Hail, benevolent ones,
I have the "System Check" virus - got pop-ups telling me my hard drive wasn't working and that my computer was overheating and so on. I tried to follow the advice on this other website: http://www.myantispyware.com/2012/01/02/how-to-remove-system-check-virus/, and it did help some... it said to rename some suspicious-looking .exe files whose names consisted of a long string of random letters and numbers, so I renamed them to things like 123.exe, 34.exe, and so on. And after that, as promised, when I rebooted the System Check crap no longer came up and prevented me from doing stuff. So I can find all my files and access the internet and so on normally.
I haven't had much luck properly fixing it though. The next thing that website said to do was to run attrib -h /s /d in the command box, but when I tried that all I got was a string of "Access Denied"s. Then I ran Malwarebytes, and it found a couple of things and deleted them (the file named 34.exe, which it deleted, is one of those that I manually renamed earlier - it's presumably a System Check file), but I'm sure that it didn't get everything. My desktop screen is still black (with icons on it for all my documents and programs, but my wallpaper isn't there). I also ran TDSSKiller, but it found nothing.
Below are my starting logs, as requested in the 5-step thread. I had to uncheck "Devices" when I ran GMER to get it to complete (the first time I tried to run it, it got interrupted mid-scan).
Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org
Database version: v2012.03.04.06
Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 8.0.6001.19190
dawn :: DAWN-PC [administrator]
3/4/2012 7:35:28 PM
mbam-log-2012-03-04 (19-35-28).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 180123
Time elapsed: 9 minute(s), 6 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
Folders Detected: 0
(No malicious items detected)
Files Detected: 2
C:\ProgramData\34.exe (Rogue.FakeHDD) -> Quarantined and deleted successfully.
C:\Users\dawn\AppData\Local\temp\7iOFnfqVi1fCpm.exe.tmp (Rogue.FakeHDD) -> Quarantined and deleted successfully.
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-03-04 22:13:39
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\0000004f ST316081 rev.3.AD
Running: rs5sw4be (1).exe; Driver: C:\Users\dawn\AppData\Local\Temp\pxldapog.sys
---- System - GMER 1.0.15 ----
SSDT 8B94DD86 ZwCreateSection
SSDT 8B94DD8B ZwSetContextThread
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS ZwTerminateProcess [0x8BDE1640]
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!KeSetEvent + 215 820E1998 4 Bytes [86, DD, 94, 8B]
.text ntkrnlpa.exe!KeSetEvent + 56D 820E1CF0 4 Bytes [8B, DD, 94, 8B]
.text ntkrnlpa.exe!KeSetEvent + 621 820E1DA4 4 Bytes [40, 16, DE, 8B]
---- EOF - GMER 1.0.15 ----
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.19190 BrowserJavaVersion: 1.6.0_26
Run by dawn at 22:13:49 on 2012-03-04
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.958.144 [GMT -6:00]
.
AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\rundll32.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Microsoft\BingBar\SeaPort.EXE
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.bbc.co.uk/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll"
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [DwcShfdOUdbj.exe] c:\programdata\DwcShfdOUdbj.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
StartupFolder: c:\users\dawn\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{A822FA93-8917-48F3-B7AB-52199DA2166D} : DhcpNameServer = 192.168.0.1
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
AppInit_DLLs: c:\progra~1\google\google~2\GoogleDesktopNetwork3.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\dawn\appdata\roaming\mozilla\firefox\profiles\7jbhv2ne.default\
FF - prefs.js: browser.startup.homepage - hxxp://home.jzip.com
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
============= SERVICES / DRIVERS ===============
.
