b.exe

D

DawnAngel

New member
I recently got my laptop back from someone and when I got it back it said there was some kind of hard disk failure so I assumed it either overheated or was dropped. As it turns out there's a trojan.... it's the b.exe virus. I end processed it a few times and at some point my computer began to restart after one minute of being on. I went into safe mode, deacitvated the activex control after some research and now I can get into my computer without it restarting over and over and without having to go into safe mode. There was a "Backweb" folder and a "TurboNet" folder in the registry which I have removed. There was also the "b.exe" file in the C:\Windows\System32\Tasks directory and a "{66BA574B-1E11-49b8-909C-8CC9E0E8E015}" interfering with Windows Defender (I am running Vista unfortunately) The EventViewer is how I found out the date and time the virus was downloaded and where the files were downloaded to. It was November 12, 2009 around 8 am. There was another "b.exe" file in C:\Users\test\AppData\Local\Temp which has also been deleted. Now, if I attempt to run Spybot it opens and I can update and immunize but as soon as I attempt to run a scan it closes out the program and tells me it can't find the path specified when I try to run it again. If I rename the randomly named *.scr file or the SpybotSD.exe file I am able to reopen Spybot but once again it closes and disables the path so I can't run a scan.

Okay so that being said I tried to run HJT but it closed out too before the scan completed so I couldn't save the log.

Thank you very much for your time.
 
Hi,

Please save this file to your desktop. Double-click on it to run a scan. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.
 
Running from: C:\Users\test\Desktop\Win32kDiag.exe

Log file at : C:\Users\test\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\Windows'...



Found mount point : C:\Windows\AppPatch\Custom\Custom

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2DF2.tmp\ZAP2DF2.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP69C5.tmp\ZAP69C5.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP81A.tmp\ZAP81A.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPCD0A.tmp\ZAPCD0A.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE752.tmp\ZAPE752.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPEEF0.tmp\ZAPEEF0.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Cannot access: C:\Windows\bthservsdp.dat

[1] 2009-11-18 21:34:55 1660 C:\Windows\bthservsdp.dat ()
 
Hi,

Open notepad and then copy and paste the bolded lines below into it. Go to File > save as and name the file fixes.bat, change the Save as type to all files and save it to your desktop.
@ECHO OFF
DIR /a/s C:\WINDOWS\scecli.dll C:\WINDOWS\netlogon.dll C:\WINDOWS\eventlog.dll C:\Windows\cngaudit.dll >Log.txt
START Log.txt
DEL %0

Double-click on fixes.bat file to execute it. Notepad should open up. Post back its contents, please.
 
Volume in drive C has no label.
Volume Serial Number is 6A88-6493

Directory of C:\WINDOWS\System32

11/02/2006 03:46 AM 176,640 scecli.dll

Directory of C:\WINDOWS\System32

11/02/2006 03:46 AM 559,616 netlogon.dll

Directory of C:\WINDOWS\System32

11/02/2006 03:46 AM 61,952 cngaudit.dll
3 File(s) 798,208 bytes
 
Hi,

Let's run another batch.

Open notepad and then copy and paste the bolded lines below into it. Go to File > save as and name the file fixes.bat, change the Save as type to all files and save it to your desktop.
@ECHO OFF
DIR /a/s C:\WINDOWS\logevent.dll >Log.txt
START Log.txt
DEL %0

Double-click on fixes.bat file to execute it. Notepad should open up. Post back its contents, please.
 
Volume in drive C has no label.
Volume Serial Number is 6A88-6493

Directory of C:\WINDOWS\System32

11/02/2006 03:46 AM 11,776 logevent.dll
1 File(s) 11,776 bytes

Total Files Listed:
1 File(s) 11,776 bytes
0 Dir(s) 35,308,630,016 bytes free
 
  • Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below textbox to the clibpboard by highlighting it and then pressing Ctrl+C.
    Code: 
    Files to move:
C:\WINDOWS\System32\logevent.dll|C:\WINDOWS\System32\cngaudit.dll
  • In the avenger window, click the Paste Script from Clipboard,
    pastets4.png
    button.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
  • Please post this log in your next reply.
 
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "C:\WINDOWS\System32\logevent.dll|C:\WINDOWS\System32\cngaudit.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.
 
Please save this file to your desktop. Click on Start->Run, and copy-paste the following command (the bolded text) into the Open box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.
"%userprofile%\desktop\win32kdiag.exe" -f -r


Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop. Post them back to your topic.
 
Running from: C:\Users\test\Desktop\win32kdiag.exe

Log file at : C:\Users\test\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\Windows'...



Found mount point : C:\Windows\AppPatch\Custom\Custom

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\AppPatch\Custom\Custom

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2DF2.tmp\ZAP2DF2.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2DF2.tmp\ZAP2DF2.tmp

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP69C5.tmp\ZAP69C5.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP69C5.tmp\ZAP69C5.tmp

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP81A.tmp\ZAP81A.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP81A.tmp\ZAP81A.tmp

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPCD0A.tmp\ZAPCD0A.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPCD0A.tmp\ZAPCD0A.tmp

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE752.tmp\ZAPE752.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE752.tmp\ZAPE752.tmp

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPEEF0.tmp\ZAPEEF0.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPEEF0.tmp\ZAPEEF0.tmp

Found mount point : C:\Windows\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\assembly\tmp\tmp

Cannot access: C:\Windows\bthservsdp.dat

Attempting to restore permissions of : C:\Windows\bthservsdp.dat

Found mount point : C:\Windows\ehome\CreateDisc\style\style

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ehome\CreateDisc\style\style

