So I got hit with this virus about 5 days ago now, I wasn't even browsing the net when all of a sudden Java tried to open itself, then it was nonstop fake anti-virus software ads that looked like actual windows warning screens. When ANYTHING else was attempted to be opened, an "error" box would come up and say that "insert program here" has been infected and that it couldn't be opened. I ran AntiVir to no avail, even in safe mode, so I started calling some people.
I was told to put Malwarebytes on the laptop and it caught about 15 infections, removed them, and all seemed fine. But upon reboot, every time I run AntiVir or MBAM, it always shows ONE infection, some rootkit in the registry, and it says to reboot to remove, I do, and it's still there. Then I found this amazing forum, went through all the steps, and have attached my logs. I did manage to update all the programs except for Java, FireFox seems to be really pissed at Java at the moment and won't load it up, no matter what I try, and Internet Explorer just plain won't open at all even in regular mode. Any and all hep is greatly appreciated.
Malwarebytes Log:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4103
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18904
5/15/2010 10:37:10 AM
mbam-log-2010-05-15 (10-37-10).txt
Scan type: Quick scan
Objects scanned: 117932
Time elapsed: 7 minute(s), 45 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Windows\system32\Drivers\nvvzywhs.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
GMER Log:
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-05-15 11:45:33
Windows 6.0.6002 Service Pack 2
Running: 6qzcbjyx.exe; Driver: C:\Users\Owner\AppData\Local\Temp\kwdcipob.sys
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs 85487C08
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
---- Services - GMER 1.0.15 ----
Service (*** hidden *** ) [BOOT] nvvzywhs <-- ROOTKIT !!!
---- EOF - GMER 1.0.15 ----
DDS Logs:
DDS (Ver_10-03-17.01) - NTFSx86 NETWORK
Run by Owner at 16:52:37.07 on Sat 05/15/2010
Internet Explorer: 8.0.6001.18904
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1917.1097 [GMT -5:00]
SP: Avira AntiVir PersonalEdition *enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
============== Running Processes ===============
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\Explorer.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Owner\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.yahoo.com/
mDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - No File
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [bthunet] rundll32 "c:\users\owner\appdata\local\temp\credhost.dll",DllEntryPoint
mRun: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [StartCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe
mRun: [lxddmon.exe] "c:\program files\lexmark 2500 series\lxddmon.exe"
mRun: [lxddamon] "c:\program files\lexmark 2500 series\lxddamon.exe"
mRun: [FaxCenterServer] "c:\program files\lexmark fax solutions\fm3032.exe" /s
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Skytel] Skytel.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [M-Audio Taskbar Icon] c:\windows\system32\M-AudioTaskBarIcon.exe
mRun: [DigidesignMMERefresh] c:\program files\digidesign\drivers\MMERefresh.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111v2\WG111v2.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Send To &Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/resources/VistaMSNPUplden-us.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
================= FIREFOX ===================
FF - ProfilePath - c:\users\owner\appdata\roaming\mozilla\firefox\profiles\yvbztva0.default\
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
============= SERVICES / DRIVERS ===============
R0 SCMNdisP;General NDIS Protocol Driver;c:\windows\system32\drivers\SCMNdisP.sys [2008-5-19 21728]
R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2007-8-22 7168]
S1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-5-1 11608]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-5-1 108289]
S2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-5-1 185089]
S2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-5-1 56816]
S2 gupdate1c9b050b2c3a90;Google Update Service (gupdate1c9b050b2c3a90);c:\program files\google\update\GoogleUpdate.exe [2009-3-29 133104]
S2 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe -service --> c:\windows\system32\lxddcoms.exe -service [?]
