [2005-11-04 266240]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-07 449584]

"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-07-07 1047656]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-11-02 8704]

.

c:\users\An\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

nero.bat.lnk - c:\windows\System32\nero.bat [2008-11-20 180]

OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-4-16 384000]

PowerStrip.lnk - c:\program files\PowerStrip\PStrip.exe [2009-11-1 744992]

winword.exe.lnk - c:\windows\System32\winword.exe [N/A]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Acer VCM.lnk - c:\program files\Acer\Acer VCM\AcerVCM.exe [2009-5-14 565248]

Orbit.lnk - c:\program files\Orbitdownloader\orbitdm.exe [2009-9-11 1719568]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

.

R2 RPCER;Remote Procedure Call (HNM);c:\program files\Common Files\ODBC\comp.exe [x]

R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2008-01-21 179712]

R3 Ma1FL;Mayflash 2801 Filter Service;c:\windows\system32\Drivers\Ma1FL.sys [2009-03-25 20512]

R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2010-08-30 3791352]

S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-07-09 721904]

S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-08-19 335240]

S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-08-19 297752]

S2 DsiWMIService;Dritek WMI Service;c:\program files\Launch Manager\dsiwmis.exe [2009-04-11 117256]

S2 ePowerSvc;Acer ePower Service;c:\program files\Acer\Acer PowerSmart Manager\ePowerSvc.exe [2009-04-27 703008]

S2 Giraffic;Giraffic Video Accelerator;c:\program files\Giraffic\GirafficWatchdog.exe [2011-08-24 2219664]

S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-07-07 366640]

S2 ODDPwrSvc;Acer ODD Power Service;c:\program files\Acer\Optical Drive Power Management\ODDPWRSvc.exe [2009-04-30 118784]

S2 PStrip;PStrip;c:\windows\system32\drivers\pstrip.sys [2007-07-15 27992]

S2 RS_Service;Raw Socket Service;c:\program files\Acer\Acer VCM\RS_Service.exe [2009-02-05 237568]

S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]

S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2010-03-15 127488]

S3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C60x86.sys [2009-04-01 50176]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-07-07 22712]

.

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - 5609

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

.

Contents of the 'Scheduled Tasks' folder

.

2011-07-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1720379602-1228894725-3667951651-1000Core1cc4f645c181db0.job

- c:\users\An\AppData\Local\Google\Update\GoogleUpdate.exe [2009-07-08 19:58]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.bing.com/?pc=Z036&form=ZGAPHP

mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=2&o=vp32&d=0509&m=aspire_4810t

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

TCP: DhcpNameServer = 24.25.227.55 209.18.47.61 24.25.227.53

FF - ProfilePath - c:\users\An\AppData\Roaming\Mozilla\Firefox\Profiles\vy0nmmvy.default\

FF - prefs.js: browser.startup.homepage - hxxp://gmail.com/

FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z036&form=ZGAADF&q=

FF - prefs.js: network.proxy.type - 4

FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false

.

- - - - ORPHANS REMOVED - - - -

.

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)

HKLM-Run-CheckSound - c:\program files\Common Files\Audio\snddrv.exe

HKU-Default-RunOnce-aP21101FnNcF21101 - c:\programdata\aP21101FnNcF21101\aP21101FnNcF21101.exe

AddRemove-DAEMON Tools Toolbar - c:\program files\DAEMON Tools Toolbar\uninst.exe

AddRemove-Search Toolbar - c:\program files\Search Toolbar\SearchToolbarUninstall.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-09-08 13:11

Windows 6.0.6001 Service Pack 1 NTFS

.

scanning hidden processes ...

.

c:\program files\Internet Explorer\iexplore.exe [5436] 0x88483330

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 6.0.6001

.

CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.

device: opened successfully

user: error reading MBR

kernel: MBR read successfully

user != kernel MBR !!!

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\npggsvc]

"ImagePath"="c:\windows\system32\GameMon.des -service"

.

Completion time: 2011-09-08 13:17:58

ComboFix-quarantined-files.txt 2011-09-08 23:17

.

Pre-Run: 178,065,485,824 bytes free

Post-Run: 178,474,491,904 bytes free

.

- - End Of File - - BA75EA09C84A8D7E7A6ACD378A190AF8

DDS file:

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_20

Run by An at 18:14:48 on 2011-09-08

Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3001.1271 [GMT -10:00]

.

