Inactive [A] Windows 7/Vista Antivirus 2012 - Rootkit/Malware


Piecake

I have a rootkit/malware in the form of a fake antivirus. It's been jumping around on my local network and I'm working to clean up the last remaining copies of it. Logs are attached. I appreciate your assistance and the service provided here.

--------
MBAM Log:
Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 911122102

Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

12/21/2011 2:39:39 PM
mbam-log-2011-12-21 (14-39-39).txt

Scan type: Quick scan
Objects scanned: 168070
Time elapsed: 7 minute(s), 0 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
c:\Windows\Temp\_ex-68.exe (Heuristics.Shuriken) -> 2880 -> Unloaded process successfully.
c:\Windows\Temp\_ex-08.exe (Trojan.FakeAlert) -> 3596 -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MozillaAgent (Heuristics.Shuriken) -> Value: MozillaAgent -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\Temp\_ex-68.exe (Heuristics.Shuriken) -> Quarantined and deleted successfully.
c:\Windows\Temp\_ex-08.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Windows\Temp\xrhuup\setup.exe (Heuristics.Shuriken) -> Quarantined and deleted successfully.
--------

GMER Log:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-12-21 16:05:36
Windows 6.0.6001 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-5 SAMSUNG_HM251JI rev.2SS00_03
Running: fpion0sx.exe; Driver: C:\Users\sshado\AppData\Local\Temp\pxdiqpow.sys


---- System - GMER 1.0.15 ----

Code 9111EBFC ZwTraceEvent
Code 9111EBFB NtTraceEvent

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!NtTraceEvent 81E7C841 5 Bytes JMP 9111EC00
? System32\drivers\ctqtflkh.sys The system cannot find the path specified. !
.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8BE06340, 0x3EA427, 0xE8000020]
.text smb.sys 8FD8C000 17 Bytes [00, 00, 00, 00, 00, 00, 33, ...]
.text smb.sys 8FD8C012 50 Bytes [55, 8B, EC, 8B, 45, 08, 8B, ...]
.text smb.sys 8FD8C045 64 Bytes [CC, CC, CC, CC, CC, 8B, FF, ...]
.text smb.sys 8FD8C086 40 Bytes [F0, 0F, C1, 11, 8D, 48, 0C, ...]
.text smb.sys 8FD8C0AF 4 Bytes [68, 00, 01, 00]
.text ...
? C:\Windows\system32\DRIVERS\smb.sys suspicious PE modification

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[1064] ntdll.dll!NtProtectVirtualMemory 76F68968 5 Bytes JMP 0096000A
.text C:\Windows\system32\svchost.exe[1064] ntdll.dll!NtWriteVirtualMemory 76F692A8 5 Bytes JMP 009B000A
.text C:\Windows\system32\svchost.exe[1064] ntdll.dll!KiUserExceptionDispatcher 76F699E8 5 Bytes JMP 008A000A

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

---- Files - GMER 1.0.15 ----

File C:\Windows\$NtUninstallKB58722$\1680112346 0 bytes
File C:\Windows\$NtUninstallKB58722$\743819575 0 bytes
File C:\Windows\$NtUninstallKB58722$\743819575\@ 2048 bytes
File C:\Windows\$NtUninstallKB58722$\743819575\bckfg.tmp 794 bytes
File C:\Windows\$NtUninstallKB58722$\743819575\cfg.ini 208 bytes
File C:\Windows\$NtUninstallKB58722$\743819575\Desktop.ini 4608 bytes
File C:\Windows\$NtUninstallKB58722$\743819575\keywords 13 bytes
File C:\Windows\$NtUninstallKB58722$\743819575\kwrd.dll 223744 bytes
File C:\Windows\$NtUninstallKB58722$\743819575\L 0 bytes
File C:\Windows\$NtUninstallKB58722$\743819575\L\qnbwvoto 66560 bytes
File C:\Windows\$NtUninstallKB58722$\743819575\lsflt7.ver 5176 bytes
File C:\Windows\$NtUninstallKB58722$\743819575\U 0 bytes
File C:\Windows\$NtUninstallKB58722$\743819575\U\00000001.@ 1536 bytes
File C:\Windows\$NtUninstallKB58722$\743819575\U\00000002.@ 224768 bytes
File C:\Windows\$NtUninstallKB58722$\743819575\U\00000004.@ 1024 bytes
File C:\Windows\$NtUninstallKB58722$\743819575\U\80000000.@ 11264 bytes
File C:\Windows\$NtUninstallKB58722$\743819575\U\80000004.@ 12800 bytes
File C:\Windows\$NtUninstallKB58722$\743819575\U\80000032.@ 97792 bytes