Found mount point : C:\Windows\Globalization\Globalization

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Globalization\Globalization

Found mount point : C:\Windows\Help\Corporate\Corporate

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Help\Corporate\Corporate

Found mount point : C:\Windows\inf\en-US\en-US

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\inf\en-US\en-US

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109411090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109411090400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109440090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109440090400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109711090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109711090400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109910090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109910090400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109B10090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109B10090400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109F100A0C00000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109F100A0C00000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109F100C0400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109F100C0400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\Windows\Microsoft.NET\authman\authman

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Microsoft.NET\authman\authman

Found mount point : C:\Windows\ModemLogs\ModemLogs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ModemLogs\ModemLogs

Found mount point : C:\Windows\nap\configuration\configuration

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\nap\configuration\configuration

Found mount point : C:\Windows\panther\setup.exe\setup.exe

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\panther\setup.exe\setup.exe

Found mount point : C:\Windows\PCHEALTH\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\PCHEALTH\ERRORREP\QHEADLES\QHEADLES

Found mount point : C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\QSIGNOFF

Found mount point : C:\Windows\PIF\PIF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\PIF\PIF

Found mount point : C:\Windows\PLA\Templates\Templates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\PLA\Templates\Templates

Found mount point : C:\Windows\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Registration\CRMLog\CRMLog

Found mount point : C:\Windows\SchCache\SchCache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SchCache\SchCache

Found mount point : C:\Windows\security\templates\templates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\security\templates\templates

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Temporary Internet Files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Temporary Internet Files

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\Tfs_DAV

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\Tfs_DAV

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Media Center Programs\Media Center Programs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Media Center Programs\Media Center Programs

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Certificates

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\Description Documents\Description Documents

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\Description Documents\Description Documents

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\Cookies

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\Cookies

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Recent\Recent

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Recent\Recent

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\Templates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\Templates

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Xfire\Xfire

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Xfire\Xfire

Found mount point : C:\Windows\ServiceProfiles\LocalService\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Desktop\Desktop

Found mount point : C:\Windows\ServiceProfiles\LocalService\Documents\Documents

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Documents\Documents

Found mount point : C:\Windows\ServiceProfiles\LocalService\Downloads\Downloads

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Downloads\Downloads

Found mount point : C:\Windows\ServiceProfiles\LocalService\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Favorites\Favorites

Found mount point : C:\Windows\ServiceProfiles\LocalService\Links\Links

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Links\Links

Found mount point : C:\Windows\ServiceProfiles\LocalService\Music\Music

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Music\Music

Found mount point : C:\Windows\ServiceProfiles\LocalService\Pictures\Pictures

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Pictures\Pictures

Found mount point : C:\Windows\ServiceProfiles\LocalService\Saved Games\Saved Games

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Saved Games\Saved Games

Found mount point : C:\Windows\ServiceProfiles\LocalService\Videos\Videos

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Videos\Videos

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows Media Player NSS\3.0\SCPD\SCPD

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows Media Player NSS\3.0\SCPD\SCPD

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Media Center Programs\Media Center Programs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Media Center Programs\Media Center Programs

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Certificates

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\Recent

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\Recent

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\Templates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\Templates

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Desktop\Desktop

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Documents\Documents

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Documents\Documents

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Downloads\Downloads

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Downloads\Downloads

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Favorites\Favorites

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Links\Links

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Links\Links

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Music\Music

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Music\Music

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Pictures\Pictures

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Pictures\Pictures

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Saved Games\Saved Games

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Saved Games\Saved Games

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Videos\Videos

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Videos\Videos

Found mount point : C:\Windows\SMINST\APPS\DTA\DTA

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SMINST\APPS\DTA\DTA

Found mount point : C:\Windows\SMINST\DRV\DTA\DTA

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SMINST\DRV\DTA\DTA

Found mount point : C:\Windows\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Found mount point : C:\Windows\SoftwareDistribution\Download\224d26232b4c41567ae1c8e26be88837\224d26232b4c41567ae1c8e26be88837

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SoftwareDistribution\Download\224d26232b4c41567ae1c8e26be88837\224d26232b4c41567ae1c8e26be88837

Found mount point : C:\Windows\SoftwareDistribution\Download\8413d9667e29d0d3098b154acb383686\8413d9667e29d0d3098b154acb383686

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SoftwareDistribution\Download\8413d9667e29d0d3098b154acb383686\8413d9667e29d0d3098b154acb383686

Found mount point : C:\Windows\SoftwareDistribution\Download\fa639185eff8643121cbf815b40ddfbb\fa639185eff8643121cbf815b40ddfbb

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SoftwareDistribution\Download\fa639185eff8643121cbf815b40ddfbb\fa639185eff8643121cbf815b40ddfbb

Found mount point : C:\Windows\SoftwareDistribution\PostRebootEventCache\PostRebootEventCache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SoftwareDistribution\PostRebootEventCache\PostRebootEventCache

Found mount point : C:\Windows\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Sun\Java\Deployment\Deployment

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl

Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl

[1] 2009-11-24 10:21:27 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl ()



Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl

Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl

[1] 2009-11-24 10:20:44 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl ()



Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl

Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl

[1] 2009-11-24 10:20:44 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl ()



Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl

Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl

[1] 2009-11-24 10:20:44 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl ()



Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession.etl

Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession.etl

[1] 2009-11-24 10:23:01 0 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession.etl ()



Cannot access: C:\Windows\System32\mrt.exe

Attempting to restore permissions of : C:\Windows\System32\mrt.exe

Found mount point : C:\Windows\Temp\SxsTemp\SxsTemp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Temp\SxsTemp\SxsTemp

Found mount point : C:\Windows\Temp\UmxAgent10078413\UmxAgent10078413

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Temp\UmxAgent10078413\UmxAgent10078413

Found mount point : C:\Windows\tracing\tracing

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\tracing\tracing



Finished!
 
