
Thread: browser hijacking dds log included

  1. #1
    Junior Member (Join Date: Nov 2010, Posts: 1)

    Every time I try to go to a website I get redirected.
    Here is my DDS log.

    Thanks in advance.


    DDS (Ver_10-11-26.01) - NTFSx86
    Run by Chris at 21:33:02.64 on Thu 11/25/2010
    Internet Explorer: 8.0.7600.16385
    Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3582.1661 [GMT -5:00]


    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\system32\atiesrxx.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_4c73f4a9a59a84bb\STacSV.exe
    C:\Program Files\Creative\Shared Files\CTAudSvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\atieclxx.exe
    C:\Program Files\Dell\DellDock\DockLogin.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_4c73f4a9a59a84bb\aestsrv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Windows\system32\dleecoms.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    c:\Program Files\Common Files\Dell\Advanced Networking Service\hnm_svc.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    C:\Windows\system32\lxdkcoms.exe
    C:\Program Files\MySQL\MySQL Server 5.1\bin\mysqld.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\Program Files\Dell DataSafe Local Backup\sftservice.EXE
    C:\Program Files\Tenable\Nessus\nessus-service.exe
    C:\Program Files\Team MediaPortal\MediaPortal TV Server\TVService.exe
    C:\Program Files\Tenable\Nessus\nessusd.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\svchost.exe -k bthsvcs
    C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\PROGRA~1\MICROS~3\Office12\OUTLOOK.EXE
    C:\PROGRA~1\MICROS~3\Office12\OUTLOOK.EXE
    C:\PROGRA~1\MICROS~3\Office12\OUTLOOK.EXE
    C:\PROGRA~1\MICROS~3\Office12\OUTLOOK.EXE
    C:\PROGRA~1\MICROS~3\Office12\OUTLOOK.EXE
    C:\Windows\system32\taskhost.exe
    C:\Program Files\Dell\DellDock\DellDock.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Dell DataSafe Online\DataSafeOnline.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Alwil Software\Avast5\AvastUI.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Program Files\Dell Remote Access\ezi_ra.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Windows\system32\wuauclt.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
    C:\Program Files\Citrix\ICA Client\PNAMain.exe
    C:\Program Files\Citrix\ICA Client\wfcrun32.exe
    C:\Windows\System32\svchost.exe -k LocalServicePeerNet
    C:\Windows\system32\DllHost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Windows Live\Toolbar\wltuser.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
    C:\Windows\servicing\TrustedInstaller.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Users\Chris\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FN9AUDCK\dds[1].scr
    C:\Windows\system32\conhost.exe