---- EOF - GMER 1.0.15 ----


--------

DDS Post & Attach Logs:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_22
Run by sshado at 16:06:58 on 2011-12-21
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1790.807 [GMT -5:00]
.
AV: Norton Internet Security *Disabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Internet Security *Disabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
FW: Norton Internet Security *Disabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SMINST\BLService.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\CPUID\HWMonitor\HWMonitor.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\System32\ping.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\16.0.0.125\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\16.0.0.125\IPSBHO.DLL
BHO: Microsoft Live Search Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0541.0\msneshellx.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\16.0.0.125\coIEPlg.dll
TB: Microsoft Live Search Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0541.0\msneshellx.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
uRun: [SandboxieControl] "c:\program files\sandboxie\SbieCtrl.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\users\sshado\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
uPolicies-explorer: HideSCAHealth = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
TCP: Interfaces\{BAD71EF5-C6C9-4F43-B390-21FA9E6D5E6B} : NameServer = 68.87.73.246,68.87.71.230
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\sshado\appdata\roaming\mozilla\firefox\profiles\jqaicke8.default\
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - plugin: c:\users\sshado\appdata\locallow\unity\webplayer\loader\npUnity3D32.dll
.
============= SERVICES / DRIVERS ===============
.
R2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [2011-12-19 21992]
R2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\sminst\BLService.exe [2008-10-25 365952]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2008-5-9 43040]
R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2011-11-23 131856]
S3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2008-10-25 193840]
S4 Norton Internet Security;Norton Internet Security;c:\program files\norton internet security\engine\16.0.0.125\ccSvcHst.exe [2008-10-25 115560]
.
=============== Created Last 30 ================
.
2011-12-21 19:40:03 -------- d-----w- C:\logs
2011-12-21 05:27:15 -------- d-----w- c:\users\sshado\appdata\roaming\OpenOffice.org
2011-12-21 04:19:01 -------- d-----w- c:\users\sshado\appdata\roaming\Malwarebytes
2011-12-21 04:18:09 -------- d-----w- c:\programdata\Malwarebytes
2011-12-21 04:18:04 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-21 04:18:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-21 04:13:54 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-12-21 04:13:53 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2011-12-21 04:13:53 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
2011-12-21 04:13:53 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2011-12-21 04:13:53 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2011-12-21 04:13:16 -------- d-----w- C:\lol
2011-12-21 03:47:40 -------- d-----r- C:\Sandbox
2011-12-21 03:46:18 -------- d-----w- c:\program files\Sandboxie
2011-12-20 21:43:45 -------- d-----w- c:\users\sshado\appdata\local\BIT.TRIP RUNNER
2011-12-20 21:43:30 444952 ----a-w- c:\windows\system32\wrap_oal.dll
2011-12-20 21:43:30 109080 ----a-w- c:\windows\system32\OpenAL32.dll
2011-12-20 21:43:30 -------- d-----w- c:\program files\OpenAL
2011-12-20 21:43:24 -------- d--h--w- c:\windows\msdownld.tmp
2011-12-20 21:43:23 -------- d-----w- c:\windows\system32\directx
2011-12-20 21:41:35 -------- d-----w- c:\users\sshado\appdata\roaming\Nicalis
2011-12-20 20:02:34 -------- d-----w- c:\users\sshado\appdata\roaming\Unity
2011-12-20 19:58:02 -------- d-----w- c:\users\sshado\appdata\local\Unity
2011-12-20 05:15:15 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-20 03:46:40 -------- d-----w- c:\program files\OpenOffice.org 3
2011-12-20 03:44:32 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-12-20 02:39:09 21992 ----a-w- c:\windows\system32\drivers\cpuz135_x32.sys
2011-12-20 02:39:09 -------- d-----w- c:\program files\CPUID
2011-12-20 01:28:07 -------- d-----w- c:\windows\pss
2011-12-19 21:37:50 -------- d-----w- c:\program files\lol
2011-12-19 21:09:39 -------- d-----w- c:\users\sshado\appdata\local\PMB Files
2011-12-19 21:09:38 -------- d-----w- c:\programdata\PMB Files
2011-12-19 21:09:33 -------- d-----w- c:\program files\Pando Networks
2011-12-19 14:59:58 -------- d-----w- c:\program files\common files\Steam
2011-12-19 14:59:55 -------- d-----w- c:\program files\Steam
2011-12-19 14:02:43 -------- d-----w- c:\program files\uTorrent
2011-12-19 14:01:50 -------- d-----w- c:\users\sshado\appdata\roaming\uTorrent
2011-12-19 01:38:39 -------- d-sh--w- C:\$RECYCLE.BIN
2011-12-19 01:35:30 -------- d-----w- c:\program files\muvee Technologies
2011-12-19 01:35:20 -------- d-----w- c:\program files\common files\muvee Technologies
2011-12-19 01:31:16 82432 ----a-w- c:\windows\system32\msxml4r.dll
2011-12-19 01:31:16 44544 ----a-w- c:\windows\system32\msxml4a.dll
2011-12-19 01:31:16 1233920 ----a-w- c:\windows\system32\msxml4.dll
2011-12-19 01:30:50 89088 ------w- c:\windows\system32\atl71.dll
2011-12-19 01:30:46 77824 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\ctor.dll
2011-12-19 01:30:46 32768 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\objectps.dll
2011-12-19 01:30:46 225280 ----a-w- c:\program files\common files\installshield\iscript\iscript.dll
2011-12-19 01:30:46 176128 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\iuser.dll
2011-12-19 01:30:45 610436 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\IKernel.exe
2011-12-19 01:27:32 6416928 ----a-w- c:\windows\system\DriveIcon.dll
2011-12-19 01:27:32 61952 ----a-w- c:\windows\system32\drivers\RTSTOR.sys
2011-12-19 01:26:20 -------- d-----w- c:\program files\NetWaiting
2011-12-19 01:26:04 -------- d-----w- c:\program files\CONEXANT
2011-12-19 01:25:03 -------- d-----w- c:\program files\Synaptics
2011-12-19 01:24:33 768544 ----a-w- c:\windows\system32\nvcplui.exe
2011-12-19 01:24:33 420384 ----a-w- c:\windows\system32\nvcpl.cpl
2011-12-19 01:24:33 313888 ----a-w- c:\windows\system32\nvexpbar.dll
2011-12-19 01:24:33 1079840 ----a-w- c:\windows\system32\nvcpluir.dll
2011-12-19 01:23:00 3948 ----a-w- c:\windows\system32\drivers\nvphy.bin
2011-12-19 01:22:46 442368 ----a-w- c:\windows\system32\nvusmb.exe
2011-12-19 01:22:40 446464 ----a-w- c:\windows\system32\NVUNINST.EXE
2011-12-19 01:21:32 909824 ----a-w- c:\windows\system32\drivers\athr.sys
2011-12-19 01:21:32 53248 ----a-w- c:\windows\system32\athihvui.dll
2011-12-19 01:21:32 393216 ----a-w- c:\windows\system32\athihvs.dll
2011-12-19 01:21:32 376832 ----a-w- c:\windows\system32\S64CPA.exe
2011-12-19 01:21:32 -------- d-----w- c:\windows\system32\nn-NO
2011-12-19 01:21:21 -------- d-----w- c:\program files\Atheros
2011-12-19 01:21:20 -------- d-----w- c:\program files\Cisco
2011-12-19 01:21:17 -------- d-----w- c:\programdata\Atheros
2011-12-19 01:20:51 3601976 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-12-19 01:20:51 3549752 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-12-18 22:49:38 -------- d-----w- c:\users\sshado\appdata\local\Hewlett-Packard
2011-12-18 22:46:02 -------- d-----w- c:\users\sshado\appdata\roaming\HP TCS
.
==================== Find3M ====================
.
2011-12-19 01:31:54 505392 ----a-w- c:\windows\system32\msvcp71.dll
2011-12-19 01:31:54 353840 ----a-w- c:\windows\system32\msvcr71.dll
2011-12-19 01:31:54 1053232 ----a-w- c:\windows\system32\MFC71u.dll
2011-12-19 01:31:53 1066544 ----a-w- c:\windows\system32\MFC71.dll
.
============= FINISH: 16:07:25.01 ===============


