The dreaded PWS.LDPinchIE



allybain
2010-11-17, 19:14
Hi There

Complete noob to the forum guys so hopefully you can help me here. From what I read the PWS.LDPinchIE is a rootkit that basically screws up the comp, so I wanted to get this in nice and early.

My computer keeps popping up with a "Windows has blocked some startup programs" message; the "run blocked programs" option gives me 3 install options, so naturally something smelt fishy.

I have run Spybot and SUPERAntiSpyware, both found the trojan and deleted it, but on reboot it manages to worm its way back in.

Here are the details of my dds file:

DDS (Ver_10-11-10.01) - NTFSx86
Run by Ally Bain at 18:09:50.94 on Wed 11/17/2010
Internet Explorer: 8.0.6001.18828 BrowserJavaVersion: 1.6.0_15
Microsoft® Windows Vista 6.0.6001.1.1252.1.1033.18.1982.1033 [GMT 0:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\Dwm.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\DAEMON Tools Lite\DTLite.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Sophos\Sophos Anti-Rootkit\sargui.exe
C:\Windows\system32\WUDFHost.exe
C:\Users\Ally Bain\AppData\Local\temp\qwqjlh.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Ally Bain\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://flvtubesearch.co/?tmp=toolbar_FlvTube_homepage&prt=flvtubetb04ie&clid=c632fac7faf5423d8acdfe59051b4fef
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>;*.local
mURLSearchHooks: H - No File
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
uRun: [RocketDock] "c:\program files\rocketdock\RocketDock.exe"
uRun: [nqqka] rundll32 "c:\users\ally bain\appdata\roaming\olecli9.dll",Hikmzbwr
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [BlackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRunOnce: [9656861CDC864E9A3B36650A75B64E5B8B7E663EE0C84F19719CFF67CCE94901] cmd.exe /c start "1" "c:\windows\system32\config\systemprofile\appdata\roaming\moz7f52\ky7F72.exe" 00 22
uPolicies-explorer: HideSCANetwork = 0 (0x0)
uPolicies-explorer: HideSCAVolume = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\program files\iobit\advanced systemcare 3\SPICtrl.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FFFFFFFF-CAFE-BABE-BABE-00AA0055595A} - hxxp://www.networksolutionsemailpopwizard.com/TrueSwitchEC.exe
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
STS: Windows DreamScene: {e31004d1-a431-41b8-826f-e902f9d95c81} - %SystemRoot%\System32\DreamScene.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\allyba~1\appdata\roaming\mozilla\firefox\profiles\0rcy3u4s.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo-FlvTube
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://flvtubesearch.co/?prt=02ff&clid=&subid=&Keywords=
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\veetle\vlcbroadcast\npvbp.dll
FF - plugin: c:\users\ally bain\appdata\locallow\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\users\ally bain\appdata\roaming\mozilla\firefox\profiles\0rcy3u4s.default\extensions\{9eb34849-81d3-4841-939d-666d522b889a}\plugins\npSlingPlayer.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----


FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

============= SERVICES / DRIVERS ===============

R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2010-10-4 59240]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-9-29 108792]
R1 RapportCerberus_19917;RapportCerberus_19917;c:\programdata\trusteer\rapport\store\exts\rapportcerberus\19917\RapportCerberus_19917.sys [2010-10-4 34792]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2010-10-4 169320]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2009-9-29 735960]
R2 epfwwfpr;epfwwfpr;c:\windows\system32\drivers\epfwwfpr.sys [2009-9-29 95896]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2010-10-4 767208]
S2 lxdw_device;lxdw_device;c:\windows\system32\lxdwcoms.exe -service --> c:\windows\system32\lxdwcoms.exe -service [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-11-17 38224]
S3 MSHUSBVideo;NX6000/NX3000/VX5000/VX5500/VX2000/VX7000 Filter Driver;c:\windows\system32\drivers\nx6000.sys [2009-3-17 30560]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2010-10-27 27192]
S3 s0016bus;Sony Ericsson Device 0016 driver (WDM);c:\windows\system32\drivers\s0016bus.sys [2009-7-29 89256]
S3 s0016mdfl;Sony Ericsson Device 0016 USB WMC Modem Filter;c:\windows\system32\drivers\s0016mdfl.sys [2009-7-29 15016]
S3 s0016mdm;Sony Ericsson Device 0016 USB WMC Modem Driver;c:\windows\system32\drivers\s0016mdm.sys [2009-7-29 120744]
S3 s0016mgmt;Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0016mgmt.sys [2009-7-29 114216]
S3 s0016nd5;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS);c:\windows\system32\drivers\s0016nd5.sys [2009-7-29 25512]
S3 s0016obex;Sony Ericsson Device 0016 USB WMC OBEX Interface;c:\windows\system32\drivers\s0016obex.sys [2009-7-29 110632]
S3 s0016unic;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM);c:\windows\system32\drivers\s0016unic.sys [2009-7-29 115752]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2008-7-17 16896]
S4 ASKService;ASKService;c:\program files\askbardis\bar\bin\AskService.exe [2009-12-9 464264]
S4 ASKUpgrade;ASKUpgrade;c:\program files\askbardis\bar\bin\ASKUpgrade.exe [2009-12-9 234888]
S4 VMCService;Vodafone Mobile Connect Service;c:\program files\vodafone\vodafone mobile connect\bin\VMCService.exe [2008-10-9 14336]