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-10-12 136360]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-10-12 269480]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-10-12 66616]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-5-27 21504]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-1-5 652360]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-1-5 20464]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-2-28 183560]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-03-05 02:04:48 709968 ----a-w- c:\windows\isRS-000.tmp
2012-03-05 01:19:35 338944 ----a-w- c:\programdata\12.exe
2012-03-05 01:06:47 -------- d-----w- c:\users\dawn\appdata\local\{A5DD2183-4423-4F51-B922-010D7A46F306}
2012-03-05 01:06:31 -------- d-----w- c:\users\dawn\appdata\local\{9EE0D689-ADF1-41F1-BF81-410A98E50207}
2012-03-05 00:49:40 338944 ----a-w- c:\programdata\123.exe
2012-03-02 08:34:38 -------- d-----w- c:\users\dawn\appdata\local\{82A287C0-B25D-4900-9B53-802483FF29CD}
2012-03-02 08:34:25 -------- d-----w- c:\users\dawn\appdata\local\{6F80CF1B-6617-4240-B87C-7580497E53E1}
2012-03-02 07:57:01 6552120 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{cd50030e-f929-4857-a578-7880c717b17c}\mpengine.dll
2012-02-29 21:33:05 -------- d-----w- c:\users\dawn\appdata\local\{2F901420-A044-4056-9883-C1FD56C32E95}
2012-02-29 21:32:52 -------- d-----w- c:\users\dawn\appdata\local\{0CDFF2EA-F450-4DBE-8667-BF4CDEDFB08E}
2012-02-26 19:00:54 -------- d-----w- c:\users\dawn\appdata\local\{74BEBA07-6582-4635-93CB-7F490D9734D3}
2012-02-26 19:00:39 -------- d-----w- c:\users\dawn\appdata\local\{DBE15D7D-DF67-4FCF-9745-C3DF7780D0E3}
2012-02-21 06:12:29 -------- d-----w- c:\users\dawn\appdata\local\{46814D6E-A6EA-44B9-B6DB-15C1333B4EC9}
2012-02-21 06:12:12 -------- d-----w- c:\users\dawn\appdata\local\{F2FD9E30-D9E8-4F1B-BE0F-6BE327AD261C}
2012-02-19 22:08:51 -------- d-----w- c:\users\dawn\appdata\local\{FA1F1255-EE1B-4939-85ED-CD3741C2CE37}
2012-02-16 13:11:33 -------- d-----w- c:\users\dawn\appdata\local\{188844FA-E3B0-4751-85B4-F1ECC09A8EFA}
2012-02-16 00:03:16 680448 ----a-w- c:\windows\system32\msvcrt.dll
2012-02-16 00:03:11 2044416 ----a-w- c:\windows\system32\win32k.sys
2012-02-16 00:03:05 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2012-02-15 22:43:15 -------- d-----w- c:\users\dawn\appdata\local\{F99B1246-4EAD-4722-8243-726431BC609E}
2012-02-15 22:42:49 -------- d-----w- c:\users\dawn\appdata\local\{BAFEF87A-4758-43E5-9AE7-5197A03BCFE6}
2012-02-13 04:38:26 -------- d-----w- c:\users\dawn\.texlive2011
2012-02-12 23:00:47 -------- d-----w- C:\texlive
2012-02-12 20:01:37 18328 ----a-w- c:\programdata\microsoft\identitycrl\production\ppcrlconfig600.dll
2012-02-12 19:56:12 -------- d-----w- c:\users\dawn\appdata\local\{E0C83C6D-BCAC-4EA8-876C-9F6CBF6A88EE}
2012-02-12 19:55:24 -------- d-----w- c:\users\dawn\appdata\local\{2DE6A306-44F8-414A-B57B-2E1251232137}
2012-02-08 18:54:13 -------- d-----w- c:\users\dawn\appdata\local\{7E731A66-814F-4E2F-847F-D4788D3E6F0B}
2012-02-08 18:53:56 -------- d-----w- c:\users\dawn\appdata\local\{F4C59DA3-DDD3-498C-8DD0-72C15E207D04}
2012-02-07 14:27:00 -------- d-----w- c:\users\dawn\appdata\local\{2D59AF0E-1E7A-4E67-AAA5-1AAE6767729E}
2012-02-07 14:26:43 -------- d-----w- c:\users\dawn\appdata\local\{2F1DA3C7-202A-4A8E-929D-BE3834A667F3}
2012-02-05 18:00:30 -------- d-----w- c:\users\dawn\appdata\local\{105093CE-5287-4448-8FD6-6068FF827452}
2012-02-05 17:59:26 -------- d-----w- c:\users\dawn\appdata\local\{42ED9FE6-3015-4356-BE8A-9438DAB461C6}
.
==================== Find3M ====================
.
2012-01-29 11:10:42 237072 ------w- c:\windows\system32\MpSigStub.exe
2011-12-15 06:22:01 916992 ----a-w- c:\windows\system32\wininet.dll
2011-12-15 06:18:03 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-12-15 06:17:51 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-12-15 06:17:35 71680 ----a-w- c:\windows\system32\iesetup.dll
2011-12-15 06:17:35 109056 ----a-w- c:\windows\system32\iesysprep.dll
2011-12-15 05:21:27 385024 ----a-w- c:\windows\system32\html.iec
2011-12-15 04:45:13 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2011-12-15 04:43:48 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-12-10 21:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-20 08:13:26 9815040 ----a-w- c:\program files\openofficeorg31.msi
2002-03-11 09:06:30 1822520 ----a-w- c:\program files\instmsiw.exe
2002-03-11 08:45:04 1708856 ----a-w- c:\program files\instmsia.exe
.
============= FINISH: 22:14:50.25 ===============