AV: AVG Anti-Virus Free *Enabled/Updated* {0C939084-9E57-CBDB-EA61-0B0C7F62AF82}

SP: AVG Anti-Virus Free *Enabled/Updated* {B7F27160-B86D-C455-D0D1-307E04E5E53F}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

"C:\Windows\system32\svchost.exe"

"C:\Windows\system32\svchost.exe"

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k rpcss

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\SLsvc.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Launch Manager\dsiwmis.exe

C:\Program Files\Acer\Acer PowerSmart Manager\ePowerSvc.exe

C:\Program Files\Giraffic\GirafficWatchdog.exe

C:\Program Files\Acer\Optical Drive Power Management\ODDPWRSvc.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Program Files\Acer\Acer VCM\RS_Service.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe

C:\Program Files\Giraffic\Giraffic.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe

C:\Windows\PLFSetI.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Launch Manager\LManager.exe

C:\Program Files\Acer\Optical Drive Power Management\ODDPWR.exe

C:\Program Files\AVG\AVG8\avgtray.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Windows\System32\hkcmd.exe

C:\Windows\System32\igfxpers.exe

C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe

C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

C:\Windows\system32\igfxsrvc.exe

C:\Program Files\InterVideo\Common\Bin\WinRemote.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\DAEMON Tools Lite\daemon.exe

C:\Program Files\AIM\aim.exe

C:\Program Files\Acer\Acer VCM\AcerVCM.exe

C:\Program Files\Acer\Acer PowerSmart Manager\ePowerTray.exe

C:\Program Files\PowerStrip\PStrip.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\igfxext.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\igfxext.exe

C:\Windows\system32\igfxsrvc.exe

C:\Program Files\Acer\Acer PowerSmart Manager\ePowerEvent.exe

C:\Program Files\Synaptics\SynTP\SynTPHelper.exe

C:\Windows\system32\conime.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Windows\System32\svchost.exe -k swprv

C:\Windows\system32\SearchFilterHost.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.bing.com/?pc=Z036&form=ZGAPHP

mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=2&o=vp32&d=0509&m=aspire_4810t

BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: {B530A9A4-1722-4D16-AAD6-AA85E3AD2ADE} - No File

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

uRun: [steam] "c:\program files\steam\Steam.exe" -silent

uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun

uRun: [oovoo.exe] c:\program files\oovoo\oovoo.exe /minimized

uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet

uRun: [Aim] "c:\program files\aim\aim.exe" /d locale=en-US

uRun: [VeohPlugin] "c:\program files\veoh networks\veohwebplayer\veohwebplayer.exe"

mRun: [iAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe

mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe

mRun: [PLFSetI] c:\windows\PLFSetI.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [LManager] c:\program files\launch manager\LManager.exe

mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"

mRun: [Acer ePower Management] c:\program files\acer\acer powersmart manager\ePowerTrayLauncher.exe

mRun: [ODDPwr] "c:\program files\acer\optical drive power management\ODDPwr.exe"

mRun: [Acer Assist Launcher] c:\program files\acer\acer assist\launcher.exe

mRun: [Acer Product Registration] "c:\program files\acer\acer registration\ACE1.exe" /startup

mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe

mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [Home Theater SchSvr] "c:\program files\common files\intervideo\schsvr\SchSvr.exe"

mRun: [WINCINEMAMGR] "c:\program files\intervideo\common\bin\WinCinemaMgr.exe"

mRun: [WINREMOTE] "c:\program files\intervideo\common\bin\WinRemote.exe"

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

StartupFolder: c:\users\an\appdata\roaming\micros~1\windows\startm~1\programs\startup\neroba~1.lnk - c:\windows\system32\nero.bat

StartupFolder: c:\users\an\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe

StartupFolder: c:\users\an\appdata\roaming\micros~1\windows\startm~1\programs\startup\powers~1.lnk - c:\program files\powerstrip\PStrip.exe

StartupFolder: c:\users\an\appdata\roaming\micros~1\windows\startm~1\programs\startup\winwor~1.lnk - c:\windows\system32\winword.exe

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\acervc~1.lnk - c:\program files\acer\acer vcm\AcerVCM.exe

mPolicies-system: EnableLUA = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {8BC53B30-32E4-4ED3-BEF9-DB761DB77453} - hxxp://u3.sandisk.com/download/apps/LPInstaller.CAB

DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

TCP: DhcpNameServer = 24.25.227.55 209.18.47.61 24.25.227.53

TCP: Interfaces\{44CB7E77-224C-4484-B4EE-E89E3D557A02} : DhcpNameServer = 24.25.227.55 209.18.47.61 24.25.227.53

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: igfxcui - igfxdev.dll

AppInit_DLLs: c:\windows\system32\avgrsstx.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\users\an\appdata\roaming\mozilla\firefox\profiles\vy0nmmvy.default\

FF - prefs.js: browser.startup.homepage - hxxp://gmail.com/

FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z036&form=ZGAADF&q=

FF - prefs.js: network.proxy.type - 4

FF - plugin: c:\netmarbleglobal\glbnmnpapiplugins\npGlbNMNPAPIUpdater.dll

FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll

FF - plugin: c:\program files\cambridgesoft\chemoffice2010\chemdrawmgh\NPCDPMGH32.DLL

FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\musicnotes\npmusicn.dll

FF - plugin: c:\program files\musicnotes\NPSibelius.dll

FF - plugin: c:\program files\veetle\player\npvlc.dll

FF - plugin: c:\program files\veetle\plugins\npVeetle.dll

FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

FF - plugin: c:\program files\virtools\3d life player\npvirtools.dll

FF - plugin: c:\programdata\nexonus\ngm\npNxGameUS.dll

FF - plugin: c:\users\an\appdata\local\google\update\1.3.21.65\npGoogleUpdate3.dll

FF - plugin: c:\users\an\appdata\roaming\mozilla\plugins\npgoogletalk.dll

FF - plugin: c:\users\an\appdata\roaming\mozilla\plugins\npgtpo3dautoplugin.dll

.

---- FIREFOX POLICIES ----

FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false

.

============= SERVICES / DRIVERS ===============

.

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-7-8 335240]

R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-7-8 27784]

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-7-8 297752]

R2 DsiWMIService;Dritek WMI Service;c:\program files\launch manager\dsiwmis.exe [2009-5-14 117256]

R2 ePowerSvc;Acer ePower Service;c:\program files\acer\acer powersmart manager\ePowerSvc.exe [2009-5-14 703008]

R2 Giraffic;Giraffic Video Accelerator;c:\program files\giraffic\girafficwatchdog.exe --service --> c:\program files\giraffic\GirafficWatchdog.exe --service [?]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-3-11 366640]

R2 ODDPwrSvc;Acer ODD Power Service;c:\program files\acer\optical drive power management\ODDPWRSvc.exe [2009-5-14 118784]

R2 PStrip;PStrip;c:\windows\system32\drivers\pstrip.sys [2007-7-14 27992]

R2 RS_Service;Raw Socket Service;c:\program files\acer\acer vcm\RS_Service.exe [2009-5-14 237568]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-7-8 24652]

R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2010-3-15 127488]

R3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\L1C60x86.sys [2009-5-14 50176]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-3-11 22712]

S2 RPCER;Remote Procedure Call (HNM);c:\program files\common files\odbc\comp.exe --> c:\program files\common files\odbc\comp.exe [?]

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2008-1-20 179712]

S3 Ma1FL;Mayflash 2801 Filter Service;c:\windows\system32\drivers\Ma1FL.sys [2010-9-11 20512]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-3-11 41272]

S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]

.

=============== Created Last 30 ================

.

2011-09-08 23:18:19 -------- d-sh--w- C:\$RECYCLE.BIN

2011-09-08 23:18:02 -------- d-----w- c:\users\an\appdata\local\temp

2011-09-08 22:44:03 98816 ----a-w- c:\windows\sed.exe

2011-09-08 22:44:03 518144 ----a-w- c:\windows\SWREG.exe

2011-09-08 22:44:03 256000 ----a-w- c:\windows\PEV.exe

2011-09-08 22:44:03 208896 ----a-w- c:\windows\MBR.exe

.

==================== Find3M ====================

.

2011-08-20 23:36:38 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-07-07 05:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-07-07 05:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

.

=================== ROOTKIT ====================

.

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 6.0.6001

.

CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.

device: opened successfully

user: error reading MBR

.

Disk trace:

called modules: ntkrnlpa.exe >>UNKNOWN [0x88028A0A]<<

_asm { MOV EDI, EDI; PUSH EBP; MOV EBP, ESP; PUSH EBX; MOV EBX, [EBP+0xc]; MOV EAX, [EBX+0x60]; MOV ECX, [EAX+0xc]; OR ECX, [EAX+0x10]; PUSH ESI; JNZ 0x94; MOV ESI, 0x200; CMP [EAX+0x4], ESI; JB 0x94; }

1 ntkrnlpa!IofCallDriver[0x820D8F6F] -> \Device\Harddisk0\DR0[0x863B7968]

\Driver\disk[0x8590B508] -> IRP_MJ_READ -> 0x88028A0A

kernel: MBR read successfully

_asm { NOP ; XOR AX, AX; NOP ; MOV DS, AX; MOV ES, AX; NOP ; MOV SS, AX; MOV SP, 0x7c00; MOV SI, 0x7c00; NOP ; MOV DI, 0x600; NOP ; MOV CX, 0x80; NOP ; CLD ; REP MOVSD ; NOP ; JMP FAR 0x0:0x626; }

detected disk devices:

detected hooks:

\Driver\atapi -> 0x8586b1f8

user != kernel MBR !!!

Warning: possible MBR rootkit infection !

MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

.

============= FINISH: 18:15:22.01 ===============

Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
