TechSpot

Generic Host Process for Win32 Service problem with HijackThis log attachment

By zenoperegrinus
Oct 12, 2010
  1. Hi folks,

    I searched for ways to overcome this GHS problem and was directed to run HijackThis. I attach the log file here.

    Some background. I think I have malware on my system as I am often redirected by IE. The GHS problem has started since I downloaded iTunes yesterday. I was directed to use Firefox last week but was unable to run it so reverted back to IE. I started to check MSCONFIG but felt a little out of my depth.

    Any help is greatly appreciated.

    Zeno


  2. crunchie

    crunchie Malware Helper Posts: 761

    Hi and welcome to TechSpot forums :).

    ====

    Please read the directions given here and when done, post the requested logs.
    Please do not attach the logs unless requested, or unless they are too large to paste.
  3. zenoperegrinus

    zenoperegrinus TS Rookie Topic Starter

    log reports for 8-step Viruses/Spyware/Malware Preliminary Removal

    Hi crunchie,

    Thank you for your response and direction.

    Please find the logs pasted below.

    One question: should I re-enable script blocking protection?

    Regards

    Zeno

    ----------------------------------------------
    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4811

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    13/10/2010 17:48:46
    mbam-log-2010-10-13 (17-48-46).txt

    Scan type: Quick scan
    Objects scanned: 135505
    Time elapsed: 18 minute(s), 38 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 2
    Folders Infected: 1
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\program files\microsoft\desktoplayer.exe -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (c:\windows\system32\userinit.exe,c:\program files\microsoft\desktoplayer.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.

    Folders Infected:
    C:\Program Files\sys32 (Trojan.Malagent) -> Quarantined and deleted successfully.

    Files Infected:
    C:\Program Files\Microsoft\desktoplayer.exe (Trojan.Agent) -> Delete on reboot.
    ----------------------------------------------

    GMER 1.0.15.15315 - http://www.gmer.net
    Rootkit quick scan 2010-10-13 18:31:56
    Windows 5.1.2600 Service Pack 3
    Running: 2myf696x.exe; Driver: C:\DOCUME~1\ZENOPE~1\LOCALS~1\Temp\kxrirpow.sys


    ---- System - GMER 1.0.15 ----

    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0x9976AB9C]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0x9976A9C0]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0x9976AAFA]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)

    AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
    AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
    AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
    AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
    AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 wdf01000.sys (WDF Dynamic/Microsoft Corporation)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 wdf01000.sys (WDF Dynamic/Microsoft Corporation)

    Device -> \Driver\iaStor \Device\Harddisk0\DR0 85535EC5

    ---- Files - GMER 1.0.15 ----

    File C:\WINDOWS\system32\drivers\iaStor.sys suspicious modification

    ---- EOF - GMER 1.0.15 ----



    DDS (Ver_10-10-10.03) - NTFSx86
    Run by zenoperegrinus at 10:03:34.90 on 14/10/2010
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.316 [GMT 1:00]

    AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    svchost.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\igfxtray.exe
    C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe
    C:\Program Files\EeePC\ACPI\AsEPCMon.exe
    C:\Program Files\EeePC\ACPI\AsTray.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\ASUS\Eee Docking\Eee Docking.exe
    C:\Program Files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe
    C:\WINDOWS\system32\igfxext.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Windows Live\Toolbar\wltuser.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\zenoperegrinus\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = *.local
    uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [Eee Docking] c:\program files\asus\eee docking\Eee Docking.exe
    uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
    uRun: [Steam] "c:\program files\steam\steam.exe" -silent
    uRun: [Sbofiqohuwudehi] rundll32.exe "c:\windows\kbdr40.dll",Startup
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [AsusACPIServer] c:\program files\eeepc\acpi\AsAcpiSvr.exe
    mRun: [AsusEPCMonitor] c:\program files\eeepc\acpi\AsEPCMon.exe
    mRun: [AsusTray] c:\program files\eeepc\acpi\AsTray.exe
    mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
    mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
    mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [SynAsusAcpi] c:\program files\synaptics\syntp\SynAsusAcpi.exe
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [Dgoxaquza] rundll32.exe "c:\windows\axoxebuxeyaki.dll",Startup
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\superh~1.lnk - c:\program files\asus\eeepc\super hybrid engine\SuperHybridEngine.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
    IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
    IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
    DPF: {67084B91-FE65-4032-8A1B-9CEE301A6A95} - hxxp://upload.travelpod.com/includes/ImageUploader6.cab
    DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: igfxcui - igfxdev.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

    ============= SERVICES / DRIVERS ===============

    R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2010-10-3 59240]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-8-19 165456]
    R1 RapportCerberus_19917;RapportCerberus_19917;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportcerberus\19917\RapportCerberus_19917.sys [2010-10-3 34792]
    R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2010-10-3 169320]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-8-19 17744]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-8-19 40384]
    R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-5-5 54752]
    R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2010-10-3 767208]
    R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [2009-4-28 38912]
    R3 uvclf;uvclf;c:\windows\system32\drivers\uvclf.sys [2009-3-16 39040]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-5-5 1684736]
    S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-8-19 40384]
    S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-8-19 40384]
    S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-4-28 704872]
    S3 SRS_PremiumSound_Service;SRS Labs Premium Sound;c:\windows\system32\drivers\SRS_PremiumSound_i386.sys [2009-5-5 232872]

    =============== Created Last 30 ================

    2010-10-12 22:18:10 -------- d-----w- c:\docume~1\zenope~1\applic~1\Trusteer
    2010-10-12 22:16:57 -------- d-----w- c:\program files\Trusteer
    2010-10-12 22:14:33 -------- d-----w- c:\docume~1\alluse~1\applic~1\Trusteer
    2010-10-12 08:06:09 -------- d-----w- C:\HijackThis
    2010-10-11 18:38:21 -------- d-----w- c:\docume~1\zenope~1\applic~1\Foxit Software
    2010-10-11 18:38:17 -------- d-----w- c:\docume~1\zenope~1\applic~1\Foxit
    2010-10-11 18:37:54 -------- d-----w- c:\program files\Foxit Software
    2010-10-11 15:21:36 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
    2010-10-11 15:21:36 107368 ----a-w- c:\windows\system32\GEARAspi.dll
    2010-10-10 11:39:29 -------- d-----w- c:\windows\system32\wbem\repository\FS
    2010-10-10 11:39:29 -------- d-----w- c:\windows\system32\wbem\Repository
    2010-10-03 22:43:44 59240 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
    2010-09-30 21:48:33 -------- d-----w- c:\program files\iPod
    2010-09-30 21:48:19 -------- d-----w- c:\program files\iTunes
    2010-09-30 21:48:19 -------- d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    2010-09-30 21:46:13 -------- d-----w- c:\docume~1\zenope~1\locals~1\applic~1\Apple
    2010-09-30 21:44:59 -------- d-----w- c:\program files\Bonjour
    2010-09-30 21:43:48 -------- d-----w- c:\docume~1\zenope~1\locals~1\applic~1\Apple Computer
    2010-09-30 16:25:31 -------- d-----w- c:\docume~1\zenope~1\applic~1\Malwarebytes
    2010-09-30 16:24:50 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-09-30 16:24:48 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2010-09-30 16:24:47 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-09-30 16:24:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-09-21 22:05:42 -------- d-----w- c:\docume~1\zenope~1\locals~1\applic~1\{D99998DA-A89F-48C9-A08D-35A184BBF262}
    2010-09-21 06:58:56 -------- d-----w- c:\program files\riv7
    2010-09-17 16:27:56 -------- d-----w- c:\windows\system32\Registry Patrol
    2010-09-17 16:27:44 86016 ----a-w- c:\windows\unvise32.exe
    2010-09-17 16:27:18 -------- d-----w- c:\program files\Registry Patrol

    ==================== Find3M ====================

    2010-09-23 23:28:35 0 ----a-w- c:\windows\Xtetovisidubadi.bin
    2010-09-08 10:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-09-08 10:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2010-07-27 17:44:10 91424 ----a-w- c:\windows\system32\dnssd.dll
    2010-07-27 17:44:10 75040 ----a-w- c:\windows\system32\jdns_sd.dll
    2010-07-27 17:44:10 197920 ----a-w- c:\windows\system32\dnssdX.dll
    2010-07-27 17:44:10 107808 ----a-w- c:\windows\system32\dns-sd.exe

    ============= FINISH: 10:06:12.07 ===============



    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-10-10.03)

    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume1
    Install Date: 26/08/2009 15:19:18
    System Uptime: 14/10/2010 09:54:31 (1 hours ago)

    Motherboard: ASUSTeK Computer INC. | | 1005HA
    Processor: Intel(R) Atom(TM) CPU N270 @ 1.60GHz | PBGA 437 | 1599/133mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 144 GiB total, 68.038 GiB free.

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP121: 10/10/2010 11:42:37 - Restore Operation
    RP122: 11/10/2010 13:38:06 - System Checkpoint
    RP123: 11/10/2010 16:20:25 - Installed iTunes
    RP124: 12/10/2010 23:16:48 - Installed Rapport

    ==== Installed Programs ======================

    32 Bit HP BiDi Channel Components Installer
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.3.4
    Altitude
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Ask Toolbar
    Asus ACPI Driver
    ASUSUpdate for Eee PC
    Atheros Client Installation Program
    Atheros Communications Inc.(R) AR81Family Gigabit/Fast Ethernet Driver
    avast! Free Antivirus
    Azurewave Wireless LAN Card
    Bonjour
    CM 03-04 Demo
    Compatibility Pack for the 2007 Office system
    Data Sync
    EasyZip
    Eee Docking 1.3.1.0
    EeePC_1005HA Screen Saver
    EeeSplendid
    EzMessenger
    FontResizer
    Football Manager 2010
    Foxit Reader
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB954708)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976002-v5)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    HP LaserJet P4010_P4510 Series
    Intel(R) Graphics Media Accelerator Driver
    iTunes
    Java Auto Updater
    Java(TM) 6 Update 18
    Junk Mail filter update
    LimeWire 5.5.9
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Application Error Reporting
    Microsoft Choice Guard
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
    Microsoft National Language Support Downlevel APIs
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Access MUI (Spanish) 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Excel MUI (Spanish) 2007
    Microsoft Office Home and Student 2007
    Microsoft Office Home and Student 2007 Trial
    Microsoft Office InfoPath MUI (Spanish) 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office Outlook MUI (Spanish) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office PowerPoint MUI (Spanish) 2007
    Microsoft Office PowerPoint Viewer 2007 (English)
    Microsoft Office Professional Plus 2007
    Microsoft Office Proof (Basque) 2007
    Microsoft Office Proof (Catalan) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Galician) 2007
    Microsoft Office Proof (Portuguese (Brazil)) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing (Spanish) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Publisher MUI (Spanish) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared MUI (Spanish) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Suite Activation Assistant
    Microsoft Office Word MUI (English) 2007
    Microsoft Office Word MUI (Spanish) 2007
    Microsoft Search Enhancement Pack
    Microsoft Silverlight
    Microsoft Software Update for Web Folders (English) 12
    Microsoft Software Update for Web Folders (Spanish) 12
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Sync Framework Runtime Native v1.0 (x86)
    Microsoft Sync Framework Services Native v1.0 (x86)
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Works
    MSVCRT
    QuickTime
    Rapport
    RealPlayer
    Realtek High Definition Audio Driver
    RealUpgrade 1.0
    Registry Patrol
    Security Update for 2007 Microsoft Office System (KB2277947)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for 2007 Microsoft Office System (KB982312)
    Security Update for 2007 Microsoft Office System (KB982331)
    Security Update for Microsoft Office Access 2007 (KB979440)
    Security Update for Microsoft Office Excel 2007 (KB982308)
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office Outlook 2007 (KB980376)
    Security Update for Microsoft Office PowerPoint 2007 (KB982158)
    Security Update for Microsoft Office Publisher 2007 (KB982124)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB2251419)
    Security Update for Windows Internet Explorer 7 (KB928090)
    Security Update for Windows Internet Explorer 7 (KB938127-v2)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 7 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950759)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953155)
    Security Update for Windows XP (KB953838)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956390)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958215)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960714)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371-v2)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB963027)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Segoe UI
    Skype™ 4.2
    Steam
    Super Hybrid Engine
    Synaptics Pointing Device Driver
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Office OneNote 2007 (KB980729)
    Update for Outlook 2007 Junk Email Filter (kb2279264)
    Update for Windows Internet Explorer 8 (KB973874)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB980182)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB942763)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951618-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB953356)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB961503)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    USB2.0 UVC Camera Device
    WebFldrs XP
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Family Safety
    Windows Live Mail
    Windows Live Messenger
    Windows Live Photo Gallery
    Windows Live Sign-in Assistant
    Windows Live Sync
    Windows Live Toolbar
    Windows Live Upload Tool
    Windows Live Writer
    Windows Media Format 11 runtime
    Windows Media Player 11

    ==== Event Viewer Messages From Past Week ========

    14/10/2010 09:56:24, error: System Error [1003] - Error code 1000008e, parameter1 c0000005, parameter2 f743ae7d, parameter3 a9ebe9b0, parameter4 00000000.
    14/10/2010 09:56:15, error: System Error [1003] - Error code 1000008e, parameter1 c0000005, parameter2 f743ae7d, parameter3 f28d79b0, parameter4 00000000.
    13/10/2010 20:12:46, error: BROWSER [8007] - The browser was unable to update the service status bits. The data is the error.
    13/10/2010 19:39:00, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the PolicyAgent service.
    13/10/2010 19:38:50, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the JavaQuickStarterService service.
    13/10/2010 16:37:26, error: Service Control Manager [7034] - The SeaPort service terminated unexpectedly. It has done this 1 time(s).
    13/10/2010 16:37:26, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
    13/10/2010 16:37:26, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
    13/10/2010 16:37:26, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
    13/10/2010 16:37:26, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    12/10/2010 08:40:51, error: System Error [1003] - Error code 1000000a, parameter1 00000023, parameter2 00000002, parameter3 00000000, parameter4 8050c653.
    11/10/2010 01:00:43, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the stisvc service.
    10/10/2010 12:56:21, error: Service Control Manager [7006] - The ScRegSetValueExW call failed for FailureActions with the following error: Access is denied.
    10/10/2010 12:56:16, error: Service Control Manager [7022] - The avast! Antivirus service hung on starting.
    10/10/2010 11:30:53, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Spooler service.
    10/10/2010 11:28:06, error: Dhcp [1002] - The IP address lease 192.168.0.3 for the Network Card with network address 0025D3459755 has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
    09/10/2010 13:15:00, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.

    ==== End Of File ===========================
  4. crunchie

    crunchie Malware Helper Posts: 761

    Keep the script blocking disabled for now please.

    ==

    Please download ComboFix by sUBs from HERE or HERE
    • You must download it to and run it from your Desktop
    • Physically disconnect from the internet.
    • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
    • Double click combofix.exe & follow the prompts.
    • When finished, it will produce a log. Please save that log to post in your next reply.
    • Re-enable all the programs that were disabled during the running of ComboFix.

    Note:
    Do not mouse-click combofix's window while it is running. That may cause it to stall.

    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Run Combofix ONCE only!!
  5. zenoperegrinus

    zenoperegrinus TS Rookie Topic Starter

    Hi crunchie,

    I have a problem.

    I followed the instructions, disconnecting from the internet and stopping all monitoring software. I started ComboFix. It started well. Then it instructed me to reconnect to the internet so it could download some Windows software to allow the system to create restore points. ComboFix then said it had found rootkit activity and needed to restart the system. I gave the OK. ComboFix restarted when the system restarted, but I think it crashed when other programmes automatically reopened. I was never asked to save and can't find an automatically saved log, so I don't think it completed. What should I do?

    Regards

    Zeno
  6. crunchie

    crunchie Malware Helper Posts: 761

    If there is a log you will find it at C:\qoobox, otherwise run Combofix again please.
  7. zenoperegrinus

    zenoperegrinus TS Rookie Topic Starter

    Hi crunchie,

    2nd run went smoothly. Please find the log pasted below.


    ComboFix 10-10-12.03 - zenoperegrinus 14/10/2010 18:00:29.1.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.489 [GMT 1:00]
    Running from: c:\documents and settings\zenoperegrinus\Desktop\ComboFix.exe
    AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\zenoperegrinus\Local Settings\Application Data\{D99998DA-A89F-48C9-A08D-35A184BBF262}
    c:\documents and settings\zenoperegrinus\Local Settings\Application Data\{D99998DA-A89F-48C9-A08D-35A184BBF262}\chrome.manifest
    c:\documents and settings\zenoperegrinus\Local Settings\Application Data\{D99998DA-A89F-48C9-A08D-35A184BBF262}\chrome\content\_cfg.js
    c:\documents and settings\zenoperegrinus\Local Settings\Application Data\{D99998DA-A89F-48C9-A08D-35A184BBF262}\chrome\content\overlay.xul
    c:\documents and settings\zenoperegrinus\Local Settings\Application Data\{D99998DA-A89F-48C9-A08D-35A184BBF262}\install.rdf
    c:\program files\Internet Explorer\complete.dat
    c:\program files\Internet Explorer\dmlconf.dat
    c:\windows\system32\dmlconf.dat
    c:\windows\system32\Thumbs.db

    Infected copy of c:\windows\system32\drivers\rasacd.sys was found and disinfected
    Restored copy from - Kitty had a snack :p
    .
    ((((((((((((((((((((((((( Files Created from 2010-09-14 to 2010-10-14 )))))))))))))))))))))))))))))))
    .

    2010-10-14 12:08 . 2010-10-14 12:08 -------- d-----w- c:\windows\LastGood
    2010-10-12 22:18 . 2010-10-12 22:18 -------- d-----w- c:\documents and settings\zenoperegrinus\Application Data\Trusteer
    2010-10-12 22:16 . 2010-10-12 22:16 -------- d-----w- c:\program files\Trusteer
    2010-10-12 22:14 . 2010-10-12 22:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Trusteer
    2010-10-12 08:06 . 2010-10-12 09:39 -------- d-----w- C:\HijackThis
    2010-10-11 18:38 . 2010-10-11 18:38 -------- d-----w- c:\documents and settings\zenoperegrinus\Application Data\Foxit Software
    2010-10-11 18:38 . 2010-10-11 18:38 -------- d-----w- c:\documents and settings\zenoperegrinus\Application Data\Foxit
    2010-10-11 18:37 . 2010-10-11 18:37 -------- d-----w- c:\program files\Foxit Software
    2010-10-11 15:21 . 2009-05-18 12:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
    2010-10-11 15:21 . 2008-04-17 11:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
    2010-10-10 11:39 . 2010-10-10 11:39 -------- d-----w- c:\windows\system32\wbem\Repository
    2010-10-10 10:56 . 2010-10-10 11:01 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
    2010-10-03 22:43 . 2010-10-03 22:43 59240 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
    2010-09-30 21:50 . 2010-10-11 15:25 -------- d-----w- c:\documents and settings\zenoperegrinus\Application Data\Apple Computer
    2010-09-30 21:48 . 2010-10-11 15:21 -------- d-----w- c:\program files\iPod
    2010-09-30 21:48 . 2010-10-11 15:21 -------- d-----w- c:\program files\iTunes
    2010-09-30 21:48 . 2010-09-30 21:49 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    2010-09-30 21:46 . 2010-10-14 09:17 -------- d-----w- c:\program files\QuickTime
    2010-09-30 21:46 . 2010-09-30 21:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
    2010-09-30 21:46 . 2010-09-30 21:46 -------- d-----w- c:\documents and settings\zenoperegrinus\Local Settings\Application Data\Apple
    2010-09-30 21:45 . 2010-09-30 21:46 -------- d-----w- c:\program files\Apple Software Update
    2010-09-30 21:44 . 2010-09-30 21:45 -------- d-----w- c:\program files\Bonjour
    2010-09-30 21:44 . 2010-09-30 21:48 -------- d-----w- c:\program files\Common Files\Apple
    2010-09-30 21:44 . 2010-09-30 21:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
    2010-09-30 21:43 . 2010-09-30 21:50 -------- d-----w- c:\documents and settings\zenoperegrinus\Local Settings\Application Data\Apple Computer
    2010-09-30 16:25 . 2010-09-30 16:25 -------- d-----w- c:\documents and settings\zenoperegrinus\Application Data\Malwarebytes
    2010-09-30 16:24 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-09-30 16:24 . 2010-09-30 16:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-09-30 16:24 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-09-30 16:24 . 2010-09-30 16:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-09-21 06:58 . 2010-09-30 16:45 -------- d-----w- c:\program files\riv7
    2010-09-17 16:27 . 2010-09-17 16:27 -------- d-----w- c:\windows\system32\Registry Patrol
    2010-09-17 16:27 . 1999-12-17 09:13 86016 ----a-w- c:\windows\unvise32.exe
    2010-09-17 16:27 . 2010-09-17 16:44 -------- d-----w- c:\program files\Registry Patrol

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-06-10 1233288]

    [HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    2010-06-10 22:28 1233288 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-06-10 1233288]

    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-06-10 1233288]

    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Eee Docking"="c:\program files\ASUS\Eee Docking\Eee Docking.exe" [2009-05-08 395776]
    "Steam"="c:\program files\steam\steam.exe" [2010-08-24 1242448]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-19 131072]
    "AsusACPIServer"="c:\program files\EeePC\ACPI\AsAcpiSvr.exe" [2009-04-16 630784]
    "AsusEPCMonitor"="c:\program files\EeePC\ACPI\AsEPCMon.exe" [2009-03-13 98304]
    "AsusTray"="c:\program files\EeePC\ACPI\AsTray.exe" [2009-04-16 118784]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
    "MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
    "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
    "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-03-06 1434920]
    "SynAsusAcpi"="c:\program files\Synaptics\SynTP\SynAsusAcpi.exe" [2009-03-06 79144]
    "RTHDCPL"="RTHDCPL.EXE" [2009-04-27 17881088]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-04-24 202256]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
    "avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    SuperHybridEngine.lnk - c:\program files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe [2009-5-5 376832]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0aswBoot.exe /M:416082759509

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
    2010-04-16 21:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Steam\\Steam.exe"=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\football manager 2010\\fm.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [03/10/2010 23:43 59240]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [19/08/2010 18:37 165456]
    R1 RapportCerberus_19917;RapportCerberus_19917;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\19917\RapportCerberus_19917.sys [03/10/2010 23:54 34792]
    R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [03/10/2010 23:43 169320]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [19/08/2010 18:37 17744]
    R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [03/10/2010 23:43 767208]
    R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [28/04/2009 02:59 38912]
    R3 uvclf;uvclf;c:\windows\system32\drivers\uvclf.sys [16/03/2009 22:27 39040]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [05/05/2009 17:00 1684736]
    S3 SRS_PremiumSound_Service;SRS Labs Premium Sound;c:\windows\system32\drivers\SRS_PremiumSound_i386.sys [05/05/2009 18:16 232872]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    .
    Contents of the 'Scheduled Tasks' folder

    2010-09-30 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 10:50]

    2010-10-14 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1042050900-1176399639-2793042620-1006.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]

    2010-10-11 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1042050900-1176399639-2793042620-1006.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]

    2010-10-14 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
    - c:\program files\Ask.com\UpdateTask.exe [2010-06-10 22:28]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    DPF: {67084B91-FE65-4032-8A1B-9CEE301A6A95} - hxxp://upload.travelpod.com/includes/ImageUploader6.cab
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-Sbofiqohuwudehi - c:\windows\kbdr40.dll
    HKLM-Run-Dgoxaquza - c:\windows\axoxebuxeyaki.dll
    MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    AddRemove-{19F5658D-92E8-4A08-8657-D38ABB1574B2} - c:\program files\InstallShield Installation Information\{19F5658D-92E8-4A08-8657-D38ABB1574B2}\setup.exe
    AddRemove-{3108C217-BE83-42E4-AE9E-A56A2A92E549} - c:\program files\InstallShield Installation Information\{3108C217-BE83-42E4-AE9E-A56A2A92E549}\setup.exe
    AddRemove-{6333FC29-BFE5-4024-AC78-958A1A7555D1} - c:\program files\InstallShield Installation Information\{6333FC29-BFE5-4024-AC78-958A1A7555D1}\setup.exe
    AddRemove-{88F08F98-12BC-4613-81A2-8F9B88CFC73E} - c:\program files\InstallShield Installation Information\{88F08F98-12BC-4613-81A2-8F9B88CFC73E}\setup.exe


    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1042050900-1176399639-2793042620-1006\Software\G*e*n*i*e*"!\FM Genie Scout 10]
    "GameDir"="c:\\Documents and Settings\\zenoperegrinus\\My Documents\\Sports Interactive\\Football Manager 2010\\games"
    "ShortlistDir"="c:\\Documents and Settings\\zenoperegrinus\\My Documents\\Sports Interactive\\Football Manager 2010\\shortlists"
    "ScreenshotsDir"="c:\\Documents and Settings\\zenoperegrinus\\My Documents\\Sports Interactive\\Football Manager 2010"
    "SaveDir"="c:\\Documents and Settings\\zenoperegrinus\\My Documents\\Sports Interactive\\Football Manager 2010\\"
    "HistoryDir"="c:\\Documents and Settings\\zenoperegrinus\\Desktop\\FM Genie Scout 10\\History Points"
    "LangDB"="c:\\program files\\steam\\steamapps\\common\\football manager 2010\\data\\db\\1000\\lang_db.dat"
    "LastSaveGame"=""
    "Language"="English"
    "LoadLangDB"=dword:00000001
    "CompressHistoryPoints"=dword:00000000
    "HighlightedAttributes"=dword:00000000
    "MinCondition"=dword:00000050
    "GraphStep"=dword:00000000
    "SkinName"="Steklo Black"
    "LastUpdateCheck"=dword:00009d36
    "HighQualityGUI"=dword:00000001
    "AutomaticallyUpdateCheck"=dword:00000001
    "AdvancedGeneration"=dword:00000000
    "TranslateStaffSkills"=dword:00000001
    "TranslatePlayerSkills"=dword:00000001
    "TranslatePositions"=dword:00000001
    "ShowHistory"=dword:00000001
    "Version"=dword:00000072
    "UniqueID"="F5-8ADF-C7BF"
    "Currency"=dword:00000056
    "UseProxy"=dword:00000000
    "ProxyHost"=""
    "ProxyPort"=""
    "UseAuthentication"=dword:00000000
    "UserName"=""
    "UserPassword"=""
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(812)
    c:\windows\system32\igfxdev.dll
    .
    Completion time: 2010-10-14 18:12:25
    ComboFix-quarantined-files.txt 2010-10-14 17:12

    Pre-Run: 72,790,745,088 bytes free
    Post-Run: 72,842,473,472 bytes free

    - - End Of File - - 0B91BC773D6ECC8E50267592C4907D99
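The Security Center overrides, the disabled firewall and the orphaned Run entries in the log above are the items a helper looks at first. As an added example (not from the thread, and not ComboFix's own code), here is a small Python parser for that REGEDIT4-style section with those checks applied to a constructed sample modelled on the posted log; the section and value formats it expects are assumptions based on that log.

```python
"""Triage of a ComboFix-style 'Reg Loading Points' section.

Added example, not part of the TechSpot thread or of ComboFix. It parses the
REGEDIT4-like text ComboFix prints and flags what a malware helper checks
first: Security Center overrides, a disabled Windows Firewall, and Run values
whose target is a bare DLL in the Windows directory rather than a program.
"""
import re
from typing import Dict, List

# Constructed sample, modelled on the posted log (values are illustrative).
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]
"Dgoxaquza"="c:\windows\axoxebuxeyaki.dll" [2010-10-10 98304]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
# Three value shapes seen in the log (assumed format):
#   "name"="string" [date size]  |  "name"=dword:00000001  |  "name"= 0 (0x0)
VALUE_RE = re.compile(
    r'^"([^"]+)"=\s*(?:"([^"]*)"|dword:([0-9a-fA-F]{8})|(\d+)\s*\(0x[0-9a-fA-F]+\))'
)
# A DLL sitting directly in c:\windows (no subfolder), as in the orphans above.
BARE_WINDOWS_DLL = re.compile(r"c:\\windows\\[^\\]+\.dll")


def parse_loading_points(text: str) -> Dict[str, Dict[str, str]]:
    """Return {registry key: {value name: value}}; dwords become decimal strings."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:
            current = sec.group(1)
            keys.setdefault(current, {})
            continue
        val = VALUE_RE.match(line)
        if val and current is not None:
            name, text_val, dword, plain = val.groups()
            if dword is not None:
                keys[current][name] = str(int(dword, 16))
            elif plain is not None:
                keys[current][name] = plain
            else:
                keys[current][name] = text_val
    return keys


def triage(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Apply the three checks and return one finding per suspicious item."""
    findings: List[str] = []
    for key, values in keys.items():
        k = key.lower()
        if k.endswith("security center"):
            for name in ("AntiVirusOverride", "FirewallOverride"):
                if values.get(name) == "1":
                    findings.append(f"{name}=1: Security Center alerts suppressed ({key})")
        if k.endswith("firewallpolicy\\standardprofile") and values.get("EnableFirewall") == "0":
            findings.append("EnableFirewall=0: Windows Firewall disabled in the standard profile")
        if k.endswith("\\run"):
            for name, target in values.items():
                if BARE_WINDOWS_DLL.fullmatch(target.lower()):
                    findings.append(f"Run value {name!r} loads a bare DLL from the Windows directory: {target}")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_loading_points(SAMPLE)):
        print(finding)
```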
  8. crunchie

    crunchie Malware Helper Posts: 761

    Please go to Jotti's or to virustotal and have this file scanned. Post the results back here.

    c:\windows\unvise32.exe

    ====

    How is the PC now?
  9. zenoperegrinus

    zenoperegrinus TS Rookie Topic Starter

    Crunchie,

    Here are the results from both.

    The PC seems fine now. I didn't even see the dll warnings on startup. Thank you so very much for your help. Can I make a donation to this site or something to show my gratitude?

    Jotti's malware scan

    This file has been scanned before. The results for this previous scan are listed below.
    --------------------------------------------------------------------------------
    Filename: unvise32.exe
    Status: Scan finished. 0 out of 19 scanners reported malware.
    Scan taken on: Thu 29 Jul 2010 05:24:43 (CET)

    Additional info
    File size: 86016 bytes
    Filetype: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
    MD5: 84b4f61f59a421bd85d97b35d194b42b
    SHA1: d3f2bac1a72f82c42d551c066c8ec841f46adb60
    ----

    VirusTotal

    0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.
    File name: unvise32.exe
    Submission date: 2010-09-14 18:26:33 (UTC)
    Current status: finished
    Result: 0 /41 (0.0%)
    VT Community

    not reviewed
    Safety score: -
    Antivirus Version Last Update Result
    AhnLab-V3 2010.09.13.00 2010.09.13 -
    AntiVir 8.2.4.52 2010.09.14 -
    Antiy-AVL 2.0.3.7 2010.09.14 -
    Authentium 5.2.0.5 2010.09.14 -
    Avast 4.8.1351.0 2010.09.14 -
    Avast5 5.0.594.0 2010.09.14 -
    BitDefender 7.2 2010.09.14 -
    CAT-QuickHeal 11.00 2010.09.14 -
    ClamAV 0.96.2.0-git 2010.09.14 -
    Comodo 6076 2010.09.14 -
    Emsisoft 5.0.0.37 2010.09.14 -
    eSafe 7.0.17.0 2010.09.14 -
    eTrust-Vet 36.1.7854 2010.09.14 -
    F-Prot 4.6.1.107 2010.09.14 -
    F-Secure 9.0.15370.0 2010.09.14 -
    Fortinet 4.1.143.0 2010.09.13 -
    GData 21 2010.09.14 -
    Ikarus T3.1.1.88.0 2010.09.14 -
    Jiangmin 13.0.900 2010.09.14 -
    K7AntiVirus 9.63.2512 2010.09.14 -
    Kaspersky 7.0.0.125 2010.09.14 -
    McAfee 5.400.0.1158 2010.09.14 -
    McAfee-GW-Edition 2010.1B 2010.09.14 -
    Microsoft 1.6103 2010.09.14 -
    NOD32 5451 2010.09.14 -
    Norman 6.06.06 2010.09.14 -
    nProtect 2010-09-14.01 2010.09.14 -
    Panda 10.0.2.7 2010.09.14 -
    PCTools 7.0.3.5 2010.09.14 -
    Prevx 3.0 2010.09.14 -
    Rising 22.65.01.04 2010.09.14 -
    Sophos 4.57.0 2010.09.14 -
    Sunbelt 6875 2010.09.14 -
    SUPERAntiSpyware 4.40.0.1006 2010.09.14 -
    Symantec 20101.1.1.7 2010.09.14 -
    TheHacker 6.7.0.0.017 2010.09.14 -
    TrendMicro 9.120.0.1004 2010.09.14 -
    TrendMicro-HouseCall 9.120.0.1004 2010.09.14 -
    VBA32 3.12.14.0 2010.09.14 -
    ViRobot 2010.8.25.4006 2010.09.14 -
    VirusBuster 12.65.6.0 2010.09.14 -
    Additional information
    MD5 : 84b4f61f59a421bd85d97b35d194b42b
    SHA1 : d3f2bac1a72f82c42d551c066c8ec841f46adb60
    SHA256: f241f37d423dd5c192b22ca1d4655dbf9e9b861487a6ac0f958b190e975934dc
    ------
  10. crunchie

    crunchie Malware Helper Posts: 761

    As far as I am aware, there is no facility for making a donation to the site, but thank you for the offer anyway :).

    Looks like you are good to go :).

    To remove all of the tools we used and the files and folders they created, please do the following:
    Please download OTC by OldTimer:
    Save it to your Desktop.
    Double click OTC.exe.
    Click the CleanUp! button.
    If you are prompted to Reboot during the cleanup, select Yes. The tool will delete itself once it finishes.