Solved: Infected netbt.sys


canadawfb

A couple of days ago my A/V kept telling me that I had an infected tmp file. When I ran a full scan it also showed that the netbt.sys file was infected... now I can't access any computers on my network... internet is OK but my printer/file sharing is not... when I try to open one of the other computers I get a "path cannot be found" error.

I noticed a few other posts regarding this & saw the warnings not to attempt to fix this on my own, so here I am...

Not sure if this will help at all, but here is a HijackThis log

~edit- removed hijackthis log ~
 
We don't 'screen' a system with HijackThis.

If you would like us to check the system for malware, please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

When you have finished, leave the logs for review in your next reply.

Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.

Please paste the logs into your next reply.

Please uninstall or disable BitComet while I am helping you clean.
 
Here are the logs from the scans listed ...

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4331

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18928

7/20/2010 10:08:48 AM
mbam-log-2010-07-20 (10-08-48).txt

Scan type: Quick scan
Objects scanned: 143522
Time elapsed: 10 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 11
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID\{84c3c236-f588-4c93-84f4-147b2abbe67b} (Adware.Adrotator) -> No action taken.
HKEY_CLASSES_ROOT\AppID\{38061edc-40bb-4618-a8da-e56353347e6d} (Adware.EZlife) -> No action taken.
HKEY_CLASSES_ROOT\AppID\{7b6a2552-e65b-4a9e-add4-c45577ffd8fd} (Adware.EZLife) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> No action taken.
HKEY_CLASSES_ROOT\adshothlpr.adshothlpr (Adware.Adrotator) -> No action taken.
HKEY_CLASSES_ROOT\adshothlpr.adshothlpr.1.0 (Adware.Adrotator) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Sky-Banners (Adware.Adrotator) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Sky-Banners (Adware.Adrotator) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\system32\Drivers\pmlbn.sys (Rootkit.Bubnix) -> No action taken.




GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-07-20 10:36:26
Windows 6.0.6002 Service Pack 2
Running: 96z8iiv2.exe; Driver: C:\Users\William\AppData\Local\Temp\pwtdipow.sys


---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8656DA08

AttachedDevice \Driver\tdx \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) [BOOT] pmlbn <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----
 

Attachments

  • mbam-log-2010-07-20 (10-08-48).txt (2.2 KB)
  • Attach.txt (9.1 KB)
  • DDS.txt (29.8 KB)
  • gmer.log (774 bytes)

OK... I really need some help.

First off... oops... I know it's mentioned not to do any other scans, but I noticed that when I tried to do the scans listed in the "8 step" that Norton Online Security was still on & I couldn't get it to turn off, so I used the Norton Removal Tool, which took off the online security & my Symantec antivirus... my ISP provides a "complete protection" package so I decided to install that instead of the Symantec... anyway, now I can't access anything with my wireless on my laptop... it shows that it is connected, both local & internet, but nothing works. I have to connect via wire to get the internet to work...

I re-did the scans mentioned & here are the results...

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4331

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18928

7/21/2010 8:58:02 AM
mbam-log-2010-07-21 (08-58-02).txt

Scan type: Quick scan
Objects scanned: 143611
Time elapsed: 7 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 11
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID\{84c3c236-f588-4c93-84f4-147b2abbe67b} (Adware.Adrotator) -> No action taken.
HKEY_CLASSES_ROOT\AppID\{38061edc-40bb-4618-a8da-e56353347e6d} (Adware.EZlife) -> No action taken.
HKEY_CLASSES_ROOT\AppID\{7b6a2552-e65b-4a9e-add4-c45577ffd8fd} (Adware.EZLife) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> No action taken.
HKEY_CLASSES_ROOT\adshothlpr.adshothlpr (Adware.Adrotator) -> No action taken.
HKEY_CLASSES_ROOT\adshothlpr.adshothlpr.1.0 (Adware.Adrotator) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Sky-Banners (Adware.Adrotator) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Sky-Banners (Adware.Adrotator) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\system32\Drivers\pmlbn.sys (Rootkit.Bubnix) -> No action taken.
C:\Users\William\AppData\Roaming\dhxiuw.dat (Malware.Trace) -> No action taken.
C:\Users\William\AppData\Local\Temp\services.exe (Password.Stealer) -> No action taken.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-07-21 09:00:10
Windows 6.0.6002 Service Pack 2
Running: 96z8iiv2.exe; Driver: C:\Users\William\AppData\Local\Temp\pwtdipow.sys


---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8659D160
Device \FileSystem\Ntfs \Ntfs 84C17758
Device \FileSystem\Ntfs \Ntfs 847E5C40
Device \FileSystem\Ntfs \Ntfs 977E9430
Device \FileSystem\Ntfs \Ntfs 859675C8

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.sys
AttachedDevice \FileSystem\Ntfs \Ntfs dwprot.sys
AttachedDevice \FileSystem\Ntfs \Ntfs trufos.sys
AttachedDevice \Driver\tdx \Device\Ip rp_skt32.sys (Radialpoint Filter/Radialpoint Inc.)
AttachedDevice \Driver\tdx \Device\Ip dwprot.sys
AttachedDevice \Driver\tdx \Device\Tcp rp_skt32.sys (Radialpoint Filter/Radialpoint Inc.)
AttachedDevice \Driver\tdx \Device\Tcp dwprot.sys
AttachedDevice \Driver\tdx \Device\Udp rp_skt32.sys (Radialpoint Filter/Radialpoint Inc.)
AttachedDevice \Driver\tdx \Device\Udp dwprot.sys
AttachedDevice \Driver\tdx \Device\RawIp rp_skt32.sys (Radialpoint Filter/Radialpoint Inc.)
AttachedDevice \Driver\tdx \Device\RawIp dwprot.sys

---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) [BOOT] pmlbn <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----
 

Attachments

  • mbam-log-2010-07-21 (08-58-02).txt (2.2 KB)
  • gmer2.log (1.4 KB)

DDS part1


DDS (Ver_10-03-17.01) - NTFSx86
Run by William at 9:03:11.35 on Wed 07/21/2010
Internet Explorer: 8.0.6001.18928 BrowserJavaVersion: 1.6.0_18
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2038.779 [GMT -4:00]

SP: BitDefender Antispyware *disabled* (Updated) {8B2012EC-32D4-494F-BC03-832DB3BDF911}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

= Running Processes =
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Rogers Online Protection\Rogers Online Protection\Fws.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\taskeng.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Rogers Online Protection\Rogers Online Protection\AVG\Identity Protection\agent\Bin\AVGIDSAgent.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Windows\system32\atashost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe "C:\Windows\system32\adsnte.exe"
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\Sony\Network Utility\NSUService.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\PSIService.exe
C:\Program Files\Rogers Online Protection\Rogers Online Protection\RpsSecurityAwareR.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Rogers Online Protection\Rogers Servicepoint Agent\ServicepointService.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Rogers Backup Manager\VaultClientSRV.exe
C:\Program Files\Rogers Backup Manager\VaultClientUpgrade.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Sony\VAIO Event Service\VESMgrSub.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\Windows\system32\igfxext.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\CyberLink\InstantBurn\Win2K\IBurn.exe
C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe
C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe
C:\Program Files\CyberLink\Shared files\brs.exe
C:\Program Files\Rogers Online Protection\Rogers Servicepoint Agent\RogersServicepointAgent.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Windows\ehome\ehtray.exe
C:\Users\William\AppData\Local\TheWeatherNetwork\WeatherEye\WeatherEye.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Rogers Online Protection\Rogers Servicepoint Agent\RogersServicepointAgentComHandler.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\William\Desktop\dds.scr

= Pseudo HJT Report =
uStart Page = hxxp://www.google.com/ig
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: D'Accord Music Software Toolbar: {c4225628-e1f3-4fd1-ab0b-b24c84bcf12f} - c:\program files\d'accord_music_software\tbD'Ac.dll
mURLSearchHooks: D'Accord Music Software Toolbar: {c4225628-e1f3-4fd1-ab0b-b24c84bcf12f} - c:\program files\d'accord_music_software\tbD'Ac.dll
BHO: IDMIEHlprObj Class: {0055c089-8582-441b-a0bf-17b458c2a3a8} - c:\program files\internet download manager\IDMIECC.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.2.8.7.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: D'Accord Music Software Toolbar: {c4225628-e1f3-4fd1-ab0b-b24c84bcf12f} - c:\program files\d'accord_music_software\tbD'Ac.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - No File
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: D'Accord Music Software Toolbar: {c4225628-e1f3-4fd1-ab0b-b24c84bcf12f} - c:\program files\d'accord_music_software\tbD'Ac.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [WeatherEye] c:\users\william\appdata\local\theweathernetwork\weathereye\WeatherEye.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [ISBMgr.exe] "c:\program files\sony\isb utility\ISBMgr.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [Adobe_ID0EYTHM] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [InstantBurn] c:\progra~1\cyberl~1\instan~1\win2k\IBurn.exe
mRun: [CLMLServer] "c:\program files\cyberlink\power2go\CLMLSvc.exe"
mRun: [RemoteControl9] "c:\program files\cyberlink\powerdvd9\PDVD9Serv.exe"
mRun: [PDVD9LanguageShortcut] "c:\program files\cyberlink\powerdvd9\language\Language.exe"
mRun: [BDRegion] c:\program files\cyberlink\shared files\brs.exe
mRun: [RogersServicepointAgent.exe] "c:\program files\rogers online protection\rogers servicepoint agent\RogersServicepointAgent.exe" /AUTORUN
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Download all links with IDM - c:\program files\internet download manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\internet download manager\IEGetVL.htm
IE: Download with IDM - c:\program files\internet download manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\program files\bitcomet\tools\BitCometBHO_1.2.8.7.dll/206
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
Trusted Zone: webprint.com\staplescanada
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/C/B/F/CBF23A2C-3E55-4664-BC5C-762780D79BA0/OGAControl.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: igfxcui - igfxdev.dll
Notify: VESWinlogon - VESWinlogon.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

= FIREFOX =

FF - ProfilePath - c:\users\william\appdata\roaming\mozilla\firefox\profiles\lyn23nxo.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca
FF - component: c:\programdata\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\users\william\appdata\roaming\mozilla\firefox\profiles\lyn23nxo.default\extensions\{f904d379-5b2e-44ee-96c9-3b51bd98696c}\components\FFExternalAlert.dll
FF - component: c:\users\william\appdata\roaming\mozilla\firefox\profiles\lyn23nxo.default\extensions\{f904d379-5b2e-44ee-96c9-3b51bd98696c}\components\RadioWMPCore.dll
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - plugin: c:\program files\musicnotes\npmusicn.dll
FF - plugin: c:\program files\musicnotes\NPSibelius.dll
FF - plugin: c:\program files\opera\program\plugins\NPAXDLPI.dll
FF - plugin: c:\program files\rogers online protection\rogers servicepoint agent\nprpspa.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {C5C352EF-71DF-4D20-9049-6ECF64F887AD} - c:\users\william\appdata\local\{c5c352ef-71df-4d20-9049-6ecf64f887ad}\
FF - HiddenExtension: XULRunner: {69FEFA69-F5CA-46D0-9358-E05AAEBB4201} - c:\users\william\appdata\local\{69fefa69-f5ca-46d0-9358-e05aaebb4201}\
FF - HiddenExtension: XULRunner: {1531F9BE-381F-48AD-9957-41DD340082F8} - c:\users\william\appdata\local\{1531f9be-381f-48ad-9957-41dd340082f8}\
FF - HiddenExtension: XULRunner: {0FECA212-7432-4347-9071-6FEF7DA8B322} - c:\users\william\appdata\local\{0feca212-7432-4347-9071-6fef7da8b322}\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
 

Attachments

  • DDS.txt (31.9 KB)
  • Attach.txt (20.7 KB)

DDS part2

---- FIREFOX POLICIES ----
pref(dom.disable_open_during_load, true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 RadialpointIDSEH;RadialpointIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-7-20 25608]
R1 CLBStor;InstantBurn Storage Helper Driver;c:\windows\system32\drivers\CLBStor.sys [2010-6-25 15784]
R2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2010/06/25 08:59:25];c:\program files\cyberlink\powerdvd9\000.fcl [2009-9-1 87536]
R2 atashost;WebEx Service Host for Support Center;c:\windows\system32\atashost.exe [2010-7-20 20376]
R2 CLBUDF;CyberLink InstantBurn UDF Filesystem;c:\windows\system32\drivers\CLBUDF.sys [2010-6-25 163368]
R2 NSUService;NSUService;c:\program files\sony\network utility\NSUService.exe [2009-1-7 204800]
R2 Radialpoint Security Services;Rogers Online Protection;c:\program files\rogers online protection\rogers online protection\RpsSecurityAwareR.exe [2010-6-7 166944]
R2 RadialpointIDSAgent;RadialpointIDSAgent;c:\program files\rogers online protection\rogers online protection\avg\identity protection\agent\bin\AVGIDSAgent.exe [2010-7-20 5832712]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-18 11032]
R2 ServicepointService;ServicepointService;c:\program files\rogers online protection\rogers servicepoint agent\ServicepointService.exe [2010-7-20 689392]
R2 VaultClientSRV;Rogers Backup Manager Service;c:\program files\rogers backup manager\VaultClientSRV.exe [2010-6-7 1053936]
R2 VaultClientUpgrade;Rogers Backup Manager Upgrade Service;c:\program files\rogers backup manager\VaultClientUpgrade.exe [2010-6-7 120048]
R3 RadialpointIDSDriver;RadialpointIDSDriver;c:\program files\rogers online protection\rogers online protection\avg\identity protection\agent\drivers\AVGIDSDriver.sys [2010-7-20 122376]
R3 RadialpointIDSFilter;RadialpointIDSFilter;c:\program files\rogers online protection\rogers online protection\avg\identity protection\agent\drivers\AVGIDSfilter.sys [2010-7-20 30216]
R3 RadialpointIDSShim;RadialpointIDSShim;c:\program files\rogers online protection\rogers online protection\avg\identity protection\agent\drivers\AVGIDSShim.sys [2010-7-20 27800]
R3 SFEP;Sony Firmware Extension Parser;c:\windows\system32\drivers\SFEP.sys [2008-12-3 9344]
R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2008-12-3 812544]
RUnknown DwProt;DwProt; [x]
S2 ehstartPolicyAgent;Windows Media Center Service Launcher ehstartPolicyAgent;c:\windows\system32\adsnte.exe srv --> c:\windows\system32\adsnte.exe srv [?]
S2 gupdate1ca0193f90bc980;Google Update Service (gupdate1ca0193f90bc980);c:\program files\google\update\GoogleUpdate.exe [2009-7-10 133104]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2009-1-7 21504]
S3 LTXMD_VAC;Litex Media Virtual Audio Cable (WDM);c:\windows\system32\drivers\lmvac.sys [2009-3-25 18912]
S3 VAIOMediaPlatform-UCLS-AppServer;VAIO Media Content Collection;c:\program files\sony\vaio media integrated server\UCLS.exe [2009-1-7 745472]
S3 VAIOMediaPlatform-UCLS-HTTP;VAIO Media Content Collection (HTTP);c:\program files\sony\vaio media integrated server\platform\SV_Httpd.exe [2009-1-7 397312]
S3 VAIOMediaPlatform-UCLS-UPnP;VAIO Media Content Collection (UPnP);c:\program files\sony\vaio media integrated server\platform\UPnPFramework.exe [2009-1-7 1089536]
S3 VcmIAlzMgr;VAIO Content Metadata Intelligent Analyzing Manager;c:\program files\sony\vcm intelligent analyzing manager\VcmIAlzMgr.exe [2008-12-3 292128]
S3 VcmXmlIfHelper;VAIO Content Metadata XML Interface;c:\program files\common files\sony shared\vcmxml\VcmXmlIfHelper.exe [2008-12-3 79136]

=============== Created Last 30 ================

2010-07-21 12:46:16 0 d-s---w- C:\ComboFix
2010-07-21 00:20:02 25608 ----a-w- c:\windows\system32\drivers\AVGIDSEH.sys
2010-07-21 00:19:50 0 d-----w- c:\program files\Rogers Backup Manager
2010-07-21 00:19:15 285704 ----a-w- c:\windows\system32\drivers\bdfsfltr.sys
2010-07-21 00:18:38 53192 ----a-w- c:\windows\system32\drivers\rp_skt32.sys
2010-07-21 00:18:31 48384 ----a-w- c:\windows\system32\drivers\rp_pkt32.sys
2010-07-21 00:18:18 0 d-----w- c:\programdata\Raxco
2010-07-21 00:18:18 0 d-----w- c:\program files\Raxco
2010-07-21 00:10:17 0 d-----w- c:\programdata\Radialpoint
2010-07-21 00:10:16 0 d-----w- c:\program files\Rogers Online Protection
2010-07-20 19:59:28 0 d-----w- c:\program files\Pure Networks
2010-07-20 19:59:03 76184 ----a-w- c:\windows\system32\atsckernel.exe
2010-07-20 19:59:02 20376 ----a-w- c:\windows\system32\atashost.exe
2010-07-20 19:58:57 0 d-----w- c:\programdata\webex
2010-07-20 13:51:30 32 --s-a-w- c:\windows\system32\707316731.dat
2010-07-20 13:41:06 0 d-sh--w- C:\$RECYCLE.BIN
2010-07-20 13:22:03 98816 ----a-w- c:\windows\sed.exe
2010-07-20 13:22:03 77312 ----a-w- c:\windows\MBR.exe
2010-07-20 13:22:03 256512 ----a-w- c:\windows\PEV.exe
2010-07-20 13:22:03 161792 ----a-w- c:\windows\SWREG.exe
2010-07-20 13:07:58 0 d-----w- c:\users\william\appdata\roaming\Malwarebytes
2010-07-20 13:07:10 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-20 13:07:09 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-20 13:07:09 0 d-----w- c:\programdata\Malwarebytes
2010-07-20 13:07:09 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-19 21:20:16 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2010-07-19 21:02:11 65536 ----a-w- c:\windows\ocsetup_cbs_install_MicrosoftWindowsPowerShell.dpx
2010-07-19 21:02:11 3538944 ----a-w- c:\windows\ocsetup_install_MicrosoftWindowsPowerShell.etl
2010-07-19 21:02:11 196608 ----a-w- c:\windows\ocsetup_cbs_install_MicrosoftWindowsPowerShell.perf
2010-07-19 21:02:08 0 d-----w- c:\program files\Microsoft ATS
2010-07-19 11:31:21 0 d-----w- C:\New Folder
2010-07-19 02:30:41 0 d-----w- c:\users\william\DoctorWeb
2010-07-19 00:46:41 768000 ----a-w- c:\windows\system32\drivers\pmlbn.sys
2010-07-19 00:46:04 150 ----a-w- C:\zrpt.xml
2010-07-15 13:26:56 0 d-----w- c:\users\william\appdata\roaming\IDM
2010-07-15 13:26:51 0 d-----w- c:\program files\Internet Download Manager
2010-07-15 13:08:02 0 d-----w- c:\users\william\appdata\roaming\DMCache
2010-07-14 13:49:17 0 d-----w- c:\users\william\appdata\roaming\MozillaControl
2010-07-14 13:48:32 0 d-----w- c:\program files\Mozilla ActiveX Control v1.7.12
2010-07-14 13:47:44 0 d-----w- c:\program files\VideoLAN
2010-07-14 13:47:23 0 d-----w- c:\program files\Graboid
2010-07-13 15:44:11 0 d-----w- c:\windows\pss
2010-07-12 20:50:20 251440 ---ha-w- c:\windows\system32\mlfcache.dat
2010-07-12 20:20:39 12 ----a-w- c:\users\william\appdata\roaming\uzkrij.dat
2010-07-12 13:33:08 8 ----a-w- c:\users\william\appdata\roaming\vdnxlf.dat
2010-07-08 14:44:15 4 ----a-w- c:\users\william\appdata\roaming\dhxiuw.dat
2010-07-06 20:11:15 4472984 ----a-w- c:\users\william\mary_businessad.psd
2010-06-30 17:14:30 29272 ----a-r- c:\windows\system32\AdobePDF.dll
2010-06-26 06:04:35 0 d-----w- C:\1e4ddfe722e6e8642f433f48d6f573
2010-06-25 12:59:03 0 d-----w- c:\program files\common files\CyberLink
2010-06-25 12:55:34 29480 ----a-w- c:\windows\system32\msxml3a.dll
2010-06-25 12:36:59 163368 ------w- c:\windows\system32\drivers\CLBUDF.sys
2010-06-25 12:36:59 15784 ------w- c:\windows\system32\drivers\CLBStor.sys
2010-06-25 12:36:15 0 d-----w- c:\programdata\CyberLink
2010-06-23 20:57:53 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-06-23 20:57:52 297808 ----a-w- c:\windows\system32\mscoree.dll
2010-06-23 20:57:52 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2010-06-23 20:57:51 49472 ----a-w- c:\windows\system32\netfxperf.dll
2010-06-23 20:57:51 1130824 ----a-w- c:\windows\system32\dfshim.dll
2010-06-23 01:07:51 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-06-23 01:07:50 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll

==================== Find3M ====================

2010-07-21 00:49:29 51200 ----a-w- c:\windows\inf\infpub.dat
2010-07-21 00:49:29 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-07-21 00:49:29 143360 ----a-w- c:\windows\inf\infstor.dat
2010-07-21 00:31:59 662 ----a-w- c:\program files\RejoinCommandLine.txt
2010-07-14 15:21:54 3452 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-06-08 17:25:52 244 ----a-w- c:\users\william\appdata\roaming\wklnhst.dat
2010-06-03 02:41:44 3600384 ----a-w- c:\windows\system32\GPhotos.scr
2010-05-26 17:06:41 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-26 14:47:41 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-05-21 18:14:28 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-04 15:58:23 10 ----a-w- c:\programdata\VYAAUFMZPWSP.SYS
2010-05-04 14:02:52 88064 ----a-w- c:\windows\system32\AudioExCtl.dll
2010-05-04 05:59:21 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 05:55:42 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-05-04 05:55:42 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-05-04 04:31:05 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-05-01 14:13:48 2037248 ----a-w- c:\windows\system32\win32k.sys
2010-04-27 18:40:40 133616 ------w- c:\windows\system32\pxafs.dll
2010-04-27 18:40:40 126448 ------w- c:\windows\system32\pxinsi64.exe
2010-04-23 14:13:55 2048 ----a-w- c:\windows\system32\tzres.dll
2009-10-27 20:48:14 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-01-08 04:44:57 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2003-08-13 16:19:54 61440 ----a-w- c:\program files\mdMod1.dll
2002-06-21 17:33:06 24576 ----a-w- c:\program files\EnDeCrypt.dll
2002-08-01 00:55:12 106 --sh--w- c:\windows\WSYS049.SYS
2009-12-21 14:38:46 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\temp\cookies\index.dat
2009-12-21 14:38:46 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\temp\history\history.ie5\index.dat
2009-12-21 14:38:46 32768 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\temp\temporary internet files\content.ie5\index.dat
2009-10-14 17:17:19 262144 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-07-06 12:46:21 98155040 --sha-w- c:\windows\system32\drivers\fidbox.dat

============= FINISH: 9:03:33.43 ===============
 
Please go back and run Malwarebytes again: Your attention is brought to this:
Be sure that everything is checked, and click Remove Selected.
You have run it twice without removing anything> all entries show No Action Taken.
=========================================
Download Bootkit Remover and save to your Desktop
  1. You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/
  2. After extracting remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users, right click on remover.exe and click Run As Administrator).
  3. You will see a Black screen with some data on it.
  4. Right click on the screen and click Select All.
  5. Press CTRL+C to Copy
  6. Open a Notepad and press CTRL+V to Paste.
  7. Include the report in your next post.
Thanks to Broni
 
Hi Bobbye, here's the bootkit remover results...

Bootkit Remover
(c) 2009 eSage Lab
www.esagelab.com

Program version: 1.1.0.0
OS Version: Microsoft Windows Vista Home Premium Edition Service Pack 2 (build 6002), 32-bit

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000002`59500000
Boot sector MD5 is: 0ec6b2481fc707d1e901dc2a875f2826

Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


Done;
Press any key to quit...


attached is the log file it created
 

Attachments

  • bootkit_remover_debug_log.txt (49.3 KB)
You can delete that debug log.
  • Open Notepad
  • Copy and paste the text in the codebox into Notepad:

    Code:
    @ECHO OFF
    REM fix.bat: have Bootkit Remover rewrite the standard boot code on the first physical drive
    START remover.exe fix \\.\PhysicalDrive0
    EXIT
  • Go File > Save As> in
  • Choose All Files in File Type box.
  • Type fix.bat in File Name box.
  • Save fix.bat to your Desktop.
  • Double click fix.bat to run..
    You may see a black box appear; this is normal.
  • When done, run remover.exe again and post its output.

Do NOT reboot computer!
 
second remover results

Bootkit Remover
(c) 2009 eSage Lab
www.esagelab.com

Program version: 1.1.0.0
OS Version: Microsoft Windows Vista Home Premium Edition Service Pack 2 (build 6002), 32-bit

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000002`59500000
Boot sector MD5 is: 0ec6b2481fc707d1e901dc2a875f2826

Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


Done;
Press any key to quit...


not sure if this means anything, but this came up durning the fix.bat...

Bootkit Remover
(c) 2009 eSage Lab
www.esagelab.com

Program version: 1.1.0.0
OS Version: Microsoft Windows Vista Home Premium Edition Service Pack 2 (build 6002), 32-bit

Restoring boot code at \\.\PhysicalDrive0...
ERROR: No standard boot code found for your OS.
You can restore boot code only for Windows XP, Server 2003, Vista, Server 2008 and Windows 7

Done;
Press any key to quit...
 
soooo what's the next step?
Well, I was asleep last night when you posted this and I have now finished my Sunday morning paper and coffee. So I will begin my day. And hopefully you realized when the thread you had going in another forum was closed that it is frowned upon to post in multiple forums for the same problem at the same time. There are way more infected systems than there are those of us who help to clean them up, so expecting multiple helpers to be assisting you is not reasonable.

I need to see the Malwarebytes log. Do you have the Vista OS CD?
 
Hey Bobbye, I do understand that you're doing this on a volunteer basis and that there is an overflow of infected systems ... in my search for a solution I came across several posts with the same issue, so first off I want to express my appreciation and gratitude for the help...

In regards to the post on the other forum ... as I'm aware that people like you are quite busy and it seemed I wasn't seeming to get any response so I thought it might be beneficial to try elsewhere, I was not aware that this was "frowned upon", I was just trying to get some help for my pc problem, that's all ...

here are the results of the latest malwarebytes log & I do not have a windows cd but I do have the vaio recovery disks that were created when the system was first purchased...

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4331

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18928

7/25/2010 4:20:20 PM
mbam-log-2010-07-25 (16-20-20).txt

Scan type: Quick scan
Objects scanned: 152936
Time elapsed: 8 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\system32\Drivers\pmlbn.sys (Rootkit.Bubnix) -> Quarantined and deleted successfully.
 

Attachments

  • mbam-log-2010-07-25 (16-20-20).txt (960 bytes)
I'm going to ask Broni about running /fixmbr. I'm not sure how you get in to the recovery discs.

Will be back- or he will.
 
Broni has been kind enough to give assistance with this: Since you have the Recovery Disc, start with step 2

If you have Vista DVD...
If you don't have Vista DVD...
1. Create Vista Recovery Disc.
Option 1:
http://www.c4consulting.com.au/soluctions/vista/VISTA SOLUCTIONS.htm

Option 2:
Download Vista Recovery Disc iso image: http://neosmart.net/blog/2008/windows-vista-recovery-disc-download/
Burn it to CD, or DVD: http://neosmart.net/wiki/display/G/Burning+ISO+Images+to+a+CD+or+DVD
=========================================
Since you have the Recovery disk, you would start here:
2. Boot from created disk.
At first screen click on Repair your computer:
setup-option.jpg

This will bring you to a new screen where the repair process will look for all Windows Vista installations on your computer. When done you will be presented with the System Recovery Options dialog box:
system-recovery-options.jpg

After this, it will present you with a list of options including startup repair, system restore and command prompt:
systemrecovery.jpg

Select Command Prompt

Type in:
bootrec /FixMbr (<--- there is a "space" after "bootrec")
and then press Enter

Once completed then type Exit, press Enter and restart computer.
Credits in full to Broni
 
thnx Bobbye & Broni

I did the fixmbr as listed & it said "successful" ... when I rebooted, nothing had changed I still can't get netbt to load and it's not listed under the dependencies for tcp/ip netbios helper ...

I did another malwarebytes scan just in case... here's the log...
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4331

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18928

7/29/2010 5:17:31 PM
mbam-log-2010-07-29 (17-17-31).txt

Scan type: Quick scan
Objects scanned: 152681
Time elapsed: 13 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\system32\Drivers\pmlbn.sys (Rootkit.Bubnix) -> Quarantined and deleted successfully.
 
Here is a description of this Trojan: http://www.microsoft.com/security/p...dia/Entry.aspx?Name=Trojan:WinNT/Bubnix.gen!A

I'd like you to run this:

Download TDSSKiller. Extract the zipped file to your desktop.

Go to Start ->Run. Type/Copy and Paste the following text into the prompt:
Code:
"%userprofile%\Desktop\TDSSKiller.exe" -l C:\report.txt -v
  • This will have the program write a detailed log
  • The screen will resemble this black screen:
2663_5.jpg

  • If malicious services or files have been detected, the utility will prompt to reboot the PC in order to complete the disinfection procedure. Please reboot when prompted.
  • After reboot, the driver will delete malicious registry keys and files as well as remove itself from the services list.
  • You should get a screen like this:
TDSSKillerResults.jpg

  • A log file named report.txt should have been created and saved to the root directory (usually C:\report.txt).
  • Follow the prompts and attach the report to your next reply.
 
Downloaded & unzipped to desktop... copy & pasted command line into run ... got the following error ....



also tried to enter in the full path to the file "C:\Users\William\Desktop\TDSSKiller.exe" -l C:\report.txt -v but got the same error
 

Attachments

  • tdsskiller_error.jpg (18.3 KB)
That worked ... when it picked up the pmlbn file I tried "quarantine" first, but there was no change, so I scanned again & tried it with "delete" ("clean" was not an option) and it removed the file on reboot... here's the log .... I only put down what it found, it was too long to post ... total report linked...


2010/07/30 12:16:33.0090 Suspicious service (NoAccess): pmlbn
2010/07/30 12:16:33.0309 pmlbn (b7e2234d097b9fdc827eaa8a8b559090) C:\Windows\system32\drivers\pmlbn.sys
2010/07/30 12:16:33.0309 Suspicious file (NoAccess): C:\Windows\system32\drivers\pmlbn.sys. md5: b7e2234d097b9fdc827eaa8a8b559090
2010/07/30 12:16:33.0309 pmlbn - detected Locked service (1)


2010/07/30 12:16:47.0629 Scan finished
2010/07/30 12:16:47.0629 ================================================================================
2010/07/30 12:16:47.0645 Detected object count: 1
2010/07/30 12:16:59.0704 HKLM\SYSTEM\ControlSet001\services\pmlbn - will be deleted after reboot
2010/07/30 12:16:59.0751 HKLM\SYSTEM\ControlSet002\services\pmlbn - will be deleted after reboot
2010/07/30 12:16:59.0782 HKLM\SYSTEM\ControlSet003\services\pmlbn - will be deleted after reboot
2010/07/30 12:16:59.0813 HKLM\SYSTEM\ControlSet004\services\pmlbn - will be deleted after reboot
2010/07/30 12:16:59.0829 HKLM\SYSTEM\ControlSet005\services\pmlbn - will be deleted after reboot
2010/07/30 12:16:59.0860 C:\Windows\system32\drivers\pmlbn.sys - will be deleted after reboot
2010/07/30 12:16:59.0860 Locked service(pmlbn) - User select action: Delete
2010/07/30 12:17:04.0197 Deinitialize success
 

Attachments

  • report.txt (60.6 KB)
I did another malwarebytes scan and it came up clean
... now I just need to get the network working again... I tried the netsh commands for winsock, ipv4 and ipv6 but got the same error message I was getting on ipv4 & ipv6 ... I'll post those again tomorrow, or is there another step I need to do first?
 
I tried for a year to get my own network set up. I followed every set of directions I could find and failed every time. Finally, I got Network Magic> it had the network set up and mapped in 20 minutes!

You can remove all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    CF_Uninstall-1.jpg
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
  • Choose Disc Cleanup
  • Click "OK" to select the partition or drive you want.
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


Empty the Recycle Bin
 
Bobbye,

Thanks again for the help... I had my network up and running; it's just that the first issue I had with this little bug was that it caused the netbt.sys file to be quarantined, which apparently is an important file for networking systems together, and now I can't get netbt.sys to load...

I'll try Network Magic to see if that works...

Thanks again... guess we can mark this trojan problem "solved" ... really appreciate it!
 
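The thread ends with netbt.sys still not loading and the TCP/IP NetBIOS Helper no longer showing it as a dependency. The following read-only diagnostic is an added example of mine, not something Bobbye or Broni posted: it reads the NetBT driver key and the lmhosts (TCP/IP NetBIOS Helper) service key from the registry and reports whether the driver file is on disk and whether the dependency is still declared. It assumes Windows Vista or later with PowerShell 2.0+, an elevated prompt, and the standard service names NetBT and lmhosts.

```powershell
# Added diagnostic (not from this thread): inspect the NetBT driver and the
# TCP/IP NetBIOS Helper (lmhosts) service keys after a cleanup. Read-only.
# Assumes Windows Vista or later, PowerShell 2.0+, and an elevated prompt.

$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-DriverState {
    param([string]$Name)
    $key = Join-Path $svcRoot $Name
    if (-not (Test-Path $key)) {
        return New-Object PSObject -Property @{ Name = $Name; Present = $false }
    }
    $p = Get-ItemProperty -Path $key
    # ImagePath in a driver key is usually relative to the Windows directory
    # ("System32\DRIVERS\netbt.sys") or carries a \SystemRoot\ or \??\ prefix.
    $image = [string]$p.ImagePath
    $image = $image -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $image = $image -replace '^\\\?\?\\', ''
    if ($image -and -not [IO.Path]::IsPathRooted($image)) {
        $image = Join-Path $env:SystemRoot $image
    }
    New-Object PSObject -Property @{
        Name       = $Name
        Present    = $true
        Start      = $p.Start      # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
        ImagePath  = $image
        FileExists = [bool]($image -and (Test-Path -LiteralPath $image))
        DependsOn  = @($p.DependOnService)
    }
}

$netbt   = Get-DriverState -Name 'NetBT'
$lmhosts = Get-DriverState -Name 'lmhosts'
$netbt, $lmhosts | Format-List Name, Present, Start, ImagePath, FileExists, DependsOn

# On a healthy Vista/7 system the helper service lists NetBT in DependOnService;
# without that entry it starts while the NetBIOS transport driver stays unloaded,
# which matches the "path cannot be found" symptom for file and printer shares.
if (-not $netbt.Present) {
    Write-Warning 'The NetBT service key is missing from the registry.'
} elseif (-not $netbt.FileExists) {
    Write-Warning "netbt.sys is not at $($netbt.ImagePath); an anti-malware quarantine can cause this. sfc /scannow restores a signed copy."
}
if ($lmhosts.Present -and ($lmhosts.DependsOn -notcontains 'NetBT')) {
    Write-Warning 'lmhosts (TCP/IP NetBIOS Helper) no longer declares NetBT as a dependency.'
}

# Ask the Service Control Manager for the live state of both entries.
sc.exe query NetBT
sc.exe qc lmhosts
```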