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.facebook.com/
    uInternet Settings,ProxyOverride = *.local
    uURLSearchHooks: H - No File
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
    TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
    TB: WhiteSmoke Toolbar: {52794457-af6c-4c50-9def-f2e24f4c8889} - c:\program files\whitesmoketoolbar\whitesmoketoolbarX.dll
    TB: {98279C38-DE4B-4BCF-93C9-8EC26069D6F4} - No File
    TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    TB: {88C7F2AA-F93F-432C-8F0E-B7D85967A527} - No File
    TB: {30F9B915-B755-4826-820B-08FBA6BD249D} - No File
    uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
    uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
    uRun: [AnyDVD] c:\program files\slysoft\anydvd\AnyDVDtray.exe
    uRun: [{1F657DEA-B6B7-5AFE-F160-110FD3DB438F}] c:\users\chris\appdata\roaming\gyohu\hued.exe
    uRun: [uPc+kt0NcZaXms] rundll32.exe c:\windows\system32\hu7ifi.dll, SystemServer
    uRun: [Mqqsc] c:\windows\drweb.exe
    uRun: [uPc+kt0NYkZJsiv] rundll32.exe c:\windows\system32\d8jpu3zpe.dll, SystemServer
    uRun: [Mqurb] c:\windows\taskmgr.exe
    uRun: [Mqva] c:\windows\win.exe
    uRun: [Mqqoc] c:\windows\debug.exe
    uRun: [MqvPc] c:\windows\win32.exe
    uRun: [MqrMc] c:\windows\gdi32.exe
    uRun: [MqqZ] c:\windows\cmd.exe
    uRun: [Lveehfngosf] c:\users\chris\appdata\local\temp\taskmgr.exe
    uRun: [Lveehfngpta] c:\users\chris\appdata\local\temp\services.exe
    uRun: [Lveehfngnb] c:\users\chris\appdata\local\temp\cmd.exe
    uRun: [LveehfngM0ycis\AppData\Local\Temp\3433575231.exe] c:\users\chris\appdata\local\temp\3433575231.exe
    uRun: [LveehfngM0ycis\AppData\Local\Temp\1345280333.exe] c:\users\chris\appdata\local\temp\1345280333.exe
    uRun: [Lveehfngoe] c:\users\chris\appdata\local\temp\avp.exe
    uRun: [Lveehfngoe0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.9) Gecko/20100315 Firefox/3.5.9] c:\users\chris\appdata\local\temp\avp.exe
    uRun: [Lveehfngoe0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/534.0 (KHTML, like Gecko) Chrome/6.0.408.1 Safari/534.0] c:\users\chris\appdata\local\temp\avp.exe
    uRun: [Lveehfngoe0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3] c:\users\chris\appdata\local\temp\avp.exe
    uRun: [MqqZlla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.9) Gecko/20100315 Firefox/3.5.9] c:\windows\cmd.exe
    uRun: [MqqZlla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3] c:\windows\cmd.exe
    mRun: [Apoint] c:\program files\delltpad\Apoint.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Dell DataSafe Online] "c:\program files\dell datasafe online\DataSafeOnline.exe" /m
    mRun: [Dell Webcam Central] "c:\program files\dell webcam\dell webcam central\WebcamDell2.exe" /mode2
    mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
    mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
    mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [MqmPgQQ] c:\windows\temp\i1zn3ta98.exe
    mRun: [Bvukozuvovepur] rundll32.exe "c:\windows\system32\config\systemprofile\appdata\local\utitaduxotoyeful.dll",Startup
    mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
    dRun: [MqmPjd] c:\windows\temp\tq9plu.exe
    dRun: [Mkuwujecazuwipiq] rundll32.exe "c:\windows\system32\config\systemprofile\appdata\local\geizior.dll",Startup
    dRun: [MqmPgQQ] c:\windows\temp\i1zn3ta98.exe
    dRunOnce: [nIkJn03100] c:\programdata\nikjn03100\nIkJn03100.exe
    StartupFolder: c:\users\chris\appdata\roaming\micros~1\windows\startm~1\programs\startup\delldo~1.lnk - c:\program files\dell\delldock\DellDock.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\ciscos~1.lnk - c:\program files\cisco systems\vpn client\vpngui.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\dellre~1.lnk - c:\windows\installer\{f66a31d9-7831-4fba-ba02-c411c0047cc5}\NewShortcut4_F66A31D978314FBABA02C411C0047CC5.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\online~1.lnk - c:\windows\installer\{7681a1a9-d865-4dc0-a319-41a49f5e78db}\pnaico.exe.20FBBF0A_A7E5_4BDE_9798_9811C3D135AC.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{51fb15f4-ad27-43bc-ad4b-dd0354fb6bbd}\Icon3E5562ED7.ico
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    dPolicies-explorer: NoFolderOptions = 1 (0x1)
    dPolicies-system: DisableRegistryTools = 1 (0x1)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
    IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
    IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
    IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
    Trusted Zone: paradigmsi.com\crm
    DPF: ActiveGS.cab - hxxp://activegs.freetoolsassociation.com/ActiveGS.cab
    DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} - hxxp://support.dell.com/systemprofiler/SysProExe.CAB
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: {E31B6467-201E-4601-A023-0AE297563F8C} = 10.2.1.18
    Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
    Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
    Hosts: 10.2.1.67 psblaircrm02
    ================= FIREFOX ===================

    FF - ProfilePath - c:\users\chris\appdata\roaming\mozilla\firefox\profiles\92yzp8qx.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.wildblue.net/
    FF - component: c:\users\chris\appdata\roaming\mozilla\firefox\profiles\92yzp8qx.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}\components\RadioWMPCoreGecko19.dll
    FF - component: c:\users\chris\appdata\roaming\mozilla\firefox\profiles\92yzp8qx.default\extensions\engine@conduit.com\components\RadioWMPCoreGecko19.dll
    FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\microsoft\office live\npOLW.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npclntax_ClickPotatoLiteSA.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\NPDFusionWebFirefox.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
    FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
    FF - plugin: c:\users\chris\appdata\roaming\facebook\npfbplugin_1_0_3.dll
    FF - plugin: c:\users\chris\appdata\roaming\mozilla\firefox\profiles\92yzp8qx.default\extensions\logmeinclient@logmein.com\plugins\npRACtrl.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: XULRunner: {CA2B55BB-A05C-4827-A21F-938D27E5667C} - c:\windows\system32\config\systemprofile\appdata\local\{ca2b55bb-a05c-4827-a21f-938d27e5667c}\

