
[Resolved] Hijacked by Malware Defense


20 replies to this topic

#1 lucella31 (Authentic Member, 55 posts)

Posted 22 December 2009 - 11:11 AM

Hello and Happy Holidays!

I'm aware that with Xmas coming so close, now is not the perfect time to ask for help, so my request comes with patience as always.

This morning I was downloading some torrents on my 2005 Fujitsu N3530 laptop (XP SP3, Firefox) when a popup appeared with a title bar named Security Center Alert and an icon similar to MS Windows, so I assumed it was legit. I clicked on the button Enable Protection (against the suspicious software named Backdoor.Win32.Kbot.al) and PRESTO! I became infected with all kinds of carp**. I don't know why I clicked on it...I usually don't! It's named Malware Defense.

I have not attempted to do anything else on the laptop, such as accessing Firefox, as I closed all windows. I have run CCleaner, for what it's worth, and I have a HijackThis Log and an Uninstall List. Malware Defense is on the Uninstall List and I would like to delete it immediately, but I will wait to hear from you first, just in case.

HiJackThis LOG:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:13:11 AM, on 12/22/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\WinPatrol\BillP Studios\WinPatrol\winpatrol.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Vuze\Azureus.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\spoolsv.exe
C:\DOCUME~1\Amber\LOCALS~1\Temp\wscsvc32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.wikipedia.org/wiki/Main_Page
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\WinPatrol\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-3930503046-423339824-1048491305-500\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Administrator')
O4 - HKUS\S-1-5-21-3930503046-423339824-1048491305-500\..\Run: [pdfSaver3] "C:\Program Files\PDF\pdfSaver\pdfSaver3.exe" (User 'Administrator')
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O9 - Extra button: Webaroo: Capture Page - {670fc370-fcfe-11da-92e3-0800200c9a66} - C:\Program Files\Webaroo\IEToolbar\ToolbarProcessor.dll (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.computers.us.fujitsu.com/
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} - http://sympatico.zon...UI.cab53083.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {2E12FB00-546B-4EE3-9CC2-057BF02E1C17} (Webshots Multiple Media Uploader - Container) - http://community.web...wsaxcontrol.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/b...lineScanner.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemreq.../sysreqlab2.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {BAC761D3-DFFD-4DB4-A01D-173346E090A7} (CPlayFirstzenerchiControl Object) - http://aolsvc.aol.co...eb.1.0.0.10.cab
O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} (CPlayFirstDinerDashControl Object) - http://zone.msn.com/...sh.1.0.0.98.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.c...driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AB725217-DA8A-4A35-A698-7EB03F1ECB7E}: NameServer = 192.168.0.1
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 9120 bytes


HijackThis UNINSTALL LIST:

220-601 Practice Exam Package 1.0 from Pass-Guaranteed.com
Ad-Aware
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Reader 8.1.3
Adobe Shockwave Player 11.5
Agere Systems HDA Modem
Algebra 1 Solved!
ALPS Touch Pad Driver
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ArcSoft PhotoStudio 5.5
Are You Smarter Than A 5th Grader Make The Grade
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
AVG 8.5
Babysitting Mania 10.1
Backyard Football
Beach Party Craze
Belarc Advisor 7.2
Big City Adventure San Francisco
Bonjour
Bridge Builder
Build-a-lot 2 - Town of the Year [h33t] [oi812heet]
Burger Island 2
Burger Shop
Can You See What I See
Casino Empire
Casino Island To Go
CCleaner (remove only)
CleanUp!
Coffee House Chaos
Compton's Interactive Encyclopedia 2000 Deluxe
Cooking Academy 2 World Cuisine
Crazy Machines
Critical Update for Windows Media Player 11 (KB959772)
CyberLink Codec
Easy WiFi Radar 1.0.5
eGames GameButler
Emperor: Rise of the Middle Kingdom
Encyclopaedia Britannica 2006 Ultimate Reference Suite DVD
ESET Online Scanner
Fishing Craze
Fujitsu Driver Update
Fujitsu Hotkey Utility
Fujitsu System Extension Utility
Full Tilt Poker
GemMaster Mystic
Geography Quiz 1.0
Go-Go Gourmet 2 - Chef of the Year
Goods Account version 1.2
Google Earth
Google Photos Screensaver
Google Update Helper
Gourmania
Governor of Poker
Hell's Kitchen
Hidden Expedition Titanic (remove only)
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Insomnia: Night Shift
Intel® PROSet/Wireless Software
InterActual Player
iTunes
Java™ 6 Update 13
Jeopardy! 2nd Edition
Languages of the World
LifeBook Application Panel
MagicDisc 2.7.105
MakeDVD 2.0
Malware Defense
Malwarebytes' Anti-Malware
mCore
mDrWiFi
Merv Griffins Crosswords
mHelp
Microsoft .NET Framework 1.0 Hotfix (KB953295)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
mIWA
mLogView
mMHouse
Mozilla Firefox (3.5.6)
mPfMgr
mPfWiz
mProSafe
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MULTIPEDIA
Museum Collection 2.0
mWlsSafe
mXML
MySQL Connector/ODBC 3.51
Mystery Museum
MyTypeArtist
mZConfig
National Geographic Games - Herod’s Lost Tomb ©
Nero Suite
Next Generation Visualisations
Norton Internet Security
Office 2003 Trial Assistant
OpenOffice.org 2.4
Panda ActiveScan
Panda ActiveScan 2.0
Perfect Pool
Phun beta 4.22
Picasa 2
PowerDirector Express
PowerProducer
Profitville
QuickTime
QuickTime 3.0
Realtek High Definition Audio Driver
Restaurant Rush
Rock and Roll JEOPARDY! (remove only)
Roxio RecordNow Audio
Roxio RecordNow Copy
Roxio RecordNow Data
ScanSoft OmniPage SE 4.0
Scrabble (remove only)
SCRABBLE Blast Deluxe
SCRABBLE Journey
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Skies of War
Snap Simulation Engine Installer 1.10
Solitaire Antics Ultimate
Spelling Dictionaries Support For Adobe Reader 8
Spybot - Search & Destroy 1.4
Stellarium 0.9.1
Street Challenge - 14 Mile Combat
Symantec KB-DocID:2003093015493306
System Mania
System Requirements Lab
Taito Legends
Taskbar Wallpaper 3.00
Test and Improve your Memory
TestOut Navigator (Online Version)
The First Olympic Tidy Up
Top Chef
Trivia Machine
Tropicabana
Tropico
Tumble Bees To Go
TuneUp Companion 1.5.5
Unity Web Player
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Media Player 10 (KB913800)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update Rollup 2 for Windows XP Media Center Edition 2005
URGE for Windows Media Player
Virtual DJ - Atomix Productions
VLC media player 1.0.2
Vuze
Webaroo
Westward 2
Windows Live installer
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Media Center Edition 2005 KB925766
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack 3
WinISO 5.3
WinRAR archiver
Wonderland
Word Zen 1.0.0
World Book 2002
Yahoo! 工具列
Yahoo! Browser Services
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yard Sale Hidden Treasures Sunnyville
Youda Marina
Zune Desktop Theme

NOTE: Malware Defense is on the list above!!!

I hope someone can help me!!! Thanks!!! :pullhair:
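Added example (not from the original poster or the forum helpers): a small Python triage script that parses HijackThis log lines like the ones above and flags the entries a malware-removal helper looks at first. The sample lines are copied from the log posted above; the rules (executable in a Temp folder, orphaned "(no file)" entries, O17 resolver outside RFC1918 ranges, O23 service with unknown owner) are this script's own heuristics, not HijackThis features.

```python
import ipaddress
import re

# Constructed sample: a handful of lines copied from the HijackThis log above.
SAMPLE_HJT_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\DOCUME~1\Amber\LOCALS~1\Temp\wscsvc32.exe

R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O17 - HKLM\System\CCS\Services\Tcpip\..\{AB725217-DA8A-4A35-A698-7EB03F1ECB7E}: NameServer = 192.168.0.1
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
"""

# "O4 - ...", "R3 - ...": section code, then the entry body.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
# First Windows path ending in an executable-ish extension, quoted or not.
PATH_RE = re.compile(r'"?(?P<path>[A-Za-z]:\\[^"]*?\.(?:exe|com|scr|dll|cpl))', re.IGNORECASE)
TEMP_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
# A home router's resolver (192.168.0.1 above) lives in one of these; anything
# else in an O17 line deserves a second look (heuristic assumed by this script).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_hjt(text):
    """Split a HijackThis log into process lines and 'Oxx - ...' entries."""
    items = []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:  # blank line closes the process block
                in_processes = False
                continue
            items.append({"kind": "process", "section": "PROC", "body": line})
            continue
        m = ENTRY_RE.match(line)
        if m:
            items.append({"kind": "entry", "section": m["section"], "body": m["body"]})
    return items


def _executable(body):
    m = PATH_RE.search(body)
    return m["path"] if m else None


def _is_lan(addr):
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False  # unparsable resolver: treat as worth flagging
    return any(ip in net for net in RFC1918)


def triage(items):
    """Return (severity, section, reason, body) tuples worth a second look."""
    findings = []
    for it in items:
        sec, body = it["section"], it["body"]
        exe = body if it["kind"] == "process" else _executable(body)
        if exe and TEMP_RE.search(exe):
            findings.append(("high", sec, "executable in a temporary directory", body))
        if body.endswith("(no file)"):
            findings.append(("info", sec, "orphaned entry, target file missing", body))
        if sec == "O17":
            m = re.search(r"NameServer = ([\d.,]+)", body)
            servers = m.group(1).split(",") if m else []
            if any(not _is_lan(s) for s in servers):
                findings.append(("high", sec, "DNS server outside RFC1918 LAN ranges", body))
        if sec == "O23" and "Unknown owner" in body:
            findings.append(("info", sec, "service with no publisher information", body))
    return findings


if __name__ == "__main__":
    for sev, sec, reason, body in triage(parse_hjt(SAMPLE_HJT_LOG)):
        print(f"[{sev:4}] {sec}: {reason}\n        {body}")
```

On the sample above the only high-severity hit is the process running from the user's Temp folder; the "(no file)" and "Unknown owner" entries are cleanup candidates, not evidence of infection by themselves.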



#2 CatByte (Classroom Administrator, 21,060 posts, MVP)

Posted 23 December 2009 - 06:29 PM

Hi,

Please do the following:

Please download exeHelper to your desktop.
  • Double-click on exeHelper.com to run the fix.
  • A black window should pop up, press any key to close once the fix is completed.
  • Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log, and post the two logs together (they will both be in the one file).


NEXT

Please download DDS from either of these links

LINK 1
LINK 2

and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds.pif to run the tool.
  • When done, two DDS.txt's will open.
  • Save both reports to your desktop.
---------------------------------------------------
Please include the contents of the following in your next reply:

DDS.txt
Attach.txt.


NEXT


Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and post it in your next reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#3 lucella31 (Authentic Member, 55 posts)

Posted 25 December 2009 - 07:11 AM

Merry Xmas and/or Happy Holidays!!! (whichever the case may be)
Thank you for offering to help me. :D

I will be posting the 3 logs you have requested (exeHelper, DDS, & Gmer) but I want to get you current with my situation:

An IT guy at work helped me with the Malware Defense issue, so I "think" it's gone. Haven't run another HijackThis Log but I still don't see a trace of it, i.e., on the desktop or in the system tray. But maybe you'll find it again in the logs? :o

I had an issue with a GoogleUpdate.exe popup; I went to services.msc and disabled it, so it doesn't seem to be an issue anymore.
But now I have a serious issue with a popup for Google Installer which freezes my desktop; I'm unable to click on anything and sometimes the task bar and system tray do not appear.

I am only able to download the programs you advised by running in SAFE MODE. I hope this doesn't pose a problem? Isn't SAFE MODE okay for most anti-malware programs anyway? I can't do anything unless I'm in SAFE MODE. :huh:

I also went and deleted the Google Installer folder under C:\Program Files and it's sitting in the Recycle Bin if you need me to restore it.
I don't know if Google Installer is causing all the problems now or if I still have malware.
Gmer did let me know that a rootkit was found after the scan completed. Also, I had to change the name of the gmer.exe file to shalala.exe as it was the only way I could run it. I guess the malware was stopping it.

A note on Gmer...I went and bolded the two lines that mentioned the word rootkit, and as you will see there are many items listed with H8SRTd. Please help! :(
Thanks!!! :)


Here are the logs:

exeHelper

exeHelper by Raktor
Build 20091220
Run at 17:57:01 on 12/24/09
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--


DDS
DDS.txt report


DDS (Ver_09-12-01.01) - NTFSx86 MINIMAL
Run by Amber at 18:02:18.57 on Thu 12/24/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.773 [GMT -8:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Malware Defense *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\Amber\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://en.wikipedia.org/wiki/Main_Page
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IndicatorUtility] c:\program files\fujitsu\fujitsu hotkey utility\IndicatorUty.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [WinPatrol] c:\program files\winpatrol\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
Trusted Zone: labmentors.com\course
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} - hxxp://sympatico.zone.msn.com/binFrameWork/v10/StagingUI.cab53083.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {2E12FB00-546B-4EE3-9CC2-057BF02E1C17} - hxxp://community.webshots.com/html/atx/wsaxcontrol.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.systemrequirementslab.com/sysreqlab2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {BAC761D3-DFFD-4DB4-A01D-173346E090A7} - hxxp://aolsvc.aol.com/onlinegames/free-trial-zenerchi/ZenerchiWeb.1.0.0.10.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} - hxxp://zone.msn.com/bingame/dash/default/DinerDash.1.0.0.98.cab
DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} - hxxp://driveragent.com/files/driveragent.cab
TCP: {AB725217-DA8A-4A35-A698-7EB03F1ECB7E} = 192.168.0.1
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\amber\applic~1\mozilla\firefox\profiles\878z64qr.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en.wikipedia.org/wiki/Main_Page
FF - component: c:\documents and settings\amber\application data\mozilla\firefox\profiles\878z64qr.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\documents and settings\amber\application data\mozilla\firefox\profiles\878z64qr.default\extensions\piclens@cooliris.com\components\cooliris.dll
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\amber\application data\mozilla\firefox\profiles\878z64qr.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
FF - HiddenExtension: XUL Cache: {64072CD2-2C5E-42E1-B165-E99006162C9D} - c:\documents and settings\amber\local settings\application data\{64072CD2-2C5E-42E1-B165-E99006162C9D}
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-7-7 611664]
R3 FUJ02E3;Fujitsu FUJ02E3 Device Driver;c:\windows\system32\drivers\fuj02e3.sys [2005-12-16 4864]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-9-18 28544]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-13 335240]
S1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-4-13 27784]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-13 108552]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-4-13 297752]
S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2005-12-16 1251720]
S3 ADVNTDRV;ADVNTDRV;c:\windows\system32\drivers\ADVNTDRV.SYS [1999-11-18 3872]
S3 AVUSBPVR;AVerMedia USB MPEG-2 Capture Device;c:\windows\system32\drivers\avusbpvr.sys --> c:\windows\system32\drivers\avusbpvr.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2008-9-29 38528]
S3 StreamSurge;StreamSurge Driver (miniport);c:\windows\system32\drivers\ss.sys --> c:\windows\system32\drivers\ss.sys [?]
S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-10-25 133104]
S4 navapsvc;Norton AntiVirus Auto-Protect Service;"c:\program files\norton internet security\norton antivirus\navapsvc.exe" --> c:\program files\norton internet security\norton antivirus\navapsvc.exe [?]

=============== Created Last 30 ================

2009-12-22 14:08:41 654 ----a-w- c:\windows\system32\krl32mainweq.dll
2009-12-22 14:07:38 202 ----a-w- c:\windows\system32\srcr.dat

==================== Find3M ====================

2009-11-08 02:58:11 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-10-29 07:46:59 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:46:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46:50 17408 ----a-w- c:\windows\system32\corpol.dll
2009-10-25 14:48:11 570016 ----a-w- c:\program files\GoogleEarthSetup.exe
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 11:40:21 18527244 ----a-w- c:\program files\vlc-1.0.2-win32.exe
2009-09-27 17:37:00 242 ----a-w- c:\documents and settings\amber\jobq.dat
2009-09-27 17:33:55 27529754 ----a-w- c:\program files\FSIndexing_Setup.exe
2009-07-21 09:20:42 17828326 ----a-w- c:\program files\vlc-1.0.0-win32.exe
2009-07-21 01:33:20 14566424 ----a-w- c:\program files\vlc-0.9.4-win32.exe
2009-04-13 18:47:26 26446240 ----a-w- c:\program files\avg_free_stf_en_85_285a1462.exe.part
2009-02-15 08:07:19 547488 ----a-w- c:\program files\GoogleEarthPluginSetup.exe
2009-02-08 01:39:09 69076264 ----a-w- c:\program files\iTunesSetup.exe
2009-02-08 01:36:49 19003017 ----a-w- c:\program files\iTunesSetup.exe.part
2008-12-06 00:23:56 159721768 ----a-w- c:\program files\herods_lost_tomb-setup.exe
2008-12-06 00:19:44 71266824 ----a-w- c:\program files\gourmania-setup.exe
2008-10-06 11:25:38 50688 ----a-w- c:\program files\ATF-Cleaner.exe
2007-04-30 04:25:48 251 -c--a-w- c:\program files\wt3d.ini
2008-08-02 17:13:44 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008080220080803\index.dat

============= FINISH: 18:02:59.60 ===============

DDS
Attach.txt report


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 9/17/2006 1:48:24 AM
System Uptime: 12/24/2009 5:54:39 PM (1 hours ago)

Motherboard: FUJITSU | | TRUFF01
Processor: Genuine Intel® CPU T2400 @ 1.83GHz | On Board | 1828/667mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 111 GiB total, 60.515 GiB free.
D: is FIXED (NTFS) - 1 GiB total, 0.995 GiB free.
E: is CDROM ()
F: is CDROM ()
G: is CDROM (CDFS)
H: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP577: 9/24/2009 5:54:07 AM - System Checkpoint
RP578: 9/25/2009 6:53:41 AM - System Checkpoint
RP579: 9/26/2009 7:53:00 AM - System Checkpoint
RP580: 9/27/2009 8:51:48 AM - System Checkpoint
RP581: 9/28/2009 9:43:57 AM - System Checkpoint
RP582: 9/29/2009 10:43:54 AM - System Checkpoint
RP583: 9/30/2009 11:43:57 AM - System Checkpoint
RP584: 10/1/2009 12:44:02 PM - System Checkpoint
RP585: 10/2/2009 1:44:08 PM - System Checkpoint
RP586: 10/3/2009 2:44:08 PM - System Checkpoint
RP587: 10/4/2009 2:45:01 PM - System Checkpoint
RP588: 10/5/2009 9:31:46 AM - Avg8 Update
RP589: 10/5/2009 9:33:05 AM - Avg8 Update
RP590: 10/6/2009 9:44:06 AM - System Checkpoint
RP591: 10/7/2009 8:27:20 AM - Avg8 Update
RP592: 10/8/2009 8:44:07 AM - System Checkpoint
RP593: 10/9/2009 9:44:20 AM - System Checkpoint
RP594: 10/10/2009 9:44:36 AM - System Checkpoint
RP595: 10/11/2009 10:10:43 AM - System Checkpoint
RP596: 10/12/2009 10:26:30 AM - System Checkpoint
RP597: 10/13/2009 10:31:01 AM - System Checkpoint
RP598: 10/14/2009 3:00:52 AM - Software Distribution Service 3.0
RP599: 10/14/2009 11:25:54 PM - Software Distribution Service 3.0
RP600: 10/16/2009 7:01:25 PM - Avg8 Update
RP601: 10/17/2009 7:06:54 PM - System Checkpoint
RP602: 10/18/2009 9:33:01 PM - System Checkpoint
RP603: 10/19/2009 10:49:38 PM - System Checkpoint
RP604: 10/20/2009 4:52:16 PM - Avg8 Update
RP605: 10/21/2009 5:48:45 PM - System Checkpoint
RP606: 10/22/2009 6:33:52 PM - System Checkpoint
RP607: 10/23/2009 7:40:48 PM - System Checkpoint
RP608: 10/24/2009 8:18:10 PM - System Checkpoint
RP609: 10/25/2009 8:23:27 PM - System Checkpoint
RP610: 10/26/2009 10:11:16 PM - System Checkpoint
RP611: 10/27/2009 11:09:10 PM - System Checkpoint
RP612: 10/29/2009 8:58:46 PM - System Checkpoint
RP613: 10/30/2009 9:17:33 PM - System Checkpoint
RP614: 11/1/2009 2:01:00 PM - System Checkpoint
RP615: 11/2/2009 10:39:18 AM - Avg8 Update
RP616: 11/3/2009 4:24:45 PM - System Checkpoint
RP617: 11/4/2009 4:00:28 AM - Software Distribution Service 3.0
RP618: 11/5/2009 7:11:14 AM - System Checkpoint
RP619: 11/5/2009 5:46:09 PM - Avg8 Update
RP620: 11/7/2009 9:54:13 AM - System Checkpoint
RP621: 11/8/2009 2:49:18 PM - System Checkpoint
RP622: 11/9/2009 7:46:05 PM - System Checkpoint
RP623: 11/10/2009 7:55:44 PM - System Checkpoint
RP624: 11/11/2009 8:34:15 PM - System Checkpoint
RP625: 11/12/2009 3:00:33 AM - Software Distribution Service 3.0
RP626: 11/13/2009 3:14:12 AM - System Checkpoint
RP627: 11/14/2009 3:47:01 AM - System Checkpoint
RP628: 11/15/2009 9:33:35 AM - System Checkpoint
RP629: 11/21/2009 5:53:32 PM - System Checkpoint
RP630: 11/22/2009 6:01:24 PM - System Checkpoint
RP631: 11/23/2009 7:49:42 PM - System Checkpoint
RP632: 11/25/2009 8:51:48 AM - Software Distribution Service 3.0
RP633: 11/26/2009 7:26:15 PM - Avg8 Update
RP634: 11/27/2009 8:49:58 PM - System Checkpoint
RP635: 11/28/2009 10:09:29 PM - System Checkpoint
RP636: 11/30/2009 12:34:35 AM - System Checkpoint
RP637: 12/3/2009 5:55:53 PM - System Checkpoint
RP638: 12/4/2009 10:40:24 PM - System Checkpoint
RP639: 12/6/2009 12:10:27 AM - System Checkpoint
RP640: 12/7/2009 12:25:25 AM - System Checkpoint
RP641: 12/8/2009 12:30:16 AM - System Checkpoint
RP642: 12/9/2009 1:17:26 AM - System Checkpoint
RP643: 12/9/2009 3:01:05 AM - Software Distribution Service 3.0
RP644: 12/9/2009 8:19:08 AM - Avg8 Update
RP645: 12/10/2009 4:13:23 PM - System Checkpoint
RP646: 12/11/2009 5:23:32 PM - System Checkpoint
RP647: 12/12/2009 9:36:24 AM - Avg8 Update
RP648: 12/12/2009 9:38:04 AM - Avg8 Update
RP649: 12/15/2009 2:06:16 AM - System Checkpoint
RP650: 12/16/2009 2:17:12 AM - System Checkpoint
RP651: 12/17/2009 2:48:20 AM - System Checkpoint
RP652: 12/18/2009 5:08:20 AM - System Checkpoint
RP653: 12/19/2009 12:24:08 AM - Software Distribution Service 3.0
RP654: 12/19/2009 3:01:18 AM - Software Distribution Service 3.0
RP655: 12/20/2009 3:42:23 AM - System Checkpoint
RP656: 12/20/2009 6:32:31 PM - Removed Caesar IV
RP657: 12/21/2009 9:24:19 AM - Avg8 Update

==== Installed Programs ======================

µTorrent
220-601 Practice Exam Package 1.0 from Pass-Guaranteed.com
Ad-Aware
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Reader 8.1.3
Adobe Shockwave Player 11.5
Agere Systems HDA Modem
Algebra 1 Solved!
ALPS Touch Pad Driver
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ArcSoft PhotoStudio 5.5
Are You Smarter Than A 5th Grader Make The Grade
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
AVG 8.5
Babysitting Mania 10.1
Backyard Football
Beach Party Craze
Belarc Advisor 7.2
Big City Adventure San Francisco
Bonjour
Bridge Builder
Build-a-lot 2 - Town of the Year [h33t] [oi812heet]
Burger Island 2
Burger Shop
Can You See What I See
Casino Empire
Casino Island To Go
CCleaner (remove only)
CleanUp!
Coffee House Chaos
Compton's Interactive Encyclopedia 2000 Deluxe
Cooking Academy 2 World Cuisine
Crazy Machines
Critical Update for Windows Media Player 11 (KB959772)
CyberLink Codec
Easy WiFi Radar 1.0.5
eGames GameButler
eGames\DeepSeaTycoon
Emperor: Rise of the Middle Kingdom
Encyclopaedia Britannica 2006 Ultimate Reference Suite DVD
ESET Online Scanner
FamilySearch Indexing (www.familysearchindexing.org)
Fishing Craze
Fujitsu Driver Update
Fujitsu Hotkey Utility
Fujitsu System Extension Utility
Full Tilt Poker
GemMaster Mystic
Geography Quiz 1.0
Go-Go Gourmet 2 - Chef of the Year
Goods Account version 1.2
Google Earth
Google Photos Screensaver
Google Update Helper
Gourmania
Governor of Poker
Hell's Kitchen
Hidden Expedition Titanic (remove only)
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hoyle Casino Empire
Intel® PROSet/Wireless Software
InterActual Player
iTunes
Java™ 6 Update 13
Jeopardy! 2nd Edition
Languages of the World
LifeBook Application Panel
MagicDisc 2.7.105
MakeDVD 2.0
Malwarebytes' Anti-Malware
mCore
mDrWiFi
Merv Griffins Crosswords
mHelp
Microsoft .NET Framework 1.0 Hotfix (KB953295)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
mIWA
mLogView
mMHouse
Mozilla Firefox (3.5.6)
mPfMgr
mPfWiz
mProSafe
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MULTIPEDIA
Museum Collection 2.0
mWlsSafe
mXML
MySQL Connector/ODBC 3.51
Mystery Museum
MyTypeArtist
mZConfig
National Geographic Games - Herod’s Lost Tomb ©
Nero Suite
Next Generation Visualisations
Norton Internet Security
Office 2003 Trial Assistant
OpenOffice.org 2.4
Panda ActiveScan
Panda ActiveScan 2.0
Perfect Pool
Phun beta 4.22
Picasa 2
PowerDirector Express
PowerProducer
Profitville
QuickTime
QuickTime 3.0
Realtek High Definition Audio Driver
Restaurant Rush
Rock and Roll JEOPARDY! (remove only)
Roxio RecordNow Audio
Roxio RecordNow Copy
Roxio RecordNow Data
ScanSoft OmniPage SE 4.0
Scrabble (remove only)
SCRABBLE Blast Deluxe
SCRABBLE Journey
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Skies of War
Snap Simulation Engine Installer 1.10
Solitaire Antics Ultimate
Spelling Dictionaries Support For Adobe Reader 8
Spybot - Search & Destroy 1.4
Stellarium 0.9.1
Street Challenge - 14 Mile Combat
Symantec KB-DocID:2003093015493306
System Mania
System Requirements Lab
Taito Legends
Taskbar Wallpaper 3.00
Test and Improve your Memory
TestOut Navigator (Online Version)
The First Olympic Tidy Up
Top Chef
Trivia Machine
Tropicabana
Tropico
Tumble Bees To Go
TuneUp Companion 1.5.5
Unity Web Player
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Media Player 10 (KB913800)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update Rollup 2 for Windows XP Media Center Edition 2005
URGE for Windows Media Player
Virtual DJ - Atomix Productions
VLC media player 1.0.2
Vuze
Webaroo
WebFldrs XP
Westward 2
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Live installer
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Media Center Edition 2005 KB925766
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack 3
WinISO 5.3
WinRAR archiver
Wonderland
Word Zen 1.0.0
World Book 2002
Yahoo! Browser Services
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! ¤u¨ã¦C
Yard Sale Hidden Treasures Sunnyville
Youda Marina
Zune Desktop Theme

==== Event Viewer Messages From Past Week ========

12/23/2009 10:14:42 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MDM with arguments "" in order to run the server: {0C0A3666-30C9-11D0-8F20-00805F2CD064}
12/22/2009 9:04:42 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
12/22/2009 9:03:45 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AvgLdx86 AvgMfx86 AvgTdiX BANTExt eeCtrl Fips intelppm IPSec MRxSmb NetBIOS NetBT pavboot RasAcd Rdbss Tcpip
12/22/2009 9:03:45 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
12/22/2009 9:03:45 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
12/22/2009 9:03:45 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
12/22/2009 9:03:45 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
12/22/2009 9:03:45 AM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
12/22/2009 9:03:45 AM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
12/22/2009 9:03:12 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
12/22/2009 9:00:17 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
12/22/2009 9:00:17 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Google Update Service (gupdate) service to connect.
12/22/2009 9:00:17 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the AVG Free8 WatchDog service to connect.
12/22/2009 9:00:17 AM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
12/22/2009 9:00:17 AM, error: Service Control Manager [7000] - The Google Update Service (gupdate) service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
12/22/2009 9:00:17 AM, error: Service Control Manager [7000] - The AVG Free8 WatchDog service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
12/19/2009 6:49:51 AM, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
12/19/2009 2:38:22 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000243' while processing the file 'updatecomps.cfg' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
12/18/2009 6:23:58 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Symantec Core LC service.
12/18/2009 6:23:51 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the stisvc service.

==== End Of File ===========================



Gmer


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2009-12-25 04:23:30
Windows 5.1.2600 Service Pack 3
Running: shalala.exe; Driver: C:\DOCUME~1\Amber\LOCALS~1\Temp\pgldqpoc.sys


---- System - GMER 1.0.15 ----

INT 0x62 ? 86FD7BF8
INT 0x63 ? 86F3DF00
INT 0x94 ? 86F3DF00
INT 0xB4 ? 86F67BF8

Code 864426E8 ZwEnumerateKey
Code 86440358 ZwFlushInstructionCache
Code 8644271E IofCallDriver
Code 8644013E IofCompleteRequest

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 86F661F8
Device \FileSystem\Fastfat \FatCdrom 863CA1F8
Device \Driver\usbuhci \Device\USBPDO-0 8655A1F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 86F681F8
Device \Driver\dmio \Device\DmControl\DmConfig 86F681F8
Device \Driver\dmio \Device\DmControl\DmPnP 86F681F8
Device \Driver\dmio \Device\DmControl\DmInfo 86F681F8
Device \Driver\usbuhci \Device\USBPDO-1 8655A1F8
Device \Driver\PCI_PNP8578 \Device\00000052 spni.sys
Device \Driver\PCI_PNP8578 \Device\00000052 spni.sys
Device \Driver\usbuhci \Device\USBPDO-2 8655A1F8
Device \Driver\usbuhci \Device\USBPDO-3 8655A1F8
Device \Driver\usbehci \Device\USBPDO-4 8652D1F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 86FD81F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 86FD81F8
Device \Driver\iaStor \Device\Ide\iaStor0 [F738E7B0] iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F742CB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort0 [F742CB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 [F738E7B0] iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\Cdrom \Device\CdRom2 865071F8
Device \Driver\usbuhci \Device\USBFDO-0 8655A1F8
Device \Driver\usbuhci \Device\USBFDO-1 8655A1F8
Device \Driver\usbuhci \Device\USBFDO-2 8655A1F8
Device \Driver\usbuhci \Device\USBFDO-3 8655A1F8
Device \Driver\usbehci \Device\USBFDO-4 8652D1F8
Device \Driver\Ftdisk \Device\FtControl 86FD81F8
Device \Driver\usbstor \Device\0000008b 864291F8
Device \Driver\sptd \Device\1170628578 spni.sys
Device \Driver\sptd \Device\1170628578 spni.sys
Device \Driver\usbstor \Device\0000008c 864291F8
Device \Driver\a5bprg77 \Device\Scsi\a5bprg771Port3Path0Target0Lun0 865001F8
Device \Driver\a5bprg77 \Device\Scsi\a5bprg771 865001F8
Device \FileSystem\Fastfat \Fat 863CA1F8
Device \FileSystem\Cdfs \Cdfs 863CD1F8

---- Modules - GMER 1.0.15 ----

Module \systemroot\system32\drivers\H8SRToqvptinbrr.sys (*** hidden *** ) F6F27000-F6F43000 (114688 bytes)

---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\H8SRTxqsoebliiw.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [912] 0x10000000

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\H8SRToqvptinbrr.sys (*** hidden *** ) [SYSTEM] H8SRTd.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0002760cfe0a
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRToqvptinbrr.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTd \\?\globalroot\systemroot\system32\drivers\H8SRToqvptinbrr.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTc \\?\globalroot\systemroot\system32\H8SRThoqxxrxoiy.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTsrcr \\?\globalroot\systemroot\system32\H8SRTdiqhlsvkmg.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@h8srtserf \\?\globalroot\systemroot\system32\H8SRTxqsoebliiw.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x5D 0xBC 0xD3 0x61 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x00 0x84 0xC4 0x57 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x98 0x54 0x65 0xD4 ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0002760cfe0a (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRToqvptinbrr.sys
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys\modules@H8SRTd \\?\globalroot\systemroot\system32\drivers\H8SRToqvptinbrr.sys
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys\modules@H8SRTc \\?\globalroot\systemroot\system32\H8SRThoqxxrxoiy.dll
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys\modules@H8SRTsrcr \\?\globalroot\systemroot\system32\H8SRTdiqhlsvkmg.dat
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys\modules@h8srtserf \\?\globalroot\systemroot\system32\H8SRTxqsoebliiw.dll
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x5D 0xBC 0xD3 0x61 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x00 0x84 0xC4 0x57 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x98 0x54 0x65 0xD4 ...
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\9040110900063D11C8EF10054038389C\Usage@HandWritingFiles 999884968
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls@C:\Program Files\Acer GameZone\National Geographic Games - Herod\x2019s Lost Tomb \xa9\Uninstall.exe 1

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\Amber\Local Settings\temp\H8SRT1fb8.tmp 343040 bytes executable
File C:\Documents and Settings\Amber\Local Settings\Temporary Internet Files\Content.IE5\AAA3LGD1\errorPageStrings[3] 0 bytes
File C:\Documents and Settings\Amber\Local Settings\Temporary Internet Files\Content.IE5\AAA3LGD1\info_48[2] 0 bytes
File C:\Documents and Settings\Amber\Local Settings\Temporary Internet Files\Content.IE5\AAA3LGD1\tools[2] 0 bytes
File C:\WINDOWS\system32\drivers\H8SRToqvptinbrr.sys 39936 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\H8SRTdiqhlsvkmg.dat 202 bytes
File C:\WINDOWS\system32\H8SRThoqxxrxoiy.dll 23040 bytes executable
File C:\WINDOWS\system32\H8SRTxqsoebliiw.dll 36864 bytes executable

---- EOF - GMER 1.0.15 ----

Edited by lucella31, 25 December 2009 - 07:36 AM.
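The GMER output above is the decisive artefact in this thread: a driver, an injected DLL and a service are all marked "(*** hidden *** )", and two lines carry GMER's own "<-- ROOTKIT !!!" verdict. The following is an added triage helper, not part of the thread and not GMER's code. It parses a GMER 1.0.15 text log, seeds a watch list from the objects GMER marked hidden or flagged, derives the shared name prefix those seeds use, and then pulls in sibling files and registry references that GMER listed without flagging (the second DLL under the service's "modules" key, for instance). The sample lines are a constructed subset modelled on the log above; the section and entry patterns are assumptions based on the 1.0.15 output format shown here.

```python
"""Triage helper for GMER 1.0.15 text logs (added example, not GMER's code).

Collect objects GMER marked hidden or flagged as ROOTKIT, then pull in related
names from the registry and file sections that GMER itself did not flag.
"""

import os
import re
from dataclasses import dataclass, field

# Constructed subset of the GMER log posted in this thread.
SAMPLE_GMER_LOG = r"""
---- Modules - GMER 1.0.15 ----

Module \systemroot\system32\drivers\H8SRToqvptinbrr.sys (*** hidden *** ) F6F27000-F6F43000 (114688 bytes)

---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\H8SRTxqsoebliiw.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [912] 0x10000000

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\H8SRToqvptinbrr.sys (*** hidden *** ) [SYSTEM] H8SRTd.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRToqvptinbrr.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTc \\?\globalroot\systemroot\system32\H8SRThoqxxrxoiy.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\H8SRToqvptinbrr.sys 39936 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\H8SRThoqxxrxoiy.dll 23040 bytes executable
File C:\Documents and Settings\Amber\Local Settings\Temporary Internet Files\Content.IE5\AAA3LGD1\tools[2] 0 bytes
"""

# Assumed layout of GMER 1.0.15 text output: section banners and typed entry lines.
SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER [\d.]+ ----$")
ENTRY_RE = re.compile(r"^(?P<kind>INT|Code|Device|Module|Library|Service|Reg|File)\s")
# Basename of any .sys/.dll/.dat/.exe/.tmp object mentioned on a line.
NAME_RE = re.compile(r"[^\\\s]+\.(?:sys|dll|dat|exe|tmp)\b", re.IGNORECASE)


@dataclass
class Entry:
    section: str
    kind: str
    text: str
    hidden: bool   # GMER printed "(*** hidden *** )"
    flagged: bool  # GMER printed "<-- ROOTKIT !!!"
    names: list = field(default_factory=list)  # first element is the line's subject


def parse_gmer(log_text: str) -> list:
    """Split a GMER log into Entry records, tracking the current section."""
    entries, section = [], "preamble"
    for raw in log_text.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group("name")
            continue
        kind = ENTRY_RE.match(line)
        if not kind:
            continue
        entries.append(Entry(
            section=section,
            kind=kind.group("kind"),
            text=line,
            hidden="(*** hidden ***" in line,
            flagged="<-- ROOTKIT" in line,
            names=NAME_RE.findall(line),
        ))
    return entries


def triage(entries: list) -> dict:
    """Return {basename: sorted reasons} for every object worth examining.

    Seeds are the subjects of hidden/flagged lines.  The common prefix of the
    seed names (when long enough to be a meaningful family marker) pulls in
    sibling files GMER listed without flagging; registry lines naming a seed
    are recorded as corroborating evidence of the persistence mechanism.
    """
    seeds = {e.names[0] for e in entries if (e.hidden or e.flagged) and e.names}
    prefix = os.path.commonprefix(sorted(seeds)) if len(seeds) > 1 else ""
    if len(prefix) < 4:
        prefix = ""  # too short to be a family marker (e.g. just "H")

    report = {}

    def note(name, reason):
        report.setdefault(name, set()).add(reason)

    for e in entries:
        for i, name in enumerate(e.names):
            if name in seeds:
                if i == 0 and (e.hidden or e.flagged):
                    note(name, f"{e.kind.lower()} hidden/flagged in '{e.section}'")
                elif e.kind == "Reg":
                    note(name, "referenced from registry service key")
            elif prefix and name.lower().startswith(prefix.lower()):
                note(name, f"shares prefix '{prefix}' with hidden objects")
    return {k: sorted(v) for k, v in report.items()}


if __name__ == "__main__":
    for name, reasons in sorted(triage(parse_gmer(SAMPLE_GMER_LOG)).items()):
        print(name)
        for reason in reasons:
            print("   -", reason)
```

Run against the sample, the report lists the hidden driver with its module, service, file and registry corroboration, the injected DLL, and two objects GMER never flagged on their own: the service name H8SRTd.sys and the second DLL H8SRThoqxxrxoiy.dll, both caught only through the shared prefix. Explorer.EXE, the host process of the injected library, is correctly left out because it is neither a seed nor a prefix match.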


#4 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,060 posts
  • MVP

Posted 25 December 2009 - 08:10 AM

Hi.

Please do the following:

Download ComboFix from one of the links below. You must rename it to lucella.exe before saving it.
Save it to your desktop. Change the "Save as type" to "all files".

**Note: In the event you already have ComboFix, delete it; this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop.**

  • If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".


Link 1
Link 2



-----------------------------------------------------------


  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

    -----------------------------------------------------------

  • NOTE: If ComboFix asks to install the Recovery Console, please ALLOW it to do so.

    -----------------------------------------------------------

  • Double click on the renamed ComboFix.exe & follow the prompts. When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.

-----------------------------------------------------------


Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#5 lucella31

lucella31

    Authentic Member

  • Authentic Member
  • PipPip
  • 55 posts

Posted 25 December 2009 - 11:09 AM

OK, I have a problem! :smack: I have not run ComboFix yet as I cannot disable AVG, WinPatrol or MalwareBytes. For AVG, I must access the Control Center in the systray but this doesn't appear in Safe Mode. I tried to boot up again as normal, without entering Safe Mode, and my desktop is still frozen. I tried renaming the exe files for both AVG and WinPatrol, but programs are limited in Safe Mode. The only way around this is for me to completely remove the above programs. Should I do that or do you know what I must do to disable them and leave them on my system? I have ComboFix ready to run as you instructed, under lucella.exe. Just waiting for the OK from you to do it anyway. Thanks. :blush:

#6 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,060 posts
  • MVP

Posted 25 December 2009 - 11:33 AM

Hi. Please remove AVG and WinPatrol if you can; we can reinstall them later. Then go ahead and run ComboFix.



#7 lucella31

lucella31

    Authentic Member

  • Authentic Member
  • PipPip
  • 55 posts

Posted 25 December 2009 - 11:45 AM

OK, going to do this right now.....thanks.

#8 lucella31

lucella31

    Authentic Member

  • Authentic Member
  • PipPip
  • 55 posts

Posted 25 December 2009 - 12:57 PM

WinPatrol was not a problem. Had trouble removing all of AVG. A dll file couldn't be deleted so I renamed it, and I thought that helped, but ComboFix still detects a real-time scanner with AVG. ComboFix is running now, but not in Safe Mode as it restarted itself. I hope this is OK because I am letting ComboFix do its thing as it keeps rebooting the system. Scanning now...

#9 lucella31

lucella31

    Authentic Member

  • Authentic Member
  • PipPip
  • 55 posts

Posted 25 December 2009 - 01:21 PM

Finally am getting functionality out of the desktop!

Here's the ComboFix log:

ComboFix 09-12-24.02 - Amber 12/25/2009 10:55:38.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.682 [GMT -8:00]
Running from: h:\progs to use from whatthetech re 12-22-09 laptop\lucella.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Amber\LOCALS~1\Temp\wscsvc32.exe
c:\documents and settings\Amber\Application Data\.#
c:\documents and settings\Amber\Application Data\.#\MBX@113C@384170.###
c:\windows\kb913800.exe
c:\windows\system32\drivers\H8SRToqvptinbrr.sys
c:\windows\system32\H8SRTdiqhlsvkmg.dat
c:\windows\system32\H8SRThoqxxrxoiy.dll
c:\windows\system32\H8SRTxqsoebliiw.dll
c:\windows\system32\krl32mainweq.dll
c:\windows\system32\srcr.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_H8SRTd.sys
-------\Legacy_H8SRTd.sys


((((((((((((((((((((((((( Files Created from 2009-11-25 to 2009-12-25 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-25 17:48 . 2009-04-13 18:51 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-12-25 09:34 . 2005-12-16 23:17 -------- d-----w- c:\program files\Google
2009-12-23 18:45 . 2008-09-30 02:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-22 16:47 . 2008-09-13 11:13 -------- d-----w- c:\documents and settings\Amber\Application Data\Azureus
2009-12-21 02:38 . 2008-04-21 16:28 -------- d-----w- c:\program files\KaM - The Peasants Rebellion
2009-12-21 02:33 . 2007-01-29 09:10 -------- d-----w- c:\program files\Sierra
2009-12-21 02:33 . 2005-12-16 22:42 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-20 18:18 . 2009-07-21 09:35 -------- d-----w- c:\documents and settings\Amber\Application Data\vlc
2009-12-20 00:58 . 2007-12-29 22:40 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-12 17:37 . 2009-12-12 17:38 2065688 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-11-27 03:24 . 2009-12-12 17:38 3514648 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
2009-11-27 03:24 . 2009-12-12 17:38 2029336 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgtray.exe
2009-11-24 06:05 . 2008-09-13 11:12 -------- d-----w- c:\program files\Vuze
2009-11-19 19:48 . 2009-11-28 01:59 872960 ----a-w- c:\documents and settings\Amber\Application Data\Mozilla\Firefox\Profiles\878z64qr.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2009-11-19 19:48 . 2009-11-28 01:59 43008 ----a-w- c:\documents and settings\Amber\Application Data\Mozilla\Firefox\Profiles\878z64qr.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2009-11-19 19:48 . 2009-11-28 01:59 340480 ----a-w- c:\documents and settings\Amber\Application Data\Mozilla\Firefox\Profiles\878z64qr.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2009-11-19 19:48 . 2009-11-28 01:59 346624 ----a-w- c:\documents and settings\Amber\Application Data\Mozilla\Firefox\Profiles\878z64qr.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2009-11-10 00:17 . 2009-11-07 19:50 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-11-08 23:13 . 2009-11-08 23:09 -------- d-----w- c:\program files\MasqueGames
2009-11-08 19:50 . 2009-11-08 19:50 -------- d-----w- c:\program files\Play at Joe's
2009-11-08 02:58 . 2007-01-29 09:25 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-11-08 02:57 . 2009-11-08 02:57 -------- d-----w- c:\program files\Hasbro
2009-11-07 19:51 . 2009-11-07 19:51 1925024 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2009-10-29 07:46 . 2005-12-16 17:11 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2008-07-30 00:15 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2008-07-30 00:15 17408 ----a-w- c:\windows\system32\corpol.dll
2009-10-25 14:48 . 2009-10-25 14:12 570016 ----a-w- c:\program files\GoogleEarthSetup.exe
2009-10-21 05:38 . 2008-07-30 00:16 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 05:38 . 2008-07-30 00:16 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-20 21:33 . 2009-11-09 08:21 103424 ----a-w- c:\documents and settings\Amber\Application Data\Mozilla\Firefox\Profiles\878z64qr.default\extensions\piclens@cooliris.com\libs\pixomatic.dll
2009-10-20 21:33 . 2009-11-09 08:21 545280 ----a-w- c:\documents and settings\Amber\Application Data\Mozilla\Firefox\Profiles\878z64qr.default\extensions\piclens@cooliris.com\libs\PicLensHelper.exe
2009-10-20 21:33 . 2009-11-09 08:20 4716544 ----a-w- c:\documents and settings\Amber\Application Data\Mozilla\Firefox\Profiles\878z64qr.default\extensions\piclens@cooliris.com\components\cooliris.dll
2009-10-20 21:33 . 2009-11-09 08:20 153600 ----a-w- c:\documents and settings\Amber\Application Data\Mozilla\Firefox\Profiles\878z64qr.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
2009-10-20 21:33 . 2009-11-09 08:20 344064 ----a-w- c:\documents and settings\Amber\Application Data\Mozilla\Firefox\Profiles\878z64qr.default\extensions\piclens@cooliris.com\libs\LaunchCooliris.exe
2009-10-20 16:20 . 2008-07-30 00:15 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2008-07-30 00:15 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2008-07-30 00:15 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2008-07-30 00:15 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 11:40 . 2009-10-12 11:36 18527244 ----a-w- c:\program files\vlc-1.0.2-win32.exe
2009-09-27 17:37 . 2009-09-27 17:37 242 ----a-w- c:\documents and settings\Amber\jobq.dat
2009-09-27 17:33 . 2009-09-27 17:33 27529754 ----a-w- c:\program files\FSIndexing_Setup.exe
2009-07-21 09:20 . 2009-07-21 09:19 17828326 ----a-w- c:\program files\vlc-1.0.0-win32.exe
2009-07-21 01:33 . 2009-07-21 01:29 14566424 ----a-w- c:\program files\vlc-0.9.4-win32.exe
2009-02-15 08:07 . 2009-02-15 08:07 547488 ----a-w- c:\program files\GoogleEarthPluginSetup.exe
2009-02-08 01:39 . 2009-02-08 01:24 69076264 ----a-w- c:\program files\iTunesSetup.exe
2009-02-08 01:36 . 2009-02-08 01:24 19003017 ----a-w- c:\program files\iTunesSetup.exe.part
2008-12-06 00:23 . 2008-12-06 00:14 159721768 ----a-w- c:\program files\herods_lost_tomb-setup.exe
2008-12-06 00:19 . 2008-12-06 00:15 71266824 ----a-w- c:\program files\gourmania-setup.exe
2008-10-06 11:25 . 2008-10-06 11:26 50688 ----a-w- c:\program files\ATF-Cleaner.exe
2007-04-30 04:25 . 2007-04-30 04:25 251 -c--a-w- c:\program files\wt3d.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IndicatorUtility"="c:\program files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe" [2005-08-09 81920]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-11-10 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-10 602182]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Taskbar Wallpaper.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Taskbar Wallpaper.lnk
backup=c:\windows\pss\Taskbar Wallpaper.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Amber^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\Amber\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Amber^Start Menu^Programs^Startup^OpenOffice.org 2.4.lnk]
path=c:\documents and settings\Amber\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk
backup=c:\windows\pss\OpenOffice.org 2.4.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 08:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
2005-11-17 01:03 88203 ----a-r- c:\windows\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 09:43 69632 ----a-r- c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2004-07-02 11:48 163840 ----a-r- c:\program files\Apoint2K\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
2005-08-12 22:43 45056 ----a-w- c:\program files\ATI Technologies\ATI.ACE\CLI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2008-08-08 12:11 490952 ----a-w- c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-05 21:56 64512 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FJUPDNV_Chitose]
2005-11-18 09:44 303104 ----a-w- c:\program files\Fujitsu\fjdvrupd\fjdvrupd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-09-09 04:09 305440 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LoadBtnHnd]
2005-11-01 19:06 61440 ----a-w- c:\program files\Fujitsu\BtnHnd\BtnHnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LoadFUJ02E3]
2005-06-08 17:20 69632 ----a-w- c:\program files\Fujitsu\FUJ02E3\FUJ02E3.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LoadFujitsuQuickTouch]
2005-11-01 19:11 242688 ----a-w- c:\program files\Fujitsu\Application Panel\QuickTouch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2007-10-18 18:34 5724184 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 18:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 08:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2004-07-15 09:07 32768 ----a-w- c:\program files\CyberLink Codec\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2005-12-09 06:49 15691264 ----a-r- c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-04-13 18:08 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Webaroo]
2007-03-10 07:00 162864 ----a-w- c:\program files\Webaroo\WebarooClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\MakeDVD\\MakeDVD.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\TESTOUT\\CMI\\NAVIGATOR.EXE"=
"c:\\PROGRA~1\\TESTOUT\\cmi\\Navigator.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\taskmgr.exe"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\VS7DEBUG\\MDM.EXE"=
"c:\\Program Files\\Intel\\Wireless\\Bin\\iFrmewrk.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\ATI Technologies\\ATI.ACE\\CLI.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaws.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"49153:TCP"= 49153:TCP:*:Disabled:Azureus

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [9/18/2008 4:58 PM 28544]
R3 FUJ02E3;Fujitsu FUJ02E3 Device Driver;c:\windows\system32\drivers\fuj02e3.sys [12/16/2005 10:50 AM 4864]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys --> c:\windows\system32\Drivers\avgldx86.sys [?]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys --> c:\windows\system32\Drivers\avgtdix.sys [?]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe --> c:\progra~1\AVG\AVG8\avgwdsvc.exe [?]
S3 ADVNTDRV;ADVNTDRV;c:\windows\system32\drivers\ADVNTDRV.SYS [11/18/1999 12:20 AM 3872]
S3 AVUSBPVR;AVerMedia USB MPEG-2 Capture Device;c:\windows\system32\DRIVERS\avusbpvr.sys --> c:\windows\system32\DRIVERS\avusbpvr.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [9/29/2008 6:29 PM 38528]
S3 StreamSurge;StreamSurge Driver (miniport);c:\windows\system32\DRIVERS\ss.sys --> c:\windows\system32\DRIVERS\ss.sys [?]
S4 gupdate;Google Update Service (gupdate);"c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [9/8/2008 4:18 PM 717296]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://en.wikipedia.org/wiki/Main_Page
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
Trusted Zone: labmentors.com\course
TCP: {AB725217-DA8A-4A35-A698-7EB03F1ECB7E} = 192.168.0.1
FF - ProfilePath - c:\documents and settings\Amber\Application Data\Mozilla\Firefox\Profiles\878z64qr.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en.wikipedia.org/wiki/Main_Page
FF - component: c:\documents and settings\Amber\Application Data\Mozilla\Firefox\Profiles\878z64qr.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\documents and settings\Amber\Application Data\Mozilla\Firefox\Profiles\878z64qr.default\extensions\piclens@cooliris.com\components\cooliris.dll
FF - plugin: c:\documents and settings\Amber\Application Data\Mozilla\Firefox\Profiles\878z64qr.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - HiddenExtension: XUL Cache: {64072CD2-2C5E-42E1-B165-E99006162C9D} - c:\documents and settings\Amber\Local Settings\Application Data\{64072CD2-2C5E-42E1-B165-E99006162C9D}
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

Notify-avgrsstarter - avgrsstx.dll
MSConfigStartUp-AVG8_TRAY - c:\progra~1\AVG\AVG8\avgtray.exe
MSConfigStartUp-Btikesogolog - c:\windows\olelirikij.dll
MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe
AddRemove-Build-a-lot 2 - Town of the Year [h33t] [oi812heet] - c:\windows\Build-a-lot 2 - Town of the Year [h33t] [oi812heet]\uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-25 11:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3930503046-423339824-1048491305-1005\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:f5,92,c2,b1,ad,81,b6,80,a6,c5,23,d4,df,6d,69,75,3d,50,76,b2,d2,7f,00,
fa,f4,15,b0,11,ae,97,44,07,4f,eb,de,90,46,c7,8c,bf,7e,b1,c0,10,76,4c,80,e8,\
"??"=hex:60,f8,37,1a,81,4a,65,5d,86,0b,f0,93,a7,a6,65,9d

[HKEY_USERS\S-1-5-21-3930503046-423339824-1048491305-1005\Software\SecuROM\License information*]
"datasecu"=hex:a3,a5,3b,13,13,f1,6c,e0,1b,60,c2,60,17,5f,85,62,60,10,8f,14,6b,
df,fc,65,b9,88,e4,03,c1,ff,6f,e5,08,3c,97,d2,e3,64,81,2b,b2,da,58,2c,1a,93,\
"rkeysecu"=hex:8c,f2,6b,31,b8,4c,0a,93,1d,be,11,a7,a6,19,5d,ea
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1000)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2008)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\program files\Windows Media Player\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\rundll32.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
.
**************************************************************************
.
Completion time: 2009-12-25 11:12:34 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-25 19:12
ComboFix2.txt 2009-04-13 17:37

Pre-Run: 65,151,803,392 bytes free
Post-Run: 65,169,170,432 bytes free

- - End Of File - - 2992BBCA050219A89F109E7FC67326FB

#10 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,060 posts
  • MVP

Posted 25 December 2009 - 02:54 PM

Hi,

Please do the following:
  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.




NEXT


Run an on-line scan with Kaspersky

Using Internet Explorer or Firefox, visit Kaspersky On-line Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
3. Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.

  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply


In your next reply please include
  • MBAM Log
  • Kaspersky report




#11 lucella31

lucella31

    Authentic Member

  • Authentic Member
  • PipPip
  • 55 posts

Posted 25 December 2009 - 04:47 PM

...in the process of scanning with MalwareBytes right now.... thanks so far! looking better! :woot:

#12 lucella31

lucella31

    Authentic Member

  • Authentic Member
  • PipPip
  • 55 posts

Posted 25 December 2009 - 04:55 PM

Um, Malwarebytes found nothing so I am not seeing the Show Results screen or tab you are talking about. A log in notepad automatically popped up though. Do I just continue with whatever does come up per your instructions?

#13 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,060 posts
  • MVP

Posted 25 December 2009 - 05:47 PM

Hi. Yes, if nothing was found, a log will display stating that. Please continue with the Kaspersky scan; it can take several hours, so please allow it to finish.



#14 lucella31

lucella31

    Authentic Member

  • Authentic Member
  • PipPip
  • 55 posts

Posted 26 December 2009 - 01:35 AM

Hello, I have the logs for MBAM and Kaspersky. Finally I was able to use my laptop and connect to the internet to run these last 2 programs and save the reports. :D I'm sure I'm close to the "all clean" from you. Just a sidenote: I was wondering if the rootkit that was found affected the GoogleUpdate and Google Installer popups or was that a separate issue? I have them deleted or disabled and not so concerned with their availability at this point, but I'm just curious. Also, do you know offhand if the rootkit was connected to Malware Defense? Thanks!

Malwarebytes' Anti-Malware 1.42
Database version: 3289
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

12/25/2009 2:49:32 PM
mbam-log-2009-12-25 (14-49-32).txt

Scan type: Quick Scan
Objects scanned: 113938
Time elapsed: 5 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Friday, December 25, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Saturday, December 26, 2009 00:30:42
Records in database: 3411896
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
G:\
H:\

Scan statistics:
Objects scanned: 134285
Threats found: 4
Infected objects found: 5
Suspicious objects found: 0
Scan duration: 04:48:41

File name / Threat / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1AA977E0.exe Infected: not-a-virus:AdWare.Win32.180Solutions.as 1
C:\Program Files\MSN Games\Burger Shop\Launch.exe Infected: Trojan.Win32.Inject.afnt 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\H8SRToqvptinbrr.sys.vir Infected: Trojan.Win32.Tdss.avbu 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\H8SRThoqxxrxoiy.dll.vir Infected: Packed.Win32.TDSS.aa 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\H8SRTxqsoebliiw.dll.vir Infected: Packed.Win32.TDSS.aa 1

Selected area has been scanned.

Edited by lucella31, 26 December 2009 - 01:38 AM.
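The three logs in this thread are easiest to read together: which files GMER tagged as rootkit components, whether ComboFix's "Other Deletions" section removed them, and which of Kaspersky's hits are only ComboFix's own quarantine copies under C:\Qoobox\Quarantine (the reason for "Do NOT be alarmed by what you see in the report") versus files still live on disk. The following script is an added example, not code from the thread or from any of the tools; the log excerpts are copied from the posts above, and the function names (`triage` and its helpers) are my own.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample excerpts, copied from the GMER, ComboFix and Kaspersky logs
# posted in this thread and trimmed to the entries that matter here.
GMER_LOG = r"""
File C:\WINDOWS\system32\drivers\H8SRToqvptinbrr.sys 39936 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\H8SRTdiqhlsvkmg.dat 202 bytes
File C:\WINDOWS\system32\H8SRThoqxxrxoiy.dll 23040 bytes executable
File C:\WINDOWS\system32\H8SRTxqsoebliiw.dll 36864 bytes executable
"""
COMBOFIX_LOG = r"""
((((((((((((((((((((( Other Deletions )))))))))))))))))))))
.
c:\docume~1\Amber\LOCALS~1\Temp\wscsvc32.exe
c:\windows\system32\drivers\H8SRToqvptinbrr.sys
c:\windows\system32\H8SRTdiqhlsvkmg.dat
c:\windows\system32\H8SRThoqxxrxoiy.dll
c:\windows\system32\H8SRTxqsoebliiw.dll
.
((((((((((((((((((((( Drivers/Services )))))))))))))))))))))
.
-------\Service_H8SRTd.sys
"""
KASPERSKY_REPORT = r"""
File name / Threat / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1AA977E0.exe Infected: not-a-virus:AdWare.Win32.180Solutions.as 1
C:\Program Files\MSN Games\Burger Shop\Launch.exe Infected: Trojan.Win32.Inject.afnt 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\H8SRToqvptinbrr.sys.vir Infected: Trojan.Win32.Tdss.avbu 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\H8SRThoqxxrxoiy.dll.vir Infected: Packed.Win32.TDSS.aa 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\H8SRTxqsoebliiw.dll.vir Infected: Packed.Win32.TDSS.aa 1
Selected area has been scanned.
"""

GMER_FILE_RE = re.compile(r"^File\s+(?P<path>[A-Za-z]:\\.*?)\s+\d+ bytes\b(?P<rest>.*)$")
CF_SECTION_RE = re.compile(r"^\({3,}\s*(?P<name>.+?)\s*\){3,}$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")
KAV_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?)\s+Infected:\s+(?P<threat>\S+)\s+\d+$")
# ComboFix keeps a copy of each deleted file as C:\Qoobox\Quarantine\<drive>\<original path>.vir
QOOBOX_RE = re.compile(r"^[A-Za-z]:\\qoobox\\quarantine\\(?P<drive>[A-Za-z])\\(?P<rest>.+)\.vir$", re.I)


def norm(path: str) -> str:
    # ComboFix prints paths in lower case; GMER and Kaspersky keep the original case
    return path.strip().lower()

def gmer_rootkit_files(log: str) -> List[str]:
    # Only entries GMER itself tagged "<-- ROOTKIT"; other hidden files are not counted here
    hits = []
    for line in log.splitlines():
        m = GMER_FILE_RE.match(line.strip())
        if m and "<-- ROOTKIT" in m.group("rest"):
            hits.append(norm(m.group("path")))
    return hits

def combofix_section(log: str, wanted: str) -> List[str]:
    # Path entries listed under one "((( section )))" header of a ComboFix log
    entries, inside = [], False
    for raw in log.splitlines():
        line = raw.strip()
        m = CF_SECTION_RE.match(line)
        if m:
            inside = m.group("name").lower() == wanted.lower()
        elif inside and PATH_RE.match(line):
            entries.append(norm(line))
    return entries

def kaspersky_findings(report: str) -> List[Tuple[str, str]]:
    # (path, threat name) pairs from the "File name / Threat / Threats count" table
    out = []
    for line in report.splitlines():
        m = KAV_RE.match(line.strip())
        if m:
            out.append((m.group("path"), m.group("threat")))
    return out

def quarantine_origin(path: str) -> Optional[str]:
    # Map a Qoobox quarantine copy back to the path it was deleted from, else None
    m = QOOBOX_RE.match(path)
    return norm(f"{m.group('drive')}:\\{m.group('rest')}") if m else None

def triage(gmer: str, combofix: str, kaspersky: str) -> Dict[str, list]:
    # confirmed_quarantined: files ComboFix deleted that Kaspersky now sees only as Qoobox .vir copies
    # still_live: Kaspersky hits outside any quarantine folder, i.e. files that still need removing
    # not_removed: GMER rootkit files that do not appear in ComboFix's "Other Deletions"
    flagged = set(gmer_rootkit_files(gmer))
    deleted = set(combofix_section(combofix, "Other Deletions"))
    result: Dict[str, list] = {"confirmed_quarantined": [], "still_live": [],
                               "not_removed": sorted(flagged - deleted)}
    for path, threat in kaspersky_findings(kaspersky):
        origin = quarantine_origin(path)
        if origin is not None and origin in deleted:
            result["confirmed_quarantined"].append((origin, threat))
        elif "\\quarantine\\" not in norm(path):
            result["still_live"].append((norm(path), threat))
        # anything else is a copy inside some product's quarantine folder: already contained
    return result
```

On these excerpts the only entry in `still_live` is the Burger Shop `Launch.exe`, which is exactly the one file the helper asks to be deleted in the next post.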


#15 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,060 posts
  • MVP

Posted 26 December 2009 - 08:45 AM

Hi,

Please do the following:

Go Start > Run and copy/paste the following single-line command into the Run box and click OK:

cmd /c del /f/a/q "C:\Program Files\MSN Games\Burger Shop\Launch.exe"


Next

Please post a fresh DDS and Attach.txt and advise how your computer is running now and if there are any outstanding issues.


The google update issues may very well have been affected by the malware.
The rogue security program is a separate infection from the rootkit, but you may have been infected with both at the same time from the same download.

