[A] Windows 7/Vista Antivirus 2012 - Rootkit/Malware

Inactive
By Piecake
Dec 21, 2011
Topic Status:
Not open for further replies.
  1. I have a rootkit/malware in the form of a fake antivirus. It's been jumping around on my local network and I'm working to clean up the last remaining copies of it. Logs are attached. I appreciate your assistance and the service provided here.

    --------
    MBAM Log:
    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 911122102

    Windows 6.0.6001 Service Pack 1
    Internet Explorer 7.0.6001.18000

    12/21/2011 2:39:39 PM
    mbam-log-2011-12-21 (14-39-39).txt

    Scan type: Quick scan
    Objects scanned: 168070
    Time elapsed: 7 minute(s), 0 second(s)

    Memory Processes Infected: 2
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 3

    Memory Processes Infected:
    c:\Windows\Temp\_ex-68.exe (Heuristics.Shuriken) -> 2880 -> Unloaded process successfully.
    c:\Windows\Temp\_ex-08.exe (Trojan.FakeAlert) -> 3596 -> Unloaded process successfully.

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MozillaAgent (Heuristics.Shuriken) -> Value: MozillaAgent -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\Windows\Temp\_ex-68.exe (Heuristics.Shuriken) -> Quarantined and deleted successfully.
    c:\Windows\Temp\_ex-08.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    c:\Windows\Temp\xrhuup\setup.exe (Heuristics.Shuriken) -> Quarantined and deleted successfully.
    --------

    GMER Log:

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2011-12-21 16:05:36
    Windows 6.0.6001 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-5 SAMSUNG_HM251JI rev.2SS00_03
    Running: fpion0sx.exe; Driver: C:\Users\sshado\AppData\Local\Temp\pxdiqpow.sys


    ---- System - GMER 1.0.15 ----

    Code 9111EBFC ZwTraceEvent
    Code 9111EBFB NtTraceEvent

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!NtTraceEvent 81E7C841 5 Bytes JMP 9111EC00
    ? System32\drivers\ctqtflkh.sys The system cannot find the path specified. !
    .text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8BE06340, 0x3EA427, 0xE8000020]
    .text smb.sys 8FD8C000 17 Bytes [00, 00, 00, 00, 00, 00, 33, ...]
    .text smb.sys 8FD8C012 50 Bytes [55, 8B, EC, 8B, 45, 08, 8B, ...]
    .text smb.sys 8FD8C045 64 Bytes [CC, CC, CC, CC, CC, 8B, FF, ...]
    .text smb.sys 8FD8C086 40 Bytes [F0, 0F, C1, 11, 8D, 48, 0C, ...]
    .text smb.sys 8FD8C0AF 4 Bytes [68, 00, 01, 00]
    .text ...
    ? C:\Windows\system32\DRIVERS\smb.sys suspicious PE modification

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Windows\system32\svchost.exe[1064] ntdll.dll!NtProtectVirtualMemory 76F68968 5 Bytes JMP 0096000A
    .text C:\Windows\system32\svchost.exe[1064] ntdll.dll!NtWriteVirtualMemory 76F692A8 5 Bytes JMP 009B000A
    .text C:\Windows\system32\svchost.exe[1064] ntdll.dll!KiUserExceptionDispatcher 76F699E8 5 Bytes JMP 008A000A

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

    ---- Files - GMER 1.0.15 ----

    File C:\Windows\$NtUninstallKB58722$\1680112346 0 bytes
    File C:\Windows\$NtUninstallKB58722$\743819575 0 bytes
    File C:\Windows\$NtUninstallKB58722$\743819575\@ 2048 bytes
    File C:\Windows\$NtUninstallKB58722$\743819575\bckfg.tmp 794 bytes
    File C:\Windows\$NtUninstallKB58722$\743819575\cfg.ini 208 bytes
    File C:\Windows\$NtUninstallKB58722$\743819575\Desktop.ini 4608 bytes
    File C:\Windows\$NtUninstallKB58722$\743819575\keywords 13 bytes
    File C:\Windows\$NtUninstallKB58722$\743819575\kwrd.dll 223744 bytes
    File C:\Windows\$NtUninstallKB58722$\743819575\L 0 bytes
    File C:\Windows\$NtUninstallKB58722$\743819575\L\qnbwvoto 66560 bytes
    File C:\Windows\$NtUninstallKB58722$\743819575\lsflt7.ver 5176 bytes
    File C:\Windows\$NtUninstallKB58722$\743819575\U 0 bytes
    File C:\Windows\$NtUninstallKB58722$\743819575\U\00000001.@ 1536 bytes
    File C:\Windows\$NtUninstallKB58722$\743819575\U\00000002.@ 224768 bytes
    File C:\Windows\$NtUninstallKB58722$\743819575\U\00000004.@ 1024 bytes
    File C:\Windows\$NtUninstallKB58722$\743819575\U\80000000.@ 11264 bytes
    File C:\Windows\$NtUninstallKB58722$\743819575\U\80000004.@ 12800 bytes
    File C:\Windows\$NtUninstallKB58722$\743819575\U\80000032.@ 97792 bytes

    ---- EOF - GMER 1.0.15 ----


    --------

    DDS Post & Attach Logs:

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_22
    Run by sshado at 16:06:58 on 2011-12-21
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1790.807 [GMT -5:00]
    .
    AV: Norton Internet Security *Disabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: Norton Internet Security *Disabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
    FW: Norton Internet Security *Disabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\rundll32.exe
    C:\Program Files\Sandboxie\SbieSvc.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\WLANExt.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\SMINST\BLService.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\DRIVERS\xaudio.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskeng.exe
    C:\Windows\System32\rundll32.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Sandboxie\SbieCtrl.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.bin
    C:\Program Files\CPUID\HWMonitor\HWMonitor.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Program Files\Windows Media Player\wmplayer.exe
    C:\Windows\system32\wuauclt.exe
    C:\Windows\System32\ping.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
    uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
    mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\16.0.0.125\coIEPlg.dll
    BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\16.0.0.125\IPSBHO.DLL
    BHO: Microsoft Live Search Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0541.0\msneshellx.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\16.0.0.125\coIEPlg.dll
    TB: Microsoft Live Search Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0541.0\msneshellx.dll
    TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
    uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
    uRun: [SandboxieControl] "c:\program files\sandboxie\SbieCtrl.exe"
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    StartupFolder: c:\users\sshado\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
    uPolicies-explorer: HideSCAHealth = 1 (0x1)
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
    LSP: mswsock.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    TCP: Interfaces\{BAD71EF5-C6C9-4F43-B390-21FA9E6D5E6B} : NameServer = 68.87.73.246,68.87.71.230
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\sshado\appdata\roaming\mozilla\firefox\profiles\jqaicke8.default\
    FF - prefs.js: network.proxy.type - 0
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
    FF - plugin: c:\users\sshado\appdata\locallow\unity\webplayer\loader\npUnity3D32.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [2011-12-19 21992]
    R2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\sminst\BLService.exe [2008-10-25 365952]
    R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2008-5-9 43040]
    R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2011-11-23 131856]
    S3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2008-10-25 193840]
    S4 Norton Internet Security;Norton Internet Security;c:\program files\norton internet security\engine\16.0.0.125\ccSvcHst.exe [2008-10-25 115560]
    .
    =============== Created Last 30 ================
    .
    2011-12-21 19:40:03 -------- d-----w- C:\logs
    2011-12-21 05:27:15 -------- d-----w- c:\users\sshado\appdata\roaming\OpenOffice.org
    2011-12-21 04:19:01 -------- d-----w- c:\users\sshado\appdata\roaming\Malwarebytes
    2011-12-21 04:18:09 -------- d-----w- c:\programdata\Malwarebytes
    2011-12-21 04:18:04 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-12-21 04:18:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-12-21 04:13:54 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2011-12-21 04:13:53 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
    2011-12-21 04:13:53 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
    2011-12-21 04:13:53 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
    2011-12-21 04:13:53 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
    2011-12-21 04:13:16 -------- d-----w- C:\lol
    2011-12-21 03:47:40 -------- d-----r- C:\Sandbox
    2011-12-21 03:46:18 -------- d-----w- c:\program files\Sandboxie
    2011-12-20 21:43:45 -------- d-----w- c:\users\sshado\appdata\local\BIT.TRIP RUNNER
    2011-12-20 21:43:30 444952 ----a-w- c:\windows\system32\wrap_oal.dll
    2011-12-20 21:43:30 109080 ----a-w- c:\windows\system32\OpenAL32.dll
    2011-12-20 21:43:30 -------- d-----w- c:\program files\OpenAL
    2011-12-20 21:43:24 -------- d--h--w- c:\windows\msdownld.tmp
    2011-12-20 21:43:23 -------- d-----w- c:\windows\system32\directx
    2011-12-20 21:41:35 -------- d-----w- c:\users\sshado\appdata\roaming\Nicalis
    2011-12-20 20:02:34 -------- d-----w- c:\users\sshado\appdata\roaming\Unity
    2011-12-20 19:58:02 -------- d-----w- c:\users\sshado\appdata\local\Unity
    2011-12-20 05:15:15 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-12-20 03:46:40 -------- d-----w- c:\program files\OpenOffice.org 3
    2011-12-20 03:44:32 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-12-20 02:39:09 21992 ----a-w- c:\windows\system32\drivers\cpuz135_x32.sys
    2011-12-20 02:39:09 -------- d-----w- c:\program files\CPUID
    2011-12-20 01:28:07 -------- d-----w- c:\windows\pss
    2011-12-19 21:37:50 -------- d-----w- c:\program files\lol
    2011-12-19 21:09:39 -------- d-----w- c:\users\sshado\appdata\local\PMB Files
    2011-12-19 21:09:38 -------- d-----w- c:\programdata\PMB Files
    2011-12-19 21:09:33 -------- d-----w- c:\program files\Pando Networks
    2011-12-19 14:59:58 -------- d-----w- c:\program files\common files\Steam
    2011-12-19 14:59:55 -------- d-----w- c:\program files\Steam
    2011-12-19 14:02:43 -------- d-----w- c:\program files\uTorrent
    2011-12-19 14:01:50 -------- d-----w- c:\users\sshado\appdata\roaming\uTorrent
    2011-12-19 01:38:39 -------- d-sh--w- C:\$RECYCLE.BIN
    2011-12-19 01:35:30 -------- d-----w- c:\program files\muvee Technologies
    2011-12-19 01:35:20 -------- d-----w- c:\program files\common files\muvee Technologies
    2011-12-19 01:31:16 82432 ----a-w- c:\windows\system32\msxml4r.dll
    2011-12-19 01:31:16 44544 ----a-w- c:\windows\system32\msxml4a.dll
    2011-12-19 01:31:16 1233920 ----a-w- c:\windows\system32\msxml4.dll
    2011-12-19 01:30:50 89088 ------w- c:\windows\system32\atl71.dll
    2011-12-19 01:30:46 77824 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\ctor.dll
    2011-12-19 01:30:46 32768 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\objectps.dll
    2011-12-19 01:30:46 225280 ----a-w- c:\program files\common files\installshield\iscript\iscript.dll
    2011-12-19 01:30:46 176128 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\iuser.dll
    2011-12-19 01:30:45 610436 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\IKernel.exe
    2011-12-19 01:27:32 6416928 ----a-w- c:\windows\system\DriveIcon.dll
    2011-12-19 01:27:32 61952 ----a-w- c:\windows\system32\drivers\RTSTOR.sys
    2011-12-19 01:26:20 -------- d-----w- c:\program files\NetWaiting
    2011-12-19 01:26:04 -------- d-----w- c:\program files\CONEXANT
    2011-12-19 01:25:03 -------- d-----w- c:\program files\Synaptics
    2011-12-19 01:24:33 768544 ----a-w- c:\windows\system32\nvcplui.exe
    2011-12-19 01:24:33 420384 ----a-w- c:\windows\system32\nvcpl.cpl
    2011-12-19 01:24:33 313888 ----a-w- c:\windows\system32\nvexpbar.dll
    2011-12-19 01:24:33 1079840 ----a-w- c:\windows\system32\nvcpluir.dll
    2011-12-19 01:23:00 3948 ----a-w- c:\windows\system32\drivers\nvphy.bin
    2011-12-19 01:22:46 442368 ----a-w- c:\windows\system32\nvusmb.exe
    2011-12-19 01:22:40 446464 ----a-w- c:\windows\system32\NVUNINST.EXE
    2011-12-19 01:21:32 909824 ----a-w- c:\windows\system32\drivers\athr.sys
    2011-12-19 01:21:32 53248 ----a-w- c:\windows\system32\athihvui.dll
    2011-12-19 01:21:32 393216 ----a-w- c:\windows\system32\athihvs.dll
    2011-12-19 01:21:32 376832 ----a-w- c:\windows\system32\S64CPA.exe
    2011-12-19 01:21:32 -------- d-----w- c:\windows\system32\nn-NO
    2011-12-19 01:21:21 -------- d-----w- c:\program files\Atheros
    2011-12-19 01:21:20 -------- d-----w- c:\program files\Cisco
    2011-12-19 01:21:17 -------- d-----w- c:\programdata\Atheros
    2011-12-19 01:20:51 3601976 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2011-12-19 01:20:51 3549752 ----a-w- c:\windows\system32\ntoskrnl.exe
    2011-12-18 22:49:38 -------- d-----w- c:\users\sshado\appdata\local\Hewlett-Packard
    2011-12-18 22:46:02 -------- d-----w- c:\users\sshado\appdata\roaming\HP TCS
    .
    ==================== Find3M ====================
    .
    2011-12-19 01:31:54 505392 ----a-w- c:\windows\system32\msvcp71.dll
    2011-12-19 01:31:54 353840 ----a-w- c:\windows\system32\msvcr71.dll
    2011-12-19 01:31:54 1053232 ----a-w- c:\windows\system32\MFC71u.dll
    2011-12-19 01:31:53 1066544 ----a-w- c:\windows\system32\MFC71.dll
    .
    ============= FINISH: 16:07:25.01 ===============


    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft® Windows Vista™ Home Premium
    Boot Device: \Device\HarddiskVolume1
    Install Date: 12/18/2011 8:16:53 PM
    System Uptime: 12/21/2011 3:44:12 PM (1 hours ago)
    .
    Motherboard: Wistron | | 303C
    Processor: AMD Athlon Dual-Core QL-62 | Socket A | 2000/133mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 203 GiB total, 160.274 GiB free.
    D: is FIXED (NTFS) - 11 GiB total, 0.707 GiB free.
    E: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP7: 12/18/2011 5:45:21 PM - First_User_Boot
    RP8: 12/19/2011 9:59:38 AM - Installed Steam
    RP9: 12/19/2011 10:31:05 PM - Scheduled Checkpoint
    RP10: 12/19/2011 10:41:48 PM - Installed Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    RP11: 12/19/2011 10:44:04 PM - Installed Java(TM) 6 Update 22
    RP12: 12/19/2011 10:44:47 PM - Installed OpenOffice.org 3.3
    RP13: 12/19/2011 10:46:17 PM - Installed OpenOffice.org 3.3
    RP15: 12/20/2011 3:38:47 PM - Installed DirectX
    .
    ==== Installed Programs ======================
    .
    µTorrent
    7-Zip 9.20
    Acrobat.com
    Activation Assistant for the 2007 Microsoft Office suites
    ActiveCheck component for HP Active Support Library
    Adobe AIR
    Adobe Flash Player 11 Plugin
    Adobe Flash Player ActiveX
    Adobe Reader 9
    Adobe Shockwave Player
    Atheros Driver Installation Program
    BIT.TRIP RUNNER
    Cisco EAP-FAST Module
    Cisco LEAP Module
    Cisco PEAP Module
    Compatibility Pack for the 2007 Office system
    Conexant HD Audio
    CPUID HWMonitor 1.18
    CyberLink DVD Suite
    ESU for Microsoft Vista
    HDAUDIO Soft Data Fax Modem with SmartCP
    HP Active Support Library
    HP Customer Experience Enhancements
    HP Doc Viewer
    HP DVD Play 3.7
    HP Help and Support
    HP Quick Launch Buttons 6.40 H2
    HP Total Care Advisor
    HP Update
    HP User Guides 0118
    HP Wireless Assistant
    HPAsset component for HP Active Support Library
    HPNetworkAssistant
    HPTCSSetup
    Jamestown
    Java Auto Updater
    Java(TM) 6 Update 22
    Java(TM) 6 Update 7
    Juno Preloader
    LabelPrint
    Malwarebytes' Anti-Malware version 1.51.2.1300
    Microsoft Live Search Toolbar
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Home and Student 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office PowerPoint Viewer 2007 (English)
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Silverlight
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
    Microsoft Works
    Mozilla Firefox 8.0.1 (x86 en-US)
    muvee Reveal
    My HP Games
    NetWaiting
    NetZero Preloader
    NightSky
    Norton Internet Security
    NVIDIA Drivers
    OpenAL
    OpenOffice.org 3.3
    Pando Media Booster
    Power2Go
    PowerDirector
    Realtek USB 2.0 Card Reader
    Sandboxie 3.62 (32-bit)
    Shank
    SPORE Creature Creator Trial Edition
    Steam
    Synaptics Pointing Device Driver
    Unity Web Player
    Update for Office 2007 (KB934528)
    .
    ==== Event Viewer Messages From Past Week ========
    .
    12/21/2011 3:44:48 PM, Error: EventLog [6008] - The previous system shutdown at 2:49:36 PM on 12/21/2011 was unexpected.
    12/20/2011 2:51:58 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: MegaSR
    12/20/2011 2:51:58 PM, Error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    12/20/2011 2:50:29 PM, Error: EventLog [6008] - The previous system shutdown at 1:49:39 AM on 12/20/2011 was unexpected.
    12/20/2011 11:11:48 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: spldr SRTSP SRTSPX Wanarpv6
    12/20/2011 11:11:48 PM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
    12/20/2011 11:11:42 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
    12/20/2011 11:11:41 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
    12/20/2011 11:11:38 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}
    12/20/2011 11:11:36 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    12/20/2011 11:11:29 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
    12/20/2011 11:10:43 PM, Error: Microsoft-Windows-WLAN-AutoConfig [10000] - WLAN Extensibility Module has failed to start. Module Path: C:\Windows\system32\athihvs.dll Error Code: 21
    12/20/2011 10:58:14 PM, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.
    12/20/2011 10:58:14 PM, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.
    12/20/2011 10:58:14 PM, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.
    12/20/2011 10:56:57 PM, Error: EventLog [6008] - The previous system shutdown at 10:54:55 PM on 12/20/2011 was unexpected.
    12/19/2011 10:13:52 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Steam Client Service service to connect.
    12/19/2011 10:13:52 AM, Error: Service Control Manager [7000] - The Steam Client Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    .
    ==== End Of File ===========================
  2. Broni

    Broni Malware Annihilator Posts: 46,179   +251

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ============================================================

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: "Would you like to download latest Avast! virus definitions?", say "Yes".
    Click the "Scan" button to start scan:

    On completion of the scan click "Save log", save it to your desktop and post it in your next reply:

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

    ==============================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.
    **Note 2 for AVG and CA Internet Security users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.

    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart your computer to fix the issue.



    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode (How to...)

    2. Delete Combofix file, download fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right-click Rkill and choose Run as Administrator.

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
  3. Piecake

    Piecake TechSpot Member Topic Starter Posts: 54

    Thanks!

    Thank you for your assistance, Broni. The amount of work I see you put in around here is always astounding. Happy holidays!

    Two logs as requested.

    aswMBR version 0.9.9.1116 Copyright(c) 2011 AVAST Software
    Run date: 2011-12-21 21:37:44
    -----------------------------
    21:37:44.246 OS Version: Windows 6.0.6001 Service Pack 1
    21:37:44.246 Number of processors: 2 586 0x301
    21:37:44.248 ComputerName: SSHADO-PC UserName: sshado
    21:37:48.526 Initialize success
    21:39:15.391 AVAST engine defs: 11122102
    21:39:19.467 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-5
    21:39:19.471 Disk 0 Vendor: SAMSUNG_HM251JI 2SS00_03 Size: 238475MB BusType: 3
    21:39:21.568 Disk 0 MBR read successfully
    21:39:21.572 Disk 0 MBR scan
    21:39:21.581 Disk 0 unknown MBR code
    21:39:21.619 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 208335 MB offset 63
    21:39:21.698 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 11138 MB offset 465580032
    21:39:21.710 Disk 0 Partition - 00 05 Extended 18998 MB offset 426670335
    21:39:21.843 Disk 0 Partition 3 00 83 Linux 18159 MB offset 426670398
    21:39:21.856 Disk 0 Partition - 00 05 Extended 839 MB offset 463860810
    21:39:21.979 Disk 0 scanning sectors +488390656
    21:39:22.404 Disk 0 scanning C:\Windows\system32\drivers
    21:40:54.371 File: C:\Windows\system32\drivers\smb.sys **INFECTED** Win32:Aluroot [Rtk]
    21:41:21.431 Service scanning
    21:41:23.929 Modules scanning
    21:43:14.794 Module: C:\Windows\system32\DRIVERS\smb.sys **SUSPICIOUS**
    21:43:45.446 Disk 0 trace - called modules:
    21:43:45.534 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8f696f10]<<
    21:43:45.542 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85ba9968]
    21:43:45.551 3 CLASSPNP.SYS[807a1745] -> nt!IofCallDriver -> [0x8f6dc658]
    21:43:45.560 \Driver\00001239[0x8f634030] -> IRP_MJ_CREATE -> 0x8f696f10
    21:43:47.255 AVAST engine scan C:\Windows
    21:45:13.262 AVAST engine scan C:\Windows\system32
    21:55:17.012 AVAST engine scan C:\Windows\system32\drivers
    21:55:26.883 File: C:\Windows\system32\drivers\smb.sys **INFECTED** Win32:Aluroot [Rtk]
    21:55:32.649 AVAST engine scan C:\Users\sshado
    21:59:28.234 AVAST engine scan C:\ProgramData
    22:02:05.470 Scan finished successfully
    22:02:19.770 Disk 0 MBR has been saved successfully to "C:\Users\sshado\Desktop\MBR.dat"
    22:02:19.775 The log file has been saved successfully to "C:\Users\sshado\Desktop\aswMBR.txt"


    -------

    Combofix:

    ComboFix 11-12-24.04 - sshado 12/24/2011 13:51:00.1.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1790.813 [GMT -5:00]
    Running from: c:\users\sshado\Desktop\ComboFix.exe
    AV: Norton Internet Security *Disabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
    FW: Norton Internet Security *Disabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
    SP: Norton Internet Security *Disabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    C:\install.exe
    c:\program files\lol
    c:\program files\lol\LeagueOfLegends\0x0409.ini
    c:\program files\lol\LeagueOfLegends\data1.cab
    c:\program files\lol\LeagueOfLegends\data1.hdr
    c:\program files\lol\LeagueOfLegends\data2.cab
    c:\program files\lol\LeagueOfLegends\ISSetup.dll
    c:\program files\lol\LeagueOfLegends\layout.bin
    c:\program files\lol\LeagueOfLegends\setup.exe
    c:\program files\lol\LeagueOfLegends\setup.ini
    c:\program files\lol\LeagueOfLegends\setup.inx
    c:\program files\lol\LeagueOfLegends\setup.isn
    c:\windows\$NtUninstallKB58722$\1680112346
    c:\windows\$NtUninstallKB58722$\743819575\@
    c:\windows\$NtUninstallKB58722$\743819575\bckfg.tmp
    c:\windows\$NtUninstallKB58722$\743819575\cfg.ini
    c:\windows\$NtUninstallKB58722$\743819575\Desktop.ini
    c:\windows\$NtUninstallKB58722$\743819575\keywords
    c:\windows\$NtUninstallKB58722$\743819575\kwrd.dll
    c:\windows\$NtUninstallKB58722$\743819575\L\qnbwvoto
    c:\windows\$NtUninstallKB58722$\743819575\lsflt7.ver
    c:\windows\$NtUninstallKB58722$\743819575\U\00000001.@
    c:\windows\$NtUninstallKB58722$\743819575\U\00000002.@
    c:\windows\$NtUninstallKB58722$\743819575\U\00000004.@
    c:\windows\$NtUninstallKB58722$\743819575\U\80000000.@
    c:\windows\$NtUninstallKB58722$\743819575\U\80000004.@
    c:\windows\$NtUninstallKB58722$\743819575\U\80000032.@
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-11-24 to 2011-12-24 )))))))))))))))))))))))))))))))
    .
    .
    2011-12-24 19:03 . 2011-12-24 19:03 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-12-24 15:48 . 2011-12-24 15:48 29184 ----a-w- c:\windows\system32\j10emyMr.com
    2011-12-24 02:18 . 2011-12-24 02:26 -------- d-----w- c:\program files\Mumble
    2011-12-23 21:22 . 2011-12-23 21:22 -------- d-----w- c:\program files\Foxit Software
    2011-12-23 17:43 . 2011-12-23 17:43 -------- d-----w- c:\program files\Combined Community Codec Pack
    2011-12-22 18:18 . 2011-09-08 22:48 1107832 ----a-w- c:\windows\system32\Pen_Touch_Tablet.dll
    2011-12-22 18:18 . 2011-09-08 22:49 10752 ----a-w- c:\windows\system32\drivers\wacmoumonitor.sys
    2011-12-22 18:17 . 2011-09-08 22:49 11312 ----a-w- c:\windows\system32\drivers\wacommousefilter.sys
    2011-12-22 18:15 . 2011-09-08 22:49 14120 ----a-w- c:\windows\system32\drivers\wacomvhid.sys
    2011-12-22 18:15 . 2011-09-08 22:48 1156472 ----a-w- c:\windows\system32\Wintab32.dll
    2011-12-22 18:15 . 2011-09-08 22:48 1152888 ----a-w- c:\windows\system32\WacomMT.dll
    2011-12-22 18:15 . 2011-09-08 22:48 1369464 ----a-w- c:\windows\system32\Pen_Tablet.dll
    2011-12-22 18:15 . 2011-12-22 18:18 -------- d-----w- c:\program files\Tablet
    2011-12-22 18:00 . 2011-12-22 18:05 -------- d-----w- c:\program files\Heroes of Newerth
    2011-12-22 01:43 . 2008-07-12 13:18 1493528 ----a-w- c:\windows\system32\D3DCompiler_39.dll
    2011-12-22 01:43 . 2008-07-12 13:18 467984 ----a-w- c:\windows\system32\d3dx10_39.dll
    2011-12-22 01:43 . 2008-07-12 13:18 3851784 ----a-w- c:\windows\system32\D3DX9_39.dll
    2011-12-22 01:35 . 2011-12-22 01:35 -------- d-----w- C:\Riot Games
    2011-12-21 19:40 . 2011-12-21 21:11 -------- d-----w- C:\logs
    2011-12-21 04:18 . 2011-12-21 04:18 -------- d-----w- c:\programdata\Malwarebytes
    2011-12-21 04:18 . 2011-12-21 04:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-12-21 04:18 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-12-21 04:13 . 2011-12-21 04:19 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2011-12-21 04:13 . 2011-12-21 04:13 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
    2011-12-21 04:13 . 2011-12-21 04:13 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
    2011-12-21 04:13 . 2011-12-21 04:13 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
    2011-12-21 04:13 . 2011-12-21 04:13 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
    2011-12-21 04:13 . 2011-12-21 04:13 -------- d-----w- C:\lol
    2011-12-21 03:47 . 2011-12-21 03:47 -------- d-----r- C:\Sandbox
    2011-12-21 03:46 . 2011-12-21 03:46 -------- d-----w- c:\program files\Sandboxie
    2011-12-21 03:14 . 2011-12-21 03:14 -------- d-----w- c:\windows\Sun
    2011-12-20 22:52 . 2011-12-20 22:52 -------- d-----w- c:\program files\7-Zip
    2011-12-20 21:43 . 2011-12-21 23:50 444952 ----a-w- c:\windows\system32\wrap_oal.dll
    2011-12-20 21:43 . 2011-12-21 23:50 109080 ----a-w- c:\windows\system32\OpenAL32.dll
    2011-12-20 21:43 . 2011-12-20 21:43 -------- d-----w- c:\program files\OpenAL
    2011-12-20 21:43 . 2011-12-20 21:43 -------- d--h--w- c:\windows\msdownld.tmp
    2011-12-20 05:15 . 2011-12-20 05:15 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-12-20 03:46 . 2011-12-20 03:46 -------- d-----w- c:\program files\OpenOffice.org 3
    2011-12-20 03:44 . 2011-12-20 03:44 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-12-20 02:39 . 2011-12-20 02:39 -------- d-----w- c:\program files\CPUID
    2011-12-20 02:39 . 2010-11-09 20:35 21992 ----a-w- c:\windows\system32\drivers\cpuz135_x32.sys
    2011-12-19 21:09 . 2011-12-22 04:21 -------- d-----w- c:\programdata\PMB Files
    2011-12-19 21:09 . 2011-12-19 21:09 -------- d-----w- c:\program files\Pando Networks
    2011-12-19 14:59 . 2011-12-19 18:40 -------- d-----w- c:\program files\Common Files\Steam
    2011-12-19 14:59 . 2011-12-24 02:34 -------- d-----w- c:\program files\Steam
    2011-12-19 14:02 . 2011-12-19 14:02 -------- d-----w- c:\program files\uTorrent
    2011-12-19 01:38 . 2011-12-19 01:38 -------- d-----w- c:\programdata\NVIDIA
    2011-12-19 01:35 . 2011-12-19 01:35 -------- d-----w- c:\program files\muvee Technologies
    2011-12-19 01:35 . 2011-12-19 01:35 -------- d-----w- c:\program files\Common Files\muvee Technologies
    2011-12-19 01:31 . 2008-09-24 01:22 82432 ----a-w- c:\windows\system32\msxml4r.dll
    2011-12-19 01:31 . 2008-09-24 01:22 44544 ----a-w- c:\windows\system32\msxml4a.dll
    2011-12-19 01:31 . 2008-09-24 01:22 1233920 ----a-w- c:\windows\system32\msxml4.dll
    2011-12-19 01:30 . 2008-09-24 01:22 89088 ------w- c:\windows\system32\atl71.dll
    2011-12-19 01:30 . 2001-09-05 12:18 77824 ----a-w- c:\program files\Common Files\InstallShield\Engine\6\Intel 32\ctor.dll
    2011-12-19 01:30 . 2001-09-05 12:18 225280 ----a-w- c:\program files\Common Files\InstallShield\IScript\iscript.dll
    2011-12-19 01:30 . 2001-09-05 12:14 176128 ----a-w- c:\program files\Common Files\InstallShield\Engine\6\Intel 32\iuser.dll
    2011-12-19 01:30 . 2001-09-05 12:13 32768 ----a-w- c:\program files\Common Files\InstallShield\Engine\6\Intel 32\objectps.dll
    2011-12-19 01:30 . 2007-03-13 20:54 610436 ----a-w- c:\program files\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe
    2011-12-19 01:27 . 2008-09-20 01:43 61952 ----a-w- c:\windows\system32\drivers\RTSTOR.sys
    2011-12-19 01:27 . 2008-05-07 01:41 6416928 ----a-w- c:\windows\system\DriveIcon.dll
    2011-12-19 01:26 . 2011-12-19 01:26 -------- d-----w- c:\program files\NetWaiting
    2011-12-19 01:26 . 2011-12-19 01:27 -------- d-----w- c:\program files\CONEXANT
    2011-12-19 01:25 . 2011-12-19 01:25 -------- d-----w- c:\program files\Synaptics
    2011-12-19 01:24 . 2008-07-11 18:31 768544 ----a-w- c:\windows\system32\nvcplui.exe
    2011-12-19 01:24 . 2008-07-11 18:31 420384 ----a-w- c:\windows\system32\nvcpl.cpl
    2011-12-19 01:24 . 2008-07-11 18:31 313888 ----a-w- c:\windows\system32\nvexpbar.dll
    2011-12-19 01:24 . 2008-07-11 18:31 1079840 ----a-w- c:\windows\system32\nvcpluir.dll
    2011-12-19 01:23 . 2008-01-17 06:17 3948 ----a-w- c:\windows\system32\drivers\nvphy.bin
    2011-12-19 01:22 . 2008-01-10 14:30 442368 ----a-w- c:\windows\system32\nvusmb.exe
    2011-12-19 01:22 . 2008-07-11 23:44 446464 ----a-w- c:\windows\system32\NVUNINST.EXE
    2011-12-19 01:21 . 2011-12-19 01:21 -------- d-----w- c:\windows\system32\nn-NO
    2011-12-19 01:21 . 2008-04-27 19:07 909824 ----a-w- c:\windows\system32\drivers\athr.sys
    2011-12-19 01:21 . 2008-04-22 13:13 376832 ----a-w- c:\windows\system32\S64CPA.exe
    2011-12-19 01:21 . 2008-04-22 13:13 53248 ----a-w- c:\windows\system32\athihvui.dll
    2011-12-19 01:21 . 2008-04-22 13:12 393216 ----a-w- c:\windows\system32\athihvs.dll
    2011-12-19 01:21 . 2011-12-19 01:22 -------- d-----w- c:\program files\Atheros
    2011-12-19 01:21 . 2011-12-19 01:21 -------- d-----w- c:\program files\Cisco
    2011-12-19 01:21 . 2011-12-19 01:21 -------- d-----w- c:\programdata\Atheros
    2011-12-19 01:20 . 2008-09-05 05:17 3601976 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2011-12-19 01:20 . 2008-09-05 05:17 3549752 ----a-w- c:\windows\system32\ntoskrnl.exe
    2011-12-18 22:43 . 2011-12-22 18:18 -------- d-----w- c:\users\sshado
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-12-19 01:31 . 2008-10-26 00:00 1053232 ----a-w- c:\windows\system32\MFC71u.dll
    2011-12-19 01:31 . 2008-08-06 22:29 353840 ----a-w- c:\windows\system32\msvcr71.dll
    2011-12-19 01:31 . 2008-08-06 22:27 505392 ----a-w- c:\windows\system32\msvcp71.dll
    2011-12-19 01:31 . 2008-10-26 00:00 1066544 ----a-w- c:\windows\system32\MFC71.dll
    2011-11-21 04:04 . 2011-12-19 19:25 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Steam"="c:\program files\Steam\steam.exe" [2011-12-19 1242448]
    "SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2011-11-23 442640]
    "Hyperdesktop"="c:\users\sshado\AppData\Roaming\Hyperdesktop\hyperdesktop.exe" [2011-12-23 192560]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-07-11 13543968]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-07-11 92704]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-17 1049896]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    .
    c:\users\sshado\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2008-06-12 09:38 34672 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Health Check Scheduler]
    2008-10-09 14:58 75008 ----a-w- c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2007-05-08 23:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPAdvisor]
    2008-09-30 23:56 972080 ----a-w- c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
    2008-04-15 21:51 488752 ----a-w- c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl.exe]
    2008-08-01 23:14 202032 ----a-w- c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
    2008-09-24 01:21 468264 ----a-w- c:\program files\HP\QuickPlay\QPService.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2008-06-10 11:27 144784 ----a-w- c:\program files\Java\jre1.6.0_07\bin\jusched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateLBPShortCut]
    2008-06-14 01:11 210216 ------w- c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateP2GoShortCut]
    2008-06-14 01:11 210216 ------w- c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdatePDIRShortCut]
    2008-06-14 01:11 210216 ------w- c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdatePSTShortCut]
    2008-10-07 03:42 210216 ------w- c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe
    .
    R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-04-03 193840]
    R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [x]
    R3 PROCEXP151;PROCEXP151;c:\windows\system32\Drivers\PROCEXP151.SYS [x]
    R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\DRIVERS\wacmoumonitor.sys [2011-09-08 10752]
    R4 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe [2008-10-25 115560]
    S2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [2010-11-09 21992]
    S2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\SMINST\BLService.exe [2008-10-06 365952]
    S2 TabletServicePen;TabletServicePen;c:\program files\Tablet\Pen\Pen_Tablet.exe [2011-09-08 5554552]
    S2 TouchServicePen;Wacom Consumer Touch Service;c:\program files\Tablet\Pen\Pen_TouchService.exe [2011-09-08 451960]
    S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2008-05-09 43040]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-12-24 c:\windows\Tasks\At1.job
    - c:\windows\system32\j10emyMr.com [2011-12-24 15:48]
    .
    2011-12-24 c:\windows\Tasks\At11.job
    - c:\windows\system32\j10emyMr.com [2011-12-24 15:48]
    .
    2011-12-24 c:\windows\Tasks\At13.job
    - c:\windows\system32\j10emyMr.com [2011-12-24 15:48]
    .
    2011-12-24 c:\windows\Tasks\At15.job
    - c:\windows\system32\j10emyMr.com [2011-12-24 15:48]
    .
    2011-12-24 c:\windows\Tasks\At17.job
    - c:\windows\system32\j10emyMr.com [2011-12-24 15:48]
    .
    2011-12-24 c:\windows\Tasks\At19.job
    - c:\windows\system32\j10emyMr.com [2011-12-24 15:48]
    .
    2011-12-24 c:\windows\Tasks\At21.job
    - c:\windows\system32\j10emyMr.com [2011-12-24 15:48]
    .
    2011-12-24 c:\windows\Tasks\At23.job
    - c:\windows\system32\j10emyMr.com [2011-12-24 15:48]
    .
    2011-12-24 c:\windows\Tasks\At25.job
    - c:\windows\system32\j10emyMr.com [2011-12-24 15:48]
    .
    2011-12-24 c:\windows\Tasks\At27.job
    - c:\windows\system32\j10emyMr.com [2011-12-24 15:48]
    .
    2011-12-24 c:\windows\Tasks\At29.job
    - c:\windows\system32\j10emyMr.com [2011-12-24 15:48]
    .
    2011-12-24 c:\windows\Tasks\At3.job
    - c:\windows\system32\j10emyMr.com [2011-12-24 15:48]
    .
    2011-12-24 c:\windows\Tasks\At31.job
    - c:\windows\system32\j10emyMr.com [2011-12-24 15:48]
    .
    2011-12-24 c:\windows\Tasks\At33.job
    - c:\windows\system32\j10emyMr.com [2011-12-24 15:48]
    .
    2011-12-24 c:\windows\Tasks\At35.job
    - c:\windows\system32\j10emyMr.com [2011-12-24 15:48]
    .
    2011-12-24 c:\windows\Tasks\At37.job
    - c:\windows\system32\j10emyMr.com [2011-12-24 15:48]
    .
    2011-12-24 c:\windows\Tasks\At39.job
    - c:\windows\system32\j10emyMr.com [2011-12-24 15:48]
    .
    2011-12-24 c:\windows\Tasks\At41.job
    - c:\windows\system32\j10emyMr.com [2011-12-24 15:48]
    .
    2011-12-24 c:\windows\Tasks\At43.job
    - c:\windows\system32\j10emyMr.com [2011-12-24 15:48]
    .
    2011-12-24 c:\windows\Tasks\At45.job
    - c:\windows\system32\j10emyMr.com [2011-12-24 15:48]
    .
    2011-12-24 c:\windows\Tasks\At47.job
    - c:\windows\system32\j10emyMr.com [2011-12-24 15:48]
    .
    2011-12-24 c:\windows\Tasks\At5.job
    - c:\windows\system32\j10emyMr.com [2011-12-24 15:48]
    .
    2011-12-24 c:\windows\Tasks\At7.job
    - c:\windows\system32\j10emyMr.com [2011-12-24 15:48]
    .
    2011-12-24 c:\windows\Tasks\At9.job
    - c:\windows\system32\j10emyMr.com [2011-12-24 15:48]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
    TCP: Interfaces\{BAD71EF5-C6C9-4F43-B390-21FA9E6D5E6B}: NameServer = 68.87.73.246,68.87.71.230
    FF - ProfilePath - c:\users\sshado\AppData\Roaming\Mozilla\Firefox\Profiles\jqaicke8.default\
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-12-24 14:03
    Windows 6.0.6001 Service Pack 1 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Norton Internet Security]
    "ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    Completion time: 2011-12-24 14:05:01
    ComboFix-quarantined-files.txt 2011-12-24 19:04
    .
    Pre-Run: 120,031,473,664 bytes free
    Post-Run: 120,322,605,056 bytes free
    .
    - - End Of File - - 848084ED41918EA703B516465FF65C26
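The two findings Broni acts on in the next reply are both visible in the logs above: aswMBR flags `smb.sys` as infected, and ComboFix lists two dozen `At*.job` scheduled tasks that all launch the same freshly written `j10emyMr.com` under `system32`. The following triage script is an added example, not part of this thread and not code from aswMBR, ComboFix, GMER or TechSpot; it parses the text formats shown above and pulls out exactly those two signals. The log excerpts embedded in it are constructed in the format of the logs above and shortened to a few entries; the function names and the `min_jobs` threshold are the example's own choices.

```python
"""Triage helpers for ComboFix / aswMBR text logs (added example, not the tools' own code)."""
import re
from collections import defaultdict

# Constructed sample in the format of the ComboFix 'Scheduled Tasks' section above,
# cut down to three At jobs and one ordinary task.
SAMPLE_COMBOFIX = r"""
Contents of the 'Scheduled Tasks' folder
.
2011-12-24 c:\windows\Tasks\At1.job
- c:\windows\system32\j10emyMr.com [2011-12-24 15:48]
.
2011-12-24 c:\windows\Tasks\At3.job
- c:\windows\system32\j10emyMr.com [2011-12-24 15:48]
.
2011-12-24 c:\windows\Tasks\At5.job
- c:\windows\system32\j10emyMr.com [2011-12-24 15:48]
.
2011-12-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-10-01 10:00]
.
.
------- Supplementary Scan -------
"""

# Constructed sample in the format of the aswMBR log above.
SAMPLE_ASWMBR = r"""
21:39:22.404 Disk 0 scanning C:\Windows\system32\drivers
21:40:54.371 File: C:\Windows\system32\drivers\smb.sys **INFECTED** Win32:Aluroot [Rtk]
21:41:21.431 Service scanning
21:43:14.794 Module: C:\Windows\system32\DRIVERS\smb.sys **SUSPICIOUS**
21:43:45.534 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8f696f10]<<
"""

# "2011-12-24 c:\windows\Tasks\At1.job"
TASK_RE = re.compile(r"^\d{4}-\d{2}-\d{2} (?P<job>\S+\.job)\s*$", re.IGNORECASE)
# "- c:\windows\system32\j10emyMr.com [2011-12-24 15:48]"
TARGET_RE = re.compile(r"^- (?P<target>.+?) \[[^\]]*\]\s*$")
# "hh:mm:ss.mmm File: <path> **INFECTED** <detection>"  /  "... Module: <path> **SUSPICIOUS**"
ASWMBR_RE = re.compile(
    r"^\S+ (?:File|Module): (?P<path>.+?) \*\*(?P<verdict>INFECTED|SUSPICIOUS)\*\*"
    r"(?: (?P<detection>.*))?$"
)


def parse_scheduled_tasks(log_text):
    """Return [(job_name, target_path)] from ComboFix's 'Scheduled Tasks' section."""
    pairs, in_section, current_job = [], False, None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("Contents of the 'Scheduled Tasks' folder"):
            in_section = True
            continue
        if in_section and line.startswith("-------"):
            break  # next ComboFix section reached
        if not in_section:
            continue
        m = TASK_RE.match(line)
        if m:
            current_job = m.group("job").rsplit("\\", 1)[-1]  # keep only At1.job
            continue
        m = TARGET_RE.match(line)
        if m and current_job:
            pairs.append((current_job, m.group("target")))
            current_job = None
    return pairs


def find_suspicious_tasks(pairs, min_jobs=2):
    """Group At*.job tasks by target; return {target: [jobs]} for targets hit min_jobs+ times.

    At*.job files are what at.exe creates. A home PC normally has none, so many of them
    all pointing at one file under system32 (as in the log above) is a persistence
    pattern to investigate, whatever the file is called.
    """
    by_target = defaultdict(list)
    for job, target in pairs:
        if re.fullmatch(r"At\d+\.job", job, re.IGNORECASE):
            by_target[target].append(job)
    return {t: jobs for t, jobs in by_target.items() if len(jobs) >= min_jobs}


def parse_aswmbr_findings(log_text):
    """Return [(path, verdict, detection)] for every INFECTED / SUSPICIOUS aswMBR line."""
    findings = []
    for raw in log_text.splitlines():
        m = ASWMBR_RE.match(raw.strip())
        if m:
            findings.append((m.group("path"), m.group("verdict"), m.group("detection") or ""))
    return findings


if __name__ == "__main__":
    for target, jobs in find_suspicious_tasks(parse_scheduled_tasks(SAMPLE_COMBOFIX)).items():
        print(f"{len(jobs)} At jobs run {target}: {', '.join(jobs)}")
    for path, verdict, detection in parse_aswmbr_findings(SAMPLE_ASWMBR):
        print(f"{verdict}: {path} {detection}".rstrip())
```

Run against the full logs above, the first loop reports all 24 `At*.job` entries behind one target and the second reports both `smb.sys` lines; `parse_scheduled_tasks` stops at the `------- Supplementary Scan -------` separator so the `- - End Of File` line is never mistaken for a task target.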
  4. Broni

    Broni Malware Annihilator Posts: 46,179   +251


    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    64-bit users go HERE
    • Double-click SystemLook.exe to run it.
    • Vista\Win 7 users: Right click on SystemLook.exe, click Run As Administrator
    • Copy the content of the following box and paste it into the main textfield:
      Code:
      :filefind
      smb.sys
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt

    =======================================================

    1. Please open Notepad (Start>All Programs>Accessories>Notepad).

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\system32\j10emyMr.com
    
    At::
    
    ClearJavaCache::
    

    3. Save the above as CFScript.txt

    4. Close/disable all antivirus and anti-malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
  5. Piecake

    Piecake TechSpot Member Topic Starter Posts: 54

    Hello, I apologize for the delays. I have been with family for the holidays and without an internet connection most of the time.

    The requested information will be posted tomorrow morning! Thanks for your patience.
  6. Broni

    Broni Malware Annihilator Posts: 46,179   +251

    No problem.
    I hope you had a good time :)