View Full Version : Bad Malware Infection
BradPattullo
2010-07-03, 20:06
Hello,
You helped me out once before and my system has been running fine until recently when, in a lapse of good judgment, I used uTorrent. I have since uninstalled the software, but the problems persist. Ironically, the infection seems to be affecting my wife's profile only. She gets popups constantly (I can hear them "popping" as I type this), which are often porn, phony virus removal software, or offers for free Viagra. Additionally, I cannot run Spybot SD or HiJack This or even the Add/Remove Programs utility when logged into her account. If you can help, I'll never run another P2P software again...
I've backed up my registry with Erunt as instructed and run a DDS scan, the results of which I will copy and paste below.
Thanks in advance.
Brad
DDS (Ver_10-03-17.01) - NTFSx86
Run by Brad at 9:45:14.40 on Sat 07/03/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.503.40 [GMT -5:00]
AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Tech\Wheel Mouse\5.0\MOUSE32A.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Belkin\F5D7050v3\Belkinwcui.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Brad\My Documents\Downloads\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://google.bearshare.com/
mDefault_Page_URL = hxxp://www.dell.com
mSearch Page = hxxp://www.google.com
mStart Page = about:blank
BHO: ADC PlugIn: {149256d5-e103-4523-bb43-2cfb066839d6} - c:\program files\adc_w32.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
uRun: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [LWBMOUSE] c:\program files\tech\wheel mouse\5.0\MOUSE32A.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [F5D7050v3] c:\program files\belkin\f5d7050v3\Belkinwcui.exe
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [Elovikugomukedom] rundll32.exe "c:\windows\ebigocel.dll",Startup
dRun: [vwprdqsp] c:\documents and settings\networkservice\local settings\application data\ssgdosqda\hdeucgdtssd.exe
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Open in new background tab - c:\program files\windows live toolbar\components\en-us\msntabres.dll.mui/229?c147b446615c47e88ebe2d75f9881126
IE: Open in new foreground tab - c:\program files\windows live toolbar\components\en-us\msntabres.dll.mui/230?c147b446615c47e88ebe2d75f9881126
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1179880279609
DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} - hxxp://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\brad\applic~1\mozilla\firefox\profiles\7xg2yymc.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com
FF - plugin: c:\documents and settings\brad\application data\mozilla\firefox\profiles\7xg2yymc.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {0F51ED1E-71C1-46BA-9A26-62890149D163} - c:\documents and settings\brad\local settings\application data\{0F51ED1E-71C1-46BA-9A26-62890149D163}
FF - HiddenExtension: XULRunner: {B87AA704-3A2F-45DD-B9FC-0E318AA0ACC8} - c:\documents and settings\jamie\local settings\application data\{B87AA704-3A2F-45DD-B9FC-0E318AA0ACC8}
FF - HiddenExtension: XULRunner: {89354AB9-D0BE-42C9-891F-E790FD721AF0} - c:\documents and settings\bernie\local settings\application data\{89354ab9-d0be-42c9-891f-e790fd721af0}\
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
============= SERVICES / DRIVERS ===============
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2008-4-12 164048]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-4-12 19024]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-27 40384]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-27 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-27 40384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-6-27 136176]
=============== Created Last 30 ================
2010-07-03 03:51:58 0 d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2010-07-02 14:17:26 1580 ----a-w- C:\Sysinternals Antivirus.lnk
2010-07-02 04:25:02 0 d-----w- c:\program files\scdata
2010-07-02 04:20:34 360960 ----a-w- c:\program files\adc_w32.dll
2010-07-02 04:20:32 66 ----a-w- c:\program files\wp4.dat
2010-07-02 04:20:32 4 ----a-w- c:\program files\wp3.dat
2010-07-02 04:20:31 36 ----a-w- c:\program files\skynet.dat
2010-07-02 04:20:29 0 d-----w- c:\program files\Sysinternals Antivirus
2010-06-27 16:17:31 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-06-24 18:30:35 2720 ----a-w- c:\windows\Jyewexow.dat
2010-06-24 18:30:35 0 ----a-w- c:\windows\Gpenehulalihocim.bin
2010-06-24 17:44:14 0 d-----w- c:\docume~1\brad\applic~1\uTorrent
==================== Find3M ====================
2010-07-02 04:20:34 9 ----a-w- c:\program files\nuar.old
2010-05-10 21:45:44 4392 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-05-02 05:56:34 1850880 ----a-w- c:\windows\system32\win32k.sys
2010-05-02 05:56:34 1850880 ------w- c:\windows\system32\dllcache\win32k.sys
2010-04-20 05:51:20 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-20 05:51:20 285696 ------w- c:\windows\system32\dllcache\atmfd.dll
2010-04-16 13:36:53 18432 ------w- c:\windows\system32\dllcache\iedw.exe
2010-04-06 09:52:46 2462720 ----a-w- c:\windows\system32\dllcache\WMVCore.dll
2009-03-20 19:59:38 56 --sh--r- c:\windows\system32\8590E6E4B0.sys
============= FINISH: 9:46:15.28 ===============
Hello and welcome to Safer Networking.
