Thread: Win32 Bamital-w infected and polymorphic?

  1. #1
    Veggedout (Junior Member)
    Join Date: May 2009
    Posts: 15

    Win32 Bamital-w infected and polymorphic?

    I have a nasty Google hijacker that was deleted by Avast, although it seems to be morphing and has now wiped out 1/2 of my desktop, my favorites, my sound, and caused a Windows host error. A remote 'virus specialist' ran ComboFix and Malwarebytes last night with no success, then said goodbye and gave me my $50 back.
    Unfortunately, my McAfee had expired and my teenager didn't notice, so we got the bug. Spybot was running and apparently didn't detect the virus. I immediately downloaded Avast. Google Chrome did download but would not run. Spybot checks only show Right Media as a problem and repaired them.
    Here are the DDS logs after disabling TeaTimer. I have the ERUNT backup.
    Help, please.



    DDS (Ver_10-03-17.01) - NTFSx86
    Run by SYSTEM at 14:02:02.99 on Tue 06/08/2010
    Internet Explorer: 8.0.6001.18904
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3069.1967 [GMT -6:00]

    SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Windows\system32\atiesrxx.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\atieclxx.exe
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\Windows\Explorer.EXE
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe
    C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    C:\Program Files\Microsoft IntelliType Pro\itype.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\Program Files\2Wire Wireless Manager\2Wire.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Alwil Software\Avast5\AvastUI.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\Electronic Arts\EADM\Core.exe
    C:\Program Files\MozyHome\mozystat.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    C:\Program Files\Google\Update\GoogleUpdate.exe
    C:\Program Files\MozyHome\mozybackup.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\MozyHome\mozybackup.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\DRIVERS\xaudio.exe
    C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
    C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
    C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Windows\servicing\TrustedInstaller.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\MSN\Toolbar\3.0.1203.0\msntask.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LV1R80Q4\dds[1].com
    C:\Windows\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uDefault_Page_URL = hxxp://www.msn.com
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0\bin\ssv.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
    BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll
    BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll
    TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
    uRun: [EPSON Stylus CX4200 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatiaea.exe /fu "c:\windows\temp\E_S42A5.tmp" /EF "HKCU"
    uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
    uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    mRun: [NMSSupport] "c:\program files\common files\intel\inteldh\nms\support\IntelHCTAgent.exe" /startup
    mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
    mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
    mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
    mRun: [AmazonGSDownloaderTray] c:\program files\amazon\amazon games & software downloader\AmazonGSDownloaderTray.exe
    mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
    mRun: [2Wire Wireless Manager] "c:\program files\2wire wireless manager\2Wire.exe" -a
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mozyho~1.lnk - c:\program files\mozyhome\mozystat.exe
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\ssv.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    Trusted Zone: finishedbasement.com\mail
    Trusted Zone: internet
    Trusted Zone: mcafee.com
    DPF: {00000130-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/ACELPACM.CAB
    DPF: {068BFA33-99F4-4BA9-887D-182386FA2931} - hxxp://p.playfirst.com/play/game/spongebobdash/SpongeBobDinerDashWeb.1.0.0.17.cab
    DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://oas.support.microsoft.com/ActiveX/MSDcode.cab
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {21BB8360-F943-447E-98F3-3C22345375A7} - hxxp://p.playfirst.com/play/game/chocolatier/ChocolatierWeb.1.0.0.13.cab
    DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
    DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {A3256902-51FA-45A0-8A97-FC1143C169D9} - hxxp://support.microsoft.com/mats/DiagWebControl.cab
    DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
    Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
    Notify: igfxcui - igfxdev.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    Hosts: 127.0.0.1 www.spywareinfo.com

    ============= SERVICES / DRIVERS ===============

    R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-5-13 28544]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-6-7 164048]
    R2 Amazon Download Agent;Amazon Download Agent;c:\program files\amazon\amazon games & software downloader\AmazonGSDownloaderService.exe [2009-9-18 297472]
    R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-4-28 176128]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-6-7 19024]
    R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-6-7 51792]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-7 40384]
    R2 MCLServiceATL;Intel(R) Application Tracker;c:\program files\intel\inteldh\intel media server\shells\MCLServiceATL.exe [2006-11-18 174552]
    R2 nmsgopro;GoProto Protocol Driver for NMS;c:\windows\system32\drivers\nmsgopro.sys [2006-9-27 28672]
    R2 nmsunidr;UniDriver for NMS;c:\windows\system32\drivers\nmsunidr.sys [2006-10-19 7424]
    R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-3-16 1153368]
    R3 2WXG7053;2W 802.11g XG705 SP3 Driver;c:\windows\system32\drivers\wlanUIG.sys [2007-4-24 358304]
    R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-7 40384]
    R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-7 40384]
    R3 IntelDH;IntelDH Driver;c:\windows\system32\drivers\IntelDH.sys [2008-3-25 5504]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-6-7 136176]
    S4 DQLWinService;DQLWinService;c:\program files\common files\intel\inteldh\nms\adpplugins\DQLWinService.exe [2006-10-29 208896]

    =============== Created Last 30 ================

    2010-06-08 05:56:07 0 d-s---w- C:\cf20359c
    2010-06-08 05:51:11 0 d-s---w- C:\cf
    2010-06-08 05:32:06 98816 ----a-w- c:\windows\sed.exe
    2010-06-08 05:32:06 77312 ----a-w- c:\windows\MBR.exe
    2010-06-08 05:32:06 256512 ----a-w- c:\windows\PEV.exe
    2010-06-08 05:32:06 161792 ----a-w- c:\windows\SWREG.exe
    2010-06-08 05:30:28 0 d-sh--w- C:\%APPDATA%
    2010-06-08 05:20:12 0 d-----w- c:\windows\system32\config\system~1\appdata\roaming\Malwarebytes
    2010-06-08 05:20:03 0 d-----w- C:\mb1
    2010-06-08 05:07:45 0 d-----w- c:\program files\remotehelp35
    2010-06-07 18:29:56 0 d-----w- c:\program files\Safer Networking
    2010-06-07 16:34:29 51792 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2010-06-07 16:34:05 0 d-----w- c:\programdata\Alwil Software
    2010-05-25 01:05:35 47 ----a-w- C:\config.ini
    2010-05-12 13:43:40 738816 ----a-w- c:\windows\system32\inetcomm.dll

    ==================== Find3M ====================

    2010-04-29 21:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-04-29 21:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-03-16 22:49:20 51200 ----a-w- c:\windows\inf\infpub.dat
    2010-03-16 22:49:20 143360 ----a-w- c:\windows\inf\infstrng.dat
    2010-03-16 22:49:19 143360 ----a-w- c:\windows\inf\infstor.dat
    2009-12-11 00:37:25 665600 ----a-w- c:\windows\inf\drvindex.dat
    2009-08-10 15:29:21 174 --sha-w- c:\program files\desktop.ini
    2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
    2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
    2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
    2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
    2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
    2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
    2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
    2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
    2009-07-29 07:32:29 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\temp\cookies\index.dat
    2009-07-29 07:32:29 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\temp\history\history.ie5\index.dat
    2009-07-29 07:32:29 32768 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\temp\temporary internet files\content.ie5\index.dat
    2010-01-03 08:39:39 245760 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
    2009-12-10 06:08:45 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
    2008-03-25 21:15:27 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

    ============= FINISH: 14:03:28.64 ===============

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-03-17.01)

    Microsoft® Windows Vista™ Home Premium
    Boot Device: \Device\HarddiskVolume3
    Install Date: 3/25/2008 7:22:02 AM
    System Uptime: 6/8/2010 1:54:10 PM (1 hours ago)

    Motherboard: Dell Inc. | | 0WG860
    Processor: Intel(R) Core(TM)2 CPU 6420 @ 2.13GHz | Microprocessor | 2128/1066mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 288 GiB total, 129.074 GiB free.
    D: is FIXED (NTFS) - 10 GiB total, 3.542 GiB free.
    E: is CDROM ()

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================


    ==== Installed Programs ======================

    2Wire Wireless Manager
    3D Home Design Suite
    926plv32
    Adobe Flash Player 10 ActiveX
    Adobe Reader 8.1.5
    Adobe Shockwave Player 11.5
    Amazon Games & Software Downloader
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    ArcSoft Panorama Maker 4
    Ask Toolbar
    ATI Catalyst Install Manager
    avast! Free Antivirus
    Avenue Flo
    Bonjour
    Bonus Content - Architectural Accents
    Bonus Content - Ceiling Fans
    Bonus Content - Dining Room Items December 2005
    Bonus Content - Exterior Fireplaces
    Bonus Content - Home Gym Items
    Bonus Content - Home Theater Items
    Bonus Content - Indoor Fireplaces
    Bonus Content - Kitchen Accessories
    Bonus Content - Kitchen Appliances
    Bonus Content - Landscape Beds
    Bonus Content - Landscape Statuary
    Bonus Content - Rec-Room Items
    Bonus Content - Vehicles
    Browser Address Error Redirector
    Burger Shop 2
    Chocolatier - Decadence by Design
    Chocolatier 2 Secret Ingredients
    Comcast High-Speed Internet Install Wizard
    Conexant HDA D110 MDC V.92 Modem
    Cooking Academy 2
    Cooking Academy!
    Cooking Dash
    Dell Getting Started Guide
    Dell Support Center (Support Software)
    DellSupport
    Desktop Doctor
    Digital Line Detect
    Diner Dash - Flo on the Go
    Diner Dash 2
    Dream Day First Home
    EA Download Manager
    EPSON Printer Software
    EPSON Scan
    ERUNT 1.1j
    Fee Fi Flo Fun (Diner Dash Hometown Hero - Gourmet)
    Garmin WebUpdater
    Go-Go Gourmet
    Google Chrome
    Google Update Helper
    GoToAssist 8.0.0.514
    GoToMeeting 4.0.0.320
    HijackThis 2.0.2
    Home Designer Suite 8
    Home Designer Tutorial Training Videos
    Home Sweet Home 2
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) Matrix Storage Manager
    Intel(R) PRO Network Connections 11.2.1.69
    Intel(R) Viiv(TM) Software
    iTunes
    Java(TM) SE Runtime Environment 6
    JoJo's Fashion Show 2
    Jojos Fashion Show
    KB408682
    Malwarebytes' Anti-Malware
    McAfee Virtual Technician
    Microsoft .NET Framework 3.5 SP1
    Microsoft Application Error Reporting
    Microsoft IntelliPoint 7.0
    Microsoft IntelliType Pro 6.2
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Groove MUI (English) 2007
    Microsoft Office Groove Setup Metadata MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office Outlook Connector
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Silverlight
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Works
    Microsoft WSE 3.0 Runtime
    Microsoft Zoo Tycoon
    MobileMe Control Panel
    Modem Diagnostic Tool
    Move Media Player
    MozyHome Remote Backup
    MSN Toolbar
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB941833)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    Music Transfer
    Music, Photos & Videos Launcher
    NetWaiting
    Nikon Message Center
    Nikon Transfer
    OGA Notifier 2.0.0048.0
    Panda ActiveScan 2.0
    Picasa 3
    Primo
    Product Documentation Launcher
    QuickTime
    Restaurant Empire
    Roxio Creator Audio
    Roxio Creator BDAV Plugin
    Roxio Creator Copy
    Roxio Creator Data
    Roxio Creator DE
    Roxio Creator Tools
    Roxio Express Labeler
    Roxio MyDVD DE
    Roxio Update Manager
    RunAlyzer
    Safari
    SCION OEL Screensaver Studio
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for 2007 Microsoft Office System (KB978380)
    Security Update for Microsoft Office Excel 2007 (KB978382)
    Security Update for Microsoft Office Outlook 2007 (KB972363)
    Security Update for Microsoft Office PowerPoint 2007 (KB957789)
    Security Update for Microsoft Office Publisher 2007 (KB980470)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB969613)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB969604)
    Shockwave
    SigmaTel Audio
    Sonic Activation Module
    Sony Picture Utility
    Spelling Dictionaries Support For Adobe Reader 8
    Spybot - Search & Destroy
    Supermarket Management
    The Great Chocolate Chase
    The Sims 2
    The Sims 2 Open For Business
    The Sims 2 Pets
    The Sims™ 3
    Typing Instructor Deluxe
    Update for 2007 Microsoft Office System (KB967642)
    Update for 2007 Microsoft Office System (KB981715)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Office Access 2007 Help (KB957241)
    Update for Microsoft Office Excel 2007 Help (KB957242)
    Update for Microsoft Office InfoPath 2007 (KB976416)
    Update for Microsoft Office Infopath 2007 Help (KB963662)
    Update for Microsoft Office OneNote 2007 (KB980729)
    Update for Microsoft Office OneNote 2007 Help (KB957245)
    Update for Microsoft Office Outlook 2007 Help (KB957246)
    Update for Microsoft Office Powerpoint 2007 Help (KB963669)
    Update for Microsoft Office Publisher 2007 Help (KB957249)
    Update for Microsoft Office Word 2007 Help (KB963665)
    Update for Microsoft Script Editor Help (KB957253)
    Update for Outlook 2007 Junk Email Filter (kb981726)
    User's Guides
    Windows Live installer
    Windows Live Mail
    Windows Live Sign-in Assistant
    WMC - A Darker Shade of Grey
    XnView 1.96

    ==== End Of File ===========================

  2. #2
    Blade81 (Security Expert: Emeritus)
    Join Date: Oct 2006
    Location: Finland
    Posts: 25,288


    Hi,

    Update MBAM and run quick scan with it deleting all found items. Post back the report.

    Does c:\ComboFix.txt log exist? If it does, post back its contents.

    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  3. #3
    Veggedout (Junior Member)
    Join Date: May 2009
    Posts: 15

    MBAM log

    Thanks for your response!
    ComboFix would not run last week when the remote tech instructed me to try. Should I try again?
    Although the MBAM log looks clean, I am still being redirected to random sites on Google searches or any links (I have to manually type the intended sites into the address bar to get anywhere). Also, my Windows updater appears to have been disabled since May 13. The error message is 80072EFE, which I was unable to fix. I'm now getting a Windows error message that a Windows host process in Windows services had to close. Obviously, I'm still hijacked.
    I appreciate any help you can offer!
    Wendy
    Here's the MBAM log you requested. I had already run it last week. That log was clean too.




    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4052

    Windows 6.0.6002 Service Pack 2
    Internet Explorer 8.0.6001.18904

    6/14/2010 12:39:54 PM
    mbam-log-2010-06-14 (12-39-54).txt

    Scan type: Quick scan
    Objects scanned: 139945
    Time elapsed: 6 minute(s), 27 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

  4. #4
    Blade81 (Security Expert: Emeritus)
    Join Date: Oct 2006
    Location: Finland
    Posts: 25,288


    Yes, please run ComboFix (let it update itself) after making sure Avast components are disabled first.

  5. #5
    Blade81 (Security Expert: Emeritus)
    Join Date: Oct 2006
    Location: Finland
    Posts: 25,288


    Still there?

  6. #6
    Veggedout (Junior Member)
    Join Date: May 2009
    Posts: 15

    ComboFix would not update itself

    The error said it was out of date and would run with limited functionality.

  7. #7
    Veggedout (Junior Member)
    Join Date: May 2009
    Posts: 15

    ComboFix log results

    Redownloaded it, and here's the log:

    ComboFix 10-06-20.03 - Wendy 06/20/2010 19:35:57.2.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3069.2000 [GMT -6:00]
    Running from: c:\users\Wendy\Desktop\ComboFix.exe
    SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\feed.txt
    c:\users\Wendy\AppData\Local\Windows Server
    c:\users\Wendy\AppData\Local\Windows Server\flags.ini
    c:\users\Wendy\AppData\Local\Windows Server\uses32.dat
    c:\users\Wendy\g2mdlhlpx.exe
    c:\users\Wendy\GoToAssistDownloadHelper.exe
    c:\windows\system32\%appdata%

    Infected copy of c:\windows\system32\drivers\ecache.sys was found and disinfected
    Restored copy from - Kitty ate it :p
    .
    ((((((((((((((((((((((((( Files Created from 2010-05-21 to 2010-06-21 )))))))))))))))))))))))))))))))
    .

    2010-06-21 01:51 . 2010-06-21 01:54 -------- d-----w- c:\users\Wendy\AppData\Local\temp
    2010-06-21 01:51 . 2010-06-21 01:51 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
    2010-06-21 01:51 . 2010-06-21 01:51 -------- d-----w- c:\users\IUSR_NMPR(923)\AppData\Local\temp
    2010-06-21 01:51 . 2010-06-21 01:51 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-06-21 01:26 . 2010-06-21 01:29 -------- d-----w- c:\windows\system32\catroot2
    2010-06-08 23:15 . 2010-06-08 23:15 -------- d-----w- c:\users\Wendy\AppData\Roaming\Sammsoft
    2010-06-08 22:48 . 2010-06-08 22:48 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Roaming\Sammsoft
    2010-06-08 22:48 . 2010-06-08 22:48 -------- d-----w- c:\program files\MemTurbo 4
    2010-06-08 22:47 . 2010-06-08 22:48 -------- d-----w- c:\program files\Advanced Registry Optimizer
    2010-06-08 05:51 . 2010-06-08 05:56 -------- d-----w- C:\cf
    2010-06-08 05:30 . 2010-06-08 05:30 -------- d-----w- C:\%APPDATA%
    2010-06-08 05:20 . 2010-06-08 05:20 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Roaming\Malwarebytes
    2010-06-08 05:20 . 2010-06-14 18:32 -------- d-----w- C:\mb1
    2010-06-08 05:07 . 2010-06-08 18:10 -------- d-----w- c:\program files\remotehelp35
    2010-06-08 03:29 . 2010-06-08 03:29 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Roaming\GTek
    2010-06-08 03:29 . 2010-06-08 03:29 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\Apple Computer
    2010-06-07 18:53 . 2010-06-07 18:53 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\2Wire
    2010-06-07 18:29 . 2010-06-07 18:29 -------- d-----w- c:\program files\Safer Networking
    2010-06-07 16:34 . 2010-05-06 20:39 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-06-07 16:34 . 2010-05-06 20:39 164048 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-06-07 16:34 . 2010-05-06 20:34 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-06-07 16:34 . 2010-05-06 20:33 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2010-06-07 16:34 . 2010-05-06 20:34 51792 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2010-06-07 16:34 . 2010-05-06 20:59 38848 ----a-w- c:\windows\system32\avastSS.scr
    2010-06-07 16:34 . 2010-05-06 20:59 165032 ----a-w- c:\windows\system32\aswBoot.exe
    2010-06-07 16:34 . 2010-06-07 16:34 -------- d-----w- c:\programdata\Alwil Software
    2010-06-07 16:34 . 2010-06-07 16:34 -------- d-----w- c:\program files\Alwil Software

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-06-08 19:45 . 2009-05-01 13:51 -------- d-----w- c:\program files\ERUNT
    2010-06-08 19:40 . 2008-08-15 13:08 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2010-06-08 03:29 . 2009-08-10 16:02 -------- d-----w- c:\programdata\McAfee
    2010-06-08 03:29 . 2009-08-10 16:06 -------- d-----w- c:\program files\McAfee
    2010-06-07 16:35 . 2008-03-25 13:39 -------- d-----w- c:\program files\Google
    2010-05-25 01:51 . 2008-04-12 23:10 -------- d-----w- c:\programdata\Microsoft Help
    2010-05-13 09:02 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
    2010-04-29 21:39 . 2009-05-11 14:13 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-04-29 21:39 . 2009-05-11 14:13 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-04-29 19:04 . 2009-09-18 15:37 -------- d-----w- c:\program files\Burger Shop 2
    2008-03-25 21:15 . 2008-03-25 21:02 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    2010-02-04 22:50 1197448 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2]
    @="{747E722C-CB46-4a9d-BDFE-192AAD5099B1}"
    [HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4a9d-BDFE-192AAD5099B1}]
    2010-01-04 18:36 2848568 ----a-w- c:\program files\MozyHome\mozyshell.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3]
    @="{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}"
    [HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}]
    2010-01-04 18:36 2848568 ----a-w- c:\program files\MozyHome\mozyshell.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
    "EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-09-03 3342336]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
    "AROReminder"="c:\program files\Advanced Registry Optimizer\ARO.exe" [2009-12-28 2137600]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NMSSupport"="c:\program files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" [2006-09-26 423424]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-02-09 98304]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-02-09 106496]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2007-02-09 81920]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
    "itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2007-08-31 988584]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
    "AmazonGSDownloaderTray"="c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe" [2009-05-20 223744]
    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-06-01 1468296]
    "2Wire Wireless Manager"="c:\program files\2Wire Wireless Manager\2Wire.exe" [2007-05-02 61440]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-16 141608]
    "avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-05-06 2815192]

    c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    MemTurbo.lnk - c:\program files\MemTurbo 4\MemTurbo.exe [2010-6-8 3121760]

    c:\users\Wendy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
    Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2009-12-9 385024]

    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    MozyHome Status.lnk - c:\program files\MozyHome\mozystat.exe [2010-1-4 2893624]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
    @="FSFilter System Recovery"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Digital Line Detect.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Digital Line Detect.lnk
    backup=c:\windows\pss\Digital Line Detect.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Nikon Monitor.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Nikon Monitor.lnk
    backup=c:\windows\pss\Nikon Monitor.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKLM\~\startupfolder\C:^Users^Wendy^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^ERUNT AutoBackup.lnk]
    path=c:\users\Wendy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
    backup=c:\windows\pss\ERUNT AutoBackup.lnk.Startup
    backupExtension=.Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CCUTRAYICON]
    FactoryMode [X]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ddoctorv2]
    2008-04-24 20:25 202560 ----a-w- c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
    2007-03-15 17:09 460784 ----a-w- c:\program files\DellSupport\DSAgnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
    2008-08-14 06:04 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
    2008-02-14 00:21 16384 ----a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    2008-10-25 17:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
    2006-03-20 23:34 213936 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
    2006-03-20 23:34 86960 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2009-11-11 05:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
    "VistaSp2"=hex(b):bf,b2,e2,06,fb,79,ca,01

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-139897504-4062219054-472764904-1001]
    "EnableNotificationsRef"=dword:00000002

    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-06-07 136176]
    R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-04-29 38224]
    R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [x]
    R4 DQLWinService;DQLWinService;c:\program files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe [2006-10-29 208896]
    S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-06-19 28544]
    S1 aswSP;aswSP; [x]
    S2 Amazon Download Agent;Amazon Download Agent;c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [2009-05-20 297472]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-04-29 176128]
    S2 aswFsBlk;aswFsBlk; [x]
    S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-05-06 51792]
    S2 nmsgopro;GoProto Protocol Driver for NMS;c:\windows\system32\DRIVERS\nmsgopro.sys [2006-09-27 28672]
    S2 nmsunidr;UniDriver for NMS;c:\windows\system32\DRIVERS\nmsunidr.sys [2006-10-19 7424]
    S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
    S3 2WXG7053;2W 802.11g XG705 SP3 Driver;c:\windows\system32\DRIVERS\WlanUIG.sys [2007-04-24 358304]
    S3 IntelDH;IntelDH Driver;c:\windows\system32\Drivers\IntelDH.sys [2008-03-25 5504]

    .
    Contents of the 'Scheduled Tasks' folder

    2010-06-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cb0c3e221e4d60.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-06-07 16:34]

    2010-06-21 c:\windows\Tasks\User_Feed_Synchronization-{532FF140-2A09-42FF-8385-73441A00CE30}.job
    - c:\windows\system32\msfeedssync.exe [2010-03-30 04:54]

    2010-06-07 c:\windows\Tasks\User_Feed_Synchronization-{93DC065B-4443-44F7-ACAE-374AA9374DB1}.job
    - c:\windows\system32\msfeedssync.exe [2010-03-30 04:54]
    .
    .
    ------- Supplementary Scan -------
    .
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    Trusted Zone: finishedbasement.com\mail
    Trusted Zone: internet
    Trusted Zone: mcafee.com
    DPF: {068BFA33-99F4-4BA9-887D-182386FA2931} - hxxp://p.playfirst.com/play/game/spongebobdash/SpongeBobDinerDashWeb.1.0.0.17.cab
    DPF: {21BB8360-F943-447E-98F3-3C22345375A7} - hxxp://p.playfirst.com/play/game/chocolatier/ChocolatierWeb.1.0.0.13.cab
    .
    - - - - ORPHANS REMOVED - - - -

    WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
    Notify-GoToAssist - c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
    SafeBoot-dmboot.sys
    SafeBoot-dmio.sys
    SafeBoot-dmload.sys
    SafeBoot-dmadmin
    SafeBoot-dmserver
    SafeBoot-mcmscsvc
    SafeBoot-MCODS
    SafeBoot-SRService



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-06-20 19:53
    Windows 6.0.6002 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-139897504-4062219054-472764904-1001\Software\SecuROM\License information*]
    "datasecu"=hex:fc,f5,f8,db,b6,60,c9,b7,f9,bb,c1,15,32,66,e9,13,6a,90,5d,e3,99,
    db,6b,f2,89,d2,1e,26,be,13,30,00,36,56,09,5f,e3,cb,04,de,9a,a8,9b,7d,c0,c1,\
    "rkeysecu"=hex:13,bc,65,e8,99,ca,9b,6c,d6,f6,b0,9e,31,58,74,dd

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'Explorer.exe'(3968)
    c:\program files\MozyHome\mozyshell.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\atieclxx.exe
    c:\program files\Alwil Software\Avast5\AvastSvc.exe
    c:\program files\Intel\IntelDH\CCU\AlertService.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    c:\program files\MozyHome\mozybackup.exe
    c:\program files\MozyHome\mozybackup.exe
    c:\windows\system32\DRIVERS\xaudio.exe
    c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
    c:\program files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
    c:\program files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
    c:\windows\system32\wbem\unsecapp.exe
    c:\windows\servicing\TrustedInstaller.exe
    .
    **************************************************************************
    .
    Completion time: 2010-06-20 20:04:48 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-06-21 02:04
    ComboFix2.txt 2009-05-11 16:32

    Pre-Run: 130,736,635,904 bytes free
    Post-Run: 130,702,823,424 bytes free

    - - End Of File - - 02CE756528970B986D78F7BBC4007AA9

  8. #8
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Please post a fresh dds log too.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  9. #9
    Junior Member Veggedout's Avatar
    Join Date
    May 2009
    Posts
    15

    Default Updated DDS file

    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Wendy at 0:35:55.21 on Mon 06/21/2010
    Internet Explorer: 8.0.6001.18904
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3069.1498 [GMT -6:00]

    SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Windows\system32\atiesrxx.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\atieclxx.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
    C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    C:\Program Files\Google\Update\GoogleUpdate.exe
    C:\Program Files\MozyHome\mozybackup.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\MozyHome\mozybackup.exe
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\DRIVERS\xaudio.exe
    C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
    C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
    C:\Program Files\MozyHome\mozybackup.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    C:\Program Files\Microsoft IntelliType Pro\itype.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\Program Files\2Wire Wireless Manager\2Wire.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Alwil Software\Avast5\AvastUI.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\MozyHome\mozystat.exe
    C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Windows\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\MSN\Toolbar\3.0.1203.0\msntask.exe
    C:\Windows\servicing\TrustedInstaller.exe
    C:\Windows\System32\svchost.exe -k swprv
    C:\Windows\system32\wuauclt.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
    C:\Windows\system32\msiexec.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\mcbuilder.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\SoftwareDistribution\Download\Install\windows-kb890830-v3.8-delta.exe
    c:\bd6ed91238eb8998ebecd4a285e9\mrtstub.exe
    C:\Windows\system32\MRT.exe
    C:\Users\Wendy\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QWPUBDZ8\dds[1].scr
    C:\Windows\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0\bin\ssv.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
    BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll
    BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll
    TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
    uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
    uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    uRun: [AROReminder] c:\program files\advanced registry optimizer\ARO.exe -rem
    mRun: [NMSSupport] "c:\program files\common files\intel\inteldh\nms\support\IntelHCTAgent.exe" /startup
    mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
    mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
    mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
    mRun: [AmazonGSDownloaderTray] c:\program files\amazon\amazon games & software downloader\AmazonGSDownloaderTray.exe
    mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
    mRun: [2Wire Wireless Manager] "c:\program files\2wire wireless manager\2Wire.exe" -a
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
    StartupFolder: c:\users\wendy\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
    StartupFolder: c:\users\wendy\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
    StartupFolder: c:\users\wendy\appdata\roaming\micros~1\windows\startm~1\programs\startup\pictur~1.lnk - c:\program files\sony\sony picture utility\pmbcore\SPUVolumeWatcher.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mozyho~1.lnk - c:\program files\mozyhome\mozystat.exe
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\ssv.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    Trusted Zone: finishedbasement.com\mail
    Trusted Zone: internet
    Trusted Zone: mcafee.com
    DPF: {00000130-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/ACELPACM.CAB
    DPF: {068BFA33-99F4-4BA9-887D-182386FA2931} - hxxp://p.playfirst.com/play/game/spongebobdash/SpongeBobDinerDashWeb.1.0.0.17.cab
    DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://oas.support.microsoft.com/ActiveX/MSDcode.cab
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {21BB8360-F943-447E-98F3-3C22345375A7} - hxxp://p.playfirst.com/play/game/chocolatier/ChocolatierWeb.1.0.0.13.cab
    DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
    DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {A3256902-51FA-45A0-8A97-FC1143C169D9} - hxxp://support.microsoft.com/mats/DiagWebControl.cab
    DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
    DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/VistaMSNPUplden-us.cab
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
    Notify: igfxcui - igfxdev.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

    ============= SERVICES / DRIVERS ===============

    R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-5-13 28544]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-6-7 164048]
    R2 Amazon Download Agent;Amazon Download Agent;c:\program files\amazon\amazon games & software downloader\AmazonGSDownloaderService.exe [2009-9-18 297472]
    R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-4-28 176128]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-6-7 19024]
    R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-6-7 51792]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-7 40384]
    R2 MCLServiceATL;Intel(R) Application Tracker;c:\program files\intel\inteldh\intel media server\shells\MCLServiceATL.exe [2006-11-18 174552]
    R2 nmsgopro;GoProto Protocol Driver for NMS;c:\windows\system32\drivers\nmsgopro.sys [2006-9-27 28672]
    R2 nmsunidr;UniDriver for NMS;c:\windows\system32\drivers\nmsunidr.sys [2006-10-19 7424]
    R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-3-16 1153368]
    R3 2WXG7053;2W 802.11g XG705 SP3 Driver;c:\windows\system32\drivers\wlanUIG.sys [2007-4-24 358304]
    R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-7 40384]
    R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-7 40384]
    R3 IntelDH;IntelDH Driver;c:\windows\system32\drivers\IntelDH.sys [2008-3-25 5504]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-6-7 136176]
    S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-9-15 21504]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-5-11 38224]
    S4 DQLWinService;DQLWinService;c:\program files\common files\intel\inteldh\nms\adpplugins\DQLWinService.exe [2006-10-29 208896]

    =============== Created Last 30 ================

    2010-06-21 06:35:20 0 d-----w- C:\bd6ed91238eb8998ebecd4a285e9
    2010-06-21 06:35:04 221568 ------w- c:\windows\system32\MpSigStub.exe
    2010-06-21 06:15:38 0 d-----w- c:\program files\Windows Portable Devices
    2010-06-21 06:15:27 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
    2010-06-21 06:15:17 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
    2010-06-21 02:20:42 81920 ----a-w- c:\windows\system32\wpdbusenum.dll
    2010-06-21 02:19:43 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
    2010-06-21 02:19:43 4096 ----a-w- c:\windows\system32\oleaccrc.dll
    2010-06-21 02:19:43 234496 ----a-w- c:\windows\system32\oleacc.dll
    2010-06-21 02:18:17 0 d-sh--w- c:\windows\system32\%APPDATA%
    2010-06-21 02:14:02 310784 ----a-w- c:\windows\system32\unregmp2.exe
    2010-06-21 02:14:01 8147456 ----a-w- c:\windows\system32\wmploc.DLL
    2010-06-21 02:04:06 0 d-sh--w- C:\$RECYCLE.BIN
    2010-06-21 01:26:43 0 d-----w- c:\windows\system32\catroot2
    2010-06-21 01:22:56 98816 ----a-w- c:\windows\sed.exe
    2010-06-21 01:22:56 77312 ----a-w- c:\windows\MBR.exe
    2010-06-21 01:22:56 256512 ----a-w- c:\windows\PEV.exe
    2010-06-21 01:22:56 161792 ----a-w- c:\windows\SWREG.exe
    2010-06-08 23:15:18 0 d-----w- c:\users\wendy\appdata\roaming\Sammsoft
    2010-06-08 22:48:00 0 d-----w- c:\program files\MemTurbo 4
    2010-06-08 22:47:42 0 d-----w- c:\program files\Advanced Registry Optimizer
    2010-06-08 05:51:11 0 d-----w- C:\cf
    2010-06-08 05:30:28 0 d-----w- C:\%APPDATA%
    2010-06-08 05:20:03 0 d-----w- C:\mb1
    2010-06-08 05:07:45 0 d-----w- c:\program files\remotehelp35
    2010-06-07 18:29:56 0 d-----w- c:\program files\Safer Networking
    2010-06-07 16:34:29 51792 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2010-06-07 16:34:05 0 d-----w- c:\programdata\Alwil Software
    2010-05-25 01:05:35 47 ----a-w- C:\config.ini

    ==================== Find3M ====================

    2010-06-21 06:15:31 665600 ----a-w- c:\windows\inf\drvindex.dat
    2010-06-21 06:15:31 51200 ----a-w- c:\windows\inf\infpub.dat
    2010-06-21 06:15:31 143360 ----a-w- c:\windows\inf\infstrng.dat
    2010-06-21 06:15:31 143360 ----a-w- c:\windows\inf\infstor.dat
    2010-04-29 21:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-04-29 21:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-08-10 15:29:21 174 --sha-w- c:\program files\desktop.ini
    2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
    2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
    2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
    2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
    2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
    2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
    2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
    2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
    2009-07-29 07:32:29 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\temp\cookies\index.dat
    2009-07-29 07:32:29 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\temp\history\history.ie5\index.dat
    2009-07-29 07:32:29 32768 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\temp\temporary internet files\content.ie5\index.dat
    2010-01-03 08:39:39 245760 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
    2009-12-10 06:08:45 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
    2008-03-25 21:15:27 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

    ============= FINISH: 0:36:56.33 ===============

  10. #10
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi,

    Update MBAM on its update tab and run a quick scan (delete its findings). Post back the report.


    Open notepad and copy/paste the text in the quotebox below into it:

    Code:
    DDS::
    TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File

    Save this as CFScript

    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.



    Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe
    Then post the resultant log.


    Uninstall Ask Toolbar if not installed on purpose.


    Uninstall old Adobe Reader versions and get the latest one (both 9.3 and update 9.3.2) here or get Foxit Reader here. Make sure you don't install the toolbar if you choose Foxit Reader! You may also check the free readers introduced here.



    Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

    Updating Java:
    • Download the latest version of Java Runtime Environment (JRE) 6 Update 20.
    • Click the Download button to the right.
    • Select Windows in the platform combobox and check the box that says: Accept License Agreement. Click continue.
    • The page will refresh.
    • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u20-windows-i586-p.exe to install the newest version. Uncheck Carbonite online backup trial if it's offered there.




    Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

    Double-click ATF Cleaner.exe to open it

    Under Main choose:
    Windows Temp
    Current User Temp
    All Users Temp
    Cookies
    Temporary Internet Files
    Java Cache

    *The other boxes are optional*
    Then click the Empty Selected button.

    If you use Firefox:
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    If you use Opera:
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Click Exit on the Main menu to close the program.


    Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here.


    Post back its report, a fresh dds.txt log and the above-mentioned ComboFix resultant log.
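As an added example, not from the thread and not part of DDS or ComboFix: a small parser for the "Pseudo HJT Report" section of a DDS log that picks out the orphan toolbar registration ("No File") that Blade81's CFScript removes, builds the matching "DDS::" script text, and also reports any CLSID registered both as a BHO and as a toolbar, as the Ask Toolbar is in the log above. The function names and the sample lines are my own (the sample is copied from the posted log).

```python
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines taken from the "Pseudo HJT Report"
# section of the DDS log posted above (not a complete log).
SAMPLE_HJT = r"""
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
"""

# Matches "BHO:" / "TB:" lines: an optional display name, a {CLSID}, " - ", then the path.
# A CLSID is 32 hex digits plus 4 hyphens inside braces (36 characters).
_HJT_RE = re.compile(
    r"^(?P<kind>BHO|TB): (?:(?P<name>.*?): )?(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$"
)


@dataclass(frozen=True)
class HjtEntry:
    kind: str   # "BHO" (browser helper object) or "TB" (Internet Explorer toolbar)
    name: str   # display name, "" when the log shows none (typical for orphans)
    clsid: str  # lower-cased so the BHO and TB rows of one object compare equal
    path: str   # DLL path, or "No File" when the registration points at nothing
    raw: str    # the original log line, reused verbatim in the CFScript


def parse_hjt(text):
    """Return the BHO/TB entries in a DDS Pseudo HJT Report; other line kinds are ignored."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = _HJT_RE.match(line)
        if m:
            entries.append(HjtEntry(m["kind"], m["name"] or "", m["clsid"].lower(), m["path"], line))
    return entries


def find_orphans(entries):
    """Registrations whose DLL is gone ("No File"): leftovers worth cleaning, as the helper's script does."""
    return [e for e in entries if e.path.strip().lower() == "no file"]


def clsids_in_both(entries):
    """CLSIDs registered both as a BHO and as a toolbar (the Ask Toolbar pattern in the log above)."""
    by_kind = {"BHO": set(), "TB": set()}
    for e in entries:
        by_kind[e.kind].add(e.clsid)
    return by_kind["BHO"] & by_kind["TB"]


def cfscript_for(entries):
    """Build the CFScript text: a 'DDS::' header followed by the log lines to act on."""
    return "DDS::\n" + "".join(e.raw + "\n" for e in entries)


if __name__ == "__main__":
    found = parse_hjt(SAMPLE_HJT)
    print(cfscript_for(find_orphans(found)))
    print("registered as both BHO and TB:", sorted(clsids_in_both(found)))
```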