.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 12/18/2011 8:16:53 PM
System Uptime: 12/21/2011 3:44:12 PM (1 hours ago)
.
Motherboard: Wistron | | 303C
Processor: AMD Athlon Dual-Core QL-62 | Socket A | 2000/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 203 GiB total, 160.274 GiB free.
D: is FIXED (NTFS) - 11 GiB total, 0.707 GiB free.
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP7: 12/18/2011 5:45:21 PM - First_User_Boot
RP8: 12/19/2011 9:59:38 AM - Installed Steam
RP9: 12/19/2011 10:31:05 PM - Scheduled Checkpoint
RP10: 12/19/2011 10:41:48 PM - Installed Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
RP11: 12/19/2011 10:44:04 PM - Installed Java(TM) 6 Update 22
RP12: 12/19/2011 10:44:47 PM - Installed OpenOffice.org 3.3
RP13: 12/19/2011 10:46:17 PM - Installed OpenOffice.org 3.3
RP15: 12/20/2011 3:38:47 PM - Installed DirectX
.
==== Installed Programs ======================
.
µTorrent
7-Zip 9.20
Acrobat.com
Activation Assistant for the 2007 Microsoft Office suites
ActiveCheck component for HP Active Support Library
Adobe AIR
Adobe Flash Player 11 Plugin
Adobe Flash Player ActiveX
Adobe Reader 9
Adobe Shockwave Player
Atheros Driver Installation Program
BIT.TRIP RUNNER
Cisco EAP-FAST Module
Cisco LEAP Module
Cisco PEAP Module
Compatibility Pack for the 2007 Office system
Conexant HD Audio
CPUID HWMonitor 1.18
CyberLink DVD Suite
ESU for Microsoft Vista
HDAUDIO Soft Data Fax Modem with SmartCP
HP Active Support Library
HP Customer Experience Enhancements
HP Doc Viewer
HP DVD Play 3.7
HP Help and Support
HP Quick Launch Buttons 6.40 H2
HP Total Care Advisor
HP Update
HP User Guides 0118
HP Wireless Assistant
HPAsset component for HP Active Support Library
HPNetworkAssistant
HPTCSSetup
Jamestown
Java Auto Updater
Java(TM) 6 Update 22
Java(TM) 6 Update 7
Juno Preloader
LabelPrint
Malwarebytes' Anti-Malware version 1.51.2.1300
Microsoft Live Search Toolbar
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
Microsoft Works
Mozilla Firefox 8.0.1 (x86 en-US)
muvee Reveal
My HP Games
NetWaiting
NetZero Preloader
NightSky
Norton Internet Security
NVIDIA Drivers
OpenAL
OpenOffice.org 3.3
Pando Media Booster
Power2Go
PowerDirector
Realtek USB 2.0 Card Reader
Sandboxie 3.62 (32-bit)
Shank
SPORE Creature Creator Trial Edition
Steam
Synaptics Pointing Device Driver
Unity Web Player
Update for Office 2007 (KB934528)
.
==== Event Viewer Messages From Past Week ========
.
12/21/2011 3:44:48 PM, Error: EventLog [6008] - The previous system shutdown at 2:49:36 PM on 12/21/2011 was unexpected.
12/20/2011 2:51:58 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: MegaSR
12/20/2011 2:51:58 PM, Error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
12/20/2011 2:50:29 PM, Error: EventLog [6008] - The previous system shutdown at 1:49:39 AM on 12/20/2011 was unexpected.
12/20/2011 11:11:48 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: spldr SRTSP SRTSPX Wanarpv6
12/20/2011 11:11:48 PM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
12/20/2011 11:11:42 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
12/20/2011 11:11:41 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
12/20/2011 11:11:38 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}
12/20/2011 11:11:36 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
12/20/2011 11:11:29 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
12/20/2011 11:10:43 PM, Error: Microsoft-Windows-WLAN-AutoConfig [10000] - WLAN Extensibility Module has failed to start. Module Path: C:\Windows\system32\athihvs.dll Error Code: 21
12/20/2011 10:58:14 PM, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.
12/20/2011 10:58:14 PM, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.
12/20/2011 10:58:14 PM, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.
12/20/2011 10:56:57 PM, Error: EventLog [6008] - The previous system shutdown at 10:54:55 PM on 12/20/2011 was unexpected.
12/19/2011 10:13:52 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Steam Client Service service to connect.
12/19/2011 10:13:52 AM, Error: Service Control Manager [7000] - The Steam Client Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
.
==== End Of File ===========================
 