My name is km2357 and I will be helping you to remove any infection(s) that you may have.
I will be giving you a series of instructions that need to be followed in the order in which I give them to you.
If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.
Please do not start another thread or topic, I will assist you at this thread until we solve your problems.
Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.
Sorry for the delay in replying, the forum is very busy. If you still need help, please do the following:
Step # 1 Download and run DDS
Download DDS and save it to your desktop from here (http://download.bleepingcomputer.com/sUBs/dds.scr) or here (http://www.forospyware.com/sUBs/dds).
Disable any script blocker, and then double click dds.scr to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt
Save both reports to your desktop. Post them back to your topic.
Step # 2: Download and Run Gmer
Please download gmer.zip (http://www.gmer.net/gmer.zip) from Gmer and save it to your desktop.
***Please close any open programs ***
Double-click gmer.exe. The program will begin to run.
**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst
If possible rootkit activity is found, you will be asked if you would like to perform a full scan. Click No.
If you do not receive notice about possible rootkit activity remain on the Rootkit/Malware tab & make sure that the 'Sections' button is ticked and the 'Show All' button is unticked. Click the Scan button and let the program do its work. GMER will produce a log.
Once the scan is complete, you may receive another notice about rootkit activity.
Click OK.
GMER will produce a log. Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.
DO NOT touch the PC at ALL for Whatever reason/s until it has 100% completed its scan, or attempted scan in case of some error etc !
Please post the results from the GMER scan in your reply.
In your next post/reply, I need to see the following:
1. The two DDS Logs (DDS and Attach.txt)
2. The GMER Log
Use multiple posts if you can't fit everything into one post.
BradPattullo? Do you still need help?
BradPattullo
2010-07-10, 16:12
Hello km2357! Yes, I still need your help; thank you, I really appreciate what you guys are doing here. And sorry about my delay; it's been a busy week. I ran the scans you requested and am posting the logs now:
DDS log:
DDS (Ver_10-03-17.01) - NTFSx86
Run by Brad at 23:43:25.50 on Fri 07/09/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.503.147 [GMT -5:00]
AV: avast! Antivirus *On-access scanning enabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Tech\Wheel Mouse\5.0\MOUSE32A.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Belkin\F5D7050v3\Belkinwcui.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Brad\My Documents\Downloads\dds(2).scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://google.bearshare.com/
mDefault_Page_URL = hxxp://www.dell.com
mSearch Page = hxxp://www.google.com
mStart Page = about:blank
BHO: ADC PlugIn: {149256d5-e103-4523-bb43-2cfb066839d6} - c:\program files\adc_w32.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
uRun: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [LWBMOUSE] c:\program files\tech\wheel mouse\5.0\MOUSE32A.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [F5D7050v3] c:\program files\belkin\f5d7050v3\Belkinwcui.exe
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [Elovikugomukedom] rundll32.exe "c:\windows\ebigocel.dll",Startup
dRun: [vwprdqsp] c:\documents and settings\networkservice\local settings\application data\ssgdosqda\hdeucgdtssd.exe
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Open in new background tab - c:\program files\windows live toolbar\components\en-us\msntabres.dll.mui/229?c147b446615c47e88ebe2d75f9881126
IE: Open in new foreground tab - c:\program files\windows live toolbar\components\en-us\msntabres.dll.mui/230?c147b446615c47e88ebe2d75f9881126
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1179880279609
DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} - hxxp://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\brad\applic~1\mozilla\firefox\profiles\7xg2yymc.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com
FF - plugin: c:\documents and settings\brad\application data\mozilla\firefox\profiles\7xg2yymc.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {0F51ED1E-71C1-46BA-9A26-62890149D163} - c:\documents and settings\brad\local settings\application data\{0F51ED1E-71C1-46BA-9A26-62890149D163}
FF - HiddenExtension: XULRunner: {B87AA704-3A2F-45DD-B9FC-0E318AA0ACC8} - c:\documents and settings\jamie\local settings\application data\{B87AA704-3A2F-45DD-B9FC-0E318AA0ACC8}
