DNS Hijacking: Attempted and Failed

By groweedallday
Oct 5, 2010
  1. I am having the exact same problem as this user posted on 7-14-2010. Basically, every time I go to something awful dot com, the URL at the bottom of the screen flashes to google-analytics.com, at which point that tab will hang. It is rare for other sites to do this; however, it has happened where I try to access a site and get the 404 - Not found.

    I am running win7 32bit
    I prefer firefox but it also happens in IE.
    I have run numerous Trojan removers, but some malicious code is always getting loaded in. No matter how many tools I use or problems that are found I can never get to my favorite site.

    here is the other "closed thread" http://www.techspot.com/vb/topic149973.html

    I also have the issue where I am required to load explorer.exe in Task Manager to start Windows. Should I fix this problem first and then move on to my malicious code injection?

    8-step attached - I appreciate any help and thank you all for your time~


  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Could you clarify this 'exact same problem' please. Right now you refer to DNS hijack, google analytics and redirects. Unfortunately, I don't see a log for Malwarebytes which would help me sort it out.

    I don't see your homepage set as the same on the other 'Google analytics' thread. And I don't see the DNS hijack.

    Please clarify this:
    You do have evidence of a rootkit, so please run the following:

    Please download ComboFix from Here and save to your Desktop.

    [1]. Do NOT rename Combofix unless instructed.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Close any open browsers.
    [4]. Double click combofix.exe & follow the prompts to run.
    NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
    [5]. If Combofix asks you to install Recovery Console, please allow it.
    [6]. If Combofix asks you to update the program, always allow.
    Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    [7]. A report will be generated after the scan. Please paste the C:\ComboFix.txt in next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs when you're done with Combofix.

    Paste the Combofix log in next reply. Okay to use more than one post if needed. Include the Mbam log also.
  3. groweedallday

    groweedallday Newcomer, in training Topic Starter Posts: 22

    ComboFix will not run no matter what I do. I have installed, uninstalled, restarted, installed, turned off all programs... even the screen saver.

    I am unable to get Malwarebytes to run as well, thus no report.

    Answer to your question:
    I need to use the Task Manager to start my OS (explorer.exe).
    When Windows boots it will start and I see my user profile for a quick sec, then everything goes blank and all I can see is my pointer. Then Alt + Ctrl + Del and click Task Manager, then click Run, type explorer, hit Enter, and everything starts to load as normal: personal settings, startup programs and the like!
  4. groweedallday

    groweedallday Newcomer, in training Topic Starter Posts: 22

    Last night I was a busy little boy.
    I got ComboFix to work by hitting (F2), added a dot exe, then ran as admin. Next I got Malwarebytes to work; the report is now included. ComboFix solved the problem I was having when booting into Windows; it runs great.
    Life would be Trojan free if the rootkit was gone for good. Thanks for all the time and help you put forth, while still continuing to prevent malware from thriving on so many hard drives. Please let me know if you see something else odd in my reports.

    combofix.txt: from last night / early morning
    mbam-log 2010-10-06: last night/ early morning
    MBAM-log 10-6-10: 10am this morning

    *edit* Sorry, I must not have skipped over your last sentence that clearly instructed me to post my combofix instead of attaching the file. Coming right up are the posted results from combofix and my last Malwarebytes.


  5. groweedallday

    groweedallday Newcomer, in training Topic Starter Posts: 22

    ComboFix 10-10-05.01 - Nate 10/06/2010 0:44.1.2 - x86
    Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2047.1242 [GMT -5:00]
    Running from: c:\users\Nate\Desktop\ComboFix.exe.exe
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\users\Nate\AppData\Roaming\cglogs.dat
    c:\users\Nate\AppData\Roaming\data.dat
    c:\users\Nate\AppData\Roaming\explorer.exe
    c:\users\Nate\AppData\Roaming\install\server.exe
    c:\users\Nate\AppData\Roaming\SQLite3.dll
    c:\users\Nate\AppData\Roaming\WindowsExplorer.log
    c:\users\Nate\oashdihasidhasuidhiasdhiashdiuasdhasd
    c:\windows\pthreadGC2.dll
    c:\windows\run_setup.exe
    c:\windows\system32\NSREG.DLL
    .
    ((((((((((((((((((((((((( Files Created from 2010-09-06 to 2010-10-06 )))))))))))))))))))))))))))))))
    .
    2010-10-06 05:55 . 2010-10-06 05:55 -------- d-----w- c:\users\Nate\AppData\Local\temp
    2010-10-06 05:55 . 2010-10-06 05:55 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-10-06 04:49 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-10-06 04:49 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-10-04 21:48 . 2010-06-19 06:15 2048 ----a-w- c:\windows\system32\tzres.dll
    2010-10-04 18:58 . 2006-06-19 18:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
    2010-10-04 18:58 . 2006-05-25 20:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
    2010-10-04 18:58 . 2005-08-26 06:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
    2010-10-04 18:58 . 2002-03-06 06:00 75264 ----a-w- c:\windows\system32\unacev2.dll
    2010-10-04 18:58 . 2010-10-04 18:58 -------- d-----w- c:\program files\Trojan Remover
    2010-10-04 18:58 . 2010-10-04 18:58 -------- d-----w- c:\users\Nate\AppData\Roaming\Simply Super Software
    2010-10-04 18:58 . 2010-10-04 18:58 -------- d-----w- c:\programdata\Simply Super Software
    2010-10-04 18:58 . 2003-02-03 01:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
    2010-10-04 00:44 . 2010-10-04 00:46 -------- d-----w- c:\program files\SpywareBlaster
    2010-10-03 18:39 . 2010-10-06 05:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-10-03 06:25 . 2010-10-03 20:07 -------- dc----w- c:\programdata\{ECC164E0-3133-4C70-A831-F08DB2940F70}
    2010-10-03 06:24 . 2010-10-03 06:24 -------- d-----w- c:\program files\Lavasoft
    2010-10-01 20:13 . 2010-10-03 20:07 -------- d-----w- c:\program files\PDF Creator
    2010-09-27 18:00 . 2010-10-05 15:08 -------- d-----w- C:\N8
    2010-09-24 00:54 . 2010-09-24 00:54 -------- d-----w- c:\program files\AirPort
    2010-09-24 00:49 . 2010-09-24 00:49 -------- d-----w- c:\windows\Downloaded Installations
    2010-09-21 19:35 . 2010-09-21 19:35 -------- d-----w- c:\program files\Drug Wars
    2010-09-15 23:04 . 2010-09-15 23:05 -------- d-----w- c:\program files\QuickTime
    2010-09-15 08:06 . 2010-09-15 08:06 -------- d-----w- c:\windows\PCHEALTH
    2010-09-15 06:55 . 2010-08-21 05:32 316928 ----a-w- c:\windows\system32\spoolsv.exe
    2010-09-14 02:17 . 2009-05-18 18:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
    2010-09-14 02:17 . 2008-04-17 17:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
    2010-09-14 02:15 . 2010-09-14 02:15 -------- d-----w- c:\program files\iPod
    2010-09-14 02:15 . 2010-09-14 02:17 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    2010-09-14 02:15 . 2010-09-14 02:17 -------- d-----w- c:\program files\iTunes
    2010-09-14 02:14 . 2010-09-14 02:14 -------- d-----w- c:\program files\Apple Software Update
    2010-09-14 02:07 . 2010-09-14 02:07 -------- d-----w- c:\program files\Bonjour
    2010-09-13 23:00 . 2010-09-14 01:44 -------- d-----w- c:\users\Nate\.bh_gui
    2010-09-13 12:20 . 2010-07-25 02:24 344064 ----a-w- c:\users\Nate\AppData\Roaming\Mozilla\Firefox\Profiles\so4xtik1.default\extensions\ietab@ip.cn\plugins\npCoralIETab.dll
    2010-09-09 15:32 . 2010-09-09 15:32 -------- d-----w- c:\programdata\SRI
    2010-09-09 15:27 . 2010-09-09 15:28 -------- d-----w- c:\program files\WinPcap
    2010-09-09 14:34 . 2010-09-14 02:15 -------- d-----w- c:\program files\Common Files\Apple
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-10-06 05:54 . 2010-07-23 13:22 -------- d-----w- c:\users\Nate\AppData\Roaming\install
    2010-10-06 05:36 . 2010-07-09 18:50 -------- d-----w- c:\program files\LogMeIn
    2010-10-06 04:52 . 2010-01-21 12:20 -------- d-----w- c:\users\Nate\AppData\Roaming\Tor
    2010-10-06 04:41 . 2010-01-21 12:20 -------- d-----w- c:\users\Nate\AppData\Roaming\Vidalia
    2010-10-03 20:07 . 2009-07-14 02:37 -------- d-----w- c:\program files\Windows Mail
    2010-10-03 20:07 . 2010-03-03 05:45 -------- d-----w- c:\users\Nate\AppData\Roaming\Winamp
    2010-10-03 20:07 . 2010-02-02 03:20 -------- d-----w- c:\users\Nate\AppData\Roaming\uTorrent
    2010-10-03 06:24 . 2010-01-22 02:10 -------- d-----w- c:\programdata\Lavasoft
    2010-09-29 00:46 . 2009-10-30 13:16 -------- d-----w- c:\users\Nate\AppData\Roaming\.purple
    2010-09-28 18:50 . 2009-10-27 15:28 -------- d-----w- c:\users\Nate\AppData\Roaming\gtk-2.0
    2010-09-28 16:20 . 2009-10-03 15:29 -------- d-----w- c:\users\Nate\AppData\Roaming\GrabIt
    2010-09-28 14:36 . 2009-09-24 23:27 -------- d-----w- c:\programdata\Microsoft Help
    2010-09-24 00:58 . 2010-03-27 23:54 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-09-24 00:49 . 2010-08-25 22:48 -------- d-----w- c:\program files\Common Files\InstallShield
    2010-09-23 19:26 . 2009-10-01 04:30 -------- d-----w- c:\program files\Mozilla Thunderbird
    2010-09-18 23:19 . 2009-11-06 06:44 -------- d-----w- c:\program files\Winamp
    2010-09-17 12:46 . 2010-03-24 01:57 -------- d-----w- c:\users\Nate\AppData\Roaming\vlc
    2010-09-16 23:23 . 2009-09-24 23:29 -------- d-----w- c:\program files\Microsoft.NET
    2010-09-15 03:27 . 2009-10-04 20:37 -------- d-----w- c:\users\Nate\AppData\Roaming\Apple Computer
    2010-09-09 14:32 . 2009-10-04 20:36 -------- d-----w- c:\programdata\Apple Computer
    2010-09-01 14:12 . 2010-09-01 14:12 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 10.0.0.68\SetupAdmin.exe
    2010-08-26 12:55 . 2010-08-26 12:55 -------- d-----w- c:\users\Nate\AppData\Roaming\GeoVid
    2010-08-25 22:43 . 2010-08-25 22:43 -------- d-----w- c:\program files\Common Files\PctelEapPeer Authentication
    2010-08-25 22:42 . 2010-08-25 22:42 -------- d-----w- c:\program files\Common Files\Research in Motion
    2010-08-25 22:42 . 2010-08-25 22:42 -------- d-----w- c:\programdata\AT&T
    2010-08-25 22:42 . 2010-08-25 22:42 -------- d-----w- c:\program files\AT&T
    2010-08-25 22:40 . 2010-08-25 22:40 -------- d-----w- c:\program files\Common Files\Motorola Shared
    2010-08-25 22:39 . 2010-08-25 22:39 -------- d-----w- c:\program files\Option
    2010-08-25 22:38 . 2010-08-25 22:45 26504 ----a-w- c:\windows\system32\drivers\swmsflt.sys
    2010-08-25 22:38 . 2010-08-25 22:38 -------- d-----w- c:\users\Nate\AppData\Roaming\Sierra Wireless
    2010-08-25 22:38 . 2010-08-25 22:38 -------- d-----w- c:\program files\Sierra Wireless Inc
    2010-08-24 11:35 . 2010-06-27 02:58 -------- d-----w- c:\users\Nate\AppData\Roaming\DVD Flick
    2010-08-11 02:14 . 2010-08-11 02:14 -------- d-----w- c:\programdata\GeoVid
    2010-08-11 02:14 . 2010-08-11 02:14 -------- d-----w- c:\program files\Common Files\GeoVid
    2010-08-11 02:14 . 2010-08-11 02:14 -------- d-----w- c:\program files\GeoVid
    2010-08-10 22:55 . 2010-08-10 22:55 -------- d-----w- c:\program files\Wondershare
    2010-08-10 22:20 . 2010-08-10 22:20 -------- d-----w- c:\users\Nate\AppData\Roaming\U3
    2010-08-10 21:56 . 2010-08-10 21:56 -------- d-----w- c:\program files\MagicISO
    2010-08-10 17:03 . 2010-08-10 17:03 -------- d-----w- c:\program files\Microsoft
    2010-08-08 04:27 . 2009-09-21 11:24 -------- d-----w- c:\users\Nate\AppData\Roaming\Media Player Classic
    2010-08-07 16:41 . 2009-09-20 17:00 -------- d-----w- c:\program files\Songbird
    2010-07-29 06:30 . 2010-08-12 22:21 197632 ----a-w- c:\windows\system32\ir32_32.dll
    2010-07-29 06:30 . 2010-08-12 22:21 82944 ----a-w- c:\windows\system32\iccvid.dll
    2010-07-27 23:44 . 2010-07-27 23:44 91424 ----a-w- c:\windows\system32\dnssd.dll
    2010-07-27 23:44 . 2010-07-27 23:44 197920 ----a-w- c:\windows\system32\dnssdX.dll
    2010-07-27 23:44 . 2010-07-27 23:44 107808 ----a-w- c:\windows\system32\dns-sd.exe
    2010-07-24 05:01 . 2010-07-24 05:01 890900 ----a-w- c:\users\Nate\AppData\Roaming\OpenCandy\OpenCandy_18C31CC45A9647C6A420D5B4E5AE8A78\p1v2USWoW_Installer.exe
    2010-07-23 17:10 . 2005-04-08 02:16 8148 ---ha-w- c:\users\Nate\AppData\Roaming\Natelog.dat
    2010-07-22 19:23 . 2010-07-22 19:23 160928 ----a-w- c:\users\Nate\AppData\Roaming\OpenCandy\OpenCandy_18C31CC45A9647C6A420D5B4E5AE8A78\World of WarCraft Trial.exe
    2010-07-14 08:00 . 2010-07-26 20:40 108032 ----a-w- c:\windows\system32\ff_vfw.dll
    2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    2010-05-26 20:23 1385864 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-05-26 1385864]

    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-05-26 1385864]

    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Vidalia"="c:\program files\Vidalia Bundle\Vidalia\vidalia.exe" [2009-11-20 5262834]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1045800]
    "avast!"="c:\program files\Alwil Software\Avast4\ashDisp.exe" [2009-09-15 81000]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]
    "TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2010-08-02 1167808]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 0 (0x0)
    "EnableLUA"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^BumpTop.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\BumpTop.lnk
    backup=c:\windows\pss\BumpTop.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^SABnzbd.lnk]
    backup=c:\windows\pss\SABnzbd.lnk.CommonStartup
    backupExtension=.CommonStartup
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\SABnzbd.lnk

    [HKLM\~\startupfolder\C:^Users^Nate^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
    backup=c:\windows\pss\OpenOffice.org 3.1.lnk.Startup
    backupExtension=.Startup
    path=c:\users\Nate\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
    2010-09-08 22:31 47904 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AT&T Communication Manager]
    2008-06-10 03:27 33280 ----a-w- c:\program files\AT&T\Communication Manager\ATTCM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoStartNPSAgent]
    2010-07-05 00:13 95576 ----a-w- c:\program files\Samsung\Samsung New PC Studio\NPSAgent.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
    2009-04-23 13:51 691656 ----a-w- c:\program files\DAEMON Tools Lite\daemon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    2008-10-25 16:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2007-05-08 21:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2010-09-01 13:32 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
    2010-01-27 17:22 63048 ----a-w- c:\program files\LogMeIn\x86\LogMeInSystray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-09-08 16:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
    2009-09-02 20:27 25623336 ----a-r- c:\program files\Skype\Phone\Skype.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
    2007-02-22 00:14 1183744 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
    2010-06-08 23:05 322352 ----a-w- c:\program files\uTorrent\uTorrent.exe

    R0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-09-24 721904]
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [2008-05-23 106496]
    R3 CAATT;AT&T Con App Svc;c:\program files\AT&T\Communication Manager\ConAppsSvc.exe [2008-05-23 118784]
    R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 34064]
    R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
    R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
    R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
    R3 ssecbus;Samsung Mobile Modem Device driver (WDM);c:\windows\system32\DRIVERS\ssecbus.sys [2010-04-27 86528]
    R3 ssecmdfl;Samsung Mobile Modem Device 2 Filter;c:\windows\system32\DRIVERS\ssecmdfl.sys [2010-04-27 14976]
    R3 ssecmdm;Samsung Mobile Modem Device 2 Driver;c:\windows\system32\DRIVERS\ssecmdm.sys [2010-04-27 114304]
    R3 SWNC8U80;Sierra Wireless MUX NDIS Driver (UMTS80);c:\windows\system32\DRIVERS\swnc8u80.sys [2008-01-10 165248]
    R3 SWUMX80;Sierra Wireless USB MUX Driver (UMTS80);c:\windows\system32\DRIVERS\swumx80.sys [2008-01-10 142976]
    R3 vpcuxd;USB Virtualization Stub Service;c:\windows\system32\DRIVERS\vpcuxd.sys [2009-09-23 12800]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-05-25 1343400]
    S1 aswSP;avast! Self Protection; [x]
    S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-09-15 20560]
    S2 aswMonFlt;aswMonFlt;c:\windows\system32\DRIVERS\aswMonFlt.sys [2009-09-15 53328]
    S2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2010-07-05 238952]
    S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [2010-01-27 12856]
    S3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\Drivers\ATSwpWDF.sys [2009-04-10 520704]
    S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.SYS [2010-06-14 36608]
    S3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-10-03 6000640]
    S3 RICOH SmartCard Reader;RICOH SmartCard Reader;c:\windows\system32\DRIVERS\rismc32.sys [2006-10-03 47488]
    S3 SMSCIRDA;SMSC Infrared Device Driver;c:\windows\system32\DRIVERS\SMSCirda.sys [2007-04-25 31232]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - FSUSBEXDISK

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    iissvcs REG_MULTI_SZ w3svc was
    apphost REG_MULTI_SZ apphostsvc
    HPService REG_MULTI_SZ HPSLPSVC
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    (Next Post)
  6. groweedallday

    groweedallday Newcomer, in training Topic Starter Posts: 22

    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    Trusted Zone: hilton.com\rms
    Trusted Zone: marriott.com\extranet
    FF - ProfilePath - c:\users\Nate\AppData\Roaming\Mozilla\Firefox\Profiles\so4xtik1.default\
    FF - prefs.js: browser.search.selectedEngine - eBay
    FF - prefs.js: browser.startup.homepage - www.google.com
    FF - prefs.js: keyword.URL -
    FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBook.dll
    FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBookDB.dll
    FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpNeoLogger.dll
    FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSaturn.dll
    FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSeymour.dll
    FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartSelect.dll
    FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartWebPrinting.dll
    FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSWPOperation.dll
    FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPLogging.dll
    FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTC.dll
    FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTL.dll
    FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXREStub.dll
    FF - plugin: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\plugins\nphpclipbook.dll
    FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\np32asw.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll
    FF - plugin: c:\users\Nate\AppData\Roaming\Mozilla\Firefox\Profiles\so4xtik1.default\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}\plugins\npGarmin.dll
    FF - plugin: c:\users\Nate\AppData\Roaming\Mozilla\Firefox\Profiles\so4xtik1.default\extensions\ietab@ip.cn\plugins\npCoralIETab.dll
    FF - plugin: c:\users\Nate\AppData\Roaming\Mozilla\Firefox\Profiles\so4xtik1.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
    FF - plugin: c:\windows\system32\Wat\npWatWeb.dll

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-fsm - (no file)
    HKCU-Run-HKCU_icqsetup - c:\users\Nate\AppData\Roaming\install\server.exe
    HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
    HKLM-Run-NPSStartup - (no file)
    HKLM-Run-HKLM_icqsetup - c:\users\Nate\AppData\Roaming\install\server.exe
    MSConfigStartUp-black - c:\users\Nate\AppData\Roaming\server.exe
    MSConfigStartUp-FixCamera - c:\windows\FixCamera.exe
    MSConfigStartUp-Google Update - c:\users\Nate\AppData\Local\Google\Update\GoogleUpdate.exe
    MSConfigStartUp-HKCU_icqsetup - c:\users\Nate\AppData\Roaming\install\server.exe
    MSConfigStartUp-HKCU_MSSYSTEMS - c:\users\Nate\AppData\Roaming\install\server.exe
    MSConfigStartUp-HKLM_icqsetup - c:\users\Nate\AppData\Roaming\install\server.exe
    MSConfigStartUp-tsnpstd3 - c:\windows\tsnpstd3.exe
    MSConfigStartUp-Windows File Explorer - c:\users\Nate\AppData\Roaming\Explorer.EXE
    AddRemove-01_Simmental - c:\program files\Samsung\USB Drivers\01_Simmental\Uninstall.exe
    AddRemove-02_Siberian - c:\program files\Samsung\USB Drivers\02_Siberian\Uninstall.exe
    AddRemove-03_Swallowtail - c:\program files\Samsung\USB Drivers\03_Swallowtail\Uninstall.exe
    AddRemove-04_semseyite - c:\program files\Samsung\USB Drivers\04_semseyite\Uninstall.exe
    AddRemove-05_Sloan - c:\program files\Samsung\USB Drivers\05_Sloan\Uninstall.exe
    AddRemove-06_Spencer - c:\program files\Samsung\USB Drivers\06_Spencer\Uninstall.exe
    AddRemove-07_Schorl - c:\program files\Samsung\USB Drivers\07_Schorl\Uninstall.exe
    AddRemove-08_EMPChipset - c:\program files\Samsung\USB Drivers\08_EMPChipset\Uninstall.exe
    AddRemove-09_Hsp - c:\program files\Samsung\USB Drivers\09_Hsp\Uninstall.exe
    AddRemove-11_HSP_Plus_Default - c:\program files\Samsung\USB Drivers\11_HSP_Plus_Default\Uninstall.exe
    AddRemove-16_Shrewsbury - c:\program files\Samsung\USB Drivers\16_Shrewsbury\Uninstall.exe
    AddRemove-17_EMP_Chipset2 - c:\program files\Samsung\USB Drivers\17_EMP_Chipset2\Uninstall.exe
    AddRemove-18_Zinia_Serial_Driver - c:\program files\Samsung\USB Drivers\18_Zinia_Serial_Driver\Uninstall.exe
    AddRemove-19_VIA_driver - c:\program files\Samsung\USB Drivers\19_VIA_driver\Uninstall.exe
    AddRemove-20_NXP_Driver - c:\program files\Samsung\USB Drivers\20_NXP_Driver\Uninstall.exe
    AddRemove-21_Searsburg - c:\program files\Samsung\USB Drivers\21_Searsburg\Uninstall.exe
    AddRemove-22_WiBro_WiMAX - c:\program files\Samsung\USB Drivers\22_WiBro_WiMAX\Uninstall.exe
    **************************************************************************
    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    called modules: >>UNKNOWN [0x82E4B000]<< >>UNKNOWN [0x89592000]<< >>UNKNOWN [0x89581000]<< >>UNKNOWN [0x85F97EC5]<<
    kernel: MBR read successfully
    detected MBR rootkit hooks:
    IoDeviceObjectType -> DumpProcedure -> 0xd46a624f
    SecurityProcedure -> 0x84ec2418
    QueryNameProcedure -> 0x84ec25a8
    user & kernel MBR OK

    **************************************************************************
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)

    Pre-Run: 12,281,815,040 bytes free
    Post-Run: 12,234,620,928 bytes free

    - - End Of File - - 99160FF2C025AC930878C3BAB8FE8772
  7. groweedallday

    groweedallday Newcomer, in training Topic Starter Posts: 22

    Malwarebytes is showing up clean as well...

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4754

    Windows 6.1.7600
    Internet Explorer 8.0.7600.16385

    10/6/2010 10:07:11 AM
    mbam-log-2010-10-06 (10-07-11).txt

    Scan type: Quick scan
    Objects scanned: 150045
    Time elapsed: 6 minute(s), 11 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Good for you! I was busy setting up ways for you to get around the problem! I'm setting up some script for you to run through ComboFix now (it will include replacing a suspicious rootkit file.)

    Here is information about a program you have running:
    BumpTop has been acquired by Google. It is no longer being supported or updated. The free copy will no longer be available after the second week in May, 2010. You have several registry entries for this. Would you like for me to include them in the script for removal? Let me know.
    ==================================
    Please download MBR Rootkit Detector and save it on your desktop.
    • Pause/Stop all antivirus/spyware active protection.
    • Then double click on mbr.exe to run it.
    • Select Run when you receive a Security Warning
    • The process is automatic, a black DOS window will appear and disappear suddenly. This is normal.
    • A log file will then be created on your desktop where you ran mbr.exe
    • Copy and paste the contents of mbr.log on your next reply.
    ============================
    Follow with download of HijackThis Installer and save to the desktop:
    1. Double-click on HJTInstall.exe to run the program.
    2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
    3. Accept the license agreement by clicking the "I Accept" button.
    4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
    5. Click "Save log" to save the log file and then the log will open in notepad.
    6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

    Need to make sure the DNS Changer is gone.

    Edit: I notice you removed/uninstalled many programs and drivers. You might want to run TFC again, then empty the Recycle Bin.
  9. groweedallday

    groweedallday Newcomer, in training Topic Starter Posts: 22

    Hello again Bobbye,
    Here are the two reports you requested. These were run pre-TFC and I went ahead with removing BumpTop with its uninstaller. So yes please, if you would be so kind as to include the BumpTop registry removal in the ComboFix script you are creating for me. I am somewhat sure DNS Changer is removed.

    MBR
    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    kernel: MBR read successfully
    user & kernel MBR OK

    HiJackThis:
    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 11:51:57 PM, on 10/6/2010
    Platform: Windows 7 (WinNT 6.00.3504)
    MSIE: Internet Explorer v8.00 (8.00.7600.16385)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskhost.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Alwil Software\Avast4\ashDisp.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
    C:\Windows\system32\SearchFilterHost.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [avast!] "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
    O4 - HKCU\..\Run: [Vidalia] "C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe"
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
    O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - https://khmr.hilton.com/activex/ScriptX/smsx.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Andrea Electronics Corporation - C:\Windows\system32\AEADISRV.EXE
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
    O23 - Service: AT&T RcAppSvc (ATTRcAppSvc) - PCTEL - C:\Program Files\AT&T\Communication Manager\RcAppSvc.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: AT&T Con App Svc (CAATT) - PCTEL - C:\Program Files\AT&T\Communication Manager\ConAppsSvc.exe
    O23 - Service: FsUsbExService - Teruten - C:\Windows\system32\FsUsbExService.Exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

    --
    End of file - 5809 bytes
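    The HijackThis log above is read by eye in this thread; the following script is an added example (not part of the original post and not HijackThis's own code) that parses lines of that format and flags the things a helper looks for first: a BHO whose file is gone ("(no file)"), an IE start/search URL pointing somewhere other than the vendor default, an autorun entry whose image sits in a user-writable folder, and Winsock LSP lines reported twice. The `DEFAULT_URL_HOSTS` allowlist and the user-writable path pattern are assumptions an analyst would tune; the two sample lines marked "constructed" are not from the log above, the rest are copied from it.

```python
"""Triage helper for HijackThis-style log lines (added example, not HijackThis code)."""
import re
from collections import Counter
from urllib.parse import urlparse

# Sample input: lines copied from the HijackThis log in the post above, plus two
# constructed lines (marked) so that every check below has something to report.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.example.invalid/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O4 - HKCU\..\Run: [Vidalia] "C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe"
O4 - HKCU\..\Run: [Updater] "C:\Users\example\AppData\Roaming\Example\updater.exe"
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
"""
# (The second R0 line and the [Updater] O4 line are constructed placeholders.)

# Every HijackThis entry starts with a section code (R0, R1, O2, O4, ...) then " - ".
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")

# Assumption: hosts an analyst accepts for IE start/search URLs. go.microsoft.com is
# what the R0/R1 lines in the log above point at on an unmodified install.
DEFAULT_URL_HOSTS = {"go.microsoft.com", "www.google.com"}

# Assumption: autorun images under a per-user or temp folder deserve a closer look,
# because those locations are writable without elevation.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\[^\\]+)\\", re.IGNORECASE)


def parse_hjt(text):
    """Return a list of (section_code, body) tuples for every entry line."""
    entries = []
    for line in text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append((match.group("code"), match.group("body")))
    return entries


def triage(text):
    """Run the four checks and return the offending entries grouped by check."""
    findings = {
        "orphaned_bho": [],          # O2 lines whose DLL no longer exists
        "nondefault_url": [],        # R0/R1 URL values outside DEFAULT_URL_HOSTS
        "user_writable_autorun": [], # O4 images located in user-writable paths
        "duplicate_lsp": [],         # O10 lines reported more than once
    }
    entries = parse_hjt(text)
    for code, body in entries:
        if code == "O2" and body.endswith("(no file)"):
            findings["orphaned_bho"].append(body)
        elif code in ("R0", "R1"):
            # body looks like "HKLM\...\Main,Start Page = http://host/..."
            _, _, value = body.partition(" = ")
            host = urlparse(value.strip()).hostname if "://" in value else None
            if host and host not in DEFAULT_URL_HOSTS:
                findings["nondefault_url"].append(body)
        elif code == "O4":
            # body looks like 'HKCU\..\Run: [Name] "C:\path\prog.exe" /args'
            _, _, command = body.partition("] ")
            if USER_WRITABLE.search(command):
                findings["user_writable_autorun"].append(body)
    lsp_counts = Counter(body for code, body in entries if code == "O10")
    findings["duplicate_lsp"] = [body for body, n in lsp_counts.items() if n > 1]
    return findings


if __name__ == "__main__":
    for check, hits in triage(SAMPLE_LOG).items():
        print(f"{check}: {len(hits)}")
        for hit in hits:
            print("   ", hit)
```

    A flagged entry is a prompt to look closer, not a verdict: the orphaned WormRadar BHO in the log above is a leftover registration rather than active code, and the duplicated Windows Live LSP line is the same DLL listed twice, which is exactly the kind of item the helper's "Do NOT have HijackThis fix anything yet" note is warning about.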
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Please run this Custom CFScript


    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    c:\users\Nate\AppData\Roaming\OpenCandy\OpenCandy_18C31CC45A9647C6A420D5B4E5AE8A78\World of WarCraft Trial.exe
    c:\users\Nate\AppData\Roaming\OpenCandy\OpenCandy_18C31CC45A9647C6A420D5B4E5AE8A78\p1v2USWoW_Installer.exe
    
    Registry::
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"=- 
    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"=- 
    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^BumpTop.lnk]
    path=-
    backup=-
    backupExtension=-
    
    DirLook::
    C:\N8
    Driver::
    aswSP
    FCopy::
    C:\WINDOWS\ServicePackFiles\i386\atapi.sys | C:\Windows\System32\drivers\atapi.sys
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
  11. groweedallday

    groweedallday Newcomer, in training Topic Starter Posts: 22

    ComboFix 10-10-07.02 - Nate 10/08/2010 22:44:52.2.2 - x86
    Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2047.1196 [GMT -5:00]
    Running from: c:\users\Nate\Desktop\ComboFix.exe.exe
    Command switches used :: c:\users\Nate\Desktop\CFScript.txt

    FILE ::
    "c:\users\Nate\AppData\Roaming\OpenCandy\OpenCandy_18C31CC45A9647C6A420D5B4E 5AE8A78\p1v2USWoW_Installer.exe"
    "c:\users\Nate\AppData\Roaming\OpenCandy\OpenCandy_18C31CC45A9647C6A420D5B4E 5AE8A78\World of WarCraft Trial.exe"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    Infected copy of c:\windows\system32\drivers\rdprefmp.sys was found and disinfected
    Restored copy from - Kitty ate it :p
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_ASWSP
    -------\Service_aswSP


    ((((((((((((((((((((((((( Files Created from 2010-09-09 to 2010-10-09 )))))))))))))))))))))))))))))))
    .

    2010-10-09 03:54 . 2010-10-09 03:54 -------- d-----w- c:\users\Nate\AppData\Local\temp
    2010-10-09 03:41 . 2010-10-09 03:41 -------- d-----w- C:\Device
    2010-10-09 03:12 . 2010-10-09 03:13 -------- d-----w- C:\32788R22FWJFW
    2010-10-09 03:03 . 2010-10-09 03:03 -------- d-----w- c:\program files\Common Files\Adobe
    2010-10-08 20:40 . 2010-10-08 20:40 -------- d-----w- c:\program files\MSECache
    2010-10-07 11:59 . 2010-10-07 11:59 -------- d-----w- c:\windows\system32\wbem\Logs
    2010-10-07 04:49 . 2010-10-07 04:49 388096 ----a-r- c:\users\Nate\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2010-10-07 04:49 . 2010-10-07 04:49 -------- d-----w- c:\program files\Trend Micro
    2010-10-06 04:49 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-10-06 04:49 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-10-04 21:48 . 2010-06-19 06:15 2048 ----a-w- c:\windows\system32\tzres.dll
    2010-10-04 18:58 . 2006-06-19 18:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
    2010-10-04 18:58 . 2006-05-25 20:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
    2010-10-04 18:58 . 2005-08-26 06:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
    2010-10-04 18:58 . 2002-03-06 06:00 75264 ----a-w- c:\windows\system32\unacev2.dll
    2010-10-04 18:58 . 2010-10-04 18:58 -------- d-----w- c:\program files\Trojan Remover
    2010-10-04 18:58 . 2010-10-04 18:58 -------- d-----w- c:\users\Nate\AppData\Roaming\Simply Super Software
    2010-10-04 18:58 . 2010-10-04 18:58 -------- d-----w- c:\programdata\Simply Super Software
    2010-10-04 18:58 . 2003-02-03 01:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
    2010-10-04 00:44 . 2010-10-08 00:38 -------- d-----w- c:\program files\SpywareBlaster
    2010-10-03 18:39 . 2010-10-06 06:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-10-03 06:25 . 2010-10-03 20:07 -------- dc----w- c:\programdata\{ECC164E0-3133-4C70-A831-F08DB2940F70}
    2010-10-03 06:24 . 2010-10-03 06:24 -------- d-----w- c:\program files\Lavasoft
    2010-10-01 20:13 . 2010-10-03 20:07 -------- d-----w- c:\program files\PDF Creator
    2010-09-27 18:00 . 2010-10-08 21:56 -------- d-----w- C:\N8
    2010-09-24 00:54 . 2010-09-24 00:54 -------- d-----w- c:\program files\AirPort
    2010-09-24 00:49 . 2010-09-24 00:49 -------- d-----w- c:\windows\Downloaded Installations
    2010-09-21 19:35 . 2010-09-21 19:35 -------- d-----w- c:\program files\Drug Wars
    2010-09-15 23:04 . 2010-09-15 23:05 -------- d-----w- c:\program files\QuickTime
    2010-09-15 08:06 . 2010-09-15 08:06 -------- d-----w- c:\windows\PCHEALTH
    2010-09-15 06:55 . 2010-08-21 05:32 316928 ----a-w- c:\windows\system32\spoolsv.exe
    2010-09-14 02:17 . 2009-05-18 18:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
    2010-09-14 02:17 . 2008-04-17 17:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
    2010-09-14 02:15 . 2010-09-14 02:15 -------- d-----w- c:\program files\iPod
    2010-09-14 02:15 . 2010-09-14 02:17 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    2010-09-14 02:15 . 2010-09-14 02:17 -------- d-----w- c:\program files\iTunes
    2010-09-14 02:14 . 2010-09-14 02:14 -------- d-----w- c:\program files\Apple Software Update
    2010-09-14 02:07 . 2010-09-14 02:07 -------- d-----w- c:\program files\Bonjour
    2010-09-13 23:00 . 2010-09-14 01:44 -------- d-----w- c:\users\Nate\.bh_gui
    2010-09-13 12:20 . 2010-07-25 02:24 344064 ----a-w- c:\users\Nate\AppData\Roaming\Mozilla\Firefox\Profiles\so4xtik1.default\extensions\ietab@ip.cn\plugins\npCoralIETab.dll
    2010-09-09 15:32 . 2010-09-09 15:32 -------- d-----w- c:\programdata\SRI
    2010-09-09 15:27 . 2010-09-09 15:28 -------- d-----w- c:\program files\WinPcap
    2010-09-09 14:34 . 2010-09-14 02:15 -------- d-----w- c:\program files\Common Files\Apple

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-10-09 03:58 . 2010-01-21 12:20 -------- d-----w- c:\users\Nate\AppData\Roaming\Tor
    2010-10-07 22:44 . 2010-01-21 12:20 -------- d-----w- c:\users\Nate\AppData\Roaming\Vidalia
    2010-10-07 05:23 . 2010-03-24 01:57 -------- d-----w- c:\users\Nate\AppData\Roaming\vlc
    2010-10-06 05:54 . 2010-07-23 13:22 -------- d-----w- c:\users\Nate\AppData\Roaming\install
    2010-10-06 05:36 . 2010-07-09 18:50 -------- d-----w- c:\program files\LogMeIn
    2010-10-03 20:07 . 2009-07-14 02:37 -------- d-----w- c:\program files\Windows Mail
    2010-10-03 20:07 . 2010-03-03 05:45 -------- d-----w- c:\users\Nate\AppData\Roaming\Winamp
    2010-10-03 20:07 . 2010-02-02 03:20 -------- d-----w- c:\users\Nate\AppData\Roaming\uTorrent
    2010-10-03 06:24 . 2010-01-22 02:10 -------- d-----w- c:\programdata\Lavasoft
    2010-09-29 00:46 . 2009-10-30 13:16 -------- d-----w- c:\users\Nate\AppData\Roaming\.purple
    2010-09-28 18:50 . 2009-10-27 15:28 -------- d-----w- c:\users\Nate\AppData\Roaming\gtk-2.0
    2010-09-28 16:20 . 2009-10-03 15:29 -------- d-----w- c:\users\Nate\AppData\Roaming\GrabIt
    2010-09-28 14:36 . 2009-09-24 23:27 -------- d-----w- c:\programdata\Microsoft Help
    2010-09-24 00:58 . 2010-03-27 23:54 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-09-24 00:49 . 2010-08-25 22:48 -------- d-----w- c:\program files\Common Files\InstallShield
    2010-09-23 19:26 . 2009-10-01 04:30 -------- d-----w- c:\program files\Mozilla Thunderbird
    2010-09-18 23:19 . 2009-11-06 06:44 -------- d-----w- c:\program files\Winamp
    2010-09-16 23:23 . 2009-09-24 23:29 -------- d-----w- c:\program files\Microsoft.NET
    2010-09-15 03:27 . 2009-10-04 20:37 -------- d-----w- c:\users\Nate\AppData\Roaming\Apple Computer
    2010-09-09 14:32 . 2009-10-04 20:36 -------- d-----w- c:\programdata\Apple Computer
    2010-09-01 14:12 . 2010-09-01 14:12 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 10.0.0.68\SetupAdmin.exe
    2010-08-26 12:55 . 2010-08-26 12:55 -------- d-----w- c:\users\Nate\AppData\Roaming\GeoVid
    2010-08-25 22:43 . 2010-08-25 22:43 -------- d-----w- c:\program files\Common Files\PctelEapPeer Authentication
    2010-08-25 22:42 . 2010-08-25 22:42 -------- d-----w- c:\program files\Common Files\Research in Motion
    2010-08-25 22:42 . 2010-08-25 22:42 -------- d-----w- c:\programdata\AT&T
    2010-08-25 22:42 . 2010-08-25 22:42 -------- d-----w- c:\program files\AT&T
    2010-08-25 22:40 . 2010-08-25 22:40 -------- d-----w- c:\program files\Common Files\Motorola Shared
    2010-08-25 22:39 . 2010-08-25 22:39 -------- d-----w- c:\program files\Option
    2010-08-25 22:38 . 2010-08-25 22:45 26504 ----a-w- c:\windows\system32\drivers\swmsflt.sys
    2010-08-25 22:38 . 2010-08-25 22:38 -------- d-----w- c:\users\Nate\AppData\Roaming\Sierra Wireless
    2010-08-25 22:38 . 2010-08-25 22:38 -------- d-----w- c:\program files\Sierra Wireless Inc
    2010-08-24 11:35 . 2010-06-27 02:58 -------- d-----w- c:\users\Nate\AppData\Roaming\DVD Flick
    2010-08-11 02:14 . 2010-08-11 02:14 -------- d-----w- c:\programdata\GeoVid
    2010-08-11 02:14 . 2010-08-11 02:14 -------- d-----w- c:\program files\Common Files\GeoVid
    2010-08-11 02:14 . 2010-08-11 02:14 -------- d-----w- c:\program files\GeoVid
    2010-08-10 22:55 . 2010-08-10 22:55 -------- d-----w- c:\program files\Wondershare
    2010-08-10 22:20 . 2010-08-10 22:20 -------- d-----w- c:\users\Nate\AppData\Roaming\U3
    2010-08-10 21:56 . 2010-08-10 21:56 -------- d-----w- c:\program files\MagicISO
    2010-08-10 17:03 . 2010-08-10 17:03 -------- d-----w- c:\program files\Microsoft
    2010-07-29 06:30 . 2010-08-12 22:21 197632 ----a-w- c:\windows\system32\ir32_32.dll
    2010-07-29 06:30 . 2010-08-12 22:21 82944 ----a-w- c:\windows\system32\iccvid.dll
    2010-07-27 23:44 . 2010-07-27 23:44 91424 ----a-w- c:\windows\system32\dnssd.dll
    2010-07-27 23:44 . 2010-07-27 23:44 197920 ----a-w- c:\windows\system32\dnssdX.dll
    2010-07-27 23:44 . 2010-07-27 23:44 107808 ----a-w- c:\windows\system32\dns-sd.exe
    2010-07-24 05:01 . 2010-07-24 05:01 890900 ----a-w- c:\users\Nate\AppData\Roaming\OpenCandy\OpenCandy_18C31CC45A9647C6A420D5B4E5AE8A78\p1v2USWoW_Installer.exe
    2010-07-23 17:10 . 2005-04-08 02:16 8148 ---ha-w- c:\users\Nate\AppData\Roaming\Natelog.dat
    2010-07-22 19:23 . 2010-07-22 19:23 160928 ----a-w- c:\users\Nate\AppData\Roaming\OpenCandy\OpenCandy_18C31CC45A9647C6A420D5B4E5AE8A78\World of WarCraft Trial.exe
    2010-07-14 08:00 . 2010-07-26 20:40 108032 ----a-w- c:\windows\system32\ff_vfw.dll
    2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
    .

    (((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    ---- Directory of C:\N8 ----

    2010-10-08 21:56 . 2010-10-08 21:56 165 ---ha-w- c:\n8\~$finance.xlsx
    2010-10-08 16:11 . 2010-10-08 16:11 268570 ----a-w- c:\n8\Timothy-Leary-The-Psychedelic-Experience-The-Tibetan-Book-Of-The-Dead.pdf
    2010-10-04 00:49 . 2010-10-04 00:49 427799 ----a-w- c:\n8\bookmarks-2010-10-03.json
    2010-09-25 20:57 . 2010-10-07 17:23 14785 ----a-w- c:\n8\finance.xlsx


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Vidalia"="c:\program files\Vidalia Bundle\Vidalia\vidalia.exe" [2009-11-20 5262834]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1045800]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]
    "TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2010-08-02 1167808]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 0 (0x0)
    "EnableLUA"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
    @="FSFilter System Recovery"

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^BumpTop.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\BumpTop.lnk
    backup=c:\windows\pss\BumpTop.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^SABnzbd.lnk]
    backup=c:\windows\pss\SABnzbd.lnk.CommonStartup
    backupExtension=.CommonStartup
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\SABnzbd.lnk

    [HKLM\~\startupfolder\C:^Users^Nate^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
    backup=c:\windows\pss\OpenOffice.org 3.1.lnk.Startup
    backupExtension=.Startup
    path=c:\users\Nate\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2010-09-21 04:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2010-09-23 09:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
    2010-09-08 22:31 47904 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AT&T Communication Manager]
    2008-06-10 03:27 33280 ----a-w- c:\program files\AT&T\Communication Manager\ATTCM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoStartNPSAgent]
    2010-07-05 00:13 95576 ----a-w- c:\program files\Samsung\Samsung New PC Studio\NPSAgent.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
    2009-04-23 13:51 691656 ----a-w- c:\program files\DAEMON Tools Lite\daemon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    2008-10-25 16:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2007-05-08 21:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2010-09-01 13:32 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
    2010-01-27 17:22 63048 ----a-w- c:\program files\LogMeIn\x86\LogMeInSystray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-09-08 16:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
    2009-09-02 20:27 25623336 ----a-r- c:\program files\Skype\Phone\Skype.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
    2007-02-22 00:14 1183744 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
    2010-06-08 23:05 322352 ----a-w- c:\program files\uTorrent\uTorrent.exe

    R0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-09-24 721904]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-09-15 20560]
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [2008-05-23 106496]
    R3 CAATT;AT&T Con App Svc;c:\program files\AT&T\Communication Manager\ConAppsSvc.exe [2008-05-23 118784]
    R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 34064]
    R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
    R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
    R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
    R3 ssecbus;Samsung Mobile Modem Device driver (WDM);c:\windows\system32\DRIVERS\ssecbus.sys [2010-04-27 86528]
    R3 ssecmdfl;Samsung Mobile Modem Device 2 Filter;c:\windows\system32\DRIVERS\ssecmdfl.sys [2010-04-27 14976]
    R3 ssecmdm;Samsung Mobile Modem Device 2 Driver;c:\windows\system32\DRIVERS\ssecmdm.sys [2010-04-27 114304]
    R3 SWNC8U80;Sierra Wireless MUX NDIS Driver (UMTS80);c:\windows\system32\DRIVERS\swnc8u80.sys [2008-01-10 165248]
    R3 SWUMX80;Sierra Wireless USB MUX Driver (UMTS80);c:\windows\system32\DRIVERS\swumx80.sys [2008-01-10 142976]
    R3 vpcuxd;USB Virtualization Stub Service;c:\windows\system32\DRIVERS\vpcuxd.sys [2009-09-23 12800]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-05-25 1343400]
    S2 aswMonFlt;aswMonFlt;c:\windows\system32\DRIVERS\aswMonFlt.sys [2009-09-15 53328]
    S2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2010-07-05 238952]
    S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [2010-01-27 12856]
    S3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\Drivers\ATSwpWDF.sys [2009-04-10 520704]
    S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.SYS [2010-06-14 36608]
    S3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-10-03 6000640]
    S3 RICOH SmartCard Reader;RICOH SmartCard Reader;c:\windows\system32\DRIVERS\rismc32.sys [2006-10-03 47488]
    S3 SMSCIRDA;SMSC Infrared Device Driver;c:\windows\system32\DRIVERS\SMSCirda.sys [2007-04-25 31232]
     
  12. groweedallday

    groweedallday Newcomer, in training Topic Starter Posts: 22

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - FSUSBEXDISK

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    iissvcs REG_MULTI_SZ w3svc was
    apphost REG_MULTI_SZ apphostsvc
    HPService REG_MULTI_SZ HPSLPSVC
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    Trusted Zone: hilton.com\rms
    Trusted Zone: marriott.com\extranet
    FF - ProfilePath - c:\users\Nate\AppData\Roaming\Mozilla\Firefox\Profiles\so4xtik1.default\
    FF - prefs.js: browser.search.selectedEngine - eBay
    FF - prefs.js: browser.startup.homepage - www.google.com
    FF - prefs.js: keyword.URL -
    FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBook.dll
    FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBookDB.dll
    FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpNeoLogger.dll
    FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSaturn.dll
    FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSeymour.dll
    FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartSelect.dll
    FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartWebPrinting.dll
    FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSWPOperation.dll
    FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPLogging.dll
    FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTC.dll
    FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTL.dll
    FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXREStub.dll
    FF - plugin: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\plugins\nphpclipbook.dll
    FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\np32asw.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll
    FF - plugin: c:\users\Nate\AppData\Roaming\Mozilla\Firefox\Profiles\so4xtik1.default\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}\plugins\npGarmin.dll
    FF - plugin: c:\users\Nate\AppData\Roaming\Mozilla\Firefox\Profiles\so4xtik1.default\extensions\ietab@ip.cn\plugins\npCoralIETab.dll
    FF - plugin: c:\users\Nate\AppData\Roaming\Mozilla\Firefox\Profiles\so4xtik1.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
    FF - plugin: c:\windows\system32\Wat\npWatWeb.dll

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .
    - - - - ORPHANS REMOVED - - - -

    SafeBoot-dmboot.sys
    SafeBoot-dmio.sys
    SafeBoot-dmload.sys
    SafeBoot-dmadmin
    SafeBoot-dmserver
    SafeBoot-SRService
    AddRemove-Octoshape add-in for Adobe Flash Player - c:\users\Nate\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe


    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'Explorer.exe'(4184)
    c:\windows\System32\NLSData0009.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\Ati2evxx.exe
    c:\windows\system32\Ati2evxx.exe
    c:\program files\Alwil Software\Avast4\aswUpdSv.exe
    c:\program files\Alwil Software\Avast4\ashServ.exe
    c:\windows\system32\taskhost.exe
    c:\windows\system32\AEADISRV.EXE
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
    c:\windows\system32\conhost.exe
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    c:\windows\system32\DRIVERS\xaudio.exe
    c:\program files\Synaptics\SynTP\SynTPHelper.exe
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    c:\program files\Vidalia Bundle\Tor\tor.exe
    c:\windows\system32\conhost.exe
    c:\program files\Vidalia Bundle\Polipo\polipo.exe
    c:\windows\system32\conhost.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\program files\Alwil Software\Avast4\ashMaiSv.exe
    c:\program files\Alwil Software\Avast4\ashWebSv.exe
    c:\program files\Windows Media Player\wmpnetwk.exe
    c:\windows\system32\DllHost.exe
    c:\windows\system32\sppsvc.exe
    .
    **************************************************************************
    .
    Completion time: 2010-10-08 23:02:58 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-10-09 04:02
    ComboFix2.txt 2010-10-06 06:00

    Pre-Run: 12,991,705,088 bytes free
    Post-Run: 12,952,137,728 bytes free

    - - End Of File - - 2BACF89830CD7CC1114B86AB04A8C48B
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Please run this Custom CFScript

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    c:\users\Nate\AppData\Roaming\OpenCandy\OpenCandy_18C31CC45A9647C6A420D5B4E 5AE8A78\p1v2USWoW_Installer.exe
    c:\users\Nate\AppData\Roaming\OpenCandy\OpenCandy_18C31CC45A9647C6A420D5B4E 5AE8A78\World of WarCraft Trial.exe
    c:\windows\pss\BumpTop.lnk
    
    DirLook::
    C:\Device
    Registry::
    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^BumpTop.lnk]
    RegLock::
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
    You will need to do a manual removal for the BumpTop files:
    You will need to display hidden files and folders: Using Windows Explorer: Windows key + E>
    • Click on Tools> Folder Options> View tab>
    • Check 'show hidden files and folders'>
    • Uncheck 'hide operating system files (Recommended)'>
    • Click on My Computer> Local Drive> Documents & Settings> All Users>
    • Application data> do a right click> Delete on any iWin files or folders to remove>
    • Click on Apply> OK when finished.
    Now go back and rehide the files and folders, Close Windows Explorer.
    ===========================================
    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    Are you still noticing any of the original problem?
  14. groweedallday

    groweedallday Newcomer, in training Topic Starter Posts: 22

    ComboFix 10-10-11.01 - Nate 10/11/2010 19:15:34.3.2 - x86
    Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2047.1211 [GMT -5:00]
    Running from: c:\users\Nate\Desktop\ComboFix.exe.exe
    Command switches used :: c:\users\Nate\Desktop\CFScript.txt

    FILE ::
    "c:\users\Nate\AppData\Roaming\OpenCandy\OpenCandy_18C31CC45A9647C6A420D5B4E 5AE8A78\p1v2USWoW_Installer.exe"
    "c:\users\Nate\AppData\Roaming\OpenCandy\OpenCandy_18C31CC45A9647C6A420D5B4E 5AE8A78\World of WarCraft Trial.exe"
    "c:\windows\pss\BumpTop.lnk"
    .

    ((((((((((((((((((((((((( Files Created from 2010-09-12 to 2010-10-12 )))))))))))))))))))))))))))))))
    .

    2010-10-12 00:26 . 2010-10-12 00:26 -------- d-----w- c:\users\Nate\AppData\Local\temp
    2010-10-12 00:26 . 2010-10-12 00:26 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-10-12 00:03 . 2010-10-12 00:04 -------- d-----w- C:\32788R22FWJFW
    2010-10-09 03:41 . 2010-10-09 03:41 -------- d-----w- C:\Device
    2010-10-09 03:03 . 2010-10-09 03:03 -------- d-----w- c:\program files\Common Files\Adobe
    2010-10-08 20:40 . 2010-10-08 20:40 -------- d-----w- c:\program files\MSECache
    2010-10-08 09:08 . 2010-09-09 22:52 6084944 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{1E06FC56-124C-4AE9-AC77-6992AD12CE53}\mpengine.dll
    2010-10-07 11:59 . 2010-10-07 11:59 -------- d-----w- c:\windows\system32\wbem\Logs
    2010-10-07 04:49 . 2010-10-07 04:49 388096 ----a-r- c:\users\Nate\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2010-10-07 04:49 . 2010-10-07 04:49 -------- d-----w- c:\program files\Trend Micro
    2010-10-06 04:49 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-10-06 04:49 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-10-04 21:48 . 2010-06-19 06:15 2048 ----a-w- c:\windows\system32\tzres.dll
    2010-10-04 18:58 . 2006-06-19 18:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
    2010-10-04 18:58 . 2006-05-25 20:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
    2010-10-04 18:58 . 2005-08-26 06:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
    2010-10-04 18:58 . 2002-03-06 06:00 75264 ----a-w- c:\windows\system32\unacev2.dll
    2010-10-04 18:58 . 2010-10-04 18:58 -------- d-----w- c:\program files\Trojan Remover
    2010-10-04 18:58 . 2010-10-04 18:58 -------- d-----w- c:\users\Nate\AppData\Roaming\Simply Super Software
    2010-10-04 18:58 . 2010-10-04 18:58 -------- d-----w- c:\programdata\Simply Super Software
    2010-10-04 18:58 . 2003-02-03 01:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
    2010-10-04 00:44 . 2010-10-08 00:38 -------- d-----w- c:\program files\SpywareBlaster
    2010-10-03 18:39 . 2010-10-06 06:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-10-03 06:25 . 2010-10-03 20:07 -------- dc----w- c:\programdata\{ECC164E0-3133-4C70-A831-F08DB2940F70}
    2010-10-03 06:24 . 2010-10-03 06:24 -------- d-----w- c:\program files\Lavasoft
    2010-10-01 20:13 . 2010-10-03 20:07 -------- d-----w- c:\program files\PDF Creator
    2010-09-27 18:00 . 2010-10-11 17:14 -------- d-----w- C:\N8
    2010-09-24 00:54 . 2010-09-24 00:54 -------- d-----w- c:\program files\AirPort
    2010-09-24 00:49 . 2010-09-24 00:49 -------- d-----w- c:\windows\Downloaded Installations
    2010-09-23 23:40 . 2010-09-14 22:59 14808 ----a-w- c:\program files\Mozilla Firefox\plugin-container.exe
    2010-09-23 23:40 . 2010-09-14 22:59 718296 ----a-w- c:\program files\Mozilla Firefox\mozcpp19.dll
    2010-09-22 23:10 . 2010-09-22 23:10 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
    2010-09-22 23:10 . 2010-09-22 23:10 103864 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll
    2010-09-21 19:35 . 2010-09-21 19:35 -------- d-----w- c:\program files\Drug Wars
    2010-09-15 08:06 . 2010-09-15 08:06 -------- d-----w- c:\windows\PCHEALTH
    2010-09-15 06:55 . 2010-08-21 05:32 316928 ----a-w- c:\windows\system32\spoolsv.exe
    2010-09-14 02:17 . 2009-05-18 18:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
    2010-09-14 02:17 . 2008-04-17 17:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
    2010-09-14 02:15 . 2010-09-14 02:15 -------- d-----w- c:\program files\iPod
    2010-09-14 02:15 . 2010-09-14 02:17 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    2010-09-14 02:15 . 2010-09-14 02:17 -------- d-----w- c:\program files\iTunes
    2010-09-14 02:14 . 2010-09-14 02:14 -------- d-----w- c:\program files\Apple Software Update
    2010-09-14 02:07 . 2010-09-14 02:07 -------- d-----w- c:\program files\Bonjour
    2010-09-13 23:00 . 2010-09-14 01:44 -------- d-----w- c:\users\Nate\.bh_gui

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .

    (((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    ---- Directory of C:\Device ----

    2010-10-09 03:55 . 2010-10-09 03:41 32768 ----a-w- c:\device\HarddiskVolume1\Boot\BCD.bak
    2010-10-09 03:55 . 2010-10-09 03:55 0 --sha-w- c:\device\HarddiskVolume1\Boot\BCD.tmp.LOG1
    2010-10-09 03:55 . 2010-10-09 03:55 0 --sha-w- c:\device\HarddiskVolume1\Boot\BCD.tmp.LOG2
    2010-10-09 03:41 . 2010-10-09 03:55 32768 ----a-w- c:\device\HarddiskVolume1\Boot\BCD


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Vidalia"="c:\program files\Vidalia Bundle\Vidalia\vidalia.exe" [2009-11-20 5262834]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1045800]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]
    "TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2010-08-02 1167808]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 0 (0x0)
    "EnableLUA"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
    @="FSFilter System Recovery"

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^BumpTop.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\BumpTop.lnk
    backup=c:\windows\pss\BumpTop.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^SABnzbd.lnk]
    backup=c:\windows\pss\SABnzbd.lnk.CommonStartup
    backupExtension=.CommonStartup
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\SABnzbd.lnk

    [HKLM\~\startupfolder\C:^Users^Nate^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
    backup=c:\windows\pss\OpenOffice.org 3.1.lnk.Startup
    backupExtension=.Startup
    path=c:\users\Nate\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2010-09-21 04:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2010-09-23 09:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
    2010-09-08 22:31 47904 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AT&T Communication Manager]
    2008-06-10 03:27 33280 ----a-w- c:\program files\AT&T\Communication Manager\ATTCM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoStartNPSAgent]
    2010-07-05 00:13 95576 ----a-w- c:\program files\Samsung\Samsung New PC Studio\NPSAgent.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
    2009-04-23 13:51 691656 ----a-w- c:\program files\DAEMON Tools Lite\daemon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    2008-10-25 16:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2007-05-08 21:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2010-09-01 13:32 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
    2010-01-27 17:22 63048 ----a-w- c:\program files\LogMeIn\x86\LogMeInSystray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-09-08 16:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
    2009-09-02 20:27 25623336 ----a-r- c:\program files\Skype\Phone\Skype.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
    2007-02-22 00:14 1183744 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
    2010-06-08 23:05 322352 ----a-w- c:\program files\uTorrent\uTorrent.exe

    R0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-09-24 721904]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-09-15 20560]
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [2008-05-23 106496]
    R3 CAATT;AT&T Con App Svc;c:\program files\AT&T\Communication Manager\ConAppsSvc.exe [2008-05-23 118784]
    R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 34064]
    R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
    R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
    R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
    R3 ssecbus;Samsung Mobile Modem Device driver (WDM);c:\windows\system32\DRIVERS\ssecbus.sys [2010-04-27 86528]
    R3 ssecmdfl;Samsung Mobile Modem Device 2 Filter;c:\windows\system32\DRIVERS\ssecmdfl.sys [2010-04-27 14976]
    R3 ssecmdm;Samsung Mobile Modem Device 2 Driver;c:\windows\system32\DRIVERS\ssecmdm.sys [2010-04-27 114304]
    R3 SWNC8U80;Sierra Wireless MUX NDIS Driver (UMTS80);c:\windows\system32\DRIVERS\swnc8u80.sys [2008-01-10 165248]
    R3 SWUMX80;Sierra Wireless USB MUX Driver (UMTS80);c:\windows\system32\DRIVERS\swumx80.sys [2008-01-10 142976]
    R3 vpcuxd;USB Virtualization Stub Service;c:\windows\system32\DRIVERS\vpcuxd.sys [2009-09-23 12800]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-05-25 1343400]
    S2 aswMonFlt;aswMonFlt;c:\windows\system32\DRIVERS\aswMonFlt.sys [2009-09-15 53328]
    S2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2010-07-05 238952]
    S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [2010-01-27 12856]
    S3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\Drivers\ATSwpWDF.sys [2009-04-10 520704]
    S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.SYS [2010-06-14 36608]
    S3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-10-03 6000640]
    S3 RICOH SmartCard Reader;RICOH SmartCard Reader;c:\windows\system32\DRIVERS\rismc32.sys [2006-10-03 47488]
    S3 SMSCIRDA;SMSC Infrared Device Driver;c:\windows\system32\DRIVERS\SMSCirda.sys [2007-04-25 31232]
  15. groweedallday

    groweedallday Newcomer, in training Topic Starter Posts: 22

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - FSUSBEXDISK

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    iissvcs REG_MULTI_SZ w3svc was
    apphost REG_MULTI_SZ apphostsvc
    HPService REG_MULTI_SZ HPSLPSVC
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    Trusted Zone: hilton.com\rms
    Trusted Zone: marriott.com\extranet
    FF - ProfilePath - c:\users\Nate\AppData\Roaming\Mozilla\Firefox\Profiles\so4xtik1.default\
    FF - prefs.js: browser.search.selectedEngine - eBay
    FF - prefs.js: browser.startup.homepage - www.google.com
    FF - prefs.js: keyword.URL -
    FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBook.dll
    FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBookDB.dll
    FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpNeoLogger.dll
    FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSaturn.dll
    FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSeymour.dll
    FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartSelect.dll
    FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartWebPrinting.dll
    FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSWPOperation.dll
    FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPLogging.dll
    FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTC.dll
    FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTL.dll
    FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXREStub.dll
    FF - plugin: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\plugins\nphpclipbook.dll
    FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\np32asw.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll
    FF - plugin: c:\users\Nate\AppData\Roaming\Mozilla\Firefox\Profiles\so4xtik1.default\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}\plugins\npGarmin.dll
    FF - plugin: c:\users\Nate\AppData\Roaming\Mozilla\Firefox\Profiles\so4xtik1.default\extensions\ietab@ip.cn\plugins\npCoralIETab.dll
    FF - plugin: c:\users\Nate\AppData\Roaming\Mozilla\Firefox\Profiles\so4xtik1.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
    FF - plugin: c:\windows\system32\Wat\npWatWeb.dll

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    called modules: >>UNKNOWN [0x82E49000]<< >>UNKNOWN [0x89585000]<< >>UNKNOWN [0x89618000]<< >>UNKNOWN [0x88F46000]<< >>UNKNOWN [0x82E12000]<< >>UNKNOWN [0x891AE000]<< >>UNKNOWN [0x88F69000]<< >>UNKNOWN [0x830E3F8F]<<
    kernel: MBR read successfully
    detected MBR rootkit hooks:
    IoDeviceObjectType -> DumpProcedure -> 0xd46a624f
    SecurityProcedure -> 0x84ec2418
    QueryNameProcedure -> 0x84ec25a8
    user & kernel MBR OK

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    Completion time: 2010-10-11 19:28:50
    ComboFix-quarantined-files.txt 2010-10-12 00:28
    ComboFix2.txt 2010-10-09 04:02
    ComboFix3.txt 2010-10-06 06:00

    Pre-Run: 13,983,944,704 bytes free
    Post-Run: 13,928,345,600 bytes free

    - - End Of File - - 31AC5434F7C86AB8D88FCF681ED6F9EE
  16. groweedallday

    groweedallday Newcomer, in training Topic Starter Posts: 22

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4796

    Windows 6.1.7600
    Internet Explorer 8.0.7600.16385

    10/11/2010 8:43:52 PM
    mbam-log-2010-10-11 (20-43-52).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 274496
    Time elapsed: 1 hour(s), 12 minute(s), 10 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    ==========================
    ESET Scanner found these files!!!
    ==========================
    C:\Qoobox\Quarantine\C\Windows\System32\Drivers\RDPREFMP.sys.vir Win32/Olmarik.ZC trojan
    C:\Qoobox\Quarantine\C\Windows\System32\Drivers\RDPREFMP.sys.vir_ Win32/Olmarik.ZC trojan
    C:\Windows\winsxs\x86_microsoft-windows-t..ion-reflectordriver_31bf3856ad364e35_6.1.7600.16385_none_17fc66573f2afc60\RDPREFMP.sys Win32/Olmarik.ZC trojan
  17. groweedallday

    groweedallday Newcomer, in training Topic Starter Posts: 22

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 10:25:27 PM, on 10/11/2010
    Platform: Windows 7 (WinNT 6.00.3504)
    MSIE: Internet Explorer v8.00 (8.00.7600.16385)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\System32\rundll32.exe
    C:\Windows\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\HP\Digital Imaging\smart web printing\hpswp_clipbook.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
    C:\Windows\system32\SearchFilterHost.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKCU\..\Run: [Vidalia] "C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe"
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
    O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - https://khmr.hilton.com/activex/ScriptX/smsx.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Andrea Electronics Corporation - C:\Windows\system32\AEADISRV.EXE
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
    O23 - Service: AT&T RcAppSvc (ATTRcAppSvc) - PCTEL - C:\Program Files\AT&T\Communication Manager\RcAppSvc.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: AT&T Con App Svc (CAATT) - PCTEL - C:\Program Files\AT&T\Communication Manager\ConAppsSvc.exe
    O23 - Service: FsUsbExService - Teruten - C:\Windows\system32\FsUsbExService.Exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

    --
    End of file - 5748 bytes
  18. groweedallday

    groweedallday Newcomer, in training Topic Starter Posts: 22

    Fixed with the Ghostery add-on for Firefox. Stopped the freeze on some pages while transferring from google-analytic.com. Feel free to close the thread, unless you see something malicious.
    Thanks again for all your time and help!
  19. groweedallday

    groweedallday Newcomer, in training Topic Starter Posts: 22

    Would anyone recommend using CCleaner for cleaning the registry? Or is this something that is better left untouched?
  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Sorry for delay. Had flu for 4 days. Couldn't even watch screen scroll for logs!

    About this:
    Most of us do not recommend using a Registry cleaner. The benefit is much less than the problems it can cause. So answers are No/Yes

    Let's finish up. Only one of the entries in the Eset log is active so we'll remove it. The only reference I find for the combination of RDPRE and FMP.sys is a Japanese porno video site. FMP.sys is for FileMakerPro. The Qoobox entries are from the Combofix quarantine folder and are no longer active. These will be removed when I have you uninstall Combofix.

    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      :Processes	
      :Files  
      C:\Windows\winsxs\x86_microsoft-windows-t..ion-reflectordriver_31bf3856ad364e35_6.1.7600.16385_none_17fc66573f2afc60\RDPRE FMP.sys 
      
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    =======================================
    Need to check these Registry entries:
    Custom CFScript

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    Registry::
    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^BumpTop.lnk]
    RegLock::
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    =====================================
    Also, Combofix indicates we need to check the MBR:

    Please download MBR Rootkit Detector and save it on your desktop.
    • Pause/Stop all antivirus/spyware active protection.
    • Then double click on mbr.exe to run it.
    • Select Run when you receive a Security Warning
    • The process is automatic, a black DOS window will appear and disappear suddenly. This is normal.
    • A log file will then be created on your desktop where you ran mbr.exe
    • Copy and paste the contents of mbr.log on your next reply.
    ============================
    HijackThis is okay, but the above need to be checked before I let you go.
  21. groweedallday

    groweedallday Newcomer, in training Topic Starter Posts: 22

    OldTimer MoveIt
    All processes killed
    ========== PROCESSES ==========
    ========== FILES ==========
    File/Folder C:\Windows\winsxs\x86_microsoft-windows-t..ion-reflectordriver_31bf3856ad364e35_6.1.7600.16385_none_17fc66573f2afc60\RDPRE FMP.sys not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes

    User: Nate
    ->Temp folder emptied: 1756205 bytes
    ->Temporary Internet Files folder emptied: 51795613 bytes
    ->Java cache emptied: 87675992 bytes
    ->FireFox cache emptied: 102112499 bytes
    ->Google Chrome cache emptied: 557424 bytes
    ->Flash cache emptied: 1194 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 82227 bytes
    RecycleBin emptied: 2039671 bytes

    Total Files Cleaned = 235.00 mb


    OTM by OldTimer - Version 3.1.16.1 log created on 10132010_201554

    Files moved on Reboot...
    File C:\Windows\temp\_avast4_\Webshlock.txt not found!

    Registry entries deleted on Reboot...
  22. groweedallday

    groweedallday Newcomer, in training Topic Starter Posts: 22

    ComboFix 10-10-12.03 - Nate 10/13/2010 20:34:42.4.2 - x86
    Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2047.1241 [GMT -5:00]
    Running from: c:\users\Nate\Desktop\ComboFix.exe.exe
    Command switches used :: c:\users\Nate\Desktop\CFScript.txt
    * Created a new restore point
    .

    ((((((((((((((((((((((((( Files Created from 2010-09-14 to 2010-10-14 )))))))))))))))))))))))))))))))
    .

    2010-10-14 01:45 . 2010-10-14 01:45 -------- d-----w- c:\users\Nate\AppData\Local\temp
    2010-10-14 01:45 . 2010-10-14 01:45 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-10-14 01:25 . 2010-10-14 01:26 -------- d-----w- C:\32788R22FWJFW
    2010-10-14 01:15 . 2010-10-14 01:15 -------- d-----w- C:\_OTM
    2010-10-13 01:00 . 2010-10-13 01:01 -------- d-----w- c:\program files\iTunes
    2010-10-13 01:00 . 2010-10-13 01:00 -------- d-----w- c:\program files\iPod
    2010-10-12 11:59 . 2010-09-09 22:52 6084944 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{0094B185-FC2F-4B28-B0DC-13FB87956D9C}\mpengine.dll
    2010-10-12 01:47 . 2010-10-12 01:47 -------- d-----w- c:\program files\ESET
    2010-10-09 03:41 . 2010-10-09 03:41 -------- d-----w- C:\Device
    2010-10-09 03:03 . 2010-10-09 03:03 -------- d-----w- c:\program files\Common Files\Adobe
    2010-10-08 20:40 . 2010-10-08 20:40 -------- d-----w- c:\program files\MSECache
    2010-10-07 11:59 . 2010-10-07 11:59 -------- d-----w- c:\windows\system32\wbem\Logs
    2010-10-07 04:49 . 2010-10-07 04:49 388096 ----a-r- c:\users\Nate\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2010-10-07 04:49 . 2010-10-07 04:49 -------- d-----w- c:\program files\Trend Micro
    2010-10-06 04:49 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-10-06 04:49 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-10-04 21:48 . 2010-06-19 06:15 2048 ----a-w- c:\windows\system32\tzres.dll
    2010-10-04 18:58 . 2006-06-19 18:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
    2010-10-04 18:58 . 2006-05-25 20:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
    2010-10-04 18:58 . 2005-08-26 06:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
    2010-10-04 18:58 . 2002-03-06 06:00 75264 ----a-w- c:\windows\system32\unacev2.dll
    2010-10-04 18:58 . 2010-10-04 18:58 -------- d-----w- c:\program files\Trojan Remover
    2010-10-04 18:58 . 2010-10-04 18:58 -------- d-----w- c:\users\Nate\AppData\Roaming\Simply Super Software
    2010-10-04 18:58 . 2010-10-04 18:58 -------- d-----w- c:\programdata\Simply Super Software
    2010-10-04 18:58 . 2003-02-03 01:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
    2010-10-04 00:44 . 2010-10-08 00:38 -------- d-----w- c:\program files\SpywareBlaster
    2010-10-03 18:39 . 2010-10-06 06:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-10-03 06:25 . 2010-10-03 20:07 -------- dc----w- c:\programdata\{ECC164E0-3133-4C70-A831-F08DB2940F70}
    2010-10-03 06:24 . 2010-10-03 06:24 -------- d-----w- c:\program files\Lavasoft
    2010-10-01 20:13 . 2010-10-03 20:07 -------- d-----w- c:\program files\PDF Creator
    2010-09-27 18:00 . 2010-10-12 03:08 -------- d-----w- C:\N8
    2010-09-24 00:54 . 2010-09-24 00:54 -------- d-----w- c:\program files\AirPort
    2010-09-24 00:49 . 2010-09-24 00:49 -------- d-----w- c:\windows\Downloaded Installations
    2010-09-23 23:40 . 2010-09-14 22:59 14808 ----a-w- c:\program files\Mozilla Firefox\plugin-container.exe
    2010-09-23 23:40 . 2010-09-14 22:59 718296 ----a-w- c:\program files\Mozilla Firefox\mozcpp19.dll
    2010-09-22 23:10 . 2010-09-22 23:10 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
    2010-09-22 23:10 . 2010-09-22 23:10 103864 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll
    2010-09-21 19:35 . 2010-09-21 19:35 -------- d-----w- c:\program files\Drug Wars
    2010-09-15 08:06 . 2010-09-15 08:06 -------- d-----w- c:\windows\PCHEALTH
    2010-09-15 06:55 . 2010-08-21 05:32 316928 ----a-w- c:\windows\system32\spoolsv.exe
    2010-09-14 02:17 . 2009-05-18 18:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
    2010-09-14 02:17 . 2008-04-17 17:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
    2010-09-14 02:15 . 2010-09-14 02:17 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    2010-09-14 02:14 . 2010-09-14 02:14 -------- d-----w- c:\program files\Apple Software Update
    2010-09-14 02:07 . 2010-09-14 02:07 -------- d-----w- c:\program files\Bonjour

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Vidalia"="c:\program files\Vidalia Bundle\Vidalia\vidalia.exe" [2009-11-20 5262834]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1045800]
    "TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2010-08-02 1167808]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 0 (0x0)
    "EnableLUA"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
    @="FSFilter System Recovery"

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^BumpTop.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\BumpTop.lnk
    backup=c:\windows\pss\BumpTop.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^SABnzbd.lnk]
    backup=c:\windows\pss\SABnzbd.lnk.CommonStartup
    backupExtension=.CommonStartup
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\SABnzbd.lnk

    [HKLM\~\startupfolder\C:^Users^Nate^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
    backup=c:\windows\pss\OpenOffice.org 3.1.lnk.Startup
    backupExtension=.Startup
    path=c:\users\Nate\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2010-09-21 04:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2010-09-23 09:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
    2010-09-08 22:31 47904 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AT&T Communication Manager]
    2008-06-10 03:27 33280 ----a-w- c:\program files\AT&T\Communication Manager\ATTCM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoStartNPSAgent]
    2010-07-05 00:13 95576 ----a-w- c:\program files\Samsung\Samsung New PC Studio\NPSAgent.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
    2009-04-23 13:51 691656 ----a-w- c:\program files\DAEMON Tools Lite\daemon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    2008-10-25 16:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2007-05-08 21:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2010-09-24 07:10 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
    2010-01-27 17:22 63048 ----a-w- c:\program files\LogMeIn\x86\LogMeInSystray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-09-08 16:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
    2009-09-02 20:27 25623336 ----a-r- c:\program files\Skype\Phone\Skype.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
    2007-02-22 00:14 1183744 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
    2010-06-08 23:05 322352 ----a-w- c:\program files\uTorrent\uTorrent.exe

    R0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-09-24 721904]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-09-15 20560]
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [2008-05-23 106496]
    R3 CAATT;AT&T Con App Svc;c:\program files\AT&T\Communication Manager\ConAppsSvc.exe [2008-05-23 118784]
    R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 34064]
    R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
    R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
    R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
    R3 ssecbus;Samsung Mobile Modem Device driver (WDM);c:\windows\system32\DRIVERS\ssecbus.sys [2010-04-27 86528]
    R3 ssecmdfl;Samsung Mobile Modem Device 2 Filter;c:\windows\system32\DRIVERS\ssecmdfl.sys [2010-04-27 14976]
    R3 ssecmdm;Samsung Mobile Modem Device 2 Driver;c:\windows\system32\DRIVERS\ssecmdm.sys [2010-04-27 114304]
    R3 SWNC8U80;Sierra Wireless MUX NDIS Driver (UMTS80);c:\windows\system32\DRIVERS\swnc8u80.sys [2008-01-10 165248]
    R3 SWUMX80;Sierra Wireless USB MUX Driver (UMTS80);c:\windows\system32\DRIVERS\swumx80.sys [2008-01-10 142976]
    R3 vpcuxd;USB Virtualization Stub Service;c:\windows\system32\DRIVERS\vpcuxd.sys [2009-09-23 12800]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-05-25 1343400]
    S2 aswMonFlt;aswMonFlt;c:\windows\system32\DRIVERS\aswMonFlt.sys [2009-09-15 53328]
    S2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2010-07-05 238952]
    S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [2010-01-27 12856]
    S3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\Drivers\ATSwpWDF.sys [2009-04-10 520704]
    S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.SYS [2010-06-14 36608]
    S3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-10-03 6000640]
    S3 RICOH SmartCard Reader;RICOH SmartCard Reader;c:\windows\system32\DRIVERS\rismc32.sys [2006-10-03 47488]
    S3 SMSCIRDA;SMSC Infrared Device Driver;c:\windows\system32\DRIVERS\SMSCirda.sys [2007-04-25 31232]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    iissvcs REG_MULTI_SZ w3svc was
    apphost REG_MULTI_SZ apphostsvc
    HPService REG_MULTI_SZ HPSLPSVC
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    .next post :)
  23. groweedallday

    groweedallday Newcomer, in training Topic Starter Posts: 22

    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    Trusted Zone: hilton.com\rms
    Trusted Zone: marriott.com\extranet
    FF - ProfilePath - c:\users\Nate\AppData\Roaming\Mozilla\Firefox\Profiles\so4xtik1.default\
    FF - prefs.js: browser.search.selectedEngine - eBay
    FF - prefs.js: browser.startup.homepage - www.google.com
    FF - prefs.js: keyword.URL -
    FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBook.dll
    FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBookDB.dll
    FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpNeoLogger.dll
    FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSaturn.dll
    FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSeymour.dll
    FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartSelect.dll
    FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartWebPrinting.dll
    FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSWPOperation.dll
    FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPLogging.dll
    FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTC.dll
    FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTL.dll
    FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXREStub.dll
    FF - plugin: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\plugins\nphpclipbook.dll
    FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\np32asw.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll
    FF - plugin: c:\users\Nate\AppData\Roaming\Mozilla\Firefox\Profiles\so4xtik1.default\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}\plugins\npGarmin.dll
    FF - plugin: c:\users\Nate\AppData\Roaming\Mozilla\Firefox\Profiles\so4xtik1.default\extensions\ietab@ip.cn\plugins\npCoralIETab.dll
    FF - plugin: c:\users\Nate\AppData\Roaming\Mozilla\Firefox\Profiles\so4xtik1.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
    FF - plugin: c:\windows\system32\Wat\npWatWeb.dll

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    called modules: >>UNKNOWN [0x82E40000]<< >>UNKNOWN [0x895AF000]<< >>UNKNOWN [0x8959E000]<< >>UNKNOWN [0x88F24000]<< >>UNKNOWN [0x82E09000]<< >>UNKNOWN [0x891CC000]<< >>UNKNOWN [0x88F47000]<< >>UNKNOWN [0x82EF9FF0]<<
    kernel: MBR read successfully
    detected MBR rootkit hooks:
    IoDeviceObjectType -> DumpProcedure -> 0xd46a624f
    SecurityProcedure -> 0x84ec2418
    QueryNameProcedure -> 0x84ec25a8
    user & kernel MBR OK

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    Completion time: 2010-10-13 20:47:24
    ComboFix-quarantined-files.txt 2010-10-14 01:47
    ComboFix2.txt 2010-10-12 00:28
    ComboFix3.txt 2010-10-09 04:02
    ComboFix4.txt 2010-10-06 06:00

    Pre-Run: 17,822,343,168 bytes free
    Post-Run: 17,636,007,936 bytes free

    - - End Of File - - 77E9E082FBED2933BE26995870F95456

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    kernel: MBR read successfully
    user & kernel MBR OK
  24. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Where is this section from the Combofix log? (((((((( Find3M Report ))))))))))))

    The scan is still showing signs of possible rootkit. I'd like you to run this: Combofix isn't quite as clean as I'd like it to be.

    Download Bootkit Remover and save to your Desktop
    1. You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/
    2. After extracting remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users, right click on remover.exe and click Run As Administrator).
    3. You will see a Black screen with some data on it.
    4. Right click on the screen and click Select All.
    5. Press CTRL+C to Copy
    6. Open a Notepad and press CTRL+V to Paste.
    7. Include the report in your next post.
    Credits to Broni
  25. groweedallday

    groweedallday Newcomer, in training Topic Starter Posts: 22

    Bootkit Remover
    (c) 2009 eSage Lab
    www.esagelab.com

    Program version: 1.2.0.0
    OS Version: Microsoft Windows 7 Ultimate Edition (build 7600), 32-bit

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`06500000
    Boot sector MD5 is: bb4f1627d8b9beda49ac0d010229f3ff

    Size Device Name MBR Status
    --------------------------------------------
    149 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


    Done;
    Press any key to quit...