Please observe the following rules:
  • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
  • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
  • Please refrain from running tools or applying updates other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer behavior, good, or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

============================================================

Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
Click the "Scan" button to start the scan.


On completion of the scan click "Save log", save it to your desktop and post it in your next reply.


NOTE. aswMBR will create an MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

==============================================================

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
    • Please do not attempt to re-connect your machine to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt"
**Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.
**Note 2 for AVG and CA Internet Security users: ComboFix will not run until AVG/CA Internet Security is uninstalled, as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them, resulting in the tool not working correctly, which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends that you uninstall AVG/CA Internet Security first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.

**Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer to fix the issue.



Make sure you re-enable your security programs when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode (How to...)

2. Delete the Combofix file, download a fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
Do NOT run it yet.

Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run, then download and try to run another one.

Vista and Win7 users need to right-click Rkill and choose Run as Administrator.

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

Rkill.com
Rkill.scr
Rkill.exe

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
Thanks!

Thank you for your assistance, Broni. The amount of work I see you put in around here is always astounding. Happy holidays!

Two logs as requested.

aswMBR version 0.9.9.1116 Copyright(c) 2011 AVAST Software
Run date: 2011-12-21 21:37:44
-----------------------------
21:37:44.246 OS Version: Windows 6.0.6001 Service Pack 1
21:37:44.246 Number of processors: 2 586 0x301
21:37:44.248 ComputerName: SSHADO-PC UserName: sshado
21:37:48.526 Initialize success
21:39:15.391 AVAST engine defs: 11122102
21:39:19.467 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-5
21:39:19.471 Disk 0 Vendor: SAMSUNG_HM251JI 2SS00_03 Size: 238475MB BusType: 3
21:39:21.568 Disk 0 MBR read successfully
21:39:21.572 Disk 0 MBR scan
21:39:21.581 Disk 0 unknown MBR code
21:39:21.619 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 208335 MB offset 63
21:39:21.698 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 11138 MB offset 465580032
21:39:21.710 Disk 0 Partition - 00 05 Extended 18998 MB offset 426670335
21:39:21.843 Disk 0 Partition 3 00 83 Linux 18159 MB offset 426670398
21:39:21.856 Disk 0 Partition - 00 05 Extended 839 MB offset 463860810
21:39:21.979 Disk 0 scanning sectors +488390656
21:39:22.404 Disk 0 scanning C:\Windows\system32\drivers
21:40:54.371 File: C:\Windows\system32\drivers\smb.sys **INFECTED** Win32:Aluroot [Rtk]
21:41:21.431 Service scanning
21:41:23.929 Modules scanning
21:43:14.794 Module: C:\Windows\system32\DRIVERS\smb.sys **SUSPICIOUS**
21:43:45.446 Disk 0 trace - called modules:
21:43:45.534 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8f696f10]<<
21:43:45.542 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85ba9968]
21:43:45.551 3 CLASSPNP.SYS[807a1745] -> nt!IofCallDriver -> [0x8f6dc658]
21:43:45.560 \Driver\00001239[0x8f634030] -> IRP_MJ_CREATE -> 0x8f696f10
21:43:47.255 AVAST engine scan C:\Windows
21:45:13.262 AVAST engine scan C:\Windows\system32
21:55:17.012 AVAST engine scan C:\Windows\system32\drivers
21:55:26.883 File: C:\Windows\system32\drivers\smb.sys **INFECTED** Win32:Aluroot [Rtk]
21:55:32.649 AVAST engine scan C:\Users\sshado
21:59:28.234 AVAST engine scan C:\ProgramData
22:02:05.470 Scan finished successfully
22:02:19.770 Disk 0 MBR has been saved successfully to "C:\Users\sshado\Desktop\MBR.dat"
22:02:19.775 The log file has been saved successfully to "C:\Users\sshado\Desktop\aswMBR.txt"