FF - HiddenExtension: XULRunner: {89354AB9-D0BE-42C9-891F-E790FD721AF0} - c:\documents and settings\bernie\local settings\application data\{89354ab9-d0be-42c9-891f-e790fd721af0}\
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
============= SERVICES / DRIVERS ===============
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2008-4-12 164048]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-4-12 19024]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-27 40384]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-27 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-27 40384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-6-27 136176]
=============== Created Last 30 ================
2010-07-03 03:51:58 0 d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2010-07-02 14:17:26 1580 ----a-w- C:\Sysinternals Antivirus.lnk
2010-07-02 04:25:02 0 d-----w- c:\program files\scdata
2010-07-02 04:20:34 360960 ----a-w- c:\program files\adc_w32.dll
2010-07-02 04:20:32 66 ----a-w- c:\program files\wp4.dat
2010-07-02 04:20:32 4 ----a-w- c:\program files\wp3.dat
2010-07-02 04:20:31 36 ----a-w- c:\program files\skynet.dat
2010-07-02 04:20:29 0 d-----w- c:\program files\Sysinternals Antivirus
2010-06-27 16:17:31 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-06-24 18:30:35 0 ----a-w- c:\windows\Jyewexow.dat
2010-06-24 18:30:35 0 ----a-w- c:\windows\Gpenehulalihocim.bin
2010-06-24 17:44:14 0 d-----w- c:\docume~1\brad\applic~1\uTorrent
==================== Find3M ====================
2010-07-02 04:20:34 9 ----a-w- c:\program files\nuar.old
2010-05-10 21:45:44 4392 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-05-02 05:56:34 1850880 ----a-w- c:\windows\system32\win32k.sys
2010-05-02 05:56:34 1850880 ------w- c:\windows\system32\dllcache\win32k.sys
2010-04-20 05:51:20 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-20 05:51:20 285696 ------w- c:\windows\system32\dllcache\atmfd.dll
2010-04-16 13:36:53 18432 ------w- c:\windows\system32\dllcache\iedw.exe
2009-03-20 19:59:38 56 --sh--r- c:\windows\system32\8590E6E4B0.sys
============= FINISH: 23:44:43.25 ===============
DDS "attach" log:
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_10-03-17.01)
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 5/12/2006 8:50:47 AM
System Uptime: 7/9/2010 5:53:02 PM (6 hours ago)
Motherboard: Dell Inc. | |
Processor: Intel(R) Celeron(R) M processor 1.50GHz | Microprocessor | 1496/133mhz
==== Disk Partitions =========================
C: is FIXED (NTFS) - 34 GiB total, 5.455 GiB free.
D: is CDROM (CDFS)
==== Disabled Device Manager Items =============
==== System Restore Points ===================
RP1274: 5/21/2010 9:18:19 AM - System Checkpoint
RP1275: 5/22/2010 11:11:20 AM - System Checkpoint
RP1276: 5/23/2010 1:46:09 PM - System Checkpoint
RP1277: 5/24/2010 2:23:20 PM - System Checkpoint
RP1278: 5/25/2010 4:03:21 PM - System Checkpoint
RP1279: 5/26/2010 5:51:48 PM - System Checkpoint
RP1280: 5/27/2010 12:42:49 PM - Removed Adobe After Effects 5.5
RP1281: 5/27/2010 12:50:38 PM - Removed Star Wars Galactic Battlegrounds: Clone Campaigns
RP1282: 5/27/2010 12:52:07 PM - Removed MP3 Player Utilities 3.57
RP1283: 5/28/2010 4:01:47 PM - System Checkpoint
RP1284: 6/5/2010 5:01:22 PM - Software Distribution Service 3.0
RP1285: 6/6/2010 5:51:30 PM - System Checkpoint
RP1286: 6/7/2010 7:38:06 PM - System Checkpoint
RP1287: 6/8/2010 10:44:01 PM - System Checkpoint
RP1288: 6/9/2010 11:13:17 PM - System Checkpoint
RP1289: 6/11/2010 9:13:43 AM - System Checkpoint
RP1290: 6/13/2010 3:36:36 PM - Software Distribution Service 3.0
RP1291: 6/14/2010 4:50:16 PM - System Checkpoint
RP1292: 6/14/2010 6:57:20 PM - Software Distribution Service 3.0
RP1293: 6/15/2010 8:31:48 PM - System Checkpoint
RP1294: 6/17/2010 12:05:58 AM - System Checkpoint
RP1295: 6/18/2010 12:15:40 AM - System Checkpoint
RP1296: 6/19/2010 11:00:57 AM - System Checkpoint
RP1297: 6/20/2010 11:47:42 AM - System Checkpoint
RP1298: 6/21/2010 12:59:10 PM - System Checkpoint
RP1299: 6/22/2010 2:47:41 PM - System Checkpoint
RP1300: 6/23/2010 3:15:27 PM - System Checkpoint
RP1301: 6/24/2010 7:12:15 PM - System Checkpoint
RP1302: 6/25/2010 7:21:47 PM - System Checkpoint
RP1303: 6/26/2010 8:44:25 PM - System Checkpoint
RP1304: 6/27/2010 9:37:02 AM - Software Distribution Service 3.0
RP1305: 6/27/2010 11:18:52 AM - avast! Free Antivirus Setup
RP1306: 6/28/2010 1:05:46 PM - System Checkpoint
RP1307: 6/29/2010 7:38:11 PM - System Checkpoint
RP1308: 7/1/2010 10:57:37 AM - System Checkpoint