S2 lxddCATSCustConnectService;lxddCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxddserv.exe [2007-4-26 99248]
S2 SCM_Service;SCM_Service;c:\windows\system32\WinService.exe [2008-5-19 180224]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-6-20 21504]
S3 MAUSBPRODUCER;Service for M-Audio Producer;c:\windows\system32\drivers\MAudioProducer.sys [2009-6-22 156808]
S3 RTL8187;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v2.sys [2008-5-19 288768]
S3 winbondcir;Winbond IR Transceiver;c:\windows\system32\drivers\winbondcir.sys [2007-3-28 43008]
S4 nvvzywhs;nvvzywhs;c:\windows\system32\drivers\nvvzywhs.sys [2010-5-10 823808]
=============== Created Last 30 ================
2010-05-15 16:24:23 230520643 ----a-w- c:\windows\MEMORY.DMP
2010-05-13 00:45:49 738816 ----a-w- c:\windows\system32\inetcomm.dll
2010-05-12 03:41:57 0 d-----w- c:\users\owner\appdata\roaming\Malwarebytes
2010-05-12 03:41:49 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-12 03:41:48 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-12 03:41:48 0 d-----w- c:\programdata\Malwarebytes
2010-05-12 03:41:48 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-12 01:23:09 0 d-----w- c:\programdata\AVP 2009
2010-05-12 01:23:09 0 ----a-w- c:\windows\system32\MSVolumeAMP.dll
2010-05-11 04:52:42 823808 ----a-w- c:\windows\system32\drivers\nvvzywhs.sys
2010-05-08 22:59:15 12 ----a-w- c:\users\owner\appdata\roaming\lipoqz.dat
2010-05-08 06:42:32 0 d-----w- c:\program files\iTunes
2010-04-19 17:42:42 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-19 17:42:41 3600776 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-19 16:57:41 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-19 16:57:41 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-19 16:57:40 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-19 16:57:30 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-04-19 16:55:36 904576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-19 16:55:36 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-04-19 16:55:36 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-04-19 16:53:41 62464 ----a-w- c:\windows\system32\l3codeca.acm
2010-04-19 16:53:41 220672 ----a-w- c:\windows\system32\l3codecp.acm
2010-04-19 16:47:06 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-19 16:46:48 98304 ----a-w- c:\windows\system32\cabview.dll
==================== Find3M ====================
2010-05-08 06:40:06 51200 ----a-w- c:\windows\inf\infpub.dat
2010-05-08 06:40:06 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-05-06 15:36:38 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-05 19:57:36 2856 ----a-w- c:\users\owner\appdata\roaming\wklnhst.dat
2010-04-11 06:12:47 143360 ----a-w- c:\windows\inf\infstor.dat
2010-04-08 18:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 18:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-03-20 22:20:51 87608 ----a-w- c:\users\owner\appdata\roaming\inst.exe
2010-03-20 22:20:51 47360 ----a-w- c:\users\owner\appdata\roaming\pcouffin.sys
2010-02-23 06:39:13 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33:45 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 06:33:45 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 04:55:36 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-20 23:06:41 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:05:14 30720 ----a-w- c:\windows\system32\httpapi.dll
2009-11-18 01:43:36 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-06-23 07:11:17 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-10-15 04:18:21 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2010-01-09 05:13:50 245760 --sha-w- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\ietldcache\index.dat
============= FINISH: 16:53:15.29 ===============
I was told to put Malwarebytes on the laptop and it caught about 15 infections, removed them, and all seemed fine. But upon reboot, every time I run AntiVir or MBAM, it always shows ONE infection, some rootkit in the registry, and it says to reboot to remove, I do, and it's still there. Then I found this amazing forum, went through all the steps, and have attached my logs. I did manage to update all the programs except for Java, FireFox seems to be really pissed at Java at the moment and won't load it up, no matter what I try, and Internet Explorer just plain won't open at all even in regular mode. Any and all hep is greatly appreciated.
Malwarebytes Log:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4103
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18904
5/15/2010 10:37:10 AM
mbam-log-2010-05-15 (10-37-10).txt
Scan type: Quick scan
Objects scanned: 117932
Time elapsed: 7 minute(s), 45 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Windows\system32\Drivers\nvvzywhs.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
GMER Log:
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-05-15 11:45:33
Windows 6.0.6002 Service Pack 2
Running: 6qzcbjyx.exe; Driver: C:\Users\Owner\AppData\Local\Temp\kwdcipob.sys
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs 85487C08
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
---- Services - GMER 1.0.15 ----
Service (*** hidden *** ) [BOOT] nvvzywhs <-- ROOTKIT !!!