-------

Combofix:

ComboFix 11-12-24.04 - sshado 12/24/2011 13:51:00.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1790.813 [GMT -5:00]
Running from: c:\users\sshado\Desktop\ComboFix.exe
AV: Norton Internet Security *Disabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
FW: Norton Internet Security *Disabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
SP: Norton Internet Security *Disabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\install.exe
c:\program files\lol
c:\program files\lol\LeagueOfLegends\0x0409.ini
c:\program files\lol\LeagueOfLegends\data1.cab
c:\program files\lol\LeagueOfLegends\data1.hdr
c:\program files\lol\LeagueOfLegends\data2.cab
c:\program files\lol\LeagueOfLegends\ISSetup.dll
c:\program files\lol\LeagueOfLegends\layout.bin
c:\program files\lol\LeagueOfLegends\setup.exe
c:\program files\lol\LeagueOfLegends\setup.ini
c:\program files\lol\LeagueOfLegends\setup.inx
c:\program files\lol\LeagueOfLegends\setup.isn
c:\windows\$NtUninstallKB58722$\1680112346
c:\windows\$NtUninstallKB58722$\743819575\@
c:\windows\$NtUninstallKB58722$\743819575\bckfg.tmp
c:\windows\$NtUninstallKB58722$\743819575\cfg.ini
c:\windows\$NtUninstallKB58722$\743819575\Desktop.ini
c:\windows\$NtUninstallKB58722$\743819575\keywords
c:\windows\$NtUninstallKB58722$\743819575\kwrd.dll
c:\windows\$NtUninstallKB58722$\743819575\L\qnbwvoto
c:\windows\$NtUninstallKB58722$\743819575\lsflt7.ver
c:\windows\$NtUninstallKB58722$\743819575\U\00000001.@
c:\windows\$NtUninstallKB58722$\743819575\U\00000002.@
c:\windows\$NtUninstallKB58722$\743819575\U\00000004.@
c:\windows\$NtUninstallKB58722$\743819575\U\80000000.@
c:\windows\$NtUninstallKB58722$\743819575\U\80000004.@
c:\windows\$NtUninstallKB58722$\743819575\U\80000032.@
.
.
((((((((((((((((((((((((( Files Created from 2011-11-24 to 2011-12-24 )))))))))))))))))))))))))))))))
.
.
2011-12-24 19:03 . 2011-12-24 19:03 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-12-24 15:48 . 2011-12-24 15:48 29184 ----a-w- c:\windows\system32\j10emyMr.com
2011-12-24 02:18 . 2011-12-24 02:26 -------- d-----w- c:\program files\Mumble
2011-12-23 21:22 . 2011-12-23 21:22 -------- d-----w- c:\program files\Foxit Software
2011-12-23 17:43 . 2011-12-23 17:43 -------- d-----w- c:\program files\Combined Community Codec Pack
2011-12-22 18:18 . 2011-09-08 22:48 1107832 ----a-w- c:\windows\system32\Pen_Touch_Tablet.dll
2011-12-22 18:18 . 2011-09-08 22:49 10752 ----a-w- c:\windows\system32\drivers\wacmoumonitor.sys
2011-12-22 18:17 . 2011-09-08 22:49 11312 ----a-w- c:\windows\system32\drivers\wacommousefilter.sys
2011-12-22 18:15 . 2011-09-08 22:49 14120 ----a-w- c:\windows\system32\drivers\wacomvhid.sys
2011-12-22 18:15 . 2011-09-08 22:48 1156472 ----a-w- c:\windows\system32\Wintab32.dll
2011-12-22 18:15 . 2011-09-08 22:48 1152888 ----a-w- c:\windows\system32\WacomMT.dll
2011-12-22 18:15 . 2011-09-08 22:48 1369464 ----a-w- c:\windows\system32\Pen_Tablet.dll
2011-12-22 18:15 . 2011-12-22 18:18 -------- d-----w- c:\program files\Tablet
2011-12-22 18:00 . 2011-12-22 18:05 -------- d-----w- c:\program files\Heroes of Newerth
2011-12-22 01:43 . 2008-07-12 13:18 1493528 ----a-w- c:\windows\system32\D3DCompiler_39.dll
2011-12-22 01:43 . 2008-07-12 13:18 467984 ----a-w- c:\windows\system32\d3dx10_39.dll
2011-12-22 01:43 . 2008-07-12 13:18 3851784 ----a-w- c:\windows\system32\D3DX9_39.dll
2011-12-22 01:35 . 2011-12-22 01:35 -------- d-----w- C:\Riot Games
2011-12-21 19:40 . 2011-12-21 21:11 -------- d-----w- C:\logs
2011-12-21 04:18 . 2011-12-21 04:18 -------- d-----w- c:\programdata\Malwarebytes
2011-12-21 04:18 . 2011-12-21 04:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-21 04:18 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-21 04:13 . 2011-12-21 04:19 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-12-21 04:13 . 2011-12-21 04:13 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2011-12-21 04:13 . 2011-12-21 04:13 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