RP1309: 7/2/2010 11:57:43 AM - System Checkpoint
RP1310: 7/2/2010 12:22:32 PM - Removed MP3 Player Product Tool 5.12
RP1311: 7/2/2010 12:23:12 PM - Removed MP3 Player Utilities 1.47
RP1312: 7/3/2010 2:27:55 PM - System Checkpoint
RP1313: 7/4/2010 5:24:55 PM - System Checkpoint
RP1314: 7/5/2010 8:38:45 PM - System Checkpoint
RP1315: 7/6/2010 9:18:54 PM - System Checkpoint
RP1316: 7/7/2010 11:11:06 PM - System Checkpoint
RP1317: 7/9/2010 11:47:08 AM - System Checkpoint
==== Installed Programs ======================
32 Bit HP CIO Components Installer
Adobe AIR
Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Photoshop 7.0
Adobe Reader 9.2
AOLIcon
Apple Application Support
Apple Mobile Device Support
Apple Software Update
avast! Free Antivirus
AviSynth 2.5
Belkin 54Mbps Wireless Network Adapter
Bonjour
Broadcom Management Programs
Conexant HDA D110 MDC V.92 Modem
Corel Paint Shop Pro X
Critical Update for Windows Media Player 11 (KB959772)
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Support Center
Dell System Restore
DellConnect
DellSupport
Digital Content Portal
Digital Line Detect
DJ_AIO_05_F4400_Software_Min
Documentation & Support Launcher
ELIcon
EPSON Printer Software
ERUNT 1.1j
FinePix Studio
Form Fill (Windows Live Toolbar)
Games, Music, & Photos Launcher
Google Earth
Google Update Helper
High Definition Audio Driver Package - KB835221
HijackThis 1.99.1
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB896256)
Hotfix for Windows XP (KB906569)
Hotfix for Windows XP (KB908673)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Deskjet F4400 Printer Driver 13.0 Rel .5
Intel(R) Graphics Media Accelerator Driver for Mobile
Internal Network Card Power Management
Java(TM) 6 Update 13
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) SE Runtime Environment 6 Update 1
MCU
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Games for Windows - LIVE Redistributable
Microsoft Office Professional Edition 2003
Microsoft Phishing Filter Add-in
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft User-Mode Driver Framework Feature Pack 1.5
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft WinUsb 1.0
Modem Helper
MonkeyJam 3_050529
Mozilla (1.7.3)
Mozilla Firefox (3.5.8)
MSN
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB973686)
Musicmatch for Windows Media Player
NetWaiting
Photo Viewer
PowerDVD 5.5
QuickSet
QuickTime
Riva FLV Encoder 2.0
Scan
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB976325)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981350)
Security Update for Windows XP (KB982381)
Sonic DLA
Sonic Foundry Sound Forge 6.0a
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Spelling Dictionaries Support For Adobe Reader 9
Spybot - Search & Destroy 1.4
Synaptics Pointing Device Driver
Tabbed Browsing (Windows Live Toolbar)
Tech Wheel Mouse 5.0
Toolbox
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB976749)
Update for Windows XP (KB978207)
Update for Windows XP (KB980182)
Viewpoint Media Player
WebCyberCoach 3.2 Dell
WebEx Support Manager for Internet Explorer
WebFldrs XP
Windows Driver Package - (mr7910) Image (08/08/2006 1.4.0.0)
Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Live Outlook Toolbar (Windows Live Toolbar)
Windows Live Sign-in Assistant
Windows Live Toolbar
Windows Live Toolbar Feed Detector (Windows Live Toolbar)
Windows Live Toolbar MSN Extension (Windows Live Toolbar)
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 11
Windows Presentation Foundation
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885855
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB889673
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WordPerfect Office 12
XML Paper Specification Shared Components Pack 1.0
==== Event Viewer Messages From Past Week ========
7/9/2010 5:53:42 PM, error: Dhcp [1002] - The IP address lease 192.168.1.102 for the Network Card with network address 94445200DB06 has been denied by the DHCP server 147.64.180.1 (The DHCP Server sent a DHCPNACK message).
7/6/2010 9:08:06 PM, error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: This operation returned because the timeout period expired.
7/6/2010 5:24:27 PM, error: Dhcp [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 94445200DB06. The following error occurred: The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
7/6/2010 1:03:47 PM, error: Server [2505] - The server could not bind to the transport \Device\NetBT_Tcpip_{4426BA3D-8207-44DF-8499-5332564B5F72} because another computer on the network has the same name. The server could not start.