    ============= SERVICES / DRIVERS ===============

    R0 ZetSFD;Zetera Storage Class Filter Driver;c:\windows\system32\drivers\ZetSFD.sys [2009-7-17 13824]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-11-24 165584]
    R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2010-4-16 65584]
    R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\driverstore\filerepository\stwrt.inf_x86_neutral_4c73f4a9a59a84bb\AEstSrv.exe [2009-7-15 81920]
    R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-8-18 176128]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-11-24 17744]
    R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-11-24 50768]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-11-24 40384]
    R2 dlee_device;dlee_device;c:\windows\system32\dleecoms.exe -service --> c:\windows\system32\dleecoms.exe -service [?]
    R2 DockLoginService;Dock Login Service;c:\program files\dell\delldock\DockLogin.exe [2008-12-18 155648]
    R2 lxdk_device;lxdk_device;c:\windows\system32\lxdkcoms.exe -service --> c:\windows\system32\lxdkcoms.exe -service [?]
    R2 SftService;SoftThinks Agent Service;c:\program files\dell datasafe local backup\SftService.exe [2009-7-5 636144]
    R2 TVService;TVService;c:\program files\team mediaportal\mediaportal tv server\TvService.exe [2010-10-1 196608]
    R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-11-24 40384]
    R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-11-24 40384]
    R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2009-7-15 29736]
    R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [2009-7-5 144128]
    R3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]
    R3 OA009Ufd;Creative Camera OA009 Upper Filter Driver;c:\windows\system32\drivers\OA009Ufd.sys [2009-7-15 133632]
    R3 OA009Vid;Creative Camera OA009 Function Driver;c:\windows\system32\drivers\OA009Vid.sys [2009-7-15 271552]
    R3 PSSDK42;PSSDK42;c:\windows\system32\drivers\pssdk42.sys [2009-10-12 38976]
    R3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);c:\windows\system32\drivers\WsAudio_DeviceS(1).sys [2010-4-25 25704]
    R3 WsAudio_DeviceS(2);WsAudio_DeviceS(2);c:\windows\system32\drivers\WsAudio_DeviceS(2).sys [2010-4-25 25704]
    R3 WsAudio_DeviceS(3);WsAudio_DeviceS(3);c:\windows\system32\drivers\WsAudio_DeviceS(3).sys [2010-4-25 25704]
    R3 WsAudio_DeviceS(4);WsAudio_DeviceS(4);c:\windows\system32\drivers\WsAudio_DeviceS(4).sys [2010-4-25 25704]
    R3 WsAudio_DeviceS(5);WsAudio_DeviceS(5);c:\windows\system32\drivers\WsAudio_DeviceS(5).sys [2010-4-25 25704]
    R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2009-7-13 311296]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 gupdate1ca321445086810;Google Update Service (gupdate1ca321445086810);c:\program files\google\update\GoogleUpdate.exe [2009-9-10 133104]
    S2 lxdkCATSCustConnectService;lxdkCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdkserv.exe [2009-9-5 99248]
    S3 androidusb;ADB Interface Driver;c:\windows\system32\drivers\motoandroid.sys [2009-7-10 25856]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
    S3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files\common files\creative labs shared\service\AL6Licensing.exe [2009-7-5 79360]
    S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2009-7-5 79360]
    S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-7-5 34248]
    S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-7-5 40552]
    S3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\drivers\NwUsbCdFil.sys [2008-7-7 20480]
    S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [2008-5-9 174336]
    S3 PCD5SRVC{3F6A8B78-EC003E00-05040104};PCD5SRVC{3F6A8B78-EC003E00-05040104} - PCDR Kernel Mode Service Helper Driver;c:\program files\dell support center\hwdiag\bin\pcd5srvc.pkms [2008-11-4 22904]
    S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\program files\verizon wireless\vzaccess manager\SMSIVZAM5.sys [2009-3-20 32408]
    S3 Sound Blaster X-Fi MB Licensing Service;Sound Blaster X-Fi MB Licensing Service;c:\program files\common files\creative labs shared\service\XMBLicensing.exe [2009-7-5 79360]
    S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-2-26 1343400]
    S3 wsvad_driver;WS Audio Device;c:\windows\system32\drivers\VirtualAudio.sys [2010-4-25 16896]