DDS (Ver_09-11-24.02) - NTFSx86
Run by test at 10:37:14.06 on Tue 11/24/2009
Internet Explorer: 7.0.6000.16916
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1533.771 [GMT -6:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: CA AntiSpyware *enabled* (Updated) {6B98D35F-BB76-41C0-876B-A50645ED099A}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\taskeng.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\test\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=laptop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=laptop
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - c:\program files\daemon tools toolbar\DTToolbar.dll
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\users\test\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\users\test\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\autoru~1\adober~2.lnk - c:\program files\adobe\reader 8.0\reader\reader_sl.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\autoru~1\adober~1.lnk - c:\program files\adobe\reader 8.0\reader\AdobeCollabSync.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\autoru~1\hpconn~1.lnk - c:\program files\hp connections\6811507\program\HP Connections.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\users\test\appdata\roaming\mozilla\firefox\profiles\vcub4ky9.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\users\test\appdata\roaming\mozilla\firefox\profiles\vcub4ky9.default\extensions\dttoolbar@toolbarnet.com\components\DTToolbarFF.dll
FF - plugin: c:\program files\google\google updater\2.4.1636.7222\npCIDetect13.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R3 R5U870FLx86;R5U870 UVC Lower Filter ;c:\windows\system32\drivers\R5U870FLx86.sys [2006-10-18 73344]
R3 R5U870FUx86;R5U870 UVC Upper Filter ;c:\windows\system32\drivers\R5U870FUx86.sys [2006-10-18 43904]

=============== Created Last 30 ================

2009-11-21 20:53:37 0 d-----w- c:\users\test\appdata\roaming\OpenOffice.org
2009-11-21 20:32:59 0 d-----w- c:\program files\JRE
2009-11-21 20:32:49 0 d-----w- c:\program files\OpenOffice.org 3
2009-11-18 13:56:54 2048 ----a-w- c:\windows\system32\tzres.dll
2009-11-18 13:53:21 1657350 ----a-w- c:\windows\system32\wlan.tmf
2009-11-18 13:53:21 12876 ----a-w- c:\windows\system32\wbem\wlan.mof
2009-11-18 13:53:21 123904 ----a-w- c:\windows\system32\L2SecHC.dll
2009-11-18 13:53:20 67584 ----a-w- c:\windows\system32\wlanhlp.dll
2009-11-18 13:53:20 502272 ----a-w- c:\windows\system32\wlansvc.dll
2009-11-18 13:53:20 47104 ----a-w- c:\windows\system32\wlanapi.dll
2009-11-18 13:53:20 297984 ----a-w- c:\windows\system32\wlansec.dll
2009-11-18 13:53:20 290816 ----a-w- c:\windows\system32\wlanmsm.dll
2009-11-18 13:51:56 72704 ----a-w- c:\windows\system32\fontsub.dll
2009-11-18 13:51:56 34304 ----a-w- c:\windows\system32\atmlib.dll
2009-11-18 13:51:56 289792 ----a-w- c:\windows\system32\atmfd.dll
2009-11-18 13:51:56 24064 ----a-w- c:\windows\system32\lpk.dll
2009-11-18 13:51:56 156160 ----a-w- c:\windows\system32\t2embed.dll
2009-11-18 13:51:56 10240 ----a-w- c:\windows\system32\dciman32.dll
2009-11-18 13:51:08 216576 ----a-w- c:\windows\system32\msv1_0.dll
2009-11-18 13:49:30 98816 ----a-w- c:\windows\system32\mfps.dll
2009-11-18 13:49:30 52736 ----a-w- c:\windows\system32\rrinstaller.exe
2009-11-18 13:49:30 2855424 ----a-w- c:\windows\system32\mf.dll
2009-11-18 13:49:30 24576 ----a-w- c:\windows\system32\mfpmp.exe
2009-11-18 13:49:30 2048 ----a-w- c:\windows\system32\mferror.dll
2009-11-18 13:47:58 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2009-11-18 13:47:56 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-18 13:47:54 56320 ----a-w- c:\windows\system32\iesetup.dll
2009-11-18 13:46:05 3502152 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-11-18 13:46:04 3467864 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-11-18 13:43:36 156160 ----a-w- c:\windows\system32\wkssvc.dll
2009-11-18 13:43:02 36352 ----a-w- c:\windows\system32\tsgqec.dll
2009-11-18 13:43:02 1871872 ----a-w- c:\windows\system32\mstscax.dll
2009-11-18 13:43:02 116736 ----a-w- c:\windows\system32\aaclient.dll
2009-11-18 13:42:27 268800 ----a-w- c:\windows\system32\es.dll
2009-11-18 13:42:04 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-11-18 13:38:31 696832 ----a-w- c:\windows\system32\localspl.dll
2009-11-18 13:38:00 88576 ----a-w- c:\windows\system32\avifil32.dll
2009-11-18 13:38:00 82944 ----a-w- c:\windows\system32\mciavi32.dll
2009-11-18 13:38:00 65024 ----a-w- c:\windows\system32\avicap32.dll
2009-11-18 13:38:00 31232 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-18 13:38:00 12800 ----a-w- c:\windows\system32\msrle32.dll
2009-11-18 13:38:00 123904 ----a-w- c:\windows\system32\msvfw32.dll
2009-11-18 13:37:04 2923520 ----a-w- c:\windows\explorer.exe
2009-11-18 13:36:12 494592 ----a-w- c:\windows\system32\kerberos.dll
2009-11-18 13:36:11 7680 ----a-w- c:\windows\system32\lsass.exe
2009-11-18 13:36:11 72704 ----a-w- c:\windows\system32\secur32.dll
2009-11-18 13:36:11 408136 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-11-18 13:36:11 175104 ----a-w- c:\windows\system32\wdigest.dll
2009-11-18 13:36:11 1233920 ----a-w- c:\windows\system32\lsasrv.dll
2009-11-18 13:36:10 272384 ----a-w- c:\windows\system32\schannel.dll
2009-11-18 13:35:49 24064 ----a-w- c:\windows\system32\netcfg.exe
2009-11-18 13:35:02 29184 ----a-w- c:\windows\system32\drivers\BTHUSB.SYS
2009-11-18 13:35:02 220160 ----a-w- c:\windows\system32\drivers\bthport.sys
2009-11-18 13:35:02 19456 ----a-w- c:\windows\system32\drivers\bthenum.sys
2009-11-18 13:35:02 181760 ----a-w- c:\windows\system32\fsquirt.exe
2009-11-18 13:31:53 549888 ----a-w- c:\windows\system32\rpcss.dll
2009-11-18 13:31:51 654336 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2009-11-18 13:31:51 614912 ----a-w- c:\windows\system32\wbem\fastprox.dll
2009-11-18 13:31:51 501760 ----a-w- c:\windows\system32\wbem\WmiPrvSD.dll
2009-11-18 13:31:51 247296 ----a-w- c:\windows\system32\wbem\WmiPrvSE.exe
2009-11-18 13:31:51 24576 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2009-11-18 13:31:51 130560 ----a-w- c:\windows\system32\wbem\WmiDcPrv.dll
2009-11-18 13:31:50 97280 ----a-w- c:\windows\system32\iasrecst.dll
2009-11-18 13:31:50 53248 ----a-w- c:\windows\system32\iasads.dll
2009-11-18 13:31:50 37888 ----a-w- c:\windows\system32\iasdatastore.dll
2009-11-18 13:31:50 158720 ----a-w- c:\windows\system32\sdohlp.dll
2009-11-18 13:30:46 2031104 ----a-w- c:\windows\system32\win32k.sys
2009-11-18 13:23:11 60928 ----a-w- c:\windows\system32\msasn1.dll
2009-11-18 13:22:30 130048 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-11-18 13:22:09 321536 ----a-w- c:\windows\system32\WSDApi.dll
2009-11-18 13:21:02 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL
2009-11-18 12:08:41 0 d-----w- c:\windows\Downloaded Installations
2009-11-18 08:41:57 0 d-----w- c:\program files\Spybot
2009-11-18 08:20:47 0 d-----w- c:\programdata\Spybot - Search & Destroy
2009-11-18 05:17:29 0 d--h--w- c:\windows\PIF
2009-11-12 14:11:22 0 ----a-w- c:\windows\win32k.sys