7/5/2010 9:20:13 AM, error: Dhcp [1002] - The IP address lease 192.168.1.107 for the Network Card with network address 94445200DB06 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
7/5/2010 9:19:44 AM, error: Dhcp [1002] - The IP address lease 192.168.1.102 for the Network Card with network address 94445200DB06 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
7/4/2010 10:41:53 AM, error: ipnathlp [32003] - The Network Address Translator (NAT) was unable to request an operation of the kernel-mode translation module. This may indicate misconfiguration, insufficient resources, or an internal error. The data is the error code.
7/4/2010 10:41:52 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the stisvc service.
7/4/2010 10:41:48 AM, error: Dhcp [1002] - The IP address lease 192.168.1.101 for the Network Card with network address 94445200DB06 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
7/2/2010 9:17:59 AM, error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume C:.
7/2/2010 5:32:01 PM, error: Dhcp [1002] - The IP address lease 192.168.1.101 for the Network Card with network address 94445200DB06 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
7/2/2010 12:23:23 PM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
7/2/2010 12:18:12 PM, error: Service Control Manager [7000] - The Adobe Update Service service failed to start due to the following error: The system cannot find the file specified.
7/2/2010 12:17:59 PM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
7/2/2010 12:17:59 PM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
==== End Of File ===========================
GMER log:
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-10 09:06:58
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\Brad\LOCALS~1\Temp\uxtdapow.sys
---- System - GMER 1.0.15 ----
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xAA314C7A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xAA314B36]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteKey [0xAA3150EA]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xAA315014]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xAA31470C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xAA314C10]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xAA31464C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xAA3146B0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xAA314D30]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRenameKey [0xAA3151B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xAA314CF0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xAA314E70]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0xAA321AC6]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0xAA3218EA]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0xAA321A24]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!ZwCallbackReturn + 2468 80501C60 4 Bytes JMP C2AA3150
PAGE ntkrnlpa.exe!ZwLoadDriver 8057929C 7 Bytes JMP AA321A28 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!NtCreateSection 805A041E 7 Bytes JMP AA3218EE \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 805B192A 5 Bytes JMP AA31D536 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ObInsertObject 805B8618 5 Bytes JMP AA31EEC2 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805C6EFC 7 Bytes JMP AA321ACA \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\System32\svchost.exe[1280] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 007A000A
.text C:\WINDOWS\System32\svchost.exe[1280] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 007B000A
.text C:\WINDOWS\System32\svchost.exe[1280] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0079000C
.text C:\WINDOWS\System32\svchost.exe[1280] USER32.dll!GetCursorPos 7E41BD76 5 Bytes JMP 00A8000A
.text C:\WINDOWS\System32\svchost.exe[1280] ole32.dll!CoCreateInstance 774FFAC3 5 Bytes JMP 0094000A
.text C:\WINDOWS\Explorer.EXE[2300] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A1000A
.text C:\WINDOWS\Explorer.EXE[2300] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00A7000A
.text C:\WINDOWS\Explorer.EXE[2300] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A0000C
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\WINDOWS\system32\services.exe[864] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003A0002
IAT C:\WINDOWS\system32\services.exe[864] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003A0000
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)
AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
Device \FileSystem\Fastfat \Fat A8FFBC8A
Device \FileSystem\Fastfat \Fat A9002821
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
---- EOF - GMER 1.0.15 ----
Thanks again!
According to your DDS log, Avast is out of date. Please update it, as soon as possible.
Please disable avast! Antivirus as it may interfere with the fixes. Remember to re-enable it back before posting the logs.
* Right click on avast! Antivirus icon near the clock and select Stop On-Access Protection.
* Right click on this icon again and select Program Settings.
* On the left, click on Troubleshooting.
* Uncheck (untick) this box - Disable avast! self-defense module.
* Click OK to apply the settings
If the above doesn't work, do the following:
Right click on the toolbar icon, then pull down "avast shield control" and click "Disable for 1 hour".
Step # 1: Download and Run ComboFix
We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
*Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
* IMPORTANT !!! Save ComboFix.exe to your Desktop
When finished, it shall produce a log for you. Please post C:\ComboFix.txt in your next reply.
