Click.GiftLoad - a week of hell



Alene
2011-05-01, 02:02
Hello,
I hope you can help. A week ago I began having redirects and ran Spybot only to discover this hijacker/trojan in my registry which it removed - only to return on the next boot. The symptoms include:
1. IE 8 redirects.
2. An ever increasing svchost process in task manager which becomes huge and takes over cpu usage, causing the system to slow to an unacceptable level.
3. An inability to reach the microsoft windows update site getting a "cannot connect" IE error message.
I tried running Malwarebytes, AVG, CCleaner and any other programs available, but they neither find the problem nor fix it. I tried the Microsoft Security Enhancement program, but it too did nothing to solve the problem. I tried to update the virus database but couldn't connect to their site. Then I called them and worked with tech support via remote access, and they ran all kinds of programs with no success, finally telling me to format my drive and reinstall Windows (my last and most undesirable recourse).
And here's the latest: when I try to send this post to you, I receive the same "IE can't connect" message, so I'm using my laptop to get this message to you, with Attach and DDS from my infected desktop, for which I've run the backup program as stated in the instructions for posting.
Thanks in advance for your help.

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Morris at 18:12:56.03 on Sat 04/30/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1279.586 [GMT -4:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
F:\Nero 7\InCD\InCDsrv.exe
C:\Program Files\AT&T Global Network Client\netcfgsvr.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Microsoft Security Client\msseces.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\system32\wscntfy.exe
svchost.exe
C:\WINDOWS\regedit.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Morris\Desktop\Virus Problems\spybot support\dds.pif
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mURLSearchHooks: H - No File
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: {53707962-6F74-2D53-2644-206D7942484F} - No File
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboForm.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File
BHO: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.6209.1142\swg.dll
BHO: ieCom Class: {c6ceac32-d45c-11d4-94af-0050babd5fd6} - c:\program files\url organizer\UrlOrgIE.dll
BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - No File
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboForm.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
dRunOnce: [RunNarrator] Narrator.exe
IE: &4 Edit Passcards
IE: &7 Fill Forms
IE: &8 Save Forms
IE: &Copy Location
IE: &Highlight
IE: &Links List
IE: Add to Google Photos Screensa&ver
IE: Customize Menu &4
IE: Fill Forms &]
IE: I&mages List
IE: Open Frame in &New Window
IE: Save Forms &[
IE: Zoom &In
IE: Zoom O&ut
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - {C651A691-CCD9-11D2-92D3-0000F87A4A55} - c:\windows\system32\webzone.dll
IE: {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - {C651A693-CCD9-11D2-92D3-0000F87A4A55} - c:\windows\system32\webzone.dll
IE: {FC09D8A3-C85A-11d2-92D0-0000F87A4A55} - {A58D06D4-CA90-11D2-92D2-0000F87A4A55} - c:\windows\system32\oline.dll
Trusted Zone: aol.com\my.screenname
Trusted Zone: aol.com\webmail
Trusted Zone: microsoft.com\*.update
Trusted Zone: microsoft.com\update
Trusted Zone: microsoft.com\windowsupdate
Trusted Zone: microsoft.com\www.update
Trusted Zone: windowsupdate.com\download
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
DPF: Microsoft XML Parser for Java
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B}
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8}
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94}
DPF: {11260943-421B-11D0-8EAC-0000C07D88CF}
DPF: {166B1BCA-3F9C-11CF-8075-444553540000}
DPF: {17492023-C23A-453E-A040-C7C580BBF700}
DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C}
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE}
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0}
DPF: {43B70AAD-23F4-4FD8-ADD9-441D8592EEB8}
DPF: {5763F8E8-0DD7-4A0F-ADB0-9F64C8F2C349}
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxps://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1303957118671
DPF: {65FDEDF3-8ED9-4F5B-825E-18C2D44191A7}
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1281675242218
DPF: {6F750200-1362-4815-A476-88533DE61D0C}
DPF: {6F750202-1362-4815-A476-88533DE61D0C}
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737}
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93}
DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D}
DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7}
DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68}
DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A}
DPF: {963BE66B-121D-4E6C-BF9F-1A774D9A2E41} - hxxp://moneycentral.msn.com/cabs/pmupdate2.exe
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429}
DPF: {AECD14A8-F662-11D1-A395-00805F535788}
DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C}
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000}
DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
DPF: {D670D0B3-05AB-4115-9F87-D983EF1AC747}
DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB}
DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7}
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B}
DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003}
DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5}
TCP: {894A79C5-4324-4432-A90F-654335FBE272} = 4.2.2.1,4.2.2.2
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Name-Space Handler: ftp\GetRightIEClickCatcher - {73BA8F12-723E-11D1-A9E2-00403320FCF2} -
Name-Space Handler: http\GetRightIEClickCatcher - {73BA8F12-723E-11D1-A9E2-00403320FCF2} -
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
============= SERVICES / DRIVERS ===============
.
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [2011-4-7 13496]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
R2 HPFECP15;HPFECP15;c:\windows\system32\drivers\HPFecp15.sys [1999-2-16 52800]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2008-3-7 1373480]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-5 135664]
S3 Iprip;RIP Listener;c:\windows\system32\svchost.exe -k netsvcs [2001-8-18 14336]
S3 lgatbus;LG USB Composite Device driver (WDM);c:\windows\system32\drivers\lgatbus.sys [2007-4-17 43024]
S3 lgatmdm;LG CDMA USB Modem Drivers;c:\windows\system32\drivers\lgatmdm.sys [2007-4-17 77104]
S3 lgatserd;LG CDMA USB Modem Diagnostic Serial Port Drivers (WDM);c:\windows\system32\drivers\lgatserd.sys [2007-4-17 60816]
.
=============== Created Last 30 ================
.
2011-04-30 14:35:56 7071056 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2011-04-30 14:35:34 7071056 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{64b81509-fdf8-4fe9-8bfc-714292c3896c}\mpengine.dll
2011-04-30 04:48:33 -------- d-sha-r- C:\cmdcons
2011-04-29 04:14:08 2476 ----a-w- C:\regbak.reg
2011-04-28 04:17:33 -------- d-----w- c:\program files\ESET
2011-04-28 02:43:36 98816 ----a-w- c:\windows\sed.exe
2011-04-28 02:43:36 89088 ----a-w- c:\windows\MBR.exe
2011-04-28 02:43:36 256512 ----a-w- c:\windows\PEV.exe
2011-04-28 02:43:36 161792 ----a-w- c:\windows\SWREG.exe
2011-04-27 01:23:56 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-04-27 01:23:56 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-27 01:22:04 -------- d-----w- c:\docume~1\morris\locals~1\applic~1\{7CBA73E9-288D-47ED-8FD7-A2540E3C5FAC}
2011-04-27 01:22:04 -------- d-----w- c:\docume~1\morris\applic~1\Huuziz
2011-04-27 01:22:04 -------- d-----w- c:\docume~1\morris\applic~1\2874392D513E59CB58D1165949F560A5
2011-04-27 01:19:18 -------- d--h--w- c:\windows\ie8
2011-04-26 23:39:44 -------- dc----w- c:\windows\ie8(2)
2011-04-26 06:47:41 -------- d-----w- c:\windows\system32\CatRoot2
2011-04-25 15:09:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-25 14:54:09 106496 --sha-r- c:\windows\system32\winmineq.dll
2011-04-25 14:49:24 -------- d-----w- c:\docume~1\morris\applic~1\TeamViewer
2011-04-25 05:34:47 -------- d-----w- c:\windows\ERDNT -registry backup 04252011
2011-04-24 02:58:10 -------- d-----w- c:\program files\Microsoft Security Client
2011-04-24 02:11:05 -------- d-----w- c:\program files\Microsoft Easy Assist
2011-04-24 02:09:59 -------- d-----w- c:\docume~1\alluse~1\applic~1\Applications
2011-04-23 06:04:59 -------- d-----w- c:\program files\AVG
2011-04-22 06:29:33 -------- d-----w- c:\program files\common files\ParetoLogic
2011-04-22 06:29:33 -------- d-----w- c:\docume~1\morris\applic~1\ParetoLogic
2011-04-22 06:29:33 -------- d-----w- c:\docume~1\alluse~1\applic~1\ParetoLogic
2011-04-22 06:28:46 -------- d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2011-04-22 06:15:57 -------- d-----w- c:\docume~1\morris\applic~1\DriverCure
2011-04-22 05:51:27 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-04-21 08:06:13 -------- d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2011-04-17 06:20:35 -------- d-----w- c:\docume~1\morris\locals~1\applic~1\PackageAware
2011-04-15 22:52:58 -------- d-----w- c:\docume~1\morris\applic~1\Umxye
2011-04-07 04:40:15 -------- d-----w- c:\docume~1\morris\applic~1\IObit
2011-04-07 04:40:02 29520 ----a-w- c:\windows\system32\SmartDefragBootTime.exe
2011-04-07 04:40:02 13496 ----a-w- c:\windows\system32\drivers\SmartDefragDriver.sys
2011-04-07 04:39:57 -------- d-----w- c:\program files\IObit
2011-04-04 02:32:31 -------- d-----w- c:\program files\NirSoft
.
==================== Find3M ====================
.
2011-04-24 04:14:23 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys
2011-04-10 04:11:26 256 ----a-w- c:\windows\system32\pool.bin
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06:29 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06:29 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-11 13:25:52 229888 ----a-w- c:\windows\system32\fxscover.exe
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33:55 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33:55 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD400BB-75CAA0 rev.16.06V16 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys iomdisk.sys hal.dll >>UNKNOWN [0x8ACE54E7]<<
c:\windows\system32\drivers\iomdisk.sys Iomega Corporation Microsoft(R) Windows NT(R) Operating System
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8aceb7d0]; MOV EAX, [0x8aceb84c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x8AD89AB8]
3 CLASSPNP[0xF7647FD7] -> nt!IofCallDriver[0x804E37D5] -> [0x8AD8CB08]
5 iomdisk[0xF7717BC3] -> nt!IofCallDriver[0x804E37D5] -> [0x8AD6AD98]
\Driver\atapi[0x8AD9DB08] -> IRP_MJ_CREATE -> 0x8ACE54E7
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8ACE5332
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 18:14:17.25 ===============


Here's the DDS file:

km2357
2011-05-04, 06:13
Hello and welcome to Safer Networking.

My name is km2357 and I will be helping you to remove any infection(s) that you may have.

I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.

Please do not start another thread or topic, I will assist you at this thread until we solve your problems.

Lastly, the fix may take several attempts and my replies may take some time, but I will stick with it if you do the same.

Sorry for the delay in replying; the forum is very busy. If you still need help, please do the following:


Step # 1 Download and run DDS

Download DDS and save it to your desktop from here (http://download.bleepingcomputer.com/sUBs/dds.scr) or here (http://www.infospyware.net/sUBs/dds) or here (http://download.bleepingcomputer.com/sUBs/dds.com)
Disable any script blocker, and then double click dds.scr to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt

Save both reports to your desktop. Post them back to your topic.



Step # 2: Download and Run Gmer

Please download gmer.zip (http://www.gmer.net/gmer.zip) from Gmer and save it to your desktop.

***Please close any open programs ***

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst

If possible rootkit activity is found, you will be asked if you would like to perform a full scan. Click No.

If you do not receive notice about possible rootkit activity remain on the Rootkit/Malware tab & make sure that the 'Sections' button is ticked and the 'Show All' button is unticked. Click the Scan button and let the program do its work. GMER will produce a log.

Once the scan is complete, you may receive another notice about rootkit activity.
Click OK.

GMER will produce a log. Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.

DO NOT touch the PC at ALL for whatever reason(s) until it has 100% completed its scan, or attempted scan in case of some error, etc.!

Please post the results from the GMER scan in your reply.


In your next post/reply, I need to see the following:

1. The two DDS Logs (DDS and Attach.txt)
2. The GMER Log

Use multiple posts if you can't fit everything into one post.
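
As an added illustration, not part of this thread and not code from DDS or GMER, the Python script below parses the kinds of lines that appear in the DDS "ROOTKIT" section above and in a GMER log: the `.text ... JMP ...` inline hook lines, the `\Driver\atapi DriverStartIo` hook lines, the `>>UNKNOWN [0x...]<<` marker in the "called modules" trace, and the explicit rootkit warnings. The sample lines are copied from the logs posted in this thread; the regular expressions and the triage heuristic (a JMP target that GMER does not attribute to a module path on disk is treated as suspicious, while one followed by an owning module such as MSSRCH.DLL is not) are my reading of the log format, not documented behaviour of either tool.

```python
"""Triage helper for DDS "ROOTKIT" sections and GMER log lines (added example)."""
import re
from collections import defaultdict

# GMER user-mode hook line:
# .text <process>[<pid>] <module>!<function> <addr> <n> Bytes JMP <target> [<owning module> (...)]
GMER_HOOK_RE = re.compile(
    r"^\.text\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<function>\S+)\s+"
    r"(?P<address>[0-9A-F]+)\s+(?P<size>\d+)\s+Bytes\s+JMP\s+"
    r"(?P<target>[0-9A-F]+)(?:\s+(?P<owner>\S.*))?$",
    re.IGNORECASE,
)
# GMER "Devices" line: Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8ACFF332
GMER_DEVICE_RE = re.compile(
    r"^Device\s+(?P<driver>\\Driver\\\S+)\s+->\s+(?P<routine>\w+)\s+\S+\s+(?P<address>[0-9A-F]+)$",
    re.IGNORECASE,
)
# DDS "detected hooks" line: \Driver\atapi DriverStartIo -> 0x8ACE5332
DDS_HOOK_RE = re.compile(
    r"^(?P<driver>\\Driver\\\S+)\s+(?P<routine>\w+)\s+->\s+0x(?P<address>[0-9A-F]+)$",
    re.IGNORECASE,
)
# DDS "called modules" trace marks code that lives outside any loaded module.
UNKNOWN_RE = re.compile(r">>UNKNOWN\s+\[0x(?P<address>[0-9A-F]+)\]<<", re.IGNORECASE)
WARNING_RE = re.compile(r"^(Warning:.*|Disk .* rootkit-like behavior)$")

# Constructed sample: lines copied from the DDS and GMER logs posted in this thread.
SAMPLE_LOG = r"""
.text C:\WINDOWS\Explorer.EXE[420] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C0000A
.text C:\WINDOWS\System32\svchost.exe[916] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00DC000A
.text C:\WINDOWS\system32\SearchIndexer.exe[2432] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\WINDOWS\system32\wuauclt.exe[2804] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00E3000A
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8ACFF332
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys iomdisk.sys hal.dll >>UNKNOWN [0x8ACE54E7]<<
\Driver\atapi DriverStartIo -> 0x8ACE5332
Warning: possible TDL3 rootkit infection !
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior
"""


def triage(log_text):
    """Classify each recognised line of a DDS/GMER log into a findings dict."""
    report = {
        "hooks": [],          # every user-mode inline hook GMER listed
        "unattributed": [],   # hooks whose JMP target GMER did not map to a module on disk
        "driver_hooks": [],   # kernel driver StartIo/dispatch hooks (GMER and DDS formats)
        "unknown_code": [],   # code addresses outside any loaded module (DDS trace)
        "warnings": [],       # explicit rootkit warnings from either tool
    }
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = GMER_HOOK_RE.match(line)
        if m:
            hook = m.groupdict()
            # Keep only the executable name, lower-cased, so grouping ignores path case.
            hook["process"] = hook["process"].rsplit("\\", 1)[-1].lower()
            report["hooks"].append(hook)
            if hook["owner"] is None:
                report["unattributed"].append(hook)
            continue
        m = GMER_DEVICE_RE.match(line) or DDS_HOOK_RE.match(line)
        if m:
            report["driver_hooks"].append((m["driver"], m["routine"], m["address"].upper()))
            continue
        m = UNKNOWN_RE.search(line)
        if m:
            report["unknown_code"].append(m["address"].upper())
            continue
        if WARNING_RE.match(line):
            report["warnings"].append(line)
    return report


def summarize(report):
    """Condense a triage report into the facts an analyst asks for first."""
    by_process = defaultdict(list)
    for h in report["unattributed"]:
        by_process[h["process"]].append(f'{h["module"]}!{h["function"]}')
    flagged = bool(report["driver_hooks"] or report["warnings"])
    return {
        "hooked_processes": sorted(by_process),
        "driver_hook_addresses": sorted({a for _, _, a in report["driver_hooks"]}),
        "unknown_code": sorted(set(report["unknown_code"])),
        "warning_count": len(report["warnings"]),
        # Mirrors the thread's own advice: scanner findings are reviewed, not acted on blindly.
        "verdict": "review with an analyst" if flagged else "nothing flagged",
    }


if __name__ == "__main__":
    for key, value in summarize(triage(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

On the thread's own lines the script groups the unattributed ntdll hooks under explorer.exe, svchost.exe and wuauclt.exe, which is consistent with the symptoms reported in the first post (svchost load and a Windows Update client that cannot connect), and it lists the two atapi DriverStartIo addresses that DDS and GMER each reported. Treat the output as a reading aid for the logs, not as a cleanup decision; that stays with the analyst, as the caution about "<--- ROOTKIT" entries says.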

Alene
2011-05-04, 14:47
KM2357,
Here's the data you asked for.


GMER 1.0.15.15572 - http://www.gmer.net
Rootkit scan 2011-05-04 08:31:16
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 WDC_WD400BB-75CAA0 rev.16.06V16
Running: gmer.exe; Driver: C:\DOCUME~1\Morris\LOCALS~1\Temp\uwlyypog.sys


---- Kernel code sections - GMER 1.0.15 ----

init C:\WINDOWS\System32\Drivers\HPFECP15.SYS entry point in "init" section [0xB38D3080]
? C:\DOCUME~1\Morris\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[420] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C0000A
.text C:\WINDOWS\Explorer.EXE[420] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C1000A
.text C:\WINDOWS\Explorer.EXE[420] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B8000C
.text C:\WINDOWS\System32\svchost.exe[916] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0071000A
.text C:\WINDOWS\System32\svchost.exe[916] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00DC000A
.text C:\WINDOWS\System32\svchost.exe[916] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0070000C
.text C:\WINDOWS\System32\svchost.exe[916] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 006C000A
.text C:\WINDOWS\System32\svchost.exe[916] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 00FD000A
.text C:\WINDOWS\system32\SearchIndexer.exe[2432] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\WINDOWS\system32\wuauclt.exe[2804] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00E3000A
.text C:\WINDOWS\system32\wuauclt.exe[2804] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00E4000A
.text C:\WINDOWS\system32\wuauclt.exe[2804] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00E2000C

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8ACFF332
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8ACFF332

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\3ivx MPEG-4 5.0.3@Changed 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\BlackBerry_{CE5E3F15-320A-4865-97D3-F07227C5BB2F}@Changed 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ie8@Changed 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\KB954155_WM9@Changed 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\KB954550-v5@Changed 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\KB956744@Changed 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\KB956844@Changed 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\KB958869@Changed 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\KB960859@Changed 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\KB961118@Changed 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\KB968389@Changed 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\KB968816_WM9@Changed 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\KB969059@Changed 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\KB969947@Changed 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\KB970653-v3@Changed 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\KB971486@Changed 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\KB971557@Changed 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\KB971657@Changed 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\KB971961-IE8@Changed 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\KB972260-IE8@Changed 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\KB972636-IE8@Changed 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\KB973354@Changed 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\KB973507@Changed 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\KB973525@Changed 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\KB973540_WM9@Changed 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\KB973687@Changed 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\KB973815@Changed 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\KB973869@Changed 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\KB974112@Changed 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\KB974455-IE8@Changed 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\KB974571@Changed 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\KB975025@Changed 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\KB975467@Changed 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\KB976098-v2@Changed 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\KB976749-IE8@Changed 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\M953297@Changed 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Microsoft .NET Framework 3.5 SP1@Changed 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Portrait Professional 6_is1@Changed 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Tunatic@Changed 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{0D3F9802-689F-9B6D-8E44-B55971F0CCBB}@Changed 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{1C8DFA71-4079-4F02-B8BB-47B12C1A565F}@Changed 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{1EFE09D3-6C77-4E6D-876F-76CB30D2056C}@Changed 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{268789C4-53E6-4DDB-8F33-8D0F9E000BEA}@Changed 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{298ED0E9-EF39-3BB9-8389-2FE41DC8FC80}@Changed 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{2D1AC484-E516-408C-8825-ACB1C356AC7A}@Changed 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{2F3AB6ED-951C-4CE7-8AC9-8546FDCF1F5A}@Changed 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{309E2514-29D4-405C-B3B1-14D7231BFA16}@Changed 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{4582C7EB-93F5-408D-9F29-5A5BE1E76845}@Changed 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{494AD45E-E071-4819-8E15-E1041FBFF073}@Changed 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{4B719A70-F14A-4f5c-90B5-346B24B7FFF1}@Changed 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{724309E5-E712-426C-B94D-B6B42511C29F}@Changed 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{81719652-18E0-47B1-9A12-F82BF075D4DB}@Changed 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{971D6F8B-E8C5-49A4-9ED3-89C010B0D8D2}@Changed 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}@Changed 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{AF5D3F34-843A-41BF-A0F3-2FBBA00BA9B9}@Changed 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{BEEBFC3C-48B1-4A38-A3C5-81BA19DF5F40}@Changed 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}@Changed 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{C96D1542-585F-412D-8C5A-0240BDA164B9}@Changed 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}.KB953595@Changed 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}.KB958484@Changed 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}.KB963707@Changed 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{CF24EDF1-E236-4332-83CB-4C701A9BCBF0}@Changed 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{DAC0309E-07F6-45AD-B5BF-5B0DEF71FFEE}@Changed 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{DB164C6E-8E4A-4730-97C6-DE8486EB367F}@Changed 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{DF76B188-11DB-43DC-A389-10422995A979}@Changed 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{ECD82B28-48BE-426C-B55B-6EC022616285}@Changed 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{F0B7330E-24B8-43EA-8CD6-D114428A1CEC}@Changed 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{F4D03C19-DCA0-4B09-83E7-BE3B06C8D4DC}@Changed 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}@Changed 0

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- EOF - GMER 1.0.15 ----



GMER 1.0.15.15572 - http://www.gmer.net
Rootkit scan 2011-05-04 08:31:16
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 WDC_WD400BB-75CAA0 rev.16.06V16
Running: gmer.exe; Driver: C:\DOCUME~1\Morris\LOCALS~1\Temp\uwlyypog.sys


---- Kernel code sections - GMER 1.0.15 ----

init C:\WINDOWS\System32\Drivers\HPFECP15.SYS entry point in "init" section [0xB38D3080]
? C:\DOCUME~1\Morris\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[420] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C0000A
.text C:\WINDOWS\Explorer.EXE[420] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C1000A
.text C:\WINDOWS\Explorer.EXE[420] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B8000C
.text C:\WINDOWS\System32\svchost.exe[916] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0071000A
.text C:\WINDOWS\System32\svchost.exe[916] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00DC000A
.text C:\WINDOWS\System32\svchost.exe[916] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0070000C
.text C:\WINDOWS\System32\svchost.exe[916] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 006C000A
.text C:\WINDOWS\System32\svchost.exe[916] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 00FD000A
.text C:\WINDOWS\system32\SearchIndexer.exe[2432] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\WINDOWS\system32\wuauclt.exe[2804] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00E3000A
.text C:\WINDOWS\system32\wuauclt.exe[2804] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00E4000A
.text C:\WINDOWS\system32\wuauclt.exe[2804] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00E2000C

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8ACFF332
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8ACFF332

---- Registry - GMER 1.0.15 ----


---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- EOF - GMER 1.0.15 ----

Alene
2011-05-04, 15:29
Here's the DDS file:

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Morris at 1:37:30.48 on Wed 05/04/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1279.699 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\spoolsv.exe
F:\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Security Client\msseces.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\WINDOWS\system32\Pen_Tablet.exe
svchost.exe
C:\Documents and Settings\Morris\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mURLSearchHooks: H - No File
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboForm.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File
BHO: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.6209.1142\swg.dll
BHO: ieCom Class: {c6ceac32-d45c-11d4-94af-0050babd5fd6} - c:\program files\url organizer\UrlOrgIE.dll
BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - No File
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboForm.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
dRunOnce: [RunNarrator] Narrator.exe
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - {C651A691-CCD9-11D2-92D3-0000F87A4A55} - c:\windows\system32\webzone.dll
IE: {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - {C651A693-CCD9-11D2-92D3-0000F87A4A55} - c:\windows\system32\webzone.dll
IE: {FC09D8A3-C85A-11d2-92D0-0000F87A4A55} - {A58D06D4-CA90-11D2-92D2-0000F87A4A55} - c:\windows\system32\oline.dll
Trusted Zone: aol.com\my.screenname
Trusted Zone: aol.com\webmail
Trusted Zone: microsoft.com\*.update
Trusted Zone: microsoft.com\update
Trusted Zone: microsoft.com\windowsupdate
Trusted Zone: microsoft.com\www.update
Trusted Zone: windowsupdate.com\download
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
DPF: Microsoft XML Parser for Java
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B}
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8}
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94}
DPF: {11260943-421B-11D0-8EAC-0000C07D88CF}
DPF: {166B1BCA-3F9C-11CF-8075-444553540000}
DPF: {17492023-C23A-453E-A040-C7C580BBF700}
DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C}
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE}
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0}
DPF: {43B70AAD-23F4-4FD8-ADD9-441D8592EEB8}
DPF: {5763F8E8-0DD7-4A0F-ADB0-9F64C8F2C349}
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxps://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1303957118671
DPF: {65FDEDF3-8ED9-4F5B-825E-18C2D44191A7}
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1281675242218
DPF: {6F750200-1362-4815-A476-88533DE61D0C}
DPF: {6F750202-1362-4815-A476-88533DE61D0C}
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737}
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93}
DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D}
DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7}
DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68}
DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A}
DPF: {963BE66B-121D-4E6C-BF9F-1A774D9A2E41} - hxxp://moneycentral.msn.com/cabs/pmupdate2.exe
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429}
DPF: {AECD14A8-F662-11D1-A395-00805F535788}
DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C}
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000}
DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
DPF: {D670D0B3-05AB-4115-9F87-D983EF1AC747}
DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB}
DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7}
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B}
DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003}
DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5}
TCP: {894A79C5-4324-4432-A90F-654335FBE272} = 4.2.2.1,4.2.2.2
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Name-Space Handler: ftp\GetRightIEClickCatcher - {73BA8F12-723E-11D1-A9E2-00403320FCF2} -
Name-Space Handler: http\GetRightIEClickCatcher - {73BA8F12-723E-11D1-A9E2-00403320FCF2} -
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
============= SERVICES / DRIVERS ===============
.
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [2011-4-7 13496]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
R1 MpKsl3b820920;MpKsl3b820920;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f4491624-2c96-4b7f-a2b1-89b37bd3d829}\MpKsl3b820920.sys [2011-5-4 28752]
R2 HPFECP15;HPFECP15;c:\windows\system32\drivers\HPFecp15.sys [1999-2-16 52800]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2008-3-7 1373480]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-5 135664]
S3 Iprip;RIP Listener;c:\windows\system32\svchost.exe -k netsvcs [2001-8-18 14336]
S3 lgatbus;LG USB Composite Device driver (WDM);c:\windows\system32\drivers\lgatbus.sys [2007-4-17 43024]
S3 lgatmdm;LG CDMA USB Modem Drivers;c:\windows\system32\drivers\lgatmdm.sys [2007-4-17 77104]
S3 lgatserd;LG CDMA USB Modem Diagnostic Serial Port Drivers (WDM);c:\windows\system32\drivers\lgatserd.sys [2007-4-17 60816]
.
=============== Created Last 30 ================
.
2011-05-04 05:35:21 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{f4491624-2c96-4b7f-a2b1-89b37bd3d829}\MpKsl3b820920.sys
2011-05-03 00:03:24 7071056 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{f4491624-2c96-4b7f-a2b1-89b37bd3d829}\mpengine.dll
2011-05-01 03:21:02 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-05-01 03:21:02 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-04-30 14:35:56 7071056 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2011-04-30 04:48:33 -------- d-sha-r- C:\cmdcons
2011-04-29 04:14:08 2476 ----a-w- C:\regbak.reg
2011-04-28 04:17:33 -------- d-----w- c:\program files\ESET
2011-04-28 02:43:36 98816 ----a-w- c:\windows\sed.exe
2011-04-28 02:43:36 89088 ----a-w- c:\windows\MBR.exe
2011-04-28 02:43:36 256512 ----a-w- c:\windows\PEV.exe
2011-04-28 02:43:36 161792 ----a-w- c:\windows\SWREG.exe
2011-04-27 01:23:56 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-04-27 01:23:56 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-27 01:22:04 -------- d-----w- c:\docume~1\morris\locals~1\applic~1\{7CBA73E9-288D-47ED-8FD7-A2540E3C5FAC}
2011-04-27 01:22:04 -------- d-----w- c:\docume~1\morris\applic~1\Huuziz
2011-04-27 01:22:04 -------- d-----w- c:\docume~1\morris\applic~1\2874392D513E59CB58D1165949F560A5
2011-04-27 01:19:18 -------- d--h--w- c:\windows\ie8
2011-04-26 23:39:44 -------- dc----w- c:\windows\ie8(2)
2011-04-26 06:47:41 -------- d-----w- c:\windows\system32\CatRoot2
2011-04-25 15:09:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-25 14:54:09 106496 --sha-r- c:\windows\system32\winmineq.dll
2011-04-25 14:49:24 -------- d-----w- c:\docume~1\morris\applic~1\TeamViewer
2011-04-25 05:34:47 -------- d-----w- c:\windows\ERDNT -registry backup 04252011
2011-04-24 02:58:10 -------- d-----w- c:\program files\Microsoft Security Client
2011-04-24 02:11:05 -------- d-----w- c:\program files\Microsoft Easy Assist
2011-04-24 02:09:59 -------- d-----w- c:\docume~1\alluse~1\applic~1\Applications
2011-04-23 06:04:59 -------- d-----w- c:\program files\AVG
2011-04-22 06:29:33 -------- d-----w- c:\program files\common files\ParetoLogic
2011-04-22 06:29:33 -------- d-----w- c:\docume~1\morris\applic~1\ParetoLogic
2011-04-22 06:29:33 -------- d-----w- c:\docume~1\alluse~1\applic~1\ParetoLogic
2011-04-22 06:28:46 -------- d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2011-04-22 06:15:57 -------- d-----w- c:\docume~1\morris\applic~1\DriverCure
2011-04-22 05:51:27 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-04-21 08:06:13 -------- d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2011-04-17 06:20:35 -------- d-----w- c:\docume~1\morris\locals~1\applic~1\PackageAware
2011-04-15 22:52:58 -------- d-----w- c:\docume~1\morris\applic~1\Umxye
2011-04-07 04:40:15 -------- d-----w- c:\docume~1\morris\applic~1\IObit
2011-04-07 04:40:02 29520 ----a-w- c:\windows\system32\SmartDefragBootTime.exe
2011-04-07 04:40:02 13496 ----a-w- c:\windows\system32\drivers\SmartDefragDriver.sys
2011-04-07 04:39:57 -------- d-----w- c:\program files\IObit
.
==================== Find3M ====================
.
2011-05-04 04:28:46 14336 ----a-w- c:\windows\system32\svchost.exe
2011-05-01 01:34:01 237568 ----a-w- c:\windows\system32\rmc_rtspdl.dll
2011-05-01 01:34:01 156672 ----a-w- c:\windows\system32\rmc_fixasf.exe
2011-04-24 04:14:23 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys
2011-04-10 04:11:26 256 ----a-w- c:\windows\system32\pool.bin
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06:29 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06:29 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41:59 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-11 13:25:52 229888 ----a-w- c:\windows\system32\fxscover.exe
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33:55 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33:55 974848 ----a-w- c:\windows\system32\mfc42u.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD400BB-75CAA0 rev.16.06V16 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys iomdisk.sys hal.dll >>UNKNOWN [0x8ACFF4E7]<<
c:\windows\system32\drivers\iomdisk.sys Iomega Corporation Microsoft(R) Windows NT(R) Operating System
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8ad057d0]; MOV EAX, [0x8ad0584c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x8AD95AB8]
3 CLASSPNP[0xF7647FD7] -> nt!IofCallDriver[0x804E37D5] -> [0x8AD97B08]
5 iomdisk[0xF7717BC3] -> nt!IofCallDriver[0x804E37D5] -> [0x8AD883B0]
\Driver\atapi[0x8AD6AB08] -> IRP_MJ_CREATE -> 0x8ACFF4E7
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8ACFF332
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 1:43:22.42 ===============

km2357
2011-05-04, 20:26
If you have already downloaded ComboFix.exe, please delete it from your computer. You'll be downloading the latest version of ComboFix in this post.


IMPORTANT: I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Azureus

BitTorrent 5.0.9

I'd like you to read the Guidelines for P2P Programs (http://spywarewarrior.com/viewtopic.php?t=26216) where we explain why it's not a good idea to have them.

Also available here (http://malwareremoval.com/forum/viewtopic.php?p=491394#p491394).

My recommendation is you go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).



Step # 1 Download and Run mbr.exe

Please download mbr.exe (http://www2.gmer.net/mbr/mbr.exe) by GMER and save it to the C:\Windows\System32 folder.

Next, click Start-->Run
Once the Run box is open, type "mbr -f" and press Enter.
A DOS box will pop up then close.

Once the DOS box opens and closes, double-click mbr.exe and a log will appear on screen. Post back the log in your next post.


Step # 2: Download and Run ComboFix

Download ComboFix from any of the links below. You must rename it to alene.exe before saving it. Save it to your Desktop.

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.infospyware.net/antimalware/combofix/)

--------------------------------------------------------------------

*Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Double-click on alene.exe and follow the prompts.
When finished, it will produce a report for you.
Please include C:\ComboFix.txt in your next reply so we can continue cleaning the system.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


In your next post/reply, I need to see the following:

1. The mbr.exe log
2. The ComboFix log

Alene
2011-05-05, 03:09
Attached are the files you asked for.
I deleted the 2 P2P programs as well as disabled the Microsoft Security Essentials as you asked. ComboFix said something about detecting a rootkit or something like that and needed to look for it, and the system shut down and rebooted. I entered my password (administrator), Windows loaded and it began to run.
Here are the files which were generated. I was also unable to upload this via the posting and had to copy it to another computer to upload.
Hope they tell you something you can work with. I will be away for the next 24 hours so I may not be able to reply to your next post until Friday. Thanks

GMER 1.0.15.15572 - http://www.gmer.net
Rootkit scan 2011-05-04 08:31:16
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 WDC_WD400BB-75CAA0 rev.16.06V16
Running: gmer.exe; Driver: C:\DOCUME~1\Morris\LOCALS~1\Temp\uwlyypog.sys


---- Kernel code sections - GMER 1.0.15 ----

init C:\WINDOWS\System32\Drivers\HPFECP15.SYS entry point in "init" section [0xB38D3080]
? C:\DOCUME~1\Morris\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[420] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C0000A
.text C:\WINDOWS\Explorer.EXE[420] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C1000A
.text C:\WINDOWS\Explorer.EXE[420] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B8000C
.text C:\WINDOWS\System32\svchost.exe[916] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0071000A
.text C:\WINDOWS\System32\svchost.exe[916] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00DC000A
.text C:\WINDOWS\System32\svchost.exe[916] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0070000C
.text C:\WINDOWS\System32\svchost.exe[916] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 006C000A
.text C:\WINDOWS\System32\svchost.exe[916] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 00FD000A
.text C:\WINDOWS\system32\SearchIndexer.exe[2432] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\WINDOWS\system32\wuauclt.exe[2804] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00E3000A
.text C:\WINDOWS\system32\wuauclt.exe[2804] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00E4000A
.text C:\WINDOWS\system32\wuauclt.exe[2804] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00E2000C

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8ACFF332
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8ACFF332

---- Registry - GMER 1.0.15 ----


---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- EOF - GMER 1.0.15 ----

ComboFix 11-05-04.02 - Morris 05/04/2011 19:19:26.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1279.813 [GMT -4:00]
Running from: c:\documents and settings\Morris\Desktop\Alene.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
ADS - svchost.exe: deleted 88 bytes in 2 streams.
.
((((((((((((((((((((((((( Files Created from 2011-04-04 to 2011-05-04 )))))))))))))))))))))))))))))))
.
.
2011-05-04 22:56 . 2011-05-04 22:56 89088 ----a-w- c:\windows\system32\mbr.exe
2011-05-04 03:00 . 2011-05-04 03:05 -------- d-----w- c:\documents and settings\Morris\Application Data\vlc
2011-05-03 00:03 . 2011-04-18 13:15 7071056 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F4491624-2C96-4B7F-A2B1-89B37BD3D829}\mpengine.dll
2011-05-02 23:42 . 2011-05-02 23:42 -------- d-sh--w- c:\documents and settings\NetworkService\IECompatCache
2011-05-02 05:16 . 2011-05-02 05:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Search
2011-05-02 05:12 . 2011-05-02 05:12 -------- d-----w- c:\documents and settings\Administrator\Application Data\ArcSoft
2011-05-01 14:09 . 2011-05-01 14:10 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2011-05-01 03:21 . 2011-05-01 03:20 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-05-01 03:21 . 2011-05-01 03:20 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-04-30 14:35 . 2011-04-18 13:15 7071056 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-04-30 00:05 . 2011-04-30 00:05 -------- d-----w- c:\documents and settings\Administrator\Application Data\IObit
2011-04-29 04:14 . 2011-04-29 04:14 2476 ----a-w- C:\regbak.reg
2011-04-28 04:17 . 2011-04-28 04:17 -------- d-----w- c:\program files\ESET
2011-04-28 04:09 . 2011-04-28 04:09 -------- d-----w- c:\documents and settings\Administrator\Application Data\TeamViewer
2011-04-27 01:23 . 2011-04-27 01:23 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-27 01:22 . 2011-04-27 01:22 -------- d-----w- c:\documents and settings\Morris\Local Settings\Application Data\{7CBA73E9-288D-47ED-8FD7-A2540E3C5FAC}
2011-04-27 01:22 . 2011-04-27 01:22 -------- d-----w- c:\documents and settings\Morris\Application Data\Huuziz
2011-04-27 01:22 . 2011-04-27 01:22 -------- d-----w- c:\documents and settings\Morris\Application Data\2874392D513E59CB58D1165949F560A5
2011-04-27 01:19 . 2011-04-27 01:21 -------- d--h--w- c:\windows\ie8
2011-04-26 06:47 . 2011-05-04 23:17 -------- d-----w- c:\windows\system32\CatRoot2
2011-04-25 15:09 . 2011-04-30 14:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-25 15:01 . 2011-04-25 15:01 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2011-04-25 14:54 . 2011-04-25 14:54 106496 --sha-r- c:\windows\system32\winmineq.dll
2011-04-25 14:49 . 2011-04-25 14:49 -------- d-----w- c:\documents and settings\Morris\Application Data\TeamViewer
2011-04-25 05:34 . 2011-04-25 05:34 -------- d-----w- c:\windows\ERDNT -registry backup 04252011
2011-04-25 05:30 . 2011-04-25 05:32 -------- d-----w- c:\program files\ERUNT
2011-04-24 04:44 . 2011-04-24 04:44 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\PCHealth
2011-04-24 02:58 . 2011-04-24 02:58 -------- d-----w- c:\program files\Microsoft Security Client
2011-04-24 02:11 . 2011-04-24 02:11 -------- d-----w- c:\program files\Microsoft Easy Assist
2011-04-24 02:09 . 2011-04-24 02:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Applications
2011-04-23 07:33 . 2011-04-23 07:33 -------- d-----w- c:\documents and settings\Administrator\Application Data\AVG10
2011-04-23 06:04 . 2011-04-24 02:32 -------- d-----w- c:\program files\AVG
2011-04-22 23:53 . 2011-04-22 23:53 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2011-04-22 23:17 . 2011-04-22 23:17 -------- d-----w- c:\documents and settings\LocalService\Application Data\AdobeUM
2011-04-22 06:29 . 2011-04-22 06:29 -------- d-----w- c:\program files\Common Files\ParetoLogic
2011-04-22 06:29 . 2011-04-22 06:29 -------- d-----w- c:\documents and settings\Morris\Application Data\ParetoLogic
2011-04-22 06:29 . 2011-04-22 06:29 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2011-04-22 06:28 . 2011-04-24 02:29 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2011-04-22 06:28 . 2011-04-22 06:29 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2011-04-22 06:15 . 2011-04-22 06:15 -------- d-----w- c:\documents and settings\Morris\Application Data\DriverCure
2011-04-22 05:51 . 2010-10-19 20:51 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-04-21 08:06 . 2011-04-21 08:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2011-04-18 18:27 . 2011-04-18 18:27 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-04-17 06:20 . 2011-04-17 06:20 -------- d-----w- c:\documents and settings\Morris\Local Settings\Application Data\PackageAware
2011-04-15 22:52 . 2011-04-15 23:08 -------- d-----w- c:\documents and settings\Morris\Application Data\Umxye
2011-04-07 04:40 . 2011-04-07 04:40 -------- d-----w- c:\documents and settings\Morris\Application Data\IObit
2011-04-07 04:40 . 2011-02-23 21:04 13496 ----a-w- c:\windows\system32\drivers\SmartDefragDriver.sys
2011-04-07 04:40 . 2011-02-23 20:54 29520 ----a-w- c:\windows\system32\SmartDefragBootTime.exe
2011-04-07 04:39 . 2011-04-07 04:39 -------- d-----w- c:\program files\IObit
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-04 04:28 . 2001-08-18 12:00 14336 ----a-w- c:\windows\system32\svchost.exe
2011-05-01 01:34 . 2009-12-19 00:23 156672 ----a-w- c:\windows\system32\rmc_fixasf.exe
2011-05-01 01:34 . 2009-12-19 00:23 237568 ----a-w- c:\windows\system32\rmc_rtspdl.dll
2011-04-21 08:06 . 2010-07-28 02:47 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-03-07 05:33 . 2004-06-07 18:19 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2003-04-05 23:49 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2001-08-18 12:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2004-02-06 22:05 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2003-04-05 23:46 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2003-04-05 23:46 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 13:18 . 2001-08-18 12:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2001-08-18 12:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2009-04-14 21:37 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56 . 2001-08-18 12:00 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-11 13:25 . 2003-04-05 23:45 229888 ----a-w- c:\windows\system32\fxscover.exe
2011-02-09 13:53 . 2003-04-05 23:47 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2003-04-05 23:47 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33 . 2001-08-18 12:00 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33 . 2001-08-18 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-04-28_03.09.49 )))))))))))))))))))))))))))))))))))))))))
.
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2010-01-10 519584]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-04-22 160592]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Uninstall LastPass RunOnce.lnk - c:\documents and settings\Administrator\Application Data\lpuninstall.exe [N/A]
.
c:\documents and settings\Guest\Start Menu\Programs\Startup\
Uninstall LastPass RunOnce.lnk - c:\documents and settings\Guest\Application Data\lpuninstall.exe [N/A]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SmartDefragBootTime.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
backup=c:\windows\pss\KODAK Software Updater.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ask and Record FLV Service]
2009-09-22 19:09 156672 ----a-w- f:\program files\Flash downloader\FLVSrvc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Shockwave Updater]
2009-06-05 11:38 468408 ----a-w- c:\windows\system32\Adobe\Shockwave 11\SwHelper_1150600.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"IntuitUpdateService"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"SerialNumber"="A209F-X00-F4R7-80H6-J3"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Road Runner Video Mail\\RoadRunner_Video_Mail.exe"=
"c:\\Program Files\\HP\\Image Zone Express\\HP_IZE.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"f:\\torrents\\utorrent.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"f:\\Nero 7\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\BitPim\\bitpim.exe"=
"c:\\StubInstaller.exe"=
"f:\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"f:\\Program Files\\ASUS\\WL-520GU Wireless Router Utilities\\Discovery.exe"=
"c:\\Program Files\\ASUS\\WL-330gE Wireless AP Utilities\\Discovery.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"443:UDP"= 443:UDP:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:ooVoo UDP port 37675
.
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [4/7/2011 12:40 AM 13496]
R2 HPFECP15;HPFECP15;c:\windows\system32\drivers\HPFecp15.sys [2/16/1999 12:28 PM 52800]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [3/7/2008 8:46 PM 1373480]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/5/2010 11:01 PM 135664]
S3 Iprip;RIP Listener;c:\windows\System32\svchost.exe -k netsvcs [8/18/2001 8:00 AM 14336]
S3 lgatbus;LG USB Composite Device driver (WDM);c:\windows\system32\drivers\lgatbus.sys [4/17/2007 12:00 AM 43024]
S3 lgatmdm;LG CDMA USB Modem Drivers;c:\windows\system32\drivers\lgatmdm.sys [4/17/2007 12:01 AM 77104]
S3 lgatserd;LG CDMA USB Modem Diagnostic Serial Port Drivers (WDM);c:\windows\system32\drivers\lgatserd.sys [4/17/2007 12:01 AM 60816]
.
Contents of the 'Scheduled Tasks' folder
.
2008-02-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 22:13]
.
2011-05-04 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-08 23:40]
.
2011-05-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 03:00]
.
2011-05-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 03:00]
.
2011-05-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1123561945-1547161642-1801674531-1004Core.job
- c:\documents and settings\Morris\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-28 15:27]
.
2011-05-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1123561945-1547161642-1801674531-1004UA.job
- c:\documents and settings\Morris\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-28 15:27]
.
2011-05-04 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 16:26]
.
2011-05-04 c:\windows\Tasks\MpIdleTask.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 16:26]
.
2011-05-04 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1483187262-3002692871-3226700285-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 07:02]
.
2011-05-02 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1483187262-3002692871-3226700285-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 07:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: {{B06300D0-CCDE-11d2-92D3-0000F87A4A55} - {C651A691-CCD9-11D2-92D3-0000F87A4A55} - c:\windows\System32\webzone.dll
IE: {{BF80219A-CCDD-11d2-92D3-0000F87A4A55} - {C651A693-CCD9-11D2-92D3-0000F87A4A55} - c:\windows\System32\webzone.dll
IE: {{FC09D8A3-C85A-11d2-92D0-0000F87A4A55} - {A58D06D4-CA90-11D2-92D2-0000F87A4A55} - c:\windows\System32\oline.dll
Trusted Zone: aol.com\my.screenname
Trusted Zone: aol.com\webmail
Trusted Zone: microsoft.com\*.update
Trusted Zone: microsoft.com\update
Trusted Zone: microsoft.com\windowsupdate
Trusted Zone: microsoft.com\www.update
Trusted Zone: windowsupdate.com\download
TCP: {894A79C5-4324-4432-A90F-654335FBE272} = 4.2.2.1,4.2.2.2
Name-Space Handler: ftp\GetRightIEClickCatcher - {73BA8F12-723E-11D1-A9E2-00403320FCF2} -
Name-Space Handler: http\GetRightIEClickCatcher - {73BA8F12-723E-11D1-A9E2-00403320FCF2} -
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
DPF: Microsoft XML Parser for Java
DPF: {65FDEDF3-8ED9-4F5B-825E-18C2D44191A7}
DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7}
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
AddRemove-DVD2SVCD Software Bundle_is1 - c:\program files\DVD2SVCD\unins000.exe
AddRemove-Google Updater - c:\program files\Google\Google Updater\GoogleUpdater.exe
AddRemove-XTerm Medical Dictionary - c:\program files\XTerm Medical Dictionary\uninstall.exe
AddRemove-{2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\Google\Google Toolbar\Component\GoogleToolbarManager_C8CBFED7F00D3A8C.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-04 19:35
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD400BB-75CAA0 rev.16.06V16 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8ACF2332
user & kernel MBR OK
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,c2,e6,f9,11,b1,bf,d4,43,a6,c7,45,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,c2,e6,f9,11,b1,bf,d4,43,a6,c7,45,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(472)
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'lsass.exe'(532)
c:\windows\system32\WININET.dll
.
Completion time: 2011-05-04 19:41:01
ComboFix-quarantined-files.txt 2011-05-04 23:40
ComboFix2.txt 2011-04-30 05:10
ComboFix3.txt 2011-04-28 03:15
ComboFix4.txt 2011-04-26 06:06
.
Pre-Run: 9,084,432,384 bytes free
Post-Run: 9,118,253,056 bytes free
.
Current=4 Default=4 Failed=3 LastKnownGood=5 Sets=1,2,3,4,5
- - End Of File - - B641364104AFC95749576FD2FD595008

km2357
2011-05-05, 06:31
Step # 1: Download and Run TDSSKiller


Download TDSSKiller.exe (http://support.kaspersky.com/downloads/utils/tdsskiller.exe) and save it to your desktop.
Double-click TDSSKiller.exe to run it.
Under "Objects to scan" ensure both "Services and Drivers" and "Boot Sectors" are checked.
Click Start scan and allow it to scan for Malicious objects.
If malicious objects are found, the default action will be Cure, ensure Cure is selected then click Continue.
If suspicious objects are detected, the default action will be Skip, ensure Skip is selected then click Continue.
It may ask you to reboot the computer to complete the process. Click on Reboot Now and allow the computer to reboot.
A log will be created on your root (usually C: ) drive. The log is named like UtilityName.Version_Date_Time_log.txt.
For example: C:\TDSSKiller.2.4.1.2_20.04.2010_15.31.43_log.txt
If no reboot is required, click on Report. A log file should appear.
Please post the contents of the logfile in your next reply.


If TDSSKiller does not reboot your computer, please reboot it.

Once it has booted back up, do the following:

---------------

Run Batchfile

Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the codebox to Notepad. Save it as "All Files" and name it mbrlog.bat. Please save it on your desktop.


@echo off
mbr.exe -t
start mbr.log
del %0

Double click mbrlog.bat. A window will open and close. This is normal.


In your next post/reply, I need to see the following:

1. TDSSKiller Log
2. The mbrlog.bat Log
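The MBR checks that TDSSKiller's "Boot Sectors" scan and mbr.exe perform come down to comparing the boot sector against a known-good copy and sanity-checking its partition table. The script below is an added example, not code from this thread or from TDSSKiller, GMER or mbr.exe; the 512-byte sector it builds is constructed, and the baseline hash is assumed to come from a clean backup of the same disk.

```python
"""Parse a 512-byte MBR image and report signs of tampering.

Added example for this thread, not code from TDSSKiller, GMER or mbr.exe.
It does the simplest form of what a boot-sector scanner does: hash the
boot-code area against a known-good baseline and check the partition
table for values that no legitimate MBR would carry. The sample sector
built by build_sample_mbr() is constructed, not captured from a disk.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445 hold the boot code
PART_TABLE_OFF = 446         # four 16-byte partition entries follow
SIGNATURE_OFF = 510          # the sector must end with 0x55 0xAA
# status, CHS start, type, CHS end, LBA start, sector count
PART_ENTRY = struct.Struct("<B3sB3sII")


def boot_code_sha256(mbr):
    """Hash only the boot-code area, which is the part a bootkit rewrites."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def parse_partition_table(mbr):
    """Return the four partition entries as dicts (empty entries included)."""
    entries = []
    for i in range(4):
        status, _, ptype, _, lba, count = PART_ENTRY.unpack_from(
            mbr, PART_TABLE_OFF + 16 * i)
        entries.append({"index": i, "status": status, "type": ptype,
                        "lba_start": lba, "sectors": count})
    return entries


def check_mbr(mbr, baseline_sha256):
    """Return a list of findings; an empty list means nothing suspicious.

    baseline_sha256 is the SHA-256 of the boot code from a known-good copy
    of this machine's MBR (assumed here to come from an offline backup),
    because legitimate boot code differs between Windows versions and OEMs.
    """
    findings = []
    if len(mbr) != MBR_SIZE:
        return ["sector is %d bytes, expected %d" % (len(mbr), MBR_SIZE)]
    if mbr[SIGNATURE_OFF:SIGNATURE_OFF + 2] != b"\x55\xaa":
        findings.append("missing 0x55AA boot signature")
    if boot_code_sha256(mbr) != baseline_sha256:
        findings.append("boot code differs from the known-good baseline")

    parts = [p for p in parse_partition_table(mbr) if p["type"] != 0]
    if len([p for p in parts if p["status"] == 0x80]) > 1:
        findings.append("more than one partition flagged active")
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            findings.append("partition %d has invalid status byte 0x%02x"
                            % (p["index"], p["status"]))
        if p["lba_start"] == 0 or p["sectors"] == 0:
            findings.append("partition %d has a zero start or length"
                            % p["index"])
    # Two partitions claiming the same sectors is never legitimate.
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"], p["index"])
                   for p in parts)
    for (s1, e1, i1), (s2, e2, i2) in zip(spans, spans[1:]):
        if s2 < e1:
            findings.append("partitions %d and %d overlap" % (i1, i2))
    return findings


def build_sample_mbr(tamper=False):
    """Constructed 512-byte sample sector (not a real disk capture)."""
    mbr = bytearray(MBR_SIZE)
    # A few plausible opening bytes of x86 boot code, then NOP padding.
    mbr[0:8] = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c"
    mbr[8:BOOT_CODE_LEN] = b"\x90" * (BOOT_CODE_LEN - 8)
    # One active NTFS (type 0x07) partition starting at LBA 63.
    PART_ENTRY.pack_into(mbr, PART_TABLE_OFF, 0x80, b"\x01\x01\x00", 0x07,
                         b"\xfe\xff\xff", 63, 78140097)
    mbr[SIGNATURE_OFF:SIGNATURE_OFF + 2] = b"\x55\xaa"
    if tamper:
        # Replace the start of the boot code while leaving the partition
        # table and signature intact, which is why a bootkit like TDL4
        # survives a glance at the partition layout alone.
        mbr[0:8] = b"\xeb\x58\x90\x00\x00\x00\x00\x00"
    return bytes(mbr)


if __name__ == "__main__":
    baseline = boot_code_sha256(build_sample_mbr())
    print("clean   :", check_mbr(build_sample_mbr(), baseline) or "no findings")
    print("tampered:", check_mbr(build_sample_mbr(tamper=True), baseline))
```

On a real machine the sector to feed check_mbr() is the first 512 bytes of the physical disk, read with administrative rights, and the baseline is the hash of that same sector taken when the machine was known to be clean.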

Alene
2011-05-06, 05:38
Followed your instructions and TDSSKiller did detect something called Rootkit.Win32TDSS.tdl4. I ran the reports and here they are:


2011/05/05 23:17:19.0265 3008 TDSS rootkit removing tool 2.5.0.0 May 1 2011 14:20:16
2011/05/05 23:17:20.0000 3008 ================================================================================
2011/05/05 23:17:20.0000 3008 SystemInfo:
2011/05/05 23:17:20.0000 3008
2011/05/05 23:17:20.0000 3008 OS Version: 5.1.2600 ServicePack: 3.0
2011/05/05 23:17:20.0000 3008 Product type: Workstation
2011/05/05 23:17:20.0000 3008 ComputerName: BLACKDELL
2011/05/05 23:17:20.0000 3008 UserName: Morris
2011/05/05 23:17:20.0000 3008 Windows directory: C:\WINDOWS
2011/05/05 23:17:20.0000 3008 System windows directory: C:\WINDOWS
2011/05/05 23:17:20.0000 3008 Processor architecture: Intel x86
2011/05/05 23:17:20.0000 3008 Number of processors: 1
2011/05/05 23:17:20.0000 3008 Page size: 0x1000
2011/05/05 23:17:20.0000 3008 Boot type: Normal boot
2011/05/05 23:17:20.0000 3008 ================================================================================
2011/05/05 23:17:21.0171 3008 Initialize success
2011/05/05 23:17:36.0140 3428 ================================================================================
2011/05/05 23:17:36.0140 3428 Scan started
2011/05/05 23:17:36.0140 3428 Mode: Manual;
2011/05/05 23:17:36.0140 3428 ================================================================================
2011/05/05 23:17:48.0031 3428 Fallback (9ea76a7f28cd968f8adc709e479f23b2) C:\WINDOWS\system32\DRIVERS\fallback.sys
2011/05/05 23:17:48.0218 3428 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/05/05 23:17:48.0437 3428 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/05/05 23:17:48.0562 3428 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/05/05 23:17:48.0734 3428 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/05/05 23:17:48.0921 3428 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/05/05 23:17:49.0312 3428 Fsks (b7b262d0431374f3afd1349e35b368d9) C:\WINDOWS\system32\DRIVERS\fsksnt.sys
2011/05/05 23:17:49.0718 3428 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/05/05 23:17:50.0125 3428 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/05/05 23:17:50.0265 3428 GEARAspiWDM (4ac51459805264affd5f6fdfb9d9235f) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
2011/05/05 23:17:50.0343 3428 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/05/05 23:17:50.0531 3428 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/05/05 23:17:50.0656 3428 HPFECP15 (b5802e7642220d5b835d2b5925385a21) C:\WINDOWS\system32\drivers\HPFECP15.sys
2011/05/05 23:17:50.0953 3428 hsf_msft (74e379857d4c0dfb56de2d19b8f4c434) C:\WINDOWS\system32\DRIVERS\HSF_MSFT.sys
2011/05/05 23:17:51.0156 3428 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/05/05 23:17:51.0437 3428 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/05/05 23:17:51.0640 3428 Icam4USB (222f74130a2e3a2ed655226d97f03812) C:\WINDOWS\system32\Drivers\Icam4USB.sys
2011/05/05 23:17:51.0796 3428 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/05/05 23:17:51.0937 3428 InCDfs (98f28f29d29d0480cf9974c986ee426e) C:\WINDOWS\system32\drivers\InCDFs.sys
2011/05/05 23:17:52.0093 3428 InCDPass (28b194f68984d1c77c62a95c99ebb8f2) C:\WINDOWS\system32\drivers\InCDPass.sys
2011/05/05 23:17:52.0265 3428 InCDrec (7e5fadcc635beaa61ce12e690193da5d) C:\WINDOWS\system32\drivers\InCDrec.sys
2011/05/05 23:17:52.0515 3428 incdrm (d34e6a988f5e3bc7da759af1d2a07446) C:\WINDOWS\system32\drivers\InCDRm.sys
2011/05/05 23:17:52.0687 3428 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/05/05 23:17:52.0781 3428 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/05/05 23:17:52.0984 3428 iomdisk (9d7069d72c0c72952f05e1688a5ae89d) C:\WINDOWS\system32\DRIVERS\iomdisk.sys
2011/05/05 23:17:53.0171 3428 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/05/05 23:17:53.0359 3428 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/05/05 23:17:53.0468 3428 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/05/05 23:17:53.0609 3428 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/05/05 23:17:53.0812 3428 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/05/05 23:17:54.0046 3428 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/05/05 23:17:54.0218 3428 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/05/05 23:17:54.0484 3428 K56 (a4e3277398c8aba999483d4c658c9696) C:\WINDOWS\system32\DRIVERS\k56nt.sys
2011/05/05 23:17:54.0734 3428 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/05/05 23:17:54.0906 3428 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/05/05 23:17:55.0125 3428 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/05/05 23:17:55.0265 3428 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/05/05 23:17:55.0406 3428 l8042pr2 (0f8b7bf7097d1e8d78f2f52a2bea03cd) C:\WINDOWS\system32\DRIVERS\L8042Pr2.sys
2011/05/05 23:17:55.0656 3428 lgatbus (ed8854a04430f17a4a237d14ca707cc0) C:\WINDOWS\system32\DRIVERS\lgatbus.sys
2011/05/05 23:17:55.0828 3428 lgatmdm (0e869725086064ff6695a9cb71f27869) C:\WINDOWS\system32\DRIVERS\lgatmdm.sys
2011/05/05 23:17:56.0015 3428 lgatserd (ddfa2e84af1a804aaa24d3d5b6291778) C:\WINDOWS\system32\DRIVERS\lgatserd.sys
2011/05/05 23:17:56.0187 3428 LHidFlt2 (3c357dfdbbf2b4b01aa4b9c8a26e4416) C:\WINDOWS\system32\DRIVERS\LHidFlt2.Sys
2011/05/05 23:17:56.0343 3428 LHidUsb (ffb851b1b2f6596b7d3182b977a85206) C:\WINDOWS\system32\Drivers\LHidUsb.Sys
2011/05/05 23:17:56.0500 3428 LMouFlt2 (aef09673376a4d93c09e8341854f1bf4) C:\WINDOWS\system32\DRIVERS\LMouFlt2.sys
2011/05/05 23:17:56.0750 3428 mmc_2K (db790a7675d595d96588429cc14028ca) C:\WINDOWS\system32\drivers\mmc_2K.sys
2011/05/05 23:17:56.0953 3428 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/05/05 23:17:57.0125 3428 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/05/05 23:17:57.0250 3428 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/05/05 23:17:57.0390 3428 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/05/05 23:17:57.0500 3428 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/05/05 23:17:57.0671 3428 MpFilter (7e34bfa1a7b60bba1da03d677f16cd63) C:\WINDOWS\system32\DRIVERS\MpFilter.sys
2011/05/05 23:17:57.0906 3428 MpKsl6fc15b32 (5f53edfead46fa7adb78eee9ecce8fdf) C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E24BBEA6-7BD6-4546-9DE6-1C2DF0B30BE4}\MpKsl6fc15b32.sys
2011/05/05 23:17:58.0125 3428 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/05/05 23:17:58.0328 3428 MRxSmb (0ea4d8ed179b75f8afa7998ba22285ca) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/05/05 23:17:58.0671 3428 MSDV (1477849772712bac69c144dcf2c9ce81) C:\WINDOWS\system32\DRIVERS\msdv.sys
2011/05/05 23:17:58.0843 3428 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/05/05 23:17:59.0140 3428 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/05/05 23:17:59.0265 3428 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/05/05 23:17:59.0343 3428 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/05/05 23:17:59.0515 3428 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/05/05 23:17:59.0687 3428 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2011/05/05 23:17:59.0843 3428 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/05/05 23:18:00.0125 3428 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2011/05/05 23:18:00.0593 3428 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/05/05 23:18:00.0781 3428 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2011/05/05 23:18:00.0953 3428 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/05/05 23:18:01.0109 3428 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/05/05 23:18:01.0281 3428 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/05/05 23:18:01.0453 3428 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/05/05 23:18:01.0593 3428 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/05/05 23:18:01.0781 3428 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/05/05 23:18:02.0062 3428 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2011/05/05 23:18:02.0203 3428 Nokia USB Generic (19cbcc1c8168fd6736de06f287a1413e) C:\WINDOWS\system32\drivers\nmwcdc.sys
2011/05/05 23:18:02.0281 3428 Nokia USB Phone Parent (09899ca1e1df288beb768461401d18ee) C:\WINDOWS\system32\drivers\nmwcd.sys
2011/05/05 23:18:02.0421 3428 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/05/05 23:18:02.0593 3428 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/05/05 23:18:02.0828 3428 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/05/05 23:18:03.0000 3428 nv (71dbdc08df86b80511e72953fa1ad6b0) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2011/05/05 23:18:03.0250 3428 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/05/05 23:18:03.0375 3428 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/05/05 23:18:03.0484 3428 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2011/05/05 23:18:03.0625 3428 OMCI (cec7e2c6c1fa00c7ab2f5434f848ae51) C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS
2011/05/05 23:18:03.0812 3428 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/05/05 23:18:04.0062 3428 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/05/05 23:18:04.0312 3428 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/05/05 23:18:04.0453 3428 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/05/05 23:18:04.0812 3428 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/05/05 23:18:04.0921 3428 Pcouffin (5b6c11de7e839c05248ced8825470fef) C:\WINDOWS\system32\Drivers\Pcouffin.sys
2011/05/05 23:18:05.0375 3428 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/05/05 23:18:05.0546 3428 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2011/05/05 23:18:05.0796 3428 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/05/05 23:18:05.0953 3428 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/05/05 23:18:06.0187 3428 pwd_2k (a9694824a73dad758f863ae3b3e8c4b6) C:\WINDOWS\system32\drivers\pwd_2k.sys
2011/05/05 23:18:06.0343 3428 PxHelp20 (49452bfcec22f36a7a9b9c2181bc3042) C:\WINDOWS\system32\DRIVERS\PxHelp20.sys
2011/05/05 23:18:06.0765 3428 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/05/05 23:18:06.0968 3428 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/05/05 23:18:07.0171 3428 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/05/05 23:18:07.0328 3428 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/05/05 23:18:07.0515 3428 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/05/05 23:18:07.0781 3428 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/05/05 23:18:07.0921 3428 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/05/05 23:18:08.0078 3428 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/05/05 23:18:08.0218 3428 RimUsb (0f6756ef8bda6dfa7be50465c83132bb) C:\WINDOWS\system32\Drivers\RimUsb.sys
2011/05/05 23:18:08.0328 3428 RimVSerPort (d9b34325ee5df78b8f28a3de9f577c7d) C:\WINDOWS\system32\DRIVERS\RimSerial.sys
2011/05/05 23:18:08.0437 3428 Rksample (4c35e57300a2dc5932a8e29efa527c32) C:\WINDOWS\system32\DRIVERS\rksample.sys
2011/05/05 23:18:08.0562 3428 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\WINDOWS\system32\Drivers\RootMdm.sys
2011/05/05 23:18:08.0812 3428 RTL8023 (265e3427e74cf322126c83e12c7869ec) C:\WINDOWS\system32\DRIVERS\Rtlnic51.sys
2011/05/05 23:18:08.0953 3428 RTL8023xp (e9877aa069dc11b03dbd1d33b8b2a3ca) C:\WINDOWS\system32\DRIVERS\Rtlnicxp.sys
2011/05/05 23:18:09.0031 3428 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
2011/05/05 23:18:09.0187 3428 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/05/05 23:18:09.0359 3428 Ser2pl (b490ad520257dda26c1d587a71e527b5) C:\WINDOWS\system32\DRIVERS\ser2pl.sys
2011/05/05 23:18:09.0796 3428 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/05/05 23:18:10.0015 3428 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/05/05 23:18:10.0281 3428 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/05/05 23:18:10.0531 3428 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2011/05/05 23:18:10.0640 3428 SmartDefragDriver (972dea0d8149d73c5b7a2c97b2e749e3) C:\WINDOWS\system32\Drivers\SmartDefragDriver.sys
2011/05/05 23:18:10.0906 3428 smwdm (bd3e236281547c681dfc7c947531b726) C:\WINDOWS\system32\drivers\smwdm.sys
2011/05/05 23:18:11.0140 3428 SoftFax (413cfa795cad19a010889df0ec060408) C:\WINDOWS\system32\DRIVERS\faxnt.sys
2011/05/05 23:18:11.0296 3428 sonypvs1 (dfadfc2c86662f40759bf02add27d569) C:\WINDOWS\system32\DRIVERS\sonypvs1.sys
2011/05/05 23:18:11.0484 3428 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/05/05 23:18:11.0625 3428 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/05/05 23:18:11.0796 3428 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/05/05 23:18:12.0031 3428 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2011/05/05 23:18:12.0140 3428 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/05/05 23:18:12.0265 3428 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/05/05 23:18:12.0671 3428 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/05/05 23:18:12.0906 3428 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/05/05 23:18:13.0109 3428 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/05/05 23:18:13.0218 3428 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/05/05 23:18:13.0328 3428 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/05/05 23:18:13.0546 3428 Tones (e0f10a379239b4fab319c55a9cd6bc96) C:\WINDOWS\system32\DRIVERS\tonesnt.sys
2011/05/05 23:18:13.0859 3428 UDFReadr (cd0cbedd42180d60b9fab4b0cf237766) C:\WINDOWS\system32\drivers\UDFReadr.sys
2011/05/05 23:18:14.0031 3428 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/05/05 23:18:14.0187 3428 UIUSys (7020c64a20709b39cbe4a1cf371a9cd5) C:\WINDOWS\system32\DRIVERS\UIUSYS.SYS
2011/05/05 23:18:14.0359 3428 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/05/05 23:18:14.0515 3428 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
2011/05/05 23:18:14.0640 3428 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/05/05 23:18:14.0734 3428 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/05/05 23:18:14.0875 3428 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/05/05 23:18:15.0078 3428 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/05/05 23:18:15.0171 3428 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/05/05 23:18:15.0265 3428 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/05/05 23:18:15.0406 3428 V124 (177b65899d418f8c8f037b20567a99d6) C:\WINDOWS\system32\DRIVERS\v124nt.sys
2011/05/05 23:18:15.0593 3428 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/05/05 23:18:15.0828 3428 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/05/05 23:18:16.0125 3428 wacommousefilter (427a8bc96f16c40df81c2d2f4edd32dd) C:\WINDOWS\system32\DRIVERS\wacommousefilter.sys
2011/05/05 23:18:16.0328 3428 wacomvhid (73e6f16a1f187d71fb26af308551e54a) C:\WINDOWS\system32\DRIVERS\wacomvhid.sys
2011/05/05 23:18:16.0468 3428 WacomVKHid (889459833432b161cb99cfdf84a1a9bb) C:\WINDOWS\system32\DRIVERS\WacomVKHid.sys
2011/05/05 23:18:16.0562 3428 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/05/05 23:18:16.0812 3428 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/05/05 23:18:17.0078 3428 winachsf (a941aa38e3951058e584c4bbddd56ed9) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
2011/05/05 23:18:17.0328 3428 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
2011/05/05 23:18:17.0484 3428 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
2011/05/05 23:18:17.0640 3428 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2011/05/05 23:18:17.0828 3428 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/05/05 23:18:18.0062 3428 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/05/05 23:18:18.0203 3428 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/05/05 23:18:18.0375 3428 ================================================================================
2011/05/05 23:18:18.0375 3428 Scan finished
2011/05/05 23:18:18.0375 3428 ================================================================================
2011/05/05 23:18:18.0390 3508 Detected object count: 1
2011/05/05 23:20:29.0921 3508 \HardDisk0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/05/05 23:20:29.0921 3508 \HardDisk0 - ok
2011/05/05 23:20:29.0921 3508 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2011/05/05 23:21:04.0750 3768 Deinitialize success


and:

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD400BB-75CAA0 rev.16.06V16 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys iomdisk.sys hal.dll atapi.sys intelide.sys PCIIDEX.SYS
C:\WINDOWS\system32\drivers\iomdisk.sys Iomega Corporation Microsoft(R) Windows NT(R) Operating System
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x8AD54AB8]
3 CLASSPNP[0xF7647FD7] -> nt!IofCallDriver[0x804E37D5] -> [0x8AD3FD78]
5 iomdisk[0xF7717BC3] -> nt!IofCallDriver[0x804E37D5] -> \Device\Ide\IdeDeviceP0T0L0-4[0x8ADA8AD8]
kernel: MBR read successfully
user & kernel MBR OK

km2357
2011-05-06, 08:09
Step # 1: Run CFScript


Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:


KILLALL::

File::

f:\torrents\utorrent.exe

DirLook::

c:\documents and settings\Morris\Application Data\Umxye

Registry::

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"f:\\torrents\\utorrent.exe"=-

DDS::

mURLSearchHooks: H - No File
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File
BHO: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - No File
EB: {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File


Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.




http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif


Note: This CFScript is for use on Alene's computer only! Do not use it on your computer.


Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



In your next post/reply, I need to see the following:

1. The ComboFix Log that appears after Step 1 has been completed.
2. A fresh DDS Log taken after Step 1 has been completed.

Alene
2011-05-07, 02:05
Followed your instructions and had a few snags along the way, but I think I got it all.
When I dragged the code you wrote into Alene.exe (you had me save Combofix.exe as Alene.exe, so it was still that name on the desktop), it transferred the file and an hourglass opened and closed a few times, but nothing happened, so after 2-3 minutes I double-clicked Alene.exe and got this error message: Windows cannot find "32788R22FWJFW/Firefox.exe". Make sure you typed the name correctly and try again to search for a file. Click the Start button, and then click search.
I tried to close the error message window, but it wouldn't close, so after a few tries I did a start/shutdown/restart.
I then re-dragged your code into Alene.exe and this time it started up, but told me that there was a new version of Combofix, so I clicked OK to download it. Then it began to run its scan and when it completed (I assume), I got a "Windows is shutting down" message, but after 5 minutes it was still there, so I did a hard shutdown (power button off, then power button on). It took a while after it started up again, but it finally gave me the log below, so I hope it's valid. If not, I'm sure you'll let me know.

As an aside, we must be headed in the right direction, because yesterday I was able for the first time to actually click on Tools -> Windows Update in Internet Explorer and connect to the Microsoft update site, which I haven't been able to do in almost 2 weeks. I didn't download any updates yet because I know we're not yet done. I'm still getting a svchost.ext entry in the registry for HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION, which is the problem first spotted by Spybot. Anyhow, I'm feeling like we're making progress, so thanks for your work so far.

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Morris at 19:37:42.42 on Fri 05/06/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1279.732 [GMT -4:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\spoolsv.exe
F:\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\Program Files\Microsoft Security Client\msseces.exe
svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Morris\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboForm.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.6209.1142\swg.dll
BHO: ieCom Class: {c6ceac32-d45c-11d4-94af-0050babd5fd6} - c:\program files\url organizer\UrlOrgIE.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboForm.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
dRunOnce: [RunNarrator] Narrator.exe
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - {C651A691-CCD9-11D2-92D3-0000F87A4A55} - c:\windows\system32\webzone.dll
IE: {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - {C651A693-CCD9-11D2-92D3-0000F87A4A55} - c:\windows\system32\webzone.dll
IE: {FC09D8A3-C85A-11d2-92D0-0000F87A4A55} - {A58D06D4-CA90-11D2-92D2-0000F87A4A55} - c:\windows\system32\oline.dll
Trusted Zone: aol.com\my.screenname
Trusted Zone: aol.com\webmail
Trusted Zone: microsoft.com\*.update
Trusted Zone: microsoft.com\update
Trusted Zone: microsoft.com\windowsupdate
Trusted Zone: microsoft.com\www.update
Trusted Zone: windowsupdate.com\download
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
DPF: Microsoft XML Parser for Java
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B}
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8}
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94}
DPF: {11260943-421B-11D0-8EAC-0000C07D88CF}
DPF: {166B1BCA-3F9C-11CF-8075-444553540000}
DPF: {17492023-C23A-453E-A040-C7C580BBF700}
DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C}
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE}
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0}
DPF: {43B70AAD-23F4-4FD8-ADD9-441D8592EEB8}
DPF: {5763F8E8-0DD7-4A0F-ADB0-9F64C8F2C349}
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxps://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1303957118671
DPF: {65FDEDF3-8ED9-4F5B-825E-18C2D44191A7}
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1281675242218
DPF: {6F750200-1362-4815-A476-88533DE61D0C}
DPF: {6F750202-1362-4815-A476-88533DE61D0C}
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737}
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93}
DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D}
DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7}
DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68}
DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A}
DPF: {963BE66B-121D-4E6C-BF9F-1A774D9A2E41} - hxxp://moneycentral.msn.com/cabs/pmupdate2.exe
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429}
DPF: {AECD14A8-F662-11D1-A395-00805F535788}
DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C}
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000}
DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
DPF: {D670D0B3-05AB-4115-9F87-D983EF1AC747}
DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB}
DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7}
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B}
DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003}
DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5}
TCP: {894A79C5-4324-4432-A90F-654335FBE272} = 4.2.2.1,4.2.2.2
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Name-Space Handler: ftp\GetRightIEClickCatcher - {73BA8F12-723E-11D1-A9E2-00403320FCF2} -
Name-Space Handler: http\GetRightIEClickCatcher - {73BA8F12-723E-11D1-A9E2-00403320FCF2} -
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
============= SERVICES / DRIVERS ===============
.
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [2011-4-7 13496]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
R1 MpKslf389c56f;MpKslf389c56f;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{9e85913a-404a-463b-9660-5547de1156bc}\MpKslf389c56f.sys [2011-5-6 28752]
R2 HPFECP15;HPFECP15;c:\windows\system32\drivers\HPFecp15.sys [1999-2-16 52800]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2008-3-7 1373480]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-5 135664]
S3 Iprip;RIP Listener;c:\windows\system32\svchost.exe -k netsvcs [2001-8-18 14336]
S3 lgatbus;LG USB Composite Device driver (WDM);c:\windows\system32\drivers\lgatbus.sys [2007-4-17 43024]
S3 lgatmdm;LG CDMA USB Modem Drivers;c:\windows\system32\drivers\lgatmdm.sys [2007-4-17 77104]
S3 lgatserd;LG CDMA USB Modem Diagnostic Serial Port Drivers (WDM);c:\windows\system32\drivers\lgatserd.sys [2007-4-17 60816]
.
=============== Created Last 30 ================
.
2011-05-06 22:47:42 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{9e85913a-404a-463b-9660-5547de1156bc}\MpKslf389c56f.sys
2011-05-06 22:33:09 -------- d-----w- C:\Alene
2011-05-06 22:18:18 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{9e85913a-404a-463b-9660-5547de1156bc}\MpKslbe569c5b.sys
2011-05-06 03:55:01 7071056 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{9e85913a-404a-463b-9660-5547de1156bc}\mpengine.dll
2011-05-04 22:56:06 89088 ----a-w- c:\windows\system32\mbr.exe
2011-05-01 03:21:02 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-05-01 03:21:02 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-04-30 14:35:56 7071056 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2011-04-30 04:48:33 -------- d-sha-r- C:\cmdcons
2011-04-29 04:14:08 2476 ----a-w- C:\regbak.reg
2011-04-28 04:17:33 -------- d-----w- c:\program files\ESET
2011-04-28 02:43:36 98816 ----a-w- c:\windows\sed.exe
2011-04-28 02:43:36 89088 ----a-w- c:\windows\MBR.exe
2011-04-28 02:43:36 256512 ----a-w- c:\windows\PEV.exe
2011-04-28 02:43:36 161792 ----a-w- c:\windows\SWREG.exe
2011-04-27 01:23:56 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-04-27 01:23:56 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-27 01:22:04 -------- d-----w- c:\docume~1\morris\locals~1\applic~1\{7CBA73E9-288D-47ED-8FD7-A2540E3C5FAC}
2011-04-27 01:22:04 -------- d-----w- c:\docume~1\morris\applic~1\Huuziz
2011-04-27 01:22:04 -------- d-----w- c:\docume~1\morris\applic~1\2874392D513E59CB58D1165949F560A5
2011-04-27 01:19:18 -------- d--h--w- c:\windows\ie8
2011-04-26 23:39:44 -------- dc----w- c:\windows\ie8(2)
2011-04-26 06:47:41 -------- d-----w- c:\windows\system32\CatRoot2
2011-04-25 15:09:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-25 14:54:09 106496 --sha-r- c:\windows\system32\winmineq.dll
2011-04-25 14:49:24 -------- d-----w- c:\docume~1\morris\applic~1\TeamViewer
2011-04-25 05:34:47 -------- d-----w- c:\windows\ERDNT -registry backup 04252011
2011-04-24 02:58:10 -------- d-----w- c:\program files\Microsoft Security Client
2011-04-24 02:11:05 -------- d-----w- c:\program files\Microsoft Easy Assist
2011-04-24 02:09:59 -------- d-----w- c:\docume~1\alluse~1\applic~1\Applications
2011-04-23 06:04:59 -------- d-----w- c:\program files\AVG
2011-04-22 06:29:33 -------- d-----w- c:\program files\common files\ParetoLogic
2011-04-22 06:29:33 -------- d-----w- c:\docume~1\morris\applic~1\ParetoLogic
2011-04-22 06:29:33 -------- d-----w- c:\docume~1\alluse~1\applic~1\ParetoLogic
2011-04-22 06:28:46 -------- d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2011-04-22 06:15:57 -------- d-----w- c:\docume~1\morris\applic~1\DriverCure
2011-04-22 05:51:27 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-04-21 08:06:13 -------- d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2011-04-17 06:20:35 -------- d-----w- c:\docume~1\morris\locals~1\applic~1\PackageAware
2011-04-15 22:52:58 -------- d-----w- c:\docume~1\morris\applic~1\Umxye
2011-04-07 04:40:15 -------- d-----w- c:\docume~1\morris\applic~1\IObit
2011-04-07 04:40:02 29520 ----a-w- c:\windows\system32\SmartDefragBootTime.exe
2011-04-07 04:40:02 13496 ----a-w- c:\windows\system32\drivers\SmartDefragDriver.sys
2011-04-07 04:39:57 -------- d-----w- c:\program files\IObit
.
==================== Find3M ====================
.
2011-05-04 04:28:46 14336 ----a-w- c:\windows\system32\svchost.exe
2011-05-01 01:34:01 237568 ----a-w- c:\windows\system32\rmc_rtspdl.dll
2011-05-01 01:34:01 156672 ----a-w- c:\windows\system32\rmc_fixasf.exe
2011-04-24 04:14:23 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys
2011-04-10 04:11:26 256 ----a-w- c:\windows\system32\pool.bin
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06:29 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06:29 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41:59 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-11 13:25:52 229888 ----a-w- c:\windows\system32\fxscover.exe
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33:55 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33:55 974848 ----a-w- c:\windows\system32\mfc42u.dll
.
============= FINISH: 19:38:07.95 ===============
.

Here's the DDS.txt - the Attach.txt is zipped, although I'm not sure you wanted it.

Alene
2011-05-07, 05:46
I believe I pasted the DDS file twice - here's the Combofix:

ComboFix 11-05-06.03 - Morris 05/06/2011 19:01:58.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1279.867 [GMT -4:00]
Running from: c:\documents and settings\Morris\Desktop\Alene.exe
Command switches used :: c:\documents and settings\Morris\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
FILE ::
"f:\torrents\utorrent.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
f:\torrents\utorrent.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-04-06 to 2011-05-06 )))))))))))))))))))))))))))))))
.
.
2011-05-06 22:47 . 2011-05-06 22:47 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9E85913A-404A-463B-9660-5547DE1156BC}\MpKslf389c56f.sys
2011-05-06 22:33 . 2011-05-06 22:33 -------- d-----w- C:\Alene
2011-05-06 22:18 . 2011-05-06 22:18 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9E85913A-404A-463B-9660-5547DE1156BC}\MpKslbe569c5b.sys
2011-05-06 03:55 . 2011-04-18 13:15 7071056 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9E85913A-404A-463B-9660-5547DE1156BC}\mpengine.dll
2011-05-04 22:56 . 2011-05-04 22:56 89088 ----a-w- c:\windows\system32\mbr.exe
2011-05-04 03:00 . 2011-05-04 03:05 -------- d-----w- c:\documents and settings\Morris\Application Data\vlc
2011-05-02 23:42 . 2011-05-02 23:42 -------- d-sh--w- c:\documents and settings\NetworkService\IECompatCache
2011-05-02 05:16 . 2011-05-02 05:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Search
2011-05-02 05:12 . 2011-05-02 05:12 -------- d-----w- c:\documents and settings\Administrator\Application Data\ArcSoft
2011-05-01 14:09 . 2011-05-01 14:10 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2011-05-01 03:21 . 2011-05-01 03:20 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-05-01 03:21 . 2011-05-01 03:20 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-04-30 14:35 . 2011-04-18 13:15 7071056 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-04-30 00:05 . 2011-04-30 00:05 -------- d-----w- c:\documents and settings\Administrator\Application Data\IObit
2011-04-29 04:14 . 2011-04-29 04:14 2476 ----a-w- C:\regbak.reg
2011-04-28 04:17 . 2011-04-28 04:17 -------- d-----w- c:\program files\ESET
2011-04-28 04:09 . 2011-04-28 04:09 -------- d-----w- c:\documents and settings\Administrator\Application Data\TeamViewer
2011-04-27 01:23 . 2011-04-27 01:23 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-27 01:22 . 2011-04-27 01:22 -------- d-----w- c:\documents and settings\Morris\Local Settings\Application Data\{7CBA73E9-288D-47ED-8FD7-A2540E3C5FAC}
2011-04-27 01:22 . 2011-04-27 01:22 -------- d-----w- c:\documents and settings\Morris\Application Data\Huuziz
2011-04-27 01:22 . 2011-04-27 01:22 -------- d-----w- c:\documents and settings\Morris\Application Data\2874392D513E59CB58D1165949F560A5
2011-04-27 01:19 . 2011-04-27 01:21 -------- d--h--w- c:\windows\ie8
2011-04-26 06:47 . 2011-05-06 23:01 -------- d-----w- c:\windows\system32\CatRoot2
2011-04-25 15:09 . 2011-04-30 14:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-25 15:01 . 2011-04-25 15:01 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2011-04-25 14:54 . 2011-04-25 14:54 106496 --sha-r- c:\windows\system32\winmineq.dll
2011-04-25 14:49 . 2011-04-25 14:49 -------- d-----w- c:\documents and settings\Morris\Application Data\TeamViewer
2011-04-25 05:34 . 2011-04-25 05:34 -------- d-----w- c:\windows\ERDNT -registry backup 04252011
2011-04-25 05:30 . 2011-04-25 05:32 -------- d-----w- c:\program files\ERUNT
2011-04-24 04:44 . 2011-04-24 04:44 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\PCHealth
2011-04-24 02:58 . 2011-04-24 02:58 -------- d-----w- c:\program files\Microsoft Security Client
2011-04-24 02:11 . 2011-04-24 02:11 -------- d-----w- c:\program files\Microsoft Easy Assist
2011-04-24 02:09 . 2011-04-24 02:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Applications
2011-04-23 07:33 . 2011-04-23 07:33 -------- d-----w- c:\documents and settings\Administrator\Application Data\AVG10
2011-04-23 06:04 . 2011-04-24 02:32 -------- d-----w- c:\program files\AVG
2011-04-22 23:53 . 2011-04-22 23:53 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2011-04-22 23:17 . 2011-04-22 23:17 -------- d-----w- c:\documents and settings\LocalService\Application Data\AdobeUM
2011-04-22 06:29 . 2011-04-22 06:29 -------- d-----w- c:\program files\Common Files\ParetoLogic
2011-04-22 06:29 . 2011-04-22 06:29 -------- d-----w- c:\documents and settings\Morris\Application Data\ParetoLogic
2011-04-22 06:29 . 2011-04-22 06:29 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2011-04-22 06:28 . 2011-04-24 02:29 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2011-04-22 06:28 . 2011-04-22 06:29 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2011-04-22 06:15 . 2011-04-22 06:15 -------- d-----w- c:\documents and settings\Morris\Application Data\DriverCure
2011-04-22 05:51 . 2010-10-19 20:51 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-04-21 08:06 . 2011-04-21 08:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2011-04-18 18:27 . 2011-04-18 18:27 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-04-17 06:20 . 2011-04-17 06:20 -------- d-----w- c:\documents and settings\Morris\Local Settings\Application Data\PackageAware
2011-04-15 22:52 . 2011-04-15 23:08 -------- d-----w- c:\documents and settings\Morris\Application Data\Umxye
2011-04-07 04:40 . 2011-04-07 04:40 -------- d-----w- c:\documents and settings\Morris\Application Data\IObit
2011-04-07 04:40 . 2011-02-23 21:04 13496 ----a-w- c:\windows\system32\drivers\SmartDefragDriver.sys
2011-04-07 04:40 . 2011-02-23 20:54 29520 ----a-w- c:\windows\system32\SmartDefragBootTime.exe
2011-04-07 04:39 . 2011-04-07 04:39 -------- d-----w- c:\program files\IObit
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-04 04:28 . 2001-08-18 12:00 14336 ----a-w- c:\windows\system32\svchost.exe
2011-05-01 01:34 . 2009-12-19 00:23 156672 ----a-w- c:\windows\system32\rmc_fixasf.exe
2011-05-01 01:34 . 2009-12-19 00:23 237568 ----a-w- c:\windows\system32\rmc_rtspdl.dll
2011-04-21 08:06 . 2010-07-28 02:47 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-03-07 05:33 . 2004-06-07 18:19 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2003-04-05 23:49 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2001-08-18 12:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2004-02-06 22:05 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2003-04-05 23:46 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2003-04-05 23:46 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 13:18 . 2001-08-18 12:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2001-08-18 12:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2009-04-14 21:37 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56 . 2001-08-18 12:00 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-11 13:25 . 2003-04-05 23:45 229888 ----a-w- c:\windows\system32\fxscover.exe
2011-02-09 13:53 . 2003-04-05 23:47 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2003-04-05 23:47 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33 . 2001-08-18 12:00 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33 . 2001-08-18 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\Morris\Application Data\Umxye ----
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2010-01-10 519584]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-04-22 160592]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Uninstall LastPass RunOnce.lnk - c:\documents and settings\Administrator\Application Data\lpuninstall.exe [N/A]
.
c:\documents and settings\Guest\Start Menu\Programs\Startup\
Uninstall LastPass RunOnce.lnk - c:\documents and settings\Guest\Application Data\lpuninstall.exe [N/A]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SmartDefragBootTime.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
backup=c:\windows\pss\KODAK Software Updater.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ask and Record FLV Service]
2009-09-22 19:09 156672 ----a-w- f:\program files\Flash downloader\FLVSrvc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Shockwave Updater]
2009-06-05 11:38 468408 ----a-w- c:\windows\system32\Adobe\Shockwave 11\SwHelper_1150600.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"IntuitUpdateService"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"SerialNumber"="A209F-X00-F4R7-80H6-J3"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Road Runner Video Mail\\RoadRunner_Video_Mail.exe"=
"c:\\Program Files\\HP\\Image Zone Express\\HP_IZE.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"f:\\Nero 7\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\BitPim\\bitpim.exe"=
"c:\\StubInstaller.exe"=
"f:\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"f:\\Program Files\\ASUS\\WL-520GU Wireless Router Utilities\\Discovery.exe"=
"c:\\Program Files\\ASUS\\WL-330gE Wireless AP Utilities\\Discovery.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"443:UDP"= 443:UDP:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:ooVoo UDP port 37675
.
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [4/7/2011 12:40 AM 13496]
R1 MpKslf389c56f;MpKslf389c56f;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9E85913A-404A-463B-9660-5547DE1156BC}\MpKslf389c56f.sys [5/6/2011 6:47 PM 28752]
R2 HPFECP15;HPFECP15;c:\windows\system32\drivers\HPFecp15.sys [2/16/1999 12:28 PM 52800]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [3/7/2008 8:46 PM 1373480]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/5/2010 11:01 PM 135664]
S3 Iprip;RIP Listener;c:\windows\System32\svchost.exe -k netsvcs [8/18/2001 8:00 AM 14336]
S3 lgatbus;LG USB Composite Device driver (WDM);c:\windows\system32\drivers\lgatbus.sys [4/17/2007 12:00 AM 43024]
S3 lgatmdm;LG CDMA USB Modem Drivers;c:\windows\system32\drivers\lgatmdm.sys [4/17/2007 12:01 AM 77104]
S3 lgatserd;LG CDMA USB Modem Diagnostic Serial Port Drivers (WDM);c:\windows\system32\drivers\lgatserd.sys [4/17/2007 12:01 AM 60816]
.
Contents of the 'Scheduled Tasks' folder
.
2008-02-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 22:13]
.
2011-05-06 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-08 23:40]
.
2011-05-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 03:00]
.
2011-05-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 03:00]
.
2011-05-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1123561945-1547161642-1801674531-1004Core.job
- c:\documents and settings\Morris\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-28 15:27]
.
2011-05-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1123561945-1547161642-1801674531-1004UA.job
- c:\documents and settings\Morris\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-28 15:27]
.
2011-05-06 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 16:26]
.
2011-05-06 c:\windows\Tasks\MpIdleTask.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 16:26]
.
2011-05-06 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1483187262-3002692871-3226700285-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 07:02]
.
2011-05-02 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1483187262-3002692871-3226700285-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 07:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: {{B06300D0-CCDE-11d2-92D3-0000F87A4A55} - {C651A691-CCD9-11D2-92D3-0000F87A4A55} - c:\windows\System32\webzone.dll
IE: {{BF80219A-CCDD-11d2-92D3-0000F87A4A55} - {C651A693-CCD9-11D2-92D3-0000F87A4A55} - c:\windows\System32\webzone.dll
IE: {{FC09D8A3-C85A-11d2-92D0-0000F87A4A55} - {A58D06D4-CA90-11D2-92D2-0000F87A4A55} - c:\windows\System32\oline.dll
Trusted Zone: aol.com\my.screenname
Trusted Zone: aol.com\webmail
Trusted Zone: microsoft.com\*.update
Trusted Zone: microsoft.com\update
Trusted Zone: microsoft.com\windowsupdate
Trusted Zone: microsoft.com\www.update
Trusted Zone: windowsupdate.com\download
TCP: {894A79C5-4324-4432-A90F-654335FBE272} = 4.2.2.1,4.2.2.2
Name-Space Handler: ftp\GetRightIEClickCatcher - {73BA8F12-723E-11D1-A9E2-00403320FCF2} -
Name-Space Handler: http\GetRightIEClickCatcher - {73BA8F12-723E-11D1-A9E2-00403320FCF2} -
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
DPF: Microsoft XML Parser for Java
DPF: {65FDEDF3-8ED9-4F5B-825E-18C2D44191A7}
DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-06 19:22
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,c2,e6,f9,11,b1,bf,d4,43,a6,c7,45,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,c2,e6,f9,11,b1,bf,d4,43,a6,c7,45,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(476)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(1412)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Easy Media Creator 7\Drag to Disc\Shellex.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
f:\nero 7\InCD\InCDsrv.exe
c:\windows\system32\PSIService.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\System32\ScsiAccess.EXE
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\WTablet\Pen_TabletUser.exe
.
**************************************************************************
.
Completion time: 2011-05-06 19:32:20 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-06 23:32
ComboFix2.txt 2011-05-04 23:41
ComboFix3.txt 2011-04-30 05:10
ComboFix4.txt 2011-04-28 03:15
ComboFix5.txt 2011-05-06 22:58
.
Pre-Run: 8,908,472,320 bytes free
Post-Run: 9,018,318,848 bytes free
.
Current=4 Default=4 Failed=3 LastKnownGood=5 Sets=1,2,3,4,5
- - End Of File - - 613D13F66B2D7E314F4A9C6D882C5AAA

km2357
2011-05-07, 07:13
The ComboFix Log you posted was valid. :)


I didn't download any updates yet because I know we're not yet done.

Definitely a good thing that you can access Windows Update once again. :) I'll let you know when you can start downloading/installing updates again.



Registry Cleaners + "Tweak" Tools

Re. Uniblue RegistryBooster 2

I don't personally recommend the use of ANY Registry Cleaners or "Tweak" Tools

They are marketed as ways to make your machine run faster and more efficiently ...... Some will actually achieve this .... IF you know how to use them correctly.
Removing "Orphaned/Old/Obsolete" registry entries is fine ..... as long as they actually are "Orphaned/Old/Obsolete", it won't speed up your machine though
Stopping services and setting policies can speed up your machine ..... as long as you stop and set the right ones, and even then it's debatable if you will notice the improvement.

Remove the wrong registry entry, or stop the wrong service, and not only can you slow your machine .... you could kill it !

To use a Registry Cleaner or "Tweak" tool to its full advantage, you really need to know what it is they are doing and what else the changes may affect.
In short, if you know how to use them safely ----- you don't actually need them.

discussion on regcleaners >> http://forums.whatthetech.com/Regcleaner_t42862.html
And for more good information see what Miekiemoes has to say >> http://miekiemoes.blogspot.com/2008/02/registry-cleaners-and-system-tweaking_13.html



Step # 2 Run CCleaner

CCleaner will remove everything from the temp/temporary folders but please note that it will not make back ups!


Before first use, select Options > Advanced and UNCHECK Only delete files in Windows Temp folder older than 24 hours
Then select the items you wish to clean up.

In the Windows Tab:

Clean all entries in the Internet Explorer section except Cookies
Clean all the entries in the Windows Explorer section
Clean all entries in the System section
Clean all entries in the Advanced section
Clean any others that you choose

In the Applications Tab:

Clean all except cookies in the Firefox/Mozilla section if you use it
Clean all in the Opera section if you use it
Clean Sun Java in the Internet Section
Clean any others that you choose

Click the Run Cleaner button.
A pop up box will appear advising this process will permanently delete files from your system.
Click OK and it will scan and clean your system.
Click exit when done.
If it asks you to reboot at the end, click NO




Step # 3 Download and Run Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware from Here (http://www.malwarebytes.org/mbam-download.php).

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.


Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Post the MalwareBytes' Log in your next post/reply.

Alene
2011-05-08, 03:22
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6529

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/7/2011 8:52:26 PM
mbam-log-2011-05-07 (20-52-26).txt

Scan type: Quick scan
Objects scanned: 180286
Time elapsed: 4 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\Morris\Desktop\svchostanalyzer.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

km2357
2011-05-08, 06:06
Step # 1 Update Adobe Acrobat Reader

There is a newer version of Adobe Acrobat Reader available. (See Note below)


First, go to Add/Remove Programs and uninstall Adobe Reader 7.0.9.
Please go to this link Adobe Acrobat Reader Download Link (http://get.adobe.com/reader/)
On the right Untick McAfee® Security Scan Plus if you do not wish to include this in the installation.
Click the Continue button
Click Run, and click Run again
Next click the Install Now button and follow the on screen prompts

Note: Adobe Reader X is a large program and if you prefer a smaller program you can get Foxit 4.3.1 instead from http://www.foxitsoftware.com/downloads/index.php

If you decide to install Foxit 4.3.1 instead of Adobe, do the following during Foxit's Setup/Installation process:

Uncheck the following boxes:

I accept the License Terms and want to install Foxit Toolbar

Make Ask.com my default search

Create desktop, quick launch and start menu icon to eBay


ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here (http://www.bleepingcomputer.com/forums/topic114351.html).

Vista/Windows 7 users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.


Please go here (http://www.eset.com/us/online-scanner/run) to run the scan.

Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox. Select the option YES, I accept the Terms of Use then click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS2.gif
When prompted allow the Add-On/Active X to install.
Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
Now click on Advanced Settings and select the following:

Scan for potentially unwanted applications
Scan for potentially unsafe applications
Enable Anti-Stealth Technology
Now click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS3.gif
The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet Connection.
When completed the Online Scan will begin automatically.
Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
Now click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS4.gif
Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!


In your next post/reply, I need to see the following:

1. ESET Log
2. A fresh DDS Log
3. How is your computer doing, any problems?

Alene
2011-05-08, 15:33
Below are the files you asked for. To answer your other question about how the machine is running:
My computer hasn't had problems connecting to any site I've tried, with the exception of my outlook email account which is provided by my ISP Road Runner - I almost never use this email account and it stopped working around the time I tried to clean/fix the system myself a few weeks ago - to your point about running cleaners without fully understanding them. I plan on calling them to check my settings but thought it should wait until after we're done.
I have not encountered any redirects which is a tremendous relief, thank you. I haven't used the internet in a much more limited way since we started - I'll try to use it a lot more today.
I still see the svchost.exe in the registry under feature_browser_emulation which is where it was originally detected by Spybot as Click.GiftLoad, but I haven't rerun the program.
Further to this point, there is a svchost.exe process I still see in the Windows Taskbar that is twice the mem usage of the next svchost.exe. It's about 30,000K, most others are around 5,000K give or take. At least it hasn't shot up to the 100,000 - 200,000K it would hit a few days ago and I haven't seen it take up CPU percentage as it did then. Again, I can try browsing with IE more today.
All in all, I'd say the patient is well on the road to recovery. I'll use the system and spend time browsing the web today. Thanks.


ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6427
# api_version=3.0.2
# EOSSerial=7e51de01ed2b10428e1a9278ac8f4531
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-04-28 06:59:17
# local_time=2011-04-28 02:59:17 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=5891 16776870 42 87 0 15072930 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=139797
# found=19
# cleaned=19
# scan_time=9492
C:\Program Files\NirSoft\ProduKey\ProduKey.exe a variant of Win32/PSWTool.ProductKey application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Road Runner Video Mail\dlls\wcamxmp.exe Win32/Etap virus (deleted - quarantined) 00000000000000000000000000000000 C
C:\Program Files\SnadBoy's Revelation v2\Revelation.exe Win32/PSWTool.SnadBoy.2011 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\SnadBoy's Revelation v2\RevelationHelper.dll Win32/PSWTool.SnadBoy.2011 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Uniblue\SpeedUpMyPC\sump.exe Win32/SpeedUpMyPC application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe a variant of Win32/UbSpyEraser application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\Morris\Application Data\2874392D513E59CB58D1165949F560A5\enemies-names.txt.vir Win32/Adware.AntimalwareDoctor.AE.Gen application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\Morris\Application Data\2874392D513E59CB58D1165949F560A5\local.ini.vir Win32/Adware.AntimalwareDoctor.AE.Gen application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{0DD3B100-C294-4AEC-B5F6-5A5A595CC84E}\RP1\A0003653.ini Win32/Adware.AntimalwareDoctor.AE.Gen application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{0DD3B100-C294-4AEC-B5F6-5A5A595CC84E}\RP4\A0006400.ini Win32/Adware.AntimalwareDoctor.AE.Gen application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{0DD3B100-C294-4AEC-B5F6-5A5A595CC84E}\RP4\A0008068.exe a variant of Win32/PSWTool.ProductKey application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{0DD3B100-C294-4AEC-B5F6-5A5A595CC84E}\RP4\A0008069.exe Win32/Etap virus (deleted - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{0DD3B100-C294-4AEC-B5F6-5A5A595CC84E}\RP4\A0008070.exe Win32/PSWTool.SnadBoy.2011 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{0DD3B100-C294-4AEC-B5F6-5A5A595CC84E}\RP4\A0008071.dll Win32/PSWTool.SnadBoy.2011 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{0DD3B100-C294-4AEC-B5F6-5A5A595CC84E}\RP4\A0008072.exe Win32/SpeedUpMyPC application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{0DD3B100-C294-4AEC-B5F6-5A5A595CC84E}\RP4\A0008073.exe a variant of Win32/UbSpyEraser application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
F:\Application Data\Uniblue\SpyEraser\SpyEraser_Setup_1_24_2008.exe a variant of Win32/UbSpyEraser application (deleted - quarantined) 00000000000000000000000000000000 C
F:\Download\Download programs\kf141.zip Win32/PSWTool.RAS.A application (deleted - quarantined) 00000000000000000000000000000000 C
F:\Download\Download programs\VibeRoadRunnerVMInstall.exe Win32/Etap virus (deleted - quarantined) 00000000000000000000000000000000 C
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6427
# api_version=3.0.2
# EOSSerial=7e51de01ed2b10428e1a9278ac8f4531
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-05-08 07:39:23
# local_time=2011-05-08 03:39:23 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1032 16777214 0 1 298684 298684 0 0
# compatibility_mode=5891 16776869 42 87 0 15940327 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=141855
# found=4
# cleaned=0
# scan_time=8499
C:\Documents and Settings\Morris\Application Data\2874392D513E59CB58D1165949F560A5\local.ini Win32/Adware.AntimalwareDoctor.AE.Gen application (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Morris\Desktop\Virus Problems\u1008.exe Win32/UltraReach application (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Morris\My Documents\How to USB Boot Windows XP\USB_MultiBoot_10\MULTI_CONTENT\wintools\othertools\ProduKey.exe Win32/PSWTool.ProductKey.126 application (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\svrwsc.exe.vir a variant of Win32/Injector.GAU trojan (unable to clean) 00000000000000000000000000000000 I



.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Morris at 8:44:04.53 on Sun 05/08/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1279.543 [GMT -4:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\spoolsv.exe
F:\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Microsoft Security Client\msseces.exe
svchost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Morris\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mURLSearchHooks: H - No File
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboForm.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.6209.1142\swg.dll
BHO: ieCom Class: {c6ceac32-d45c-11d4-94af-0050babd5fd6} - c:\program files\url organizer\UrlOrgIE.dll
BHO: Foxit PDF Creator Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboForm.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Foxit PDF Creator Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
dRunOnce: [RunNarrator] Narrator.exe
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - {C651A691-CCD9-11D2-92D3-0000F87A4A55} - c:\windows\system32\webzone.dll
IE: {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - {C651A693-CCD9-11D2-92D3-0000F87A4A55} - c:\windows\system32\webzone.dll
IE: {FC09D8A3-C85A-11d2-92D0-0000F87A4A55} - {A58D06D4-CA90-11D2-92D2-0000F87A4A55} - c:\windows\system32\oline.dll
Trusted Zone: aol.com\my.screenname
Trusted Zone: aol.com\webmail
Trusted Zone: microsoft.com\*.update
Trusted Zone: microsoft.com\update
Trusted Zone: microsoft.com\windowsupdate
Trusted Zone: microsoft.com\www.update
Trusted Zone: windowsupdate.com\download
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
DPF: Microsoft XML Parser for Java
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B}
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8}
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94}
DPF: {11260943-421B-11D0-8EAC-0000C07D88CF}
DPF: {166B1BCA-3F9C-11CF-8075-444553540000}
DPF: {17492023-C23A-453E-A040-C7C580BBF700}
DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C}
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE}
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0}
DPF: {43B70AAD-23F4-4FD8-ADD9-441D8592EEB8}
DPF: {5763F8E8-0DD7-4A0F-ADB0-9F64C8F2C349}
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxps://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1303957118671
DPF: {65FDEDF3-8ED9-4F5B-825E-18C2D44191A7}
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1281675242218
DPF: {6F750200-1362-4815-A476-88533DE61D0C}
DPF: {6F750202-1362-4815-A476-88533DE61D0C}
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737}
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93}
DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D}
DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7}
DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68}
DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A}
DPF: {963BE66B-121D-4E6C-BF9F-1A774D9A2E41} - hxxp://moneycentral.msn.com/cabs/pmupdate2.exe
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429}
DPF: {AECD14A8-F662-11D1-A395-00805F535788}
DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C}
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000}
DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
DPF: {D670D0B3-05AB-4115-9F87-D983EF1AC747}
DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB}
DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7}
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B}
DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003}
DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5}
TCP: {894A79C5-4324-4432-A90F-654335FBE272} = 4.2.2.1,4.2.2.2
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Name-Space Handler: ftp\GetRightIEClickCatcher - {73BA8F12-723E-11D1-A9E2-00403320FCF2} -
Name-Space Handler: http\GetRightIEClickCatcher - {73BA8F12-723E-11D1-A9E2-00403320FCF2} -
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
============= SERVICES / DRIVERS ===============
.
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [2011-4-7 13496]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
R2 HPFECP15;HPFECP15;c:\windows\system32\drivers\HPFecp15.sys [1999-2-16 52800]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2008-3-7 1373480]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-5 135664]
S3 Iprip;RIP Listener;c:\windows\system32\svchost.exe -k netsvcs [2001-8-18 14336]
S3 lgatbus;LG USB Composite Device driver (WDM);c:\windows\system32\drivers\lgatbus.sys [2007-4-17 43024]
S3 lgatmdm;LG CDMA USB Modem Drivers;c:\windows\system32\drivers\lgatmdm.sys [2007-4-17 77104]
S3 lgatserd;LG CDMA USB Modem Diagnostic Serial Port Drivers (WDM);c:\windows\system32\drivers\lgatserd.sys [2007-4-17 60816]
.
=============== Created Last 30 ================
.
2011-05-08 05:15:06 -------- d-----w- c:\docume~1\morris\locals~1\applic~1\AskToolbar
2011-05-08 05:12:42 -------- d-----w- c:\docume~1\morris\applic~1\Foxit Software
2011-05-08 05:12:22 -------- d-----w- c:\program files\Ask.com
2011-05-08 00:44:04 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-08 00:44:00 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-07 22:52:22 7071056 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{2d90d330-2135-49a4-af64-72e043397067}\mpengine.dll
2011-05-06 22:33:09 -------- d-----w- C:\Alene
2011-05-04 22:56:06 89088 ----a-w- c:\windows\system32\mbr.exe
2011-05-01 03:21:02 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-05-01 03:21:02 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-04-30 14:35:56 7071056 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2011-04-30 04:48:33 -------- d-sha-r- C:\cmdcons
2011-04-29 04:14:08 2476 ----a-w- C:\regbak.reg
2011-04-28 04:17:33 -------- d-----w- c:\program files\ESET
2011-04-28 02:43:36 98816 ----a-w- c:\windows\sed.exe
2011-04-28 02:43:36 89088 ----a-w- c:\windows\MBR.exe
2011-04-28 02:43:36 256512 ----a-w- c:\windows\PEV.exe
2011-04-28 02:43:36 161792 ----a-w- c:\windows\SWREG.exe
2011-04-27 01:23:56 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-04-27 01:23:56 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-27 01:22:04 -------- d-----w- c:\docume~1\morris\locals~1\applic~1\{7CBA73E9-288D-47ED-8FD7-A2540E3C5FAC}
2011-04-27 01:22:04 -------- d-----w- c:\docume~1\morris\applic~1\Huuziz
2011-04-27 01:22:04 -------- d-----w- c:\docume~1\morris\applic~1\2874392D513E59CB58D1165949F560A5
2011-04-27 01:19:18 -------- d--h--w- c:\windows\ie8
2011-04-26 23:39:44 -------- dc----w- c:\windows\ie8(2)
2011-04-26 06:47:41 -------- d-----w- c:\windows\system32\CatRoot2
2011-04-25 15:09:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-25 14:54:09 106496 --sha-r- c:\windows\system32\winmineq.dll
2011-04-25 14:49:24 -------- d-----w- c:\docume~1\morris\applic~1\TeamViewer
2011-04-25 05:34:47 -------- d-----w- c:\windows\ERDNT -registry backup 04252011
2011-04-24 02:58:10 -------- d-----w- c:\program files\Microsoft Security Client
2011-04-24 02:11:05 -------- d-----w- c:\program files\Microsoft Easy Assist
2011-04-24 02:09:59 -------- d-----w- c:\docume~1\alluse~1\applic~1\Applications
2011-04-23 06:04:59 -------- d-----w- c:\program files\AVG
2011-04-22 06:29:33 -------- d-----w- c:\program files\common files\ParetoLogic
2011-04-22 06:29:33 -------- d-----w- c:\docume~1\morris\applic~1\ParetoLogic
2011-04-22 06:29:33 -------- d-----w- c:\docume~1\alluse~1\applic~1\ParetoLogic
2011-04-22 06:28:46 -------- d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2011-04-22 06:15:57 -------- d-----w- c:\docume~1\morris\applic~1\DriverCure
2011-04-22 05:51:27 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-04-21 08:06:13 -------- d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2011-04-17 06:20:35 -------- d-----w- c:\docume~1\morris\locals~1\applic~1\PackageAware
2011-04-15 22:52:58 -------- d-----w- c:\docume~1\morris\applic~1\Umxye
.
==================== Find3M ====================
.
2011-05-04 04:28:46 14336 ----a-w- c:\windows\system32\svchost.exe
2011-05-01 01:34:01 237568 ----a-w- c:\windows\system32\rmc_rtspdl.dll
2011-05-01 01:34:01 156672 ----a-w- c:\windows\system32\rmc_fixasf.exe
2011-04-24 04:14:23 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys
2011-04-10 04:11:26 256 ----a-w- c:\windows\system32\pool.bin
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-23 20:54:12 29520 ----a-w- c:\windows\system32\SmartDefragBootTime.exe
2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06:29 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06:29 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41:59 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-11 13:25:52 229888 ----a-w- c:\windows\system32\fxscover.exe
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33:55 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33:55 974848 ----a-w- c:\windows\system32\mfc42u.dll
.
============= FINISH: 8:46:02.98 ===============
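Reading through a DDS "Created Last 30" / "Find3M" section by hand is slow, so here is an added Python example (not part of the thread, DDS or Spybot) that parses lines in that format and flags the entries a helper would look at first: hidden+system files under system32, hex- or GUID-named Application Data folders, and several Application Data items created in the same second. The sample lines are copied from the log above; the flags are review heuristics, not malware verdicts.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the DDS log in this thread (this script is not DDS code).
SAMPLE_LOG = r"""
2011-05-08 00:44:04 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-27 01:22:04 -------- d-----w- c:\docume~1\morris\locals~1\applic~1\{7CBA73E9-288D-47ED-8FD7-A2540E3C5FAC}
2011-04-27 01:22:04 -------- d-----w- c:\docume~1\morris\applic~1\Huuziz
2011-04-27 01:22:04 -------- d-----w- c:\docume~1\morris\applic~1\2874392D513E59CB58D1165949F560A5
2011-04-25 14:54:09 106496 --sha-r- c:\windows\system32\winmineq.dll
2011-04-24 04:14:23 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys
2011-04-15 22:52:58 -------- d-----w- c:\docume~1\morris\applic~1\Umxye
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
"""

# DDS file line: timestamp, size (dashes for a directory), 8-char attribute field (d=dir, s=system, h=hidden), path.
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\d+|-+) ([a-z-]{8}) (.+)$")
# 32 hex characters or a {GUID}: folder names a person would not choose by hand.
HEX_OR_GUID = re.compile(r"^\{?[0-9A-Fa-f-]{32,38}\}?$")

def parse(log):
    """Turn DDS file lines into dicts; lines that do not match the format are skipped."""
    entries = []
    for line in log.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, size, attrs, path = m.groups()
            entries.append({"ts": ts, "size": size, "attrs": attrs,
                            "path": path, "leaf": path.rsplit("\\", 1)[-1]})
    return entries

def triage(entries):
    """Return {path: [reasons]} for entries worth a manual look.
    These are review heuristics for a helper, not malware verdicts."""
    hits = defaultdict(list)
    appdata_by_second = defaultdict(list)
    for e in entries:
        is_dir = e["attrs"][0] == "d"
        hidden_system = e["attrs"][2] == "s" and e["attrs"][3] == "h"
        in_system32 = "\\system32\\" in e["path"].lower()
        in_appdata = "\\applic~1\\" in e["path"].lower()
        if hidden_system and in_system32 and not is_dir:
            hits[e["path"]].append("hidden+system file in system32")
        if in_appdata and HEX_OR_GUID.match(e["leaf"]):
            hits[e["path"]].append("hex/GUID-named Application Data folder")
        if in_appdata:
            appdata_by_second[e["ts"]].append(e["path"])
    # Several Application Data folders appearing in the same second suggest one installer dropped them together.
    for ts, paths in appdata_by_second.items():
        if len(paths) >= 3:
            for p in paths:
                hits[p].append(f"{len(paths)} Application Data items created at {ts}")
    return dict(hits)
```

Run `triage(parse(SAMPLE_LOG))` to get the flagged paths with their reasons; on the sample, the two hidden+system files and the three folders created at 01:22:04 come back, while win32k.sys and Umxye do not.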

km2357
2011-05-08, 19:00
Ok, go ahead and use your computer/browser as you normally would over the next few days and let me know how it goes. Let me know if the redirects come back as well. If everything is fine with the computer by Tuesday, we can finish up. :)

Before then I'd like for you to do the following:

I'd like for you to do a scan with Spybot S&D.

Your version of SpyBot S&D is out of date. The latest version is 1.6.2

http://www.safer-networking.org/en/mirrors/index.html

Be sure to uninstall the old version of SpyBot S&D (Spybot - Search & Destroy 1.4) before installing 1.6.2.

Run a scan with Spybot 1.6.2 and let me know if it finds anything. If it does, post its log in your next post/reply.

Alene
2011-05-09, 04:38
I uninstalled Spybot, downloaded the latest version, got the updates, and this is what it found. BTW, I ran it with IE open and Microsoft Security Essentials turned off. Does it make any difference if IE is open or closed?

08.05.2011 22:01:13 - ##### check started #####
08.05.2011 22:01:13 - ### Version: 1.6.2
08.05.2011 22:01:13 - ### Date: 5/8/2011 10:01:13 PM
08.05.2011 22:01:24 - ##### checking bots #####
08.05.2011 22:01:58 - found: CouponBar Settings
08.05.2011 22:01:58 - found: CouponBar Settings
08.05.2011 22:03:48 - found: Click.GiftLoad User settings
08.05.2011 22:24:10 - ##### check finished #####

Alene
2011-05-09, 05:19
Here's the full report after I ran the fix. It seemed large so I zipped it.

Alene
2011-05-09, 05:20
Here's the zipped log

Alene
2011-05-09, 06:10
I just had to share this with you. After running Spybot fix, I restarted the system and there is NO svchost.exe any longer in the registry. This is amazing to me. I'll continue running the system until Tuesday and then I'll mail you back.:):):). In the meantime, should I run the browser with the TeaTimer and SDHelper features in Spybot as well as Microsoft Security Essentials both on, or will this cause some conflict? I read somewhere you shouldn't run 2 security programs at once. When we're done, please tell me how Spybot was able to permanently delete it (I hope it's permanent) this time whereas not before I posted. It couldn't just have been that I didn't have the latest version, could it?? I'll let you know on Tuesday how things went, but you've really got me excited now. Thanks

km2357
2011-05-09, 07:26
After running Spybot fix, I restarted the system and there is NO svchost.exe any longer in the registry.

That's great news. :bigthumb:



In the meantime, should I run the browser with the TeaTimer and SDHelper features in Spybot as well as Microsoft Security Essentials both on or will this cause some conflict - I read somewhere you shouldn't run 2 security programs at once.

You should be just fine running both Microsoft Security Essentials and Spybot on your computer. :) What you don't want to do is run two Anti-Viruses at the same time, that can cause conflicts and crashes. Since Spybot S&D is not an Anti-Virus program, you're fine there.



When we're done, please tell me how Spybot was able to permanently delete it (I hope it's permanent) this time whereas not before I posted. It couldn't just have been that I didn't have the latest version, could it??

I think that's exactly what it was. The version you had before (1.4) came out way back in 2005. More likely than not the 1.4 version was not able to fix what Spybot 1.6.2 was able to fix. Count this up as a lesson learned: always keep the programs on your computer (especially security-based programs) up to date. :)

Alene
2011-05-11, 08:44
I wanted to tell you that my system is now operating beautifully without any of the problems which made my life hell. I can't say thank you enough.
I was wondering a couple of things I thought you might help me understand. Microsoft Security Essentials is anti virus but didn't seem to stop the click.giftload infection. Spybot detects spyware and adware, and detected Click.Giftload as a trojan or hijacker and with your help, managed to get rid of it. So do I have it right, that once you have a virus, trojan, or hijacker, MSE can't help? And if so , how often do you run an MSE scan and what's the point if its already there and you need another program like Spybot to get rid of it. And so, how often do you run Spybot. Or do you only run it when something is detected by MSE. Finally, isn't there one program that should do both? Very confusing.
But I can tell you this for sure: Microsoft's tech support basically couldn't fix this problem, after 3 days of trying and connecting remotely to my computer, and finally told me to format and reinstall, which would have been a nightmare. I would have thought that given that their update site was being blocked, they would have done almost anything necessary to resolve this issue. You impressed me and though I hope not to have this problem again, I hope to find someone like you if it should ever reoccur.
All the very best to you and one final thanks.
Alene

km2357
2011-05-11, 20:31
Great to hear that your computer is running beautifully. :bigthumb:


I was wondering a couple of things I thought you might help me understand. Microsoft Security Essentials is anti virus but didn't seem to stop the click.giftload infection. Spybot detects spyware and adware, and detected Click.Giftload as a trojan or hijacker and with your help, managed to get rid of it. So do I have it right, that once you have a virus, trojan, or hijacker, MSE can't help? And if so , how often do you run an MSE scan and what's the point if its already there and you need another program like Spybot to get rid of it. And so, how often do you run Spybot. Or do you only run it when something is detected by MSE. Finally, isn't there one program that should do both?

MSE is a good AntiVirus but it can't detect everything out there. You need a backup such as Spybot or MalwareBytes' to help find and remove the things that MSE misses. I would run MSE at least once a month (make sure you update it every day) and would run Spybot and MalwareBytes' at least every two weeks or so. Also make sure you keep both of those updated as well, so when you do scans with them, you'll have the latest definitions/databases. Unfortunately I don't know of any program that does both AntiVirus and Antimalware extremely well; it's best to have programs to cover both areas. :)


Since there are no more problems, you're good to go. :)

Delete the following off of your computer:

DDS.scr
The two DDS Logs
GMER.zip
GMER.exe
The GMER Log
TDSSKiller.exe
The TDSSKiller Log
Mbrlog.bat
The mbrlog.bat log


To remove ComboFix, do the following:

Go to Start > Run - type in ComboFix /Uninstall & click OK

Empty your Recycle Bin.


Please take the time to read my All Clean Post.

Please follow these simple steps in order to keep your computer clean and secure:

This is a good time to clear your existing system restore points and establish a new clean restore point

Go to Start > All Programs > Accessories > System Tools > System Restore
Select Create a restore point, and Ok it.
Next, go to Start > Run and type in cleanmgr
Make sure the C:\ drive is selected and click OK. If your computer's Hard Drive is not located on C:, change it to the correct drive letter then click OK.
Select the More options tab
Choose the option to clean up system restore and OK it.
This will remove all restore points except the new one you just created.

Clearing your restore points is not something you should do on a regular basis. Normally, this process only needs to be done after clearing out an infestation of malware.


Make your Internet Explorer more secure
This can be done by following these simple instructions: From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it asks you if you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
Set correct settings for files that should be hidden in Windows XP
Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
Under "Hidden files and folders", if necessary select Do not show hidden files and folders.
If unchecked, please check Hide protected operating system files (Recommended).
If necessary check "Display content of system folders".
If necessary uncheck Hide file extensions for known file types.
Click OK

Use An Antivirus Software and Keep It Updated
It is very important that your computer has an antivirus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a day. If you do not update your antivirus software, then it will not be able to catch any of the new variants that may come out.

Visit Microsoft's Update Site Frequently
It is important that you visit Microsoft Updates (http://update.microsoft.com/) regularly. This will ensure your computer has the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Install SpywareBlaster
SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. You can find SpywareBlaster here:
SpywareBlaster (http://www.javacoolsoftware.com/sbdownload_free.html)

Use the hosts file
Every version of Windows has a hosts file as part of it. In a very basic sense, it is used to locate web pages. We can customize a hosts file so that it blocks certain web pages. However, it can slow down certain computers. This is why using a hosts file is optional.
Download mvps hosts file (http://www.mvps.org/winhelp2002/hosts.htm)
Make sure you read the instructions on how to install the hosts file. There is a good tutorial HERE (http://www.bleepingcomputer.com/forums/tutorial51.html)
If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
Click the start button on the task bar at the bottom of your screen.
Click run.
In the dialog box, type services.msc and hit enter, then locate DNS Client.
Highlight it, then double-click it.
On the dropdown box, change the setting from Automatic to Manual.
Click OK.

Use an alternative instant messenger program.
Trillian (http://www.trillian.cc/) and Miranda IM (http://www.miranda-im.com/) are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

Please read Tony Klein's excellent article: How I got Infected in the First Place (http://forums.spybot.info/showthread.php?t=279)
Please read Understanding Spyware, Browser Hijackers, and Dialers (http://www.bleepingcomputer.com/forums/tutorial41.html)
Please read Simple and easy ways to keep your computer safe and secure on the Internet (http://www.bleepingcomputer.com/tutorials/tutorial82.html)

If you are using Internet Explorer, please consider using an alternate browser: Mozilla's Firefox (http://www.mozilla.org/products/firefox) or Opera (http://www.opera.com/download/).
If you decide to use either Firefox or Opera, it is very important that you keep them up to date and check frequently for updates of the browser of your choice.

Update all these programs regularly
Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.


Here's a good website to read about Malware prevention:

http://users.telenet.be/bluepatchy/miekiemoes/prevention.html

If your computer is running slow, click here (http://www.malwareremoval.com/tutorials/runningslowly.php) for instructions on how to help speed up your computer.

Good luck!

Please reply one last time so that I know you have read my post and this thread can be closed.

Alene
2011-05-13, 23:48
You've given me a lot to read which I am doing, and a lot of peace of mind.
Thank you again for all your time and efforts. Have a great weekend.

km2357
2011-05-14, 07:09
You're welcome. I'm glad I was able to help you out. :)

Good luck and safe surfing!


Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

Note: If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh DDS log and a link to your previous thread.

If it has been less than three days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.