==================== Find3M ====================

2009-11-24 16:19:32 1660 ----a-w- c:\windows\bthservsdp.dat
2009-11-18 14:08:11 174 --sha-w- c:\program files\desktop.ini
2009-11-18 14:01:41 51200 ----a-w- c:\windows\inf\infpub.dat
2009-11-18 14:01:32 86016 ----a-w- c:\windows\inf\infstor.dat
2009-11-18 14:01:32 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-11-18 14:01:31 86016 ----a-w- c:\windows\inf\infstrng.dat
2009-11-18 13:48:08 72704 ----a-w- c:\windows\system32\admparse.dll
2009-11-18 13:48:07 832512 ----a-w- c:\windows\system32\wininet.dll
2009-11-18 13:48:02 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-11-18 13:48:02 48128 ----a-w- c:\windows\system32\mshtmler.dll
2009-11-18 04:19:57 12978 ----a-w- c:\users\test\appdata\roaming\nvModes.dat
2009-11-01 07:33:42 158735559 ----a-w- c:\windows\DUMP7676.tmp
2009-10-20 09:10:11 2421760 ----a-w- c:\windows\system32\wucltux.dll
2009-10-20 09:09:51 87552 ----a-w- c:\windows\system32\wudriver.dll
2009-10-20 09:09:38 33792 ----a-w- c:\windows\system32\wuapp.exe
2009-10-20 09:09:38 171608 ----a-w- c:\windows\system32\wuwebv.dll
2009-09-11 00:00:34 41872 ----a-w- c:\windows\system32\xfcodec.dll
2009-09-02 21:48:14 71680 ----a-w- c:\windows\system32\atl.dll
2009-09-02 21:48:03 104448 ----a-w- c:\windows\system32\DWWIN.EXE
2009-09-02 21:44:38 9728 ----a-w- c:\windows\system32\LAPRXY.DLL
2009-09-02 21:44:38 223232 ----a-w- c:\windows\system32\WMASF.DLL
2009-09-02 21:44:38 2048 ----a-w- c:\windows\system32\asferror.dll
2009-09-02 21:44:28 25600 ----a-w- c:\windows\system32\amxread.dll
2009-09-02 21:44:28 14848 ----a-w- c:\windows\system32\apilogen.dll
2009-09-02 21:44:15 441856 ----a-w- c:\windows\system32\win32spl.dll
2009-09-02 21:44:15 37376 ----a-w- c:\windows\system32\printcom.dll
2009-09-02 21:44:04 14848 ----a-w- c:\windows\system32\wshrm.dll
2009-09-02 21:43:52 8147968 ----a-w- c:\windows\system32\wmploc.DLL
2009-09-02 21:43:50 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-09-02 21:43:50 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-09-02 21:43:46 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2009-09-02 21:43:12 11776 ----a-w- c:\windows\system32\sbunattend.exe
2009-09-02 21:42:46 83968 ----a-w- c:\windows\system32\dnsrslvr.dll
2009-09-02 21:42:46 24576 ----a-w- c:\windows\system32\dnscacheugc.exe
2009-09-02 21:40:01 622080 ----a-w- c:\windows\system32\icardagt.exe
2009-09-02 21:40:01 11264 ----a-w- c:\windows\system32\icardres.dll
2009-09-02 21:40:00 97800 ----a-w- c:\windows\system32\infocardapi.dll
2009-09-02 21:39:57 105016 ----a-w- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-09-02 21:39:56 781344 ----a-w- c:\windows\system32\PresentationNative_v0300.dll
2009-09-02 21:39:56 43544 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2009-09-02 21:39:56 326160 ----a-w- c:\windows\system32\PresentationHost.exe
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-08-03 16:26:59 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2009-08-03 16:26:59 32768 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2009-08-03 16:26:59 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat

============= FINISH: 10:37:42.27 ===============
 
Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.


Please continue as follows:

  1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
    Remember to re-enable them afterwards.

  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
 
ComboFix 09-11-27.05 - test 11/28/2009 6:07.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1533.978 [GMT -6:00]
Running from: c:\users\test\Desktop\ComboFix.exe
SP: CA AntiSpyware *enabled* (Updated) {6B98D35F-BB76-41C0-876B-A50645ED099A}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-3135756699-365795455-3268573817-500
c:\$recycle.bin\S-1-5-21-3790955515-317854551-3382692383-1001
c:\$recycle.bin\S-1-5-21-3790955515-317854551-3382692383-1002

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-10-28 to 2009-11-28 )))))))))))))))))))))))))))))))
.

2009-11-28 12:15 . 2009-11-28 12:15 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-11-27 06:19 . 2009-11-24 23:39 1093064 ----a-w- c:\users\test\AppData\Roaming\Mozilla\Firefox\Profiles\vcub4ky9.default\extensions\DTToolbar@toolbarnet.com\components\DTToolbarFF.dll
2009-11-26 05:56 . 2009-11-26 05:57 4096 d-----w- c:\program files\Oblivion Savegame Manager V2
2009-11-24 15:59 . 2009-11-24 15:59 4096 d-----w- c:\program files\ERUNT
2009-11-21 20:54 . 2009-11-26 06:52 1 ----a-w- c:\users\test\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-11-21 20:53 . 2009-11-21 20:53 -------- d-----w- c:\users\test\AppData\Roaming\OpenOffice.org
2009-11-21 20:34 . 2009-11-21 20:34 7424000 ----a-r- c:\users\test\AppData\Roaming\Microsoft\Installer\{E6B87DC4-2B3D-4483-ADFF-E483BF718991}\soffice.exe
2009-11-21 20:32 . 2009-11-21 20:32 -------- d-----w- c:\program files\JRE
2009-11-21 20:32 . 2009-11-21 20:32 4096 d-----w- c:\program files\OpenOffice.org 3
2009-11-18 13:56 . 2009-11-18 13:56 2048 ----a-w- c:\windows\system32\tzres.dll
2009-11-18 13:53 . 2009-11-18 13:53 123904 ----a-w- c:\windows\system32\L2SecHC.dll
2009-11-18 13:53 . 2009-11-18 13:53 67584 ----a-w- c:\windows\system32\wlanhlp.dll
2009-11-18 13:53 . 2009-11-18 13:53 502272 ----a-w- c:\windows\system32\wlansvc.dll
2009-11-18 13:53 . 2009-11-18 13:53 47104 ----a-w- c:\windows\system32\wlanapi.dll
2009-11-18 13:53 . 2009-11-18 13:53 297984 ----a-w- c:\windows\system32\wlansec.dll
2009-11-18 13:53 . 2009-11-18 13:53 290816 ----a-w- c:\windows\system32\wlanmsm.dll
2009-11-18 13:51 . 2009-11-18 13:51 72704 ----a-w- c:\windows\system32\fontsub.dll
2009-11-18 13:51 . 2009-11-18 13:51 34304 ----a-w- c:\windows\system32\atmlib.dll
2009-11-18 13:51 . 2009-11-18 13:51 289792 ----a-w- c:\windows\system32\atmfd.dll
2009-11-18 13:51 . 2009-11-18 13:51 24064 ----a-w- c:\windows\system32\lpk.dll
2009-11-18 13:51 . 2009-11-18 13:51 156160 ----a-w- c:\windows\system32\t2embed.dll
2009-11-18 13:51 . 2009-11-18 13:51 10240 ----a-w- c:\windows\system32\dciman32.dll
2009-11-18 13:51 . 2009-11-18 13:51 216576 ----a-w- c:\windows\system32\msv1_0.dll
2009-11-18 13:49 . 2009-11-18 13:49 2855424 ----a-w- c:\windows\system32\mf.dll
2009-11-18 13:49 . 2009-11-18 13:49 98816 ----a-w- c:\windows\system32\mfps.dll
2009-11-18 13:49 . 2009-11-18 13:49 52736 ----a-w- c:\windows\system32\rrinstaller.exe
2009-11-18 13:49 . 2009-11-18 13:49 24576 ----a-w- c:\windows\system32\mfpmp.exe
2009-11-18 13:49 . 2009-11-18 13:49 2048 ----a-w- c:\windows\system32\mferror.dll
2009-11-18 13:47 . 2009-11-18 13:47 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-18 13:47 . 2009-11-18 13:47 56320 ----a-w- c:\windows\system32\iesetup.dll
2009-11-18 13:46 . 2009-11-18 13:46 3502152 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-11-18 13:46 . 2009-11-18 13:46 3467864 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-11-18 13:43 . 2009-11-18 13:43 156160 ----a-w- c:\windows\system32\wkssvc.dll
2009-11-18 13:43 . 2009-11-18 13:43 36352 ----a-w- c:\windows\system32\tsgqec.dll
2009-11-18 13:43 . 2009-11-18 13:43 1871872 ----a-w- c:\windows\system32\mstscax.dll
2009-11-18 13:43 . 2009-11-18 13:43 116736 ----a-w- c:\windows\system32\aaclient.dll
2009-11-18 13:42 . 2009-11-18 13:42 268800 ----a-w- c:\windows\system32\es.dll
