
Thread: Need Help.

  1. #1
    Junior Member
    Join Date
    May 2011
    Posts
    8

    Need Help.

    I think I need some help. I got a rootkit on this computer, but I was searching this forum and found some guy helping someone with the same problem. I followed the instructions the helper was giving the guy as much as I could. I know I should have posted on here, but I was getting impatient. I'll post the DDS report and all the reports that I can do.

    .
    DDS (Ver_11-03-05.01) - NTFSx86
    Run by Chavez at 17:03:44.10 on Mon 05/16/2011
    Internet Explorer: 7.0.6000.16945 BrowserJavaVersion: 1.6.0_21
    Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.1.1033.18.1013.249 [GMT -5:00]
    .
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\AERTSrv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
    C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    C:\Windows\system32\java.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\DRIVERS\xaudio.exe
    C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\DELL\E-Center\EULALauncher.exe
    C:\Windows\RtHDVCpl.exe
    C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
    C:\Windows\system32\wuauclt.exe
    C:\Program Files\Zune\ZuneLauncher.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe
    C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
    C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
    C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Windows\System32\mobsync.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Users\Chavez\Desktop\dds.scr
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://search.mywebsearch.com/mywebsearch/default.jhtml?ptnrS=ZKfox000&ptb=lP8cQFZNV_EY6giU73RdLA
    uInternet Settings,ProxyOverride = *.local
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
    BHO: FrostWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: FrostWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    uRun: [AIM] c:\program files\aim\aim.exe -cnetwait.odl
    uRun: [PeerGuardian] c:\program files\peerguardian2\pg2.exe
    uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
    mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
    mRun: [RtHDVCpl] RtHDVCpl.exe
    mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
    mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
    mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
    mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [LELA] "c:\program files\linksys\linksys easylink advisor\Linksys EasyLink Advisor.exe" /minimized
    mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
    mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
    mRun: [Monitor] "c:\program files\leapfrog\leapfrog connect\Monitor.exe"
    mRun: [USBToolTip] c:\progra~1\pinnacle\shared~1\programs\usbtip\USBTip.exe
    mRun: [USB2Check] RUNDLL32.EXE "c:\windows\system32\PCLECoInst.dll",CheckUSBController
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
    IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
    Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp3.dll
    Notify: igfxcui - igfxdev.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\chavez\appdata\roaming\mozilla\firefox\profiles\g42zou10.default\
    FF - prefs.js: browser.search.selectedEngine - MyWebSearch
    FF - prefs.js: browser.startup.homepage - www.google.com
    FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZKfox000&fl=0&ptb=lP8cQFZNV_EY6giU73RdLA&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&st=kwd&searchfor=
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\veetle\player\npvlc.dll
    FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
    FF - plugin: c:\program files\veetle\vlcbroadcast\npvbp.dll
    FF - plugin: c:\users\chavez\appdata\roaming\mozilla\firefox\profiles\g42zou10.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: TVU Web Player: firefox@tvunetworks.com - %profile%\extensions\firefox@tvunetworks.com
    FF - Ext: RedShift V3.6: redshift_V2@shift-themes.com - %profile%\extensions\redshift_V2@shift-themes.com
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    .
    ============= SERVICES / DRIVERS ===============
    .
    R2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2007-12-5 77824]
    R2 LinksysUpdater;Linksys Updater;c:\program files\linksys\linksys updater\bin\LinksysUpdater.exe [2008-4-18 204800]
    R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-3-18 1153368]
    S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2009-11-10 19456]
    .
    =============== Created Last 30 ================
    .
    2011-05-16 05:26:03 -------- d-sh--w- C:\$RECYCLE.BIN
    2011-05-16 05:03:11 -------- d-----w- C:\ComboFix
    2011-05-16 04:55:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-05-16 04:55:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-05-16 04:14:46 98816 ----a-w- c:\windows\sed.exe
    2011-05-16 04:14:46 89088 ----a-w- c:\windows\MBR.exe
    2011-05-16 04:14:46 256512 ----a-w- c:\windows\PEV.exe
    2011-05-16 04:14:46 161792 ----a-w- c:\windows\SWREG.exe
    2011-05-15 20:40:36 -------- d-----w- C:\$AVG
    2011-05-15 05:23:52 -------- d-----w- c:\progra~2\AVG10
    2011-05-15 05:22:22 -------- d-----w- c:\program files\AVG
    2011-05-15 04:56:59 -------- d--h--w- c:\progra~2\Common Files
    2011-05-15 04:47:21 -------- d-----w- c:\program files\common files\Adobe(370)
    2011-05-15 04:47:21 -------- d-----w- c:\program files\Adobe(278)
    2011-05-15 04:39:55 -------- d-----w- c:\progra~2\MFAData
    2011-05-15 01:43:27 -------- d-----w- c:\users\chavez\appdata\roaming\Malwarebytes
    2011-05-15 01:43:18 -------- d-----w- c:\progra~2\Malwarebytes
    2011-05-15 01:43:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-05-15 00:21:15 0 ---ha-w- c:\users\chavez\appdata\local\Kmigocayewidu.bin
    2011-05-15 00:19:05 -------- d-----w- c:\progra~2\fO06511IhBeG06511
    2011-05-02 03:47:28 -------- d--h--w- c:\users\chavez\FrostWire
    2011-05-02 03:47:13 -------- d-----w- c:\users\chavez\appdata\roaming\FrostWire
    2011-05-02 03:46:51 -------- d-----w- c:\program files\Ask.com
    2011-05-02 03:46:11 -------- d-----w- c:\program files\FrostWire
    .
    ==================== Find3M ====================
    .
    .
    ============= FINISH: 17:05:40.26 ===============

  2. #2
    Junior Member
    Join Date
    May 2011
    Posts
    8


    Malware Log.

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 6587

    Windows 6.0.6000
    Internet Explorer 7.0.6000.16945

    5/16/2011 5:35:58 PM
    mbam-log-2011-05-16 (17-35-58).txt

    Scan type: Quick scan
    Objects scanned: 188755
    Time elapsed: 3 minute(s), 41 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

  3. #3
    Junior Member
    Join Date
    May 2011
    Posts
    8


    I ran ComboFix last night and it had found the rootkit. It was called mdr4 or something or other.

  4. #4
    Junior Member
    Join Date
    May 2011
    Posts
    8


    I found my log report of ComboFix from last night. Don't know if I need to run another one. I also ran ATF-Cleaner.

    ComboFix 11-05-15.04 - Chavez 05/16/2011 0:04:38.2.1 - x86
    Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.1.1033.18.1013.392 [GMT -5:00]
    Running from: C:\Users\Chavez\Desktop\ComboFix.exe


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    Infected copy of C:\Windows\system32\userinit.exe was found and disinfected
    Restored copy from - C:\Windows\ERDNT\cache\userinit.exe


    ((((((((((((((((((((((((( Files Created from 2011-04-16 to 2011-05-16 )))))))))))))))))))))))))))))))


    2011-05-16 05:16:19 . 2011-05-16 05:16:19 -------- d-----w- C:\Users\Yvett\AppData\Local\temp
    2011-05-16 05:16:19 . 2011-05-16 05:16:19 -------- d-----w- C:\Users\Mini\AppData\Local\temp
    2011-05-16 05:16:19 . 2011-05-16 05:16:19 -------- d-----w- C:\Users\Default\AppData\Local\temp
    2011-05-16 05:16:19 . 2011-05-16 05:16:19 -------- d-----w- C:\Users\aarons\AppData\Local\temp
    2011-05-16 04:55:48 . 2010-12-20 23:09:00 38224 ----a-w- C:\Windows\system32\drivers\mbamswissarmy.sys
    2011-05-16 04:55:42 . 2010-12-20 23:08:40 20952 ----a-w- C:\Windows\system32\drivers\mbam.sys
    2011-05-15 20:40:36 . 2011-05-15 20:40:36 -------- d-----w- C:\$AVG
    2011-05-15 05:23:52 . 2011-05-15 05:34:29 -------- d-----w- C:\ProgramData\AVG10
    2011-05-15 05:22:22 . 2011-05-15 05:22:22 -------- d-----w- C:\Program Files\AVG
    2011-05-15 04:56:59 . 2011-05-15 04:56:59 -------- d--h--w- C:\ProgramData\Common Files
    2011-05-15 04:47:21 . 2011-05-15 04:49:03 -------- d-----w- C:\Program Files\Common Files\Adobe(370)
    2011-05-15 04:47:21 . 2011-05-15 04:47:21 -------- d-----w- C:\Program Files\Adobe(278)
    2011-05-15 04:39:55 . 2011-05-15 05:22:50 -------- d-----w- C:\ProgramData\MFAData
    2011-05-15 01:43:27 . 2011-05-15 01:43:27 -------- d-----w- C:\Users\Chavez\AppData\Roaming\Malwarebytes
    2011-05-15 01:43:18 . 2011-05-15 01:43:18 -------- d-----w- C:\ProgramData\Malwarebytes
    2011-05-15 01:43:14 . 2011-05-16 04:55:48 -------- d-----w- C:\Program Files\Malwarebytes' Anti-Malware
    2011-05-15 00:21:15 . 2011-05-15 00:21:15 0 ---ha-w- C:\Users\Chavez\AppData\Local\Kmigocayewidu.bin
    2011-05-15 00:19:05 . 2011-05-15 00:19:06 -------- d-----w- C:\ProgramData\fO06511IhBeG06511
    2011-05-02 03:47:28 . 2011-05-02 03:47:56 -------- d--h--w- C:\Users\Chavez\FrostWire
    2011-05-02 03:47:13 . 2011-05-03 04:03:37 -------- d-----w- C:\Users\Chavez\AppData\Roaming\FrostWire
    2011-05-02 03:46:51 . 2011-05-02 03:47:08 -------- d-----w- C:\Program Files\Ask.com
    2011-05-02 03:46:11 . 2011-05-02 03:48:02 -------- d-----w- C:\Program Files\FrostWire
    .


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))



    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    2011-02-02 00:17:24 1487240 ----a-w- C:\Program Files\Ask.com\GenericAskToolbar.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "C:\Program Files\Ask.com\GenericAskToolbar.dll" [2011-02-02 00:17:24 1487240]

    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2010-04-17 04:12:38 3872080]
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 21:07:20 2260480]
    "AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 20:35:36 67112]
    "PeerGuardian"="C:\Program Files\PeerGuardian2\pg2.exe" [2007-06-02 21:59:08 1457152]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-28 00:03:40 152872]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ECenter"="C:\Dell\E-Center\EULALauncher.exe" [2007-05-25 06:03:00 17920]
    "RtHDVCpl"="RtHDVCpl.exe" [2008-01-17 13:22:20 4907008]
    "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 16:37:04 81920]
    "PDVDDXSrv"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 22:23:38 118784]
    "dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 14:24:00 16384]
    "Zune Launcher"="c:\Program Files\Zune\ZuneLauncher.exe" [2008-11-10 18:23:40 157312]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-09-06 21:09:14 413696]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-11-20 19:20:54 290088]
    "LELA"="C:\Program Files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe" [2008-05-01 11:38:00 131072]
    "nmctxth"="C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-04-09 06:15:10 648504]
    "NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 20:57:24 153136]
    "Monitor"="C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe" [2009-11-10 16:14:38 443728]
    "USBToolTip"="C:\PROGRA~1\Pinnacle\SHARED~1\Programs\USBTip\USBTip.exe" [2007-02-20 18:07:40 199752]
    "USB2Check"="C:\Windows\system32\PCLECoInst.dll" [2006-11-06 19:31:08 81920]
    "IgfxTray"="C:\Windows\system32\igfxtray.exe" [2008-02-12 02:13:12 141848]
    "HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2008-02-12 02:13:02 166424]
    "Persistence"="C:\Windows\system32\igfxpers.exe" [2008-02-12 02:13:08 133656]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 02:04:47 35760]
    "Adobe ARM"="C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 08:06:33 976832]
    "SunJavaUpdateSched"="C:\Program Files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 16:44:46 248552]

    C:\Users\Mini\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2009-7-31 139776]

    C:\Users\Yvett\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2009-7-31 139776]

    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
    Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2008-3-19 50688]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
    "DisableMonitoring"=dword:00000001

    R3 FlyUsb;FLY Fusion;C:\Windows\system32\DRIVERS\FlyUsb.sys [2009-11-10 15:27:06 19456]
    S2 AERTFilters;Andrea RT Filters Service;C:\Windows\system32\AERTSrv.exe [2007-12-05 12:17:24 77824]
    S2 LinksysUpdater;Linksys Updater;C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [2008-04-18 09:30:43 204800]
    S2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 20:31:10 1153368]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc


    ------- Supplementary Scan -------

    uStart Page = hxxp://search.mywebsearch.com/mywebsearch/default.jhtml?ptnrS=ZKfox000&ptb=lP8cQFZNV_EY6giU73RdLA
    uInternet Settings,ProxyOverride = *.local
    FF - ProfilePath - C:\Users\Chavez\AppData\Roaming\Mozilla\Firefox\Profiles\g42zou10.default\
    FF - prefs.js: browser.search.selectedEngine - MyWebSearch
    FF - prefs.js: browser.startup.homepage - www.google.com
    FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZKfox000&fl=0&ptb=lP8cQFZNV_EY6giU73RdLA&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&st=kwd&searchfor=
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: TVU Web Player: firefox@tvunetworks.com - %profile%\extensions\firefox@tvunetworks.com
    FF - Ext: RedShift V3.6: redshift_V2@shift-themes.com - %profile%\extensions\redshift_V2@shift-themes.com
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

  5. #5
    Junior Member
    Join Date
    May 2011
    Posts
    8


    Can anybody help me?

  6. #6
    Junior Member
    Join Date
    May 2011
    Posts
    8


    I mean, anybody...somebody?

  7. #7
    Junior Member
    Join Date
    May 2011
    Posts
    8

    RootKit problem Again?

    The only way I could run DDS was in safe mode. Need help ASAP.

    .
    DDS (Ver_11-03-05.01) - NTFSx86 NETWORK
    Run by Chavez at 11:13:34.83 on Sat 05/28/2011
    Internet Explorer: 7.0.6000.16945 BrowserJavaVersion: 1.6.0_21
    Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.1.1033.18.1013.640 [GMT -5:00]
    .
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\Explorer.EXE
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Users\Chavez\Desktop\dds.scr
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://search.mywebsearch.com/mywebsearch/default.jhtml?ptnrS=ZKfox000&ptb=lP8cQFZNV_EY6giU73RdLA
    uInternet Settings,ProxyOverride = *.local
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
    BHO: FrostWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: FrostWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    uRun: [AIM] c:\program files\aim\aim.exe -cnetwait.odl
    uRun: [PeerGuardian] c:\program files\peerguardian2\pg2.exe
    uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
    uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10n_Plugin.exe -update plugin
    uRunOnce: [cA06509HdBhB06509] c:\programdata\ca06509hdbhb06509\cA06509HdBhB06509.exe
    mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
    mRun: [RtHDVCpl] RtHDVCpl.exe
    mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
    mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
    mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
    mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [LELA] "c:\program files\linksys\linksys easylink advisor\Linksys EasyLink Advisor.exe" /minimized
    mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
    mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
    mRun: [Monitor] "c:\program files\leapfrog\leapfrog connect\Monitor.exe"
    mRun: [USBToolTip] c:\progra~1\pinnacle\shared~1\programs\usbtip\USBTip.exe
    mRun: [USB2Check] RUNDLL32.EXE "c:\windows\system32\PCLECoInst.dll",CheckUSBController
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
    IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
    Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp3.dll
    Notify: igfxcui - igfxdev.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\chavez\appdata\roaming\mozilla\firefox\profiles\g42zou10.default\
    FF - prefs.js: browser.search.selectedEngine - MyWebSearch
    FF - prefs.js: browser.startup.homepage - www.google.com
    FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZKfox000&fl=0&ptb=lP8cQFZNV_EY6giU73RdLA&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&st=kwd&searchfor=
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\veetle\player\npvlc.dll
    FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
    FF - plugin: c:\program files\veetle\vlcbroadcast\npvbp.dll
    FF - plugin: c:\users\chavez\appdata\roaming\mozilla\firefox\profiles\g42zou10.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: TVU Web Player: - %profile%\extensions\firefox@tvunetworks.com
    FF - Ext: RedShift V3.6: - %profile%\extensions\redshift_V2@shift-themes.com
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    .
    ============= SERVICES / DRIVERS ===============
    .
    S2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2007-12-5 77824]
    S2 LinksysUpdater;Linksys Updater;c:\program files\linksys\linksys updater\bin\LinksysUpdater.exe [2008-4-18 204800]
    S2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-3-18 1153368]
    S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2009-11-10 19456]
    .
    =============== Created Last 30 ================
    .
    2011-05-28 15:34:01 -------- d-----w- c:\progra~2\cA06509HdBhB06509
    2011-05-28 15:34:00 -------- d-----w- c:\users\chavez\appdata\local\Adobe
    2011-05-16 05:26:03 -------- d-sh--w- C:\$RECYCLE.BIN
    2011-05-16 05:03:11 -------- d-----w- C:\ComboFix
    2011-05-16 04:55:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-05-16 04:55:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-05-16 04:14:46 98816 ----a-w- c:\windows\sed.exe
    2011-05-16 04:14:46 89088 ----a-w- c:\windows\MBR.exe
    2011-05-16 04:14:46 256512 ----a-w- c:\windows\PEV.exe
    2011-05-16 04:14:46 161792 ----a-w- c:\windows\SWREG.exe
    2011-05-15 20:40:36 -------- d-----w- C:\$AVG
    2011-05-15 05:23:52 -------- d-----w- c:\progra~2\AVG10
    2011-05-15 05:22:22 -------- d-----w- c:\program files\AVG
    2011-05-15 04:56:59 -------- d--h--w- c:\progra~2\Common Files
    2011-05-15 04:47:21 -------- d-----w- c:\program files\common files\Adobe(370)
    2011-05-15 04:47:21 -------- d-----w- c:\program files\Adobe(278)
    2011-05-15 04:39:55 -------- d-----w- c:\progra~2\MFAData
    2011-05-15 01:43:27 -------- d-----w- c:\users\chavez\appdata\roaming\Malwarebytes
    2011-05-15 01:43:18 -------- d-----w- c:\progra~2\Malwarebytes
    2011-05-15 01:43:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-05-15 00:21:15 0 ---ha-w- c:\users\chavez\appdata\local\Kmigocayewidu.bin
    2011-05-15 00:19:05 -------- d-----w- c:\progra~2\fO06511IhBeG06511
    2011-05-02 03:47:28 -------- d--h--w- c:\users\chavez\FrostWire
    2011-05-02 03:47:13 -------- d-----w- c:\users\chavez\appdata\roaming\FrostWire
    2011-05-02 03:46:51 -------- d-----w- c:\program files\Ask.com
    2011-05-02 03:46:11 -------- d-----w- c:\program files\FrostWire
    .
    ==================== Find3M ====================
    .
    .
    ============= FINISH: 11:15:21.58 ===============
    Last edited by tashi; 2011-05-28 at 20:27. Reason: Merged second topic
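An added triage example (not part of the thread, and not code from the DDS tool): a small parser for the "Created Last 30" lines of a DDS log like the one above, followed by two heuristics an analyst applies when reading such a log by eye. The sample input is a handful of lines copied from the log; the attribute-column meaning (`d` directory, `s` system, `h` hidden, `a` archive) and both heuristics (letter/digit churn in a name, a hidden zero-byte file under the user profile) are this example's own assumptions for flagging entries for review, not a malware verdict.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed input for this example: lines copied from the "Created Last 30"
# section of the DDS log posted above.
SAMPLE_DDS = r"""
2011-05-28 15:34:01 -------- d-----w- c:\progra~2\cA06509HdBhB06509
2011-05-28 15:34:00 -------- d-----w- c:\users\chavez\appdata\local\Adobe
2011-05-16 05:26:03 -------- d-sh--w- C:\$RECYCLE.BIN
2011-05-16 04:55:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-15 04:56:59 -------- d--h--w- c:\progra~2\Common Files
2011-05-15 04:47:21 -------- d-----w- c:\program files\common files\Adobe(370)
2011-05-15 01:43:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-15 00:21:15 0 ---ha-w- c:\users\chavez\appdata\local\Kmigocayewidu.bin
2011-05-15 00:19:05 -------- d-----w- c:\progra~2\fO06511IhBeG06511
2011-05-02 03:46:51 -------- d-----w- c:\program files\Ask.com
"""

# date  time  size-or-dashes  8-char attribute column  path (may contain spaces)
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2})\s+(\d{2}:\d{2}:\d{2})\s+(\S+)\s+(\S{8})\s+(.+?)\s*$"
)


@dataclass
class Entry:
    timestamp: str
    size: Optional[int]   # None when DDS prints "--------" (directories)
    attrs: str            # attribute column as printed, e.g. "d-sh--w-"
    path: str

    # Assumed flag letters, taken from how they appear in the log above.
    @property
    def is_dir(self) -> bool:
        return "d" in self.attrs

    @property
    def hidden(self) -> bool:
        return "h" in self.attrs

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


def parse_dds(text: str) -> List[Entry]:
    """Parse the 'Created Last 30' lines; blank lines and '.' separators are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        date, time, size, attrs, path = m.groups()
        entries.append(Entry(f"{date} {time}",
                             None if size.startswith("-") else int(size),
                             attrs, path))
    return entries


def letter_digit_transitions(name: str) -> int:
    """Count adjacent letter<->digit switches in the name stem (extension dropped).
    Generated names such as 'cA06509HdBhB06509' churn several times; ordinary
    product names like 'AVG10' or 'Adobe(370)' do not."""
    stem = name.rsplit(".", 1)[0]
    count, prev = 0, None
    for ch in stem:
        cls = "L" if ch.isalpha() else "D" if ch.isdigit() else None
        if cls and prev and cls != prev:
            count += 1
        prev = cls
    return count


def triage(entries: List[Entry]) -> List[Tuple[str, List[str]]]:
    """Return (name, reasons) for entries worth a second look. Heuristic only."""
    findings = []
    for e in entries:
        reasons = []
        if letter_digit_transitions(e.name) >= 3:
            reasons.append("random-looking name")
        if not e.is_dir and e.hidden and e.size == 0 and "appdata" in e.path.lower():
            reasons.append("hidden zero-byte file in user profile")
        if reasons:
            findings.append((e.name, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in triage(parse_dds(SAMPLE_DDS)):
        print(f"{name}: {', '.join(reasons)}")
```

Feed it the full "Created Last 30" block instead of the sample and it lists the same kind of entries a helper would ask about first; everything it flags still has to be checked against the vendor, timestamp and location before anything is touched.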

  8. #8
    tashi (Member of Team Spybot)
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,961


    Hello Chavezftw,

    Please read the FAQ for this forum. "BEFORE You POST"(Please read this Procedure Before Requesting Assistance)

    Posting additional comments or logs before a volunteer responds can push you back instead of forward, because your thread ends up with a newer date. In addition, helpers would think you are already being assisted because of the post count. For that reason we may merge such posts if there is time, but please do not count on it.
    Please do not start more than one topic for the same computer during the same period. It will either be removed, closed or merged with your original thread.
    Quote Originally Posted by Chavezftw View Post
    I think I need some help. I got a rootkit on this computer but I was searching this forum and found some guy helping someone with the same problem. I followed the instructions the helper was giving the guy as much as I could. I know I should have posted on here but I was getting impatient.
    Note that all instructions given are customized for that member's personal computer only, the tools used may cause damage if run on a machine with different specs/infections. Please do not take fixes given to another user and apply to your own machine.
    Also, please do NOT run 'FIXES' (ComboFix etc.) without being asked.

    You can try posting a link to this topic in The Waiting Room and see if a volunteer analyst picks it up.

    Best regards.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  9. #9
    Emeritus
    Join Date
    Apr 2011
    Location
    USA
    Posts
    1,038


    Hi and Welcome!! My name is Jeff. I would be more than happy to take a look at your log and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I'd be grateful if you would note the following:
    • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
    • The fixes are specific to your problem and should only be used for the issues on this machine.
    • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
    • It's often worth reading through these instructions and printing them for ease of reference.
    • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
    • Please reply to this thread. Do not start a new topic.

    Having said that... Let's get going!!

    Please be advised, as I am still in training, all my replies to you will be checked for accuracy by one of our experts to ensure that I am giving you the best possible advice; this will be a team effort.
    This may cause a delay, but I will do my best to keep it as short as possible. Please bear with me, I will post back to you as soon as I can.

    IMPORTANT NOTE : Please do not delete anything unless instructed to.
    DO NOT use any TOOLS such as ComboFix or HijackThis fixes without supervision. Doing so could make your system inoperable and could require a full reinstall of your Operating System, losing all your programs and data.


    Vista and Windows 7 users:

    These tools MUST be run from the executable (.exe) every time you run them, with Admin Rights (right-click, choose "Run as Administrator").


    Stay with this topic until I give you the all clean post.

  10. #10
    Emeritus
    Join Date
    Apr 2011
    Location
    USA
    Posts
    1,038


    Hi Chavezftw,

    aswMBR

    Let's get a scan of your Master Boot Record, shall we:
    • Download aswMBR.exe ( 511KB ) to your desktop.
    • Double click the aswMBR.exe to run it
    • Click the Scan button to start scan
    • On completion of the scan click Save Log, save it to your Desktop and post in your next reply


    Please do not run any other tools without being asked to do so and post the log created by aswMBR into your next reply.
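For readers wondering what a "scan of your Master Boot Record" actually looks at, here is an added example in Python. It is not part of the thread and is not aswMBR's code; it builds a constructed 512-byte MBR image in memory, parses it the way a boot-sector check does (the `0x55AA` signature, the four 16-byte partition entries at offset 446, a hash of the 440 bytes of bootstrap code) and compares the boot code against a known-good baseline hash, which is how a bootkit that has rewritten the boot code shows up. The `read_physical_mbr` helper and its `\\.\PhysicalDrive0` path are included for reference only: reading a real disk that way needs an elevated prompt on Windows and is not exercised here.

```python
import hashlib
import struct
from typing import Dict, List, NamedTuple

SECTOR = 512
BOOT_CODE_LEN = 440    # bytes 0..439: bootstrap code (what a bootkit overwrites)
PART_TABLE_OFF = 446   # four 16-byte partition entries
SIGNATURE_OFF = 510    # must be 0x55 0xAA


class Partition(NamedTuple):
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


def build_sample_mbr() -> bytes:
    """Constructed 512-byte MBR image for this example (not from any real disk)."""
    boot_code = bytes([0xEB, 0x3C, 0x90]) + b"\xCD\x18\xF4"   # placeholder stub bytes
    boot_code += b"\x00" * (BOOT_CODE_LEN - len(boot_code))
    disk_sig = struct.pack("<I", 0x1234ABCD) + b"\x00\x00"     # bytes 440..445

    def entry(boot_flag: int, ptype: int, lba: int, count: int) -> bytes:
        # status, CHS start (3), type, CHS end (3), LBA start, sector count
        return struct.pack("<B3sB3sII", boot_flag, b"\xFE\xFF\xFF", ptype,
                           b"\xFE\xFF\xFF", lba, count)

    table = (entry(0x80, 0x07, 2048, 204800)       # active NTFS, 100 MB
             + entry(0x00, 0x07, 206848, 1843200)  # second NTFS partition
             + b"\x00" * 32)                       # two unused entries
    return boot_code + disk_sig + table + b"\x55\xAA"


def parse_mbr(img: bytes) -> Dict[str, object]:
    if len(img) != SECTOR:
        raise ValueError("MBR image must be exactly 512 bytes")
    parts: List[Partition] = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        boot, _chs_s, ptype, _chs_e, lba, count = struct.unpack("<B3sB3sII", img[off:off + 16])
        if ptype == 0:
            continue   # empty entry
        parts.append(Partition(i, boot == 0x80, ptype, lba, count))
    return {
        "signature_ok": img[SIGNATURE_OFF:] == b"\x55\xAA",
        "boot_code_sha256": hashlib.sha256(img[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": parts,
    }


def check_mbr(img: bytes, known_good_boot_hash: str) -> List[str]:
    """Return findings; an empty list means nothing looked wrong."""
    findings: List[str] = []
    info = parse_mbr(img)
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != known_good_boot_hash:
        findings.append("boot code differs from known-good baseline")
    parts: List[Partition] = info["partitions"]  # type: ignore[assignment]
    if sum(1 for p in parts if p.bootable) > 1:
        findings.append("more than one active partition")
    for i in range(4):
        flag = img[PART_TABLE_OFF + 16 * i]
        if flag not in (0x00, 0x80):
            findings.append(f"partition {i}: invalid boot flag 0x{flag:02x}")
    ordered = sorted(parts, key=lambda p: p.lba_start)
    for a, b in zip(ordered, ordered[1:]):
        if a.lba_start + a.sectors > b.lba_start:
            findings.append(f"partitions {a.index} and {b.index} overlap")
    return findings


def read_physical_mbr(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 of a raw disk. Windows device path shown; needs admin. Not run here."""
    with open(device, "rb") as f:
        return f.read(SECTOR)


if __name__ == "__main__":
    good = build_sample_mbr()
    baseline = parse_mbr(good)["boot_code_sha256"]
    tampered = bytearray(good)
    tampered[0x10] ^= 0xFF   # one byte of boot code changed
    print("clean image:", check_mbr(good, baseline))
    print("patched image:", check_mbr(bytes(tampered), baseline))
```

The baseline hash is the important part: the signature and partition table of an infected disk are usually still valid, because a bootkit wants the machine to keep booting; what gives it away is boot code that no longer matches the image the OS installer (or a known-clean copy of the same sector) wrote.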
