


[Resolved] ie popups/slow system/gorumiba.dll


  • This topic is locked
16 replies to this topic

#1 harlequin

harlequin

    New Member

  • Authentic Member
  • 10 posts

Posted 05 November 2009 - 04:16 PM

I recently started receiving pop ups, and my system is running slower. I jumped into msconfig and noticed gorumiba.dll in the start up list. I disabled it in start up and ran adaware to remove it. I also downloaded avast (wanted to get everything done in one reboot). Now when I boot up the computer I get a RUNDLL error stating: "Error loading c:\windows\system32\gorumbia.dll The specified module could not be found." And avast is telling me a Trojan has been found:

File name: C:\WINDOWS\system32\hivezuto.dll
Malware name: Win32:Y dss-DL [Trj]
Malware type: Trojan Horse
VPS version: 091105-2, 11/05/09

When I try to move it to the chest it says it cannot process the file.

I've also downloaded Malwarebytes, only it won't run >.< I click the file and nothing happens. HijackThis log below.

Edit: Since the time I posted this I've received several more alerts from Avast:


11/5/2009 5:21:22 PM Alyssa 2340 Sign of "Win32:Tdss-DL [Trj]" has been found in "c:\windows\system32\ketedoti.dll" file.
11/5/2009 5:21:28 PM Alyssa 2340 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "c:\windows\system32\logon.exe" file.
11/5/2009 5:21:57 PM Alyssa 2340 Sign of "Win32:Tdss-DL [Trj]" has been found in "c:\windows\system32\trz7.tmp" file.
11/5/2009 5:30:37 PM Alyssa 2956 Sign of "Win32:Tdss-DL [Trj]" has been found in "C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP16\A0003334.dll" file.
11/5/2009 5:30:45 PM Alyssa 2956 Sign of "Win32:Tdss-DL [Trj]" has been found in "C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP16\A0003346.dll" file.
11/5/2009 5:30:53 PM Alyssa 2956 Sign of "Win32:Tdss-DL [Trj]" has been found in "C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP16\A0003347.dll" file.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:15:20 PM, on 11/5/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\802.11 Wireless LAN\802.11g Wireless USB 2.0 Adapter HW.14 V.1.00\WlanCU.exe
C:\PROGRA~1\HPQ\SHARED\HPQTOA~1.EXE
C:\Program Files\Flock\flock.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\NOTEPAD.EXE
\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...n&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...n&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.h...a...n&pf=laptop
F2 - REG:system.ini: Shell=Explorer.exe logon.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [voduruduy] Rundll32.exe "c:\windows\system32\gorumiba.dll",a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Wireless Configuration Utility HW.14.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Wireless USB 2.0 Adapter HW.14 V.1.00\WlanCU.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1257224427117
O20 - AppInit_DLLs: c:\windows\system32\gorumiba.dll,hivezuto.dll
O21 - SSODL: kelizevef - {c2da0289-41e9-4410-bb2f-d2ebc8824772} - c:\windows\system32\gorumiba.dll (file missing)
O22 - SharedTaskScheduler: mujuzedij - {c2da0289-41e9-4410-bb2f-d2ebc8824772} - c:\windows\system32\gorumiba.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Browser Defender Update Service - Threat Expert Ltd. - C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 7667 bytes

Edited by harlequindreamsx, 05 November 2009 - 04:41 PM.
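The entries a log reviewer keys on in the HijackThis output above are the Winlogon Shell line (F2, with logon.exe appended), the non-empty AppInit_DLLs value (O20), and the SSODL/SharedTaskScheduler objects (O21/O22) still registered for a gorumiba.dll that is no longer on disk, which is exactly what produces the RUNDLL error at boot. As an added example that is not part of this thread and not a feature of HijackThis or any other tool named here, the Python script below runs those three checks over lines copied from the posted log and then cross-references which DLL basenames are hooked into more than one autostart location; the heuristics and the `Finding` record are constructed for illustration.

```python
"""Screen HijackThis-style log lines for persistence entries worth a second
look, then cross-reference DLLs that appear in several autostart locations.
Constructed example; the heuristics are the editor's own, not HijackThis's."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: the suspicious lines from the log posted above plus a
# few benign vendor entries, so the checks have something to leave alone.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe logon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [voduruduy] Rundll32.exe "c:\windows\system32\gorumiba.dll",a
O20 - AppInit_DLLs: c:\windows\system32\gorumiba.dll,hivezuto.dll
O21 - SSODL: kelizevef - {c2da0289-41e9-4410-bb2f-d2ebc8824772} - c:\windows\system32\gorumiba.dll (file missing)
O22 - SharedTaskScheduler: mujuzedij - {c2da0289-41e9-4410-bb2f-d2ebc8824772} - c:\windows\system32\gorumiba.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

LINE_RE = re.compile(r"^(?P<type>[A-Z]\d{1,2}) - (?P<body>.*)$")
DLL_NAME_RE = re.compile(r"([\w~-]+\.dll)\b", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    entry_type: str  # HijackThis section the finding comes from, or "XREF"
    detail: str      # why it was flagged
    subject: str     # the log line (or the DLL name for XREF findings)


def parse(log):
    """Split the log into (type, body, line) tuples; non-entry lines are skipped."""
    entries = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group("type"), m.group("body"), raw.strip()))
    return entries


def check_shell(entry_type, body, line):
    # On XP the Winlogon Shell value is exactly "Explorer.exe"; anything
    # appended to it is started alongside the desktop at every logon.
    if entry_type != "F2":
        return None
    m = re.search(r"Shell=(.*)$", body, re.IGNORECASE)
    if not m:
        return None
    extra = [p for p in m.group(1).split() if p.lower() != "explorer.exe"]
    if extra:
        return Finding("F2", "Winlogon Shell also starts: " + ", ".join(extra), line)
    return None


def check_appinit(entry_type, body, line):
    # AppInit_DLLs is empty on a clean XP machine; any DLL listed here is
    # loaded into every process that loads user32.dll.
    if entry_type != "O20" or not body.startswith("AppInit_DLLs:"):
        return None
    value = body[len("AppInit_DLLs:"):].strip()
    return Finding("O20", "AppInit_DLLs is non-empty: " + value, line) if value else None


def check_dangling(entry_type, body, line):
    # A shell object registered in SSODL or SharedTaskScheduler whose file is
    # gone: the registry still points at it, which is what produces the
    # "specified module could not be found" RUNDLL error at boot.
    if entry_type in ("O21", "O22") and body.endswith("(file missing)"):
        return Finding(entry_type, "registered object points at a missing file", line)
    return None


def correlate_dlls(entries):
    """Map each DLL basename (lower-cased) to the set of entry types referencing it."""
    refs = defaultdict(set)
    for entry_type, body, _ in entries:
        for name in DLL_NAME_RE.findall(body):
            refs[name.lower()].add(entry_type)
    return refs


def analyze(log, min_refs=2):
    """Run the per-line checks, then flag DLLs hooked into >= min_refs locations."""
    entries = parse(log)
    findings = []
    for entry in entries:
        for check in (check_shell, check_appinit, check_dangling):
            finding = check(*entry)
            if finding:
                findings.append(finding)
    for name, types in sorted(correlate_dlls(entries).items()):
        if len(types) >= min_refs:
            detail = f"referenced from {len(types)} entry types: " + ", ".join(sorted(types))
            findings.append(Finding("XREF", detail, name))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.entry_type}] {f.detail}\n    {f.subject}")
```

On the sample, gorumiba.dll is flagged from four separate locations (Run key, AppInit_DLLs, SSODL and SharedTaskScheduler) while the NVIDIA DLL, referenced only from its own Run entry, is not; that cross-reference is usually a stronger signal than any single line, because legitimate software rarely hooks the same DLL into several autostart points at once.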



#2 SweetTech

SweetTech

    MalwareTeam Emeritus

  • Authentic Member
  • 3,368 posts

Posted 05 November 2009 - 04:52 PM

Hello! :wavey: Please be advised, as I am still in training, all my replies to you will be checked for accuracy by one of our experts to ensure that I am giving you the best possible advice. This may cause a delay, but I will do my best to keep it as short as possible. I am checking over your log; I will post back shortly with instructions.



#3 harlequin

harlequin

    New Member

  • Authentic Member
  • 10 posts

Posted 05 November 2009 - 04:54 PM

ok, thanks :thumbup:

#4 SweetTech

SweetTech

    MalwareTeam Emeritus

  • Authentic Member
  • 3,368 posts

Posted 05 November 2009 - 07:40 PM

My name is SweetTech. I would be glad to take a look at your log and help you with solving any malware problems. The logs from our tools can take a while to research, so please be patient and I'd be grateful if you would note the following:
  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.
Please do not delete anything unless instructed to.

STEP 1.

Please download DDS by sUBs from one of the following links and save it to your desktop.
  • Disable any script blocking protection (How to Disable your Security Programs)
  • Double click DDS icon to run the tool (may take up to 3 minutes to run)
  • When done, DDS.txt will open.
  • After a few moments, attach.txt will open in a second window.
  • Save both reports to your desktop.
---------------------------------------------------
  • Post the contents of the DDS.txt report in your next reply
  • Attach the Attach.txt report to your post by doing the following:
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on the insert icon to insert the attachment into your post
____________________________________________________
STEP 2.

Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and attach it in your reply.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries


Please make sure you include the following items in your next post:
1. The logs that were produced after running DDS.
2. The log that was produced after running GMER.



#5 harlequin

harlequin

    New Member

  • Authentic Member
  • 10 posts

Posted 05 November 2009 - 08:27 PM

DDS (Ver_09-10-26.01) - NTFSx86
Run by Alyssa at 20:50:22.42 on Thu 11/05/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.479 [GMT -5:00]

AV: avast! antivirus 4.8.1356 [VPS 091105-2] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\802.11 Wireless LAN\802.11g Wireless USB 2.0 Adapter HW.14 V.1.00\WlanCU.exe
C:\PROGRA~1\HPQ\SHARED\HPQTOA~1.EXE
C:\Program Files\Flock\flock.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\Documents and Settings\Alyssa\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
mWinlogon: Shell=Explorer.exe logon.exe
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [nwiz] nwiz.exe /installquiet /nodetect
mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wirele~1.lnk - c:\program files\802.11 wireless lan\802.11g wireless usb 2.0 adapter hw.14 v.1.00\WlanCU.exe
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1257224427117
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
AppInit_DLLs: c:\windows\system32\gorumiba.dll,hivezuto.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: kelizevef - {c2da0289-41e9-4410-bb2f-d2ebc8824772} - c:\windows\system32\gorumiba.dll
STS: mujuzedij: {c2da0289-41e9-4410-bb2f-d2ebc8824772} - c:\windows\system32\gorumiba.dll
LSA: Notification Packages = scecli ketedoti.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\alyssa\applic~1\mozilla\firefox\profiles\aucromhz.default\
FF - plugin: c:\documents and settings\alyssa\local settings\application data\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-11-5 64288]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-11-5 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-11-5 20560]
R3 RTLWUSB;802.11g USB 2.0 WLAN Dongle;c:\windows\system32\drivers\RTL8187.sys [2009-11-3 169472]
R3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [2002-10-2 13532]
R4 PCTCore;PCTools KDS;c:\windows\system32\drivers\pctcore.sys --> c:\windows\system32\drivers\PCTCore.sys [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1179232]

=============== Created Last 30 ================

2009-11-05 22:21:27 52736 ------w- c:\windows\system32\trzE.tmp
2009-11-05 22:15:06 0 d-----w- c:\program files\Trend Micro
2009-11-05 22:08:57 52736 ------w- c:\windows\system32\trz7.tmp
2009-11-05 22:01:45 0 d-----w- c:\docume~1\alyssa\applic~1\Malwarebytes
2009-11-05 21:12:10 0 d-----w- c:\program files\Spyware Doctor
2009-11-05 21:12:10 0 d-----w- c:\program files\common files\PC Tools
2009-11-05 20:51:07 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-11-05 20:45:17 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-11-05 20:44:51 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-05 20:40:55 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-05 20:40:27 0 d-----w- c:\program files\Lavasoft
2009-11-05 20:39:40 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-05 20:39:37 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-05 20:39:37 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-05 20:39:36 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-05 20:26:19 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-11-05 19:43:04 31236 ----a-w- c:\windows\system32\logon.exe
2009-11-05 18:01:52 0 d-----w- c:\program files\Mad Scientist Productions
2009-11-05 17:54:48 0 d-----w- C:\ProgramData
2009-11-05 17:54:48 0 d-----w- c:\docume~1\alluse~1\applic~1\Electronic Arts
2009-11-05 17:50:04 447752 ----a-r- c:\windows\system32\vp6vfw.dll
2009-11-05 17:50:04 0 d-----w- c:\program files\Microsoft WSE
2009-11-05 17:47:26 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll
2009-11-05 17:47:23 0 d-----w- c:\windows\Logs
2009-11-05 17:17:12 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-11-05 17:17:02 0 d-----w- c:\program files\DAEMON Tools Lite
2009-11-05 17:16:23 0 d-----w- c:\docume~1\alyssa\applic~1\DAEMON Tools Lite
2009-11-05 17:16:20 0 d-----w- c:\docume~1\alluse~1\applic~1\DAEMON Tools Lite
2009-11-05 07:39:25 14848 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2009-11-05 07:39:25 14848 ----a-w- c:\windows\system32\dllcache\kbdhid.sys
2009-11-05 07:39:14 31616 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2009-11-05 07:39:14 31616 ----a-w- c:\windows\system32\dllcache\usbccgp.sys
2009-11-04 17:43:27 0 d-----w- c:\docume~1\alyssa\applic~1\Flock
2009-11-04 17:43:14 0 d-----w- c:\program files\Flock
2009-11-04 17:35:47 0 d-sh--w- c:\documents and settings\alyssa\IECompatCache
2009-11-04 17:34:20 0 d-sh--w- c:\documents and settings\alyssa\PrivacIE
2009-11-04 17:33:53 0 d-sh--w- c:\documents and settings\alyssa\IETldCache
2009-11-04 17:32:21 92160 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-11-04 17:32:03 0 d-----w- c:\windows\ie8updates
2009-11-04 17:31:55 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-11-04 17:31:54 594432 ------w- c:\windows\system32\dllcache\msfeeds.dll
2009-11-04 17:31:54 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-11-04 17:31:54 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-11-04 17:31:54 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2009-11-04 17:31:54 11069440 ------w- c:\windows\system32\dllcache\ieframe.dll
2009-11-04 17:31:18 0 dc-h--w- c:\windows\ie8
2009-11-04 17:16:34 294912 ------w- c:\windows\system32\dllcache\msctf.dll
2009-11-04 17:11:24 764868 ------w- c:\windows\system32\dllcache\apph_sp.sdb
2009-11-04 17:11:24 217118 ------w- c:\windows\system32\dllcache\apphelp.sdb
2009-11-04 17:10:56 0 d-----w- c:\program files\Windows Media Connect 2
2009-11-04 17:09:34 0 d-----w- C:\7160f71001ce4df48a54
2009-11-04 17:09:27 0 d-----w- c:\windows\system32\LogFiles
2009-11-04 16:43:51 0 d-----w- c:\windows\system32\CatRoot_bak
2009-11-04 05:21:09 0 d-----w- c:\windows\ServicePackFiles
2009-11-04 05:20:40 0 d-----w- c:\program files\MSXML 4.0
2009-11-04 03:20:09 0 d-----w- c:\docume~1\alluse~1\applic~1\JollyBear
2009-11-04 02:54:57 0 d-----w- c:\docume~1\alluse~1\applic~1\Becky Brogan
2009-11-04 02:44:28 0 d-----w- c:\program files\Games
2009-11-04 02:43:49 0 d-----w- c:\windows\Big City Adventure - New York
2009-11-04 02:43:49 0 d-----w- c:\program files\Big City Adventure - New York
2009-11-04 02:41:50 0 d-----w- c:\windows\Becky Brogan The Mystery of Meane Manor
2009-11-04 02:41:50 0 d-----w- c:\program files\Becky Brogan The Mystery of Meane Manor
2009-11-04 02:40:23 0 d-----w- c:\program files\Games Hastra
2009-11-04 02:38:01 272128 ------w- c:\windows\system32\drivers\bthport.sys
2009-11-04 02:38:01 272128 ------w- c:\windows\system32\dllcache\bthport.sys
2009-11-04 02:28:16 128512 ------w- c:\windows\system32\dllcache\dhtmled.ocx
2009-11-04 02:27:34 202752 ------w- c:\windows\system32\dllcache\rmcast.sys
2009-11-04 02:27:30 453632 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2009-11-04 02:27:23 333184 ------w- c:\windows\system32\dllcache\srv.sys
2009-11-04 02:27:17 331776 ------w- c:\windows\system32\dllcache\msadce.dll
2009-11-04 02:27:11 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-11-04 02:26:55 683520 ------w- c:\windows\system32\dllcache\inetcomm.dll
2009-11-04 02:24:06 2185984 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-11-04 02:24:06 2142720 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-11-04 02:24:05 2062976 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-11-04 02:24:05 2020864 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-11-04 02:23:36 655872 ------w- c:\windows\system32\dllcache\mstscax.dll
2009-11-04 02:23:04 332800 ------w- c:\windows\system32\dllcache\netapi32.dll
2009-11-04 02:22:57 1106944 ------w- c:\windows\system32\dllcache\msxml3.dll
2009-11-04 02:21:44 1193414 ------w- c:\windows\system32\dllcache\sysmain.sdb
2009-11-04 02:21:43 215552 ------w- c:\windows\system32\dllcache\wordpad.exe
2009-11-04 01:01:50 0 d-----w- c:\windows\system32\PreInstall
2009-11-03 06:20:37 169472 ----a-w- c:\windows\system32\drivers\RTL8187.sys
2009-11-03 06:20:23 21035 ----a-w- c:\windows\system32\drivers\AegisP.sys
2009-11-03 06:20:13 0 d-----w- c:\windows\OPTIONS
2009-11-03 06:20:12 0 d-----w- c:\program files\802.11 Wireless LAN
2009-11-03 06:15:13 0 d-----w- c:\windows\pss
2009-11-03 05:49:53 0 d-----w- c:\program files\WIDCOMM
2009-11-03 05:46:16 1756 --sha-r- c:\windows\system32\drivers\103C_HP_NTBK_HP Pavilion dv8000 (EE944AV)_YN_0Pavi_QCND6111128_E398803002_46_I30A6_SHP_V56.23_BF.08_T060220_WXH2 _L409_M1023_J80_7Intel_8T2400_91.83_#060222_N80861092_(EE944AV)_XMOBILE_CN10_Z_2F .08Tr14_G10DE01D8.MRK
2009-11-03 05:42:51 185344 ----a-w- c:\windows\system32\Thawbrkr.dll
2009-11-03 05:42:50 66594 ----a-w- c:\windows\system32\c_864.nls
2009-11-03 05:42:50 66594 ----a-w- c:\windows\system32\c_862.nls
2009-11-03 05:42:50 66594 ----a-w- c:\windows\system32\c_720.nls
2009-11-03 05:42:50 66082 ----a-w- c:\windows\system32\c_708.nls
2009-11-03 05:42:50 66082 ----a-w- c:\windows\system32\C_28596.NLS
2009-11-03 05:42:50 66082 ----a-w- c:\windows\system32\c_10005.nls
2009-11-03 05:42:50 66082 ----a-w- c:\windows\system32\c_10004.nls
2009-11-03 05:42:50 5632 ----a-w- c:\windows\system32\kbdusa.dll
2009-11-03 05:42:50 10752 ----a-w- c:\windows\system32\c_iscii.dll
2009-11-03 05:42:49 66082 ----a-w- c:\windows\system32\c_10021.nls
2009-11-03 05:42:49 6144 ----a-w- c:\windows\system32\ftlx041e.dll
2009-11-03 05:01:09 21728 ----a-w- c:\windows\system32\wucltui.dll.mui
2009-11-03 05:01:09 17632 ----a-w- c:\windows\system32\wuaueng.dll.mui
2009-11-03 05:01:09 15072 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2009-11-03 05:01:09 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
2009-11-03 05:01:09 0 d-----w- c:\windows\system32\SoftwareDistribution
2009-11-03 05:00:11 0 d-sh--w- c:\documents and settings\alyssa\UserData
2009-11-03 04:57:34 0 d-----w- c:\docume~1\alluse~1\applic~1\AIM
2009-11-03 04:57:30 0 d-----w- c:\program files\AIM
2009-11-03 04:57:28 0 d-----w- c:\program files\common files\Software Update Utility
2009-11-03 04:57:27 0 d-----w- c:\program files\common files\AOL
2009-11-03 04:56:43 457 ---ha-w- C:\IPH.PH
2009-11-03 04:55:40 0 d-----w- c:\program files\uTorrent
2009-11-03 04:55:01 0 d-----w- c:\docume~1\alyssa\applic~1\uTorrent
2009-11-03 04:38:13 749 ---ha-r- c:\windows\WindowsShell.Manifest
2009-11-03 04:38:11 749 ---ha-r- c:\windows\system32\wuaucpl.cpl.manifest
2009-11-03 04:38:06 488 ---ha-r- c:\windows\system32\WindowsLogon.manifest
2009-11-03 04:36:48 749 ---ha-r- c:\windows\system32\cdplayer.exe.manifest
2009-11-03 04:30:02 0 d-----w- c:\docume~1\alyssa\applic~1\Intuit
2009-11-03 04:29:17 26496 ----a-w- c:\windows\system32\dllcache\usbstor.sys
2009-11-03 04:29:10 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2009-11-03 04:29:10 12160 ----a-w- c:\windows\system32\dllcache\mouhid.sys
2009-11-03 04:29:07 9600 ----a-w- c:\windows\system32\drivers\hidusb.sys
2009-11-03 04:29:07 9600 ----a-w- c:\windows\system32\dllcache\hidusb.sys
2009-11-03 04:17:16 250032 --sha-r- C:\ntldr

==================== Find3M ====================

2009-11-05 17:36:59 37472 ---ha-w- c:\windows\fonts\infoview.fon
2009-10-22 09:19:04 5939712 ------w- c:\windows\system32\dllcache\mshtml.dll
2009-09-25 05:56:35 473600 ------w- c:\windows\system32\dllcache\shlwapi.dll
2009-09-25 05:56:35 1506304 ------w- c:\windows\system32\dllcache\shdocvw.dll
2009-09-25 05:56:32 55808 ------w- c:\windows\system32\dllcache\extmgr.dll
2009-09-25 05:56:32 151040 ------w- c:\windows\system32\dllcache\cdfview.dll
2009-09-25 05:56:32 1054208 ------w- c:\windows\system32\dllcache\danim.dll
2009-09-25 05:56:32 1023488 ------w- c:\windows\system32\dllcache\browseui.dll
2009-09-18 09:56:10 18432 ------w- c:\windows\system32\dllcache\iedw.exe
2009-09-11 14:33:52 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 14:33:52 133632 ------w- c:\windows\system32\dllcache\msv1_0.dll
2009-09-04 20:45:26 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 20:45:26 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
2009-08-29 08:08:21 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 08:08:21 916480 ------w- c:\windows\system32\dllcache\wininet.dll
2009-08-29 08:08:21 1208832 ------w- c:\windows\system32\dllcache\urlmon.dll
2009-08-29 08:08:20 206848 ------w- c:\windows\system32\dllcache\occache.dll
2009-08-29 08:08:18 25600 ------w- c:\windows\system32\dllcache\jsproxy.dll
2009-08-29 08:08:17 184320 ------w- c:\windows\system32\dllcache\iepeers.dll
2009-08-29 08:08:13 387584 ------w- c:\windows\system32\dllcache\iedkcs32.dll
2009-08-28 10:35:52 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-08-26 08:16:37 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-26 08:16:37 247326 ------w- c:\windows\system32\dllcache\strmdll.dll
2007-02-12 08:20:26 0 --sha-w- c:\windows\sminst\HPCD.SYS
2009-08-05 19:47:59 39424 --sha-w- c:\windows\system32\hesanebo.dll
2009-08-05 19:42:47 52736 --sha-w- c:\windows\system32\yulugezu.dll

============= FINISH: 20:51:56.75 ===============




#6 SweetTech

SweetTech

    MalwareTeam Emeritus

  • Authentic Member
  • 3,368 posts

Posted 06 November 2009 - 09:14 AM

STEP 1.
While reviewing your logs I noticed that you currently have Peer to Peer program(s) installed on your computer.

You currently have the following P2P programs installed:
  • uTorrent
Most of the infections that we see today are through P2P file sharing. By uninstalling the programs that I mentioned above you will be doing yourself a favor. It's impossible to trust the source of what is being downloaded from them and a file may or may not be what it appears to be.

Should you decide to keep these programs installed on your computer PLEASE do not use these programs while we are getting your P.C. cleaned up.

How to Uninstall the P2P Programs:

For Windows XP Users
  • Click Start
  • Go to Control Panel
  • Go to Add/Remove Programs
  • Find and click Remove for the following (if present):
    uTorrent
PLEASE NOTE: When you're uninstalling the P2P program(s), some questions are worded in various ways to try to deceive you and keep you from uninstalling their program.
____________________________________________________
STEP 2.
Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. Do not "re-run" ComboFix. If you have a problem, reply back for further instructions.


Please make sure you include the ComboFix log in your next reply, as well as a description of how your computer is running now.


Please make sure you include the following items in your next post:
1. The log that was produced after running ComboFix.
2. An update on how your computer is currently running.

Proud Graduate of the WTT Classroom


#7 harlequin

harlequin

    New Member

  • Authentic Member
  • 10 posts

Posted 06 November 2009 - 09:50 AM

The computer is running fine with intermittent times of random slow speed.

ComboFix 09-11-05.05 - Alyssa 11/06/2009 10:36.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.627 [GMT -5:00]
Running from: c:\documents and settings\Alyssa\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1356 [VPS 091106-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\hesanebo.dll
c:\windows\system32\logon.exe
c:\windows\system32\yulugezu.dll
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-10-06 to 2009-11-06 )))))))))))))))))))))))))))))))
.

2009-11-06 07:06 . 2009-11-06 07:06 -------- d-----w- c:\program files\Microsoft Reader
2009-11-06 07:06 . 2003-06-05 22:15 57436 ----a-w- c:\windows\DASShp.dll
2009-11-05 22:15 . 2009-11-05 22:15 -------- d-----w- c:\program files\Trend Micro
2009-11-05 22:01 . 2009-11-05 22:01 -------- d-----w- c:\documents and settings\Alyssa\Application Data\Malwarebytes
2009-11-05 21:39 . 2009-09-15 11:54 52368 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-11-05 21:39 . 2009-09-15 11:54 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-11-05 21:39 . 2009-09-15 11:53 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-11-05 21:39 . 2009-09-15 11:53 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-11-05 21:39 . 2009-09-15 11:55 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-11-05 21:39 . 2009-09-15 11:56 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-11-05 21:39 . 2009-09-15 11:56 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-11-05 21:39 . 2009-09-15 11:55 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-11-05 21:38 . 2009-09-15 11:59 1279968 ----a-w- c:\windows\system32\aswBoot.exe
2009-11-05 21:38 . 2009-11-05 21:38 -------- d-----w- c:\program files\Alwil Software
2009-11-05 21:27 . 2009-11-05 21:27 -------- d-----w- c:\documents and settings\Alyssa\Local Settings\Application Data\Threat Expert
2009-11-05 20:51 . 2009-11-05 20:44 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-11-05 20:45 . 2009-11-05 20:45 -------- dc----w- c:\windows\system32\DRVSTORE
2009-11-05 20:45 . 2009-09-23 12:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-11-05 20:43 . 2009-11-05 20:43 5908024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-11-05 20:43 . 2009-11-05 20:43 327000 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-11-05 20:43 . 2009-11-05 20:43 87496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-11-05 20:43 . 2009-11-05 20:43 933120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-11-05 20:43 . 2009-11-05 20:43 640608 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2009-11-05 20:42 . 2009-11-05 20:42 815760 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-11-05 20:42 . 2009-11-05 20:42 822904 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-11-05 20:42 . 2009-11-05 20:42 1638104 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-11-05 20:42 . 2009-11-05 20:42 788368 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-11-05 20:42 . 2009-11-05 20:42 1179232 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-11-05 20:40 . 2009-11-05 20:40 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-05 20:40 . 2009-10-03 08:15 2924848 -c--a-w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe
2009-11-05 20:40 . 2009-11-05 20:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-11-05 20:40 . 2009-11-05 20:40 -------- d-----w- c:\program files\Lavasoft
2009-11-05 20:39 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-05 20:39 . 2009-11-05 20:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-05 20:39 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-05 20:39 . 2009-11-05 23:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-05 20:26 . 2009-05-07 07:04 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-11-05 18:01 . 2009-11-05 18:01 -------- d-----w- c:\program files\Mad Scientist Productions
2009-11-05 17:54 . 2009-11-05 17:54 -------- d-----w- C:\ProgramData
2009-11-05 17:54 . 2009-11-05 17:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Electronic Arts
2009-11-05 17:50 . 2009-11-05 17:50 10134 ----a-r- c:\documents and settings\Alyssa\Application Data\Microsoft\Installer\{E3E71D07-CD27-46CB-8448-16D4FB29AA13}\ARPPRODUCTICON.exe
2009-11-05 17:50 . 2009-11-05 17:50 -------- d-----w- c:\program files\Microsoft WSE
2009-11-05 17:50 . 2008-09-04 18:17 447752 ----a-r- c:\windows\system32\vp6vfw.dll
2009-11-05 17:47 . 2006-09-28 21:05 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll
2009-11-05 17:47 . 2009-11-05 17:47 -------- d-----w- c:\windows\Logs
2009-11-05 17:37 . 2009-11-05 17:51 -------- d-----w- c:\program files\Electronic Arts
2009-11-05 17:17 . 2009-11-05 17:17 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-11-05 17:17 . 2009-11-05 17:24 -------- d-----w- c:\program files\DAEMON Tools Lite
2009-11-05 17:16 . 2009-11-05 17:36 -------- d-----w- c:\documents and settings\Alyssa\Application Data\DAEMON Tools Lite
2009-11-05 17:16 . 2009-11-05 17:16 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2009-11-05 07:39 . 2004-08-04 03:58 14848 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2009-11-05 07:39 . 2004-08-04 03:58 14848 ----a-w- c:\windows\system32\dllcache\kbdhid.sys
2009-11-05 07:39 . 2004-08-04 04:08 31616 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2009-11-05 07:39 . 2004-08-04 04:08 31616 ----a-w- c:\windows\system32\dllcache\usbccgp.sys
2009-11-05 04:16 . 2009-11-05 04:16 -------- d-sh--w- c:\documents and settings\Liz\IECompatCache
2009-11-05 03:05 . 2009-11-05 03:05 -------- d-sh--w- c:\documents and settings\Liz\PrivacIE
2009-11-05 02:52 . 2009-11-05 02:52 -------- d-sh--w- c:\documents and settings\Liz\IETldCache
2009-11-04 17:44 . 2009-09-23 21:37 34112 ----a-w- c:\documents and settings\Alyssa\Application Data\Flock\Browser\Profiles\8ngju884.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg_bootstrap.exe
2009-11-04 17:44 . 2009-09-23 21:37 32448 ----a-w- c:\documents and settings\Alyssa\Application Data\Flock\Browser\Profiles\8ngju884.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2009-11-04 17:44 . 2009-09-23 21:37 22352 ----a-w- c:\documents and settings\Alyssa\Application Data\Flock\Browser\Profiles\8ngju884.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
2009-11-04 17:44 . 2009-07-01 19:45 52224 ----a-w- c:\documents and settings\Alyssa\Application Data\Flock\Browser\Profiles\8ngju884.default\extensions\{ad605904-0ba5-4d5c-8725-5adbc8912667}\components\FFExternalAlert.dll
2009-11-04 17:44 . 2009-07-01 19:45 114688 ----a-w- c:\documents and settings\Alyssa\Application Data\Flock\Browser\Profiles\8ngju884.default\extensions\{ad605904-0ba5-4d5c-8725-5adbc8912667}\components\npmozax.dll
2009-11-04 17:43 . 2009-11-04 17:43 -------- d-----w- c:\documents and settings\Alyssa\Local Settings\Application Data\Flock
2009-11-04 17:43 . 2009-11-04 17:43 -------- d-----w- c:\documents and settings\Alyssa\Application Data\Flock
2009-11-04 17:43 . 2009-11-06 15:14 -------- d-----w- c:\program files\Flock
2009-11-04 17:35 . 2009-11-04 17:35 -------- d-sh--w- c:\documents and settings\Alyssa\IECompatCache
2009-11-04 17:34 . 2009-11-04 17:34 -------- d-sh--w- c:\documents and settings\Alyssa\PrivacIE
2009-11-04 17:33 . 2009-11-04 17:33 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-11-04 17:33 . 2009-11-04 17:33 -------- d-sh--w- c:\documents and settings\Alyssa\IETldCache
2009-11-04 17:32 . 2009-10-02 04:44 92160 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-11-04 17:32 . 2009-11-04 17:32 -------- d-----w- c:\windows\ie8updates
2009-11-04 17:31 . 2009-08-29 08:08 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-11-04 17:31 . 2009-08-29 08:08 594432 ------w- c:\windows\system32\dllcache\msfeeds.dll
2009-11-04 17:31 . 2009-08-29 08:08 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-11-04 17:31 . 2009-08-29 08:08 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2009-11-04 17:31 . 2009-08-29 08:08 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-11-04 17:31 . 2009-08-29 08:08 11069440 ------w- c:\windows\system32\dllcache\ieframe.dll
2009-11-04 17:31 . 2009-11-04 17:31 -------- dc-h--w- c:\windows\ie8
2009-11-04 17:16 . 2008-02-26 11:59 294912 ------w- c:\windows\system32\dllcache\msctf.dll
2009-11-04 17:15 . 2004-08-04 08:00 25600 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2009-11-04 17:10 . 2009-11-04 17:10 -------- d-----w- c:\program files\Windows Media Connect 2
2009-11-04 17:09 . 2009-11-04 17:10 -------- d-----w- C:\7160f71001ce4df48a54
2009-11-04 17:09 . 2009-11-04 17:10 -------- d-----w- c:\windows\system32\drivers\UMDF
2009-11-04 17:09 . 2009-11-04 17:09 -------- d-----w- c:\windows\system32\LogFiles
2009-11-04 16:43 . 2009-11-04 17:00 -------- d-----w- c:\windows\system32\CatRoot_bak
2009-11-04 05:21 . 2009-11-04 05:21 -------- d-----w- c:\windows\ServicePackFiles
2009-11-04 05:20 . 2009-11-04 05:20 -------- d-----w- c:\program files\MSXML 4.0
2009-11-04 03:20 . 2009-11-04 03:20 -------- d-----w- c:\documents and settings\Liz\Local Settings\Application Data\JollyBear
2009-11-04 03:20 . 2009-11-04 03:20 -------- d-----w- c:\documents and settings\All Users\Application Data\JollyBear
2009-11-04 03:20 . 2009-11-06 06:12 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-04 03:02 . 2009-11-04 03:02 -------- d-----w- c:\documents and settings\Liz\Application Data\Enki Games
2009-11-04 02:54 . 2009-11-04 02:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Becky Brogan
2009-11-04 02:46 . 2009-11-04 02:46 -------- d-----w- c:\documents and settings\Liz\Application Data\PlayFirst
2009-11-04 02:46 . 2009-11-04 02:46 -------- d-----w- c:\documents and settings\All Users\Application Data\PlayFirst
2009-11-04 02:46 . 2009-11-04 02:46 -------- d-----w- c:\documents and settings\Liz\Application Data\Big Fish Games
2009-11-04 02:44 . 2009-11-04 02:45 -------- d-----w- c:\program files\Games
2009-11-04 02:43 . 2009-11-04 02:43 -------- d-----w- c:\program files\Big City Adventure - New York
2009-11-04 02:43 . 2009-11-04 02:43 -------- d-----w- c:\windows\Big City Adventure - New York
2009-11-04 02:41 . 2009-11-04 02:43 -------- d-----w- c:\program files\Becky Brogan The Mystery of Meane Manor
2009-11-04 02:41 . 2009-11-04 02:41 -------- d-----w- c:\windows\Becky Brogan The Mystery of Meane Manor
2009-11-04 02:40 . 2009-11-04 02:40 -------- d-----w- c:\program files\Games Hastra
2009-11-04 02:38 . 2008-06-13 13:10 272128 ------w- c:\windows\system32\drivers\bthport.sys
2009-11-04 02:38 . 2008-06-13 13:10 272128 ------w- c:\windows\system32\dllcache\bthport.sys
2009-11-04 02:31 . 2009-03-06 14:44 283648 ------w- c:\windows\system32\dllcache\pdh.dll
2009-11-04 02:31 . 2009-02-09 10:20 399360 ------w- c:\windows\system32\dllcache\rpcss.dll
2009-11-04 02:31 . 2009-02-09 10:20 473088 ------w- c:\windows\system32\dllcache\fastprox.dll
2009-11-04 02:31 . 2009-02-09 10:20 453120 ------w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-11-04 02:31 . 2009-02-06 17:14 110592 ------w- c:\windows\system32\dllcache\services.exe
2009-11-04 02:31 . 2009-02-06 16:54 35328 ------w- c:\windows\system32\dllcache\sc.exe
2009-11-04 02:31 . 2009-02-06 16:39 227840 ------w- c:\windows\system32\dllcache\wmiprvse.exe
2009-11-04 02:31 . 2005-07-26 04:39 60416 ------w- c:\windows\system32\dllcache\colbact.dll
2009-11-04 02:31 . 2009-02-09 10:20 714752 ------w- c:\windows\system32\dllcache\ntdll.dll
2009-11-04 02:31 . 2009-02-09 10:20 616960 ------w- c:\windows\system32\dllcache\advapi32.dll
2009-11-04 02:31 . 2009-06-21 22:04 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2009-11-04 02:27 . 2008-05-08 12:28 202752 ------w- c:\windows\system32\dllcache\rmcast.sys
2009-11-04 02:27 . 2008-10-24 11:10 453632 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2009-11-04 02:27 . 2008-12-11 11:57 333184 ------w- c:\windows\system32\dllcache\srv.sys
2009-11-04 02:27 . 2008-05-01 14:30 331776 ------w- c:\windows\system32\dllcache\msadce.dll
2009-11-04 02:27 . 2009-07-10 13:42 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-11-04 02:26 . 2008-04-11 18:50 683520 ------w- c:\windows\system32\dllcache\inetcomm.dll
2009-11-04 02:24 . 2009-08-04 12:51 2185984 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-11-04 02:24 . 2009-08-04 12:49 2142720 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-11-04 02:24 . 2009-08-04 12:02 2062976 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-11-04 02:24 . 2009-08-04 12:02 2020864 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-11-04 02:23 . 2009-06-05 07:42 655872 ------w- c:\windows\system32\dllcache\mstscax.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-06 09:01 . 2009-11-03 04:30 63848 ----a-w- c:\documents and settings\Alyssa\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-06 07:06 . 2006-02-22 10:54 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-03 06:14 . 2006-02-22 11:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-11-03 06:14 . 2006-02-22 11:34 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-11-03 06:08 . 2006-02-22 11:12 -------- d-----w- c:\program files\Hewlett-Packard
2009-11-03 05:48 . 2009-11-03 05:46 61752 ----a-w- c:\documents and settings\Liz\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-03 05:48 . 2009-11-03 05:46 126 ----a-w- c:\documents and settings\Liz\Local Settings\Application Data\fusioncache.dat
2009-11-03 05:47 . 2009-11-03 05:46 1756 --sha-r- c:\windows\system32\drivers\103C_HP_NTBK_HP Pavilion dv8000 (EE944AV)_YN_0Pavi_QCND6111128_E398803002_46_I30A6_SHP_V56.23_BF.08_T060220_WXH2
_L409_M1023_J80_7Intel_8T2400_91.83_#060222_N80861092_(EE944AV)_XMOBILE_CN10_Z_2F
.08Tr14_G10DE01D8.MRK
2009-11-03 05:42 . 2006-02-22 10:54 -------- d-----w- c:\program files\HPQ
2009-11-03 04:24 . 2006-02-22 11:27 -------- d-----w- c:\program files\Synaptics
2009-11-03 04:24 . 2006-02-22 11:24 -------- d-----w- c:\program files\Sonic
2009-11-03 04:23 . 2006-02-22 11:43 -------- d-----w- c:\program files\Quickensetup
2009-11-03 04:23 . 2006-02-22 11:43 -------- d-----w- c:\program files\Quicken
2009-11-03 04:21 . 2006-02-22 11:42 -------- d-----w- c:\program files\muvee Technologies
2009-11-03 04:21 . 2006-02-22 11:42 -------- d-----w- c:\program files\music_now
2009-11-03 04:21 . 2006-02-22 11:18 -------- d-----w- c:\program files\MSN Encarta Plus
2009-11-03 04:21 . 2006-02-22 11:18 -------- d-----w- c:\program files\Microsoft Works
2009-11-03 04:20 . 2006-02-22 11:13 -------- d-----w- c:\program files\Microsoft Money 2006
2009-11-03 04:20 . 2006-02-22 10:46 -------- d-----w- c:\program files\microsoft frontpage
2009-11-03 04:20 . 2006-02-22 11:00 -------- d-----w- c:\program files\Java
2009-11-03 04:20 . 2006-02-22 10:56 -------- d-----w- c:\program files\Intel
2009-11-03 04:19 . 2006-02-22 11:07 -------- d-----w- c:\program files\HP
2009-11-03 04:18 . 2006-02-22 11:25 -------- d-----w- c:\program files\Common Files\TiVo Shared
2009-11-03 04:18 . 2006-02-22 10:55 -------- d-----w- c:\program files\CONEXANT
2009-11-03 04:18 . 2006-02-22 11:25 -------- d-----w- c:\program files\Common Files\SureThing Shared
2009-11-03 04:18 . 2006-02-22 11:08 -------- d-----w- c:\program files\Common Files\Sonic Shared
2009-11-03 04:18 . 2006-02-22 11:43 -------- d-----w- c:\program files\Common Files\Palo Alto Software
2009-11-03 04:18 . 2006-02-22 11:42 -------- d-----w- c:\program files\Common Files\muvee Technologies
2009-11-03 04:17 . 2006-02-22 11:47 -------- d-----w- c:\program files\Common Files\LightScribe
2009-11-03 04:17 . 2006-02-22 11:00 -------- d-----w- c:\program files\Common Files\Java
2009-11-03 04:17 . 2006-02-22 11:43 -------- d-----w- c:\program files\Common Files\Intuit
2009-11-03 04:17 . 2006-02-22 10:54 -------- d-----w- c:\program files\Common Files\InstallShield
2009-11-03 04:17 . 2006-02-22 11:07 -------- d-----w- c:\program files\Common Files\HP
2009-11-03 04:15 . 2009-11-03 05:46 -------- d-----w- c:\documents and settings\Liz\Application Data\Intuit
2009-11-03 04:15 . 2009-11-03 04:30 -------- d-----w- c:\documents and settings\Alyssa\Application Data\Intuit
2009-11-03 04:15 . 2006-02-22 11:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Sonic
2009-11-03 04:15 . 2006-02-22 10:46 -------- d-----w- c:\documents and settings\All Users\Application Data\SBSI
2009-11-03 04:15 . 2006-02-22 11:42 -------- d-----w- c:\documents and settings\All Users\Application Data\muvee Technologies
2009-11-03 04:15 . 2006-02-22 11:46 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2009-11-03 04:15 . 2006-02-22 11:46 -------- d-----w- c:\documents and settings\All Users\Application Data\CyberLink
2009-11-03 04:15 . 2006-02-22 11:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Intuit
2009-11-03 04:15 . 2006-02-22 11:26 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield
2009-09-11 14:33 . 2004-08-04 08:00 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 20:45 . 2004-08-04 08:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2004-08-04 08:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:16 . 2004-08-04 08:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2007-02-12 08:20 . 2009-11-03 04:39 0 --sha-w- c:\windows\SMINST\HPCD.SYS
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-12-15 7331840]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-12-15 86016]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-12-14 507904]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-09-15 81000]
"combofix"="c:\combofix\CF5052.exe" [2009-11-06 388608]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2005-12-15 1519616]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" - c:\windows\system32\CHDAudPropShortcut.exe [2005-11-08 61952]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Wireless Configuration Utility HW.14.lnk - c:\program files\802.11 Wireless LAN\802.11g Wireless USB 2.0 Adapter HW.14 V.1.00\WlanCU.exe [2006-9-12 569344]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe logon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\WINDOWS\\explorer.exe"=
"c:\\Program Files\\Adobe\\Acrobat 6.0\\Reader\\AcroRd32.exe"=
"c:\\WINDOWS\\system32\\logonui.exe"=
"c:\\WINDOWS\\system32\\winlogon.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [11/5/2009 3:45 PM 64288]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [11/5/2009 4:39 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [11/5/2009 4:39 PM 20560]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 6:17 AM 1179232]
R3 RTLWUSB;802.11g USB 2.0 WLAN Dongle;c:\windows\system32\drivers\RTL8187.sys [11/3/2009 1:20 AM 169472]
R3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [10/2/2002 9:57 AM 13532]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-11-06 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 20:42]

2009-11-06 c:\windows\Tasks\User_Feed_Synchronization-{1C898877-50F0-40ED-9AFF-149ADEDD1193}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
FF - ProfilePath - c:\documents and settings\Alyssa\Application Data\Mozilla\Firefox\Profiles\aucromhz.default\
FF - plugin: c:\documents and settings\Alyssa\Local Settings\Application Data\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{472734EA-242A-422B-ADF8-83D1E48CC825} - (no file)
SharedTaskScheduler-{c2da0289-41e9-4410-bb2f-d2ebc8824772} - c:\windows\system32\gorumiba.dll
SSODL-kelizevef-{c2da0289-41e9-4410-bb2f-d2ebc8824772} - c:\windows\system32\gorumiba.dll
AddRemove-HP Game Console - c:\program files\WildTangent\Apps\hpuninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-06 10:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll iaStor.sys spxc.sys >>UNKNOWN [0x86787938]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x867671f8
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

iaStor.sys @ 0x0 0x0 bytes

\Driver\iaStor [ IRP_MJ_CREATE ] 0xF186 != 0xF72DD7B0 iaStor.sys
\Driver\iaStor [ IRP_MJ_CLOSE ] 0xF186 != 0xF72DD7B0 iaStor.sys
\Driver\iaStor [ IRP_MJ_DEVICE_CONTROL ] 0x12896 != 0xF72DD7B0 iaStor.sys
\Driver\iaStor [ IRP_MJ_INTERNAL_DEVICE_CONTROL ] 0x12B58 != 0xF72DD7B0 iaStor.sys
\Driver\iaStor [ IRP_MJ_POWER ] 0x17E66 != 0xF72DD7B0 iaStor.sys
\Driver\iaStor [ IRP_MJ_SYSTEM_CONTROL ] 0x17FC6 != 0xF72DD7B0 iaStor.sys
\Driver\iaStor IRP hooks detected !

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\RUNDLL32.EXE
c:\progra~1\HPQ\SHARED\HPQTOA~1.EXE
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-11-06 10:45 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-06 15:45

Pre-Run: 41,001,238,528 bytes free
Post-Run: 40,878,280,704 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - E163E49F73CB8C9C2725B4BEF4B16809

Attached Files

  • Attached File  log.txt   27KB   283 downloads


#8 SweetTech

SweetTech

    MalwareTeam Emeritus

  • Authentic Member
  • 3,368 posts

Posted 06 November 2009 - 12:24 PM

One or more of the identified infections is a backdoor trojan and password stealer.

This type of infection allows hackers to access and remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.
If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, then from a clean computer, change all passwords where applicable.
It would also be wise to contact those same financial institutions to apprise them of your situation.


I highly suggest you take a look at the two links provided below:
1. How Do I Handle Possible Identity Theft, Internet Fraud, and CC Fraud?
2. When should I re-format? How should I reinstall?

ComboFix Script
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

http://forums.whatthetech.com/index.php?s=&showtopic=108113&view=findpost&p=608576
KillAll::
MBR::
Collect::
C:\WINDOWS\system32\hivezuto.dll
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe"

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Please make sure you include the following items in your next post:
1. The contents of the ComboFix log that was produced after running ComboFix.

Posted Image
 

Proud Graduate of the WTT Classroom
 
Posted Image


#9 harlequin

harlequin

    New Member

  • Authentic Member
  • Pip
  • 10 posts

Posted 06 November 2009 - 12:53 PM

ComboFix 09-11-05.05 - Alyssa 11/06/2009 13:42.2.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.648 [GMT -5:00]
Running from: c:\documents and settings\Alyssa\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Alyssa\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1356 [VPS 091106-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((( Files Created from 2009-10-06 to 2009-11-06 )))))))))))))))))))))))))))))))
.

2009-11-06 07:06 . 2009-11-06 07:06 -------- d-----w- c:\program files\Microsoft Reader
2009-11-06 07:06 . 2003-06-05 22:15 57436 ----a-w- c:\windows\DASShp.dll
2009-11-05 22:15 . 2009-11-05 22:15 -------- d-----w- c:\program files\Trend Micro
2009-11-05 22:01 . 2009-11-05 22:01 -------- d-----w- c:\documents and settings\Alyssa\Application Data\Malwarebytes
2009-11-05 21:39 . 2009-09-15 11:54 52368 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-11-05 21:39 . 2009-09-15 11:54 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-11-05 21:39 . 2009-09-15 11:53 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-11-05 21:39 . 2009-09-15 11:53 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-11-05 21:39 . 2009-09-15 11:55 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-11-05 21:39 . 2009-09-15 11:56 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-11-05 21:39 . 2009-09-15 11:56 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-11-05 21:39 . 2009-09-15 11:55 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-11-05 21:38 . 2009-09-15 11:59 1279968 ----a-w- c:\windows\system32\aswBoot.exe
2009-11-05 21:38 . 2009-11-05 21:38 -------- d-----w- c:\program files\Alwil Software
2009-11-05 21:27 . 2009-11-05 21:27 -------- d-----w- c:\documents and settings\Alyssa\Local Settings\Application Data\Threat Expert
2009-11-05 20:51 . 2009-11-05 20:44 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-11-05 20:45 . 2009-11-05 20:45 -------- dc----w- c:\windows\system32\DRVSTORE
2009-11-05 20:45 . 2009-09-23 12:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-11-05 20:43 . 2009-11-05 20:43 5908024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-11-05 20:43 . 2009-11-05 20:43 327000 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-11-05 20:43 . 2009-11-05 20:43 87496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-11-05 20:43 . 2009-11-05 20:43 933120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-11-05 20:43 . 2009-11-05 20:43 640608 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2009-11-05 20:42 . 2009-11-05 20:42 815760 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-11-05 20:42 . 2009-11-05 20:42 822904 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-11-05 20:42 . 2009-11-05 20:42 1638104 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-11-05 20:42 . 2009-11-05 20:42 788368 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-11-05 20:42 . 2009-11-05 20:42 1179232 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-11-05 20:40 . 2009-11-05 20:40 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-05 20:40 . 2009-10-03 08:15 2924848 -c--a-w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe
2009-11-05 20:40 . 2009-11-05 20:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-11-05 20:40 . 2009-11-05 20:40 -------- d-----w- c:\program files\Lavasoft
2009-11-05 20:39 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-05 20:39 . 2009-11-05 20:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-05 20:39 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-05 20:39 . 2009-11-05 23:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-05 20:26 . 2009-05-07 07:04 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-11-05 18:01 . 2009-11-05 18:01 -------- d-----w- c:\program files\Mad Scientist Productions
2009-11-05 17:54 . 2009-11-05 17:54 -------- d-----w- C:\ProgramData
2009-11-05 17:54 . 2009-11-05 17:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Electronic Arts
2009-11-05 17:50 . 2009-11-05 17:50 10134 ----a-r- c:\documents and settings\Alyssa\Application Data\Microsoft\Installer\{E3E71D07-CD27-46CB-8448-16D4FB29AA13}\ARPPRODUCTICON.exe
2009-11-05 17:50 . 2009-11-05 17:50 -------- d-----w- c:\program files\Microsoft WSE
2009-11-05 17:50 . 2008-09-04 18:17 447752 ----a-r- c:\windows\system32\vp6vfw.dll
2009-11-05 17:47 . 2006-09-28 21:05 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll
2009-11-05 17:47 . 2009-11-05 17:47 -------- d-----w- c:\windows\Logs
2009-11-05 17:37 . 2009-11-05 17:51 -------- d-----w- c:\program files\Electronic Arts
2009-11-05 17:17 . 2009-11-05 17:17 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-11-05 17:17 . 2009-11-05 17:24 -------- d-----w- c:\program files\DAEMON Tools Lite
2009-11-05 17:16 . 2009-11-05 17:36 -------- d-----w- c:\documents and settings\Alyssa\Application Data\DAEMON Tools Lite
2009-11-05 17:16 . 2009-11-05 17:16 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2009-11-05 07:39 . 2004-08-04 03:58 14848 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2009-11-05 07:39 . 2004-08-04 03:58 14848 ----a-w- c:\windows\system32\dllcache\kbdhid.sys
2009-11-05 07:39 . 2004-08-04 04:08 31616 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2009-11-05 07:39 . 2004-08-04 04:08 31616 ----a-w- c:\windows\system32\dllcache\usbccgp.sys
2009-11-05 04:16 . 2009-11-05 04:16 -------- d-sh--w- c:\documents and settings\Liz\IECompatCache
2009-11-05 03:05 . 2009-11-05 03:05 -------- d-sh--w- c:\documents and settings\Liz\PrivacIE
2009-11-05 02:52 . 2009-11-05 02:52 -------- d-sh--w- c:\documents and settings\Liz\IETldCache
2009-11-04 17:44 . 2009-09-23 21:37 34112 ----a-w- c:\documents and settings\Alyssa\Application Data\Flock\Browser\Profiles\8ngju884.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg_bootstrap.exe
2009-11-04 17:44 . 2009-09-23 21:37 32448 ----a-w- c:\documents and settings\Alyssa\Application Data\Flock\Browser\Profiles\8ngju884.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2009-11-04 17:44 . 2009-09-23 21:37 22352 ----a-w- c:\documents and settings\Alyssa\Application Data\Flock\Browser\Profiles\8ngju884.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
2009-11-04 17:44 . 2009-07-01 19:45 52224 ----a-w- c:\documents and settings\Alyssa\Application Data\Flock\Browser\Profiles\8ngju884.default\extensions\{ad605904-0ba5-4d5c-8725-5adbc8912667}\components\FFExternalAlert.dll
2009-11-04 17:44 . 2009-07-01 19:45 114688 ----a-w- c:\documents and settings\Alyssa\Application Data\Flock\Browser\Profiles\8ngju884.default\extensions\{ad605904-0ba5-4d5c-8725-5adbc8912667}\components\npmozax.dll
2009-11-04 17:43 . 2009-11-04 17:43 -------- d-----w- c:\documents and settings\Alyssa\Local Settings\Application Data\Flock
2009-11-04 17:43 . 2009-11-04 17:43 -------- d-----w- c:\documents and settings\Alyssa\Application Data\Flock
2009-11-04 17:43 . 2009-11-06 18:13 -------- d-----w- c:\program files\Flock
2009-11-04 17:35 . 2009-11-04 17:35 -------- d-sh--w- c:\documents and settings\Alyssa\IECompatCache
2009-11-04 17:34 . 2009-11-04 17:34 -------- d-sh--w- c:\documents and settings\Alyssa\PrivacIE
2009-11-04 17:33 . 2009-11-04 17:33 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-11-04 17:33 . 2009-11-04 17:33 -------- d-sh--w- c:\documents and settings\Alyssa\IETldCache
2009-11-04 17:32 . 2009-10-02 04:44 92160 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-11-04 17:32 . 2009-11-04 17:32 -------- d-----w- c:\windows\ie8updates
2009-11-04 17:31 . 2009-08-29 08:08 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-11-04 17:31 . 2009-08-29 08:08 594432 ------w- c:\windows\system32\dllcache\msfeeds.dll
2009-11-04 17:31 . 2009-08-29 08:08 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-11-04 17:31 . 2009-08-29 08:08 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2009-11-04 17:31 . 2009-08-29 08:08 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-11-04 17:31 . 2009-08-29 08:08 11069440 ------w- c:\windows\system32\dllcache\ieframe.dll
2009-11-04 17:31 . 2009-11-04 17:31 -------- dc-h--w- c:\windows\ie8
2009-11-04 17:16 . 2008-02-26 11:59 294912 ------w- c:\windows\system32\dllcache\msctf.dll
2009-11-04 17:15 . 2004-08-04 08:00 25600 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2009-11-04 17:10 . 2009-11-04 17:10 -------- d-----w- c:\program files\Windows Media Connect 2
2009-11-04 17:09 . 2009-11-04 17:10 -------- d-----w- C:\7160f71001ce4df48a54
2009-11-04 17:09 . 2009-11-04 17:10 -------- d-----w- c:\windows\system32\drivers\UMDF
2009-11-04 17:09 . 2009-11-04 17:09 -------- d-----w- c:\windows\system32\LogFiles
2009-11-04 16:43 . 2009-11-04 17:00 -------- d-----w- c:\windows\system32\CatRoot_bak
2009-11-04 05:21 . 2009-11-04 05:21 -------- d-----w- c:\windows\ServicePackFiles
2009-11-04 05:20 . 2009-11-04 05:20 -------- d-----w- c:\program files\MSXML 4.0
2009-11-04 03:20 . 2009-11-04 03:20 -------- d-----w- c:\documents and settings\Liz\Local Settings\Application Data\JollyBear
2009-11-04 03:20 . 2009-11-04 03:20 -------- d-----w- c:\documents and settings\All Users\Application Data\JollyBear
2009-11-04 03:20 . 2009-11-06 06:12 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-04 03:02 . 2009-11-04 03:02 -------- d-----w- c:\documents and settings\Liz\Application Data\Enki Games
2009-11-04 02:54 . 2009-11-04 02:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Becky Brogan
2009-11-04 02:46 . 2009-11-04 02:46 -------- d-----w- c:\documents and settings\Liz\Application Data\PlayFirst
2009-11-04 02:46 . 2009-11-04 02:46 -------- d-----w- c:\documents and settings\All Users\Application Data\PlayFirst
2009-11-04 02:46 . 2009-11-04 02:46 -------- d-----w- c:\documents and settings\Liz\Application Data\Big Fish Games
2009-11-04 02:44 . 2009-11-04 02:45 -------- d-----w- c:\program files\Games
2009-11-04 02:43 . 2009-11-04 02:43 -------- d-----w- c:\program files\Big City Adventure - New York
2009-11-04 02:43 . 2009-11-04 02:43 -------- d-----w- c:\windows\Big City Adventure - New York
2009-11-04 02:41 . 2009-11-04 02:43 -------- d-----w- c:\program files\Becky Brogan The Mystery of Meane Manor
2009-11-04 02:41 . 2009-11-04 02:41 -------- d-----w- c:\windows\Becky Brogan The Mystery of Meane Manor
2009-11-04 02:40 . 2009-11-04 02:40 -------- d-----w- c:\program files\Games Hastra
2009-11-04 02:38 . 2008-06-13 13:10 272128 ------w- c:\windows\system32\drivers\bthport.sys
2009-11-04 02:38 . 2008-06-13 13:10 272128 ------w- c:\windows\system32\dllcache\bthport.sys
2009-11-04 02:31 . 2009-03-06 14:44 283648 ------w- c:\windows\system32\dllcache\pdh.dll
2009-11-04 02:31 . 2009-02-09 10:20 399360 ------w- c:\windows\system32\dllcache\rpcss.dll
2009-11-04 02:31 . 2009-02-09 10:20 473088 ------w- c:\windows\system32\dllcache\fastprox.dll
2009-11-04 02:31 . 2009-02-09 10:20 453120 ------w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-11-04 02:31 . 2009-02-06 17:14 110592 ------w- c:\windows\system32\dllcache\services.exe
2009-11-04 02:31 . 2009-02-06 16:54 35328 ------w- c:\windows\system32\dllcache\sc.exe
2009-11-04 02:31 . 2009-02-06 16:39 227840 ------w- c:\windows\system32\dllcache\wmiprvse.exe
2009-11-04 02:31 . 2005-07-26 04:39 60416 ------w- c:\windows\system32\dllcache\colbact.dll
2009-11-04 02:31 . 2009-02-09 10:20 714752 ------w- c:\windows\system32\dllcache\ntdll.dll
2009-11-04 02:31 . 2009-02-09 10:20 616960 ------w- c:\windows\system32\dllcache\advapi32.dll
2009-11-04 02:31 . 2009-06-21 22:04 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2009-11-04 02:27 . 2008-05-08 12:28 202752 ------w- c:\windows\system32\dllcache\rmcast.sys
2009-11-04 02:27 . 2008-10-24 11:10 453632 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2009-11-04 02:27 . 2008-12-11 11:57 333184 ------w- c:\windows\system32\dllcache\srv.sys
2009-11-04 02:27 . 2008-05-01 14:30 331776 ------w- c:\windows\system32\dllcache\msadce.dll
2009-11-04 02:27 . 2009-07-10 13:42 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-11-04 02:26 . 2008-04-11 18:50 683520 ------w- c:\windows\system32\dllcache\inetcomm.dll
2009-11-04 02:24 . 2009-08-04 12:51 2185984 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-11-04 02:24 . 2009-08-04 12:49 2142720 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-11-04 02:24 . 2009-08-04 12:02 2062976 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-11-04 02:24 . 2009-08-04 12:02 2020864 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-11-04 02:23 . 2009-06-05 07:42 655872 ------w- c:\windows\system32\dllcache\mstscax.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-06 09:01 . 2009-11-03 04:30 63848 ----a-w- c:\documents and settings\Alyssa\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-06 07:06 . 2006-02-22 10:54 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-03 06:14 . 2006-02-22 11:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-11-03 06:14 . 2006-02-22 11:34 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-11-03 06:08 . 2006-02-22 11:12 -------- d-----w- c:\program files\Hewlett-Packard
2009-11-03 05:48 . 2009-11-03 05:46 61752 ----a-w- c:\documents and settings\Liz\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-03 05:48 . 2009-11-03 05:46 126 ----a-w- c:\documents and settings\Liz\Local Settings\Application Data\fusioncache.dat
2009-11-03 05:47 . 2009-11-03 05:46 1756 --sha-r- c:\windows\system32\drivers\103C_HP_NTBK_HP Pavilion dv8000 (EE944AV)_YN_0Pavi_QCND6111128_E398803002_46_I30A6_SHP_V56.23_BF.08_T060220_WXH2_L409_M1023_J80_7Intel_8T2400_91.83_#060222_N80861092_(EE944AV)_XMOBILE_CN10_Z_2F.08Tr14_G10DE01D8.MRK
2009-11-03 05:42 . 2006-02-22 10:54 -------- d-----w- c:\program files\HPQ
2009-11-03 04:24 . 2006-02-22 11:27 -------- d-----w- c:\program files\Synaptics
2009-11-03 04:24 . 2006-02-22 11:24 -------- d-----w- c:\program files\Sonic
2009-11-03 04:23 . 2006-02-22 11:43 -------- d-----w- c:\program files\Quickensetup
2009-11-03 04:23 . 2006-02-22 11:43 -------- d-----w- c:\program files\Quicken
2009-11-03 04:21 . 2006-02-22 11:42 -------- d-----w- c:\program files\muvee Technologies
2009-11-03 04:21 . 2006-02-22 11:42 -------- d-----w- c:\program files\music_now
2009-11-03 04:21 . 2006-02-22 11:18 -------- d-----w- c:\program files\MSN Encarta Plus
2009-11-03 04:21 . 2006-02-22 11:18 -------- d-----w- c:\program files\Microsoft Works
2009-11-03 04:20 . 2006-02-22 11:13 -------- d-----w- c:\program files\Microsoft Money 2006
2009-11-03 04:20 . 2006-02-22 10:46 -------- d-----w- c:\program files\microsoft frontpage
2009-11-03 04:20 . 2006-02-22 11:00 -------- d-----w- c:\program files\Java
2009-11-03 04:20 . 2006-02-22 10:56 -------- d-----w- c:\program files\Intel
2009-11-03 04:19 . 2006-02-22 11:07 -------- d-----w- c:\program files\HP
2009-11-03 04:18 . 2006-02-22 11:25 -------- d-----w- c:\program files\Common Files\TiVo Shared
2009-11-03 04:18 . 2006-02-22 10:55 -------- d-----w- c:\program files\CONEXANT
2009-11-03 04:18 . 2006-02-22 11:25 -------- d-----w- c:\program files\Common Files\SureThing Shared
2009-11-03 04:18 . 2006-02-22 11:08 -------- d-----w- c:\program files\Common Files\Sonic Shared
2009-11-03 04:18 . 2006-02-22 11:43 -------- d-----w- c:\program files\Common Files\Palo Alto Software
2009-11-03 04:18 . 2006-02-22 11:42 -------- d-----w- c:\program files\Common Files\muvee Technologies
2009-11-03 04:17 . 2006-02-22 11:47 -------- d-----w- c:\program files\Common Files\LightScribe
2009-11-03 04:17 . 2006-02-22 11:00 -------- d-----w- c:\program files\Common Files\Java
2009-11-03 04:17 . 2006-02-22 11:43 -------- d-----w- c:\program files\Common Files\Intuit
2009-11-03 04:17 . 2006-02-22 10:54 -------- d-----w- c:\program files\Common Files\InstallShield
2009-11-03 04:17 . 2006-02-22 11:07 -------- d-----w- c:\program files\Common Files\HP
2009-11-03 04:15 . 2009-11-03 05:46 -------- d-----w- c:\documents and settings\Liz\Application Data\Intuit
2009-11-03 04:15 . 2009-11-03 04:30 -------- d-----w- c:\documents and settings\Alyssa\Application Data\Intuit
2009-11-03 04:15 . 2006-02-22 11:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Sonic
2009-11-03 04:15 . 2006-02-22 10:46 -------- d-----w- c:\documents and settings\All Users\Application Data\SBSI
2009-11-03 04:15 . 2006-02-22 11:42 -------- d-----w- c:\documents and settings\All Users\Application Data\muvee Technologies
2009-11-03 04:15 . 2006-02-22 11:46 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2009-11-03 04:15 . 2006-02-22 11:46 -------- d-----w- c:\documents and settings\All Users\Application Data\CyberLink
2009-11-03 04:15 . 2006-02-22 11:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Intuit
2009-11-03 04:15 . 2006-02-22 11:26 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield
2009-09-11 14:33 . 2004-08-04 08:00 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 20:45 . 2004-08-04 08:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2004-08-04 08:00 916480 ------w- c:\windows\system32\wininet.dll
2009-08-26 08:16 . 2004-08-04 08:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2007-02-12 08:20 . 2009-11-03 04:39 0 --sha-w- c:\windows\SMINST\HPCD.SYS
.

((((((((((((((((((((((((((((( SnapShot@2009-11-06_15.41.35 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-06 18:46 . 2009-11-06 18:46 16384 c:\windows\Temp\Perflib_Perfdata_534.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-12-15 7331840]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-12-15 86016]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-09-15 81000]
"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2004-08-04 158208]
"combofix"="c:\combofix\CF29190.exe" [2009-11-06 388608]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2005-12-15 1519616]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" - c:\windows\system32\CHDAudPropShortcut.exe [2005-11-08 61952]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Wireless Configuration Utility HW.14.lnk - c:\program files\802.11 Wireless LAN\802.11g Wireless USB 2.0 Adapter HW.14 V.1.00\WlanCU.exe [2006-9-12 569344]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Adobe\\Acrobat 6.0\\Reader\\AcroRd32.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [11/5/2009 3:45 PM 64288]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [11/5/2009 4:39 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [11/5/2009 4:39 PM 20560]
R3 RTLWUSB;802.11g USB 2.0 WLAN Dongle;c:\windows\system32\drivers\RTL8187.sys [11/3/2009 1:20 AM 169472]
R3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [10/2/2002 9:57 AM 13532]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 6:17 AM 1179232]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-11-06 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 20:42]

2009-11-06 c:\windows\Tasks\User_Feed_Synchronization-{1C898877-50F0-40ED-9AFF-149ADEDD1193}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
FF - ProfilePath - c:\documents and settings\Alyssa\Application Data\Mozilla\Firefox\Profiles\aucromhz.default\

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-06 13:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll iaStor.sys spzu.sys >>UNKNOWN [0x86787938]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x867671f8
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

iaStor.sys @ 0x0 0x0 bytes

\Driver\iaStor [ IRP_MJ_CREATE ] 0xF186 != 0xF72DD7B0 iaStor.sys
\Driver\iaStor [ IRP_MJ_CLOSE ] 0xF186 != 0xF72DD7B0 iaStor.sys
\Driver\iaStor [ IRP_MJ_DEVICE_CONTROL ] 0x12896 != 0xF72DD7B0 iaStor.sys
\Driver\iaStor [ IRP_MJ_INTERNAL_DEVICE_CONTROL ] 0x12B58 != 0xF72DD7B0 iaStor.sys
\Driver\iaStor [ IRP_MJ_POWER ] 0x17E66 != 0xF72DD7B0 iaStor.sys
\Driver\iaStor [ IRP_MJ_SYSTEM_CONTROL ] 0x17FC6 != 0xF72DD7B0 iaStor.sys
\Driver\iaStor IRP hooks detected !

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1464)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\RUNDLL32.EXE
.
**************************************************************************
.
Completion time: 2009-11-06 13:51 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-06 18:51
ComboFix2.txt 2009-11-06 15:45

Pre-Run: 40,864,317,440 bytes free
Post-Run: 40,828,895,232 bytes free

- - End Of File - - 8FF9637AA2EA110A6E6028E758EA2A80
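
The CFScript in post #8 resets the Winlogon Shell value, and the ComboFix log above shows the firewall policy, an UNKNOWN module in the disk stack and IRP hooks on \Driver\iaStor. The following is an added example (not part of this thread, and not code from ComboFix, Gmer or Malwarebytes) that triages a log in this format for exactly those indicators. The sample log is constructed for the example and modelled on the lines posted above; the DLL name in the hijacked Shell value is a placeholder, not a file from this thread.

```python
"""Triage a ComboFix/Gmer-style log for the indicators seen in this thread.

Added example, not the tool's own code. Reads the REGEDIT4-style 'Reg Loading
Points' section and the Gmer MBR/IRP detector output and reports:
  - a Winlogon Shell value other than Explorer.exe (what the CFScript restores)
  - a disabled Windows XP firewall (EnableFirewall = 0)
  - an >>UNKNOWN<< module in the disk driver stack
  - IRP dispatch hooks (observed address != expected address)
"""
import re
from typing import Dict, List, Tuple

WINLOGON_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"

REG_HEADER = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')
IRP_HOOK = re.compile(
    r"^(?P<driver>\\Driver\\\S+) \[ (?P<irp>IRP_MJ_\w+) \] "
    r"(?P<seen>0x[0-9A-Fa-f]+) != (?P<expected>0x[0-9A-Fa-f]+)"
)
UNKNOWN_MODULE = re.compile(r">>UNKNOWN \[(?P<addr>0x[0-9A-Fa-f]+)\]<<")


def parse_registry_blocks(text: str) -> Dict[str, Dict[str, str]]:
    """Collect "name"=value lines under each [key] header; keys are lower-cased."""
    blocks: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        header = REG_HEADER.match(line)
        if header:
            current = header.group("key").lower()
            blocks.setdefault(current, {})
            continue
        value = REG_VALUE.match(line)
        if value and current is not None:
            data = value.group("value").strip()
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = data[1:-1]  # plain REG_SZ: drop the surrounding quotes
            blocks[current][value.group("name")] = data
    return blocks


def check_winlogon_shell(blocks: Dict[str, Dict[str, str]]) -> List[str]:
    """Anything but Explorer.exe in Shell means a second program starts at logon."""
    shell = blocks.get(WINLOGON_KEY, {}).get("Shell")
    if shell is not None and shell.strip().lower() != "explorer.exe":
        return [f"Winlogon Shell hijack: {shell}"]
    return []


def check_firewall(blocks: Dict[str, Dict[str, str]]) -> List[str]:
    """ComboFix prints the value as '0 (0x0)'; only the leading number matters."""
    findings = []
    for key, values in blocks.items():
        if key.endswith(r"firewallpolicy\standardprofile"):
            if values.get("EnableFirewall", "").split(" ")[0] == "0":
                findings.append(f"Windows Firewall disabled in [{key}]")
    return findings


def find_irp_hooks(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (driver, IRP major function, observed, expected) per hooked entry."""
    return [
        (m["driver"], m["irp"], m["seen"], m["expected"])
        for m in (IRP_HOOK.match(line) for line in text.splitlines()) if m
    ]


def find_unknown_modules(text: str) -> List[str]:
    return [m["addr"] for m in UNKNOWN_MODULE.finditer(text)]


def triage(text: str) -> List[str]:
    blocks = parse_registry_blocks(text)
    findings = check_winlogon_shell(blocks) + check_firewall(blocks)
    findings += [f"unknown module in disk stack at {a}" for a in find_unknown_modules(text)]
    findings += [f"IRP hook: {d} {i} {s} (expected {e})" for d, i, s, e in find_irp_hooks(text)]
    return findings


# Constructed sample, modelled on the log posted above; PLACEHOLDER_BAD.dll is not a real file.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe,c:\windows\system32\PLACEHOLDER_BAD.dll"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll iaStor.sys spzu.sys >>UNKNOWN [0x86787938]<<
\Driver\iaStor [ IRP_MJ_CREATE ] 0xF186 != 0xF72DD7B0 iaStor.sys
\Driver\iaStor [ IRP_MJ_CLOSE ] 0xF186 != 0xF72DD7B0 iaStor.sys
\Driver\iaStor IRP hooks detected !
'''

# Constructed clean counterpart: default Shell, firewall on, no unknown module, no hooks.
CLEAN_LOG = r'''
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 1 (0x1)

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll iaStor.sys
'''

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)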




#10 SweetTech

SweetTech

    MalwareTeam Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 3,368 posts

Posted 06 November 2009 - 09:58 PM

STEP 1.
Malwarebytes' Anti-Malware

I see that you have Malwarebytes' Anti-Malware installed on your computer; could you please do a scan using these settings:

  • Open Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Check for Updates
  • After the update has been completed, select the Scanner tab.
  • Select Perform full scan, then click on Scan
  • Leave the default options as they are and click on Start Scan
  • When done, you will be prompted. Click OK, then click on Show Results
  • Check (tick) all items and click on Remove Selected
  • After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottommost log is the latest.
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

STEP 2.
Posted Image
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.

  • Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.
  • Scroll down to where it says "Java SE Runtime Environment (JRE) 6 Update 17. The Java SE Runtime Environment (JRE) allows end-users to run Java applications."
  • Click the "Download" button to the right.
  • Select the Windows platform from the drop-down menu.
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Now go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java™ 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u17-windows-i586-p.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked: Applications and Applets; Trace and Log Files
  • Click OK on Delete Temporary Files Window

    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.
STEP 3.
I'd like for you to run this next online scan to check for remnants or anything that might be hidden.
The below scan can take up to an hour or longer, please be patient.

Note:
It is recommended to disable on board Anti-Virus program and Anti-Spyware programs while performing scans so no conflicts and to speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once scan is finished remember to re-enable resident Anti-Virus protection along with whatever Anti-Spyware app you use.



Please do a scan with Kaspersky Online Scanner or from Here.
  • Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run. (At times it may appear to stall)
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
    • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
    • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Once the scan is complete, click on View scan report. To obtain the report:
  • Click on: Save Report As
  • Next, in the Save as prompt, Save in area, select: Desktop
  • In the File name area, use KScan, or something similar. In Save as type, click the drop arrow and select: Text file [*.txt]
  • Then, click: Save
  • Please post the Kaspersky Online Scanner Report in your reply.
Please make sure you include the following items in your next post:
1. The log that was produced after running MalwareBytes' Anti-Malware.
2. The log that was produced after running the Kaspersky Online Scanner.
3. An update on how your computer is currently running.

Posted Image
 

Proud Graduate of the WTT Classroom
 
Posted Image


#11 harlequin

harlequin

    New Member

  • Authentic Member
  • Pip
  • 10 posts

Posted 07 November 2009 - 09:31 PM

I'm just posting to say I haven't had a chance to take the next steps yet. I will however be back and post the results by Monday latest. Just wanted to make sure this thread doesn't get closed. And thank you for the help thus far. :thumbup:

#12 SweetTech, MalwareTeam Emeritus, Authentic Member, 3,368 posts

Posted 07 November 2009 - 11:04 PM

No worries! Thanks for letting me know. I appreciate it. I will make sure that your thread does not get closed between now and then. SweetTech.

Proud Graduate of the WTT Classroom
 

#13 harlequin, New Member, Authentic Member, 10 posts

Posted 09 November 2009 - 01:42 PM

Malwarebytes' Anti-Malware 1.41
Database version: 3133
Windows 5.1.2600 Service Pack 3

11/9/2009 10:56:35 AM
mbam-log-2009-11-09 (10-56-35).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 179264
Time elapsed: 1 hour(s), 49 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Monday, November 9, 2009
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Monday, November 09, 2009 15:23:13
Records in database: 3181254
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Objects scanned: 73803
Threats found: 1
Infected objects found: 3
Suspicious objects found: 0
Scan duration: 02:23:51

File name / Threat / Threats count
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP16\A0003334.dll Infected: Packed.Win32.TDSS.aa 1
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP16\A0003346.dll Infected: Packed.Win32.TDSS.aa 1
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP16\A0003347.dll Infected: Packed.Win32.TDSS.aa 1

Selected area has been scanned.
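All three Kaspersky hits in the report above sit under System Volume Information\_restore{...}\RP16, i.e. inside a System Restore snapshot rather than in a file Windows loads, which is why the thread's next step resets the restore points instead of cleaning anything in system32. As an added example (not a tool used or written by either poster), here is a small Python triage script for that report format: it parses the "Scan statistics" and "File name / Threat / Threats count" sections, separates restore-point copies from active files, and cross-checks the parsed count against the report's own "Infected objects found" counter. The embedded report excerpt is the one posted above; the extra line named constructed-sample.dll is constructed for illustration and is not from the thread.

```python
import re
from dataclasses import dataclass

# Scan-statistics and detection section of the Kaspersky Online Scanner 7
# report posted in this thread (verbatim excerpt).
SAMPLE_REPORT = r"""
Scan statistics:
Objects scanned: 73803
Threats found: 1
Infected objects found: 3
Suspicious objects found: 0
Scan duration: 02:23:51

File name / Threat / Threats count
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP16\A0003334.dll Infected: Packed.Win32.TDSS.aa 1
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP16\A0003346.dll Infected: Packed.Win32.TDSS.aa 1
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP16\A0003347.dll Infected: Packed.Win32.TDSS.aa 1

Selected area has been scanned.
"""

# CONSTRUCTED detection line (not from the thread), used to show how a hit on
# a file outside the restore-point store is triaged differently.
CONSTRUCTED_ACTIVE_LINE = r"C:\WINDOWS\system32\constructed-sample.dll Infected: Packed.Win32.TDSS.aa 1"

# "<path> Infected: <threat name> <count>"; the path may contain spaces.
DETECTION_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")
# Restore-point store layout on XP: \System Volume Information\_restore{GUID}\RPnn\
RESTORE_POINT_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\(?P<rp>RP\d+)\\", re.IGNORECASE)
# Numeric "Key: 123" statistics lines (durations like 02:23:51 deliberately do not match).
STAT_RE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z -]*): (?P<value>\d+)$")


@dataclass(frozen=True)
class Detection:
    path: str
    threat: str
    count: int

    @property
    def restore_point(self):
        """'RP16' when the file lives in a System Restore snapshot, else None."""
        m = RESTORE_POINT_RE.search(self.path)
        return m.group("rp") if m else None


def parse_detections(report):
    dets = []
    for line in report.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            dets.append(Detection(m["path"], m["threat"], int(m["count"])))
    return dets


def parse_statistics(report):
    stats = {}
    for line in report.splitlines():
        m = STAT_RE.match(line.strip())
        if m:
            stats[m["key"]] = int(m["value"])
    return stats


def is_restore_point_copy(path):
    return RESTORE_POINT_RE.search(path) is not None


def triage(report):
    dets = parse_detections(report)
    stats = parse_statistics(report)
    archived = [d for d in dets if d.restore_point]
    active = [d for d in dets if not d.restore_point]
    declared = stats.get("Infected objects found")
    return {
        "active": active,                      # files the OS can actually load
        "restore_point": archived,             # copies only inside RPnn snapshots
        "restore_point_ids": sorted({d.restore_point for d in archived}),
        "threat_names": sorted({d.threat for d in dets}),
        # False means the parser missed or double-counted lines; check the report by hand.
        "count_matches_report": declared is None or declared == len(dets),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print("threats:", ", ".join(result["threat_names"]))
    print("active files:", len(result["active"]))
    print("restore-point copies:", len(result["restore_point"]), "in", result["restore_point_ids"])
    for d in result["active"]:
        print("  ACTIVE  ", d.path)
    for d in result["restore_point"]:
        print("  ARCHIVED", d.path)
```

On the posted report this yields zero active files and three archived copies in RP16, with the count matching the report; if a detection path is outside the restore-point store the script lists it as ACTIVE, which is the case where a further removal step, not just a restore-point purge, is needed.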




#14 SweetTech, MalwareTeam Emeritus, Authentic Member, 3,368 posts

Posted 09 November 2009 - 05:59 PM

Clean-Up Time:
The following will implement some cleanup procedures as well as reset System Restore points:
Click Start > Run and copy/paste the following bolded text into the Run box and click OK: ComboFix /Uninstall

Remove Tools
From your Desktop please delete the following things:
  • Any notepad/logs that we created
  • DDS.scr
  • GMER.zip from wherever you downloaded the file to.
  • GMER.exe from where you extracted it.
Update Adobe Reader
Earlier versions of Adobe Reader have known security flaws so it is recommended that you update your copy
  • Go to Start > Control Panel > Add/Remove Programs
  • Remove ALL instances of Adobe Reader
  • Re-boot your computer as required.
  • Once ALL versions of Adobe Reader have been uninstalled, visit: <<here>> and download the latest version of Adobe Reader
OR, after uninstalling Adobe Reader, you could try installing Foxit Reader from >here<
Foxit Reader has fewer add-ons therefore loads more quickly.

All Clean Speech

===>Make sure you've re-enabled any Security Programs that we may have disabled during the malware removal process. <===

Below I have included a number of recommendations for how to protect your computer against malware infections.
  • It is good security practice to change the passwords to all your online accounts on a fairly regular basis; this is especially true after an infection. Refer to this Microsoft article
    Strong passwords: How to create and use them
    then consider a password keeper, to keep all your passwords safe.
  • Keep Windows updated by regularly checking their website at: http://windowsupdate.microsoft.com/
    This will ensure your computer always has the latest available security updates installed.
  • SpywareBlaster protects against bad ActiveX; it immunizes your PC against them.
  • SpywareGuard offers realtime protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program ( eg : TeaTimer, Windows Defender ) or there will be a conflict.
  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and "Initialize and Script ActiveX controls not marked as safe" to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.
  • ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  • MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.
  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for both Firefox and IE
  • Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from Here
    • If you choose to use Firefox, I highly recommend this add-on to keep your PC even more secure.
      • NoScript - for blocking ads and other potential website attacks
  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.
  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:
    Think Prevention.
    PC Safety and Security--What Do I Need?.
**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank-you.

Proud Graduate of the WTT Classroom
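The Internet Explorer zone settings the post above walks through in the Inetcpl.cpl dialog are stored as per-user registry values, so the same three ActiveX options can be audited and enforced from a script rather than clicked through on each machine. This is an added example, not part of the original post or of any tool mentioned in it. The value names and meanings are Microsoft's documented zone registry entries, not something stated in the thread: zone 3 is the Internet zone; 1001 = Download signed ActiveX controls, 1004 = Download unsigned ActiveX controls, 1201 = Initialize and script ActiveX controls not marked as safe; data 0 = Enable, 1 = Prompt, 3 = Disable. WEAK_SNAPSHOT is a constructed starting state (everything set to Enable) so the audit runs offline on any OS; on Windows the script reads the live values from HKCU instead.

```python
"""Audit the Internet zone ActiveX settings recommended in the post above.

Registry facts (Microsoft's documented zone entries, not from the post):
  key   HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3
        (zone 3 is the Internet zone)
  1001  Download signed ActiveX controls
  1004  Download unsigned ActiveX controls
  1201  Initialize and script ActiveX controls not marked as safe
  data  0 = Enable, 1 = Prompt, 3 = Disable
"""
ENABLE, PROMPT, DISABLE = 0, 1, 3
SETTING_NAMES = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}
INTERNET_ZONE_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

# Minimum strictness the post asks for: value name -> (required level, label).
RECOMMENDED = {
    "1001": (PROMPT, "Download signed ActiveX controls"),
    "1004": (PROMPT, "Download unsigned ActiveX controls"),
    "1201": (DISABLE, "Initialize and script ActiveX controls not marked as safe"),
}

# CONSTRUCTED weak configuration (all three set to Enable) used when not on Windows.
WEAK_SNAPSHOT = {"1001": ENABLE, "1004": ENABLE, "1201": ENABLE}


def audit(zone_values):
    """Return (value_name, label, current, required) for every setting that is
    more permissive than recommended. Enable < Prompt < Disable numerically,
    so a smaller number is weaker. A missing value means the zone's built-in
    default applies; it is reported so that it gets set explicitly."""
    findings = []
    for name, (required, label) in RECOMMENDED.items():
        current = zone_values.get(name)
        if current is None or current < required:
            findings.append((name, label, current, required))
    return findings


def harden(zone_values):
    """Return a copy with each weak setting raised to the recommended level.
    Settings that are already stricter (e.g. Disable where Prompt is asked
    for) are left as they are."""
    fixed = dict(zone_values)
    for name, (required, _label) in RECOMMENDED.items():
        if fixed.get(name) is None or fixed[name] < required:
            fixed[name] = required
    return fixed


def report(zone_values):
    """Human-readable audit lines, one per weak setting."""
    lines = []
    for name, label, current, required in audit(zone_values):
        cur = SETTING_NAMES.get(current, "not set")
        lines.append(f"{name} {label}: {cur} -> should be {SETTING_NAMES[required]}")
    return lines


def read_internet_zone():
    """Read the three values from HKCU on Windows; return None on other OSes."""
    try:
        import winreg
    except ImportError:
        return None
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, INTERNET_ZONE_KEY) as key:
        for name in RECOMMENDED:
            try:
                data, _kind = winreg.QueryValueEx(key, name)
                values[name] = int(data)
            except FileNotFoundError:
                pass  # not set explicitly; audit() will flag it
    return values


if __name__ == "__main__":
    current = read_internet_zone()
    if current is None:
        current = WEAK_SNAPSHOT  # offline demonstration on non-Windows hosts
    for line in report(current) or ["Internet zone ActiveX settings meet the recommendation."]:
        print(line)
    print("hardened:", harden(current))
```

Writing the hardened values back is a winreg.SetValueEx call per entry with type REG_DWORD under the same key. One caveat when using this across a fleet: if the Security_HKLM_only policy value is set under Internet Settings, Internet Explorer takes the zone configuration from HKLM instead of HKCU, so the audit must read the machine-wide key in that case.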
 
Posted Image


#15 harlequin, New Member, Authentic Member, 10 posts

Posted 09 November 2009 - 06:10 PM

thanks so much for all of your help :thumbup:
