Computer Hope

Software => Computer viruses and spyware => Topic started by: The Raddish on February 13, 2011, 06:43:49 AM

Title: Directed here from another part of the forum, but I believe I'm uninfected
Post by: The Raddish on February 13, 2011, 06:43:49 AM
I was directed here from this thread (http://www.computerhope.com/forum/index.php/topic,115829.msg774634.html) due to very high latencies.  I've been through the Virus and Spyware section Guidelines and my logs are posted below.  Aside from a few tracking cookies and a false positive for an AutoHotkey script I wrote, my scans were clear.

My HijackThis report (http://www.computerhope.com/cgi-bin/process.pl?o=128037)

Just to be sure, please take a peek. :)



[recovering disk space - old attachment deleted by admin]
Title: Re: Directed here from another part of the forum, but I believe I'm uninfected
Post by: SuperDave on February 13, 2011, 07:22:38 PM
Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
***********************************************
Please do not attach your logs; just copy and paste them in your reply.

Open HijackThis and select Do a system scan only

Place a check mark next to the following entries: (if there)

Internet Explorer's security is based upon a set of zones. Each zone has different security in terms of what scripts and applications can be run from a site that is in that zone. There is a security zone called the Trusted Zone. This zone has the lowest security and allows scripts and applications from sites in this zone to run without your knowledge. It is therefore a popular setting for malware sites to use so that future infections can be easily done on your computer without your knowledge as these sites will be in the Trusted Zone. Therefore, I recommend that nothing be allowed in the trusted zone. If you agree, please do the following. Please place a check mark next to this/these line/lines.
O15 - Trusted Zone: http://raddishes.mvix.net

Important: Close all open windows except for HijackThis and then click Fix checked.

Once completed, exit HijackThis.
****************************************************
Download ComboFix by sUBs from one of the below links.  Be sure to save it to the Desktop.

Link # 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link # 2 (http://subs.geekstogo.com/ComboFix.exe)
If you are using Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

Close any open web browsers (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your anti-virus, and any anti-spyware real-time protection before performing a scan. Click this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of security programs that should be disabled and how to disable them.

Right-click combofix.exe and select Run as Administrator and follow the prompts.
When finished, ComboFix will produce a log for you.
Post the ComboFix log and a new HijackThis log in your next reply.

NOTE: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your anti-virus and anti-spyware protection when ComboFix is complete.
Title: Re: Directed here from another part of the forum, but I believe I'm uninfected
Post by: The Raddish on February 13, 2011, 10:51:09 PM
When running ComboFix as administrator, I got a BSOD.  I tried two more times with the same result.  Booted into safe mode and ran as administrator and it completed, however it threw a BSOD again once the log was generated at the end.  Logs for HJT and ComboFix are posted below.

As for the trusted zone, I only use it for my NAS drive, and that is the only time I use IE at all.  However, I went ahead and disabled it for the time being until this is cleared up.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:24:33 AM, on 2/13/2011
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16722)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files (x86)\Steam\Steam.exe
C:\Users\The Raddish\Documents\AHK\setup\Zoë.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\LeapFrog\LeapFrog Connect\Monitor.exe
C:\Program Files (x86)\Mozilla Firefox 4.0 Beta 8\firefox.exe
C:\Program Files (x86)\Mozilla Firefox 4.0 Beta 8\plugin-container.exe
C:\Program Files (x86)\Mozilla Firefox 4.0 Beta 8\plugin-container.exe
C:\Users\The Raddish\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://raddishes.mvix.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [OnekeyDM] C:\Program Files (x86)\Lenovo\OnekeyDM\OnekeyDM.exe
O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Monitor] "C:\Program Files (x86)\LeapFrog\LeapFrog Connect\Monitor.exe"
O4 - HKCU\..\Run: [Steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: []  (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: []  (User 'Default user')
O4 - Startup: dpclat.exe
O4 - Startup: Zoë.exe.lnk = ?
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O9 - Extra button: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O13 - Gopher Prefix:
O15 - Trusted Zone: http://raddishes.mvix.net
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: LeapFrog Connect Device Service - LeapFrog Enterprises, Inc. - C:\Program Files (x86)\LeapFrog\LeapFrog Connect\CommandService.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files (x86)\CDBurnerXP\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 8381 bytes



ComboFix 11-02-13.01 - The Raddish 02/13/2011  22:54:12.1.2 - x64 NETWORK
Microsoft Windows 7 Home Premium   6.1.7600.0.1252.1.1033.18.4091.3214 [GMT -6:00]
Running from: c:\users\The Raddish\Downloads\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
FW: PC Tools Firewall Plus *Disabled* {175D0B73-9F8F-2CA9-8BF1-62277A276DC9}
SP: avast! Antivirus *Disabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\xp
c:\programdata\xp\EBLib.dll
c:\programdata\xp\TPwSav.sys
c:\users\The Raddish\AppData\Roaming\inst.exe
c:\users\The Raddish\Desktop\Battlestar Galactica - Miniseries - Pilot
c:\users\The Raddish\EULA.txt

.
(((((((((((((((((((((((((   Files Created from 2011-01-14 to 2011-02-14  )))))))))))))))))))))))))))))))
.

2011-02-14 05:00 . 2011-02-14 05:00   --------   d-----w-   c:\users\Default\AppData\Local\temp
2011-02-14 04:35 . 2011-02-14 04:36   --------   d-----w-   c:\users\The Raddish\AppData\Roaming\PCToolsFirewallPlus
2011-02-14 04:33 . 2010-03-29 17:06   233488   ----a-w-   c:\windows\system32\drivers\PCTCore64.sys
2011-02-14 04:33 . 2010-11-17 16:20   331368   ----a-w-   c:\windows\system32\drivers\pctgntdi64.sys
2011-02-14 04:33 . 2010-11-17 16:20   136168   ----a-w-   c:\windows\system32\drivers\pctwfpfilter64.sys
2011-02-14 04:32 . 2011-02-14 04:33   --------   d-----w-   c:\program files (x86)\Common Files\PC Tools
2011-02-14 04:32 . 2010-11-24 15:18   119688   ----a-w-   c:\windows\system32\drivers\pctNdis-PacketFilter64.sys
2011-02-14 04:32 . 2010-07-08 15:49   79000   ----a-w-   c:\windows\system32\drivers\pctNdis64.sys
2011-02-14 04:32 . 2010-02-05 15:26   42968   ----a-w-   c:\windows\system32\drivers\pctNdis-DNS64.sys
2011-02-14 04:31 . 2010-11-25 16:42   179464   ----a-w-   c:\windows\system32\drivers\pctplfw64.sys
2011-02-14 04:31 . 2011-02-14 04:36   --------   d-----w-   c:\program files (x86)\PC Tools Firewall Plus
2011-02-13 13:09 . 2011-01-13 10:20   7844688   ----a-w-   c:\programdata\Microsoft\Windows Defender\Definition Updates\{4FF1E68B-93F8-4AC2-9591-72DCF361AB51}\mpengine.dll
2011-02-13 02:44 . 2011-02-13 02:44   --------   d-----w-   c:\users\The Raddish\AppData\Roaming\SUPERAntiSpyware.com
2011-02-13 02:44 . 2011-02-13 02:44   --------   d-----w-   c:\programdata\SUPERAntiSpyware.com
2011-02-13 02:44 . 2011-02-13 02:44   --------   d-----w-   c:\programdata\!SASCORE
2011-02-13 02:44 . 2011-02-13 02:44   --------   d-----w-   c:\program files\SUPERAntiSpyware
2011-02-12 23:50 . 2011-02-12 23:50   --------   d-----w-   c:\program files\CCleaner
2011-02-12 15:21 . 2011-02-12 15:21   --------   d-----w-   c:\users\The Raddish\AppData\Roaming\Malwarebytes
2011-02-12 15:20 . 2010-12-21 00:09   38224   ----a-w-   c:\windows\SysWow64\drivers\mbamswissarmy.sys
2011-02-12 15:20 . 2011-02-12 15:20   --------   d-----w-   c:\programdata\Malwarebytes
2011-02-12 15:20 . 2010-12-21 00:08   24152   ----a-w-   c:\windows\system32\drivers\mbam.sys
2011-02-12 15:20 . 2011-02-12 15:20   --------   d-----w-   c:\program files (x86)\Malwarebytes' Anti-Malware
2011-02-12 14:54 . 2011-02-12 14:54   --------   d-----w-   c:\program files (x86)\Trend Micro
2011-02-10 02:44 . 2011-02-10 02:44   --------   d-----w-   c:\users\The Raddish\AppData\Local\ElevatedDiagnostics
2011-02-10 00:20 . 2010-12-21 06:16   214016   ----a-w-   c:\windows\system32\winsrv.dll
2011-02-10 00:17 . 2010-12-18 06:11   714752   ----a-w-   c:\windows\system32\kerberos.dll
2011-02-10 00:17 . 2010-12-18 05:29   541184   ----a-w-   c:\windows\SysWow64\kerberos.dll
2011-02-10 00:17 . 2011-01-05 06:20   612352   ----a-w-   c:\windows\system32\vbscript.dll
2011-02-10 00:17 . 2011-01-05 05:37   428032   ----a-w-   c:\windows\SysWow64\vbscript.dll
2011-02-10 00:17 . 2010-10-27 05:18   5510528   ----a-w-   c:\windows\system32\ntoskrnl.exe
2011-02-10 00:17 . 2010-10-27 05:16   1739176   ----a-w-   c:\windows\system32\ntdll.dll
2011-02-10 00:17 . 2010-10-27 04:40   1293120   ----a-w-   c:\windows\SysWow64\ntdll.dll
2011-02-10 00:17 . 2010-10-27 04:43   3901824   ----a-w-   c:\windows\SysWow64\ntoskrnl.exe
2011-02-10 00:17 . 2010-10-27 04:43   3957120   ----a-w-   c:\windows\SysWow64\ntkrnlpa.exe
2011-02-10 00:08 . 2011-01-07 05:49   366080   ----a-w-   c:\windows\system32\atmfd.dll
2011-02-10 00:08 . 2011-01-07 05:33   294400   ----a-w-   c:\windows\SysWow64\atmfd.dll
2011-02-10 00:08 . 2011-01-07 08:06   46080   ----a-w-   c:\windows\system32\atmlib.dll
2011-02-10 00:08 . 2011-01-07 07:27   34304   ----a-w-   c:\windows\SysWow64\atmlib.dll
2011-02-06 14:40 . 2011-02-06 14:40   --------   d-----w-   C:\ubuntu
2011-02-06 05:09 . 2011-02-13 22:22   --------   d-----w-   c:\users\The Raddish\AppData\Roaming\vlc
2011-02-05 02:23 . 2011-02-05 02:23   --------   d-----w-   c:\program files (x86)\Lavalys
2011-02-05 01:24 . 2011-02-05 01:25   --------   d-----w-   c:\program files (x86)\NVIDIA Corporation
2011-02-05 01:18 . 2011-02-05 01:18   --------   d-----w-   c:\programdata\NVIDIA Corporation
2011-02-05 01:15 . 2011-02-05 01:21   --------   d-----w-   c:\program files\NVIDIA Corporation
2011-02-05 01:14 . 2011-02-05 01:14   --------   d-----w-   C:\NVIDIA
2011-02-05 01:03 . 2011-02-05 01:03   --------   d-----w-   c:\program files (x86)\SystemRequirementsLab
2011-02-05 01:03 . 2011-02-05 01:04   --------   d-----w-   c:\users\The Raddish\AppData\Roaming\SystemRequirementsLab
2011-01-26 04:10 . 2011-01-26 04:10   --------   d-----w-   C:\ASUS
2011-01-26 03:11 . 2011-02-06 19:21   --------   d-----w-   c:\program files (x86)\TightVNC
2011-01-26 03:01 . 2011-01-26 03:01   --------   d-----w-   c:\users\The Raddish\AppData\Local\Downloaded Installations
2011-01-26 00:23 . 2011-01-26 00:23   --------   d-----w-   c:\program files (x86)\Coupons
2011-01-25 23:45 . 2006-08-21 12:06   27648   ----a-w-   c:\windows\system32\Spool\prtprocs\x64\SSGB6pc.dll
2011-01-25 23:40 . 2006-11-20 14:22   151552   ----a-w-   c:\windows\system32\SSGB6ci.exe
2011-01-25 23:40 . 2006-11-21 17:40   89600   ----a-w-   c:\windows\system32\SSGB6ci.dll
2011-01-25 23:40 . 2009-03-02 20:12   11576   ------w-   c:\windows\system32\drivers\SSPORT.SYS
2011-01-25 23:40 . 2009-03-02 20:12   53816   ------w-   c:\windows\system32\drivers\DGIVECP.SYS
2011-01-25 23:40 . 2011-01-25 23:40   --------   d-----w-   c:\program files (x86)\SAMSUNG
2011-01-25 23:39 . 2011-01-25 23:39   --------   d-----w-   C:\Temp
2011-01-24 03:20 . 2011-01-24 03:20   --------   d-----w-   C:\BIOS
2011-01-24 01:58 . 2010-10-16 05:17   720896   ----a-w-   c:\windows\system32\odbc32.dll
2011-01-24 01:58 . 2010-10-16 05:16   1425408   ----a-w-   c:\program files\Common Files\System\ado\msado15.dll
2011-01-24 01:58 . 2010-10-16 04:34   573440   ----a-w-   c:\windows\SysWow64\odbc32.dll
2011-01-24 01:58 . 2010-10-16 05:16   495616   ----a-w-   c:\program files\Common Files\System\ado\msadox.dll
2011-01-24 01:58 . 2010-10-16 05:16   466944   ----a-w-   c:\program files\Common Files\System\ado\msadomd.dll
2011-01-24 01:58 . 2010-10-16 05:16   258048   ----a-w-   c:\program files\Common Files\System\msadc\msadco.dll
2011-01-24 01:58 . 2010-10-16 04:33   372736   ----a-w-   c:\program files (x86)\Common Files\System\ado\msadox.dll
2011-01-24 01:58 . 2010-10-16 04:33   352256   ----a-w-   c:\program files (x86)\Common Files\System\ado\msadomd.dll
2011-01-24 01:58 . 2010-10-16 04:33   987136   ----a-w-   c:\program files (x86)\Common Files\System\ado\msado15.dll
2011-01-24 01:58 . 2010-10-16 04:33   208896   ----a-w-   c:\program files (x86)\Common Files\System\msadc\msadco.dll
2011-01-24 00:55 . 2011-01-24 00:55   301688   ----a-w-   c:\users\The Raddish\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dpclat.exe
2011-01-20 02:43 . 2011-01-20 02:43   --------   d-----w-   c:\program files (x86)\PDFZilla
2011-01-17 21:53 . 2011-01-17 21:53   --------   d-----w-   c:\windows\Sun

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-02 23:11 . 2009-11-26 01:32   270720   ------w-   c:\windows\system32\MpSigStub.exe
2011-01-08 03:27 . 2009-09-01 06:19   7729256   ----a-w-   c:\windows\system32\nvwgf2umx.dll
2011-01-08 03:27 . 2009-09-01 06:19   2200680   ----a-w-   c:\windows\system32\nvapi64.dll
2011-01-08 02:50 . 2011-01-08 02:50   795752   ----a-w-   c:\windows\system32\easyUpdatusAPIU64.dll
2011-01-08 02:50 . 2011-01-08 02:50   6143080   ----a-w-   c:\windows\system32\nvcpl.dll
2011-01-08 02:49 . 2011-01-08 02:49   3156072   ----a-w-   c:\windows\system32\nvsvc64.dll
2011-01-08 02:49 . 2011-01-08 02:49   117864   ----a-w-   c:\windows\system32\nvmctray.dll
2011-01-08 02:49 . 2011-01-08 02:49   307304   ----a-w-   c:\windows\SysWow64\oemdspif.dll
2011-01-08 02:49 . 2011-01-08 02:49   2558568   ----a-w-   c:\windows\system32\nvsvcr.dll
2011-01-08 02:49 . 2011-01-08 02:49   1005160   ----a-w-   c:\windows\system32\nvvsvc.exe
2010-12-02 03:35 . 2010-12-02 03:35   4280320   ----a-w-   c:\windows\SysWow64\GPhotos.scr
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files (x86)\Steam\Steam.exe" [2010-11-27 1242448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"OnekeyDM"="c:\program files (x86)\Lenovo\OnekeyDM\OnekeyDM.exe" [2009-03-27 468480]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Monitor"="c:\program files (x86)\LeapFrog\LeapFrog Connect\Monitor.exe" [2010-11-19 193880]
"00PCTFW"="c:\program files (x86)\PC Tools Firewall Plus\FirewallGUI.exe" [2010-11-29 2676696]

c:\users\The Raddish\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
dpclat.exe [2011-1-23 301688]
Zoë.exe.lnk - c:\users\The Raddish\Documents\AHK\setup\Zoë.exe [2010-3-28 186601]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"SoftwareSASGeneration"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages   REG_MULTI_SZ      kerberos msv1_0 schannel wdigest tspkg pku2u livessp

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-02-06 136176]
R3 FlyUsb;FLY Fusion;c:\windows\system32\DRIVERS\FlyUsb.sys [2009-11-10 24576]
R3 netw5v64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [2009-05-14 5435904]
R3 pctNdis;PC Tools Firewall Intermediate Filter Service;c:\windows\system32\DRIVERS\pctNdis64.sys [2010-07-08 79000]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2009-07-30 222208]
R3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys
R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\DRIVERS\VBoxNetAdp.sys [2010-06-03 144656]
R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\DRIVERS\VBoxNetFlt.sys
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-04-24 1255736]
R3 WinPhlash;WinPhlash;c:\bios\BIOS\PHLASHNT.SYS [2008-05-07 47160]
S1 aswSP;aswSP;
S1 pctgntdi;pctgntdi;c:\windows\System32\drivers\pctgntdi64.sys [2010-11-17 331368]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2010-02-17 14920]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2010-02-17 12360]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2010-06-29 128752]
S2 aswFsBlk;aswFsBlk;
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-06-28 61008]
S2 SSPORT;SSPORT;c:\windows\system32\Drivers\SSPORT.sys [2009-03-02 11576]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-01-08 378984]
S3 ACPIVPC;Lenovo Virtual Power Controller Driver;c:\windows\system32\DRIVERS\AcpiVpc.sys [2009-05-19 26128]
S3 enecir;ENE CIR Receiver;c:\windows\system32\DRIVERS\enecir.sys [2009-06-29 70656]
S3 enecirhid;ENE CIR HID Receiver;c:\windows\system32\DRIVERS\enecirhid.sys [2009-05-20 14848]
S3 enecirhidma;ENE CIR HIDmini Filter;c:\windows\system32\DRIVERS\enecirhidma.sys [2008-04-25 6656]
S3 k57nd60a;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys [2009-06-10 270848]
S3 NETw5s64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\DRIVERS\NETw5s64.sys [2009-09-16 6952960]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [2009-08-22 84512]
S3 PCTFW-PacketFilter;PCTools Firewall - Packet filter driver;c:\windows\system32\drivers\pctNdis-PacketFilter64.sys [2010-11-24 119688]
S3 pctNdisMP;PC Tools Driver;c:\windows\system32\DRIVERS\pctNdis64.sys [2010-07-08 79000]
S3 pctplfw;pctplfw;c:\windows\System32\drivers\pctplfw64.sys [2010-11-25 179464]
S3 usbsmi;Lenovo EasyCamera;c:\windows\system32\DRIVERS\SMIksdrv.sys [2009-08-22 197120]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-14 17920]

.
Contents of the 'Scheduled Tasks' folder

2011-02-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-02-06 18:48]

2011-02-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-02-06 18:48]

2011-02-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3259647352-4281637696-3222292564-1001Core.job
- c:\users\The Raddish\AppData\Local\Google\Update\GoogleUpdate.exe [2010-01-13 02:09]

2011-02-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3259647352-4281637696-3222292564-1001UA.job
- c:\users\The Raddish\AppData\Local\Google\Update\GoogleUpdate.exe [2010-01-13 02:09]
.

--------- x86-64 -----------


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-08-07 186904]
"EnergyUtility"="c:\program files (x86)\Lenovo\Energy Management\utility.exe" [2009-06-16 4333384]
"Energy Management"="c:\program files (x86)\Lenovo\Energy Management\Energy Management.exe" [2009-06-18 5828936]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-12-17 9643040]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://raddishes.mvix.net/
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
Trusted Zone: mvix.net\raddishes
FF - ProfilePath - c:\users\The Raddish\AppData\Roaming\Mozilla\Firefox\Profiles\ttoflpmu.default\
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-SynTPEnh - %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files (x86)\DivX\DivXCodecUninstall.exe
AddRemove-{8ADFC4160D694100B5B8A22DE9DCABD9} - c:\program files (x86)\DivX\DivXPlayerUninstall.exe


.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG12.00.00.01PROFESSIONAL"="0FBFF4D00FE274B01890541049064856C24A58C E984ECE03C24F69B0E7626D926BF5FEBC9E127B ECC74CFEBC9E127BECC74CFEBC9E127BECC74CF EBC9E127BECC74CFEBC9E127BECC74CFEBC9E12 7BECC74CA6A0AC4980AC7933A6171C11EC38DE3 DA2D97226D213B555A2D97226D213B55543A07A 5DD19DF8AF5F94C148E59B315B2235E9E5B9624 9D194A7430495FED9F6888BBF6576B8E7B440F5 FE8E1ECD1EDB70FBB0A57DC7D57C09CCC3E0635 FEB6953DCE70606EC70B35E21DFF354EB15CC3A 581CC99B8B012207E4B38AFB5560D6CCBA1D67A B5CD090AF5541828F0099C5E243E05A983F3327 FCC4BB2A001C2318127299F2C68A9CB11DF5160 68AF782DCBFDB42A4AD5A2BF6CFE2152CC65276 06B0F22E59E8603B83820F618D36A5FDB11AE19 ABAC6B5F6FE55D99046D7FB6F00AE513F8CD8A9 E6F4314BBD6EB5BC89E131BD5AF183117DAF586 8116C7300F96883C4C5C49017ADFA6F7C57415F 587993B6F60262BA8D767F97710D59872AD1269 A28CC7DBFBC748C759771DFC0F4766FCF3DA9E9 F2B2EE6947FB128ABCA98AA3547D757448936FA 471B45FEB18747A221862792A69E948E70E333C 43EA1208CE05E7F3AD41F7AA4382918BC9D89CD 7DB1BDBAF860F03B5000765410820DA041C75AE 90EFF3A9846C3E8EF2A12B9430D15E43212987A F4135C08667251EDE8E01DFBD27C6DF4E31A82E B1A6DE6AECFB3C5456327FAB064791BE2C0AA7D 95F087875A5A80138EC35814FA1CCB2A51587D7 E9F7DCBA877F7923F6131961FDFCA501591A193 2E172ED88122D1D8F20E272667B2D304F5DFC5B FBD59796E7E5C1F11DA4F210B0783087D0DB45E 5AFD2102F2ADA20CE77203FC5B0B9BF1B172596 4AD3E2AB3B98495886F086FC888DE7B9076DCF9 F6E2FF8EDE5DB752F518C81CC612F1565D849D7 0640855E8FF96A40E0157C921C58B8C491BC1AD 03378A9F1963B3EAC62BF645B34E12EA358444A 6EEB4AA8D2ABEB9892199F8E06B86495268CB29 3148B56D23E42670F8CD80374B924E8C5B00A1D 1828D736DCC455FABAFEA9F646276D193E1D76A 5CEC13668769DB50A2DC3126F43FD03FCB0AEBD B84513CC877134B519964CF84299DF393A1FCA3 2973B95C87DEC40374637DCCDACA8AAB93A3281 3B7A10D155B89EF8CC5183A311D250A3D1F62A4 FEFB5A05A047A1BC2183B2C46F3749FE87CD692 10051BFABFA9CF5060781D53C01244A3A303D89 70E728585ACFA55017E42412CA1151922EB3A75 25322AC785DB623F7B2E92925AF1396D69D7927 B34365F6C2796565FD9A66300BBF278DE239D0C C5625F9C08E687BE9607599D5B7CE5F02544534 
6984523ABFD83709961CF379D4F1D13B02C039D 3BFA8F3BA37DDF99F609C5AA04014DC97CD4726 CE663F40C0922EF198106B8334AE9B9F7D07FAA 0ED40A7466D5EA9CB422"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files (x86)\LeapFrog\LeapFrog Connect\CommandService.exe
c:\program files (x86)\CDBurnerXP\NMSAccessU.exe
c:\program files (x86)\PC Tools Firewall Plus\FWService.exe
c:\program files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files (x86)\Common Files\Steam\SteamService.exe
.
**************************************************************************
.
Completion time: 2011-02-13  23:35:50 - machine was rebooted
ComboFix-quarantined-files.txt  2011-02-14 05:35

Pre-Run: 91,547,361,280 bytes free
Post-Run: 91,495,088,128 bytes free

- - End Of File - - 5B79F7EDBD5FB57639CE9A2F1EB51823
Title: Re: Directed here from another part of the forum, but I believe I'm uninfected
Post by: SuperDave on February 14, 2011, 11:53:46 AM
Please download the Sophos Anti-Rootkit Scanner (http://www.sophos.com/products/free-tools/sophos-anti-rootkit/download/) and save it to your desktop.

You will need to enter your name, e-mail address and location in order to access the download page.

Title: Re: Directed here from another part of the forum, but I believe I'm uninfected
Post by: The Raddish on February 15, 2011, 04:48:19 AM
The program has changed since your instructions were written.  It is no longer placed in the root directory, but now defaults to the program directory like a regular installation.

Also, it will not allow a scan of running processes in the free version.

At any rate, here is the text of the warning:

Warning:   Failed to query live registry key \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\009. You may not have access rights to the whole registry.

Incorrect function.
Title: Re: Directed here from another part of the forum, but I believe I'm uninfected
Post by: SuperDave on February 15, 2011, 12:40:57 PM
Quote
The program has changed since your instructions were written.  It is no longer placed in the root directory, but now defaults to the program directory like a regular installation.
That's possible. I'll have to check it out. Please try this one.

Please download Rooter (http://eric71.geekstogo.com/tools/Rooter.exe) and Save it to your desktop.
Title: Re: Directed here from another part of the forum, but I believe I'm uninfected
Post by: The Raddish on February 15, 2011, 05:37:26 PM
Rooter.exe (v1.0.2) by Eric_71
.
SeDebugPrivilege granted successfully ...
.
Windows 7 Home Edition (6.1.7600)
[32_bits] - Intel64 Family 6 Model 23 Stepping 10, GenuineIntel
.
[wscsvc] (Security Center) RUNNING (state:4)
[MpsSvc] RUNNING (state:4)
Windows Firewall -> Disabled !
Windows Defender -> Enabled
User Account Control (UAC) -> Enabled
.
Internet Explorer 8.0.7600.16385
Mozilla Firefox 4.0b11 (en-US)
.
C:\  [Fixed-NTFS] .. ( Total:297 Go - Free:84 Go )
D:\  [CD_Rom]
.
Scan : 18:36.41
Path : C:\Users\The Raddish\Downloads\Rooter.exe
User : The Raddish ( Administrator -> YES )
.
----------------------\\ Processes
.
Locked [System Process] (0)
Locked System (4)
______ ?????????? (356)
______ ?????????? (504)
______ ?????????? (564)
______ ?????????? (576)
______ ?????????? (624)
______ ?????????? (632)
______ ?????????? (640)
______ ?????????? (700)
______ ?????????? (780)
______ ?????????? (860)
______ ?????????? (900)
______ ?????????? (984)
______ ?????????? (396)
______ ?????????? (500)
______ ?????????? (1068)
______ ?????????? (1132)
______ ?????????? (1144)
______ ?????????? (1264)
______ C:\Program Files\Alwil Software\Avast5\AvastSvc.exe (1420)
______ ?????????? (1756)
______ ?????????? (1800)
______ ?????????? (1820)
______ ?????????? (2040)
______ ?????????? (1400)
______ C:\Program Files (x86)\LeapFrog\LeapFrog Connect\CommandService.exe (1392)
______ C:\Program Files (x86)\CDBurnerXP\NMSAccessU.exe (1732)
______ C:\Program Files (x86)\PC Tools Firewall Plus\FWService.exe (1476)
______ C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe (2092)
______ ?????????? (2132)
______ ?????????? (2196)
______ C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe (2340)
______ ?????????? (2520)
______ ?????????? (2528)
______ ?????????? (2556)
______ C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe (2976)
______ ?????????? (2984)
______ ?????????? (2992)
______ ?????????? (3000)
______ ?????????? (3008)
______ ?????????? (1968)
______ ?????????? (3436)
______ C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe (3508)
______ C:\Program Files (x86)\LeapFrog\LeapFrog Connect\Monitor.exe (3764)
______ C:\Program Files (x86)\PC Tools Firewall Plus\FirewallGUI.exe (3892)
______ ?????????? (3968)
______ ?????????? (4000)
______ ?????????? (3532)
______ ?????????? (868)
______ ?????????? (4540)
______ ?????????? (4968)
______ C:\Program Files (x86)\Mozilla Firefox 4.0 Beta 8\firefox.exe (4608)
______ C:\Program Files (x86)\Mozilla Firefox 4.0 Beta 8\plugin-container.exe (4548)
______ C:\Program Files (x86)\Mozilla Firefox 4.0 Beta 8\plugin-container.exe (2828)
______ ?????????? (4732)
______ C:\Users\The Raddish\Downloads\Rooter.exe (3856)
______ C:\Users\The Raddish\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe (1248)
______ ?????????? (5036)
.
----------------------\\ Device\Harddisk0\
.
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
.
\Device\Harddisk0\Partition1 --[ MBR ]-- (Start_Offset:1048576 | Length:104857600)
\Device\Harddisk0\Partition2 (Start_Offset:105906176 | Length:319965626368)
.
----------------------\\ Scheduled Tasks
.
C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3259647352-4281637696-3222292564-1001Core.job
C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3259647352-4281637696-3222292564-1001UA.job
C:\Windows\Tasks\SA.DAT
C:\Windows\Tasks\SCHEDLGU.TXT
.
----------------------\\ Registry
.
.
----------------------\\ Files & Folders
.
----------------------\\ Scan completed at 18:37.30
.
C:\Rooter$\Rooter_2.txt - (15/02/2011 | 18:37.30)
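One thing worth checking in a Rooter disk listing like the one above is whether every byte of the disk is accounted for by a partition: unallocated space before the first partition, between partitions, or after the last one is where bootkits park code outside any filesystem, so the scanner's Start_Offset and Length figures are worth adding up rather than just reading. The script below is an added example written for this thread (it is not Rooter's, ComboFix's, or either poster's code). It parses the two Partition lines exactly as Rooter printed them, walks them in disk order, and reports any unclaimed or overlapping range, treating only the OS's normal 1 MiB (or legacy 63-sector) leading gap as expected. Rooter does not print the total disk size, so the trailing check is an optional `disk_size` argument (an assumption, not something the log supplies); the sample input is copied from the log and the overlap case in the usage is constructed.

```python
"""Partition-layout sanity check for Rooter-style disk listings (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the disk section as it appears in the Rooter log above.
ROOTER_DISK_SECTION = r"""
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
.
\Device\Harddisk0\Partition1 --[ MBR ]-- (Start_Offset:1048576 | Length:104857600)
\Device\Harddisk0\Partition2 (Start_Offset:105906176 | Length:319965626368)
"""

_PART_RE = re.compile(
    r"\\Partition(?P<idx>\d+)\b.*?\(Start_Offset:(?P<start>\d+) \| Length:(?P<len>\d+)\)"
)

# Leading gaps that Windows itself creates: 1 MiB alignment (Vista and later)
# or 63 sectors of 512 bytes on older CHS-aligned layouts.
EXPECTED_LEADING_GAPS = {1024 * 1024, 63 * 512}


@dataclass(frozen=True)
class Partition:
    index: int
    start: int   # byte offset from the start of the disk
    length: int  # bytes

    @property
    def end(self) -> int:
        return self.start + self.length


@dataclass(frozen=True)
class Gap:
    label: str
    start: int
    length: int
    expected: bool  # True only for the OS's normal alignment gap before the first partition


def parse_partitions(text: str) -> List[Partition]:
    """Extract the PartitionN lines from Rooter's disk section, sorted by start offset."""
    parts = [Partition(int(m["idx"]), int(m["start"]), int(m["len"]))
             for m in _PART_RE.finditer(text)]
    return sorted(parts, key=lambda p: p.start)


def find_gaps(parts: List[Partition], disk_size: Optional[int] = None) -> List[Gap]:
    """Walk partitions in disk order; record every unclaimed or overlapping byte range."""
    gaps: List[Gap] = []
    cursor = 0
    for i, p in enumerate(parts):
        if p.start > cursor:
            size = p.start - cursor
            leading = (i == 0)
            gaps.append(Gap(f"before Partition{p.index}", cursor, size,
                            expected=leading and size in EXPECTED_LEADING_GAPS))
        elif p.start < cursor:
            # Overlapping partitions never come from a sane partitioner; flag them loudly.
            gaps.append(Gap(f"OVERLAP at Partition{p.index}", p.start, cursor - p.start,
                            expected=False))
        cursor = max(cursor, p.end)
    # disk_size is an assumption supplied by the caller; Rooter does not print it.
    if disk_size is not None and disk_size > cursor:
        gaps.append(Gap("after last partition", cursor, disk_size - cursor, expected=False))
    return gaps


def suspicious_gaps(parts: List[Partition], disk_size: Optional[int] = None) -> List[Gap]:
    """Only the gaps a responder should go and look at (dd the range out and inspect it)."""
    return [g for g in find_gaps(parts, disk_size) if not g.expected]


if __name__ == "__main__":
    parts = parse_partitions(ROOTER_DISK_SECTION)
    for p in parts:
        print(f"Partition{p.index}: {p.start:>14} .. {p.end:>14}  ({p.length / 2**30:.2f} GiB)")
    for g in find_gaps(parts):
        tag = "ok (alignment)" if g.expected else "INSPECT"
        print(f"{tag:15} {g.label}: offset {g.start}, {g.length} bytes")
```

On the layout in this log the only unclaimed range is the 1 MiB before Partition1, which is the standard Windows 7 alignment gap, and Partition2 begins exactly where Partition1 ends; whether anything sits past the end of Partition2 cannot be told from Rooter's output alone, so get the disk size from Disk Management or diskpart and pass it in before signing the disk off.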
Title: Re: Directed here from another part of the forum, but I believe I'm uninfected
Post by: SuperDave on February 16, 2011, 12:52:45 PM
I'd like to scan your machine with ESET OnlineScan

•Hold down Control and click on the following link to open ESET OnlineScan in a new window.
 ESET OnlineScan (http://eset.com/onlinescan)
•Click the (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetOnline.png) button.
•For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
•Check (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetAcceptTerms.png)
•Click the (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetStart.png) button.
•Accept any security warnings from your browser.
•Check (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetScanArchives.png)
•Push the Start button.
•ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
•When the scan completes, push (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetListThreats.png)
•Push (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png), and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
•Push the (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetBack.png) button.
•Push (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetFinish.png)
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt
Title: Re: Directed here from another part of the forum, but I believe I'm uninfected
Post by: The Raddish on February 17, 2011, 04:40:53 AM
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6419
# api_version=3.0.2
# EOSSerial=f6700a7d4166574986c46305eb070d8b
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-02-17 11:30:44
# local_time=2011-02-17 05:30:44 (-0600, Central Standard Time)
# country="United States"
# lang=1033
# osver=6.1.7600 NT
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=770 16774141 100 97 14623557 73692545 0 0
# compatibility_mode=2560 16777215 100 0 0 0 0 0
# compatibility_mode=5893 16776573 100 94 0 49447723 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=174096
# found=0
# cleaned=0
# scan_time=37974
Title: Re: Directed here from another part of the forum, but I believe I'm uninfected
Post by: SuperDave on February 17, 2011, 01:01:01 PM
I can't see any infections that could be causing the problems you're experiencing. Let's do some cleanup.

To uninstall ComboFix

(http://i582.photobucket.com/albums/ss269/Cat_Byte/Combofix_uninstall_image.jpg)

(Note: Make sure there's a space between the word ComboFix and the forward-slash.)

**********************************************
Clean out your temporary internet files and temp files.

Download TFC by OldTimer (http://oldtimer.geekstogo.com/TFC.exe) to your desktop.

Double-click TFC.exe to run it.

Note: If you are running on Vista, right-click on the file and choose Run As Administrator

TFC will close all programs when run, so make sure you have saved all your work before you begin.

* Click the Start button to begin the cleaning process.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
* Please let TFC run uninterrupted until it is finished.

Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.
*************************************************
Use the Secunia Software Inspector (http://secunia.com/software_inspector) to check for out of date software.

•Click Start Now

•Check the box next to Enable thorough system inspection.

•Click Start

•Allow the scan to finish and scroll down to see if any updates are needed.
•Update anything listed.
.
----------

Go to Microsoft Windows Update (http://windowsupdate.microsoft.com/) and get all critical updates.

----------

I suggest using WOT - Web of Trust (http://www.mywot.com/). WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html)- Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer (http://www.bleepingcomputer.com/forums/tutorial49.html) from Spyware and Malware
* If you don't know what ActiveX controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)

Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. (http://www.safer-networking.org/en/spybotsd/index.html) Guide: Use Spybot's Immunize Feature (http://www.bleepingcomputer.com/tutorials/tutorial43.html#immunize) to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ (http://www.safer-networking.org/en/faq/index.html)

Check out Keeping Yourself Safe On The Web  (http://evilfantasy.wordpress.com/2008/05/20/keeping-yourself-safe-on-the-web/) for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It may not be Malware (http://evilfantasy.wordpress.com/2008/05/24/slow-computer-it-may-not-be-malware/) for free cleaning/maintenance tools to help keep your computer running smoothly.
Safe Surfing!
Title: Re: Directed here from another part of the forum, but I believe I'm uninfected
Post by: The Raddish on February 17, 2011, 07:52:25 PM
Just like with Combofix, running TFC as administrator caused an instant BSOD.  I did successfully run it from safe mode.

Thanks for your help in this thread, it is greatly appreciated!  I'll head back to my original thread to continue the diagnosis.
Title: Re: Directed here from another part of the forum, but I believe I'm uninfected
Post by: SuperDave on February 18, 2011, 11:48:26 AM
You're welcome. I will lock this thread. If you need it re-opened, please send me a pm.