malware and missing drive


  • This topic is locked

#16
patndoris

    Trusted Helper

  • Malware Removal
  • 228 posts
Please start by rebooting your machine.

It doesn't look like the Combofix script ran properly. Please try again, making sure to follow the directions very carefully. We don't just want to run Combofix again, we want to drag that script over so it runs a fix.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

DDS::
uInternet Settings,ProxyServer = http=127.0.0.2:58465

File::
c:\users\tuche\AppData\Local\BITE9D8.tmp
c:\windows\system32\termvw32.dll
c:\windows\system32\config\systemprofile\AppData\Local\wry.exe

Firefox::
FF - ProfilePath - c:\users\tuche\AppData\Roaming\Mozilla\Firefox\Profiles\c3pvi0o4.default\
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 58465


Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe. ComboFix may request an update; please allow it.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
  • 0
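The DDS:: and Firefox:: lines in the script above undo a proxy hijack: Internet Explorer (through the WinINet ProxyServer setting) and Firefox (through the network.proxy.* preferences) had both been pointed at a listener on the loopback address, port 58465, so a local process could sit between the browser and every web request. The following Python check is an added example, not something from this thread or from ComboFix: it scans ComboFix/DDS-style log lines for proxy settings that point at the local host. The sample lines are constructed from the values reported in the thread; the network.proxy.type numbering (0 direct, 1 manual, 2 PAC, 4 auto-detect, 5 system) is Firefox's own.

```python
import ipaddress
import re

# Constructed sample in the style of a ComboFix/DDS "Supplementary Scan" section;
# the values are the ones reported in this thread.
SAMPLE_LOG = """\
mStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyServer = http=127.0.0.2:58465
uInternet Settings,ProxyOverride = *.local
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 58465
FF - prefs.js: network.proxy.type - 4
"""

# DDS prefixes the WinINet setting with u (per-user hive) or m (machine hive).
IE_PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(.+)$")
# Firefox preferences as ComboFix prints them: "FF - prefs.js: <name> - <value>"
FF_PREF_RE = re.compile(r"^FF - (?:prefs|user)\.js: (network\.proxy\.\S+) - (.*)$")

# Firefox network.proxy.type values; only 1 (manual) actually uses network.proxy.http.
FF_PROXY_TYPE = {0: "direct", 1: "manual", 2: "pac", 4: "auto-detect", 5: "system"}


def parse_ie_proxy(value):
    """Split a WinINet ProxyServer string ('http=host:port;https=host:port' or a
    bare 'host:port') into (scheme, host, port) tuples."""
    endpoints = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.rpartition("=")   # scheme is empty for a bare host:port
        host, _, port = hostport.rpartition(":")
        if not host:                                  # no ':' present -> host only
            host, port = hostport, ""
        endpoints.append((scheme or "all", host, int(port) if port.isdigit() else None))
    return endpoints


def is_loopback(host):
    """True for 127.0.0.0/8, ::1 or 'localhost': traffic would go to a local listener."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host.lower() == "localhost"


def find_proxy_hijacks(log_text):
    """Return one finding per browser proxy setting that points at the local host."""
    findings = []
    ff_prefs = {}
    for line in log_text.splitlines():
        m = IE_PROXY_RE.match(line)
        if m:
            for scheme, host, port in parse_ie_proxy(m.group(1)):
                if is_loopback(host):
                    findings.append(
                        f"IE/WinINet {scheme} proxy -> {host}:{port} (loopback listener)")
            continue
        m = FF_PREF_RE.match(line)
        if m:
            ff_prefs[m.group(1)] = m.group(2).strip()

    host = ff_prefs.get("network.proxy.http")
    if host and is_loopback(host):
        port = ff_prefs.get("network.proxy.http_port", "?")
        type_val = ff_prefs.get("network.proxy.type", "0")
        mode = FF_PROXY_TYPE.get(int(type_val), "unknown") if type_val.isdigit() else "unknown"
        # With any type other than manual the entry is not in use, but it is still a
        # leftover of the hijack and worth removing, so report it either way.
        status = "active" if mode == "manual" else f"dormant, proxy type is {mode}"
        findings.append(f"Firefox http proxy -> {host}:{port} (loopback listener, {status})")
    return findings


if __name__ == "__main__":
    for finding in find_proxy_hijacks(SAMPLE_LOG):
        print(finding)
```

Run against the sample it reports the IE proxy at 127.0.0.2:58465 and the Firefox entry at 127.0.0.1:58465; the Firefox one is marked dormant because the profile has network.proxy.type 4, which is exactly why the script still removes it: a leftover manual proxy is re-armed the moment the type is switched back to 1.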



#17
lilian

    Member

  • Topic Starter
  • Member
  • 97 posts
ComboFix 11-08-16.05 - tuche 08/19/2011 15:46:46.5.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1789.1126 [GMT -4:00]
Running from: c:\users\tuche\Desktop\ComboFix.exe
Command switches used :: c:\users\tuche\Desktop\cfscript.txt
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\users\tuche\AppData\Local\BITE9D8.tmp"
"c:\windows\system32\config\systemprofile\AppData\Local\wry.exe"
"c:\windows\system32\termvw32.dll"
.
.
((((((((((((((((((((((((( Files Created from 2011-07-19 to 2011-08-19 )))))))))))))))))))))))))))))))
.
.
2011-08-19 19:59 . 2011-08-19 20:01 -------- d-----w- c:\users\tuche\AppData\Local\temp
2011-08-19 19:59 . 2011-08-19 19:59 -------- d-----w- c:\users\Public\AppData\Local\temp
2011-08-19 19:59 . 2011-08-19 19:59 -------- d-----w- c:\users\jennifer and charlot\AppData\Local\temp
2011-08-19 19:59 . 2011-08-19 19:59 -------- d-----w- c:\users\Guest\AppData\Local\temp
2011-08-19 19:59 . 2011-08-19 19:59 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-08-11 00:44 . 2011-07-06 14:56 213504 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-08-11 00:18 . 2011-08-11 00:18 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-11 00:11 . 2011-08-19 19:47 7680 ----a-w- c:\windows\system\svchost.exe
2011-08-01 14:31 . 2011-08-01 14:31 218624 ----a-w- c:\windows\system32\termvw32.dll
2011-08-01 07:01 . 2009-10-09 21:56 2048 ----a-w- c:\windows\system32\winrsmgr.dll
2011-07-30 21:32 . 2011-06-02 12:59 2042368 ----a-w- c:\windows\system32\win32k.sys
2011-07-30 19:39 . 2011-04-20 14:47 375808 ----a-w- c:\windows\system32\winsrv.dll
2011-07-30 19:39 . 2011-04-20 14:44 49152 ----a-w- c:\windows\system32\csrsrv.dll
2011-07-30 19:37 . 2010-12-20 15:39 563200 ----a-w- c:\windows\system32\oleaut32.dll
2011-07-30 16:47 . 2011-07-30 16:47 0 ---ha-w- c:\users\tuche\AppData\Local\BITE9D8.tmp
2011-07-29 15:36 . 2011-02-16 15:29 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-07-29 15:36 . 2011-02-16 13:24 292864 ----a-w- c:\windows\system32\atmfd.dll
2011-07-29 15:36 . 2010-12-28 14:57 409600 ----a-w- c:\windows\system32\odbc32.dll
2011-07-29 15:36 . 2010-12-28 14:56 708608 ----a-w- c:\program files\Common Files\System\ado\msado15.dll
2011-07-29 15:36 . 2010-12-28 14:56 57344 ----a-w- c:\program files\Common Files\System\msadc\msadcs.dll
2011-07-29 15:36 . 2010-12-28 14:56 253952 ----a-w- c:\program files\Common Files\System\ado\msadox.dll
2011-07-29 15:36 . 2010-12-28 14:56 241664 ----a-w- c:\program files\Common Files\System\ado\msadomd.dll
2011-07-29 15:36 . 2010-12-28 14:56 180224 ----a-w- c:\program files\Common Files\System\msadc\msadco.dll
2011-07-29 15:33 . 2011-02-22 12:51 69632 ----a-w- c:\windows\system32\drivers\bowser.sys
2011-07-29 15:32 . 2010-12-14 15:49 1169408 ----a-w- c:\windows\system32\sdclt.exe
2011-07-29 15:32 . 2011-02-17 06:23 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-07-28 21:31 . 2011-07-28 21:32 -------- d-----w- c:\program files\Shop to Win 3
2011-07-28 21:31 . 2011-07-28 21:31 -------- d-----w- c:\program files\Shop To Win
2011-07-28 21:31 . 2011-07-28 21:31 -------- d-----w- c:\program files\Conduit
2011-07-28 21:31 . 2011-07-28 21:31 -------- d-----w- c:\program files\WhiteSmoke_Bar
2011-07-28 21:30 . 2011-08-16 21:33 -------- d-----w- c:\program files\FinderQuery Addon
2011-07-28 21:30 . 2011-08-16 21:33 -------- d-----w- c:\program files\IspAssistant Addon
2011-07-28 17:27 . 2011-04-14 14:24 75264 ----a-w- c:\windows\system32\drivers\dfsc.sys
2011-07-28 17:27 . 2010-10-15 14:08 3548048 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-07-28 17:27 . 2010-10-15 13:48 1205080 ----a-w- c:\windows\system32\ntdll.dll
2011-07-28 17:27 . 2010-10-15 14:08 3600272 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-07-28 17:26 . 2011-03-10 16:12 1161728 ----a-w- c:\windows\system32\mfc42u.dll
2011-07-28 17:26 . 2011-03-10 16:12 1136640 ----a-w- c:\windows\system32\mfc42.dll
2011-07-28 17:23 . 2011-02-18 13:31 304640 ----a-w- c:\windows\system32\drivers\srv.sys
2011-07-28 17:23 . 2011-03-02 14:49 86528 ----a-w- c:\windows\system32\dnsrslvr.dll
2011-07-28 17:23 . 2009-05-04 10:11 25088 ----a-w- c:\windows\system32\dnscacheugc.exe
2011-07-28 17:23 . 2011-04-21 13:16 273408 ----a-w- c:\windows\system32\drivers\afd.sys
2011-07-28 17:20 . 2011-04-29 12:49 146432 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-07-28 17:20 . 2011-04-29 12:49 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-06 23:52 . 2010-02-15 14:05 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 23:52 . 2010-02-15 14:05 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-20 12:57 . 2011-06-29 19:46 7074640 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{AD8B4F99-E108-47E5-9C8C-2A75F49BDCBB}\mpengine.dll
2011-05-28 06:08 . 2011-06-29 19:18 916480 ----a-w- c:\windows\system32\wininet.dll
2011-05-28 06:04 . 2011-06-29 19:18 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-05-28 06:04 . 2011-06-29 19:18 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-05-28 06:04 . 2011-06-29 19:18 109056 ----a-w- c:\windows\system32\iesysprep.dll
2011-05-28 06:04 . 2011-06-29 19:18 71680 ----a-w- c:\windows\system32\iesetup.dll
2011-05-28 05:10 . 2011-06-29 19:18 385024 ----a-w- c:\windows\system32\html.iec
2011-05-28 04:33 . 2011-06-29 19:18 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2011-05-28 04:31 . 2011-06-29 19:18 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-05-24 23:14 . 2009-10-02 03:56 222080 ------w- c:\windows\system32\MpSigStub.exe
.
.
((((((((((((((((((((((((((((( [email protected]_21.46.34 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-11-02 13:05 . 2011-08-19 13:07 83502 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-10-25 08:15 . 2011-08-16 21:17 17180 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-173749480-65635683-1868834750-1003_UserData.bin
+ 2008-10-25 08:15 . 2011-08-19 13:07 17180 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-173749480-65635683-1868834750-1003_UserData.bin
+ 2011-08-19 10:53 . 2011-08-19 00:04 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012011081920110820\index.dat
+ 2011-08-17 09:08 . 2011-08-16 22:47 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012011081720110818\index.dat
+ 2009-02-18 17:31 . 2011-08-16 23:17 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-02-18 17:31 . 2011-08-11 14:12 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-02-18 17:31 . 2011-08-15 19:53 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-02-18 17:31 . 2011-08-16 23:17 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-02-18 17:31 . 2011-08-11 14:12 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-02-18 17:31 . 2011-08-16 23:17 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-11-14 00:49 . 2011-08-16 21:14 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-11-14 00:49 . 2011-08-19 13:04 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-11-14 00:49 . 2011-08-19 13:04 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-11-14 00:49 . 2011-08-16 21:14 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2006-11-02 10:25 . 2011-08-16 21:16 86016 c:\windows\inf\infpub.dat
+ 2006-11-02 10:25 . 2011-08-19 19:47 86016 c:\windows\inf\infpub.dat
- 2011-08-16 21:14 . 2011-08-16 21:14 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-08-16 21:14 . 2011-08-19 13:04 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2011-08-16 21:14 . 2011-08-16 21:14 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-08-16 21:14 . 2011-08-19 13:04 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2007-10-20 00:37 . 2007-10-20 00:37 190072 c:\windows\System32\Macromed\Flash\FlashUtil9b.exe
- 2010-06-05 23:25 . 2011-08-15 23:51 262144 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2010-06-05 23:25 . 2011-08-16 22:47 262144 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2008-10-25 08:10 . 2011-08-16 21:14 229376 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-10-25 08:10 . 2011-08-19 16:42 229376 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-10-25 08:10 . 2011-08-19 16:42 966656 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-10-25 08:10 . 2011-08-16 21:14 966656 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2006-11-02 10:25 . 2011-08-19 19:47 143360 c:\windows\inf\infstrng.dat
- 2006-11-02 10:25 . 2011-08-16 21:16 143360 c:\windows\inf\infstrng.dat
- 2010-03-08 05:46 . 2011-08-16 21:14 8159232 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-03-08 05:46 . 2011-08-19 16:42 8159232 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-01-03 09:00 39472 ----a-w- c:\acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-05 39408]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-17 3872080]
"ooVoo.exe"="c:\program files\oovoo\oovoo.exe" [2011-05-18 22631608]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2008-01-21 215552]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-17 3872080]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-11-02 8704]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Empowering Technology Launcher.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Empowering Technology Launcher.lnk
backup=c:\windows\pss\Empowering Technology Launcher.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Assist Launcher]
2007-11-19 22:17 1261568 ----a-w- c:\program files\Acer\Acer Assist\launcher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eDataSecurity Loader]
2008-01-03 08:55 521776 ----a-w- c:\acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-21 02:25 125952 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HelpCenter4.1]
2008-06-18 07:13 198184 ----a-w- c:\program files\FastAccessDSL\HelpCenter43\bin\sprtcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-04-02 23:11 342312 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
2007-10-11 19:06 62760 ------w- c:\program files\CyberLink\PowerDVD\Language\Language.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]
2008-01-07 23:51 858632 ----a-w- c:\progra~1\LAUNCH~1\LManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2009-05-27 04:06 4351216 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2010-04-17 03:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PLFSetI]
2007-10-23 17:56 200704 ----a-w- c:\windows\PLFSetI.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PLFSetL]
2007-07-05 19:35 94208 ----a-w- c:\windows\PLFSetL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2008-01-22 21:23 81920 ------w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2008-01-08 00:25 4853760 ----a-w- c:\windows\RtHDVCpl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2008-01-21 02:23 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-10-26 04:17 136600 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-01-05 21:42 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPStart]
2007-09-07 19:35 102400 ----a-w- c:\program files\Synaptics\SynTP\SynTPStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-21 02:23 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Mobile-based device management]
2008-01-21 02:23 215552 ----a-w- c:\windows\WindowsMobile\wmdSync.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-21 02:25 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate1c9b4a777de65e4;Google Update Service (gupdate1c9b4a777de65e4);c:\program files\Google\Update\GoogleUpdate.exe [2009-04-03 133104]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2008-01-21 179712]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2009-04-03 133104]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-07-06 41272]
R3 Ph3xIB32;Philips 713x Inbox PCI TV Card;c:\windows\system32\DRIVERS\Ph3xIB32.sys [2007-04-03 1131136]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2008-05-06 11520]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 AGWinService;AG Windows Service;c:\program files\AGI\common\win32\PythonService.exe [2008-10-25 10240]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S0 O2MDRDR;O2MDRDR;c:\windows\system32\DRIVERS\o2media.sys [2007-04-03 39680]
S0 O2SDRDR;O2SDRDR;c:\windows\system32\DRIVERS\o2sd.sys [2007-04-03 35712]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-07-06 366640]
S2 TermServices;Remote Desktop Service;c:\windows\System32\svchost.exe [2008-01-21 21504]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-07-06 22712]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
getPlusHelper REG_MULTI_SZ getPlusHelper
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
termvvc REG_MULTI_SZ TermServices
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 11:32 128512 ----a-w- c:\windows\System32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-03 21:58]
.
2011-08-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-03 21:58]
.
2011-01-03 c:\windows\Tasks\User_Feed_Synchronization-{8D48BC85-7DF9-46EB-A599-73C58B86D96C}.job
- c:\windows\system32\msfeedssync.exe [2011-06-29 04:32]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\users\tuche\AppData\Roaming\Mozilla\Firefox\Profiles\c3pvi0o4.default\
FF - prefs.js: browser.search.selectedEngine -
FF - prefs.js: browser.startup.homepage - hxxp://www.mystart.com?pr=oovoo2_0
FF - prefs.js: keyword.URL - hxxp://ispassistant.com/?clid=0628b24ffbbd4eac91018d28efe6bd0e&prt=ispassistantbho&tmp=ispassistant_results&keywords=
FF - prefs.js: network.proxy.type - 4
FF - user.js: keyword.URL - hxxp://finderquery.com/?tmp=redir_bho_bing&prt=whitesmokefqbho&keywords=
FF - user.js: keyword.enabled - 1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-19 16:01
Windows 6.0.6001 Service Pack 1 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0007\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(3232)
c:\acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
c:\acer\Empowering Technology\eDataSecurity\x86\sysenv.dll
.
Completion time: 2011-08-19 16:06:06
ComboFix-quarantined-files.txt 2011-08-19 20:06
ComboFix2.txt 2011-08-19 00:23
ComboFix3.txt 2011-08-16 21:52
ComboFix4.txt 2010-05-16 00:22
.
Pre-Run: 1,823,768,576 bytes free
Post-Run: 1,854,861,312 bytes free
.
- - End Of File - - 9B906AA6A89D92F43C6BE0E179B2ED73
  • 0

#18
patndoris

    Trusted Helper

  • Malware Removal
  • 228 posts
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\users\tuche\AppData\Local\BITE9D8.tmp
c:\windows\system32\termvw32.dll

Driver::
TermServices

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
"termvvc"=-



Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe. ComboFix may request an update; please allow it.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Also, please let me know how the machine is running now.
  • 0
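The Driver:: and Registry:: lines above remove a service named TermServices that runs inside svchost.exe from a svchost group of its own (termvvc in the earlier log), together with the termvw32.dll file. The legitimate Remote Desktop service is TermService, so the name is a one-letter lookalike hiding among the real svchost-hosted services. The following Python check is an added example, not code from the thread or from ComboFix: it parses the service list and the svchost group key from ComboFix-style log lines and flags svchost-hosted services that sit in no group, run an svchost.exe outside System32, or carry a name that is a near-miss of a built-in service name. The sample lines are constructed from the thread's log, and KNOWN_SERVICES is a short, non-exhaustive list assumed for the example.

```python
import re

# Constructed sample in the style of ComboFix's "Reg Loading Points" section;
# the lines are taken from the log posted earlier in this thread.
SAMPLE_LOG = r"""
R2 gupdate1c9b4a777de65e4;Google Update Service (gupdate1c9b4a777de65e4);c:\program files\Google\Update\GoogleUpdate.exe [2009-04-03 133104]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-07-06 41272]
S2 TermServices;Remote Desktop Service;c:\windows\System32\svchost.exe [2008-01-21 21504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
getPlusHelper REG_MULTI_SZ getPlusHelper
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
termvvc REG_MULTI_SZ TermServices
"""

# "R2 name;display name;path [date size]" lines of the service list
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[[^\]]*\]\s*$")
# "group REG_MULTI_SZ member member ..." lines under the svchost key
GROUP_RE = re.compile(r"^(\S+)\s+REG_MULTI_SZ\s+(.*)$")

# Assumed, non-exhaustive list of real Windows service names for lookalike checks.
KNOWN_SERVICES = {"TermService", "Schedule", "wuauserv", "BITS", "Dnscache", "RpcSs",
                  "LanmanServer", "LanmanWorkstation", "Winmgmt", "EventLog", "Themes"}


def levenshtein(a, b):
    """Edit distance, used to spot one- or two-character lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_log(text):
    """Return ({service: (state, display, path)}, {group: [members]})."""
    services, groups = {}, {}
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            services[m.group(2)] = (m.group(1), m.group(3), m.group(4))
            continue
        m = GROUP_RE.match(line)
        if m:
            # ComboFix joins REG_MULTI_SZ members with spaces, so member names that
            # themselves contain spaces cannot be recovered; whitespace split is the best we get.
            groups[m.group(1)] = m.group(2).split()
    return services, groups


def find_rogue_svchost_services(text):
    """Flag services run through svchost.exe that do not fit the normal pattern."""
    services, groups = parse_log(text)
    hosted_by = {m.lower(): g for g, members in groups.items() for m in members}
    findings = []
    for name, (_state, display, path) in services.items():
        low = path.lower()
        if not low.endswith("\\svchost.exe"):
            continue
        if "\\system32\\" not in low:
            findings.append(f"{name}: svchost.exe outside System32 ({path})")
        group = hosted_by.get(name.lower())
        if group is None:
            findings.append(f"{name}: hosted by svchost.exe but listed in no svchost group")
            continue
        for known in sorted(KNOWN_SERVICES):
            d = levenshtein(name.lower(), known.lower())
            if 0 < d <= 2:
                findings.append(
                    f"{name} (group {group}, '{display}'): lookalike of built-in service {known}")
    return findings


if __name__ == "__main__":
    for finding in find_rogue_svchost_services(SAMPLE_LOG):
        print(finding)
```

On the sample this yields a single finding for TermServices in group termvvc as a lookalike of TermService; the Google and Malwarebytes entries are not svchost-hosted and are skipped. An exact match with a built-in name is deliberately not flagged, so a genuine TermService entry in its normal group passes cleanly.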

#19
lilian

    Member

  • Topic Starter
  • Member
  • 97 posts
As you already know, after I get the ComboFix log I have to shut down my PC and restart so that I can use my programs. It still says they are marked for deletion, so that's my update for you. Other than that, things seem to be working fine.


ComboFix 11-08-16.05 - tuche 08/21/2011 13:53:40.6.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1789.1070 [GMT -4:00]
Running from: c:\users\tuche\Desktop\ComboFix.exe
Command switches used :: c:\users\tuche\Desktop\cfscript.txt
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\users\tuche\AppData\Local\BITE9D8.tmp"
"c:\windows\system32\termvw32.dll"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_TermServices
.
.
((((((((((((((((((((((((( Files Created from 2011-07-21 to 2011-08-21 )))))))))))))))))))))))))))))))
.
.
2011-08-21 18:06 . 2011-08-21 18:31 -------- d-----w- c:\users\tuche\AppData\Local\temp
2011-08-21 18:06 . 2011-08-21 18:06 -------- d-----w- c:\users\Public\AppData\Local\temp
2011-08-21 18:06 . 2011-08-21 18:06 -------- d-----w- c:\users\jennifer and charlot\AppData\Local\temp
2011-08-21 18:06 . 2011-08-21 18:06 -------- d-----w- c:\users\Guest\AppData\Local\temp
2011-08-21 18:06 . 2011-08-21 18:06 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-08-11 00:44 . 2011-07-06 14:56 213504 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-08-11 00:18 . 2011-08-11 00:18 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-11 00:11 . 2011-08-21 18:07 7680 ----a-w- c:\windows\system\svchost.exe
2011-08-01 14:31 . 2011-08-01 14:31 218624 ----a-w- c:\windows\system32\termvw32.dll
2011-08-01 07:01 . 2009-10-09 21:56 2048 ----a-w- c:\windows\system32\winrsmgr.dll
2011-07-30 21:32 . 2011-06-02 12:59 2042368 ----a-w- c:\windows\system32\win32k.sys
2011-07-30 19:39 . 2011-04-20 14:47 375808 ----a-w- c:\windows\system32\winsrv.dll
2011-07-30 19:39 . 2011-04-20 14:44 49152 ----a-w- c:\windows\system32\csrsrv.dll
2011-07-30 19:37 . 2010-12-20 15:39 563200 ----a-w- c:\windows\system32\oleaut32.dll
2011-07-30 16:47 . 2011-07-30 16:47 0 ---ha-w- c:\users\tuche\AppData\Local\BITE9D8.tmp
2011-07-29 15:36 . 2011-02-16 15:29 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-07-29 15:36 . 2011-02-16 13:24 292864 ----a-w- c:\windows\system32\atmfd.dll
2011-07-29 15:36 . 2010-12-28 14:57 409600 ----a-w- c:\windows\system32\odbc32.dll
2011-07-29 15:36 . 2010-12-28 14:56 708608 ----a-w- c:\program files\Common Files\System\ado\msado15.dll
2011-07-29 15:36 . 2010-12-28 14:56 57344 ----a-w- c:\program files\Common Files\System\msadc\msadcs.dll
2011-07-29 15:36 . 2010-12-28 14:56 253952 ----a-w- c:\program files\Common Files\System\ado\msadox.dll
2011-07-29 15:36 . 2010-12-28 14:56 241664 ----a-w- c:\program files\Common Files\System\ado\msadomd.dll
2011-07-29 15:36 . 2010-12-28 14:56 180224 ----a-w- c:\program files\Common Files\System\msadc\msadco.dll
2011-07-29 15:33 . 2011-02-22 12:51 69632 ----a-w- c:\windows\system32\drivers\bowser.sys
2011-07-29 15:32 . 2010-12-14 15:49 1169408 ----a-w- c:\windows\system32\sdclt.exe
2011-07-29 15:32 . 2011-02-17 06:23 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-07-28 21:31 . 2011-07-28 21:32 -------- d-----w- c:\program files\Shop to Win 3
2011-07-28 21:31 . 2011-07-28 21:31 -------- d-----w- c:\program files\Shop To Win
2011-07-28 21:31 . 2011-07-28 21:31 -------- d-----w- c:\program files\Conduit
2011-07-28 21:31 . 2011-07-28 21:31 -------- d-----w- c:\program files\WhiteSmoke_Bar
2011-07-28 21:30 . 2011-08-16 21:33 -------- d-----w- c:\program files\FinderQuery Addon
2011-07-28 21:30 . 2011-08-16 21:33 -------- d-----w- c:\program files\IspAssistant Addon
2011-07-28 17:27 . 2011-04-14 14:24 75264 ----a-w- c:\windows\system32\drivers\dfsc.sys
2011-07-28 17:27 . 2010-10-15 14:08 3548048 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-07-28 17:27 . 2010-10-15 13:48 1205080 ----a-w- c:\windows\system32\ntdll.dll
2011-07-28 17:27 . 2010-10-15 14:08 3600272 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-07-28 17:26 . 2011-03-10 16:12 1161728 ----a-w- c:\windows\system32\mfc42u.dll
2011-07-28 17:26 . 2011-03-10 16:12 1136640 ----a-w- c:\windows\system32\mfc42.dll
2011-07-28 17:23 . 2011-02-18 13:31 304640 ----a-w- c:\windows\system32\drivers\srv.sys
2011-07-28 17:23 . 2011-03-02 14:49 86528 ----a-w- c:\windows\system32\dnsrslvr.dll
2011-07-28 17:23 . 2009-05-04 10:11 25088 ----a-w- c:\windows\system32\dnscacheugc.exe
2011-07-28 17:23 . 2011-04-21 13:16 273408 ----a-w- c:\windows\system32\drivers\afd.sys
2011-07-28 17:20 . 2011-04-29 12:49 146432 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-07-28 17:20 . 2011-04-29 12:49 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-06 23:52 . 2010-02-15 14:05 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 23:52 . 2010-02-15 14:05 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-20 12:57 . 2011-06-29 19:46 7074640 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{AD8B4F99-E108-47E5-9C8C-2A75F49BDCBB}\mpengine.dll
2011-05-28 06:08 . 2011-06-29 19:18 916480 ----a-w- c:\windows\system32\wininet.dll
2011-05-28 06:04 . 2011-06-29 19:18 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-05-28 06:04 . 2011-06-29 19:18 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-05-28 06:04 . 2011-06-29 19:18 109056 ----a-w- c:\windows\system32\iesysprep.dll
2011-05-28 06:04 . 2011-06-29 19:18 71680 ----a-w- c:\windows\system32\iesetup.dll
2011-05-28 05:10 . 2011-06-29 19:18 385024 ----a-w- c:\windows\system32\html.iec
2011-05-28 04:33 . 2011-06-29 19:18 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2011-05-28 04:31 . 2011-06-29 19:18 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-05-24 23:14 . 2009-10-02 03:56 222080 ------w- c:\windows\system32\MpSigStub.exe
.
.
((((((((((((((((((((((((((((( [email protected]_21.46.34 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-11-02 13:05 . 2011-08-21 18:31 83542 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-10-25 08:15 . 2011-08-21 18:31 17368 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-173749480-65635683-1868834750-1003_UserData.bin
+ 2011-08-19 10:53 . 2011-08-19 00:04 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012011081920110820\index.dat
+ 2011-08-17 09:08 . 2011-08-16 22:47 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012011081720110818\index.dat
+ 2009-02-18 17:31 . 2011-08-16 23:17 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-02-18 17:31 . 2011-08-11 14:12 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-02-18 17:31 . 2011-08-15 19:53 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-02-18 17:31 . 2011-08-16 23:17 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-02-18 17:31 . 2011-08-16 23:17 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-02-18 17:31 . 2011-08-11 14:12 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-11-14 00:49 . 2011-08-21 18:28 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-11-14 00:49 . 2011-08-16 21:14 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-11-14 00:49 . 2011-08-21 18:28 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-11-14 00:49 . 2011-08-16 21:14 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2006-11-02 10:25 . 2011-08-21 18:31 86016 c:\windows\inf\infpub.dat
- 2006-11-02 10:25 . 2011-08-16 21:16 86016 c:\windows\inf\infpub.dat
- 2011-08-16 21:14 . 2011-08-16 21:14 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-08-21 18:28 . 2011-08-21 18:28 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2011-08-16 21:14 . 2011-08-16 21:14 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-08-21 18:28 . 2011-08-21 18:28 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2007-10-20 00:37 . 2007-10-20 00:37 190072 c:\windows\System32\Macromed\Flash\FlashUtil9b.exe
+ 2010-06-05 23:25 . 2011-08-16 22:47 262144 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2010-06-05 23:25 . 2011-08-15 23:51 262144 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2008-10-25 08:10 . 2011-08-16 21:14 229376 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-10-25 08:10 . 2011-08-20 14:57 229376 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-10-25 08:10 . 2011-08-20 14:57 966656 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-10-25 08:10 . 2011-08-16 21:14 966656 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2006-11-02 10:25 . 2011-08-21 18:31 143360 c:\windows\inf\infstrng.dat
- 2006-11-02 10:25 . 2011-08-16 21:16 143360 c:\windows\inf\infstrng.dat
- 2010-03-08 05:46 . 2011-08-16 21:14 8159232 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-03-08 05:46 . 2011-08-20 14:57 8159232 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2011-08-19 20:24 . 2011-08-19 20:24 1066496 c:\windows\Installer\19101e0.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-01-03 09:00 39472 ----a-w- c:\acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-05 39408]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-17 3872080]
"ooVoo.exe"="c:\program files\oovoo\oovoo.exe" [2011-05-18 22631608]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2008-01-21 215552]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-17 3872080]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-11-02 8704]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Empowering Technology Launcher.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Empowering Technology Launcher.lnk
backup=c:\windows\pss\Empowering Technology Launcher.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Assist Launcher]
2007-11-19 22:17 1261568 ----a-w- c:\program files\Acer\Acer Assist\launcher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eDataSecurity Loader]
2008-01-03 08:55 521776 ----a-w- c:\acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-21 02:25 125952 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HelpCenter4.1]
2008-06-18 07:13 198184 ----a-w- c:\program files\FastAccessDSL\HelpCenter43\bin\sprtcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-04-02 23:11 342312 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
2007-10-11 19:06 62760 ------w- c:\program files\CyberLink\PowerDVD\Language\Language.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]
2008-01-07 23:51 858632 ----a-w- c:\progra~1\LAUNCH~1\LManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2009-05-27 04:06 4351216 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2010-04-17 03:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PLFSetI]
2007-10-23 17:56 200704 ----a-w- c:\windows\PLFSetI.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PLFSetL]
2007-07-05 19:35 94208 ----a-w- c:\windows\PLFSetL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2008-01-22 21:23 81920 ------w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2008-01-08 00:25 4853760 ----a-w- c:\windows\RtHDVCpl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2008-01-21 02:23 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-10-26 04:17 136600 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-01-05 21:42 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPStart]
2007-09-07 19:35 102400 ----a-w- c:\program files\Synaptics\SynTP\SynTPStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-21 02:23 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Mobile-based device management]
2008-01-21 02:23 215552 ----a-w- c:\windows\WindowsMobile\wmdSync.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-21 02:25 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate1c9b4a777de65e4;Google Update Service (gupdate1c9b4a777de65e4);c:\program files\Google\Update\GoogleUpdate.exe [2009-04-03 133104]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2008-01-21 179712]
R3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [2011-07-07 195336]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2009-04-03 133104]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-07-06 22712]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-07-06 41272]
R3 Ph3xIB32;Philips 713x Inbox PCI TV Card;c:\windows\system32\DRIVERS\Ph3xIB32.sys [2007-04-03 1131136]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2008-05-06 11520]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 AGWinService;AG Windows Service;c:\program files\AGI\common\win32\PythonService.exe [2008-10-25 10240]
R4 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-07-06 366640]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S0 O2MDRDR;O2MDRDR;c:\windows\system32\DRIVERS\o2media.sys [2007-04-03 39680]
S0 O2SDRDR;O2SDRDR;c:\windows\system32\DRIVERS\o2sd.sys [2007-04-03 35712]
S2 BBUpdate;BBUpdate;c:\program files\Microsoft\BingBar\SeaPort.EXE [2011-06-15 249648]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
getPlusHelper REG_MULTI_SZ getPlusHelper
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
termvvc REG_MULTI_SZ TermServices
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 11:32 128512 ----a-w- c:\windows\System32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-03 21:58]
.
2011-08-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-03 21:58]
.
2011-01-03 c:\windows\Tasks\User_Feed_Synchronization-{8D48BC85-7DF9-46EB-A599-73C58B86D96C}.job
- c:\windows\system32\msfeedssync.exe [2011-06-29 04:32]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 68.87.68.162 68.87.74.162 68.87.68.166
FF - ProfilePath - c:\users\tuche\AppData\Roaming\Mozilla\Firefox\Profiles\c3pvi0o4.default\
FF - prefs.js: browser.search.selectedEngine -
FF - prefs.js: browser.startup.homepage - hxxp://www.mystart.com?pr=oovoo2_0
FF - prefs.js: keyword.URL - hxxp://ispassistant.com/?clid=0628b24ffbbd4eac91018d28efe6bd0e&prt=ispassistantbho&tmp=ispassistant_results&keywords=
FF - prefs.js: network.proxy.type - 4
FF - user.js: keyword.URL - hxxp://finderquery.com/?tmp=redir_bho_bing&prt=whitesmokefqbho&keywords=
FF - user.js: keyword.enabled - 1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-21 14:33
Windows 6.0.6001 Service Pack 1 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0007\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(1944)
c:\acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
c:\acer\Empowering Technology\eDataSecurity\x86\sysenv.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLANExt.exe
c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2011-08-21 14:39:01 - machine was rebooted
ComboFix-quarantined-files.txt 2011-08-21 18:38
ComboFix2.txt 2011-08-19 20:06
ComboFix3.txt 2011-08-19 00:23
ComboFix4.txt 2011-08-16 21:52
ComboFix5.txt 2011-08-21 17:50
.
Pre-Run: 1,858,224,128 bytes free
Post-Run: 1,597,689,856 bytes free
.
- - End Of File - - B0978B103926410E43D3D02F9EFB4333
  • 0

#20
patndoris

patndoris

    Trusted Helper

  • Malware Removal
  • 228 posts
You have a very stubborn infection here. Please know that with Vista and Windows 7 it's not unusual to have to reboot after running Combofix.


1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\users\tuche\AppData\Local\BITE9D8.tmp
c:\windows\system32\termvw32.dll
C:\Windows\system\svchost.exe

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
"termvvc"=-


Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe. ComboFix may request an update; please allow it.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
  • 0
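The CFScript above deletes a svchost service group named `termvvc` (carrying a service called `TermServices`) alongside `termvw32.dll`; the stock Vista group for Terminal Services is `termsvcs` with the member `TermService`, so the entry is a look-alike of a legitimate one. The Python below is an added example, not code from the thread or from ComboFix: it parses the svchost block out of a ComboFix "Reg Loading Points" section (the sample lines are constructed from the log posted above) and flags group names that are within a small edit distance of a stock group, which separates a typo-squatted entry from the merely unfamiliar third-party groups (`WindowsMobile`, `HPZ12`, ...) that a plain allowlist would also flag. The `BASELINE` table of stock groups is an illustrative assumption and is deliberately incomplete; a real audit should compare against this key exported from a known-clean machine of the same build.

```python
"""Audit the svchost service-group list in a ComboFix 'Reg Loading Points' section.

Added example, not ComboFix's own code. The log lines below are constructed from the
thread above; the baseline of stock Vista svchost groups is illustrative and incomplete
(assumption), so a real audit should export this key from a known-clean machine.
"""

SVCHOST_KEY = r"[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]"

# Illustrative baseline (assumption): group name -> service names that belong in it.
# An empty set means "group is known, members not checked here".
BASELINE = {
    "termsvcs": {"termservice"},
    "netsvcs": set(),
    "localservice": set(),
    "networkservice": set(),
    "dcomlaunch": {"dcomlaunch", "plugplay"},
    "rpcss": {"rpcss"},
}

# Constructed sample: the svchost block as ComboFix prints it in the log above.
SAMPLE_LOG = r"""
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
getPlusHelper REG_MULTI_SZ getPlusHelper
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
termvvc REG_MULTI_SZ TermServices
.
"""


def parse_svchost_groups(log_text):
    """Return {group: [member, ...]} from the svchost section of a ComboFix log.

    ComboFix joins the REG_MULTI_SZ members with spaces, so a service name that itself
    contains spaces (e.g. 'Pml Driver HPZ12') comes back split; member checks are
    therefore best-effort, and the group name is the reliable field.
    """
    groups = {}
    in_section = False
    for line in log_text.splitlines():
        stripped = line.strip()
        if stripped.lower() == SVCHOST_KEY.lower():
            in_section = True
            continue
        if not in_section:
            continue
        if stripped in ("", "."):          # ComboFix ends every section with a lone '.'
            break
        parts = stripped.split()
        if len(parts) >= 2 and parts[1] == "REG_MULTI_SZ":
            groups[parts[0]] = parts[2:]
    return groups


def edit_distance(a, b):
    """Levenshtein distance; catches look-alike group names such as termvvc vs termsvcs."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit_groups(groups, baseline=BASELINE, max_distance=2):
    """Classify each group as 'baseline', 'suspicious' (look-alike name) or 'unknown'."""
    report = {}
    for group, members in groups.items():
        name = group.lower()
        entry = {"members": members, "closest": None, "distance": None}
        if name in baseline:
            allowed = baseline[name]
            extra = [m for m in members if allowed and m.lower() not in allowed]
            entry["status"] = "baseline-with-unexpected-members" if extra else "baseline"
            entry["unexpected"] = extra
        else:
            closest = min(baseline, key=lambda known: edit_distance(name, known))
            dist = edit_distance(name, closest)
            entry["closest"], entry["distance"] = closest, dist
            entry["status"] = "suspicious" if dist <= max_distance else "unknown"
        report[group] = entry
    return report


def audit_log(log_text):
    """Convenience wrapper: parse a ComboFix log and audit its svchost groups."""
    return audit_groups(parse_svchost_groups(log_text))


if __name__ == "__main__":
    for group, entry in audit_log(SAMPLE_LOG).items():
        note = ""
        if entry["status"] == "suspicious":
            note = f"  (resembles stock group '{entry['closest']}', distance {entry['distance']})"
        print(f"{entry['status']:>10}  {group:<24} {' '.join(entry['members'])}{note}")
```

Run against the sample, `termvvc` is reported as suspicious (two edits away from `termsvcs`) while the five other non-baseline groups come back as unknown rather than suspicious, which is the triage order a helper wants: look-alikes first, then unfamiliar-but-plausible vendor groups to verify against a clean reference.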

#21
lilian

lilian

    Member

  • Topic Starter
  • Member
  • 97 posts
ComboFix 11-08-22.04 - tuche 08/22/2011 23:27:47.7.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1789.1187 [GMT -4:00]
Running from: c:\users\tuche\Desktop\ComboFix.exe
Command switches used :: c:\users\tuche\Desktop\cfscript.txt
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\users\tuche\AppData\Local\BITE9D8.tmp"
"c:\windows\system\svchost.exe"
"c:\windows\system32\termvw32.dll"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\tuche\AppData\Roaming\223A.4F5
.
.
((((((((((((((((((((((((( Files Created from 2011-07-23 to 2011-08-23 )))))))))))))))))))))))))))))))
.
.
2011-08-23 03:39 . 2011-08-23 03:41 -------- d-----w- c:\users\tuche\AppData\Local\temp
2011-08-23 03:39 . 2011-08-23 03:39 -------- d-----w- c:\users\Public\AppData\Local\temp
2011-08-23 03:39 . 2011-08-23 03:39 -------- d-----w- c:\users\jennifer and charlot\AppData\Local\temp
2011-08-23 03:39 . 2011-08-23 03:39 -------- d-----w- c:\users\Guest\AppData\Local\temp
2011-08-23 03:39 . 2011-08-23 03:39 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-08-11 00:44 . 2011-07-06 14:56 213504 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-08-11 00:18 . 2011-08-11 00:18 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-11 00:11 . 2011-08-21 18:07 7680 ----a-w- c:\windows\system\svchost.exe
2011-08-01 14:31 . 2011-08-01 14:31 218624 ----a-w- c:\windows\system32\termvw32.dll
2011-08-01 07:01 . 2009-10-09 21:56 2048 ----a-w- c:\windows\system32\winrsmgr.dll
2011-07-30 21:32 . 2011-06-02 12:59 2042368 ----a-w- c:\windows\system32\win32k.sys
2011-07-30 19:39 . 2011-04-20 14:47 375808 ----a-w- c:\windows\system32\winsrv.dll
2011-07-30 19:39 . 2011-04-20 14:44 49152 ----a-w- c:\windows\system32\csrsrv.dll
2011-07-30 19:37 . 2010-12-20 15:39 563200 ----a-w- c:\windows\system32\oleaut32.dll
2011-07-30 16:47 . 2011-07-30 16:47 0 ---ha-w- c:\users\tuche\AppData\Local\BITE9D8.tmp
2011-07-29 15:36 . 2011-02-16 15:29 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-07-29 15:36 . 2011-02-16 13:24 292864 ----a-w- c:\windows\system32\atmfd.dll
2011-07-29 15:36 . 2010-12-28 14:57 409600 ----a-w- c:\windows\system32\odbc32.dll
2011-07-29 15:36 . 2010-12-28 14:56 708608 ----a-w- c:\program files\Common Files\System\ado\msado15.dll
2011-07-29 15:36 . 2010-12-28 14:56 57344 ----a-w- c:\program files\Common Files\System\msadc\msadcs.dll
2011-07-29 15:36 . 2010-12-28 14:56 253952 ----a-w- c:\program files\Common Files\System\ado\msadox.dll
2011-07-29 15:36 . 2010-12-28 14:56 241664 ----a-w- c:\program files\Common Files\System\ado\msadomd.dll
2011-07-29 15:36 . 2010-12-28 14:56 180224 ----a-w- c:\program files\Common Files\System\msadc\msadco.dll
2011-07-29 15:33 . 2011-02-22 12:51 69632 ----a-w- c:\windows\system32\drivers\bowser.sys
2011-07-29 15:32 . 2010-12-14 15:49 1169408 ----a-w- c:\windows\system32\sdclt.exe
2011-07-29 15:32 . 2011-02-17 06:23 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-07-28 21:31 . 2011-07-28 21:32 -------- d-----w- c:\program files\Shop to Win 3
2011-07-28 21:31 . 2011-07-28 21:31 -------- d-----w- c:\program files\Shop To Win
2011-07-28 21:31 . 2011-07-28 21:31 -------- d-----w- c:\program files\Conduit
2011-07-28 21:31 . 2011-07-28 21:31 -------- d-----w- c:\program files\WhiteSmoke_Bar
2011-07-28 21:30 . 2011-08-16 21:33 -------- d-----w- c:\program files\FinderQuery Addon
2011-07-28 21:30 . 2011-08-16 21:33 -------- d-----w- c:\program files\IspAssistant Addon
2011-07-28 17:27 . 2011-04-14 14:24 75264 ----a-w- c:\windows\system32\drivers\dfsc.sys
2011-07-28 17:27 . 2010-10-15 14:08 3548048 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-07-28 17:27 . 2010-10-15 13:48 1205080 ----a-w- c:\windows\system32\ntdll.dll
2011-07-28 17:27 . 2010-10-15 14:08 3600272 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-07-28 17:26 . 2011-03-10 16:12 1161728 ----a-w- c:\windows\system32\mfc42u.dll
2011-07-28 17:26 . 2011-03-10 16:12 1136640 ----a-w- c:\windows\system32\mfc42.dll
2011-07-28 17:23 . 2011-02-18 13:31 304640 ----a-w- c:\windows\system32\drivers\srv.sys
2011-07-28 17:23 . 2011-03-02 14:49 86528 ----a-w- c:\windows\system32\dnsrslvr.dll
2011-07-28 17:23 . 2009-05-04 10:11 25088 ----a-w- c:\windows\system32\dnscacheugc.exe
2011-07-28 17:23 . 2011-04-21 13:16 273408 ----a-w- c:\windows\system32\drivers\afd.sys
2011-07-28 17:20 . 2011-04-29 12:49 146432 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-07-28 17:20 . 2011-04-29 12:49 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-06 23:52 . 2010-02-15 14:05 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 23:52 . 2010-02-15 14:05 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-20 12:57 . 2011-06-29 19:46 7074640 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{AD8B4F99-E108-47E5-9C8C-2A75F49BDCBB}\mpengine.dll
2011-05-28 06:08 . 2011-06-29 19:18 916480 ----a-w- c:\windows\system32\wininet.dll
2011-05-28 06:04 . 2011-06-29 19:18 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-05-28 06:04 . 2011-06-29 19:18 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-05-28 06:04 . 2011-06-29 19:18 109056 ----a-w- c:\windows\system32\iesysprep.dll
2011-05-28 06:04 . 2011-06-29 19:18 71680 ----a-w- c:\windows\system32\iesetup.dll
2011-05-28 05:10 . 2011-06-29 19:18 385024 ----a-w- c:\windows\system32\html.iec
2011-05-28 04:33 . 2011-06-29 19:18 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2011-05-28 04:31 . 2011-06-29 19:18 1638912 ----a-w- c:\windows\system32\mshtml.tlb
.
.
((((((((((((((((((((((((((((( [email protected]_21.46.34 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-21 01:58 . 2011-08-21 18:47 86170 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2011-08-23 00:02 83558 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-10-25 08:15 . 2011-08-23 00:02 17440 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-173749480-65635683-1868834750-1003_UserData.bin
+ 2011-08-19 10:53 . 2011-08-19 00:04 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012011081920110820\index.dat
+ 2011-08-17 09:08 . 2011-08-16 22:47 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012011081720110818\index.dat
+ 2009-02-18 17:31 . 2011-08-16 23:17 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-02-18 17:31 . 2011-08-11 14:12 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-02-18 17:31 . 2011-08-15 19:53 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-02-18 17:31 . 2011-08-16 23:17 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-02-18 17:31 . 2011-08-11 14:12 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-02-18 17:31 . 2011-08-16 23:17 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-11-14 00:49 . 2011-08-16 21:14 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-11-14 00:49 . 2011-08-22 23:59 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-11-14 00:49 . 2011-08-22 23:59 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-11-14 00:49 . 2011-08-16 21:14 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2006-11-02 10:25 . 2011-08-16 21:16 86016 c:\windows\inf\infpub.dat
+ 2006-11-02 10:25 . 2011-08-23 03:28 86016 c:\windows\inf\infpub.dat
+ 2011-08-21 18:43 . 2011-08-22 23:59 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2011-08-16 21:14 . 2011-08-16 21:14 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-08-21 18:43 . 2011-08-22 23:59 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2011-08-16 21:14 . 2011-08-16 21:14 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2007-10-20 00:37 . 2007-10-20 00:37 190072 c:\windows\System32\Macromed\Flash\FlashUtil9b.exe
+ 2010-06-05 23:25 . 2011-08-16 22:47 262144 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2010-06-05 23:25 . 2011-08-15 23:51 262144 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2008-10-25 08:10 . 2011-08-16 21:14 229376 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-10-25 08:10 . 2011-08-23 00:09 229376 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-10-25 08:10 . 2011-08-23 00:09 966656 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-10-25 08:10 . 2011-08-16 21:14 966656 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2006-11-02 10:25 . 2011-08-23 03:28 143360 c:\windows\inf\infstrng.dat
- 2006-11-02 10:25 . 2011-08-16 21:16 143360 c:\windows\inf\infstrng.dat
- 2010-03-08 05:46 . 2011-08-16 21:14 8159232 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-03-08 05:46 . 2011-08-23 00:09 8159232 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2011-08-19 20:24 . 2011-08-19 20:24 1066496 c:\windows\Installer\19101e0.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-01-03 09:00 39472 ----a-w- c:\acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-05 39408]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-17 3872080]
"ooVoo.exe"="c:\program files\oovoo\oovoo.exe" [2011-05-18 22631608]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2008-01-21 215552]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-17 3872080]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-11-02 8704]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Empowering Technology Launcher.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Empowering Technology Launcher.lnk
backup=c:\windows\pss\Empowering Technology Launcher.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Assist Launcher]
2007-11-19 22:17 1261568 ----a-w- c:\program files\Acer\Acer Assist\launcher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eDataSecurity Loader]
2008-01-03 08:55 521776 ----a-w- c:\acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-21 02:25 125952 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HelpCenter4.1]
2008-06-18 07:13 198184 ----a-w- c:\program files\FastAccessDSL\HelpCenter43\bin\sprtcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-04-02 23:11 342312 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
2007-10-11 19:06 62760 ------w- c:\program files\CyberLink\PowerDVD\Language\Language.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]
2008-01-07 23:51 858632 ----a-w- c:\progra~1\LAUNCH~1\LManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2009-05-27 04:06 4351216 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2010-04-17 03:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PLFSetI]
2007-10-23 17:56 200704 ----a-w- c:\windows\PLFSetI.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PLFSetL]
2007-07-05 19:35 94208 ----a-w- c:\windows\PLFSetL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2008-01-22 21:23 81920 ------w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2008-01-08 00:25 4853760 ----a-w- c:\windows\RtHDVCpl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2008-01-21 02:23 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-10-26 04:17 136600 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-01-05 21:42 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPStart]
2007-09-07 19:35 102400 ----a-w- c:\program files\Synaptics\SynTP\SynTPStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-21 02:23 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Mobile-based device management]
2008-01-21 02:23 215552 ----a-w- c:\windows\WindowsMobile\wmdSync.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-21 02:25 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate1c9b4a777de65e4;Google Update Service (gupdate1c9b4a777de65e4);c:\program files\Google\Update\GoogleUpdate.exe [2009-04-03 133104]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2008-01-21 179712]
R3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [2011-07-07 195336]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2009-04-03 133104]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-07-06 22712]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-07-06 41272]
R3 Ph3xIB32;Philips 713x Inbox PCI TV Card;c:\windows\system32\DRIVERS\Ph3xIB32.sys [2007-04-03 1131136]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2008-05-06 11520]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 AGWinService;AG Windows Service;c:\program files\AGI\common\win32\PythonService.exe [2008-10-25 10240]
R4 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-07-06 366640]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S0 O2MDRDR;O2MDRDR;c:\windows\system32\DRIVERS\o2media.sys [2007-04-03 39680]
S0 O2SDRDR;O2SDRDR;c:\windows\system32\DRIVERS\o2sd.sys [2007-04-03 35712]
S2 BBUpdate;BBUpdate;c:\program files\Microsoft\BingBar\SeaPort.EXE [2011-06-15 249648]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
getPlusHelper REG_MULTI_SZ getPlusHelper
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 11:32 128512 ----a-w- c:\windows\System32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-03 21:58]
.
2011-08-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-03 21:58]
.
2011-01-03 c:\windows\Tasks\User_Feed_Synchronization-{8D48BC85-7DF9-46EB-A599-73C58B86D96C}.job
- c:\windows\system32\msfeedssync.exe [2011-06-29 04:32]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\users\tuche\AppData\Roaming\Mozilla\Firefox\Profiles\c3pvi0o4.default\
FF - prefs.js: browser.search.selectedEngine -
FF - prefs.js: browser.startup.homepage - hxxp://www.mystart.com?pr=oovoo2_0
FF - prefs.js: keyword.URL - hxxp://ispassistant.com/?clid=0628b24ffbbd4eac91018d28efe6bd0e&prt=ispassistantbho&tmp=ispassistant_results&keywords=
FF - prefs.js: network.proxy.type - 4
FF - user.js: keyword.URL - hxxp://finderquery.com/?tmp=redir_bho_bing&prt=whitesmokefqbho&keywords=
FF - user.js: keyword.enabled - 1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-22 23:41
Windows 6.0.6001 Service Pack 1 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0007\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-08-22 23:45:53
ComboFix-quarantined-files.txt 2011-08-23 03:45
ComboFix2.txt 2011-08-21 18:39
ComboFix3.txt 2011-08-19 20:06
ComboFix4.txt 2011-08-19 00:23
ComboFix5.txt 2011-08-23 03:25
.
Pre-Run: 1,890,816,000 bytes free
Post-Run: 1,807,564,800 bytes free
.
- - End Of File - - CE924CFA3D7B583AF9F29843A0D4DA3C
  • 0

#22
patndoris

patndoris

    Trusted Helper

  • Malware Removal
  • 228 posts
I know this must be frustrating for you, because you are not seeing symptoms of infection in how your machine is running. But please keep in mind, absence of symptoms does not mean absence of infection.
There are definitely some files that are not being removed and/or are recreating when they shouldn't be.


We need to get additional information about some files.

Please go to the following site:
http://www.virustotal.com/
Click on Choose File, and then upload the following files for analysis: (you will need to do them one at a time)

c:\windows\system\svchost.exe <<-- please make sure you choose this file location carefully - it is in the system folder NOT the system32 folder
c:\windows\system32\winrsmgr.dll

Then click Send File and allow the file to be scanned.

Please ensure the scan is complete and the results saved before submitting the next.
If a pop-up appears saying the file has been scanned already, please select the ReScan button.

Please copy and paste the links to each of the results here for me.




Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Right-click and choose Run as Administrator on SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :dir 
    c:\users\tuche\AppData\Local\temp /s
    c:\users\Public\AppData\Local\temp /s
    c:\users\jennifer and charlot\AppData\Local\temp /s
    c:\users\Default\AppData\Local\temp /s
    c:\users\Guest\AppData\Local\temp /s
    
    :filefind
    winrsmgr.dll
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
  • 0

#23
lilian

lilian

    Member

  • Topic Starter
  • Member
  • PipPip
  • 97 posts
0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.
File name: svchost.exe
Submission date: 2011-08-25 20:01:16 (UTC)
Current status: finished


Result: 3/ 43 (7.0%)
VT Community

not reviewed
Safety score: -
Antivirus Version Last Update Result
AhnLab-V3 2011.08.25.01 2011.08.25 -
AntiVir 7.11.13.232 2011.08.25 -
Antiy-AVL 2.0.3.7 2011.08.25 -
Avast 4.8.1351.0 2011.08.25 Win32:Delf-QLG [Trj]
Avast5 5.0.677.0 2011.08.25 Win32:Delf-QLG [Trj]
AVG 10.0.0.1190 2011.08.25 -
BitDefender 7.2 2011.08.25 -
ByteHero 1.0.0.1 2011.08.22 -
CAT-QuickHeal 11.00 2011.08.25 -
ClamAV 0.97.0.0 2011.08.25 -
Commtouch 5.3.2.6 2011.08.25 -
Comodo 9873 2011.08.25 -
Emsisoft 5.1.0.10 2011.08.25 -
eSafe 7.0.17.0 2011.08.25 -
eTrust-Vet 36.1.8521 2011.08.25 -
F-Prot 4.6.2.117 2011.08.25 -
F-Secure 9.0.16440.0 2011.08.25 -
Fortinet 4.2.257.0 2011.08.24 -
GData 22 2011.08.25 Win32:Delf-QLG
Ikarus T3.1.1.107.0 2011.08.25 -
Jiangmin 13.0.900 2011.08.25 -
K7AntiVirus 9.111.5056 2011.08.25 -
Kaspersky 9.0.0.837 2011.08.25 -
McAfee 5.400.0.1158 2011.08.25 -
McAfee-GW-Edition 2010.1D 2011.08.25 -
Microsoft 1.7604 2011.08.25 -
NOD32 6410 2011.08.25 -
Norman 6.07.10 2011.08.25 -
nProtect 2011-08-25.01 2011.08.25 -
Panda 10.0.3.5 2011.08.25 -
PCTools 8.0.0.5 2011.08.25 -
Prevx 3.0 2011.08.25 -
Rising 23.72.03.03 2011.08.25 -
Sophos 4.68.0 2011.08.25 -
SUPERAntiSpyware 4.40.0.1006 2011.08.25 -
Symantec 20111.2.0.82 2011.08.25 -
TheHacker 6.7.0.1.284 2011.08.25 -
TrendMicro 9.500.0.1008 2011.08.25 -
TrendMicro-HouseCall 9.500.0.1008 2011.08.25 -
VBA32 3.12.16.4 2011.08.25 -
VIPRE 10267 2011.08.25 -
ViRobot 2011.8.25.4639 2011.08.25 -
VirusBuster 14.0.185.0 2011.08.25 -
Additional information
MD5 : 4e85b7323dff89b26abd2e94032f79a3
SHA1 : 7749d0e899830c74ae24f0d89bd4a60b91ee4fff
SHA256: ad0128eaa670a77e655f0a05dd18dffd67c87b5c0e3e042d9be7f0d4a80c5ed2
ssdeep: 96:nP5hlCGe3oSxSKTfOkGMO4VOvUsNNFRvxArzdLO0U3g3Dba++ryYw:nhhlClN39IvdNNXUlba+vYw
File size : 7680 bytes
First seen: 2011-08-02 03:04:10
Last seen : 2011-08-25 20:01:16
TrID:
Win32 Executable Borland Delphi 6 (92.2%)
Win32 Executable Generic (2.9%)
Win32 Dynamic Link Library (generic) (2.6%)
Win16/32 Executable Delphi generic (0.7%)
Generic Win/DOS Executable (0.7%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

PEiD: BobSoft Mini Delphi -> BoB / BobSoft
PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0x1F90
timedatestamp....: 0x2A425E19 (Fri Jun 19 22:22:17 1992)
machinetype......: 0x14c (I386)

[[ 8 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
CODE, 0x1000, 0xFAC, 0x1000, 6.39, d8c283e77eb1e47cac264c35d28a846d
DATA, 0x2000, 0x194, 0x200, 2.39, d75825077a458f4e418cab833c9061dd
BSS, 0x3000, 0x681, 0x0, 0.00, d41d8cd98f00b204e9800998ecf8427e
.idata, 0x4000, 0x1AE, 0x200, 3.51, 4017978d1f196f600374099439ed2ecd
.tls, 0x5000, 0x4, 0x0, 0.00, d41d8cd98f00b204e9800998ecf8427e
.rdata, 0x6000, 0x18, 0x200, 0.20, 5f399dd8b385140205fa2a3b6bf3bccf
.reloc, 0x7000, 0x174, 0x200, 5.05, 722d5d4b66195a679c8731332455d337
.rsrc, 0x8000, 0x200, 0x200, 2.11, de272ca3d83f6b027c29e10ee97b0d01

[[ 3 import(s) ]]
kernel32.dll: GetCurrentThreadId, ExitProcess, RtlUnwind, RaiseException, FreeLibrary, HeapFree, HeapReAlloc, HeapAlloc, GetProcessHeap
kernel32.dll: TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
kernel32.dll: GetProcAddress, GetModuleHandleA

ExifTool:
file metadata
CodeSize: 4096
EntryPoint: 0x1f90
FileSize: 7.5 kB
FileType: Win32 EXE
ImageVersion: 0.0
InitializedDataSize: 2560
LinkerVersion: 2.25
MIMEType: application/octet-stream
MachineType: Intel 386 or later, and compatibles
OSVersion: 4.0
PEType: PE32
Subsystem: Windows GUI
SubsystemVersion: 4.0
TimeStamp: 1992:06:20 00:22:17+02:00
UninitializedDataSize: 0

Symantec reputation:Suspicious.Insight












File name: winrsmgr.dll
Submission date: 2011-08-25 20:08:25 (UTC)
Current status: finished


Result: 0/ 44 (0.0%)
VT Community

not reviewed
Safety score: -
Antivirus Version Last Update Result
AhnLab-V3 2011.08.25.01 2011.08.25 -
AntiVir 7.11.13.232 2011.08.25 -
Antiy-AVL 2.0.3.7 2011.08.25 -
Avast 4.8.1351.0 2011.08.25 -
Avast5 5.0.677.0 2011.08.25 -
AVG 10.0.0.1190 2011.08.25 -
BitDefender 7.2 2011.08.25 -
ByteHero 1.0.0.1 2011.08.22 -
CAT-QuickHeal 11.00 2011.08.25 -
ClamAV 0.97.0.0 2011.08.25 -
Commtouch 5.3.2.6 2011.08.25 -
Comodo 9873 2011.08.25 -
DrWeb 5.0.2.03300 2011.08.25 -
Emsisoft 5.1.0.10 2011.08.25 -
eSafe 7.0.17.0 2011.08.25 -
eTrust-Vet 36.1.8521 2011.08.25 -
F-Prot 4.6.2.117 2011.08.25 -
F-Secure 9.0.16440.0 2011.08.25 -
Fortinet 4.2.257.0 2011.08.24 -
GData 22 2011.08.25 -
Ikarus T3.1.1.107.0 2011.08.25 -
Jiangmin 13.0.900 2011.08.25 -
K7AntiVirus 9.111.5056 2011.08.25 -
Kaspersky 9.0.0.837 2011.08.25 -
McAfee 5.400.0.1158 2011.08.25 -
McAfee-GW-Edition 2010.1D 2011.08.25 -
Microsoft 1.7604 2011.08.25 -
NOD32 6410 2011.08.25 -
Norman 6.07.10 2011.08.25 -
nProtect 2011-08-25.01 2011.08.25 -
Panda 10.0.3.5 2011.08.25 -
PCTools 8.0.0.5 2011.08.25 -
Prevx 3.0 2011.08.25 -
Rising 23.72.03.03 2011.08.25 -
Sophos 4.68.0 2011.08.25 -
SUPERAntiSpyware 4.40.0.1006 2011.08.25 -
Symantec 20111.2.0.82 2011.08.25 -
TheHacker 6.7.0.1.284 2011.08.25 -
TrendMicro 9.500.0.1008 2011.08.25 -
TrendMicro-HouseCall 9.500.0.1008 2011.08.25 -
VBA32 3.12.16.4 2011.08.25 -
VIPRE 10267 2011.08.25 -
ViRobot 2011.8.25.4639 2011.08.25 -
VirusBuster 14.0.185.0 2011.08.25 -
Additional information
MD5 : 3fa837e3c30334ba8ca5eeb2b375d50c
SHA1 : 7d913cc7280cb6f2cbb9b016c7a3c92ee9314c2f
SHA256: 75b1a001a83c1aaff83da95a15e000c50b21dbc055eb5f17f526a9d7aa739abb
ssdeep: 24:e9GS7InClsztCIZW0HG3cN2lCrbpa135WWdPOPND:KDycIZWUG3K2lU9at5Wwa
File size : 2048 bytes
First seen: 2009-10-28 21:47:29
Last seen : 2011-08-25 20:08:25
TrID:
Generic Win/DOS Executable (49.9%)
DOS Executable Generic (49.8%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
sigcheck:
publisher....: Microsoft Corporation
copyright....: © Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: WSMan Shell API
original name: winrsmgr.dll
internal name: winrsmgr.dll
file version.: 6.0.6002.18111 (vistasp2_gdr_win7ip_winman(wmbla).091009-1451)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0x0
timedatestamp....: 0x4ACFB177 (Fri Oct 09 21:56:07 2009)
machinetype......: 0x14c (I386)

[[ 1 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.rsrc, 0x1000, 0x420, 0x600, 2.56, 7acfb0c49088f2649eb73b8eec767a90

ExifTool:
file metadata
CharacterSet: Unicode
CodeSize: 0
CompanyName: Microsoft Corporation
EntryPoint: 0x0000
FileDescription: WSMan Shell API
FileFlagsMask: 0x003f
FileOS: Windows NT 32-bit
FileSize: 2.0 kB
FileSubtype: 0
FileType: Win32 DLL
FileVersion: 6.0.6002.18111 (vistasp2_gdr_win7ip_winman(wmbla).091009-1451)
FileVersionNumber: 6.0.6002.18111
ImageVersion: 6.0
InitializedDataSize: 1536
InternalName: winrsmgr.dll
LanguageCode: English (U.S.)
LegalCopyright: Microsoft Corporation. All rights reserved.
LinkerVersion: 8.0
MIMEType: application/octet-stream
MachineType: Intel 386 or later, and compatibles
OSVersion: 6.0
ObjectFileType: Dynamic link library
OriginalFilename: winrsmgr.dll
PEType: PE32
ProductName: Microsoft Windows Operating System
ProductVersion: 6.0.6002.18111
ProductVersionNumber: 6.0.6002.18111
Subsystem: Windows command line
SubsystemVersion: 6.0
TimeStamp: 2009:10:09 23:56:07+02:00
UninitializedDataSize: 0
  • 0

#24
lilian

lilian

    Member

  • Topic Starter
  • Member
  • PipPip
  • 97 posts
SystemLook 30.07.11 by jpshortstuff
Log created at 16:31 on 25/08/2011 by tuche
Administrator - Elevation successful

========== dir ==========

c:\users\tuche\AppData\Local\temp - Parameters: "/s "

---Files---
AdobeARM.log --a---- 1328 bytes [15:39 23/08/2011] [15:39 23/08/2011]
ArmUI.ini --a---- 142194 bytes [15:39 23/08/2011] [15:39 23/08/2011]
flaF736.tmp --a---- 711953 bytes [22:06 24/08/2011] [22:06 24/08/2011]
tuche.bmp --a---- 31832 bytes [03:45 23/08/2011] [03:45 23/08/2011]
~DFB4B1.tmp --a---- 16384 bytes [19:45 23/08/2011] [19:45 23/08/2011]
~DFD182.tmp --a---- 16384 bytes [19:45 23/08/2011] [20:28 25/08/2011]
~DFD609.tmp --a---- 45056 bytes [21:50 24/08/2011] [21:52 24/08/2011]
~DFD6B.tmp --a---- 49152 bytes [19:45 23/08/2011] [19:45 23/08/2011]
~DFD8D8.tmp --a---- 24576 bytes [01:14 24/08/2011] [20:22 25/08/2011]
~DFD8E.tmp --a---- 512 bytes [19:45 23/08/2011] [19:45 23/08/2011]
~DFDB6.tmp --a---- 16384 bytes [19:45 23/08/2011] [19:45 23/08/2011]
~DFDC0.tmp --a---- 512 bytes [19:45 23/08/2011] [19:45 23/08/2011]
~DFDF6.tmp --a---- 32768 bytes [19:45 23/08/2011] [19:45 23/08/2011]
~DFE3F.tmp --a---- 512 bytes [19:45 23/08/2011] [19:45 23/08/2011]
~DFE74.tmp --a---- 32768 bytes [19:45 23/08/2011] [19:45 23/08/2011]
~DFE9F.tmp --a---- 512 bytes [19:45 23/08/2011] [19:45 23/08/2011]

c:\users\tuche\AppData\Local\temp\Low d------ [13:44 23/08/2011]

c:\users\tuche\AppData\Local\temp\WPDNSE d------ [03:46 23/08/2011]

c:\users\Public\AppData\Local\temp - Parameters: "/s "

---Files---
None found.

No folders found.

c:\users\jennifer and charlot\AppData\Local\temp - Parameters: "/s "

---Files---
None found.

No folders found.

c:\users\Default\AppData\Local\temp - Parameters: "/s "

---Files---
None found.

No folders found.

c:\users\Guest\AppData\Local\temp - Parameters: "/s "

---Files---
None found.

No folders found.

- Unable to find folder.

========== filefind ==========

Searching for "winrsmgr.dll"
C:\Windows\System32\winrsmgr.dll --a---- 2048 bytes [07:01 01/08/2011] [21:56 09/10/2009] 3FA837E3C30334BA8CA5EEB2B375D50C
C:\Windows\winsxs\x86_microsoft-windows-winrsplugins_31bf3856ad364e35_6.0.6001.18000_none_1636766731a74faf\winrsmgr.dll --a---- 215552 bytes [02:24 21/01/2008] [02:24 21/01/2008] 3297EA165A1D7628959B3A21BF2F7EC6
C:\Windows\winsxs\x86_microsoft-windows-winrsplugins_31bf3856ad364e35_7.0.6001.18181_none_0751757cbccdee84\winrsmgr.dll --a---- 2048 bytes [07:01 01/08/2011] [21:56 09/10/2009] 3FA837E3C30334BA8CA5EEB2B375D50C

-= EOF =-
  • 0
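The SystemLook result above lists winrsmgr.dll in three places with two different sizes and MD5s, and the earlier instruction singled out a svchost.exe under \windows\system rather than \system32. As an added example (not part of this thread, and not a feature of SystemLook or ComboFix), here is a Python script that parses filefind output of this shape and flags both patterns; the sample input is built from the log lines above, with the svchost.exe size and MD5 taken from the VirusTotal report, while the System32 svchost.exe line, its size and all-zero MD5, and the expected-folder allowlist are constructed placeholders.

```python
# Flags suspicious entries in a SystemLook ':filefind' listing. Added example
# for this thread, not a feature of SystemLook or ComboFix. Two checks:
#   1. one file name present with different sizes/hashes in several places
#   2. a well-known Windows binary sitting outside its expected folder
import re
from collections import defaultdict
from dataclasses import dataclass

# One SystemLook filefind result line has the shape:
#   <path> <attrs> <size> bytes [<created>] [<modified>] <MD5>
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<attrs>[-a-zA-Z]{7}) (?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)

@dataclass(frozen=True)
class FileEntry:
    path: str
    size: int
    md5: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()

    @property
    def folder(self) -> str:
        return self.path.rsplit("\\", 1)[0].lower()

def parse_filefind(text: str) -> list[FileEntry]:
    """Return the file lines of a filefind block; headers and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(FileEntry(m["path"], int(m["size"]), m["md5"].lower()))
    return entries

def inconsistent_copies(entries: list[FileEntry]) -> dict[str, list[tuple[int, str]]]:
    """Names seen with more than one distinct (size, md5) pair.
    WinSxS legitimately holds several versions of a component, so a hit is a
    lead (which copy is the one in System32?), not a verdict by itself."""
    variants = defaultdict(set)
    for e in entries:
        variants[e.name].add((e.size, e.md5))
    return {n: sorted(v) for n, v in variants.items() if len(v) > 1}

# Constructed allowlist: where these binaries normally live on 32-bit Vista.
# Copies inside the WinSxS component store are exempted in the check below.
EXPECTED_FOLDER = {
    "svchost.exe": r"c:\windows\system32",
    "winrsmgr.dll": r"c:\windows\system32",
}

def misplaced_binaries(entries: list[FileEntry], expected=EXPECTED_FOLDER) -> list[FileEntry]:
    """Allowlisted names found in a folder other than the expected one."""
    hits = []
    for e in entries:
        want = expected.get(e.name)
        if want is None or "\\winsxs\\" in e.folder:
            continue
        if e.folder != want:
            hits.append(e)
    return hits

# Constructed sample modelled on the SystemLook output in this thread. The
# winrsmgr.dll lines are the ones from that log; the c:\windows\system\svchost.exe
# line carries the size and MD5 reported on VirusTotal above; the System32
# svchost.exe line is a placeholder (made-up size, all-zero MD5).
SAMPLE_LOG = r"""
Searching for "winrsmgr.dll"
C:\Windows\System32\winrsmgr.dll --a---- 2048 bytes [07:01 01/08/2011] [21:56 09/10/2009] 3FA837E3C30334BA8CA5EEB2B375D50C
C:\Windows\winsxs\x86_microsoft-windows-winrsplugins_31bf3856ad364e35_6.0.6001.18000_none_1636766731a74faf\winrsmgr.dll --a---- 215552 bytes [02:24 21/01/2008] [02:24 21/01/2008] 3297EA165A1D7628959B3A21BF2F7EC6
C:\Windows\winsxs\x86_microsoft-windows-winrsplugins_31bf3856ad364e35_7.0.6001.18181_none_0751757cbccdee84\winrsmgr.dll --a---- 2048 bytes [07:01 01/08/2011] [21:56 09/10/2009] 3FA837E3C30334BA8CA5EEB2B375D50C

Searching for "svchost.exe"
C:\Windows\system\svchost.exe --a---- 7680 bytes [00:11 11/08/2011] [01:08 29/08/2011] 4E85B7323DFF89B26ABD2E94032F79A3
C:\Windows\System32\svchost.exe --a---- 21504 bytes [02:23 21/01/2008] [02:23 21/01/2008] 00000000000000000000000000000000
"""

if __name__ == "__main__":
    entries = parse_filefind(SAMPLE_LOG)
    for name, variants in inconsistent_copies(entries).items():
        print(f"INCONSISTENT {name}: " + ", ".join(f"{s} bytes/{h[:8]}" for s, h in variants))
    for e in misplaced_binaries(entries):
        print(f"MISPLACED {e.path} ({e.size} bytes, md5 {e.md5})")
```

Run against a real SystemLook.txt by passing its contents to parse_filefind; the two checks are independent, so a name can trip both.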

#25
patndoris

patndoris

    Trusted Helper

  • Malware Removal
  • 228 posts
Please download aswMBR.exe and save it to your desktop.

Double click aswMBR.exe to start the tool. (Vista/Windows 7 users - right click to run as administrator)

Click Scan
  • Upon completion of the scan, click Save log and save it to your desktop, and post that log in your next reply for review. Note - do NOT attempt any Fix yet.
  • You will also notice another file created on the desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) file. Attach that zipped file in your next reply as well.



This scan may take a while depending on how many items are on the computer. You may want to run it at a time you won't be needing the machine. It should be run from IE and I'd recommend not doing anything else while it's running.


http://www.eset.eu/online-scanner
Go here to run an online scanner from ESET.
Click the green ESET Online Scanner button.
Read the End User License Agreement and check the box: YES, I accept the Terms of Use.
Click on the Start button next to it.
You may receive an alert on the address bar that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then click Install ActiveX component.
A new window will appear asking "Do you want to install this software?".
Answer Yes to download and install the ActiveX controls that allow the scan to run.
Click Start.
Uncheck Remove found threats.
Click Scan to begin.
If offered the option to get information or buy software, just close the window.
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
Copy and paste that log as a reply to this topic.


*Note: We are bracing for some rough weather this weekend and there is the possibility my internet could be affected. Please stick with me and I assure you I will answer just as quickly as possible.
  • 0

#26
lilian

lilian

    Member

  • Topic Starter
  • Member
  • PipPip
  • 97 posts
aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-08-26 23:51:50
-----------------------------
23:51:50.544 OS Version: Windows 6.0.6001 Service Pack 1
23:51:50.545 Number of processors: 2 586 0x6802
23:51:50.547 ComputerName: TUCHE-PC UserName: tuche
23:52:35.573 Initialize success
23:52:50.688 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
23:52:50.695 Disk 0 Vendor: Hitachi_HTS542512K9SA00 BB2OC31P Size: 114473MB BusType: 3
23:52:52.722 Disk 0 MBR read successfully
23:52:52.733 Disk 0 MBR scan
23:52:52.747 Disk 0 unknown MBR code
23:52:52.773 Disk 0 scanning sectors +234438656
23:52:52.947 Disk 0 scanning C:\Windows\system32\drivers
23:53:02.006 Service scanning
23:53:04.786 Modules scanning
23:53:15.094 Disk 0 trace - called modules:
23:53:15.143 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll ataport.SYS pciide.sys PCIIDEX.SYS atapi.sys
23:53:15.158 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85466ac8]
23:53:15.170 3 CLASSPNP.SYS[82da0745] -> nt!IofCallDriver -> [0x84ea5e28]
23:53:15.183 5 acpi.sys[806106a0] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x84e9dba0]
23:53:15.203 Scan finished successfully
23:54:49.692 Disk 0 MBR has been saved successfully to "C:\Users\tuche\Desktop\MBR.dat"
23:54:49.710 The log file has been saved successfully to "C:\Users\tuche\Desktop\aswMBR.txt"

Attached Files

  • Attached File  MBR.zip   456bytes   42 downloads

  • 0

#27
lilian

lilian

    Member

  • Topic Starter
  • Member
  • PipPip
  • 97 posts
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6528
# api_version=3.0.2
# EOSSerial=8f1014cbcd69ee43835d3e95b04250a4
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-08-27 06:02:03
# local_time=2011-08-27 02:02:03 (-0500, Eastern Daylight Time)
# country="United States"
# lang=9
# osver=6.0.6001 NT Service Pack 1
# compatibility_mode=5892 16776574 66 100 4119506 151025443 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=159212
# found=0
# cleaned=0
# scan_time=7008
  • 0

#28
patndoris

patndoris

    Trusted Helper

  • Malware Removal
  • 228 posts
We will be using Combofix again but will run it differently.

Please follow all previous instructions regarding security programs.

Open a new Notepad session
  • Click the Start button, click run
  • in the run box type notepad
  • click ok
  • In the notepad, Click "Format" and be certain that Word Wrap is not checked.
  • Copy and paste all of the text in the code box below into the Notepad (including the URL). Do not copy the word CODE.

http://www.geekstogo.com/forum/topic/305753-malware-and-missing-drive/

Collect::
c:\users\tuche\AppData\Local\BITE9D8.tmp
c:\windows\system32\termvw32.dll
C:\Windows\system\svchost.exe 

In the notepad
  • Click File, Save as..., and set the Save in to your Desktop
  • In the filename box, type (including quotation marks) as the filename: "CFScript.txt"
  • Click save

Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown below. ComboFix may request an update; please allow it.

This will start ComboFix again. Close all browser/windows first.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Posted Image

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.


Please post the Combofix log in your next reply.
  • 0

#29
lilian

lilian

    Member

  • Topic Starter
  • Member
  • PipPip
  • 97 posts
ComboFix 11-08-28.01 - tuche 08/28/2011 21:08:59.8.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1789.1036 [GMT -4:00]
Running from: c:\users\tuche\Desktop\ComboFix.exe
Command switches used :: c:\users\tuche\Desktop\cfscript.txt
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
file zipped: c:\users\tuche\AppData\Local\BITE9D8.tmp
file zipped: c:\windows\system\svchost.exe
file zipped: c:\windows\system32\termvw32.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-07-28 to 2011-08-29 )))))))))))))))))))))))))))))))
.
.
2011-08-29 01:20 . 2011-08-29 01:42 -------- d-----w- c:\users\tuche\AppData\Local\temp
2011-08-29 01:20 . 2011-08-29 01:20 -------- d-----w- c:\users\Public\AppData\Local\temp
2011-08-29 01:20 . 2011-08-29 01:20 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-08-29 01:20 . 2011-08-29 01:20 -------- d-----w- c:\users\jennifer and charlot\AppData\Local\temp
2011-08-29 01:20 . 2011-08-29 01:20 -------- d-----w- c:\users\Guest\AppData\Local\temp
2011-08-27 04:00 . 2011-08-27 04:00 -------- d-----w- c:\program files\ESET
2011-08-11 00:44 . 2011-07-06 14:56 213504 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-08-11 00:18 . 2011-08-11 00:18 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-11 00:11 . 2011-08-29 01:08 7680 ----a-w- c:\windows\system\svchost.exe
2011-08-01 14:31 . 2011-08-29 01:08 218624 ----a-w- c:\windows\system32\termvw32.dll
2011-08-01 07:01 . 2009-10-09 21:56 2048 ----a-w- c:\windows\system32\winrsmgr.dll
2011-07-30 21:32 . 2011-06-02 12:59 2042368 ----a-w- c:\windows\system32\win32k.sys
2011-07-30 19:39 . 2011-04-20 14:47 375808 ----a-w- c:\windows\system32\winsrv.dll
2011-07-30 19:39 . 2011-04-20 14:44 49152 ----a-w- c:\windows\system32\csrsrv.dll
2011-07-30 19:37 . 2010-12-20 15:39 563200 ----a-w- c:\windows\system32\oleaut32.dll
2011-07-30 16:47 . 2011-07-30 16:47 0 ---ha-w- c:\users\tuche\AppData\Local\BITE9D8.tmp
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-06 23:52 . 2010-02-15 14:05 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 23:52 . 2010-02-15 14:05 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-20 12:57 . 2011-06-29 19:46 7074640 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{AD8B4F99-E108-47E5-9C8C-2A75F49BDCBB}\mpengine.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-01-03 09:00 39472 ----a-w- c:\acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-05 39408]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-17 3872080]
"ooVoo.exe"="c:\program files\oovoo\oovoo.exe" [2011-05-18 22631608]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2008-01-21 215552]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-17 3872080]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-11-02 8704]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Empowering Technology Launcher.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Empowering Technology Launcher.lnk
backup=c:\windows\pss\Empowering Technology Launcher.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Assist Launcher]
2007-11-19 22:17 1261568 ----a-w- c:\program files\Acer\Acer Assist\launcher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eDataSecurity Loader]
2008-01-03 08:55 521776 ----a-w- c:\acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-21 02:25 125952 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HelpCenter4.1]
2008-06-18 07:13 198184 ----a-w- c:\program files\FastAccessDSL\HelpCenter43\bin\sprtcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-04-02 23:11 342312 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
2007-10-11 19:06 62760 ------w- c:\program files\CyberLink\PowerDVD\Language\Language.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]
2008-01-07 23:51 858632 ----a-w- c:\progra~1\LAUNCH~1\LManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2009-05-27 04:06 4351216 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2010-04-17 03:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PLFSetI]
2007-10-23 17:56 200704 ----a-w- c:\windows\PLFSetI.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PLFSetL]
2007-07-05 19:35 94208 ----a-w- c:\windows\PLFSetL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2008-01-22 21:23 81920 ------w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2008-01-08 00:25 4853760 ----a-w- c:\windows\RtHDVCpl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2008-01-21 02:23 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-10-26 04:17 136600 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-01-05 21:42 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPStart]
2007-09-07 19:35 102400 ----a-w- c:\program files\Synaptics\SynTP\SynTPStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-21 02:23 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Mobile-based device management]
2008-01-21 02:23 215552 ----a-w- c:\windows\WindowsMobile\wmdSync.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-21 02:25 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate1c9b4a777de65e4;Google Update Service (gupdate1c9b4a777de65e4);c:\program files\Google\Update\GoogleUpdate.exe [2009-04-03 133104]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2008-01-21 179712]
R3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [2011-07-07 195336]
R3 CFcatchme;CFcatchme;c:\users\tuche\AppData\Local\Temp\CFcatchme.sys [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2009-04-03 133104]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-07-06 22712]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-07-06 41272]
R3 Ph3xIB32;Philips 713x Inbox PCI TV Card;c:\windows\system32\DRIVERS\Ph3xIB32.sys [2007-04-03 1131136]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2008-05-06 11520]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 AGWinService;AG Windows Service;c:\program files\AGI\common\win32\PythonService.exe [2008-10-25 10240]
R4 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-07-06 366640]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S0 O2MDRDR;O2MDRDR;c:\windows\system32\DRIVERS\o2media.sys [2007-04-03 39680]
S0 O2SDRDR;O2SDRDR;c:\windows\system32\DRIVERS\o2sd.sys [2007-04-03 35712]
S2 BBUpdate;BBUpdate;c:\program files\Microsoft\BingBar\SeaPort.EXE [2011-06-15 249648]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
getPlusHelper REG_MULTI_SZ getPlusHelper
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 11:32 128512 ----a-w- c:\windows\System32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-03 21:58]
.
2011-08-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-03 21:58]
.
2011-01-03 c:\windows\Tasks\User_Feed_Synchronization-{8D48BC85-7DF9-46EB-A599-73C58B86D96C}.job
- c:\windows\system32\msfeedssync.exe [2011-06-29 04:32]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\users\tuche\AppData\Roaming\Mozilla\Firefox\Profiles\c3pvi0o4.default\
FF - prefs.js: browser.search.selectedEngine -
FF - prefs.js: browser.startup.homepage - hxxp://www.mystart.com?pr=oovoo2_0
FF - prefs.js: keyword.URL - hxxp://ispassistant.com/?clid=0628b24ffbbd4eac91018d28efe6bd0e&prt=ispassistantbho&tmp=ispassistant_results&keywords=
FF - prefs.js: network.proxy.type - 4
FF - Ext: FinderQuery Extension: [email protected] - c:\program files\Mozilla Firefox\extensions\[email protected]
FF - Ext: IspAssistant Extension: [email protected] - c:\program files\Mozilla Firefox\extensions\[email protected]
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Oberon GamesBar: [email protected] - %profile%\extensions\[email protected]
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Adobe DLM (powered by getPlus®): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
FF - user.js: keyword.URL - hxxp://finderquery.com/?tmp=redir_bho_bing&prt=whitesmokefqbho&keywords=
FF - user.js: keyword.enabled - 1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-28 21:42
Windows 6.0.6001 Service Pack 1 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0007\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(3644)
c:\acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
c:\acer\Empowering Technology\eDataSecurity\x86\sysenv.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLANExt.exe
c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2011-08-28 21:48:58 - machine was rebooted
ComboFix-quarantined-files.txt 2011-08-29 01:48
ComboFix2.txt 2011-08-23 03:45
ComboFix3.txt 2011-08-21 18:39
ComboFix4.txt 2011-08-19 20:06
ComboFix5.txt 2011-08-29 01:04
.
Pre-Run: 3,392,888,832 bytes free
Post-Run: 3,297,681,408 bytes free
.
- - End Of File - - F2D1C5066802D0754503CC35E22DB393
Upload was successful
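The log above is the poster's own output. As an added example that is not part of this thread and not ComboFix's code, the Python below runs a first-pass triage over lines in the formats ComboFix prints for Run values, services/drivers, Internet Explorer proxy settings and Firefox prefs, flagging the things a helper looks at first: a binary launched from a temp directory, a service whose file ComboFix could not find (I read the `[x]` in place of the date and size as its "file not on disk" marker), a core Windows binary such as svchost.exe outside system32, a proxy pointed at the loopback address, and Firefox search or home-page prefs rewritten to a third-party URL. The regular expressions and heuristics are mine. The sample lines are constructed: most are copied from the log above, while the "svchost" Run value and the two proxy lines are made up to show what a hit looks like. A hit is a prompt for a person, not a verdict: CFcatchme.sys is the catchme rootkit scanner's own driver, which ComboFix loads from Temp, so it trips the temp-directory rule by design.

```python
"""Triage a ComboFix log: flag the autostart, service and proxy entries a
malware-removal helper checks first. Added example; line shapes follow
ComboFix output, the heuristics and regexes are my own."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "tag detail line")

# Line shapes as they appear in ComboFix output.
RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"(?:\s+\[(?P<meta>[^\]]*)\])?')
SERVICE = re.compile(r'^(?P<start>[RS]\d)\s+(?P<svc>[^;]+);(?P<disp>[^;]*);(?P<path>.+?)\s+\[(?P<meta>[^\]]*)\]$')
FF_PREF = re.compile(r'^FF - (?:prefs|user)\.js: (?P<pref>\S+) - (?P<val>.*)$')
IE_SETTING = re.compile(r'^[um]Internet Settings,(?P<name>\w+) = (?P<val>.*)$')

LOOPBACK = re.compile(r'\b(?:127\.\d{1,3}\.\d{1,3}\.\d{1,3}|localhost)\b', re.I)
# Core binaries that legitimately live only under system32/syswow64
# (explorer.exe lives in \windows itself, so it is deliberately left out).
CORE_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe", "smss.exe"}
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")
FF_PROXY_PREFS = {"network.proxy.http", "network.proxy.ssl", "network.proxy.socks", "network.proxy.ftp"}
FF_REDIRECT_PREFS = {"keyword.URL", "browser.startup.homepage"}


def _path_findings(path, line):
    """Heuristics for any binary path, whether from a Run value or a service entry."""
    p = path.lower().replace("/", "\\")
    out = []
    if "\\temp\\" in p:
        out.append(Finding("temp-dir", f"runs from a temp directory: {path}", line))
    base = p.rsplit("\\", 1)[-1]
    if base in CORE_BINARIES and not any(d in p for d in SYSTEM_DIRS):
        out.append(Finding("masquerade", f"{base} outside system32: {path}", line))
    return out


def scan_combofix(lines):
    """Return a Finding for every line that trips a heuristic; other lines are ignored."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = RUN_VALUE.match(line)
        if m:
            findings += _path_findings(m.group("path"), line)
            continue
        m = SERVICE.match(line)
        if m:
            findings += _path_findings(m.group("path"), line)
            if m.group("meta").strip() == "x":  # [x]: ComboFix could not find the file
                findings.append(Finding("missing-file", f"service {m.group('svc')} points at a file that is not on disk", line))
            continue
        m = FF_PREF.match(line)
        if m:
            pref, val = m.group("pref"), m.group("val").strip()
            if pref in FF_PROXY_PREFS and LOOPBACK.search(val):
                findings.append(Finding("loopback-proxy", f"Firefox {pref} = {val}", line))
            elif pref in FF_REDIRECT_PREFS and val:
                findings.append(Finding("search-redirect", f"Firefox {pref} = {val}", line))
            continue
        m = IE_SETTING.match(line)
        if m and m.group("name") == "ProxyServer" and LOOPBACK.search(m.group("val")):
            findings.append(Finding("loopback-proxy", f"IE ProxyServer = {m.group('val').strip()}", line))
    return findings


# Constructed sample: most lines copied from the log above; the "svchost" Run value
# and the two proxy lines are made up to show what a hit looks like.
SAMPLE_LOG = r"""
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-11-02 8704]
"svchost"="c:\windows\system\svchost.exe" [2011-08-20 12288]
R3 CFcatchme;CFcatchme;c:\users\tuche\AppData\Local\Temp\CFcatchme.sys [x]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-07-06 22712]
uInternet Settings,ProxyServer = http=127.0.0.1:8080
uInternet Settings,ProxyOverride = *.local
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.type - 4
FF - prefs.js: keyword.URL - hxxp://ispassistant.com/?clid=0628b24ffbbd4eac91018d28efe6bd0e&prt=ispassistantbho&tmp=ispassistant_results&keywords=
""".strip().splitlines()

if __name__ == "__main__":
    for f in scan_combofix(SAMPLE_LOG):
        print(f"[{f.tag}] {f.detail}")
```

Run it with `python triage.py` to see the six hits on the sample; feed it a real ComboFix.txt with `scan_combofix(open(path, encoding="utf-8", errors="replace"))`. Two things the script does not decide for you: `network.proxy.type - 4` is Firefox's auto-detect (WPAD) mode, which is not loopback but is worth resetting to 0 or 5 once a proxy hijack has been cleaned, and the `keyword.URL` and `browser.startup.homepage` hits are search-redirect adware rather than the infection the thread is chasing, so they belong on the cleanup list, not the emergency one.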

#30
patndoris
    Trusted Helper
  • Malware Removal
  • 228 posts
Download & extract this file to its own folder - Registry Search

Launch Registry Search


In the search box, enter ...

c:\windows\system\svchost.exe
termvw32.dll

  • Then click "Ok".
  • Notepad will open with some text in it (the file will also be saved in the program's folder as well).
  • Post this text in your next reply

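What the Registry Search step is doing, as an added example rather than that tool's own code: walk the hives and report every key name, value name or string value that contains one of the two search strings. The point of the first string is that svchost.exe legitimately lives only in \windows\system32 (and syswow64 on 64-bit Windows), so any registry reference to a copy under \windows\system is worth finding precisely because a casual reader sees "svchost.exe" and assumes it is Windows. The Python below uses the standard winreg module for the live walk on Windows; the in-memory snapshot it searches elsewhere is constructed to show what hits look like and is not data from the poster's machine (the "services\example" key and its values are made up).

```python
"""Search the Windows registry for strings (a path, a DLL name) in key names,
value names and string data. Added example: the walk uses Python's winreg;
DEMO_SNAPSHOT is constructed, not data from the poster's machine."""
import sys

try:
    import winreg  # Windows only; the matcher below works without it
except ImportError:
    winreg = None

# The two strings the helper asks to search for.
NEEDLES = [r"c:\windows\system\svchost.exe", "termvw32.dll"]


def _strings(data):
    """String content of a registry value: REG_SZ/REG_EXPAND_SZ as one string,
    REG_MULTI_SZ as a list. DWORD and binary data are not searched."""
    if isinstance(data, str):
        return [data]
    if isinstance(data, (list, tuple)):
        return [d for d in data if isinstance(d, str)]
    return []


def search(keys, needles):
    """keys: iterable of (key_path, [(value_name, data), ...]).
    Returns (key_path, value_name, data) for every value whose name or string
    data contains a needle, and (key_path, None, None) for a key whose own path
    contains one. Matching is case-insensitive substring matching."""
    needles = [n.lower() for n in needles]
    hits = []
    for key_path, values in keys:
        if any(n in key_path.lower() for n in needles):
            hits.append((key_path, None, None))
        for name, data in values:
            haystack = [name.lower()] + [s.lower() for s in _strings(data)]
            if any(n in h for n in needles for h in haystack):
                hits.append((key_path, name, data))
    return hits


def walk_registry(root_name, hive, subkey=""):
    """Yield (key_path, values) for hive\\subkey and everything beneath it,
    silently skipping keys the current token cannot open."""
    try:
        key = winreg.OpenKey(hive, subkey)
    except OSError:
        return
    with key:
        path = f"{root_name}\\{subkey}" if subkey else root_name
        values, i = [], 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:
                break
            values.append((name, data))
            i += 1
        yield path, values
        i = 0
        while True:
            try:
                child = winreg.EnumKey(key, i)
            except OSError:
                break
            i += 1
            yield from walk_registry(root_name, hive, f"{subkey}\\{child}" if subkey else child)


def search_live_registry(needles):
    """Walk HKLM, HKU and HKCU on Windows; run elevated so fewer keys are skipped."""
    if winreg is None:
        raise RuntimeError("winreg is only available on Windows")
    roots = [("HKEY_LOCAL_MACHINE", winreg.HKEY_LOCAL_MACHINE),
             ("HKEY_USERS", winreg.HKEY_USERS),
             ("HKEY_CURRENT_USER", winreg.HKEY_CURRENT_USER)]
    return search((kv for name, hive in roots for kv in walk_registry(name, hive)), needles)


def format_hit(hit):
    """Render a hit in the [key] / "name"=data layout used in the logs above."""
    key_path, name, data = hit
    return f"[{key_path}]" if name is None else f'[{key_path}]\n"{name}"={data!r}'


# Constructed snapshot in the shape walk_registry yields, so the matcher runs anywhere.
DEMO_SNAPSHOT = [
    (r"HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run",
     [("ctfmon.exe", r"c:\windows\system32\ctfmon.exe"),
      ("svchost", r"C:\Windows\System\svchost.exe")]),
    (r"HKEY_LOCAL_MACHINE\system\currentcontrolset\services\example\parameters",
     [("ServiceDll", r"%SystemRoot%\system32\termvw32.dll")]),
    (r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows",
     [("AppInit_DLLs", "termvw32.dll")]),
    (r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost",
     [("HPZ12", ["Pml Driver HPZ12", "Net Driver HPZ12"])]),
    (r"HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run",
     [("msnmsgr", r"c:\program files\Windows Live\Messenger\msnmsgr.exe")]),
]

if __name__ == "__main__":
    needles = sys.argv[1:] or NEEDLES
    hits = search_live_registry(needles) if winreg else search(DEMO_SNAPSHOT, needles)
    for hit in hits:
        print(format_hit(hit))
```

Run it from an elevated prompt as `python regsearch.py "c:\windows\system\svchost.exe" termvw32.dll`; with no arguments it searches for the thread's two strings. On 64-bit Windows a 32-bit Python sees the redirected WOW6432Node view by default, so to cover both views open keys with `winreg.KEY_READ | winreg.KEY_WOW64_64KEY` and again with `KEY_WOW64_32KEY`. A hit is a reference, not proof the file is still there: after a fix the usual result is a stale Run value or service pointing at a file that has already been removed, and the reference is what gets cleaned next.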