2009-11-18 13:42 . 2009-11-03 02:42 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-11-18 13:38 . 2009-11-18 13:38 696832 ----a-w- c:\windows\system32\localspl.dll
2009-11-18 13:38 . 2009-11-18 13:38 88576 ----a-w- c:\windows\system32\avifil32.dll
2009-11-18 13:38 . 2009-11-18 13:38 82944 ----a-w- c:\windows\system32\mciavi32.dll
2009-11-18 13:38 . 2009-11-18 13:38 65024 ----a-w- c:\windows\system32\avicap32.dll
2009-11-18 13:38 . 2009-11-18 13:38 31232 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-18 13:38 . 2009-11-18 13:38 12800 ----a-w- c:\windows\system32\msrle32.dll
2009-11-18 13:38 . 2009-11-18 13:38 123904 ----a-w- c:\windows\system32\msvfw32.dll
2009-11-18 13:37 . 2009-11-18 13:37 2923520 ----a-w- c:\windows\explorer.exe
2009-11-18 13:36 . 2009-11-18 13:36 494592 ----a-w- c:\windows\system32\kerberos.dll
2009-11-18 13:36 . 2009-11-18 13:36 7680 ----a-w- c:\windows\system32\lsass.exe
2009-11-18 13:36 . 2009-11-18 13:36 72704 ----a-w- c:\windows\system32\secur32.dll
2009-11-18 13:36 . 2009-11-18 13:36 408136 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-11-18 13:36 . 2009-11-18 13:36 175104 ----a-w- c:\windows\system32\wdigest.dll
2009-11-18 13:36 . 2009-11-18 13:36 1233920 ----a-w- c:\windows\system32\lsasrv.dll
2009-11-18 13:36 . 2009-11-18 13:36 272384 ----a-w- c:\windows\system32\schannel.dll
2009-11-18 13:35 . 2009-11-18 13:35 24064 ----a-w- c:\windows\system32\netcfg.exe
2009-11-18 13:35 . 2009-11-18 13:35 29184 ----a-w- c:\windows\system32\drivers\BTHUSB.SYS
2009-11-18 13:35 . 2009-11-18 13:35 220160 ----a-w- c:\windows\system32\drivers\bthport.sys
2009-11-18 13:35 . 2009-11-18 13:35 19456 ----a-w- c:\windows\system32\drivers\bthenum.sys
2009-11-18 13:35 . 2009-11-18 13:35 181760 ----a-w- c:\windows\system32\fsquirt.exe
2009-11-18 13:31 . 2009-11-18 13:31 549888 ----a-w- c:\windows\system32\rpcss.dll
2009-11-18 13:31 . 2009-11-18 13:31 654336 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2009-11-18 13:31 . 2009-11-18 13:31 614912 ----a-w- c:\windows\system32\wbem\fastprox.dll
2009-11-18 13:31 . 2009-11-18 13:31 501760 ----a-w- c:\windows\system32\wbem\WmiPrvSD.dll
2009-11-18 13:31 . 2009-11-18 13:31 247296 ----a-w- c:\windows\system32\wbem\WmiPrvSE.exe
2009-11-18 13:31 . 2009-11-18 13:31 24576 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2009-11-18 13:31 . 2009-11-18 13:31 130560 ----a-w- c:\windows\system32\wbem\WmiDcPrv.dll
2009-11-18 13:31 . 2009-11-18 13:31 97280 ----a-w- c:\windows\system32\iasrecst.dll
2009-11-18 13:31 . 2009-11-18 13:31 53248 ----a-w- c:\windows\system32\iasads.dll
2009-11-18 13:31 . 2009-11-18 13:31 37888 ----a-w- c:\windows\system32\iasdatastore.dll
2009-11-18 13:31 . 2009-11-18 13:31 158720 ----a-w- c:\windows\system32\sdohlp.dll
2009-11-18 13:30 . 2009-11-18 13:30 2031104 ----a-w- c:\windows\system32\win32k.sys
2009-11-18 13:23 . 2009-11-18 13:23 60928 ----a-w- c:\windows\system32\msasn1.dll
2009-11-18 13:22 . 2009-11-18 13:22 130048 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-11-18 13:22 . 2009-11-18 13:22 321536 ----a-w- c:\windows\system32\WSDApi.dll
2009-11-18 13:21 . 2009-11-18 13:21 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL
2009-11-18 12:08 . 2009-11-18 12:08 -------- d-----w- c:\windows\Downloaded Installations
2009-11-18 08:41 . 2009-11-18 10:01 8192 d-----w- c:\program files\Spybot
2009-11-18 08:20 . 2009-11-18 09:58 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-11-18 05:17 . 2009-11-24 16:33 -------- d--h--w- c:\windows\PIF
2009-11-12 14:11 . 2009-11-19 04:10 0 ----a-w- c:\windows\win32k.sys
2009-11-06 02:14 . 2009-11-06 02:14 41872 ----a-w- c:\windows\system32\xfcodec.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-26 05:49 . 2009-07-08 17:55 4096 d-----w- c:\programdata\Xfire
2009-11-26 05:49 . 2009-07-08 17:55 8192 d-----w- c:\program files\Xfire
2009-11-25 17:38 . 2009-07-08 17:55 -------- d-----w- c:\users\test\AppData\Roaming\Xfire
2009-11-24 16:19 . 2007-11-09 00:22 1660 ----a-w- c:\windows\bthservsdp.dat
2009-11-21 20:50 . 2008-09-23 15:47 113632 ----a-w- c:\users\test\AppData\Local\GDIPFONTCACHEV1.DAT
