
8 Steps and stuck on step 2

Discussion in 'Virus and Malware Removal' started by misschievous, Oct 16, 2010.

  1. misschievous Newcomer, in training Posts: 53

    grrrr found it ...

    ComboFix 10-10-19.04 - owner 10/20/2010 11:34:38.1.2 - x86 MINIMAL
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3006.2510 [GMT -5:00]
    Running from: C:\Users\owner\Desktop\ComboFix.exe
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Program Files\PlaySushi\PSTExt.dll
    C:\Users\owner\AppData\Local\Microsoft\Windows\Temporary Internet Files\tracker.txt
    C:\Windows\Downloaded Program Files\f3initialsetup1.0.1.0.inf
    C:\Windows\system32\KBL.LOG
    C:\Windows\system32\winsusrm.dll
    C:\Windows\system32\winsusrx.dll
    C:\Windows\system32\xxxuvu.dll
    C:\Windows\winhelp.ini

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_usnjsvc


    ((((((((((((((((((((((((( Files Created from 2010-09-20 to 2010-10-20 )))))))))))))))))))))))))))))))
    .

    2010-10-20 16:45:35 . 2010-10-20 16:55:12 -------- d-----w- C:\Users\owner\AppData\Local\temp
    2010-10-20 16:45:35 . 2010-10-20 16:45:35 -------- d-----w- C:\Users\Default\AppData\Local\temp
    2010-10-20 16:16:50 . 2010-10-20 16:16:52 -------- d-----w- C:\Windows\SQLTools9_KB970892_ENU
    2010-10-20 16:12:57 . 2010-10-20 16:13:00 -------- d-----w- C:\Windows\SQL9_KB970892_ENU
    2010-10-18 17:48:15 . 2010-04-29 20:39:38 38224 ----a-w- C:\Windows\system32\drivers\mbamswissarmy.sys
    2010-10-18 17:48:02 . 2010-10-18 17:56:27 -------- d-----w- C:\Program Files\explorerexplorer
    2010-10-18 17:48:02 . 2010-04-29 20:39:26 20952 ----a-w- C:\Windows\system32\drivers\mbam.sys
    2010-10-18 16:34:32 . 2010-10-20 16:17:14 -------- d-----w- C:\Program Files\Microsoft SQL Server
    2010-10-18 16:33:25 . 2010-10-18 16:33:25 -------- d-----w- C:\Users\owner\AppData\Roaming\EJ innovations
    2010-10-18 16:33:22 . 2010-10-18 16:33:22 -------- d-----w- C:\Users\owner\AppData\Local\EJ_innovations
    2010-10-18 16:31:23 . 2010-10-18 16:31:23 -------- d-----w- C:\Program Files\EJ innovations
    2010-10-17 03:13:59 . 2010-10-17 03:13:59 -------- d-----w- C:\Users\owner\AppData\Roaming\Malwarebytes
    2010-10-17 01:15:30 . 2010-10-17 02:08:20 -------- d-----w- C:\Program Files\Malwarebytes' Anti-Malware
    2010-10-17 01:15:30 . 2010-10-17 01:15:31 -------- d-----w- C:\ProgramData\Malwarebytes
    2010-10-16 19:35:27 . 2010-10-20 16:54:48 111104 ---ha-w- C:\Windows\system32\xxxuvu.dll
    2010-10-16 18:06:48 . 2010-10-16 18:06:48 -------- d-----w- C:\Users\owner\AppData\Roaming\Avira
    2010-10-16 17:59:48 . 2010-03-01 15:05:24 124784 ----a-w- C:\Windows\system32\drivers\avipbb.sys
    2010-10-16 17:59:48 . 2010-02-16 19:24:01 60936 ----a-w- C:\Windows\system32\drivers\avgntflt.sys
    2010-10-16 17:59:48 . 2009-05-11 17:49:28 51992 ----a-w- C:\Windows\system32\drivers\avgntdd.sys
    2010-10-16 17:59:48 . 2009-05-11 17:49:28 17016 ----a-w- C:\Windows\system32\drivers\avgntmgr.sys
    2010-10-16 17:59:46 . 2010-10-16 17:59:46 -------- d-----w- C:\ProgramData\Avira
    2010-10-16 17:59:46 . 2010-10-16 17:59:46 -------- d-----w- C:\Program Files\Avira
    2010-10-15 18:15:51 . 2010-10-15 18:15:51 70144 --sha-r- C:\Windows\system32\wshbth8.dll
    2010-10-15 17:59:42 . 2010-10-15 17:59:42 -------- d-----w- C:\Users\owner\AppData\Local\Radium Technologies
    2010-10-15 17:59:25 . 2010-10-15 17:59:25 -------- dc-h--w- C:\ProgramData\{EFBAD1D6-DB32-4E45-ACA1-FB05458C6D20}
    2010-10-15 17:59:11 . 2010-10-15 17:59:11 -------- d-----w- C:\ProgramData\Radium Technologies
    2010-10-15 17:59:11 . 2010-10-15 17:59:11 -------- d-----w- C:\Program Files\Radium Technologies
    2010-10-15 16:01:13 . 2010-09-09 22:52:57 6084944 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{D478BCDC-EF6E-40DD-8291-6AB98D016A92}\mpengine.dll
    2010-10-14 23:46:23 . 2010-09-13 13:56:02 168960 ----a-w- C:\Program Files\Windows Media Player\wmplayer.exe
    2010-10-14 23:46:22 . 2010-09-13 13:56:41 8147456 ----a-w- C:\Windows\system32\wmploc.DLL
    2010-10-14 23:46:06 . 2010-06-28 17:00:21 1316864 ----a-w- C:\Windows\system32\ole32.dll
    2010-10-14 23:46:06 . 2010-06-28 14:54:38 339968 ----a-w- C:\Program Files\Windows NT\Accessories\wordpad.exe
    2010-10-14 23:46:02 . 2010-08-10 15:53:15 274944 ----a-w- C:\Windows\system32\schannel.dll
    2010-09-29 17:42:04 . 2010-06-22 13:30:58 2048 ----a-w- C:\Windows\system32\tzres.dll
    2010-09-29 17:41:48 . 2010-08-26 04:23:37 13312 ----a-w- C:\Program Files\Internet Explorer\iecompat.dll
    2010-09-27 18:27:53 . 2010-09-27 18:30:31 -------- d-----w- C:\Users\owner\AppData\Roaming\dvdcss

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{EEE6C35D-6118-11DC-9C72-001320C79847}"= "C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgHelper.dll" [2009-10-19 20:15:06 187192]

    [HKEY_CLASSES_ROOT\clsid\{eee6c35d-6118-11dc-9c72-001320c79847}]
    [HKEY_CLASSES_ROOT\SweetIM_URLSearchHook.ToolbarURLSearchHook.1]
    [HKEY_CLASSES_ROOT\TypeLib\{EEE6C35F-6118-11DC-9C72-001320C79847}]
    [HKEY_CLASSES_ROOT\SweetIM_URLSearchHook.ToolbarURLSearchHook]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{399C60D2-38B1-4E25-B9E7-6498C1BC2DCD}]
    2009-05-26 15:41:44 1297920 ----a-w- C:\Program Files\Dogpile Toolbar\Toolbar.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EEE6C35C-6118-11DC-9C72-001320C79847}]
    2009-10-19 20:15:04 1345336 ----a-w- C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{C53FE659-316A-4F56-A194-A5BE491BE866}"= "C:\Program Files\Dogpile Toolbar\Toolbar.dll" [2009-05-26 15:41:44 1297920]
    "{EEE6C35B-6118-11DC-9C72-001320C79847}"= "C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll" [2009-10-19 20:15:04 1345336]

    [HKEY_CLASSES_ROOT\clsid\{c53fe659-316a-4f56-a194-a5be491be866}]
    [HKEY_CLASSES_ROOT\FCTB000060231.IEToolbar.3]
    [HKEY_CLASSES_ROOT\TypeLib\{587A2AD9-5F47-4029-8123-77327768C9F3}]
    [HKEY_CLASSES_ROOT\FCTB000060231.IEToolbar]

    [HKEY_CLASSES_ROOT\clsid\{eee6c35b-6118-11dc-9c72-001320c79847}]
    [HKEY_CLASSES_ROOT\SWEETIE.IEToolbar.1]
    [HKEY_CLASSES_ROOT\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}]
    [HKEY_CLASSES_ROOT\SWEETIE.IEToolbar]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{C53FE659-316A-4F56-A194-A5BE491BE866}"= "C:\Program Files\Dogpile Toolbar\Toolbar.dll" [2009-05-26 15:41:44 1297920]
    "{EEE6C35B-6118-11DC-9C72-001320C79847}"= "C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll" [2009-10-19 20:15:04 1345336]

    [HKEY_CLASSES_ROOT\clsid\{c53fe659-316a-4f56-a194-a5be491be866}]
    [HKEY_CLASSES_ROOT\FCTB000060231.IEToolbar.3]
    [HKEY_CLASSES_ROOT\TypeLib\{587A2AD9-5F47-4029-8123-77327768C9F3}]
    [HKEY_CLASSES_ROOT\FCTB000060231.IEToolbar]

    [HKEY_CLASSES_ROOT\clsid\{eee6c35b-6118-11dc-9c72-001320c79847}]
    [HKEY_CLASSES_ROOT\SWEETIE.IEToolbar.1]
    [HKEY_CLASSES_ROOT\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}]
    [HKEY_CLASSES_ROOT\SWEETIE.IEToolbar]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2]
    @="{747E722C-CB46-4a9d-BDFE-192AAD5099B1}"
    [HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4a9d-BDFE-192AAD5099B1}]
    2010-01-04 15:36:28 2848568 ----a-w- C:\Program Files\MozyHome\mozyshell.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3]
    @="{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}"
    [HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}]
    2010-01-04 15:36:28 2848568 ----a-w- C:\Program Files\MozyHome\mozyshell.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-19 07:33:09 125952]
    "Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2009-04-11 06:28:03 1233920]
    "iifddcsys"="xxxuvu.dll" [2010-10-20 16:54:48 111104]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "Shockwave Updater"="C:\Windows\system32\Adobe\Shockwave 11\SwHelper_1150595.exe" [2009-03-19 15:55:14 460216]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 08:29:10 102400]
    "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 02:17:32 49152]
    "NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2008-12-04 07:42:00 13556256]
    "NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2008-12-04 07:42:00 92704]
    "Microsoft Default Manager"="C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 17:05:02 233304]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2010-03-19 16:57:21 202256]
    "avgnt"="C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 16:28:31 282792]
    "rqpmnosys"="xxxuvu.dll" [2010-10-20 16:54:48 111104]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "mlijkksys"="xxxuvu.dll" [2010-10-20 16:54:48 111104]

    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 xxxuvu.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Corel Desktop Application Director 8.LNK]
    path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Corel Desktop Application Director 8.LNK
    backup=C:\Windows\pss\Corel Desktop Application Director 8.LNK.CommonStartup
    backupExtension=.CommonStartup

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Lotus Organizer EasyClip.lnk]
    path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Lotus Organizer EasyClip.lnk
    backup=C:\Windows\pss\Lotus Organizer EasyClip.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Lotus QuickStart.lnk]
    path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Lotus QuickStart.lnk
    backup=C:\Windows\pss\Lotus QuickStart.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Lotus SmartCenter.lnk]
    path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Lotus SmartCenter.lnk
    backup=C:\Windows\pss\Lotus SmartCenter.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Lotus SuiteStart.lnk]
    path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Lotus SuiteStart.lnk
    backup=C:\Windows\pss\Lotus SuiteStart.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=C:\Windows\pss\Microsoft Office.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^MozyHome Status.lnk]
    path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\MozyHome Status.lnk
    backup=C:\Windows\pss\MozyHome Status.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Vongo Tray.lnk]
    path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Vongo Tray.lnk
    backup=C:\Windows\pss\Vongo Tray.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKLM\~\startupfolder\C:^Users^owner^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^IMVU.lnk]
    path=C:\Users\owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMVU.lnk
    backup=C:\Windows\pss\IMVU.lnk.Startup
    backupExtension=.Startup

    [HKLM\~\startupfolder\C:^Users^owner^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 2.3.lnk]
    path=C:\Users\owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 2.3.lnk
    backup=C:\Windows\pss\OpenOffice.org 2.3.lnk.Startup
    backupExtension=.Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2009-02-27 21:10:28 35696 ----a-w- C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
    2008-07-10 13:47:28 116040 ----a-w- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMUpdate]
    2001-07-03 18:12:36 176128 ----a-w- C:\Windows\System32\BMUpdate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer]
    2007-07-16 16:54:05 311984 ----a-w- C:\Program Files\Lexmark Fax Solutions\fm3032.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Health Check Scheduler]
    2008-06-16 13:03:20 75008 ----a-w- c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2007-10-15 02:17:32 49152 ----a-w- C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPAdvisor]
    2007-10-01 23:10:48 1783136 ----a-w- C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
    2008-06-02 07:55:22 80896 ----a-w- C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
    2007-09-13 15:47:52 480560 ----a-w- C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2008-07-10 14:51:32 289064 ----a-w- C:\Program Files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
    2007-08-24 01:36:30 455968 ----a-w- C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxdiamon]
    2007-07-16 16:54:10 25264 ----a-w- C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxdimon.exe]
    2007-07-16 16:54:07 434864 ----a-w- C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
    2008-10-17 01:57:52 4347120 ----a-w- C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2008-12-04 07:42:00 13556256 ----a-w- C:\Windows\System32\nvcpl.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    2008-12-04 07:42:00 92704 ----a-w- C:\Windows\System32\nvmctray.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvSvc]
    2008-12-04 07:42:00 711200 ----a-w- C:\Windows\System32\nvsvc.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OnScreenDisplay]
    2007-09-04 21:54:20 554320 ----a-w- C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]
    2007-09-19 22:31:34 202032 ----a-w- C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
    2007-10-01 03:34:14 181544 ----a-w- C:\Program Files\HP\QuickPlay\QPService.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2008-05-27 14:50:30 413696 ----a-w- C:\Program Files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
    2008-05-30 19:54:14 21718312 ----a-r- C:\Program Files\Skype\Phone\Skype.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2009-07-25 09:23:12 149280 ----a-w- C:\Program Files\Java\jre6\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SweetIM]
    2010-02-24 18:53:10 111928 ----a-r- C:\Program Files\SweetIM\Messenger\SweetIM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    2010-03-19 16:57:21 202256 ----a-w- C:\Program Files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UCam_Menu]
    2007-08-17 07:13:28 218408 ------w- C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WAWifiMessage]
    2007-01-08 22:53:06 311296 ----a-w- C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
    2008-01-19 07:38:38 1008184 ----a-w- C:\Program Files\Windows Defender\MSASCui.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 18:16:28 130384]
    R2 gupdate;Google Update Service (gupdate);C:\Program Files\Google\Update\GoogleUpdate.exe [2010-10-03 01:52:57 136176]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 18:16:28 753504]
    R3 WSDPrintDevice;WSD Print Support via UMB;C:\Windows\system32\DRIVERS\WSDPrint.sys [2008-01-19 06:14:59 16896]
    S2 AntiVirSchedulerService;Avira AntiVir Scheduler;C:\Program Files\Avira\AntiVir Desktop\sched.exe [2010-02-24 15:28:09 135336]
    S2 lxdi_device;lxdi_device;C:\Windows\system32\lxdicoms.exe [2007-06-11 14:14:51 517040]
    S2 lxdiCATSCustConnectService;lxdiCATSCustConnectService;C:\Windows\system32\spool\DRIVERS\W32X86\3\\lxdiserv.exe [2007-06-11 14:14:42 99248]
    S2 MSSQL$CHEF;SQL Server (CHEF);c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2009-05-27 08:27:04 29262680]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2007-08-24 01:34:48 451872 ----a-w- C:\Program Files\Common Files\LightScribe\LSRunOnce.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2010-10-20 C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    - C:\Program Files\Google\Update\GoogleUpdate.exe [2010-10-03 01:53:23 . 2010-10-03 01:52:57]

    2010-10-20 C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    - C:\Program Files\Google\Update\GoogleUpdate.exe [2010-10-03 01:53:23 . 2010-10-03 01:52:57]

    2010-09-28 C:\Windows\Tasks\HPCeeScheduleForowner.job
    - C:\Program Files\hewlett-packard\sdp\ceement\HPCEE.exe [2007-10-23 05:54:39 . 2007-09-28 18:58:42]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://finance.groups.yahoo.com/group/credit-repair/
    mStart Page = hxxp://home.sweetim.com
    uInternet Settings,ProxyOverride = <local>
    uInternet Settings,ProxyServer = http=127.0.0.1:29775
    IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Users\owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IMVU\Run IMVU.lnk
    DPF: {924B4927-D3BA-41EA-9F7E-8A89194AB3AC} - hxxp://panda-plugin.disney.go.com/plugin/win32/p3dactivex.cab
    .
    - - - - ORPHANS REMOVED - - - -

    URLSearchHooks-{19A0F032-27D7-4227-BBB5-51AA9E5904F5} - C:\Program Files\Dogpile Toolbar\Helper.dll
    WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    HKCU-Run-DW6 - (no file)
    MSConfigStartUp-enaexpjm - C:\Users\owner\AppData\Local\mtyeblktr\umswbxluqiw.exe
    MSConfigStartUp-jdglwenb - C:\Users\owner\AppData\Local\Temp\ratrreivj\xcrhmosyhsn.exe
    MSConfigStartUp-KOO9RV9K4Z - C:\Users\owner\AppData\Local\Temp\Ftx.exe
    MSConfigStartUp-MsnMsgr - ~C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    MSConfigStartUp-SMH2B46TDP - C:\Users\owner\AppData\Local\Temp\Ft0.exe
    MSConfigStartUp-Uniblue RegistryBooster 2009 - c:\program files\uniblue\registrybooster\StartRegistryBooster.exe
    MSConfigStartUp-urdppohx - C:\Users\owner\AppData\Local\iupebtkcs\udujrequqiw.exe
    AddRemove-Corel Remove Program - E:\Corel\AppMan\Setup\remove.exe
  2. crunchie Malware Helper Posts: 761

    Have a look in C:\qoobox to see if it is there.
  3. misschievous Newcomer, in training Posts: 53

    I found the log ... the contents are in post #21

    Still have ghosts of iexplorer, not sure about the redirects ... It didn't when I "tested" it earlier, but last time I spoke too soon.
  4. crunchie Malware Helper Posts: 761

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.
    2. Now copy/paste the entire content of the codebox below into the Notepad window:
    Code:
    
    Folder::
    C:\Program Files\explorerexplorer
    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "iifddcsys"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "rqpmnosys"=-
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "mlijkksys"=-
    
    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    3. Save the above as CFScript.txt

    4. Physically disconnect from the internet.

    5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

    6. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    7. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply after you re-enable all the programs that were disabled during the running of ComboFix:
    • Combofix.txt
    Please take note:

    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
  5. misschievous Newcomer, in training Posts: 53

    ComboFix 10-10-19.04 - owner 10/21/2010 16:32:37.2.2 - x86 MINIMAL
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3006.2564 [GMT -5:00]
    Running from: c:\users\owner\Desktop\ComboFix.exe
    Command switches used :: c:\users\owner\Desktop\CFScript.txt
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\explorerexplorer
    c:\program files\explorerexplorer\changes.rtf
    c:\program files\explorerexplorer\explorer.exe
    c:\program files\explorerexplorer\Languages\belarusian.lng
    c:\program files\explorerexplorer\Languages\bosnian.lng
    c:\program files\explorerexplorer\Languages\bulgarian.lng
    c:\program files\explorerexplorer\Languages\catalan.lng
    c:\program files\explorerexplorer\Languages\chineseSI.lng
    c:\program files\explorerexplorer\Languages\chineseTR.lng
    c:\program files\explorerexplorer\Languages\croatian.lng
    c:\program files\explorerexplorer\Languages\czech.lng
    c:\program files\explorerexplorer\Languages\danish.lng
    c:\program files\explorerexplorer\Languages\dutch.lng
    c:\program files\explorerexplorer\Languages\english.lng
    c:\program files\explorerexplorer\Languages\estonian.lng
    c:\program files\explorerexplorer\Languages\finnish.lng
    c:\program files\explorerexplorer\Languages\french.lng
    c:\program files\explorerexplorer\Languages\german.lng
    c:\program files\explorerexplorer\Languages\greek.lng
    c:\program files\explorerexplorer\Languages\hebrew.lng
    c:\program files\explorerexplorer\Languages\hungarian.lng
    c:\program files\explorerexplorer\Languages\italian.lng
    c:\program files\explorerexplorer\Languages\korean.lng
    c:\program files\explorerexplorer\Languages\latvian.lng
    c:\program files\explorerexplorer\Languages\macedonian.lng
    c:\program files\explorerexplorer\Languages\norwegian.lng
    c:\program files\explorerexplorer\Languages\polish.lng
    c:\program files\explorerexplorer\Languages\portugueseBR.lng
    c:\program files\explorerexplorer\Languages\portuguesePT.lng
    c:\program files\explorerexplorer\Languages\romanian.lng
    c:\program files\explorerexplorer\Languages\russian.lng
    c:\program files\explorerexplorer\Languages\serbian.lng
    c:\program files\explorerexplorer\Languages\slovak.lng
    c:\program files\explorerexplorer\Languages\slovenian.lng
    c:\program files\explorerexplorer\Languages\spanish.lng
    c:\program files\explorerexplorer\Languages\swedish.lng
    c:\program files\explorerexplorer\Languages\turkish.lng
    c:\program files\explorerexplorer\license.txt
    c:\program files\explorerexplorer\mbam.chm
    c:\program files\explorerexplorer\mbam.dll
    c:\program files\explorerexplorer\mbamext.dll
    c:\program files\explorerexplorer\mbamgui.exe
    c:\program files\explorerexplorer\mbamservice.exe
    c:\program files\explorerexplorer\ssubtmr6.dll
    c:\program files\explorerexplorer\unins000.dat
    c:\program files\explorerexplorer\unins000.exe
    c:\program files\explorerexplorer\unins000.msg
    c:\program files\explorerexplorer\vbalsgrid6.ocx
    c:\program files\explorerexplorer\zlib.dll
    c:\windows\system32\byvvvw.dll
    c:\windows\system32\efffec.dll
    c:\windows\system32\hgfcab.dll
    c:\windows\system32\hgghhe.dll
    c:\windows\system32\iifghe.dll
    c:\windows\system32\jkheda.dll
    c:\windows\system32\ljkkig.dll
    c:\windows\system32\mlijgg.dll
    c:\windows\system32\xxxuvu.dll
    c:\windows\system32\yabcda.dll
    .
    ---- Previous Run -------
    .
    c:\program files\PlaySushi\PSTExt.dll
    c:\users\owner\AppData\Local\Microsoft\Windows\Temporary Internet Files\tracker.txt
    c:\windows\Downloaded Program Files\f3initialsetup1.0.1.0.inf
    c:\windows\system32\KBL.LOG
    c:\windows\system32\winsusrm.dll
    c:\windows\system32\winsusrx.dll
    c:\windows\system32\xxxuvu.dll
    c:\windows\winhelp.ini

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_usnjsvc


    ((((((((((((((((((((((((( Files Created from 2010-09-21 to 2010-10-21 )))))))))))))))))))))))))))))))
    .

    2010-10-21 21:44 . 2010-10-21 21:51 -------- d-----w- c:\users\owner\AppData\Local\temp
    2010-10-21 21:44 . 2010-10-21 21:44 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-10-21 21:30 . 2010-10-21 21:30 -------- d-----w- C:\32788R22FWJFW
    2010-10-21 02:38 . 2010-10-21 02:38 118272 ---ha-w- c:\windows\system32\vtrqrr.dll
    2010-10-21 00:38 . 2010-10-21 00:38 118272 ---ha-w- c:\windows\system32\nnonop.dll
    2010-10-20 22:38 . 2010-10-20 22:38 118272 ---ha-w- c:\windows\system32\yaxxwu.dll
    2010-10-20 18:38 . 2010-10-20 18:38 118272 ---ha-w- c:\windows\system32\xxyvuv.dll
    2010-10-20 16:16 . 2010-10-20 16:16 -------- d-----w- c:\windows\SQLTools9_KB970892_ENU
    2010-10-20 16:12 . 2010-10-20 16:13 -------- d-----w- c:\windows\SQL9_KB970892_ENU
    2010-10-18 17:48 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-10-18 17:48 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-10-18 16:34 . 2010-10-20 16:17 -------- d-----w- c:\program files\Microsoft SQL Server
    2010-10-18 16:33 . 2010-10-18 16:33 -------- d-----w- c:\users\owner\AppData\Roaming\EJ innovations
    2010-10-18 16:33 . 2010-10-18 16:33 -------- d-----w- c:\users\owner\AppData\Local\EJ_innovations
    2010-10-18 16:31 . 2010-10-18 16:31 -------- d-----w- c:\program files\EJ innovations
    2010-10-17 03:13 . 2010-10-17 03:13 -------- d-----w- c:\users\owner\AppData\Roaming\Malwarebytes
    2010-10-17 01:15 . 2010-10-17 02:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-10-17 01:15 . 2010-10-17 01:15 -------- d-----w- c:\programdata\Malwarebytes
    2010-10-16 18:06 . 2010-10-16 18:06 -------- d-----w- c:\users\owner\AppData\Roaming\Avira
    2010-10-16 17:59 . 2010-03-01 15:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2010-10-16 17:59 . 2010-02-16 19:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2010-10-16 17:59 . 2009-05-11 17:49 51992 ----a-w- c:\windows\system32\drivers\avgntdd.sys
    2010-10-16 17:59 . 2009-05-11 17:49 17016 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
    2010-10-16 17:59 . 2010-10-16 17:59 -------- d-----w- c:\programdata\Avira
    2010-10-16 17:59 . 2010-10-16 17:59 -------- d-----w- c:\program files\Avira
    2010-10-15 18:15 . 2010-10-15 18:15 70144 --sha-r- c:\windows\system32\wshbth8.dll
    2010-10-15 17:59 . 2010-10-15 17:59 -------- d-----w- c:\users\owner\AppData\Local\Radium Technologies
    2010-10-15 17:59 . 2010-10-15 17:59 -------- dc-h--w- c:\programdata\{EFBAD1D6-DB32-4E45-ACA1-FB05458C6D20}
    2010-10-15 17:59 . 2010-10-15 17:59 -------- d-----w- c:\programdata\Radium Technologies
    2010-10-15 17:59 . 2010-10-15 17:59 -------- d-----w- c:\program files\Radium Technologies
    2010-10-15 16:01 . 2010-09-09 22:52 6084944 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{D478BCDC-EF6E-40DD-8291-6AB98D016A92}\mpengine.dll
    2010-10-14 23:46 . 2010-09-13 13:56 168960 ----a-w- c:\program files\Windows Media Player\wmplayer.exe
    2010-10-14 23:46 . 2010-09-13 13:56 8147456 ----a-w- c:\windows\system32\wmploc.DLL
    2010-10-14 23:46 . 2010-06-28 17:00 1316864 ----a-w- c:\windows\system32\ole32.dll
    2010-10-14 23:46 . 2010-06-28 14:54 339968 ----a-w- c:\program files\Windows NT\Accessories\wordpad.exe
    2010-10-14 23:46 . 2010-08-10 15:53 274944 ----a-w- c:\windows\system32\schannel.dll
    2010-09-29 17:42 . 2010-06-22 13:30 2048 ----a-w- c:\windows\system32\tzres.dll
    2010-09-29 17:41 . 2010-08-26 04:23 13312 ----a-w- c:\program files\Internet Explorer\iecompat.dll
    2010-09-27 18:27 . 2010-09-27 18:30 -------- d-----w- c:\users\owner\AppData\Roaming\dvdcss

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{19A0F032-27D7-4227-BBB5-51AA9E5904F5}"= "c:\program files\Dogpile Toolbar\Helper.dll" [BU]
    "{EEE6C35D-6118-11DC-9C72-001320C79847}"= "c:\program files\SweetIM\Toolbars\Internet Explorer\mgHelper.dll" [2009-10-19 187192]

    [HKEY_CLASSES_ROOT\clsid\{19a0f032-27d7-4227-bbb5-51aa9e5904f5}]
    [HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook.1]
    [HKEY_CLASSES_ROOT\TypeLib\{4F996865-1782-4614-BAF5-C1365A030352}]
    [HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook]

    [HKEY_CLASSES_ROOT\clsid\{eee6c35d-6118-11dc-9c72-001320c79847}]
    [HKEY_CLASSES_ROOT\SweetIM_URLSearchHook.ToolbarURLSearchHook.1]
    [HKEY_CLASSES_ROOT\TypeLib\{EEE6C35F-6118-11DC-9C72-001320C79847}]
    [HKEY_CLASSES_ROOT\SweetIM_URLSearchHook.ToolbarURLSearchHook]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{399C60D2-38B1-4E25-B9E7-6498C1BC2DCD}]
    2009-05-26 15:41 1297920 ----a-w- c:\program files\Dogpile Toolbar\Toolbar.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EEE6C35C-6118-11DC-9C72-001320C79847}]
    2009-10-19 20:15 1345336 ----a-w- c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{C53FE659-316A-4F56-A194-A5BE491BE866}"= "c:\program files\Dogpile Toolbar\Toolbar.dll" [2009-05-26 1297920]
    "{EEE6C35B-6118-11DC-9C72-001320C79847}"= "c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll" [2009-10-19 1345336]

    [HKEY_CLASSES_ROOT\clsid\{c53fe659-316a-4f56-a194-a5be491be866}]
    [HKEY_CLASSES_ROOT\FCTB000060231.IEToolbar.3]
    [HKEY_CLASSES_ROOT\TypeLib\{587A2AD9-5F47-4029-8123-77327768C9F3}]
    [HKEY_CLASSES_ROOT\FCTB000060231.IEToolbar]

    [HKEY_CLASSES_ROOT\clsid\{eee6c35b-6118-11dc-9c72-001320c79847}]
    [HKEY_CLASSES_ROOT\SWEETIE.IEToolbar.1]
    [HKEY_CLASSES_ROOT\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}]
    [HKEY_CLASSES_ROOT\SWEETIE.IEToolbar]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{C53FE659-316A-4F56-A194-A5BE491BE866}"= "c:\program files\Dogpile Toolbar\Toolbar.dll" [2009-05-26 1297920]
    "{EEE6C35B-6118-11DC-9C72-001320C79847}"= "c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll" [2009-10-19 1345336]

    [HKEY_CLASSES_ROOT\clsid\{c53fe659-316a-4f56-a194-a5be491be866}]
    [HKEY_CLASSES_ROOT\FCTB000060231.IEToolbar.3]
    [HKEY_CLASSES_ROOT\TypeLib\{587A2AD9-5F47-4029-8123-77327768C9F3}]
    [HKEY_CLASSES_ROOT\FCTB000060231.IEToolbar]

    [HKEY_CLASSES_ROOT\clsid\{eee6c35b-6118-11dc-9c72-001320c79847}]
    [HKEY_CLASSES_ROOT\SWEETIE.IEToolbar.1]
    [HKEY_CLASSES_ROOT\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}]
    [HKEY_CLASSES_ROOT\SWEETIE.IEToolbar]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2]
    @="{747E722C-CB46-4a9d-BDFE-192AAD5099B1}"
    [HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4a9d-BDFE-192AAD5099B1}]
    2010-01-04 15:36 2848568 ----a-w- c:\program files\MozyHome\mozyshell.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3]
    @="{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}"
    [HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}]
    2010-01-04 15:36 2848568 ----a-w- c:\program files\MozyHome\mozyshell.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
    "DW6"="" [BU]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1150595.exe" [2009-03-19 460216]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-04 13556256]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-04 92704]
    "Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-19 202256]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Corel Desktop Application Director 8.LNK]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Corel Desktop Application Director 8.LNK
    backup=c:\windows\pss\Corel Desktop Application Director 8.LNK.CommonStartup
    backupExtension=.CommonStartup

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Lotus Organizer EasyClip.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Lotus Organizer EasyClip.lnk
    backup=c:\windows\pss\Lotus Organizer EasyClip.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Lotus QuickStart.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Lotus QuickStart.lnk
    backup=c:\windows\pss\Lotus QuickStart.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Lotus SmartCenter.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Lotus SmartCenter.lnk
    backup=c:\windows\pss\Lotus SmartCenter.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Lotus SuiteStart.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Lotus SuiteStart.lnk
    backup=c:\windows\pss\Lotus SuiteStart.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=c:\windows\pss\Microsoft Office.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^MozyHome Status.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\MozyHome Status.lnk
    backup=c:\windows\pss\MozyHome Status.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Vongo Tray.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Vongo Tray.lnk
    backup=c:\windows\pss\Vongo Tray.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKLM\~\startupfolder\C:^Users^owner^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^IMVU.lnk]
    path=c:\users\owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMVU.lnk
    backup=c:\windows\pss\IMVU.lnk.Startup
    backupExtension=.Startup

    [HKLM\~\startupfolder\C:^Users^owner^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 2.3.lnk]
    path=c:\users\owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 2.3.lnk
    backup=c:\windows\pss\OpenOffice.org 2.3.lnk.Startup
    backupExtension=.Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2009-02-27 21:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
    2008-07-10 13:47 116040 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMUpdate]
    2001-07-03 18:12 176128 ----a-w- c:\windows\System32\BMUpdate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\enaexpjm]
    c:\users\owner\AppData\Local\mtyeblktr\umswbxluqiw.exe [BU]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer]
    2007-07-16 16:54 311984 ----a-w- c:\program files\Lexmark Fax Solutions\fm3032.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Health Check Scheduler]
    2008-06-16 13:03 75008 ----a-w- c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2007-10-15 02:17 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPAdvisor]
    2007-10-01 23:10 1783136 ----a-w- c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
    2008-06-02 07:55 80896 ----a-w- c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
    2007-09-13 15:47 480560 ----a-w- c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2008-07-10 14:51 289064 ----a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jdglwenb]
    c:\users\owner\AppData\Local\Temp\ratrreivj\xcrhmosyhsn.exe [BU]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KOO9RV9K4Z]
    c:\users\owner\AppData\Local\Temp\Ftx.exe [BU]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
    2007-08-24 01:36 455968 ----a-w- c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxdiamon]
    2007-07-16 16:54 25264 ----a-w- c:\program files\Lexmark 3500-4500 Series\lxdiamon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxdimon.exe]
    2007-07-16 16:54 434864 ----a-w- c:\program files\Lexmark 3500-4500 Series\lxdimon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
    2008-10-17 01:57 4347120 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
    ~c:\program files\Windows Live\Messenger\msnmsgr.exe [BU]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2008-12-04 07:42 13556256 ----a-w- c:\windows\System32\nvcpl.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    2008-12-04 07:42 92704 ----a-w- c:\windows\System32\nvmctray.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvSvc]
    2008-12-04 07:42 711200 ----a-w- c:\windows\System32\nvsvc.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OnScreenDisplay]
    2007-09-04 21:54 554320 ----a-w- c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]
    2007-09-19 22:31 202032 ----a-w- c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
    2007-10-01 03:34 181544 ----a-w- c:\program files\HP\QuickPlay\QPService.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2008-05-27 14:50 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
    2008-05-30 19:54 21718312 ----a-r- c:\program files\Skype\Phone\Skype.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMH2B46TDP]
    c:\users\owner\AppData\Local\Temp\Ft0.exe [BU]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2009-07-25 09:23 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SweetIM]
    2010-02-24 18:53 111928 ----a-r- c:\program files\SweetIM\Messenger\SweetIM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    2010-03-19 16:57 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UCam_Menu]
    2007-08-17 07:13 218408 ------w- c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2009]
    c:\program files\uniblue\registrybooster\StartRegistryBooster.exe [BU]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\urdppohx]
    c:\users\owner\AppData\Local\iupebtkcs\udujrequqiw.exe [BU]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WAWifiMessage]
    2007-01-08 22:53 311296 ----a-w- c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
    2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-10-03 136176]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2008-01-19 16896]
    S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-02-24 135336]
    S2 lxdi_device;lxdi_device;c:\windows\system32\lxdicoms.exe [2007-06-11 517040]
    S2 lxdiCATSCustConnectService;lxdiCATSCustConnectService;c:\windows\system32\spool\DRIVERS\W32X86\3\\lxdiserv.exe [2007-06-11 99248]
    S2 MSSQL$CHEF;SQL Server (CHEF);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2009-05-27 29262680]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2007-08-24 01:34 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2010-10-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-10-03 01:52]

    2010-10-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-10-03 01:52]

    2010-09-28 c:\windows\Tasks\HPCeeScheduleForowner.job
    - c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2007-10-23 18:58]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://finance.groups.yahoo.com/group/credit-repair/
    mStart Page = hxxp://home.sweetim.com
    uInternet Settings,ProxyOverride = <local>
    uInternet Settings,ProxyServer = http=127.0.0.1:29775
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\users\owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IMVU\Run IMVU.lnk
    DPF: {924B4927-D3BA-41EA-9F7E-8A89194AB3AC} - hxxp://panda-plugin.disney.go.com/plugin/win32/p3dactivex.cab
    .
    - - - - ORPHANS REMOVED - - - -

    WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    HKCU-Run-qomnomaudio - yabcda.dll
    HKCU-Run-jkhebasys - xxxuvu.dll
    HKLM-Run-yaxyyxaudio - yabcda.dll
    HKLM-Run-jkhhfgsys - xxxuvu.dll
    HKU-Default-Run-wvvwuvaudio - yabcda.dll
    HKU-Default-Run-yabcawsys - xxxuvu.dll
    AddRemove-Malwarebytes' Anti-Malware_is1 - c:\program files\explorerexplorer\unins000.exe



    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x87814EC5]<<
    kernel: MBR read successfully
    detected MBR rootkit hooks:
    \Driver\Disk -> CLASSPNP.SYS @ 0x8a5a5d24
    \Driver\ACPI -> acpi.sys @ 0x8060ed68
    \Driver\atapi -> ataport.SYS @ 0x8072aa2c
    IoDeviceObjectType ->\Device\Harddisk0\DR0 ->user & kernel MBR OK

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\nvvsvc.exe
    c:\windows\system32\AUDIODG.EXE
    c:\windows\system32\rundll32.exe
    c:\windows\system32\WLANExt.exe
    c:\program files\Avira\AntiVir Desktop\avguard.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Avira\AntiVir Desktop\avshadow.exe
    c:\program files\Common Files\LightScribe\LSSrvc.exe
    c:\windows\system32\spool\DRIVERS\W32X86\3\lxdiserv.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\program files\MozyHome\mozybackup.exe
    c:\program files\MozyHome\mozybackup.exe
    c:\program files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
    c:\program files\MozyHome\mozybackup.exe
    c:\program files\CyberLink\Shared Files\RichVideo.exe
    c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
    c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    c:\windows\system32\DRIVERS\xaudio.exe
    c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
    c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
    .
    **************************************************************************
    .
    Completion time: 2010-10-21 17:09:35 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-10-21 22:09

    Pre-Run: 106,829,778,944 bytes free
    Post-Run: 106,657,832,960 bytes free

    - - End Of File - - DFDB943EF02DE635E203D25E8743E5CC
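The ComboFix log just posted carries several indicators that a responder would pull out by hand: `ProxyServer = http=127.0.0.1:29775` (Internet Explorer routed through a listener on the machine itself), `"EnableLUA"= 0` (UAC switched off), `"DisableMonitoring"=dword:00000001` under Security Center, startupreg entries pointing at randomly named executables under `AppData\Local` and `Temp`, orphaned Run values that loaded `yabcda.dll` and `xxxuvu.dll` by bare file name, and `wshbth8.dll` sitting in system32 with hidden and system attributes. The script below is an added example, not part of ComboFix and not the thread's own code: it runs those checks as rules over lines copied from the log above (the sample is assembled by the editor from that log, with benign lines mixed in), and the rule names and heuristics are the editor's assumptions rather than anything ComboFix itself reports.

```python
"""Triage a pasted ComboFix log for persistence and tampering indicators.

Added example, not part of ComboFix. The rules are the editor's heuristics
drawn from the log in this thread; the rule names are assumptions.
"""
import re
from collections import Counter

# Constructed sample: lines copied verbatim from the ComboFix log above,
# mixed with benign lines from the same log so the rules have noise to ignore.
SAMPLE_LOG = r"""
2010-10-15 18:15 . 2010-10-15 18:15 70144 --sha-r- c:\windows\system32\wshbth8.dll
2010-10-14 23:46 . 2010-08-10 15:53 274944 ----a-w- c:\windows\system32\schannel.dll
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"EnableLUA"= 0 (0x0)
"DisableMonitoring"=dword:00000001
c:\users\owner\AppData\Local\mtyeblktr\umswbxluqiw.exe [BU]
c:\users\owner\AppData\Local\Temp\Ftx.exe [BU]
2009-02-27 21:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
uInternet Settings,ProxyServer = http=127.0.0.1:29775
HKCU-Run-jkhebasys - xxxuvu.dll
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
"""

# An .exe under the user's AppData\Local tree (including Temp): writable
# without admin rights, and the usual drop site for randomly named droppers.
USER_WRITABLE_EXE = re.compile(r'c:\\users\\[^\\]+\\appdata\\local\\.*\.exe\b', re.I)
PROXY = re.compile(r'ProxyServer\s*=\s*(\S+)', re.I)
UAC_OFF = re.compile(r'"EnableLUA"\s*=\s*0\b', re.I)
SC_MONITOR_OFF = re.compile(r'"DisableMonitoring"\s*=\s*dword:0*1\b', re.I)
# ComboFix's orphan list: a Run value that named a DLL by bare file name.
ORPHAN_RUN_DLL = re.compile(r'^(?:HKCU|HKLM|HKU-\w+)-Run-\S+ - \S+\.dll$', re.I)
# ComboFix attribute column (d c s h a r w, '-' when unset) before a path.
FILE_ATTRS = re.compile(r'\s([dcsharw-]{8})\s+(c:\\windows\\system32\\.+)$', re.I)


def is_loopback_proxy(value):
    """True when any protocol in an IE ProxyServer value points at this host.

    'http=127.0.0.1:29775' -> True, 'proxy.example:8080' -> False.
    """
    for part in value.split(';'):
        hostport = part.split('=', 1)[-1]
        host = hostport.rsplit(':', 1)[0]
        if host == 'localhost' or host.startswith('127.'):
            return True
    return False


def triage(log_text):
    """Return (rule, line) pairs for every line that trips a rule."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if USER_WRITABLE_EXE.search(line):
            findings.append(('autostart-user-writable', line))
        m = PROXY.search(line)
        if m and is_loopback_proxy(m.group(1)):
            # Browser traffic is being routed through a local listener.
            findings.append(('loopback-proxy', line))
        if UAC_OFF.search(line):
            findings.append(('uac-disabled', line))
        if SC_MONITOR_OFF.search(line):
            findings.append(('security-center-monitoring-off', line))
        if ORPHAN_RUN_DLL.match(line):
            findings.append(('orphan-run-dll', line))
        m = FILE_ATTRS.search(line)
        if m and {'s', 'h'} <= set(m.group(1).lower()):
            # hidden+system on a file in system32 keeps it out of a default dir listing
            findings.append(('hidden-system-file', line))
    return findings


def summarize(log_text):
    """Count how many lines hit each rule."""
    return Counter(rule for rule, _ in triage(log_text))


if __name__ == '__main__':
    for rule, line in triage(SAMPLE_LOG):
        print(f'{rule:32} {line}')
```

Run it against a full pasted log and the output is a short list to check first; the loopback-proxy rule in particular is worth acting on immediately, since every HTTP request from the browser passes through whatever is listening on that port until the proxy setting is cleared.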
  6. crunchie Malware Helper Posts: 761

    Download Bootkit Remover to your Desktop.

    • You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/
    • After extracting remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users, right-click on remover.exe and click Run As Administrator).
    • It will show a Black screen with some data on it.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.
     
  7. misschievous Newcomer, in training Posts: 53

    Bootkit Remover
    (c) 2009 eSage Lab
    www.esagelab.com

    Program version: 1.2.0.0
    OS Version: Microsoft Windows Vista Home Premium Edition Service Pack 2 (build 6002), 32-bit

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
    Boot sector MD5 is: df1c10548966c4f16c540ebf80ffd180

    Size Device Name MBR Status
    --------------------------------------------
    232 GB \\.\PhysicalDrive0 Unknown boot code

    Unknown boot code has been found on some of your physical disks.
    To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]
    To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>


    Done;
    Press any key to quit...
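Both the `\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00` line and the "Unknown boot code" verdict above come from reading sector 0 of the disk: the partition table gives the volume's starting LBA, and the executable part of the sector is hashed and looked up against known-good loaders. The script below is an added example, not eSage Lab's Bootkit Remover or the MBRCheck tool: it parses a 512-byte MBR, derives the volume offset from the partition entry (LBA 63 x 512 bytes = 0x7e00, the value in the output above) and compares an MD5 of the 440-byte boot-code area against an allowlist. The boot code, partition table, allowlist and the "infected" variant are constructed for the demo, and hashing exactly the 440-byte code region is the editor's assumption about how such tools work, not a statement about either tool.

```python
"""Parse a 512-byte MBR and check its boot code against an allowlist.

Added example, not eSage Lab's or the MBRCheck author's code. Layout is the
standard MBR layout; which region the real tools hash is an assumption.
"""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440        # bytes 0..439: executable boot code
SIG_OFF = 440              # 4-byte Windows disk signature, then 2 reserved bytes
PART_TABLE_OFF = 446       # 4 x 16-byte partition entries
MBR_MAGIC = b'\x55\xaa'    # bytes 510..511


def build_mbr(boot_code, parts, disk_sig=0x2D4F1A8C):
    """Assemble a sector from a boot-code blob and (status, type, lba, count) tuples.

    Constructed input for the demo; CHS fields are left zero since modern
    loaders use the LBA fields.
    """
    code = boot_code.ljust(BOOT_CODE_LEN, b'\x00')[:BOOT_CODE_LEN]
    table = b''
    for status, ptype, lba, count in parts:
        table += struct.pack('<B3sB3sII', status, b'\x00' * 3, ptype, b'\x00' * 3, lba, count)
    table = table.ljust(64, b'\x00')
    return code + struct.pack('<I', disk_sig) + b'\x00\x00' + table + MBR_MAGIC


def parse_mbr(sector):
    """Split a raw sector into boot-code hash, disk signature and partition entries."""
    if len(sector) != SECTOR:
        raise ValueError('MBR must be exactly 512 bytes')
    parts = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from('<B3xB3xII', sector, PART_TABLE_OFF + 16 * i)
        if ptype == 0:
            continue  # empty slot
        parts.append({
            'bootable': status == 0x80,
            'type': ptype,
            'lba_start': lba,
            'sectors': count,
            'byte_offset': lba * SECTOR,   # where the volume's own boot sector lives
        })
    return {
        'magic_ok': sector[510:512] == MBR_MAGIC,
        'disk_signature': struct.unpack_from('<I', sector, SIG_OFF)[0],
        'boot_code_md5': hashlib.md5(sector[:BOOT_CODE_LEN]).hexdigest(),
        'sector_md5': hashlib.md5(sector).hexdigest(),
        'partitions': parts,
    }


def classify(sector, known_good):
    """'known' if the boot code hash is allowlisted, 'unknown' if not, 'invalid' if no 55AA."""
    info = parse_mbr(sector)
    if not info['magic_ok']:
        return 'invalid'
    return 'known' if info['boot_code_md5'] in known_good else 'unknown'


def read_mbr(device=r'\\.\PhysicalDrive0'):
    """Read sector 0 from a raw device (administrator on Windows) or from a dump file."""
    with open(device, 'rb') as fh:
        return fh.read(SECTOR)


# Constructed "clean" loader: the usual xor ax,ax / mov ss,ax / mov sp,0x7c00
# prologue padded with NOPs. The allowlist holds its hash.
CLEAN_CODE = b'\x33\xc0\x8e\xd0\xbc\x00\x7c' + b'\x90' * 433
# One bootable NTFS partition starting at LBA 63, as on the thread's disk.
PARTS = [(0x80, 0x07, 63, 487_000_000)]
CLEAN_MBR = build_mbr(CLEAN_CODE, PARTS)
KNOWN_GOOD = {hashlib.md5(CLEAN_CODE).hexdigest()}
# Same partition table, but the first instruction is replaced by a short jump:
# a stand-in for a bootkit hooking the loader without touching the partitions.
INFECTED_MBR = build_mbr(b'\xeb\x58' + CLEAN_CODE[2:], PARTS)

if __name__ == '__main__':
    for name, mbr in (('clean', CLEAN_MBR), ('patched', INFECTED_MBR)):
        info = parse_mbr(mbr)
        print(name, classify(mbr, KNOWN_GOOD), info['boot_code_md5'],
              [hex(p['byte_offset']) for p in info['partitions']])
```

The point of hashing only the code area is that the disk signature and partition table legitimately differ from machine to machine, while a stock loader does not; a boot sector whose partition table parses cleanly but whose code hash matches nothing is exactly the "Unknown boot code" case, which is why the tool offers a dump command for manual inspection rather than deciding on its own. `read_mbr` is included for use on a real disk or a dump file and is not exercised here.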
  8. crunchie Malware Helper Posts: 761

    Open Notepad
    Copy and paste following text into Notepad:
    Code:
    @ECHO OFF
    REM Run Bootkit Remover's fix command against the first physical disk
    START remover.exe fix \\.\PhysicalDrive0
    EXIT
    Go to FILE > SAVE AS and, in the SAVE AS TYPE dropdown box, select ALL FILES.
    Then in the FILE NAME box type fix.bat.
    Save fix.bat to your Desktop.

    Run fix.bat by double clicking.
    You may see a black box appear; this is normal.

    When done, run remover.exe again and post its output.
  9. misschievous Newcomer, in training Posts: 53

    remover.exe not found

    Was it supposed to be "bootkit_remover.exe"?
  10. misschievous Newcomer, in training Posts: 53

    I just renamed it ....

    Bootkit Remover
    (c) 2009 eSage Lab
    www.esagelab.com

    Program version: 1.2.0.0
    OS Version: Microsoft Windows Vista Home Premium Edition Service Pack 2 (build 6002), 32-bit

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
    Restoring boot code at \\.\PhysicalDrive0...
    ERROR: No standard boot code found for your OS.
    You can restore boot code only for Windows XP, Server 2003, Vista, Server 2008 and Windows 7

    Done;
    Press any key to quit...
  11. crunchie Malware Helper Posts: 761

    No, but I've had this problem before.

    Try this one instead.

    Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    A report called MBRcheckxxxx.txt will be on your desktop.
    Open this report and post its content in your next reply.
  12. misschievous Newcomer, in training Posts: 53

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows Vista Home Premium Edition
    Windows Information: Service Pack 2 (build 6002), 32-bit
    Base Board Manufacturer: Quanta
    BIOS Manufacturer: Hewlett-Packard
    System Manufacturer: Hewlett-Packard
    System Product Name: HP Pavilion dv9700 Notebook PC
    Logical Drives Mask: 0x0000001c

    Kernel Drivers (total 161):
    0x82435000 \SystemRoot\system32\ntkrnlpa.exe
    0x82402000 \SystemRoot\system32\hal.dll
    0x8040A000 \SystemRoot\system32\kdcom.dll
    0x80411000 \SystemRoot\system32\PSHED.dll
    0x80422000 \SystemRoot\system32\BOOTVID.dll
    0x8042A000 \SystemRoot\system32\CLFS.SYS
    0x8046B000 \SystemRoot\system32\CI.dll
    0x8054B000 \SystemRoot\system32\drivers\Wdf01000.sys
    0x805C7000 \SystemRoot\system32\drivers\WDFLDR.SYS
    0x80606000 \SystemRoot\system32\drivers\acpi.sys
    0x8064C000 \SystemRoot\system32\drivers\WMILIB.SYS
    0x80655000 \SystemRoot\system32\drivers\msisadrv.sys
    0x8065D000 \SystemRoot\system32\drivers\pci.sys
    0x80684000 \SystemRoot\System32\drivers\partmgr.sys
    0x80693000 \SystemRoot\system32\DRIVERS\compbatt.sys
    0x80696000 \SystemRoot\system32\DRIVERS\BATTC.SYS
    0x806A0000 \SystemRoot\system32\drivers\volmgr.sys
    0x806AF000 \SystemRoot\System32\drivers\volmgrx.sys
    0x806F9000 \SystemRoot\system32\drivers\pciide.sys
    0x80700000 \SystemRoot\system32\drivers\PCIIDEX.SYS
    0x8070E000 \SystemRoot\System32\drivers\mountmgr.sys
    0x8071E000 \SystemRoot\system32\drivers\atapi.sys
    0x80726000 \SystemRoot\system32\drivers\ataport.SYS
    0x80744000 \SystemRoot\system32\drivers\fltmgr.sys
    0x80776000 \SystemRoot\system32\drivers\fileinfo.sys
    0x80786000 \SystemRoot\System32\Drivers\ksecdd.sys
    0x82A0D000 \SystemRoot\system32\drivers\ndis.sys
    0x82B18000 \SystemRoot\system32\drivers\msrpc.sys
    0x82B43000 \SystemRoot\system32\drivers\NETIO.SYS
    0x8A204000 \SystemRoot\System32\drivers\tcpip.sys
    0x8A2EE000 \SystemRoot\System32\drivers\fwpkclnt.sys
    0x8A400000 \SystemRoot\System32\Drivers\Ntfs.sys
    0x8A510000 \SystemRoot\system32\drivers\wd.sys
    0x8A518000 \SystemRoot\system32\drivers\volsnap.sys
    0x8A551000 \SystemRoot\System32\Drivers\spldr.sys
    0x8A559000 \SystemRoot\System32\Drivers\mup.sys
    0x8A568000 \SystemRoot\System32\drivers\ecache.sys
    0x8A58F000 \SystemRoot\system32\drivers\disk.sys
    0x8A5A0000 \SystemRoot\system32\drivers\CLASSPNP.SYS
    0x8A5C1000 \SystemRoot\system32\drivers\crcdisk.sys
    0x8A5EA000 \SystemRoot\system32\DRIVERS\tunnel.sys
    0x8A5F5000 \SystemRoot\system32\DRIVERS\tunmp.sys
    0x8A309000 \SystemRoot\system32\DRIVERS\amdk8.sys
    0x8A319000 \SystemRoot\system32\DRIVERS\CmBatt.sys
    0x8A5FE000 \SystemRoot\system32\DRIVERS\HpqRemHid.sys
    0x8A31D000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    0x8A32D000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    0x8A334000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
    0x8A33D000 \SystemRoot\system32\DRIVERS\nvsmu.sys
    0x8A340000 \SystemRoot\system32\DRIVERS\usbohci.sys
    0x8A34A000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0x8A388000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0x8A397000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0x8A3AF000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
    0x8DE01000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0x8DE8E000 \SystemRoot\system32\DRIVERS\ohci1394.sys
    0x8DE9E000 \SystemRoot\system32\DRIVERS\1394BUS.SYS
    0x8DEAC000 \SystemRoot\system32\DRIVERS\sdbus.sys
    0x8DEC6000 \SystemRoot\system32\DRIVERS\rimmptsk.sys
    0x8DED5000 \SystemRoot\system32\DRIVERS\rimsptsk.sys
    0x8DEE9000 \SystemRoot\system32\DRIVERS\rixdptsk.sys
    0x8E40F000 \SystemRoot\system32\DRIVERS\nvmfdx32.sys
    0x8E20F000 \SystemRoot\system32\DRIVERS\bcmwl6.sys
    0x8E602000 \SystemRoot\system32\DRIVERS\nvlddmkm.sys
    0x8ED44000 \SystemRoot\System32\drivers\dxgkrnl.sys
    0x8EDE5000 \SystemRoot\System32\drivers\watchdog.sys
    0x8E311000 \SystemRoot\system32\DRIVERS\i8042prt.sys
    0x8EDF1000 \SystemRoot\system32\DRIVERS\HpqKbFiltr.sys
    0x8E324000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0x8E32F000 \SystemRoot\system32\DRIVERS\SynTP.sys
    0x8EDF6000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0x8E35D000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0x8E368000 \SystemRoot\system32\DRIVERS\msiscsi.sys
    0x8E397000 \SystemRoot\system32\DRIVERS\storport.sys
    0x8E3D8000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0x8E3E3000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0x8E200000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0x8E510000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0x8E533000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0x8E542000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0x8E556000 \SystemRoot\system32\DRIVERS\rassstp.sys
    0x8E56B000 \SystemRoot\system32\DRIVERS\termdd.sys
    0x8EDF8000 \SystemRoot\system32\DRIVERS\swenum.sys
    0x8E57B000 \SystemRoot\system32\DRIVERS\ks.sys
    0x8E5A5000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0x8E5AF000 \SystemRoot\system32\DRIVERS\umbus.sys
    0x8E5BC000 \SystemRoot\system32\DRIVERS\kbdhid.sys
    0x8E5C5000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0x8DF3A000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0x8DF4B000 \SystemRoot\system32\drivers\CHDART.sys
    0x8DF7B000 \SystemRoot\system32\drivers\portcls.sys
    0x8DFA8000 \SystemRoot\system32\drivers\drmk.sys
    0x8A3B2000 \SystemRoot\system32\DRIVERS\HSXHWAZL.sys
    0x8F80A000 \SystemRoot\system32\DRIVERS\HSX_DPV.sys
    0x8F90D000 \SystemRoot\system32\DRIVERS\HSX_CNXT.sys
    0x8F9C2000 \SystemRoot\system32\drivers\modem.sys
    0x8F9D8000 \SystemRoot\system32\DRIVERS\usbccgp.sys
    0x8E400000 \SystemRoot\system32\DRIVERS\usbscan.sys
    0x8F800000 \SystemRoot\system32\DRIVERS\usbprint.sys
    0x8DFCD000 \SystemRoot\system32\DRIVERS\dot4usb.sys
    0x8DFDA000 \SystemRoot\system32\DRIVERS\Dot4.sys
    0x82B7E000 \SystemRoot\System32\Drivers\usbvideo.sys
    0x8F9F7000 \SystemRoot\system32\DRIVERS\Dot4Prt.sys
    0x82B9F000 \SystemRoot\system32\DRIVERS\mozy.sys
    0x8A3F0000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0x8A3F9000 \SystemRoot\System32\Drivers\Null.SYS
    0x82BB2000 \SystemRoot\System32\Drivers\Beep.SYS
    0x82BB9000 \SystemRoot\System32\drivers\vga.sys
    0x82BC5000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
    0x82BE6000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0x82BEE000 \SystemRoot\system32\drivers\rdpencdd.sys
    0x82A00000 \SystemRoot\System32\Drivers\Msfs.SYS
    0x805D4000 \SystemRoot\System32\Drivers\Npfs.SYS
    0x82BF6000 \SystemRoot\System32\DRIVERS\rasacd.sys
    0x805E2000 \SystemRoot\system32\DRIVERS\tdx.sys
    0x9000C000 \SystemRoot\system32\DRIVERS\smb.sys
    0x90020000 \SystemRoot\system32\drivers\afd.sys
    0x90068000 \SystemRoot\System32\DRIVERS\netbt.sys
    0x9009A000 \SystemRoot\system32\DRIVERS\pacer.sys
    0x900B0000 \SystemRoot\system32\DRIVERS\netbios.sys
    0x900BE000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0x900D1000 \SystemRoot\system32\DRIVERS\ssmdrv.sys
    0x900D7000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0x90113000 \SystemRoot\system32\drivers\nsiproxy.sys
    0x9011D000 \SystemRoot\System32\Drivers\dfsc.sys
    0x90134000 \SystemRoot\system32\DRIVERS\avipbb.sys
    0x90156000 \SystemRoot\System32\Drivers\crashdmp.sys
    0x90163000 \SystemRoot\System32\Drivers\dump_dumpata.sys
    0x9016E000 \SystemRoot\System32\Drivers\dump_atapi.sys
    0x95610000 \SystemRoot\System32\win32k.sys
    0x90176000 \SystemRoot\System32\drivers\Dxapi.sys
    0x90180000 \SystemRoot\system32\DRIVERS\monitor.sys
    0x95830000 \SystemRoot\System32\TSDDD.dll
    0x95850000 \SystemRoot\System32\cdd.dll
    0x9018F000 \SystemRoot\system32\drivers\luafv.sys
    0x901AA000 \SystemRoot\system32\DRIVERS\avgntflt.sys
    0xA1C01000 \SystemRoot\system32\drivers\spsys.sys
    0xA1CB1000 \SystemRoot\system32\DRIVERS\lltdio.sys
    0xA1CC1000 \SystemRoot\system32\DRIVERS\nwifi.sys
    0xA1CEB000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0xA1CF5000 \SystemRoot\system32\DRIVERS\rspndr.sys
    0xA1D08000 \SystemRoot\system32\drivers\HTTP.sys
    0xA1D75000 \SystemRoot\System32\DRIVERS\srvnet.sys
    0xA1D92000 \SystemRoot\system32\DRIVERS\bowser.sys
    0xA1DAB000 \SystemRoot\System32\drivers\mpsdrv.sys
    0xA1DC0000 \SystemRoot\system32\drivers\mrxdav.sys
    0xA1DE1000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0x901C7000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
    0x8A5CA000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
    0xA2C03000 \SystemRoot\System32\DRIVERS\srv2.sys
    0xA2C2B000 \SystemRoot\System32\DRIVERS\srv.sys
    0xA2C91000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
    0xA2C95000 \SystemRoot\system32\drivers\peauth.sys
    0xA2D73000 \??\C:\Windows\system32\drivers\pmemnt.sys
    0xA2D75000 \SystemRoot\System32\Drivers\secdrv.SYS
    0xA2D7F000 \SystemRoot\System32\drivers\tcpipreg.sys
    0xA2D8B000 \SystemRoot\system32\DRIVERS\xaudio.sys
    0xA2D93000 \SystemRoot\system32\DRIVERS\cdfs.sys
    0xA2DAB000 \SystemRoot\system32\DRIVERS\hidusb.sys
    0xA2DB4000 \SystemRoot\system32\DRIVERS\mouhid.sys
    0x77010000 \Windows\System32\ntdll.dll

    Processes (total 77):
    0 System Idle Process
    4 System
    432 C:\Windows\System32\smss.exe
    500 csrss.exe
    552 C:\Windows\System32\wininit.exe
    560 csrss.exe
    596 C:\Windows\System32\services.exe
    612 C:\Windows\System32\lsass.exe
    620 C:\Windows\System32\lsm.exe
    644 C:\Windows\System32\winlogon.exe
    800 C:\Windows\System32\svchost.exe
    868 C:\Windows\System32\nvvsvc.exe
    900 C:\Windows\System32\svchost.exe
    1000 C:\Windows\System32\svchost.exe
    1032 C:\Windows\System32\svchost.exe
    1064 C:\Windows\System32\svchost.exe
    1212 C:\Windows\System32\audiodg.exe
    1236 C:\Windows\System32\svchost.exe
    1292 C:\Windows\System32\SLsvc.exe
    1336 C:\Windows\System32\rundll32.exe
    1364 C:\Windows\System32\svchost.exe
    1484 C:\Windows\System32\svchost.exe
    1668 C:\Windows\System32\wlanext.exe
    1712 C:\Windows\System32\spoolsv.exe
    1720 C:\Windows\System32\taskeng.exe
    1760 C:\Program Files\Avira\AntiVir Desktop\sched.exe
    1788 C:\Windows\System32\svchost.exe
    1856 C:\Windows\System32\rundll32.exe
    680 C:\Windows\System32\dwm.exe
    1164 C:\Windows\explorer.exe
    700 C:\Windows\System32\taskeng.exe
    2128 C:\Program Files\Synaptics\SynTP\SynTPStart.exe
    2136 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    2164 C:\Windows\System32\rundll32.exe
    2412 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    2468 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    2480 C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    2524 C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    2552 C:\Windows\ehome\ehtray.exe
    2568 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    2592 C:\Program Files\Windows Sidebar\sidebar.exe
    2608 C:\Program Files\Bonjour\mDNSResponder.exe
    2628 C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    2692 C:\Windows\System32\svchost.exe
    2804 C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    2816 C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    2860 C:\Windows\System32\spool\drivers\w32x86\3\lxdiserv.exe
    2900 C:\Windows\System32\lxdicoms.exe
    2956 C:\Program Files\Common Files\microsoft shared\VS7DEBUG\MDM.EXE
    2992 C:\Windows\ehome\ehmsas.exe
    3020 C:\Program Files\MozyHome\mozybackup.exe
    3080 C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
    3116 C:\Windows\System32\svchost.exe
    3168 C:\Windows\System32\svchost.exe
    3224 C:\Windows\System32\svchost.exe
    3268 C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
    3628 C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    3652 C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    3696 C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
    3732 C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    3832 C:\Windows\System32\svchost.exe
    3852 C:\Program Files\MozyHome\mozybackup.exe
    3908 C:\Windows\System32\svchost.exe
    3988 C:\Windows\System32\SearchIndexer.exe
    4076 C:\Windows\System32\drivers\XAudio.exe
    792 C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
    4240 C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
    4292 C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
    4888 C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
    5580 C:\Program Files\Avira\AntiVir Desktop\avscan.exe
    5792 C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Service.exe
    5228 C:\Program Files\Internet Explorer\iexplore.exe
    4500 C:\Program Files\Internet Explorer\iexplore.exe
    4512 C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
    5460 C:\Windows\System32\SearchProtocolHost.exe
    4036 C:\Windows\System32\SearchFilterHost.exe
    5364 C:\Users\owner\Desktop\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
    \\.\D: --> \\.\PhysicalDrive0 at offset 0x00000037`3db0da00 (NTFS)

    PhysicalDrive0 Model Number: SAMSUNGHM250JI, Rev: HS100-10

    Size Device Name MBR Status
    --------------------------------------------
    232 GB \\.\PhysicalDrive0 Unknown MBR code
    SHA1: D94F393960D1CD66C2071F2D7260A5196DF105AC


    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:
  13. crunchie Malware Helper Posts: 761

    Run MBRCheck again.

    When it's done you'll see the following line:
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    Press the Y key and then press Enter

    When the program asks you to Enter your choice, enter 2 and press the Enter key.

    Next the program will ask you to Enter the physical disk number to fix (0-99, -1 to cancel):
    Enter 0 (zero) and press the Enter key.

    Next the program will show Available MBR codes:, followed by a list of operating systems.
    Please enter 3 for Windows Vista, and then press Enter.

    Next the program will prompt for confirmation.
    Type YES and hit Enter.

    When it's done there should be a text file with the results on your desktop.
    Please copy and paste it back here.

    Then reboot and run MBRCheck again and post that log.
  14. misschievous Newcomer, in training Posts: 53

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows Vista Home Premium Edition
    Windows Information: Service Pack 2 (build 6002), 32-bit
    Base Board Manufacturer: Quanta
    BIOS Manufacturer: Hewlett-Packard
    System Manufacturer: Hewlett-Packard
    System Product Name: HP Pavilion dv9700 Notebook PC
    Logical Drives Mask: 0x0000001c

    Kernel Drivers (total 161):
    0x82435000 \SystemRoot\system32\ntkrnlpa.exe
    0x82402000 \SystemRoot\system32\hal.dll
    0x8040A000 \SystemRoot\system32\kdcom.dll
    0x80411000 \SystemRoot\system32\PSHED.dll
    0x80422000 \SystemRoot\system32\BOOTVID.dll
    0x8042A000 \SystemRoot\system32\CLFS.SYS
    0x8046B000 \SystemRoot\system32\CI.dll
    0x8054B000 \SystemRoot\system32\drivers\Wdf01000.sys
    0x805C7000 \SystemRoot\system32\drivers\WDFLDR.SYS
    0x80606000 \SystemRoot\system32\drivers\acpi.sys
    0x8064C000 \SystemRoot\system32\drivers\WMILIB.SYS
    0x80655000 \SystemRoot\system32\drivers\msisadrv.sys
    0x8065D000 \SystemRoot\system32\drivers\pci.sys
    0x80684000 \SystemRoot\System32\drivers\partmgr.sys
    0x80693000 \SystemRoot\system32\DRIVERS\compbatt.sys
    0x80696000 \SystemRoot\system32\DRIVERS\BATTC.SYS
    0x806A0000 \SystemRoot\system32\drivers\volmgr.sys
    0x806AF000 \SystemRoot\System32\drivers\volmgrx.sys
    0x806F9000 \SystemRoot\system32\drivers\pciide.sys
    0x80700000 \SystemRoot\system32\drivers\PCIIDEX.SYS
    0x8070E000 \SystemRoot\System32\drivers\mountmgr.sys
    0x8071E000 \SystemRoot\system32\drivers\atapi.sys
    0x80726000 \SystemRoot\system32\drivers\ataport.SYS
    0x80744000 \SystemRoot\system32\drivers\fltmgr.sys
    0x80776000 \SystemRoot\system32\drivers\fileinfo.sys
    0x80786000 \SystemRoot\System32\Drivers\ksecdd.sys
    0x82A0D000 \SystemRoot\system32\drivers\ndis.sys
    0x82B18000 \SystemRoot\system32\drivers\msrpc.sys
    0x82B43000 \SystemRoot\system32\drivers\NETIO.SYS
    0x8A204000 \SystemRoot\System32\drivers\tcpip.sys
    0x8A2EE000 \SystemRoot\System32\drivers\fwpkclnt.sys
    0x8A400000 \SystemRoot\System32\Drivers\Ntfs.sys
    0x8A510000 \SystemRoot\system32\drivers\wd.sys
    0x8A518000 \SystemRoot\system32\drivers\volsnap.sys
    0x8A551000 \SystemRoot\System32\Drivers\spldr.sys
    0x8A559000 \SystemRoot\System32\Drivers\mup.sys
    0x8A568000 \SystemRoot\System32\drivers\ecache.sys
    0x8A58F000 \SystemRoot\system32\drivers\disk.sys
    0x8A5A0000 \SystemRoot\system32\drivers\CLASSPNP.SYS
    0x8A5C1000 \SystemRoot\system32\drivers\crcdisk.sys
    0x8A5EA000 \SystemRoot\system32\DRIVERS\tunnel.sys
    0x8A5F5000 \SystemRoot\system32\DRIVERS\tunmp.sys
    0x8A309000 \SystemRoot\system32\DRIVERS\amdk8.sys
    0x8A319000 \SystemRoot\system32\DRIVERS\CmBatt.sys
    0x8A5FE000 \SystemRoot\system32\DRIVERS\HpqRemHid.sys
    0x8A31D000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    0x8A32D000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    0x8A334000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
    0x8A33D000 \SystemRoot\system32\DRIVERS\nvsmu.sys
    0x8A340000 \SystemRoot\system32\DRIVERS\usbohci.sys
    0x8A34A000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0x8A388000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0x8A397000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0x8A3AF000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
    0x8DE01000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0x8DE8E000 \SystemRoot\system32\DRIVERS\ohci1394.sys
    0x8DE9E000 \SystemRoot\system32\DRIVERS\1394BUS.SYS
    0x8DEAC000 \SystemRoot\system32\DRIVERS\sdbus.sys
    0x8DEC6000 \SystemRoot\system32\DRIVERS\rimmptsk.sys
    0x8DED5000 \SystemRoot\system32\DRIVERS\rimsptsk.sys
    0x8DEE9000 \SystemRoot\system32\DRIVERS\rixdptsk.sys
    0x8E40F000 \SystemRoot\system32\DRIVERS\nvmfdx32.sys
    0x8E20F000 \SystemRoot\system32\DRIVERS\bcmwl6.sys
    0x8E602000 \SystemRoot\system32\DRIVERS\nvlddmkm.sys
    0x8ED44000 \SystemRoot\System32\drivers\dxgkrnl.sys
    0x8EDE5000 \SystemRoot\System32\drivers\watchdog.sys
    0x8E311000 \SystemRoot\system32\DRIVERS\i8042prt.sys
    0x8EDF1000 \SystemRoot\system32\DRIVERS\HpqKbFiltr.sys
    0x8E324000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0x8E32F000 \SystemRoot\system32\DRIVERS\SynTP.sys
    0x8EDF6000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0x8E35D000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0x8E368000 \SystemRoot\system32\DRIVERS\msiscsi.sys
    0x8E397000 \SystemRoot\system32\DRIVERS\storport.sys
    0x8E3D8000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0x8E3E3000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0x8E200000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0x8E510000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0x8E533000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0x8E542000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0x8E556000 \SystemRoot\system32\DRIVERS\rassstp.sys
    0x8E56B000 \SystemRoot\system32\DRIVERS\termdd.sys
    0x8EDF8000 \SystemRoot\system32\DRIVERS\swenum.sys
    0x8E57B000 \SystemRoot\system32\DRIVERS\ks.sys
    0x8E5A5000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0x8E5AF000 \SystemRoot\system32\DRIVERS\umbus.sys
    0x8E5BC000 \SystemRoot\system32\DRIVERS\kbdhid.sys
    0x8E5C5000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0x8DF3A000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0x8DF4B000 \SystemRoot\system32\drivers\CHDART.sys
    0x8DF7B000 \SystemRoot\system32\drivers\portcls.sys
    0x8DFA8000 \SystemRoot\system32\drivers\drmk.sys
    0x8A3B2000 \SystemRoot\system32\DRIVERS\HSXHWAZL.sys
    0x8F80A000 \SystemRoot\system32\DRIVERS\HSX_DPV.sys
    0x8F90D000 \SystemRoot\system32\DRIVERS\HSX_CNXT.sys
    0x8F9C2000 \SystemRoot\system32\drivers\modem.sys
    0x8F9D8000 \SystemRoot\system32\DRIVERS\usbccgp.sys
    0x8E400000 \SystemRoot\system32\DRIVERS\usbscan.sys
    0x8F800000 \SystemRoot\system32\DRIVERS\usbprint.sys
    0x8DFCD000 \SystemRoot\system32\DRIVERS\dot4usb.sys
    0x8DFDA000 \SystemRoot\system32\DRIVERS\Dot4.sys
    0x82B7E000 \SystemRoot\System32\Drivers\usbvideo.sys
    0x8F9F7000 \SystemRoot\system32\DRIVERS\Dot4Prt.sys
    0x82B9F000 \SystemRoot\system32\DRIVERS\mozy.sys
    0x8A3F0000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0x8A3F9000 \SystemRoot\System32\Drivers\Null.SYS
    0x82BB2000 \SystemRoot\System32\Drivers\Beep.SYS
    0x82BB9000 \SystemRoot\System32\drivers\vga.sys
    0x82BC5000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
    0x82BE6000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0x82BEE000 \SystemRoot\system32\drivers\rdpencdd.sys
    0x82A00000 \SystemRoot\System32\Drivers\Msfs.SYS
    0x805D4000 \SystemRoot\System32\Drivers\Npfs.SYS
    0x82BF6000 \SystemRoot\System32\DRIVERS\rasacd.sys
    0x805E2000 \SystemRoot\system32\DRIVERS\tdx.sys
    0x9000C000 \SystemRoot\system32\DRIVERS\smb.sys
    0x90020000 \SystemRoot\system32\drivers\afd.sys
    0x90068000 \SystemRoot\System32\DRIVERS\netbt.sys
    0x9009A000 \SystemRoot\system32\DRIVERS\pacer.sys
    0x900B0000 \SystemRoot\system32\DRIVERS\netbios.sys
    0x900BE000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0x900D1000 \SystemRoot\system32\DRIVERS\ssmdrv.sys
    0x900D7000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0x90113000 \SystemRoot\system32\drivers\nsiproxy.sys
    0x9011D000 \SystemRoot\System32\Drivers\dfsc.sys
    0x90134000 \SystemRoot\system32\DRIVERS\avipbb.sys
    0x90156000 \SystemRoot\System32\Drivers\crashdmp.sys
    0x90163000 \SystemRoot\System32\Drivers\dump_dumpata.sys
    0x9016E000 \SystemRoot\System32\Drivers\dump_atapi.sys
    0x95610000 \SystemRoot\System32\win32k.sys
    0x90176000 \SystemRoot\System32\drivers\Dxapi.sys
    0x90180000 \SystemRoot\system32\DRIVERS\monitor.sys
    0x95830000 \SystemRoot\System32\TSDDD.dll
    0x95850000 \SystemRoot\System32\cdd.dll
    0x9018F000 \SystemRoot\system32\drivers\luafv.sys
    0x901AA000 \SystemRoot\system32\DRIVERS\avgntflt.sys
    0xA1C01000 \SystemRoot\system32\drivers\spsys.sys
    0xA1CB1000 \SystemRoot\system32\DRIVERS\lltdio.sys
    0xA1CC1000 \SystemRoot\system32\DRIVERS\nwifi.sys
    0xA1CEB000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0xA1CF5000 \SystemRoot\system32\DRIVERS\rspndr.sys
    0xA1D08000 \SystemRoot\system32\drivers\HTTP.sys
    0xA1D75000 \SystemRoot\System32\DRIVERS\srvnet.sys
    0xA1D92000 \SystemRoot\system32\DRIVERS\bowser.sys
    0xA1DAB000 \SystemRoot\System32\drivers\mpsdrv.sys
    0xA1DC0000 \SystemRoot\system32\drivers\mrxdav.sys
    0xA1DE1000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0x901C7000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
    0x8A5CA000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
    0xA2C03000 \SystemRoot\System32\DRIVERS\srv2.sys
    0xA2C2B000 \SystemRoot\System32\DRIVERS\srv.sys
    0xA2C91000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
    0xA2C95000 \SystemRoot\system32\drivers\peauth.sys
    0xA2D73000 \??\C:\Windows\system32\drivers\pmemnt.sys
    0xA2D75000 \SystemRoot\System32\Drivers\secdrv.SYS
    0xA2D7F000 \SystemRoot\System32\drivers\tcpipreg.sys
    0xA2D8B000 \SystemRoot\system32\DRIVERS\xaudio.sys
    0xA2D93000 \SystemRoot\system32\DRIVERS\cdfs.sys
    0xA2DAB000 \SystemRoot\system32\DRIVERS\hidusb.sys
    0xA2DB4000 \SystemRoot\system32\DRIVERS\mouhid.sys
    0x77010000 \Windows\System32\ntdll.dll

    Processes (total 75):
    0 System Idle Process
    4 System
    432 C:\Windows\System32\smss.exe
    500 csrss.exe
    552 C:\Windows\System32\wininit.exe
    560 csrss.exe
    596 C:\Windows\System32\services.exe
    612 C:\Windows\System32\lsass.exe
    620 C:\Windows\System32\lsm.exe
    644 C:\Windows\System32\winlogon.exe
    800 C:\Windows\System32\svchost.exe
    868 C:\Windows\System32\nvvsvc.exe
    900 C:\Windows\System32\svchost.exe
    1000 C:\Windows\System32\svchost.exe
    1032 C:\Windows\System32\svchost.exe
    1064 C:\Windows\System32\svchost.exe
    1212 C:\Windows\System32\audiodg.exe
    1236 C:\Windows\System32\svchost.exe
    1292 C:\Windows\System32\SLsvc.exe
    1336 C:\Windows\System32\rundll32.exe
    1364 C:\Windows\System32\svchost.exe
    1484 C:\Windows\System32\svchost.exe
    1668 C:\Windows\System32\wlanext.exe
    1712 C:\Windows\System32\spoolsv.exe
    1720 C:\Windows\System32\taskeng.exe
    1760 C:\Program Files\Avira\AntiVir Desktop\sched.exe
    1788 C:\Windows\System32\svchost.exe
    1856 C:\Windows\System32\rundll32.exe
    680 C:\Windows\System32\dwm.exe
    1164 C:\Windows\explorer.exe
    700 C:\Windows\System32\taskeng.exe
    2128 C:\Program Files\Synaptics\SynTP\SynTPStart.exe
    2136 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    2164 C:\Windows\System32\rundll32.exe
    2412 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    2468 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    2480 C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    2524 C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    2552 C:\Windows\ehome\ehtray.exe
    2568 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    2592 C:\Program Files\Windows Sidebar\sidebar.exe
    2608 C:\Program Files\Bonjour\mDNSResponder.exe
    2628 C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    2692 C:\Windows\System32\svchost.exe
    2804 C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    2816 C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    2860 C:\Windows\System32\spool\drivers\w32x86\3\lxdiserv.exe
    2900 C:\Windows\System32\lxdicoms.exe
    2956 C:\Program Files\Common Files\microsoft shared\VS7DEBUG\MDM.EXE
    2992 C:\Windows\ehome\ehmsas.exe
    3020 C:\Program Files\MozyHome\mozybackup.exe
    3080 C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
    3116 C:\Windows\System32\svchost.exe
    3168 C:\Windows\System32\svchost.exe
    3224 C:\Windows\System32\svchost.exe
    3268 C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
    3628 C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    3652 C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    3696 C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
    3732 C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    3832 C:\Windows\System32\svchost.exe
    3852 C:\Program Files\MozyHome\mozybackup.exe
    3908 C:\Windows\System32\svchost.exe
    3988 C:\Windows\System32\SearchIndexer.exe
    4076 C:\Windows\System32\drivers\XAudio.exe
    792 C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
    4240 C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
    4292 C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
    4888 C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
    5580 C:\Program Files\Avira\AntiVir Desktop\avscan.exe
    5792 C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Service.exe
    5228 C:\Program Files\Internet Explorer\iexplore.exe
    4500 C:\Program Files\Internet Explorer\iexplore.exe
    4512 C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
    5968 C:\Users\owner\Desktop\Trojan\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
    \\.\D: --> \\.\PhysicalDrive0 at offset 0x00000037`3db0da00 (NTFS)

    PhysicalDrive0 Model Number: SAMSUNGHM250JI, Rev: HS100-10

    Size Device Name MBR Status
    --------------------------------------------
    232 GB \\.\PhysicalDrive0 Unknown MBR code
    SHA1: D94F393960D1CD66C2071F2D7260A5196DF105AC


    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    Options:
    [1] Dump the MBR of a physical disk to file.
    [2] Restore the MBR of a physical disk with a standard boot code.
    [3] Exit.

    Enter your choice: Enter the physical disk number to fix (0-99, -1 to cancel): 0Available MBR codes:
    [ 0] Default (Windows Vista)
    [ 1] Windows XP
    [ 2] Windows Server 2003
    [ 3] Windows Vista
    [ 4] Windows 2008
    [ 5] Windows 7
    [-1] Cancel

    Please select the MBR code to write to this drive: 3
    Do you want to fix the MBR code? Type 'YES' and hit ENTER to continue: yes
    Successfully wrote new MBR code!
    Please reboot your computer to complete the fix.


    Done!
  15. misschievous Newcomer, in training Posts: 53

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows Vista Home Premium Edition
    Windows Information: Service Pack 2 (build 6002), 32-bit
    Base Board Manufacturer: Quanta
    BIOS Manufacturer: Hewlett-Packard
    System Manufacturer: Hewlett-Packard
    System Product Name: HP Pavilion dv9700 Notebook PC
    Logical Drives Mask: 0x0000001c

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
    \\.\D: --> \\.\PhysicalDrive0 at offset 0x00000037`3db0da00 (NTFS)

    Size Device Name MBR Status
    --------------------------------------------
    232 GB \\.\PhysicalDrive0 Unknown MBR code
    SHA1: D94F393960D1CD66C2071F2D7260A5196DF105AC

    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:
  16. crunchie Malware Helper Posts: 761

    The repair did not work so we will have to try something else.

    Please download NTBR by noahdfear and save it to your Desktop.
    File size: 2.44 MB (2,565,432 bytes)

    • Place a blank CD in your CD drive.
    • Double click on the NTBR_CD.exe file and a folder of the same name will appear.
    • Open the folder and double click on the BurnItCD.cmd file. If your CD drive opens, simply close it again.
    • Follow the prompts to burn the CD.
    • Now you will need to set the CD-ROM as the first boot device if it isn't already (if you don't know how to do it, see HERE).
    • If you have any questions about this step, ask before you proceed. If you enter the BIOS and are unsure if you have carried out the step correctly, there should be an option to exit without keeping changes, so you won't do any harm.
    • Insert the newly created CD into your infected PC and reboot your computer.
    • Once you have rebooted, please press Enter when prompted to continue booting from CD - you have a whole 15 seconds to do this!
    • Read the warning and then continue as prompted.
    • You first need to select your keyboard layout - press Enter for English.
    • Next you want to select the appropriate tool. Enter 1 to choose 1. MBRWORK
    • On the following screen enter 5 to select Install Standard MBR code.
    • Enter 1 to overwrite the infected MBR Code with the Standard MBR code.
    • When asked to confirm please do so.
    • Afterwards, please enter E to leave MBRWORK, then 6 to leave the bootable CD.
    • Eject the disc and then press ctrl+alt+del to reboot the PC.
    Once rebooted, run MBRCheck again and post its log.
  17. misschievous Newcomer, in training Posts: 53

    OK ... for the second time MBR will not allow me to right click or highlight and copy. So I will just retype it ...

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows Vista Home Premium Edition
    Windows Information: Service Pack 2 (build 6002), 32-bit
    Base Board Manufacturer: Quanta
    BIOS Manufacturer: Hewlett-Packard
    System Manufacturer: Hewlett-Packard
    System Product Name: HP Pavilion dv9700 Notebook PC
    Logical Drives Mask: 0x0000001c

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
    \\.\D: --> \\.\PhysicalDrive0 at offset 0x00000037`3db0da00 (NTFS)

    Size Device Name MBR Status
    --------------------------------------------
    232 GB \\.\PhysicalDrive0 Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A

    Done!
    Press Enter to exit...
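    The status column in these logs ("Unknown MBR code" at first, "Windows XP MBR code detected" once standard code had been written from the boot CD) comes down to hashing the 440-byte code area of the first sector and looking the SHA-1 up against known-good values, while the partition table that gives the C: and D: offsets is untouched. Below is an added Python example, not part of the thread or of MBRCheck, that parses a constructed 512-byte MBR, hashes its code area and classifies it the same way; the boot code pattern, disk signature and known-good table are all constructed for the demo, and the partition offsets are taken from the log above.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440           # code area; 440-443 disk signature, 444-445 reserved
PART_TABLE_OFF = 446
PART_ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, LBA count
BOOT_SIGNATURE = b"\x55\xAA"


def build_mbr(boot_code, disk_signature, partitions):
    """Assemble a 512-byte MBR from a code blob and (status, type, lba_start, lba_count) tuples."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code longer than 440 bytes")
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<IH", sector, BOOT_CODE_LEN, disk_signature, 0)
    for i, (status, ptype, lba_start, lba_count) in enumerate(partitions[:4]):
        # CHS fields stay zero: the LBA fields are what matters on a modern disk.
        struct.pack_into(PART_ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i,
                         status, b"\0\0\0", ptype, b"\0\0\0", lba_start, lba_count)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def parse_mbr(sector):
    """Split one sector into code hash, disk signature and non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        status, _, ptype, _, lba_start, lba_count = struct.unpack_from(
            PART_ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i)
        if ptype == 0:
            continue
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "lba_count": lba_count,
                           "byte_offset": lba_start * SECTOR_SIZE})
    return {"boot_code_sha1": hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest().upper(),
            "disk_signature": struct.unpack_from("<I", sector, BOOT_CODE_LEN)[0],
            "partitions": partitions}


def classify_mbr(sector, known_good):
    """Status column as in the log: a known hash names its OS, anything else is unknown."""
    name = known_good.get(parse_mbr(sector)["boot_code_sha1"])
    return f"{name} MBR code detected" if name else "Unknown MBR code"


# Constructed stand-in for a standard boot sector's code area. It is NOT real
# Microsoft boot code, just a deterministic 440-byte pattern for the demo.
STANDARD_CODE = bytes((i * 7 + 3) & 0xFF for i in range(BOOT_CODE_LEN))
# Tampered variant: same layout and partition table, different code area.
HIJACKED_CODE = STANDARD_CODE[:64] + b"\x90" * 16 + STANDARD_CODE[80:]

# Partition table matching the volume offsets in the thread's MBRCheck logs:
# C: at byte 0x7E00 = LBA 63, D: at byte 0x373DB0DA00 = LBA 0x1B9ED86D.
PARTITIONS = [
    (0x80, 0x07, 63, 0x1B9ED86D - 63),        # bootable NTFS, runs up to D:
    (0x00, 0x07, 0x1B9ED86D, 0x00100000),      # D: (size constructed)
]
DISK_SIGNATURE = 0x1234ABCD                    # constructed

STANDARD_MBR = build_mbr(STANDARD_CODE, DISK_SIGNATURE, PARTITIONS)
HIJACKED_MBR = build_mbr(HIJACKED_CODE, DISK_SIGNATURE, PARTITIONS)

# Known-good table keyed by SHA-1 of the code area. Constructed here from the
# sample above; a real table is built from hashes of verified clean installs.
KNOWN_GOOD = {parse_mbr(STANDARD_MBR)["boot_code_sha1"]: "Windows Vista"}


def report(sector, known_good=KNOWN_GOOD):
    """One MBRCheck-style summary: status, SHA-1 and the partition offsets."""
    info = parse_mbr(sector)
    lines = [f"{classify_mbr(sector, known_good)}  SHA1: {info['boot_code_sha1']}"]
    for p in info["partitions"]:
        lines.append(f"  partition {p['index']}: type 0x{p['type']:02X} "
                     f"LBA {p['lba_start']} -> byte offset 0x{p['byte_offset']:X}")
    return "\n".join(lines)


if __name__ == "__main__":
    for label, mbr in (("clean", STANDARD_MBR), ("tampered", HIJACKED_MBR)):
        print(f"[{label}]\n{report(mbr)}")
```

    The tampered sector reports "Unknown MBR code" while its partition entries parse identically to the clean one, which is why an infected MBR still boots and mounts C: and D: normally and only the hash gives it away.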
  18. misschievous Newcomer, in training Posts: 53

    Actually ... let me clarify ...

    I was merely stating that this is the second time it would not allow me to copy ...

    On review it looks like I was being a smart@ss with "for the second time", and that wasn't the intent.
  19. crunchie Malware Helper Posts: 761

    :).

    That MBR looks ok now.

    How are things looking?
  20. misschievous Newcomer, in training Posts: 53

    Still have multiple iexplorers opening and redirects.

    To be clearer ... for each iexplorer window (not tabs) there are two iexplorer processes running in Task Manager.
