needhelp22
Posts: 12 +0
I am being redirected using google with Internet explorer. I can sometimes get to the link using the open in new tab option. Also I get pop-ups usually only once or twice (most of the time its a registry cleaner one) until I restart the computer and I get them again.
I completed the 8 steps the best I could and here are the 3 logs and then I attached the last one.
Any help is greatly appreciated.
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4374
Windows 6.1.7600
Internet Explorer 8.0.7600.16385
7/31/2010 11:54:01 AM
mbam-log-2010-07-31 (11-54-01).txt
Scan type: Quick scan
Objects scanned: 132051
Time elapsed: 6 minute(s), 3 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-31 12:49:08
Windows 6.1.7600
Running: msl9oqr2.exe; Driver: C:\Users\Mark\AppData\Local\Temp\kxldypoc.sys
---- System - GMER 1.0.15 ----
INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 81E20AF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 81E20104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 81E203F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 81E092D8
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 81E08898
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 81E201DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 81E20958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 81E206F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 81E20F2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 81E211A8
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 81E80599 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 81EA4F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
---- User code sections - GMER 1.0.15 ----
.text C:\Windows\system32\svchost.exe[772] ntdll.dll!NtProtectVirtualMemory 77C85380 5 Bytes JMP 0015000A
.text C:\Windows\system32\svchost.exe[772] ntdll.dll!NtWriteVirtualMemory 77C85F00 5 Bytes JMP 0016000A
.text C:\Windows\system32\svchost.exe[772] ntdll.dll!KiUserExceptionDispatcher 77C86448 5 Bytes JMP 000C000A
.text C:\Windows\system32\svchost.exe[772] ole32.dll!CoCreateInstance 775957FC 5 Bytes JMP 0048000A
.text C:\Windows\Explorer.EXE[1268] ntdll.dll!NtProtectVirtualMemory 77C85380 5 Bytes JMP 0041000A
.text C:\Windows\Explorer.EXE[1268] ntdll.dll!NtWriteVirtualMemory 77C85F00 5 Bytes JMP 0042000A
.text C:\Windows\Explorer.EXE[1268] ntdll.dll!KiUserExceptionDispatcher 77C86448 5 Bytes JMP 0040000A
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
Device \Driver\ACPI_HAL \Device\00000058 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
Device -> \Driver\atapi \Device\Harddisk0\DR0 848A0EC5
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00271358dba4
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00271358dba4 (not active ControlSet)
---- Files - GMER 1.0.15 ----
File C:\Windows\system32\drivers\atapi.sys suspicious modification
---- EOF - GMER 1.0.15 ----
DDS (Ver_10-03-17.01) - NTFSx86
Run by Mark at 12:55:13.10 on Sat 07/31/2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.1789.899 [GMT -5:00]
============== Running Processes ===============
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\Hpservice.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\Mark\Desktop\dds.scr
C:\Windows\system32\conhost.exe
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.com/ig
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
Hosts: 127.0.0.1 www.spywareinfo.com
============= SERVICES / DRIVERS ===============
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-8-18 176128]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-7-31 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-7-31 267432]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-7-31 60936]
R2 hpsrv;HP Service;c:\windows\system32\hpservice.exe [2010-2-26 26168]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2010-4-23 1831024]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-7-2 102448]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2009-9-28 315392]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-5 136176]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2010-2-17 54632]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-4-6 1343400]
=============== Created Last 30 ================
2010-07-31 16:45:47 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-31 16:45:44 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-31 16:45:43 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-31 15:47:34 0 d-----w- c:\users\mark\appdata\roaming\Avira
2010-07-31 15:43:18 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-07-31 15:43:17 0 d-----w- c:\programdata\Avira
2010-07-31 15:43:17 0 d-----w- c:\program files\Avira
2010-07-27 01:15:51 0 d-----w- c:\program files\AVG
2010-07-19 13:40:00 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
2010-07-15 13:18:47 65536 --sha-w- c:\users\mark\ntuser.dat{abc40c12-9011-11df-9323-00271358dba4}.TM.blf
2010-07-15 13:18:47 524288 --sha-w- c:\users\mark\ntuser.dat{abc40c12-9011-11df-9323-00271358dba4}.TMContainer00000000000000000002.regtrans-ms