2011-12-21 04:13 . 2011-12-21 04:13 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2011-12-21 04:13 . 2011-12-21 04:13 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2011-12-21 04:13 . 2011-12-21 04:13 -------- d-----w- C:\lol
2011-12-21 03:47 . 2011-12-21 03:47 -------- d-----r- C:\Sandbox
2011-12-21 03:46 . 2011-12-21 03:46 -------- d-----w- c:\program files\Sandboxie
2011-12-21 03:14 . 2011-12-21 03:14 -------- d-----w- c:\windows\Sun
2011-12-20 22:52 . 2011-12-20 22:52 -------- d-----w- c:\program files\7-Zip
2011-12-20 21:43 . 2011-12-21 23:50 444952 ----a-w- c:\windows\system32\wrap_oal.dll
2011-12-20 21:43 . 2011-12-21 23:50 109080 ----a-w- c:\windows\system32\OpenAL32.dll
2011-12-20 21:43 . 2011-12-20 21:43 -------- d-----w- c:\program files\OpenAL
2011-12-20 21:43 . 2011-12-20 21:43 -------- d--h--w- c:\windows\msdownld.tmp
2011-12-20 05:15 . 2011-12-20 05:15 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-20 03:46 . 2011-12-20 03:46 -------- d-----w- c:\program files\OpenOffice.org 3
2011-12-20 03:44 . 2011-12-20 03:44 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-12-20 02:39 . 2011-12-20 02:39 -------- d-----w- c:\program files\CPUID
2011-12-20 02:39 . 2010-11-09 20:35 21992 ----a-w- c:\windows\system32\drivers\cpuz135_x32.sys
2011-12-19 21:09 . 2011-12-22 04:21 -------- d-----w- c:\programdata\PMB Files
2011-12-19 21:09 . 2011-12-19 21:09 -------- d-----w- c:\program files\Pando Networks
2011-12-19 14:59 . 2011-12-19 18:40 -------- d-----w- c:\program files\Common Files\Steam
2011-12-19 14:59 . 2011-12-24 02:34 -------- d-----w- c:\program files\Steam
2011-12-19 14:02 . 2011-12-19 14:02 -------- d-----w- c:\program files\uTorrent
2011-12-19 01:38 . 2011-12-19 01:38 -------- d-----w- c:\programdata\NVIDIA
2011-12-19 01:35 . 2011-12-19 01:35 -------- d-----w- c:\program files\muvee Technologies
2011-12-19 01:35 . 2011-12-19 01:35 -------- d-----w- c:\program files\Common Files\muvee Technologies
2011-12-19 01:31 . 2008-09-24 01:22 82432 ----a-w- c:\windows\system32\msxml4r.dll
2011-12-19 01:31 . 2008-09-24 01:22 44544 ----a-w- c:\windows\system32\msxml4a.dll
2011-12-19 01:31 . 2008-09-24 01:22 1233920 ----a-w- c:\windows\system32\msxml4.dll
2011-12-19 01:30 . 2008-09-24 01:22 89088 ------w- c:\windows\system32\atl71.dll
2011-12-19 01:30 . 2001-09-05 12:18 77824 ----a-w- c:\program files\Common Files\InstallShield\Engine\6\Intel 32\ctor.dll
2011-12-19 01:30 . 2001-09-05 12:18 225280 ----a-w- c:\program files\Common Files\InstallShield\IScript\iscript.dll
2011-12-19 01:30 . 2001-09-05 12:14 176128 ----a-w- c:\program files\Common Files\InstallShield\Engine\6\Intel 32\iuser.dll
2011-12-19 01:30 . 2001-09-05 12:13 32768 ----a-w- c:\program files\Common Files\InstallShield\Engine\6\Intel 32\objectps.dll
2011-12-19 01:30 . 2007-03-13 20:54 610436 ----a-w- c:\program files\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe
2011-12-19 01:27 . 2008-09-20 01:43 61952 ----a-w- c:\windows\system32\drivers\RTSTOR.sys
2011-12-19 01:27 . 2008-05-07 01:41 6416928 ----a-w- c:\windows\system\DriveIcon.dll
2011-12-19 01:26 . 2011-12-19 01:26 -------- d-----w- c:\program files\NetWaiting
2011-12-19 01:26 . 2011-12-19 01:27 -------- d-----w- c:\program files\CONEXANT
2011-12-19 01:25 . 2011-12-19 01:25 -------- d-----w- c:\program files\Synaptics
2011-12-19 01:24 . 2008-07-11 18:31 768544 ----a-w- c:\windows\system32\nvcplui.exe
2011-12-19 01:24 . 2008-07-11 18:31 420384 ----a-w- c:\windows\system32\nvcpl.cpl
2011-12-19 01:24 . 2008-07-11 18:31 313888 ----a-w- c:\windows\system32\nvexpbar.dll
2011-12-19 01:24 . 2008-07-11 18:31 1079840 ----a-w- c:\windows\system32\nvcpluir.dll
2011-12-19 01:23 . 2008-01-17 06:17 3948 ----a-w- c:\windows\system32\drivers\nvphy.bin
2011-12-19 01:22 . 2008-01-10 14:30 442368 ----a-w- c:\windows\system32\nvusmb.exe