    =============== Created Last 30 ================

    2010-11-26 02:19:10 388096 ----a-r- c:\users\chris\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
    2010-11-26 02:19:10 -------- d-----w- c:\program files\Trend Micro
    2010-11-26 02:12:52 -------- d-----w- c:\program files\FLAC to MP3 Converter
    2010-11-25 04:56:54 50768 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2010-11-25 04:56:49 38848 ----a-w- c:\windows\avastSS.scr
    2010-11-25 04:56:47 -------- d-----w- c:\progra~2\Alwil Software
    2010-11-25 02:56:58 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
    2010-11-25 02:56:47 -------- d-----w- c:\program files\Hitman Pro 3.5
    2010-11-25 02:56:13 -------- d-----w- c:\progra~2\Hitman Pro
    2010-11-25 01:01:13 -------- d-----w- c:\progra~2\nIkJn03100
    2010-11-25 01:00:39 -------- d-----w- c:\progra~2\WSTB
    2010-11-24 14:16:20 -------- d-----w- c:\windows\pss
    2010-11-24 13:38:10 -------- d-----w- c:\users\chris\appdata\roaming\Leeqi
    2010-11-24 13:38:10 -------- d-----w- c:\users\chris\appdata\roaming\Gyohu
    2010-11-24 13:36:43 30000 ----a-w- c:\windows\system32\xvafii3mw.dll
    2010-11-24 03:25:57 -------- d-----w- c:\program files\whitesmoketoolbar
    2010-11-24 02:18:39 7680 ----a-w- c:\program files\internet explorer\iecompat.dll
    2010-11-20 18:29:50 -------- d-----w- C:\Music Label Databases
    2010-11-20 18:29:28 -------- d-----w- c:\users\chris\appdata\roaming\Music Label
    2010-11-20 18:28:58 -------- d-----w- c:\program files\Music Label 2010
    2010-11-12 03:20:42 -------- d-----w- c:\program files\BitTorrent
    2010-11-12 03:20:04 -------- d-----w- c:\users\chris\appdata\roaming\BitTorrent
    2010-11-04 13:26:24 -------- d-----w- c:\program files\Microsoft Security Essentials
    2010-11-04 08:47:08 6146896 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{e8b0a3b5-85b8-4418-8c2c-48a763efa8a6}\mpengine.dll
    2010-11-04 06:09:20 -------- d-----w- c:\program files\TuneSleeve
    2010-11-04 06:09:20 -------- d-----w- c:\progra~2\eSellerate
    2010-10-31 15:22:12 -------- d-----w- c:\program files\iTunes
    2010-10-31 15:22:12 -------- d-----w- c:\program files\iPod
    2010-10-31 15:22:12 -------- d-----w- c:\progra~2\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    2010-10-31 15:16:10 -------- d-----w- c:\program files\Bonjour

    ==================== Find3M ====================

    2010-10-19 20:51:33 222080 ----a-w- c:\windows\system32\MpSigStub.exe
    2010-09-08 15:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-09-08 15:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2010-09-08 04:30:04 978432 ----a-w- c:\windows\system32\wininet.dll
    2010-09-08 04:28:15 44544 ----a-w- c:\windows\system32\licmgr10.dll
    2010-09-08 03:22:31 386048 ----a-w- c:\windows\system32\html.iec
    2010-09-08 02:48:16 1638912 ----a-w- c:\windows\system32\mshtml.tlb
    2010-09-01 04:23:49 12625408 ----a-w- c:\windows\system32\wmploc.DLL
    2010-09-01 02:34:52 2327552 ----a-w- c:\windows\system32\win32k.sys
    2010-08-31 04:32:30 954752 ----a-w- c:\windows\system32\mfc40.dll
    2010-08-31 04:32:30 954288 ----a-w- c:\windows\system32\mfc40u.dll
    2006-05-03 09:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll
    2007-02-21 10:47:16 31232 --sh--r- c:\windows\system32\msfDX.dll
    2008-03-16 12:30:52 216064 --sh--r- c:\windows\system32\nbDX.dll

    =================== ROOTKIT ====================

    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 6.1.7600 Disk: ST950032 rev.0003 -> Harddisk0\DR0 -> \Device\Ide\iaStor0

    device: opened successfully
    user: MBR read successfully

    Disk trace:
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x87230446]<<
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x87236504]; MOV EAX, [0x87236580]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 ntkrnlpa!IofCallDriver[0x82E4F458] -> \Device\Harddisk0\DR0[0x864C87C8]
    3 CLASSPNP[0x8CA9D59E] -> ntkrnlpa!IofCallDriver[0x82E4F458] -> [0x86461548]
    \Driver\iaStor[0x85B651D8] -> IRP_MJ_CREATE -> 0x87230446
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x137; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
    detected disk devices:
    \Device\Ide\IAAStorageDevice-1 -> \??\IDE#DiskST9500325AS_____________________________0003DEM1#4&17df1b88&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    user != kernel MBR !!!
    sectors 976773166 (+255): user != kernel
    Warning: possible TDL4 rootkit infection !
    TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

    ============= FINISH: 21:33:48.56 ===============
    Last edited by tashi; 2010-11-26 at 05:09. Reason: email address in username removed ;-)

  2. #2
    Emeritus (Join Date: Nov 2005, Location: @localhost, Posts: 6,066)

    Hi cclapper,

    Sorry for the delay, no shortage of posters. If you still need help, post back. You should not use this computer until it's cleaned up. Power it off so there is no connectivity.
    Last edited by tashi; 2010-12-17 at 00:21. Reason: Date of archive