2010-07-15 13:18:47 524288 --sha-w- c:\users\mark\ntuser.dat{abc40c12-9011-11df-9323-00271358dba4}.TMContainer00000000000000000001.regtrans-ms
2010-07-15 11:32:38 65536 --sha-w- c:\users\mark\ntuser.dat{c63ebb33-8ffa-11df-aa4b-00271358dba4}.TM.blf
2010-07-15 11:32:38 524288 --sha-w- c:\users\mark\ntuser.dat{c63ebb33-8ffa-11df-aa4b-00271358dba4}.TMContainer00000000000000000002.regtrans-ms
2010-07-15 11:32:38 524288 --sha-w- c:\users\mark\ntuser.dat{c63ebb33-8ffa-11df-aa4b-00271358dba4}.TMContainer00000000000000000001.regtrans-ms
2010-07-15 01:08:34 65536 --sha-w- c:\users\mark\ntuser.dat{74356449-8f38-11df-93f3-00271358dba4}.TM.blf
2010-07-15 01:08:34 524288 --sha-w- c:\users\mark\ntuser.dat{74356449-8f38-11df-93f3-00271358dba4}.TMContainer00000000000000000002.regtrans-ms
2010-07-15 01:08:34 524288 --sha-w- c:\users\mark\ntuser.dat{74356449-8f38-11df-93f3-00271358dba4}.TMContainer00000000000000000001.regtrans-ms
2010-07-13 20:03:52 0 d-----w- c:\users\mark\appdata\roaming\C2432940CB55FA746B182EC9F6F57398
2010-07-11 11:22:06 26624 ----a-w- c:\users\mark\Babygame.doc
2010-07-02 14:25:50 161920 ----a-w- c:\windows\system32\drivers\wpshelper.sys
2010-07-02 14:24:43 97096 ----a-w- c:\windows\system32\drivers\SysPlant.sys
2010-07-02 14:24:21 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-07-02 14:24:21 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-07-02 14:24:21 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-07-02 14:24:01 503808 ----a-w- c:\windows\system32\MSVCP71.DLL
2010-07-02 14:24:01 348160 ----a-w- c:\windows\system32\MSVCR71.DLL
2010-07-02 14:24:01 1060864 ----a-w- c:\windows\system32\MFC71.DLL
2010-07-02 14:23:51 0 d-----w- c:\programdata\Symantec
2010-07-02 14:23:51 0 d-----w- c:\program files\Symantec
2010-07-02 14:23:51 0 d-----w- c:\program files\common files\Symantec Shared
2010-07-02 13:50:59 0 d-----w- c:\programdata\Spybot - Search & Destroy
2010-07-02 13:50:59 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-07-02 13:49:35 0 d-----w- c:\users\mark\appdata\roaming\Malwarebytes
2010-07-02 13:49:27 0 d-----w- c:\programdata\Malwarebytes
==================== Find3M ====================
2010-05-27 07:24:13 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-27 03:49:37 293888 ----a-w- c:\windows\system32\atmfd.dll
2010-05-21 19:14:28 221568 ----a-w- c:\windows\system32\MpSigStub.exe
2010-05-21 05:18:06 977920 ----a-w- c:\windows\system32\wininet.dll
2010-05-09 09:14:55 641536 ----a-w- c:\windows\system32\CPFilters.dll
2010-05-09 09:14:50 417792 ----a-w- c:\windows\system32\msdri.dll
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
============= FINISH: 12:56:36.94 ===============
I completed the 8 steps the best I could and here are the 3 logs and then I attached the last one.
Any help is greatly appreciated.
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4374
Windows 6.1.7600
Internet Explorer 8.0.7600.16385
7/31/2010 11:54:01 AM
mbam-log-2010-07-31 (11-54-01).txt
Scan type: Quick scan
Objects scanned: 132051
Time elapsed: 6 minute(s), 3 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-31 12:49:08
Windows 6.1.7600
Running: msl9oqr2.exe; Driver: C:\Users\Mark\AppData\Local\Temp\kxldypoc.sys
---- System - GMER 1.0.15 ----
INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 81E20AF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 81E20104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 81E203F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 81E092D8
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 81E08898
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 81E201DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 81E20958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 81E206F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 81E20F2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 81E211A8
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 81E80599 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 81EA4F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
---- User code sections - GMER 1.0.15 ----
.text C:\Windows\system32\svchost.exe[772] ntdll.dll!NtProtectVirtualMemory 77C85380 5 Bytes JMP 0015000A
.text C:\Windows\system32\svchost.exe[772] ntdll.dll!NtWriteVirtualMemory 77C85F00 5 Bytes JMP 0016000A
.text C:\Windows\system32\svchost.exe[772] ntdll.dll!KiUserExceptionDispatcher 77C86448 5 Bytes JMP 000C000A
.text C:\Windows\system32\svchost.exe[772] ole32.dll!CoCreateInstance 775957FC 5 Bytes JMP 0048000A
.text C:\Windows\Explorer.EXE[1268] ntdll.dll!NtProtectVirtualMemory 77C85380 5 Bytes JMP 0041000A
.text C:\Windows\Explorer.EXE[1268] ntdll.dll!NtWriteVirtualMemory 77C85F00 5 Bytes JMP 0042000A
.text C:\Windows\Explorer.EXE[1268] ntdll.dll!KiUserExceptionDispatcher 77C86448 5 Bytes JMP 0040000A
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
Device \Driver\ACPI_HAL \Device\00000058 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
Device -> \Driver\atapi \Device\Harddisk0\DR0 848A0EC5
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00271358dba4