2011-12-19 01:22 . 2008-07-11 23:44 446464 ----a-w- c:\windows\system32\NVUNINST.EXE
2011-12-19 01:21 . 2011-12-19 01:21 -------- d-----w- c:\windows\system32\nn-NO
2011-12-19 01:21 . 2008-04-27 19:07 909824 ----a-w- c:\windows\system32\drivers\athr.sys
2011-12-19 01:21 . 2008-04-22 13:13 376832 ----a-w- c:\windows\system32\S64CPA.exe
2011-12-19 01:21 . 2008-04-22 13:13 53248 ----a-w- c:\windows\system32\athihvui.dll
2011-12-19 01:21 . 2008-04-22 13:12 393216 ----a-w- c:\windows\system32\athihvs.dll
2011-12-19 01:21 . 2011-12-19 01:22 -------- d-----w- c:\program files\Atheros
2011-12-19 01:21 . 2011-12-19 01:21 -------- d-----w- c:\program files\Cisco
2011-12-19 01:21 . 2011-12-19 01:21 -------- d-----w- c:\programdata\Atheros
2011-12-19 01:20 . 2008-09-05 05:17 3601976 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-12-19 01:20 . 2008-09-05 05:17 3549752 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-12-18 22:43 . 2011-12-22 18:18 -------- d-----w- c:\users\sshado
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-19 01:31 . 2008-10-26 00:00 1053232 ----a-w- c:\windows\system32\MFC71u.dll
2011-12-19 01:31 . 2008-08-06 22:29 353840 ----a-w- c:\windows\system32\msvcr71.dll
2011-12-19 01:31 . 2008-08-06 22:27 505392 ----a-w- c:\windows\system32\msvcp71.dll
2011-12-19 01:31 . 2008-10-26 00:00 1066544 ----a-w- c:\windows\system32\MFC71.dll
2011-11-21 04:04 . 2011-12-19 19:25 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\Steam\steam.exe" [2011-12-19 1242448]
"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2011-11-23 442640]
"Hyperdesktop"="c:\users\sshado\AppData\Roaming\Hyperdesktop\hyperdesktop.exe" [2011-12-23 192560]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-07-11 13543968]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-07-11 92704]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-17 1049896]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
.
c:\users\sshado\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-06-12 09:38 34672 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Health Check Scheduler]
2008-10-09 14:58 75008 ----a-w- c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 23:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPAdvisor]
2008-09-30 23:56 972080 ----a-w- c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
2008-04-15 21:51 488752 ----a-w- c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl.exe]
2008-08-01 23:14 202032 ----a-w- c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
2008-09-24 01:21 468264 ----a-w- c:\program files\HP\QuickPlay\QPService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-06-10 11:27 144784 ----a-w- c:\program files\Java\jre1.6.0_07\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateLBPShortCut]
2008-06-14 01:11 210216 ------w- c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateP2GoShortCut]
2008-06-14 01:11 210216 ------w- c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdatePDIRShortCut]
2008-06-14 01:11 210216 ------w- c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdatePSTShortCut]
2008-10-07 03:42 210216 ------w- c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe
.
R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-04-03 193840]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [x]
R3 PROCEXP151;PROCEXP151;c:\windows\system32\Drivers\PROCEXP151.SYS [x]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\DRIVERS\wacmoumonitor.sys [2011-09-08 10752]
R4 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe [2008-10-25 115560]
S2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [2010-11-09 21992]
S2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\SMINST\BLService.exe [2008-10-06 365952]
S2 TabletServicePen;TabletServicePen;c:\program files\Tablet\Pen\Pen_Tablet.exe [2011-09-08 5554552]
S2 TouchServicePen;Wacom Consumer Touch Service;c:\program files\Tablet\Pen\Pen_TouchService.exe [2011-09-08 451960]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2008-05-09 43040]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-24 c:\windows\Tasks\At1.job