BradPattullo
2010-07-12, 16:11
I tried several times to update avast! but kept getting errors. There are some things I have not been able to do since this infection started, like post on this forum or use the Add/Remove Programs function in the control panel. I have been bringing my logs over to my Mac in order to reply to this thread. I will keep trying to update avast! but I suspect that I will have better luck once the malware is removed. In the meantime, here is the combo fix log:
ComboFix 10-07-11.03 - Brad 07/12/2010 8:41.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.503.265 [GMT -5:00]
Running from: c:\documents and settings\Brad\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Bernie\Local Settings\Application Data\{89354AB9-D0BE-42C9-891F-E790FD721AF0}
c:\documents and settings\Bernie\Local Settings\Application Data\{89354AB9-D0BE-42C9-891F-E790FD721AF0}\chrome.manifest
c:\documents and settings\Bernie\Local Settings\Application Data\{89354AB9-D0BE-42C9-891F-E790FD721AF0}\chrome\content\_cfg.js
c:\documents and settings\Bernie\Local Settings\Application Data\{89354AB9-D0BE-42C9-891F-E790FD721AF0}\chrome\content\overlay.xul
c:\documents and settings\Bernie\Local Settings\Application Data\{89354AB9-D0BE-42C9-891F-E790FD721AF0}\install.rdf
c:\documents and settings\Brad\Local Settings\Application Data\{0F51ED1E-71C1-46BA-9A26-62890149D163}
c:\documents and settings\Brad\Local Settings\Application Data\{0F51ED1E-71C1-46BA-9A26-62890149D163}\chrome.manifest
c:\documents and settings\Brad\Local Settings\Application Data\{0F51ED1E-71C1-46BA-9A26-62890149D163}\chrome\content\_cfg.js
c:\documents and settings\Brad\Local Settings\Application Data\{0F51ED1E-71C1-46BA-9A26-62890149D163}\chrome\content\overlay.xul
c:\documents and settings\Brad\Local Settings\Application Data\{0F51ED1E-71C1-46BA-9A26-62890149D163}\install.rdf
c:\documents and settings\Jamie\Desktop\Sysinternals Antivirus.lnk
c:\documents and settings\Jamie\Local Settings\Application Data\{B87AA704-3A2F-45DD-B9FC-0E318AA0ACC8}
c:\documents and settings\Jamie\Local Settings\Application Data\{B87AA704-3A2F-45DD-B9FC-0E318AA0ACC8}\chrome.manifest
c:\documents and settings\Jamie\Local Settings\Application Data\{B87AA704-3A2F-45DD-B9FC-0E318AA0ACC8}\chrome\content\_cfg.js
c:\documents and settings\Jamie\Local Settings\Application Data\{B87AA704-3A2F-45DD-B9FC-0E318AA0ACC8}\chrome\content\overlay.xul
c:\documents and settings\Jamie\Local Settings\Application Data\{B87AA704-3A2F-45DD-B9FC-0E318AA0ACC8}\install.rdf
c:\documents and settings\Jamie\Start Menu\Programs\Sysinternals Antivirus
c:\documents and settings\Jamie\Start Menu\Programs\Sysinternals Antivirus\Sysinternals Antivirus.lnk
c:\documents and settings\LocalService\Start Menu\Programs\Sysinternals Antivirus
c:\documents and settings\LocalService\Start Menu\Programs\Sysinternals Antivirus\Sysinternals Antivirus.lnk
c:\documents and settings\NetworkService\Local Settings\Application Data\ssgdosqda
c:\documents and settings\NetworkService\Local Settings\Application Data\ssgdosqda\hdeucgdtssd.exe
c:\program files\adC_w32.dll
c:\program files\nuar.old
c:\program files\scdata
c:\program files\scdata\dbsinit.exe
c:\program files\scdata\images\i1.gif
c:\program files\scdata\images\i2.gif
c:\program files\scdata\images\i3.gif
c:\program files\scdata\images\j1.gif
c:\program files\scdata\images\j2.gif
c:\program files\scdata\images\j3.gif
c:\program files\scdata\images\jj1.gif
c:\program files\scdata\images\jj2.gif
c:\program files\scdata\images\jj3.gif
c:\program files\scdata\images\l1.gif
c:\program files\scdata\images\l2.gif
c:\program files\scdata\images\l3.gif
c:\program files\scdata\images\pix.gif
c:\program files\scdata\images\t1.gif
c:\program files\scdata\images\t2.gif
c:\program files\scdata\images\Thumbs.db
c:\program files\scdata\images\up1.gif
c:\program files\scdata\images\up2.gif
c:\program files\scdata\images\w1.gif
c:\program files\scdata\images\w11.gif
c:\program files\scdata\images\w2.gif
c:\program files\scdata\images\w3.jpg
c:\program files\scdata\images\word.doc
c:\program files\scdata\images\wt1.gif
c:\program files\scdata\images\wt2.gif
c:\program files\scdata\images\wt3.gif
c:\program files\scdata\wispex.html
c:\program files\skynet.dat
c:\program files\Sysinternals Antivirus
c:\program files\wp3.dat
c:\program files\wp4.dat
C:\Sysinternals Antivirus.lnk
c:\windows\ebigocel.dll
c:\windows\system32\chbxxujd.ini
c:\windows\system32\eyhnqaks.ini
c:\windows\system32\fladapeh.ini
c:\windows\system32\lqyounbt.ini
c:\windows\system32\penvbewm.ini
c:\windows\system32\raaxctii.ini
c:\windows\xpsp1hfm.log
Infected copy of c:\windows\system32\drivers\mouclass.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_ADBUPD
((((((((((((((((((((((((( Files Created from 2010-06-12 to 2010-07-12 )))))))))))))))))))))))))))))))
.