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00271358dba4 (not active ControlSet)
---- Files - GMER 1.0.15 ----
File C:\Windows\system32\drivers\atapi.sys suspicious modification
---- EOF - GMER 1.0.15 ----
DDS (Ver_10-03-17.01) - NTFSx86
Run by Mark at 12:55:13.10 on Sat 07/31/2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.1789.899 [GMT -5:00]
============== Running Processes ===============
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\Hpservice.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\Mark\Desktop\dds.scr
C:\Windows\system32\conhost.exe
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.com/ig
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
Hosts: 127.0.0.1 www.spywareinfo.com
============= SERVICES / DRIVERS ===============
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-8-18 176128]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-7-31 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-7-31 267432]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-7-31 60936]
R2 hpsrv;HP Service;c:\windows\system32\hpservice.exe [2010-2-26 26168]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2010-4-23 1831024]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-7-2 102448]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2009-9-28 315392]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-5 136176]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2010-2-17 54632]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-4-6 1343400]
=============== Created Last 30 ================
2010-07-31 16:45:47 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-31 16:45:44 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-31 16:45:43 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-31 15:47:34 0 d-----w- c:\users\mark\appdata\roaming\Avira
2010-07-31 15:43:18 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-07-31 15:43:17 0 d-----w- c:\programdata\Avira
2010-07-31 15:43:17 0 d-----w- c:\program files\Avira
2010-07-27 01:15:51 0 d-----w- c:\program files\AVG
2010-07-19 13:40:00 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
2010-07-15 13:18:47 65536 --sha-w- c:\users\mark\ntuser.dat{abc40c12-9011-11df-9323-00271358dba4}.TM.blf
2010-07-15 13:18:47 524288 --sha-w- c:\users\mark\ntuser.dat{abc40c12-9011-11df-9323-00271358dba4}.TMContainer00000000000000000002.regtrans-ms
2010-07-15 13:18:47 524288 --sha-w- c:\users\mark\ntuser.dat{abc40c12-9011-11df-9323-00271358dba4}.TMContainer00000000000000000001.regtrans-ms
2010-07-15 11:32:38 65536 --sha-w- c:\users\mark\ntuser.dat{c63ebb33-8ffa-11df-aa4b-00271358dba4}.TM.blf
2010-07-15 11:32:38 524288 --sha-w- c:\users\mark\ntuser.dat{c63ebb33-8ffa-11df-aa4b-00271358dba4}.TMContainer00000000000000000002.regtrans-ms
2010-07-15 11:32:38 524288 --sha-w- c:\users\mark\ntuser.dat{c63ebb33-8ffa-11df-aa4b-00271358dba4}.TMContainer00000000000000000001.regtrans-ms
2010-07-15 01:08:34 65536 --sha-w- c:\users\mark\ntuser.dat{74356449-8f38-11df-93f3-00271358dba4}.TM.blf
2010-07-15 01:08:34 524288 --sha-w- c:\users\mark\ntuser.dat{74356449-8f38-11df-93f3-00271358dba4}.TMContainer00000000000000000002.regtrans-ms
2010-07-15 01:08:34 524288 --sha-w- c:\users\mark\ntuser.dat{74356449-8f38-11df-93f3-00271358dba4}.TMContainer00000000000000000001.regtrans-ms
2010-07-13 20:03:52 0 d-----w- c:\users\mark\appdata\roaming\C2432940CB55FA746B182EC9F6F57398
2010-07-11 11:22:06 26624 ----a-w- c:\users\mark\Babygame.doc
2010-07-02 14:25:50 161920 ----a-w- c:\windows\system32\drivers\wpshelper.sys
2010-07-02 14:24:43 97096 ----a-w- c:\windows\system32\drivers\SysPlant.sys
2010-07-02 14:24:21 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-07-02 14:24:21 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-07-02 14:24:21 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-07-02 14:24:01 503808 ----a-w- c:\windows\system32\MSVCP71.DLL
2010-07-02 14:24:01 348160 ----a-w- c:\windows\system32\MSVCR71.DLL
2010-07-02 14:24:01 1060864 ----a-w- c:\windows\system32\MFC71.DLL
2010-07-02 14:23:51 0 d-----w- c:\programdata\Symantec
2010-07-02 14:23:51 0 d-----w- c:\program files\Symantec
2010-07-02 14:23:51 0 d-----w- c:\program files\common files\Symantec Shared
2010-07-02 13:50:59 0 d-----w- c:\programdata\Spybot - Search & Destroy
2010-07-02 13:50:59 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-07-02 13:49:35 0 d-----w- c:\users\mark\appdata\roaming\Malwarebytes
2010-07-02 13:49:27 0 d-----w- c:\programdata\Malwarebytes
==================== Find3M ====================
2010-05-27 07:24:13 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-27 03:49:37 293888 ----a-w- c:\windows\system32\atmfd.dll
2010-05-21 19:14:28 221568 ----a-w- c:\windows\system32\MpSigStub.exe
2010-05-21 05:18:06 977920 ----a-w- c:\windows\system32\wininet.dll
2010-05-09 09:14:55 641536 ----a-w- c:\windows\system32\CPFilters.dll
2010-05-09 09:14:50 417792 ----a-w- c:\windows\system32\msdri.dll
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
============= FINISH: 12:56:36.94 ===============