2009-11-21 20:32 . 2007-11-09 01:50 -------- d-----w- c:\program files\Java
2009-11-18 14:01 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-11-18 13:52 . 2007-11-09 01:09 8192 d-----w- c:\programdata\Microsoft Help
2009-11-18 13:48 . 2009-11-18 13:48 72704 ----a-w- c:\windows\system32\admparse.dll
2009-11-18 13:48 . 2009-11-18 13:48 832512 ----a-w- c:\windows\system32\wininet.dll
2009-11-18 13:48 . 2009-11-18 13:48 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-11-18 13:48 . 2009-11-18 13:48 48128 ----a-w- c:\windows\system32\mshtmler.dll
2009-11-18 04:19 . 2009-04-28 20:41 12978 ----a-w- c:\users\test\AppData\Roaming\nvModes.dat
2009-11-18 03:45 . 2007-11-09 00:47 4096 d--h--w- c:\program files\InstallShield Installation Information
2009-11-18 02:41 . 2009-06-14 16:53 7484 ----a-w- c:\users\test\AppData\Local\d3d9caps.dat
2009-11-01 07:33 . 2007-11-09 02:05 158735559 ----a-w- c:\windows\DUMP7676.tmp
2009-10-20 09:10 . 2009-10-20 09:10 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-10-20 09:10 . 2009-10-20 09:10 44768 ----a-w- c:\windows\system32\wups2.dll
2009-10-20 09:10 . 2009-10-20 09:10 2421760 ----a-w- c:\windows\system32\wucltux.dll
2009-10-20 09:10 . 2009-10-20 09:10 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-10-20 09:09 . 2009-10-20 09:09 87552 ----a-w- c:\windows\system32\wudriver.dll
2009-10-20 09:09 . 2009-10-20 09:09 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-10-20 09:09 . 2009-10-20 09:09 35552 ----a-w- c:\windows\system32\wups.dll
2009-10-20 09:09 . 2009-10-20 09:09 33792 ----a-w- c:\windows\system32\wuapp.exe
2009-10-20 09:09 . 2009-10-20 09:09 171608 ----a-w- c:\windows\system32\wuwebv.dll
2009-09-25 06:17 . 2009-09-08 05:15 54179488 ----a-w- c:\programdata\Xfire\downloads\Fallout3_1.7_English_US.exe
2009-09-02 21:48 . 2009-09-02 21:48 71680 ----a-w- c:\windows\system32\atl.dll
2009-09-02 21:48 . 2009-09-02 21:48 104448 ----a-w- c:\windows\system32\DWWIN.EXE
2009-09-02 21:44 . 2009-09-02 21:44 9728 ----a-w- c:\windows\system32\LAPRXY.DLL
2009-09-02 21:44 . 2009-09-02 21:44 223232 ----a-w- c:\windows\system32\WMASF.DLL
2009-09-02 21:44 . 2009-09-02 21:44 2048 ----a-w- c:\windows\system32\asferror.dll
2009-09-02 21:44 . 2009-09-02 21:44 25600 ----a-w- c:\windows\system32\amxread.dll
2009-09-02 21:44 . 2009-09-02 21:44 14848 ----a-w- c:\windows\system32\apilogen.dll
2009-09-02 21:44 . 2009-09-02 21:44 441856 ----a-w- c:\windows\system32\win32spl.dll
2009-09-02 21:44 . 2009-09-02 21:44 37376 ----a-w- c:\windows\system32\printcom.dll
2009-09-02 21:44 . 2009-09-02 21:44 14848 ----a-w- c:\windows\system32\wshrm.dll
2009-09-02 21:44 . 2009-09-02 21:44 113664 ----a-w- c:\windows\system32\drivers\rmcast.sys
2009-09-02 21:43 . 2009-09-02 21:43 8147968 ----a-w- c:\windows\system32\wmploc.DLL
2009-09-02 21:43 . 2009-09-02 21:43 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-09-02 21:43 . 2009-09-02 21:43 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-09-02 21:43 . 2009-09-02 21:43 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2009-09-02 21:43 . 2009-09-02 21:43 11776 ----a-w- c:\windows\system32\sbunattend.exe
2009-09-02 21:42 . 2009-09-02 21:42 290304 ----a-w- c:\windows\system32\drivers\srv.sys
2009-09-02 21:42 . 2009-09-02 21:42 83968 ----a-w- c:\windows\system32\dnsrslvr.dll
2009-09-02 21:42 . 2009-09-02 21:42 24576 ----a-w- c:\windows\system32\dnscacheugc.exe
2009-09-02 21:40 . 2009-09-02 21:40 622080 ----a-w- c:\windows\system32\icardagt.exe
2009-09-02 21:40 . 2009-09-02 21:40 11264 ----a-w- c:\windows\system32\icardres.dll
2009-09-02 21:40 . 2009-09-02 21:40 97800 ----a-w- c:\windows\system32\infocardapi.dll
2009-09-02 21:39 . 2009-09-02 21:39 105016 ----a-w- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-09-02 21:39 . 2009-09-02 21:39 781344 ----a-w- c:\windows\system32\PresentationNative_v0300.dll
2009-09-02 21:39 . 2009-09-02 21:39 43544 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2009-09-02 21:39 . 2009-09-02 21:39 326160 ----a-w- c:\windows\system32\PresentationHost.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-15 815104]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-16 148888]