2010-07-03 15:04 . 2010-07-03 15:04 -------- d-----w- c:\program files\ERUNT
2010-07-03 03:51 . 2010-07-03 03:51 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2010-06-30 21:32 . 2010-06-30 21:32 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple
2010-06-27 16:26 . 2010-06-27 16:26 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-06-27 16:21 . 2010-06-27 16:33 -------- d-----w- c:\documents and settings\Jamie\Local Settings\Application Data\Temp
2010-06-27 16:21 . 2010-06-27 16:21 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-06-27 16:17 . 2010-06-27 16:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-06-26 16:52 . 2010-06-26 16:52 -------- d-s---w- c:\documents and settings\LocalService\UserData
2010-06-25 10:15 . 2010-06-25 10:15 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-06-24 18:30 . 2010-07-11 03:04 0 ----a-w- c:\windows\Jyewexow.dat
2010-06-24 18:30 . 2010-07-09 13:58 0 ----a-w- c:\windows\Gpenehulalihocim.bin
2010-06-24 17:44 . 2010-07-02 17:25 -------- d-----w- c:\documents and settings\Brad\Application Data\uTorrent
2010-06-13 23:43 . 2010-06-13 23:43 -------- d-----w- c:\documents and settings\Jamie\Local Settings\Application Data\PCHealth
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-27 16:34 . 2007-12-19 15:21 -------- d-----w- c:\program files\Google
2010-06-27 16:18 . 2006-09-02 19:39 -------- d-----w- c:\program files\Alwil Software
2010-05-27 22:08 . 2010-05-27 22:08 503808 ----a-w- c:\documents and settings\Brad\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-4147c4d4-n\msvcp71.dll
2010-05-27 22:08 . 2010-05-27 22:08 499712 ----a-w- c:\documents and settings\Brad\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-4147c4d4-n\jmc.dll
2010-05-27 22:08 . 2010-05-27 22:08 348160 ----a-w- c:\documents and settings\Brad\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-4147c4d4-n\msvcr71.dll
2010-05-27 20:26 . 2010-05-27 20:26 -------- d-----w- c:\documents and settings\Brad\Application Data\mirage
2010-05-27 17:52 . 2008-08-08 00:19 -------- d-----w- c:\program files\MP3 Player Utilities 3.57
2010-05-27 17:51 . 2006-04-28 00:18 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-24 21:14 . 2010-05-24 21:14 348160 ----a-w- c:\documents and settings\Bernie\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-4155f625-n\msvcr71.dll
2010-05-24 21:14 . 2010-05-24 21:14 503808 ----a-w- c:\documents and settings\Bernie\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-4155f625-n\msvcp71.dll
2010-05-24 21:14 . 2010-05-24 21:14 499712 ----a-w- c:\documents and settings\Bernie\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-4155f625-n\jmc.dll
2010-05-22 15:26 . 2010-05-22 15:26 503808 ----a-w- c:\documents and settings\Jamie\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-306ac13d-n\msvcp71.dll
2010-05-22 15:26 . 2010-05-22 15:26 499712 ----a-w- c:\documents and settings\Jamie\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-306ac13d-n\jmc.dll
2010-05-22 15:26 . 2010-05-22 15:26 348160 ----a-w- c:\documents and settings\Jamie\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-306ac13d-n\msvcr71.dll
2010-05-10 21:45 . 2006-05-16 18:18 4392 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-05-10 21:45 . 2006-05-16 18:18 56 --sh--r- c:\windows\system32\5FB4C8F1BE.sys
2010-05-06 20:59 . 2008-02-12 13:11 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-05-06 20:59 . 2008-02-12 13:11 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-05-06 20:39 . 2008-02-12 13:11 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-05-06 20:39 . 2008-04-12 11:38 164048 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-05-06 20:34 . 2008-02-12 13:11 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-05-06 20:33 . 2008-02-12 13:11 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-05-06 20:33 . 2008-02-12 13:11 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-05-06 20:33 . 2008-04-12 11:38 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-05-06 20:33 . 2008-02-12 13:11 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-05-02 05:56 . 2004-08-10 17:51 1850880 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:51 . 2004-08-10 17:50 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-16 15:36 . 2004-08-10 17:51 662016 ----a-w- c:\windows\system32\wininet.dll
2010-04-16 15:36 . 2004-08-10 17:51 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-03-20 19:59 . 2009-03-20 19:59 56 --sh--r- c:\windows\system32\8590E6E4B0.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 761947]
"SigmatelSysTrayApp"="stsystra.exe" [2005-09-10 393216]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"LWBMOUSE"="c:\program files\Tech\Wheel Mouse\5.0\MOUSE32A.EXE" [2002-05-24 357376]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-20 148888]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"F5D7050v3"="c:\program files\Belkin\F5D7050v3\Belkinwcui.exe" [2007-10-31 1654784]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-05-06 2815192]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-10-04 53760]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-5-12 113664]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-4-27 24576]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Find Fast.lnk