---- EOF - GMER 1.0.15 ----
DDS Logs:
DDS (Ver_10-03-17.01) - NTFSx86 NETWORK
Run by Owner at 16:52:37.07 on Sat 05/15/2010
Internet Explorer: 8.0.6001.18904
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1917.1097 [GMT -5:00]
SP: Avira AntiVir PersonalEdition *enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
============== Running Processes ===============
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\Explorer.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Owner\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.yahoo.com/
mDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - No File
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [bthunet] rundll32 "c:\users\owner\appdata\local\temp\credhost.dll",DllEntryPoint
mRun: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [StartCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe
mRun: [lxddmon.exe] "c:\program files\lexmark 2500 series\lxddmon.exe"
mRun: [lxddamon] "c:\program files\lexmark 2500 series\lxddamon.exe"
mRun: [FaxCenterServer] "c:\program files\lexmark fax solutions\fm3032.exe" /s
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Skytel] Skytel.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [M-Audio Taskbar Icon] c:\windows\system32\M-AudioTaskBarIcon.exe
mRun: [DigidesignMMERefresh] c:\program files\digidesign\drivers\MMERefresh.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111v2\WG111v2.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Send To &Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/resources/VistaMSNPUplden-us.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
================= FIREFOX ===================
FF - ProfilePath - c:\users\owner\appdata\roaming\mozilla\firefox\profiles\yvbztva0.default\
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
============= SERVICES / DRIVERS ===============
R0 SCMNdisP;General NDIS Protocol Driver;c:\windows\system32\drivers\SCMNdisP.sys [2008-5-19 21728]
R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2007-8-22 7168]
S1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-5-1 11608]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-5-1 108289]
S2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-5-1 185089]
S2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-5-1 56816]
S2 gupdate1c9b050b2c3a90;Google Update Service (gupdate1c9b050b2c3a90);c:\program files\google\update\GoogleUpdate.exe [2009-3-29 133104]
S2 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe -service --> c:\windows\system32\lxddcoms.exe -service [?]
S2 lxddCATSCustConnectService;lxddCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxddserv.exe [2007-4-26 99248]
S2 SCM_Service;SCM_Service;c:\windows\system32\WinService.exe [2008-5-19 180224]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-6-20 21504]
S3 MAUSBPRODUCER;Service for M-Audio Producer;c:\windows\system32\drivers\MAudioProducer.sys [2009-6-22 156808]
S3 RTL8187;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v2.sys [2008-5-19 288768]
S3 winbondcir;Winbond IR Transceiver;c:\windows\system32\drivers\winbondcir.sys [2007-3-28 43008]
S4 nvvzywhs;nvvzywhs;c:\windows\system32\drivers\nvvzywhs.sys [2010-5-10 823808]
=============== Created Last 30 ================
2010-05-15 16:24:23 230520643 ----a-w- c:\windows\MEMORY.DMP
2010-05-13 00:45:49 738816 ----a-w- c:\windows\system32\inetcomm.dll
2010-05-12 03:41:57 0 d-----w- c:\users\owner\appdata\roaming\Malwarebytes
2010-05-12 03:41:49 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-12 03:41:48 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-12 03:41:48 0 d-----w- c:\programdata\Malwarebytes
2010-05-12 03:41:48 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-12 01:23:09 0 d-----w- c:\programdata\AVP 2009
2010-05-12 01:23:09 0 ----a-w- c:\windows\system32\MSVolumeAMP.dll
2010-05-11 04:52:42 823808 ----a-w- c:\windows\system32\drivers\nvvzywhs.sys
2010-05-08 22:59:15 12 ----a-w- c:\users\owner\appdata\roaming\lipoqz.dat
2010-05-08 06:42:32 0 d-----w- c:\program files\iTunes
2010-04-19 17:42:42 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-19 17:42:41 3600776 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-19 16:57:41 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-19 16:57:41 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-19 16:57:40 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-19 16:57:30 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-04-19 16:55:36 904576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-19 16:55:36 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-04-19 16:55:36 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-04-19 16:53:41 62464 ----a-w- c:\windows\system32\l3codeca.acm
2010-04-19 16:53:41 220672 ----a-w- c:\windows\system32\l3codecp.acm
2010-04-19 16:47:06 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-19 16:46:48 98304 ----a-w- c:\windows\system32\cabview.dll
==================== Find3M ====================
2010-05-08 06:40:06 51200 ----a-w- c:\windows\inf\infpub.dat
2010-05-08 06:40:06 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-05-06 15:36:38 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-05 19:57:36 2856 ----a-w- c:\users\owner\appdata\roaming\wklnhst.dat
2010-04-11 06:12:47 143360 ----a-w- c:\windows\inf\infstor.dat
2010-04-08 18:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 18:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-03-20 22:20:51 87608 ----a-w- c:\users\owner\appdata\roaming\inst.exe
2010-03-20 22:20:51 47360 ----a-w- c:\users\owner\appdata\roaming\pcouffin.sys
2010-02-23 06:39:13 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33:45 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 06:33:45 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 04:55:36 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-20 23:06:41 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:05:14 30720 ----a-w- c:\windows\system32\httpapi.dll
2009-11-18 01:43:36 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-06-23 07:11:17 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-10-15 04:18:21 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2010-01-09 05:13:50 245760 --sha-w- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\ietldcache\index.dat
============= FINISH: 16:53:15.29 ===============