c:\users\test\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-4-16 384000]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\AutorunsDisabled
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]
HP Connections.lnk - c:\program files\HP Connections\6811507\Program\HP Connections.exe [2007-11-8 34520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" -autorun
"ehTray.exe"=c:\windows\ehome\ehTray.exe
"WMPNSCFG"=c:\program files\Windows Media Player\WMPNSCFG.exe
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy2\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe"
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"Windows Defender"=%ProgramFiles%\Windows Defender\MSASCui.exe -hide
"WirelessAssistant"=c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"NvSvc"=RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
"QlbCtrl"=%ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
"QPService"="c:\program files\HP\QuickPlay\QPService.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3790955515-317854551-3382692383-1000]
"EnableNotifications"=dword:00000001
"EnableNotificationsRef"=dword:00000001

R3 R5U870FLx86;R5U870 UVC Lower Filter ;c:\windows\System32\drivers\R5U870FLx86.sys [10/18/2006 2:09 AM 73344]
R3 R5U870FUx86;R5U870 UVC Upper Filter ;c:\windows\System32\drivers\R5U870FUx86.sys [10/18/2006 2:09 AM 43904]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
.
Contents of the 'Scheduled Tasks' folder

2009-11-28 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-07-26 06:46]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=laptop
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\test\AppData\Roaming\Mozilla\Firefox\Profiles\vcub4ky9.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\users\test\AppData\Roaming\Mozilla\Firefox\Profiles\vcub4ky9.default\extensions\DTToolbar@toolbarnet.com\components\DTToolbarFF.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1636.7222\npCIDetect13.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-Activation Assistant for the 2007 Microsoft Office suites - c:\programdata\{623D32E9-0C62-4453-AD44-98B31F52A5E1}\Microsoft Office Activation Assistant.exe REMOVE=TRUE MODIFY=FALSE
AddRemove-HijackThis - g:\spybot\HijackThis.exe
AddRemove-NVIDIA Drivers - c:\windows\system32\NVUNINST.EXE UninstallGUI
AddRemove-Steam App 240 - c:\program files\Steam\steam.exe steam://uninstall/240



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-28 06:20
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8448E1F8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x82670d1f
\Driver\ACPI -> acpi.sys @ 0x804439d6
\Driver\atapi -> 0x8448e1f8
IoDeviceObjectType -> SecurityProcedure -> ntkrnlpa.exe @ 0x81d95467
\Device\Harddisk0\DR0 -> SecurityProcedure -> ntkrnlpa.exe @ 0x81d95467
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\windows\ehome\ehmsas.exe
c:\program files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\HP\QuickPlay\Kernel\TV\CLSched.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2009-11-28 06:24 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-28 12:24

Pre-Run: 36,616,740,864 bytes free
Post-Run: 36,550,516,736 bytes free

- - End Of File - - D7EC7C2587D78325631876717B85EAEB
 
Hi again,

There're also some Symantec remnants there. Download & run removal tool here.


Disable Spybot's TeaTimer to make sure it won't interfere with fixes. You can re-enable it when you're clean again:
  • Run Spybot-S&D in Advanced Mode
  • If it is not already set to do this, go to the Mode menu
    select
    Advanced Mode
  • On the left hand side, click on Tools
  • Then click on the Resident icon in the list
  • Uncheck
    Resident TeaTimer
     and OK any prompts.
  • Restart your computer


Open notepad and copy/paste the text in the quotebox below into it:

Code: 
Rootkit::
c:\windows\win32k.sys
SecCenter::
{6B98D35F-BB76-41C0-876B-A50645ED099A}
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000000
[-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiSpyware]


Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

CFScriptB-4.gif


Close all browser windows and refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Uninstall old Adobe Reader versions and get the latest one (9.2) here or get Foxit Reader here. Make sure you don't install toolbar if choose Foxit Reader! You may also check free readers introduced here.


Check here to see if your Flash is up-to-date (do it separately with each of your browsers). If not, uninstall vulnerable versions by following instructions here. Fresh version can be obtained here.


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 17.
  • Click the
    Download
    button to the right.
  • Select Windows on platform combobox and check the box that says:
    Accept License Agreement. Click continue.
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u17-windows-i586-p.exe to install the newest version. Uncheck Carbonite online backup trial if it's offered there.



Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here.


Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log.
 
I don't know which one to use because I never installed Norton on this computer and it wasn't on here when I got it and TeaTimer wasn't enabled....
 
You must log in or register to reply here.
Back
Top