=============== Created Last 30 ================

2010-11-17 17:44:53 -------- d-----w- c:\program files\Sophos
2010-11-17 17:02:39 -------- d-sh--w- C:\$RECYCLE.BIN
2010-11-17 14:52:40 -------- d-----w- c:\users\allyba~1\appdata\local\temp
2010-11-17 14:27:13 -------- d-----w- c:\users\allyba~1\appdata\roaming\SUPERAntiSpyware.com
2010-11-17 14:27:13 -------- d-----w- c:\progra~2\SUPERAntiSpyware.com
2010-11-17 14:27:00 89088 ----a-w- c:\windows\MBR.exe
2010-11-17 14:26:58 256512 ----a-w- c:\windows\PEV.exe
2010-11-17 14:26:57 98816 ----a-w- c:\windows\sed.exe
2010-11-17 14:26:57 161792 ----a-w- c:\windows\SWREG.exe
2010-11-17 14:25:54 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-11-17 13:53:53 -------- d-----w- C:\SDFix
2010-11-17 13:30:23 -------- d-----w- c:\program files\STOPzilla!
2010-11-17 11:49:21 -------- d-----w- c:\program files\CCleaner
2010-11-17 11:48:39 -------- d-----w- c:\program files\ESET
2010-11-17 09:21:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-17 09:21:37 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-16 15:54:07 -------- d-----w- c:\users\allyba~1\appdata\roaming\Vodafone
2010-11-16 15:53:54 101504 ----a-w- c:\windows\system32\drivers\ewusbmdm.sys
2010-11-16 15:53:11 -------- d-----w- c:\progra~2\Vodafone
2010-11-16 15:52:58 -------- d-----w- c:\program files\Vodafone
2010-11-16 15:52:13 -------- d-----w- c:\users\allyba~1\appdata\local\{3B8B09B1-BF28-4F18-9905-7E5CA2899C01}
2010-11-11 13:22:22 -------- d-----w- c:\users\allyba~1\appdata\roaming\Sling Media
2010-11-06 13:47:45 -------- d-----w- c:\users\allyba~1\appdata\local\Sports Interactive
2010-11-06 11:37:34 103864 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2010-11-06 11:37:34 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
2010-11-04 00:08:01 256 ----a-w- c:\windows\system32\pool.bin
2010-11-04 00:07:56 -------- d-----w- c:\users\allyba~1\appdata\roaming\Research In Motion
2010-11-04 00:05:02 -------- d-----w- c:\program files\Research In Motion
2010-10-28 04:08:25 16856 ----a-w- c:\program files\mozilla firefox\plugin-container.exe
2010-10-28 04:08:24 719832 ----a-w- c:\program files\mozilla firefox\mozcpp19.dll
2010-10-27 21:42:20 -------- d-----w- c:\users\allyba~1\appdata\local\VS Revo Group
2010-10-27 21:42:13 27192 ----a-w- c:\windows\system32\drivers\revoflt.sys
2010-10-27 21:42:11 -------- d-----w- c:\program files\VS Revo Group
2010-10-27 14:18:48 -------- d-----w- c:\progra~2\IObit
2010-10-23 16:40:28 -------- d-----w- c:\program files\IPODRIP
2010-10-22 19:02:58 -------- d-----w- c:\program files\iPod
2010-10-22 19:02:48 -------- d-----w- c:\progra~2\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-10-22 18:46:13 -------- d-----w- c:\program files\Bonjour
2010-10-20 18:39:53 -------- d-----w- c:\program files\vShare

==================== Find3M ====================

2010-09-08 15:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 15:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts

============= FINISH: 18:10:21.49 ===============

I had started this stream already on:

http://forums.spybot.info/showthread.php?t=60459

tashi
2010-11-17, 19:41
http://forums.spybot.info/showthread.php?t=60459


Hello allybain,

I noticed you are running Microsoft® Windows Vista Black Edition™ which we do not support.

Please see You and Windows, a joint effort (http://forums.spybot.info/showpost.php?p=25290&postcount=4)

Best regards.