TechSpot

Infected netbt.sys

By canadawfb
Jul 20, 2010
  1. A couple of days ago my A/V kept telling me that I had an infected tmp file. When I ran a full scan it also showed that the netbt.sys file was infected ... now I can't access any computers on my network ... internet is OK but my printer/file sharing is not ... when I try to open one of the other computers I get a "path cannot be found" error.

    I noticed a few other posts regarding this & saw the warnings not to attempt to fix this on my own so here I am ...

    Not sure if this will help at all, but here is a HijackThis log

    ~edit- removed HijackThis log ~
  2. Bobbye

    Bobbye, Helper on the Fringe

    We don't 'screen' a system with HijackThis.

    If you would like us to check the system for malware, please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

    When you have finished, leave the logs for review in your next reply.

    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.

    Please paste the logs into your next reply.

    Please uninstall or disable BitComet while I am helping you clean.
  3. canadawfb

    canadawfb TS Rookie Topic Starter

    Here are the logs from the scans listed ...

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4331

    Windows 6.0.6002 Service Pack 2
    Internet Explorer 8.0.6001.18928

    7/20/2010 10:08:48 AM
    mbam-log-2010-07-20 (10-08-48).txt

    Scan type: Quick scan
    Objects scanned: 143522
    Time elapsed: 10 minute(s), 39 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 11
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 2

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\AppID\{84c3c236-f588-4c93-84f4-147b2abbe67b} (Adware.Adrotator) -> No action taken.
    HKEY_CLASSES_ROOT\AppID\{38061edc-40bb-4618-a8da-e56353347e6d} (Adware.EZlife) -> No action taken.
    HKEY_CLASSES_ROOT\AppID\{7b6a2552-e65b-4a9e-add4-c45577ffd8fd} (Adware.EZLife) -> No action taken.
    HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> No action taken.
    HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> No action taken.
    HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> No action taken.
    HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> No action taken.
    HKEY_CLASSES_ROOT\adshothlpr.adshothlpr (Adware.Adrotator) -> No action taken.
    HKEY_CLASSES_ROOT\adshothlpr.adshothlpr.1.0 (Adware.Adrotator) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Sky-Banners (Adware.Adrotator) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Sky-Banners (Adware.Adrotator) -> No action taken.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Windows\system32\Drivers\pmlbn.sys (Rootkit.Bubnix) -> No action taken.




    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit quick scan 2010-07-20 10:36:26
    Windows 6.0.6002 Service Pack 2
    Running: 96z8iiv2.exe; Driver: C:\Users\William\AppData\Local\Temp\pwtdipow.sys


    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs 8656DA08

    AttachedDevice \Driver\tdx \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\tdx \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\tdx \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

    ---- Services - GMER 1.0.15 ----

    Service (*** hidden *** ) [BOOT] pmlbn <-- ROOTKIT !!!

    ---- EOF - GMER 1.0.15 ----

  4. canadawfb

    canadawfb TS Rookie Topic Starter

    OK... I really need some help

    First off... oops... I know it's mentioned not to do any other scans, but I noticed that when I tried to do the scans listed in the "8 step" that Norton Online Security was still on & I couldn't get it to turn off, so I used the Norton removal tool, which took off the online security & my Symantec antivirus... my ISP provides a "complete protection" package so I decided to install that instead of the Symantec... anyway, now I can't access anything with my wireless on my laptop... it shows that it is connected both local & internet, but nothing works. I have to connect via wire to get the internet to work...

    I re-did the scans mentioned & here are the results...

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4331

    Windows 6.0.6002 Service Pack 2
    Internet Explorer 8.0.6001.18928

    7/21/2010 8:58:02 AM
    mbam-log-2010-07-21 (08-58-02).txt

    Scan type: Quick scan
    Objects scanned: 143611
    Time elapsed: 7 minute(s), 37 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 11
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 3

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\AppID\{84c3c236-f588-4c93-84f4-147b2abbe67b} (Adware.Adrotator) -> No action taken.
    HKEY_CLASSES_ROOT\AppID\{38061edc-40bb-4618-a8da-e56353347e6d} (Adware.EZlife) -> No action taken.
    HKEY_CLASSES_ROOT\AppID\{7b6a2552-e65b-4a9e-add4-c45577ffd8fd} (Adware.EZLife) -> No action taken.
    HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> No action taken.
    HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> No action taken.
    HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> No action taken.
    HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> No action taken.
    HKEY_CLASSES_ROOT\adshothlpr.adshothlpr (Adware.Adrotator) -> No action taken.
    HKEY_CLASSES_ROOT\adshothlpr.adshothlpr.1.0 (Adware.Adrotator) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Sky-Banners (Adware.Adrotator) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Sky-Banners (Adware.Adrotator) -> No action taken.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Windows\system32\Drivers\pmlbn.sys (Rootkit.Bubnix) -> No action taken.
    C:\Users\William\AppData\Roaming\dhxiuw.dat (Malware.Trace) -> No action taken.
    C:\Users\William\AppData\Local\Temp\services.exe (Password.Stealer) -> No action taken.

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit quick scan 2010-07-21 09:00:10
    Windows 6.0.6002 Service Pack 2
    Running: 96z8iiv2.exe; Driver: C:\Users\William\AppData\Local\Temp\pwtdipow.sys


    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs 8659D160
    Device \FileSystem\Ntfs \Ntfs 84C17758
    Device \FileSystem\Ntfs \Ntfs 847E5C40
    Device \FileSystem\Ntfs \Ntfs 977E9430
    Device \FileSystem\Ntfs \Ntfs 859675C8

    AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs dwprot.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs trufos.sys
    AttachedDevice \Driver\tdx \Device\Ip rp_skt32.sys (Radialpoint Filter/Radialpoint Inc.)
    AttachedDevice \Driver\tdx \Device\Ip dwprot.sys
    AttachedDevice \Driver\tdx \Device\Tcp rp_skt32.sys (Radialpoint Filter/Radialpoint Inc.)
    AttachedDevice \Driver\tdx \Device\Tcp dwprot.sys
    AttachedDevice \Driver\tdx \Device\Udp rp_skt32.sys (Radialpoint Filter/Radialpoint Inc.)
    AttachedDevice \Driver\tdx \Device\Udp dwprot.sys
    AttachedDevice \Driver\tdx \Device\RawIp rp_skt32.sys (Radialpoint Filter/Radialpoint Inc.)
    AttachedDevice \Driver\tdx \Device\RawIp dwprot.sys

    ---- Services - GMER 1.0.15 ----

    Service (*** hidden *** ) [BOOT] pmlbn <-- ROOTKIT !!!

    ---- EOF - GMER 1.0.15 ----

  5. canadawfb

    canadawfb TS Rookie Topic Starter

    DDS part1


    DDS (Ver_10-03-17.01) - NTFSx86
    Run by William at 9:03:11.35 on Wed 07/21/2010
    Internet Explorer: 8.0.6001.18928 BrowserJavaVersion: 1.6.0_18
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2038.779 [GMT -4:00]

    SP: BitDefender Antispyware *disabled* (Updated) {8B2012EC-32D4-494F-BC03-832DB3BDF911}
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

    = Running Processes =
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Program Files\Rogers Online Protection\Rogers Online Protection\Fws.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\taskeng.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Rogers Online Protection\Rogers Online Protection\AVG\Identity Protection\agent\Bin\AVGIDSAgent.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Windows\system32\atashost.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    svchost.exe "C:\Windows\system32\adsnte.exe"
    C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Program Files\Sony\Network Utility\NSUService.exe
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\PSIService.exe
    C:\Program Files\Rogers Online Protection\Rogers Online Protection\RpsSecurityAwareR.exe
    C:\Program Files\CyberLink\Shared files\RichVideo.exe
    C:\Program Files\Rogers Online Protection\Rogers Servicepoint Agent\ServicepointService.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
    C:\Program Files\Rogers Backup Manager\VaultClientSRV.exe
    C:\Program Files\Rogers Backup Manager\VaultClientUpgrade.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\DRIVERS\xaudio.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
    C:\Program Files\Sony\VAIO Event Service\VESMgrSub.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
    C:\Windows\system32\igfxext.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\Sony\ISB Utility\ISBMgr.exe
    C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\DivX\DivX Update\DivXUpdate.exe
    C:\Program Files\CyberLink\InstantBurn\Win2K\IBurn.exe
    C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe
    C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe
    C:\Program Files\CyberLink\Shared files\brs.exe
    C:\Program Files\Rogers Online Protection\Rogers Servicepoint Agent\RogersServicepointAgent.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
    C:\Windows\ehome\ehtray.exe
    C:\Users\William\AppData\Local\TheWeatherNetwork\WeatherEye\WeatherEye.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files\Apoint\ApMsgFwd.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files\Rogers Online Protection\Rogers Servicepoint Agent\RogersServicepointAgentComHandler.exe
    C:\Windows\system32\vssvc.exe
    C:\Windows\System32\svchost.exe -k swprv
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Users\William\Desktop\dds.scr

    = Pseudo HJT Report =
    uStart Page = hxxp://www.google.com/ig
    uDefault_Search_URL = hxxp://www.google.com/ie
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    uURLSearchHooks: D'Accord Music Software Toolbar: {c4225628-e1f3-4fd1-ab0b-b24c84bcf12f} - c:\program files\d'accord_music_software\tbD'Ac.dll
    mURLSearchHooks: D'Accord Music Software Toolbar: {c4225628-e1f3-4fd1-ab0b-b24c84bcf12f} - c:\program files\d'accord_music_software\tbD'Ac.dll
    BHO: IDMIEHlprObj Class: {0055c089-8582-441b-a0bf-17b458c2a3a8} - c:\program files\internet download manager\IDMIECC.dll
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
    BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.2.8.7.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
    BHO: D'Accord Music Software Toolbar: {c4225628-e1f3-4fd1-ab0b-b24c84bcf12f} - c:\program files\d'accord_music_software\tbD'Ac.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - No File
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
    TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
    TB: D'Accord Music Software Toolbar: {c4225628-e1f3-4fd1-ab0b-b24c84bcf12f} - c:\program files\d'accord_music_software\tbD'Ac.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
    uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
    uRun: [WeatherEye] c:\users\william\appdata\local\theweathernetwork\weathereye\WeatherEye.exe
    mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
    mRun: [RtHDVCpl] RtHDVCpl.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [Apoint] c:\program files\apoint\Apoint.exe
    mRun: [ISBMgr.exe] "c:\program files\sony\isb utility\ISBMgr.exe"
    mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
    mRun: [Adobe_ID0EYTHM] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
    mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
    mRun: [InstantBurn] c:\progra~1\cyberl~1\instan~1\win2k\IBurn.exe
    mRun: [CLMLServer] "c:\program files\cyberlink\power2go\CLMLSvc.exe"
    mRun: [RemoteControl9] "c:\program files\cyberlink\powerdvd9\PDVD9Serv.exe"
    mRun: [PDVD9LanguageShortcut] "c:\program files\cyberlink\powerdvd9\language\Language.exe"
    mRun: [BDRegion] c:\program files\cyberlink\shared files\brs.exe
    mRun: [RogersServicepointAgent.exe] "c:\program files\rogers online protection\rogers servicepoint agent\RogersServicepointAgent.exe" /AUTORUN
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Download all links with IDM - c:\program files\internet download manager\IEGetAll.htm
    IE: Download FLV video content with IDM - c:\program files\internet download manager\IEGetVL.htm
    IE: Download with IDM - c:\program files\internet download manager\IEExt.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
    IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\program files\bitcomet\tools\BitCometBHO_1.2.8.7.dll/206
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
    Trusted Zone: webprint.com\staplescanada
    DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/C/B/F/CBF23A2C-3E55-4664-BC5C-762780D79BA0/OGAControl.cab
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
    Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
    Notify: igfxcui - igfxdev.dll
    Notify: VESWinlogon - VESWinlogon.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

    = FIREFOX =

    FF - ProfilePath - c:\users\william\appdata\roaming\mozilla\firefox\profiles\lyn23nxo.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca
    FF - component: c:\programdata\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
    FF - component: c:\users\william\appdata\roaming\mozilla\firefox\profiles\lyn23nxo.default\extensions\{f904d379-5b2e-44ee-96c9-3b51bd98696c}\components\FFExternalAlert.dll
    FF - component: c:\users\william\appdata\roaming\mozilla\firefox\profiles\lyn23nxo.default\extensions\{f904d379-5b2e-44ee-96c9-3b51bd98696c}\components\RadioWMPCore.dll
    FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
    FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
    FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
    FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
    FF - plugin: c:\program files\musicnotes\npmusicn.dll
    FF - plugin: c:\program files\musicnotes\NPSibelius.dll
    FF - plugin: c:\program files\opera\program\plugins\NPAXDLPI.dll
    FF - plugin: c:\program files\rogers online protection\rogers servicepoint agent\nprpspa.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: XULRunner: {C5C352EF-71DF-4D20-9049-6ECF64F887AD} - c:\users\william\appdata\local\{c5c352ef-71df-4d20-9049-6ecf64f887ad}\
    FF - HiddenExtension: XULRunner: {69FEFA69-F5CA-46D0-9358-E05AAEBB4201} - c:\users\william\appdata\local\{69fefa69-f5ca-46d0-9358-e05aaebb4201}\
    FF - HiddenExtension: XULRunner: {1531F9BE-381F-48AD-9957-41DD340082F8} - c:\users\william\appdata\local\{1531f9be-381f-48ad-9957-41dd340082f8}\
    FF - HiddenExtension: XULRunner: {0FECA212-7432-4347-9071-6FEF7DA8B322} - c:\users\william\appdata\local\{0feca212-7432-4347-9071-6fef7da8b322}\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

  6. canadawfb

    canadawfb TS Rookie Topic Starter

    DDS part2

    ---- FIREFOX POLICIES ----
    pref(dom.disable_open_during_load, true);c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
    c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

    ============= SERVICES / DRIVERS ===============

    R0 RadialpointIDSEH;RadialpointIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-7-20 25608]
    R1 CLBStor;InstantBurn Storage Helper Driver;c:\windows\system32\drivers\CLBStor.sys [2010-6-25 15784]
    R2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2010/06/25 08:59:25];c:\program files\cyberlink\powerdvd9\000.fcl [2009-9-1 87536]
    R2 atashost;WebEx Service Host for Support Center;c:\windows\system32\atashost.exe [2010-7-20 20376]
    R2 CLBUDF;CyberLink InstantBurn UDF Filesystem;c:\windows\system32\drivers\CLBUDF.sys [2010-6-25 163368]
    R2 NSUService;NSUService;c:\program files\sony\network utility\NSUService.exe [2009-1-7 204800]
    R2 Radialpoint Security Services;Rogers Online Protection;c:\program files\rogers online protection\rogers online protection\RpsSecurityAwareR.exe [2010-6-7 166944]
    R2 RadialpointIDSAgent;RadialpointIDSAgent;c:\program files\rogers online protection\rogers online protection\avg\identity protection\agent\bin\AVGIDSAgent.exe [2010-7-20 5832712]
    R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-18 11032]
    R2 ServicepointService;ServicepointService;c:\program files\rogers online protection\rogers servicepoint agent\ServicepointService.exe [2010-7-20 689392]
    R2 VaultClientSRV;Rogers Backup Manager Service;c:\program files\rogers backup manager\VaultClientSRV.exe [2010-6-7 1053936]
    R2 VaultClientUpgrade;Rogers Backup Manager Upgrade Service;c:\program files\rogers backup manager\VaultClientUpgrade.exe [2010-6-7 120048]
    R3 RadialpointIDSDriver;RadialpointIDSDriver;c:\program files\rogers online protection\rogers online protection\avg\identity protection\agent\drivers\AVGIDSDriver.sys [2010-7-20 122376]
    R3 RadialpointIDSFilter;RadialpointIDSFilter;c:\program files\rogers online protection\rogers online protection\avg\identity protection\agent\drivers\AVGIDSfilter.sys [2010-7-20 30216]
    R3 RadialpointIDSShim;RadialpointIDSShim;c:\program files\rogers online protection\rogers online protection\avg\identity protection\agent\drivers\AVGIDSShim.sys [2010-7-20 27800]
    R3 SFEP;Sony Firmware Extension Parser;c:\windows\system32\drivers\SFEP.sys [2008-12-3 9344]
    R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2008-12-3 812544]
    RUnknown DwProt;DwProt; [x]
    S2 ehstartPolicyAgent;Windows Media Center Service Launcher ehstartPolicyAgent;c:\windows\system32\adsnte.exe srv --> c:\windows\system32\adsnte.exe srv [?]
    S2 gupdate1ca0193f90bc980;Google Update Service (gupdate1ca0193f90bc980);c:\program files\google\update\GoogleUpdate.exe [2009-7-10 133104]
    S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2009-1-7 21504]
    S3 LTXMD_VAC;Litex Media Virtual Audio Cable (WDM);c:\windows\system32\drivers\lmvac.sys [2009-3-25 18912]
    S3 VAIOMediaPlatform-UCLS-AppServer;VAIO Media Content Collection;c:\program files\sony\vaio media integrated server\UCLS.exe [2009-1-7 745472]
    S3 VAIOMediaPlatform-UCLS-HTTP;VAIO Media Content Collection (HTTP);c:\program files\sony\vaio media integrated server\platform\SV_Httpd.exe [2009-1-7 397312]
    S3 VAIOMediaPlatform-UCLS-UPnP;VAIO Media Content Collection (UPnP);c:\program files\sony\vaio media integrated server\platform\UPnPFramework.exe [2009-1-7 1089536]
    S3 VcmIAlzMgr;VAIO Content Metadata Intelligent Analyzing Manager;c:\program files\sony\vcm intelligent analyzing manager\VcmIAlzMgr.exe [2008-12-3 292128]
    S3 VcmXmlIfHelper;VAIO Content Metadata XML Interface;c:\program files\common files\sony shared\vcmxml\VcmXmlIfHelper.exe [2008-12-3 79136]

    =============== Created Last 30 ================

    2010-07-21 12:46:16 0 d-s---w- C:\ComboFix
    2010-07-21 00:20:02 25608 ----a-w- c:\windows\system32\drivers\AVGIDSEH.sys
    2010-07-21 00:19:50 0 d-----w- c:\program files\Rogers Backup Manager
    2010-07-21 00:19:15 285704 ----a-w- c:\windows\system32\drivers\bdfsfltr.sys
    2010-07-21 00:18:38 53192 ----a-w- c:\windows\system32\drivers\rp_skt32.sys
    2010-07-21 00:18:31 48384 ----a-w- c:\windows\system32\drivers\rp_pkt32.sys
    2010-07-21 00:18:18 0 d-----w- c:\programdata\Raxco
    2010-07-21 00:18:18 0 d-----w- c:\program files\Raxco
    2010-07-21 00:10:17 0 d-----w- c:\programdata\Radialpoint
    2010-07-21 00:10:16 0 d-----w- c:\program files\Rogers Online Protection
    2010-07-20 19:59:28 0 d-----w- c:\program files\Pure Networks
    2010-07-20 19:59:03 76184 ----a-w- c:\windows\system32\atsckernel.exe
    2010-07-20 19:59:02 20376 ----a-w- c:\windows\system32\atashost.exe
    2010-07-20 19:58:57 0 d-----w- c:\programdata\webex
    2010-07-20 13:51:30 32 --s-a-w- c:\windows\system32\707316731.dat
    2010-07-20 13:41:06 0 d-sh--w- C:\$RECYCLE.BIN
    2010-07-20 13:22:03 98816 ----a-w- c:\windows\sed.exe
    2010-07-20 13:22:03 77312 ----a-w- c:\windows\MBR.exe
    2010-07-20 13:22:03 256512 ----a-w- c:\windows\PEV.exe
    2010-07-20 13:22:03 161792 ----a-w- c:\windows\SWREG.exe
    2010-07-20 13:07:58 0 d-----w- c:\users\william\appdata\roaming\Malwarebytes
    2010-07-20 13:07:10 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-07-20 13:07:09 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-07-20 13:07:09 0 d-----w- c:\programdata\Malwarebytes
    2010-07-20 13:07:09 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-07-19 21:20:16 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
    2010-07-19 21:02:11 65536 ----a-w- c:\windows\ocsetup_cbs_install_MicrosoftWindowsPowerShell.dpx
    2010-07-19 21:02:11 3538944 ----a-w- c:\windows\ocsetup_install_MicrosoftWindowsPowerShell.etl
    2010-07-19 21:02:11 196608 ----a-w- c:\windows\ocsetup_cbs_install_MicrosoftWindowsPowerShell.perf
    2010-07-19 21:02:08 0 d-----w- c:\program files\Microsoft ATS
    2010-07-19 11:31:21 0 d-----w- C:\New Folder
    2010-07-19 02:30:41 0 d-----w- c:\users\william\DoctorWeb
    2010-07-19 00:46:41 768000 ----a-w- c:\windows\system32\drivers\pmlbn.sys
    2010-07-19 00:46:04 150 ----a-w- C:\zrpt.xml
    2010-07-15 13:26:56 0 d-----w- c:\users\william\appdata\roaming\IDM
    2010-07-15 13:26:51 0 d-----w- c:\program files\Internet Download Manager
    2010-07-15 13:08:02 0 d-----w- c:\users\william\appdata\roaming\DMCache
    2010-07-14 13:49:17 0 d-----w- c:\users\william\appdata\roaming\MozillaControl
    2010-07-14 13:48:32 0 d-----w- c:\program files\Mozilla ActiveX Control v1.7.12
    2010-07-14 13:47:44 0 d-----w- c:\program files\VideoLAN
    2010-07-14 13:47:23 0 d-----w- c:\program files\Graboid
    2010-07-13 15:44:11 0 d-----w- c:\windows\pss
    2010-07-12 20:50:20 251440 ---ha-w- c:\windows\system32\mlfcache.dat
    2010-07-12 20:20:39 12 ----a-w- c:\users\william\appdata\roaming\uzkrij.dat
    2010-07-12 13:33:08 8 ----a-w- c:\users\william\appdata\roaming\vdnxlf.dat
    2010-07-08 14:44:15 4 ----a-w- c:\users\william\appdata\roaming\dhxiuw.dat
    2010-07-06 20:11:15 4472984 ----a-w- c:\users\william\mary_businessad.psd
    2010-06-30 17:14:30 29272 ----a-r- c:\windows\system32\AdobePDF.dll
    2010-06-26 06:04:35 0 d-----w- C:\1e4ddfe722e6e8642f433f48d6f573
    2010-06-25 12:59:03 0 d-----w- c:\program files\common files\CyberLink
    2010-06-25 12:55:34 29480 ----a-w- c:\windows\system32\msxml3a.dll
    2010-06-25 12:36:59 163368 ------w- c:\windows\system32\drivers\CLBUDF.sys
    2010-06-25 12:36:59 15784 ------w- c:\windows\system32\drivers\CLBStor.sys
    2010-06-25 12:36:15 0 d-----w- c:\programdata\CyberLink
    2010-06-23 20:57:53 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
    2010-06-23 20:57:52 297808 ----a-w- c:\windows\system32\mscoree.dll
    2010-06-23 20:57:52 295264 ----a-w- c:\windows\system32\PresentationHost.exe
    2010-06-23 20:57:51 49472 ----a-w- c:\windows\system32\netfxperf.dll
    2010-06-23 20:57:51 1130824 ----a-w- c:\windows\system32\dfshim.dll
    2010-06-23 01:07:51 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
    2010-06-23 01:07:50 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll

    ==================== Find3M ====================

    2010-07-21 00:49:29 51200 ----a-w- c:\windows\inf\infpub.dat
    2010-07-21 00:49:29 143360 ----a-w- c:\windows\inf\infstrng.dat
    2010-07-21 00:49:29 143360 ----a-w- c:\windows\inf\infstor.dat
    2010-07-21 00:31:59 662 ----a-w- c:\program files\RejoinCommandLine.txt
    2010-07-14 15:21:54 3452 --sha-w- c:\windows\system32\KGyGaAvL.sys
    2010-06-08 17:25:52 244 ----a-w- c:\users\william\appdata\roaming\wklnhst.dat
    2010-06-03 02:41:44 3600384 ----a-w- c:\windows\system32\GPhotos.scr
    2010-05-26 17:06:41 34304 ----a-w- c:\windows\system32\atmlib.dll
    2010-05-26 14:47:41 289792 ----a-w- c:\windows\system32\atmfd.dll
    2010-05-21 18:14:28 221568 ------w- c:\windows\system32\MpSigStub.exe
    2010-05-04 15:58:23 10 ----a-w- c:\programdata\VYAAUFMZPWSP.SYS
    2010-05-04 14:02:52 88064 ----a-w- c:\windows\system32\AudioExCtl.dll
    2010-05-04 05:59:21 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-05-04 05:55:42 71680 ----a-w- c:\windows\system32\iesetup.dll
    2010-05-04 05:55:42 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2010-05-04 04:31:05 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2010-05-01 14:13:48 2037248 ----a-w- c:\windows\system32\win32k.sys
    2010-04-27 18:40:40 133616 ------w- c:\windows\system32\pxafs.dll
    2010-04-27 18:40:40 126448 ------w- c:\windows\system32\pxinsi64.exe
    2010-04-23 14:13:55 2048 ----a-w- c:\windows\system32\tzres.dll
    2009-10-27 20:48:14 665600 ----a-w- c:\windows\inf\drvindex.dat
    2009-01-08 04:44:57 174 --sha-w- c:\program files\desktop.ini
    2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
    2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
    2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
    2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
    2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
    2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
    2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
    2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
    2003-08-13 16:19:54 61440 ----a-w- c:\program files\mdMod1.dll
    2002-06-21 17:33:06 24576 ----a-w- c:\program files\EnDeCrypt.dll
    2002-08-01 00:55:12 106 --sh--w- c:\windows\WSYS049.SYS
    2009-12-21 14:38:46 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\temp\cookies\index.dat
    2009-12-21 14:38:46 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\temp\history\history.ie5\index.dat
    2009-12-21 14:38:46 32768 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\temp\temporary internet files\content.ie5\index.dat
    2009-10-14 17:17:19 262144 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
    2009-07-06 12:46:21 98155040 --sha-w- c:\windows\system32\drivers\fidbox.dat

    ============= FINISH: 9:03:33.43 ===============
     
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please go back and run Malwarebytes again: Your attention is brought to this:
    Be sure that everything is checked, and click Remove Selected.
    You have run it twice without removing anything> all entries show No Action Taken.
    =========================================
    Download Bootkit Remover and save to your Desktop
    1. You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/
    2. After extracting remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users, right click on remover.exe and click Run As Administrator).
    3. You will see a Black screen with some data on it.
    4. Right click on the screen and click Select All.
    5. Press CTRL+C to Copy
    6. Open a Notepad and press CTRL+V to Paste.
    7. Include the report in your next post.
    Thanks to Broni
     
  8. canadawfb

    canadawfb TS Rookie Topic Starter

    hi Bobbye, here's the bootkit remover results...

    Bootkit Remover
    (c) 2009 eSage Lab
    www.esagelab.com

    Program version: 1.1.0.0
    OS Version: Microsoft Windows Vista Home Premium Edition Service Pack 2 (build 6002), 32-bit

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000002`59500000
    Boot sector MD5 is: 0ec6b2481fc707d1e901dc2a875f2826

    Size Device Name MBR Status
    --------------------------------------------
    232 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


    Done;
    Press any key to quit...


    attached is the log file it created
     

    Attached Files:

  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You can delete that debug log.
    • Open Notepad
    • Copy and paste the text in the codebox into Notepad:

      Code:
      @ECHO OFF
      START remover.exe fix \\.\PhysicalDrive0
      EXIT
      
    • Go File > Save As> in
    • Choose All Files in File Type box.
    • Type fix.bat in File Name box.
    • Save fix.bat to your Desktop.
    • Double click fix.bat to run.
      You may see a black box appear; this is normal.
    • When done, run remover.exe again and post its output.

    Do NOT reboot computer!
     
  10. canadawfb

    canadawfb TS Rookie Topic Starter

    second remover results

    Bootkit Remover
    (c) 2009 eSage Lab
    www.esagelab.com

    Program version: 1.1.0.0
    OS Version: Microsoft Windows Vista Home Premium Edition Service Pack 2 (build 6002), 32-bit

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000002`59500000
    Boot sector MD5 is: 0ec6b2481fc707d1e901dc2a875f2826

    Size Device Name MBR Status
    --------------------------------------------
    232 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


    Done;
    Press any key to quit...


    not sure if this means anything, but this came up during the fix.bat...

    Bootkit Remover
    (c) 2009 eSage Lab
    www.esagelab.com

    Program version: 1.1.0.0
    OS Version: Microsoft Windows Vista Home Premium Edition Service Pack 2 (build 6002), 32-bit

    Restoring boot code at \\.\PhysicalDrive0...
    ERROR: No standard boot code found for your OS.
    You can restore boot code only for Windows XP, Server 2003, Vista, Server 2008 and Windows 7

    Done;
    Press any key to quit...
     
  11. canadawfb

    canadawfb TS Rookie Topic Starter

    soooo what's the next step?
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Well, I was asleep last night when you posted this and I have now finished my Sunday morning paper and coffee. So I will begin my day. And hopefully you realized when the thread you had going in another forum was closed that it is frowned upon to post in multiple forums for the same problem at the same time. There are way more infected systems than there are those of us who help to clean them up, so expecting multiple helpers to be assisting you is not reasonable.

    I need to see the Malwarebytes log. Do you have the Vista OS CD?
     
  13. canadawfb

    canadawfb TS Rookie Topic Starter

    Hey Bobbye, I do understand that you're doing this on a volunteer basis and that there is an overflow of infected systems ... in my search for a solution I came across several posts with the same issue, so first off I want to express my appreciation and gratitude for the help...

    In regards to the post on the other forum ... as I'm aware that people like you are quite busy and it seemed I wasn't getting any response, I thought it might be beneficial to try elsewhere. I was not aware that this was "frowned upon"; I was just trying to get some help for my pc problem, that's all ...

    here are the results of the latest malwarebytes log & I do not have a windows cd but I do have the vaio recovery disks that were created when the system was first purchased...

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4331

    Windows 6.0.6002 Service Pack 2
    Internet Explorer 8.0.6001.18928

    7/25/2010 4:20:20 PM
    mbam-log-2010-07-25 (16-20-20).txt

    Scan type: Quick scan
    Objects scanned: 152936
    Time elapsed: 8 minute(s), 33 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Windows\system32\Drivers\pmlbn.sys (Rootkit.Bubnix) -> Quarantined and deleted successfully.
     

    Attached Files:

  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I'm going to ask Broni about running /fixmbr. I'm not sure how you get in to the recovery discs.

    Will be back- or he will.
     
  15. canadawfb

    canadawfb TS Rookie Topic Starter

    k thnx ... I really do appreciate all the help
     
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Broni has been kind enough to give assistance with this: Since you have the Recovery Disc, start with step 2

    Credits in full to Broni
     
  17. canadawfb

    canadawfb TS Rookie Topic Starter

    thnx Bobbye & Broni

    I did the fixmbr as listed & it said "successful" ... when I rebooted, nothing had changed; I still can't get netbt to load and it's not listed under the dependencies for tcp/ip netbios helper ...

    I did another malwarebytes scan just in case... here's the log...
    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4331

    Windows 6.0.6002 Service Pack 2
    Internet Explorer 8.0.6001.18928

    7/29/2010 5:17:31 PM
    mbam-log-2010-07-29 (17-17-31).txt

    Scan type: Quick scan
    Objects scanned: 152681
    Time elapsed: 13 minute(s), 1 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Windows\system32\Drivers\pmlbn.sys (Rootkit.Bubnix) -> Quarantined and deleted successfully.
     
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Here's a description of this Trojan: http://www.microsoft.com/security/p...dia/Entry.aspx?Name=Trojan:WinNT/Bubnix.gen!A

    I'd like you to run this:

    Download TDSSKiller. Extract the zipped file to your desktop.

    Go to Start ->Run. Type/Copy and Paste the following text into the prompt:
    Code:
    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\report.txt -v
    • This will have the program write a detailed log
    • The screen will resemble this black screen:
    • If malicious services or files have been detected, the utility will prompt to reboot the PC in order to complete the disinfection procedure. Please reboot when prompted.
    • After reboot, the driver will delete malicious registry keys and files as well as remove itself from the services list.
    • You should get a screen like this:
    • A log file named report.txt should have been created and saved to the root directory (usually C:\report.txt).
    • Follow the prompts and attach the report to your next reply.
     
  19. canadawfb

    canadawfb TS Rookie Topic Starter

    downloaded & unzipped to desktop... copy & pasted command line into run ... got the following error ....



    also tried to enter in the full path to the file "C:\Users\William\Desktop\TDSSKiller.exe" -l C:\report.txt -v but got the same error
     

    Attached Files:

  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

  21. canadawfb

    canadawfb TS Rookie Topic Starter

    that worked ... when it picked up the pmlbn file I tried "quarantine" first, but there was no change, so I scanned again & tried it with "delete" ("clean" was not an option) and it removed the file on reboot... here's the log .... I only put down what it found, it was too long to post ... total report linked...


    2010/07/30 12:16:33.0090 Suspicious service (NoAccess): pmlbn
    2010/07/30 12:16:33.0309 pmlbn (b7e2234d097b9fdc827eaa8a8b559090) C:\Windows\system32\drivers\pmlbn.sys
    2010/07/30 12:16:33.0309 Suspicious file (NoAccess): C:\Windows\system32\drivers\pmlbn.sys. md5: b7e2234d097b9fdc827eaa8a8b559090
    2010/07/30 12:16:33.0309 pmlbn - detected Locked service (1)


    2010/07/30 12:16:47.0629 Scan finished
    2010/07/30 12:16:47.0629 ================================================================================
    2010/07/30 12:16:47.0645 Detected object count: 1
    2010/07/30 12:16:59.0704 HKLM\SYSTEM\ControlSet001\services\pmlbn - will be deleted after reboot
    2010/07/30 12:16:59.0751 HKLM\SYSTEM\ControlSet002\services\pmlbn - will be deleted after reboot
    2010/07/30 12:16:59.0782 HKLM\SYSTEM\ControlSet003\services\pmlbn - will be deleted after reboot
    2010/07/30 12:16:59.0813 HKLM\SYSTEM\ControlSet004\services\pmlbn - will be deleted after reboot
    2010/07/30 12:16:59.0829 HKLM\SYSTEM\ControlSet005\services\pmlbn - will be deleted after reboot
    2010/07/30 12:16:59.0860 C:\Windows\system32\drivers\pmlbn.sys - will be deleted after reboot
    2010/07/30 12:16:59.0860 Locked service(pmlbn) - User select action: Delete
    2010/07/30 12:17:04.0197 Deinitialize success
     

    Attached Files:
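
An added example, not from this thread or from the TDSSKiller authors: it pulls the detection, pending-deletion and chosen-action lines out of a report.txt like the one above, so a short summary can be posted instead of the full log, and flags any detected object that has no action or nothing queued for deletion (the "found it, but nothing changed after reboot" case). The sample report is constructed from the lines quoted in this thread and the line formats are assumed from them; the netbt line with an all-zero hash is a placeholder for an ordinary driver-inventory line.

```python
"""Summarise a TDSSKiller report.txt (hypothetical helper written for this thread;
line formats are assumed from the excerpt posted above, not from any
Kaspersky documentation)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the thread's excerpt. The netbt line stands in
# for an ordinary driver-inventory line and carries an all-zero placeholder hash.
SAMPLE_REPORT = r"""
2010/07/30 12:16:33.0090 Suspicious service (NoAccess): pmlbn
2010/07/30 12:16:33.0309 pmlbn (b7e2234d097b9fdc827eaa8a8b559090) C:\Windows\system32\drivers\pmlbn.sys
2010/07/30 12:16:33.0309 Suspicious file (NoAccess): C:\Windows\system32\drivers\pmlbn.sys. md5: b7e2234d097b9fdc827eaa8a8b559090
2010/07/30 12:16:33.0309 pmlbn - detected Locked service (1)
2010/07/30 12:16:33.0400 netbt (00000000000000000000000000000000) C:\Windows\system32\drivers\netbt.sys
2010/07/30 12:16:47.0629 Scan finished
2010/07/30 12:16:47.0645 Detected object count: 1
2010/07/30 12:16:59.0704 HKLM\SYSTEM\ControlSet001\services\pmlbn - will be deleted after reboot
2010/07/30 12:16:59.0860 C:\Windows\system32\drivers\pmlbn.sys - will be deleted after reboot
2010/07/30 12:16:59.0860 Locked service(pmlbn) - User select action: Delete
2010/07/30 12:17:04.0197 Deinitialize success
"""

TIMESTAMP_RE = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4} (.*)$")
SUSPICIOUS_RE = re.compile(r"^Suspicious (service|file) \((\w+)\): (.+?)(?:\. md5: ([0-9a-f]{32}))?$")
DETECTED_RE = re.compile(r"^(\S+) - detected (.+?) \(\d+\)$")
PENDING_RE = re.compile(r"^(.+) - will be deleted after reboot$")
ACTION_RE = re.compile(r"^[\w ]+\((\S+)\) - User select action: (\w+)$")
COUNT_RE = re.compile(r"^Detected object count: (\d+)$")
DRIVER_RE = re.compile(r"^(\S+) \(([0-9a-f]{32})\) (.+)$")

@dataclass
class Summary:
    drivers: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # name -> (md5, path)
    suspicious: List[Tuple[str, str, str, Optional[str]]] = field(default_factory=list)
    detections: List[Tuple[str, str]] = field(default_factory=list)    # (name, verdict)
    pending: List[str] = field(default_factory=list)                   # queued deletions
    actions: Dict[str, str] = field(default_factory=dict)              # name -> chosen action
    detected_count: Optional[int] = None

def parse_report(text: str) -> Summary:
    s = Summary()
    for raw in text.splitlines():
        ts = TIMESTAMP_RE.match(raw.strip())
        if not ts:
            continue  # banner, blank and separator lines carry no timestamp
        body = ts.group(1)
        if m := SUSPICIOUS_RE.match(body):
            s.suspicious.append((m.group(1), m.group(2), m.group(3), m.group(4)))
        elif m := DETECTED_RE.match(body):
            s.detections.append((m.group(1), m.group(2)))
        elif m := PENDING_RE.match(body):
            s.pending.append(m.group(1))
        elif m := ACTION_RE.match(body):
            s.actions[m.group(1)] = m.group(2)
        elif m := COUNT_RE.match(body):
            s.detected_count = int(m.group(1))
        elif m := DRIVER_RE.match(body):
            s.drivers[m.group(1)] = (m.group(2), m.group(3))
    return s

def unresolved(s: Summary) -> List[str]:
    """Detected objects with no chosen action or nothing queued for deletion."""
    return [name for name, _ in s.detections
            if name not in s.actions or not any(name in p for p in s.pending)]

def render(s: Summary) -> str:
    """Short, postable summary in place of the full report."""
    lines = [f"Detected object count: {s.detected_count}"]
    for kind, reason, target, md5 in s.suspicious:
        lines.append(f"  suspicious {kind} [{reason}]: {target}" + (f"  md5={md5}" if md5 else ""))
    for name, verdict in s.detections:
        lines.append(f"  {name}: {verdict} -> action: {s.actions.get(name, 'NONE')}")
    lines.extend(f"  queued for deletion: {p}" for p in s.pending)
    lines.extend(f"  UNRESOLVED: {n}" for n in unresolved(s))
    return "\n".join(lines)

if __name__ == "__main__":
    print(render(parse_report(SAMPLE_REPORT)))
```
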

  22. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Awesome! What is the system status now?
     
  23. canadawfb

    canadawfb TS Rookie Topic Starter

    I did another malwarebytes scan and it came up clean
    ... now I just need to get the network working again... I tried the netsh commands for winsock, ipv4 and ipv6 but got the same error message I was getting on ipv4 & ipv6 ... I'll post those again tomorrow, or is there another step I need to do first?
     
  24. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I tried for a year to get my own network set up. I followed every set of directions I could find and failed every time. Finally, I got Network Magic> it had the network set up and mapped in 20 minutes!

    You can remove all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.

    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
    • Choose Disc Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Empty the Recycle Bin
     
  25. canadawfb

    canadawfb TS Rookie Topic Starter

    Bobbye,

    Thanks again for the help... I had my network up and running; it's just that the first issue I had with this little bug was that it caused the netbt.sys file to be quarantined, which apparently is an important file for networking systems together, and now I can't get netbt.sys to load...

    I'll try Network Magic to see if that works...

    Thanks again... guess we can mark this trojan problem "solved" ... really appreciate it!
     
Topic Status:
Not open for further replies.
