Welcome to 247fixes PC Help Forum
[Inactive] Post Is 2010, Malware Defense, & Redirect Virus Check
#1
Posted 30 January 2010 - 09:43 PM
Hello,
I am a new member. I think I have effectively removed Internet Security 2010, Malware Defense, and a browser redirect of some sort, but I would like to make sure. I've also noticed an h8str (or whatever combination it was) file that keeps popping up in my malware scans. My HijackThis log is pasted below. Thanks for any and all help.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:36:46 PM, on 1/30/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Microsoft Forefront\Client Security\Client\SSA\FcsSas.exe
C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\U-ABIT\abitEQ\abiteq.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTuner.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.drudgereport.com/
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll (file missing)
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Microsoft Forefront Client Security Antimalware Service] "C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [ABIT uGuruIII] C:\Program Files\U-ABIT\abitEQ\abiteq.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: RivaTuner.lnk = C:\Program Files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTuner.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=67633
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai...cat-no-eula.cab
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.co...IEGetPlugin.ocx
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/p...owserPlugin.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com...obat/nos/gp.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.ad...Plus/1.6/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: SQL Server (MSSMLBIZ) (MSSQL$MSSMLBIZ) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
--
End of file - 7339 bytes
#2
Posted 30 January 2010 - 10:16 PM
Hello and welcome.
Let's get two more scans to get a more detailed look at your system.
Download and run DDS
We need to see some information about what is happening on your machine. Please perform the following scan:
- Download DDS by sUBs from one of the following links. Save it to your desktop.
- Double click on the DDS icon, allow it to run.
- A small box will open, with an explanation about the tool. No input is needed, the scan is running.
- Notepad will open with the results soon.
- Follow the instructions that pop up for posting the results and then click Ok.
- The black window and message box shall then disappear.
- Please save both log files on your desktop, post DDS.txt, and zip up and attach Attach.txt as instructed.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE
Download and Run GMER
We will use GMER to scan for rootkits.
- Please download GMER from one of the following locations, and save it to your desktop:
  - Main Mirror: this version will download a randomly named file (Recommended)
  - Zip Mirror / Alternate Zip Mirror 1 / Alternate Zip Mirror 2: this version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop. Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
- Close any and all open programs, as this process may crash your computer.
- Double click the GMER icon on your desktop.
- When you have done this, close all running programs.
There is a small chance this application may crash your computer so save any work you have open.
- Double-click on Gmer.exe to start the program. Right-click and select Run As Administrator... if you are using Vista.
- Allow the gmer.sys driver to load if asked.
If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system... Click NO.
- In the right panel, you will see several boxes that have been checked. Please UNCHECK the following:
- Sections
- Registry
- Drives/Partition other than Systemdrive (typically C:\)
- Show all (Don't miss this one!)
- Click on Scan and wait for the scan to finish.
- If you see a rootkit warning window, click OK.
- Push Save and save the logfile to your desktop.
- Copy and Paste the contents of that file in your next post.
If GMER doesn't work in Normal Mode, try running it in Safe Mode.
Note: Do Not run any program while GMER is running
*Note*: Rootkit scans often produce false positives. Do NOT take any actions on "<--- ROOTKIT" entries
With Regards,
Extremeboy
#3
Posted 30 January 2010 - 10:30 PM
Thanks for the quick reply! Here is my DDS file. Should I attach the "Attach" file? Thanks again!
DDS (Ver_09-12-01.01) - NTFSx86
Run by Omar Molina Jr at 16:23:00.26 on Sat 01/30/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2159 [GMT -6:00]
AV: Microsoft Forefront Client Security *On-access scanning enabled* (Updated) {926A3D4F-E4E7-4F47-9902-4EDD55FFE1AF}
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Outdated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
============== Running Processes ===============
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Microsoft Forefront\Client Security\Client\SSA\FcsSas.exe
C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\U-ABIT\abitEQ\abiteq.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTuner.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Runtime Software\DriveImage XML\dixml.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Documents and Settings\Omar Molina Jr\Desktop\dds.scr
C:\WINDOWS\system32\SearchProtocolHost.exe
============== Pseudo HJT Report ===============
uSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydial/*http://www.yahoo.com/search/ie.html
uStart Page = hxxp://www.drudgereport.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
uRun: [ABIT uGuruIII] c:\program files\u-abit\abiteq\abiteq.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Microsoft Forefront Client Security Antimalware Service] "c:\program files\microsoft forefront\client security\client\antimalware\MSASCui.exe" -hide
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\omarmo~1\startm~1\programs\startup\rivatu~1.lnk - c:\program files\rivatuner v2.24 msi master overclocking arena 2009 edition\RivaTuner.exe
uPolicies-explorer: MaxRecentDocs = 99 (0x63)
mPolicies-system: HideShutdownScripts = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=67633
DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - hxxp://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab
DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} - hxxp://apps.corel.com/nos_dl_manager_dev/plugin/IEGetPlugin.ocx
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://go.divx.com/plugin/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {99FE5072-78AA-4FEE-89BA-69A5FA55343F} - hxxp://download.microsoft.com/download/B/3/A/B3A2EA73-793D-4ABE-992D-C81140384044/igdtoolx.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
AppInit_DLLs: c:\windows\system32\guard32.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
Hosts: 127.0.0.1 www.spywareinfo.com
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\omarmo~1\applic~1\mozilla\firefox\profiles\ub4t9yxh.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.drudgereport.com/?/
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmusicn.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
============= SERVICES / DRIVERS ===============
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2010-1-23 134344]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2010-1-23 25160]
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2009-9-8 65584]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2010-1-23 723632]
R2 FCSAM;Microsoft Forefront Client Security Antimalware Service;c:\program files\microsoft forefront\client security\client\antimalware\MsMpEng.exe [2009-9-3 16880]
R2 FcsSas;Microsoft Forefront Client Security State Assessment Service;c:\program files\microsoft forefront\client security\client\ssa\FcsSas.exe [2007-4-6 73120]
R3 3xHybrid;WinFast HDTV Cinema;c:\windows\system32\drivers\3xHybrid.sys [2007-9-15 1117056]
R3 ABIT-IO;ABIT-IO;c:\program files\u-abit\abiteq\ABIT-IO.sys [2007-9-15 4608]
R3 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-1-22 69616]
R3 wsvad_driver;WS Audio Device;c:\windows\system32\drivers\VirtualAudio.sys [2009-4-18 16896]
S1 mferkdk;VSCore mferkdk;\??\c:\program files\mcafee\virusscan enterprise\mferkdk.sys --> c:\program files\mcafee\virusscan enterprise\mferkdk.sys [?]
S2 SSPORT;SSPORT;\??\c:\windows\system32\drivers\ssport.sys --> c:\windows\system32\drivers\SSPORT.sys [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-1-15 1691480]
S3 cdrmkaun;cdrmkaun;\??\c:\docume~1\omarmo~1\locals~1\temp\cdrmkaun.sys --> c:\docume~1\omarmo~1\locals~1\temp\cdrmkaun.sys [?]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]
S3 WFIOCTL;WFIOCTL;\??\c:\documents and settings\omar molina jr\wfioctl.sys --> c:\documents and settings\omar molina jr\WFIOCTL.SYS [?]
S4 Remote Solver for COSMOSFloWorks 2007;Remote Solver for COSMOSFloWorks 2007;"c:\program files\solidworks\cosmos\floworks\bincfw\standaloneslv.exe" --> c:\program files\solidworks\cosmos\floworks\bincfw\StandAloneSlv.exe [?]
=============== Created Last 30 ================
2010-03-02 11:30:35 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-03-02 11:24:19 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-03-02 07:34:20 0 d-----w- c:\program files\SystemRequirementsLab
2010-02-28 05:35:16 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-28 05:31:39 3176 ----a-w- c:\windows\system32\spupdsvc.inf
2010-02-28 05:25:11 23392 ----a-w- c:\windows\system32\nscompat.tlb
2010-02-28 05:25:11 16832 ----a-w- c:\windows\system32\amcompat.tlb
2010-02-27 06:32:04 0 d-----w- c:\program files\ESET
2010-01-30 22:11:46 0 d-----w- c:\program files\Runtime Software
2010-01-30 21:36:14 0 d-----w- c:\program files\Trend Micro
2010-01-27 01:18:00 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-01-27 01:18:00 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-01-26 06:36:24 0 d-----w- c:\program files\SpywareBlaster
2010-01-26 06:21:07 0 d-----w- c:\program files\SpywareGuard
2010-01-23 12:32:25 4874240 ----a-w- c:\windows\system32\dllcache\wmp.dll
2010-01-23 12:31:13 2355200 ----a-w- c:\windows\system32\dllcache\wmvcore.dll
2010-01-23 12:31:12 1184984 ----a-w- c:\windows\system32\wvc1dmod.dll
2010-01-23 12:14:16 53248 ----a-w- c:\windows\system32\CSVer.dll
2010-01-23 11:41:56 336 ----a-w- c:\program files\temp995.bat
2010-01-23 11:06:22 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2010-01-23 11:06:22 171552 ----a-w- c:\windows\system32\guard32.dll
2010-01-23 11:06:22 134344 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2010-01-23 11:06:22 0 d-----w- c:\docume~1\alluse~1\applic~1\Comodo
2010-01-23 11:06:14 0 d-----w- c:\program files\COMODO
2010-01-23 04:32:01 0 d-----w- c:\program files\Windows Media Connect 2
2010-01-23 04:30:05 0 d-----w- c:\windows\system32\LogFiles
2010-01-22 20:52:24 2 --shatr- c:\windows\winstart.bat
2010-01-22 20:51:58 0 d-----w- c:\program files\UnHackMe
2010-01-22 20:47:07 69616 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2010-01-22 08:30:06 0 d-----w- c:\program files\McAfee
2010-01-15 07:56:57 358944 ----a-w- c:\windows\vncutil.exe
2010-01-15 07:56:54 51232 ----a-w- c:\windows\system32\RtkCoInstXP.dll
2010-01-15 07:56:54 129568 ----a-w- c:\windows\RtkAudioService.exe
2010-01-15 07:56:53 1395800 ----a-w- c:\windows\system32\drivers\Monfilt.sys
2010-01-15 07:56:52 1691480 ----a-w- c:\windows\system32\drivers\Ambfilt.sys
2010-01-12 23:30:35 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-11 21:39:25 0 d-----w- c:\program files\Active Ports
2010-01-11 08:47:32 0 dc----w- c:\docume~1\alluse~1\applic~1\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-01-09 00:56:16 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-09 00:56:15 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-09 00:50:20 0 d-----w- c:\docume~1\omarmo~1\applic~1\Malwarebytes
2010-01-09 00:50:15 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-09 00:50:14 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-08 23:41:10 0 ----a-w- c:\windows\Nkuha.bin
2010-01-08 23:41:09 120 ----a-w- c:\windows\Vkaxovuzikagupi.dat
2010-01-07 06:46:25 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-07 06:34:12 0 d-----w- c:\program files\Microsoft Forefront
2010-01-07 06:09:49 0 d-----w- c:\windows\system32\xlive
2010-01-07 06:09:49 0 d-----w- c:\program files\Microsoft Games for Windows - LIVE
2010-01-05 02:59:29 599552 -c----w- c:\windows\system32\dllcache\crypt32.dll
2010-01-05 02:59:29 177664 -c----w- c:\windows\system32\dllcache\wintrust.dll
2010-01-05 02:57:28 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2010-01-05 02:57:28 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
==================== Find3M ====================
2009-12-26 00:50:20 84512 ----a-w- c:\windows\SOUNDMAN.EXE
2009-12-26 00:50:14 9721888 ----a-w- c:\windows\RTLCPL.EXE
2009-12-26 00:50:14 1833504 ----a-w- c:\windows\SkyTel.exe
2009-12-26 00:50:14 1489440 ----a-w- c:\windows\RtlUpd.exe
2009-12-26 00:50:02 18789408 ----a-w- c:\windows\RTHDCPL.EXE
2009-12-26 00:49:56 2815520 ----a-w- c:\windows\ALCWZRD.EXE
2009-12-26 00:49:56 2177568 ----a-w- c:\windows\MicCal.exe
2009-12-26 00:49:50 64032 ----a-w- c:\windows\ALCMTR.EXE
2009-12-26 00:26:30 6039584 ----a-w- c:\windows\system32\drivers\RtkHDAud.sys
2009-12-22 05:21:05 667136 ----a-w- c:\windows\system32\wininet.dll
2009-12-22 05:20:58 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-12-22 02:18:10 8020 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-01 00:02:40 171144 ----a-w- c:\windows\system32\xliveinstall.dll
2009-12-01 00:02:38 72840 ----a-w- c:\windows\system32\xliveinstallhost.exe
2009-11-24 23:40:20 838176 ----a-w- c:\windows\RtlExUpd.dll
2009-11-21 02:34:54 69632 ----a-w- c:\windows\system32\OpenCL.dll
2009-11-21 02:34:54 6282752 ----a-w- c:\windows\system32\nv4_disp.dll
2009-11-21 02:34:54 592488 ----a-w- c:\windows\system32\nvudisp.exe
2009-11-21 02:34:54 4038656 ----a-w- c:\windows\system32\nvcuda.dll
2009-11-21 02:34:54 2293286 ----a-w- c:\windows\system32\nvdata.bin
2009-11-21 02:34:54 2259560 ----a-w- c:\windows\system32\nvcuvid.dll
2009-11-21 02:34:54 1989224 ----a-w- c:\windows\system32\nvcuvenc.dll
2009-11-21 02:34:54 182888 ----a-w- c:\windows\system32\nvcodins.dll
2009-11-21 02:34:54 182888 ----a-w- c:\windows\system32\nvcod.dll
2009-11-21 02:34:54 13602816 ----a-w- c:\windows\system32\nvoglnt.dll
2009-11-21 02:34:54 11374592 ----a-w- c:\windows\system32\nvcompiler.dll
2009-11-21 02:34:54 1056768 ----a-w- c:\windows\system32\nvapi.dll
2009-11-21 02:32:14 278120 ----a-w- c:\windows\system32\nvmccs.dll
2009-11-21 02:32:14 154216 ----a-w- c:\windows\system32\nvsvc32.exe
2009-11-21 02:32:14 145000 ----a-w- c:\windows\system32\nvcolor.exe
2009-11-21 02:32:14 12669544 ----a-w- c:\windows\system32\nvcpl.dll
2009-11-21 02:32:14 110184 ----a-w- c:\windows\system32\nvmctray.dll
2009-11-21 02:32:10 81920 ----a-w- c:\windows\system32\nvwddi.dll
2009-11-20 03:42:56 592488 ----a-w- c:\windows\system32\NVUNINST.EXE
2009-11-11 23:50:51 53248 ----a-w- c:\documents and settings\omar molina jr\lametritonus_en.dll
2009-11-11 23:50:51 162304 ----a-w- c:\documents and settings\omar molina jr\lame_enc_en.dll
2009-11-06 16:59:54 15406728 ----a-w- c:\windows\system32\xlive.dll
2009-11-06 16:59:54 13642888 ----a-w- c:\windows\system32\xlivefnt.dll
============= FINISH: 16:24:25.70 ===============
#7
Posted 31 January 2010 - 04:34 AM
Here are the GMER results. Thanks again for your help.
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-30 22:29:03
Windows 5.1.2600 Service Pack 3
Running: ufji48o4.exe; Driver: C:\DOCUME~1\OMARMO~1\LOCALS~1\Temp\kwtdipob.sys
---- System - GMER 1.0.15 ----
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwAdjustPrivilegesToken [0xB2A88BF4]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwConnectPort [0xB2A881D2]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateFile [0xB2A8885A]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateKey [0xB2A89374]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreatePort [0xB2A880B4]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateSection [0xB2A8A084]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateSymbolicLinkObject [0xB2A8A31C]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateThread [0xB2A87C7A]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwDeleteKey [0xB2A88FDE]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwDeleteValueKey [0xB2A8918E]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwDuplicateObject [0xB2A87AAC]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwLoadDriver [0xB2A89D06]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwMakeTemporaryObject [0xB2A88456]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenFile [0xB2A88A36]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenProcess [0xB2A877DC]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenSection [0xB2A886E6]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenThread [0xB2A87954]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwRenameKey [0xB2A8973A]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwRequestWaitReplyPort [0xB2A8A662]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSecureConnectPort [0xB2A89AA2]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSetSecurityObject [0xB2A88DDA]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSetSystemInformation [0xB2A89EB4]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSetValueKey [0xB2A8953A]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwShutdownSystem [0xB2A883F0]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSystemDebugControl [0xB2A885DA]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwTerminateProcess [0xB2A87F7E]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwTerminateThread [0xB2A87E4C]
---- Kernel IAT/EAT - GMER 1.0.15 ----
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter] [B7E226E0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [B7E227B0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] [B7E22780] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] [B7E22740] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [B7E22740] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [B7E227B0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [B7E226E0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [B7E22780] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [B7E22780] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [B7E22740] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [B7E227B0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [B7E226E0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [B7E22740] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [B7E22780] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [B7E226E0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [B7E227B0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [B7E226E0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [B7E227B0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [B7E22740] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [B7E22780] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [B7E22740] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [B7E227B0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [B7E226E0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [B7E22740] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [B7E22780] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [B7E226E0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [B7E227B0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\Tcpip \Device\Ip cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\Tcp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\Udp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\RawIp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- EOF - GMER 1.0.15 ----
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [B7E22780] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [B7E22740] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [B7E227B0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [B7E226E0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [B7E22740] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [B7E22780] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [B7E226E0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [B7E227B0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [B7E226E0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [B7E227B0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [B7E22740] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [B7E22780] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [B7E22740] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [B7E227B0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [B7E226E0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [B7E22740] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [B7E22780] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [B7E226E0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [B7E227B0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\Tcpip \Device\Ip cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\Tcp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\Udp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\RawIp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- EOF - GMER 1.0.15 ----
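Every SSDT, IAT and AttachedDevice entry in the GMER log above is attributed to a COMODO driver (cmdguard.sys, inspect.sys, cmdhlp.sys), which is what a HIPS and firewall product is expected to do. The entries worth chasing are hooks owned by a module GMER cannot name. The script below is an added example, not part of the original post or of GMER: it parses the three GMER 1.0.15 line formats, groups hooks by owning module, and lists hooks whose module carries no "(Description/Company)" string. It assumes GMER prints that string from the module's PE version info and omits it when none exists; the `example.sys` line in the sample is a constructed, hypothetical entry that does not appear in the log.

```python
import re
from collections import defaultdict

# Constructed sample in GMER 1.0.15 log format. Lines 1, 2, 4 and 5 copy
# entries from the log above; line 3 is a hypothetical hook by a module with
# no version-info description, added only to show what an unattributed hook
# looks like (it is NOT from the log).
SAMPLE_GMER_LOG = r"""
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenProcess [0xB2A877DC]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwTerminateProcess [0xB2A87F7E]
SSDT \??\C:\WINDOWS\system32\drivers\example.sys ZwCreateFile [0xF7A1B2C0]
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [B7E227B0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\Tcp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
"""

# "SSDT <module> [(desc/vendor)] <ZwFunction> [0xADDR]"
SSDT_RE = re.compile(
    r"^SSDT\s+(?P<module>\S+)(?:\s+\((?P<desc>[^)]*)\))?\s+(?P<func>\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]$"
)
# "IAT <target>[<import>] [ADDR] <module> [(desc/vendor)]"
IAT_RE = re.compile(
    r"^IAT\s+(?P<target>\S+?)\[(?P<import>[^\]]+)\]\s+\[(?P<addr>[0-9A-Fa-f]+)\]\s+(?P<module>\S+)(?:\s+\((?P<desc>[^)]*)\))?$"
)
# "AttachedDevice <driver> <device> <module> [(desc/vendor)]"
DEVICE_RE = re.compile(
    r"^AttachedDevice\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+(?P<module>\S+)(?:\s+\((?P<desc>[^)]*)\))?$"
)


def parse_gmer(text):
    """Return one dict per hook line: kind, module basename, vendor, hooked item."""
    hooks = []
    for line in text.splitlines():
        line = line.strip()
        for kind, rx in (("SSDT", SSDT_RE), ("IAT", IAT_RE), ("AttachedDevice", DEVICE_RE)):
            m = rx.match(line)
            if not m:
                continue
            d = m.groupdict()
            desc = d.get("desc")
            # GMER prints "File description/Company"; the vendor is the last field.
            vendor = desc.rsplit("/", 1)[-1].strip() if desc else None
            hooks.append({
                "kind": kind,
                "module": d["module"].rsplit("\\", 1)[-1].lower(),
                "module_path": d["module"],
                "vendor": vendor,
                "what": d.get("func") or d.get("import") or d.get("device"),
            })
            break
    return hooks


def hooks_by_module(hooks):
    """Group hooks by owning module so a reviewer sees one entry per driver."""
    summary = defaultdict(lambda: {"vendor": None, "hooks": []})
    for h in hooks:
        entry = summary[h["module"]]
        entry["vendor"] = entry["vendor"] or h["vendor"]
        entry["hooks"].append((h["kind"], h["what"]))
    return dict(summary)


def unattributed_hooks(hooks):
    """Hooks whose owning module has no description/vendor string at all."""
    return [h for h in hooks if not h["vendor"]]


if __name__ == "__main__":
    parsed = parse_gmer(SAMPLE_GMER_LOG)
    for module, info in hooks_by_module(parsed).items():
        print(f"{module:14} vendor={info['vendor']!s:8} hooks={len(info['hooks'])}")
    for h in unattributed_hooks(parsed):
        print("INVESTIGATE:", h["kind"], h["module_path"], h["what"])
```

A module with no vendor string is not proof of anything by itself (an unversioned legitimate driver prints the same way), so the next step is to check the file on disk: does it exist, is it signed, does its hash match a known product.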
#8
Posted 31 January 2010 - 09:20 PM
Let's start with Combofix.
Download and Run Combofix
Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingc...to-use-combofix
* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page for instructions on doing so.
Please include the C:\ComboFix.txt in your next reply for further review.
#9
Posted 01 February 2010 - 12:50 AM
Combofix log pasted below:
ComboFix 10-01-31.03 - Omar Molina Jr 01/31/2010 18:40:21.1.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2396 [GMT -6:00]
Running from: c:\documents and settings\Omar Molina Jr\Desktop\Desktop Junk\ComboFix.exe
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Outdated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
AV: Microsoft Forefront Client Security *On-access scanning disabled* (Updated) {926A3D4F-E4E7-4F47-9902-4EDD55FFE1AF}
FW: COMODO Firewall *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Omar Molina Jr\Start Menu\Programs\StartUp\RivaTuner.lnk
.
((((((((((((((((((((((((( Files Created from 2010-01-01 to 2010-02-01 )))))))))))))))))))))))))))))))
.
2010-03-02 11:30 . 2010-03-02 11:33 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-03-02 11:23 . 2010-03-02 11:23 -------- d-----w- c:\program files\Java
2010-03-02 07:34 . 2010-03-02 07:34 -------- d-----w- c:\program files\SystemRequirementsLab
2010-03-02 07:34 . 2010-03-02 07:34 138240 ----a-w- c:\documents and settings\Omar Molina Jr\Application Data\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_d.dll
2010-03-02 07:34 . 2010-03-02 07:34 138240 ----a-w- c:\documents and settings\Omar Molina Jr\Application Data\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_c.dll
2010-03-02 07:34 . 2010-03-02 07:34 138240 ----a-w- c:\documents and settings\Omar Molina Jr\Application Data\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_b.dll
2010-03-02 07:34 . 2010-03-02 07:34 138240 ----a-w- c:\documents and settings\Omar Molina Jr\Application Data\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_a.dll
2010-03-02 07:34 . 2010-03-02 07:34 -------- d-----w- c:\documents and settings\Omar Molina Jr\Application Data\SystemRequirementsLab
2010-03-01 06:42 . 2010-03-01 06:42 1956528 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
2010-02-28 05:35 . 2010-02-28 05:35 61440 ----a-w- c:\documents and settings\Omar Molina Jr\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-4ab795fc-n\decora-sse.dll
2010-02-28 05:35 . 2010-02-28 05:35 503808 ----a-w- c:\documents and settings\Omar Molina Jr\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7c8dc35e-n\msvcp71.dll
2010-02-28 05:35 . 2010-02-28 05:35 499712 ----a-w- c:\documents and settings\Omar Molina Jr\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7c8dc35e-n\jmc.dll
2010-02-28 05:35 . 2010-02-28 05:35 348160 ----a-w- c:\documents and settings\Omar Molina Jr\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7c8dc35e-n\msvcr71.dll
2010-02-28 05:35 . 2010-02-28 05:35 12800 ----a-w- c:\documents and settings\Omar Molina Jr\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-4ab795fc-n\decora-d3d.dll
2010-02-28 05:35 . 2010-03-02 11:23 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-27 06:32 . 2010-02-27 06:32 -------- d-----w- c:\program files\ESET
2010-01-30 22:11 . 2010-01-30 22:11 -------- d-----w- c:\program files\Runtime Software
2010-01-30 21:36 . 2010-01-30 21:36 -------- d-----w- c:\program files\Trend Micro
2010-01-27 01:18 . 2010-01-27 01:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-27 01:18 . 2010-01-27 01:20 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-01-26 06:36 . 2010-02-28 05:28 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-01-26 06:36 . 2010-01-26 06:39 -------- d-----w- c:\program files\SpywareBlaster
2010-01-26 06:21 . 2010-01-26 06:25 -------- d-----w- c:\program files\SpywareGuard
2010-01-23 12:32 . 2009-07-12 17:21 4874240 ----a-w- c:\windows\system32\dllcache\wmp.dll
2010-01-23 12:31 . 2009-05-20 17:44 2355200 ----a-w- c:\windows\system32\dllcache\wmvcore.dll
2010-01-23 12:31 . 2005-09-28 19:46 1184984 ----a-w- c:\windows\system32\wvc1dmod.dll
2010-01-23 12:14 . 2010-01-23 12:08 53248 ----a-w- c:\windows\system32\CSVer.dll
2010-01-23 11:41 . 2010-01-23 11:41 336 ----a-w- c:\program files\temp995.bat
2010-01-23 11:06 . 2010-03-01 17:22 87104 ----a-w- c:\windows\system32\drivers\inspect.sys
2010-01-23 11:06 . 2010-03-01 17:22 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2010-01-23 11:06 . 2010-03-01 17:22 171552 ----a-w- c:\windows\system32\guard32.dll
2010-01-23 11:06 . 2010-03-01 17:21 134344 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2010-01-23 11:06 . 2010-01-23 11:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo
2010-01-23 11:06 . 2010-01-23 11:06 -------- d-----w- c:\program files\COMODO
2010-01-23 04:32 . 2010-02-28 05:03 -------- d-----w- c:\program files\Windows Media Connect 2
2010-01-23 04:30 . 2010-02-28 05:30 -------- d-----w- c:\windows\system32\drivers\UMDF
2010-01-23 04:30 . 2010-01-23 04:30 -------- d-----w- c:\windows\system32\LogFiles
2010-01-22 20:52 . 2010-01-22 20:52 2 --shatr- c:\windows\winstart.bat
2010-01-22 20:51 . 2010-01-22 21:01 -------- d-----w- c:\program files\UnHackMe
2010-01-22 20:47 . 2009-05-15 19:35 69616 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2010-01-15 07:56 . 2009-12-26 00:50 358944 ----a-w- c:\windows\vncutil.exe
2010-01-15 07:56 . 2009-12-26 00:50 51232 ----a-w- c:\windows\system32\RtkCoInstXP.dll
2010-01-15 07:56 . 2009-12-26 00:50 129568 ----a-w- c:\windows\RtkAudioService.exe
2010-01-15 07:56 . 2009-11-18 13:17 1395800 ----a-w- c:\windows\system32\drivers\Monfilt.sys
2010-01-15 07:56 . 2009-11-18 13:16 1691480 ----a-w- c:\windows\system32\drivers\Ambfilt.sys
2010-01-15 06:53 . 2010-03-02 10:10 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-01-12 23:30 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-12 04:17 . 2010-01-12 04:17 278120 ----a-w- c:\windows\system32\nvmccs.dll
2010-01-12 04:17 . 2010-01-12 04:17 154216 ----a-w- c:\windows\system32\nvsvc32.exe
2010-01-12 04:17 . 2010-01-12 04:17 145000 ----a-w- c:\windows\system32\nvcolor.exe
2010-01-12 04:17 . 2010-01-12 04:17 13666408 ----a-w- c:\windows\system32\nvcpl.dll
2010-01-12 04:17 . 2010-01-12 04:17 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-01-12 04:17 . 2010-01-12 04:17 81920 ----a-w- c:\windows\system32\nvwddi.dll
2010-01-11 22:55 . 2008-04-14 00:12 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2010-01-11 21:39 . 2010-01-11 21:39 -------- d-----w- c:\program files\Active Ports
2010-01-11 08:47 . 2010-01-11 08:47 -------- dc----w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-01-09 00:56 . 2010-01-09 00:56 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-09 00:56 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-09 00:56 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-09 00:50 . 2010-01-09 00:50 -------- d-----w- c:\documents and settings\Omar Molina Jr\Application Data\Malwarebytes
2010-01-09 00:50 . 2010-01-09 00:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-09 00:50 . 2010-01-23 10:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-08 23:41 . 2010-01-15 06:45 0 ----a-w- c:\windows\Nkuha.bin
2010-01-08 23:41 . 2010-01-15 09:04 120 ----a-w- c:\windows\Vkaxovuzikagupi.dat
2010-01-07 06:46 . 2010-01-14 17:12 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-07 06:34 . 2010-01-07 06:34 -------- d-----w- c:\program files\Microsoft Forefront
2010-01-07 06:09 . 2010-01-07 06:10 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE
2010-01-07 06:09 . 2010-01-07 06:09 -------- d-----w- c:\windows\system32\xlive
2010-01-05 04:45 . 2010-01-11 22:15 431048 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-01-05 02:59 . 2008-11-13 14:18 599552 -c----w- c:\windows\system32\dllcache\crypt32.dll
2010-01-05 02:59 . 2008-11-13 14:18 177664 -c----w- c:\windows\system32\dllcache\wintrust.dll
2010-01-05 02:57 . 2009-09-04 23:29 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2010-01-05 02:57 . 2009-09-04 23:29 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-02 11:24 . 2007-10-19 03:02 -------- d-----w- c:\program files\Common Files\Java
2010-01-31 14:31 . 2008-01-23 03:32 -------- d-----w- c:\program files\NVIDIA Corporation
2010-01-31 14:31 . 2007-10-23 08:13 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-01-31 14:30 . 2009-10-02 01:45 -------- d-----w- c:\program files\AGEIA Technologies
2010-01-26 06:19 . 2007-10-20 07:58 -------- d-----w- c:\program files\Lavasoft
2010-01-26 06:19 . 2008-10-16 22:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-01-23 12:19 . 2007-09-18 06:48 -------- d-----w- c:\program files\Viewpoint
2010-01-23 12:19 . 2007-09-18 06:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-01-23 11:41 . 2009-01-20 02:45 -------- d-----w- c:\program files\PDF995
2010-01-23 10:25 . 2007-09-15 22:56 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-23 10:23 . 2007-11-11 20:03 -------- d-----w- c:\program files\EggTimerPlus
2010-01-23 10:22 . 2007-09-24 07:32 -------- d-----w- c:\program files\DWGeditor
2010-01-23 10:20 . 2007-09-18 07:30 -------- d-----w- c:\program files\545 Studios
2010-01-23 04:22 . 2007-09-15 23:23 109664 ----a-w- c:\documents and settings\Omar Molina Jr\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-23 02:41 . 2007-09-17 21:30 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-22 21:36 . 2008-03-16 03:34 -------- d-----w- c:\program files\SolidWorks Installation Manager
2010-01-22 21:36 . 2007-09-24 07:13 -------- d-----w- c:\program files\SolidWorks
2010-01-22 21:36 . 2007-09-24 07:24 -------- d-----w- c:\program files\Common Files\SolidWorks Shared
2010-01-22 21:05 . 2009-01-20 02:45 -------- d-----w- c:\program files\TaxCut08
2010-01-22 08:35 . 2007-09-16 00:34 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-01-15 07:56 . 2007-09-15 23:42 -------- d-----w- c:\program files\Realtek
2010-01-13 03:49 . 2007-09-27 23:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-01-12 04:03 . 2009-12-22 09:56 61440 ----a-w- c:\windows\system32\OpenCL.dll
2010-01-12 04:03 . 2009-12-22 09:56 11632640 ----a-w- c:\windows\system32\nvcompiler.dll
2010-01-12 04:03 . 2009-08-17 05:57 4104192 ----a-w- c:\windows\system32\nvcuda.dll
2010-01-12 04:03 . 2009-08-17 05:57 4077672 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-01-12 04:03 . 2009-08-17 05:57 2283526 ----a-w- c:\windows\system32\nvdata.bin
2010-01-12 04:03 . 2009-08-17 05:57 2259560 ----a-w- c:\windows\system32\nvcuvid.dll
2010-01-12 04:03 . 2007-11-07 01:30 182888 ----a-w- c:\windows\system32\nvcodins.dll
2010-01-12 04:03 . 2007-11-07 01:30 14458880 ----a-w- c:\windows\system32\nvoglnt.dll
2010-01-12 04:03 . 2007-11-07 01:30 1081344 ----a-w- c:\windows\system32\nvapi.dll
2010-01-12 04:03 . 2007-10-08 17:32 6359168 ----a-w- c:\windows\system32\nv4_disp.dll
2010-01-12 04:03 . 2007-10-08 17:32 10276768 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2010-01-11 22:51 . 2010-01-11 22:51 110056 ----a-w- c:\documents and settings\New\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-07 06:32 . 2007-10-09 18:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Network Associates
2010-01-04 23:16 . 2008-01-14 02:58 -------- d-----w- c:\program files\Eidos
2009-12-26 00:50 . 2007-09-15 23:43 84512 ----a-w- c:\windows\SOUNDMAN.EXE
2009-12-26 00:50 . 2007-09-15 23:43 1833504 ----a-w- c:\windows\SkyTel.exe
2009-12-26 00:50 . 2007-09-15 23:43 1489440 ----a-w- c:\windows\RtlUpd.exe
2009-12-26 00:50 . 2007-09-15 23:43 9721888 ----a-w- c:\windows\RTLCPL.EXE
2009-12-26 00:50 . 2007-09-15 23:42 18789408 ----a-w- c:\windows\RTHDCPL.EXE
2009-12-26 00:49 . 2007-09-15 23:42 2177568 ----a-w- c:\windows\MicCal.exe
2009-12-26 00:49 . 2007-09-15 23:42 2815520 ----a-w- c:\windows\ALCWZRD.EXE
2009-12-26 00:49 . 2007-10-04 07:29 64032 ----a-w- c:\windows\ALCMTR.EXE
2009-12-26 00:26 . 2007-09-15 23:42 6039584 ----a-w- c:\windows\system32\drivers\RtkHDAud.sys
2009-12-22 05:21 . 2004-08-04 12:00 667136 ----a-w- c:\windows\system32\wininet.dll
2009-12-22 05:20 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-12-22 02:18 . 2007-10-08 17:44 8020 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-01 00:02 . 2009-12-01 00:02 171144 ----a-w- c:\windows\system32\xliveinstall.dll
2009-12-01 00:02 . 2009-12-01 00:02 72840 ----a-w- c:\windows\system32\xliveinstallhost.exe
2009-11-24 23:40 . 2007-09-15 23:42 838176 ----a-w- c:\windows\RtlExUpd.dll
2009-11-21 15:51 . 2004-08-04 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-21 02:34 . 2008-01-23 00:02 592488 ----a-w- c:\windows\system32\nvudisp.exe
2009-11-21 02:34 . 2007-11-07 01:30 182888 ----a-w- c:\windows\system32\nvcod.dll
2009-11-20 03:42 . 2008-01-23 00:05 592488 ----a-w- c:\windows\system32\NVUNINST.EXE
2009-11-11 23:50 . 2009-11-11 23:50 53248 ----a-w- c:\documents and settings\Omar Molina Jr\lametritonus_en.dll
2009-11-11 23:50 . 2009-11-11 23:50 162304 ----a-w- c:\documents and settings\Omar Molina Jr\lame_enc_en.dll
2009-11-06 16:59 . 2009-11-06 16:59 15406728 ----a-w- c:\windows\system32\xlive.dll
2009-11-06 16:59 . 2009-11-06 16:59 13642888 ----a-w- c:\windows\system32\xlivefnt.dll
2009-09-13 04:05 . 2009-09-13 04:05 124240 ----a-w- c:\program files\mozilla firefox\plugins\CCMSDK.dll
2009-09-13 04:06 . 2009-09-13 04:06 13136 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2009-09-13 04:06 . 2009-09-13 04:06 70488 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2009-09-13 04:06 . 2009-09-13 04:06 91480 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2009-09-13 04:06 . 2009-09-13 04:06 22360 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2009-09-13 04:07 . 2009-09-13 04:07 255312 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2009-09-13 04:06 . 2009-09-13 04:06 31064 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2009-09-13 04:06 . 2009-09-13 04:06 40280 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-08-09 06:11 . 2009-08-09 06:11 10437264 ----a-w- c:\program files\mozilla firefox\plugins\PDFNetC.dll
2009-08-09 06:30 . 2009-08-09 06:30 107760 ----a-w- c:\program files\mozilla firefox\plugins\ScorchPDFWrapper.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2009-08-14 18:33 . 2009-08-14 18:33 652640 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2009-09-13 04:06 . 2009-09-13 04:06 23896 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-05 81920]
"ABIT uGuruIII"="c:\program files\U-ABIT\abitEQ\abiteq.exe" [2007-09-05 421888]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-23 101136]
"RTHDCPL"="RTHDCPL.EXE" [2009-12-26 18789408]
"Microsoft Forefront Client Security Antimalware Service"="c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe" [2009-09-03 1033584]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2010-02-28 1800464]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-01-12 13666408]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-01-12 110696]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideShutdownScripts"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"= 99 (0x63)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FCSAM]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TMMonitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\TMMonitor.lnk
backup=c:\windows\pss\TMMonitor.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2009-12-26 00:49 64032 ----a-w- c:\windows\ALCMTR.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 16:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2009-12-26 00:50 18789408 ----a-w- c:\windows\RTHDCPL.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
2009-12-26 00:50 1833504 ----a-w- c:\windows\SkyTel.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2007-09-16 04:54 185632 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]
2007-09-07 15:46 1910040 ----a-w- c:\program files\Uniblue\RegistryBooster 2\RegistryBooster.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinFast Schedule2]
2007-05-22 14:14 405504 ----a-w- c:\program files\WinFast\WFDTV\WFWIZ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Viewpoint Manager Service"=2 (0x2)
"SolidWorks Licensing Service"=3 (0x3)
"Remote Solver for COSMOSFloWorks 2007"=2 (0x2)
"Remote Solver for COSMOSFloWorks 2006"=2 (0x2)
"Pml Driver HPZ12"=2 (0x2)
"odserv"=3 (0x3)
"NMIndexingService"=3 (0x3)
"NinjaVideo Helper.exe"=2 (0x2)
"NBService"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"MDM"=2 (0x2)
"CVPND"=2 (0x2)
"CiscoVpnInstallService"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\FileZilla\\FileZilla.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Eidos\\Batman Arkham Asylum\\Binaries\\ShippingPC-BmGame.exe"=
"c:\\Program Files\\Microsoft Games for Windows - LIVE\\Client\\GFWLive.exe"=
"c:\\Program Files\\Patriots\\Patriots.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Games for Windows - LIVE\\Client\\GFWLClient.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3074:UDP"= 3074:UDP:gfwl content download
"80:UDP"= 80:UDP:gfwl internet
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [1/23/2010 5:06 AM 134344]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [1/23/2010 5:06 AM 25160]
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [9/8/2009 5:13 PM 65584]
R2 FCSAM;Microsoft Forefront Client Security Antimalware Service;c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe [9/3/2009 3:06 PM 16880]
R2 FcsSas;Microsoft Forefront Client Security State Assessment Service;c:\program files\Microsoft Forefront\Client Security\Client\SSA\FcsSas.exe [4/6/2007 4:12 AM 73120]
R3 3xHybrid;WinFast HDTV Cinema;c:\windows\system32\drivers\3xHybrid.sys [9/15/2007 5:29 PM 1117056]
R3 ABIT-IO;ABIT-IO;c:\program files\U-ABIT\abitEQ\ABIT-IO.sys [9/15/2007 5:45 PM 4608]
R3 wsvad_driver;WS Audio Device;c:\windows\system32\drivers\VirtualAudio.sys [4/18/2009 7:20 PM 16896]
S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [1/15/2010 1:56 AM 1691480]
S3 cdrmkaun;cdrmkaun;\??\c:\docume~1\OMARMO~1\LOCALS~1\Temp\cdrmkaun.sys --> c:\docume~1\OMARMO~1\LOCALS~1\Temp\cdrmkaun.sys [?]
S3 WFIOCTL;WFIOCTL;\??\c:\documents and settings\Omar Molina Jr\WFIOCTL.SYS --> c:\documents and settings\Omar Molina Jr\WFIOCTL.SYS [?]
S4 Remote Solver for COSMOSFloWorks 2007;Remote Solver for COSMOSFloWorks 2007;"c:\program files\SolidWorks\COSMOS\FloWorks\binCFW\StandAloneSlv.exe" --> c:\program files\SolidWorks\COSMOS\FloWorks\binCFW\StandAloneSlv.exe [?]
.
Contents of the 'Scheduled Tasks' folder
2010-01-31 c:\windows\Tasks\MP Scheduled Quick Scan.job
- c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe [2009-09-03 21:06]
2010-01-31 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe [2009-09-03 21:06]
2010-01-31 c:\windows\Tasks\MP Scheduled Signature Update.job
- c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe [2009-09-03 21:06]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.drudgereport.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
FF - ProfilePath - c:\documents and settings\Omar Molina Jr\Application Data\Mozilla\Firefox\Profiles\ub4t9yxh.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.drudgereport.com/?/
FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-nwiz - nwiz.exe
Notify-AtiExtEvent - (no file)
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe
MSConfigStartUp-Bbotibofaxacumi - c:\windows\edepulen.dll
MSConfigStartUp-ISUSPM - c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
AddRemove-NVIDIA Display Control Panel - c:\program files\NVIDIA Corporation\Uninstall\nvuninst.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-31 18:44
Windows 5.1.2600 Service Pack 3 NTFS
detected NTDLL code modification:
ZwClose, ZwOpenFile
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(564)
c:\windows\system32\guard32.dll
c:\program files\Citrix\ICA Client\pnsson.dll
- - - - - - - > 'lsass.exe'(632)
c:\windows\system32\guard32.dll
.
Completion time: 2010-01-31 18:45:43
ComboFix-quarantined-files.txt 2010-02-01 00:45
Pre-Run: 162,787,319,808 bytes free
Post-Run: 162,829,357,056 bytes free
- - End Of File - - D420BE4D5045F52B967D4EA7F18BD2EE
#10
Posted 04 February 2010 - 03:27 AM
Hello.
Once again sorry for the delay. :(
Let's continue with a scan with Malwarebytes followed by a new DDS run.
Download and run MalwareBytes Anti-Malware
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
- Make sure you are connected to the Internet.
- Double-click on Download_mbam-setup.exe to install the application.
- When the installation begins, follow the prompts and do not make any changes to default settings.
- When installation has finished, make sure you leave both of these checked:
  - Update Malwarebytes' Anti-Malware
  - Launch Malwarebytes' Anti-Malware
- Then click Finish.
- MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
- On the Scanner tab:
  - Make sure the "Perform Quick Scan" option is selected.
  - Then click on the Scan button.
- If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
- The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
- When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
- Click OK to close the message box and continue with the removal process.
- Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
- Make sure that everything is checked, and click Remove Selected.
- When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
- The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
- Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link
Take a new DDS run afterward and post back with both the DDS and Attach logs in your next reply. Also, let me know how your computer is running and if you have any more problems, issues or symptoms left.
Thanks.
With Regards,
Extremeboy
#11
Posted 04 February 2010 - 04:03 AM
I've run this a few times since the infection and these two reg key infections keep showing up. DDS logs to follow.
Malwarebytes' Anti-Malware 1.44
Database version: 3662
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512
2/3/2010 9:58:13 PM
mbam-log-2010-02-03 (21-58-13).txt
Scan type: Quick Scan
Objects scanned: 129655
Time elapsed: 4 minute(s), 44 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5945c046-1e7|-11d1-bc44-00c04fd912be} (Generic.Bot.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5a8d6ee0-3e18-11d0-8z1e-444553540000} (Generic.Bot.H) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
#12
Posted 04 February 2010 - 04:06 AM
DDS (Ver_09-12-01.01) - NTFSx86
Run by Omar Molina Jr at 22:04:20.26 on Wed 02/03/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.1923 [GMT -6:00]
AV: Microsoft Forefront Client Security *On-access scanning enabled* (Updated) {926A3D4F-E4E7-4F47-9902-4EDD55FFE1AF}
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Outdated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
============== Running Processes ===============
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Microsoft Forefront\Client Security\Client\SSA\FcsSas.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\U-ABIT\abitEQ\abiteq.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\system32\calc.exe
C:\Documents and Settings\Omar Molina Jr\Desktop\Desktop Junk\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.drudgereport.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
uRun: [ABIT uGuruIII] c:\program files\u-abit\abiteq\abiteq.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Microsoft Forefront Client Security Antimalware Service] "c:\program files\microsoft forefront\client security\client\antimalware\MSASCui.exe" -hide
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
uPolicies-explorer: MaxRecentDocs = 99 (0x63)
mPolicies-system: HideShutdownScripts = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=67633
DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - hxxp://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab
DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} - hxxp://apps.corel.com/nos_dl_manager_dev/plugin/IEGetPlugin.ocx
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://go.divx.com/plugin/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {99FE5072-78AA-4FEE-89BA-69A5FA55343F} - hxxp://download.microsoft.com/download/B/3/A/B3A2EA73-793D-4ABE-992D-C81140384044/igdtoolx.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
AppInit_DLLs: c:\windows\system32\guard32.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
Hosts: 127.0.0.1 www.spywareinfo.com
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\omarmo~1\applic~1\mozilla\firefox\profiles\ub4t9yxh.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.drudgereport.com/?/
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmusicn.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
============= SERVICES / DRIVERS ===============
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2010-1-23 134344]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2010-1-23 25160]
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2009-9-8 65584]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2010-1-23 723632]
R2 FCSAM;Microsoft Forefront Client Security Antimalware Service;c:\program files\microsoft forefront\client security\client\antimalware\MsMpEng.exe [2009-9-3 16880]
R2 FcsSas;Microsoft Forefront Client Security State Assessment Service;c:\program files\microsoft forefront\client security\client\ssa\FcsSas.exe [2007-4-6 73120]
R3 3xHybrid;WinFast HDTV Cinema;c:\windows\system32\drivers\3xHybrid.sys [2007-9-15 1117056]
R3 ABIT-IO;ABIT-IO;c:\program files\u-abit\abiteq\ABIT-IO.sys [2007-9-15 4608]
R3 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-1-22 69616]
R3 wsvad_driver;WS Audio Device;c:\windows\system32\drivers\VirtualAudio.sys [2009-4-18 16896]
S1 mferkdk;VSCore mferkdk;\??\c:\program files\mcafee\virusscan enterprise\mferkdk.sys --> c:\program files\mcafee\virusscan enterprise\mferkdk.sys [?]
S2 SSPORT;SSPORT;\??\c:\windows\system32\drivers\ssport.sys --> c:\windows\system32\drivers\SSPORT.sys [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-1-15 1691480]
S3 cdrmkaun;cdrmkaun;\??\c:\docume~1\omarmo~1\locals~1\temp\cdrmkaun.sys --> c:\docume~1\omarmo~1\locals~1\temp\cdrmkaun.sys [?]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]
S3 WFIOCTL;WFIOCTL;\??\c:\documents and settings\omar molina jr\wfioctl.sys --> c:\documents and settings\omar molina jr\WFIOCTL.SYS [?]
S4 Remote Solver for COSMOSFloWorks 2007;Remote Solver for COSMOSFloWorks 2007;"c:\program files\solidworks\cosmos\floworks\bincfw\standaloneslv.exe" --> c:\program files\solidworks\cosmos\floworks\bincfw\StandAloneSlv.exe [?]
=============== Created Last 30 ================
2010-03-02 11:30:35 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-03-02 11:24:19 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-03-02 07:34:20 0 d-----w- c:\program files\SystemRequirementsLab
2010-02-28 05:35:16 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-28 05:31:39 3176 ----a-w- c:\windows\system32\spupdsvc.inf
2010-02-28 05:25:11 23392 ----a-w- c:\windows\system32\nscompat.tlb
2010-02-28 05:25:11 16832 ----a-w- c:\windows\system32\amcompat.tlb
2010-02-27 06:32:04 0 d-----w- c:\program files\ESET
2010-02-01 00:39:29 0 d-----w- C:\ComboFix
2010-02-01 00:37:41 0 d-sha-r- C:\cmdcons
2010-02-01 00:37:03 98816 ----a-w- c:\windows\sed.exe
2010-02-01 00:37:03 77312 ----a-w- c:\windows\MBR.exe
2010-02-01 00:37:03 261632 ----a-w- c:\windows\PEV.exe
2010-02-01 00:37:03 161792 ----a-w- c:\windows\SWREG.exe
2010-01-30 22:11:46 0 d-----w- c:\program files\Runtime Software
2010-01-30 21:36:14 0 d-----w- c:\program files\Trend Micro
2010-01-27 01:18:00 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-01-27 01:18:00 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-01-26 06:36:24 0 d-----w- c:\program files\SpywareBlaster
2010-01-26 06:21:07 0 d-----w- c:\program files\SpywareGuard
2010-01-23 12:32:25 4874240 ----a-w- c:\windows\system32\dllcache\wmp.dll
2010-01-23 12:31:13 2355200 ----a-w- c:\windows\system32\dllcache\wmvcore.dll
2010-01-23 12:31:12 1184984 ----a-w- c:\windows\system32\wvc1dmod.dll
2010-01-23 12:14:16 53248 ----a-w- c:\windows\system32\CSVer.dll
2010-01-23 11:41:56 336 ----a-w- c:\program files\temp995.bat
2010-01-23 11:06:22 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2010-01-23 11:06:22 171552 ----a-w- c:\windows\system32\guard32.dll
2010-01-23 11:06:22 134344 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2010-01-23 11:06:22 0 d-----w- c:\docume~1\alluse~1\applic~1\Comodo
2010-01-23 11:06:14 0 d-----w- c:\program files\COMODO
2010-01-23 04:32:01 0 d-----w- c:\program files\Windows Media Connect 2
2010-01-23 04:30:05 0 d-----w- c:\windows\system32\LogFiles
2010-01-22 20:52:24 2 --shatr- c:\windows\winstart.bat
2010-01-22 20:51:58 0 d-----w- c:\program files\UnHackMe
2010-01-22 20:47:07 69616 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2010-01-15 07:56:57 358944 ----a-w- c:\windows\vncutil.exe
2010-01-15 07:56:54 51232 ----a-w- c:\windows\system32\RtkCoInstXP.dll
2010-01-15 07:56:54 129568 ----a-w- c:\windows\RtkAudioService.exe
2010-01-15 07:56:53 1395800 ----a-w- c:\windows\system32\drivers\Monfilt.sys
2010-01-15 07:56:52 1691480 ----a-w- c:\windows\system32\drivers\Ambfilt.sys
2010-01-12 23:30:35 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-12 04:17:44 278120 ----a-w- c:\windows\system32\nvmccs.dll
2010-01-12 04:17:44 154216 ----a-w- c:\windows\system32\nvsvc32.exe
2010-01-12 04:17:44 145000 ----a-w- c:\windows\system32\nvcolor.exe
2010-01-12 04:17:44 13666408 ----a-w- c:\windows\system32\nvcpl.dll
2010-01-12 04:17:44 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-01-12 04:17:40 81920 ----a-w- c:\windows\system32\nvwddi.dll
2010-01-12 04:17:30 65332 ----a-w- c:\windows\system32\NvwsApps.xml
2010-01-12 04:17:30 268519 ----a-w- c:\windows\system32\NvApps.xml
2010-01-11 21:39:25 0 d-----w- c:\program files\Active Ports
2010-01-11 08:47:32 0 dc----w- c:\docume~1\alluse~1\applic~1\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-01-09 00:56:16 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-09 00:56:15 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-09 00:50:20 0 d-----w- c:\docume~1\omarmo~1\applic~1\Malwarebytes
2010-01-09 00:50:15 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-09 00:50:14 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-08 23:41:10 0 ----a-w- c:\windows\Nkuha.bin
2010-01-08 23:41:09 120 ----a-w- c:\windows\Vkaxovuzikagupi.dat
2010-01-07 06:46:25 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-07 06:34:12 0 d-----w- c:\program files\Microsoft Forefront
2010-01-07 06:09:49 0 d-----w- c:\windows\system32\xlive
2010-01-07 06:09:49 0 d-----w- c:\program files\Microsoft Games for Windows - LIVE
==================== Find3M ====================
#14
Posted 05 February 2010 - 01:23 AM
Can you let me know the exact filename that's in question please.
How's your computer running so far? Let's get an online scan.
Run Scan with Kaspersky
Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires the Java Runtime Environment (JRE) to be installed before scanning for malware, as ActiveX is no longer being used.
If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
- Open the Kaspersky WebScanner page.
- Click on the Scan Now button on the main page.
- The program will launch and fill in the Information section on the left.
- Read the "Requirements and Limitations" then press the Accept button.
- The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
- Once the files have been downloaded, click on the Settings button.
- In the scan settings make sure the following are selected:
  - Detect malicious programs of the following categories:
    Viruses, Worms, Trojan Horses, Rootkits
    Spyware, Adware, Dialers and other potentially dangerous programs
  - Scan compound files (doesn't apply to the File scan area):
    Archives
    Mail databases
  By default the above items should already be checked.
- Click the Save button, if you made any changes.
- Now under the Scan section on the left: select My Computer.
- The program will now start and scan your system. This will run for a while, be patient and let it finish.
- Once the scan is complete, click on View scan report.
- Now, click on the Save Report as button.
- Save the file to your desktop.
- Copy and paste that information in your next post.
You can refer to this animation by sundavis if needed.
Thanks.
With Regards,
Extremeboy