- c:\windows\system32\j10emyMr.com [2011-12-24 15:48]
.
2011-12-24 c:\windows\Tasks\At11.job
- c:\windows\system32\j10emyMr.com [2011-12-24 15:48]
.
2011-12-24 c:\windows\Tasks\At13.job
- c:\windows\system32\j10emyMr.com [2011-12-24 15:48]
.
2011-12-24 c:\windows\Tasks\At15.job
- c:\windows\system32\j10emyMr.com [2011-12-24 15:48]
.
2011-12-24 c:\windows\Tasks\At17.job
- c:\windows\system32\j10emyMr.com [2011-12-24 15:48]
.
2011-12-24 c:\windows\Tasks\At19.job
- c:\windows\system32\j10emyMr.com [2011-12-24 15:48]
.
2011-12-24 c:\windows\Tasks\At21.job
- c:\windows\system32\j10emyMr.com [2011-12-24 15:48]
.
2011-12-24 c:\windows\Tasks\At23.job
- c:\windows\system32\j10emyMr.com [2011-12-24 15:48]
.
2011-12-24 c:\windows\Tasks\At25.job
- c:\windows\system32\j10emyMr.com [2011-12-24 15:48]
.
2011-12-24 c:\windows\Tasks\At27.job
- c:\windows\system32\j10emyMr.com [2011-12-24 15:48]
.
2011-12-24 c:\windows\Tasks\At29.job
- c:\windows\system32\j10emyMr.com [2011-12-24 15:48]
.
2011-12-24 c:\windows\Tasks\At3.job
- c:\windows\system32\j10emyMr.com [2011-12-24 15:48]
.
2011-12-24 c:\windows\Tasks\At31.job
- c:\windows\system32\j10emyMr.com [2011-12-24 15:48]
.
2011-12-24 c:\windows\Tasks\At33.job
- c:\windows\system32\j10emyMr.com [2011-12-24 15:48]
.
2011-12-24 c:\windows\Tasks\At35.job
- c:\windows\system32\j10emyMr.com [2011-12-24 15:48]
.
2011-12-24 c:\windows\Tasks\At37.job
- c:\windows\system32\j10emyMr.com [2011-12-24 15:48]
.
2011-12-24 c:\windows\Tasks\At39.job
- c:\windows\system32\j10emyMr.com [2011-12-24 15:48]
.
2011-12-24 c:\windows\Tasks\At41.job
- c:\windows\system32\j10emyMr.com [2011-12-24 15:48]
.
2011-12-24 c:\windows\Tasks\At43.job
- c:\windows\system32\j10emyMr.com [2011-12-24 15:48]
.
2011-12-24 c:\windows\Tasks\At45.job
- c:\windows\system32\j10emyMr.com [2011-12-24 15:48]
.
2011-12-24 c:\windows\Tasks\At47.job
- c:\windows\system32\j10emyMr.com [2011-12-24 15:48]
.
2011-12-24 c:\windows\Tasks\At5.job
- c:\windows\system32\j10emyMr.com [2011-12-24 15:48]
.
2011-12-24 c:\windows\Tasks\At7.job
- c:\windows\system32\j10emyMr.com [2011-12-24 15:48]
.
2011-12-24 c:\windows\Tasks\At9.job
- c:\windows\system32\j10emyMr.com [2011-12-24 15:48]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
TCP: Interfaces\{BAD71EF5-C6C9-4F43-B390-21FA9E6D5E6B}: NameServer = 68.87.73.246,68.87.71.230
FF - ProfilePath - c:\users\sshado\AppData\Roaming\Mozilla\Firefox\Profiles\jqaicke8.default\
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-24 14:03
Windows 6.0.6001 Service Pack 1 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-12-24 14:05:01
ComboFix-quarantined-files.txt 2011-12-24 19:04
.
Pre-Run: 120,031,473,664 bytes free
Post-Run: 120,322,605,056 bytes free
.
- - End Of File - - 848084ED41918EA703B516465FF65C26
 


Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

64-bit users go HERE
  • Double-click SystemLook.exe to run it.
  • Vista\Win 7 users: Right-click on SystemLook.exe and click Run As Administrator
  • Copy the content of the following box and paste it into the main textfield:
    Code:
    :filefind
    smb.sys
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

=======================================================

1. Please open Notepad (Start>All Programs>Accessories>Notepad).

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
c:\windows\system32\j10emyMr.com

At::

ClearJavaCache::


3. Save the above as CFScript.txt

4. Close/disable all antivirus and anti-malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: CFScript.gif]



6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
 
Hello, I apologize for the delays. I have been with family for the holidays and without internet connection most of the time.

The requested information will be posted tomorrow morning! Thanks for your patience.
 