backup=c:\windows\pss\Microsoft Find Fast.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office Shortcut Bar.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office Shortcut Bar.lnk
backup=c:\windows\pss\Microsoft Office Shortcut Bar.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Office Startup.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Office Startup.lnk
backup=c:\windows\pss\Office Startup.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Jamie^Start Menu^Programs^Startup^TA_Start.lnk]
path=c:\documents and settings\Jamie\Start Menu\Programs\Startup\TA_Start.lnk
backup=c:\windows\pss\TA_Start.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShowLOMControl]
[X]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
2003-09-10 07:24 20480 ------w- c:\program files\NetWaiting\netwaiting.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
2005-08-12 20:16 1121792 ----a-w- c:\program files\McAfee\SpamKiller\MSKDetct.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/12/2008 6:38 AM 164048]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/12/2008 6:38 AM 19024]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/27/2010 11:21 AM 136176]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - GTNDIS5
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
2010-07-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
2010-07-12 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2006-07-07 21:26]
2010-07-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-27 16:20]
2010-07-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-27 16:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.bearshare.com/
mStart Page = about:blank
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Open in new background tab - c:\program files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?c147b446615c47e88ebe2d75f9881126
IE: Open in new foreground tab - c:\program files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?c147b446615c47e88ebe2d75f9881126
FF - ProfilePath - c:\documents and settings\Brad\Application Data\Mozilla\Firefox\Profiles\7xg2yymc.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com
FF - plugin: c:\documents and settings\Brad\Application Data\Mozilla\Firefox\Profiles\7xg2yymc.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-msnmsgr - c:\program files\MSN Messenger\msnmsgr.exe
HKLM-Run-Elovikugomukedom - c:\windows\ebigocel.dll
MSConfigStartUp-avast! - c:\progra~1\ALWILS~1\Avast4\ashDisp.exe
MSConfigStartUp-DellSupport - c:\program files\Dell Support\DSAgnt.exe
MSConfigStartUp-Elovikugomukedom - c:\windows\ebigocel.dll
MSConfigStartUp-Hmigob - c:\windows\srfxcp.dll
MSConfigStartUp-MCAgentExe - c:\progra~1\mcafee.com\agent\McAgent.exe
MSConfigStartUp-McRegWiz - c:\progra~1\mcafee.com\agent\mcregwiz.exe
MSConfigStartUp-MCUpdateExe - c:\progra~1\mcafee.com\agent\McUpdate.exe
MSConfigStartUp-MPFExe - c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe
MSConfigStartUp-MSKAGENTEXE - c:\progra~1\McAfee\SPAMKI~1\MskAgent.exe
MSConfigStartUp-MsnMsgr - c:\program files\MSN Messenger\msnmsgr.exe
MSConfigStartUp-OASClnt - c:\program files\McAfee.com\VSO\oasclnt.exe
MSConfigStartUp-ProfileWatcher - c:\program files\ProfileWatcher\profilewatcher.exe
MSConfigStartUp-VirusScan Online - c:\progra~1\mcafee.com\vso\mcvsshld.exe
MSConfigStartUp-VSOCheckTask - c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe
MSConfigStartUp-vwprdqsp - c:\documents and settings\NetworkService\Local Settings\Application Data\ssgdosqda\hdeucgdtssd.exe
AddRemove-ShockwaveFlash - c:\windows\system32\Macromed\Flash\FlashUtil9c.exe
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-12 08:54
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(3268)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Tech\Wheel Mouse\5.0\MOUDL32A.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
c:\windows\system32\wscntfy.exe
c:\windows\stsystra.exe
.
**************************************************************************
.
Completion time: 2010-07-12 09:01:39 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-12 14:01
ComboFix2.txt 2010-07-03 14:23
Pre-Run: 6,329,409,536 bytes free
Post-Run: 8,792,412,160 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /usepmtimer
- - End Of File - - BF02A048384B617A1921500D53236861
Step # 1: Run CFScript
Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
KILLALL::
File::
c:\windows\Jyewexow.dat
c:\windows\Gpenehulalihocim.bin
Folder::
c:\documents and settings\Brad\Application Data\uTorrent
DDS::
BHO: 1 (0x1) - No File
uStart Page = hxxp://google.bearshare.com/
mStart Page = about:blank
Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Note: This CFScript is for use on bradpatullo's computer only! Do not use it on your computer.
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
In your next post/reply, I need to see the following:
1. The ComboFix Log that appears after Step 1 has been completed.
2. A fresh DDS Log taken after Step 1 has been completed.
This topic has been archived due to inactivity.
If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a new HijackThis log with a link to your previous thread. Please do not add any logs that might have been requested in the closed topic, you would be starting fresh.
Applies only to the original poster, anyone else with similar problems please start a new topic.